The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of RedHat Linux

computer vulnerability alert CVE-2004-0918

Squid: denial of service of SNMP agent

Synthesis of the vulnerability

By sending malicious data to the SNMP agent of Squid, a network attacker can stop it.
Impacted products: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, RedHat Linux, Squid.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 12/10/2004.
Revision dates: 14/10/2004, 21/10/2004, 22/10/2004, 25/10/2004, 29/10/2004, 30/06/2008.
Identifiers: BID-11385, CERTA-2004-AVI-348, CVE-2004-0918, DSA-576, DSA-576-1, FEDORA-2004-338, FEDORA-2008-6045, FLSA-2006:152809, MDKSA-2004:112, RHSA-2004:591, SQUID-2004:3, SQUID-2008:1, SUSE-SR:2008:014, V6-SQUIDSNMPASN1PARSEDOS, VIGILANCE-VUL-4436.

Description of the vulnerability

The Squid proxy has an SNMP agent which the administrator uses to obtain information about the cache. This agent has to be compiled into Squid and then enabled in the configuration file.

The SNMP protocol uses ASN.1 to encode data. The asn_parse_header() function in Squid's snmplib/asn1.c file decodes this data.

However, a specially crafted SNMP packet can trigger an error in asn_parse_header(), which forces Squid to reload.

An attacker who can send SNMP packets to Squid's UDP port can thus cause a denial of service.

vulnerability alert CVE-2006-0996 CVE-2006-1494 CVE-2006-1549

PHP: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP in order to conduct a denial of service, to read a file, or to perform a Cross Site Scripting attack.
Impacted products: Fedora, Mandriva Linux, Mandriva NF, openSUSE, PHP, phpMyAdmin, RHEL, RedHat Linux, Slackware, SLES, TurboLinux.
Severity: 2/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: user account.
Number of vulnerabilities in this bulletin: 4.
Creation date: 10/04/2006.
Revision date: 01/03/2007.
Identifiers: 10310, 20060501-01-U, 20060701-01-U, BID-17439, BID-22766, CERTA-2006-AVI-171, CVE-2006-0996, CVE-2006-1494, CVE-2006-1549, CVE-2006-1608, CVE-2007-1325, FEDORA-2006-289, FLSA-2006:175040, MDKSA-2006:074, MDKSA-2007:199, MOPB-02-2007, PMASA-2007-3, RHSA-2006:027, RHSA-2006:0276-01, RHSA-2006:050, RHSA-2006:0501-02, RHSA-2006:056, RHSA-2006:0567-01, RHSA-2006:0568-01, SSA:2006-217-01, SSA:2008-045-03, SUSE-SA:2006:024, TLSA-2006-17, VIGILANCE-VUL-5751.

Description of the vulnerability

Four vulnerabilities were announced in PHP.

A remote attacker can conduct a Cross Site Scripting attack on web sites using phpinfo(). [severity:2/4; CERTA-2006-AVI-171, CVE-2006-0996]

A local attacker can use the copy() function to copy a file located outside the directories permitted by Safe Mode (VIGILANCE-VUL-6027). [severity:2/4; CVE-2006-1608]

A local attacker can create a recursive function in order to stop PHP and Apache. [severity:2/4; BID-22766, CVE-2006-1549, CVE-2007-1325, MOPB-02-2007]

A local attacker can create a file outside the root directory using the tempnam() function, for example in order to conduct a denial of service. [severity:2/4; CVE-2006-1494]

vulnerability note CVE-2006-1173

Sendmail: denial of service via a MIME message

Synthesis of the vulnerability

An attacker can create an email containing deeply nested MIME parts in order to exhaust the memory of the process.
Impacted products: Debian, Fedora, FreeBSD, Tru64 UNIX, HP-UX, AIX, Mandriva Linux, Mandriva NF, NetBSD, OpenBSD, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, Sendmail, Slackware, SLES, TurboLinux.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 15/06/2006.
Identifiers: 102460, 20060601-01-P, 20060602-01-U, 373801, 380258, 6424201, BID-18433, c00680632, c00692635, CERTA-2006-AVI-246, CERTA-2006-AVI-336, CVE-2006-1173, DSA-1155-1, DSA-1155-2, DUXKIT1000636-V40FB22-ES-20060519, FEDORA-2006-836, FEDORA-2006-837, FLSA-2006:195418, FreeBSD-SA-06:17.sendmail, HPSBTU02116, HPSBUX02124, MDKSA-2006:104, NetBSD-SA2006-017, RHSA-2006:051, RHSA-2006:0515-01, SA-200605-01, SSA:2006-166-01, SSRT061135, SSRT061159, SUSE-SA:2006:032, T64V51AB-IX-631-SENDMAIL-SSRT-061135, TLSA-2006-9, VIGILANCE-VUL-5924, VU#146718.

Description of the vulnerability

An email can contain several parts separated by MIME headers. Each part can also contain data encapsulated with MIME headers.

When Sendmail has to transfer an email to an MTA server which does not support 8-bit binary data, the message is converted to 7 bit using the mime8to7() function. Each call to this function consumes a large area of stack memory.

When the mail to transfer contains deeply nested MIME parts, the mime8to7() function can use up all available stack space. The process then stops and a core dump may be generated.

The main Sendmail process is not stopped, but while the malicious email is in the queue, subsequent emails are not delivered. Moreover, core dumps can fill the disk.

An attacker can therefore create a malicious email to disrupt Sendmail and saturate the computer, without fully stopping the service.

vulnerability announce CVE-2006-1990 CVE-2006-1991 CVE-2006-7205

PHP: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities permit a PHP script author to corrupt memory or to conduct denials of service.
Impacted products: Fedora, Mandriva Linux, Mandriva NF, openSUSE, PHP, RHEL, RedHat Linux, Slackware, SLES, TurboLinux.
Severity: 1/4.
Consequences: user access/rights, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 25/04/2006.
Identifiers: 20060701-01-U, CVE-2006-1990, CVE-2006-1991, CVE-2006-7205, FLSA-2006:175040, INFIGO-2006-04-02, MDKSA-2006:091, MDKSA-2006:122, RHSA-2006:050, RHSA-2006:0501-02, RHSA-2006:056, RHSA-2006:0568-01, SSA:2006-217-01, SUSE-SA:2006:031, SUSE-SA:2006:034, TLSA-2006-38, VIGILANCE-VUL-5792.

Description of the vulnerability

Three vulnerabilities were announced in PHP.

The wordwrap() function splits a text into lines using a specified line-break separator. However, when the separator is very long, memory is corrupted.

The array_fill() function fills an array with a repeated value. When the number of repetitions is high, all available memory (up to the memory_limit setting) is consumed.

The substr_compare() function compares two substrings. When the compared length is too large, a memory access error stops PHP.

An attacker allowed to create a PHP script can therefore use the first vulnerability to elevate his privileges. The two other errors are minor denials of service.

computer vulnerability CVE-2006-0292 CVE-2006-0293 CVE-2006-0296

Thunderbird 1.0: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Thunderbird 1.0, the worst one leading to code execution.
Impacted products: Debian, Fedora, Tru64 UNIX, HP-UX, Mandriva Linux, Mozilla Suite, Thunderbird, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, Slackware.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 17.
Creation date: 18/04/2006.
Identifiers: 102550, 20060404-01-U, 228526, 6424579, c00672120, c00679472, CERTA-2002-AVI-144, CERTA-2006-AVI-156, CVE-2006-0292, CVE-2006-0293, CVE-2006-0296, CVE-2006-0748, CVE-2006-0749, CVE-2006-1538, CVE-2006-1727, CVE-2006-1728, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1737, CVE-2006-1739, CVE-2006-1742, DSA-1046-1, DSA-1051-1, FEDORA-2006-486, FEDORA-2006-487, FEDORA-2006-488, FEDORA-2006-489, FEDORA-2006-490, FEDORA-2006-491, FEDORA-2006-492, FEDORA-2006-493, FEDORA-2006-494, FEDORA-2006-495, FLSA:189137-1, FLSA:189672, FLSA-2006:189137-1, FLSA-2006:189672, HPSBTU02118, HPSBUX02122, MDKSA-2006:076, MDKSA-2006:078, MFSA2006-01, MFSA2006-05, MFSA2006-10, MFSA2006-11, MFSA2006-14, MFSA2006-15, MFSA2006-16, MFSA2006-17, MFSA2006-18, MFSA2006-19, MFSA2006-22, MFSA2006-24, MFSA2006-25, MFSA2006-27, RHSA-2006:032, RHSA-2006:0329-01, RHSA-2006:033, RHSA-2006:0330-01, SSA:2006-114-01, SSRT061145, SSRT061158, SUSE-SA:2006:022, VIGILANCE-VUL-5775, ZDI-06-009, ZDI-06-010, ZDI-06-011.

Description of the vulnerability

Several vulnerabilities were announced in Thunderbird 1.0.

An attacker can entice a user into running malicious Javascript code to conduct a denial of service or to run code (MFSA 2006-01, CVE-2006-0292, CVE-2006-0293, VIGILANCE-VUL-5578).

An attacker can inject Javascript code to be run at startup (MFSA 2006-05, CVE-2006-0296, VIGILANCE-VUL-5581).

An attacker can corrupt memory during garbage collection (MFSA 2006-10, CVE-2006-1742).

Several memory corruptions lead to code execution (MFSA 2006-11, CVE-2006-1739, CVE-2006-1538, CVE-2006-1737).

An attacker can elevate his privileges using XBL.method.eval (MFSA 2006-14, CVE-2006-1735).

An attacker can run privileged Javascript with Object.watch() (MFSA 2006-15, CVE-2006-1734).

An attacker can install a malicious program via valueOf.call() (MFSA 2006-16, CVE-2006-1733).

An attacker can conduct a Cross Site Scripting attack via window.controllers (MFSA 2006-17, CVE-2006-1732).

An attacker can corrupt memory by changing tag order (MFSA 2006-18, CVE-2006-0749).

An attacker can conduct a Cross Site Scripting attack via valueOf.call() (MFSA 2006-19, CVE-2006-1731).

An integer overflow occurs in CSS letter-spacing property (MFSA 2006-22, CVE-2006-1730).

An attacker can increase his privileges using crypto.generateCRMFRequest (MFSA 2006-24, CVE-2006-1728).

An attacker can obtain chrome privileges using Print Preview (MFSA 2006-25, CVE-2006-1727).

An attacker can corrupt memory by changing tag order (MFSA 2006-27, CVE-2006-0748).

vulnerability alert CVE-2006-0292 CVE-2006-0293 CVE-2006-0296

Firefox 1.0: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Firefox, the worst one leading to code execution.
Impacted products: Debian, Fedora, Tru64 UNIX, HP-UX, Mandriva Linux, Firefox, Mozilla Suite, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, Slackware.
Severity: 4/4.
Consequences: user access/rights.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 21.
Creation date: 14/04/2006.
Identifiers: 102550, 20060404-01-U, 228526, 6424579, BID-17516, c00672120, c00679472, CERTA-2002-AVI-144, CERTA-2006-AVI-156, CVE-2006-0292, CVE-2006-0293, CVE-2006-0296, CVE-2006-0748, CVE-2006-0749, CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1736, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742, DSA-1044-1, DSA-1046-1, FEDORA-2006-410, FEDORA-2006-486, FEDORA-2006-487, FEDORA-2006-488, FEDORA-2006-489, FEDORA-2006-490, FEDORA-2006-491, FEDORA-2006-492, FEDORA-2006-493, FEDORA-2006-494, FEDORA-2006-495, FLSA:189137-1, FLSA:189137-2, FLSA-2006:189137-1, FLSA-2006:189137-2, HPSBTU02118, HPSBUX02122, MDKSA-2006:075, MDKSA-2006:076, MFSA2006-01, MFSA2006-03, MFSA2006-05, MFSA2006-09, MFSA2006-10, MFSA2006-11, MFSA2006-12, MFSA2006-13, MFSA2006-14, MFSA2006-15, MFSA2006-16, MFSA2006-17, MFSA2006-18, MFSA2006-19, MFSA2006-22, MFSA2006-23, MFSA2006-24, MFSA2006-25, MFSA2006-27, RHSA-2006:032, RHSA-2006:0328-01, RHSA-2006:0329-01, SSA:2006-114-01, SSRT061145, SSRT061158, SUSE-SA:2006:021, VIGILANCE-VUL-5771, ZDI-06-009, ZDI-06-010, ZDI-06-011.

Description of the vulnerability

Several vulnerabilities were announced in Firefox 1.0.

An attacker can entice a user into running malicious Javascript code to conduct a denial of service or to run code (MFSA 2006-01, CVE-2006-0292, CVE-2006-0293, VIGILANCE-VUL-5578).

An attacker can generate an overflow in history.dat (MFSA 2006-03, CVE-2005-4134, VIGILANCE-VUL-5417).

An attacker can inject Javascript code to be run at startup (MFSA 2006-05, CVE-2006-0296, VIGILANCE-VUL-5581).

An attacker can inject Javascript code using event handlers (MFSA 2006-09, CVE-2006-1741).

An attacker can corrupt memory during garbage collection (MFSA 2006-10, CVE-2006-1742).

Several memory corruptions lead to code execution (MFSA 2006-11, CVE-2006-1739, CVE-2006-1538, CVE-2006-1737).

An attacker can spoof the secure site indicator (MFSA 2006-12, CVE-2006-1740).

An attacker can store an executable program on the user's computer by enticing the user to download an image (MFSA 2006-13, CVE-2006-1736).

An attacker can elevate his privileges using XBL.method.eval (MFSA 2006-14, CVE-2006-1735).

An attacker can run privileged Javascript with Object.watch() (MFSA 2006-15, CVE-2006-1734).

An attacker can install a malicious program via valueOf.call() (MFSA 2006-16, CVE-2006-1733).

An attacker can conduct a Cross Site Scripting attack via window.controllers (MFSA 2006-17, CVE-2006-1732).

An attacker can corrupt memory by changing tag order (MFSA 2006-18, CVE-2006-0749).

An attacker can conduct a Cross Site Scripting attack via valueOf.call() (MFSA 2006-19, CVE-2006-1731).

An integer overflow occurs in CSS letter-spacing property (MFSA 2006-22, CVE-2006-1730).

An attacker can obtain a file located on the user's computer using a text form (MFSA 2006-23, CVE-2006-1729).

An attacker can increase his privileges using crypto.generateCRMFRequest (MFSA 2006-24, CVE-2006-1728).

An attacker can obtain chrome privileges using Print Preview (MFSA 2006-25, CVE-2006-1727).

An attacker can corrupt memory by changing tag order (MFSA 2006-27, CVE-2006-0748).

computer vulnerability announce CVE-2006-1490

PHP: memory reading with html_entity_decode

Synthesis of the vulnerability

An attacker can obtain a memory fragment from server using a script containing html_entity_decode().
Impacted products: Fedora, Mandriva Linux, Mandriva NF, openSUSE, PHP, RHEL, RedHat Linux, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 29/03/2006.
Identifiers: 10310, 20060501-01-U, BID-17296, CERTA-2006-AVI-134, CERTA-2006-AVI-517, CVE-2006-1490, FLSA-2006:175040, MDKSA-2006:063, RHSA-2006:027, RHSA-2006:0276-01, SUSE-SA:2006:024, VIGILANCE-VUL-5727.

Description of the vulnerability

The html_entity_decode() function converts HTML entities to characters. For example, &quot; is converted to a double quote.

This function does not correctly handle the null character. Indeed:
  html_entity_decode("a\0bcd")
stops the conversion after the first character, but still returns a string of 5 characters. The additional characters are taken from whatever is currently in memory.

An attacker can therefore obtain a memory fragment from server using a script containing html_entity_decode().

vulnerability CVE-2006-0058

Sendmail: code execution via signals

Synthesis of the vulnerability

An attacker can connect to a server to trigger a race condition in asynchronous signal handling, which could lead to code execution.
Impacted products: Debian, Fedora, FreeBSD, Tru64 UNIX, HP-UX, AIX, Mandriva Linux, Mandriva NF, NetBSD, OpenBSD, openSUSE, Solaris, Trusted Solaris, RHEL, RedHat Linux, Sendmail, Slackware, SLES, TurboLinux.
Severity: 4/4.
Consequences: administrator access/rights.
Provenance: internet client.
Creation date: 22/03/2006.
Revision dates: 22/03/2006, 23/03/2006.
Identifiers: 102262, 200494, 20060302-01-P, 20060401-01-U, 6397275, 6403051, BID-17192, BID-17207, c00692635, CERTA-2002-AVI-006, CERTA-2006-AVI-124, CVE-2006-0058, DSA-1015-1, DUXKIT1000636-V40FB22-ES-20060519, emr_na-c00629555-7, FEDORA-2006-193, FEDORA-2006-194, FLSA-2006:186277, FreeBSD-SA-06:13.sendmail, HPSBTU02116, HPSBUX02108, IY82992, IY82993, IY82994, MDKSA-2006:058, NetBSD-SA2006-010, RHSA-2006:026, RHSA-2006:0264-01, RHSA-2006:0265-01, SSA:2006-081-01, SSRT061133, SSRT061135, SUSE-SA:2006:017, T64V51AB-IX-631-SENDMAIL-SSRT-061135, TLSA-2006-5, VIGILANCE-VUL-5710, VU#834865.

Description of the vulnerability

The setjmp() and longjmp() functions save and restore the stack context.

A race condition occurs in the libsm library between the use of these functions and the handling of an asynchronous signal. This error can be exploited via a buffer in the sm_syslog() function.

This error does not occur during normal email sending or reception. An attacker has to connect to port 25 of the server and run a series of SMTP commands with precise timing.

This vulnerability leads to code execution.

computer vulnerability note CVE-2006-0049

GnuPG: injection of unsigned data

Synthesis of the vulnerability

An attacker can, for example, insert data before the signed data without GnuPG detecting the change.
Impacted products: Debian, Fedora, GnuPG, Mandriva Linux, Mandriva NF, openSUSE, RHEL, RedHat Linux, Slackware.
Severity: 3/4.
Consequences: data flow.
Provenance: document.
Creation date: 10/03/2006.
Identifiers: 20060401-01-U, BID-17058, CERTA-2006-AVI-103, CVE-2006-0049, DSA-993-1, DSA-993-2, FEDORA-2006-147, FLSA:185355, FLSA-2006:185355, MDKSA-2006:055, RHSA-2006:026, RHSA-2006:0266-01, SSA:2006-072-02, SUSE-SA:2006:014, VIGILANCE-VUL-5679.

Description of the vulnerability

A signed message is generally composed of "O + D + S":
 - O: "One-Pass" (version, signature type, etc.)
 - D: data
 - S: signature of D
However, in order to support various historic formats, GnuPG also recognizes:
 - S + D
 - D + S
 - O1 + D1 + S1 + O2 + D2 + S2 (two concatenated signed messages)

An attacker can construct the following message:
  attacker_data + O + D + S
In this case, GnuPG verifies S as the signature of D, but the real data is "attacker_data + D". This data is, for example, what the "--output" option returns.

An attacker can therefore, from a captured signed message, construct a new message that GnuPG will validate.

computer vulnerability bulletin CVE-2006-0188 CVE-2006-0195 CVE-2006-0377

SquirrelMail: several vulnerabilities

Synthesis of the vulnerability

Three vulnerabilities of SquirrelMail permit an attacker to conduct a Cross Site Scripting attack or to inject IMAP commands.
Impacted products: Debian, Fedora, openSUSE, RHEL, RedHat Linux, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 22/02/2006.
Revision date: 28/02/2006.
Identifiers: 10310, 20060501-01-U, BID-16756, CERTA-2006-AVI-095, CVE-2006-0188, CVE-2006-0195, CVE-2006-0377, DSA-988-1, FEDORA-2006-133, FEDORA-2006-134, FLSA:190884, FLSA-2006:190884, MDKSA-2006:049, RHSA-2006:028, RHSA-2006:0283-01, SNS Advisory No.86, SUSE-SR:2006:005, VIGILANCE-VUL-5638.

Description of the vulnerability

The SquirrelMail program permits users to read their mailbox using a web browser.

The webmail.php script does not correctly sanitize its right_frame parameter, which leads to a Cross Site Scripting attack (CVE-2006-0188).

The MagicHTML feature can be used to conduct a Cross Site Scripting attack, but only affects Internet Explorer (CVE-2006-0195).

The sqimap_mailbox_select parameter can be used to inject IMAP commands (CVE-2006-0377).