The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SUSE Linux Enterprise Server

computer vulnerability bulletin CVE-2012-2807

libxml2: integer overflows

Synthesis of the vulnerability

An attacker can send malformed XML data to an application linked to libxml2, in order to stop it, and possibly to execute code.
Impacted products: Debian, Fedora, libxml, MBS, MES, Mandriva Linux, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 31/07/2012.
Identifiers: 129930, 835863, BID-54718, CERTA-2013-AVI-208, CERTFR-2014-AVI-112, CVE-2012-2807, DSA-2521-1, ESX410-201301001, ESX410-201301401-SG, ESX410-201301402-SG, ESX410-201301403-SG, ESX410-201301405-SG, ESXi410-201301001, ESXi410-201301401-SG, ESXi410-201301402-SG, ESXi500-201303001, ESXi500-201303101-SG, ESXi500-201303102-SG, ESXi510-201304101-SG, FEDORA-2012-13820, FEDORA-2012-13824, MDVSA-2012:126, MDVSA-2013:056, openSUSE-SU-2012:0813-1, openSUSE-SU-2012:0975-1, RHSA-2012:1288-01, SUSE-SU-2012:1095-1, SUSE-SU-2012:1095-2, SUSE-SU-2013:1625-1, SUSE-SU-2013:1627-1, VIGILANCE-VUL-11808, VMSA-2012-0018.2, VMSA-2013-0001, VMSA-2013-0001.3, VMSA-2013-0003, VMSA-2013-0004, VMSA-2013-0004.1.

Description of the vulnerability

The libxml2 library implements an XML parser.

However, on 64-bit processors, an attacker can trigger several integer overflows (in the files globals.c, entities.c and parser.c), leading to memory corruption.

An attacker can therefore send malformed XML data to an application linked to libxml2, in order to stop it, and possibly to execute code.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability announce CVE-2012-3432

Xen: denial of service via HVM MMIO

Synthesis of the vulnerability

An attacker can manipulate MMIO operations in a Xen HVM guest system, in order to crash that guest system.
Impacted products: XenServer, Debian, Fedora, openSUSE, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 27/07/2012.
Identifiers: BID-54691, CERTA-2012-AVI-458, CTX134708, CVE-2012-3432, DSA-2531-1, FEDORA-2012-11182, FEDORA-2012-11190, openSUSE-SU-2012:1172-1, openSUSE-SU-2012:1174-1, openSUSE-SU-2012:1176-1, SUSE-SU-2012:1043-1, SUSE-SU-2012:1044-1, VIGILANCE-VUL-11802.

Description of the vulnerability

The MMIO (Memory-Mapped I/O) feature allows the processor to access a device through a dedicated memory address range.

The handle_mmio() function of the xen/arch/x86/hvm/io.c file implements MMIO handling for Xen guests running in HVM (Hardware Assisted Virtualization) mode. However, this function does not reset its state between two calls. The second call thus raises an exception, which crashes the kernel of the guest system.

In order to exploit this vulnerability, the guest system has to allow unprivileged users to access MMIO.

An attacker can therefore manipulate MMIO operations in a Xen HVM guest system, in order to crash that guest system.

vulnerability alert CVE-2012-3430

Linux kernel: memory reading via RDS recv

Synthesis of the vulnerability

A local attacker can use the recvfrom() and recvmsg() functions on an RDS socket, in order to obtain a fragment of kernel memory.
Impacted products: Fedora, Linux, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 27/07/2012.
Identifiers: BID-54702, CVE-2012-3430, FEDORA-2012-11348, openSUSE-SU-2013:0927-1, RHSA-2012:1304-01, RHSA-2012:1323-01, RHSA-2012:1491-01, SUSE-SU-2012:1679-1, SUSE-SU-2012:1708-1, VIGILANCE-VUL-11801.

Description of the vulnerability

The RDS (Reliable Datagram Sockets) protocol is used to transmit data in connectionless mode. It has been supported by the Linux kernel since version 2.6.30.

The recvfrom() and recvmsg() system calls are used to read data from a socket.

The rds_recvmsg() function of the net/rds/recv.c file implements recvfrom() and recvmsg() for RDS sockets. However, when the address size is larger than the size of the sockaddr_in structure, this function copies too much data (up to 128 bytes) into the user's structure.

A local attacker can therefore use the recvfrom() and recvmsg() functions on an RDS socket, in order to obtain a fragment of kernel memory.

computer vulnerability alert CVE-2012-3817 CVE-2012-3868

ISC BIND: denials of service

Synthesis of the vulnerability

An attacker can send malicious DNS queries or replies, in order to generate several denials of service in BIND.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, BIND, MES, Mandriva Linux, NetBSD, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 2/4.
Creation date: 25/07/2012.
Identifiers: BID-54658, BID-54659, c03526327, CERTA-2012-AVI-405, CERTA-2012-AVI-601, CERTA-2012-AVI-663, CERTA-2013-AVI-243, CVE-2012-3817, CVE-2012-3868, DSA-2517-1, ESX410-201211001, ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, ESX410-201211407-SG, FEDORA-2012-11146, FEDORA-2012-11153, FreeBSD-SA-12:05.bind, HPSBUX02823, MDVSA-2012:119, NetBSD-SA2012-004, openSUSE-SU-2012:0969-1, openSUSE-SU-2012:0971-1, openSUSE-SU-2013:0605-1, openSUSE-SU-2013:0666-1, RHSA-2012:1122-01, RHSA-2012:1123-01, sol13175, SOL14316, SSA:2012-209-01, SSA:2012-341-01, SSRT100976, SUSE-SU-2012:1048-1, SUSE-SU-2012:1048-2, SUSE-SU-2012:1048-3, VIGILANCE-VUL-11796, VMSA-2012-0016.

Description of the vulnerability

Several vulnerabilities were announced in BIND.

An attacker can send numerous DNSSEC queries, in order to force the use of a cache record that is not yet initialized. An assertion failure then occurs and stops the service. [severity:2/4; BID-54658, CVE-2012-3817]

An attacker can use numerous TCP queries, in order to generate a memory leak, which progressively leads to a denial of service. [severity:2/4; BID-54659, CVE-2012-3868]

With BIND version 9.9, a client can use a recursive query, in order to generate a memory leak. [severity:1/4]

An attacker can send a zero-length reply, in order to stop the daemon. [severity:2/4]

An attacker can therefore send malicious DNS queries or replies, in order to generate several denials of service in BIND.

computer vulnerability CVE-2012-3570 CVE-2012-3571 CVE-2012-3954

ISC DHCP: three vulnerabilities

Synthesis of the vulnerability

An attacker can send malicious packets to an ISC DHCP server, in order to stop it, and possibly to execute code.
Impacted products: Debian, Fedora, ISC DHCP, MES, Mandriva Linux, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 25/07/2012.
Identifiers: BID-54665, CERTA-2012-AVI-406, CVE-2012-3570, CVE-2012-3571, CVE-2012-3954, DSA-2516-1, DSA-2519-1, DSA-2519-2, FEDORA-2012-11079, FEDORA-2012-11110, MDVSA-2012:115, MDVSA-2012:116, openSUSE-SU-2012:1006-1, RHSA-2012:1140-01, RHSA-2012:1141-01, SSA:2012-237-01, SUSE-SU-2012:1002-1, SUSE-SU-2012:1003-1, SUSE-SU-2012:1005-1, VIGILANCE-VUL-11795.

Description of the vulnerability

Several vulnerabilities were announced in ISC DHCP.

An attacker can send a DHCPv6 query with a long Client Identifier, in order to generate a buffer overflow. [severity:3/4; CVE-2012-3570]

An attacker can send a DHCP query with a zero-length Client Identifier, in order to generate an infinite loop. [severity:2/4; CVE-2012-3571]

An attacker can send a malformed query, in order to generate two memory leaks, which progressively lead to a denial of service. [severity:1/4; CVE-2012-3954]

An attacker can therefore send malicious packets to an ISC DHCP server, in order to stop it, and possibly to execute code.

vulnerability alert CVE-2012-3425

libpng: denial of service via png_push_read_zTXt

Synthesis of the vulnerability

An attacker can invite the victim to display a malicious PNG image, in order to generate a denial of service in applications linked to libpng.
Impacted products: libpng, openSUSE, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 24/07/2012.
Identifiers: 668082, BID-54652, CVE-2012-3425, openSUSE-SU-2012:0934-1, SUSE-SU-2012:0989-1, USN-2815-1, VIGILANCE-VUL-11791.

Description of the vulnerability

The libpng library is used by several applications to decode or display PNG images.

The png_push_read_zTXt() function of the pngpread.c file reads zTXt (compressed text) chunks stored in PNG images. However, this function incorrectly computes the position of the compressed data, so libpng tries to read from an invalid memory address.

An attacker can therefore invite the victim to display a malicious PNG image, in order to generate a denial of service in applications linked to libpng.

vulnerability CVE-2012-4048 CVE-2012-4049

Wireshark: two denials of service

Synthesis of the vulnerability

Two vulnerabilities of Wireshark can be used by a remote attacker to create a denial of service.
Impacted products: Debian, MBS, MES, Mandriva Linux, openSUSE, Solaris, SUSE Linux Enterprise Desktop, SLES, Wireshark.
Severity: 1/4.
Creation date: 24/07/2012.
Identifiers: BID-54649, CERTA-2012-AVI-401, CVE-2012-4048, CVE-2012-4049, DSA-2590-1, MDVSA-2012:125, MDVSA-2013:055, openSUSE-SU-2012:0930-1, SUSE-SU-2012:1168-1, VIGILANCE-VUL-11790, wnpa-sec-2012-11, wnpa-sec-2012-12.

Description of the vulnerability

The Wireshark program captures and displays network packets. Protocols are decoded by dissectors, and several of them are affected by vulnerabilities.

An attacker can send a malicious PPP packet, in order to force Wireshark to use an invalid memory address. [severity:1/4; CVE-2012-4048, wnpa-sec-2012-11]

An attacker can send a malicious NFS packet, in order to trigger a long loop in Wireshark. [severity:1/4; CVE-2012-4049, wnpa-sec-2012-12]

computer vulnerability alert CVE-2012-3365

PHP: bypassing open_basedir via SQLite

Synthesis of the vulnerability

When a PHP application uses the SQLite extension, an attacker can send a special URI, in order to access some files, bypassing open_basedir.
Impacted products: Juniper J-Series, JUNOS, SRX-Series, MES, Mandriva Linux, openSUSE, Solaris, PHP, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Creation date: 23/07/2012.
Identifiers: BID-54612, CERTA-2012-AVI-397, CERTFR-2014-AVI-244, CVE-2012-3365, JSA10804, MDVSA-2012:108, openSUSE-SU-2012:0976-1, SUSE-SU-2012:1033-1, SUSE-SU-2012:1034-1, VIGILANCE-VUL-11786.

Description of the vulnerability

The open_basedir configuration directive limits the directories a PHP application is allowed to access.

The PHP SQLite extension can use in-memory databases, which are reachable via the URI "file::memory:...". However, the make_filename_safe() function of the ext/pdo_sqlite/sqlite_driver.c file compares this URI prefix over too short a length, so any URI starting with "file::memory" is accepted.

When a PHP application uses the SQLite extension, an attacker can therefore send a special URI, in order to access some files, bypassing open_basedir.

vulnerability bulletin CVE-2012-2688

PHP: buffer overflow via _php_stream_scandir

Synthesis of the vulnerability

An attacker can create a directory containing numerous entries, in order to create an overflow in the _php_stream_scandir() function, which leads to a denial of service or to code execution.
Impacted products: Debian, Fedora, MES, Mandriva Linux, openSUSE, Solaris, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 20/07/2012.
Identifiers: BID-54638, CERTA-2012-AVI-430, CERTFR-2014-AVI-244, CVE-2012-2688, DSA-2527-1, FEDORA-2012-10908, FEDORA-2012-10936, MDVSA-2012:108, openSUSE-SU-2012:0976-1, RHSA-2013:0514-02, RHSA-2013:1307-01, RHSA-2013:1814-01, SUSE-SU-2012:1033-1, SUSE-SU-2012:1034-1, VIGILANCE-VUL-11783.

Description of the vulnerability

The _php_stream_scandir() function of the main/streams/streams.c file stores in an array the list of files located in a directory.

This function is called, for example, by the PHP scandir() function, which lists the files of a real directory. It is also called by ZipArchive::addPattern(), which adds a list of files to a ZIP archive being built.

However, if the number of files is larger than 2^32/4, an integer overflow occurs, and _php_stream_scandir() allocates a memory area too small to hold the list.

An attacker can therefore create a directory containing numerous entries, in order to create an overflow in the _php_stream_scandir() function, which leads to a denial of service or to code execution.

In order to set up an attack, the attacker has to create several files in a directory that is scanned by PHP code using scandir(). If the attacker is allowed to execute PHP code, they can also write a PHP application which creates a ZIP archive with ZipArchive::addPattern().

vulnerability alert CVE-2012-3401

libtiff: memory corruption via tiff2pdf

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious TIFF image with tiff2pdf, in order to create a denial of service or to execute code.
Impacted products: Debian, Fedora, LibTIFF, MBS, MES, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 19/07/2012.
Identifiers: 837577, BID-54601, CERTA-2012-AVI-434, CVE-2012-3401, DSA-2552-1, FEDORA-2012-10978, FEDORA-2012-11000, MDVSA-2012:127, MDVSA-2013:046, openSUSE-SU-2012:0955-1, RHSA-2012:1590-01, SUSE-SU-2012:0919-1, VIGILANCE-VUL-11781.

Description of the vulnerability

The tiff2pdf tool of the libtiff suite is used to convert a TIFF image to a PDF document.

A TIFF image contains one or more IFDs (Image File Directories), which hold the parameters ("tags") of the image (BitsPerSample, ColorMap, etc.).

The t2p_read_tiff_init() function of the tools/tiff2pdf.c file reads TIFF data. It uses the TIFFSetDirectory() function to move to the next IFD. If the IFD is malformed, TIFFSetDirectory() fails, but t2p_read_tiff_init() does not return an error. The tiff2pdf program thus continues writing to memory.

An attacker can therefore invite the victim to open a malicious TIFF image with tiff2pdf, in order to create a denial of service or to execute code.