The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of TSol

vulnerability alert CVE-2003-1067 CVE-2013-2924 CVE-2013-5821

Solaris: several vulnerabilities of January 2014

Synthesis of the vulnerability

Several vulnerabilities of Solaris were announced in January 2014.
Impacted products: Solaris, Trusted Solaris.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on server, denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 11.
Creation date: 15/01/2014.
Identifiers: BID-64840, BID-64843, BID-64850, BID-64853, BID-64856, BID-64859, BID-64862, BID-64866, BID-64871, BID-64876, CERTA-2014-AVI-031, cpujan2014, CVE-2003-1067, CVE-2013-2924, CVE-2013-5821, CVE-2013-5833, CVE-2013-5834, CVE-2013-5872, CVE-2013-5875, CVE-2013-5876, CVE-2013-5883, CVE-2013-5885, CVE-2014-0390, VIGILANCE-VUL-14091.

Description of the vulnerability

Several vulnerabilities were announced in Solaris.

An attacker can use a vulnerability of Localization (L10N), in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64840, CVE-2003-1067]

An attacker can use a vulnerability of "ps", in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64843, CVE-2013-5834]

An attacker can use a vulnerability of Filesystem, in order to trigger a denial of service. [severity:2/4; BID-64850, CVE-2013-5833]

An attacker can use a vulnerability of Kernel, in order to trigger a denial of service. [severity:2/4; BID-64853, CVE-2013-5876]

An attacker can use a vulnerability of Remote Procedure Call (RPC), in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-64856, CVE-2013-5821]

An attacker can use a vulnerability of Java Web Console, in order to alter information. [severity:2/4; BID-64859, CVE-2014-0390]

An attacker can use a vulnerability of Kernel, in order to alter information, or to trigger a denial of service. [severity:2/4; BID-64862, CVE-2013-5883]

An attacker can use a vulnerability of Role Based Access Control (RBAC), in order to alter information, or to trigger a denial of service. [severity:1/4; BID-64866, CVE-2013-5875]

An attacker can use a vulnerability of Name Service Cache Daemon (NSCD), in order to trigger a denial of service. [severity:1/4; BID-64871, CVE-2013-5872]

An attacker can use a vulnerability of Localization (L10N), in order to trigger a denial of service. [severity:1/4; CVE-2013-2924]

An attacker can use a vulnerability of Audit, in order to alter information. [severity:1/4; BID-64876, CVE-2013-5885]
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2013-5211

ntp.org: distributed denial of service via monlist

Synthesis of the vulnerability

An attacker can use the monlist command of ntp.org, in order to trigger a distributed denial of service.
Impacted products: GAiA, CheckPoint IP Appliance, IPSO, Provider-1, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Cisco Router, Cisco CUCM, Cisco Unified CCX, Cisco MeetingPlace, FreeBSD, HP-UX, AIX, Juniper J-Series, Junos OS, Meinberg NTP Server, NetBSD, NTP.org, openSUSE, Solaris, Trusted Solaris, pfSense, Puppet, Slackware, ESX, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 31/12/2013.
Identifiers: 1532, BID-64692, c04084148, CERTA-2014-AVI-034, CERTFR-2014-AVI-069, CERTFR-2014-AVI-112, CERTFR-2014-AVI-117, CERTFR-2014-AVI-244, CERTFR-2014-AVI-526, CSCtd75033, CSCum44673, CSCum52148, CSCum76937, CSCun84909, CSCur38341, CVE-2013-5211, ESX400-201404001, ESX400-201404402-SG, ESX410-201404001, ESX410-201404402-SG, ESXi400-201404001, ESXi400-201404401-SG, ESXi410-201404001, ESXi410-201404401-SG, ESXi510-201404001, ESXi510-201404101-SG, ESXi510-201404102-SG, ESXi550-201403101-SG, FreeBSD-SA-14:02.ntpd, HPSBUX02960, JSA10613, MBGSA-1401, NetBSD-SA2014-002, openSUSE-SU-2014:0949-1, openSUSE-SU-2014:1149-1, sk98758, SSA:2014-044-02, SSRT101419, VIGILANCE-VUL-14004, VMSA-2014-0002, VMSA-2014-0002.1, VMSA-2014-0002.2, VMSA-2014-0002.4, VMSA-2015-0001.

Description of the vulnerability

The ntp.org service implements the "monlist" command, which returns the list of the last 600 clients that connected to the server.

However, the reply is much larger than the query. Moreover, public NTP servers require no authentication, and the source address of UDP packets can be spoofed.

An attacker can therefore use the monlist command of ntp.org, in order to trigger a distributed denial of service.

vulnerability alert CVE-2013-0398 CVE-2013-3745 CVE-2013-3746

Solaris: several vulnerabilities of July 2013

Synthesis of the vulnerability

Several vulnerabilities of Solaris are fixed by the CPU (Critical Patch Update) of July 2013.
Impacted products: Solaris, Trusted Solaris.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on server, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 16.
Creation date: 17/07/2013.
Identifiers: BID-61230, BID-61239, BID-61245, BID-61247, BID-61248, BID-61250, BID-61254, BID-61258, BID-61259, BID-61261, BID-61263, BID-61266, BID-61267, BID-61271, BID-61273, BID-61275, CERTA-2013-AVI-416, CERTA-2013-AVI-427, cpujuly2013, CVE-2013-0398, CVE-2013-3745, CVE-2013-3746, CVE-2013-3748, CVE-2013-3750, CVE-2013-3752, CVE-2013-3753, CVE-2013-3754, CVE-2013-3757, CVE-2013-3765, CVE-2013-3773, CVE-2013-3786, CVE-2013-3787, CVE-2013-3797, CVE-2013-3799, CVE-2013-3813, VIGILANCE-VUL-13131.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of Solaris.

An attacker can use a vulnerability of Kernel/STREAMS framework, in order to trigger a denial of service. [severity:3/4; BID-61267, CVE-2013-3753]

An attacker can use a vulnerability of Driver/IDM (iSCSI Data Mover), in order to trigger a denial of service. [severity:3/4; BID-61271, CVE-2013-3748]

An attacker can use a vulnerability of Kernel/VM, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-61258, CVE-2013-3750]

An attacker can use a vulnerability of HA for TimesTen, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-61259, CVE-2013-3754]

An attacker can use a vulnerability of Zone Cluster Infrastructure, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-61254, CVE-2013-3746]

An attacker can use a vulnerability of SMF/File Locking Services, in order to alter information, or to trigger a denial of service. [severity:3/4; BID-61263, CVE-2013-3757]

An attacker can use a vulnerability of Kernel, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; BID-61266, CVE-2013-3786]

An attacker can use a vulnerability of Libraries/PAM-Unix, in order to obtain or alter information. [severity:2/4; BID-61230, CVE-2013-3813]

An attacker can use a vulnerability of XSCF Control Package (XCP), in order to trigger a denial of service. [severity:2/4; BID-61247, CVE-2013-3773]

An attacker can use a vulnerability of Utility/Remote Execution Server (in.rexecd), in order to obtain information. [severity:2/4; BID-61250, CVE-2013-0398]

An attacker can use a vulnerability of Kernel, in order to trigger a denial of service. [severity:2/4; BID-61273, CVE-2013-3799]

An attacker can use a vulnerability of Kernel/VM, in order to trigger a denial of service. [severity:2/4; BID-61275, CVE-2013-3765]

An attacker can use a vulnerability of Filesystem/DevFS, in order to trigger a denial of service. [severity:2/4; BID-61239, CVE-2013-3797]

An attacker can use a vulnerability of Service Management Facility (SMF), in order to alter information. [severity:2/4; BID-61245, CVE-2013-3752]

An attacker can use a vulnerability of Kernel, in order to trigger a denial of service. [severity:2/4; BID-61248, CVE-2013-3787]

An attacker can use a vulnerability of Libraries/Libc, in order to trigger a denial of service. [severity:1/4; BID-61261, CVE-2013-3745]

computer vulnerability announce 13077

Solaris: privilege escalation via 144751-01 postinstall

Synthesis of the vulnerability

A local attacker can use the 144751-01 postinstall script, in order to escalate his privileges on Solaris x86.
Impacted products: Solaris, Trusted Solaris.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 09/07/2013.
Identifiers: BID-61025, VIGILANCE-VUL-13077.

Description of the vulnerability

The 144751-01/SUNWos86r/install/postinstall script is executed after the installation of patch 144751-01 on an x86 platform.

This script runs the following command:
  /sbin/sh /tmp/disketterc.d/rcs9.sh "post"

However, if an attacker previously created the /tmp/disketterc.d/rcs9.sh file, the content he placed there is executed with root privileges.

A local attacker can therefore use the 144751-01 postinstall script, in order to escalate his privileges on Solaris x86.

vulnerability announce CVE-2012-0568 CVE-2012-0570 CVE-2013-0403

Solaris: several vulnerabilities of April 2013

Synthesis of the vulnerability

Several vulnerabilities of Solaris are fixed by the CPU of April 2013.
Impacted products: Solaris, Trusted Solaris.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on server, denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 16.
Creation date: 17/04/2013.
Identifiers: BID-59157, BID-59174, BID-59186, BID-59193, BID-59197, BID-59199, BID-59204, BID-59214, BID-59221, BID-59230, BID-59233, BID-59235, BID-59236, BID-59238, BID-59241, BID-59245, CERTA-2013-AVI-252, cpuapr2013, CVE-2012-0568, CVE-2012-0570, CVE-2013-0403, CVE-2013-0404, CVE-2013-0405, CVE-2013-0406, CVE-2013-0408, CVE-2013-0411, CVE-2013-0412, CVE-2013-0413, CVE-2013-1494, CVE-2013-1496, CVE-2013-1498, CVE-2013-1499, CVE-2013-1507, CVE-2013-1530, VIGILANCE-VUL-12682.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of Solaris.

An attacker can use a vulnerability of Filesystem/NFS, in order to obtain or alter information. [severity:2/4; BID-59157, CVE-2013-0405]

An attacker can use a vulnerability of RBAC Configuration, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-59174, CVE-2013-0411]

An attacker can use a vulnerability of Filesystem, in order to create a denial of service. [severity:2/4; BID-59186, CVE-2013-1507]

An attacker can use a vulnerability of Kernel/IO, in order to create a denial of service. [severity:2/4; BID-59199, CVE-2013-1498]

An attacker can use a vulnerability of Kernel/IO, in order to create a denial of service. [severity:2/4; BID-59197, CVE-2013-1496]

An attacker can use a vulnerability of Kernel, in order to create a denial of service. [severity:2/4; BID-59193, CVE-2013-1494]

An attacker can use a vulnerability of CPU performance counters drivers, in order to create a denial of service. [severity:2/4; BID-59204, CVE-2013-0408]

An attacker can use a vulnerability of Remote Execution Service, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-59214, CVE-2013-0413]

An attacker can use a vulnerability of Kernel/IPsec, in order to alter information. [severity:2/4; BID-59245, CVE-2013-0406]

An attacker can use a vulnerability of Kernel, in order to create a denial of service. [severity:2/4; BID-59221, CVE-2013-1530]

An attacker can use a vulnerability of Kernel/Boot, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-59230, CVE-2013-0404]

An attacker can use a vulnerability of pax, in order to alter information, or to create a denial of service. [severity:2/4; BID-59236, CVE-2013-0412]

An attacker can use a vulnerability of Libraries/Libc, in order to create a denial of service. [severity:2/4; BID-59241, CVE-2012-0570]

An attacker can use a vulnerability of Utility/fdformat, in order to obtain information. [severity:2/4; BID-59233, CVE-2012-0568]

An attacker can use a vulnerability of Utility, in order to create a denial of service. [severity:1/4; BID-59235, CVE-2013-0403]

An attacker can use a vulnerability of Network Configuration, in order to create a denial of service. [severity:1/4; BID-59238, CVE-2013-1499]

computer vulnerability announce CVE-2012-3499

Apache httpd: Cross Site Scripting of modules

Synthesis of the vulnerability

An attacker can trigger several Cross Site Scripting attacks in the mod_info, mod_status, mod_imagemap, mod_ldap and mod_proxy_ftp modules, in order to execute JavaScript code in the context of the web site.
Impacted products: Apache httpd, Debian, Fedora, HP-UX, NSMXpress, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, JBoss EAP by Red Hat, Slackware.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 25/02/2013.
Identifiers: BID-58165, c03734195, CERTA-2013-AVI-153, CERTA-2013-AVI-387, CERTA-2013-AVI-543, CERTA-2013-AVI-590, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CERTFR-2015-AVI-286, CVE-2012-3499, DSA-2637-1, FEDORA-2013-4541, HPSBUX02866, JSA10685, MDVSA-2013:015, MDVSA-2013:015-1, openSUSE-SU-2013:0629-1, openSUSE-SU-2013:0632-1, RHSA-2013:0815-01, RHSA-2013:1012-01, RHSA-2013:1013-01, RHSA-2013:1207-01, RHSA-2013:1208-01, RHSA-2013:1209-01, SSA:2013-062-01, SSRT101139, VIGILANCE-VUL-12457.

Description of the vulnerability

The Apache httpd service can use several modules.

However, the mod_info, mod_status, mod_imagemap, mod_ldap and mod_proxy_ftp modules do not correctly validate received data before including it in the generated web document.

An attacker can therefore trigger several Cross Site Scripting attacks in the mod_info, mod_status, mod_imagemap, mod_ldap and mod_proxy_ftp modules, in order to execute JavaScript code in the context of the web site.

vulnerability note CVE-2012-0569 CVE-2012-3178 CVE-2013-0399

Solaris: several vulnerabilities of January 2013

Synthesis of the vulnerability

Several vulnerabilities of Solaris are fixed by the CPU of January 2013.
Impacted products: Solaris, Trusted Solaris.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 8.
Creation date: 16/01/2013.
Identifiers: BID-57393, BID-57395, BID-57398, BID-57399, BID-57402, BID-57403, BID-57406, BID-57407, CERTA-2013-AVI-031, cpujan2013, CVE-2012-0569, CVE-2012-3178, CVE-2013-0399, CVE-2013-0400, CVE-2013-0407, CVE-2013-0414, CVE-2013-0415, CVE-2013-0417, VIGILANCE-VUL-12334.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of Solaris.

An attacker can use a vulnerability of Filesystem/cachefs, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-57398, CVE-2013-0400]

An attacker can use a vulnerability of Utility/Umount, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-57399, CVE-2013-0399]

An attacker can use a vulnerability of Bind, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-57403, CVE-2013-0415]

An attacker can use a vulnerability of Fault Management System (FMS), in order to obtain information. [severity:2/4; BID-57407, CVE-2013-0417]

An attacker can use a vulnerability of Kernel/DTrace, in order to create a denial of service. [severity:1/4; BID-57393, CVE-2013-0407]

An attacker can use a vulnerability of Install/smpatch, in order to obtain or alter information. [severity:2/4; BID-57395, CVE-2012-0569]

An attacker can use a vulnerability of Utility/ksh93, in order to alter information, or to create a denial of service. [severity:1/4; BID-57402, CVE-2013-0414]

An attacker can use a vulnerability of Kernel, in order to create a denial of service. [severity:1/4; BID-57406, CVE-2012-3178]

computer vulnerability bulletin CVE-2012-0217 CVE-2012-3165 CVE-2012-3187

Solaris: several vulnerabilities of October 2012

Synthesis of the vulnerability

Several vulnerabilities of Solaris are corrected by the CPU of October 2012.
Impacted products: Solaris, Trusted Solaris.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on server, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 17.
Creation date: 17/10/2012.
Identifiers: BID-56012, BID-56016, BID-56023, BID-56029, BID-56034, BID-56038, BID-56048, BID-56049, BID-56052, BID-56053, BID-56060, BID-56062, BID-56064, BID-56069, BID-56074, BID-56077, CERTA-2012-AVI-586, cpuoct2012, CVE-2012-0217, CVE-2012-3165, CVE-2012-3187, CVE-2012-3189, CVE-2012-3199, CVE-2012-3203, CVE-2012-3204, CVE-2012-3205, CVE-2012-3206, CVE-2012-3207, CVE-2012-3208, CVE-2012-3209, CVE-2012-3210, CVE-2012-3211, CVE-2012-3212, CVE-2012-3215, CVE-2012-5095, VIGILANCE-VUL-12078, VU#649219.

Description of the vulnerability

A Critical Patch Update corrects several vulnerabilities of Solaris.

A remote attacker can use a vulnerability of Kernel, in order to create a denial of service. [severity:3/4; BID-56077, CVE-2012-3210]

An attacker can use a vulnerability of iSCSI COMSTAR, in order to create a denial of service. [severity:3/4; BID-56064, CVE-2012-3189]

An attacker can use a vulnerability of Gnome Trusted Extension, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-56052, CVE-2012-3199]

An administrator in a 64-bit paravirtualized guest system can use the SYSRET instruction with an invalid RIP, in order to execute code on a host system with a 64-bit Intel processor (VIGILANCE-VUL-11693). [severity:2/4; CVE-2012-0217, VU#649219]

An attacker can use a vulnerability of Gnome Trusted Extension, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-56048, CVE-2012-3204]

An attacker can use a vulnerability of Kernel, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-56060, CVE-2012-3187]

An attacker can use a vulnerability of Logical Domain (LDOM), in order to alter information, or to create a denial of service. [severity:2/4; BID-56074, CVE-2012-3209]

An attacker can use a vulnerability of Kernel, in order to create a denial of service. [severity:2/4; BID-56062, CVE-2012-3207]

An attacker can use a vulnerability of Kernel/RCTL, in order to create a denial of service. [severity:2/4; BID-56069, CVE-2012-3208]

An attacker can use a vulnerability of Kernel, in order to create a denial of service. [severity:3/4; BID-56038, CVE-2012-3212]

An attacker can use a vulnerability of Kernel/System Call, in order to create a denial of service. [severity:2/4; BID-56049, CVE-2012-3211]

An attacker can use a vulnerability of inetd, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-56029, CVE-2012-5095]

An attacker can use a vulnerability of mailx, in order to obtain or alter information. [severity:2/4; BID-56016, CVE-2012-3165]

An attacker can use a vulnerability of SPARC T3/T4, in order to obtain information. [severity:1/4; BID-56023, CVE-2012-3206]

An attacker can use a vulnerability of Gnome Display Manager (GDM), in order to create a denial of service. [severity:1/4; BID-56053, CVE-2012-3203]

An attacker can use a vulnerability of Vino server, in order to alter information. [severity:1/4; BID-56034, CVE-2012-3205]

An attacker can use a vulnerability of Kernel, in order to obtain information. [severity:1/4; BID-56012, CVE-2012-3215]

computer vulnerability announce CVE-2012-2687

Apache httpd: Cross Site Scripting of mod_negotiation

Synthesis of the vulnerability

When an attacker can upload a file into a directory with MultiViews enabled, he can generate a Cross Site Scripting attack via the mod_negotiation module of Apache httpd.
Impacted products: Apache httpd, BIG-IP Hardware, TMOS, Fedora, HP-UX, NSMXpress, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 21/08/2012.
Identifiers: BID-55131, c03734195, c03820647, CERTA-2012-AVI-460, CERTFR-2015-AVI-286, CVE-2012-2687, FEDORA-2013-1661, HPSBUX02866, JSA10685, MDVSA-2012:154, MDVSA-2012:154-1, openSUSE-SU-2013:0243-1, openSUSE-SU-2013:0245-1, openSUSE-SU-2013:0248-1, openSUSE-SU-2013:0629-1, openSUSE-SU-2013:0632-1, openSUSE-SU-2014:1647-1, RHSA-2012:1591-01, RHSA-2012:1592-01, RHSA-2012:1594-01, RHSA-2013:0130-01, RHSA-2013:0512-02, SOL15901, SSRT101139, VIGILANCE-VUL-11877.

Description of the vulnerability

The mod_negotiation module chooses the best document to transmit to the client, based on the client's language and encoding preferences. The MultiViews configuration directive enables this automatic choice of the document.

The make_variant_list() function of the modules/mappers/mod_negotiation.c file generates the list of available documents, which is included in HTTP 300 replies (Multiple Choices). However, filenames are not filtered before being included in the generated HTML code.

When an attacker can upload a file into a directory with MultiViews enabled, he can therefore generate a Cross Site Scripting attack via the mod_negotiation module of Apache httpd.

vulnerability alert CVE-2012-3401

libtiff: memory corruption via tiff2pdf

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious TIFF image with tiff2pdf, in order to create a denial of service or to execute code.
Impacted products: Debian, Fedora, LibTIFF, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 19/07/2012.
Identifiers: 837577, BID-54601, CERTA-2012-AVI-434, CVE-2012-3401, DSA-2552-1, FEDORA-2012-10978, FEDORA-2012-11000, MDVSA-2012:127, MDVSA-2013:046, openSUSE-SU-2012:0955-1, RHSA-2012:1590-01, SUSE-SU-2012:0919-1, VIGILANCE-VUL-11781.

Description of the vulnerability

The tiff2pdf tool of the libtiff suite is used to convert a TIFF image to a PDF document.

A TIFF image contains one or more IFDs (Image File Directories), each indicating specific parameters ("tags") for the image (BitsPerSample, ColorMap, etc.).

The t2p_read_tiff_init() function of the tools/tiff2pdf.c file reads TIFF data. It uses the TIFFSetDirectory() function to skip to the next IFD. If the IFD is malformed, the TIFFSetDirectory() function fails, but the t2p_read_tiff_init() function does not propagate the error. The tiff2pdf program thus continues to write to memory.

An attacker can therefore invite the victim to open a malicious TIFF image with tiff2pdf, in order to create a denial of service or to execute code.