VARIoT IoT vulnerabilities database
| VAR-201103-0280 | CVE-2011-0180 | Apple Mac OS X of HFS Integer overflow vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Integer overflow in HFS in Apple Mac OS X before 10.6.7 allows local users to read arbitrary (1) HFS, (2) HFS+, or (3) HFS+J files via a crafted F_READBOOTSTRAP ioctl call.
A local attacker can exploit this issue to obtain sensitive information that may lead to further attacks. Due to the nature of this issue, local attackers may be able to execute arbitrary code in the context of the kernel, but this has not been confirmed.
Versions prior to OS X 10.6.7 are vulnerable.
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE:
2011-03-22
DISCUSS ADVISORY:
http://secunia.com/advisories/43814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
For more information:
SA40206
3) A format string error within AppleScript Studio when handling
certain commands via dialogs can be exploited to potentially execute
arbitrary code.
4) An unspecified error in the handling of embedded OpenType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
5) Multiple unspecified errors in the handling of embedded TrueType
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
6) Multiple unspecified errors in the handling of embedded Type 1
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
7) Multiple unspecified errors in the handling of SFNT tables in
embedded fonts in Apple Type Services (ATS) can be exploited to cause
a buffer overflow when a specially crafted document is viewed or
downloaded.
8) An integer overflow error in bzip2 can be exploited to terminate
an application using the library or execute arbitrary code via a
specially crafted archive.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
14) An integer overflow error in ImageIO within the handling of XBM
files can be exploited to potentially execute arbitrary code.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be
exploited to install an arbitrary agent by tricking the user into
visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
31) An integer overflow error in QuickTime when handling certain
movie files can be exploited to potentially execute arbitrary code
when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site
redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can
be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
For more information:
SA41652
36) A weakness in Terminal uses SSH version 1 as the default protocol
version when using ssh via the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS
(Denial of Service) or potentially compromise an application using
the library.
For more information:
SA41738
SOLUTION:
Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VSR Security Advisory
http://www.vsecurity.com/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Apple HFS+ Information Disclosure Vulnerability
Release Date: 2011-03-22
Application: Apple OS X kernel (XNU)
Versions: All versions <= xnu-1504.7.4
Severity: Medium
Author: Dan Rosenberg <drosenberg (at) vsecurity (dot) com>
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-0180
Reference: http://www.vsecurity.com/resources/advisory/20110322-1/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Description
- -------------------
- From [1]:
"Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid,
UNIX-based foundation that is engineered for stability, reliability, and
performance. The kernel environment is built on top of Mach 3.0 and provides
high-performance networking facilities and support for multiple, integrated
file systems."
Vulnerability Overview
- ----------------------
On June 30th, VSR identified a vulnerability in HFS+, a filesystem implemented
in the OS X XNU kernel. By exploiting this
vulnerability, an unprivileged user with local access to a machine using HFS+
may be able to read raw filesystem data, bypassing file permissions and
resulting in information disclosure.
Vulnerability Details
- ---------------------
Users may interact with the filesystem using the standard ioctl interface. The ioctl intends to ensure that this
data is restricted to the first 1024 bytes, where bootstrap information is
stored. However, due to an integer overflow in the code that attempts to
enforce this restriction, it is possible for an unprivileged user to use this
ioctl to read large portions of filesystem data outside of this byte range,
leading to an information disclosure vulnerability.
The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:
if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
return EINVAL;
If a user provides values for the fbt_offset and fbt_length members such that
their sum overflows and wraps around to an integer less than 1024, portions of
filesystem data outside the intended range will be read and returned to the
user.
Proof-of-Concept Exploit
- ------------------------
VSR has developed a proof-of-concept exploit [3] to both demonstrate the
severity of this issue as well as allow users and administrators to verify the
existence of the vulnerability.
Versions Affected
- -----------------
Testing was performed on Darwin Kernel Version 10.4.0, xnu-1504.7.4~1, but
review of older source code suggests that all versions of OS X may be affected.
Vendor Response
- ---------------
The following timeline details Apple's response to the reported issue:
2010-07-01 Apple was provided a draft advisory
2010-07-02 Apple acknowledges receipt of advisory
2010-07-22 Request for confirmation of issue
2010-07-25 Apple confirms issue under investigation
2010-09-02 Request for status update
2010-09-02 Apple confirms fix is being tested
2010-10-13 Request for status update
2010-10-14 Apple confirms fix is planned for undetermined date
2010-11-16 Request for status update
2010-11-16 Apple confirms ship date is set for early 2011
2011-01-18 Request for status update
2011-01-18 Apple confirms ship date for early April
2011-03-21 Apple publishes fix
Apple's advisory may be obtained at:
http://support.apple.com/kb/HT4581
Recommendation
- --------------
Apply the fix provided by Apple's OS X security update [2].
Common Vulnerabilities and Exposures (CVE) Information
- ------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2011-0180 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
References:
1. Darwin and Core Technologies
http://developer.apple.com/mac/library/documentation/MacOSX/Conceptual/OSX_Technology_Overview/SystemTechnology/SystemTechnology.html
2. HFS+ F_READBOOTSTRAP information disclosure exploit
http://www.vsecurity.com/download/tools/hfs-dump.c
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.
See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/disclosurepolicy.html
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2011 Virtual Security Research, LLC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk2IyTQACgkQQ1RSUNR+T+h13QCfaDJiFghrnF3/HLMdppiqP/Bq
UrwAn3M/wbWRjXhp/oX1KLZo939FFhNv
=pAH9
-----END PGP SIGNATURE-----
| VAR-201103-0275 | CVE-2011-0175 | Apple Mac OS X of Apple Type Services Vulnerable to buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted embedded TrueType font. Apple Mac OS X is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds check user-supplied input.
Successful exploits may allow an attacker to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to OS X 10.6.7 are vulnerable.
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE:
2011-03-22
DISCUSS ADVISORY:
http://secunia.com/advisories/43814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
For more information:
SA40206
3) A format string error within AppleScript Studio when handling
certain commands via dialogs can be exploited to potentially execute
arbitrary code.
8) An integer overflow error in bzip2 can be exploited to terminate
an application using the library or execute arbitrary code via a
specially crafted archive.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
12) An integer overflow error within the handling of the
F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be
exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be
exploited to install an arbitrary agent by tricking the user into
visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
31) An integer overflow error in QuickTime when handling certain
movie files can be exploited to potentially execute arbitrary code
when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site
redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can
be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
For more information:
SA41652
36) A weakness in Terminal uses SSH version 1 as the default protocol
version when using ssh via the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS
(Denial of Service) or potentially compromise an application using
the library.
For more information:
SA41738
SOLUTION:
Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0274 | CVE-2011-0174 | Apple Mac OS X of Apple Type Services Heap-based buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allows remote attackers to execute arbitrary code via a document that contains a crafted embedded OpenType font. Apple Mac OS X is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to OS X 10.6.7 are vulnerable.
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE:
2011-03-22
DISCUSS ADVISORY:
http://secunia.com/advisories/43814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
For more information:
SA40206
3) A format string error within AppleScript Studio when handling
certain commands via dialogs can be exploited to potentially execute
arbitrary code.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
12) An integer overflow error within the handling of the
F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be
exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be
exploited to install an arbitrary agent by tricking the user into
visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
31) An integer overflow error in QuickTime when handling certain
movie files can be exploited to potentially execute arbitrary code
when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site
redirects can be exploited to disclose video data.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
For more information:
SA41652
36) A weakness in Terminal uses SSH version 1 as the default protocol
version when using ssh via the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS
(Denial of Service) or potentially compromise an application using
the library.
For more information:
SA41738
SOLUTION:
Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0273 | CVE-2011-0173 | Apple Mac OS X Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple format string vulnerabilities in AppleScript in Apple Mac OS X before 10.6.7 allow context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a (1) display dialog or (2) display alert command in a dialog in an AppleScript Studio application. Apple Mac OS X is prone to format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as a format specifier to a formatted-printing function.
An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable AppleScript Studio-based application. Failed exploit attempts will likely result in a denial-of-service condition.
Versions prior to OS X 10.6.7 are vulnerable.
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE:
2011-03-22
DISCUSS ADVISORY:
http://secunia.com/advisories/43814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
4) An unspecified error in the handling of embedded OpenType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
5) Multiple unspecified errors in the handling of embedded TrueType
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
6) Multiple unspecified errors in the handling of embedded Type 1
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
7) Multiple unspecified errors in the handling of SFNT tables in
embedded fonts in Apple Type Services (ATS) can be exploited to cause
a buffer overflow when a specially crafted document is viewed or
downloaded.
8) An integer overflow error in bzip2 can be exploited to terminate
an application using the library or execute arbitrary code via a
specially crafted archive.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
12) An integer overflow error within the handling of the
F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be
exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be
exploited to install an arbitrary agent by tricking the user into
visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
31) An integer overflow error in QuickTime when handling certain
movie files can be exploited to potentially execute arbitrary code
when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site
redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can
be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
For more information:
SA41652
36) A weakness in Terminal uses SSH version 1 as the default protocol
version when using ssh via the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS
(Denial of Service) or potentially compromise an application using
the library.
For more information:
SA41738
SOLUTION:
Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0272 | CVE-2011-0172 | Apple Mac OS X Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
AirPort in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to cause a denial of service (divide-by-zero error and reboot) via Wi-Fi frames on the local wireless network, a different vulnerability than CVE-2011-0162.
Attackers can exploit this issue to cause the system to reset, denying service to legitimate users.
Mac OS X versions through 10.6 to 10.6.6 and Mac OS X Server versions through 10.6 to 10.6.6 are vulnerable.
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE:
2011-03-22
DISCUSS ADVISORY:
http://secunia.com/advisories/43814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
For more information:
SA40206
3) A format string error within AppleScript Studio when handling
certain commands via dialogs can be exploited to potentially execute
arbitrary code.
4) An unspecified error in the handling of embedded OpenType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
5) Multiple unspecified errors in the handling of embedded TrueType
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
6) Multiple unspecified errors in the handling of embedded Type 1
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
7) Multiple unspecified errors in the handling of SFNT tables in
embedded fonts in Apple Type Services (ATS) can be exploited to cause
a buffer overflow when a specially crafted document is viewed or
downloaded.
8) An integer overflow error in bzip2 can be exploited to terminate
an application using the library or execute arbitrary code via a
specially crafted archive.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
12) An integer overflow error within the handling of the
F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be
exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
14) An integer overflow error in ImageIO within the handling of XBM
files can be exploited to potentially execute arbitrary code.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be
exploited to install an arbitrary agent by tricking the user into
visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
For more information:
SA37977
SA42396
21) An error within the "i386_set_ldt()" system call can be exploited
by malicious, local users to execute arbitrary code with system
privileges.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
31) An integer overflow error in QuickTime when handling certain
movie files can be exploited to potentially execute arbitrary code
when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site
redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can
be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
For more information:
SA41652
36) A weakness in Terminal uses SSH version 1 as the default protocol
version when using ssh via the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS
(Denial of Service) or potentially compromise an application using
the library.
For more information:
SA41738
SOLUTION:
Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0276 | CVE-2011-0176 | Apple Mac OS X of Apple Type Services Vulnerable to buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS X before 10.6.7 allow remote attackers to execute arbitrary code via a document that contains a crafted embedded Type 1 font. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within how the Type1Scaler library processes a specially formatted compact font file. When processing this file, the application will corrupt memory outside the bounds of an allocated buffer. This can lead to code execution under the context of the application that utilizes the library. Apple Mac OS X is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds check user-supplied input. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to OS X 10.6.7 are vulnerable.
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is the American Apple ( Apple ) company for Mac A set of special operating systems developed by computers. ZDI-11-108: Mac OS X Compact Font Format Decoder Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-108
March 22, 2011
-- CVE ID:
CVE-2011-0176
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Apple
-- Affected Products:
Apple Preview
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10952.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4581
-- Disclosure Timeline:
2010-12-01 - Vulnerability reported to vendor
2011-03-22 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* geekable
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE:
2011-03-22
DISCUSS ADVISORY:
http://secunia.com/advisories/43814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
For more information:
SA40206
3) A format string error within AppleScript Studio when handling
certain commands via dialogs can be exploited to potentially execute
arbitrary code.
8) An integer overflow error in bzip2 can be exploited to terminate
an application using the library or execute arbitrary code via a
specially crafted archive.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
12) An integer overflow error within the handling of the
F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be
exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be
exploited to install an arbitrary agent by tricking the user into
visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
31) An integer overflow error in QuickTime when handling certain
movie files can be exploited to potentially execute arbitrary code
when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site
redirects can be exploited to disclose video data.
33) An integer truncation error within the Ruby BigDecimal class can
be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
For more information:
SA41652
36) A weakness in Terminal uses SSH version 1 as the default protocol
version when using ssh via the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS
(Denial of Service) or potentially compromise an application using
the library.
For more information:
SA41738
SOLUTION:
Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0287 | CVE-2011-0188 | Ruby of BigDecimal In class VpMemAlloc Vulnerability in arbitrary code execution in function |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue.". Ruby is prone to a remote code-execution vulnerability because it fails to properly sanitize user-supplied input.
A successful exploit can allow an attacker to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
Ruby 1.9.2 is vulnerable; other versions may also be affected.
NOTE: This issue was previously described in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers.
The safe-level feature in Ruby allows context-dependent attackers
to modify strings via the Exception#to_s method, as demonstrated by
changing an intended pathname (CVE-2011-1005). (CVE-2011-0188).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFN2jqhmqjQ0CJFipgRAlnKAKDcf6I3beHFSSrX86ob/PzT+NwtxgCeNgsq
uMw3t7u8fkmaD51bIO3CaIw=
=yXr+
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Ruby: Denial of Service
Date: December 13, 2014
Bugs: #355439, #369141, #396301, #437366, #442580, #458776,
#492282, #527084, #529216
ID: 201412-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Ruby, allowing
context-dependent attackers to cause a Denial of Service condition. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Ruby 1.9 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-1.9.3_p551"
All Ruby 2.0 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.0.0_p598"
References
==========
[ 1 ] CVE-2011-0188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0188
[ 2 ] CVE-2011-1004
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1004
[ 3 ] CVE-2011-1005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1005
[ 4 ] CVE-2011-4815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4815
[ 5 ] CVE-2012-4481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4481
[ 6 ] CVE-2012-5371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5371
[ 7 ] CVE-2013-0269
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0269
[ 8 ] CVE-2013-1821
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1821
[ 9 ] CVE-2013-4164
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4164
[ 10 ] CVE-2014-8080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8080
[ 11 ] CVE-2014-8090
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8090
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-27.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: ruby security update
Advisory ID: RHSA-2011:0910-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0910.html
Issue date: 2011-06-28
CVE Names: CVE-2011-0188 CVE-2011-1004 CVE-2011-1005
=====================================================================
1. Summary:
Updated ruby packages that fix three security issues are now available for
Red Hat Enterprise Linux 6. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to do system management tasks.
A flaw was found in the way large amounts of memory were allocated on
64-bit systems when using the BigDecimal class. This issue did not affect 32-bit systems. (CVE-2011-0188)
A race condition flaw was found in the remove system entries method in the
FileUtils module. If a local user ran a Ruby script that uses this method,
a local attacker could use this flaw to delete arbitrary files and
directories accessible to that user via a symbolic link attack.
(CVE-2011-1004)
A flaw was found in the method for translating an exception message into a
string in the Exception class. A remote attacker could use this flaw to
bypass safe level 4 restrictions, allowing untrusted (tainted) code to
modify arbitrary, trusted (untainted) strings, which safe level 4
restrictions would otherwise prevent. (CVE-2011-1005)
Red Hat would like to thank Drew Yao of Apple Product Security for
reporting the CVE-2011-0188 issue.
All Ruby users should upgrade to these updated packages, which contain
backported patches to resolve these issues.
4. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
678913 - CVE-2011-1004 Ruby: Symlink race condition by removing directory trees in fileutils module
678920 - CVE-2011-1005 Ruby: Untrusted codes able to modify arbitrary strings
682332 - CVE-2011-0188 ruby: memory corruption in BigDecimal on 64bit platforms
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/ruby-1.8.7.299-7.el6_1.1.src.rpm
i386:
ruby-1.8.7.299-7.el6_1.1.i686.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-irb-1.8.7.299-7.el6_1.1.i686.rpm
ruby-libs-1.8.7.299-7.el6_1.1.i686.rpm
x86_64:
ruby-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-irb-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-libs-1.8.7.299-7.el6_1.1.i686.rpm
ruby-libs-1.8.7.299-7.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/ruby-1.8.7.299-7.el6_1.1.src.rpm
i386:
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-devel-1.8.7.299-7.el6_1.1.i686.rpm
ruby-docs-1.8.7.299-7.el6_1.1.i686.rpm
ruby-rdoc-1.8.7.299-7.el6_1.1.i686.rpm
ruby-ri-1.8.7.299-7.el6_1.1.i686.rpm
ruby-static-1.8.7.299-7.el6_1.1.i686.rpm
ruby-tcltk-1.8.7.299-7.el6_1.1.i686.rpm
x86_64:
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-devel-1.8.7.299-7.el6_1.1.i686.rpm
ruby-devel-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-docs-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-rdoc-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-ri-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-static-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-tcltk-1.8.7.299-7.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/ruby-1.8.7.299-7.el6_1.1.src.rpm
x86_64:
ruby-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-devel-1.8.7.299-7.el6_1.1.i686.rpm
ruby-devel-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-docs-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-irb-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-libs-1.8.7.299-7.el6_1.1.i686.rpm
ruby-libs-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-rdoc-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-ri-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-static-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-tcltk-1.8.7.299-7.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/ruby-1.8.7.299-7.el6_1.1.src.rpm
i386:
ruby-1.8.7.299-7.el6_1.1.i686.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-irb-1.8.7.299-7.el6_1.1.i686.rpm
ruby-libs-1.8.7.299-7.el6_1.1.i686.rpm
ppc64:
ruby-1.8.7.299-7.el6_1.1.ppc64.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.ppc.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.ppc64.rpm
ruby-irb-1.8.7.299-7.el6_1.1.ppc64.rpm
ruby-libs-1.8.7.299-7.el6_1.1.ppc.rpm
ruby-libs-1.8.7.299-7.el6_1.1.ppc64.rpm
s390x:
ruby-1.8.7.299-7.el6_1.1.s390x.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.s390.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.s390x.rpm
ruby-irb-1.8.7.299-7.el6_1.1.s390x.rpm
ruby-libs-1.8.7.299-7.el6_1.1.s390.rpm
ruby-libs-1.8.7.299-7.el6_1.1.s390x.rpm
x86_64:
ruby-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-irb-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-libs-1.8.7.299-7.el6_1.1.i686.rpm
ruby-libs-1.8.7.299-7.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/ruby-1.8.7.299-7.el6_1.1.src.rpm
i386:
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-devel-1.8.7.299-7.el6_1.1.i686.rpm
ruby-docs-1.8.7.299-7.el6_1.1.i686.rpm
ruby-rdoc-1.8.7.299-7.el6_1.1.i686.rpm
ruby-ri-1.8.7.299-7.el6_1.1.i686.rpm
ruby-static-1.8.7.299-7.el6_1.1.i686.rpm
ruby-tcltk-1.8.7.299-7.el6_1.1.i686.rpm
ppc64:
ruby-debuginfo-1.8.7.299-7.el6_1.1.ppc.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.ppc64.rpm
ruby-devel-1.8.7.299-7.el6_1.1.ppc.rpm
ruby-devel-1.8.7.299-7.el6_1.1.ppc64.rpm
ruby-docs-1.8.7.299-7.el6_1.1.ppc64.rpm
ruby-rdoc-1.8.7.299-7.el6_1.1.ppc64.rpm
ruby-ri-1.8.7.299-7.el6_1.1.ppc64.rpm
ruby-static-1.8.7.299-7.el6_1.1.ppc64.rpm
ruby-tcltk-1.8.7.299-7.el6_1.1.ppc64.rpm
s390x:
ruby-debuginfo-1.8.7.299-7.el6_1.1.s390.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.s390x.rpm
ruby-devel-1.8.7.299-7.el6_1.1.s390.rpm
ruby-devel-1.8.7.299-7.el6_1.1.s390x.rpm
ruby-docs-1.8.7.299-7.el6_1.1.s390x.rpm
ruby-rdoc-1.8.7.299-7.el6_1.1.s390x.rpm
ruby-ri-1.8.7.299-7.el6_1.1.s390x.rpm
ruby-static-1.8.7.299-7.el6_1.1.s390x.rpm
ruby-tcltk-1.8.7.299-7.el6_1.1.s390x.rpm
x86_64:
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-devel-1.8.7.299-7.el6_1.1.i686.rpm
ruby-devel-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-docs-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-rdoc-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-ri-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-static-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-tcltk-1.8.7.299-7.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/ruby-1.8.7.299-7.el6_1.1.src.rpm
i386:
ruby-1.8.7.299-7.el6_1.1.i686.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-irb-1.8.7.299-7.el6_1.1.i686.rpm
ruby-libs-1.8.7.299-7.el6_1.1.i686.rpm
x86_64:
ruby-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.i686.rpm
ruby-debuginfo-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-irb-1.8.7.299-7.el6_1.1.x86_64.rpm
ruby-libs-1.8.7.299-7.el6_1.1.i686.rpm
ruby-libs-1.8.7.299-7.el6_1.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-0188.html
https://www.redhat.com/security/data/cve/CVE-2011-1004.html
https://www.redhat.com/security/data/cve/CVE-2011-1005.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/
http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
8.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOChFrXlSAg2UNWIIRAqVDAKC4AQkDB5prIP2m6NnD6qfX0sYGkACeOH7K
8UV4ULTNCtKEbwxTKay8Ilk=
=Nsw7
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. (CVE-2011-0188)
It was found that WEBrick (the Ruby HTTP server toolkit) did not filter
terminal escape sequences from its log files. A remote attacker could use
specially-crafted HTTP requests to inject terminal escape sequences into
the WEBrick log files. If a victim viewed the log files with a terminal
emulator, it could result in control characters being executed with the
privileges of that user. (CVE-2009-4492)
A cross-site scripting (XSS) flaw was found in the way WEBrick displayed
error pages. A remote attacker could use this flaw to perform a cross-site
scripting attack against victims by tricking them into visiting a
specially-crafted URL. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE:
2011-03-22
DISCUSS ADVISORY:
http://secunia.com/advisories/43814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
For more information:
SA40206
3) A format string error within AppleScript Studio when handling
certain commands via dialogs can be exploited to potentially execute
arbitrary code.
4) An unspecified error in the handling of embedded OpenType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
5) Multiple unspecified errors in the handling of embedded TrueType
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
6) Multiple unspecified errors in the handling of embedded Type 1
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
7) Multiple unspecified errors in the handling of SFNT tables in
embedded fonts in Apple Type Services (ATS) can be exploited to cause
a buffer overflow when a specially crafted document is viewed or
downloaded.
8) An integer overflow error in bzip2 can be exploited to terminate
an application using the library or execute arbitrary code via a
specially crafted archive.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
12) An integer overflow error within the handling of the
F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be
exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
19) An error in the Install Helper when handling URLs can be
exploited to install an arbitrary agent by tricking the user into
visiting a malicious website.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
31) An integer overflow error in QuickTime when handling certain
movie files can be exploited to potentially execute arbitrary code
when a specially crafted file is viewed.
32) An error within QuickTime plug-in when handling cross-site
redirects can be exploited to disclose video data.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
For more information:
SA41652
36) A weakness in Terminal uses SSH version 1 as the default protocol
version when using ssh via the "New Remote Connection" dialog.
For more information:
SA41738
SOLUTION:
Update to version 10.6.7 or apply Security Update 2011-001.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Content-Disposition: inline
============================================================================
Ubuntu Security Notice USN-1377-1
February 28, 2012
ruby1.8 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in ruby1.8.
Software Description:
- ruby1.8: Interpreter of object-oriented scripting language Ruby 1.8
Details:
Drew Yao discovered that the WEBrick HTTP server was vulnerable to cross-site
scripting attacks when displaying error pages. (CVE-2010-0541)
Drew Yao discovered that Ruby's BigDecimal module did not properly allocate
memory on 64-bit platforms.
(CVE-2011-0188)
Nicholas Jefferson discovered that the FileUtils.remove_entry_secure method in
Ruby did not properly remove non-empty directories. (CVE-2011-1004)
It was discovered that Ruby incorrectly allowed untainted strings to be
modified in protective safe levels. (CVE-2011-1005)
Eric Wong discovered that Ruby does not properly reseed its pseudorandom number
generator when creating child processes. An attacker could use this flaw to
gain knowledge of the random numbers used in other Ruby child processes.
(CVE-2011-2686)
Eric Wong discovered that the SecureRandom module in Ruby did not properly seed
its pseudorandom number generator. An attacker could use this flaw to gain
knowledge of the random numbers used by another Ruby process with the same
process ID number. (CVE-2011-2705)
Alexander Klink and Julian W=E4lde discovered that Ruby computed hash values
without restricting the ability to trigger hash collisions predictably. A
remote attacker could cause a denial of service by crafting values used in hash
tables. (CVE-2011-4815)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
libruby1.8 1.8.7.352-2ubuntu0.1
ruby1.8 1.8.7.352-2ubuntu0.1
Ubuntu 11.04:
libruby1.8 1.8.7.302-2ubuntu0.1
ruby1.8 1.8.7.302-2ubuntu0.1
Ubuntu 10.10:
libruby1.8 1.8.7.299-2ubuntu0.1
ruby1.8 1.8.7.299-2ubuntu0.1
Ubuntu 10.04 LTS:
libruby1.8 1.8.7.249-2ubuntu0.1
ruby1.8 1.8.7.249-2ubuntu0.1
In general, a standard system update will make all the necessary changes
| VAR-201103-0286 | CVE-2011-0187 | Apple Mac OS X of QuickTime Vulnerability in plug-in to retrieve important video data |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The plug-in in QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive video data via vectors involving a cross-site redirect. Apple Mac OS X is prone to a cross-domain information-disclosure vulnerability that occurs in the QuickTime media player.
An attacker can exploit this issue to disclose video data from another site.
Versions prior to OS X 10.6.7 are vulnerable.
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
RELEASE DATE:
2011-03-22
DISCUSS ADVISORY:
http://secunia.com/advisories/43814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) A divide-by-zero error in AirPort when handling Wi-Fi frames can
be exploited to cause a system reset.
2) Multiple vulnerabilities in Apache can be exploited by malicious
people to disclose potentially sensitive information and by malicious
users and malicious people to cause a DoS (Denial of Service).
For more information:
SA40206
3) A format string error within AppleScript Studio when handling
certain commands via dialogs can be exploited to potentially execute
arbitrary code.
4) An unspecified error in the handling of embedded OpenType fonts in
Apple Type Services (ATS) can be exploited to cause a heap-based
buffer overflow when a specially crafted document is viewed or
downloaded.
5) Multiple unspecified errors in the handling of embedded TrueType
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
6) Multiple unspecified errors in the handling of embedded Type 1
fonts in Apple Type Services (ATS) can be exploited to cause a buffer
overflow when a specially crafted document is viewed or downloaded.
7) Multiple unspecified errors in the handling of SFNT tables in
embedded fonts in Apple Type Services (ATS) can be exploited to cause
a buffer overflow when a specially crafted document is viewed or
downloaded.
8) An integer overflow error in bzip2 can be exploited to terminate
an application using the library or execute arbitrary code via a
specially crafted archive.
For more information:
SA41452
9) An error within the "FSFindFolder()" API in CarbonCore when used
with the "kTemporaryFolderType" flag can be exploited to disclose the
contents of arbitrary directories.
10) Multiple errors in ClamAV can be exploited by malicious people to
cause a DoS (Denial of Service) and potentially compromise a
vulnerable system.
For more information:
SA41503
SA42426
11) An unspecified error in the handling of embedded fonts in
CoreText can be exploited to corrupt memory when a specially crafted
document is viewed or downloaded.
12) An integer overflow error within the handling of the
F_READBOOTSTRAP ioctl in HFS, HFS+, and HFS+J filesystems can be
exploited to read arbitrary files.
13) An error in ImageIO within the handling of JPEG files can be
exploited to cause a heap-based buffer overflow.
14) An integer overflow error in ImageIO within the handling of XBM
files can be exploited to potentially execute arbitrary code.
15) An error in libTIFF within the handling of JPEG encoded TIFF
files can be exploited to cause a buffer overflow.
16) An error in libTIFF within the handling of CCITT Group 4 encoded
TIFF files can be exploited to cause a buffer overflow.
17) An integer overflow error in ImageIO within the handling of JPEG
encoded TIFF files can be exploited to potentially execute arbitrary
code.
18) Multiple errors in Image RAW when handling Canon RAW image files
can be exploited to cause buffer overflows.
20) Multiple errors in Kerberos can be exploited by malicious users
and malicious people to conduct spoofing attacks and bypass certain
security features.
22) An integer truncation error within Libinfo when handling NFS RPC
packets can be exploited to cause NFS RPC services to become
unresponsive.
23) An error exists in the libxml library when traversing the XPath.
For more information:
SA42175
24) A double free error exists in the libxml library when handling
XPath expressions.
For more information:
SA42721
25) Two errors in Mailman can be exploited by malicious users to
conduct script insertion attacks.
For more information:
SA41265
26) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions and by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
For more information:
SA39573
SA41724
27) Multiple errors in PHP can be exploited by malicious users and
malicious people to bypass certain security restrictions.
For more information:
SA41724
28) An error in the OfficeImport framework when processing records
containing formulas shared between multiple cells can be exploited to
corrupt memory and potentially execute arbitrary code.
29) An error in QuickLook when handling certain Microsoft Office
files can be exploited to corrupt memory when a specially crafted
document is downloaded.
30) Multiple unspecified errors in QuickTime when handling JPEG2000,
FlashPix, and panorama atoms in QTVR (QuickTime Virtual Reality)
movie files can be exploited to corrupt memory via specially crafted
files.
33) An integer truncation error within the Ruby BigDecimal class can
be exploited to potentially execute arbitrary code.
This vulnerability only affects 64-bit Ruby processes.
34) A boundary error in Samba can be exploited by malicious people to
potentially compromise a vulnerable system.
For more information:
SA41354
35) A security issue in Subversion can be exploited by malicious
people to bypass certain security restrictions.
For more information:
SA41652
36) A weakness in Terminal uses SSH version 1 as the default protocol
version when using ssh via the "New Remote Connection" dialog.
37) Some vulnerabilities in FreeType can be exploited to cause a DoS
(Denial of Service) or potentially compromise an application using
the library.
PROVIDED AND/OR DISCOVERED BY:
15, 16, 33) Reported by the vendor.
The vendor credits:
3) Alexander Strange.
5) Christoph Diehl of Mozilla, Felix Grobert of the Google Security
Team, Marc Schoenefeld of Red Hat Security Response Team, and Tavis
Ormandy and Will Drewry of Google Security Team.
6) Felix Grobert, Google Security Team and geekable via ZDI.
7) Marc Schoenefeld, Red Hat Security Response Team.
11) Christoph Diehl, Mozilla.
12) Dan Rosenberg, Virtual Security Research.
13) Andrzej Dyjak via iDefense.
14) Harry Sintonen.
17) Dominic Chell, NGS Secure.
18) Paul Harrington, NGS Secure.
19) Aaron Sigel, vtty.com.
21) Jeff Mears.
22) Peter Schwenk, University of Delaware.
28) Tobias Klein via iDefense.
29) Charlie Miller and Dion Blazakis via ZDI.
30) Will Dormann of CERT/CC, Damian Put and an anonymous researcher
via ZDI, and Rodrigo Rubira Branco of Check Point Vulnerability
Discovery Team.
31) Honggang Ren, Fortinet's FortiGuard Labs.
32) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR).
36) Matt Warren, HNW Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4581
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-3 OS X Lion v10.7.2 and Security Update 2011-006
OS X Lion v10.7.2 and Security Update 2011-006 is now available and
addresses the following:
Apache
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Multiple vulnerabilities in Apache
Description: Apache is updated to version 2.2.20 to address several
vulnerabilities, the most serious of which may lead to a denial of
service. Further
information is available via the Apache web site at
http://httpd.apache.org/
CVE-ID
CVE-2011-0419
CVE-2011-3192
Application Firewall
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Executing a binary with a maliciously crafted name may lead
to arbitrary code execution with elevated privileges
Description: A format string vulnerability existed in Application
Firewall's debug logging.
CVE-ID
CVE-2011-0185 : an anonymous reporter
ATS
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description: A signedness issue existed in ATS' handling of Type 1
fonts.
CVE-ID
CVE-2011-3437
ATS
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description: An out of bounds memory access issue existed in ATS'
handling of Type 1 fonts.
CVE-ID
CVE-2011-0229 : Will Dormann of the CERT/CC
ATS
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Applications which use the ATSFontDeactivate API may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: A buffer overflow issue existed in the
ATSFontDeactivate API.
CVE-ID
CVE-2011-0230 : Steven Michaud of Mozilla
BIND
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Multiple vulnerabilities in BIND 9.7.3
Description: Multiple denial of service issues existed in BIND
9.7.3. These issues are addressed by updating BIND to version
9.7.3-P3.
These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
Impact: Root certificates have been updated
Description: Several trusted certificates were added to the list of
system roots. Several existing certificates were updated to their
most recent version. The complete list of recognized system roots may
be viewed via the Keychain Access application.
CFNetwork
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Safari may store cookies it is not configured to accept
Description: A synchronization issue existed in CFNetwork's handling
of cookie policies. Safari's cookie preferences may not be honored,
allowing websites to set cookies that would be blocked were the
preference enforced. This update addresses the issue through improved
handling of cookie storage.
CVE-ID
CVE-2011-0231 : Martin Tessarek, Steve Riggins of Geeks R Us, Justin
C. Walker, and Stephen Creswell
CFNetwork
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of HTTP
cookies. When accessing a maliciously crafted HTTP or HTTPS URL,
CFNetwork could incorrectly send the cookies for a domain to a server
outside that domain.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CoreFoundation
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in CoreFoundation's
handling of string tokenization. This update addresses the issue through improved bounds
checking. This issue is addressed through improved origin
tracking.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)
CoreMedia
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of QuickTime movie files.
CVE-ID
CVE-2011-0224 : Apple
CoreProcesses
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A person with physical access to a system may partially
bypass the screen lock
Description: A system window, such as a VPN password prompt, that
appeared while the screen was locked may have accepted keystrokes
while the screen was locked. This issue is addressed by preventing
system windows from requesting keystrokes while the screen is locked.
CVE-ID
CVE-2011-0260 : Clint Tseng of the University of Washington, Michael
Kobb, and Adam Kemp
CoreStorage
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Converting to FileVault does not erase all existing data
Description: After enabling FileVault, approximately 250MB at the
start of the volume was left unencrypted on the disk in an unused
area. Only data which was present on the volume before FileVault was
enabled was left unencrypted. This issue is addressed by erasing this
area when enabling FileVault, and on the first use of an encrypted
volume affected by this issue.
CVE-ID
CVE-2011-3212 : Judson Powers of ATC-NY
File Systems
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: An attacker in a privileged network position may manipulate
HTTPS server certificates, leading to the disclosure of sensitive
information
Description: An issue existed in the handling of WebDAV volumes on
HTTPS servers. If the server presented a certificate chain that could
not be automatically verified, a warning was displayed and the
connection was closed. If the user clicked the "Continue" button in
the warning dialog, any certificate was accepted on the following
connection to that server. An attacker in a privileged network
position may have manipulated the connection to obtain sensitive
information or take action on the server on the user's behalf. This
update addresses the issue by validating that the certificate
received on the second connection is the same certificate originally
presented to the user. When a password is required to wake from
sleep, a person with physical access may be able to access the system
without entering a password if the system is in display sleep mode.
This update addresses the issue by ensuring that the lock screen is
correctly activated in display sleep mode.
CVE-ID
CVE-2011-3214 : Apple
iChat Server
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: A remote attacker may cause the Jabber server to consume
system resources disproportionately
Description: An issue existed in the handling of XML external
entities in jabberd2, a server for the Extensible Messaging and
Presence Protocol (XMPP). jabberd2 expands external entities in
incoming requests. This allows an attacker to consume system
resources very quickly, denying service to legitimate users of the
server. This update addresses the issue by disabling entity expansion
in incoming requests.
CVE-ID
CVE-2011-1755
Kernel
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A person with physical access may be able to access the
user's password
Description: A logic error in the kernel's DMA protection permitted
firewire DMA at loginwindow, boot, and shutdown, although not at
screen lock. This update addresses the issue by preventing firewire
DMA at all states where the user is not logged in.
CVE-ID
CVE-2011-3215 : Passware, Inc.
Kernel
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: An unprivileged user may be able to delete another user's
files in a shared directory
Description: A logic error existed in the kernel's handling of file
deletions in directories with the sticky bit.
CVE-ID
CVE-2011-3216 : Gordon Davisson of Crywolf, Linc Davis, R. Dormer,
and Allan Schmid and Oliver Jeckel of brainworks Training
libsecurity
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description: An error handling issue existed when parsing a
nonstandard certificate revocation list extension.
CVE-ID
CVE-2011-3227 : Richard Godbee of Virginia Tech
Mailman
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in Mailman 2.1.14
Description: Multiple cross-site scripting issues existed in Mailman
2.1.14. These issues are addressed by improved encoding of characters
in HTML output. Further information is available via the Mailman site
at http://mail.python.org/pipermail/mailman-
announce/2011-February/000158.html This issue does not affect OS X
Lion systems.
CVE-ID
CVE-2011-0707
MediaKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Opening a maliciously crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of disk images.
CVE-ID
CVE-2011-3217 : Apple
Open Directory
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Any user may read another local user's password data
Description: An access control issue existed in Open Directory.
CVE-ID
CVE-2011-3435 : Arek Dreyer of Dreyer Network Consultants, Inc, and
Patrick Dunstan at defenseindepth.net
Open Directory
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: An authenticated user may change that account's password
without providing the current password
Description: An access control issue existed in Open Directory.
CVE-ID
CVE-2011-3436 : Patrick Dunstan at defenceindepth.net
Open Directory
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A user may be able to log in without a password
Description: When Open Directory is bound to an LDAPv3 server using
RFC2307 or custom mappings, such that there is no
AuthenticationAuthority attribute for a user, an LDAP user may be
allowed to log in without a password.
CVE-ID
CVE-2011-3226 : Jeffry Strunk of The University of Texas at Austin,
Steven Eppler of Colorado Mesa University, Hugh Cole-Baker, and
Frederic Metoz of Institut de Biologie Structurale
PHP
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in FreeType's handling of
Type 1 fonts. This issue is addressed by updating FreeType to version
2.4.6. Further
information is available via the FreeType site at
http://www.freetype.org/
CVE-ID
CVE-2011-0226
PHP
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Multiple vulnerabilities in libpng 1.4.3
Description: libpng is updated to version 1.5.4 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further
information is available via the PHP website at http://www.php.net/
CVE-ID
CVE-2010-3436
CVE-2010-4645
CVE-2011-0420
CVE-2011-0421
CVE-2011-0708
CVE-2011-1092
CVE-2011-1153
CVE-2011-1466
CVE-2011-1467
CVE-2011-1468
CVE-2011-1469
CVE-2011-1470
CVE-2011-1471
postfix
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: An attacker in a privileged network position may manipulate
mail sessions, resulting in the disclosure of sensitive information
Description: A logic issue existed in Postfix in the handling of the
STARTTLS command. After receiving a STARTTLS command, Postfix may
process other plain-text commands. An attacker in a privileged
network position may manipulate the mail session to obtain sensitive
information from the encrypted traffic. This update addresses the
issue by clearing the command queue after processing a STARTTLS
command. Further
information is available via the Postfix site at
http://www.postfix.org/announcements/postfix-2.7.3.html
CVE-ID
CVE-2011-0411
python
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Multiple vulnerabilities in python
Description: Multiple vulnerabilities existed in python, the most
serious of which may lead to arbitrary code execution. This update
addresses the issues by applying patches from the python project.
Further information is available via the python site at
http://www.python.org/download/releases/
CVE-ID
CVE-2010-1634
CVE-2010-2089
CVE-2011-1521
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in
QuickTime's handling of movie files.
CVE-ID
CVE-2011-3228 : Apple
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSC
atoms in QuickTime movie files.
CVE-ID
CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSS
atoms in QuickTime movie files.
CVE-ID
CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSZ
atoms in QuickTime movie files.
CVE-ID
CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STTS
atoms in QuickTime movie files.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: An attacker in a privileged network position may inject
script in the local domain when viewing template HTML
Description: A cross-site scripting issue existed in QuickTime
Player's "Save for Web" export. The template HTML files generated by
this feature referenced a script file from a non-encrypted origin. An
attacker in a privileged network position may be able to inject
malicious scripts in the local domain if the user views a template
file locally. This issue is resolved by removing the reference to an
online script.
CVE-ID
CVE-2011-3218 : Aaron Sigel of vtty.com
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
H.264 encoded movie files.
CVE-ID
CVE-2011-3219 : Damian Put working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
QuickTime's handling of URL data handlers within movie files.
CVE-ID
CVE-2011-3220 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An implementation issue existed in QuickTime's handling
of the atom hierarchy within a movie file.
CVE-ID
CVE-2011-3221 : an anonymous researcher working with TippingPoint's
Zero Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted FlashPix file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
FlashPix files.
CVE-ID
CVE-2011-3222 : Damian Put working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
FLIC files.
CVE-ID
CVE-2011-3223 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
SMB File Server
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A guest user may browse shared folders
Description: An access control issue existed in the SMB File Server.
Disallowing guest access to the share point record for a folder
prevented the '_unknown' user from browsing the share point but not
guests (user 'nobody'). This issue is addressed by applying the
access control to the guest user. Tomcat is only provided on Mac OS X Server systems. Further information is
available via the Tomcat site at http://tomcat.apache.org/
CVE-ID
CVE-2010-1157
CVE-2010-2227
CVE-2010-3718
CVE-2010-4172
CVE-2011-0013
CVE-2011-0534
User Documentation
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: An attacker in a privileged network position may manipulate
App Store help content, leading to arbitrary code execution
Description: App Store help content was updated over HTTP. This
update addresses the issue by updating App Store help content over
HTTPS.
CVE-ID
CVE-2011-3224 : Aaron Sigel of vtty.com
Web Server
Available for: Mac OS X Server v10.6.8
Impact: Clients may be unable to access web services that require
digest authentication
Description: An issue in the handling of HTTP Digest authentication
was addressed. Users may be denied access to the server's resources,
when the server configuration should have allowed the access. This
issue does not represent a security risk, and was addressed to
facilitate the use of stronger authentication mechanisms. Systems
running OS X Lion Server are not affected by this issue.
X11
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Multiple vulnerabilities in libpng
Description: Multiple vulnerabilities existed in libpng, the most
serious of which may lead to arbitrary code execution. These issues
are addressed by updating libpng to version 1.5.4 on OS Lion systems,
and to 1.2.46 on Mac OS X v10.6 systems. Further information is
available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-2690
CVE-2011-2691
CVE-2011-2692
OS X Lion v10.7.2 also includes Safari 5.1.1. For information on
the security content of Safari 5.1.1, please visit:
http://support.apple.com/kb/HT5000
OS X Lion v10.7.2 and Security Update 2011-006 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration.
For OS X Lion v10.7.1
The download file is named: MacOSXUpd10.7.2.dmg
Its SHA-1 digest is: 37f784e08d4461e83a891a7f8b8af24c2ceb8229
For OS X Lion v10.7
The download file is named: MacOSXUpdCombo10.7.2.dmg
Its SHA-1 digest is: accd06d610af57df24f62ce7af261395944620eb
For OS X Lion Server v10.7.1
The download file is named: MacOSXServerUpd10.7.2.dmg
Its SHA-1 digest is: e4084bf1dfa295a42f619224d149e515317955da
For OS X Lion Server v10.7
The download file is named: MacOSXServerUpdCombo10.7.2.dmg
Its SHA-1 digest is: 25e86f5cf97b6644c7a025230431b1992962ec4a
For Mac OS X v10.6.8
The download file is named: SecUpd2011-006Snow.dmg
Its SHA-1 digest is: 0f9c29610a06370d0c85a4c92dc278a48ba17a84
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2011-006.dmg
Its SHA-1 digest is: 12de3732710bb03059f93527189d221c97ef8a06
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlc/zAAoJEGnF2JsdZQeeWFcH/RDHS+dCP8T4a92uYRIbs9T3
TFbT7hnOoTB0H+2eN3oziLNime2N4mO921heHobiAKSXv/luU41ZPHxVd6rE77Md
/BHDqLv65RA0XFTIPmrTcfpLhI5UgXDLfOLrsmdwTm52l5zQZkoxufYFf3mB3h7U
ZJUD1s081Pjy45/Cbao097+JrDwS7ahhgkvTmpmSvJK/wWRz4JtZkvIYcQ2uQFR4
sTg4l6pmi3d8sJJ4wzrEaxDpclRjvjURI4DiBMYwGAXeCMRgYi0y03tYtkjXoaSG
69h2yD8EXQBuJkDyouak7/M/eMwUfb2S6o1HyXTldjdvFBFvvwvl+Y3xp8YmDzU=
=gsvn
-----END PGP SIGNATURE-----
.
CVE-ID
CVE-2011-3254 : Rick Deacon
CFNetwork
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: User's AppleID password may be logged to a local file
Description: A user's AppleID password and username were logged to a
file that was readable by applications on the system. This is
resolved by no longer logging these credentials.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)
Data Access
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An exchange mail cookie management issue could incorrectly
cause data synchronization across different accounts
Description: When multiple mail exchange accounts are configured
which connect to the same server, a session could potentially receive
a valid cookie corresponding to a different account. This issue is
addressed by ensuring that cookies are separated across different
accounts.
CVE-ID
CVE-2011-3257 : Bob Sielken of IBM
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Fraudulent certificates were issued by multiple
certificate authorities operated by DigiNotar.
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Support for X.509 certificates with MD5 hashes may expose
users to spoofing and information disclosure as attacks improve
Description: Certificates signed using the MD5 hash algorithm were
accepted by iOS. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure.
CVE-ID
CVE-2011-3427
Data Security
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker could decrypt part of a SSL connection
Description: Only the SSLv3 and TLS 1.0 versions of SSL were
supported. These versions are subject to a protocol weakness when
using block ciphers. A man-in-the-middle attacker could have injected
invalid data, causing the connection to close but revealing some
information about the previous data. If the same connection was
attempted repeatedly the attacker may eventually have been able to
decrypt the data being sent, such as a password.
CVE-ID
CVE-2011-3389
Home screen
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Switching between applications may lead to the disclosure of
sensitive application information
Description: When switching between applications with the four-
finger app switching gesture, the display could have revealed the
previous application state. This issue is addressed by ensuring that
the system properly calls the applicationWillResignActive: method
when transitioning between applications.
CVE-ID
CVE-2011-3431 : Abe White of Hedonic Software Inc.
CVE-ID
CVE-2011-0206 : David Bienvenu of Mozilla
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A remote attacker may cause a device reset
Description: The kernel failed to promptly reclaim memory from
incomplete TCP connections.
CVE-ID
CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders
Kernel
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A local user may be able to cause a system reset
Description: A null dereference issue existed in the handling of
IPV6 socket options.
CVE-ID
CVE-2011-1132 : Thomas Clement of Intego
Keyboards
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A user may be able to determine information about the last
character of a password
Description: The keyboard used to type the last character of a
password was briefly displayed the next time the keyboard was used.
CVE-ID
CVE-2011-0184 : Tobias Klein working with iDefense VCP
Safari
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Opening maliciously crafted files on certain websites may
lead to a cross-site scripting attack
Description: iOS did not support the 'attachment' value for the HTTP
Content-Disposition header. This header is used by many websites to
serve files that were uploaded to the site by a third-party, such as
attachments in web-based e-mail applications.
CVE-ID
CVE-2011-3426 : Christian Matthies working with iDefense VCP,
Yoshinori Oota from Business Architects Inc working with JP/CERT
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: An attacker with physical access to a device may be able to
recover the restrictions passcode
Description: The parental restrictions functionality enforces UI
restrictions. Configuring parental restrictions is protected by a
passcode, which was previously stored in plaintext on disk. This
issue is addressed by securely storing the parental restrictions
passcode in the system keychain.
CVE-ID
CVE-2011-3429 : an anonymous reporter
Settings
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Misleading UI
Description: Configurations and settings applied via configuration
profiles did not appear to function properly under any non-English
language. Settings could be improperly displayed as a result.
CVE-ID
CVE-2011-3430 : Florian Kreitmaier of Siemens CERT
UIKit Alerts
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a malicious website may cause an unexpected device
hang
Description: An excessive maximum text layout length permitted
malicious websites to cause iOS to hang when drawing acceptance
dialogs for very long tel: URIs.
CVE-ID
CVE-2011-0218 : SkyLined of Google Chrome Security Team
CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS
Research Team, and Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative
CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0234 : Rob King working with TippingPoint's Zero Day
Initiative, wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-0238 : Adam Barth of Google Chrome Security Team
CVE-2011-0254 : An anonymous researcher working with TippingPoint's
Zero Day Initiative
CVE-2011-0255 : An anonymous reporter working with TippingPoint's
Zero Day Initiative
CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc
CVE-2011-0983 : Martin Barbella
CVE-2011-1109 : Sergey Glazunov
CVE-2011-1114 : Martin Barbella
CVE-2011-1115 : Martin Barbella
CVE-2011-1117 : wushi of team509
CVE-2011-1121 : miaubiz
CVE-2011-1188 : Martin Barbella
CVE-2011-1203 : Sergey Glazunov
CVE-2011-1204 : Sergey Glazunov
CVE-2011-1288 : Andreas Kling of Nokia
CVE-2011-1293 : Sergey Glazunov
CVE-2011-1296 : Sergey Glazunov
CVE-2011-1449 : Marek Majkowski
CVE-2011-1451 : Sergey Glazunov
CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day
Initiative
CVE-2011-1457 : John Knottenbelt of Google
CVE-2011-1462 : wushi of team509
CVE-2011-1797 : wushi of team509
CVE-2011-2338 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2339 : Cris Neckar of the Google Chrome Security Team
CVE-2011-2341 : Apple
CVE-2011-2351 : miaubiz
CVE-2011-2352 : Apple
CVE-2011-2354 : Apple
CVE-2011-2356 : Adam Barth and Abhishek Arya of Google Chrome
Security Team using AddressSanitizer
CVE-2011-2359 : miaubiz
CVE-2011-2788 : Mikolaj Malecki of Samsung
CVE-2011-2790 : miaubiz
CVE-2011-2792 : miaubiz
CVE-2011-2797 : miaubiz
CVE-2011-2799 : miaubiz
CVE-2011-2809 : Abhishek Arya (Inferno) of Google Chrome Security
Team
CVE-2011-2813 : Cris Neckar of Google Chrome Security Team using
AddressSanitizer
CVE-2011-2814 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2816 : Apple
CVE-2011-2817 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-2818 : Martin Barbella
CVE-2011-2820 : Raman Tenneti and Philip Rogers of Google
CVE-2011-2823 : SkyLined of Google Chrome Security Team
CVE-2011-2827 : miaubiz
CVE-2011-2831 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3232 : Aki Helin of OUSPG
CVE-2011-3234 : miaubiz
CVE-2011-3235 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3236 : Abhishek Arya (Inferno) of Google Chrome Security
Team using AddressSanitizer
CVE-2011-3237 : Dimitri Glazkov, Kent Tamura, Dominic Cooney of the
Chromium development community, and Abhishek Arya (Inferno) of Google
Chrome Security Team
CVE-2011-3244 : vkouchna
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-origin issue existed in the handling of URLs
with an embedded username.
CVE-ID
CVE-2011-1295 : Sergey Glazunov
WebKit
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: A maliciously crafted website may be able to cause a
different URL to be shown in the address bar
Description: A URL spoofing issue existed in the handling of the DOM
history object. Visiting a maliciously crafted website may lead to arbitrary
files being created with the privileges of the user, which may lead
to arbitrary code execution.
CVE-ID
CVE-2011-0166 : Michal Zalewski of Google Inc.
CVE-ID
CVE-2011-2800 : Juho Nurminen
WiFi
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4,
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later,
iOS 3.2 through 4.3.5 for iPad
Impact: WiFi credentials may be logged to a local file
Description: WiFi credentials including the passphrase and
encryption keys were logged to a file that was readable by
applications on the system. This is resolved by no longer logging
these credentials. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone, iPod touch or iPad is docked, iTunes will present the
user with the option to install the update. We recommend applying
the update immediately if possible. Selecting Don't Install will
present the option the next time you connect your iPhone, iPod touch,
or iPad.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone, iPod touch, or iPad
is docked to your computer.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"5 (9A334)"
| VAR-201103-0365 | No CVE | Unknown security vulnerability exists in OpenSCAP |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
OpenSCAP is an open source framework that integrates secure content automation protocols. There are unspecified security errors in OpenSCAP. No detailed vulnerability details are currently available. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March).
http://secunia.com/company/events/mms_2011/
----------------------------------------------------------------------
TITLE:
OpenSCAP Unspecified Vulnerability
SECUNIA ADVISORY ID:
SA43740
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43740/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43740
RELEASE DATE:
2011-03-17
DISCUSS ADVISORY:
http://secunia.com/advisories/43740/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43740/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43740
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability with unknown impacts has been reported in OpenSCAP.
The vulnerability is reported in versions prior to 0.7.1.
SOLUTION:
Update to version 0.7.1.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
https://www.redhat.com/archives/open-scap-list/2011-March/msg00001.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0358 | No CVE | ABBS Electronic Flash Cards Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
ABBS is an architectural portal. ABBS Electronic Flash Cards has a buffer overflow vulnerability that allows an attacker to exploit a vulnerability message for a malicious attack
| VAR-201103-0361 | No CVE | ABBS Audio Media Player Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
ABBS is an architectural portal. ABBS Audio Media Player has a buffer overflow vulnerability that allows an attacker to exploit a vulnerability message for a malicious attack
| VAR-201107-0263 | CVE-2011-2963 |
Progea Movicon of TCPUploadServer.exe Vulnerability in which important information is obtained
Related entries in the VARIoT exploits database: VAR-E-201103-0597 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
TCPUploadServer.exe in Progea Movicon 11.2 before Build 1084 does not require authentication for critical functions, which allows remote attackers to obtain sensitive information, delete files, execute arbitrary programs, or cause a denial of service (crash) via a crafted packet to TCP port 10651. Progea Movicon is a new generation of automated monitoring software. A vulnerability exists in TCPUploadServer.exe provided by Progea Movicon that allows remote unauthenticated hosts to execute arbitrary commands on the server. The attacker sends a specially crafted message to the server TCP port 10651, which allows the system to respond to the OS version and driver information. In addition, an attacker sending a specially crafted message can cause the file to be deleted or the server to crash. Progea Movicon is prone to a security-bypass vulnerability.
An attacker can exploit this issue to perform unauthorized actions, obtain sensitive information, and cause denial-of-service conditions.
Versions prior to Movicon 11.2 Build 1084 are vulnerable
| VAR-201103-0371 | No CVE | SAP Crystal Reports Server Parameter input vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
SAP Crystal Reports Server is a complete reporting solution for creating, managing, and delivering reports through the web or embedded enterprise applications. There is an input validation error in SAP Crystal Reports Server. The input passed to aa-open-inlist.jsp via the \"url\", \"sWindow\", \"BEGIN_DATE\", \"END_DATE\", \"CURRENT_DATE\" and \"CURRENT_SLICE\" parameters is missing before returning to the user. Filtering can lead to cross-site scripting attacks
| VAR-201103-0376 | No CVE | Trend Micro WebReputation API URI Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
Trend Micro WebReputation API technology can be used to prevent clients from accessing suspicious web sites. The Trend Micro WebReputation API has a security bypass vulnerability that allows an attacker to bypass the filters contained in the download mechanism and successfully exploit the vulnerability to allow target users to download malicious files to the system. Trend Micro WebReputation API is prone to a security-bypass vulnerability. Successful exploits may cause victims to download malicious files onto affected computers.
This issue affects WebReputation API 10.5; other versions may also be vulnerable
| VAR-201209-0611 | CVE-2011-5154 |
SAP GUI DLL Load arbitrary code execution vulnerability
Related entries in the VARIoT exploits database: VAR-E-201103-0599 |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Multiple untrusted search path vulnerabilities in (1) SAPGui.exe and (2) BExAnalyzer.exe in SAP GUI 6.4 through 7.2 allow local users to gain privileges via a Trojan horse MFC80LOC.DLL file in the current working directory, as demonstrated by a directory that contains a .sap file. NOTE: some of these details are obtained from third party information. SAP GUI of (1) SAPGui.exe Or (2) BExAnalyzer.exe Contains a vulnerability that allows it to get permission due to a flaw in search path processing. Supplementary information : CWE Vulnerability type by CWE-426: Untrusted Search Path ( Unreliable search path ) Has been identified. MFC80LOC.DLL It may be possible to get permission through the file. The SAP GUI is a graphical user interface client for SAP software. SAP GUI applications (such as SAPGui.exe and BExAnalyzer.exe) load libraries (such as MFC80LOC.DLL) in an unsafe manner, and an attacker can entice a user to open an SAP GUI shortcut on a remote WebDAV or SMB share (\".sap\" A file that causes arbitrary code to be executed in the login user security context.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
SAP GUI versions 6.4 through 7.2 are vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SAP GUI Insecure Library Loading Vulnerability
SECUNIA ADVISORY ID:
SA43707
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43707/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43707
RELEASE DATE:
2011-03-16
DISCUSS ADVISORY:
http://secunia.com/advisories/43707/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43707/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43707
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in SAP GUI, which can be exploited
by malicious people to compromise a user's system.
The vulnerability is caused due to the application (e.g SAPGui.exe
and BExAnalyzer.exe) loading libraries (e.g. MFC80LOC.DLL) in an
insecure manner. This can be exploited to load arbitrary libraries by
tricking a user into e.g.
Successful exploitation allows execution of arbitrary code.
SOLUTION:
Apply fixes (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Alexey Sintsov and Alexandr Polyakov, Digital Security Research Group
(DSecRG)
ORIGINAL ADVISORY:
SAP:
https://service.sap.com/sap/support/notes/1511179
Digital Security Research Group (DSECRG-11-014):
http://dsecrg.com/pages/vul/show.php?id=314
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0360 | No CVE | SAP NetWeaver Parameter vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. SAP NetWeaver has input validation errors. Passing the \"logger\" parameter to the ViewLogger.jsp and \"class\" parameters passed to the ShowMemLog servlet. Inputs are missing before use, which can result in injecting arbitrary HTML and script code when the malicious data is viewed. Executed on the user's browser. The input of the \"logonUrl\" parameter is missing filtering before returning to the user, which can lead to cross-site scripting attacks. SAP Netweaver is prone to multiple cross-site scripting vulnerabilities and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SAP NetWeaver Cross-Site Scripting and Script Insertion
Vulnerabilities
SECUNIA ADVISORY ID:
SA43737
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43737/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43737
RELEASE DATE:
2011-03-14
DISCUSS ADVISORY:
http://secunia.com/advisories/43737/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43737/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43737
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in SAP NetWeaver, which
can be exploited by malicious users to conduct script insertion
attacks and by malicious people to conduct cross-site scripting
attacks.
SOLUTION:
Apply fixes (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
1, 3, 4) Dmitriy Evdokimov, Digital Security Research Group (DSecRG)
2) Alexey Sintsov, Digital Security Research Group (DSecRG)
ORIGINAL ADVISORY:
SAP:
https://service.sap.com/sap/support/notes/1438191
https://service.sap.com/sap/support/notes/1450270
https://service.sap.com/sap/support/notes/1512776
Digital Security Research Group (DSECRG-11-009, DSECRG-11-010,
DSECRG-11-012, DSECRG-11-013):
http://dsecrg.com/pages/vul/show.php?id=309
http://dsecrg.com/pages/vul/show.php?id=310
http://dsecrg.com/pages/vul/show.php?id=312
http://dsecrg.com/pages/vul/show.php?id=313
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0073 | CVE-2011-0609 | Adobe Flash Player contains unspecified code execution vulnerability |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
Unspecified vulnerability in Adobe Flash Player 10.2.154.13 and earlier on Windows, Mac OS X, Linux, and Solaris; 10.1.106.16 and earlier on Android; Adobe AIR 2.5.1 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.2 and 10.x through 10.0.1 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, as demonstrated by a .swf file embedded in an Excel spreadsheet, and as exploited in the wild in March 2011. Adobe Flash contains an arbitrary code execution vulnerability. Adobe Flash contains a memory corruption vulnerability that may lead to arbitrary code execution. Attacks leveraging this vulnerability have been confirmed.Crafted Flash Viewing a document with embedded content may lead to arbitrary code execution. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Both Adobe Reader and Acrobat are products of the American company Adobe. Adobe Reader is a free PDF file reader, and Acrobat is a PDF file editing and conversion tool. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Unspecified Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA43751
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43751/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43751
RELEASE DATE:
2011-03-16
DISCUSS ADVISORY:
http://secunia.com/advisories/43751/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43751/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43751
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Adobe Flash Player, which can be
exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error. Further
information is currently not available.
The vulnerability is reported in versions 10.2.152.33 and prior for
Windows, Macintosh, Linux, and Solaris, versions 10.2.154.18 and
prior for Chrome, and versions 10.1.106.16 and prior for Android.
NOTE: The vulnerability is reportedly being actively exploited.
SOLUTION:
Adobe plans to release a fixed version during the week of March 21,
2011.
PROVIDED AND/OR DISCOVERED BY:
Reported as a 0-day.
ORIGINAL ADVISORY:
http://www.adobe.com/support/security/advisories/apsa11-01.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
For more information:
SA43751
SOLUTION:
Do not browse untrusted sites. ----------------------------------------------------------------------
Meet Secunia @ Microsoft Management Summit (MMS) in Las Vegas, USA (21-25 March). This fixes a
vulnerability, which can be exploited by malicious people to
compromise a user's system.
For more information:
SA43751
SOLUTION:
Updated packages are available via Red Hat Network.
SOLUTION:
Delete, rename, or remove access to authplay.dll to prevent running
SWF content in PDF files.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers and Adobe Security Advisories and
Bulletins referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201103-0384 | No CVE | Comtrend CT-5367 \"password.cgi\" Secure Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Comtrend CT-5367 ADSL Router is an ADSL router. Since the device allows unauthenticated access to the \"password.cgi\" script, a remote attacker can gain access to the device by submitting a specially crafted HTTP request, changing the administrator password. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Comtrend CT-5367 "password.cgi" Security Bypass Vulnerability
SECUNIA ADVISORY ID:
SA43653
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43653/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43653
RELEASE DATE:
2011-03-11
DISCUSS ADVISORY:
http://secunia.com/advisories/43653/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43653/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43653
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Comtrend CT-5367, which can be
exploited by malicious people to bypass certain security
restrictions.
The vulnerability is caused due to the device allowing unrestricted
access to the "password.cgi" script. This can be exploited to e.g.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
Todor Donev
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201103-0082 | CVE-2011-1416 | RIM of BlackBerry Torch 9800 Vulnerability in reading content in memory area |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Research In Motion (RIM) BlackBerry Torch 9800 with firmware 6.0.0.246 allows attackers to read the contents of memory locations via unknown vectors, as demonstrated by Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann during a Pwn2Own competition at CanSecWest 2011. Blackberry Torch 9800 is prone to a remote security vulnerability. This vulnerability has been demonstrated by Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann in the Pwn2Own hacking contest at CanSecWest 2011
| VAR-201103-0081 | CVE-2011-1415 | Research In Motion BlackBerry Torch WebKit Integer overflow vulnerability |
CVSS V2: - CVSS V3: - Severity: CRITICAL |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-1290. Reason: This candidate is a duplicate of CVE-2011-1290. Notes: All CVE users should reference CVE-2011-1290 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. An integer overflow vulnerability exists in WebKit in Research In Motion (RIM) BlackBerry Torch 9800 with firmware version 6.0.0.246. A remote attacker can execute arbitrary code with the help of an unknown vector. This vulnerability has been demonstrated by Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann in the Pwn2Own hacking contest at CanSecWest 2011