VARIoT IoT vulnerabilities database
| VAR-201203-0194 | CVE-2011-3038 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to multi-column handling. Google Chrome Has a deficiency in processing related to multi-columns, resulting in disruption of service operations. (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected. This vulnerability Webkit Vulnerability in Google Chrome Other than Webkit Products that use may also be affected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. Google Chrome is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). ============================================================================
Ubuntu Security Notice USN-1617-1
October 25, 2012
webkit vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libjavascriptcoregtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libjavascriptcoregtk-3.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-3.0-0 1.8.3-0ubuntu0.12.04.1
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1617-1
CVE-2011-3031, CVE-2011-3038, CVE-2011-3042, CVE-2011-3043,
CVE-2011-3044, CVE-2011-3051, CVE-2011-3053, CVE-2011-3059,
CVE-2011-3060, CVE-2011-3064, CVE-2011-3067, CVE-2011-3076,
CVE-2011-3081, CVE-2011-3086, CVE-2011-3090, CVE-2012-1521,
CVE-2012-3598, CVE-2012-3601, CVE-2012-3604, CVE-2012-3611,
CVE-2012-3612, CVE-2012-3617, CVE-2012-3625, CVE-2012-3626,
CVE-2012-3627, CVE-2012-3628, CVE-2012-3645, CVE-2012-3652,
CVE-2012-3657, CVE-2012-3669, CVE-2012-3670, CVE-2012-3671,
CVE-2012-3672, CVE-2012-3674, CVE-2012-3674, https://launchpad.net/bugs/1058339
Package Information:
https://launchpad.net/ubuntu/+source/webkit/1.8.3-0ubuntu0.12.04.1
. This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0193 | CVE-2011-3037 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Google Chrome before 17.0.963.65 does not properly perform casts of unspecified variables during the splitting of anonymous blocks, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document. (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected. This vulnerability Webkit Vulnerability in Google Chrome Other than Webkit Products that use may also be affected.Denial of service operations through crafted documents by third parties (DoS) May be affected or unknown in detail. Google Chrome is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0199 | CVE-2011-3043 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a flexbox (aka flexible box) in conjunction with the floating of elements. Google Chrome There is a service disruption (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected. This vulnerability Webkit Vulnerability in Google Chrome Other than Webkit Products that use may also be affected.Service disruption by a third party (DoS) You may be put into a state or affected by other details.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). ============================================================================
Ubuntu Security Notice USN-1617-1
October 25, 2012
webkit vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libjavascriptcoregtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libjavascriptcoregtk-3.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-3.0-0 1.8.3-0ubuntu0.12.04.1
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1617-1
CVE-2011-3031, CVE-2011-3038, CVE-2011-3042, CVE-2011-3043,
CVE-2011-3044, CVE-2011-3051, CVE-2011-3053, CVE-2011-3059,
CVE-2011-3060, CVE-2011-3064, CVE-2011-3067, CVE-2011-3076,
CVE-2011-3081, CVE-2011-3086, CVE-2011-3090, CVE-2012-1521,
CVE-2012-3598, CVE-2012-3601, CVE-2012-3604, CVE-2012-3611,
CVE-2012-3612, CVE-2012-3617, CVE-2012-3625, CVE-2012-3626,
CVE-2012-3627, CVE-2012-3628, CVE-2012-3645, CVE-2012-3652,
CVE-2012-3657, CVE-2012-3669, CVE-2012-3670, CVE-2012-3671,
CVE-2012-3672, CVE-2012-3674, CVE-2012-3674, https://launchpad.net/bugs/1058339
Package Information:
https://launchpad.net/ubuntu/+source/webkit/1.8.3-0ubuntu0.12.04.1
. This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0198 | CVE-2011-3042 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of table sections. This vulnerability Webkit Vulnerability in Google Chrome Other than Webkit Products that use may also be affected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. Google Chrome is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). ============================================================================
Ubuntu Security Notice USN-1617-1
October 25, 2012
webkit vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libjavascriptcoregtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libjavascriptcoregtk-3.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-3.0-0 1.8.3-0ubuntu0.12.04.1
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1617-1
CVE-2011-3031, CVE-2011-3038, CVE-2011-3042, CVE-2011-3043,
CVE-2011-3044, CVE-2011-3051, CVE-2011-3053, CVE-2011-3059,
CVE-2011-3060, CVE-2011-3064, CVE-2011-3067, CVE-2011-3076,
CVE-2011-3081, CVE-2011-3086, CVE-2011-3090, CVE-2012-1521,
CVE-2012-3598, CVE-2012-3601, CVE-2012-3604, CVE-2012-3611,
CVE-2012-3612, CVE-2012-3617, CVE-2012-3625, CVE-2012-3626,
CVE-2012-3627, CVE-2012-3628, CVE-2012-3645, CVE-2012-3652,
CVE-2012-3657, CVE-2012-3669, CVE-2012-3670, CVE-2012-3671,
CVE-2012-3672, CVE-2012-3674, CVE-2012-3674, https://launchpad.net/bugs/1058339
Package Information:
https://launchpad.net/ubuntu/+source/webkit/1.8.3-0ubuntu0.12.04.1
. This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0192 | CVE-2011-3036 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Google Chrome before 17.0.963.65 does not properly perform a cast of an unspecified variable during handling of line boxes, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document. (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected. This vulnerability Webkit Vulnerability in Google Chrome Other than Webkit Products that use may also be affected.Denial of service operations through crafted documents by third parties (DoS) May be affected or unknown in detail. Google Chrome is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0190 | CVE-2011-3034 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving an SVG document. Google Chrome There is a service disruption (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected. This vulnerability Webkit Vulnerability in Google Chrome Other than Webkit Products that use may also be affected.Service disruption by a third party (DoS) May be affected or unknown in detail.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0197 | CVE-2011-3041 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of class attributes. This vulnerability Webkit Vulnerability in Google Chrome Other than Webkit Products that use may also be affected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. Google Chrome is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0196 | CVE-2011-3040 | Used in multiple products Webkit Service disruption in (out-of-bounds read) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Google Chrome before 17.0.963.65 does not properly handle text, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted document. Google Chrome is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0195 | CVE-2011-3039 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to quote handling. Google Chrome Is quote Service operation is interrupted due to incomplete processing (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected. This vulnerability Webkit Vulnerability in Google Chrome Other than Webkit Products that use may also be affected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. Google Chrome is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0200 | CVE-2011-3044 | Used in multiple products Webkit Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG animation elements. Google Chrome There is a service disruption (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected. This vulnerability Webkit Vulnerability in Google Chrome Other than Webkit Products that use may also be affected.Service disruption by a third party (DoS) You may be put into a state or affected by other details.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). ============================================================================
Ubuntu Security Notice USN-1617-1
October 25, 2012
webkit vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Multiple security vulnerabilities were fixed in WebKit.
Software Description:
- webkit: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKit browser and
JavaScript engines.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libjavascriptcoregtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libjavascriptcoregtk-3.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-1.0-0 1.8.3-0ubuntu0.12.04.1
libwebkitgtk-3.0-0 1.8.3-0ubuntu0.12.04.1
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1617-1
CVE-2011-3031, CVE-2011-3038, CVE-2011-3042, CVE-2011-3043,
CVE-2011-3044, CVE-2011-3051, CVE-2011-3053, CVE-2011-3059,
CVE-2011-3060, CVE-2011-3064, CVE-2011-3067, CVE-2011-3076,
CVE-2011-3081, CVE-2011-3086, CVE-2011-3090, CVE-2012-1521,
CVE-2012-3598, CVE-2012-3601, CVE-2012-3604, CVE-2012-3611,
CVE-2012-3612, CVE-2012-3617, CVE-2012-3625, CVE-2012-3626,
CVE-2012-3627, CVE-2012-3628, CVE-2012-3645, CVE-2012-3652,
CVE-2012-3657, CVE-2012-3669, CVE-2012-3670, CVE-2012-3671,
CVE-2012-3672, CVE-2012-3674, CVE-2012-3674, https://launchpad.net/bugs/1058339
Package Information:
https://launchpad.net/ubuntu/+source/webkit/1.8.3-0ubuntu0.12.04.1
. This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0188 | CVE-2011-3032 | Used by multiple products Webkit Denial of service in Japan (DoS) Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of SVG values. This vulnerability Webkit Vulnerability. Google Chrome Other than Webkit Products that make use of may also be affected.Denial of service by third party (DoS) May be affected or may be unspecified. Google Chrome is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.
Google Chrome versions prior to 17.0.963.65 are vulnerable. Google Chrome is a web browser developed by Google (Google). This update removes handling of feed:// URLs. This update removes handling of feed:// URLs. This
header is used by many websites to serve files that were uploaded to
the site by a third-party, such as attachments in web-based e-mail
applications. Any script in files served with this header value would
run as if the file had been served inline, with full access to other
resources on the origin server.
CVE-ID
CVE-2012-3689 : David Bloom of Cue
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: Dragging and dropping selected text on a web page may cause
files from the user's system to be sent to a remote server
Description: An access control issue existed in the handling of drag
and drop events.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: OS X Lion v10.7.4, OS X Lion Server v10.7.4
Impact: An attacker may be able to escape the sandbox and access any
file the current user has access to
Description: An access control issue existed in the handling of file
URLs. An attacker who gains arbitrary code execution in a Safari
WebProcess may be able to bypass the sandbox and access any file that
the user running Safari has access to. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: March 25, 2012
Bugs: #406975, #407465, #407755, #409251
ID: 201203-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in Chromium, some of which
may allow execution of arbitrary code.
Background
==========
Chromium is an open source web browser project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 17.0.963.83 >= 17.0.963.83
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers and release notes referenced below for
details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
site using Chromium, possibly resulting in the execution of arbitrary
code with the privileges of the process, a Denial of Service condition,
Universal Cross-Site Scripting, or installation of an extension without
user interaction.
A remote attacker could also entice a user to install a specially
crafted extension that would interfere with browser-issued web
requests.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-17.0.963.83"
References
==========
[ 1 ] CVE-2011-3031
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3031
[ 2 ] CVE-2011-3032
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3032
[ 3 ] CVE-2011-3033
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3033
[ 4 ] CVE-2011-3034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3034
[ 5 ] CVE-2011-3035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3035
[ 6 ] CVE-2011-3036
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3036
[ 7 ] CVE-2011-3037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3037
[ 8 ] CVE-2011-3038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3038
[ 9 ] CVE-2011-3039
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3039
[ 10 ] CVE-2011-3040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3040
[ 11 ] CVE-2011-3041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3041
[ 12 ] CVE-2011-3042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3042
[ 13 ] CVE-2011-3043
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3043
[ 14 ] CVE-2011-3044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3044
[ 15 ] CVE-2011-3046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046
[ 16 ] CVE-2011-3047
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3047
[ 17 ] CVE-2011-3049
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3049
[ 18 ] CVE-2011-3050
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3050
[ 19 ] CVE-2011-3051
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3051
[ 20 ] CVE-2011-3052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3052
[ 21 ] CVE-2011-3053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3053
[ 22 ] CVE-2011-3054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3054
[ 23 ] CVE-2011-3055
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3055
[ 24 ] CVE-2011-3056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056
[ 25 ] CVE-2011-3057
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057
[ 26 ] Release Notes 17.0.963.65
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.htm=
l
[ 27 ] Release Notes 17.0.963.78
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-up=
date.html
[ 28 ] Release Notes 17.0.963.79
http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update_10.=
html
[ 29 ] Release Notes 17.0.963.83
http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21=
.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-09-19-1 iOS 6
iOS 6 is now available and addresses the following:
CFNetwork
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. CFNetwork may send requests to an incorrect hostname, resulting
in the disclosure of sensitive information. This issue was addressed
through improvements to URL handling.
CVE-ID
CVE-2012-3724 : Erling Ellingsen of Facebook
CoreGraphics
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Multiple vulnerabilities in FreeType
Description: Multiple vulnerabilities existed in FreeType, the most
serious of which may lead to arbitrary code execution when processing
a maliciously crafted font. These issues were addressed by updating
FreeType to version 2.4.9. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2012-1126
CVE-2012-1127
CVE-2012-1128
CVE-2012-1129
CVE-2012-1130
CVE-2012-1131
CVE-2012-1132
CVE-2012-1133
CVE-2012-1134
CVE-2012-1135
CVE-2012-1136
CVE-2012-1137
CVE-2012-1138
CVE-2012-1139
CVE-2012-1140
CVE-2012-1141
CVE-2012-1142
CVE-2012-1143
CVE-2012-1144
CoreMedia
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access existed in the handling
of Sorenson encoded movie files. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2012-3722 : Will Dormann of the CERT/CC
DHCP
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may broadcast
MAC addresses of previously accessed networks per the DNAv4 protocol.
This issue was addressed by disabling DNAv4 on unencrypted Wi-Fi
networks.
CVE-ID
CVE-2012-3725 : Mark Wuergler of Immunity, Inc.
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue was addressed by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in libpng's
handling of PNG images. These issues were addressed through improved
validation of PNG images.
CVE-ID
CVE-2011-3026 : Juri Aedla
CVE-2011-3048
CVE-2011-3328
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted JPEG image may lead to an
unexpected application termination or arbitrary code execution
Description: A double free issue existed in ImageIO's handling of
JPEG images. This issue was addressed through improved memory
management.
CVE-ID
CVE-2012-3726 : Phil of PKJE Consulting
ImageIO
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow issue existed in libTIFF's handling
of TIFF images. This issue was addressed through improved validation
of TIFF images.
CVE-ID
CVE-2012-1173 : Alexander Gavrun working with HP's Zero Day
Initiative
International Components for Unicode
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use ICU may be vulnerable to an unexpected
application termination or arbitrary code execution
Description: A stack buffer overflow existed in the handling of ICU
locale IDs. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2011-4599
IPSec
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Loading a maliciously crafted racoon configuration file may
lead to arbitrary code execution
Description: A buffer overflow existed in the handling of racoon
configuration files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2012-3727 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An invalid pointer dereference issue existed in the
kernel's handling of packet filter ioctls. This may allow an attacker
to alter kernel memory. This issue was addressed through improved
error handling.
CVE-ID
CVE-2012-3728 : iOS Jailbreak Dream Team
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine kernel memory layout
Description: An uninitialized memory access issue existed in the
Berkeley Packet Filter interpreter, which led to the disclosure of
memory content. This issue was addressed through improved memory
initialization.
CVE-ID
CVE-2012-3729 : Dan Rosenberg
libxml
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Viewing a maliciously crafted web page may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple vulnerabilities existed in libxml, the most
serious of which may lead to an unexpected application termination or
arbitrary code execution. These issues were addressed by applying the
relevant upstream patches.
CVE-ID
CVE-2011-1944 : Chris Evans of Google Chrome Security Team
CVE-2011-2821 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-2834 : Yang Dingning of NCNIPC, Graduate University of
Chinese Academy of Sciences
CVE-2011-3919 : Juri Aedla
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Mail may present the wrong attachment in a message
Description: A logic issue existed in Mail's handling of
attachments. If a subsequent mail attachment used the same Content-ID
as a previous one, the previous attachment would be displayed, even
in the case where the 2 mails originated from different senders. This
could facilitate some spoofing or phishing attacks. This issue was
addressed through improved handling of attachments.
CVE-ID
CVE-2012-3730 : Angelo Prado of the salesforce.com Product Security
Team
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Email attachments may be read without user's passcode
Description: A logic issue existed in Mail's use of Data Protection
on email attachments. This issue was addressed by properly setting
the Data Protection class for email attachments.
CVE-ID
CVE-2012-3731 : Stephen Prairie of Travelers Insurance, Erich
Stuntebeck of AirWatch
Mail
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker may spoof the sender of a S/MIME signed message
Description: S/MIME signed messages displayed the untrusted 'From'
address, instead of the name associated with the message signer's
identity. This issue was addressed by displaying the address
associated with the message signer's identity when it is available.
CVE-ID
CVE-2012-3732 : An anonymous researcher
Messages
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may unintentionally disclose the existence of their
email addresses
Description: When a user had multiple email addresses associated
with iMessage, replying to a message may have resulted in the reply
being sent from a different email address. This may disclose another
email address associated to the user's account. This issue was
addressed by always replying from the email address the original
message was sent to.
CVE-ID
CVE-2012-3733 : Rodney S. Foley of Gnomesoft, LLC
Office Viewer
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Unencrypted document data may be written to a temporary file
Description: An information disclosure issue existed in the support
for viewing Microsoft Office files. When viewing a document, the
Office Viewer would write a temporary file containing data from the
viewed document to the temporary directory of the invoking process.
For an application that uses data protection or other encryption to
protect the user's files, this could lead to information
disclosure. This issue was addressed by avoiding creation of
temporary files when viewing Office documents.
CVE-ID
CVE-2012-3734 : Salvatore Cataudella of Open Systems Technologies
OpenGL
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation. These issues were addressed through
improved validation of GLSL shaders.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device could briefly
view the last used third-party app on a locked device
Description: A logic issue existed with the display of the "Slide to
Power Off" slider on the lock screen. This issue was addressed
through improved lock state management.
CVE-ID
CVE-2012-3735 : Chris Lawrence DBB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the termination of FaceTime
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2012-3736 : Ian Vitek of 2Secure AB
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: All photos may be accessible at the lock screen
Description: A design issue existed in the support for viewing
photos that were taken at the lock screen. In order to determine
which photos to permit access to, the passcode lock consulted the
time at which the device was locked and compared it to the time that
a photo was taken. By spoofing the current time, an attacker could
gain access to photos that were taken before the device was locked.
This issues was addressed by explicitly keeping track of the photos
that were taken while the device was locked.
CVE-ID
CVE-2012-3737 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to a locked device may perform
FaceTime calls
Description: A logic issue existed in the Emergency Dialer screen,
which permitted FaceTime calls via Voice Dialing on the locked
device. This could also disclose the user's contacts via contact
suggestions. This issue was addressed by disabling Voice Dialing on
the Emergency Dialer screen.
CVE-ID
CVE-2012-3738 : Ade Barkah of BlueWax Inc.
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: Using the camera from the screen lock could in some
cases interfere with automatic lock functionality, allowing a person
with physical access to the device to bypass the Passcode Lock
screen. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3739 : Sebastian Spanninger of the Austrian Federal
Computing Centre (BRZ)
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved lock state
management.
CVE-ID
CVE-2012-3740 : Ian Vitek of 2Secure AB
Restrictions
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A user may be able to make purchases without entering Apple
ID credentials
Description: After disabling Restrictions, iOS may not ask for the
user's password during a transaction. This issue was addressed by
additional enforcement of purchase authorization.
CVE-ID
CVE-2012-3741 : Kevin Makens of Redwood High School
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Websites may use characters with an appearance similar to
the lock icon in their titles
Description: Websites could use a Unicode character to create a lock
icon in the page title. This icon was similar in appearance to the
icon used to indicate a secure connection, and could have lead the
user to believe a secure connection had been established. This issue
was addressed by removing these characters from page titles.
CVE-ID
CVE-2012-3742 : Boku Kihara of Lepidum
Safari
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Passwords may autocomplete even when the site specifies that
autocomplete should be disabled
Description: Password input elements with the autocomplete attribute
set to "off" were being autocompleted. This issue was addressed
through improved handling of the autocomplete attribute.
CVE-ID
CVE-2012-0680 : Dan Poltawski of Moodle
System Logs
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Sandboxed apps may obtain system log content
Description: Sandboxed apps had read access to /var/log directory,
which may allow them to obtain sensitive information contained in
system logs. This issue was addressed by denying sandboxed apps
access to the /var/log directory.
CVE-ID
CVE-2012-3743
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may appear to have been sent by an arbitrary
user
Description: Messages displayed the return address of an SMS message
as the sender. Return addresses may be spoofed. This issue was
addressed by always displaying the originating address instead of the
return address.
CVE-ID
CVE-2012-3744 : pod2g
Telephony
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An SMS message may disrupt cellular connectivity
Description: An off-by-one buffer overflow existed in the handling
of SMS user data headers. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2012-3745 : pod2g
UIKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: An attacker that gains access to a device's filesystem may
be able to read files that were being displayed in a UIWebView
Description: Applications that use UIWebView may leave unencrypted
files on the file system even when a passcode is enabled. This issue
was addressed through improved use of data protection.
CVE-ID
CVE-2012-3746 : Ben Smith of Box
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur
Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team
using AddressSanitizer, Jose A. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2012-3691 : Apple
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A malicious website may be able to replace the contents of
an iframe on another site
Description: A cross-origin issue existed in the handling of iframes
in popup windows. This issue was addressed through improved origin
tracking.
CVE-ID
CVE-2011-3067 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S,
iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-
site disclosure of information
Description: A cross-origin issue existed in the handling of iframes
and fragment identifiers. This issue was addressed through improved
origin tracking.
CVE-ID
CVE-2012-2815 : Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt,
and Dan Boneh of the Stanford University Security Laboratory
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Look-alike characters in a URL could be used to masquerade a
website
Description: The International Domain Name (IDN) support and Unicode
fonts embedded in Safari could have been used to create a URL which
contains look-alike characters. These could have been used in a
malicious website to direct the user to a spoofed site that visually
appears to be a legitimate domain. This issue was addressed by
supplementing WebKit's list of known look-alike characters. Look-
alike characters are rendered in Punycode in the address bar.
CVE-ID
CVE-2012-3693 : Matt Cooley of Symantec
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A canonicalization issue existed in the handling of
URLs. This may have led to cross-site scripting on sites which use
the location.href property. This issue was addressed through improved
canonicalization of URLs.
CVE-ID
CVE-2012-3695 : Masato Kinugawa
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to HTTP
request splitting
Description: An HTTP header injection issue existed in the handling
of WebSockets. This issue was addressed through improved WebSockets
URI sanitization.
CVE-ID
CVE-2012-3696 : David Belcher of the BlackBerry Security Incident
Response Team
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A maliciously crafted website may be able to spoof the value
in the URL bar
Description: A state management issue existed in the handling of
session history. Navigations to a fragment on the current page may
cause Safari to display incorrect information in the URL bar. This
issue was addressed through improved session state tracking.
CVE-ID
CVE-2011-2845 : Jordi Chancel
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to the
disclosure of the disclosure of memory contents
Description: An uninitialized memory access issue existed in the
handling of SVG images. This issue was addressed through improved
memory initialization.
CVE-ID
CVE-2012-3650 : Apple
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "6.0".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJQWeYHAAoJEPefwLHPlZEwFlwP/1Ib/2m8K7orlPb3zmsKTyjo
3T0rFqu1LbXNzwLRhan7E7KiJoQ7U6yVO4045o/19AYZM+zGVNnHsCkUc3+Vcpa5
TZIM9Rik2iXKMxzttFfc5tvhE1u18PstsDLU/jvyW+s3XxMVL54wnSmW1R+P0de0
8+Q++IANogUj+scJzQkTaFDNDN5v1p0BT0+cifCcqktXB4H/PoaQ7drIWiDGYB/9
n4IL5AjM0BJBzWkldfjPimZ0BseSA0BxdeVCopmAgdnigyB60G4cWGzkU7E35VnP
dWgdU9rnIIvGGe/vP912f7AoPtWs1b8n6DYCJgGRXvaRfPoHFUlXaRoVB6vJlMVs
JXyMrw/RSDfYEgJdNbFOSxyJXHUkTkt4+aNW4KcoMR6raI/W5zKDyMEICw1wpkwP
id6Dz4e6ncf+cfvAFqXpk02OC7iJqn71IJN2MvU/hC7797l++PINIoOHwJZolt+T
xL3wV8p3Lk8K6lZx3Q9Tu6Dd7GYkxtjLCgV1NgdHOwPKDUOJ47oG6RjZAd6hpicp
RqYXbk5bJpd3nZv+X6FrCZqGfeuwREWW7FJ0dI+/8ohlnisTz16f48W9FtuN3HIj
bmxFJ46P4LGxrizwDSdBngxf3Utkh+7hGLuMH51/jR8+tCqDIEgpKBA+2F+IOmyP
XtT4lS60xKz63YSg79dd
=LvMt
-----END PGP SIGNATURE-----
| VAR-201203-0121 | CVE-2012-1557 |
Parallels Plesk Panel of admin/plib/api-rpc/Agent.php In SQL Injection vulnerability
Related entries in the VARIoT exploits database: VAR-E-201203-0857 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in March 2012. Parallels Plesk is a server virtualization automation solution. Parallels Plesk has a security vulnerability that allows anonymous attackers to authenticate and remotely invade Plesk servers without allowing unauthorized access to and modification of the server.
Attackers can exploit this issue to perform unauthorized actions on the affected application. Successfully exploiting this issue results in complete compromise of the application.
Limited technical details are available at this time. We will update this BID as more information emerges.
Parallels Plesk Panel versions 7.6.1 through 10.3.1 are vulnerable. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Parallels Plesk Panel Unspecified SQL Injection Vulnerability
SECUNIA ADVISORY ID:
SA48262
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48262/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48262
RELEASE DATE:
2012-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/48262/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48262/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48262
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Parallels Plesk Panel, which can
be exploited by malicious people to conduct SQL injection attacks.
Certain unspecified input passed to admin/plib/api-rpc/Agent.php is
not properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
Please see the vendor's advisory for a list of affected versions.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://kb.parallels.com/en/113321
http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html#10216
http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-windows-updates-release-notes.html#10216
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201210-0414 | CVE-2012-5320 | Sagem F@ST 2604 of password.cgi Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in password.cgi in Sagem F@ST 2604 253180972B allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysPassword parameter. Sagem F@st is a router product. Sagem F@st 2604 has a cross-site request forgery vulnerability. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Sagem F@st 2604 Cross-Site Request Forgery Vulnerability
SECUNIA ADVISORY ID:
SA48088
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48088/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48088
RELEASE DATE:
2012-02-28
DISCUSS ADVISORY:
http://secunia.com/advisories/48088/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48088/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48088
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Sagem F@st 2604, which can be
exploited by malicious people to conduct cross-site request forgery
attacks. This can be exploited to e.g. change an administrator's
password by tricking a logged in administrator into visiting a
malicious web site.
SOLUTION:
Do not browse untrusted sites or follow untrusted links while being
logged-in to the application.
PROVIDED AND/OR DISCOVERED BY:
KinG Of PiraTeS
ORIGINAL ADVISORY:
http://www.exploit-db.com/exploits/18504/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201203-0222 | CVE-2012-0359 |
Cisco Cius Remote Denial of Service Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201202-0762 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Cisco Cius with software before 9.2(1) SR2 allows remote attackers to cause a denial of service (device crash or hang) via malformed network traffic, aka Bug ID CSCto71445. Cisco Cius is an Android tablet from Cisco. A security hole exists in Cisco Cius handling malformed communications. A remote unauthenticated attacker could exploit this vulnerability to perform a denial of service attack on an affected device. Allow Cius to stop responding and need to reboot to get normal functionality. Cisco Cius is prone to a remote denial-of-service vulnerability.
Cisco Cius versions prior to 9.2(1) SR2 are vulnerable.
This issue is being tracked by Cisco Bug ID CSCto71445. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco Cius Denial of Service Vulnerability
Advisory ID: cisco-sa-20120229-cius
Revision 1.0
For Public Release 2012 February 29 16:00 UTC (GMT)
+--------------------------------------------------------------------
Summary
=======
Cisco Cius Software contains a denial of service vulnerability that
could cause the device to stop responding.
Cisco has released free software updates that address this
vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cius
Affected Products
=================
The Cius mobile collaboration device is an Android-based platform
built for business. Cius can be used as a standalone 7-inch tablet,
or as a desk phone and multimedia collaboration device when docked in
a Cius Media Station.
Vulnerable Products
+------------------
The following products are affected by the vulnerability detailed in
this advisory:
* Cius Wifi devices running Cius Software Version 9.2(1) SR1 and
prior
Products Confirmed Not Vulnerable
+--------------------------------
Cius 4G products first shipped with Cius Software Version 9.2(2), and
are not affected by this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
This vulnerability is documented in CSCto71445 and has been assigned
Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0359.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCto71445 ("Cisco Cius Denial of Service Vulnerability")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may cause the device to
crash or become non-responsive, requiring a device reboot.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to
consult the Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
+------------------------------------------------------------+
| Affected | Affected Version | First Fixed |
| Product | | Version |
|-----------------+---------------------+--------------------|
| Cisco Cius | 9.2(1) SR1 and | 9.2(1) SR2 |
| | prior | |
+------------------------------------------------------------+
Workarounds
===========
There are no workarounds for the vulnerability disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature
sets they have purchased. By installing, downloading,
accessing, or otherwise using such software upgrades, customers
agree to follow the terms of the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as set forth at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be obtained
through the Software Center on Cisco.com at http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cius
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco is available on Cisco.com at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This web page includes instructions for press inquiries
regarding Cisco Security Advisories. All Cisco Security Advisories are
available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk9OSCwACgkQQXnnBKKRMNDrBwD/aPMMYLj2qPkg+koL7vuIMO8y
LbhwVgJLPpk8eTLYzHoA+gMruWU7JSNhwwrCkp+DzQ2Q5baXrtZozDgL4Rmfi8l7
=RXkm
-----END PGP SIGNATURE-----
| VAR-201409-0044 | CVE-2012-1417 | Yealink VOIP Phone of Local Phone Cross-site scripting vulnerability in books and blacklists |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com. Yealink VOIP Phone is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
For more information:
SA48299
Please see the vendor's advisory for a list of affected products. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
IBM Maximo Asset Management Products Weakness and Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA48299
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48299/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48299
RELEASE DATE:
2012-03-07
DISCUSS ADVISORY:
http://secunia.com/advisories/48299/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48299/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48299
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in IBM
Maximo Asset Management and IBM Maximo Asset Management Essentials,
which can be exploited by malicious users to disclose sensitive
information and conduct SQL injection attacks and by malicious people
to conduct spoofing attacks, cross-site scripting attacks, cross-site
request forgery attacks, and cause a DoS (Denial of Service).
1) The weakness is caused due to the about option in the help menu
displaying an otherwise restricted username.
2) Input passed via the "uisessionid" parameter to an unspecified
script is not properly verified before being used to redirect users.
This can be exploited to redirect users to arbitrary web sites.
3) Input passed via the "controlid" parameter to imicon.jsp and the
"reportType" parameter to an unspecified script is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
4) Input passed via the "uisesionid" parameter to ui/ and maximo.jsp
is not properly sanitised before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
5) Certain input in Start Center Layout and Configuration is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
6) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
requests. This can be exploited to e.g. conduct web cache poisoning
and cross-site scripting attacks by tricking a logged in user into
visiting a malicious web site.
7) An error when handling multiple UI sessions in an HTTP session can
be exploited to consume large amounts of memory and render the server
unusable.
8) Certain input passed to the KPI component is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
The vulnerabilities are reported in versions 6.2, 7.1, and 7.5.
SOLUTION:
Apply APAR or interim fix (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
IBM (IV09157, IV09189, IV09190, IV09193, IV09194, IV09197, IV09200,
IV09202, IV09198):
http://www.ibm.com/support/docview.wss?uid=swg21584666
http://xforce.iss.net/xforce/xfdb/72004
http://xforce.iss.net/xforce/xfdb/72006
http://xforce.iss.net/xforce/xfdb/71996
http://xforce.iss.net/xforce/xfdb/71999
http://xforce.iss.net/xforce/xfdb/72008
http://xforce.iss.net/xforce/xfdb/72612
http://xforce.iss.net/xforce/xfdb/72000
http://xforce.iss.net/xforce/xfdb/71985
http://xforce.iss.net/xforce/xfdb/72001
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
SOLUTION:
Filter malicious characters and character sequences using a proxy
| VAR-201203-0225 | CVE-2012-0370 |
Cisco Wireless LAN Controller Service disruption on devices ( Device reload ) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201202-0375 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Wireless LAN Controller (WLC) devices with software 4.x, 5.x, 6.0, and 7.0 before 7.0.220.0 and 7.1 before 7.1.91.0, when WebAuth is enabled, allow remote attackers to cause a denial of service (device reload) via a sequence of (1) HTTP or (2) HTTPS packets, aka Bug ID CSCtt47435. Allows an unauthenticated attacker to send a series of HTTP or HTTPS messages to a controller configured with WebAuth, which can overload the device. This vulnerability can be triggered in both wireless and wired segments, requiring three TCP handshakes.
This issue is tracked by Cisco Bug ID CSCtt47435.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq24002. Workarounds are available that mitigate some of these
vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Affected Products
=================
The Cisco WLC product family is affected by multiple vulnerabilities.
Affected versions of Cisco ASA Software vary depending on the specific
vulnerability.
Vulnerable Products
+------------------
For specific version information, refer to the Software Versions and
Fixes section of this advisory.
Each of the following products is affected by at least one of the
vulnerabilities covered in this Security Advisory:
* Cisco 2000 Series WLC
* Cisco 2100 Series WLC
* Cisco 2500 Series WLC
* Cisco 4100 Series WLC
* Cisco 4400 Series WLC
* Cisco 5500 Series WLC
* Cisco 500 Series Wireless Express Mobility Controllers
* Cisco Wireless Services Modules (WiSM)
* Cisco Wireless Services Modules version 2 (WiSM version 2)
* Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco Catalyst 3750G Integrated WLCs
* Cisco Flex 7500 Series Cloud Controllers
Note: The Cisco 2000 Series WLCs, Cisco 4100 Series WLCs, Cisco
NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility
Controllers, have reached end-of-software maintenance. The following
table includes the end-of-life document URL for each model:
+-------------------------------------------------------------------+
|Model |End of Life Document URL |
|----------------------+--------------------------------------------|
|Cisco 2000 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6308/ |
| |prod_end-of-life_notice0900aecd805d22b0.html|
|----------------------+--------------------------------------------|
|Cisco 4100 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6307/ |
| |prod_end-of-life_notice0900aecd803387a9.html|
|----------------------+--------------------------------------------|
|Cisco NM-AIR-WLC |http://www.cisco.com/en/US/prod/collateral/ |
|Modules for ISR |modules/ps2797/ |
| |prod_end-of-life_notice0900aecd806aeb34.html|
|----------------------+--------------------------------------------|
|Cisco 500 Series |http://www.cisco.com/en/US/prod/collateral/ |
|Wireless Express |wireless/ps7306/ps7320/ps7339/ |
|Mobility Controllers |end_of_life_c51-568040.html |
+-------------------------------------------------------------------+
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
* In the command-line interface, issue the show sysinfo command as
shown in the following example:
(Cisco Controller)> show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with controller-based access points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP) and the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol. An attacker can exploit this
vulnerability by connecting to the controller over TCP port 1023. Only
the Cisco 4400 Series WLCs, WiSM version 1, and Cisco Catalyst 3750G
Integrated WLCs are affected by this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts81997 - Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt07949 - Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt47435 - Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtu56709 - Cisco Wireless LAN Controllers Unauthorized Access Vulnerability
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the DoS vulnerabilities could allow an
unauthenticated attacker to cause an affected device to reload.
Repeated exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
If a given release train is vulnerable, then the earliest possible
releases that contain the fix (along with the anticipated date of
availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. A device running a release in the given
train that is earlier than the release in a specific column (less than
the First Fixed Release) is known to be vulnerable.
+-------------------------------------------------------------------+
| Vulnerability/Bug ID | Affected | First Fixed Release |
| | Release | |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| HTTP DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCts81997) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1M | Not Vulnerable |
| |------------+-----------------------|
| | 4.2 | Not Vulnerable |
| |------------+-----------------------|
| | 4.2M | Not Vulnerable |
| |------------+-----------------------|
| | 5.0 | Not Vulnerable |
| |------------+-----------------------|
| IPv6DoS Vulnerability | 5.1 | Not Vulnerable |
|(CSCtt07949) |------------+-----------------------|
| | 5.2 | Not Vulnerable |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| WebAuth DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCtt47435) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| Unauthorized Access | 5.0 | Vulnerable; Migrate |
| Vulnerability (CSCtu56709) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.4 |
| |------------+-----------------------|
| | 7.1 | Not Vulnerable |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
+-------------------------------------------------------------------+
Recommended Releases
+-------------------
The "Recommended Release" table lists the releases which have fixes
for all the published vulnerabilities at the time of this Advisory.
Cisco recommends upgrading to a release equal to or later than the
release in the "Recommended Releases" table.
+-------------------------------------------------------------------+
| Affected Release | Recommended Release |
|------------------------------+------------------------------------|
| 7.0 | 7.0.230.0 |
|------------------------------+------------------------------------|
| 7.1 | 7.1.91.0 |
|------------------------------+------------------------------------|
| 7.2 | 7.2.103.0 |
+-------------------------------------------------------------------+
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other.
Cisco Wireless LAN Controllers Unauthorized Access Vulnerability CPU
based ACLs can be configured to block access to the affected WLC on
TCP port 1023. After ACLs are defined, they can be applied to the
management interface, the access point manager (AP-manager) interface,
or any of the dynamic interfaces for client data traffic or to the
Network Processing Unit (NPU) interface for traffic to the controller
CPU.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-wlc
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9NNsMACgkQQXnnBKKRMNAT9QD/eiMEVJB+F+vzCBMq6lCKbhxM
fvIvDvBx2ZAMARO9pK8A/Rg0q1bR1eL4gblRgg8swazzbV/Pz0A3G4UtSx+gfXBz
=lRis
-----END PGP SIGNATURE-----
| VAR-201203-0226 | CVE-2012-0371 | Cisco Wireless LAN Controller Device configuration vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco Wireless LAN Controller (WLC) devices with software 4.x, 5.x, 6.0, and 7.0 before 7.0.220.4, when CPU-based ACLs are enabled, allow remote attackers to read or modify the configuration via unspecified vectors, aka Bug ID CSCtu56709. The problem is Bug ID CSCtu56709 It is a problem.The setting may be read or changed by a third party. The Cisco Wireless LAN Controller is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility. Allows unauthenticated attackers to view and modify the configuration on the Cisco WLC affected by this vulnerability. Wireless controllers configured with CPU-based ACLs are more affected by this vulnerability, and an attacker can connect to TCP port 1023 to exploit this vulnerability.
This issue is being tracked by Cisco Bug ID CSCtu56709. Workarounds are available that mitigate some of these
vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Affected Products
=================
The Cisco WLC product family is affected by multiple vulnerabilities.
Vulnerable Products
+------------------
For specific version information, refer to the Software Versions and
Fixes section of this advisory.
Each of the following products is affected by at least one of the
vulnerabilities covered in this Security Advisory:
* Cisco 2000 Series WLC
* Cisco 2100 Series WLC
* Cisco 2500 Series WLC
* Cisco 4100 Series WLC
* Cisco 4400 Series WLC
* Cisco 5500 Series WLC
* Cisco 500 Series Wireless Express Mobility Controllers
* Cisco Wireless Services Modules (WiSM)
* Cisco Wireless Services Modules version 2 (WiSM version 2)
* Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco Catalyst 3750G Integrated WLCs
* Cisco Flex 7500 Series Cloud Controllers
Note: The Cisco 2000 Series WLCs, Cisco 4100 Series WLCs, Cisco
NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility
Controllers, have reached end-of-software maintenance. The following
table includes the end-of-life document URL for each model:
+-------------------------------------------------------------------+
|Model |End of Life Document URL |
|----------------------+--------------------------------------------|
|Cisco 2000 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6308/ |
| |prod_end-of-life_notice0900aecd805d22b0.html|
|----------------------+--------------------------------------------|
|Cisco 4100 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6307/ |
| |prod_end-of-life_notice0900aecd803387a9.html|
|----------------------+--------------------------------------------|
|Cisco NM-AIR-WLC |http://www.cisco.com/en/US/prod/collateral/ |
|Modules for ISR |modules/ps2797/ |
| |prod_end-of-life_notice0900aecd806aeb34.html|
|----------------------+--------------------------------------------|
|Cisco 500 Series |http://www.cisco.com/en/US/prod/collateral/ |
|Wireless Express |wireless/ps7306/ps7320/ps7339/ |
|Mobility Controllers |end_of_life_c51-568040.html |
+-------------------------------------------------------------------+
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
* In the command-line interface, issue the show sysinfo command as
shown in the following example:
(Cisco Controller)> show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with controller-based access points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP) and the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol.
This vulnerability can be exploited from both wired and wireless
segments. Only
the Cisco 4400 Series WLCs, WiSM version 1, and Cisco Catalyst 3750G
Integrated WLCs are affected by this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts81997 - Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt07949 - Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt47435 - Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtu56709 - Cisco Wireless LAN Controllers Unauthorized Access Vulnerability
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the DoS vulnerabilities could allow an
unauthenticated attacker to cause an affected device to reload.
Repeated exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
If a given release train is vulnerable, then the earliest possible
releases that contain the fix (along with the anticipated date of
availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. A device running a release in the given
train that is earlier than the release in a specific column (less than
the First Fixed Release) is known to be vulnerable.
+-------------------------------------------------------------------+
| Vulnerability/Bug ID | Affected | First Fixed Release |
| | Release | |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| HTTP DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCts81997) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1M | Not Vulnerable |
| |------------+-----------------------|
| | 4.2 | Not Vulnerable |
| |------------+-----------------------|
| | 4.2M | Not Vulnerable |
| |------------+-----------------------|
| | 5.0 | Not Vulnerable |
| |------------+-----------------------|
| IPv6DoS Vulnerability | 5.1 | Not Vulnerable |
|(CSCtt07949) |------------+-----------------------|
| | 5.2 | Not Vulnerable |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| WebAuth DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCtt47435) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| Unauthorized Access | 5.0 | Vulnerable; Migrate |
| Vulnerability (CSCtu56709) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.4 |
| |------------+-----------------------|
| | 7.1 | Not Vulnerable |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
+-------------------------------------------------------------------+
Recommended Releases
+-------------------
The "Recommended Release" table lists the releases which have fixes
for all the published vulnerabilities at the time of this Advisory.
Cisco recommends upgrading to a release equal to or later than the
release in the "Recommended Releases" table.
+-------------------------------------------------------------------+
| Affected Release | Recommended Release |
|------------------------------+------------------------------------|
| 7.0 | 7.0.230.0 |
|------------------------------+------------------------------------|
| 7.1 | 7.1.91.0 |
|------------------------------+------------------------------------|
| 7.2 | 7.2.103.0 |
+-------------------------------------------------------------------+
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other. After ACLs are defined, they can be applied to the
management interface, the access point manager (AP-manager) interface,
or any of the dynamic interfaces for client data traffic or to the
Network Processing Unit (NPU) interface for traffic to the controller
CPU.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-wlc
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9NNsMACgkQQXnnBKKRMNAT9QD/eiMEVJB+F+vzCBMq6lCKbhxM
fvIvDvBx2ZAMARO9pK8A/Rg0q1bR1eL4gblRgg8swazzbV/Pz0A3G4UtSx+gfXBz
=lRis
-----END PGP SIGNATURE-----
| VAR-201203-0224 | CVE-2012-0369 |
Cisco Wireless LAN Controller Service disruption on devices ( Device reload ) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201202-0457 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Wireless LAN Controller (WLC) devices with software 6.0 and 7.0 before 7.0.220.0, 7.1 before 7.1.91.0, and 7.2 before 7.2.103.0 allow remote attackers to cause a denial of service (device reload) via a sequence of IPv6 packets, aka Bug ID CSCtt07949. Allows an unauthenticated attacker to send a series of IPv6 messages to the controller, which can overload the device.
An unauthenticated attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is tracked by Cisco Bug ID CSCtt07949.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq24002. Workarounds are available that mitigate some of these
vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Affected Products
=================
The Cisco WLC product family is affected by multiple vulnerabilities.
Affected versions of Cisco ASA Software vary depending on the specific
vulnerability.
Vulnerable Products
+------------------
For specific version information, refer to the Software Versions and
Fixes section of this advisory.
Each of the following products is affected by at least one of the
vulnerabilities covered in this Security Advisory:
* Cisco 2000 Series WLC
* Cisco 2100 Series WLC
* Cisco 2500 Series WLC
* Cisco 4100 Series WLC
* Cisco 4400 Series WLC
* Cisco 5500 Series WLC
* Cisco 500 Series Wireless Express Mobility Controllers
* Cisco Wireless Services Modules (WiSM)
* Cisco Wireless Services Modules version 2 (WiSM version 2)
* Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco Catalyst 3750G Integrated WLCs
* Cisco Flex 7500 Series Cloud Controllers
Note: The Cisco 2000 Series WLCs, Cisco 4100 Series WLCs, Cisco
NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility
Controllers, have reached end-of-software maintenance. The following
table includes the end-of-life document URL for each model:
+-------------------------------------------------------------------+
|Model |End of Life Document URL |
|----------------------+--------------------------------------------|
|Cisco 2000 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6308/ |
| |prod_end-of-life_notice0900aecd805d22b0.html|
|----------------------+--------------------------------------------|
|Cisco 4100 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6307/ |
| |prod_end-of-life_notice0900aecd803387a9.html|
|----------------------+--------------------------------------------|
|Cisco NM-AIR-WLC |http://www.cisco.com/en/US/prod/collateral/ |
|Modules for ISR |modules/ps2797/ |
| |prod_end-of-life_notice0900aecd806aeb34.html|
|----------------------+--------------------------------------------|
|Cisco 500 Series |http://www.cisco.com/en/US/prod/collateral/ |
|Wireless Express |wireless/ps7306/ps7320/ps7339/ |
|Mobility Controllers |end_of_life_c51-568040.html |
+-------------------------------------------------------------------+
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
* In the command-line interface, issue the show sysinfo command as
shown in the following example:
(Cisco Controller)> show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with controller-based access points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP) and the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol.
This vulnerability can be exploited from both wired and wireless
segments. A TCP three-way handshake is needed in order to exploit
this vulnerability. An attacker can exploit this
vulnerability by connecting to the controller over TCP port 1023. Only
the Cisco 4400 Series WLCs, WiSM version 1, and Cisco Catalyst 3750G
Integrated WLCs are affected by this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts81997 - Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt07949 - Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt47435 - Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtu56709 - Cisco Wireless LAN Controllers Unauthorized Access Vulnerability
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the DoS vulnerabilities could allow an
unauthenticated attacker to cause an affected device to reload.
Repeated exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
If a given release train is vulnerable, then the earliest possible
releases that contain the fix (along with the anticipated date of
availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. A device running a release in the given
train that is earlier than the release in a specific column (less than
the First Fixed Release) is known to be vulnerable.
+-------------------------------------------------------------------+
| Vulnerability/Bug ID | Affected | First Fixed Release |
| | Release | |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| HTTP DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCts81997) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1M | Not Vulnerable |
| |------------+-----------------------|
| | 4.2 | Not Vulnerable |
| |------------+-----------------------|
| | 4.2M | Not Vulnerable |
| |------------+-----------------------|
| | 5.0 | Not Vulnerable |
| |------------+-----------------------|
| IPv6DoS Vulnerability | 5.1 | Not Vulnerable |
|(CSCtt07949) |------------+-----------------------|
| | 5.2 | Not Vulnerable |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| WebAuth DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCtt47435) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| Unauthorized Access | 5.0 | Vulnerable; Migrate |
| Vulnerability (CSCtu56709) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.4 |
| |------------+-----------------------|
| | 7.1 | Not Vulnerable |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
+-------------------------------------------------------------------+
Recommended Releases
+-------------------
The "Recommended Release" table lists the releases which have fixes
for all the published vulnerabilities at the time of this Advisory.
Cisco recommends upgrading to a release equal to or later than the
release in the "Recommended Releases" table.
+-------------------------------------------------------------------+
| Affected Release | Recommended Release |
|------------------------------+------------------------------------|
| 7.0 | 7.0.230.0 |
|------------------------------+------------------------------------|
| 7.1 | 7.1.91.0 |
|------------------------------+------------------------------------|
| 7.2 | 7.2.103.0 |
+-------------------------------------------------------------------+
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other.
Cisco Wireless LAN Controllers Unauthorized Access Vulnerability CPU
based ACLs can be configured to block access to the affected WLC on
TCP port 1023. After ACLs are defined, they can be applied to the
management interface, the access point manager (AP-manager) interface,
or any of the dynamic interfaces for client data traffic or to the
Network Processing Unit (NPU) interface for traffic to the controller
CPU.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-wlc
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9NNsMACgkQQXnnBKKRMNAT9QD/eiMEVJB+F+vzCBMq6lCKbhxM
fvIvDvBx2ZAMARO9pK8A/Rg0q1bR1eL4gblRgg8swazzbV/Pz0A3G4UtSx+gfXBz
=lRis
-----END PGP SIGNATURE-----
| VAR-201203-0013 | CVE-2011-4487 | Cisco Unified Communications Manager and Cisco Business Edition In SQL Injection vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) with software 6.x and 7.x before 7.1(5b)su5, 8.0 before 8.0(3a)su3, and 8.5 and 8.6 before 8.6(2a)su1 and Cisco Business Edition 3000 with software before 8.6.3 and 5000 and 6000 with software before 8.6(2a)su1 allows remote attackers to execute arbitrary SQL commands via a crafted SCCP registration, aka Bug ID CSCtu73538. The problem is Bug ID CSCtu73538 It is a problem.Skillfully crafted by a third party SCCP Through any registration SQL The command may be executed.
Exploiting this issue could allow an authenticated attacker to compromise the affected device, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue is tracked by Cisco Bug ID CSCtu73538. This component features scalable, distributed, and highly available enterprise Voice over IP call processing. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Unified Communications Manager Skinny Client Control Protocol Vulnerabilities
Advisory ID: cisco-sa-20120229-cucm
Revision 1.0
For Public Release 2012 February 29 16:00 UTC (GMT)
Summary
=======
Cisco Unified Communications Manager devices may allow a remote,
unauthenticated attacker with the ability to send crafted Skinny
Client Control Protocol (SCCP) messages to an affected device to cause
a reload or execute attacker-controlled SQL code.
Cisco has released free software updates that address these
vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as IP
phones, media processing devices, VoIP gateways, and multimedia
applications. Both SCCP ports (TCP ports 2000 and
2443) are affected. Successful exploitation could cause
a loss of all voice services that are being handled by the affected
device. After the device restarts, voice services will be restored.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtu73538 - Cisco Unified Communications Manager SCCP Registration may Cause Reload
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtu73538 - Cisco Unified Communications Manager Vulnerable to Blind SQL
Injection During Registration
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could allow an unauthenticated, remote attacker to
trigger a device reload or execute SQL commands against the back-end
database. A successful SQL injection could result in the retrieval or
modification of data or a persistent denial of service (DoS) condition
on the affected device. In the case of a device reload, Cisco Unified
Communications Manager will restart the affected processes, but
repeated attacks may result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-cucm
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
- --------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
- -------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
- -----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
These vulnerabilities were publicly disclosed on Bugtraq on November
8, 2011. The Cisco Product Security Incident Response Team (PSIRT) is
not aware of any malicious use of the vulnerabilities described in
this advisory.
These vulnerabilities were reported to Cisco by Felix Lindner of
Recurity Labs GmbH and discovered by Sandro Gauci.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cucm
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9NNqIACgkQQXnnBKKRMNBgiwD/VfOphiCJTL6Xr02s2BRqsbFZ
YO1PFL1hH7CQ7g5l0OYA/3hfhS/3G6Fxm7we72icPhrmtT2Vq0OkPOaKChoXgmM6
=5Cwc
-----END PGP SIGNATURE-----
| VAR-201203-0012 | CVE-2011-4486 | Cisco Unified Communications Manager and Cisco Business Edition Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Communications Manager (CUCM) with software 6.x and 7.x before 7.1(5b)su5, 8.0 before 8.0(3a)su3, and 8.5 and 8.6 before 8.6(2a)su1 and Cisco Business Edition 3000 with software before 8.6.3 and 5000 and 6000 with software before 8.6(2a)su1 allow remote attackers to cause a denial of service (device reload) via a crafted SCCP registration, aka Bug ID CSCtu73538. The problem is Bug ID CSCtu73538 It is a problem.Skillfully crafted by a third party SCCP Service disruption through the registration of ( Device reload ) There is a possibility of being put into a state.
An attacker can exploit this issue to cause an interruption in voice services or cause the affected device to reload, denying service to legitimate users.
This issue is tracked by Cisco Bug ID CSCtu73538.
Cisco has released free software updates that address these
vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as IP
phones, media processing devices, VoIP gateways, and multimedia
applications. Both SCCP ports (TCP ports 2000 and
2443) are affected. After the device restarts, voice services will be restored. Successful exploitation could allow the attacker to modify
certain sections of the SQL database that are utilized by the device.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtu73538 - Cisco Unified Communications Manager SCCP Registration may Cause Reload
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtu73538 - Cisco Unified Communications Manager Vulnerable to Blind SQL
Injection During Registration
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could allow an unauthenticated, remote attacker to
trigger a device reload or execute SQL commands against the back-end
database. A successful SQL injection could result in the retrieval or
modification of data or a persistent denial of service (DoS) condition
on the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-cucm
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
- --------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
- -------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
- -----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
These vulnerabilities were publicly disclosed on Bugtraq on November
8, 2011. The Cisco Product Security Incident Response Team (PSIRT) is
not aware of any malicious use of the vulnerabilities described in
this advisory.
These vulnerabilities were reported to Cisco by Felix Lindner of
Recurity Labs GmbH and discovered by Sandro Gauci.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cucm
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9NNqIACgkQQXnnBKKRMNBgiwD/VfOphiCJTL6Xr02s2BRqsbFZ
YO1PFL1hH7CQ7g5l0OYA/3hfhS/3G6Fxm7we72icPhrmtT2Vq0OkPOaKChoXgmM6
=5Cwc
-----END PGP SIGNATURE-----