Vulnerabilities > CVE-2013-1591 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Stack-based buffer overflow in libpixman, as used in Pale Moon before 15.4 and possibly other products, has unspecified impact and context-dependent attack vectors. NOTE: this issue might be resultant from an integer overflow in the fast_composite_scaled_bilinear function in pixman-inlines.h, which triggers an infinite loop.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20130327_PIXMAN_ON_SL6_X.NASL description An integer overflow flaw was discovered in one of pixman last seen 2020-03-18 modified 2013-03-28 plugin id 65716 published 2013-03-28 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65716 title Scientific Linux Security Update : pixman on SL6.x i386/x86_64 (20130327) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(65716); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/27"); script_cve_id("CVE-2013-1591"); script_name(english:"Scientific Linux Security Update : pixman on SL6.x i386/x86_64 (20130327)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An integer overflow flaw was discovered in one of pixman's manipulation routines. If a remote attacker could trick an application using pixman into performing a certain manipulation, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-1591) All applications using pixman must be restarted for this update to take effect." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=6305 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?2e917955" ); script_set_attribute( attribute:"solution", value: "Update the affected pixman, pixman-debuginfo and / or pixman-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pixman"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pixman-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pixman-devel"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/31"); script_set_attribute(attribute:"patch_publication_date", value:"2013/03/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"pixman-0.26.2-5.el6_4")) flag++; if (rpm_check(release:"SL6", reference:"pixman-debuginfo-0.26.2-5.el6_4")) flag++; if (rpm_check(release:"SL6", reference:"pixman-devel-0.26.2-5.el6_4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pixman / pixman-debuginfo / pixman-devel"); }NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-0687.NASL description From Red Hat Security Advisory 2013:0687 : Updated pixman packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Pixman is a pixel manipulation library for the X Window System and Cairo. An integer overflow flaw was discovered in one of pixman last seen 2020-06-01 modified 2020-06-02 plugin id 68798 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68798 title Oracle Linux 6 : pixman (ELSA-2013-0687) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2013:0687 and # Oracle Linux Security Advisory ELSA-2013-0687 respectively. # include("compat.inc"); if (description) { script_id(68798); script_version("1.7"); script_cvs_date("Date: 2019/09/30 10:58:18"); script_cve_id("CVE-2013-1591"); script_bugtraq_id(58193); script_xref(name:"RHSA", value:"2013:0687"); script_name(english:"Oracle Linux 6 : pixman (ELSA-2013-0687)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2013:0687 : Updated pixman packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Pixman is a pixel manipulation library for the X Window System and Cairo. An integer overflow flaw was discovered in one of pixman's manipulation routines. If a remote attacker could trick an application using pixman into performing a certain manipulation, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-1591) Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All applications using pixman must be restarted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2013-March/003390.html" ); script_set_attribute( attribute:"solution", value:"Update the affected pixman packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pixman"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pixman-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/31"); script_set_attribute(attribute:"patch_publication_date", value:"2013/03/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL6", reference:"pixman-0.26.2-5.el6_4")) flag++; if (rpm_check(release:"EL6", reference:"pixman-devel-0.26.2-5.el6_4")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pixman / pixman-devel"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0687.NASL description Updated pixman packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Pixman is a pixel manipulation library for the X Window System and Cairo. An integer overflow flaw was discovered in one of pixman last seen 2020-06-01 modified 2020-06-02 plugin id 65714 published 2013-03-28 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65714 title RHEL 6 : pixman (RHSA-2013:0687) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2013:0687. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(65714); script_version("1.13"); script_cvs_date("Date: 2019/10/24 15:35:37"); script_cve_id("CVE-2013-1591"); script_bugtraq_id(58193); script_xref(name:"RHSA", value:"2013:0687"); script_name(english:"RHEL 6 : pixman (RHSA-2013:0687)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated pixman packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Pixman is a pixel manipulation library for the X Window System and Cairo. An integer overflow flaw was discovered in one of pixman's manipulation routines. If a remote attacker could trick an application using pixman into performing a certain manipulation, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-1591) Users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All applications using pixman must be restarted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2013:0687" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2013-1591" ); script_set_attribute( attribute:"solution", value: "Update the affected pixman, pixman-debuginfo and / or pixman-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pixman"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pixman-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pixman-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.4"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/31"); script_set_attribute(attribute:"patch_publication_date", value:"2013/03/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2013:0687"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", reference:"pixman-0.26.2-5.el6_4")) flag++; if (rpm_check(release:"RHEL6", reference:"pixman-debuginfo-0.26.2-5.el6_4")) flag++; if (rpm_check(release:"RHEL6", reference:"pixman-devel-0.26.2-5.el6_4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pixman / pixman-debuginfo / pixman-devel"); } }NASL family Fedora Local Security Checks NASL id FEDORA_2013-2414.NASL description Update to pixman 0.28 to address CVE-2013-1591 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-02-27 plugin id 64900 published 2013-02-27 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64900 title Fedora 18 : pixman-0.28.0-1.fc18 (2013-2414) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2013-2414. # include("compat.inc"); if (description) { script_id(64900); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2013-1591"); script_xref(name:"FEDORA", value:"2013-2414"); script_name(english:"Fedora 18 : pixman-0.28.0-1.fc18 (2013-2414)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to pixman 0.28 to address CVE-2013-1591 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=910149" ); # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/099334.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?22033d60" ); script_set_attribute( attribute:"solution", value:"Update the affected pixman package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:pixman"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18"); script_set_attribute(attribute:"patch_publication_date", value:"2013/02/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^18([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC18", reference:"pixman-0.28.0-1.fc18")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pixman"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0746.NASL description An updated rhev-hypervisor6 package that fixes several security issues and various bugs is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796) A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797) A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory. (CVE-2013-1798) An integer overflow flaw was discovered in one of pixman last seen 2020-06-01 modified 2020-06-02 plugin id 78955 published 2014-11-08 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78955 title RHEL 6 : rhev-hypervisor6 (RHSA-2013:0746) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2013:0746. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(78955); script_version("1.11"); script_cvs_date("Date: 2019/10/24 15:35:37"); script_cve_id("CVE-2013-1591", "CVE-2013-1796", "CVE-2013-1797", "CVE-2013-1798"); script_bugtraq_id(58193, 58604, 58605, 58607); script_xref(name:"RHSA", value:"2013:0746"); script_name(english:"RHEL 6 : rhev-hypervisor6 (RHSA-2013:0746)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "An updated rhev-hypervisor6 package that fixes several security issues and various bugs is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way KVM handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level. (CVE-2013-1796) A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host. (CVE-2013-1797) A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory. (CVE-2013-1798) An integer overflow flaw was discovered in one of pixman's manipulation routines. If a remote attacker could trick an application using pixman into performing a certain manipulation, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-1591) Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797, and CVE-2013-1798. This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2013-2266 (a bind issue) CVE-2012-5195, CVE-2012-5526, CVE-2012-6329, and CVE-2013-1667 (perl issues) This update contains the fixes from the following errata : ovirt-node: RHBA-2013:0745 libvirt: RHBA-2013:0725 vdsm: RHBA-2013:0704 kernel: RHSA-2013:0744 Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects these issues." ); # https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?c6b506c4" ); # https://rhn.redhat.com/errata/RHBA-2013-0745.html script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHBA-2013:0745" ); # https://rhn.redhat.com/errata/RHBA-2013-0725.html script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHBA-2013:0725" ); # https://rhn.redhat.com/errata/RHBA-2013-0704.html script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHBA-2013:0704" ); script_set_attribute( attribute:"see_also", value:"https://rhn.redhat.com/errata/RHSA-2013-0744.html" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2013:0746" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2013-1591" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2013-1798" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2013-1796" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2013-1797" ); script_set_attribute( attribute:"solution", value:"Update the affected rhev-hypervisor6 package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/31"); script_set_attribute(attribute:"patch_publication_date", value:"2013/04/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/08"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2013:0746"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", reference:"rhev-hypervisor6-6.4-20130415.0.el6_4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rhev-hypervisor6"); } }NASL family SuSE Local Security Checks NASL id SUSE_11_LIBPIXMAN-1-0-130726.NASL description A stack-based buffer overflow in the pixman library has been fixed. (CVE-2013-1591) last seen 2020-06-05 modified 2013-08-23 plugin id 69457 published 2013-08-23 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69457 title SuSE 11.3 Security Update : libpixman (SAT Patch Number 8119) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-686.NASL description libpixman was updated to fix a stack based buffer overflow (CVE-2013-1591). last seen 2020-06-05 modified 2014-06-13 plugin id 75131 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75131 title openSUSE Security Update : pixman (openSUSE-SU-2013:1421-1) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-116.NASL description Updated pixman packages fix security vulnerability : Stack-based buffer overflow in libpixman has unspecified impact and attack vectors (CVE-2013-1591). last seen 2020-06-01 modified 2020-06-02 plugin id 66128 published 2013-04-20 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66128 title Mandriva Linux Security Advisory : pixman (MDVSA-2013:116) NASL family Fedora Local Security Checks NASL id FEDORA_2013-2450.NASL description Update to pixman 0.28 to address CVE-2013-1591 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-03-04 plugin id 64974 published 2013-03-04 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64974 title Fedora 17 : pixman-0.28.0-1.fc17 (2013-2450) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-0687.NASL description Updated pixman packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Pixman is a pixel manipulation library for the X Window System and Cairo. An integer overflow flaw was discovered in one of pixman last seen 2020-06-01 modified 2020-06-02 plugin id 65725 published 2013-03-29 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65725 title CentOS 6 : pixman (CESA-2013:0687)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://www.palemoon.org/releasenotes-ng.shtml
- https://bugzilla.redhat.com/show_bug.cgi?id=910149
- http://rhn.redhat.com/errata/RHSA-2013-0746.html
- http://cgit.freedesktop.org/pixman/commit/?id=de60e2e0e3eb6084f8f14b63f25b3cbfb012943f
- http://rhn.redhat.com/errata/RHSA-2013-0687.html
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0077
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:116
- https://support.f5.com/csp/article/K51392553