Weekly Vulnerabilities Reports > March 28 to April 3, 2011

Overview

37 new vulnerabilities were reported during this period, including 3 critical and 2 high severity vulnerabilities. This weekly summary reports vulnerabilities in 36 products from 29 vendors, including Gentoo, Glyphandcog, T1Lib, Foolabs, and Debian. The vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Resource Management Errors", and "Cross-Site Request Forgery (CSRF)".

  • 23 reported vulnerabilities are remotely exploitable.
  • 3 reported vulnerabilities have a public exploit available.
  • 6 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 36 reported vulnerabilities are exploitable by an anonymous user.
  • Gentoo has the most reported vulnerabilities, with 6 reported vulnerabilities.
  • Videolan has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

[Summary counts table: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web applications]

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


3 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-03-28 CVE-2011-0024 Wireshark Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Wireshark

Heap-based buffer overflow in wiretap/pcapng.c in Wireshark before 1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted capture file.

9.3
2011-03-28 CVE-2010-3276 Videolan Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Videolan VLC Media Player

libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote attackers to execute arbitrary code via a crafted width in an NSV file.

9.3
2011-03-28 CVE-2010-3275 Videolan Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Videolan VLC Media Player

libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote attackers to execute arbitrary code via a crafted width in an AMV file, related to a "dangling pointer vulnerability."

9.3

2 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-03-29 CVE-2011-1472 Nokia Improper Authentication vulnerability in Nokia E75 and E75 Firmware

The Nokia E75 phone with firmware before 211.12.01 allows physically proximate attackers to bypass the Device Lock code by entering an unspecified button sequence at boot time.

7.2
2011-03-28 CVE-2011-1420 EMC / Oracle Permissions, Privileges, and Access Controls vulnerability in multiple products

EMC Data Protection Advisor Collector 5.7 and 5.7.1 on Solaris SPARC platforms uses weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.

7.2

29 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-03-31 CVE-2011-0727 Gnome Link Following vulnerability in Gnome GDM

GNOME Display Manager (gdm) 2.x before 2.32.1 allows local users to change the ownership of arbitrary files via a symlink attack on a (1) dmrc or (2) face icon file under /var/cache/gdm/.

6.9
2011-03-30 CVE-2011-1551 Novell Permissions, Privileges, and Access Controls vulnerability in Novell Opensuse Factory

SUSE openSUSE Factory assigns ownership of the /var/log/cobbler/ directory tree to the web-service user account, which might allow local users to gain privileges by leveraging access to this account during root filesystem operations by the Cobbler daemon.

6.9
2011-03-30 CVE-2011-1154 Gentoo Improper Input Validation vulnerability in Gentoo Logrotate

The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name.

6.9
2011-03-30 CVE-2009-5064 GNU Permissions, Privileges, and Access Controls vulnerability in GNU Glibc

** DISPUTED ** ldd in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows local users to gain privileges via a Trojan horse executable file linked with a modified loader that omits certain LD_TRACE_LOADED_OBJECTS checks.

6.9
2011-03-29 CVE-2011-1205 IBM Buffer Errors vulnerability in IBM products

Multiple buffer overflows in unspecified COM objects in Rational Common Licensing 7.0 through 7.1.1.4 in IBM Rational ClearCase 7.0.0.4 through 7.1.1.4, ClearQuest 7.0.0.4 through 7.1.1.4, and other products allow local users to gain privileges via a Trojan horse HTML document in the My Computer zone.

6.9
2011-03-28 CVE-2011-0458 Google Unspecified vulnerability in Google Picasa 3.6

Untrusted search path vulnerability in the Locate on Disk feature in Google Picasa before 3.8 allows local users to gain privileges via a Trojan horse executable file in the current working directory.

6.9
2011-03-31 CVE-2011-0764 T1Lib / Foolabs / Glyphandcog Improper Input Validation vulnerability in multiple products

t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf.

6.8
2011-03-28 CVE-2011-1167 Libtiff Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libtiff

Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value.

6.8
2011-03-28 CVE-2011-0545 Symantec Cross-Site Request Forgery (CSRF) vulnerability in Symantec Liveupdate Administrator 2.2.2.9

Cross-site request forgery (CSRF) vulnerability in adduser.do in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts, and possibly have unspecified other impact, via the userRole parameter.

6.8
2011-03-30 CVE-2011-1550 Gentoo / Novell Permissions, Privileges, and Access Controls vulnerability in Gentoo Logrotate

The default configuration of logrotate on SUSE openSUSE Factory uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories for the (1) cobbler, (2) inn, (3) safte-monitor, and (4) uucp packages.

6.3
2011-03-30 CVE-2011-1549 Gentoo Permissions, Privileges, and Access Controls vulnerability in Gentoo Logrotate

The default configuration of logrotate on Gentoo Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories under /var/log/ for packages.

6.3
2011-03-30 CVE-2011-1548 Gentoo / Debian Permissions, Privileges, and Access Controls vulnerability in Gentoo Logrotate

The default configuration of logrotate on Debian GNU/Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by /var/log/postgresql/.

6.3
2011-03-29 CVE-2011-0441 PHP Link Following vulnerability in PHP 5.3.5

The Debian GNU/Linux /etc/cron.d/php5 cron job for PHP 5.3.5 allows local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/.

6.3
2011-03-28 CVE-2011-0440 Mahara Cross-Site Request Forgery (CSRF) vulnerability in Mahara

Cross-site request forgery (CSRF) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that delete blogs.

5.8
2011-03-30 CVE-2011-1097 Samba Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Samba Rsync

rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data.

5.1
2011-03-31 CVE-2011-1175 Digium Denial Of Service vulnerability in Asterisk TCP/TLS Server NULL Pointer Dereference

tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before 1.6.1.23, 1.6.2.x before 1.6.2.17.1, and 1.8.x before 1.8.3.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by establishing many short TCP sessions to services that use a certain TLS API.

5.0
2011-03-31 CVE-2011-1174 Digium Resource Management Errors vulnerability in Digium Asterisk

manager.c in Asterisk Open Source 1.6.1.x before 1.6.1.24, 1.6.2.x before 1.6.2.17.2, and 1.8.x before 1.8.3.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a series of manager sessions involving invalid data.

5.0
2011-03-31 CVE-2011-0963 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco NAC Guest Server and NAC Guest Server Software

The default configuration of the RADIUS authentication feature on the Cisco Network Admission Control (NAC) Guest Server with software before 2.0.3 allows remote attackers to bypass intended access restrictions and obtain network connectivity via unspecified vectors, aka Bug ID CSCtj66922.

5.0
2011-03-29 CVE-2010-1675 Quagga Resource Management Errors vulnerability in Quagga

bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (session reset) via a malformed AS_PATHLIMIT path attribute.

5.0
2011-03-29 CVE-2010-1674 Quagga Denial Of Service vulnerability in Quagga BGP Daemon Null Pointer Dereference

The extended-community parser in bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed Extended Communities attribute.

5.0
2011-03-31 CVE-2011-1554 T1Lib / Foolabs / Glyphandcog Numeric Errors vulnerability in multiple products

Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory read, integer overflow, and invalid pointer dereference, a different vulnerability than CVE-2011-0764.

4.3
2011-03-31 CVE-2011-1553 T1Lib / Foolabs / Glyphandcog Resource Management Errors vulnerability in multiple products

Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory write, a different vulnerability than CVE-2011-0764.

4.3
2011-03-31 CVE-2011-1552 T1Lib / Foolabs / Glyphandcog Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6, teTeX, and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than CVE-2011-0764.

4.3
2011-03-31 CVE-2010-3695 Horde Cross-Site Scripting vulnerability in Horde Groupware and IMP

Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration.

4.3
2011-03-29 CVE-2011-1176 MPM ITK Project / Debian

The configuration merger in itk.c in the Steinar H.

4.3
2011-03-29 CVE-2011-0892 HP Cross-Site Scripting vulnerability in HP Diagnostics 7.5/8.0

Cross-site scripting (XSS) vulnerability in HP Diagnostics 7.5x and 8.0x before 8.05.54.225 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

4.3
2011-03-28 CVE-2011-1524 Symantec Cross-Site Scripting vulnerability in Symantec Liveupdate Administrator

Cross-site scripting (XSS) vulnerability in the management login GUI page in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to inject arbitrary web script or HTML via the username field, as demonstrated by injecting an IFRAME element into the event log, a different vulnerability than CVE-2011-0545.

4.3
2011-03-28 CVE-2011-0760 Adminofsystem / Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Adminofsystem WP Related Posts 1.0

Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration screen in wp-relatedposts.php in the WP Related Posts plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the (1) wp_relatedposts_title, (2) wp_relatedposts_num, or (3) wp_relatedposts_type parameter.

4.3
2011-03-28 CVE-2011-0439 Mahara Cross-Site Scripting vulnerability in Mahara

Cross-site scripting (XSS) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to inject arbitrary web script or HTML via the Pieforms select box.

4.3

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-03-29 CVE-2011-0728 Michael Hudson Doyle Cross-Site Scripting vulnerability in Michael Hudson-Doyle Loggerhead

Cross-site scripting (XSS) vulnerability in templatefunctions.py in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view.

3.5
2011-03-30 CVE-2011-1155 Gentoo Resource Management Errors vulnerability in Gentoo Logrotate

The writeState function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to cause a denial of service (rotation outage) via a (1) \n (newline) or (2) \ (backslash) character in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name.

1.9
2011-03-30 CVE-2011-1098 Gentoo Race Condition vulnerability in Gentoo Logrotate

Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place.

1.9