Emilien Girault | 10 Feb 16:42

[vs] CVE-2012-1037 GLPI <= 0.80.61 LFI/RFI

Hi,

I found a File Inclusion vulnerability in GLPI <= 0.80.61. I contacted the project team; 
the bug is now patched and a new version is available (0.80.7).

I've published the advisory on fulldisclosure:

http://seclists.org/fulldisclosure/2012/Feb/157

CVE-2012-1037: GLPI <= 0.80.61 LFI/RFI

Severity: Important

Vendor: GLPI - http://www.glpi-project.org

Versions Affected
=================

All versions between 0.78 and 0.80.61

Description
===========

GLPI fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file:

  [...]
  checkLoginUser();

  if (isset($_GET["popup"])) {
     $_SESSION["glpipopup"]["name"] = $_GET["popup"];
(Continue reading)

Henri Salo | 10 Feb 12:36

imagemagick invalid validation DoS CVE-2012-0247 and CVE-2012-0248

Concerning ImageMagick 6.7.5-0 and earlier:

CVE-2012-0247: When parsing a maliciously crafted image with incorrect offset and count in the
ResolutionUnit tag in EXIF IFD0, ImageMagick copies two bytes into an invalid address.
CVE-2012-0248: When parsing a maliciously crafted image with an IFD in which all IOP tags' value offsets
point to the beginning of the IFD itself, ImageMagick parses the IFD structure indefinitely,
causing a denial of service.

For more details please read: http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20286
CERT-FI: http://www.cert.fi/haavoittuvuudet/2012/haavoittuvuus-2012-021.html (finnish)
Reported to Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659339

- Henri Salo

Florian Weimer | 10 Feb 01:24

CVE request: surf

surf does not protect its cookie jar against read access from
other local users, as reported by Jakub Wilk in this Debian bug:

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296>

Could someone please assign a CVE for this?

uzbl <http://uzbl.org/> (in the uzbl-browser wrapper script) and
netsurf <http://www.netsurf-browser.org/> (the nsgtk_check_homedir
function creates the dot directory with world-readable settings) have
a similar issue, but are from different code bases.  I think those
should get distinct CVEs, too.

Kurt Seifried | 9 Feb 18:20

MySQL 0-day - does it need a CVE?

https://lists.immunityinc.com/pipermail/canvas/2012-February/000011.html


Hi,

We are releasing a working MySQL 5.5.20 remote 0day exploit with this
update. The exploit has been tested with mysql-5.5.20-debian6.0-i686.deb
on Debian 6.0.

Best,
Intevydis Ltd.

Does this need a CVE # or have you already gotten one from Mitre?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Moritz Muehlenhoff | 8 Feb 18:26

CVE request: apr - Hash DoS vulnerability

Hi,
APR (Apache Portable Runtime) is affected by the hash collision DoS
class; please assign a CVE ID.

The upstream discussion can be found here:
http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html

Cheers,
        Moritz

Kurt Seifried | 7 Feb 02:05

CVE request: Hash DoS vulnerability (ocert-2011-003)

So going through various things, it looks like OCaml is vulnerable and has
not had a CVE # assigned for this issue yet.

Discussion of the issue takes place on the mailing list, here is a link
for the originating thread:

http://www.mail-archive.com/caml-list-MZpvjPyXg2s <at> public.gmane.org/msg01477.html

There doesn't appear to be a fix yet.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Solar Designer | 6 Feb 10:42

CVE-2011-4325 Linux kernel: nfs: diotest4 from LTP crash client

Hi,

I could not find this one on oss-security.

http://rhn.redhat.com/errata/RHSA-2012-0007.html says "A flaw was found
in the Linux kernel's NFS implementation. A local, unprivileged user
could use this flaw to cause a denial of service.  (CVE-2011-4325,
Moderate)"

https://bugzilla.redhat.com/show_bug.cgi?id=755455 mentions "null
pointer deref" in its title and says "diotest4 from LTP will crash
client on NFS mount. Not a regression, 5.7 GA kernel has the same
issue."  It refers to:

Upstream commit:
http://git.kernel.org/linus/1ae88b2e4 (v2.6.31-rc6)

The commit message:

"We can't call nfs_readdata_release()/nfs_writedata_release() without
first initialising and referencing args.context. Doing so inside
nfs_direct_read_schedule_segment()/nfs_direct_write_schedule_segment()
causes an Oops.

We should rather be calling nfs_readdata_free()/nfs_writedata_free() in
those cases.

Looking at the O_DIRECT code, the "struct nfs_direct_req" is already
referencing the nfs_open_context for us. Since the readdata and writedata
structures carry a reference to that, we can simplify things by getting rid
(Continue reading)

Solar Designer | 6 Feb 05:27

CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access

Hi,

I just analyzed this issue a little bit and thought I'd post a followup
to the thread on oss-security, but to my surprise I could not find the
issue mentioned in here, even though "nearby" ones (e.g. fixed in RHEL
at about the same time) were brought to this list.  I guess this has to
do with differences in CVE assignment - when an issue already has a CVE
ID, it is less likely to be brought up in here - which I find wrong.
This shouldn't be just a CVE ID assignment list, but a general Open
Source security list.  Anyway, to the specific issue:

http://rhn.redhat.com/errata/RHSA-2012-0007.html says "A missing
validation flaw was found in the Linux kernel's m_stop() implementation.
A local, unprivileged user could use this flaw to trigger a denial of
service. (CVE-2011-3637, Moderate)"  So I wanted to verify whether the
impact is in fact limited to a DoS.  More links:

https://bugzilla.redhat.com/show_bug.cgi?id=747848

The fix, which I confirmed that it's included in at least OpenVZ's
linux-2.6.18-274.17.1.el5.028stab097.1, which is what I happen to care
about at this time:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=76597cd31470fa130784c78fadb4dab2e624a723

-	vma_stop(priv, vma);
+	if (!IS_ERR(vma))
+		vma_stop(priv, vma);
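Review bot: the guard on the `+` lines, `if (!IS_ERR(vma))`, only skips vma_stop() for error-encoded pointers; IS_ERR() is false for NULL, so if m_start() can also hand back NULL the cleanup call still receives it. Confirm that vma_stop() tolerates a NULL vma, or widen the check to `if (!IS_ERR_OR_NULL(vma))`. For the ERR_PTR case this is the right fix: the unguarded `- vma_stop(priv, vma);` is where an error value from m_start() was being dereferenced as a vma.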

Linus' commit message:
(Continue reading)

Henri Salo | 3 Feb 14:25

CVE-request: Joomla! Security News 2012-02-03

And again few Joomla security issues without CVE.

- Henri Salo

----- Forwarded message from Joomla! Developer Network - Security News
<no_reply@...> -----

Date: Fri, 03 Feb 2012 13:11:55 +0000
From: Joomla! Developer Network - Security News <no_reply@...>
To: henri@...
Subject: Joomla! Security News

Joomla! Developer Network - Security News

///////////////////////////////////////////
[20120201] - Core - Information Disclosure

Posted: 01 Feb 2012 09:25 PM PST
http://feedproxy.google.com/~r/JoomlaSecurityNews/~3/PkBR45UJQxo/387-20120201-core-information-disclosure.html?utm_source=feedburner&utm_medium=email

Project: Joomla!
SubProject: All
Severity: Low
Versions: 2.5.0 and 1.7.0 - 1.7.4
Exploit type: Information Disclosure
Reported Date: 2012-January-29
Fixed Date: 2012-February-02

Description

(Continue reading)

Marcus Meissner | 3 Feb 11:37

CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations

Hi,

After a customer query, likely coming from erroneous security scanner output,
this issue from 2002 has no CVE id yet as far as I see:

http://www.kb.cert.org/vuls/id/464113

It describes a problem where firewalls might let some TCP flag combinations
pass (e.g. all with the RST flag set) and the OS (e.g. Linux) stack would in turn
accept a TCP session it might not have accepted otherwise.

The protection added in Linux 2.4.20 is checking for the RST (reset) flag
when a SYN packet is received, which was I think the main attack scenario.

The relevant part of the 2.4.20 patch is:

@@ -3667,6 +3693,9 @@
                if(th->ack)
                        return 1;

+               if(th->rst)
+                       goto discard;
+
                if(th->syn) {
                        if(tp->af_specific->conn_request(sk, skb) < 0)
                                return 1;
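Review bot: the new `if(th->rst) goto discard;` sits after `if(th->ack) return 1;`, so a segment carrying both ACK and RST still takes the ACK path and is answered (return 1) instead of being silently dropped; RFC 793's LISTEN-state processing checks for RST first and ignores the segment before it looks at ACK, so consider moving the RST check above the ACK check. As placed, the hunk does discard RST-with-SYN segments without ACK, which is the scenario the mail describes.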

The check still exists in current mainline git, so the issue is still fixed.

(Continue reading)

Ian Campbell | 3 Feb 10:33

Adding Xen.org contact to linux-distros security list

Hello,

Would it be possible for me to be subscribed to the linux-distros
security list as a representative of Xen.org?

Although Xen.org is not a distro we do incorporate upstream software and
one of our upstreams (qemu) uses this list as their embargoed security
announcement channel. We would like to be able to co-ordinate the
release of fixes into our own qemu trees.

Many thanks,

Ian.
