Executive Summary
Summary | |
---|---|
Title | gnome-vfs2 security and bug fix update |
Informations | |||
---|---|---|---|
Name | RHSA-2013:0131 | First vendor Publication | 2013-01-08 |
Vendor | RedHat | Last vendor Modification | 2013-01-08 |
Severity (Vendor) | Low | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated gnome-vfs2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: The gnome-vfs2 packages provide the GNOME Virtual File System, which is the foundation of the Nautilus file manager. neon is an HTTP and WebDAV client library embedded in the gnome-vfs2 packages. A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. Visiting a malicious DAV server with an application using gnome-vfs2 (such as Nautilus) could possibly cause the application to consume an excessive amount of CPU and memory. (CVE-2009-2473) This update also fixes the following bugs: * When extracted from the Uniform Resource Identifier (URI), gnome-vfs2 returned escaped file paths. If a path, as stored in the URI, contained non-ASCII characters or ASCII characters which are parsed as something other than a file path (for example, spaces), the escaped path was inaccurate. Consequently, files with the described type of URI could not be processed. With this update, gnome-vfs2 properly unescapes paths that are required for a system call. As a result, these paths are parsed properly. (BZ#580855) * In certain cases, the trash info file was populated by foreign entries, pointing to live data. Emptying the trash caused an accidental deletion of valuable data. With this update, a workaround has been applied in order to prevent the deletion. As a result, the accidental data loss is prevented, however further information is still gathered to fully fix this problem. (BZ#586015) * Due to a wrong test checking for a destination file system, the Nautilus file manager failed to delete a symbolic link to a folder which was residing in another file system. With this update, a special test has been added. As a result, a symbolic link pointing to another file system can be trashed or deleted properly. (BZ#621394) * Prior to this update, when directories without a read permission were marked for copy, the Nautilus file manager skipped these unreadable directories without notification. With this update, Nautilus displays an error message and properly informs the user about the aforementioned problem. (BZ#772307) * Previously, gnome-vfs2 used the stat() function calls for every file on the MultiVersion File System (MVFS), used for example by IBM Rational ClearCase. This behavior significantly slowed down file operations. With this update, the unnecessary stat() operations have been limited. As a result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive. (BZ#822817) All gnome-vfs2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 518215 - CVE-2009-2473 neon: billion laughs DoS attack 580855 - Cannot delete folder contents if the name of the folder contains spaces 621394 - can't delete symlink to other filesystem 822817 - Fix Gnome VFS components to not stat every file on an ClearCase mvfs filesystem 848822 - Problem while loading OAFIID: GNOME_Panel_TrashApplet |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2013-0131.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-399 | Resource Management Errors |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:21012 | |||
Oval ID: | oval:org.mitre.oval:def:21012 | ||
Title: | RHSA-2013:0131: gnome-vfs2 security and bug fix update (Low) | ||
Description: | neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:0131-00 CESA-2013:0131 CVE-2009-2473 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | gnome-vfs2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23415 | |||
Oval ID: | oval:org.mitre.oval:def:23415 | ||
Title: | ELSA-2013:0131: gnome-vfs2 security and bug fix update (Low) | ||
Description: | neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:0131-00 CVE-2009-2473 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | gnome-vfs2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27176 | |||
Oval ID: | oval:org.mitre.oval:def:27176 | ||
Title: | DEPRECATED: ELSA-2013-0131 -- gnome-vfs2 security and bug fix update (low) | ||
Description: | [2.16.2-10.el5] - Prevent trash applet crashing (#848822) [2.16.2-9.el5] - Prevent deleting items linking out of the trash (#586015) - Do not stat every file on an ClearCase mvfs filesystem (#822817) - Do not silently skip directory having no read permission during copy (#772307) - Allow trashing symlink to filesystem root that does not support trashing (#621394) - CVE-2009-2473 gnome-vfs2 embedded neon: billion laughs DoS attack (#540548) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-0131 CVE-2009-2473 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | gnome-vfs2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:9461 | |||
Oval ID: | oval:org.mitre.oval:def:9461 | ||
Title: | neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | ||
Description: | neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-2473 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2011-09-07 | Name : Mac OS X v10.6.4 Multiple Vulnerabilities (2010-007) File : nvt/gb_macosx_su10-007.nasl |
2011-08-09 | Name : CentOS Update for neon CESA-2009:1452 centos4 i386 File : nvt/gb_CESA-2009_1452_neon_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for neon CESA-2009:1452 centos5 i386 File : nvt/gb_CESA-2009_1452_neon_centos5_i386.nasl |
2009-11-11 | Name : SLES10: Security update for neon File : nvt/sles10_neon.nasl |
2009-11-11 | Name : SLES11: Security update for libneon File : nvt/sles11_libneon27.nasl |
2009-11-11 | Name : SuSE Security Summary SUSE-SR:2009:018 File : nvt/suse_sr_2009_018.nasl |
2009-09-28 | Name : RedHat Security Advisory RHSA-2009:1452 File : nvt/RHSA_2009_1452.nasl |
2009-09-28 | Name : CentOS Security Advisory CESA-2009:1452 (neon) File : nvt/ovcesa2009_1452.nasl |
2009-09-02 | Name : Fedora Core 10 FEDORA-2009-8794 (neon) File : nvt/fcore_2009_8794.nasl |
2009-09-02 | Name : Fedora Core 11 FEDORA-2009-8815 (neon) File : nvt/fcore_2009_8815.nasl |
2009-09-02 | Name : Mandrake Security Advisory MDVSA-2009:221 (libneon0.27) File : nvt/mdksa_2009_221.nasl |
2009-08-27 | Name : Neon Certificate Spoofing and Denial of Service Vulnerability File : nvt/secpod_neon_cert_spoofing_n_dos_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
57423 | Expat XML Parser Malformed UTF-8 Sequence Handling DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0131.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1452.nasl - Type : ACT_GATHER_INFO |
2013-01-17 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0131.nasl - Type : ACT_GATHER_INFO |
2013-01-17 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130108_gnome_vfs2_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-01-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0131.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090921_neon_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2010-11-10 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_6_5.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_neon-6549.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1452.nasl - Type : ACT_GATHER_INFO |
2009-10-30 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libneon-devel-091012.nasl - Type : ACT_GATHER_INFO |
2009-10-30 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_libneon-devel-091012.nasl - Type : ACT_GATHER_INFO |
2009-10-30 | Name : The remote openSUSE host is missing a security update. File : suse_libneon-devel-6550.nasl - Type : ACT_GATHER_INFO |
2009-10-29 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libneon-devel-091012.nasl - Type : ACT_GATHER_INFO |
2009-10-29 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_neon-6548.nasl - Type : ACT_GATHER_INFO |
2009-09-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1452.nasl - Type : ACT_GATHER_INFO |
2009-08-25 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-221.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8815.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8794.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:56:38 |
|
2013-01-08 09:18:12 |
|