Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 6 Apr 2011 20:06:51 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: Moonlight release 2.4.1 with security fixes

Hi,

The Novell Mono developers are just releasing Moonlight (the Mono
Silverlight equivalent) security updates for several critical issues.

The first 3 issues were reported to the Mono team by Jeroen Frijters
(http://www.ikvm.net/).

The fixed versions is 2.4.1 for the 2.4 branch and 3.99.3 for the 3.99
(Moonlight 4 preview) branch.

The main Novell tracker bug for this update:
https://bugzilla.novell.com/show_bug.cgi?id=667077


CVE-2011-0989: modification of read-only values via
RuntimeHelpers.InitializeArray
https://github.com/mono/mono/commit/035c8587c0d8d307e45f1b7171a0d337bb451f1e

The modification of read-only variables (e.g. from outside the sandbox)
could be used for breaking out of the moonlight sandboxing.


CVE-2011-0990: buffer overflow due to race condition in in Array.FastCopy
https://github.com/mono/mono/commit/2f00e4bbb2137130845afb1b2a1e678552fc8e5c

Similar to the above, an array element could be changed to a privileged
read-only element which would then be overwritten.
(So not a lowlevel buffer overflow, but a sandboxing violation/break out.)



CVE-2011-0991: use-after-free due to DynamicMethod resurrection
https://github.com/mono/mono/commit/8eb1189099e02372fd45ca1c67230eccf1edddc0
https://github.com/mono/mono/commit/89d1455a80ef13cddee5d79ec00c06055da3085c


Also fixed in this update:
CVE-2011-0992: information leak due to improper thread finalization
https://bugzilla.novell.com/show_bug.cgi?id=678515
https://github.com/mono/mono/commit/722f9890f09aadfc37ae479e7d946d5fc5ef7b91

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ