Bug 694933 (CVE-2011-0989, CVE-2011-0990, CVE-2011-0991, CVE-2011-0992) - CVE-2011-0989 CVE-2011-0990 CVE-2011-0991 CVE-2011-0992 mono: multiple vulnerabilities fixed in 2.4.1/3.99.3
Status: CLOSED UPSTREAM
Alias: CVE-2011-0989, CVE-2011-0990, CVE-2011-0991, CVE-2011-0992
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: public=20110406,reported=20110408,sou...
Depends On: 694934
Reported: 2011-04-08 23:24 UTC by Vincent Danen
Modified: 2019-06-10 10:57 UTC

Doc Type: Bug Fix
Last Closed: 2019-06-10 10:57:46 UTC



Description Vincent Danen 2011-04-08 23:24:37 UTC
It was reported [1] that threads in Mono were not properly cleaned up upon finalization, so if one thread was resurrected, it would be possible to see the pointer to freed memory.  This could lead to unintended information disclosure, and possibly a crash.

This has been corrected upstream [2].

[1] https://bugzilla.novell.com/show_bug.cgi?id=678515
[2] https://github.com/mono/mono/commit/722f9890f09aadfc37ae479e7d946d5fc5ef7b91

Comment 1 Vincent Danen 2011-04-08 23:25:56 UTC
Created mono tracking bugs for this issue

Affects: fedora-all [bug 694934]

Comment 2 Vincent Danen 2011-04-13 22:16:43 UTC
There are additional flaws that were fixed in mono, but judging by their descriptions, they are only problems when moonlight is used (which we do not ship).

For reference, and because we may want to patch them as well (since the fix was done in mono):

CVE-2011-0989:
https://bugzilla.novell.com/show_bug.cgi?id=667077
https://github.com/mono/mono/commit/035c8587c0d8d307e45f1b7171a0d337bb451f1e

The RuntimeHelpers.InitializeArray method in metadata/icall.c in Mono,
when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, does not
properly restrict data types, which allows remote attackers to modify
internal read-only data structures, and cause a denial of service
(plugin crash) or corrupt the internal state of the security manager,
via a crafted media file, as demonstrated by modifying a C# struct.

CVE-2011-0990:
https://bugzilla.novell.com/show_bug.cgi?id=667077
https://github.com/mono/mono/commit/2f00e4bbb2137130845afb1b2a1e678552fc8e5c

Race condition in the FastCopy optimization in the Array.Copy method
in metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x
before 3.99.3 is used, allows remote attackers to trigger a buffer
overflow and modify internal data structures, and cause a denial of
service (plugin crash) or corrupt the internal state of the security
manager, via a crafted media file in which a thread makes a change
after a type check but before a copy action.

CVE-2011-0991:
https://bugzilla.novell.com/show_bug.cgi?id=660422
https://bugzilla.novell.com/show_bug.cgi?id=667077
https://github.com/mono/mono/commit/3f8ee42b8c867d9a4c18c22657840d072cca5c3a
https://github.com/mono/mono/commit/89d1455a80ef13cddee5d79ec00c06055da3085c
https://github.com/mono/mono/commit/8eb1189099e02372fd45ca1c67230eccf1edddc0

Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1
or 3.x before 3.99.3 is used, allows remote attackers to cause a
denial of service or possibly have unspecified other impact via
vectors related to finalizing and then resurrecting a DynamicMethod
instance.

CVE-2011-0992:
https://bugzilla.novell.com/show_bug.cgi?id=667077
https://bugzilla.novell.com/show_bug.cgi?id=678515
https://bugzilla.redhat.com/show_bug.cgi?id=694933
https://github.com/mono/mono/commit/722f9890f09aadfc37ae479e7d946d5fc5ef7b91

Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1
or 3.x before 3.99.3 is used, allows remote attackers to cause a
denial of service (plugin crash) or obtain sensitive information via
vectors related to member data in a resurrected MonoThread instance.

Comment 3 Product Security DevOps Team 2019-06-10 10:57:46 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

