It was reported [1] that threads in Mono were not properly cleaned up upon finalization, so if one thread was resurrected, it would be possible to see the pointer to freed memory. This could lead to unintended information disclosure, and possibly a crash. This has been corrected upstream [2].

[1] https://bugzilla.novell.com/show_bug.cgi?id=678515
[2] https://github.com/mono/mono/commit/722f9890f09aadfc37ae479e7d946d5fc5ef7b91

Created mono tracking bugs for this issue

Affects: fedora-all [bug 694934]

There are additional flaws that were fixed in mono, but judging by their descriptions, they are only problems when moonlight is used (which we do not ship). For reference, and because we may want to patch them as well (since the fix was done in mono):

CVE-2011-0989:
https://bugzilla.novell.com/show_bug.cgi?id=667077
https://github.com/mono/mono/commit/035c8587c0d8d307e45f1b7171a0d337bb451f1e

The RuntimeHelpers.InitializeArray method in metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, does not properly restrict data types, which allows remote attackers to modify internal read-only data structures, and cause a denial of service (plugin crash) or corrupt the internal state of the security manager, via a crafted media file, as demonstrated by modifying a C# struct.

CVE-2011-0990:
https://bugzilla.novell.com/show_bug.cgi?id=667077
https://github.com/mono/mono/commit/2f00e4bbb2137130845afb1b2a1e678552fc8e5c

Race condition in the FastCopy optimization in the Array.Copy method in metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to trigger a buffer overflow and modify internal data structures, and cause a denial of service (plugin crash) or corrupt the internal state of the security manager, via a crafted media file in which a thread makes a change after a type check but before a copy action.

CVE-2011-0991:
https://bugzilla.novell.com/show_bug.cgi?id=660422
https://bugzilla.novell.com/show_bug.cgi?id=667077
https://github.com/mono/mono/commit/3f8ee42b8c867d9a4c18c22657840d072cca5c3a
https://github.com/mono/mono/commit/89d1455a80ef13cddee5d79ec00c06055da3085c
https://github.com/mono/mono/commit/8eb1189099e02372fd45ca1c67230eccf1edddc0

Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to finalizing and then resurrecting a DynamicMethod instance.

CVE-2011-0992:
https://bugzilla.novell.com/show_bug.cgi?id=667077
https://bugzilla.novell.com/show_bug.cgi?id=678515
https://bugzilla.redhat.com/show_bug.cgi?id=694933
https://github.com/mono/mono/commit/722f9890f09aadfc37ae479e7d946d5fc5ef7b91

Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to cause a denial of service (plugin crash) or obtain sensitive information via vectors related to member data in a resurrected MonoThread instance.

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.