Upstream information

CVE-2011-0989 at MITRE

Description

The RuntimeHelpers.InitializeArray method in metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, does not properly restrict data types, which allows remote attackers to modify internal read-only data structures, and cause a denial of service (plugin crash) or corrupt the internal state of the security manager, via a crafted media file, as demonstrated by modifying a C# struct.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 5.8
Vector AV:N/AC:M/Au:N/C:N/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact Partial
SUSE Bugzilla entry: 667077 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Desktop 11 SP1
  • libmoon0 >= 2.4.1-0.5.1
  • moonlight-plugin >= 2.4.1-0.5.1
  • moonlight-tools >= 2.4.1-0.5.1
Builds
SAT Patch Nr: 4246
openSUSE 11.3
  • libmoon0-debuginfo >= 2.4.1-0.2.1
  • moonlight-debugsource >= 2.4.1-0.2.1
  • moonlight-plugin-debuginfo >= 2.4.1-0.2.1
openSUSE 11.3
  • libmoon-devel >= 2.4.1-0.2.1
  • libmoon0 >= 2.4.1-0.2.1
  • moonlight-desktop >= 2.4.1-0.2.1
  • moonlight-desktop-devel >= 2.4.1-0.2.1
  • moonlight-plugin >= 2.4.1-0.2.1
  • moonlight-tools >= 2.4.1-0.2.1
  • moonlight-web-devel >= 2.4.1-0.2.1
openSUSE 11.4
  • libmoon-devel >= 2.4.1-0.3.1
  • libmoon0 >= 2.4.1-0.3.1
  • moonlight-desktop >= 2.4.1-0.3.1
  • moonlight-desktop-devel >= 2.4.1-0.3.1
  • moonlight-plugin >= 2.4.1-0.3.1
  • moonlight-tools >= 2.4.1-0.3.1
  • moonlight-web-devel >= 2.4.1-0.3.1
openSUSE 11.4
  • libmoon-devel >= 2.4.1-0.3.1
  • libmoon0 >= 2.4.1-0.3.1
  • libmoon0-debuginfo >= 2.4.1-0.3.1
  • moonlight-debugsource >= 2.4.1-0.3.1
  • moonlight-desktop >= 2.4.1-0.3.1
  • moonlight-desktop-devel >= 2.4.1-0.3.1
  • moonlight-plugin >= 2.4.1-0.3.1
  • moonlight-plugin-debuginfo >= 2.4.1-0.3.1
  • moonlight-tools >= 2.4.1-0.3.1
  • moonlight-web-devel >= 2.4.1-0.3.1
Patchnames:
libmoon-devel


Status of this issue by product and package

Product(s) Source package State
SUSE Linux Enterprise Desktop 11 SP1 moonlight Released
SUSE Linux Enterprise Desktop 11 SP2 moonlight Released
SUSE Linux Enterprise Desktop 11 SP3 moonlight Released
SUSE Linux Enterprise Desktop 11 SP4 moonlight Released