The USB that ate Linux
Robert X. Cringely has
reported
on a new threat to Linux: a Microsoft-driven version of the USB standard
which will not be usable by Linux. The article is rather short on details,
but the idea seems to be that only "trusted" USB devices could be written
to, and the mechanism for identifying and communicating with these devices
would be closed. You'll be able to install Linux on your future
motherboard, but it will not be able to work with the new USB devices.
This sort of story comes around fairly regularly. Long-time LWN readers
will remember some past worries:
- Once upon a time, the "Merced" architecture from Intel was to be
the future of computing. Unfortunately, Merced was under
nondisclosure, and, in any case, getting gcc to generate code for that
architecture was said to be beyond the capabilities of its developers.
In reality, Merced, later named Itanium, had top-quality Linux
support from the beginning. We're still waiting for the "future of
computing" part, though.
- The I2O specification was kept under wraps for some time, and it
looked like Linux would be unable to drive any I2O-based hardware.
Richard Stallman called I2O
"a broad plan to keep hardware specifications secret".
As it turned out, the specifications were released, and Linux supports
I2O without trouble.
In other words, we have seen this sort of thing before. Fears of
Linux-killer hardware turned out to be misplaced even in the 1990s, when
Linux was a far smaller commercial force than it is now. In the current
climate, it is hard to imagine the hardware companies adopting a
fundamental technology (a processor or bus architecture, say) that was
deliberately closed to non-Microsoft operating systems. Not all vendors
rush out to embrace Linux, BSD, and MacOS users, but few will see a
business case in explicitly excluding them. Especially if that exclusion
would consolidate the position of a company which has not always
distinguished itself with its considerate treatment of its "partners."
On the other hand, proprietary hardware and digital restrictions management
schemes do bear watching. The troubles Linux has had with playing DVDs
have been well documented. The "broadcast flag" will restrict the ability
of Linux systems to work with digital radio receivers in the future.
"Trusted computing" schemes may keep Linux off some hardware altogether.
There are threats out there, but an exclusionary USB specification
is probably not one of them. Nobody besides Cringely seems to know
much about this new USB standard, however, and the Linux USB developers are
not particularly worried about it. For the time being, the rest of us
probably need not worry either.
What's coming in Fedora Core 3
The final release of Fedora Core 3 isn't expected until
November 1, but
with the
release of Fedora Core 3 test 2 (FC3t2) on Monday (a week later
than originally planned) we decided to check in and see what users could
expect from the next release of Fedora Core. We also contacted Red Hat to
see if Cristian Gafton or another representative would be available to talk
about Fedora, and its relation to Red Hat's commercial products, but they
were unable to provide a representative to speak to LWN by deadline.
This release marks the addition of the GNOME 2.8 release candidate, KDE
3.3.0, X.org 6.8.0, and the udev
device model.
We gave FC3t2 a try on an Athlon XP 2000 system with 1 GB of RAM. One thing
we noticed was that the media check failed all of the disks we burned, but
we were able to perform an install from the media without any
problems. This seems to be an
issue that came up during tests of FC3 test 1 as well. While bugs and
glitches are to be expected in test releases, we note this particular issue
so that users trying out FC3t2 do not burn through a stack of blanks in a
futile attempt to burn four good disks.
Users will find that the default partitioning has changed a bit since
Fedora Core 2. By default, the installer will attempt to set up LVM rather
than the standard "simple" partitioning most Linux users are used to. There
seem to be a few bugs left in the partitioning tool, as the installer
informed us we were "probably out of disk space" when attempting to
install. However, when we performed an install using a standard
partitioning scheme, all went well. No doubt, this will be ironed out by
the time that FC3 final is released.
Fedora Core 3 marks the Fedora team's second stab at SELinux, and they are
asking that users give SELinux another try as well. According to Colin
Walters, this release marks a scaled-back approach that should cause fewer
problems while still providing additional security for "select system
daemons."
Instead of the original "strict" policy which covered everything, a new
"targeted" policy has been developed which only applies SELinux
restrictions to a few select system daemons. Regular user login sessions
are unrestricted.
The initial approach to SELinux was probably a too-radical departure for
many users, so we're happy to see the Fedora team taking a more moderate
approach that will (we hope) build support for SELinux over time.
However, the actual documentation and tools for SELinux leave a bit to be
desired, as Matias
Feliciano points out on the fedora-devel list. While the "targeted"
policy is "mostly
invisible" to the end-user, so is the documentation for users
who want to customize and tweak their SELinux policy.
FC3t2 marks the introduction of the udev device model to Fedora. The udev
device model implements devfs in userspace, creating a dynamic
/dev that allows consistent naming of devices. Users upgrading
from test 1 or installing udev on
test 1 reported a few bugs, but we didn't see any problems with udev
from a clean install.
Despite the occasional glitch in the test release, FC3 is shaping up
nicely. It's not a radical change from FC2; most of the changes are package
upgrades and further refinement of existing features. The udev device model
is probably one of the biggest changes that users will see in FC3.
It bears mentioning that the Fedora Core development process still seems to
be shy on community involvement. However, Red Hat and the Fedora team have
provided a usable Linux distribution with many of the cutting-edge technologies
that users want to try. From that perspective, we think that Fedora has
become a success.
Reforming WIPO
There is a movement afoot, initially pushed by Brazil and Argentina, to
change the mission of the World Intellectual Property Organization (WIPO).
An information page is available. There is also the text of a declaration
(PDF) which will be debated in Geneva on September 30. "As an
intergovernmental organization, however,
WIPO embraced a culture of creating and expanding monopoly privileges,
often without regard to consequences. The continuous expansion of these
privileges and their enforcement mechanisms has led to grave social and
economic costs, and has hampered and threatened other important systems of
creativity and innovation.... We do not ask that WIPO abandon efforts to
promote the appropriate protection of intellectual property, or abandon all
efforts to harmonize or improve these laws. But we insist that WIPO work
from the broader framework described in the 1974 agreement with the UN, and
to take a more balanced and realistic view of the social benefits and costs
of intellectual property rights as a tool, but not the only tool, for
supporting creativity [and] intellectual activity."
LWN update
Occasionally we get a message noting that we have not been posting "LWN
update" articles, and wondering how things are going. We are still trying
to keep a lid on such articles, but we're about to hit an important
anniversary. It is now two years since we
began
the subscription experiment, so the time seems right for a look at how
things are going.
Our goal at the outset was 4,000 subscribers. As of this writing, LWN has
just under 3,300 active, paid subscriptions - up from about 2,700 at this
time last year. Things are clearly headed in the right direction, even if
they are not yet where we would like them to be. The next big test will be
to see what happens over the next month as the "great expiration" sets in.
We got a big group of subscribers right at the beginning, and many of their
subscriptions will expire (again) in the next few weeks. Last year's
"great renewal" brought in enough cash to see through the slow parts of the
year (we're sure glad we hung onto it at the beginning); with luck that
will happen again. Our subscription renewal rate tends to be quite high,
and you can be sure that we are grateful for it.
We're looking to add more new subscribers, of course. The external authors
program has helped to fill out our content, but LWN could really
benefit from another editor who could write original content and provide a
bit of redundancy. We will continue to work to find those subscribers;
going out and marketing LWN to new readers has proved to be a challenge,
however.
Meanwhile, we plan to continue to do our best to provide top-quality,
comprehensive coverage of the Linux and free software community. Many
thanks for your continued support; it is a pleasure to write for this group
of readers.
[As an aside: we have noted for a while a certain number of people creating
accounts without giving us working email addresses, then trying to sign up
for our mailing lists. That is clearly not going to work. If you do not
get the mail you expect, please try going into the My
Account area and making sure we're sending it somewhere useful.]
Page editor: Jonathan Corbet
Security
An introduction to SELinux
September 22, 2004
This article was contributed by Jake Edge.
It has taken nearly four years for Security Enhanced Linux (SELinux) to
make its way into some of the more mainstream distributions, but that process
is accelerating. First released by the US National Security Agency (NSA),
in December 2000, SELinux has been incorporated into Fedora Core 2 (and the
test versions of Fedora Core 3), Debian and Gentoo and will likely see more
distributions that support it and more deployments in the future. It
seems like a good time to take an in-depth look at how SELinux can
increase the security of Linux.
Linux, like UNIX, has its security based on what is known as
Discretionary Access Control (DAC) which means that access to objects
is governed by the identity of an authenticated user.
It is discretionary because the user can
(sometimes unwittingly) pass their permissions to others on the system.
A simple "chmod a+w somefile" is an example of a command that
a Linux user can execute that opens up permissions on a file to all
other users in the system.
In addition, any program that is run by a user has at least the
permissions of that user.
This allows malicious, badly configured, or exploitable programs to use
the full permissions of the user executing them and can lead to unexpected
security breaches.
If, for example, the cat program had an exploitable
buffer overrun bug and a particular file could trigger that bug and cause
it to delete the files in a user's home directory, standard Linux access
control would not prevent it. Any user that could be tricked into
executing cat badfile would be susceptible.
SELinux, on the other hand, uses a Mandatory Access Control (MAC)
mechanism that seeks to only allow a program the access it needs to do
its job and not all the access that the user running it has. In the
example above, cat could be configured to only have read
access to any files that the user has read access to
and any attempt to write or delete any file in the system
would be prevented. The administrator can prevent programs from having
unneeded access and only allow the user to grant that portion of their
access that is needed by the normal functioning of the program.
MAC embodies the idea that "those things which are not explicitly
permitted are forbidden."
At its core, SELinux defines a security attribute called a type
and assigns types to various resources
handled by the kernel: processes, files, directories, sockets, etc.
The usage of the term type is unfortunate in that it implies all files
would be one type, all directories another, etc. This is not the case
as each individual resource could have its own type.
Each type in the system is associated with a set of rights for
each other type in the system and
those rights govern what kinds of operations can be performed.
This model is known as Type Enforcement (TE) and is the subject of a
patent granted to Secure Systems Corp. (SSC), one of the contractors that
worked with the NSA on parts of SELinux. At one time there were concerns
that the patent would preclude SELinux from being distributed under the
GPL, but the SSC
Statement of Assurance
seems to have alleviated those concerns.
SELinux augments the traditional TE model with the
addition of Role-Based Access Control (RBAC). Instead of directly
associating a user with a type, RBAC associates users with one or more
roles in the system and associates one or more types with each of
those roles.
The permissions checks are still handled by the TE system and RBAC just
provides a simpler way to manage users.
SELinux provides a much richer set of permissions than the
read, write, execute permissions that UNIX users are used to. There
are separate permissions that govern all of the kinds of operations
you can do on a file (create, delete, rename, unlink, etc.) as well as
specific kinds of permissions for directories, sockets, semaphores, etc.
Permissions are stored as bits in an access vector and SELinux has three
types of these vectors: allowed, auditallow, and auditdeny. The allowed
vector governs whether the operation is permitted. Auditallow and auditdeny
determine whether the operation is logged if it is allowed or denied.
It should be noted that all of the permissions checking that is done by
SELinux is done after the normal Linux permissions checks are performed.
If a user cannot read a file due to the rwx permissions, the
SELinux access control mechanism is not consulted.
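To make the two-layer decision concrete, here is an added Python model (constructed for this discussion; it is not SELinux's code or API) of a classic DAC check followed by a Type Enforcement lookup that carries the allowed, auditallow and auditdeny vectors described above. The domain and type names (cat_t, user_home_t, etc_t) and the five-permission subset are assumptions chosen to mirror the cat example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Subset of SELinux's "file" object-class permissions (constructed; the real set is much larger).
PERMS: Dict[str, int] = {"read": 1, "write": 2, "create": 4, "unlink": 8, "rename": 16}
ALL_PERMS = sum(PERMS.values())

@dataclass
class AccessVectors:
    """The three per-rule bit vectors the article names."""
    allowed: int = 0             # is the operation permitted?
    auditallow: int = 0          # log the operation when it is permitted?
    auditdeny: int = ALL_PERMS   # log it when denied? (denials audited unless cleared)

@dataclass
class Process:
    uid: str
    domain: str   # SELinux type of the running program, e.g. "cat_t" (assumed name)

@dataclass
class File:
    path: str
    owner: str
    mode: int     # classic Unix permission bits, e.g. 0o600
    type: str     # SELinux type label, e.g. "user_home_t" (assumed name)

@dataclass
class Decision:
    granted: bool
    layer: str    # "dac" or "mac": the layer that produced the final answer

def dac_allows(proc: Process, f: File, perm: str) -> bool:
    """Classic DAC check, simplified to owner/other bits (no groups, no root override)."""
    need = 4 if perm == "read" else 2   # every other listed operation modifies the file
    bits = (f.mode >> 6) & 7 if proc.uid == f.owner else f.mode & 7
    return bool(bits & need)

class TEPolicy:
    """Type Enforcement rules keyed by (source type, target type, object class)."""
    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str, str], AccessVectors] = {}
        self.audit_log: List[str] = []

    def _av(self, src: str, tgt: str, cls: str) -> AccessVectors:
        return self.rules.setdefault((src, tgt, cls), AccessVectors())

    def allow(self, src: str, tgt: str, cls: str, perms: List[str]) -> None:
        for p in perms:
            self._av(src, tgt, cls).allowed |= PERMS[p]

    def auditallow(self, src: str, tgt: str, cls: str, perms: List[str]) -> None:
        for p in perms:
            self._av(src, tgt, cls).auditallow |= PERMS[p]

    def dontaudit(self, src: str, tgt: str, cls: str, perms: List[str]) -> None:
        for p in perms:
            self._av(src, tgt, cls).auditdeny &= ~PERMS[p]

    def check(self, proc: Process, f: File, perm: str) -> Decision:
        # 1. DAC runs first: if the rwx bits deny, SELinux is never consulted.
        if not dac_allows(proc, f, perm):
            return Decision(False, "dac")
        # 2. TE lookup. No matching rule means an all-zero allowed vector: default deny.
        av = self.rules.get((proc.domain, f.type, "file"), AccessVectors())
        bit = PERMS[perm]
        granted = bool(av.allowed & bit)
        if granted and av.auditallow & bit:
            self.audit_log.append(f"avc: granted {{ {perm} }} {proc.domain} -> {f.type} {f.path}")
        if not granted and av.auditdeny & bit:
            self.audit_log.append(f"avc: denied {{ {perm} }} {proc.domain} -> {f.type} {f.path}")
        return Decision(granted, "mac")

def build_demo_policy() -> TEPolicy:
    """Constructed policy for the article's cat example: cat_t gets read access only."""
    pol = TEPolicy()
    pol.allow("cat_t", "user_home_t", "file", ["read"])        # read, never write/unlink/rename
    pol.dontaudit("cat_t", "user_home_t", "file", ["rename"])  # expected denial: keep the log quiet
    pol.allow("cat_t", "etc_t", "file", ["read"])
    pol.auditallow("cat_t", "etc_t", "file", ["read"])         # log even successful reads of etc_t
    return pol

def run_demo() -> Tuple[Dict[str, Decision], List[str]]:
    """Exercise the cat example; returns the decisions and the audit log they produced."""
    pol = build_demo_policy()
    alice, bob = Process("alice", "cat_t"), Process("bob", "cat_t")
    notes = File("/home/alice/notes.txt", "alice", 0o600, "user_home_t")   # constructed sample
    hostname = File("/etc/hostname", "root", 0o644, "etc_t")                # constructed sample
    results = {
        "alice_read": pol.check(alice, notes, "read"),       # DAC ok, TE allows
        "alice_unlink": pol.check(alice, notes, "unlink"),   # DAC ok (owner), TE denies and logs
        "alice_rename": pol.check(alice, notes, "rename"),   # TE denies; dontaudit suppresses log
        "bob_read": pol.check(bob, notes, "read"),           # DAC denies; TE never consulted
        "alice_config": pol.check(alice, hostname, "read"),  # granted and logged via auditallow
    }
    return results, pol.audit_log
```

Note that bob's denied read produces no audit entry at all: the DAC layer rejected it before the TE rules were ever consulted, which is exactly why a missing SELinux denial message does not by itself mean SELinux allowed something.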
One would guess that with all of this fine-grained control over permissions,
SELinux would be very complex to set up and that would be true, but the
NSA and the distributions have done a great deal of the necessary
groundwork. As part of
their release, the NSA also released policy definitions to be used as a
starting point for SELinux administrators. Various distributions have
tweaked these definitions for their specific needs, but it is still a very
complex and somewhat fragile framework. This author had difficulty with
various cron jobs on a Fedora Core 2 SELinux system and the
mailing list
archives have quite a few queries from administrators trying to get
the permissions set correctly for their specific needs. Based on this
message it would appear that Fedora Core 3
has ratcheted down
the checking that SELinux will do in the default install.
An upcoming article will give a more "hands-on" approach to exploring SELinux
using Fedora Core 3 test2 including looks at the policies defined and how
they are used to provide more protection than a standard Linux installation.
New vulnerabilities
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
FreeRADIUS: denial of service
| Package(s): | freeradius |
| CVE #(s): | CAN-2004-0938, CAN-2004-0960, CAN-2004-0961 |
| Created: | September 22, 2004 |
| Updated: | February 2, 2005 |
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
glFTPd: Local buffer overflow vulnerability
| Package(s): | glFTPd |
| CVE #(s): | |
| Created: | September 21, 2004 |
| Updated: | September 22, 2004 |
| Description: | The glFTPd server is vulnerable to a buffer overflow in the 'dupescan' program. This vulnerability is due to an unsafe strcpy() call which can cause the program to crash when a large argument is passed. A local user with malicious intent can pass a parameter to the dupescan program that exceeds the size of the buffer, causing it to overflow. This can lead the program to crash, and potentially allow arbitrary code execution with the permissions of the user running glFTPd, which could be the root user. |
heimdal: root escalation
| Package(s): | heimdal |
| CVE #(s): | CAN-2004-0794 |
| Created: | September 16, 2004 |
| Updated: | September 22, 2004 |
| Description: | The Heimdal FTP daemon has several bugs that can allow a remote attacker to gain root privileges. |
imagemagick: buffer overflow vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2004-0827 |
| Created: | September 16, 2004 |
| Updated: | November 30, 2004 |
| Description: | The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB format. |
libxpm4: stack and integer overflows
| Package(s): | libxpm4 |
| CVE #(s): | CAN-2004-0687, CAN-2004-0688 |
| Created: | September 16, 2004 |
| Updated: | February 14, 2005 |
| Description: | There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service. |
mozilla products: arbitrary code execution and other vulnerabilities
| Package(s): | mozilla firefox thunderbird |
| CVE #(s): | CAN-2004-0902, CAN-2004-0903, CAN-2004-0904, CAN-2004-0905, CAN-2004-0908 |
| Created: | September 20, 2004 |
| Updated: | January 13, 2005 |
| Description: | Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details. |
mpg123: buffer overflow bug
| Package(s): | mpg123 |
| CVE #(s): | CAN-2004-0805 |
| Created: | September 16, 2004 |
| Updated: | January 11, 2005 |
| Description: | The mpg123 audio playing utility has a buffer overflow bug that may allow arbitrary execution of code. |
phpGroupWare: cross site scripting vulnerability
| Package(s): | phpgroupware |
| CVE #(s): | |
| Created: | September 16, 2004 |
| Updated: | September 22, 2004 |
| Description: | The wiki module in phpGroupWare has a cross-site scripting vulnerability. |
SnipSnap: HTTP errors
| Package(s): | snipsnap-bin |
| CVE #(s): | |
| Created: | September 22, 2004 |
| Updated: | September 22, 2004 |
| Description: | SnipSnap, a content management system, is vulnerable to several "HTTP response splitting" attacks, leading to cross-site scripting and cache poisoning problems. Version 1.0_beta1 fixes things. |
xine-lib: buffer overflows
| Package(s): | xine-lib |
| CVE #(s): | CAN-2004-1379 |
| Created: | September 22, 2004 |
| Updated: | April 9, 2006 |
| Description: | xine-lib (through version 1_rc6) contains buffer overflows in the subtitle parsing and DVD sub-picture decoder code. |
Updated vulnerabilities
Apache mod_proxy: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2004-0492 |
| Created: | June 11, 2004 |
| Updated: | October 14, 2004 |
| Description: | A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service. |
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
| CVE #(s): | CAN-2004-0488 |
| Created: | June 1, 2004 |
| Updated: | October 14, 2004 |
| Description: | A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN. |
aspell: bounds checking problem
| Package(s): | aspell |
| CVE #(s): | CAN-2004-0548 |
| Created: | June 17, 2004 |
| Updated: | December 20, 2004 |
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. |
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
cups: denial of service
| Package(s): | cups cupsys |
| CVE #(s): | CAN-2004-0558 |
| Created: | September 15, 2004 |
| Updated: | October 14, 2004 |
| Description: | Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port. |
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
Gaim: remote code execution vulnerability
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0500 |
| Created: | August 12, 2004 |
| Updated: | October 18, 2004 |
| Description: | The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability in the MSN-protocol parsing functions. |
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
httpd: mod_ssl input filter denial of service vulnerability
| Package(s): | httpd |
| CVE #(s): | CAN-2004-0748 |
| Created: | September 2, 2004 |
| Updated: | September 23, 2004 |
| Description: | Apache httpd has a denial of service vulnerability in mod_ssl in which an attacker can force an SSL connection to abort, resulting in the Apache child process entering an infinite loop. This affects httpd versions up to and including 2.0.50. |
apache2: IPv6 denial of service
| Package(s): | httpd apache2 |
| CVE #(s): | CAN-2004-0747, CAN-2004-0751, CAN-2004-0786, CAN-2004-0809 |
| Created: | September 15, 2004 |
| Updated: | October 6, 2004 |
| Description: | Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux. |
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
kdebase: multiple vulnerabilities
| Package(s): | kdebase |
| CVE #(s): | CAN-2004-0689, CAN-2004-0690, CAN-2004-0721, CAN-2004-0746 |
| Created: | August 12, 2004 |
| Updated: | October 4, 2004 |
| Description: | Three separate vulnerabilities have been identified in the KDE 3.2 "kdebase" package; see this advisory for details. These problems include two temporary file vulnerabilities and a "frame injection" problem in Konqueror which could help with phishing attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies for certain country-specific secondary top-level domains. |
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0497 |
| Created: | July 2, 2004 |
| Updated: | September 27, 2004 |
| Description: | During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances - such as when the files are exported via NFS. |
kernel information leak
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0415 |
| Created: | August 3, 2004 |
| Updated: | October 26, 2004 |
| Description: | Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7. A fix for this problem was added to the fifth 2.4.27 release candidate. |
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains User Mode Linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove ARP entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
krb5: double-free and ASN.1 parsing
| Package(s): | krb5 |
| CVE #(s): | CAN-2004-0642, CAN-2004-0643, CAN-2004-0644, CAN-2004-0772 |
| Created: | August 31, 2004 |
| Updated: | September 21, 2004 |
| Description: | Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. See CAN-2004-0642, CAN-2004-0643 and CAN-2004-0772. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. See CAN-2004-0644. See this CERT advisory for additional information. |
lha: stack-based buffer overflow
| Package(s): | lha |
| CVE #(s): | CAN-2004-0769, CAN-2004-0771, CAN-2004-0694, CAN-2004-0745 |
| Created: | September 2, 2004 |
| Updated: | October 14, 2004 |
| Description: | The lha archiving and compression utility has a stack-based buffer overflow vulnerability. A modified archive could allow an attacker to execute code when a victim extracts or tests the archive. |
libpng: multiple vulnerabilities
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
Midnight Commander: extfs vfs vulnerability
| Package(s): | mc |
| CVE #(s): | CAN-2004-0494 |
| Created: | September 2, 2004 |
| Updated: | January 5, 2005 |
| Description: | Midnight Commander has a vfs vulnerability with shell quoting in extfs perl scripts. |
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: | Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because the vulnerability had not been fully fixed, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. |
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
neon: buffer overflow
| Package(s): | neon |
| CVE #(s): | CAN-2004-0398 |
| Created: | May 19, 2004 |
| Updated: | September 30, 2004 |
| Description: | The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
| Alerts: | |
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: | netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. |
| Alerts: | |
Comments (1 posted)
OpenOffice: information disclosure
| Package(s): | openoffice.org |
| CVE #(s): | CAN-2004-0752 |
| Created: | September 15, 2004 |
| Updated: | October 20, 2004 |
| Description: | OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files. |
| Alerts: | |
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
| Alerts: | |
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pavuk: buffer overflow
| Package(s): | pavuk |
| CVE #(s): | CAN-2004-0456 |
| Created: | June 30, 2004 |
| Updated: | November 11, 2004 |
| Description: | Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
| Alerts: | |
Comments (none posted)
php: remotely exploitable memory errors
| Package(s): | php |
| CVE #(s): | CAN-2004-0594 |
| Created: | July 14, 2004 |
| Updated: | February 7, 2005 |
| Description: | Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not). |
| Alerts: | |
Comments (none posted)
PuTTY: pre-authentication arbitrary code execution problem
| Package(s): | putty |
| CVE #(s): | |
| Created: | August 5, 2004 |
| Updated: | October 28, 2004 |
| Description: | PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client. |
| Alerts: | |
Comments (none posted)
python: buffer overflow