LWN.net Weekly Edition for October 7, 2004

A busy week for the courts

Various courts in the U.S. have handed down a set of decisions in the last week which have strong implications for the free software community. Here is a quick rundown of what the courts have been saying.

bnetd

The developers of bnetd had a straightforward goal: they wanted to be able to engage in networked gameplay, using their legally-purchased Blizzard games, without dealing with Blizzard's Battle.net servers. So they reverse-engineered the protocol used by Blizzard's games to talk to the server and implemented bnetd, which provides the same functionality. bnetd is licensed under the GPL.

Blizzard did not like bnetd. The provision of alternative servers took players of Blizzard's games out of the company's control; it was no longer possible to throw advertisements at players. The Battle.net servers also check the registration key provided by the game client; if the key turns out not to be valid, or if multiple players attempt to use the same key, access to the server will be denied. The bnetd developers never quite got around to implementing the key checks; free software developers have little patience with that sort of thing, and, in any case, Blizzard provides no way for third parties to check the validity of registration keys.

Blizzard's response was to send takedown notices, then to file suit with a number of copyright infringement and contract claims. On September 30, a U.S. District Court in Missouri agreed with Blizzard, finding the bnetd developers liable for breach of contract and for violating the anti-circumvention provisions of the Digital Millennium Copyright Act. The full ruling is available in PDF format.

The contracts in question are the license agreement for the games and the terms of use for Battle.net. Among other things, these contracts forbid reverse engineering of the software and running services that compete with Battle.net. The court found that the EULA and TOU were binding in all respects; in particular, a license agreement can forbid reverse engineering outright, and that is just fine with the court.

With regard to the DMCA charges, the court concluded that, by reverse engineering the handshake used to control access to the games' "Battle.net mode," the bnetd developers did circumvent an access control mechanism. In their defense, the developers stated that they fell within the DMCA's exemption for those trying to achieve interoperability. The court disagreed:

The Court finds that the defendants' actions constituted more than enabling interoperability. The bnetd emulator developed by the defendants always allows the Blizzard game to access Battle.net mode features even if the user does not have a valid or unique CD Key, because the bnetd emulator does not determine whether the CD Key is valid or currently in use by another player. Unauthorized copies of the Blizzard games were played on bnetd servers. Then, defendants distributed the bnetd program for free. Because the bnetd source code was freely available, others developed additional Battle.net emulators based on the bnetd source code.... Finally, the defendants did not create an independently created computer program. The bnetd program was intended as a functional alternative to the Battle.net service. Once game play starts there are no differences between Battle.net and the bnetd emulator from the standpoint of a user who is actually playing the game.

It is hard to know how to read this reasoning. Interoperability, it seems, is only a defense if the resulting program does not do anything interesting, and if it is not distributed as free software.

The court also found that the developers had violated the DMCA's provisions regarding trafficking in anti-circumvention devices:

The defendants' purpose in developing the bnetd server was to avoid the anti-circumvention restrictions of the game and to avoid the restricted access to Battle.net. Thus, the sole purpose of the bnetd emulator was not to enable interoperability. The bnetd emulator had limited commercial purpose because it was free and available to anyone who wanted to copy and use the program.

This language contradicts the court's statement of the "undisputed facts" in the first part of the ruling:

The users of the Battle.net service have occasionally experienced difficulties with the service. Blizzard has also received complaints about user profanity and users who cheated to win games by modifying Blizzard's software ("client hacks")... To address their frustrations with Battle.net, the defendants joined a group of non-profit volunteer game hobbyists, programmers, and other individuals called the "bnet project."

The above is, remember, an undisputed fact. The court chose, however, to ignore that fact and recast the purpose of bnetd to suit its reasoning. On top of that, the idea that bnetd is a circumvention device because it carries a free license is truly chilling.

The end result is that Blizzard is able to place strong restrictions on the users of its games, preventing them from communicating via any sort of alternative service. Free software developers have been restricted in the sort of code they can develop, and the value of Blizzard's games for its own customers has been reduced. There are certainly problems with the DMCA which allow this sort of thing to happen. This is, however, also a problem with proprietary software; free software users do not have to cope with restrictions of this type. Unfortunately, it may be a long time before we see free games which offer the sort of experience provided by the best of today's proprietary offerings.

Diebold

The Diebold case was the source of another important ruling (PDF). In this case, Diebold attempted to use the DMCA to shut down distribution of leaked internal messages between its employees regarding problems with Diebold's electronic voting systems. The core of the ruling was that Diebold misused the DMCA by attempting to force a takedown of material which was not copyrightable.

The purpose, character, nature of the use, and the effect of the use upon the potential market for or value of the copyrighted work all indicate that at least part of the email archive is not protected by copyright law. The email archive was posted or hyperlinked to for the purpose of informing the public about the problems associated with Diebold's electronic voting machines. It is hard to imagine a subject the discussion of which could be more in the public interest.

The Diebold ruling may not affect free software developers directly, but it should serve to put some limits on the use of DMCA takedown notices.

Kodak

A court in Rochester, NY (Kodak's home town) has found that Sun has infringed upon three of Kodak's patents. Kodak claims that Sun should owe it just over $1 billion for its crime. Intellectual property suits, it seems, are increasingly the strategy of choice for businesses in decline.

The patents (numbers 5,421,012, 5,226,161, and 5,206,951) all read about the same; they would appear to describe any of a number of object request brokers or remote procedure call mechanisms. If they are upheld, Kodak can be expected to begin shaking down technology companies across the U.S.; they would be unlikely to limit themselves to those working with Java.

This looks like a case with a reasonably high likelihood of being reversed on appeal. In the mean time, it serves as yet another reminder of what software patents are doing to the computing industry in the U.S. Until the U.S. patent system is reformed, these lawsuits will be a constant threat. One can only hope that the parts of the world which do not, yet, recognize software patents are paying attention.

SCO

The SCO Group had a minor setback in the IBM case when Judge Kimball denied two of the company's motions regarding scheduling. The ruling is up on Groklaw. The judge had little sympathy for SCO's position:

However, there is nothing in the Amended Scheduling Order that precludes IBM from filing motions for summary judgment, and there is nothing in the Scheduling Order that relieves SCO from responding to such motions. Thus, it is puzzling that SCO seeks to "enforce" the Amended Scheduling Order when there is nothing in that Order to justify SCO's request for a significant delay in filing its responses.

The big ruling - on IBM's motion for a summary judgment on its tenth counterclaim (stating that its Linux work does not infringe SCO's copyrights) - is still pending. (What is also pending, incidentally, is the agreement with SCO's lawyers on putting a cap on SCO's legal costs. SCO may have encountered some difficulties in closing that deal.)

Red Hat acquiring Netscape Enterprise Solutions software

October 6, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Last week, Red Hat announced it had reached a deal to buy some of the software from the Netscape Enterprise Suite. Red Hat spokesperson Leigh Day said that the deal has not yet been finalized, but that it is expected to close in the next two weeks.

Red Hat is paying $23 million for the software, but what is it getting, and why does the company want to buy software that it could develop instead? Day said that Red Hat is getting Netscape's Directory Server, Certificate Management, messaging and calendaring software. According to Day, it was worth spending the $23 million because "Red Hat is gaining a tried and true technology that would take years to develop on its own." The company will also be taking on a team of developers from AOL/Netscape that have been working on the software. Though Netscape was acquired several years ago, the Directory Server software was still under active development. Netscape Directory Server 6.2 was released last December.

It doesn't take a marketing expert to divine Red Hat's motives for the acquisition. When going head-to-head with Microsoft or Novell, Red Hat needs a mature directory services and groupware suite. Day confirmed that Red Hat would be using its acquisition to compete directly with directory server offerings from Microsoft and Novell.

She also noted that Netscape's software is in use by a number of enterprise and government agencies. Whether Red Hat will gain those customers as part of the acquisition is another question. Day said that Red Hat has not yet announced whether the company would be taking over support for current users of Netscape Security Solutions. She also wasn't sure whether Red Hat's final product would support operating systems other than Linux. Netscape Directory Server currently runs on HP-UX, Solaris, Windows NT and 2000 and Red Hat Advanced Server.

Red Hat currently ships OpenLDAP with its enterprise products. What does Netscape Directory Server offer that OpenLDAP does not? Both implement the Lightweight Directory Access Protocol (LDAP), but a glance at the feature list for Netscape Directory Server shows several features not implemented in OpenLDAP at this point, including online schema updates over the protocol (rather than editing the server configuration and restarting), server-side sorting of search results, and a number of others. Netscape's software also offers GUI administration tools and tuning tools that are probably a bit more user-friendly than OpenLDAP's tools.

In keeping with Red Hat's open source policy, Red Hat will be releasing the software under the GPL, according to Day. As with the Sistina Global File System (GFS) software, it will be between six and twelve months before the code is released. Why such a lengthy process? Day said that Red Hat would use this time to optimize the code for its products, and for a community development process. Day said that the software would also be usable with Fedora, but wasn't sure if it would be released as part of Fedora Core.

We also wondered whether any patents would be part of the deal. Netscape was issued several patents related to directory services prior to its acquisition by AOL. Patent 6,366,913 was issued to Netscape for "Centralized directory services supporting dynamic group membership," which no doubt applies to Netscape's Directory Server. Patent 6,094,485, covering a method for "SSL step-up," may apply to Netscape's Certificate Management software. Netscape was also issued patents for an automatic client configuration system, a system for schedule and task management, and others that may apply to the suite of applications Red Hat is buying. Day said that Red Hat's legal team is "probably still looking into that." One hopes that the lawyers are looking carefully, as it would not do to acquire the software while leaving AOL with the patents related to it. Red Hat may also find itself in need of a defensive patent portfolio in the future.

In the long run, this should be very good for the Linux and open source community. The addition of Netscape's directory software and groupware solutions will give Linux yet another feature that it needs to compete with Microsoft in the enterprise market.

Page editor: Jonathan Corbet

Security

Inside SELinux on Fedora Core 3

October 6, 2004

This article was contributed by Jake Edge.

Following up on a previous overview of Security Enhanced Linux (SELinux), this article looks more closely at its implementation in Fedora Core 3 test2 (FC3).

FC3 provides two separate SELinux policies, a default "targeted" policy and the more restrictive "strict" policy. The targeted policy focuses on a handful of specific system daemons and locks down their access while allowing the rest of the system to run using the standard Linux security mechanisms. The FC3 SELinux FAQ describes the reasoning behind the targeted policy:

Initially, when SELinux was included in Fedora Core, the NSA strict policy was enforced. For testing purposes, this helped to find hundreds of problems in the strict policy. In addition, it became obvious that applying a single strict policy to the many environments of Fedora users was not feasible. Managing a single strict policy for anything other than default installation was going to require local expertise.

There are 9 daemons currently handled by the targeted policy, all network services of various sorts (httpd, named, snmpd, etc.) and more daemons will be added to the policy in the future.

The top-level configuration file (/etc/selinux/config) for SELinux on FC3 allows one to choose which of the policies to use (SELINUXTYPE=targeted or strict) and also what enforcement level to use (SELINUX=enforcing, permissive or disabled). In particular, the "permissive" level is useful for finding problems in the policy for a specific installation: every access the policy would have denied is logged as an AVC denial message, but the access itself is allowed to proceed. Once the policy has been adjusted, the level can be set to "enforcing," which causes SELinux to actually deny those accesses. The level can also be set to "disabled," which effectively turns off SELinux. Changes made to the configuration file take effect at the next reboot, but the enforcement level can be switched between permissive and enforcing on a running system with the setenforce command (getenforce reports the current level). Going to or from "disabled" does require a reboot, and files created while SELinux was disabled carry no security context at all, so a relabel is needed afterward.

While changing the enforcement level is painless, the same is not true for changing policies. SELinux uses the extended attributes in Linux filesystems to permanently associate a security context with each file; when changing policies, the attributes of many files in the filesystem must also be changed. The fixfiles command is available to traverse the filesystem and make the required changes based on the information in the file_contexts file associated with the policy. Each line of file_contexts maps a regular expression describing some subtree of the filesystem (possibly down to an individual file), optionally restricted to one kind of object (regular file, directory, symbolic link and so on), to a security context; when more than one entry matches a path, the last matching entry is used, which is how later, site-local entries override the defaults. fixfiles (and the related setfiles command, which does the actual work) parse this file and set the attributes appropriately; a complete relabel can also be scheduled for the next boot by creating the file /.autorelabel. FC3 puts the SELinux configuration in the /etc/selinux directory and the specifics for each policy in /etc/selinux/<policyname>. For example: /etc/selinux/targeted/contexts/file_contexts provides the security context configuration for files in the targeted policy.

To support examining the security context of the various entities in an SELinux system, a -Z command line option has been added to several standard utilities. The ls, ps, and id commands have been modified to display the security context of files, processes and users respectively. They are very useful when diagnosing policy issues: an AVC denial names the process domain and the type of the object it touched, and ls -Z or ps -Z will quickly show whether the object actually carries the label the policy expects, since a mislabeled file is a far more common cause of denials than a genuinely missing rule.
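As an added example (not code from the original article, from Fedora or from the SELinux project), the following Python script models the lookup that fixfiles and setfiles perform against file_contexts: each entry is a regular expression, implicitly anchored at both ends, optionally restricted to one kind of object (-- regular file, -d directory, -l symbolic link, and so on), mapped to a context, with <<none>> meaning "leave unlabeled" and, following the last-match rule setfiles uses, the last matching entry winning. It then compares a set of current labels, of the kind ls -Z would show after a policy switch, against what the specification says, producing the list of files a relabel would change. The specification lines, type names and file labels are constructed for the example, not copied from the FC3 targeted policy.

```python
"""Resolve SELinux file contexts from a file_contexts-style specification.

Added example, not code from Fedora or the SELinux project. The specification
and the "current" labels below are constructed for illustration; the type
names are not taken from the FC3 targeted policy.
"""
import re
from typing import NamedTuple, Optional

# Object-type field used by file_contexts; an absent field means "any type".
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "lnk", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}


class Spec(NamedTuple):
    regex: "re.Pattern"         # compiled with ^...$ added, as setfiles does
    ftype: Optional[str]        # None = matches any object type
    context: Optional[str]      # None = <<none>>, leave the object unlabeled


def parse_file_contexts(text: str) -> list:
    """Parse file_contexts lines into Spec records, preserving file order.
    Patterns containing whitespace are not supported (nor are they in practice)."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPES:
            pattern, ftype, context = fields[0], FILE_TYPES[fields[1]], fields[2]
        else:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        specs.append(Spec(re.compile("^" + pattern + "$"), ftype,
                          None if context == "<<none>>" else context))
    return specs


def lookup(specs, path, ftype="file"):
    """Return the context for path, or None if no entry matches or it is <<none>>.
    Scans from the end of the file so that the last matching entry wins."""
    for spec in reversed(specs):
        if spec.ftype in (None, ftype) and spec.regex.match(path):
            return spec.context
    return None


def relabel_plan(specs, current):
    """Given {path: (ftype, current_context)}, return (path, old, new) triples
    for every object whose label differs from the specification. Objects that
    already match, or that the specification says to leave alone, are skipped."""
    changes = []
    for path, (ftype, old) in sorted(current.items()):
        new = lookup(specs, path, ftype)
        if new is not None and new != old:
            changes.append((path, old, new))
    return changes


# Constructed specification in file_contexts syntax (illustrative, not FC3's).
SAMPLE_FILE_CONTEXTS = """
/.*                          system_u:object_r:default_t
/etc(/.*)?                   system_u:object_r:etc_t
/etc/ntp/drift               --  system_u:object_r:ntpd_drift_t
/var/lib/ntp(/.*)?           system_u:object_r:ntpd_var_lib_t
/var/lib/ntp/drift           --  system_u:object_r:ntpd_drift_t
/dev/urandom                 -c  system_u:object_r:urandom_device_t
/tmp/.*                      <<none>>
"""

# Constructed "current" labels, as `ls -Z` might show them after a policy switch.
SAMPLE_CURRENT = {
    "/etc/ntp.conf":      ("file", "system_u:object_r:etc_t"),
    "/etc/ntp/drift":     ("file", "system_u:object_r:etc_t"),          # stale
    "/var/lib/ntp":       ("dir",  "system_u:object_r:ntpd_var_lib_t"),
    "/var/lib/ntp/drift": ("file", "system_u:object_r:var_lib_t"),      # stale
    "/dev/urandom":       ("chr",  "system_u:object_r:device_t"),       # stale
    "/tmp/scratch":       ("file", "user_u:object_r:tmp_t"),            # <<none>>
}

if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, old, new in relabel_plan(specs, SAMPLE_CURRENT):
        print(f"{path}: {old} -> {new}")
```

Note how the type field matters: /var/lib/ntp as a directory falls through the "--" entry for the drift file and picks up the subtree's context, while the drift file itself gets its own type. Python's re syntax differs from the POSIX regular expressions setfiles uses, so this is a model of the lookup rules, not a drop-in replacement for the tool.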

To get a sense of what goes into the policy configuration and how complex it is, we examined the targeted policy configuration for the ntpd program. Once the selinux-policy-targeted-sources package is installed, the configuration file for ntpd can be found in /etc/selinux/targeted/src/policy/domains/program/ntpd.te. This file specifies the access that the daemon will be allowed to have and should specify all of the system entities (files, sockets, etc.) that the program needs to access for correct operation. The level of detail required in this file is rather eye-opening:

  • Types are defined for the drift file and for the network port used by ntpd
  • All of the file and directory types that are used by the daemon are also specified with what access is granted for each
  • Read access is granted for the urandom device
  • Network access is granted
  • Access to bind to the udp port that it uses and socket creation access for datagram and stream sockets is granted
  • Capabilities allowing it to use the nice() system call are granted
  • etc.
It would appear that a fair amount of work went into figuring out all of the various pieces that go into this configuration for what, at first blush, would seem a fairly simple system daemon. Multiply this level of complexity by the number of daemons in a typical system and one can see why some critics of SELinux call it too complicated to be useful. On the other hand, SELinux does provide very fine grained control over access to system resources and in certain applications, that control is very desirable.
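The accesses listed above are exactly what permissive mode reveals when one of them is missing: each shows up as an "avc: denied" message naming the source domain (scontext), the target type (tcontext), the object class and the permission. As an added example (not code from the article, from Fedora, or from the audit2allow tool in policycoreutils that does this job for real), the following Python script parses such messages and folds them into the allow rules a .te file would need. The log lines are constructed in the 2004-era kernel message format and the type names are illustrative, not taken from a real FC3 system or policy.

```python
"""Summarize SELinux AVC denials and draft the allow rules that would cover them.

Added example, not Fedora's or the SELinux project's code. The log lines are
constructed for the example in the kernel's 2004-era "avc:" message format.
"""
import re
from collections import defaultdict

# One AVC record: verdict, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for an AVC line, or None if it is not a usable AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    try:
        return {
            "verdict": m.group("verdict"),
            "perms": frozenset(m.group("perms").split()),
            "scontext": fields["scontext"],
            "tcontext": fields["tcontext"],
            "tclass": fields["tclass"],
            "exe": fields.get("exe") or fields.get("comm", "?"),
            "name": fields.get("name"),
        }
    except KeyError:
        return None  # truncated record; nothing to act on


def type_of(context):
    """user:role:type[:level] -> type; allow rules are written on types."""
    return context.split(":")[2]


def count_by_exe(lines):
    """Denials per program: a quick view of which daemons are tripping over
    the policy while the system runs in permissive mode."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            counts[rec["exe"]] += 1
    return dict(counts)


def denials_to_rules(lines):
    """Fold denials into allow rules keyed by (source type, target type, class).
    Returns sorted policy-language lines; granted and unparseable lines are
    ignored and repeated denials of the same permission collapse into one rule."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        wanted[key] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        tgt = "self" if tgt == src else tgt
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


# Constructed sample log (not from a real system): ntpd running under a
# deliberately incomplete policy, plus one granted record and one unrelated line.
SAMPLE_LOG = """\
audit(1097000000.123:0): avc:  denied  { read } for  pid=2417 exe=/usr/sbin/ntpd name=drift dev=hda2 ino=98765 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:var_lib_t tclass=file
audit(1097000000.456:0): avc:  denied  { write } for  pid=2417 exe=/usr/sbin/ntpd name=drift dev=hda2 ino=98765 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:var_lib_t tclass=file
audit(1097000001.789:0): avc:  denied  { name_bind } for  pid=2417 exe=/usr/sbin/ntpd src=123 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
audit(1097000002.000:0): avc:  denied  { sys_nice } for  pid=2417 exe=/usr/sbin/ntpd capability=23 scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t tclass=capability
audit(1097000003.000:0): avc:  granted  { setenforce } for  pid=3001 exe=/usr/sbin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Oct  6 12:00:04 host kernel: eth0: link up
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_by_exe(lines))
    for rule in denials_to_rules(lines):
        print(rule)
```

The rules it emits are the most permissive reading of the log, and that is the caveat. The drift-file denials would be satisfied by "allow ntpd_t var_lib_t:file { read write };", but that hands ntpd write access to everything labeled var_lib_t; the targeted policy instead gives the drift file its own type, which is why ntpd.te begins by declaring one. Treat generated rules as a list of questions about labeling, not as policy to paste in.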

New vulnerabilities

cups: information leak

Package(s):cups CVE #(s):CAN-2004-0923
Created:October 5, 2004 Updated:October 14, 2004
Description: CUPS has an information leakage problem when printing to SMB shares requiring authentication.
Alerts:
Debian DSA-566-1 2004-10-14
Gentoo 200410-06 2004-10-09
Fedora FEDORA-2004-331 2004-10-05

freenet6: file protection problem

Package(s):freenet6 CVE #(s):CAN-2004-0563
Created:September 30, 2004 Updated:October 6, 2004
Description: freenet6 has a protection problem which allows the username and password to be read from a configuration file.
Alerts:
Debian DSA-555-1 2004-09-30

net-acct: temporary file vulnerability

Package(s):net-acct CVE #(s):CAN-2004-0851
Created:October 6, 2004 Updated:October 6, 2004
Description: Net-acct (an IP accounting daemon) version 0.71 suffers from a temporary file vulnerability.
Alerts:
Debian DSA-559-1 2004-10-06

netkit-telnet: invalid free pointer

Package(s):netkit-telnet CVE #(s):CAN-2004-0911
Created:October 4, 2004 Updated:March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).
Alerts:
Ubuntu USN-101-1 2005-03-28
Debian DSA-556-2 2004-10-18
Debian DSA-569-1 2004-10-18
Debian DSA-556-1 2004-10-02

php: information disclosure and file upload vulnerabilities

Package(s):php CVE #(s):
Created:October 6, 2004 Updated:October 6, 2004
Description: Versions of PHP prior to 4.3.9 suffer from vulnerabilities which can disclose the contents of random memory to an attacker and allow uploads of files to any location writable by the web server.
Alerts:
Gentoo 200410-04 2004-10-06

rp-pppoe, pppoe: missing privilege dropping

Package(s):rp-pppoe, pppoe CVE #(s):CAN-2004-0564
Created:October 4, 2004 Updated:November 14, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Alerts:
Fedora-Legacy FLSA:152794 2005-11-14
Mandrake MDKSA-2004:145 2004-12-06
Debian DSA-557-1 2004-10-04

samba: unauthorized file access

Package(s):samba CVE #(s):CAN-2004-0815
Created:October 1, 2004 Updated:October 14, 2004
Description: A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection.

According to this errata only Samba 3.0.x <= 3.0.2a contains the exploitable code.

Alerts:
Conectiva CLA-2004:873 2004-10-14
Fedora-Legacy FLSA:2102 2004-10-13
Debian DSA-600-1 2004-10-07
SuSE SUSE-SA:2004:035 2004-10-05
Red Hat RHSA-2004:498-01 2004-10-04
Mandrake MDKSA-2004:104 2004-10-01
Trustix TSLSA-2004-0051 2004-10-01

sharutils: arbitrary code execution

Package(s):sharutils CVE #(s):CAN-2004-1772
Created:October 1, 2004 Updated:April 26, 2005
Description: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.
Alerts:
Red Hat RHSA-2005:377-01 2005-04-26
Fedora FEDORA-2005-281 2005-04-01
Fedora FEDORA-2005-280 2005-04-01
Ubuntu USN-102-1 2005-03-29
Fedora-Legacy FLSA:2155 2005-03-24
Gentoo 200410-01 2004-10-01

Updated vulnerabilities

Apache mod_proxy: denial of service

Package(s):apache CVE #(s):CAN-2004-0492
Created:June 11, 2004 Updated:October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
Fedora-Legacy FLSA:1737 2004-10-13
Mandrake MDKSA-2004:065 2004-06-29
Debian DSA-525-1 2004-06-24
Gentoo 200406-16 2004-06-21
OpenPKG OpenPKG-SA-2004.029 2004-06-11

apache: protected pages vulnerability

Package(s):apache CVE #(s):CAN-2004-0811
Created:September 23, 2004 Updated:September 29, 2004
Description: Apache 2.0.51 may allow the viewing of protected pages because of a problem merging the Satisfy directive.
Alerts:
Gentoo 200409-33 2004-09-24
Trustix TSLSA-2004-0049 2004-09-23

apache2: stack-based buffer overflow in ssl_util.c

Package(s):apache2 CVE #(s):CAN-2004-0488
Created:June 1, 2004 Updated:October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01

aspell: bounds checking problem

Package(s):aspell CVE #(s):CAN-2004-0548
Created:June 17, 2004 Updated:December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

cups: denial of service

Package(s):cups cupsys CVE #(s):CAN-2004-0558
Created:September 15, 2004 Updated:October 14, 2004
Description: Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
Alerts:
Conectiva CLA-2004:872 2004-10-14
Fedora FEDORA-2004-275 2004-09-28
Slackware SSA:2004-266-01 2004-09-22
Whitebox WBSA-2004:449-01 2004-09-20
Gentoo 200409-25 2004-09-20
SuSE SUSE-SA:2004:031 2004-09-15
Red Hat RHSA-2004:449-01 2004-09-15
Mandrake MDKSA-2004:097 2004-09-15
Debian DSA-545-1 2004-09-15

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Gaim: remote code execution vulnerability

Package(s):gaim CVE #(s):CAN-2004-0500
Created:August 12, 2004 Updated:October 18, 2004
Description: The Gaim instant messaging client (versions 0.81 and prior) has a remote code execution vulnerability in its MSN-protocol parsing functions.
Alerts:
Fedora-Legacy FLSA:1237 2004-10-16
Whitebox WBSA-2004:400-01 2004-09-20
Slackware SSA:2004-239-01 2004-08-26
Fedora FEDORA-2004-279 2004-08-26
Fedora FEDORA-2004-278 2004-08-26
Mandrake MDKSA-2004:081 2004-08-12
SuSE SUSE-SA:2004:025 2004-08-12
Gentoo 200408-12 2004-08-12

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

getmail: filesystem overwrite vulnerability

Package(s):getmail CVE #(s):CAN-2004-0880 CAN-2004-0881
Created:September 23, 2004 Updated:October 4, 2004
Description: Getmail has a vulnerability that may allow a local user to create or overwrite files in any directory on the system.
Alerts:
Slackware SSA:2004-278-01 2004-10-04
Debian DSA-553-1 2004-09-27
Gentoo 200409-32 2004-09-23

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

apache2: IPv6 denial of service

Package(s):httpd apache2 CVE #(s):CAN-2004-0747 CAN-2004-0751 CAN-2004-0786 CAN-2004-0809
Created:September 15, 2004 Updated:October 6, 2004
Description: Among the Apache 2 issues covered by these CVE numbers is an integer error in the apr_uri_parse() function when handling IPv6 address literals. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux.
Alerts:
Debian DSA-558-1 2004-10-06
Trustix TSLSA-2004-0047 2004-09-16
Mandrake MDKSA-2004:096 2004-09-15
Gentoo 200409-21 2004-09-16
Fedora FEDORA-2004-308 2004-09-16
Fedora FEDORA-2004-307 2004-09-16
SuSE SUSE-SA:2004:032 2004-09-15
Red Hat RHSA-2004:463-01 2004-09-15

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB formats.
Alerts:
Ubuntu USN-35-1 2004-11-30
Ubuntu USN-7-1 2004-10-27
Red Hat RHSA-2004:480-01 2004-10-20
Red Hat RHSA-2004:494-01 2004-10-20
Mandrake MDKSA-2004:102 2004-09-22
Debian DSA-547-1 2004-09-16

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

jabberd: remote denial of service vulnerability

Package(s):jabberd CVE #(s):
Created:September 23, 2004 Updated:September 29, 2004
Description: Jabberd's XML parsing routines have a vulnerability that may be exploited to create a remote denial of service.
Alerts:
Gentoo 200409-31 2004-09-23

Comments (none posted)

kdebase: multiple vulnerabilities

Package(s):kdebase CVE #(s):CAN-2004-0689 CAN-2004-0690 CAN-2004-0721 CAN-2004-0746
Created:August 12, 2004 Updated:October 4, 2004
Description: Three separate vulnerabilities have been identified in the KDE 3.2 "kdebase" package; see this advisory for details. These problems include two temporary file vulnerabilities and a "frame injection" problem in Konqueror which could help with phishing attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies for certain country-specific secondary top-level domains.
Alerts:
Red Hat RHSA-2004:412-01 2004-10-04
Conectiva CLA-2004:864 2004-09-13
Fedora FEDORA-2004-293 2004-09-08
Fedora FEDORA-2004-292 2004-09-08
Fedora FEDORA-2004-291 2004-09-08
Fedora FEDORA-2004-290 2004-09-08
Slackware SSA:2004-247-01 2004-09-03
Mandrake MDKSA-2004:086 2004-08-20
Debian DSA-539-1 2004-08-17
Gentoo 200408-13 2004-08-12

Comments (none posted)

kernel information leak

Package(s):kernel CVE #(s):CAN-2004-0415
Created:August 3, 2004 Updated:October 26, 2004
Description: Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64-bit to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.

A fix for this problem was added to the fifth 2.4.27 release candidate.

Alerts:
Conectiva CLA-2004:879 2004-10-26
Fedora-Legacy FLSA:1804 2004-10-18
Mandrake MDKSA-2004:087 2004-08-26
Gentoo 200408-24 2004-08-25
Whitebox WBSA-2004:413-01 2004-08-19
Red Hat RHSA-2004:327-01 2004-08-18
Fedora FEDORA-2004-251 2004-08-10
Trustix TSLSA-2004-0041 2004-08-09
SuSE SUSE-SA:2004:024 2004-08-09
Red Hat RHSA-2004:413-01 2004-08-03
Red Hat RHSA-2004:418-01 2004-08-03
Fedora FEDORA-2004-247 2004-08-03

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lha: stack-based buffer overflow

Package(s):lha CVE #(s):CAN-2004-0769 CAN-2004-0771 CAN-2004-0694 CAN-2004-0745
Created:September 2, 2004 Updated:October 14, 2004
Description: The lha archiving and compression utility has a stack-based buffer overflow vulnerability. A modified archive could allow an attacker to execute code when a victim extracts or tests the archive.
Alerts:
Fedora-Legacy FLSA:1833 2004-10-13
Whitebox WBSA-2004:323-01 2004-09-20
Gentoo 200409-13 2004-09-08
Fedora FEDORA-2004-295 2004-09-08
Fedora FEDORA-2004-294 2004-09-08
Red Hat RHSA-2004:323-01 2004-09-01

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

Midnight Commander: extfs vfs vulnerability

Package(s):mc CVE #(s):CAN-2004-0494
Created:September 2, 2004 Updated:January 5, 2005
Description: Midnight Commander has a shell-quoting vulnerability in the Perl scripts used by its extfs virtual filesystem (vfs).
Alerts:
Red Hat RHSA-2004:464-02 2005-01-05
Red Hat RHSA-2004:464-01 2004-09-15
Fedora FEDORA-2004-273 2004-09-01
Fedora FEDORA-2004-272 2004-09-01

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mozilla products: arbitrary code execution and other vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
Created:September 20, 2004 Updated:January 13, 2005
Description: Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details.
Alerts:
Gentoo 200501-03 2005-01-05
Fedora-Legacy FLSA:2089 2004-10-27
Conectiva CLA-2004:877 2004-10-22
Mandrake MDKSA-2004:107 2004-10-19
SuSE SUSE-SA:2004:036 2004-10-06
Red Hat RHSA-2004:486-01 2004-09-30
Slackware SSA:2004-266-03 2004-09-22
Gentoo 200409-26 2004-09-20

Comments (none posted)

mpg123: buffer overflow bug

Package(s):mpg123 CVE #(s):CAN-2004-0805
Created:September 16, 2004 Updated:January 11, 2005
Description: The mpg123 audio playing utility has a buffer overflow bug that may allow arbitrary execution of code.
Alerts:
Gentoo 200501-14 2005-01-10
Debian DSA-564-1 2004-10-13
Mandrake MDKSA-2004:100 2004-09-22
Gentoo 200409-20 2004-09-16

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

OpenOffice: information disclosure

Package(s):openoffice.org CVE #(s):CAN-2004-0752
Created:September 15, 2004 Updated:October 20, 2004
Description: OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.
Alerts:
Gentoo 200410-17 2004-10-20
Mandrake MDKSA-2004:103 2004-09-27
Red Hat RHSA-2004:446-01 2004-09-15

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: