
LWN.net Weekly Edition for October 21, 2004

Ubuntu Linux and the future of Debian

The much-anticipated Ubuntu 4.10 release happened on October 20. There are a number of interesting things about Ubuntu, including its commercial backing, use of "4.10" as its initial release number, and its desire to change the world through provocative artwork. But the most interesting thing, perhaps, is the amount of attention that Ubuntu has received. New distributions are not exactly an unusual thing; why all the excitement about Ubuntu?

The money behind Ubuntu is certainly one reason; new distributions may pop up every week, but few of them have a reported 40 paid developers behind them. When a new distribution has that sort of backing, people have a reason to assume that there is something interesting going on, and that it may stay around for a while.

The quality of the hackers that Ubuntu was able to attract is also clearly a factor. Ubuntu employs a number of well-known developers from the GNOME, FreeDesktop.org, and Debian communities, among others. When top-quality developers get together behind a new project, interesting things tend to happen.

Ubuntu also makes promises which resonate with a great many users. A quick, single-CD installation process backed up by a huge network-based package repository. A strong emphasis on the best desktop experience that Linux can offer. Bleeding-edge packages combined with a promise of free support for 18 months. A promise of a six-month release cycle backed up by some of the developers who lived up to that promise with the GNOME project. A general sort of cool buzz.

Those are all good reasons for Ubuntu to succeed, but there may be something else going on here. Ubuntu may have found a way to become the preferred interface between users and the Debian project.

Debian has a lot of appeal. It is an excruciatingly free distribution characterized by a widely recognized technical excellence. It offers a variety of packages which is second to none and a package management system which is unequaled elsewhere. But Debian scares away a number of potential users. Its "stable" release is painfully out of date most of the time, the "unstable" release is rather too bleeding-edge for many users (while still being slow to pick up new releases at times), and the middle-of-the-road "testing" release seems to offer the worst of both "stable" and "unstable." The process of creating a new stable release looks chaotic, with no timeline for an actual release in sight. The community seems to spend rather too much time arguing about the free status of firmware and documentation and packaging up obscure tools and too little time simply creating a current distribution with a broader appeal. Debian is a great institution, but it worries a number of people.

Ubuntu is the promise of all the good things about Debian without many of the problems. As a stabilized version of Debian sid, it has a remarkably current set of packages. For some software (e.g. GNOME 2.8) Ubuntu was, by design, ahead of everybody else. The release cycle is well defined, and the support period has been made clear from the beginning. There is the obligatory friendly installer as well. Ubuntu looks like a Debian which stays current, and which is safe for ordinary people to use.

Ubuntu is certainly not the first company which has made a go at being a more civilized Debian distribution; others include Progeny, Linspire, Lycoris, UserLinux, and even Corel's old offering. Ubuntu looks rather more community-oriented than many of the other commercial, Debian-based distributions, however; Linspire may be good at attracting attention and lawsuits, but few people would consider it to be truly open or part of the community. Appearances matter, and Ubuntu appears to have the right people and attitude.

Interestingly, Ubuntu appears to have made a bigger splash than even UserLinux, which is arguably a more community-oriented, Debian-based distribution. The UserLinux project is clearly well aware of Ubuntu, to the point of adding an entry to the UserLinux FAQ on the differences between the two distributions:

A key difference is UbuntuLinux is a (free) product offering from a single commercial entity (Canonical Ltd.) whereas UserLinux is created through a community development model.

UserLinux aims to create a standard core for ISV's/whomever to support. This includes very little real packaging of custom software beyond pieces to 'brand' the system. Most of the system is packaged upstream and maintained upstream. Ubuntu aims to create a Debian based desktop distribution and contains a very large number of custom packages. For example, Debian Sarge ships with GNOME 2.6 while Ubuntu is forked off of Unstable around the same time that Sarge did, but ships GNOME 2.8 with significant modifications.

For the purposes of public image in mid-October, 2004, one might state that Ubuntu has added a significant amount of value (or at least changes) to Debian, and has a stable release out now. UserLinux looks to be mostly a rebranding effort with no releases available yet. From that viewpoint, it's not surprising that Ubuntu is currently hogging the spotlight. That situation could change as UserLinux pulls its first release together and gets its distributed support network going.

UserLinux would be well advised to do these things soon.

There is clearly a market for distributors who impose some order upon the Debian development process. With these distributors in place, the undisciplined nature of the Debian release process does not matter anywhere near as much. The emergence of successful, value-added, Debian-based distributions may be one of the best things to happen to Debian in some time.


A look at LionShare

October 20, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Peer-to-peer (P2P) technologies have been continually vilified, not to mention legally challenged, by the entertainment industry and other groups as a haven for anonymously sharing digital content illegally. The LionShare project seeks to legitimize P2P as an academic resource by doing away with anonymous file-sharing and adding features appropriate to an educational environment. LionShare is in development at Penn State University thanks to a grant from the Andrew W. Mellon Foundation. To get up to speed on LionShare, we talked with four members of the LionShare team, project leader Mike Halm and LionShare developers Alex Valentine, Lorin Metzger and Derek Morr.

The major influence for the LionShare project was the Visual Image User Study (VIUS) that was completed last September. LionShare came from a proof-of-concept prototype developed during work on VIUS. The project now has a $1.1 million grant from the Andrew W. Mellon Foundation to develop LionShare 1.0. The grant started last year on October 1, and the team plans to have the 1.0 release ready by September 30, 2005. The first public release alpha went live at the end of September.

LionShare differs from traditional P2P networks in a number of ways. First and foremost, LionShare is designed to be a private, secure network. LionShare users will communicate with "PeerServers" to provide file sharing even when users are not online and for centralized management. The PeerServers will allow users to make files available to others authorized to retrieve the files, or even just as a backup of local files they wish to have available from multiple locations. Morr did note that the software will feature user quotas, to ensure that users do not abuse the backup features.

The software will also feature collaboration tools, such as P2P chat, not present in some file sharing utilities. Authentication will not be required for a user to search the network, but authentication will be necessary to actually retrieve or share files. The LionShare white paper also calls for the LionShare client to provide organizational features as well as the search and retrieval capability already present in clients like LimeWire. LionShare will allow users to search their own filesystems, though Morr pointed out that LionShare's organizational features are not as comprehensive as tools like Beagle or Apple's SpotLight.

At this point, however, LionShare's codebase is still in an alpha state. Morr said that the current alpha that's available on the website is missing the security components that will set LionShare apart from other P2P networks. Metzger noted that the next release should have the security integration, though the release will still be an alpha release.

LionShare is based on the LimeWire 4.0 codebase using a modified Gnutella protocol, and is entirely written in Java. The client and server software are available under the GNU General Public License, while the SASL-CA software is under a BSD-type license. At this point, the LionShare team said that there are "some discussions here and there" between the LionShare developers and the LimeWire developers, but not a "concrete, everyday partnership"; they added that the LimeWire developers are pleased to see their codebase being used in other projects.

Since the LionShare source code is available, how will the developers ensure that others aren't able to utilize the source to build anonymous LionShare client software? According to Morr, it wouldn't matter if someone were to tamper with the client software. "In order to get any kind of public file, you have to certify or authenticate...the other end wouldn't authorize you to access the file."

In addition to requiring authentication, LionShare is designed to allow file restriction based on identity or user roles. Users will be able to set Access Control Lists (ACLs) to restrict sharing of a file to individual users, groups or to all authenticated members. Morr said that the attributes will come from the authentication servers, so that the institutions running LionShare servers will be able to fine-tune the criteria for file sharing. One potential hurdle for educational institutions looking to join a LionShare network is the lack of a standardized schema for ACLs. Morr acknowledged that each institution was likely to have its own schema at the moment, which wouldn't be compatible with other institutions. However, a standardized LDAP schema for higher education called eduPerson is being developed by Internet2, a partner organization for LionShare.

Morr also pointed out that LionShare was designed to allow users to authenticate against a number of different sources. He said that the project was doing a lot of work to make LionShare work with "whatever authentication you have," including LDAP directories and Kerberos sources. Morr said that LionShare should be compatible with Microsoft's Active Directory as well, though they haven't tested that as of yet.

We also asked whether LionShare would protect authorized users from accidentally sharing sensitive or personal files with the wrong set of users. For example, could LionShare prevent a user from accidentally sharing all of their files with all authenticated LionShare users? The LionShare developers said that they had thought about this, and would try to solve the problem by having "a good UI" that would let users know that they were sharing files.

Whether LionShare will catch on beyond the academic setting is anyone's guess. There are valid reasons for integrating authentication into P2P for academic or business uses, but that approach will become unwieldy for larger P2P uses such as downloading Linux ISOs. We'll be watching the development of LionShare with interest, and are looking forward to further releases to evaluate how useful the project will be in the long run.


A couple of applications from your future desktop

By many (but not all) accounts, the Linux desktop has achieved something close to parity with some of the proprietary alternatives, in terms of both capability and usability. The desktop developers are certainly not ready to declare victory and sit back, however; the pace of development is, if anything, still increasing. As an example of where things are going, we decided to take a quick look at a couple of bleeding-edge applications which have been attracting attention recently.

The first of these is tomboy, a simple desktop note-taking tool. Tomboy implements a set of note cards, each of which contains text and links to other cards. The idea is not particularly new, but the implementation has been thought out well. Some of the best ideas from Wiki-style web sites have been absorbed - typing a WikiWord into a note creates and links to a new note using that word as its title. Links can also be created through a "link" button or by dragging and dropping. A simple search capability can quickly find notes containing a given string.

Nat Friedman was impressed by this application:

Note taking is something I do all the time, and which previously was the realm of "emacs ~/randomname.txt" for me.... We all had our horrible little solutions to this problem, and Tomboy has stepped in to fill the gap in a big way.

I'm not sure it's clear to everyone just how big a space Tomboy has carved out. If Tomboy can own note taking for me, that's one of the main purposes of my computer.

[Tomboy screenshot]

Your editor was, with some effort, able to get tomboy running on a Debian unstable system; this application requires a number of highly-current Mono and GTK libraries. There are some rough edges and missing capabilities, which should come as little surprise for an application this new. Even so, tomboy makes note taking and organization into a quick and easy task; it is good at staying out of the way. If the current trend continues, tomboy should quickly reach a level of functionality and stability that will earn it a place on most distribution disks.

Meanwhile, quite a bit of attention has recently been focused on beagle, which is currently at a lofty 0.0.2 release. Beagle appears to be the GNOME project's answer to Microsoft's search plans and Google's (Windows) offering; it provides a quick way to find things on the desktop. Think of it as a modern version of locate, but with a few enhancements.

One core beagle feature is its collection of "filters," which enable searches of a wide variety of files typically found on a Linux desktop system - and some that aren't. Supported file types include Microsoft Office, OpenOffice.org, PDF, source code in a number of programming languages, and a number of image and audio file formats (only metadata is indexed). Beagle can also search email (mostly limited to evolution users for now), tomboy notes, weblog entries in the "Blam!" format, application launchers, and more.

Underneath it all, beagle uses the (still unmerged) inotify mechanism to learn about changes to the filesystem. New or modified files can be indexed immediately; there should be no need for a massive "thrash the disk" job running in the middle of the night. As an added touch, search results which are currently displayed for the user are updated to reflect the latest filesystem changes.

There is a command-line search tool which may be used to search beagle, but the primary interface to the system is best ("bleeding-edge search tool"). The project has put together a collection of best screenshots which gives a good idea of what beagle can currently do.

While tomboy is primarily the work of one developer (Alex Graveley), beagle is a rather larger affair. The beagle roadmap posted on October 4 shows that quite a few Novell hackers have been set to work on beagle. At the top of their list is basic usability work, things like "Not crashing or failing, most of the time." Among other things, it seems there are memory leak problems in Mono which have to be worked around. Email integration remains on the list ("The primary goal will be Evolution mail integration; patches for other mail clients will, of course, be accepted."). Work continues on the search interface; among other things, search will be integrated into the GNOME file selection dialog.

Longer-term goals include reworking dashboard to sit on top of beagle, adding beagle searches to nautilus, and, somehow, better encapsulating the relationships between desktop objects.

Beagle is very much an early-stage project; it can be difficult to install, and it is not available in packaged form for most distributions. There is also that "not crashing or failing" issue. But it has reached a point where the suicidally early adopters are finding it useful, and progress is happening quickly. Linux, it seems, will not be left behind when it comes to desktop search capabilities.


Page editor: Jonathan Corbet

Security

How to kill a web browser

Michal Zalewski recently decided to look for exploitable vulnerabilities in web browsers. So he wrote a little CGI script which generates random HTML and feeds it to the browser; a refresh tag is used so that the browser will repeatedly request new pages - until things come to a crashing halt. Mr. Zalewski reported his results on Bugtraq as "a mini-farce." It seems that most of the browsers he tested fared rather poorly.

The key word here is "most." One browser was able to absorb noisy input indefinitely without crashing; that browser was Internet Explorer.

There has been quite a bit of talk recently about Internet Explorer's security problems, and how the alternatives - both free and proprietary - are more secure. So this kind of result is somewhat embarrassing. As Mr. Zalewski put it:

It appears that the overall quality of code, and more importantly, the amount of QA, on various browsers touted as "secure", is not up to par with MSIE; the type of a test I performed requires no human interaction and involves nearly no effort. Only MSIE appears to be able to consistently handle malformed input well, suggesting this is the only program that underwent rudimentary security QA testing with a similar fuzz utility.

So what sort of HTML turned out to be problematic? A few examples have been posted - but all you smug, free-software-using folks might want to think twice before clicking on them. Use of a tool like wget is probably more appropriate. One of the examples, which, as your smug, free-software-using editor can attest, kills Firefox is, in its entirety:

    <HTML><INPUT

The post notes that this bug is probably exploitable, and that many others certainly exist. The tester also does nothing involving either cascading style sheets or JavaScript - one suspects that those areas might, just maybe, be the source of a bug or two themselves.

The Mozilla project has been quick to capitalize on the recent bout of Internet Explorer security problems. This incident demonstrates, however, that the free software community can, at times, be a little too quick to claim better security. Testing against malformed input has been a standard quality assurance technique for decades; the fact that Mozilla, seemingly, has not done this testing is a little discouraging. Security can be a winning point for free software, but it doesn't happen automatically. If we're going to claim to have a more secure product, we should be sure we've done the homework first. Meanwhile, expect a new set of Mozilla patches sometime soon.
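The kind of harness the article describes is small enough to sketch. What follows is an added example, not Mr. Zalewski's script or anything from the Mozilla project: a CGI page generator that emits deterministic tag soup for a given seed, prefixes it with a refresh tag pointing at the next seed, and records every seed it serves so that the page a browser under test was loading when it fell over can be regenerated exactly for the QA team. The tag and attribute vocabulary, the boundary values, the `/cgi-bin/fuzz` URL and the `FUZZ_SEED_LOG` environment variable are all assumptions of this example.

```python
"""Seeded malformed-HTML page generator for browser QA.
Example code, not the tool discussed above.  Every page is a pure function of
its seed, so a crash is reproducible once the serving seed is known."""
import os
import random
import sys

# Assumed vocabulary: a sample of ordinary HTML 4 tags and attributes.
TAGS = ["html", "body", "div", "form", "input", "select", "option", "table",
        "tr", "td", "a", "img", "font", "p", "frameset", "frame", "textarea"]
ATTRS = ["name", "value", "size", "type", "src", "href", "width", "height",
         "colspan", "rowspan", "maxlength", "color", "border"]
# Integer edge cases that tend to expose sign and width mistakes in parsers.
BOUNDARY = ["0", "-1", "65535", "65536", "2147483647", "2147483648",
            "4294967295", "4294967296", "99999999999999999999"]


def random_value(rng):
    """Attribute value: a boundary integer, a long run of junk, or nothing."""
    kind = rng.choice(["boundary", "junk", "empty"])
    if kind == "boundary":
        return rng.choice(BOUNDARY)
    if kind == "junk":
        n = rng.randint(1, 300)
        return "".join(rng.choice("%&;<>\\'\"/#\x00A ") for _ in range(n))
    return ""


def random_tag(rng):
    """One opening tag; about 15% are left unterminated, like the <HTML><INPUT case."""
    parts = [rng.choice(TAGS)]
    for _ in range(rng.randint(0, 4)):
        parts.append('%s="%s"' % (rng.choice(ATTRS), random_value(rng)))
    tag = "<" + " ".join(parts)
    return tag + ">" if rng.random() < 0.85 else tag


def generate_page(seed, n_tags=60, next_url="/cgi-bin/fuzz"):
    """Deterministic tag soup for `seed`, prefixed with a refresh to seed + 1."""
    rng = random.Random(seed)
    head = ('<meta http-equiv="refresh" content="0; url=%s?seed=%d">'
            % (next_url, seed + 1))
    body = []
    for _ in range(n_tags):
        body.append(random_tag(rng))
        if rng.random() < 0.3:   # occasional text between tags
            body.append("".join(rng.choice("abcXYZ01 \n")
                                for _ in range(rng.randint(0, 40))))
        if rng.random() < 0.2:   # occasional mismatched closing tag
            body.append("</%s>" % rng.choice(TAGS))
    return head + "".join(body)


def seed_from_query(query_string):
    """Parse seed=N from the CGI QUERY_STRING; default to 1 if absent or malformed."""
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if key == "seed" and value.isdigit():
            return int(value)
    return 1


if __name__ == "__main__":
    # CGI entry point: record the seed first, then emit the page.
    seed = seed_from_query(os.environ.get("QUERY_STRING", ""))
    log_path = os.environ.get("FUZZ_SEED_LOG", "fuzz-seeds.log")  # assumed setting
    with open(log_path, "a") as log:
        log.write("%d\n" % seed)
    sys.stdout.write("Content-Type: text/html\r\n\r\n")
    sys.stdout.write(generate_page(seed))
```

The point of logging the seed before sending the page is the one practical detail that turns a random crash into a bug report: the last line of the log names the page that killed the browser, and `generate_page(seed)` reproduces it byte for byte.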


Security news

Security fixes in 2.6.9

Alan Cox has sent out an announcement regarding a couple of tty-related security fixes which were included in the 2.6.9 kernel release. One of them is, conceivably, remotely exploitable, though it appears to be impossible to exploit in most cases. 2.4 and 2.2 kernels are also vulnerable; expect distributor updates shortly.


New vulnerabilities

apache: mod_ssl cipher negotiation problem

Package(s): apache
CVE #(s): CAN-2004-0885
Created: October 15, 2004
Updated: November 4, 2004
Description: Apache's mod_ssl module may allow content to be retrieved without proper negotiation of the requested cipher suite.
Alerts:
Conectiva CLA-2004:885 2004-11-04
Mandrake MDKSA-2004:122 2004-11-01
Gentoo 200410-21 2004-10-21
OpenPKG OpenPKG-SA-2004.044 2004-10-15


BNC: input validation flaw

Package(s): bnc
CVE #(s):
Created: October 15, 2004
Updated: October 19, 2004
Description: The BNC IRC proxying server contains an input validation flaw which can be remotely exploited for the purpose of running IRC commands.
Alerts:
Gentoo 200410-13 2004-10-15


cvs: information disclosure

Package(s): cvs
CVE #(s): CAN-2004-0778
Created: October 20, 2004
Updated: October 20, 2004
Description: CVS (prior to version 1.1.17) contains an undocumented switch which may be used by an attacker to verify the existence of files and whether the CVS process can access them.
Alerts:
Mandrake MDKSA-2004:108 2004-10-19


ghostscript: symlink vulnerabilities

Package(s): ghostscript
CVE #(s): CAN-2004-0967
Created: October 20, 2004
Updated: September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20


libpng: integer overflows

Package(s): libpng
CVE #(s): CAN-2004-0955
Created: October 20, 2004
Updated: October 25, 2004
Description: A new set of integer overflows has been found in the libpng library; these overflows could perhaps be exploited (by way of a malicious image file) to execute arbitrary code.
Alerts:
Ubuntu USN-1-1 2004-10-22
Debian DSA-571-1 2004-10-20
Debian DSA-570-1 2004-10-20


phpMyAdmin: Vulnerability in MIME-based transformation

Package(s): phpMyAdmin
CVE #(s):
Created: October 18, 2004
Updated: October 19, 2004
Description: A defect was found in phpMyAdmin's MIME-based transformation system, when used with "external" transformations. A remote attacker could exploit this vulnerability to execute arbitrary commands on the server with the rights of the HTTP server user.
Alerts:
Gentoo 200410-14 2004-10-18


PostgreSQL: Insecure temporary file use in make_oidjoins_check

Package(s): PostgreSQL
CVE #(s): CAN-2004-0977
Created: October 18, 2004
Updated: December 20, 2004
Description: The make_oidjoins_check script insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user.
Alerts:
Red Hat RHSA-2004:489-01 2004-12-20
Mandrake MDKSA-2004:149 2004-12-13
OpenPKG OpenPKG-SA-2004.046 2004-10-29
Debian DSA-577-1 2004-10-29
Ubuntu USN-6-1 2004-10-27
Gentoo 200410-16 2004-10-18


WordPress: HTTP response splitting and XSS vulnerabilities

Package(s): wordpress
CVE #(s):
Created: October 14, 2004
Updated: December 20, 2004
Description: WordPress is vulnerable to HTTP response splitting and cross-site scripting attacks, due to the lack of input validation in the administration panel scripts. A malicious user could inject arbitrary response data, leading to content spoofing, web cache poisoning and other cross-site scripting or HTTP response splitting attacks. This could result in compromising the victim's data or browser.
Alerts:
Gentoo 200410-12:02 2004-10-14
Gentoo 200410-12 2004-10-14
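
The defect class in this entry comes down to one missing check: a request value copied into a response header without rejecting carriage returns and line feeds. The following is an added example, not WordPress code, showing a redirect builder in the vulnerable form beside the hardened one, a counter that detects a split response stream, and the matching HTML escaping for the cross-site scripting half of the advisory. The sample injected value is constructed for the demonstration.

```python
"""Response-header validation against CRLF injection, plus HTML escaping.
Example code added here, not WordPress's own; the sample input is constructed."""
import html
import re

CRLF = "\r\n"
# A bare CR or LF inside a header value terminates the field, so any such
# character that originates in user input must be refused, not passed through.
_CR_OR_LF = re.compile(r"[\r\n]")


def redirect_unsafe(location):
    """Vulnerable pattern: user-controlled value placed in a header unchecked."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def redirect_safe(location):
    """Hardened pattern: refuse any header value containing CR or LF."""
    if _CR_OR_LF.search(location):
        raise ValueError("CR/LF not permitted in header value")
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def count_responses(raw):
    """Number of status lines in a raw response stream; more than one means
    the single intended response was split into several."""
    return len(re.findall(r"^HTTP/1\.[01] \d{3}", raw, flags=re.MULTILINE))


def escape_for_html(value):
    """Escape a value before it is interpolated into page text or an attribute."""
    return html.escape(value, quote=True)


# Constructed sample: a redirect target that smuggles a second response.
INJECTED = ("/index.php" + CRLF + CRLF +
            "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF + CRLF +
            "<html>spoofed</html>")
```

A web cache sitting in front of the server sees two responses in the unsafe case and may store the second under the next request's URL, which is the cache-poisoning outcome the advisory names; `redirect_safe` fails closed before anything reaches the wire.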


Updated vulnerabilities

Apache mod_proxy: denial of service

Package(s): apache
CVE #(s): CAN-2004-0492
Created: June 11, 2004
Updated: October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
Fedora-Legacy FLSA:1737 2004-10-13
Mandrake MDKSA-2004:065 2004-06-29
Debian DSA-525-1 2004-06-24
Gentoo 200406-16 2004-06-21
OpenPKG OpenPKG-SA-2004.029 2004-06-11


apache2: stack-based buffer overflow in ssl_util.c

Package(s): apache2
CVE #(s): CAN-2004-0488
Created: June 1, 2004
Updated: October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01


aspell: bounds checking problem

Package(s): aspell
CVE #(s): CAN-2004-0548
Created: June 17, 2004
Updated: December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17


cdrecord: failure to drop privilege

Package(s): cdrecord
CVE #(s): CAN-2004-0806
Created: September 8, 2004
Updated: February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07


ncompress: Buffer overflow

Package(s): compress, uncompress, ncompress
CVE #(s): CAN-2001-1413
Created: October 11, 2004
Updated: December 14, 2004
Description: compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress.
Alerts:
Red Hat RHSA-2004:536-01 2004-12-13
Gentoo 200410-08 2004-10-09


cups: information leak

Package(s): cups
CVE #(s): CAN-2004-0923
Created: October 5, 2004
Updated: October 14, 2004
Description: CUPS has an information leakage problem when printing to SMB shares requiring authentication.
Alerts:
Debian DSA-566-1 2004-10-14
Gentoo 200410-06 2004-10-09
Fedora FEDORA-2004-331 2004-10-05


cups: denial of service

Package(s): cups, cupsys
CVE #(s): CAN-2004-0558
Created: September 15, 2004
Updated: October 14, 2004
Description: Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
Alerts:
Conectiva CLA-2004:872 2004-10-14
Fedora FEDORA-2004-275 2004-09-28
Slackware SSA:2004-266-01 2004-09-22
Whitebox WBSA-2004:449-01 2004-09-20
Gentoo 200409-25 2004-09-20
SuSE SUSE-SA:2004:031 2004-09-15
Red Hat RHSA-2004:449-01 2004-09-15
Mandrake MDKSA-2004:097 2004-09-15
Debian DSA-545-1 2004-09-15


cyrus-sasl: remote buffer overflow

Package(s): cyrus-sasl
CVE #(s): CAN-2004-0884
Created: October 7, 2004
Updated: March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07


ed: Insecure temporary file handling

Package(s): ed
CVE #(s): CVE-2000-1137
Created: October 11, 2004
Updated: October 13, 2004
Description: ed insecurely creates temporary files in world-writeable directories with predictable names. Given that ed is used in various system shell scripts, they are by extension affected by the same vulnerability. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When ed is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200410-07 2004-10-09


Filename disclosure vulnerability in fam

Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15


flim: insecure file creation

Package(s): flim
CVE #(s): CAN-2004-0422
Created: May 5, 2004
Updated: December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01


Foomatic: Arbitrary command execution in foomatic-rip

Package(s): foomatic
CVE #(s): CAN-2004-0801
Created: September 20, 2004
Updated: May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20


FreeRADIUS: denial of service

Package(s): freeradius
CVE #(s): CAN-2004-0938, CAN-2004-0960, CAN-2004-0961
Created: September 22, 2004
Updated: February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22


Gaim: remote code execution vulnerability

Package(s): gaim
CVE #(s): CAN-2004-0500
Created: August 12, 2004
Updated: October 18, 2004
Description: The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability in the MSN-protocol parsing functions.
Alerts:
Fedora-Legacy FLSA:1237 2004-10-16
Whitebox WBSA-2004:400-01 2004-09-20
Slackware SSA:2004-239-01 2004-08-26
Fedora FEDORA-2004-279 2004-08-26
Fedora FEDORA-2004-278 2004-08-26
Mandrake MDKSA-2004:081 2004-08-12
SuSE SUSE-SA:2004:025 2004-08-12
Gentoo 200408-12 2004-08-12


gtk2, gdk-pixbuf: buffer overflows

Package(s): gdk-pixbuf, gtk2
CVE #(s): CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788
Created: September 15, 2004
Updated: February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files with predictable names in world-writable directories. A local attacker could create symbolic links in the temporary directory pointing at an existing file elsewhere on the filesystem; when gettext is run, that file is then accessed with the rights of the user running the utility, which could be root.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug in the handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB formats.
Alerts:
Ubuntu USN-35-1 2004-11-30
Ubuntu USN-7-1 2004-10-27
Red Hat RHSA-2004:480-01 2004-10-20
Red Hat RHSA-2004:494-01 2004-10-20
Mandrake MDKSA-2004:102 2004-09-22
Debian DSA-547-1 2004-09-16

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

kernel information leak

Package(s):kernel CVE #(s):CAN-2004-0415
Created:August 3, 2004 Updated:October 26, 2004
Description: Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.

A fix for this problem was added to the fifth 2.4.27 release candidate.

Alerts:
Conectiva CLA-2004:879 2004-10-26
Fedora-Legacy FLSA:1804 2004-10-18
Mandrake MDKSA-2004:087 2004-08-26
Gentoo 200408-24 2004-08-25
Whitebox WBSA-2004:413-01 2004-08-19
Red Hat RHSA-2004:327-01 2004-08-18
Fedora FEDORA-2004-251 2004-08-10
Trustix TSLSA-2004-0041 2004-08-09
SuSE SUSE-SA:2004:024 2004-08-09
Red Hat RHSA-2004:413-01 2004-08-03
Red Hat RHSA-2004:418-01 2004-08-03
Fedora FEDORA-2004-247 2004-08-03

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lha: stack-based buffer overflow

Package(s):lha CVE #(s):CAN-2004-0769 CAN-2004-0771 CAN-2004-0694 CAN-2004-0745
Created:September 2, 2004 Updated:October 14, 2004
Description: The lha archiving and compression utility has a stack-based buffer overflow vulnerability. A modified archive could allow an attacker to execute code when a victim extracts or tests the archive.
Alerts:
Fedora-Legacy FLSA:1833 2004-10-13
Whitebox WBSA-2004:323-01 2004-09-20
Gentoo 200409-13 2004-09-08
Fedora FEDORA-2004-295 2004-09-08
Fedora FEDORA-2004-294 2004-09-08
Red Hat RHSA-2004:323-01 2004-09-01

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)
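The gdk-pixbuf, ImageMagick, imlib2 and libXpm entries above share one root cause: width, height and depth taken from an untrusted image header are multiplied into an allocation size in 32-bit arithmetic, the product wraps, and the decoder then copies far more pixel data than it allocated. The following is an added example written for this page, not code from any of those libraries. It parses a constructed BMP header (the real 14-byte file header plus 40-byte BITMAPINFOHEADER layout) and computes the pixel buffer size the wrapping way and the checked way; BMP_MAX_DIM and the function names are the example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian field readers/writers for the BMP headers. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

struct bmp_hdr {
    int32_t  width, height;        /* height < 0 means rows are stored top-down */
    uint16_t bpp;
    uint32_t compression, off_bits;
};

/* Parse the 14-byte file header plus the 40-byte BITMAPINFOHEADER.
   Returns 0 on success, -1 if the buffer is too short or not a BMP. */
int bmp_parse_header(const uint8_t *buf, size_t len, struct bmp_hdr *h)
{
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M' || le32(buf + 14) < 40)
        return -1;
    h->off_bits    = le32(buf + 10);
    h->width       = (int32_t)le32(buf + 18);
    h->height      = (int32_t)le32(buf + 22);
    h->bpp         = le16(buf + 28);
    h->compression = le32(buf + 30);
    return 0;
}

/* The pattern behind the bugs above: stride * rows is computed in 32 bits, so a
   crafted header wraps it to a small number, the decoder allocates that little,
   and the row-copy loop that trusts width/height then runs past the buffer. */
uint32_t pixel_bytes_naive(const struct bmp_hdr *h)
{
    uint32_t w = (uint32_t)h->width;
    uint32_t rows = (uint32_t)(h->height < 0 ? -h->height : h->height);
    uint32_t stride = ((w * h->bpp + 31) / 32) * 4;     /* rows are padded to 4 bytes */
    return stride * rows;                                 /* wraps silently */
}

/* Hardened version: bound every field first, do the arithmetic in 64 bits where
   the bounds guarantee it cannot overflow, and refuse any image whose pixel data
   is larger than what the file actually carries. BMP_MAX_DIM is an assumed
   policy limit for this example, not part of the format. */
#define BMP_MAX_DIM 32768u

int pixel_bytes_checked(const struct bmp_hdr *h, size_t file_len, uint64_t *out)
{
    if (h->width <= 0 || h->height == 0 || h->height == INT32_MIN)
        return -1;
    uint64_t w = (uint64_t)h->width;
    uint64_t rows = h->height < 0 ? (uint64_t)(-(int64_t)h->height) : (uint64_t)h->height;
    if (w > BMP_MAX_DIM || rows > BMP_MAX_DIM)
        return -1;
    switch (h->bpp) { case 1: case 4: case 8: case 16: case 24: case 32: break; default: return -1; }
    if (h->compression != 0)                 /* only uncompressed BI_RGB handled here */
        return -1;
    uint64_t stride = ((w * h->bpp + 31) / 32) * 4;     /* <= 2^15 * 32 bits, no overflow */
    uint64_t total  = stride * rows;                      /* <= 2^17 * 2^15 = 2^32 */
    if (h->off_bits < 54 || h->off_bits > file_len || total > file_len - h->off_bits)
        return -1;
    *out = total;
    return 0;
}

/* Constructed inputs: headers built in memory, not real files. */
static size_t make_bmp(uint8_t *buf, int32_t w, int32_t ht, uint16_t bpp, size_t pixel_bytes)
{
    memset(buf, 0, 54 + pixel_bytes);
    buf[0] = 'B'; buf[1] = 'M';
    put32(buf + 2, (uint32_t)(54 + pixel_bytes));
    put32(buf + 10, 54);                      /* pixel data follows the headers */
    put32(buf + 14, 40);
    put32(buf + 18, (uint32_t)w);
    put32(buf + 22, (uint32_t)ht);
    put16(buf + 26, 1);
    put16(buf + 28, bpp);
    return 54 + pixel_bytes;
}

/* Crafted 32768 x 32768 x 32bpp header: the true pixel size is exactly 2^32
   bytes, which the 32-bit computation wraps to 0. */
uint32_t demo_naive_on_crafted(void)
{
    uint8_t buf[54]; struct bmp_hdr h;
    size_t n = make_bmp(buf, 32768, 32768, 32, 0);
    bmp_parse_header(buf, n, &h);
    return pixel_bytes_naive(&h);
}

int demo_checked_on_crafted(void)
{
    uint8_t buf[54]; struct bmp_hdr h; uint64_t bytes = 0;
    size_t n = make_bmp(buf, 32768, 32768, 32, 0);
    bmp_parse_header(buf, n, &h);
    return pixel_bytes_checked(&h, n, &bytes);      /* rejected: 2^32 bytes in a 54-byte file */
}

/* Benign 2 x 2 x 24bpp image with its 16 bytes of (zero) pixel data. */
long long demo_checked_on_benign(void)
{
    uint8_t buf[54 + 16]; struct bmp_hdr h; uint64_t bytes = 0;
    size_t n = make_bmp(buf, 2, 2, 24, 16);
    bmp_parse_header(buf, n, &h);
    return pixel_bytes_checked(&h, n, &bytes) == 0 ? (long long)bytes : -1;
}
```

The two checks that matter are the per-field bounds (which make the 64-bit multiply provably safe) and the comparison against the bytes actually present after off_bits; a decoder that has both cannot be talked into a short allocation by any header value.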

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

Midnight Commander: extfs vfs vulnerability

Package(s):mc CVE #(s):CAN-2004-0494
Created:September 2, 2004 Updated:January 5, 2005
Description: Midnight Commander's extfs virtual filesystem scripts, written in Perl, quote shell arguments unsafely.
Alerts:
Red Hat RHSA-2004:464-02 2005-01-05
Red Hat RHSA-2004:464-01 2004-09-15
Fedora FEDORA-2004-273 2004-09-01
Fedora FEDORA-2004-272 2004-09-01

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mozilla products: arbitrary code execution and other vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
Created:September 20, 2004 Updated:January 13, 2005
Description: Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details.
Alerts:
Gentoo 200501-03 2005-01-05
Fedora-Legacy FLSA:2089 2004-10-27
Conectiva CLA-2004:877 2004-10-22
Mandrake MDKSA-2004:107 2004-10-19
SuSE SUSE-SA:2004:036 2004-10-06
Red Hat RHSA-2004:486-01 2004-09-30
Slackware SSA:2004-266-03 2004-09-22
Gentoo 200409-26 2004-09-20

Comments (none posted)

mpg123: buffer overflow bug

Package(s):mpg123 CVE #(s):CAN-2004-0805
Created:September 16, 2004 Updated:January 11, 2005
Description: The mpg123 audio playing utility has a buffer overflow bug that may allow arbitrary execution of code.
Alerts:
Gentoo 200501-14 2005-01-10
Debian DSA-564-1 2004-10-13
Mandrake MDKSA-2004:100 2004-09-22
Gentoo 200409-20 2004-09-16

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)
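The mpg321 bug above is the classic format-string shape: text from an untrusted source (here an mp3 tag or stream) reaches printf(3) as the format rather than as an argument. The following is an added example, not mpg321's code, showing the vulnerable and corrected calls side by side plus a scanner for legacy paths that cannot be changed; the function names and the "100%% done" sample string are the example's own.

```c
#include <stdio.h>
#include <string.h>

typedef int (*fmt_fn)(char *, size_t, const char *, ...);

/* Vulnerable sink: the tag text is passed as the format string, so every '%'
   directive in it is interpreted against whatever happens to be on the stack;
   "%x" leaks memory and "%n" writes to it. Calling through a plain function
   pointer only keeps this deliberately wrong call compiling on toolchains that
   default to -Werror=format-security; the behaviour is that of printf(title). */
int render_title_vulnerable(char *out, size_t outlen, const char *title)
{
    fmt_fn fmt = snprintf;
    return fmt(out, outlen, title);
}

/* Fix: untrusted text is always an argument, never the format. */
int render_title_safe(char *out, size_t outlen, const char *title)
{
    return snprintf(out, outlen, "%s", title);
}

/* Defence in depth for a legacy path that cannot be changed: refuse untrusted
   text carrying any directive other than a literal "%%". Returns 1 if found. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is just a percent sign */
        return 1;
    }
    return 0;
}

/* "%%" is the one directive that is safe to feed the vulnerable sink, and it is
   enough to show the interpretation: the vulnerable call collapses it to one
   byte, the safe call reproduces the input byte for byte. Both return the
   length written. */
int demo_vulnerable_length(void) { char b[64]; return render_title_vulnerable(b, sizeof b, "100%% done"); }
int demo_safe_length(void)       { char b[64]; return render_title_safe(b, sizeof b, "100%% done"); }
```

Compilers flag the vulnerable shape when the format is a non-literal with no arguments (gcc's -Wformat-security); treating that warning as an error in the build is the cheapest way to keep this class of bug from coming back.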

mysql: several vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
Created:October 11, 2004 Updated:April 6, 2005
Description: Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Alerts:
Ubuntu USN-109-1 2005-04-06
Fedora FEDORA-2004-530 2004-12-08
Ubuntu USN-32-1 2004-11-25
Conectiva CLA-2004:892 2004-11-18
Mandrake MDKSA-2004:119 2004-11-01
OpenPKG OpenPKG-SA-2004.045 2004-10-30
Red Hat RHSA-2004:611-01 2004-10-27
Gentoo 200410-22 2004-10-24
Red Hat RHSA-2004:569-01 2004-10-20
Red Hat RHSA-2004:597-01 2004-10-20
Debian DSA-562-1 2004-10-11

Comments (none posted)

netkit-telnet: invalid free pointer

Package(s):netkit-telnet CVE #(s):CAN-2004-0911
Created:October 4, 2004 Updated:March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).
Alerts:
Ubuntu USN-101-1 2005-03-28
Debian DSA-556-2 2004-10-18
Debian DSA-569-1 2004-10-18
Debian DSA-556-1 2004-10-02

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)
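The gettext, logcheck and netpbm entries above are all the same local attack: the tool opens a predictable name in a shared directory without O_EXCL, an attacker has already planted a symlink there, and the tool's write lands wherever the link points, with the tool's privileges. The following added example, not taken from any of those packages, sets up that scenario in a scratch directory and runs both the vulnerable open and the hardened one. The "<tool>.<pid>" naming, the scratch directory under /tmp and the victim file are all constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct scenario { char dir[64]; char victim[96]; char guessable[96]; };

/* Constructed setup: a scratch directory standing in for /tmp, a 'victim' file
   the attacker wants overwritten, and a symlink planted at the name the tool is
   about to use ("<tool>.<pid>"; pids are easy to predict or to spray). */
static int scenario_create(struct scenario *s, const char *tool)
{
    strcpy(s->dir, "/tmp/lwn-tmpfile-XXXXXX");
    if (mkdtemp(s->dir) == NULL) return -1;
    snprintf(s->victim, sizeof s->victim, "%s/victim.conf", s->dir);
    int fd = open(s->victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "original\n", 9) != 9) { close(fd); return -1; }
    close(fd);
    snprintf(s->guessable, sizeof s->guessable, "%s/%s.%ld", s->dir, tool, (long)getpid());
    return symlink(s->victim, s->guessable);
}

/* 1 if the victim file no longer holds its original contents, 0 if intact. */
static int victim_clobbered(const struct scenario *s)
{
    char buf[64] = {0};
    int fd = open(s->victim, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 && strcmp(buf, "original\n") != 0;
}

static void scenario_destroy(struct scenario *s)
{
    unlink(s->guessable);     /* removes the link, not its target */
    unlink(s->victim);
    rmdir(s->dir);
}

/* Vulnerable pattern (what the affected tools did): predictable name, and
   open() with O_CREAT but without O_EXCL. The planted symlink is followed and
   the tool's output lands in the victim file with the tool's privileges.
   Returns 1 if the victim file was overwritten. */
int demo_predictable_name_followed(void)
{
    struct scenario s;
    if (scenario_create(&s, "gettext") != 0) return -1;
    int fd = open(s.guessable, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) { if (write(fd, "attacker data\n", 14) < 0) { /* ignored */ } close(fd); }
    int clobbered = victim_clobbered(&s);
    scenario_destroy(&s);
    return clobbered;
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST when anything,
   symlink included, already sits at the name, and mkstemp() adds an
   unpredictable suffix so the attacker cannot pre-plant the name at all.
   Returns 1 if the symlink was refused, mkstemp succeeded, and the victim
   file is untouched. */
int demo_excl_and_mkstemp(void)
{
    struct scenario s;
    if (scenario_create(&s, "gettext") != 0) return -1;
    int fd = open(s.guessable, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    char tmpl[128];
    snprintf(tmpl, sizeof tmpl, "%s/gettext.XXXXXX", s.dir);
    int tfd = mkstemp(tmpl);                 /* O_CREAT|O_EXCL, mode 0600, random suffix */
    int created = tfd >= 0;
    if (tfd >= 0) { close(tfd); unlink(tmpl); }
    int untouched = victim_clobbered(&s) == 0;
    scenario_destroy(&s);
    return refused && created && untouched;
}
```

Two caveats a practitioner should keep in mind: the name returned by mkstemp() must be used through the returned descriptor (reopening it by path reintroduces the race), and on kernels without symlink protection in sticky directories the O_EXCL check is the only thing standing between a root-run utility and an attacker-chosen target.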

OpenOffice: information disclosure

Package(s):openoffice.org CVE #(s):CAN-2004-0752
Created:September 15, 2004 Updated:October 20, 2004
Description: OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.
Alerts:
Gentoo 200410-17 2004-10-20
Mandrake MDKSA-2004:103 2004-09-27
Red Hat RHSA-2004:446-01 2004-09-15

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)
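The OpenSSH entry above describes a timing channel: when the user name does not exist, the PAM path returns before doing the expensive password work, so the response time alone tells an attacker which accounts are valid. The following is an added example, not OpenSSH or PAM code, that models the channel as a count of expensive operations and shows the standard fix of doing the same work on both paths. The user database, the toy stretching hash and all names are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* A deliberately slow, fake password hash standing in for the real
   verification step. What matters for the side channel is only that it is
   expensive and that the vulnerable path skips it. Not a real KDF. */
#define STRETCH_ROUNDS 20000

static unsigned long g_hash_calls;   /* observable stand-in for elapsed time */

static uint32_t slow_hash(const char *pw)
{
    g_hash_calls++;
    uint32_t h = 2166136261u;
    for (int r = 0; r < STRETCH_ROUNDS; r++)
        for (const char *p = pw; *p; p++)
            h = (h ^ (uint8_t)*p) * 16777619u;
    return h;
}

struct user { const char *name; uint32_t pw_hash; };
typedef int (*login_fn)(const char *, const char *, const struct user *, size_t);

static const struct user *lookup(const char *name, const struct user *db, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0) return &db[i];
    return NULL;
}

/* Vulnerable: an unknown user returns immediately, so the response time leaks
   whether the account exists. */
int login_vulnerable(const char *name, const char *pw, const struct user *db, size_t n)
{
    const struct user *u = lookup(name, db, n);
    if (u == NULL) return 0;
    return slow_hash(pw) == u->pw_hash;
}

/* Fixed: always run the expensive step. For an unknown user, verify against a
   dummy record so both paths do the same work, and reject afterwards. */
int login_constant_work(const char *name, const char *pw, const struct user *db, size_t n)
{
    static const struct user dummy = { "", 0 };
    const struct user *u = lookup(name, db, n);
    const struct user *target = u ? u : &dummy;
    int ok = slow_hash(pw) == target->pw_hash;
    return u != NULL && ok;
}

/* Constructed two-user database, hashed lazily on first use. */
static struct user g_db[2];
static void build_db(void)
{
    if (g_db[0].name) return;
    g_db[0].name = "alice"; g_db[0].pw_hash = slow_hash("hunter2");
    g_db[1].name = "bob";   g_db[1].pw_hash = slow_hash("correct horse");
}

/* How much expensive work one login attempt causes, as the attacker would see
   it through response time. */
unsigned long hash_calls_for(login_fn login, const char *name, const char *pw)
{
    build_db();
    g_hash_calls = 0;
    login(name, pw, g_db, 2);
    return g_hash_calls;
}

int login_result(login_fn login, const char *name, const char *pw)
{
    build_db();
    return login(name, pw, g_db, 2);
}
```

With the vulnerable function, an unknown name costs zero hash calls and a known one costs one; with the fixed function both cost one, and the decision is still correct because the dummy comparison can never turn into an accept. Real implementations also have to keep the dummy record's parameters (salt length, cost) identical to a genuine one, otherwise the difference reappears as a smaller timing gap.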

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200411-19 2004-11-10
Debian DSA-527-1 2004-07-03
Gentoo 200406-22 2004-06-30

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):