The Grumpy Editor's guide to free documentation licenses
There may be little agreement on the question of what is the right
license for free software, but there is, at least, a rough consensus on
what the options are. There are two basic varieties: GPL-like (which
require that derived products, if distributed, carry the same license) and
BSD-like (which only require retention of copyright notices and credit).
There are licenses which reserve special rights for the "primary
contributor," and other variations exist, but the basic choice is clear.
This is not the case for licenses covering documentation. There seems to
be little consensus on which rights authors need to retain, and which
should be relinquished. Indeed, there is little agreement on why
documentation should be free. Many of the reasons for keeping software
free (ability to look at the source to see how it works, ability to correct
misfeatures) do not apply to documentation. Obtaining a manual in
"original source" form may be helpful for cranking out more copies, but
that source will reveal little which is not already evident in the text.
Software, when distributed in binary form, is a black box which hides its
internal nature. Documentation, on the other hand, expresses its ideas on
its face; it is transparent.
Or, at least, it should be. Certainly your editor has produced writings
which fail on that front at times.
So why should documentation be free? Your editor has a renewed interest in
free documentation licenses for a couple of different contexts. One is a
longstanding item on LWN's "good intentions" list: putting our original
content under a free license. The other is the almost-imminent publication
of a book, which will certainly be released under free terms. In both
cases, the motivations are similar:
- Free software changes rapidly; its documentation has, in rare cases,
been known to lag a little behind. If the original author is unable
or unwilling to update a document to match current reality, somebody
else should be able to do so.
- Some readers never got the memo saying that English is The Language;
they can have funny ideas about having manuals in their own tongue.
It is rare that the original author can produce a translation in even
one alternative language, but there are often people with the interest
and skill who can do such translations. A free license should certainly
enable that work to happen.
- Collections of documents can be good things. Consider the massive "All
About Linux" books which were published in the mid-1990s, which were
generally made of the Linux Documentation Project's output, combined
with duct tape. Taking excerpts from free documentation can also be
useful; a book on Python database programming could benefit from, say,
Python and PostgreSQL introductions taken from other books.
- A printed book is unlikely to be available everywhere there might be
an interested reader, but a free, downloadable book is available
anywhere a net connection can be found.
For the purposes of updating and creating other sorts of derived works,
having the "original" source of a free document is important - though
not absolutely necessary. If
nothing else is available, a free license, a scanner, and some sort of
character recognition software can fill in. Translations and distribution
do not necessarily require source; PDF files may be all that is required.
Since not all free licenses are driven by the same goals, they do not all
require the distribution of a machine-editable version of the text.
Documentation licenses address one other area which is typically not an
issue with licenses applying to code: that of artistic integrity. Some
authors feel that their words should be distributed intact, or not at all;
others insist that certain types of material not be removed from their
works. A survey of documentation licenses will find a number of "thou
shalt not modify the text" terms. Such licenses will,
for the purposes of this article, be considered non-free. A document which
cannot be modified resembles a program which cannot be recompiled; it may
have its uses, but it is also a dead end.
Creative Commons
The Creative Commons project is
trying to address the current impoverishment of the public domain by
encouraging the release of artistic works under any of a set of licenses.
Many of the creative commons licenses forbid the creation of derived works
or any sort of commercial use; they are thus, by this survey's standards,
non-free. There are two licenses which lack those terms, however: the
Attribution 2.0 and Attribution-ShareAlike 2.0 licenses.
The Creative Commons licenses are explicitly written as contracts; they
read:
BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND
AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS
YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE
OF SUCH TERMS AND CONDITIONS.
The Attribution license allows the creation and distribution of derived
works. Distributed copies must include a copy of the license - or at least
a URL pointing to it; additional restrictions may not be imposed on the
original work. Any distributed copy must include attribution giving credit
to the original author, along with the author's URL pointing to the
original version. The "ShareAlike" version of the license is GPL-like in
that it requires derived works to carry the same license.
Interestingly, the Creative Commons 2.0 licenses explicitly disclaim any
warranty or indemnification. Earlier versions of the license offered a
warranty by the author that he or she was entitled to offer the work under
those terms.
The Creative Commons licenses say nothing about the format in which works
are distributed. By your editor's reading of the licenses, distribution of
a derived work in PDF format, with no availability of the work in its
original format, is allowed.
The GNU Free Documentation License
The GNU Project's recommended license for documentation is the Free
Documentation License;
it is complicated and, by some accounts, not truly free. In places, the
FDL has clearly been written with the idea of furthering the Free Software
Foundation's particular goals.
The FDL is GPL-like, in that it allows the creation and distribution of
modified versions, but any derived versions must carry the same license.
The FDL places limits on modifications, however. Any derived versions must
carry the original's "History," "Acknowledgments," and "Dedications"
sections, along with a full copy of the FDL. Beyond that, however, the FDL
creates the concepts of "invariant sections" and "cover texts"; these
features of the FDL are at the heart of the disagreement over its status as
a free license.
An invariant section is not allowed to address the primary topic of the
text. Instead, it deals with the "relationship" between the author(s) and
publisher and the subject:
The relationship could be a matter of historical connection with
the subject or with related matters, or of legal, commercial,
philosophical, ethical or political position regarding them.
The FDL requires that all invariant sections be included in any derived
work, and that, as indicated by their name, these sections not be
modified. The purpose of invariant sections is clear: it enables the GNU
project to include the GNU Manifesto (and related texts) in manuals and
to forbid its removal.
Thus, documents can be made to serve two roles: describing the subject
matter of interest, and promoting the agenda of the group which created the
document.
"Cover texts" are short passages which must, in some conditions, appear on
the front and back cover of any distributed copy of the work. Use of cover
texts is only required when over 100 copies are being distributed.
Distributing large numbers of copies also obligates the distributor to make
a "transparent" version of the document - one which is machine editable -
available. The "transparent" copy need not be the original source; a plain
text file stripped of markup will do. People who distribute a small number
of copies can, if they wish, distribute them in an "opaque" format which
does not allow editing.
An FDL-licensed work with no invariant sections and no cover texts is, by
most people's reckoning, free. The inclusion of text which cannot be
modified or deleted obviously changes the picture, and many people consider
documents with those features to be non-free. Certainly the FDL makes
certain types of derived products, such as those using an excerpt from an
FDL-licensed work, difficult. An author wishing to take a few sections
from the GNU emacs manual must drag along the entire FDL, the entire GPL,
the GNU manifesto, the "Distribution" section, and the cover texts as
well. In practice, these requirements will make that sort of use almost
impossible.
The FDL makes no statement with regard to warranties or indemnification,
other than to note that the document may carry warranty disclaimers outside
of the license. It is also careful to note that warranty disclaimers
cannot modify any other aspect of the license.
Open Publication License
The Open Publication License
(OPL) dates back to 1999. Among other things, it is used for the Perens Open Source
Series of books. The OPL is a relatively simple license; it allows
redistribution of works, with or without modifications, in any format. The
distributed copies must be licensed under the terms of the OPL, but nothing
in the license requires that an editable version be made available.
Modified versions must include a pointer back to the original, along with
the usual notifications that changes have been made. The OPL includes a
warranty disclaimer.
In its plain form, the OPL is a free license. It includes two "options,"
however, which can change the situation. "Option A" is a prohibition
on the distribution of "substantive" modifications - essentially anything
beyond reformatting or typo fixes. "Option B" is a restriction on
commercial redistribution. If either of these options is exercised, the
license becomes non-free. There does not appear to be anything prohibiting
a person who distributes a derived work from adding options to the license,
even if the original author chose not to use them.
The Creative Commons licenses and the FDL both include prohibitions on the
use of "technical measures" to deprive recipients of the works of their
rights under the license. The OPL, like many older licenses, has no such
requirement. An OPL-licensed document could, conceivably, be distributed
in some sort of DRM-infested electronic book format that, in practice,
deprived the reader of the right to copy or modify the document.
Common Documentation License
The Common Documentation License was published by Apple Computer in
2001. It is a GPL-like
license, requiring that all derived works carry the same license. It makes
no requirement regarding credit to the original author beyond stating that
copyright notices must be preserved. Derived works need not carry a
pointer back to the original. Distribution in any format is allowed, with
no requirement to make an editable format available. There is no
restriction on the application of DRM schemes to CDL-licensed works. This
license does carry a strong warranty disclaimer.
Design Science License
The Design Science License is, perhaps, the most direct attempt to
translate the GPL into
the world of text. It allows the usual freedoms, but requires that all
derived works carry the same license.
The DSL takes a strong approach with regard to editable formats; it
requires that any person distributing the document make it available in
"the preferred form for editing." This requirement is rather firmer than
the FDL's terms; a plain text file will not suffice unless that is how the
work was created in the first place.
There is a warranty disclaimer in the DSL, though it does not explicitly
disclaim warranties of noninfringement.
Conclusion
A significant amount of documentation has been released under the BSD
license or the GPL. Putting a BSD-like license on a document makes some
sense; it allows any sort of use as long as the copyright notices are
preserved. Putting the GPL onto a document makes the author's intent clear
in an informal sort of way, but the GPL was not written for this sort of
application. The GPL refers explicitly to "programs" and acts like
compiling and running programs; how such language applies to documents is
unclear at best.
So which license would a grumpy editor use? Your editor co-authored a book which was
released under the FDL. But the next edition is unlikely to go out under
that license; the restrictions imposed by the FDL are simply too heavy.
Any of the remaining licenses described above would probably be usable,
though one of the licenses with a copyleft term looks preferable. No
decision has been made on that subject; stay tuned.
The GPL and license infection
This disappointing Financial Times article has been more than adequately
refuted
by commenters on LWN and many other places. As FUD attacks go, this one
was one of the more laughable in recent times. However, there is one point
this article raises which is still occasionally trotted out by those trying
to make people afraid of the GPL. It has been a while since we have looked
at this claim, so it is worth a quick review pass.
Here's what "distinguished professor" Richard Epstein has to say:
First, as a straight interpretive matter, [GPL section 2b] only states what the
obligation of each programmer is with his own private
improvements. It does not in so many words specify the appropriate
remedy when some portion of the open source code is incorporated
into an otherwise proprietary program. The apparent intention of
the provision is to "infect" that new program so that all of its
content becomes open source software subject to the GPL. In
principle, the entire Microsoft operating system could count as
"the work" that becomes open source because a few lines of open
source code have been incorporated into it by inadvertence.
Mr. Epstein does not, of course, tell his readers just where he obtains his
information about the "apparent intention" of the GPL. Certainly it does
not come from the vast amounts of text written by the creators and
supporters of the GPL, who have never made this claim. Only the SCO group
believes it has a license with this sort of power, and they seem to be
having a hard time convincing others of this fact.
The relevant section of the GPL is this:
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
What that means is that, if, say, Windows were to be combined with
GPL-licensed code in such a way as to create a derived product, the only
way of distributing Windows which would comply with the license would be to
put the whole thing under the terms of the GPL. Note that the GPL does not
address the use of a combined program at all - only its distribution.
Distribution under non-compliant terms would indeed be a violation of the
license.
What happens then? Unlicensed distribution of copyrighted material is a
straightforward legal matter. The person or company doing this sort of
distribution can be sued for copyright infringement. Fines can be imposed,
and distribution of the offending product can be halted with an
injunction. Failure to comply with the license can also cause the
infringer to lose the right to use the software in the first place.
These can be heavy penalties. In particular, a company which has worked
hard to get a product to market can be devastated by a court-ordered halt
to that product's distribution. Such are the risks of working with other
people's copyrighted code; there is nothing unique to the GPL here.
Mr. Epstein is right to say that no court would force proprietary code into
the open as a result of a GPL violation. But it is only people like
Mr. Epstein who raise that issue in the first place. It remains true that
straw men are the easiest to knock down. What the community needs to do is
to help ensure that such straw men are recognized for what they are.
Page editor: Jonathan Corbet
Security
Security news
The World Bank Technology Risk Checklist
So you have done your best to secure your network, but you are wondering if
you have really done everything possible. One useful way to find out would
be to take a look at the World Bank Technology Risk Checklist (PDF
format). This 31-page document
asks a few hundred questions about your security setup. They cover a wide
range of topics, including risk management ("Who is responsible for
keeping records of cyber intrusions, costs of remediation, response time,
and documenting procedures and processes?"), policy management ("Does
your information security organization report to the IT organization, or
is it a separate organization that maintains its independence and freedom
from conflicts of interest?"), cyber intelligence ("When applying a patch
to any system vulnerability, do you have a process for verifying the
integrity, and testing the proper functioning of the patch?"), access
controls ("Do you check for modems attached to PCs, routers, or
printers?"), vulnerability testing ("Do your penetration tests encompass
social engineering?"), wireless access ("Is someone responsible for
tracking the number of employees with WLANs at home?"), and more.
The list is long and comprehensive; if you have answers for all of the
questions, chances are you run a tight network.
Killing web browsers - part II
Last week's discussion on crashing web browsers with random input noted
that, of all the browsers tested, only Internet Explorer survived. Since
then, Michal Zalewski has posted a followup stating that, eventually, IE
fell over as well. So, as Mr. Zalewski put it:
This means that VIRTUALLY EVERY BROWSER IN USE TODAY is unable to
securely render HTML. Keeping in mind that not only web browsing,
but also integrated e-mail is at risk, it is a grim thought.
Grim indeed. It will be interesting to see which browser manages to clean
up its act first.
Meanwhile, an improved version of mangleme,
Mr. Zalewski's testing tool, has been released. This version has been
ported to Python (for some reason) and includes some extra tests; its
authors claim to have found a different set of IE crashes.
Fake Red Hat security update
By now, many of you have probably seen the fake Red Hat "security update"
mail in your mailboxes; for those who have not had the pleasure, click
below to see what it looks like.
An analysis of the "security update" has been posted; it's a simple trojan which installs a root account and mails system administration to a remote account. This particular attempt was so clumsy
that it is unlikely to have fooled many people. The next one may be more
sophisticated, however; be careful out there.
New vulnerabilities
ecartis: unauthorized access to admin interface
| Package(s): | ecartis |
| CVE #(s): | CAN-2004-0913 |
| Created: | October 21, 2004 |
| Updated: | October 27, 2004 |
| Description: | The ecartis mailing list manager has a vulnerability in which an attacker in the same domain as the list admin can gain administrator privileges and alter list settings. |
gaim: buffer overflow in MSN protocol
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0891 |
| Created: | October 25, 2004 |
| Updated: | February 11, 2005 |
| Description: | A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. |
gaim: command execution via smiley themes
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0784, CAN-2004-0785 |
| Created: | October 21, 2004 |
| Updated: | November 12, 2004 |
| Description: | gaim may allow arbitrary commands to be executed via shell meta characters in the tar file name that is dragged to the smiley selector. |
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
kernel: netfilter integer underflow
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0816 |
| Created: | October 27, 2004 |
| Updated: | October 27, 2004 |
| Description: | 2.6 kernels prior to 2.6.8 contain an integer underflow vulnerability in the netfilter firewall code which can be exploited to crash the machine. |
MIT-krb5: insecure temporary file
| Package(s): | mit-krb5 |
| CVE #(s): | CAN-2004-0971 |
| Created: | October 25, 2004 |
| Updated: | October 27, 2004 |
| Description: | The send-pr.sh script creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When send-pr.sh is called, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. |
mpg123: buffer overflow
| Package(s): | mpg123 |
| CVE #(s): | CAN-2004-0982 |
| Created: | October 27, 2004 |
| Updated: | November 2, 2004 |
| Description: | Versions of mpg123 through 0.59s-r5 contain a buffer overflow in the getauthfromURL() and http_open() functions. |
Netatalk: insecure tempfile handling in etc2ps.sh
| Package(s): | netatalk |
| CVE #(s): | CAN-2004-0974 |
| Created: | October 25, 2004 |
| Updated: | November 2, 2004 |
| Description: | The etc2ps.sh script creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When etc2ps.sh is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. |
rssh: format string vulnerability
| Package(s): | rssh |
| CVE #(s): | |
| Created: | October 27, 2004 |
| Updated: | October 28, 2004 |
| Description: | The 'rssh' restricted remote shell utility contains a format string vulnerability which can be exploited to execute arbitrary code with the rights of the user. Version 2.2.2 fixes the problem. |
socat: format string vulnerability
| Package(s): | socat |
| CVE #(s): | |
| Created: | October 25, 2004 |
| Updated: | October 27, 2004 |
| Description: | socat up to version 1.4.0.2 contains a syslog() based format string vulnerability. Further investigation showed that this vulnerability could, under some circumstances, lead to local or remote execution of arbitrary code with the privileges of the socat process. See this socat advisory for additional details. |
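The rssh and socat entries above describe the same bug class: text under an outside party's control handed to syslog() (or any printf-family function) as the format argument rather than as data. The C program below is an added example, not code from the page, rssh or socat. It shows the hardened shape (a literal format with the untrusted text passed as an argument) next to a simple check for '%' in input; the sample string and the "socat:" prefix are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed sample of untrusted text a daemon might log: a peer-supplied
 * string that happens to contain printf conversion directives. */
static const char SAMPLE_UNTRUSTED[] = "connect from %x%x%x%n";

/* Returns 1 if the text contains a '%' character.  Such input is harmless
 * as an argument but, used as the format itself, makes printf-family and
 * syslog(3) calls read and write memory the caller never intended. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Hardened shape: the format is a string literal and the untrusted text is
 * passed as an argument, so its '%' characters are copied literally.
 * Builds the log line into out and returns its length, or -1 if it does
 * not fit (the caller must not treat a truncated line as complete). */
int format_log_line(const char *untrusted, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "socat: %s", untrusted);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* The same fix applied to syslog(3).  The vulnerable shape is
 *     syslog(LOG_INFO, untrusted);        (untrusted text IS the format)
 * and the safe one is the call below. */
void log_untrusted(const char *untrusted)
{
    syslog(LOG_INFO, "%s", untrusted);
}

int main(void)
{
    char line[128];

    if (contains_format_directive(SAMPLE_UNTRUSTED))
        puts("input contains '%': never use it as a format string");
    if (format_log_line(SAMPLE_UNTRUSTED, line, sizeof line) >= 0)
        puts(line);   /* the directives appear literally in the output */
    return 0;
}
```

The '%' check is a review aid, not a fix: rejecting or escaping such input is fragile, while the literal-format shape is correct for every input. Compilers flag the vulnerable shape when warned with -Wformat-security, which is worth enabling on any daemon that logs peer-supplied text.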
xpdf: integer overflows
| Package(s): | xpdf kpdf cupsys |
| CVE #(s): | CAN-2004-0888, CAN-2004-0889 |
| Created: | October 21, 2004 |
| Updated: | February 18, 2005 |
| Description: | Several xpdf integer overflow vulnerabilities can be exploited via a malformed PDF document. Similar vulnerabilities can be found in kpdf and in cupsys, which share code. Additional information can be found in this KDE security advisory. |
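The xpdf entry names the classic decoder failure: dimensions read from a malformed file are multiplied to size a buffer, the product wraps, and the decoder then writes far more than was allocated. The C code below is an added example, not xpdf's code. It shows a checked multiplication for an allocation size and a loader that returns NULL for a wrapping header instead of a too-small buffer; the header values in main() are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Compute width * height * bytes_per_pixel without letting the product
 * wrap.  Returns 1 and stores the byte count in *out on success; 0 if a
 * factor is non-positive or the product does not fit in a size_t. */
int checked_image_size(long width, long height, long bpp, size_t *out)
{
    if (width <= 0 || height <= 0 || bpp <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height, b = (size_t)bpp;

    if (w > SIZE_MAX / h)          /* w * h would wrap */
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / b)     /* pixels * b would wrap */
        return 0;
    *out = pixels * b;
    return 1;
}

/* Allocate the pixel buffer for a header read straight from the file.
 * The vulnerable shape is malloc(width * height * bpp) with the product
 * computed in a machine word: a hostile header makes it wrap to a small
 * number, and the decoder then writes the full image into that small
 * buffer.  Here an overflowing header yields NULL instead. */
unsigned char *alloc_image(long width, long height, long bpp)
{
    size_t n;
    if (!checked_image_size(width, height, bpp, &n))
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed headers: a sane image, and dimensions a hostile file
     * could carry that would wrap the naive product. */
    unsigned char *p;

    p = alloc_image(640, 480, 3);
    printf("sane header: %s\n", p ? "allocated" : "rejected");
    free(p);

    p = alloc_image(LONG_MAX, LONG_MAX, 1);
    printf("hostile header: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The division-based check works for any width of size_t, which matters because the same header that wraps a 32-bit product may fit in 64 bits; the test is against the platform limit, not a fixed constant.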
Updated vulnerabilities
OpenSSL: denial of service vulnerabilities
PostgreSQL: Insecure temporary file use in make_oidjoins_check
| Package(s): | PostgreSQL |
| CVE #(s): | CAN-2004-0977 |
| Created: | October 18, 2004 |
| Updated: | December 20, 2004 |
| Description: | The make_oidjoins_check script insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user. |
apache: mod_ssl cipher negotiation problem
| Package(s): | apache |
| CVE #(s): | CAN-2004-0885 |
| Created: | October 15, 2004 |
| Updated: | November 4, 2004 |
| Description: | Apache's mod_ssl module may allow content to be retrieved without proper negotiation of the requested cipher suite. |
aspell: bounds checking problem
| Package(s): | aspell |
| CVE #(s): | CAN-2004-0548 |
| Created: | June 17, 2004 |
| Updated: | December 20, 2004 |
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. |
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
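The cdrecord entry is a setuid program executing a user-named helper while still carrying root privilege. The C code below is an added example, not cdrecord's code. It shows the order a setuid program should follow (drop supplementary groups and gid while still root, then uid, then verify the drop cannot be undone) before exec'ing anything the user named; the helper path /nonexistent/helper is a placeholder.

```c
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently discard setuid/setgid privilege.  Order matters: the
 * supplementary groups and the gid are dropped while still root, because
 * an unprivileged process may not change them; the uid goes last.
 * Returns 0 on success, -1 if any step fails or the drop cannot be
 * verified. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the result rather than trusting that the calls did what we
     * meant: effective ids must now equal the real ones ... */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    /* ... and a correctly dropped process must be unable to regain root. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* The cdrecord-style operation: run a program named by the user.  The
 * vulnerable shape calls exec while still setuid root; here exec happens
 * only after drop_privileges() succeeded.  Returns -1 if privilege could
 * not be dropped or exec failed (on success it never returns). */
int run_helper_unprivileged(const char *path, char *const argv[])
{
    if (drop_privileges() != 0)
        return -1;
    execv(path, argv);
    return -1;
}

int main(void)
{
    /* Placeholder helper path; nothing is installed there. */
    char *const argv[] = { "helper", NULL };
    if (run_helper_unprivileged("/nonexistent/helper", argv) != 0)
        perror("run_helper_unprivileged");
    return 1;
}
```

The regain check at the end is the part most often omitted: setuid() on some systems changes only the effective id when called by a non-root process, leaving a saved root id to return to, so the verification is what turns "we called setuid" into "we are no longer privileged".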
ncompress: Buffer overflow
| Package(s): | compress uncompress ncompress |
| CVE #(s): | CAN-2001-1413 |
| Created: | October 11, 2004 |
| Updated: | December 14, 2004 |
| Description: | compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress. |
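The aspell and ncompress entries describe unchecked copies of caller-controlled strings (a word longer than 256 bytes, an over-long filename on the command line) into fixed-size buffers. The C code below is an added example, not from either project. It shows the bounded copy and output-name construction that refuse, rather than silently truncate, input that does not fit; the buffer size NAME_MAX_LEN and the over-long sample argument in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 1024   /* constructed: the fixed buffer the old code copied into */

/* Vulnerable shape (not executed here):
 *     char tempname[NAME_MAX_LEN];
 *     strcpy(tempname, argv[i]);
 * An argument longer than the buffer overruns it. */

/* Hardened: copy an argument into a fixed buffer only if it fits,
 * terminator included.  Returns 0 on success, -1 if it does not fit.
 * Refusing is the right reaction: a truncated filename may silently
 * name a different file, which is its own bug. */
int copy_arg_checked(const char *arg, char *dst, size_t dstlen)
{
    size_t n = strlen(arg);
    if (n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Build the "<file>.Z" output name the way compress does, checking that
 * the suffix still fits.  snprintf reports the length it wanted, so a
 * result >= dstlen means the name was cut off.  Returns 0 or -1. */
int make_compressed_name(const char *file, char *dst, size_t dstlen)
{
    int n = snprintf(dst, dstlen, "%s.Z", file);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return 0;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    char out[NAME_MAX_LEN];

    /* Constructed argument: 2000 'A's, longer than any buffer here. */
    char huge[2001];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    if (copy_arg_checked("archive.tar", name, sizeof name) == 0 &&
        make_compressed_name(name, out, sizeof out) == 0)
        printf("output name: %s\n", out);

    if (copy_arg_checked(huge, name, sizeof name) != 0)
        puts("argument too long: refused instead of overflowing");
    return 0;
}
```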
cvs: information disclosure
| Package(s): | cvs |
| CVE #(s): | CAN-2004-0778 |
| Created: | October 20, 2004 |
| Updated: | October 20, 2004 |
| Description: | CVS (prior to version 1.1.17) contains an undocumented switch which may be used by an attacker to verify the existence of files and whether the CVS process can access them. |
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
FreeRADIUS: denial of service
| Package(s): | freeradius |
| CVE #(s): | CAN-2004-0938, CAN-2004-0960, CAN-2004-0961 |
| Created: | September 22, 2004 |
| Updated: | February 2, 2005 |
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
imagemagick: buffer overflow vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2004-0827 |
| Created: | September 16, 2004 |
| Updated: | November 30, 2004 |
| Description: | The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB format. |
imlib2: buffer overflows
Package(s): imlib2
CVE #(s): CAN-2004-0802, CAN-2004-0817
Created: September 8, 2004
Updated: October 26, 2005
Description:
The imlib2 library contains buffer overflows in the BMP handling code.

iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description:
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.

kernel information leak
Package(s): kernel
CVE #(s): CAN-2004-0415
Created: August 3, 2004
Updated: October 26, 2004
Description:
Paul Starzetz discovered flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64-bit to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
A fix for this problem was added to the fifth 2.4.27 release candidate.

kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to the packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a workaround for this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net

libpng: multiple vulnerabilities
libpng: integer overflows
Package(s): libpng
CVE #(s): CAN-2004-0955
Created: October 20, 2004
Updated: October 25, 2004
Description:
A new set of integer overflows has been found in the libpng library; these overflows could perhaps be exploited (by way of a malicious image file) to execute arbitrary code.

libxpm4: stack and integer overflows
Package(s): libxpm4
CVE #(s): CAN-2004-0687, CAN-2004-0688
Created: September 16, 2004
Updated: February 14, 2005
Description:
There are several stack and integer overflow bugs in
the libXpm code of XFree86 that may be used for a denial of service.

logcheck: symlink vulnerability
Package(s): logcheck
CVE #(s): CAN-2004-0404
Created: April 21, 2004
Updated: December 22, 2004
Description:
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.

Midnight Commander: extfs vfs vulnerability
Package(s): mc
CVE #(s): CAN-2004-0494
Created: September 2, 2004
Updated: January 5, 2005
Description:
Midnight Commander has a vfs vulnerability with shell quoting
in extfs perl scripts.

mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.

mozilla products: arbitrary code execution and other vulnerabilities
Package(s): mozilla firefox thunderbird
CVE #(s): CAN-2004-0902, CAN-2004-0903, CAN-2004-0904, CAN-2004-0905, CAN-2004-0908
Created: September 20, 2004
Updated: January 13, 2005
Description:
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details.

mpg123: buffer overflow bug
Package(s): mpg123
CVE #(s): CAN-2004-0805
Created: September 16, 2004
Updated: January 11, 2005
Description:
The mpg123 audio playing utility has a buffer overflow
bug that may allow arbitrary code execution.

mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description:
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).

mysql: several vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0835, CAN-2004-0836, CAN-2004-0837
Created: October 11, 2004
Updated: April 6, 2005
Description:
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837)

netkit-telnet: invalid free pointer
Package(s): netkit-telnet
CVE #(s): CAN-2004-0911
Created: October 4, 2004
Updated: March 28, 2005
Description:
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user).

netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description:
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.

OpenOffice: information disclosure
Package(s): openoffice.org
CVE #(s): CAN-2004-0752
Created: September 15, 2004
Updated: October 20, 2004
Description:
OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files.

openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."