LWN.net Weekly Edition for November 4, 2004

Freeing the firmware

Few of us have multiprocessor systems sitting on our desks - or so we might think. The truth of the matter is that a typical computer contains several processors, only one of which is normally considered to be "the" processor. The others make the various subsystems and peripherals work; they live on the motherboard, in the video card, in the network adaptor, etc. Each of those processors needs a program to run. Traditionally, this "firmware" has been burned into some sort of read-only memory in the hardware itself. Manufacturers have figured out, however, that some money can be saved by leaving out the ROM and forcing the host processor to download the firmware at load time. The firmware can be shipped on the installation CD, where it gets put into the system along with the driver.

Hardware installation CDs for free operating systems are still rather rare, however - and systems like Linux tend to avoid that approach in the first place. It is much nicer if the operating system simply works with the hardware presented to it without requiring a separate software installation step. The result is an easier experience for the user, and also for the hardware vendor, who typically does not want to try to support even a few of the numerous Linux and BSD variants in widespread use.

Shipping drivers with the operating system itself has generally been a successful approach. Linux systems work on a vast variety of hardware, including many devices which have long since ceased to be supported by their manufacturers. With few exceptions, users can upgrade to a new kernel and expect their hardware to still work. There is no need to go scrambling around the net looking for updated drivers.

If the driver needs to download firmware into the device, however, the situation changes. Somehow, the driver must get a copy of the firmware to feed to its hardware. The 2.6 kernel has a nice mechanism which allows a driver to ask user space for the firmware bits, but user space must have the firmware to answer those requests. The firmware can usually be found on the installation CD; sometimes it can be downloaded from the net as well. But users would rather not have to go looking for firmware just to make their computers work. And, if the device is not brand new, the installation CD may be lost; at that point, finding the firmware may be just about impossible.

So it would be nice if the firmware could be shipped with the operating system itself. The old practice of linking the firmware into the driver itself is frowned upon in recent times for licensing and other reasons. Loading the firmware from user space is a fine solution, however; the firmware request mechanisms work nicely, and the distributors can deal with the problem of getting the user-space side of things working in a transparent way.

The only problem is that firmware typically comes with a restrictive license which does not have redistribution in mind. In many cases, firmware redistribution is prohibited entirely, or the situation is, at best, ambiguous. Thus, for example, the Prism54 firmware page reads as follows:

We do not yet have a re-distribution license for [the firmware files] by Intersil (or globalspanvirata or Conexant) but since Intersil wrote the original GPL driver and then supported the Open Source community in maintaining it, we figure it's only fair we're allowed to redistribute them here. Our official permission is pending.

In today's legal climate, the "we figure it's only fair" license strikes some users as inadequate. Distributors, fearful of being sued, really need to have a license which makes their right to redistribute the firmware clear. Without that license, most of them will not ship the device firmware, and the distribution will not support the hardware in any sort of easy way. So attempts to get vendors to put their firmware under a reasonable license have been going on for years.

Recently, those efforts have been stepped up a bit, thanks, especially, to efforts in the OpenBSD camp. The OpenBSD developers, too, have been starting off with quiet, private requests to the vendors. If those requests do not get an acceptable response, however, a call is made for the community to make its feelings clear. The hope is that, if enough people send coherent, polite notes saying that their future hardware purchasing decisions depend on proper free operating system support, the vendors will wake up and allow that support to happen.

As the project has announced recently, this approach seems to be having some success. Atmel, for example, has just decided to make its firmware available under a BSD-style license. Theo de Raadt, who is behind the OpenBSD effort to make wireless chipset firmware available, told us that the situation is reaching the point where the vendors can be played off against each other. Enough vendors have made their firmware and/or programming information available that the rest can be credibly threatened with a loss of business if they do not follow suit.

Not all vendors are convinced of this fact yet, however, so the OpenBSD folks are asking for help in contacting vendors. If the Linux community joins in with the BSD crowd, our combined voices might just be enough to make a difference. OpenBSD is, in particular, looking to apply pressure against Intel and TI, both of which have not, as yet, made their firmware distributable. Target contacts for TI and for Intel have been published. Interested people are encouraged to contact these vendors and let them know that proper free operating system support is a deciding factor in how they choose hardware. Needless to say, these messages should be professional and polite; flaming vendors will not help, and could be counterproductive.

Some in the Linux community will, doubtless, be dismayed by the fact that this firmware is only available in binary form. The Debian project will argue for years on whether a BSD-licensed binary is distributable or not. The fact is that it would be fun to have the source and a toolchain so that interested people could reprogram their hardware. But that is unlikely to happen for most hardware, and, in any case, the situation is little different than with firmware which is distributed in the hardware itself. It's simply a cookie which must be fed to the hardware to convince it to do its job. If we can distribute the cookies with our operating systems, we can have hardware which works out of the box. That seems like a goal worth writing some mail for.

[As a postscript, it should be noted that talks with Conexant regarding the Prism54 firmware are proceeding. Prism54 driver hacker Luis Rodriguez tells us that the conversation is continuing and that he is confident that the issue will be resolved soon.]

Comments (22 posted)

The state of BSD

November 3, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Being LWN, we understandably tend to focus on Linux distributions and developments in open source that are interesting from the Linux perspective. However, Linux distributions aren't the only free OSes worth using. Most LWN readers are probably familiar with the "name brands" of BSD distributions, if not the distributions themselves. This week we thought we'd take a quick look at the status of each of the BSD distributions.

FreeBSD

FreeBSD is probably the most widely-used BSD, though it supports fewer hardware platforms than OpenBSD or NetBSD. The FreeBSD project maintains several development branches. The FreeBSD-STABLE branch represents the production-quality release, while FreeBSD-CURRENT is the version in development that's due to become STABLE. The STABLE release, at this time, is taken from the FreeBSD 4.x series, and new development is mostly being done in the 5.x series.

The 4.x series is available for x86 and Alpha, while the 5.x series adds AMD's x86_64, Intel's Itanium, pc98 and Sparc 64-bit chips to the Tier 1 architectures. Ports for PowerPC and MIPS are in development. According to the FreeBSD website, the 5.3 release should mark the first STABLE release taken from the 5.x tree. 5.3rc2 was released on October 31.

The 5.x release includes a number of interesting features and changes to FreeBSD, including SMPng, Kernel Scheduled Entities (KSE), the UFS2 file system, support for Cardbus and Bluetooth devices, and a move to GCC 3.3.x from GCC 2.95.x. The 4.x release included SMP support, but it was not compiled in the GENERIC kernel by default, and SMPng brings some significant improvements to SMP performance.

NetBSD

NetBSD's main claim to fame is portability and the wide range of hardware platforms supported by the OS. Not to disparage Linux or the other BSD distributions, but NetBSD is the undisputed master of portability, with support for everything from x86 CPUs to DEC VAX computers and the Sony PlayStation2. NetBSD also has wide support for emulating other CPU and hardware platforms, including Linux, FreeBSD, Solaris, SunOS, HPUX, Amiga Unix, IRIX, Ultrix and others. FreeBSD and OpenBSD also support binary emulation for many OSes, though not quite as many.

NetBSD releases are broken into NetBSD-release, NetBSD-current and formal releases. A formal release is an "official" release, while NetBSD-release is the formal release plus bug fixes for the next release. The NetBSD-current release is the cutting-edge, development version of NetBSD. The NetBSD team is pushing towards version 2.0. The fourth release candidate for 2.0 was tagged on October 8 with a final release expected soon. The current NetBSD release is 1.6.2, released on March 1, 2004.

OpenBSD

OpenBSD has a reputation as one of the most secure OSes available, and the main OpenBSD page boasts "Only one remote hole in the default install, in more than 8 years!" The OpenBSD distribution also includes a wide range of cryptographic software and support for cryptography hardware. The OpenBSD team is also active in developing OpenSSH.

The OpenBSD team issues a release roughly every six months. OpenBSD 3.6 was officially released on October 29, with a slew of new features, fixes and support for additional hardware. 3.6 adds SMP support for x86 and AMD 64-bit CPUs, a new Network Time Protocol daemon in the base system, and many bug and security fixes. The new release also includes an improved DHCP client and daemon, StackGhost overflow protection for OpenBSD/sparc, and a new hotplug daemon.

DragonFly BSD

The new kid on the block, DragonFly BSD, forked off of the FreeBSD 4.x tree. DragonFly BSD 1.0 was released on July 12, 2004. The DragonFly team does not maintain a separate stable branch as of yet, and DragonFly runs only on x86 hardware.

The DragonFly BSD team has several goals for the distribution, including a better packaging system, and a different approach to system design:

It is our belief that the correct choice of features and algorithms can yield the potential for excellent scalability, robustness, and debuggability in a number of broad system categories. Not just for SMP or NUMA, but for everything from a single-node UP system to a massively clustered system... The existing BSD cores, including FreeBSD-5, are still primarily based on models which could at best be called 'strained' as they are applied to modern systems. The true innovation has given way to basically just laying on hacks to add features, such as encrypted disks and security layering that in a better environment could be developed at far less cost and with far greater flexibility.

DragonFly has some lofty goals set for its caching, messaging API, and user API, but it may be some time before these goals are realized. The status page shows the relative development of each of DragonFly BSD's main goals.

Readers interested in a history of the BSDs should visit the BSD Family Tree, which details the history of FreeBSD, NetBSD and OpenBSD, with a little about Apple's Mac OS X and Darwin thrown in for good measure.

Comments (7 posted)

Enterprise Linux: is it broken?

Ever since Red Hat launched its "enterprise" distribution, complaints have been heard from many quarters. The enterprise distributions, it is said, go against the spirit of Linux: they include per-CPU licensing and simply cost too much. Even the vendors of proprietary operating systems sneer at enterprise Linux, stating that it is more expensive than their own offerings.

The latest contribution to this debate is this white paper from Lineox. It states:

The Free Software developers created this software to empower everyone, and for everyone to share. But today's Enterprise Linux is a lock-in play, designed to draw the customer into expensive subscriptions and single-vendor service. Customers are made to agree not to pass service bulletins on to others. While this is within the letter of the licenses that we crafted for our software, it's outside of their spirit.

Few readers will be surprised to learn that the answer to this problem is support services offered by Lineox. The company seems, in particular, to want to attract current enterprise Linux customers with less expensive software update services. In other words, they want to capitalize on the enterprise distributors' work in creating the distribution and getting the customer to install it by poaching those customers at support contract renewal time.

The attacks on enterprise Linux offerings do not seem entirely justified. One has to wonder just who is really harmed by these business plans. The first place to look might be the customers, who, after all, are paying significant amounts of money for enterprise contracts. Clearly these customers are finding something worthwhile; Red Hat sells hundreds of thousands of subscriptions, and, according to its first quarter results, the renewal rate remains above 85%. In a time when most companies are looking closely at their expenditures, RHEL subscriptions would be allowed to lapse if they were not considered worthwhile.

One can claim that these customers are paying premium amounts for the Red Hat brand name. This may well be true; branding has been an explicit part of Red Hat's business plan since the Bob Young days. Customers take comfort in brands; this need not be a problem for people who feel themselves immune to the allure of any particular brand name.

The per-CPU nature of RHEL subscriptions irks some people in the community. The restriction applies to support, however. If you just want the security updates, just get them directly from Red Hat's advisories and install them yourself. Red Hat has imposed no restrictions on the software which are inconsistent with its licensing; it is hard to see who is harmed by its activities.

The enterprise distributions have not taken any choices away from people who choose not to use them. The quality of the freely-available Linux distributions has never been higher - and many of them offer support to match. Debian's release cycle may be slow, but the project has never dropped security support for its stable distributions in the mean time. Fedora offers many of the features of RHEL without the price tag or the wait; the project has also provided top-quality security support for Fedora Core 1 for the last year. Ubuntu promises bleeding-edge software and 18 months of support for free. SUSE, Mandrakesoft, Conectiva, and others provide reasonably-priced offerings. Companies like Progeny and Lineox, and projects like Fedora Legacy offer support that picks up where the original distributor leaves off.

Any of these offerings makes a more than adequate platform for just about any business or personal operation. They have the same software as the enterprise offerings, and they benefit from the work of numerous hackers whose salaries are paid by enterprise subscribers. About the only things they lack are (1) branding, and (2) certifications from vendors like Oracle. Certainly the lack of an Oracle endorsement should not be a major problem for people who find enterprise distributions to be insufficiently free.

It is not surprising that many people in the community feel no need for the enterprise offerings. It is unsurprising that some businesses are trying to undercut the enterprise distributors by selling cut-rate repackagings of the enterprise distributions and updates. But it is a little strange that some people feel such a need to condemn the vendors of enterprise Linux and undermine their business. Enterprise subscriptions have helped to bring Linux into new situations and fund the further development of free software, all without violating any licenses or restricting anybody's choices. It is not at all clear that the community would be better off if the enterprise products did not exist.

Comments (14 posted)

Page editor: Jonathan Corbet

Security

Linux: security through obscurity?

For all of you smug Linux users out there who think that you need not worry about the sorts of security issues that plague users of certain proprietary operating systems: this eWeek column seeks to bring you back to reality:

Of course, worms such as these don't exist for platforms other than Windows, but why couldn't they? The executable attachments are platform-specific and their authors don't write them for less popular platforms because their comparative rarity makes it less likely that a recipient will be able to become infected.

Talk about "security through obscurity"! The only thing keeping these scourges off of Linux and the Mac OS is that it's not worth the work to get such business. The exact same thing is true of spyware and adware. Of course you could write such things for the Mac and Linux and they would work.

So, it seems, the only reason that Linux does not suffer a constant series of worms, and that Linux users are not continually trying to fight off spyware and related nastiness, is that we are such a backwater that nobody even feels a wish to attack us. We're not actually more secure; we're just too boring to bother messing with.

We don't buy it. The "not popular enough" argument may help make victims feel better and make them feel that they need not worry about perhaps changing operating systems, but it does not stand up to scrutiny.

Attackers have numerous reasons for doing the things they do. One of them is simply attracting attention and becoming in some way famous, even if that fame, such as it is, only attaches to a pseudonym somewhere. If you are trying to show your 31337 credentials by compromising Windows systems, you'll find that the barriers to entry are fairly high: there are, shall we say, a lot of people playing in that space. Certainly, one would think, at least one malware author would be attracted by the relatively green, uncrowded pastures of the Linux world? If nothing else, it would make a nice break while somebody else's worm is ravishing corporate networks worldwide.

Along these lines, it's worth noting that the white-hat security researchers certainly do not find free software to be too obscure to merit their attention. One need not read Bugtraq for long to see that there is a steady stream of issues with free software being reported there.

Another reason to attack systems is monetary gain. Access to zombie networks can now be bought and sold, as can information stolen by spyware or advertisements delivered by adware. There are millions of Linux systems attached to the net; many of them are in prominent locations with access to high-bandwidth network connections. They would make delightful spam relays or denial-of-service attackers. If an attacker could compromise 1000 of those millions of systems, he or she would have a nice little corral full of zombies which, one thinks, would be worth the trouble.

Spammers seem to think that getting around SpamAssassin's tests is worth the extra effort. Certainly, one might think, being able to dump ads into Linux browsers, or direct them to unwanted pages, would merit a few minutes of somebody's time. The ultimate payoff might be smaller, but an attacker could have the entire field to himself.

There are, in other words, incentives to compromise Linux systems on a wide scale. Compromises do happen, but the sort of widespread trouble experienced by others has, so far, been absent from the Linux world. The idea that nobody with the requisite skills has even tried to create such an incident is hard to believe. One can only assume that such attempts have been made, but that they have not succeeded.

Linux systems are not immune from the ills of modern computing. There will almost certainly be some unpleasant episodes in the future. Recent reports have made it clear that Linux-based browsers are not free of exploitable bugs. As the free mail clients become increasingly complex and powerful, somebody will certainly find a way to compromise them. Last week's Red Hat security update phishing attempt was clumsy in the extreme - social engineering attacks that assume a victim simultaneously smart enough to untar and build an attack program and dumb enough to actually do it are unlikely to go far. As long as our mail clients do not allow programs in incoming mail to be run, these attacks will be relatively hard - but somebody, somewhere will probably figure out how to do it.

Third-party applications could turn out to be an area worthy of special concern in the future. More home users could lead to more people who will, without question, install that "cool music download utility" found, without source, on some obscure web site. Eventually those users will learn the error of their ways - through hard experience. In the mean time, this risk can be mitigated by insisting on free applications, and by having the bulk of interesting applications be available directly from the network of distribution mirrors. There have been several attempts to put trojan horses into programs downloaded by free software users, but these attempts have always been detected quickly, and they have affected very few people.

Our security is insufficient, and, eventually, somebody is going to demonstrate that to the world. There will, beyond doubt, be lots of snide columns posted when that happens. We must continue to work to prevent this occurrence, and to minimize the damage when it happens. In the mean time, however, we need not accept claims that only obscurity keeps attackers away from Linux.

Comments (12 posted)

New vulnerabilities

apache: arbitrary code execution

Package(s): apache
CVE #(s): CAN-2004-0940
Created: October 29, 2004
Updated: December 14, 2004
Description: According to an Apache announcement, a vulnerability exists in the Apache HTTP server, version 1.3. The problem is a potential buffer overflow in the "get_tag" function of Apache's SSI module "mod_include". It allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI documents that trigger a content length calculation error.
Alerts:
OpenPKG OpenPKG-SA-2004.047 2004-10-29
Slackware SSA:2004-305-01 2004-11-01
Gentoo 200411-03 2004-11-02
Trustix TSLSA-2004-0056 2004-11-05
Debian DSA-594-1 2004-11-17
Mandrake MDKSA-2004:134 2004-11-15
Red Hat RHSA-2004:600-01 2004-12-13

Comments (none posted)

Archive::Zip: Virus detection evasion

Package(s): Archive::Zip
CVE #(s):
Created: October 29, 2004
Updated: November 2, 2004
Description: Archive::Zip can be used by email scanning software (like amavisd-new) to uncompress attachments before virus scanning. By modifying the uncompressed size of archived files in the global header of the ZIP file, it is possible to fool Archive::Zip into thinking some files inside the archive have zero length.
An attacker could send a carefully crafted ZIP archive containing a virus file and evade detection on some email virus-scanning software relying on Archive::Zip for decompression.
Alerts:
Gentoo 200410-31 2004-10-29
Mandrake MDKSA-2004:118 2004-11-01

Comments (none posted)
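
A scanner can guard against this by measuring each member instead of trusting the declared size. The Python sketch below is an added example, not code from Archive::Zip, amavisd-new or the advisories; the function names and the constructed sample archive are assumptions, and it covers only stored and deflated members without ZIP64.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"    # end of central directory record
CDIR_SIG = b"PK\x01\x02"    # central directory ("global") file header
LOCAL_SIG = b"PK\x03\x04"   # local file header
MAX_INFLATE = 64 * 1024 * 1024   # per-member cap so the audit itself cannot be bombed


def measured_size(method, blob):
    """Length of the member's real content, independent of any header field."""
    if method == 0:                                   # stored
        return len(blob)
    if method == 8:                                   # raw deflate stream
        return len(zlib.decompressobj(wbits=-15).decompress(blob, MAX_INFLATE))
    return None                                       # method not handled here


def audit_zip_sizes(data):
    """Return (member name, reason) pairs for size fields that cannot be trusted."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        method, = struct.unpack_from("<H", data, pos + 10)
        c_csize, c_usize, nlen, xlen, clen = struct.unpack_from("<IIHHH", data, pos + 20)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437", "replace")
        pos += 46 + nlen + xlen + clen

        if data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append((name, "local header missing"))
            continue
        l_flags, = struct.unpack_from("<H", data, local_off + 6)
        _l_csize, l_usize, l_nlen, l_xlen = struct.unpack_from("<IIHH", data, local_off + 18)
        start = local_off + 30 + l_nlen + l_xlen
        blob = data[start:start + c_csize]

        # Flag bit 3 means the local sizes live in a trailing data descriptor.
        if not l_flags & 0x08 and l_usize != c_usize:
            findings.append((name, "central/local uncompressed size mismatch"))
        try:
            real = measured_size(method, blob)
        except zlib.error:
            findings.append((name, "compressed data does not inflate"))
            continue
        if real is not None and real != c_usize:
            findings.append((name, "declares %d bytes, content is %d" % (c_usize, real)))
    return findings


def build_sample(inconsistent):
    """Constructed test archive with one harmless text member.

    With inconsistent=True the central-directory uncompressed size is set
    to zero, reproducing the header state described in the advisory.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("attachment.txt", b"constructed sample content\n" * 20)
    raw = bytearray(buf.getvalue())
    if inconsistent:
        cd_offset, = struct.unpack_from("<I", raw, raw.rfind(EOCD_SIG) + 16)
        struct.pack_into("<I", raw, cd_offset + 24, 0)
    return bytes(raw)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("inconsistent", True)):
        print(label, audit_zip_sizes(build_sample(flag)))
```

An archive with any finding should be treated as unscannable and quarantined rather than passed through as clean.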

cabextract: missing directory sanitizing

Package(s): cabextract
CVE #(s): CAN-2004-0916
Created: October 28, 2004
Updated: November 2, 2004
Description: The cabinet file extraction tool cabextract may allow arbitrary files in upper directories to be overwritten.
Alerts:
Debian DSA-574-1 2004-10-28

Comments (none posted)
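
One way an extraction tool can sanitize member names before writing anything, as an added Python example that is not cabextract's own code: the function names are hypothetical, and the policy shown (reject rather than rewrite suspicious names) is an assumption. Backslashes are treated as separators because cabinet archives carry DOS-style names.

```python
import os
import re


def resolve_member(dest_root, member_name):
    """Map an archive member name to a path under dest_root, or raise ValueError."""
    # Treat "\" like "/" so DOS-style names cannot hide path components.
    unified = member_name.replace("\\", "/")
    if unified.startswith("/") or re.match(r"^[A-Za-z]:", unified):
        raise ValueError("absolute member name: %r" % member_name)

    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("unsafe member name: %r" % member_name)

    root = os.path.realpath(dest_root)
    # realpath also resolves symlinks that already exist below the
    # destination, so a link pointing outside the tree is caught too.
    candidate = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("member escapes destination: %r" % member_name)
    return candidate


def is_safe(dest_root, member_name):
    """Boolean wrapper, convenient for filtering a member list before extraction."""
    try:
        resolve_member(dest_root, member_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    # Constructed member names for illustration.
    for name in ("docs\\readme.txt", "..\\..\\etc\\passwd", "/etc/passwd", "C:\\autoexec.bat"):
        print("%-24r %s" % (name, "ok" if is_safe(root, name) else "rejected"))
```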

catdoc: insecure temp file

Package(s): catdoc
CVE #(s): CAN-2003-0193
Created: October 28, 2004
Updated: November 2, 2004
Description: The xlsview utility in catdoc has a vulnerability that may allow local users to overwrite arbitrary files using a symlink attack on predictable temporary file names.
Alerts:
Debian DSA-575-1 2004-10-28

Comments (none posted)

Cherokee: format string vulnerability

Package(s): cherokee
CVE #(s):
Created: November 1, 2004
Updated: November 2, 2004
Description: Florian Schilhabel from the Gentoo Linux Security Audit Team found a format string vulnerability in the cherokee_logger_ncsa_write_string() function. Using a specially crafted URL when authenticating via auth_pam, a malicious user may be able to crash the server or execute arbitrary code on the target machine with permissions of the user running Cherokee.
Alerts:
Gentoo 200411-02 2004-11-01

Comments (none posted)

groff: insecure temporary directory

Package(s): groff
CVE #(s): CAN-2004-0969
Created: November 1, 2004
Updated: February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Ubuntu USN-13-1 2004-11-01
Gentoo 200411-15 2004-11-08
Mandriva MDKSA-2006:038 2006-02-08

Comments (none posted)

iptables: missing initialization

Package(s): iptables
CVE #(s): CAN-2004-0986
Created: November 1, 2004
Updated: February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least.
Alerts:
Debian DSA-580-1 2004-11-01
Mandrake MDKSA-2004:125 2004-11-04
Ubuntu USN-81-1 2005-02-11
Fedora-Legacy FLSA:2252 2005-02-10

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s): libgd2
CVE #(s): CAN-2004-0990 CAN-2004-0941
Created: October 29, 2004
Updated: June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Ubuntu USN-11-1 2004-10-28
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Gentoo 200411-08 2004-11-03
Debian DSA-589-1 2004-11-09
Debian DSA-591-1 2004-11-09
Ubuntu USN-21-1 2004-11-09
Fedora FEDORA-2004-411 2004-11-11
Fedora FEDORA-2004-412 2004-11-11
Ubuntu USN-25-1 2004-11-15
Mandrake MDKSA-2004:132 2004-11-15
Debian DSA-601-1 2004-11-29
Debian DSA-602-1 2004-11-29
Ubuntu USN-33-1 2004-11-29
Red Hat RHSA-2004:638-01 2004-12-17
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2006:0194-01 2006-02-01
Mandriva MDKSA-2006:114 2006-06-27

Comments (none posted)

libxml2: multiple buffer overflows

Package(s): libxml2
CVE #(s): CAN-2004-0989
Created: October 28, 2004
Updated: February 28, 2005
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2004-353 2004-10-28
Ubuntu USN-10-1 2004-10-28
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Trustix TSLSA-2004-0055 2004-10-29
Gentoo 200411-05 2004-11-02
Debian DSA-582-1 2004-11-02
Mandrake MDKSA-2004:127 2004-11-04
Red Hat RHSA-2004:615-01 2004-11-12
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:650-01 2004-12-16
Ubuntu USN-89-1 2005-02-28

Comments (none posted)

lvm10: creates insecure temporary directory

Package(s): lvm10
CVE #(s): CAN-2004-0972
Created: November 1, 2004
Updated: July 25, 2005
Description: Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Ubuntu USN-15-1 2004-11-01
Debian DSA-583-1 2004-11-03
Gentoo 200411-22 2004-11-11
Mandrake MDKSA-2004:144 2004-12-06
Fedora-Legacy FLSA:152842 2005-07-24

Comments (none posted)

MIME-tools: parsing bug

Package(s): MIME-tools
CVE #(s):
Created: November 2, 2004
Updated: November 2, 2004
Description: According to this RoaringPenguin advisory, there's a bug in MIME-tools: It mis-parses things like boundary="" and apparently there's a virus that uses an empty boundary.
Alerts:
Mandrake MDKSA-2004:123 2004-11-01
Gentoo 200411-06 2004-11-02

Comments (none posted)

perl: insecure temp file creation

Package(s): perl
CVE #(s): CAN-2004-0976
Created: November 2, 2004
Updated: December 7, 2004
Description: Trustix Secure Linux has discovered some vulnerabilities in the perl package. The utility "instmodsh", the Perl package "PPPort.pm", and several test scripts (which are not shipped and only used during build) created temporary files in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program, or building the perl package, respectively.
Alerts:
Ubuntu USN-16-1 2004-11-02
Gentoo 200412-04 2004-12-07

Comments (none posted)

ppp: denial of service

Package(s): ppp
CVE #(s):
Created: October 29, 2004
Updated: November 3, 2004
Description: Improper verification of header fields lets an attacker make the pppd server access memory it isn't allowed to, and crash the server. There is no possibility of code execution, as there is no data being copied, just a pointer dereferenced. It is not even entirely clear that this vulnerability can be exploited to deny service to anybody other than the attacker.

See this SecurityFocus advisory for details.

Alerts:
Ubuntu USN-12-1 2004-10-29
Gentoo 200411-01 2004-11-01

Comments (none posted)

proxytunnel: format string vulnerability

Package(s): proxytunnel
CVE #(s): CAN-2004-0992
Created: November 3, 2004
Updated: November 3, 2004
Description: Versions of proxytunnel prior to 1.2.3 contain a format string vulnerability which could be exploited by a hostile remote server to execute arbitrary code.
Alerts:
Gentoo 200411-07 2004-11-03

Comments (none posted)

Speedtouch USB driver: Privilege escalation vulnerability

Package(s): Speedtouch USB driver
CVE #(s):
Created: November 2, 2004
Updated: November 11, 2004
Description: The Speedtouch USB driver contains multiple format string vulnerabilities in modem_run, pppoa2 and pppoa3. This flaw is due to an improperly made syslog() system call. A malicious local user could exploit this vulnerability by causing a buffer overflow, and potentially allowing the execution of arbitrary code with escalated privileges.
Alerts:
Gentoo 200411-04 2004-11-02
Mandrake MDKSA-2004:130 2004-11-10

Comments (none posted)

Updated vulnerabilities

OpenSSL: denial of service vulnerabilities

Package(s): OpenSSL
CVE #(s): CAN-2004-0081 CAN-2003-0851
Created: March 17, 2004
Updated: November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
EnGarde ESA-20040317-003 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Debian DSA-465-1 2004-03-17
Gentoo 200403-03 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Red Hat RHSA-2004:121-01 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Trustix TSLSA-2004-0012 2004-03-17
Whitebox WBSA-2004:120-01 2004-03-22
Fedora FEDORA-2004-095 2004-03-19
Red Hat RHSA-2004:084-01 2004-03-23
Whitebox WBSA-2004:084-01 2004-03-23
Conectiva CLA-2004:834 2004-03-31
Fedora-Legacy FLSA:1395 2004-05-08
Fedora FEDORA-2005-1042 2005-10-31
Red Hat RHSA-2005:829-00 2005-11-02
Red Hat RHSA-2005:830-00 2005-11-02

Comments (1 posted)

PostgreSQL: Insecure temporary file use in make_oidjoins_check

Package(s):PostgreSQL CVE #(s):CAN-2004-0977
Created:October 18, 2004 Updated:December 20, 2004
Description: The make_oidjoins_check script insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200410-16 2004-10-18
Ubuntu USN-6-1 2004-10-27
Debian DSA-577-1 2004-10-29
OpenPKG OpenPKG-SA-2004.046 2004-10-29
Mandrake MDKSA-2004:149 2004-12-13
Red Hat RHSA-2004:489-01 2004-12-20

Comments (none posted)

apache: mod_ssl cipher negotiation problem

Package(s):apache CVE #(s):CAN-2004-0885
Created:October 15, 2004 Updated:November 4, 2004
Description: Apache's mod_ssl module may allow content to be retrieved without proper negotiation of the requested cipher suite.
Alerts:
OpenPKG OpenPKG-SA-2004.044 2004-10-15
Gentoo 200410-21 2004-10-21
Mandrake MDKSA-2004:122 2004-11-01
Conectiva CLA-2004:885 2004-11-04

Comments (none posted)

aspell: bounds checking problem

Package(s):aspell CVE #(s):CAN-2004-0548
Created:June 17, 2004 Updated:December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Gentoo 200406-14 2004-06-17
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Mandrake MDKSA-2004:153 2004-12-20

Comments (none posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Mandrake MDKSA-2004:091 2004-09-07
Fedora FEDORA-2004-297 2004-09-09
Fedora FEDORA-2004-298 2004-09-09
Gentoo 200409-18 2004-09-14
Fedora-Legacy FLSA:2058 2005-02-20

Comments (none posted)

ncompress: Buffer overflow

Package(s):compress uncompress ncompress CVE #(s):CAN-2001-1413
Created:October 11, 2004 Updated:December 14, 2004
Description: compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress.
Alerts:
Gentoo 200410-08 2004-10-09
Red Hat RHSA-2004:536-01 2004-12-13

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Gentoo 200410-05 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Mandrake MDKSA-2004:106 2004-10-07
Trustix TSLSA-2004-0053 2004-10-08
Debian DSA-563-1 2004-10-12
Debian DSA-563-2 2004-10-12
Debian DSA-563-3 2004-10-14
Debian DSA-568-1 2004-10-16
Conectiva CLA-2004:889 2004-11-11
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Fedora-Legacy FLSA:2137 2005-02-17
SuSE SUSE-SA:2005:013 2005-03-03
Mandrake MDKSA-2005:054 2005-03-15

Comments (none posted)

ecartis: unauthorized access to admin interface

Package(s):ecartis CVE #(s):CAN-2004-0913
Created:October 21, 2004 Updated:October 27, 2004
Description: The ecartis mailing list manager has a vulnerability in which an attacker in the same domain as the list admin can gain administrator privileges and alter list settings.
Alerts:
Debian DSA-572-1 2004-10-21

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The Emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Debian DSA-500-1 2004-05-01
Red Hat RHSA-2004:344-01 2004-08-18
Fedora FEDORA-2004-546 2004-12-15

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: The foomatic-rip filter in the foomatic-filters package does not sufficiently check command-line parameters and environment variables. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
Gentoo 200409-24 2004-09-20
Fedora FEDORA-2004-303 2004-09-21
Conectiva CLA-2004:880 2004-10-27
Fedora-Legacy FLSA:2076 2004-11-05
SuSE SUSE-SA:2006:026 2006-05-30

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Gentoo 200409-29 2004-09-22
Red Hat RHSA-2004:609-01 2004-11-12
Fedora-Legacy FLSA:2187 2005-02-01

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Slackware SSA:2004-296-01 2004-10-25
Gentoo 200410-23 2004-10-24
Ubuntu USN-8-1 2004-10-27
Mandrake MDKSA-2004:117 2004-11-01
Red Hat RHSA-2004:604-01 2004-10-20
Fedora-Legacy FLSA:2188 2005-02-10

Comments (none posted)

gaim: command execution via smiley themes

Package(s):gaim CVE #(s):CAN-2004-0784 CAN-2004-0785
Created:October 21, 2004 Updated:November 12, 2004
Description: gaim may allow arbitrary commands to be executed via shell metacharacters in the name of a tar file that is dragged to the smiley selector.
Alerts:
Mandrake MDKSA-2004:110 2004-10-21
Conectiva CLA-2004:884 2004-11-04
Red Hat RHSA-2004:400-01 2004-09-07

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora FEDORA-2004-286 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Red Hat RHSA-2004:466-01 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-549-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Mandrake MDKSA-2004:095-1 2004-09-17
Gentoo 200409-28 2004-09-21
Slackware SSA:2004-266-02 2004-09-22
Conectiva CLA-2004:875 2004-10-18
Fedora-Legacy FLSA:2005 2005-02-23

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200410-10 2004-10-10
Ubuntu USN-5-1 2004-10-27
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Gentoo 200410-10:02 2004-10-10
Fedora-Legacy FLSA:136323 2006-01-09
Mandriva MDKSA-2006:051 2006-02-28

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Gentoo 200410-18 2004-10-20
Ubuntu USN-3-1 2004-10-27
Red Hat RHSA-2005:081-01 2005-09-28

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Gentoo 200408-16 2004-08-16
Red Hat RHSA-2005:256-01 2005-05-18

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Gentoo 200410-19 2004-10-21
Ubuntu USN-4-1 2004-10-27
Fedora FEDORA-2004-356 2004-11-11
Red Hat RHSA-2004:586-01 2004-12-20
Mandrake MDKSA-2004:159 2004-12-29
Debian DSA-636-1 2005-01-12
Red Hat RHSA-2005:261-01 2005-04-28
Fedora-Legacy FLSA:152848 2005-11-13

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Red Hat RHSA-2004:373-01 2004-08-04
Whitebox WBSA-2004:373-01 2004-08-19
Fedora-Legacy FLSA:1944 2005-02-20

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB format.
Alerts:
Debian DSA-547-1 2004-09-16
Mandrake MDKSA-2004:102 2004-09-22
Red Hat RHSA-2004:494-01 2004-10-20
Red Hat RHSA-2004:480-01 2004-10-20
Ubuntu USN-7-1 2004-10-27
Ubuntu USN-35-1 2004-11-30

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Mandrake MDKSA-2004:089 2004-09-07
Fedora FEDORA-2004-300 2004-09-09
Fedora FEDORA-2004-301 2004-09-09
Gentoo 200409-12 2004-09-08
Red Hat RHSA-2004:465-01 2004-09-15
Debian DSA-548-1 2004-09-16
Debian DSA-552-1 2004-09-22
Conectiva CLA-2004:870 2004-09-28
Debian DSA-548-2 2005-10-26

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Red Hat RHSA-2003:316-01 2003-11-24
Gentoo 200404-10 2004-04-09
Debian DSA-492-1 2004-04-18
Fedora FEDORA-2004-115 2004-05-11
Fedora FEDORA-2004-154 2004-06-03
Mandrake MDKSA-2004:148 2004-12-13

Comments (none posted)

kernel: netfilter integer underflow

Package(s):kernel CVE #(s):CAN-2004-0816
Created:October 27, 2004 Updated:October 27, 2004
Description: 2.6 kernels prior to 2.6.8 contain an integer underflow vulnerability in the netfilter firewall code which can be exploited to crash the machine.
Alerts:
SuSE SUSE-SA:2004:037 2004-10-20

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
OpenPKG OpenPKG-SA-2004.035 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
Debian DSA-536-1 2004-08-04
Gentoo 200408-03 2004-08-05
Trustix TSLSA-2004-0040 2004-08-05
Conectiva CLA-2004:856 2004-08-06
Slackware SSA:2004-222-01 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-223-01 2004-08-09
Mandrake MDKSA-2004:082 2004-08-12
Whitebox WBSA-2004:402-01 2004-08-19
Gentoo 200408-22 2004-08-23
Red Hat RHSA-2004:421-01 2004-08-04
Fedora-Legacy FLSA:1943 2005-02-08

Comments (1 posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Mandrake MDKSA-2004:098 2004-09-15
Mandrake MDKSA-2004:099 2004-09-15
SuSE SUSE-SA:2004:034 2004-09-17
Gentoo 200409-34 2004-09-27
Red Hat RHSA-2004:478-01 2004-10-04
Red Hat RHSA-2004:479-01 2004-10-06
Debian DSA-560-1 2004-10-07
Gentoo 200410-09 2004-10-09
Debian DSA-561-1 2004-10-11
Mandrake MDKSA-2004:124 2004-11-04
Ubuntu USN-27-1 2004-11-17
Red Hat RHSA-2004:537-01 2004-12-02
Red Hat RHSA-2005:004-01 2005-01-12
Conectiva CLA-2005:924 2005-02-14

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Debian DSA-488-1 2004-04-16
Mandrake MDKSA-2004:155 2004-12-22

Comments (none posted)

Midnight Commander: extfs vfs vulnerability

Package(s):mc CVE #(s):CAN-2004-0494
Created:September 2, 2004 Updated:January 5, 2005
Description: Midnight Commander has a vfs vulnerability with shell quoting in extfs Perl scripts.
Alerts:
Fedora FEDORA-2004-272 2004-09-01
Fedora FEDORA-2004-273 2004-09-01
Red Hat RHSA-2004:464-01 2004-09-15
Red Hat RHSA-2004:464-02 2005-01-05

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

MIT-krb5: insecure temporary file

Package(s):mit-krb5 CVE #(s):CAN-2004-0971
Created:October 25, 2004 Updated:October 27, 2004
Description: The send-pr.sh script creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When send-pr.sh is called, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200410-24 2004-10-25

Comments (none posted)

mozilla products: arbitrary code execution and other vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
Created:September 20, 2004 Updated:January 13, 2005
Description: Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details.
Alerts:
Gentoo 200409-26 2004-09-20
Slackware SSA:2004-266-03 2004-09-22
Red Hat RHSA-2004:486-01 2004-09-30
SuSE SUSE-SA:2004:036 2004-10-06
Mandrake MDKSA-2004:107 2004-10-19
Conectiva CLA-2004:877 2004-10-22
Fedora-Legacy FLSA:2089 2004-10-27
Gentoo 200501-03 2005-01-05

Comments (none posted)

mpg123: buffer overflow bug

Package(s):mpg123 CVE #(s):