LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
Sponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Linux: security through obscurity?
For all of you smug Linux users out there who think that you need not worry about the sorts of security issues that plague users of certain proprietary operating systems: this eWeek column seeks to bring you back to reality:
Talk about "security through obscurity"! The only thing keeping these scourges off of Linux and the Mac OS is that it's not worth the work to get such business. The exact same thing is true of spyware and adware. Of course you could write such things for the Mac and Linux and they would work.
So, it seems, the only reason that Linux does not suffer a constant series of worms, and that Linux users are not continually trying to fight off spyware and related nastiness, is that we are such a backwater that nobody even feels a wish to attack us. We're not actually more secure; we're just too boring to bother messing with.
We don't buy it. The "not popular enough" argument may help make victims feel better and make them feel that they need not worry about perhaps changing operating systems, but it does not stand up to scrutiny.
Attackers have numerous reasons for doing the things they do. One of them is simply attracting attention and becoming in some way famous, even if that fame, such as it is, only attaches to a pseudonym somewhere. If you are trying to show your 31337 credentials by compromising Windows systems, you'll find that the barriers to entry are fairly high: there are, shall we say, a lot of people playing in that space. Certainly, one would think, at least one malware author would be attracted by the relatively green, uncrowded pastures of the Linux world? If nothing else, it would make a nice break while somebody else's worm is ravishing corporate networks worldwide.
Along these lines, it's worth noting that the white-hat security researchers certainly do not find free software to be too obscure to merit their attention. One need not read Bugtraq for long to see that there is a steady stream of issues with free software being reported there.
Another reason to attack systems is monetary gain. Access to zombie networks can now be bought and sold, as can information stolen by spyware or advertisements delivered by adware. There are millions of Linux systems attached to the net; many of them are in prominent locations with access to high-bandwidth network connections. They would make delightful spam relays or denial-of-service attackers. If an attacker could compromise 1000 of those millions of systems, he or she would have a nice little corral full of zombies which, one thinks, would be worth the trouble.
Spammers seem to think that getting around SpamAssassin's tests is worth the extra effort. Certainly, one might think, being able to dump ads into Linux browsers, or direct them to unwanted pages, would merit a few minutes of somebody's time. The ultimate payoff might be smaller, but an attacker could have the entire field to himself.
There are, in other words, incentives to compromise Linux systems on a wide scale. Compromises do happen, but the sort of widespread trouble experienced by others has, so far, been absent from the Linux world. The idea that nobody with the requisite skills has even tried to create such an incident is hard to believe. One can only assume that such attempts have been made, but that they have not succeeded.
Linux systems are not immune from the ills of modern computing. There will almost certainly be some unpleasant episodes in the future. Recent reports have made it clear that Linux-based browsers are not free of exploitable bugs. As the free mail clients become increasingly complex and powerful, somebody will certainly find a way to compromise them. Last week's Red Hat security update phishing attempt was clumsy in the extreme - social engineering attacks that assume a victim simultaneously smart enough to untar and build an attack program and dumb enough to actually do it are unlikely to go far. As long as our mail clients do not allow programs in incoming mail to be run, these attacks will be relatively hard - but somebody, somewhere will probably figure out how to do it.
Third-party applications could turn out to be an area worthy of special concern in the future. More home users could lead to more people who will, without question, install that "cool music download utility" found, without source, on some obscure web site. Eventually those users will learn the error of their ways - through hard experience. In the mean time, this risk can be mitigated by insisting on free applications, and by having the bulk of interesting applications be available directly from the network of distribution mirrors. There have been several attempts to put trojan horses into programs downloaded by free software users, but these attempts have always been detected quickly, and they have affected very few people.
Our security is insufficient, and, eventually, somebody is going to demonstrate that to the world. There will, beyond doubt, be lots of snide columns posted when that happens. We must continue to work to prevent this occurrence, and to minimize the damage when it happens. In the mean time, however, we need not accept claims that only obscurity keeps attackers away from Linux.
New vulnerabilities
apache: arbitrary code execution
| Package(s): | apache | CVE #(s): | CAN-2004-0940 | |||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | December 14, 2004 | |||||||||||||||||||||
| Description: | According to an Apache announcement, a vulnerability exists in the Apache HTTP server, version 1.3. The problem is a potential buffer overflow in the "get_tag" function of Apache's SSI module "mod_include". It allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI documents that trigger a content length calculation error. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Archive::Zip: Virus detection evasion
| Package(s): | Archive::Zip | CVE #(s): | |||||||
| Created: | October 29, 2004 | Updated: | November 2, 2004 | ||||||
| Description: | Archive::Zip can be used by email scanning software (like amavisd-new) to
uncompress attachments before virus scanning. By modifying the
uncompressed size of archived files in the global header of the ZIP file,
it is possible to fool Archive::Zip into thinking some files inside the
archive have zero length.
An attacker could send a carefully crafted ZIP archive containing a virus file and evade detection on some email virus-scanning software relying on Archive::Zip for decompression. | ||||||||
| Alerts: |
| ||||||||
cabextract: missing directory sanitizing
| Package(s): | cabextract | CVE #(s): | CAN-2004-0916 | |||
| Created: | October 28, 2004 | Updated: | November 2, 2004 | |||
| Description: | The cabinet file extraction tool cabextract may allow arbitrary files in upper directories to be overwritten. | |||||
| Alerts: |
| |||||
catdoc: insecure temp file
| Package(s): | catdoc | CVE #(s): | CAN-2003-0193 | |||
| Created: | October 28, 2004 | Updated: | November 2, 2004 | |||
| Description: | The xlsview utility in catdoc has a vulnerability that may allow local users to overwrite arbitrary files using a symlink attack on predictable temporary file names. | |||||
| Alerts: |
| |||||
Cherokee: format string vulnerability
| Package(s): | cherokee | CVE #(s): | ||||
| Created: | November 1, 2004 | Updated: | November 2, 2004 | |||
| Description: | Florian Schilhabel from the Gentoo Linux Security Audit Team found a format string vulnerability in the cherokee_logger_ncsa_write_string() function. Using a specially crafted URL when authenticating via auth_pam, a malicious user may be able to crash the server or execute arbitrary code on the target machine with permissions of the user running Cherokee. | |||||
| Alerts: |
| |||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
iptables: missing initialization
| Package(s): | iptables | CVE #(s): | CAN-2004-0986 | ||||||||||||
| Created: | November 1, 2004 | Updated: | February 11, 2005 | ||||||||||||
| Description: | Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least. | ||||||||||||||
| Alerts: |
| ||||||||||||||
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 | CVE #(s): | CAN-2004-0990 CAN-2004-0941 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | June 28, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libxml2: multiple buffer overflows
| Package(s): | libxml2 | CVE #(s): | CAN-2004-0989 | |||||||||||||||||||||||||||||||||
| Created: | October 28, 2004 | Updated: | February 28, 2005 | |||||||||||||||||||||||||||||||||
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
lvm10: creates insecure temporary directory
| Package(s): | lvm10 | CVE #(s): | CAN-2004-0972 | |||||||||||||||
| Created: | November 1, 2004 | Updated: | July 25, 2005 | |||||||||||||||
| Description: | Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
MIME-tools: parsing bug
| Package(s): | MIME-tools | CVE #(s): | |||||||
| Created: | November 2, 2004 | Updated: | November 2, 2004 | ||||||
| Description: | According to this RoaringPenguin advisory, there's a bug in MIME-tools: It mis-parses things like boundary="" and apparently there's a virus that uses an empty boundary. | ||||||||
| Alerts: |
| ||||||||
perl: insecure temp file creation
| Package(s): | perl | CVE #(s): | CAN-2004-0976 | ||||||
| Created: | November 2, 2004 | Updated: | December 7, 2004 | ||||||
| Description: | Trustix Secure Linux has discovered some vulnerabilities in the perl package. The utility "instmodsh", the Perl package "PPPort.pm", and several test scripts (which are not shipped and only used during build) created temporary files in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program, or building the perl package, respectively. | ||||||||
| Alerts: |
| ||||||||
ppp: denial of service
| Package(s): | ppp | CVE #(s): | |||||||
| Created: | October 29, 2004 | Updated: | November 3, 2004 | ||||||
| Description: | Improper verification of header fields lets an attacker make the pppd
server access memory it isn't allowed to, and crash the server. There is
no possibility of code execution, as there is no data being copied, just a
pointer dereferenced. It is not even entirely clear that this vulnerability can be exploited to deny service to anybody other than the attacker.
See this security focus advisory for details. | ||||||||
| Alerts: |
| ||||||||
proxytunnel: format string vulnerability
| Package(s): | proxytunnel | CVE #(s): | CAN-2004-0992 | |||
| Created: | November 3, 2004 | Updated: | November 3, 2004 | |||
| Description: | Versions of proxytunnel prior to 1.2.3 contain a format string vulnerability which could be exploited by a hostile remote server to execute arbitrary code. | |||||
| Alerts: |
| |||||
Speedtouch USB driver: Privilege escalation vulnerability
| Package(s): | Speedtouch USB driver | CVE #(s): | |||||||
| Created: | November 2, 2004 | Updated: | November 11, 2004 | ||||||
| Description: | The Speedtouch USB driver contains multiple format string vulnerabilities in modem_run, pppoa2 and pppoa3. This flaw is due to an improperly made syslog() system call. A malicious local user could exploit this vulnerability by causing a buffer overflow, and potentially allowing the execution of arbitrary code with escalated privileges. | ||||||||
| Alerts: |
| ||||||||
Updated vulnerabilities
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
PostgreSQL: Insecure temporary file use in make_oidjoins_check
| Package(s): | PostgreSQL | CVE #(s): | CAN-2004-0977 | ||||||||||||||||||
| Created: | October 18, 2004 | Updated: | December 20, 2004 | ||||||||||||||||||
| Description: | The make_oidjoins_check script insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache: mod_ssl cipher negotiation problem
| Package(s): | apache | CVE #(s): | CAN-2004-0885 | ||||||||||||
| Created: | October 15, 2004 | Updated: | November 4, 2004 | ||||||||||||
| Description: | Apache's mod_ssl module may allow content to be retrieved without proper negotiation of the requested cipher suite. | ||||||||||||||
| Alerts: |
| ||||||||||||||
aspell: bounds checking problem
| Package(s): | aspell | CVE #(s): | CAN-2004-0548 | |||||||||
| Created: | June 17, 2004 | Updated: | December 20, 2004 | |||||||||
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. | |||||||||||
| Alerts: |
| |||||||||||
cdrecord: failure to drop privilege
| Package(s): | cdrecord | CVE #(s): | CAN-2004-0806 | |||||||||||||||
| Created: | September 8, 2004 | Updated: | February 21, 2005 | |||||||||||||||
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
ncompress: Buffer overflow
| Package(s): | compress uncompress ncompress | CVE #(s): | CAN-2001-1413 | ||||||
| Created: | October 11, 2004 | Updated: | December 14, 2004 | ||||||
| Description: | compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress. | ||||||||
| Alerts: |
| ||||||||
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl | CVE #(s): | CAN-2004-0884 | |||||||||||||||||||||||||||||||||||||||
| Created: | October 7, 2004 | Updated: | March 16, 2005 | |||||||||||||||||||||||||||||||||||||||
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
ecartis: unauthorized access to admin interface
| Package(s): | ecartis | CVE #(s): | CAN-2004-0913 | |||
| Created: | October 21, 2004 | Updated: | October 27, 2004 | |||
| Description: | The ecartis mailing list manager has a vulnerability in which an attacker in the same domain as the list admin can gain administrator privileges and alter list settings. | |||||
| Alerts: |
| |||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
flim: insecure file creation
| Package(s): | flim | CVE #(s): | CAN-2004-0422 | |||||||||
| Created: | May 5, 2004 | Updated: | December 16, 2004 | |||||||||
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. | |||||||||||
| Alerts: |
| |||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
FreeRADIUS: denial of service
| Package(s): | freeradius | CVE #(s): | CAN-2004-0938 CAN-2004-0960 CAN-2004-0961 | |||||||||
| Created: | September 22, 2004 | Updated: | February 2, 2005 | |||||||||
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. | |||||||||||
| Alerts: |
| |||||||||||
gaim: buffer overflow in MSN protocol
| Package(s): | gaim | CVE #(s): | CAN-2004-0891 | ||||||||||||||||||
| Created: | October 25, 2004 | Updated: | February 11, 2005 | ||||||||||||||||||
| Description: | A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gaim: command execution via smiley themes
| Package(s): | gaim | CVE #(s): | CAN-2004-0784 CAN-2004-0785 | |||||||||
| Created: | October 21, 2004 | Updated: | November 12, 2004 | |||||||||
| Description: | gaim may allow arbitrary commands to be executed via shell meta characters in the the tar file name that is dragged to the smiley selector. | |||||||||||
| Alerts: |
| |||||||||||
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 15, 2004 | Updated: | February 25, 2005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript | CVE #(s): | CAN-2004-0967 | |||||||||
| Created: | October 20, 2004 | Updated: | September 28, 2005 | |||||||||
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. | |||||||||||
| Alerts: |
| |||||||||||
glibc: Information leak with LD_DEBUG
| Package(s): | glibc | CVE #(s): | CAN-2004-1453 | ||||||
| Created: | August 17, 2004 | Updated: | May 26, 2005 | ||||||
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. | ||||||||
| Alerts: |
| ||||||||
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 | ||||||||||||||||||||||||
| Created: | October 21, 2004 | Updated: | November 14, 2005 | ||||||||||||||||||||||||
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs | CVE #(s): | CAN-2004-0494 | |||||||||
| Created: | August 4, 2004 | Updated: | February 21, 2005 | |||||||||
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. | |||||||||||
| Alerts: |
| |||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
imagemagick: buffer overflow vulnerability
| Package(s): | imagemagick | CVE #(s): | CAN-2004-0827 | ||||||||||||||||||
| Created: | September 16, 2004 | Updated: | November 30, 2004 | ||||||||||||||||||
| Description: | The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating mal-formed video or image files in the AVI, BMP, or DIB format. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
imlib2: buffer overflows
| Package(s): | imlib2 | CVE #(s): | CAN-2004-0802 CAN-2004-0817 | |||||||||||||||||||||||||||
| Created: | September 8, 2004 | Updated: | October 26, 2005 | |||||||||||||||||||||||||||
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
iproute: local denial of service
| Package(s): | iproute net-tools | CVE #(s): | CAN-2003-0856 | ||||||||||||||||||
| Created: | November 25, 2003 | Updated: | December 14, 2004 | ||||||||||||||||||
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kernel: netfilter integer underflow
| Package(s): | kernel | CVE #(s): | CAN-2004-0816 | |||
| Created: | October 27, 2004 | Updated: | October 27, 2004 | |||
| Description: | 2.6 kernels prior to 2.6.8 contain an integer underflow vulnerability in the netfilter firewall code which can be exploited to crash the machine. | |||||
| Alerts: |
| |||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
libpng: multiple vulnerabilities
| Package(s): | libpng | CVE #(s): | CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 4, 2004 | Updated: | February 10, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libxpm4: stack and integer overflows
| Package(s): | libxpm4 | CVE #(s): | CAN-2004-0687 CAN-2004-0688 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | September 16, 2004 | Updated: | February 14, 2005 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
logcheck: symlink vulnerability
| Package(s): | logcheck | CVE #(s): | CAN-2004-0404 | ||||||
| Created: | April 21, 2004 | Updated: | December 22, 2004 | ||||||
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. | ||||||||
| Alerts: |
| ||||||||
Midnight Commander: extfs vfs vulnerability
| Package(s): | mc | CVE #(s): | CAN-2004-0494 | ||||||||||||
| Created: | September 2, 2004 | Updated: | January 5, 2005 | ||||||||||||
| Description: | Midnight Commander has a vfs vulnerability with shell quoting in extfs perl scripts. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
MIT-krb5: insecure temporary file
| Package(s): | mit-krb5 | CVE #(s): | CAN-2004-0971 | |||
| Created: | October 25, 2004 | Updated: | October 27, 2004 | |||
| Description: | The send-pr.sh script creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When send-pr.sh is called, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. | |||||
| Alerts: |
| |||||
mozilla products: arbitrary code execution and other vulnerabilities
| Package(s): | mozilla firefox thunderbird | CVE #(s): | CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908 | ||||||||||||||||||||||||
| Created: | September 20, 2004 | Updated: | January 13, 2005 | ||||||||||||||||||||||||
| Description: | Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. See the CERT advisory for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
mpg123: buffer overflow bug
| Package(s): | mpg123 | CVE #(s): | CAN-2004-0805 | ||||||||||||
| Created: | September 16, 2004 | Updated: | January 11, 2005 | ||||||||||||
| Description: | The mpg123 audio playing utility has a buffer overflow bug that may allow arbitrary execution of code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mpg123: buffer overflow
| Package(s): | mpg123 | CVE #(s): | CAN-2004-0982 | |||||||||
| Created: | October 27, 2004 | Updated: | November 2, 2004 | |||||||||
| Description: | Versions of mpg123 through 0.59s-r5 contain a buffer overflow in the getauthfromURL() and http_open() functions. | |||||||||||
| Alerts: |
| |||||||||||
mpg321: format string vulnerability
| Package(s): | mpg321 | CVE #(s): | CAN-2003-0969 | ||||||
| Created: | January 6, 2004 | Updated: | March 28, 2005 | ||||||
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). | ||||||||
| Alerts: |
| ||||||||
mysql: several vulnerabilities
| Package(s): | mysql | CVE #(s): | CAN-2004-0835 CAN-2004-0836 CAN-2004-0837 | |||||||||||||||||||||||||||||||||
| Created: | October 11, 2004 | Updated: | April 6, 2005 | |||||||||||||||||||||||||||||||||
| Description: | Several problems have been discovered in MySQL. Oleksandr Byelkin noticed that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis noticed that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall. (CAN-2004-0837) | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
Netatalk: insecure tempfile handling in etc2ps.sh
| Package(s): | netatalk | CVE #(s): | CAN-2004-0974 | ||||||
| Created: | October 25, 2004 | Updated: | November 2, 2004 | ||||||
| Description: | The etc2ps.sh script creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When etc2ps.sh is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. | ||||||||
| Alerts: |
| ||||||||
netkit-telnet: invalid free pointer
| Package(s): | netkit-telnet | CVE #(s): | CAN-2004-0911 | ||||||||||||
| Created: | October 4, 2004 | Updated: | March 28, 2005 | ||||||||||||
| Description: | Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user). | ||||||||||||||
| Alerts: |
| ||||||||||||||
netpbm: insecure temporary files
| Package(s): | netpbm | CVE #(s): | CAN-2003-0924 | |||||||||||||||||||||||||||
| Created: | January 19, 2004 | Updated: | December 29, 2004 | |||||||||||||||||||||||||||
| Description: | netpbm is graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
pavuk: buffer overflow
| Package(s): | pavuk | CVE #(s): | CAN-2004-0456 | |||||||||
| Created: | June 30, 2004 | Updated: | November 11, 2004 | |||||||||
| Description: | Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. | |||||||||||
| Alerts: |
| |||||||||||
php: remotely exploitable memory errors
| Package(s): | php | CVE #(s): | CAN-2004-0594 |
| Created: | July 14, 2004 | Updated: | February 7, 2005 |
| Description: | Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature | ||