Sponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for November 11, 2004
An open source licensing white paper
The Olliance Group has announced the availability of a white paper entitled "Open Source Intellectual Property and Licensing Compliance: A Survey and Analysis of Industry Best Practices." The paper is available for free download to those willing to fill in a registration form.The press release includes a recommendation from the president of the Free Standards Group, and the paper itself includes a foreward by OSDL head Stuart Cohen. So one might conclude that it would be a relatively high-clue work on how to interpret and comply with free software licenses. The sad truth, however, is that it appears to have been thrown together quickly (it contains a number of grammatical errors, for example), and the ultimate goals of its authors are unclear at best.
The purpose of the paper seems to be to help companies figure out how to avoid "open source risk." But that risk is not defined or justified anywhere in the paper. The closest it gets is toward the end, where we read:
In other words, we have the same old "the GPL can cause you to lose your intellectual property" argument. This line has been debunked numerous times: there is nothing in the GPL which can legally force a company to loosen its death grip in its valuable IP. The GPL can subject a non-compliant company to copyright infringement suits, fines, and injunctions stopping distribution of a product. These are real risks which should be understood by any company which is considering incorporating GPL-licensed code into its products. But it is discouraging to see representatives of the Free Standards Group and OSDL putting their names on a report that brings back the "lose all your IP" scarecrow.
Oh, there is one other risk mentioned on the same page:
In fact, the revocable nature of the GPL came out at the end of the KDE wars, when Richard Stallman revoked the right of the KDE developers to distribute the FSF's code, then magnanimously forgave them their sins:
The real point, however, is that revocability is certainly not a feature which is unique to free software licenses. Consider the Windows XP EULA:
Almost any proprietary software license includes a term like this one. Olliance's claim that such terms are unique to free software licenses is simply false.
So what does Olliance recommend be done to address those scary free software risks? The first step is to perform an audit of every free application in use in the company. Employees are to be required to document every program they use, its version numbers, the dates over which it has been used, the reason why it is used, the manager who approved its use, and so on. A database is then to be built containing all of that information. What then is to be done with this database is not entirely clear.
Some other "best practices" include:
- Requiring written approval by an "open source review board" before any
open source application may be used.
- Requiring a separate approval before modifying any free software.
- Getting warranties from suppliers that they use no open source software, or that any such use is documented and indemnified.
In the midst of all this is a recommendation which actually makes sense:
OK, so maybe it doesn't make that much sense. The core of this recommendation is, however: think before you incorporate free software into your products. One could extend that to "think before you incorporate any software copyrighted by others into your products," but that would be asking a lot of the authors of this particular work.
As far as your editor can tell, the goal of this particular white paper is to stoke fears about open source licensing, and to urge companies to create a vast, grinding bureaucracy to impede the adoption of free software internally. Following its recommendations is unlikely to make many companies safer, but it will increase the apparent costs of using free software. There is a place for documentation of the real risks of using code copyrighted by others - both free and proprietary - and on how to avoid distributing products which violate free software licenses. But this paper does not fill that role.
Sendmail X
Sendmail has a difficult reputation. It is the canonical example of how large, complex programs are subject to security problems. It has a configuration file format which makes obfuscated Perl code seem highly readable by comparison. Its performance when dealing with large amounts of mail is held to be inferior. One could, of course, point out that sendmail's security problems appear to be mostly behind it, that few people ever have to look at the raw configuration file, and that sendmail was a cherished gift, once upon a time, to anybody who had ever tried to convince delivermail to route a message along a uucp bang path, by way of the Arpanet, from a CSNet node. For all of its blemishes, sendmail has been a crucial and valuable part of the network's infrastructure for many years.After all those years, however, sendmail may just be due for a major upgrade. As it turns out, work on the next generation of sendmail, called sendmail X, has been under way for some time. Some early code has been made available; sendmail X 0.0.16 is available from this page. Do note that it is billed as "pre-alpha" code; using it on a server which handles real mail is probably not a good idea.
A lengthy design document for sendmail X is available; it gives some insight into what the next version of sendmail will look like. The first impression that comes out is that sendmail X will be so different that one wonders why the "sendmail" name is being used at all. Sendmail X is a completely new mail transfer agent, redesigned and rewritten from the beginning.
As is the norm for contemporary MTA design, sendmail X is implemented as a set of (relatively) small, cooperating processes. The system is divided in this way:
- The queue manager is the core of sendmail X; its job is to
manage messages as they move through the system, make delivery
decisions, etc.
- The SMTP server accepts incoming mail from the net and passes
them to the queue manager. Actually, the queue manager is involved
throughout the SMTP conversation; it is consulted on whether to accept
the connection in the first place,
and it may have actually delivered the mail before the text is
acknowledged.
- The SMTP client passes mail on to other systems for delivery.
- The address resolver is charged with understanding - and
rewriting - recipient addresses. This process also handles DNS
blacklisting and other types of address-based filtering.
- The master control program gets all of the other processes going and handles termination, restarts, and crash recovery. This program is actually derived from the BSD inetd source.
In addition, there will be a collection of local delivery agents, mail filter processes, etc.
Much thought has been given to performance, to the point that may cause some to wonder if there might be some premature optimization going on. For example, the SMTP server has been designed to use an Apache-style mode, where multiple processes exist, each of which runs several server threads. This design will certainly add complexity to the server, but few sites are likely to benefit from the associated performance increase.
System administrators will be glad to know that the sendmail.cf configuration file is gone. Sendmail X will use a C-like configuration syntax, similar to that used by BIND. Configuration of real-world mail systems will, perhaps, never be an entirely simple task, but sendmail X should be easier to set up than its predecessor.
Unsurprisingly, security is said to be a core design goal. The multi-process design is clearly motivated by security concerns, though the relatively high level of interaction between these processes may complicate things. The qmail design, for example, has a far lower level of interaction and trust between its components - though that approach leads to problems of its own. There are no setuid programs in sendmail X. It is necessary to run the master control program as root; it then handles any privileged tasks that it can before starting the subsidiary processes under a different user ID. Thus, for example, it binds to the SMTP port before starting the SMTP server. Since the master control program does not actually handle mail or communicate with the outside, it should be relatively hard to compromise.
The code consists of almost 600 C files. In some ways it resembles the qmail code; it has many short files with reimplementations of many functions normally found in the C library. A special string type is used to avoid buffer overruns. A casual look suggests that the code really is being written with security in mind. That much new code is sure to have a surprise or two in it somewhere, however.
The author of sendmail X (Claus Aßmann) claims to have been running it since the beginning of the year without losing any mail. Even so, it will probably be some time before it is put forward as a viable option for production sites. What happens then will be interesting. Sendmail X will be jumping into an environment where several other options exist and are in wide use. The MTA ecosystem has, over the years, gone from being a single-program monoculture to a diverse field with several alternatives. Sendmail X will have to be significantly better than those alternatives, and much better than sendmail 8, to be widely successful in that environment.
(Thanks to Xose Vazquez Perez for drawing our attention to this project).
The state of RTAI
After the Approaches to realtime Linux article drew a great deal of interest, we decided to drill down and offer a closer look at one of the projects mentioned therein: The Real Time Application Interface (RTAI) project, whose developers felt that our portrayal of the project was not entirely accurate. To set things straight, we touched base with RTAI hackers Philippe Gerum and Paolo Mantegazza.First, we learned that there are actually two ongoing projects, the first is the original RTAI project, funded by the Dipartimento di Ingegneria Aerospaziale, Politecnico di Milano (DIAPM). The other project is RTAI/Fusion, which is a different approach that merges the RTAI interfaces with the Xenomai development framework.
The RTAI project with Linux RealTime (LXRT) uses several kernel modules to gain the realtime functionality that one may need. RTAI makes changes in the Linux interrupt and scheduling policies to provide real time capabilities within the non-real time Linux environment. According to the RTAI website:
The original RTAI project was designed specifically for DIAPM projects, says Mantegazza:
On the other hand, Xenomai was designed to allow developers to port applications from other realtime systems, and therefore it takes a different approach. Gerum describes Xenomai as a "kind of generic RTOS (Real Time Operating System) core" that enable a developer to plug in their own real-time APIs. Gerum says the idea was that most RTOS vendors offer the same functionality, but with "different API window dressings." Xenomai was designed to "provide one generic core running side-by-side with the Linux kernel" that would allow for different APIs.
The RTAI/Fusion project that is now under development works with a "vanilla" Linux kernel running on top of the Adeos (Adaptive Domain Environment for Operating Systems) nanokernel. By running the Linux kernel and Fusion under the Adeos nanokernel, Fusion cooperates with Linux and allows developers to use "any number of real-time APIs at the same time."
Given that there are a number of real time projects for Linux, not to mention the other various RTOSes, we asked whether it would be possible to come up with a "one size fits all" solution for real time operating systems. Mantegazza says yes, but Gerum is not so sure:
Simple design and straightforward code layers make the above possible. For instance, DSP-like applications do not necessarily need a full-fledged multi-tasking infrastructure; basic interrupt handlers with predictable preemption time are often enough here. On the other hand, you are not going to run a complete telecom software stack over interrupt service routines, so you need a complete RTOS core and rich utility libraries.
It's important to note that RTAI/Fusion would not replace RTAI/LXRT so much as envelope it, if successful. According to Gerum, the plan is to "refactor the original RTAI 3.x interfaces over Fusion, if this technology is successful."
What's left to implement in Fusion? Gerum says there are several things left to be done:
Fusion already provides a full-fledged event-driven simulator with a nifty GUI for debugging applications on the host system; GDB can also be used to debug the real-time threads in user-space on the target. However, LTT (Linux Trace Toolkit) support is missing, for instance.
Users that are interested in trying RTAI/Fusion can get a jump-start with Debian, which has RTAI packages in testing and unstable.
Though the Real Time market is a small niche of the Linux community, it's good to see healthy projects like RTAI/LXRT and RTAI/Fusion that will give Linux the opportunity to achieve the goal of world domination.
Page editor: Jonathan Corbet
Security
Security news
Habeas returns
Remember Habeas? This is the company which copyrighted a bit of haiku, then restricted the right to include that "work of art" in the headers of an email message. Only non-spam messages could contain the poem without violating the license. The idea was that mail filters could look for the Habeas mark and, upon finding it, deliver the mail with confidence that it was legitimate.The folks at Habeas were, apparently, surprised to discover that spammers are not as respectful as one might like of copyright law - or much of anything else. It did not take them all that long to start including the Habeas headers in their solicitations, especially once they figured out that filters like SpamAssassin gave a strong bonus to such messages. Rather than being a guarantee of legitimacy, the Habeas headers quickly became one of the most reliable indicators of spam. The SpamAssassin bonus came out, and Habeas disappeared from view.
The company is still there, however, and they have not given up. A new press release issued by the company celebrates the fact that SpamAssassin 3.0 once again gives a bonus to Habeas-marked mail. There is a new twist, however: Habeas now implements an online whitelist of senders whose mail is really thought to be legitimate. Strangely enough, getting onto the whitelist requires that a fee be paid to Habeas.
This new service might just work for certain kinds of commercial emailers, as long as Habeas sticks to its anti-spam standards. We may be seeing the beginning of a shift to a reputation-based mechanism for the filtering of email. Blacklists were clearly the first step in that direction, but they are limited in their scope. A scheme which can track positive reputations might, just, bring a finer degree of control to the spam filtering problem. Or it might just herald an era where purchasing yet another useless digital certificate will be required to get email delivered at all. Either way, it is a development worth watching.
Some Linux kernel security vulnerabilities
Paul Starzetz has discovered a set of security holes in the kernel ELF loader; click below for the details. Essentially, bugs in how the kernel interprets binaries could conceivably be exploited by a local attacker to obtain root privileges or leak information from the kernel. Paul discusses 2.4, but fixes for these problems have just been merged for 2.6 as well. Expect a set of distributor updates in the near future.
New vulnerabilities
apache2: denial of service
| Package(s): | apache | CVE #(s): | CAN-2004-0942 | |||||||||||||||||||||
| Created: | November 10, 2004 | Updated: | November 26, 2004 | |||||||||||||||||||||
| Description: | Versions of Apache 2.0 prior to 2.0.53 contain a bug in the header parsing code which can allow a remote denial of service attack given sufficient bandwidth. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
dhcp: format string vulnerability
| Package(s): | dhcp | CVE #(s): | CAN-2004-1006 | |||||||||
| Created: | November 4, 2004 | Updated: | July 13, 2005 | |||||||||
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. | |||||||||||
| Alerts: |
| |||||||||||
freeamp: arbitrary code execution
| Package(s): | freeamp | CVE #(s): | CAN-2004-0964 | |||
| Created: | November 8, 2004 | Updated: | November 10, 2004 | |||
| Description: | Luigi Auriemma discovered a buffer overflow condition in the playlist module of freeamp which could lead to arbitrary code execution. Recent versions of freeamp were renamed into zinf. | |||||
| Alerts: |
| |||||
Gallery: cross-site scripting vulnerability
| Package(s): | Gallery | CVE #(s): | CAN-2004-1106 | ||||||
| Created: | November 8, 2004 | Updated: | January 17, 2005 | ||||||
| Description: | Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the users gallery. | ||||||||
| Alerts: |
| ||||||||
gnats: format string vulnerability
| Package(s): | gnats | CVE #(s): | CAN-2004-0623 | |||
| Created: | November 9, 2004 | Updated: | November 10, 2004 | |||
| Description: | Khan Shirani discovered a format string vulnerability in gnats, the GNU problem report management system. This problem may be exploited to execute arbitrary code. | |||||
| Alerts: |
| |||||
gzip: insecure temporary files
| Package(s): | gzip | CVE #(s): | CAN-2004-0970 | ||||||
| Created: | November 8, 2004 | Updated: | December 7, 2004 | ||||||
| Description: | Trustix developers discovered insecure temporary file creation in supplemental scripts in the gzip package which may allow local users to overwrite files via a symlink attack. | ||||||||
| Alerts: |
| ||||||||
Kaffeine, gxine: remotely exploitable buffer overflow
| Package(s): | Kaffeine gxine | CVE #(s): | ||||
| Created: | November 8, 2004 | Updated: | November 11, 2004 | |||
| Description: | KF of Secure Network Operations has discovered an overflow that occurs during the Content-Type header processing of Kaffeine. The vulnerable code in Kaffeine is reused from gxine, making gxine vulnerable as well. An attacker could create a specially-crafted Content-type header from a malicious HTTP server, and crash a user's instance of Kaffeine or gxine, potentially allowing the execution of arbitrary code. See this SecurityTracker advisory for details. | |||||
| Alerts: |
| |||||
ImageMagick: EXIF buffer overflow
| Package(s): | ImageMagick | CVE #(s): | CAN-2004-0981 | ||||||||||||
| Created: | November 8, 2004 | Updated: | December 8, 2004 | ||||||||||||
| Description: | ImageMagick fails to do proper bounds checking when handling image files with EXIF information. An attacker could use an image file with specially-crafted EXIF information to cause arbitrary code execution with the permissions of the user running ImageMagick. See this advisory for more information. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mtink: insecure tempfile handling
| Package(s): | mtink | CVE #(s): | ||||
| Created: | November 9, 2004 | Updated: | November 10, 2004 | |||
| Description: | Tavis Ormandy from Gentoo Linux discovered that mtink uses insecure permissions on temporary files. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When mtink is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. | |||||
| Alerts: |
| |||||
ruby: infinite loop
| Package(s): | ruby | CVE #(s): | CAN-2004-0983 | ||||||||||||||||||||||||
| Created: | November 8, 2004 | Updated: | May 15, 2005 | ||||||||||||||||||||||||
| Description: | The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up cpu cycles. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
samba: remote DoS vulnerability
| Package(s): | samba | CVE #(s): | CAN-2004-0930 CAN-2004-0882 | |||||||||||||||||||||||||||||||||
| Created: | November 8, 2004 | Updated: | December 1, 2004 | |||||||||||||||||||||||||||||||||
| Description: | According to this Samba advisory a remote
attacker could cause an smbd process to consume abnormal amounts of system
resources due to an input validation error when matching filenames
containing wildcard characters. Versions of Samba 3.0.x up to and
including 3.0.7 are vulnerable.
There is also an advisory about possible buffer overruns in smbd. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
shadow: unauthorized modification of account information
| Package(s): | shadow | CVE #(s): | CAN-2004-1001 | |||||||||||||||
| Created: | November 4, 2004 | Updated: | November 23, 2004 | |||||||||||||||
| Description: | The shadow user account utilities have a potential problem with the chfn and chsh utilities that may allow unauthorized users to modify account properties. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
zgv: multiple buffer overflows
| Package(s): | zgv | CVE #(s): | |||||||
| Created: | November 8, 2004 | Updated: | December 14, 2004 | ||||||
| Description: | Multiple arithmetic overflows have been detected in the image processing code of zgv. An attacker could entice a user to open a specially-crafted image file, potentially resulting in execution of arbitrary code with the rights of the user running zgv. See this BugTraq advisory for more information. | ||||||||
| Alerts: |
| ||||||||
zip: arbitrary code execution
| Package(s): | zip | CVE #(s): | CAN-2004-1010 | ||||||||||||||||||||||||
| Created: | November 5, 2004 | Updated: | February 2, 2005 | ||||||||||||||||||||||||
| Description: | HexView discovered a buffer overflow in the zip package. The overflow is triggered by creating a ZIP archive of files with very long path names. This vulnerability might result in execution of arbitrary code with the privileges of the user who calls zip. This flaw may lead to privilege escalation on systems which automatically create ZIP archives of user supplied files, like backup systems or web applications. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Updated vulnerabilities
Archive::Zip: Virus detection evasion
| Package(s): | Archive::Zip | CVE #(s): | |||||||
| Created: | October 29, 2004 | Updated: | November 2, 2004 | ||||||
| Description: | Archive::Zip can be used by email scanning software (like amavisd-new) to
uncompress attachments before virus scanning. By modifying the
uncompressed size of archived files in the global header of the ZIP file,
it is possible to fool Archive::Zip into thinking some files inside the
archive have zero length.
An attacker could send a carefully crafted ZIP archive containing a virus file and evade detection on some email virus-scanning software relying on Archive::Zip for decompression. | ||||||||
| Alerts: |
| ||||||||
MIME-tools: parsing bug
| Package(s): | MIME-tools | CVE #(s): | |||||||
| Created: | November 2, 2004 | Updated: | November 2, 2004 | ||||||
| Description: | According to this RoaringPenguin advisory, there's a bug in MIME-tools: It mis-parses things like boundary="" and apparently there's a virus that uses an empty boundary. | ||||||||
| Alerts: |
| ||||||||
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
PostgreSQL: Insecure temporary file use in make_oidjoins_check
| Package(s): | PostgreSQL | CVE #(s): | CAN-2004-0977 | ||||||||||||||||||
| Created: | October 18, 2004 | Updated: | December 20, 2004 | ||||||||||||||||||
| Description: | The make_oidjoins_check script insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Speedtouch USB driver: Privilege escalation vulnerability
| Package(s): | Speedtouch USB driver | CVE #(s): | |||||||
| Created: | November 2, 2004 | Updated: | November 11, 2004 | ||||||
| Description: | The Speedtouch USB driver contains multiple format string vulnerabilities in modem_run, pppoa2 and pppoa3. This flaw is due to an improperly made syslog() system call. A malicious local user could exploit this vulnerability by causing a buffer overflow, and potentially allowing the execution of arbitrary code with escalated privileges. | ||||||||
| Alerts: |
| ||||||||
apache: mod_ssl cipher negotiation problem
| Package(s): | apache | CVE #(s): | CAN-2004-0885 | ||||||||||||
| Created: | October 15, 2004 | Updated: | November 4, 2004 | ||||||||||||
| Description: | Apache's mod_ssl module may allow content to be retrieved without proper negotiation of the requested cipher suite. | ||||||||||||||
| Alerts: |
| ||||||||||||||
apache: arbitrary code execution
| Package(s): | apache | CVE #(s): | CAN-2004-0940 | |||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | December 14, 2004 | |||||||||||||||||||||
| Description: | According to an Apache announcement, a vulnerability exists in the Apache HTTP server, version 1.3. The problem is a potential buffer overflow in the "get_tag" function of Apache's SSI module "mod_include". It allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI documents that trigger a content length calculation error. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
aspell: bounds checking problem
| Package(s): | aspell | CVE #(s): | CAN-2004-0548 | |||||||||
| Created: | June 17, 2004 | Updated: | December 20, 2004 | |||||||||
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. | |||||||||||
| Alerts: |
| |||||||||||
cabextract: missing directory sanitizing
| Package(s): | cabextract | CVE #(s): | CAN-2004-0916 | |||
| Created: | October 28, 2004 | Updated: | November 2, 2004 | |||
| Description: | The cabinet file extraction tool cabextract may allow arbitrary files in upper directories to be overwritten. | |||||
| Alerts: |
| |||||
catdoc: insecure temp file
| Package(s): | catdoc | CVE #(s): | CAN-2003-0193 | |||
| Created: | October 28, 2004 | Updated: | November 2, 2004 | |||
| Description: | The xlsview utility in catdoc has a vulnerability that may allow local users to overwrite arbitrary files using a symlink attack on predictable temporary file names. | |||||
| Alerts: |
| |||||
cdrecord: failure to drop privilege
| Package(s): | cdrecord | CVE #(s): | CAN-2004-0806 | |||||||||||||||
| Created: | September 8, 2004 | Updated: | February 21, 2005 | |||||||||||||||
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Cherokee: format string vulnerability
| Package(s): | cherokee | CVE #(s): | ||||
| Created: | November 1, 2004 | Updated: | November 2, 2004 | |||
| Description: | Florian Schilhabel from the Gentoo Linux Security Audit Team found a format string vulnerability in the cherokee_logger_ncsa_write_string() function. Using a specially crafted URL when authenticating via auth_pam, a malicious user may be able to crash the server or execute arbitrary code on the target machine with permissions of the user running Cherokee. | |||||
| Alerts: |
| |||||
ncompress: Buffer overflow
| Package(s): | compress uncompress ncompress | CVE #(s): | CAN-2001-1413 | ||||||
| Created: | October 11, 2004 | Updated: | December 14, 2004 | ||||||
| Description: | compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress. | ||||||||
| Alerts: |
| ||||||||
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl | CVE #(s): | CAN-2004-0884 | |||||||||||||||||||||||||||||||||||||||
| Created: | October 7, 2004 | Updated: | March 16, 2005 | |||||||||||||||||||||||||||||||||||||||
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
flim: insecure file creation
| Package(s): | flim | CVE #(s): | CAN-2004-0422 | |||||||||
| Created: | May 5, 2004 | Updated: | December 16, 2004 | |||||||||
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. | |||||||||||
| Alerts: |
| |||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
FreeRADIUS: denial of service
| Package(s): | freeradius | CVE #(s): | CAN-2004-0938 CAN-2004-0960 CAN-2004-0961 | |||||||||
| Created: | September 22, 2004 | Updated: | February 2, 2005 | |||||||||
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. | |||||||||||
| Alerts: |
| |||||||||||
gaim: buffer overflow in MSN protocol
| Package(s): | gaim | CVE #(s): | CAN-2004-0891 | ||||||||||||||||||
| Created: | October 25, 2004 | Updated: | February 11, 2005 | ||||||||||||||||||
| Description: | A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gaim: command execution via smiley themes
| Package(s): | gaim | CVE #(s): | CAN-2004-0784 CAN-2004-0785 | |||||||||
| Created: | October 21, 2004 | Updated: | November 12, 2004 | |||||||||
| Description: | gaim may allow arbitrary commands to be executed via shell meta characters in the the tar file name that is dragged to the smiley selector. | |||||||||||
| Alerts: |
| |||||||||||
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 15, 2004 | Updated: | February 25, 2005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript | CVE #(s): | CAN-2004-0967 | |||||||||
| Created: | October 20, 2004 | Updated: | September 28, 2005 | |||||||||
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. | |||||||||||
| Alerts: |
| |||||||||||
glibc: Information leak with LD_DEBUG
| Package(s): | glibc | CVE #(s): | CAN-2004-1453 | ||||||
| Created: | August 17, 2004 | Updated: | May 26, 2005 | ||||||
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. | ||||||||
| Alerts: |
| ||||||||
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 | ||||||||||||||||||||||||
| Created: | October 21, 2004 | Updated: | November 14, 2005 | ||||||||||||||||||||||||
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs | CVE #(s): | CAN-2004-0494 | |||||||||
| Created: | August 4, 2004 | Updated: | February 21, 2005 | |||||||||
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. | |||||||||||
| Alerts: |
| |||||||||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
imagemagick: buffer overflow vulnerability
| Package(s): | imagemagick | CVE #(s): | CAN-2004-0827 | ||||||||||||||||||
| Created: | September 16, 2004 | Updated: | November 30, 2004 | ||||||||||||||||||
| Description: | The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating mal-formed video or image files in the AVI, BMP, or DIB format. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
imlib2: buffer overflows
| Package(s): | imlib2 | CVE #(s): | CAN-2004-0802 CAN-2004-0817 | |||||||||||||||||||||||||||
| Created: | September 8, 2004 | Updated: | October 26, 2005 | |||||||||||||||||||||||||||
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
iproute: local denial of service
| Package(s): | iproute net-tools | CVE #(s): | CAN-2003-0856 | ||||||||||||||||||
| Created: | November 25, 2003 | Updated: | December 14, 2004 | ||||||||||||||||||
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
iptables: missing initialization
| Package(s): | iptables | CVE #(s): | CAN-2004-0986 | ||||||||||||
| Created: | November 1, 2004 | Updated: | February 11, 2005 | ||||||||||||
| Description: | Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 | CVE #(s): | CAN-2004-0990 CAN-2004-0941 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | June 28, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libpng: multiple vulnerabilities
| Package(s): | libpng | CVE #(s): | CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 4, 2004 | Updated: | February 10, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libxml2: multiple buffer overflows
| Package(s): | libxml2 | CVE #(s): | CAN-2004-0989 | |||||||||||||||||||||||||||||||||
| Created: | October 28, 2004 | Updated: | February 28, 2005 | |||||||||||||||||||||||||||||||||
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||