LWN.net Logo

LWN.net Weekly Edition for November 11, 2004

An open source licensing white paper

The Olliance Group has announced the availability of a white paper entitled "Open Source Intellectual Property and Licensing Compliance: A Survey and Analysis of Industry Best Practices." The paper is available for free download to those willing to fill in a registration form.
Advertisement

The press release includes a recommendation from the president of the Free Standards Group, and the paper itself includes a foreward by OSDL head Stuart Cohen. So one might conclude that it would be a relatively high-clue work on how to interpret and comply with free software licenses. The sad truth, however, is that it appears to have been thrown together quickly (it contains a number of grammatical errors, for example), and the ultimate goals of its authors are unclear at best.

The purpose of the paper seems to be to help companies figure out how to avoid "open source risk." But that risk is not defined or justified anywhere in the paper. The closest it gets is toward the end, where we read:

The best defense against the risk of losing proprietary IP to certain open source licenses such as the GPL or Mozilla is through a sound compliance program that minimizes the risk of inadvertent commingling of open source code and proprietary code.

In other words, we have the same old "the GPL can cause you to lose your intellectual property" argument. This line has been debunked numerous times: there is nothing in the GPL which can legally force a company to loosen its death grip in its valuable IP. The GPL can subject a non-compliant company to copyright infringement suits, fines, and injunctions stopping distribution of a product. These are real risks which should be understood by any company which is considering incorporating GPL-licensed code into its products. But it is discouraging to see representatives of the Free Standards Group and OSDL putting their names on a report that brings back the "lose all your IP" scarecrow.

Oh, there is one other risk mentioned on the same page:

However, open source licenses, unlike proprietary software licenses, are generally not irrevocable--meaning that a company that has violated a license term may have its right to use the software revoked. While we do not know of any case in which this has happened, it remains a possibility that companies should be aware of.

In fact, the revocable nature of the GPL came out at the end of the KDE wars, when Richard Stallman revoked the right of the KDE developers to distribute the FSF's code, then magnanimously forgave them their sins:

More precisely, those who as of September 4, 2000 have used some FSF code in violation of the GPL solely by linking it with Qt, and thus have forfeited the right to use that code under the GPL, will once again have full GPL permissions to use that code upon switching to a GPL-covered version of Qt.

The real point, however, is that revocability is certainly not a feature which is unique to free software licenses. Consider the Windows XP EULA:

6. TERMINATION. Without prejudice to any other rights, Microsoft may cancel this EULA if you do not abide by the terms and conditions of this EULA, in which case you must destroy all copies of the Product and all of its component parts.

Almost any proprietary software license includes a term like this one. Olliance's claim that such terms are unique to free software licenses is simply false.

So what does Olliance recommend be done to address those scary free software risks? The first step is to perform an audit of every free application in use in the company. Employees are to be required to document every program they use, its version numbers, the dates over which it has been used, the reason why it is used, the manager who approved its use, and so on. A database is then to be built containing all of that information. What then is to be done with this database is not entirely clear.

Some other "best practices" include:

  • Requiring written approval by an "open source review board" before any open source application may be used.

  • Requiring a separate approval before modifying any free software.

  • Getting warranties from suppliers that they use no open source software, or that any such use is documented and indemnified.

In the midst of all this is a recommendation which actually makes sense:

Forbidding the modification of open source software or its inclusion in any product that is distributed, without further detailed analysis, and executive level management review, for companies that have significant intellectual property at risk.

OK, so maybe it doesn't make that much sense. The core of this recommendation is, however: think before you incorporate free software into your products. One could extend that to "think before you incorporate any software copyrighted by others into your products," but that would be asking a lot of the authors of this particular work.

As far as your editor can tell, the goal of this particular white paper is to stoke fears about open source licensing, and to urge companies to create a vast, grinding bureaucracy to impede the adoption of free software internally. Following its recommendations is unlikely to make many companies safer, but it will increase the apparent costs of using free software. There is a place for documentation of the real risks of using code copyrighted by others - both free and proprietary - and on how to avoid distributing products which violate free software licenses. But this paper does not fill that role.

Comments (8 posted)

Sendmail X

Sendmail has a difficult reputation. It is the canonical example of how large, complex programs are subject to security problems. It has a configuration file format which makes obfuscated Perl code seem highly readable by comparison. Its performance when dealing with large amounts of mail is held to be inferior. One could, of course, point out that sendmail's security problems appear to be mostly behind it, that few people ever have to look at the raw configuration file, and that sendmail was a cherished gift, once upon a time, to anybody who had ever tried to convince delivermail to route a message along a uucp bang path, by way of the Arpanet, from a CSNet node. For all of its blemishes, sendmail has been a crucial and valuable part of the network's infrastructure for many years.

After all those years, however, sendmail may just be due for a major upgrade. As it turns out, work on the next generation of sendmail, called sendmail X, has been under way for some time. Some early code has been made available; sendmail X 0.0.16 is available from this page. Do note that it is billed as "pre-alpha" code; using it on a server which handles real mail is probably not a good idea.

A lengthy design document for sendmail X is available; it gives some insight into what the next version of sendmail will look like. The first impression that comes out is that sendmail X will be so different that one wonders why the "sendmail" name is being used at all. Sendmail X is a completely new mail transfer agent, redesigned and rewritten from the beginning.

As is the norm for contemporary MTA design, sendmail X is implemented as a set of (relatively) small, cooperating processes. The system is divided in this way:

  • The queue manager is the core of sendmail X; its job is to manage messages as they move through the system, make delivery decisions, etc.

  • The SMTP server accepts incoming mail from the net and passes them to the queue manager. Actually, the queue manager is involved throughout the SMTP conversation; it is consulted on whether to accept the connection in the first place, and it may have actually delivered the mail before the text is acknowledged.

  • The SMTP client passes mail on to other systems for delivery.

  • The address resolver is charged with understanding - and rewriting - recipient addresses. This process also handles DNS blacklisting and other types of address-based filtering.

  • The master control program gets all of the other processes going and handles termination, restarts, and crash recovery. This program is actually derived from the BSD inetd source.

In addition, there will be a collection of local delivery agents, mail filter processes, etc.

Much thought has been given to performance, to the point that may cause some to wonder if there might be some premature optimization going on. For example, the SMTP server has been designed to use an Apache-style mode, where multiple processes exist, each of which runs several server threads. This design will certainly add complexity to the server, but few sites are likely to benefit from the associated performance increase.

System administrators will be glad to know that the sendmail.cf configuration file is gone. Sendmail X will use a C-like configuration syntax, similar to that used by BIND. Configuration of real-world mail systems will, perhaps, never be an entirely simple task, but sendmail X should be easier to set up than its predecessor.

Unsurprisingly, security is said to be a core design goal. The multi-process design is clearly motivated by security concerns, though the relatively high level of interaction between these processes may complicate things. The qmail design, for example, has a far lower level of interaction and trust between its components - though that approach leads to problems of its own. There are no setuid programs in sendmail X. It is necessary to run the master control program as root; it then handles any privileged tasks that it can before starting the subsidiary processes under a different user ID. Thus, for example, it binds to the SMTP port before starting the SMTP server. Since the master control program does not actually handle mail or communicate with the outside, it should be relatively hard to compromise.

The code consists of almost 600 C files. In some ways it resembles the qmail code; it has many short files with reimplementations of many functions normally found in the C library. A special string type is used to avoid buffer overruns. A casual look suggests that the code really is being written with security in mind. That much new code is sure to have a surprise or two in it somewhere, however.

The author of sendmail X (Claus Aßmann) claims to have been running it since the beginning of the year without losing any mail. Even so, it will probably be some time before it is put forward as a viable option for production sites. What happens then will be interesting. Sendmail X will be jumping into an environment where several other options exist and are in wide use. The MTA ecosystem has, over the years, gone from being a single-program monoculture to a diverse field with several alternatives. Sendmail X will have to be significantly better than those alternatives, and much better than sendmail 8, to be widely successful in that environment.

(Thanks to Xose Vazquez Perez for drawing our attention to this project).

Comments (17 posted)

The state of RTAI

November 10, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

After the Approaches to realtime Linux article drew a great deal of interest, we decided to drill down and offer a closer look at one of the projects mentioned therein: The Real Time Application Interface (RTAI) project, whose developers felt that our portrayal of the project was not entirely accurate. To set things straight, we touched base with RTAI hackers Philippe Gerum and Paolo Mantegazza.

First, we learned that there are actually two ongoing projects, the first is the original RTAI project, funded by the Dipartimento di Ingegneria Aerospaziale, Politecnico di Milano (DIAPM). The other project is RTAI/Fusion, which is a different approach that merges the RTAI interfaces with the Xenomai development framework.

The RTAI project with Linux RealTime (LXRT) uses several kernel modules to gain the realtime functionality that one may need. RTAI makes changes in the Linux interrupt and scheduling policies to provide real time capabilities within the non-real time Linux environment. According to the RTAI website:

RTAI offers the same services of the Linux kernel core, adding the features of an industrial real time operating system. It consists basically of an interrupt dispatcher: RTAI mainly traps the peripherals interrupts and if necessary re-routes them to Linux. It is not an intrusive modification of the kernel; it uses the concept of HAL (hardware abstraction layer) to get information from Linux and to trap some fundamental functions. This HAL provides few dependencies to Linux Kernel. This leads to a simple adaptation in the Linux kernel, an easy RTAI port from version to version of Linux and an easier use of other operating systems instead of RTAI. RTAI considers Linux as a background task running when no real time activity occurs.

The original RTAI project was designed specifically for DIAPM projects, says Mantegazza:

The whole of RTAI, so LXRT also, was born to satisfy DIAPM needs first, it was made available much as it is in the form 'if you like it use it.' Bugs fixing apart, there is very little of RTAI that has been done to show up or to solve non DIAPM problems. However our applications are not trivial, you can bet we have_pushed/are_pushing LXRT to the extremes.

On the other hand, Xenomai was designed to allow developers to port applications from other realtime systems, and therefore it takes a different approach. Gerum describes Xenomai as a "kind of generic RTOS (Real Time Operating System) core" that enable a developer to plug in their own real-time APIs. Gerum says the idea was that most RTOS vendors offer the same functionality, but with "different API window dressings." Xenomai was designed to "provide one generic core running side-by-side with the Linux kernel" that would allow for different APIs.

The RTAI/Fusion project that is now under development works with a "vanilla" Linux kernel running on top of the Adeos (Adaptive Domain Environment for Operating Systems) nanokernel. By running the Linux kernel and Fusion under the Adeos nanokernel, Fusion cooperates with Linux and allows developers to use "any number of real-time APIs at the same time."

Given that there are a number of real time projects for Linux, not to mention the other various RTOSes, we asked whether it would be possible to come up with a "one size fits all" solution for real time operating systems. Mantegazza says yes, but Gerum is not so sure:

Since the traditional RTOS vendors did not succeed in capturing more than a half of the real-time market during the last 20 years, the rest consisting of home-grown solutions, I guess that the answer is no. This said, it should be possible to have a real-time framework which is extensible enough to allow people to build their real-time solution of choice over it. The system would simply provide a few canned interfaces in order to be usable out of the box, by people with common needs.

Simple design and straightforward code layers make the above possible. For instance, DSP-like applications do not necessarily need a full-fledged multi-tasking infrastructure; basic interrupt handlers with predictable preemption time are often enough here. On the other hand, you are not going to run a complete telecom software stack over interrupt service routines, so you need a complete RTOS core and rich utility libraries.

It's important to note that RTAI/Fusion would not replace RTAI/LXRT so much as envelope it, if successful. According to Gerum, the plan is to "refactor the original RTAI 3.x interfaces over Fusion, if this technology is successful."

What's left to implement in Fusion? Gerum says there are several things left to be done:

What remains is about porting to other CPU architectures, extending the toolset and the available canned real-time interfaces including new traditional RTOS emulations.

Fusion already provides a full-fledged event-driven simulator with a nifty GUI for debugging applications on the host system; GDB can also be used to debug the real-time threads in user-space on the target. However, LTT (Linux Trace Toolkit) support is missing, for instance.

Users that are interested in trying RTAI/Fusion can get a jump-start with Debian, which has RTAI packages in testing and unstable.

Though the Real Time market is a small niche of the Linux community, it's good to see healthy projects like RTAI/LXRT and RTAI/Fusion that will give Linux the opportunity to achieve the goal of world domination.

Comments (none posted)

Page editor: Jonathan Corbet

Security

Security news

Habeas returns

Remember Habeas? This is the company which copyrighted a bit of haiku, then restricted the right to include that "work of art" in the headers of an email message. Only non-spam messages could contain the poem without violating the license. The idea was that mail filters could look for the Habeas mark and, upon finding it, deliver the mail with confidence that it was legitimate.

The folks at Habeas were, apparently, surprised to discover that spammers are not as respectful as one might like of copyright law - or much of anything else. It did not take them all that long to start including the Habeas headers in their solicitations, especially once they figured out that filters like SpamAssassin gave a strong bonus to such messages. Rather than being a guarantee of legitimacy, the Habeas headers quickly became one of the most reliable indicators of spam. The SpamAssassin bonus came out, and Habeas disappeared from view.

The company is still there, however, and they have not given up. A new press release issued by the company celebrates the fact that SpamAssassin 3.0 once again gives a bonus to Habeas-marked mail. There is a new twist, however: Habeas now implements an online whitelist of senders whose mail is really thought to be legitimate. Strangely enough, getting onto the whitelist requires that a fee be paid to Habeas.

This new service might just work for certain kinds of commercial emailers, as long as Habeas sticks to its anti-spam standards. We may be seeing the beginning of a shift to a reputation-based mechanism for the filtering of email. Blacklists were clearly the first step in that direction, but they are limited in their scope. A scheme which can track positive reputations might, just, bring a finer degree of control to the spam filtering problem. Or it might just herald an era where purchasing yet another useless digital certificate will be required to get email delivered at all. Either way, it is a development worth watching.

Comments (none posted)

Some Linux kernel security vulnerabilities

Paul Starzetz has discovered a set of security holes in the kernel ELF loader; click below for the details. Essentially, bugs in how the kernel interprets binaries could conceivably be exploited by a local attacker to obtain root privileges or leak information from the kernel. Paul discusses 2.4, but fixes for these problems have just been merged for 2.6 as well. Expect a set of distributor updates in the near future.

Full Story (comments: 14)

New vulnerabilities

apache2: denial of service

Package(s):apache CVE #(s):CAN-2004-0942
Created:November 10, 2004 Updated:November 26, 2004
Description: Versions of Apache 2.0 prior to 2.0.53 contain a bug in the header parsing code which can allow a remote denial of service attack given sufficient bandwidth.
Alerts:
Gentoo 200411-18 2004-11-10
Ubuntu USN-23-1 2004-11-11
Fedora FEDORA-2004-420 2004-11-12
Fedora FEDORA-2004-421 2004-11-12
Red Hat RHSA-2004:562-01 2004-11-12
Mandrake MDKSA-2004:135 2004-11-15
Trustix TSLSA-2004-0061 2004-11-19

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Debian DSA-584-1 2004-11-04
Red Hat RHSA-2005:212-01 2005-04-12
Fedora-Legacy FLSA:152835 2005-07-10

Comments (none posted)

freeamp: arbitrary code execution

Package(s):freeamp CVE #(s):CAN-2004-0964
Created:November 8, 2004 Updated:November 10, 2004
Description: Luigi Auriemma discovered a buffer overflow condition in the playlist module of freeamp which could lead to arbitrary code execution. Recent versions of freeamp were renamed into zinf.
Alerts:
Debian DSA-587-1 2004-11-08

Comments (none posted)

Gallery: cross-site scripting vulnerability

Package(s):Gallery CVE #(s):CAN-2004-1106
Created:November 8, 2004 Updated:January 17, 2005
Description: Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the users gallery.
Alerts:
Gentoo 200411-10:01 2004-11-06
Debian DSA-642-1 2005-01-17

Comments (none posted)

gnats: format string vulnerability

Package(s):gnats CVE #(s):CAN-2004-0623
Created:November 9, 2004 Updated:November 10, 2004
Description: Khan Shirani discovered a format string vulnerability in gnats, the GNU problem report management system. This problem may be exploited to execute arbitrary code.
Alerts:
Debian DSA-590-1 2004-11-09

Comments (none posted)

gzip: insecure temporary files

Package(s):gzip CVE #(s):CAN-2004-0970
Created:November 8, 2004 Updated:December 7, 2004
Description: Trustix developers discovered insecure temporary file creation in supplemental scripts in the gzip package which may allow local users to overwrite files via a symlink attack.
Alerts:
Debian DSA-588-1 2004-11-08
Mandrake MDKSA-2004:142 2004-12-06

Comments (none posted)

Kaffeine, gxine: remotely exploitable buffer overflow

Package(s):Kaffeine gxine CVE #(s):
Created:November 8, 2004 Updated:November 11, 2004
Description: KF of Secure Network Operations has discovered an overflow that occurs during the Content-Type header processing of Kaffeine. The vulnerable code in Kaffeine is reused from gxine, making gxine vulnerable as well. An attacker could create a specially-crafted Content-type header from a malicious HTTP server, and crash a user's instance of Kaffeine or gxine, potentially allowing the execution of arbitrary code. See this SecurityTracker advisory for details.
Alerts:
Gentoo 200411-14:01 2004-11-07

Comments (none posted)

ImageMagick: EXIF buffer overflow

Package(s):ImageMagick CVE #(s):CAN-2004-0981
Created:November 8, 2004 Updated:December 8, 2004
Description: ImageMagick fails to do proper bounds checking when handling image files with EXIF information. An attacker could use an image file with specially-crafted EXIF information to cause arbitrary code execution with the permissions of the user running ImageMagick. See this advisory for more information.
Alerts:
Gentoo 200411-11:01 2004-11-06
Debian DSA-593-1 2004-11-16
Mandrake MDKSA-2004:143 2004-12-06
Red Hat RHSA-2004:636-01 2004-12-08

Comments (none posted)

mtink: insecure tempfile handling

Package(s):mtink CVE #(s):
Created:November 9, 2004 Updated:November 10, 2004
Description: Tavis Ormandy from Gentoo Linux discovered that mtink uses insecure permissions on temporary files. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When mtink is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200411-17 2004-11-09

Comments (none posted)

ruby: infinite loop

Package(s):ruby CVE #(s):CAN-2004-0983
Created:November 8, 2004 Updated:May 15, 2005
Description: The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up cpu cycles.
Alerts:
Debian DSA-586-1 2004-11-08
Mandrake MDKSA-2004:128 2004-11-08
Ubuntu USN-20-1 2004-11-08
Fedora FEDORA-2004-402 2004-11-11
Fedora FEDORA-2004-403 2004-11-11
Gentoo 200411-23 2004-11-16
Red Hat RHSA-2004:635-01 2004-12-13
Fedora-Legacy FLSA:152768 2005-05-12

Comments (none posted)

samba: remote DoS vulnerability

Package(s):samba CVE #(s):CAN-2004-0930 CAN-2004-0882
Created:November 8, 2004 Updated:December 1, 2004
Description: According to this Samba advisory a remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters. Versions of Samba 3.0.x up to and including 3.0.7 are vulnerable.

There is also an advisory about possible buffer overruns in smbd.

Alerts:
Ubuntu USN-22-1 2004-11-10
Gentoo 200411-21 2004-11-11
Mandrake MDKSA-2004:131 2004-11-10
SuSE SUSE-SA:2004:040 2004-11-15
Trustix TSLSA-2004-0058 2004-11-15
Red Hat RHSA-2004:632-01 2004-11-16
Ubuntu USN-29-1 2004-11-18
Mandrake MDKSA-2004:136 2004-11-18
Conectiva CLA-2004:899 2004-11-25
Fedora FEDORA-2004-460 2004-11-29
Fedora FEDORA-2004-459 2004-11-29

Comments (none posted)

shadow: unauthorized modification of account information

Package(s):shadow CVE #(s):CAN-2004-1001
Created:November 4, 2004 Updated:November 23, 2004
Description: The shadow user account utilities have a potential problem with the chfn and chsh utilities that may allow unauthorized users to modify account properties.
Alerts:
Gentoo 200411-09 2004-11-04
Debian DSA-585-1 2004-11-05
Mandrake MDKSA-2004:126 2004-11-04
Ubuntu USN-17-1 2004-11-04
Conectiva CLA-2004:894 2004-11-23

Comments (none posted)

zgv: multiple buffer overflows

Package(s):zgv CVE #(s):
Created:November 8, 2004 Updated:December 14, 2004
Description: Multiple arithmetic overflows have been detected in the image processing code of zgv. An attacker could entice a user to open a specially-crafted image file, potentially resulting in execution of arbitrary code with the rights of the user running zgv. See this BugTraq advisory for more information.
Alerts:
Gentoo 200411-12:01 2004-11-07
Debian DSA-608-1 2004-12-14

Comments (none posted)

zip: arbitrary code execution

Package(s):zip CVE #(s):CAN-2004-1010
Created:November 5, 2004 Updated:February 2, 2005
Description: HexView discovered a buffer overflow in the zip package. The overflow is triggered by creating a ZIP archive of files with very long path names. This vulnerability might result in execution of arbitrary code with the privileges of the user who calls zip. This flaw may lead to privilege escalation on systems which automatically create ZIP archives of user supplied files, like backup systems or web applications.
Alerts:
Ubuntu USN-18-1 2004-11-05
Fedora FEDORA-2004-400 2004-11-08
Fedora FEDORA-2004-399 2004-11-08
Gentoo 200411-16 2004-11-09
Mandrake MDKSA-2004:141 2004-11-25
Red Hat RHSA-2004:634-01 2004-12-16
Debian DSA-624-1 2004-01-05
Fedora-Legacy FLSA:2255 2005-02-01

Comments (1 posted)

Updated vulnerabilities

Archive::Zip: Virus detection evasion

Package(s):Archive::Zip CVE #(s):
Created:October 29, 2004 Updated:November 2, 2004
Description: Archive::Zip can be used by email scanning software (like amavisd-new) to uncompress attachments before virus scanning. By modifying the uncompressed size of archived files in the global header of the ZIP file, it is possible to fool Archive::Zip into thinking some files inside the archive have zero length.
An attacker could send a carefully crafted ZIP archive containing a virus file and evade detection on some email virus-scanning software relying on Archive::Zip for decompression.
Alerts:
Gentoo 200410-31 2004-10-29
Mandrake MDKSA-2004:118 2004-11-01

Comments (none posted)

MIME-tools: parsing bug

Package(s):MIME-tools CVE #(s):
Created:November 2, 2004 Updated:November 2, 2004
Description: According to this RoaringPenguin advisory, there's a bug in MIME-tools: It mis-parses things like boundary="" and apparently there's a virus that uses an empty boundary.
Alerts:
Mandrake MDKSA-2004:123 2004-11-01
Gentoo 200411-06 2004-11-02

Comments (none posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
EnGarde ESA-20040317-003 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Debian DSA-465-1 2004-03-17
Gentoo 200403-03 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Red Hat RHSA-2004:121-01 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Trustix TSLSA-2004-0012 2004-03-17
Whitebox WBSA-2004:120-01 2004-03-22
Fedora FEDORA-2004-095 2004-03-19
Red Hat RHSA-2004:084-01 2004-03-23
Whitebox WBSA-2004:084-01 2004-03-23
Conectiva CLA-2004:834 2004-03-31
Fedora-Legacy FLSA:1395 2004-05-08
Fedora FEDORA-2005-1042 2005-10-31
Red Hat RHSA-2005:829-00 2005-11-02
Red Hat RHSA-2005:830-00 2005-11-02

Comments (1 posted)

PostgreSQL: Insecure temporary file use in make_oidjoins_check

Package(s):PostgreSQL CVE #(s):CAN-2004-0977
Created:October 18, 2004 Updated:December 20, 2004
Description: The make_oidjoins_check script insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200410-16 2004-10-18
Ubuntu USN-6-1 2004-10-27
Debian DSA-577-1 2004-10-29
OpenPKG OpenPKG-SA-2004.046 2004-10-29
Mandrake MDKSA-2004:149 2004-12-13
Red Hat RHSA-2004:489-01 2004-12-20

Comments (none posted)

Speedtouch USB driver: Privilege escalation vulnerability

Package(s):Speedtouch USB driver CVE #(s):
Created:November 2, 2004 Updated:November 11, 2004
Description: The Speedtouch USB driver contains multiple format string vulnerabilities in modem_run, pppoa2 and pppoa3. This flaw is due to an improperly made syslog() system call. A malicious local user could exploit this vulnerability by causing a buffer overflow, and potentially allowing the execution of arbitrary code with escalated privileges.
Alerts:
Gentoo 200411-04 2004-11-02
Mandrake MDKSA-2004:130 2004-11-10

Comments (none posted)

apache: mod_ssl cipher negotiation problem

Package(s):apache CVE #(s):CAN-2004-0885
Created:October 15, 2004 Updated:November 4, 2004
Description: Apache's mod_ssl module may allow content to be retrieved without proper negotiation of the requested cipher suite.
Alerts:
OpenPKG OpenPKG-SA-2004.044 2004-10-15
Gentoo 200410-21 2004-10-21
Mandrake MDKSA-2004:122 2004-11-01
Conectiva CLA-2004:885 2004-11-04

Comments (none posted)

apache: arbitrary code execution

Package(s):apache CVE #(s):CAN-2004-0940
Created:October 29, 2004 Updated:December 14, 2004
Description: According to an Apache announcement, a vulnerability exists in the Apache HTTP server, version 1.3. The problem is a potential buffer overflow in the "get_tag" function of Apache's SSI module "mod_include". It allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI documents that trigger a content length calculation error.
Alerts:
OpenPKG OpenPKG-SA-2004.047 2004-10-29
Slackware SSA:2004-305-01 2004-11-01
Gentoo 200411-03 2004-11-02
Trustix TSLSA-2004-0056 2004-11-05
Debian DSA-594-1 2004-11-17
Mandrake MDKSA-2004:134 2004-11-15
Red Hat RHSA-2004:600-01 2004-12-13

Comments (none posted)

aspell: bounds checking problem

Package(s):aspell CVE #(s):CAN-2004-0548
Created:June 17, 2004 Updated:December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Gentoo 200406-14 2004-06-17
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Mandrake MDKSA-2004:153 2004-12-20

Comments (none posted)

cabextract: missing directory sanitizing

Package(s):cabextract CVE #(s):CAN-2004-0916
Created:October 28, 2004 Updated:November 2, 2004
Description: The cabinet file extraction tool cabextract may allow arbitrary files in upper directories to be overwritten.
Alerts:
Debian DSA-574-1 2004-10-28

Comments (none posted)

catdoc: insecure temp file

Package(s):catdoc CVE #(s):CAN-2003-0193
Created:October 28, 2004 Updated:November 2, 2004
Description: The xlsview utility in catdoc has a vulnerability that may allow local users to overwrite arbitrary files using a symlink attack on predictable temporary file names.
Alerts:
Debian DSA-575-1 2004-10-28

Comments (none posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Mandrake MDKSA-2004:091 2004-09-07
Fedora FEDORA-2004-297 2004-09-09
Fedora FEDORA-2004-298 2004-09-09
Gentoo 200409-18 2004-09-14
Fedora-Legacy FLSA:2058 2005-02-20

Comments (none posted)

Cherokee: format string vulnerability

Package(s):cherokee CVE #(s):
Created:November 1, 2004 Updated:November 2, 2004
Description: Florian Schilhabel from the Gentoo Linux Security Audit Team found a format string vulnerability in the cherokee_logger_ncsa_write_string() function. Using a specially crafted URL when authenticating via auth_pam, a malicious user may be able to crash the server or execute arbitrary code on the target machine with permissions of the user running Cherokee.
Alerts:
Gentoo 200411-02 2004-11-01

Comments (none posted)

ncompress: Buffer overflow

Package(s):compress uncompress ncompress CVE #(s):CAN-2001-1413
Created:October 11, 2004 Updated:December 14, 2004
Description: compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress.
Alerts:
Gentoo 200410-08 2004-10-09
Red Hat RHSA-2004:536-01 2004-12-13

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Gentoo 200410-05 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Mandrake MDKSA-2004:106 2004-10-07
Trustix TSLSA-2004-0053 2004-10-08
Debian DSA-563-1 2004-10-12
Debian DSA-563-2 2004-10-12
Debian DSA-563-3 2004-10-14
Debian DSA-568-1 2004-10-16
Conectiva CLA-2004:889 2004-11-11
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Fedora-Legacy FLSA:2137 2005-02-17
SuSE SUSE-SA:2005:013 2005-03-03
Mandrake MDKSA-2005:054 2005-03-15

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Debian DSA-500-1 2004-05-01
Red Hat RHSA-2004:344-01 2004-08-18
Fedora FEDORA-2004-546 2004-12-15

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
Gentoo 200409-24 2004-09-20
Fedora FEDORA-2004-303 2004-09-21
Conectiva CLA-2004:880 2004-10-27
Fedora-Legacy FLSA:2076 2004-11-05
SuSE SUSE-SA:2006:026 2006-05-30

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Gentoo 200409-29 2004-09-22
Red Hat RHSA-2004:609-01 2004-11-12
Fedora-Legacy FLSA:2187 2005-02-01

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Slackware SSA:2004-296-01 2004-10-25
Gentoo 200410-23 2004-10-24
Ubuntu USN-8-1 2004-10-27
Mandrake MDKSA-2004:117 2004-11-01
Red Hat RHSA-2004:604-01 2004-10-20
Fedora-Legacy FLSA:2188 2005-02-10

Comments (none posted)

gaim: command execution via smiley themes

Package(s):gaim CVE #(s):CAN-2004-0784 CAN-2004-0785
Created:October 21, 2004 Updated:November 12, 2004
Description: gaim may allow arbitrary commands to be executed via shell meta characters in the the tar file name that is dragged to the smiley selector.
Alerts:
Mandrake MDKSA-2004:110 2004-10-21
Conectiva CLA-2004:884 2004-11-04
Red Hat RHSA-2004:400-01 2004-09-07

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora FEDORA-2004-286 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Red Hat RHSA-2004:466-01 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-549-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Mandrake MDKSA-2004:095-1 2004-09-17
Gentoo 200409-28 2004-09-21
Slackware SSA:2004-266-02 2004-09-22
Conectiva CLA-2004:875 2004-10-18
Fedora-Legacy FLSA:2005 2005-02-23

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200410-10 2004-10-10
Ubuntu USN-5-1 2004-10-27
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Gentoo 200410-10:02 2004-10-10
Fedora-Legacy FLSA:136323 2006-01-09
Mandriva MDKSA-2006:051 2006-02-28

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Gentoo 200410-18 2004-10-20
Ubuntu USN-3-1 2004-10-27
Red Hat RHSA-2005:081-01 2005-09-28

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Gentoo 200408-16 2004-08-16
Red Hat RHSA-2005:256-01 2005-05-18

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Gentoo 200410-19 2004-10-21
Ubuntu USN-4-1 2004-10-27
Fedora FEDORA-2004-356 2004-11-11
Red Hat RHSA-2004:586-01 2004-12-20
Mandrake MDKSA-2004:159 2004-12-29
Debian DSA-636-1 2005-01-12
Red Hat RHSA-2005:261-01 2005-04-28
Fedora-Legacy FLSA:152848 2005-11-13

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Red Hat RHSA-2004:373-01 2004-08-04
Whitebox WBSA-2004:373-01 2004-08-19
Fedora-Legacy FLSA:1944 2005-02-20

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Ubuntu USN-13-1 2004-11-01
Gentoo 200411-15 2004-11-08
Mandriva MDKSA-2006:038 2006-02-08

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

imagemagick: buffer overflow vulnerability

Package(s):imagemagick CVE #(s):CAN-2004-0827
Created:September 16, 2004 Updated:November 30, 2004
Description: The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating mal-formed video or image files in the AVI, BMP, or DIB format.
Alerts:
Debian DSA-547-1 2004-09-16
Mandrake MDKSA-2004:102 2004-09-22
Red Hat RHSA-2004:494-01 2004-10-20
Red Hat RHSA-2004:480-01 2004-10-20
Ubuntu USN-7-1 2004-10-27
Ubuntu USN-35-1 2004-11-30

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Mandrake MDKSA-2004:089 2004-09-07
Fedora FEDORA-2004-300 2004-09-09
Fedora FEDORA-2004-301 2004-09-09
Gentoo 200409-12 2004-09-08
Red Hat RHSA-2004:465-01 2004-09-15
Debian DSA-548-1 2004-09-16
Debian DSA-552-1 2004-09-22
Conectiva CLA-2004:870 2004-09-28
Debian DSA-548-2 2005-10-26

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Red Hat RHSA-2003:316-01 2003-11-24
Gentoo 200404-10 2004-04-09
Debian DSA-492-1 2004-04-18
Fedora FEDORA-2004-115 2004-05-11
Fedora FEDORA-2004-154 2004-06-03
Mandrake MDKSA-2004:148 2004-12-13

Comments (none posted)

iptables: missing initialization

Package(s):iptables CVE #(s):CAN-2004-0986
Created:November 1, 2004 Updated:February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least.
Alerts:
Debian DSA-580-1 2004-11-01
Mandrake MDKSA-2004:125 2004-11-04
Ubuntu USN-81-1 2005-02-11
Fedora-Legacy FLSA:2252 2005-02-10

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Ubuntu USN-11-1 2004-10-28
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Gentoo 200411-08 2004-11-03
Debian DSA-589-1 2004-11-09
Debian DSA-591-1 2004-11-09
Ubuntu USN-21-1 2004-11-09
Fedora FEDORA-2004-411 2004-11-11
Fedora FEDORA-2004-412 2004-11-11
Ubuntu USN-25-1 2004-11-15
Mandrake MDKSA-2004:132 2004-11-15
Debian DSA-601-1 2004-11-29
Debian DSA-602-1 2004-11-29
Ubuntu USN-33-1 2004-11-29
Red Hat RHSA-2004:638-01 2004-12-17
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2006:0194-01 2006-02-01
Mandriva MDKSA-2006:114 2006-06-27

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
OpenPKG OpenPKG-SA-2004.035 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
Debian DSA-536-1 2004-08-04
Gentoo 200408-03 2004-08-05
Trustix TSLSA-2004-0040 2004-08-05
Conectiva CLA-2004:856 2004-08-06
Slackware SSA:2004-222-01 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-223-01 2004-08-09
Mandrake MDKSA-2004:082 2004-08-12
Whitebox WBSA-2004:402-01 2004-08-19
Gentoo 200408-22 2004-08-23
Red Hat RHSA-2004:421-01 2004-08-04
Fedora-Legacy FLSA:1943 2005-02-08

Comments (1 posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:February 28, 2005
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2004-353 2004-10-28
Ubuntu USN-10-1 2004-10-28
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Trustix TSLSA-2004-0055 2004-10-29
Gentoo 200411-05 2004-11-02
Debian DSA-582-1 2004-11-02
Mandrake MDKSA-2004:127 2004-11-04
Red Hat RHSA-2004:615-01 2004-11-12
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:650-01 2004-12-16
Ubuntu USN-89-1 2005-02-28

Comments (