The Linux Core Consortium
Last week, Conectiva, Mandrakesoft, Progeny and Turbolinux
announced the creation of the
Linux Core Consortium (LCC), a project to create a common implementation of
the Linux Standard Base (LSB) 2.0. According to the group's press release,
the LCC plans to create this implementation by the first quarter of
2005. In addition to the four member companies, several organizations
issued public statements of support, including Red Hat, Novell, Sun, HP,
Computer Associates, the Free Standards Group and Open Source Development
Labs.
To get a little more information than was contained in the press release,
we talked with Progeny's Ian Murdock, and touched base with Mandrakesoft's
Gaël Duval and Novell's Bruce Lowry about the LCC.
According to Murdock, the key message is that the LCC is "first and
foremost about making the LSB stronger." He noted that the LSB is
useful, but "implementation standards are always more powerful than
paper standards." He was quick to point out that there were several
differences between the LCC and the failed UnitedLinux effort:
Unlike UnitedLinux, which was a separate company set up to manage a
collaborative process...it's a loosely defined collaboration where partners
have equal representation and devote roughly equivalent resources [to the
project].
The LCC also isn't burdened with SCO as a member, which is a strong bonus
in and of itself.
Murdock also said that the LCC is an important goal for Progeny as
well. "We can address both our Debian and RPM customers with that
common core, which is obviously why we're interested in extending to RPM as
well." He also said it was "a shame" that so much
attention is focused on the difference between RPM and Debian packages, and
that he'd like to see Debian directly involved in the LCC.
We asked what it would take for another company to join the
organization. Murdock indicated that the members were eager to have other
companies join the LCC, and that they've invited Red Hat and Novell, but
they haven't completely sorted out requirements. We asked Duval if there
would be a monetary requirement for other organizations. He said no, at
least at this time.
For now there is no monetary requirement, only an agreement to sign, but
this could change, for instance to avoid companies who join just to get free
advertising while providing nothing in return. It's clear that we need only
motivated members in the LCC.
Both Murdock and Duval made it clear that the LCC would also welcome
non-profit organizations like Debian, and they were also looking at a way
to allow participation from individual developers. Murdock said that the
LCC would have "more to say in the coming weeks."
It's not going to be the case where we do all the work ourselves and drop
it in the lap of the open source community and say "here you go." We have a
strong desire to involve the open source community, but it's too early to
say exactly what form that will take.
...we're trying to complement existing efforts in the Linux Standards
Base. The right way to go about that is to be open and inclusive; the end
result will be nothing short of a Linux implementation standard built by
the community and industry. If that's the result, then the result will be a
Linux that is not owned by a single Linux company and that will be good for
all involved.
Of course, the LCC would have a stronger position if the two biggest
players in the industry were involved. While Red Hat and Novell have made
polite noises about the LCC, they haven't committed to it. We asked Lowry
whether Novell's public statement of support would translate into more
concrete action with regards to the LCC. According to Lowry:
We've offered moral support to the LCC for what they're working
toward, which is adoption of the LSB and standardization in the space to
encourage Linux application development. We're not commenting at this
point on whether we might ultimately join. It's something we'll keep an
eye on.
We also requested comment from Red Hat regarding its intentions towards the
LCC, but have not received a reply in time for this article. Murdock said
he can think of reasons why Red Hat and Novell might not choose to
participate:
I can think of some reasons why they might not want to do that [make the
LSB stronger], namely that behind the words, that Linux standards are
important, at the end of the day they're trying to build their own
proprietary position which largely revolves around the ISV certifications
that they have...I suppose that any hesitance on their part represents a
sort of mismatch between what they're saying and what they're doing.
Many in the open source community were disappointed that the UnitedLinux
consortium did not release a working product to the community. Instead,
UnitedLinux was only available as source through the original vendors,
rather than a working product anyone could download. Murdock said that the
LCC would make available an installable version of the distribution that
would be useful for developers, though he added it "won't be
interesting to use on its own."
As Murdock noted, an implementation of the LSB 2.0 standard would be much
more useful and powerful than the standard on paper. We're eager to see the
LCC's first release, and hope this goes a long way towards increasing
interoperability between Linux distributions and providing a unified
platform for software vendors and open source developers to write to.
Comments (6 posted)
De-worming the net
Worms are a problem on the net. Even users of operating systems which tend
not to be afflicted by this sort of malware are affected when worm-caused
traffic clogs the net or brings down sites of interest. So everybody has
an interest in finding ways to reduce the number of worm infections.
Researcher Douglas Barnes has taken a look at the problem and come up with
a new set of recommendations. His work is written up in this
50-page PDF document. We took a look at his work, with an emphasis on
its implications for the free software community.
The paper starts by pointing out that market forces have failed to put an
end to the worm problem. Indeed, the characteristics of the software
market tend to encourage the creation and use of vulnerable software. The
company which wins in the market is the one which is able to get its
product adopted first and establish the de facto standards. So
manufacturers have a great incentive to emphasize features and time to
market over security. Since moving away from buggy software can be
difficult, software vendors tend not to pay much of a cost for security
incidents which involve their products.
The author notes that free software is a pleasant exception to this
problem:
Open Source software is often developed by, or with substantial
participation from particularly security-conscious users. These
users have strong incentives to participate in initial development
in order to prevent having to rework the product later or create a
more secure "fork."
Open source does not directly address the problem of user flaws,
and particular projects can be as rushed and buggy as proprietary
software. However, because it is open and modifiable by anyone, it
is at least capable of responding to those users who are
concerned.
Some commenters (notably Bruce Schneier) have proposed that software
vendors should be made legally liable for flaws in their products. At that
point, they will have a strong motivation to take the time to get things
right. Mr. Barnes, however, thinks that the liability approach will not
work. Many quirks in the U.S. justice system make it hard to win a suit
based on software flaws; these include the enforceability of "click-wrap"
licenses, the notion that the vendor is not the real cause of security
problems (the crackers are), and the interesting precedent that loss of
data is not considered to be "physical harm." The potential harm to free
software projects is also mentioned as a reason to avoid the litigation
approach.
So how is the worm problem to be solved? Mr. Barnes has three suggestions:
- Bug Bounties. The success of bounties offered to those who report
security-related bugs in programs like Netscape and djbdns is remarked
upon. Mr. Barnes notes, however, that software companies are
generally uninterested in offering bug bounties. So, he says,
bounties should be imposed upon them by way of a publicly-administered
program. Software publishers would contribute to a fund which would
be used to pay bounties.
- Quality standards for software. The idea here is that worms should be
treated as if they were an environmental issue; some sort of
regulatory agency would be empowered to impose standards upon
software. No suggestions for specific standards are made.
- Penalties for use of insecure software. Users, this paper claims, do
not sufficiently value security in software. To help them see the
error of their ways, a penalty would be imposed on users who insist on
running software known to be insecure.
Establishing this sort of regulatory regime looks like an uphill battle, to
say the least. That is likely to be a good thing; the imposition of a
heavy-handed, low-clue regulatory agency upon the software industry could
easily do more harm than good. But the community can - and does - benefit
from these ideas already.
Free software projects with the requisite funding have used bug bounties
before; the original such bounty may well have been Donald Knuth's rewards
to those who found bugs in TeX. Even in the absence of cash
bounties, numerous white-hat researchers can be seen digging for security
bugs in free software for the reputation benefits and the sheer fun of
it. Perhaps groups like OSDL could consider offering bounties on security
bugs in certain bodies of code as a way of encouraging this process.
Free projects often have software quality standards as well, though they
vary greatly from one project to the next. Peer review can help to find
any of a number of obvious mistakes; in some projects, code is increasingly
unlikely to be accepted if it is not seen as being up to certain
standards. Many projects could benefit from stronger standards, however,
and from some sort of documentation of just what their standards are.
The community has little sympathy for penalizing users for their software
choices, certainly. Still, that approach can be seen in some corners.
Firefox will nag at people who use a version known to have
vulnerabilities. Hopelessly insecure packages become unsupported and
unavailable from distributions, forcing users to find an alternative. But
the community has put most of its effort into an alternative approach:
making it as easy as possible to run a system without known
vulnerabilities. Most modern distributions can be kept updated with little
or no effort; it's almost harder not to patch them.
So, perhaps, the free software community already has most of the tools it
needs to contribute toward a worm-free net. No regulatory action required.
All that is needed is to get the rest of the software community to catch
up.
Comments (14 posted)
A followup on comment policy
Last week, we posted
a request
for comments on a proposed policy change which would limit comment
posting privileges to paying subscribers. One should not post an RFC if
one is not prepared to get comments; we got over 150 (at last count) of
them. As a result of our reading of these comments, the proposed policy
change will probably
not go into effect.
While a wide variety of opinions was posted, there seems to be something
close to a consensus on two points:
- The problem of noise posts on LWN really is not all that bad. Not
yet, at least.
- The non-subscribing posters have worthwhile things to say, and there
are numerous readers who have legitimate reasons for not subscribing.
The overall sense we got from the posted comments is that silencing the
non-subscribing commenters is an overreaction to a small problem and not
warranted - or desirable - at this time. So we will not do it.
There were various alternative ideas posted, some of which we will likely
act upon in the relatively near future. These include:
- Marking comments in such a way that makes the subscription status of
their posters evident. This one is easy and will likely be done.
- Add optional filtering capabilities for subscribers, making it
possible to hide comments from specific people, or from
non-subscribers in general.
There have been suggestions for active moderation of comments.
Frankly, the editors of LWN have no time for, or interest in, running any
sort of comment approval process. That process would be no fun at all, and
there would be no way to do it without coming across as censors. Active
moderation of comments can also increase the risk of legal hassles
resulting from defamatory or infringing comments.
Moderation by LWN's readers has also been raised as a possibility, though
not everybody likes that idea. We could consider the introduction of a
reader moderation or recommendation scheme, but that is likely to be
further in the future. The programming requirements are higher, and our
current server would be unlikely to handle the additional database load in
any sort of graceful manner.
Some other suggestions have been made. One was to publicly reveal the
real-world identity of abusive posters. Problems with that approach are
(1) we do not require readers to provide us with that information, and
(2) even when we have it, revealing it would violate our privacy
policy. We take that policy seriously, and will not be compromising it.
Another idea was simply revoking comment privileges from abusive posters.
The problem there is that, as long as LWN accounts are free, a blocked
poster can simply create a new account and start over.
This has been an interesting exercise, anyway. In the end, LWN exists for
its readers; if we do not serve your needs, there is little point in our
being here. So we greatly appreciate the time you all have taken to
provide feedback on our ideas. Rest assured that this feedback has been
heard, and that we will continue to work to make LWN the best that it can
be.
Comments (46 posted)
Page editor: Jonathan Corbet
Security
Who gets CERT's attention
Backers of proprietary software have, at times in the past, resorted to
claims that Linux and free software are the subject of more CERT advisories
than other systems. Such claims have been strikingly absent recently.
Since our detractors have apparently been too busy to tally up CERT's
output this year, we've decided to do it for them. Here's the full list of
CERT's 2004 "technical cyber security alerts"; an X marks the platform(s)
charged with each one:

| ID | Date | Vulnerability | Linux | Windows | Other |
|---|---|---|---|---|---|
| TA04-028A | Jan 28 | MyDoom.B virus | | X | |
| TA04-033A | Feb. 2 | Multiple Internet Explorer holes | | X | |
| TA04-036A | Feb. 5 | Check Point Firewall HTTP parsing | | | X |
| TA04-041A | Feb. 10 | Multiple ASN.1 holes | | X | |
| TA04-070A | Mar. 10 | Outlook mailto: handling vulnerability | | X | |
| TA04-078A | Mar. 19 | Multiple OpenSSL vulnerabilities | X | | |
| TA04-099A | Apr. 8 | Outlook Express MHTML cross-domain | | X | |
| TA04-104A | Apr. 14 | Multiple vulnerabilities in Microsoft products | | X | |
| TA04-111A | Apr. 20 | TCP/BGP session termination | X | | X |
| TA04-111B | Apr. 20 | Cisco IOS SNMP message handling | | | X |
| TA04-147A | May 26 | CVS heap overflow | X | | |
| TA04-160A | Jun. 9 | Oracle SQL injection | | | X |
| TA04-163A | Jun. 11 | Internet Explorer cross-domain redirect | | X | |
| TA04-174A | Jun. 22 | Multiple DHCP vulnerabilities | X | | |
| TA04-184A | Jul. 2 | Internet Explorer ADODB.Stream control | | X | |
| TA04-196A | Jul. 14 | Multiple Windows/Outlook vulnerabilities | | X | |
| TA04-212A | Jul. 30 | "Critical" Windows/IE remote code execution | | X | |
| TA04-217A | Aug. 4 | Multiple libpng vulnerabilities | X | | |
| TA04-245A | Sep. 1 | Multiple Oracle vulnerabilities | | | X |
| TA04-247A | Sep. 3 | MIT Kerberos 5 | X | | |
| TA04-260A | Sep. 16 | Microsoft JPEG component | | X | |
| TA04-261A | Sep. 17 | Multiple Mozilla vulnerabilities | X | | |
| TA04-293A | Nov. 10 | Multiple Internet Explorer vulnerabilities | | X | |
| TA04-315A | Nov. 11 | Internet Explorer buffer overflow | | X | |
| TA04-316A | Nov. 11 | IOS input queue vulnerability | | | X |
| | | TOTALS: | 7 | 13 | 6 |
Now, one can raise all sorts of complaints about this table. The logic
that assigns the Mozilla vulnerability to Linux could also, easily, have
charged it to Windows as well. The process by which CERT chooses
vulnerabilities worthy of "cyber security alerts" is poorly understood.
And so on.
There are seven vulnerabilities in the Linux column - and that is seven too
many. But that is far fewer than the count in the proprietary columns. Many
of the Windows vulnerabilities affect a large percentage of users, whereas
very few users were affected by most of the Linux problems. The CERT
advisory count is a flawed measure at best, but, within its limits, it shows
that things could be a lot worse.
Comments (14 posted)
New vulnerabilities
bugzilla: remote vulnerability
| Package(s): | bugzilla |
| CVE #(s): | |
| Created: | November 23, 2004 |
| Updated: | November 23, 2004 |
| Description: | Bugzilla versions prior to 2.16.7 have a vulnerability which allows a remote user to remove keywords from a ticket even without the necessary permissions. Such an action, however, would trigger the usual e-mail detailing the changes, making it easy to discover what happened and what was changed. |
| Alerts: | |
Comments (none posted)
cyrus-imap: multiple remote vulnerabilities
| Package(s): | cyrus-imap |
| CVE #(s): | CAN-2004-1012, CAN-2004-1013 |
| Created: | November 23, 2004 |
| Updated: | December 3, 2004 |
| Description: | Several vulnerabilities have been found in Cyrus IMAP Server <= 2.2.8 that could allow remote execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
fcron: denial of service vulnerabilities
| Package(s): | fcron |
| CVE #(s): | CAN-2004-1031, CAN-2004-1030, CAN-2004-1032, CAN-2004-1033 |
| Created: | November 18, 2004 |
| Updated: | November 23, 2004 |
| Description: | The fcron command scheduler has multiple vulnerabilities that may allow a local user to cause a denial of service. |
| Alerts: | |
Comments (none posted)
kernel: vulnerabilities in the smb file system
Comments (1 posted)
ProZilla: Multiple vulnerabilities
| Package(s): | ProZilla |
| CVE #(s): | CAN-2004-1120 |
| Created: | November 23, 2004 |
| Updated: | February 1, 2005 |
| Description: | ProZilla contains several exploitable buffer overflows in the code handling the network protocols. A remote attacker could set up a malicious server and entice a user to retrieve files from that server using ProZilla. This could lead to the execution of arbitrary code with the rights of the user running ProZilla. |
| Alerts: | |
Comments (none posted)
xorg-x11: integer overflows
| Package(s): | xorg-x11 |
| CVE #(s): | CAN-2004-0914 |
| Created: | November 18, 2004 |
| Updated: | September 12, 2005 |
| Description: | The X.Org libXpm library has several integer overflow vulnerabilities. An attacker can modify XPM images to execute malicious code. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
Gallery: cross-site scripting vulnerability
| Package(s): | Gallery |
| CVE #(s): | CAN-2004-1106 |
| Created: | November 8, 2004 |
| Updated: | January 17, 2005 |
| Description: | Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the user's gallery. |
| Alerts: | |
Comments (none posted)
ImageMagick: EXIF buffer overflow
| Package(s): | ImageMagick |
| CVE #(s): | CAN-2004-0981 |
| Created: | November 8, 2004 |
| Updated: | December 8, 2004 |
| Description: | ImageMagick fails to do proper bounds checking when handling image files with EXIF information. An attacker could use an image file with specially-crafted EXIF information to cause arbitrary code execution with the permissions of the user running ImageMagick. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
PostgreSQL: Insecure temporary file use in make_oidjoins_check
| Package(s): | PostgreSQL |
| CVE #(s): | CAN-2004-0977 |
| Created: | October 18, 2004 |
| Updated: | December 20, 2004 |
| Description: | The make_oidjoins_check script insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When make_oidjoins_check is called, this would result in file overwrite with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (none posted)
apache: arbitrary code execution
| Package(s): | apache |
| CVE #(s): | CAN-2004-0940 |
| Created: | October 29, 2004 |
| Updated: | December 14, 2004 |
| Description: | According to an Apache announcement, a vulnerability exists in the Apache HTTP server, version 1.3. The problem is a potential buffer overflow in the "get_tag" function of Apache's SSI module "mod_include". It allows local users who can create SSI documents to execute arbitrary code as the Apache run-time user via SSI documents that trigger a content length calculation error. |
| Alerts: | |
Comments (none posted)
apache2: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2004-0942 |
| Created: | November 10, 2004 |
| Updated: | November 26, 2004 |
| Description: | Versions of Apache 2.0 prior to 2.0.53 contain a bug in the header parsing code which can allow a remote denial of service attack given sufficient bandwidth. |
| Alerts: | |
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
| CVE #(s): | CAN-2004-0548 |
| Created: | June 17, 2004 |
| Updated: | December 20, 2004 |
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. |
| Alerts: | |
Comments (none posted)
BNC: Buffer overflow vulnerability
| Package(s): | bnc |
| CVE #(s): | |
| Created: | November 16, 2004 |
| Updated: | December 1, 2004 |
| Description: | Leon Juranic discovered that BNC fails to do proper bounds checking when checking server response. An attacker could exploit this to cause a Denial of Service and potentially execute arbitrary code with the permissions of the user running BNC. |
| Alerts: | |
Comments (none posted)
bogofilter: denial of service
| Package(s): | bogofilter |
| CVE #(s): | CAN-2004-1007 |
| Created: | November 17, 2004 |
| Updated: | November 17, 2004 |
| Description: | Bogofilter has a vulnerability in its quoted-printable processing code which may be exploited to crash the process. |
| Alerts: | |
Comments (none posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: | |
Comments (none posted)
ncompress: Buffer overflow
| Package(s): | compress uncompress ncompress |
| CVE #(s): | CAN-2001-1413 |
| Created: | October 11, 2004 |
| Updated: | December 14, 2004 |
| Description: | compress and uncompress do not properly check bounds on command line options, including the filename. Large parameters would trigger a buffer overflow. By supplying a carefully crafted filename or other option, an attacker could execute arbitrary code on the system. A local attacker could only execute code with his own rights, but since compress and uncompress are called by various daemon programs, this might also allow a remote attacker to execute code with the rights of the daemon making use of ncompress. |
| Alerts: | |
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
| Alerts: | |
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. |
| Alerts: | |
Comments (none posted)
ez-ipupdate: format string vulnerability
| Package(s): | ez-ipupdate |
| CVE #(s): | CAN-2004-0980 |
| Created: | November 11, 2004 |
| Updated: | November 17, 2004 |
| Description: | ez-ipupdate, a dynamic DNS file updating utility, has a format string vulnerability that can lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
FreeRADIUS: denial of service
| Package(s): | freeradius |
| CVE #(s): | CAN-2004-0938, CAN-2004-0960, CAN-2004-0961 |
| Created: | September 22, 2004 |
| Updated: | February 2, 2005 |
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
| Alerts: | |
Comments (none posted)
gaim: buffer overflow in MSN protocol
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0891 |
| Created: | October 25, 2004 |
| Updated: | February 11, 2005 |
| Description: | A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. |
| Alerts: | |
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
Comments (none posted)
gimps: insecure installation
| Package(s): | gimps |
| CVE #(s): | |
| Created: | November 18, 2004 |
| Updated: | November 23, 2004 |
| Description: | The GIMPS, SETI@home and ChessBrain applications have installation vulnerabilities caused by installation with improper file ownerships. User-owned files can be run with root privileges on initialization. |
| Alerts: | |
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
Comments (none posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: | |
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
gzip: insecure temporary files
| Package(s): | gzip |
| CVE #(s): | CAN-2004-0970 |
| Created: | November 8, 2004 |
| Updated: | December 7, 2004 |
| Description: | Trustix developers discovered insecure temporary file creation in supplemental scripts in the gzip package which may allow local users to overwrite files via a symlink attack. |
| Alerts: | |
Comments (none posted)
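Several of the entries above (PostgreSQL's make_oidjoins_check, gettext, the ghostscript scripts, glibc's catchsegv, groff's groffer, gzip's supplemental scripts and flim) describe the same defect: a helper script creating a temporary file or directory under a predictable name in a world-writable directory, so that a pre-planted symlink redirects the write. The POSIX sh below is an added example, not code from any of those packages, and all function names are hypothetical; it places the vulnerable idiom beside the mktemp(1) idiom that replaces it, and adds two checks a script can run before it trusts a scratch path.

```shell
#!/bin/sh
# Added example (not code from any package listed above): the temporary-file
# idiom behind the symlink advisories on this page, and the mktemp(1) fix.
# All function names are hypothetical.

# The vulnerable idiom: a predictable name under the world-writable /tmp,
# later opened by plain redirection (O_CREAT without O_EXCL). If a local user
# has already planted a symlink at that name, the write follows the link and
# clobbers its target with the privileges of whoever runs the script.
unsafe_tmpfile() {
    echo "/tmp/example.$$"
}

# The fix: let mktemp(1) create the file itself, atomically, with
# O_CREAT|O_EXCL, mode 0600 and an unpredictable suffix. The path is printed
# only after creation succeeded, so a pre-planted name makes mktemp fail
# rather than being followed. Honours $TMPDIR.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/example.XXXXXX"
}

# Same idea for a scratch directory (the groffer case): mktemp -d creates it
# with mode 0700, so no other user can plant anything inside it.
safe_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/example.XXXXXX"
}

# Defensive check before writing to a path handed to the script: refuse
# symbolic links, accept only an existing regular file or directory.
not_a_symlink() {
    [ ! -L "$1" ] && { [ -f "$1" ] || [ -d "$1" ]; }
}

# Portable permission check via ls(1): the first ten mode characters must be
# -rw------- (file) or drwx------ (directory), i.e. private to the creator.
is_private() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|drwx------) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use: create, register cleanup for normal exit and signals, write.
# Returns 0 when the scratch file passed both checks after being written.
use_scratch_file() {
    tmp=$(safe_tmpfile) || return 1
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    printf 'scratch data\n' > "$tmp"
    not_a_symlink "$tmp" && is_private "$tmp"
}
```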
imagemagick: buffer overflow vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2004-0827 |
| Created: | September 16, 2004 |
| Updated: | November 30, 2004 |
| Description: | The ImageMagick graphics library has several buffer overflow vulnerabilities that allow an attacker to crash the reading process by creating malformed video or image files in the AVI, BMP, or DIB format. |
| Alerts: | |
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: | |
Comments (none posted)
iptables: missing initialization
| Package(s): | iptables |
| CVE #(s): | CAN-2004-0986 |
| Created: | November 1, 2004 |
| Updated: | February 11, 2005 |
| Description: | Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. At least with the rules provided by lokkit, this caused a failure. |
| Alerts: | |
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.
Alternatively, as a workaround for this vulnerability, issue the following command as root:
chmod -s /usr/bin/uml_net |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. |
| Alerts: | |
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | February 28, 2005 |
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed. |
| Alerts: | |
Comments (none posted)
libxpm4: stack and integer overflows
| Package(s): | libxpm4 |
| CVE #(s): | CAN-2004-0687, CAN-2004-0688 |
| Created: | September 16, 2004 |
| Updated: | February 14, 2005 |
| Description: | There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service. |
| Alerts: | |
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: | |
Comments (none posted)
lvm10: creates insecure temporary directory
| Package(s): | lvm10 |
| CVE #(s): | CAN-2004-0972 |
| Created: | November 1, 2004 |
| Updated: | July 25, 2005 |
| Description: | Trustix Secure Linux discovered a vulnerability in a supplemental script of the lvm10 package. The program "lvmcreate_initrd" created a temporary directory in an insecure way, which could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
Midnight Commander: extfs vfs vulnerability
| Package(s): | mc |
| CVE #(s): | CAN-2004-0494 |
| Created: | September 2, 2004 |
| Updated: | January 5, 2005 |
| Description: | Midnight Commander has a vfs vulnerability with shell quoting in extfs perl scripts. |
| Alerts: | |