LWN.net Logo

LWN.net Weekly Edition for January 13, 2005

Review: Linux Application Development, Second Edition

In the late 1990's, Linux began to attract large-scale attention beyond the relatively small, hacker community which had been working on it for some [LAD cover] time. With all that attention came many new developers who liked what they saw and wanted to be a part of it. The book that many of those developers kept next to their keyboard was the classic Linux Application Development (LAD), by early Red Hat hackers Michael K. Johnson and Erik W. Troan. LAD was published in 1998, meaning that, at this point, it is vastly out of date. The Linux world does not stand still, and does not make life easy for those who would publish technical reference books. Trust your editor on this.

So it was a pleasant surprise to see a new edition of LAD show up in the mail. This core text, it turns out, has not gone out of maintenance after all.

According to the preface:

You can now browse and search the entire content of this book at http://ladweb.net to make this book even more useful to you.

As of this writing, the web site has not caught up with that claim - it still discusses the first edition (and with no "entire content") to browse. One assumes that situation will be rectified in time. If the book is being released under some sort of free license, however, that is not stated explicitly.

The structure and content of the book has not changed all that much from the first edition: LAD still concerns itself with low-level Linux programming, system calls, and some C libraries. The updates are to be found in the details: the text now matches, for the most part, the interfaces provided by the 2.6 kernel and glibc 2.3. Some new interfaces (such as epoll()) have been covered, and there is a new chapter on security pitfalls and how to avoid them. The discussion of the socket interface covers IPv6, the regular expression discussion has been expanded, real-time signals are covered, etc.

With these changes, LAD is, once again, the definitive reference for the low-level Linux C API. Whether you need to learn about memory allocation debugging facilities, the details of process management, file descriptor magic, or more, you're likely to find what you need in this book. Much of that information is also available in generic Unix texts; the difference is that LAD looks at exactly what Linux offers. While Linux follows the relevant standards to a great degree, there are many places where Linux diverges from the standards or offers extra capabilities. A reference book which documents the Linux way of doing things is a good thing.

That said, your editor does have some quibbles with the second edition. One is that the update appears, in many places, to have been done in a hurry. The LGPL is called the "Library General Public License" - but it has not had that name for quite a few years now. The recommended system administration book is Sobel's A Practical Guide to Red Hat Linux 8. The (new) documentation of strace claims that it writes to the standard output, which is not true (it writes to stderr). Passwords, it claims, are usually stored in /etc/passwd. Many flags to the clone() system call are missing; a number of mmap() flags are absent as well. Your editor may have been willing to forgive all of this if the authors, while being nice enough to mention Linux Device Drivers, had noticed that a new edition has come out since 1998.

Perhaps more to the point, however, LAD may be falling behind the way that applications are being developed for Linux. Your editor has certainly done his time writing ioctl() calls to control TTY parameters - but not recently. The chapters on virtual consoles and S-Lang seem rather quaint. While a great deal of Linux software is still developed in C, quite a bit is not. After reading LAD, one might almost conclude that graphical applications simply do not exist under Linux. The authors clearly had to limit their scope, and they cannot be faulted for failing to document, say, the GNOME and KDE libraries. But the second edition could have been an ideal vehicle for pointing developers toward the sorts of tools being used for new code, and away from writing TTY-oriented applications.

That said, application developers still need to understand how to manage memory, create processes, handle signals, work with files, etc. The second edition of Linux Application Development fills that need and more; it is a most welcome update. It will, beyond doubt, find a location very near the keyboards of a great many Linux application hackers.

Comments (2 posted)

Debian and Mozilla - a study in trademarks

The Mozilla Foundation is the keeper of a number of increasingly important projects, including the Firefox web browser and the Thunderbird mail client. These programs are free software, licensed under the Mozilla Public License. Thus, one would think, distributors would have no trouble including these packages in their distributions. As the Debian Project's experience shows, however, free software can still come with certain kinds of strings attached.

The issue at hand is trademarks. Mozilla Foundation software comes with trademarked names, and the use of those names is governed by the Mozilla Trademark Policy. If you want to distribute software called "Mozilla Firefox" or "Mozilla Thunderbird," you must adhere to a strict policy which includes signing an agreement with the Foundation and making almost no changes to the software. No extensions may be added, the list of search engines cannot be changed (they paid to be there, after all), etc. This highly-restrictive policy was never going to work with the Debian Project's needs.

Another approach is the "community edition" policy. A wider (but still narrow) range of changes is allowed, and the distributor can use the names "Firefox Community Edition." The commands can be called firefox and thunderbird. The Foundation maintains a veto right over uses of the "community edition" names, however:

Community members and organizations can start using the "Firefox Community Edition" and "Thunderbird Community Edition" trademarks from day one, but the Mozilla Foundation may require individuals or teams to stop doing so in the future if they are redistributing software with low quality and efforts to remedy the situation have not succeeded.

So anybody distributing a "community edition" must live with the possibility of receiving a "takedown notice" from the Mozilla Foundation at any time. The Foundation's goals are certainly understandable:

...we need to keep enough control over our trademarks to make sure they are a sign of quality and safety. It needs to be impossible, for example, for someone to release a product called 'Firefox' that has added spyware. We want to avoid someone building a highly-optimized but unstable build and passing it off as official.

Most readers will agree that a spyware-enabled Firefox is a bad idea, though whether purveyors of spyware will have much respect for trademarks is an open question.

The Debian Project insists on shipping nothing but free software, and freedom certainly includes the right to modify the code. Debian currently includes patches which may go beyond the trademark policy's guidelines - an extension manager which understands multi-user systems, for example. A strict reading of the community edition guidelines suggests that not even security patches could be distributed without prior approval from the Mozilla Foundation. The Debian Project certainly wants to be able to distribute modified versions of the code; the Project is also known for a close and literal reading of licenses. So the Debian developers are concerned about the whole trademark issue.

The Mozilla Foundation wants to work with Debian to get past these issues:

We want people to use Thunderbird in Debian, and to know they are using Thunderbird, and to get the high quality experience people get from using our Thunderbird. And we want to come to some arrangement with Debian to make that possible.

This arrangement could possibly include allowing Debian to apply its own patches to Firefox and Thunderbird and still use the community names. The Foundation seems to have a fairly high level of trust in Debian's ability to keep the quality up. Debian's users are another story, however:

However, you guys want the freedom to ship software that sucks - or, more to the point and more likely, want to be able to easily give your software to other people and allow them to make it suck and then ship it. If that software ships using our trademarks, then that is incompatible with our trademark goals. So if we can't come to some arrangement that lets Debian use them but asks redistributors to contact us or remove them, then it's increasingly looking like we can't square this circle.

So it looks somewhat like the Foundation would like to make a special policy exemption for Debian. The problem there is that Debian-specific licenses violate section 8 of the Debian Free Software Guidelines. Those guidelines apply to software licenses, not trademark policies, but the principle remains the same. The Debian Project is unlikely to accept a policy which does not extend to its users.

The discussion has quieted - it may have gone into a non-public mode - so it is difficult to say where things stand now. If an agreement cannot be found, Debian will still be able to distribute Firefox and Thunderbird - they are free software - but different names will have to be chosen. "Iceweasel" has been the working code name for this scenario; many other names have been suggested as well. This outcome would not be pleasing to any of the parties involved, however; one assumes it will be avoided if at all possible.

Mozilla is unlikely to be the last project that decides that it wants to achieve some sort of quality control through its trademarks. That wish is understandable, but it is also very much at odds with the spirit of free software, which involves letting go of the code. One has to accept that not everybody will have the same idea of what makes "high quality." Incidents of free software projects being harmed by distribution of poorly-done modifications have been rare, and, perhaps, are not worth the worry that is being put into them here. Mozilla has done an outstanding job of creating powerful and useful software; now, perhaps, the Foundation may want to relax and trust its users just a little more.

Comments (49 posted)

IBM's patent pledge

January 12, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

On January 11, IBM announced that it would make 500 patents available for use in projects using Open Source Initiative (OSI) approved licenses. The list of patents and IBM's pledge is available as a PDF. According to the statement, IBM has indicated it will not assert any of the 500 patents against distributors of open source software, so long as the distributing party does not file lawsuits using patents or other intellectual property rights against open source software.

The list of patents ranges from a "Method and apparatus for batching the receipt of data packets" (U.S. Patent Number 5,260,942) to a "System and method for ensuring QoS in a token ring network" (5,642,421). Given that IBM has listed 500 patents, this reporter has not had time to read each patent, but suffice it to say that the patents cover a wide range of applications from human language processing to web services and data processing.

Reaction to IBM's move has been mixed. OSDL's Stuart Cohen is apparently in support of IBM's pledge, and Larry Lessig was also quoted as saying that it was "exciting."

Others were not so impressed. Florian Mueller points out that "We're talking about roughly one percent of IBM's worldwide patent portfolio. They file that number of patents in about a month's time." Mueller also called it a "diversionary tactic, which may be accurate given IBM's support of the European Patent Directive that has been denounced by many of the leading members of the open source community.

There is ample room for skepticism. IBM's move offers up only a small portion of its patent portfolio for use by open source projects. To put it another way, IBM is withholding the remainder of its patent portfolio, without any assurance that open source projects (with the exception of the Linux kernel) are safe from potential litigation.

We spoke to IBM's manager of worldwide Linux marketing strategy, Adam Jollans, about the patents. Jollans said that IBM was "seeing a shift from innovation in commercial companies to cooperative innovation," and that the patent pledge was a way to support that.

We asked why IBM picked 500 rather than 50 or 5,000, or simply giving open source a pass altogether. Jollans said that IBM "has to start somewhere" and that 500 was a number that would prove it was a significant announcement. No reason was given for holding back the majority of IBM's patent portfolio. Jollans did say that IBM's choice of patents was not random, and were picked because they were "500 that we believe will be useful" to open source.

IBM's move could also be seen as an attempt to take some of the steam out of the anti-software patent movement in Europe as the EU considers a motion to start over with the software patent directive. We also asked why IBM had not chosen to take a stand against software patents altogether. Jollans said that IBM supported patents, but that "patents should reflect innovation rather than just a general idea."

Jollans said that IBM is encouraging other companies to step up and offer the use of their patents for open source as well. Whether or not any companies will do so is yet to be seen.

By offering only a small sample of its patent portfolio, IBM is well-positioned to take offensive action should it ever decide to do so. If there were an open source project that IBM wanted to quash, there are more patents where the first 500 came from. IBM has shown no interest in launching patent attacks against free software, and the company certainly understands what such an attack would do to its standing in the community. Even so, there's no guarantee that IBM will always be so well-intentioned.

Ultimately, IBM's "patent pledge" is a good PR move, but little more. IBM has little to gain from asserting its patents against open source projects, and stands to benefit from the continued development of Linux and other open source projects. By offering a non-aggression pact towards open source projects, IBM effectively says it's OK to develop programs that might infringe on (some of) its patents, so long as those programs are available to IBM under open source terms. That's a far cry from the desired outcome of barring software patents altogether, but it's still a step in the right direction.

Comments (26 posted)

Page editor: Jonathan Corbet

Security

Linux kernel security

There has been a surprising series of kernel security problems reported over the last week. These include:

  • The uselib() vulnerability disclosed by Paul Starzetz. A locking mistake in an old and mostly unused system call creates a race condition which can be exploited to change protections on memory - and compromise the system. The exploit has not been released, but Mr. Starzetz claims that the race is relatively easy to exploit by first consuming large amounts of memory to force the kernel to sleep in the right spot.

  • Paul Starzetz also discovered a race condition in the page fault handler which can only be exploited on SMP systems. If two threads tried to expand the same downward-growing memory segment at the same time, the result could be an exploitable corruption of the page tables.

  • The grsecurity team, frustrated at a seeming lack of interest in security problems among the kernel developers, disclosed five vulnerabilities at once. One of these is a denial-of-service problem where users could lock more than the authorized amount of memory into physical RAM; as it turns out, the kernel developers still are not overly concerned about that problem. The other vulnerabilities require root access (or at least access to physical devices) to exploit; one of them is in a driver which does not compile in 2.6.

Fixes for the first two vulnerabilities have been merged into the pre-2.6.11 BitKeeper repository; the last set will be fixed as well, but with less urgency. Fixes can also be found in the -ac tree and in the updated kernels being issued by distributors.

One concern that has been raised by these disclosures is that the new kernel development model, by encouraging such large changes between releases, is allowing the creation of more security problems. While that worry could yet prove to be justified, all of the vulnerabilities listed above, with the exception of the RLIMIT_MEMLOCK denial of service problem, are present in the 2.4 kernel as well. They were not introduced or enabled by the new development model.

Another concern is more valid, however: the kernel development project does not have an official security contact or process for handling security problems. Developers who know how the kernel process works have no trouble getting consideration for security-related problems and patches, but the whole process looks far more opaque to the rest of the world. There is a clear need for an easily-found contact for kernel security issues. Chris Wright, who has done a fair amount of security-related kernel work, is pushing for improvements in this area, and, most importantly, has volunteered to do much of the work. So chances are this problem will not last much longer.

Comments (11 posted)

New vulnerabilities

bmv: insecure temporary file

Package(s):bmv CVE #(s):CAN-2003-0014
Created:January 11, 2005 Updated:January 12, 2005
Description: Peter Samuelson, upstream maintainer of bmv, a PostScript viewer for SVGAlib, discovered that temporary files are created in an insecure fashion. A malicious local user could cause arbitrary files to be overwritten by a symlink attack.
Alerts:
Debian DSA-633-1 2005-01-11

Comments (none posted)

dillo: format string vulnerability

Package(s):dillo CVE #(s):CAN-2005-0012
Created:January 10, 2005 Updated:January 12, 2005
Description: Gentoo Linux developer Tavis Ormandy found a format string bug in Dillo's handling of messages in a_Interface_msg(). An attacker could craft a malicious web page which, when accessed using Dillo, would trigger the format string vulnerability and potentially execute arbitrary code with the rights of the user running Dillo.
Alerts:
Gentoo 200501-11 2005-01-09

Comments (none posted)

exim: buffer overflows

Package(s):exim CVE #(s):CAN-2005-0021 CAN-2005-0022
Created:January 7, 2005 Updated:February 15, 2005
Description: A buffer overflow in the host_aton() function in Exim 4.4x may allow execution of arbitrary commands with elevated privileges by a local user. This has been patched in Exim 4.43.

Additionally, there is a another buffer overflow in Exim's auth_spa_server() which also be fixed in Exim 4.43.

Alerts:
Red Hat RHSA-2005:025-01 2005-02-15
Gentoo 200501-23 2005-01-12
Debian DSA-637-1 2005-01-13
Debian DSA-635-1 2005-01-12
Ubuntu USN-56-1 2005-01-07
Fedora FEDORA-2005-001 2005-01-06
Fedora FEDORA-2005-001 2005-01-06

Comments (1 posted)

hylafax: weak hostname and username validation

Package(s):hylafax CVE #(s):CAN-2004-1182
Created:January 11, 2005 Updated:January 13, 2005
Description: Patrice Fournier discovered a vulnerability in the authorization subsystem of hylafax, a flexible client/server fax system. A local or remote user guessing the contents of the hosts.hfaxd database could gain unauthorized access to the fax system. Fixed in HylaFAX 4.2.1.
Alerts:
Mandrake MDKSA-2005:006 2005-01-12
Debian DSA-634-1 2005-01-11
Gentoo 200501-21 2005-01-11

Comments (none posted)

kdelibs: unsanitzied input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kernel: race condition, privilege escalation

Package(s):kernel CVE #(s):CAN-2004-1235 CAN-2004-1337
Created:January 10, 2005 Updated:January 19, 2005
Description: Paul Starzetz discovered a race condition in the ELF library and a.out binary format loaders, which can be locally exploited in several different ways to gain root privileges. (CAN-2004-1235)

Liang Bin found a design flaw in the capability module. After this module was loaded on demand in a running system, all unprivileged user space processes got all kernel capabilities (thus essentially root privileges). (CAN-2004-1337)

Alerts:
Red Hat RHSA-2005:043-01 2005-01-18
Trustix TSLSA-2005-0001 2005-01-13
Fedora FEDORA-2005-013 2005-01-10
Fedora FEDORA-2005-014 2005-01-10
Ubuntu USN-57-1 2005-01-09

Comments (none posted)

Konqueror: Java sandbox vulnerabilities

Package(s):konqueror CVE #(s):CAN-2004-1145
Created:January 11, 2005 Updated:January 12, 2005
Description: According to this KDE Security Advisory, two flaws in the Konqueror web browser make it possible to by pass the sandbox environment which is used to run Java-applets. All versions of KDE up to KDE 3.3.1 inclusive are affected. KDE 3.3.2 is not affected.
Alerts:
Gentoo 200501-16 2005-01-11

Comments (none posted)

lintian: insecure temporary directory

Package(s):lintian CVE #(s):CAN-2004-1000
Created:January 10, 2005 Updated:January 12, 2005
Description: Jeroen van Wolffelaar discovered a problem in lintian, the Debian package checker. The program removes the working directory even if it wasn't created at program start, removing an unrelated file or directory a malicious user inserted via a symlink attack.
Alerts:
Debian DSA-630-1 2005-01-10

Comments (none posted)

mailman: cross-site scripting

Package(s):mailman CVE #(s):CAN-2004-1177
Created:January 10, 2005 Updated:March 22, 2005
Description: Florian Weimer discovered a cross-site scripting vulnerability in mailman's automatically generated error messages. An attacker could craft an URL containing JavaScript (or other content embedded into HTML) which triggered a mailman error page. When an unsuspecting user followed this URL, the malicious content was copied unmodified to the error page and executed in the context of this page.
Alerts:
Fedora FEDORA-2005-242 2005-03-22
Fedora FEDORA-2005-241 2005-03-22
Red Hat RHSA-2005:235-01 2005-03-21
Debian DSA-674-1 2005-02-10
Mandrake MDKSA-2005:015 2005-01-24
Gentoo 200501-29 2005-01-22
Ubuntu USN-59-1 2005-01-10

Comments (none posted)

namazu2: cross-site scripting vulnerability

Package(s):namazu2 CVE #(s):CAN-2004-1318
Created:January 6, 2005 Updated:January 12, 2005
Description: The namazu2 full text search engine has a cross-site scripting vulnerability that may allow an attacker to display arbitrarily crafted text by the use of specially crafted input information.
Alerts:
Debian DSA-627-1 2005-01-06

Comments (none posted)

nfs-utils: arbitrary code execution

Package(s):nfs-utils CVE #(s):CAN-2004-0946
Created:January 11, 2005 Updated:February 27, 2006
Description: Arjan van de Ven discovered a buffer overflow in rquotad on 64bit architectures; an improper integer conversion could lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could then lead to the execution of arbitrary code.
Alerts:
Fedora-Legacy FLSA:138098 2006-02-25
Red Hat RHSA-2005:014-01 2005-01-12
Mandrake MDKSA-2005:005 2005-01-11

Comments (none posted)

o3read: buffer overflow during file conversion

Package(s):o3read CVE #(s):CAN-2004-1288
Created:January 11, 2005 Updated:January 12, 2005
Description: Wiktor Kopec discovered that the parse_html function in o3read.c copies any number of bytes into a 1024-byte array.
Alerts:
Gentoo 200501-20 2005-01-11

Comments (none posted)

phpgroupware: information disclosure vulnerability

Package(s):phpgroupware CVE #(s):
Created:January 6, 2005 Updated:January 12, 2005
Description: phpgroupware has multiple vulnerabilities that may be exploited for the purpose of information disclosure or a remote compromise.
Alerts:
Gentoo 200501-08 2005-01-06

Comments (none posted)

poppassd_pam: unauthorized password changing

Package(s):poppassd_pam CVE #(s):CAN-2005-0002
Created:January 11, 2005 Updated:January 12, 2005
Description: Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did not check that the old password was valid before changing passwords. Subsequent investigation revealed that poppassd_pam did not call pam_authenticate before calling pam_chauthtok.
Alerts:
Gentoo 200501-22 2005-01-11

Comments (none posted)

TikiWiki: arbitrary command execution

Package(s):TikiWiki CVE #(s):
Created:January 10, 2005 Updated:January 31, 2005
Description: TikiWiki lacks a check on uploaded images in the Wiki edit page. A malicious user could run arbitrary commands on the server by uploading and calling a PHP script.
Alerts:
Gentoo 200501-41 2005-01-30
Gentoo 200501-12 2005-01-10

Comments (none posted)

UnRTF: Buffer overflow

Package(s):unrtf CVE #(s):
Created:January 11, 2005 Updated:January 12, 2005
Description: An unchecked strcat() in unrtf may overflow the bounds of a static buffer. Using a specially crafted file, possibly delivered by e-mail or over the web, an attacker may execute arbitrary code with the permissions of the user running UnRTF.
Alerts:
Gentoo 200501-15 2005-01-10

Comments (1 posted)

vilistextum: buffer overflow vulnerability

Package(s):vilistextum CVE #(s):CAN-2004-1299
Created:January 6, 2005 Updated:January 12, 2005
Description: Vilistextum has a buffer overflow vulnerability that can allows an attacker to execute arbitrary code via a maliciously created web page.
Alerts:
Gentoo 200501-10 2005-01-06

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

Comments (none posted)

cups: multiple vulnerabilities

Package(s):cups CVE #(s):CAN-2004-1267 CAN-2004-1268 CAN-2004-1269 CAN-2004-1270
Created:December 17, 2004 Updated:February 9, 2005
Description: cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter.
Alerts:
SuSE SUSE-SR:2005:003 2005-02-04
Mandrake MDKSA-2005:008 2005-01-17
Gentoo 200412-25:02 2004-12-28
Red Hat RHSA-2005:013-01 2005-01-12
Gentoo 200412-25 2004-12-28
Fedora FEDORA-2004-559 2004-12-17
Fedora FEDORA-2004-560 2004-12-17

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

debmake: insecure temp directories

Package(s):debmake CVE #(s):CAN-2004-1179
Created:December 23, 2004 Updated:January 4, 2005
Description: debmake contains a script that can make insecure temporary directories. This can be used by a symlink attack to create and overwrite arbitrary files.
Alerts:
Ubuntu USN-49-1 2004-12-23

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

ethereal: multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2004-1139 CAN-2004-1140 CAN-2004-1141 CAN-2004-1142
Created:December 20, 2004 Updated:January 13, 2005
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.8, including:
  • Bug in DICOM dissection discovered by Bing could make Ethereal crash (CAN-2004-1139).
  • An invalid RTP timestamp could make Ethereal hang and create a large temporary file (CAN-2004-1140).
  • The HTTP dissector could access previously-freed memory (CAN-2004-1141).
  • Brian Caswell discovered that an improperly formatted SMB could make Ethereal hang (CAN-2004-1142).
Alerts:
Conectiva CLA-2005:916 2005-01-13
Debian DSA-613-1 2004-12-21
Mandrake MDKSA-2004:152 2004-12-20
Gentoo 200412-15 2004-12-19

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Fedora-Legacy FLSA:2188 2005-02-10
Red Hat RHSA-2004:604-01 2004-10-20
Mandrake MDKSA-2004:117 2004-11-01
Ubuntu USN-8-1 2004-10-27
Gentoo 200410-23 2004-10-24
Slackware SSA:2004-296-01 2004-10-25

Comments (none posted)

Gallery: cross-site scripting vulnerability

Package(s):Gallery CVE #(s):CAN-2004-1106
Created:November 8, 2004 Updated:January 17, 2005
Description: Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the users gallery.
Alerts:
Debian DSA-642-1 2005-01-17
Gentoo 200411-10:01 2004-11-06

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

groff: insecure temp file

Package(s):groff CVE #(s):CAN-2004-1296
Created:December 20, 2004 Updated:January 17, 2005
Description: Javier Fernández-Sanguino Peña discovered that the auxiliary scripts "eqn2graph" and "pic2graph" created temporary files in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Ubuntu USN-43-1 2004-12-20

Comments (1 posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

htmlheadline: insecure temporary files

Package(s):htmlheadline CVE #(s):CAN-2004-1181
Created:January 3, 2005 Updated:January 4, 2005
Description: Javier Fernández-Sanguino Peña has discovered multiple insecure uses of temporary files that could lead to overwriting arbitrary files via a symlink attack.
Alerts:
Debian DSA-622-1 2005-01-03

Comments (none posted)

imlib: buffer overflows in image decoding

Package(s):imlib CVE #(s):CAN-2004-1026
Created:December 6, 2004 Updated:January 13, 2005
Description: Pavel Kankovsky discovered that several overflows found in the libXpm library also applied to imlib. He also fixed a number of other potential flaws. A remote attacker could entice a user to view a carefully-crafted image file, which would potentially lead to execution of arbitrary code with the rights of the user viewing the image. This affects any program that makes use of the imlib library.
Alerts:
Mandrake MDKSA-2005:007 2005-01-12
Gentoo 200501-19 2005-01-11
Ubuntu USN-55-1 2005-01-06
Debian DSA-628-1 2005-01-06
Ubuntu USN-53-1 2004-12-29
Debian DSA-618-1 2004-12-24
Red Hat RHSA-2004:651-01 2004-12-10
Gentoo 200412-03 2004-12-06

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iptables: missing initialization

Package(s):iptables CVE #(s):CAN-2004-0986
Created:November 1, 2004 Updated:February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least.
Alerts:
Fedora-Legacy FLSA:2252 2005-02-10
Ubuntu USN-81-1 2005-02-11
Mandrake MDKSA-2004:125 2004-11-04
Debian DSA-580-1 2004-11-01

Comments (none posted)

kdelibs: unwanted email origination

Package(s):kdelibs CVE #(s):
Created:January 4, 2005 Updated:January 4, 2005
Description: The Konqueror browser (via kdelibs) contains a vulnerability which can cause it to send email without the user's interaction or consent. See this bug report for details.
Alerts:
Mandrake MDKSA-2004:160 2004-12-29

Comments (none posted)

kerberos5: execution of arbitrary code by authenticated user

Package(s):kerberos5 CVE #(s):CAN-2004-1189
Created:December 21, 2004 Updated:February 15, 2005
Description: There is a buffer overflow in the password history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server.
Alerts:
Red Hat RHSA-2005:045-01 2005-02-15
Red Hat RHSA-2005:012-01 2005-01-19
Conectiva CLA-2005:917 2005-01-13
Ubuntu USN-58-1 2005-01-10
Debian DSA-629-1 2005-01-07
Gentoo 200501-05 2005-01-05
Mandrake MDKSA-2004:156 2004-12-22
Fedora FEDORA-2004-564 2004-12-21
Fedora FEDORA-2004-563 2004-12-21
Trustix TSLSA-2004-0069 2004-12-21

Comments (none posted)

kernel: 32bit emulation privilege escalation

Package(s):kernel CVE #(s):CAN-2004-1144
Created:December 23, 2004 Updated:January 5, 2005
Description: The 2.4 Linux Kernel on the AMD64 platform has a missing argument checking vulnerability that can allow a local attacker to gain root privileges.
Alerts:
Red Hat RHSA-2004:689-01 2004-12-23
SuSE SUSE-SA:2004:046 2004-12-22

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CAN-2004-1308
Created:December 22, 2004 Updated:May 19, 2005
Description: The libtiff image manipulation library contains several exploitable buffer overflows.
Alerts:
Fedora-Legacy FLSA:152815 2005-05-18
Red Hat RHSA-2005:035-01 2005-02-15
Conectiva CLA-2005:920 2005-01-20
Red Hat RHSA-2005:019-01 2005-01-13
SuSE SUSE-SA:2005:001 2005-01-10
Fedora FEDORA-2005-598 2005-01-07
Fedora FEDORA-2005-597 2005-01-07
Ubuntu USN-54-1 2005-01-06
Mandrake MDKSA-2005:002 2005-01-06
Mandrake MDKSA-2005:001 2005-01-06
Gentoo 200501-06 2005-01-05
Debian DSA-626-1 2005-01-06
Debian DSA-617-1 2004-12-24
Fedora FEDORA-2004-577 2004-12-22
Fedora FEDORA-2004-576 2004-12-22
Ubuntu USN-46-1 2004-12-22

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:February 28, 2005
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005
Description: There are several stack and integer overflow bugs in the libXpm code of XFree86 that may be used for a denial of service.
Alerts:
Conectiva CLA-2005:924 2005-02-14
Red Hat RHSA-2005:004-01 2005-01-12
Red Hat RHSA-2004:537-01 2004-12-02
Ubuntu USN-27-1 2004-11-17
Mandrake MDKSA-2004:124 2004-11-04
Debian DSA-561-1 2004-10-11
Gentoo 200410-09 2004-10-09
Debian DSA-560-1 2004-10-07
Red Hat RHSA-2004:479-01 2004-10-06
Red Hat RHSA-2004:478-01 2004-10-04
Gentoo 200409-34 2004-09-27
SuSE SUSE-SA:2004:034 2004-09-17
Mandrake MDKSA-2004:099 2004-09-15
Mandrake MDKSA-2004:098 2004-09-15

Comments (none posted)

LinPopUp: buffer overflow in message reply

Package(s):linpopup CVE #(s):CAN-2004-1282
Created:January 4, 2005 Updated:January 10, 2005
Description: Stephen Dranger discovered that LinPopUp contains a buffer overflow in string.c, triggered when replying to a remote user message. A remote attacker could craft a malicious message that, when replied to using LinPopUp, would exploit the buffer overflow. This would result in the execution of arbitrary code with the privileges of the user running LinPopUp.
Alerts:
Debian DSA-632-1 2005-01-10
Gentoo 200501-01 2005-01-04