Whither Fedora Legacy?
Users of the Fedora Core distribution (or any other distribution, for that
matter) are well advised to understand its security update policies.
Fedora does not backport security fixes into the version of the affected
program which was originally shipped with the distribution; instead, the
application is simply updated to the current version. Security updates are
made for approximately one year, after which the Fedora project moves on to
supporting its newer versions. Sometimes the support period is shorter;
Fedora Core 2, which was released on May 18, 2004, is currently scheduled to
become unsupported on March 21.
It is worth noting that, for as long as it lasts, the Fedora Project's
security support is excellent. Updates are released quickly, and are
easily tracked using yum, up2date, or apt.
When Fedora stops supporting a release, it "transfers" that release to the
Fedora Legacy project. Fedora
Legacy is not part of Fedora itself; it is, instead, a separate,
community-based effort dedicated to making security updates available to
older Fedora Core and Red Hat Linux releases. The project's policy, as
stated in the FAQ, is
to support old Fedora Core releases for two release cycles after the
transfer.
When Fedora Legacy is working well, it is a highly useful service. With a
simple tweak to a yum configuration file, it is possible to keep
an older system current with almost no effort.
Unfortunately, the last update to Fedora Core 1 came out on
December 3, 2004. Any Fedora Core 1 systems which rely upon
Fedora Legacy for updates are currently vulnerable to holes in the kernel,
xpdf, vim, KDE, PHP, sudo, etc. The process, it would seem, has come to a
complete stop for over a month. We attempted to ask (via the posted
contact address) what was going on, but got no response.
A look at the project's mailing list shows that there are still signs of
life. There is an open issues document which is still being maintained; it
shows a substantial
number of packages needing updates, along with their bugzilla URLs. There
was also one message about the stoppage and
whether support for Fedora Core 1 had been dropped:
No, but a combination of lack of manpower, downtime on the build
server and the fact that we are releasing Red Hat 7.3, Red Hat 9
and Fedora Core 1 packages together means that the project is
grinding to a halt. As soon as the build server comes back I will
try and clear a lot of the backlog.
Keeping a distribution current with security patches is hard, tedious, and
often thankless work. It's the sort of work that people tend to demand to
be paid to do. Projects like Debian and Gentoo demonstrate that this job
can be done, and done well, on a volunteer basis, however. But it would
appear that the requisite effort is not there for the Fedora Legacy
project. Without the needed resources - developer time, systems to build
packages on, and testing - a project like Fedora Legacy will fail. People
who care about the security of older Fedora Core distributions - and the
long-term value of Fedora releases in general - might want to think about
what they can do to help the Fedora Legacy project get its process
restarted.
A look at Quasar Accounting
While Linux has made great strides in terms of application availability in
recent years, one area where Linux is still quite weak is accounting
software. More than a few open source diehards still turn to Quicken,
QuickBooks and/or TurboTax when it comes time to do the counting up.
When the GPL'ed version of Quasar Accounting was announced last week by
Linux Canada, Inc., we decided it was time to take a look to
see if Quasar could give Linux users the features they need to do their
accounting solely on Linux. We also interviewed Linux Canada's Phil
Tonnellier about the application, and the decision to release parts of the
application under the GPL.
The GPL'ed components of Quasar include its client and server accounting
software. The point-of-sale components are not available under the GPL and
require a commercial license. Still, the accounting software components provide
all the features necessary for users who need to use Quasar for small
business accounting.
Tonnellier said that the company chose to release Quasar under the GPL for
several reasons. First, he said that the company "wanted to give
something back" since the company had been using Linux for retail
systems since 1995. He also said that there is a bit of pride in the
product as well:
We believe in our product. We believe in the quality of the source code,
and we believe that FOSS is the future of software. We feel that Quasar in
GPL can be the leading FOSS accounting system for the world. There is a
desire to get more eyes on the code and more testers to make Quasar a
better product.
In addition, Tonnellier said that making the source code available was part
of trying to build a strong reseller network for Quasar. As for keeping
part of the code closed, Tonnellier said that the company's revenues have
been primarily derived from sales to retail businesses, and that
"most retailers requiring point-of-sale can easily afford the Quasar
license fees, and indeed they may feel better knowing we have an income
stream and will remain strong for them in the future."
Quasar requires a database backend, either PostgreSQL, Firebird or
Sybase. Since MySQL is also extremely popular with the open source
community, we asked Tonnellier why Quasar didn't support MySQL as
well. According to Tonnellier, they didn't feel MySQL was quite ready in
2000 when Quasar development started:
We felt that MySQL did not meet all of our requirements for handling
referential integrity and PostgreSQL actually failed some tests. Thus we
chose Firebird and Sybase to work with. Since then PostgreSQL and MySQL
have come a long way in features and reliability. But to be honest, we have
been so busy working on features that we did not revisit the use of
PostgreSQL and MySQL. With the release to open source, we did take another
look at PostgreSQL and created the interface. One day we want to do the
same for MySQL, but just have not had the time.
Since Quasar has long been a closed-source application, we asked what kind
of preparation Linux Canada had to do in order to release the code under
the GPL. Tonnellier said that it was more complicated than just throwing
the source out into the wild:
There is a tremendous amount of work to prepare for open source. Especially
when you consider that the work has to be done in addition to running your
regular business to maintain a revenue stream. We needed to make sure that
the code is presentable and easy to build. We needed to remove any third
party dependencies. We needed to figure out a way to earn a living after
open source. We needed to define all of our new support packages. We needed
to prepare the web site and all of the manuals. We needed to set up proper
mailing lists and support forums. We needed to ensure our Internet server
could handle the traffic and was properly configured.
How does Quasar compare with QuickBooks? Tonnellier noted that Quasar is
missing QuickBooks' payroll component, but that Quasar "has very
powerful inventory control, including auto ordering and merchandise cost
landing." A list of Quasar's features can be found on the Linux
Canada website.
This reporter downloaded the Quasar packages for SUSE Linux 9.2 and took
Quasar for a test drive. Linux Canada has provided source code and packages
for Fedora Core, Mandrake, Red Hat, Slackware, and SUSE. We tested Quasar
with the PostgreSQL backend, which was a bit tricky to set up initially,
but once we got it working it was smooth sailing.
For Linux users who want an accounting package for individual use, Quasar
is probably overkill. However, the package has plenty of features that make
it attractive to small businesses that have to manage invoices, inventory,
purchase orders, vendor payments and so forth.
The interface was fairly intuitive, even though this reporter is decidedly
not well-versed in accounting. Quasar also includes an extensive online
help system so that almost every window and dialog has an associated help
file that explains the current operation. We did run into the occasional
glitch, such as the Item Lookup dialog. When searching for a Department for
an item, clicking on "New" brings up a "Department Master" dialog that
refuses to accept user input until the Item Lookup window is
closed. However, we didn't find many glitches of this nature.
Overall, Quasar is a decent accounting application that seems to have most
of the features that a small business would need, excepting the payroll
functions that Tonnellier alluded to. This is, of course, a feature that
many businesses will still need to have, and will probably keep many
businesses from turning to Quasar.
Despite the rough edges, we'd recommend that users evaluate Quasar to see
if it would suit their needs. Since Quasar is now licensed under the GPL, the Linux community
can help Linux Canada add the features and polish it needs to be
competitive with proprietary accounting applications. Given the number of
users and organizations that would benefit from, and have been looking for,
an open source accounting software system, Quasar shouldn't have any
shortage of developers willing to take it to the next level.
This week's Bad Law Proposal
The state of California has long been known for innovative public policies
and laws. Sometimes, the state can be truly visionary in its policies,
and, sometimes...
Senator Kevin Murray, from Los Angeles, has put forward a
proposed law which would attack the dreaded scourge of peer-to-peer
file sharing networks. In particular, the proposed law reads:
Any person or entity that sells, offers for sale, advertises,
distributes, disseminates, provides, or otherwise makes available
peer-to-peer file sharing software that enables its user to
electronically disseminate commercial recordings or audiovisual
works via the Internet or any other digital network, and who fails
to exercise reasonable care in preventing use of that software to
commit an unlawful act with respect to a commercial recording or
audiovisual work... is punishable, in addition to any other penalty or
fine imposed, by a fine not exceeding two thousand five hundred
dollars ($2,500), imprisonment in a county jail for a period not to
exceed one year, or by both that fine and imprisonment.
Of course, "peer-to-peer file sharing software" is a vague term, so
Sen. Murray makes it even more so:
As used in this section, "peer-to-peer file sharing software" means
software that once installed and launched, enables the user to
connect his or her computer to a network of other computers on
which the users of these computers have made available recording or
audiovisual works for electronic dissemination to other users who
are connected to the network.
It does not require a particularly expansive reading of that language to
conclude that, say, a Linux distribution with an FTP client or web browser
meets that definition. The law does not address what "reasonable care"
means, but, presumably, "no attempt whatsoever to prevent the distribution
of proprietary materials" would not make the grade. The paranoid among us
might well see an attempt to outlaw free software here... except for the
little problem that this law would be equally applicable
to any general-purpose, proprietary operating system.
This bill will most probably encounter a rough road, and, with luck, will
not be passed. It is, however, another result of a view which is being
encouraged by the entertainment industry (and others): software is an inherently
dangerous tool which must be heavily regulated. Manufacturers and
distributors of cooking knives, hand guns, gasoline, automobiles, etc. are
not required to design their products in such a way as to prevent the
commission of the obvious crimes which those products enable. But software
is a riskier item, and cannot be trusted.
The free software community values the freedom it has: if we have a
particular need, the only thing that stands between us and satisfying that
need is the requisite hacking time. Increasingly, however, we are hearing
that our code is illegal in some part of the world or other, regardless of
its intent or legitimate uses. This problem is only likely to get worse as
the Powers That Be try to get a handle on the strong, but relatively
uncontrolled free software world.
Page editor: Jonathan Corbet
Security
Vulnerabilities and updates in 2004
2004 was another busy year for those concerned with the security of their
systems. The LWN security database shows that the top-tier distributors
issued 1660 updates in 2004 in response to 396 vulnerabilities. Once
again, the kernel leads the list for the sheer number of vulnerabilities:
19 of them last year. Apache comes in second with 12 vulnerabilities -
though that figure mixes versions 1 and 2 which, arguably, should be kept
separate.
For the curious, here's the beginning of our table showing vulnerabilities
and resulting alerts for 2004:
For the full table, in its bandwidth- and browser-busting glory, see this page over here.
When viewing this table, please keep in mind one fundamental limitation it
has: we have no way of marking when a given distribution is not affected by
a vulnerability. So, if no alerts show for a specific combination of
distributor and vulnerability, it means either (1) the distributor did
not bother to issue an update, or (2) that distribution was not
vulnerable. Someday we hope to get to where we can distinguish between
those two situations.
Security news
Verizon persists with European email blockade (Register)
The Register reports that Verizon has come up with a novel way of reducing
spam delivered to its customers: blocking all email from Europe. "Verizon's
three million DSL customers waiting for emails from Europe were advised to
use alternative forms of communication. 'If it's really important you might
want to make a phone call...'"
New vulnerabilities
apache: temporary file vulnerability
| Package(s): | apache |
| CVE #(s): | |
| Created: | January 19, 2005 |
| Updated: | January 19, 2005 |
| Description: | Javier Fernández-Sanguino Peña noticed that the Apache 1.3 "check_forensic" script created temporary files in an insecure manner. |
| Alerts: | |
chbg: buffer overflow
| Package(s): | chbg |
| CVE #(s): | CAN-2004-1264 |
| Created: | January 18, 2005 |
| Updated: | February 2, 2005 |
| Description: | Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine. |
| Alerts: | |
gatos: buffer overflow
| Package(s): | gatos |
| CVE #(s): | CAN-2005-0016 |
| Created: | January 17, 2005 |
| Updated: | January 17, 2005 |
| Description: | Erik Sjölund discovered a buffer overflow in xatitv, one of the programs in the gatos package, that is used to display video with certain ATI video cards. xatitv is installed setuid root in order to gain direct access to the video hardware. |
| Alerts: | |
gopher: multiple vulnerabilities
| Package(s): | gopher |
| CVE #(s): | CAN-2004-0560, CAN-2004-0561 |
| Created: | January 13, 2005 |
| Updated: | January 17, 2005 |
| Description: | Gopher's gopherd has an integer overflow vulnerability and the gopher log routine has a format string vulnerability. |
| Alerts: | |
kernel: i386 SMP page fault handler privilege escalation
| Package(s): | kernel |
| CVE #(s): | CAN-2005-0001 |
| Created: | January 14, 2005 |
| Updated: | February 25, 2005 |
| Description: | Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details. |
| Alerts: | |
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0005 |
| Created: | January 18, 2005 |
| Updated: | March 23, 2005 |
| Description: | According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code. |
| Alerts: | |
mozilla: buffer overflow
| Package(s): | mozilla |
| CVE #(s): | CAN-2004-1316 |
| Created: | January 14, 2005 |
| Updated: | January 17, 2005 |
| Description: | iSEC Security Research has discovered a buffer overflow bug in the way Mozilla handles NNTP URLs. If a user visits a malicious web page or is convinced to click on a malicious link, it may be possible for an attacker to execute arbitrary code on the victim's machine. |
| Alerts: | |
mysql-dfsg: insecure temporary files
| Package(s): | mysql-dfsg |
| CVE #(s): | CAN-2005-0004 |
| Created: | January 18, 2005 |
| Updated: | March 25, 2005 |
| Description: | Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. |
| Alerts: | |
playmidi: buffer overflow
| Package(s): | playmidi |
| CVE #(s): | CAN-2005-0020 |
| Created: | January 17, 2005 |
| Updated: | January 20, 2005 |
| Description: | Erik Sjölund discovered that playmidi, a MIDI player, contains a setuid root program with a buffer overflow that can be exploited by a local attacker. |
| Alerts: | |
queue: buffer overflows
| Package(s): | queue |
| CVE #(s): | CAN-2004-0555 |
| Created: | January 18, 2005 |
| Updated: | January 19, 2005 |
| Description: | "jaguar" of the Debian Security Audit Project has discovered several buffer overflows in queue, a transparent load balancing system. |
| Alerts: | |
Squid: multiple vulnerabilities
| Package(s): | squid |
| CVE #(s): | CAN-2005-0094, CAN-2005-0095 |
| Created: | January 17, 2005 |
| Updated: | February 2, 2005 |
| Description: | Squid contains a vulnerability in the gopherToHTML function and incorrectly checks the 'number of caches' field when parsing WCCP_I_SEE_YOU messages. Furthermore, the NTLM code contains two errors: one is a memory leak in the fakeauth_auth helper and the other is a NULL pointer dereference. |
| Alerts: | |
tnftp: arbitrary file overwriting
| Package(s): | tnftp |
| CVE #(s): | CAN-2004-1294 |
| Created: | January 14, 2005 |
| Updated: | January 17, 2005 |
| Description: | According to this advisory, the 'mget' function in cmds.c lacks validation of the filenames that are supplied by the server. An attacker running an FTP server could supply clients with malicious filenames, potentially allowing the overwriting of arbitrary files with the permission of the connected user. |
| Alerts: | |
twiki: arbitrary shell command execution
| Package(s): | twiki |
| CVE #(s): | |
| Created: | January 14, 2005 |
| Updated: | January 17, 2005 |
| Description: | A vulnerability in twiki was found where a remote attacker could exploit it to run arbitrary shell commands on the server. For further information, see this announcement. |
| Alerts: | |
vim: symbolic link attack
| Package(s): | vim |
| CVE #(s): | CAN-2005-0069 |
| Created: | January 18, 2005 |
| Updated: | February 18, 2005 |
| Description: | Javier Fernández-Sanguino Peña noticed that the auxiliary scripts "tcltags" and "vimspell.sh" created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the script (either by calling it directly or by execution through vim). |
| Alerts: | |
xpdf: buffer overflow
| Package(s): | xpdf |
| CVE #(s): | CAN-2005-0064 |
| Created: | January 19, 2005 |
| Updated: | March 15, 2007 |
| Description: | iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: | |
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
bmv: insecure temporary file
| Package(s): | bmv |
| CVE #(s): | CAN-2003-0014 |
| Created: | January 11, 2005 |
| Updated: | January 12, 2005 |
| Description: | Peter Samuelson, upstream maintainer of bmv, a PostScript viewer for SVGAlib, discovered that temporary files are created in an insecure fashion. A malicious local user could cause arbitrary files to be overwritten by a symlink attack. |
| Alerts: | |
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |
| Description: | The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: | |
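The pattern the cdrecord entry describes, as an added example (not code from cdrecord or any other package on this page): a setuid-root helper that must run a user-specified program first drops to the invoking user's real uid and gid, verifies that the drop cannot be undone, and only then executes the program. It assumes Linux with glibc; drop_privileges() and run_as_invoker() are names chosen for this example.

```c
/* Added example, not code from cdrecord or any other package listed here.
 * A setuid-root helper that must run a user-specified program should first
 * drop to the caller's real uid/gid, verify that the drop is permanent, and
 * only then exec. Assumes Linux with glibc. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop any setuid/setgid privilege back to the real ids.
 * Order matters: supplementary groups first (only root may change them),
 * then gid, then uid, because once the uid is non-root the other calls
 * would fail. Returns 0 on success, -1 if a step failed or the drop could
 * be reversed. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Verify: real and effective ids must all match the real ids ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* ... and unless the caller really is root, regaining root must fail.
     * A leftover saved-set-uid of 0 would let setuid(0) succeed here. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Fork, drop privileges in the child, then exec the user-supplied program.
 * If the drop fails the child exits 127 without running anything.
 * Returns the child's exit status, or -1 on fork/wait failure or if the
 * child was killed by a signal. */
int run_as_invoker(const char *prog, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(127);
        execvp(prog, argv);
        _exit(127); /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Stand-in for the user-specified program: a shell that shows its ids
     * and exits 3, so the caller can see both the drop and the status. */
    char *const argv[] = { "sh", "-c", "id; exit 3", NULL };
    int rc = run_as_invoker("/bin/sh", argv);

    printf("child exit status: %d (expected 3)\n", rc);
    return rc == 3 ? 0 : 1;
}
```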
cups: multiple vulnerabilities
| Package(s): | cups |
| CVE #(s): | CAN-2004-1267, CAN-2004-1268, CAN-2004-1269, CAN-2004-1270 |
| Created: | December 17, 2004 |
| Updated: | February 9, 2005 |
| Description: | cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter. |
| Alerts: | |
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
| Alerts: | |
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. |
| Alerts: | |
dillo: format string vulnerability
| Package(s): | dillo |
| CVE #(s): | CAN-2005-0012 |
| Created: | January 10, 2005 |
| Updated: | January 12, 2005 |
| Description: | Gentoo Linux developer Tavis Ormandy found a format string bug in Dillo's handling of messages in a_Interface_msg(). An attacker could craft a malicious web page which, when accessed using Dillo, would trigger the format string vulnerability and potentially execute arbitrary code with the rights of the user running Dillo. |
| Alerts: | |
ethereal: multiple vulnerabilities
| Package(s): | ethereal |
| CVE #(s): | CAN-2004-1139, CAN-2004-1140, CAN-2004-1141, CAN-2004-1142 |
| Created: | December 20, 2004 |
| Updated: | January 13, 2005 |
| Description: | There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.8, including: a bug in DICOM dissection discovered by Bing could make Ethereal crash (CAN-2004-1139); an invalid RTP timestamp could make Ethereal hang and create a large temporary file (CAN-2004-1140); the HTTP dissector could access previously-freed memory (CAN-2004-1141); and Brian Caswell discovered that an improperly formatted SMB could make Ethereal hang (CAN-2004-1142). |
| Alerts: | |
exim: buffer overflows
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
FreeRADIUS: denial of service
| Package(s): | freeradius |
| CVE #(s): | CAN-2004-0938, CAN-2004-0960, CAN-2004-0961 |
| Created: | September 22, 2004 |
| Updated: | February 2, 2005 |
| Description: | FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
| Alerts: | |
gaim: buffer overflow in MSN protocol
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0891 |
| Created: | October 25, 2004 |
| Updated: | February 11, 2005 |
| Description: | A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. |
| Alerts: | |
Gallery: cross-site scripting vulnerability
| Package(s): | Gallery |
| CVE #(s): | CAN-2004-1106 |
| Created: | November 8, 2004 |
| Updated: | January 17, 2005 |
| Description: | Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the user's gallery. |
| Alerts: | |
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |
| Description: | The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: | |
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |
| Description: | Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: | |
groff: insecure temp file
| Package(s): | groff |
| CVE #(s): | CAN-2004-1296 |
| Created: | December 20, 2004 |
| Updated: | January 17, 2005 |
| Description: | Javier Fernández-Sanguino Peña discovered that the auxiliary scripts "eqn2graph" and "pic2graph" created temporary files in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
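The temporary-file flaw shared by the gettext, vim, mysql-dfsg, bmv, catchsegv and both groff entries above, as an added example (not code from any of those packages): it shows why a pid-based name under /tmp can be pre-empted by a planted symlink, next to the mkstemp()/mkdtemp() and O_EXCL|O_NOFOLLOW patterns that defeat it (mktemp(1) gives shell scripts the same guarantee). It assumes Linux with glibc; the function names and the symlink target are constructed for this example.

```c
/* Added example, not code from gettext, vim, groff or any other package
 * listed here. Contrasts the predictable "/tmp/<tag>.<pid>" name those
 * helper scripts used with creation methods that a planted symlink cannot
 * subvert. Assumes Linux/glibc; all names below are chosen for this demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The vulnerable pattern: the name depends only on the pid, so a local user
 * can pre-create it (as a symlink to a file the victim may write) for every
 * plausible pid before the victim program runs. */
int predictable_name(char *buf, size_t len, const char *dir, const char *tag)
{
    int n = snprintf(buf, len, "%s/%s.%ld", dir, tag, (long)getpid());
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Hardened create for a caller-chosen path: O_EXCL fails if anything already
 * exists there (a symlink included), O_NOFOLLOW never dereferences a link,
 * and mode 0600 keeps the file private. Returns an fd or -1. */
int create_exclusive(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);

    if (fd < 0)
        return -1;
    /* Belt and braces: what we opened must be a regular file we own. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

static int build_template(char *buf, size_t len, const char *dir, const char *tag)
{
    int n = snprintf(buf, len, "%s/%s.XXXXXX", dir, tag);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Preferred pattern: libc picks an unpredictable name and creates it
 * atomically with O_EXCL and mode 0600. The chosen path is left in buf. */
int secure_tmpfile(char *buf, size_t len, const char *dir, const char *tag)
{
    if (build_template(buf, len, dir, tag) != 0)
        return -1;
    return mkstemp(buf);
}

/* Same for a temporary directory (the groffer case): mkdtemp() creates it
 * with mode 0700, so nobody else can plant entries inside it. */
int secure_tmpdir(char *buf, size_t len, const char *dir, const char *tag)
{
    if (build_template(buf, len, dir, tag) != 0)
        return -1;
    return mkdtemp(buf) ? 0 : -1;
}

/* Reproduce the attack setting inside dir: plant a symlink at the
 * predictable name, then try the hardened open. A naive
 * open(path, O_WRONLY|O_CREAT|O_TRUNC) would follow the link and truncate
 * its target; create_exclusive() must refuse. Returns 1 if it refused,
 * 0 if it (wrongly) succeeded, -1 on setup failure. */
int demo_symlink_refused(const char *dir)
{
    char path[256];
    int fd, refused;

    if (predictable_name(path, sizeof path, dir, "demo") != 0)
        return -1;
    unlink(path);
    /* Constructed target; a dangling link is enough to demonstrate it. */
    if (symlink("/nonexistent/victim-file", path) != 0)
        return -1;
    fd = create_exclusive(path);
    refused = (fd < 0);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return refused;
}

int main(void)
{
    char dir[] = "/tmp/lwn-demo.XXXXXX";
    char file[256];
    int fd;

    if (mkdtemp(dir) == NULL)
        return 1;
    printf("hardened open refused planted symlink: %s\n",
           demo_symlink_refused(dir) == 1 ? "yes" : "no");
    fd = secure_tmpfile(file, sizeof file, dir, "safe");
    printf("mkstemp created %s (fd %d)\n", file, fd);
    if (fd >= 0) {
        close(fd);
        unlink(file);
    }
    rmdir(dir);
    return 0;
}
```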
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
hylafax: weak hostname and username validation
| Package(s): | hylafax |
| CVE #(s): | CAN-2004-1182 |
| Created: | January 11, 2005 |
| Updated: | January 13, 2005 |
| Description: | Patrice Fournier discovered a vulnerability in the authorization subsystem of hylafax, a flexible client/server fax system. A local or remote user guessing the contents of the hosts.hfaxd database could gain unauthorized access to the fax system. Fixed in HylaFAX 4.2.1. |
| Alerts: | |
imlib: buffer overflows in image decoding
| Package(s): | imlib |
| CVE #(s): | CAN-2004-1026 |
| Created: | December 6, 2004 |
| Updated: | January 13, 2005 |
| Description: | Pavel Kankovsky discovered that several overflows found in the libXpm library also applied to imlib. He also fixed a number of other potential flaws. A remote attacker could entice a user to view a carefully-crafted image file, which would potentially lead to execution of arbitrary code with the rights of the user viewing the image. This affects any program that makes use of the imlib library. |
| Alerts: | |
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
iptables: missing initialization
| Package(s): | iptables |
| CVE #(s): | CAN-2004-0986 |
| Created: | November 1, 2004 |
| Updated: | February 11, 2005 |
| Description: | Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least. |
| Alerts: | |
kdelibs: unsanitized input
| Package(s): | kdelibs |
| CVE #(s): | CAN-2004-1165 |
| Created: | January 10, 2005 |
| Updated: | July 19, 2005 |
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command. |
| Alerts: | |
kerberos5: execution of arbitrary code by authenticated user
| Package(s): | kerberos5 |
| CVE #(s): | CAN-2004-1189 |
| Created: | December 21, 2004 |
| Updated: | February 15, 2005 |
| Description: | There is a buffer overflow in the password history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server. |
| Alerts: | |
kernel: race condition, privilege escalation
| Package(s): | kernel |
| CVE #(s): | CAN-2004-1235, CAN-2004-1337 |
| Created: | January 10, 2005 |
| Updated: | January 19, 2005 |
| Description: | Paul Starzetz discovered a race condition in the ELF library and a.out binary format loaders, which can be locally exploited in several different ways to gain root privileges (CAN-2004-1235). Liang Bin found a design flaw in the capability module. After this module was loaded on demand in a running system, all unprivileged user space processes got all kernel capabilities (thus essentially root privileges) (CAN-2004-1337). |
| Alerts: | |
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
| Alerts: | |
Konqueror: Java sandbox vulnerabilities
| Package(s): | konqueror |
| CVE #(s): | CAN-2004-1145 |
| Created: | January 11, 2005 |
| Updated: | January 12, 2005 |
| Description: | According to this KDE Security Advisory, two flaws in the Konqueror web browser make it possible to bypass the sandbox environment which is used to run Java applets. All versions of KDE up to KDE 3.3.1 inclusive are affected. KDE 3.3.2 is not affected. |
| Alerts: | |
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: | Several buffer overflows have been discovered in libgd's PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. |
| Alerts: | |