LWN.net Weekly Edition for January 20, 2005

Whither Fedora Legacy?

Users of the Fedora Core distribution (or any other distribution, for that matter) are well advised to understand its security update policies. Fedora does not backport security fixes into the version of the affected program which was originally shipped with the distribution; instead, the application is simply updated to the current version. Security updates are made for approximately one year, after which the Fedora project moves on to supporting its newer versions. Sometimes the support period is shorter; Fedora Core 2, which was released on May 18, 2004, is currently scheduled to become unsupported on March 21.

It is worth noting that, for as long as it lasts, the Fedora Project's security support is excellent. Updates are released quickly, and are easily tracked using yum, up2date, or apt.

When Fedora stops supporting a release, it "transfers" that release to the Fedora Legacy project. Fedora Legacy is not part of Fedora itself; it is, instead, a separate, community-based effort dedicated to making security updates available to older Fedora Core and Red Hat Linux releases. The project's policy, as stated in the FAQ, is to support old Fedora Core releases for two release cycles after the transfer.

When Fedora Legacy is working well, it is a highly useful service. With a simple tweak to a yum configuration file, it is possible to keep an older system current with almost no effort.

Unfortunately, the last update to Fedora Core 1 came out on December 3, 2004. Any Fedora Core 1 systems which rely upon Fedora Legacy for updates are currently vulnerable to holes in the kernel, xpdf, vim, KDE, PHP, sudo, etc. The process, it would seem, has come to a complete stop for over a month. We attempted to ask (via the posted contact address) what was going on, but got no response.

A look at the project's mailing list shows that there are still signs of life. There is an open issues document which is still being maintained; it shows a substantial number of packages needing updates, along with their bugzilla URLs. There was also one message about the stoppage and whether support for Fedora Core 1 had been dropped:

No, but a combination of lack of manpower, downtime on the build server and the fact that we are releasing Red Hat 7.3, Red Hat 9 and Fedora Core 1 packages together means that the project is grinding to a halt. As soon as the build server comes back I will try and clear a lot of the backlog.

Keeping a distribution current with security patches is hard, tedious, and often thankless work. It's the sort of work that people tend to demand to be paid to do. Projects like Debian and Gentoo demonstrate that this job can be done, and done well, on a volunteer basis, however. But it would appear that the requisite effort is not there for the Fedora Legacy project. Without the needed resources - developer time, systems to build packages on, and testing - a project like Fedora Legacy will fail. People who care about the security of older Fedora Core distributions - and the long-term value of Fedora releases in general - might want to think about what they can do to help the Fedora Legacy project get its process restarted.

A look at Quasar Accounting

January 19, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

While Linux has made great strides in terms of application availability in recent years, one area where Linux is still quite weak is accounting software. More than a few open source diehards still turn to Quicken, QuickBooks and/or TurboTax when it comes time to do the counting up.

When the GPL'ed version of Quasar Accounting was announced last week by Linux Canada, Inc., we decided it was time to take a look to see if Quasar could give Linux users the features they need to do their accounting solely on Linux. We also interviewed Linux Canada's Phil Tonnellier about the application, and the decision to release parts of the application under the GPL.

The GPL'ed components of Quasar include its client and server accounting software. The point-of-sale components are not available under the GPL and require a commercial license. Still, the accounting software components provide all the features necessary for users who need to use Quasar for small business accounting.

Tonnellier said that the company chose to release Quasar under the GPL for several reasons. First, he said that the company "wanted to give something back" since the company had been using Linux for retail systems since 1995. He also said that there is a bit of pride in the product as well:

We believe in our product. We believe in the quality of the source code, and we believe that FOSS is the future of software. We feel that Quasar in GPL can be the leading FOSS accounting system for the world. There is a desire to get more eyes on the code and more testers to make Quasar a better product.

In addition, Tonnellier said that making the source code available was part of trying to build a strong reseller network for Quasar. As for keeping part of the code closed, Tonnellier said that the company's revenues have been primarily derived from sales to retail businesses, and that "most retailers requiring point-of-sale can easily afford the Quasar license fees, and indeed they may feel better knowing we have an income stream and will remain strong for them in the future."

Quasar requires a database backend, either PostgreSQL, Firebird or Sybase. Since MySQL is also extremely popular with the open source community, we asked Tonnellier why Quasar didn't support MySQL as well. According to Tonnellier, they didn't feel MySQL was quite ready in 2000 when Quasar development started:

We felt that MySQL did not meet all of our requirements for handling referential integrity and PostgreSQL actually failed some tests. Thus we chose Firebird and Sybase to work with. Since then PostgreSQL and MySQL have come a long way in features and reliability. But to be honest, we have been so busy working on features that we did not revisit the use of PostgreSQL and MySQL. With the release to open source, we did take another look at PostgreSQL and created the interface. One day we want to do the same for MySQL, but just have not had the time.

Since Quasar has long been a closed-source application, we asked what kind of preparation Linux Canada had to do in order to release the code under the GPL. Tonnellier said that it was more complicated than just throwing the source out into the wild:

There is a tremendous amount of work to prepare for open source. Especially when you consider that the work has to be done in addition to running your regular business to maintain a revenue stream. We needed to make sure that the code is presentable and easy to build. We needed to remove any third party dependencies. We needed to figure out a way to earn a living after open source. We needed to define all of our new support packages. We needed to prepare the web site and all of the manuals. We needed to set up proper mailing lists and support forums. We needed to ensure our Internet server could handle the traffic and was properly configured.

How does Quasar compare with QuickBooks? Tonnellier noted that Quasar is missing QuickBooks' payroll component, but that Quasar "has very powerful inventory control, including auto ordering and merchandise cost landing." A list of Quasar's features can be found on the Linux Canada website.

This reporter downloaded the Quasar packages for SUSE Linux 9.2 and took Quasar for a test drive. Linux Canada has provided source code and packages for Fedora Core, Mandrake, Red Hat, Slackware, and SUSE. We tested Quasar with the PostgreSQL backend, which was a bit tricky to set up initially, but once we got it working it was smooth sailing.

For Linux users who want an accounting package for individual use, Quasar is probably overkill. However, the package has plenty of features that make it attractive to small businesses that have to manage invoices, inventory, purchase orders, vendor payments and so forth.

The interface was fairly intuitive, even though this reporter is decidedly not well-versed in accounting. Quasar also includes an extensive online help system so that almost every window and dialog has an associated help file that explains the current operation. We did run into the occasional glitch, such as the Item Lookup dialog. When searching for a Department for an item, clicking on "New" brings up a "Department Master" dialog that refuses to accept user input until the Item Lookup window is closed. However, we didn't find many glitches of this nature.

Overall, Quasar is a decent accounting application that seems to have most of the features that a small business would need, excepting the payroll functions that Tonnellier alluded to. This is, of course, a feature that many businesses will still need to have, and will probably keep many businesses from turning to Quasar.

Despite the rough edges, we'd recommend that users evaluate Quasar to see if it would suit their needs. Since Quasar is now licensed under the GPL, the Linux community can help Linux Canada add the features and polish it needs to be competitive with proprietary accounting applications. Given the number of users and organizations that would benefit from, and have been looking for, an open source accounting software system, Quasar shouldn't have any shortage of developers willing to take it to the next level.

This week's Bad Law Proposal

The state of California has long been known for innovative public policies and laws. Sometimes, the state can be truly visionary in its policies, and, sometimes...

Senator Kevin Murray, from Los Angeles, has put forward a proposed law which would attack the dreaded scourge of peer-to-peer file sharing networks. In particular, the proposed law reads:

Any person or entity that sells, offers for sale, advertises, distributes, disseminates, provides, or otherwise makes available peer-to-peer file sharing software that enables its user to electronically disseminate commercial recordings or audiovisual works via the Internet or any other digital network, and who fails to exercise reasonable care in preventing use of that software to commit an unlawful act with respect to a commercial recording or audiovisual work... is punishable, in addition to any other penalty or fine imposed, by a fine not exceeding two thousand five hundred dollars ($2,500), imprisonment in a county jail for a period not to exceed one year, or by both that fine and imprisonment.

Of course, "peer-to-peer file sharing software" is a vague term, so Sen. Murray makes it even more so:

As used in this section, "peer-to-peer file sharing software" means software that once installed and launched, enables the user to connect his or her computer to a network of other computers on which the users of these computers have made available recording or audiovisual works for electronic dissemination to other users who are connected to the network.

It does not require a particularly expansive reading of that language to conclude that, say, a Linux distribution with an FTP client or web browser meets that definition. The law does not address what "reasonable care" means, but, presumably, "no attempt whatsoever to prevent the distribution of proprietary materials" would not make the grade. The paranoid among us might well see an attempt to outlaw free software here... except for the little problem that this law would be equally applicable to any general-purpose, proprietary operating system.

This bill will most probably encounter a rough road, and, with luck, will not be passed. It is, however, another result of a view which is being encouraged by the entertainment industry (and others): software is an inherently dangerous tool which must be heavily regulated. Manufacturers and distributors of cooking knives, hand guns, gasoline, automobiles, etc. are not required to design their products in such a way as to prevent the commission of the obvious crimes which those products enable. But software is a riskier item, and cannot be trusted.

The free software community values the freedom it has: if we have a particular need, the only thing that stands between us and satisfying that need is the requisite hacking time. Increasingly, however, we are hearing that our code is illegal in some part of the world or other, regardless of its intent or legitimate uses. This problem is only likely to get worse as the Powers That Be try to get a handle on the strong, but relatively uncontrolled free software world.

Page editor: Jonathan Corbet

Security

Vulnerabilities and updates in 2004

2004 was another busy year for those concerned with the security of their systems. The LWN security database shows that the top-tier distributors issued 1660 updates in 2004 in response to 396 vulnerabilities. Once again, the kernel leads the list for the sheer number of vulnerabilities: 19 of them last year. Apache comes in second with 12 vulnerabilities - though that figure mixes versions 1 and 2 which, arguably, should be kept separate.

For the curious, here's the beginning of our table showing vulnerabilities and resulting alerts for 2004:

Vulnerability Debian Fedora Fedora Legacy Gentoo Mandrake Red Hat SuSE Ubuntu
a2ps X X X
abcm2ps X
acrobat X
acroread X
acroread X X
apache X X X
apache X X X X X X X
apache X X X
apache X X X
apache X X X X X X X
apache X X X X
apache X X X X X
apache X X
apache X
apache X X
apache X X X X
apache X X X X X X
archive::zip X X
aspell X X
atari800 X
automake X

For the full table, in its bandwidth- and browser-busting glory, see this page over here.

When viewing this table, please keep in mind one fundamental limitation it has: we have no way of marking when a given distribution is not affected by a vulnerability. So, if no alerts show for a specific combination of distributor and vulnerability, it means either (1) the distributor did not bother to issue an update, or (2) that distribution was not vulnerable. Someday we hope to get to where we can distinguish between those two situations.

Security news

Verizon persists with European email blockade (Register)

The Register reports that Verizon has come up with a novel way of reducing spam delivered to its customers: blocking all email from Europe. "Verizon's three million DSL customers waiting for emails from Europe were advised to use alternative forms of communication. 'If it's really important you might want to make a phone call...'"

New vulnerabilities

apache: temporary file vulnerability

Package(s):apache CVE #(s):
Created:January 19, 2005 Updated:January 19, 2005
Description: Javier Fernández-Sanguino Peña noticed that the Apache 1.3 "check_forensic" script created temporary files in an insecure manner.
Alerts:
Ubuntu USN-65-1 2005-01-19

chbg: buffer overflow

Package(s):chbg CVE #(s):CAN-2004-1264
Created:January 18, 2005 Updated:February 2, 2005
Description: Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine.
Alerts:
Mandrake MDKSA-2005:027 2005-02-01
Debian DSA-644-1 2005-01-18

gatos: buffer overflow

Package(s):gatos CVE #(s):CAN-2005-0016
Created:January 17, 2005 Updated:January 17, 2005
Description: Erik Sjölund discovered a buffer overflow in xatitv, one of the programs in the gatos package, that is used to display video with certain ATI video cards. xatitv is installed setuid root in order to gain direct access to the video hardware.
Alerts:
Debian DSA-640-1 2005-01-17

gopher: multiple vulnerabilities

Package(s):gopher CVE #(s):CAN-2004-0560 CAN-2004-0561
Created:January 13, 2005 Updated:January 17, 2005
Description: Gopher's gopherd has an integer overflow vulnerability and the gopher log routine has a format string vulnerability.
Alerts:
Debian DSA-638-1 2005-01-13

kernel: i386 SMP page fault handler privilege escalation

Package(s):kernel CVE #(s):CAN-2005-0001
Created:January 14, 2005 Updated:February 25, 2005
Description: Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details.
Alerts:
Fedora-Legacy FLSA:2336 2005-02-24
SuSE SUSE-SA:2005:010 2005-02-25
SuSE SUSE-SA:2005:005 2005-02-04
Mandrake MDKSA-2005:022 2005-01-25
Red Hat RHSA-2005:017-01 2005-01-21
Red Hat RHSA-2005:016-01 2005-01-21
SuSE SUSE-SA:2005:003 2005-01-21
Ubuntu USN-60-0 2005-01-14
Fedora FEDORA-2005-025 2005-01-13
Fedora FEDORA-2005-026 2005-01-13

imagemagick: .psd image file decode vulnerability

Package(s):imagemagick CVE #(s):CAN-2005-0005
Created:January 18, 2005 Updated:March 23, 2005
Description: According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:070-01 2005-03-23
Red Hat RHSA-2005:071-01 2005-02-15
Gentoo 200501-37 2005-01-26
Gentoo 200501-26 2005-01-20
Debian DSA-646-1 2005-01-19
Ubuntu USN-62-1 2005-01-18

mozilla: buffer overflow

Package(s):mozilla CVE #(s):CAN-2004-1316
Created:January 14, 2005 Updated:January 17, 2005
Description: iSEC Security Research has discovered a buffer overflow bug in the way Mozilla handles NNTP URLs. If a user visits a malicious web page or is convinced to click on a malicious link, it may be possible for an attacker to execute arbitrary code on the victim's machine.
Alerts:
Red Hat RHSA-2005:038-01 2005-01-13

mysql-dfsg: insecure temporary files

Package(s):mysql-dfsg CVE #(s):CAN-2005-0004
Created:January 18, 2005 Updated:March 25, 2005
Description: Javier Fernández-Sanguino Peña noticed that the "mysqlaccess" program created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora-Legacy FLSA:2129 2005-03-24
Mandrake MDKSA-2005:036 2005-02-10
Gentoo 200501-33 2005-01-23
Debian DSA-647-1 2005-01-19
Ubuntu USN-63-1 2005-01-18

playmidi: buffer overflow

Package(s):playmidi CVE #(s):CAN-2005-0020
Created:January 17, 2005 Updated:January 20, 2005
Description: Erik Sjölund discovered that playmidi, a MIDI player, contains a setuid root program with a buffer overflow that can be exploited by a local attacker.
Alerts:
Mandrake MDKSA-2005:010 2005-01-19
Debian DSA-641-1 2005-01-17

queue: buffer overflows

Package(s):queue CVE #(s):CAN-2004-0555
Created:January 18, 2005 Updated:January 19, 2005
Description: "jaguar" of the Debian Security Audit Project has discovered several buffer overflows in queue, a transparent load balancing system.
Alerts:
Debian DSA-643-1 2005-01-18

Squid: multiple vulnerabilities

Package(s):squid CVE #(s):CAN-2005-0094 CAN-2005-0095
Created:January 17, 2005 Updated:February 2, 2005
Description: Squid contains a vulnerability in the gopherToHTML function and incorrectly checks the 'number of caches' field when parsing WCCP_I_SEE_YOU messages. Furthermore, the NTLM code contains two errors: a memory leak in the fakeauth_auth helper and a NULL pointer dereference.
Alerts:
Gentoo 200502-04:02 2005-02-02
Fedora FEDORA-2005-106 2005-02-01
Fedora FEDORA-2005-105 2005-02-01
Conectiva CLA-2005:923 2005-01-26
Mandrake MDKSA-2005:014 2005-01-24
Ubuntu USN-67-1 2005-01-20
Debian DSA-651-1 2005-01-20
Gentoo 200501-25 2005-01-16

tnftp: arbitrary file overwriting

Package(s):tnftp CVE #(s):CAN-2004-1294
Created:January 14, 2005 Updated:January 17, 2005
Description: According to this advisory, the 'mget' function in cmds.c lacks validation of the filenames that are supplied by the server. An attacker running an FTP server could supply clients with malicious filenames, potentially allowing the overwriting of arbitrary files with the permission of the connected user.
Alerts:
Gentoo 200501-24 2005-01-14

twiki: arbitrary shell command execution

Package(s):twiki CVE #(s):
Created:January 14, 2005 Updated:January 17, 2005
Description: A vulnerability in twiki was found where a remote attacker could exploit it to run arbitrary shell commands on the server. For further information, see this announcement.
Alerts:
Conectiva CLA-2005:918 2005-01-14

vim: symbolic link attack

Package(s):vim CVE #(s):CAN-2005-0069
Created:January 18, 2005 Updated:February 18, 2005
Description: Javier Fernández-Sanguino Peña noticed that the auxiliary scripts "tcltags" and "vimspell.sh" created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the script (either by calling it directly or by execution through vim).
Alerts:
Red Hat RHSA-2005:122-01 2005-02-18
Red Hat RHSA-2005:036-01 2005-02-15
Mandrake MDKSA-2005:029 2005-02-02
Ubuntu USN-61-1 2005-01-18

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

bmv: insecure temporary file

Package(s):bmv CVE #(s):CAN-2003-0014
Created:January 11, 2005 Updated:January 12, 2005
Description: Peter Samuelson, upstream maintainer of bmv, a PostScript viewer for SVGAlib, discovered that temporary files are created in an insecure fashion. A malicious local user could cause arbitrary files to be overwritten by a symlink attack.
Alerts:
Debian DSA-633-1 2005-01-11

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

cups: multiple vulnerabilities

Package(s):cups CVE #(s):CAN-2004-1267 CAN-2004-1268 CAN-2004-1269 CAN-2004-1270
Created:December 17, 2004 Updated:February 9, 2005
Description: cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter.
Alerts:
SuSE SUSE-SR:2005:003 2005-02-04
Mandrake MDKSA-2005:008 2005-01-17
Gentoo 200412-25:02 2004-12-28
Red Hat RHSA-2005:013-01 2005-01-12
Gentoo 200412-25 2004-12-28
Fedora FEDORA-2004-559 2004-12-17
Fedora FEDORA-2004-560 2004-12-17

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

dillo: format string vulnerability

Package(s):dillo CVE #(s):CAN-2005-0012
Created:January 10, 2005 Updated:January 12, 2005
Description: Gentoo Linux developer Tavis Ormandy found a format string bug in Dillo's handling of messages in a_Interface_msg(). An attacker could craft a malicious web page which, when accessed using Dillo, would trigger the format string vulnerability and potentially execute arbitrary code with the rights of the user running Dillo.
Alerts:
Gentoo 200501-11 2005-01-09

ethereal: multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2004-1139 CAN-2004-1140 CAN-2004-1141 CAN-2004-1142
Created:December 20, 2004 Updated:January 13, 2005
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.8, including:
  • Bug in DICOM dissection discovered by Bing could make Ethereal crash (CAN-2004-1139).
  • An invalid RTP timestamp could make Ethereal hang and create a large temporary file (CAN-2004-1140).
  • The HTTP dissector could access previously-freed memory (CAN-2004-1141).
  • Brian Caswell discovered that an improperly formatted SMB could make Ethereal hang (CAN-2004-1142).
Alerts:
Conectiva CLA-2005:916 2005-01-13
Debian DSA-613-1 2004-12-21
Mandrake MDKSA-2004:152 2004-12-20
Gentoo 200412-15 2004-12-19

exim: buffer overflows

Package(s):exim CVE #(s):CAN-2005-0021 CAN-2005-0022
Created:January 7, 2005 Updated:February 15, 2005
Description: A buffer overflow in the host_aton() function in Exim 4.4x may allow execution of arbitrary commands with elevated privileges by a local user. This has been patched in Exim 4.43.

Additionally, there is another buffer overflow in Exim's auth_spa_server(), which is also fixed in Exim 4.43.

Alerts:
Red Hat RHSA-2005:025-01 2005-02-15
Gentoo 200501-23 2005-01-12
Debian DSA-637-1 2005-01-13
Debian DSA-635-1 2005-01-12
Ubuntu USN-56-1 2005-01-07
Fedora FEDORA-2005-001 2005-01-06

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Fedora-Legacy FLSA:2188 2005-02-10
Red Hat RHSA-2004:604-01 2004-10-20
Mandrake MDKSA-2004:117 2004-11-01
Ubuntu USN-8-1 2004-10-27
Gentoo 200410-23 2004-10-24
Slackware SSA:2004-296-01 2004-10-25

Gallery: cross-site scripting vulnerability

Package(s):Gallery CVE #(s):CAN-2004-1106
Created:November 8, 2004 Updated:January 17, 2005
Description: Jim Paris has discovered a cross-site scripting vulnerability in Gallery. By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the user's gallery.
Alerts:
Debian DSA-642-1 2005-01-17
Gentoo 200411-10:01 2004-11-06

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10


ghostscript: symlink vulnerabilities

Package(s): ghostscript  CVE #(s): CAN-2004-0967
Created: October 20, 2004  Updated: September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20


glibc: Information leak with LD_DEBUG

Package(s): glibc  CVE #(s): CAN-2004-1453
Created: August 17, 2004  Updated: May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16


glibc: tempfile vulnerability in catchsegv script

Package(s): glibc  CVE #(s): CAN-2004-0968
Created: October 21, 2004  Updated: November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21


gnome-vfs: backend script vulnerabilities

Package(s): gnome-vfs  CVE #(s): CAN-2004-0494
Created: August 4, 2004  Updated: February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04


groff: insecure temp file

Package(s): groff  CVE #(s): CAN-2004-1296
Created: December 20, 2004  Updated: January 17, 2005
Description: Javier Fernández-Sanguino Peña discovered that the auxiliary scripts "eqn2graph" and "pic2graph" created temporary files in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Ubuntu USN-43-1 2004-12-20


groff: insecure temporary directory

Package(s): groff  CVE #(s): CAN-2004-0969
Created: November 1, 2004  Updated: February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01


gtkhtml: malformed messages cause crash

Package(s): gtkhtml  CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003  Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug in the handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14


hylafax: weak hostname and username validation

Package(s): hylafax  CVE #(s): CAN-2004-1182
Created: January 11, 2005  Updated: January 13, 2005
Description: Patrice Fournier discovered a vulnerability in the authorization subsystem of hylafax, a flexible client/server fax system. A local or remote user guessing the contents of the hosts.hfaxd database could gain unauthorized access to the fax system. Fixed in HylaFAX 4.2.1.
Alerts:
Mandrake MDKSA-2005:006 2005-01-12
Debian DSA-634-1 2005-01-11
Gentoo 200501-21 2005-01-11


imlib: buffer overflows in image decoding

Package(s): imlib  CVE #(s): CAN-2004-1026
Created: December 6, 2004  Updated: January 13, 2005
Description: Pavel Kankovsky discovered that several overflows found in the libXpm library also applied to imlib. He also fixed a number of other potential flaws. A remote attacker could entice a user to view a carefully-crafted image file, which would potentially lead to execution of arbitrary code with the rights of the user viewing the image. This affects any program that makes use of the imlib library.
Alerts:
Mandrake MDKSA-2005:007 2005-01-12
Gentoo 200501-19 2005-01-11
Ubuntu USN-55-1 2005-01-06
Debian DSA-628-1 2005-01-06
Ubuntu USN-53-1 2004-12-29
Debian DSA-618-1 2004-12-24
Red Hat RHSA-2004:651-01 2004-12-10
Gentoo 200412-03 2004-12-06


imlib2: buffer overflows

Package(s): imlib2  CVE #(s): CAN-2004-0802 CAN-2004-0817
Created: September 8, 2004  Updated: October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07


iptables: missing initialization

Package(s): iptables  CVE #(s): CAN-2004-0986
Created: November 1, 2004  Updated: February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required kernel modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup; the failure was observed at least in combination with rules provided by lokkit.
Alerts:
Fedora-Legacy FLSA:2252 2005-02-10
Ubuntu USN-81-1 2005-02-11
Mandrake MDKSA-2004:125 2004-11-04
Debian DSA-580-1 2004-11-01


kdelibs: unsanitized input

Package(s): kdelibs  CVE #(s): CAN-2004-1165
Created: January 10, 2005  Updated: July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, that allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL containing a URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10


kerberos5: execution of arbitrary code by authenticated user

Package(s): kerberos5  CVE #(s): CAN-2004-1189
Created: December 21, 2004  Updated: February 15, 2005
Description: There is a buffer overflow in the password history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server.
Alerts:
Red Hat RHSA-2005:045-01 2005-02-15
Red Hat RHSA-2005:012-01 2005-01-19
Conectiva CLA-2005:917 2005-01-13
Ubuntu USN-58-1 2005-01-10
Debian DSA-629-1 2005-01-07
Gentoo 200501-05 2005-01-05
Mandrake MDKSA-2004:156 2004-12-22
Fedora FEDORA-2004-564 2004-12-21
Fedora FEDORA-2004-563 2004-12-21
Trustix TSLSA-2004-0069 2004-12-21


kernel: race condition, privilege escalation

Package(s): kernel  CVE #(s): CAN-2004-1235 CAN-2004-1337
Created: January 10, 2005  Updated: January 19, 2005
Description: Paul Starzetz discovered a race condition in the ELF library and a.out binary format loaders, which can be locally exploited in several different ways to gain root privileges. (CAN-2004-1235)

Liang Bin found a design flaw in the capability module. After this module was loaded on demand in a running system, all unprivileged user space processes got all kernel capabilities (thus essentially root privileges). (CAN-2004-1337)

Alerts:
Red Hat RHSA-2005:043-01 2005-01-18
Trustix TSLSA-2005-0001 2005-01-13
Fedora FEDORA-2005-013 2005-01-10
Fedora FEDORA-2005-014 2005-01-10
Ubuntu USN-57-1 2005-01-09


kernel-utils: setuid vulnerability

Package(s): kernel-utils  CVE #(s): CAN-2003-0019
Created: February 7, 2003  Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07


Konqueror: Java sandbox vulnerabilities

Package(s): konqueror  CVE #(s): CAN-2004-1145
Created: January 11, 2005  Updated: January 12, 2005
Description: According to this KDE Security Advisory, two flaws in the Konqueror web browser make it possible to bypass the sandbox environment used to run Java applets. All versions of KDE up to and including KDE 3.3.1 are affected. KDE 3.3.2 is not affected.
Alerts:
Gentoo 200501-16 2005-01-11


libgd2: buffer overflows in PNG handling

Package(s): libgd2  CVE #(s): CAN-2004-0990 CAN-2004-0941
Created: October 29, 2004  Updated: June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used from PHP. One possible target would be a PHP-driven photo website that lets users upload images; there, this vulnerability might lead to privilege escalation to the web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows, due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29