
LWN.net Weekly Edition for February 3, 2005

Interview: OSI's new president

On January 31, the Open Source Initiative announced an expansion of its efforts and the appointment of Russ Nelson as its president. Mr. Nelson was kind enough to answer a few questions from LWN on the OSI and where he thinks it is headed. The questions, and his answers, can be found below. We thank Russ for taking the time to fill us in.

LWN: So you're the new president of OSI. Why did you take on that role, and where do you anticipate taking the OSI in the near future?

To Infinity ... and Beyond!

No, wait, that's Bruce Perens' line [Bruce worked for Pixar and is in the Toy Story credits].

Never before in history have we had a time when one person of ordinary intelligence can write a program which becomes used by half the worldwide computer-using population. This creates so many problems between countries that I really feel they have to be addressed with a treaty.

I think that the end goal is an international treaty concerning Open Source. Just to take one tiny portion of that issue: today somebody asked us for an "official Spanish version de license MIT". We can't do that. I mean, we could translate it (or more properly find a volunteer to translate it and publish it on opensource.org), but the problem is that almost certainly the author of the MIT-licensed software didn't give us permission to license his software under the Spanish-language MIT license.

In many ways, the OSI appears to have fallen from view. Until this news hit, the most recent item listed on the front page was dated October, 2001. The OSI gets called upon to put its stamp on a license occasionally; what else does the OSI do now? Is it relevant to the free software development process, and how?

When were we ever relevant to the free software development process? We've always been an education/advocacy group. If you're already convinced that open source is a good thing, what more would we say to you? Really, the only time somebody inside the open source community needs to be concerned with us is when they talk to someone outside the community. If that person needs to be whupped around a little, send 'em to us and we'll give 'em what for.

We continue to do what we've always done: talk to people about open source. Calm their fears, and renew their hopes.

The press release states that OSI will set out on "the establishment of principles of Open Source development and best practices" and "the creation of a registry of software projects that adhere to those principles." What need is driving the creation of these principles and the associated registry?

I believe that there is such a thing as an "Open Source effect". That effect requires more than just a license that complies with the Open Source Definition (OSD). We need to be more clear about that, because we sometimes have people who come along and want to create a license which complies with the letter of the OSD but not the spirit. The trouble is that the benefits come with the spirit. We need to do a better job of codifying the spirit.

When you talk about "inclusion of international perspectives and initiatives related to Open Source," what do you mean?

Working towards the end goal (as above) and adding board members from outside the US. We're starting to get some non-US, non-Europe (if you look at the map of locations of Debian developers, there are a LOT of them in Europe) countries that are signing on to open source in a BIG way. Take Brazil for example. We need better representation in those countries.

Why does the OSI need *two* legal counselors? What do they do?

Why does a computer need *two* power supplies? We felt that the job had grown to the point that one sole-proprietor lawyer (Larry Rosen) couldn't do the job anymore, and Larry's open source practice had expanded. It's possible that one law-firm lawyer could have brought in enough resources, but we wanted to share the work. In essence, Mark is inward-facing and Laura is outward-facing. She has been on the license-discuss mailing list for years now. She has also started to help with legally-oriented correspondence. Mark will help us with, among other things, registering the OSI-Certified mark, and with overhauling our bylaws.

How will the new OSI board members be selected? In general, how is the OSI kept accountable to the community it hopes to represent?

We are still a small, self-selecting board. We expect to change that in some way, but the details are still in the air. Having a larger board will take us in that direction no matter what.

How do you expect OSI to work with other free software-oriented groups, such as OSDL and the FSF? Will there be more cooperation in the future?

CAGE MATCH!! BLOOD, GORE, AND DEATH! Er, um, sorry. We had a dinner last summer with OSDL to talk about license proliferation issues. We are on cordial relations with the FSF, AND EXPECT TO TAKE THEM OVER SHORTLY! Sorry, I must apologize for all these capital letters. I don't know where they're coming from. I'll be in Boston in a couple of weeks for Linux World. I expect that I'll run into Bradley Kuhn and HE'LL DIE we'll talk about further ways in which the OSI and FSF could cooperate. I know of no reason why any animosities between us cannot be overcome AND CRUSHED LIKE A BUG.

Is there anything else which you would like to communicate to LWN readers?

Is this the point at which I add various mealy-mouthed corporate statements?

I think it's great to be President of the OSI at this point in time. We've had a strong president in Eric Raymond who took us from nothing to a highly respected member of the open source community. As corporations and governments come to be part of the community, we have to double and redouble our educational and advocacy efforts. We need to make sure that corporations know how to work with individual developers, and that governments know how to set the rules so everybody can work together. And we have to squash software patents, but that's a different interview.

Comments (34 posted)

GNOME and KDE priorities

February 2, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

With the KDE 3.4 and GNOME 2.10 releases on the horizon, we decided to take a look at both projects to see where both desktop teams were focusing their efforts. To get a feel for the priorities of each team, this reporter "test drove" the KDE 3.4 beta 1 using the SUSE 9.2 packages and GNOME 2.9.4 with Ubuntu's Live CD. We also spoke to KDE core developer Zack Rusin about the 3.4 release and GNOME release team member Luis Villa about GNOME's 2.10 release.

Both KDE 3.4 and GNOME 2.10 are incremental releases. That is to say, neither desktop is undergoing dramatic changes in the upcoming release and casual users may not notice many changes. Instead, there are a number of small improvements and enhancements to the current desktop that users will find in each release.

[KDE screenshot]

Both projects are concentrating on backward compatibility. KDE's Rusin said that the 3.x series is basically in "maintenance" mode, with the KDE team trying to add features that users want, without major changes that would compromise compatibility with older releases. He noted that one of the goals for the 3.4 release is to maintain binary compatibility with the earlier 3.x releases. GNOME's Villa said that the GTK core toolkit has a strict ABI/API compatibility policy. "If you build against GTK 2.0, you should be able to run against GTK 2.6 with no problems." He also said that other core GNOME libraries provide the same guarantee, "that's why we have Firefox and Eclipse building against us."

According to Villa, the 2.10 release will see more bugfixes than usual. He said that, depending on how you track bugs, the 2.10 release already includes between 1,000 and 5,000 closed bugs -- and that's before the final feature freezes and bug fixing before the final release. Villa did note that the GNOME team always places a high priority on quality control, but that this release seemed to have a higher than normal number of bugfixes.

[GNOME screenshot]

Another focus for the GNOME team in 2.10 is implementation of freedesktop.org standards agreed upon by the GNOME and KDE teams. Villa noted that the GNOME team had revamped the menu structure to comply with the freedesktop.org menu specification.

The GNOME release adds a new "Places" menu to the panel that allows the user to quickly navigate between their home folder, the desktop, CD-ROM and network locations. Villa said that the GNOME team has also addressed some of the complaints about the file chooser from the last version of GNOME, and that the typeahead feature has returned.

Both desktops are increasingly friendly for users with disabilities. Villa said that the 2.10 release did not focus on improvements to accessibility because GNOME is "already far and away the leaders in accessibility."

The KDE team, on the other hand, has made accessibility a major priority in 3.4. One major new feature that users will find in 3.4 is the text-to-speech system, which will be available in many applications. Rusin said there is also a new "mono" theme for 3.4 that would be better for users who have difficulty with the high-color styles used in KDE. Rusin noted that working on accessibility was difficult because it is "such a hugely complicated area," and that the KDE team will continue to add functionality in future releases.

Multimedia has also gotten a boost in GNOME 2.10. According to Villa, the Gstreamer integration is greatly improved in GNOME 2.10. This is the first release where Totem has been integrated into the GNOME release process, and Villa also said it was the first release where the Totem team had worked more closely with the Gstreamer team. Totem had previously worked with Xine, but Villa said that Xine had "legal encumbrances" that made it more difficult for vendors to distribute. There is also a new and improved mixer applet in GNOME 2.10 that hides some of the complexity from the user, at least at first. Villa said users would still be able to get to all of the functionality of their sound card with the mixer, but wouldn't be presented with it at first glance.

Both KDE and GNOME teams have been beefing up their groupware offerings. Rusin told LWN that KDE PIM had been "hugely improved" for 3.4. Kontact has expanded its support of GroupWare servers with support for Novell GroupWise and OpenGroupware.org, and partial support for Microsoft Exchange Server 2000. Kontact also supports OpenExchange Server, eGroupWare and Kolab.

Evolution's latest release includes eplugin, a plugin architecture to allow developers to extend Evolution with new features. Some of the plugins available now include an inline audio player for Evolution, an Exchange account setup plugin and an "automatic contacts" plugin that creates address book entries when a user replies to e-mails. Evolution already includes the Exchange plugin, and Villa said that Evolution was also getting a lot of work to be compatible with Novell GroupWise.

KDE 3.4 marks the first inclusion of aKregator, a feed aggregator for KDE. This writer found aKregator very easy to use, and its integration with Konqueror and Kontact makes it a great choice for KDE users. The KDE team has also beefed up KPDF to include support for the text-to-speech features.

From talking to developers on both teams, it's clear that both desktops are trying to move towards better "enterprise" capability, and making it easier for others to develop applications for the respective desktops. From using both, it's clear to this writer that GNOME and KDE view users differently. GNOME continues to move towards a simple end-user interface, while KDE is more about adding features that users want -- even if it increases complexity.

Users who want to try out GNOME 2.10, without the hassle of compiling GNOME or installing it, should look to the Ubuntu Live CD for the upcoming Hoary Hedgehog release. Rusin said he wasn't aware of any Live CDs with KDE 3.4 beta just yet, but something might pop up on the Knoppix lists.

Comments (12 posted)

Grokster, the Little Engine that Could, Chugs Up One Last Hill

Grokster is the Little Engine That Could. So far, against overwhelming odds, it has successfully dodged every legal bullet a massive horde of entertainment companies - some 28 of them, representing the interests of the music recording and movie industry - have thrown at it. Now, there is one more hill, and it's the steepest of them all, a hearing before the US Supreme Court in March.

There is a lot more at stake than just the fate of a couple of peer-to-peer file sharing services. What's at stake, to quote from one of the many amici briefs filed in this high-profile case (this one by the Computer & Communications Industry Association and NetCoalition) is nothing less than this: it's a push to overturn the court's ruling in Sony Corp. of America v. Universal City Studios, 464 U.S. 417 (1984) (the "Betamax case") and replace it "with new standards that would as a practical matter give the entertainment industry a veto power over the development of innovative products and services."

[Editor's note: due to the length of this article, we have not put the whole thing inline in the Weekly Edition. The full text of PJ's Grokster article may be found on its own page.]

Comments (2 posted)

European software patent update

January 28, 2005

This article was contributed by Tom Chance.

On 24 September 2003, after 19 months of consideration, the European Parliament voted on the software patent directive and made substantial amendments to exclude patents on pure software and business methods. However, regular rows between the European Council and Parliament, the Council's disregard of many of the Parliament's amendments, and the subterfuge tactics of the European Parliament's Committee for Legal Affairs (JURI) in trying to push the directive through mean that pure software patents in Europe are still a scary possibility.

Restart the process?

Under the co-decision rules for European lawmaking, the European Parliament, Commission and the Council all have to agree to the text of the directive before it can come into force. However at this stage in the legislative process (it is now at its second reading), if the European Council continues to ignore the Parliament's amendments, it will be extremely difficult for the European Parliament to keep them.

An absolute majority (two thirds of all MEPs, or at least 367 votes) is required in a second reading for each Council amendment the Parliament wishes to reject. Every MEP absent in the plenary chamber that day and every abstention vote would count in favor of the Council proposal. In 2004, the University of Duisburg-Essen released a study which showed that on average only 56.2% of Italian MEPs took part in the 4,437 roll call votes held in European Parliament between 1999 and 2003. The most diligent MEPs are from Luxembourg with a presence of 85.2%. We would, in other words, have to encourage an abnormally high turnout of MEPs for an issue that struggles to capture their imaginations.

This is even more worrying when you consider that a majority of the MEPs currently in parliament were elected in 2004 and did not even participate in the first reading of the directive. Ten new countries, with no previous say in the directive, also joined the EU in 2004. If the council position is officially announced, the Parliament will be forced to vote on the second reading within three to four months. This would give a relatively new Parliament little opportunity for discussion and consultation, and could lead to software patent loopholes if critical amendments were left out.

On the 2nd of February, JURI is set to decide whether or not to restart the procedure. This decision has only been possible because of a motion, signed by 61 members of the European Parliament, calling for a new first reading of the software patent directive. Poland has also helped significantly by repeatedly postponing the adoption of the Council's software patent agreement, but can only do this for so long before other states pressure them on issues more important to the Polish economy.

A complete restart is one of the best (and only) feasible solutions left. As there are no absolute majority requirements in first readings, it would be easier for European Parliament to pass amendments. The Council would have to have a new first reading, canceling their current pro-software patent position and putting pressure on them to avoid adopting a similar stance so contrary to the will of Parliament. A restart would also enable new member states to have their say from the beginning, making it a more democratic directive.

What can you do?

The only reason we don't have software patents in Europe is because of the efforts of activists protesting and lobbying against them. In Europe, according to the European Patent Office, already 7% of applicants hold more than 50% of patents. If we don't want to go down a path whereby a start-up or open source company with no patents will be forced to pay whatever price larger corporations choose to impose, we must get out there and fight to stop it happening. Here are a few ideas to get you started:

  • Help spread the word about software patents by joining the Web Demo. Register your site at http://demo.ffii.org/.

  • Contact a member of JURI with your concerns about software patents and your support for a restart of the software patent directive. The JURI committee has members from many different European member states, and these MEPs are best contacted by people from their own countries, since they will be much more likely to respond and raise your concerns within JURI. Find your MEPs here.

  • Contact your local MEPs to lobby members of JURI on your behalf. If you don't have time to seriously lobby a member of JURI, get your local MEP to do it for you. MEPs are supposed to represent their constituents, so let them help you get your message across. Find out who they are here.

  • Visit European Parliament in Brussels to lobby MEPs (especially the JURI committee) about software patents. Ask for more information on this mailing list.

  • If you are too busy to do any of the above, you might consider donating to organizations like the FFII and the Electronic Frontier Foundation, who are trying to ensure that software patent legislation is compatible with small and medium enterprises as well as free or open source software. Large software companies employ people to do nothing but patent lobbying, so we need to support those people who are opposing them as much as possible.

(Edward Griffith-Jones contributed to the writing of this article).

Comments (13 posted)

Page editor: Jonathan Corbet

Security

Address space randomization in 2.6

Arjan van de Ven has posted a series of patches which add some address space randomization to the 2.6 kernel. With these patches applied, each process's stack will begin at a random location, and the beginning of the memory area used for mmap() (which is where shared libraries go, among other things) will be randomized as well. These patches represent an improvement in the kernel's security infrastructure, but the reception on the public lists has been surprisingly hostile.

Many buffer overflow exploits, especially those used in large-scale attacks, contain hardcoded addresses. An exploit which overflows a stack variable will place some executable code on the stack; it then overwrites the return pointer so that the broken function "returns" into the exploit code. If you look at a given distribution's shipped version of a vulnerable program, an exploit will always be able to place its payload at the same address on the stack, so it can contain that address directly. If, instead, the exploit author does not know ahead of time where the payload will end up, actually getting the computer to execute that code will be much harder.

That is why the stack randomization patch helps. When the stack location is deterministic, a relatively simple exploit can be made to work on all systems running the vulnerable distribution. If the stack moves, instead, hardcoded addresses no longer work.

Moving the mmap() area has similar benefits. One popular type of exploit prepares the stack and then "returns" into a shared library somewhere. That return can, for example, cause the application to behave as if it had intentionally called system() or a similar library function. Moving the libraries around makes these attacks harder.

One of the biggest complaints that has been raised is that the amount of randomization is insufficient. The patches, as posted, vary the stack base within a 64KB area and the mmap() base within a 1MB range. Alignment requirements prevent just any address from being used, so only a relatively small number of possible base addresses exists. A determined attacker could therefore repeatedly run a hardcoded exploit with some assurance that, within a reasonable amount of time, the stack would land at the right place and the exploit would work. Placing a long series of no-op instructions at the beginning of the payload can also make an exploit more robust when faced with randomization.

Arjan responds that the amount of randomization is not the issue at the moment. He is trying to get the infrastructure into the kernel and tested in a minimally disruptive way; the degree of randomization can be tweaked upward later on. That amount may never get as high as some people would like, at least on 32-bit systems, because it cuts back on the available virtual address space. But it is likely to go up once the developers are convinced that things are working.

In any case, more randomness makes the attacker's problem harder, but does not change its fundamental nature. With the ability to keep trying, an attacker will eventually get around any degree of randomization possible on 32-bit systems (64-bit systems are a different story). Thus, says Ingo Molnar:

conclusion: stack randomisation (and other VM randomisations) are not a tool against local attacks (which are much easier and faster to brute-force) or against targeted remote attacks, but mainly a tool to degrade the economy of automated remote attacks.

Randomization is not a magic bullet which solves a wide range of security problems. It does make an attack harder, however, and that can only be a good thing.
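As an added example (not code from the article or from Arjan van de Ven's patches), the following C program measures the property the article describes: how far the stack base and the mmap() base actually move from one execution to the next. It assumes a Linux system with /proc/self/exe; it re-executes itself 64 times, each child prints the address of a stack variable and of a freshly mapped page, and the parent counts how many distinct values it saw. The 64KB and 1MB ranges are the article's figures; the 16-byte stack alignment and 4KB page alignment used to turn those ranges into a number of possible base addresses are assumptions, and the kSample array is a constructed self-check input.

```c
/* Added example, not code from the LWN article or from Arjan van de Ven's
 * patches: a Linux probe that measures how far the stack base and the mmap()
 * base move between executions. Assumes Linux with /proc/self/exe. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define PROBE_RUNS 64

/* Distinct bases available when a base varies over `range` bytes but must
 * stay `align`-aligned: the set an attacker would have to guess among. The
 * 64KB/1MB ranges used below are the article's; 16-byte stack and 4KB page
 * alignment are assumptions. */
static unsigned long possible_bases(unsigned long range, unsigned long align)
{
    return align ? range / align : 0;
}

/* Number of distinct values in a small array (O(n^2) is fine for 64 runs). */
static size_t count_distinct(const uintptr_t *v, size_t n)
{
    size_t distinct = 0, i, j;
    for (i = 0; i < n; i++) {
        for (j = 0; j < i && v[j] != v[i]; j++)
            ;
        if (j == i)
            distinct++;
    }
    return distinct;
}

/* Constructed sample, three distinct addresses in four runs, for self-checks. */
static const uintptr_t kSample[4] = { 0x7ffd1000, 0x7ffd2000, 0x7ffd1000, 0x7ffd3000 };

/* Child mode: print where the stack and a fresh mapping landed. /dev/zero is
 * mapped rather than MAP_ANONYMOUS to stay within plain POSIX. */
static int probe_child(void)
{
    volatile int marker = 0;                       /* lives on the stack */
    int fd = open("/dev/zero", O_RDONLY);
    if (fd < 0)
        return 1;
    void *region = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (region == MAP_FAILED)
        return 1;
    printf("%lx %lx\n", (unsigned long)&marker, (unsigned long)region);
    return munmap(region, 4096);
}

/* Parent mode: only exec (not fork) yields a fresh layout, so every sample
 * comes from a re-executed child whose one output line is read over a pipe. */
static int run_probe(const char *self, uintptr_t *stack, uintptr_t *map, size_t runs)
{
    for (size_t i = 0; i < runs; i++) {
        int fd[2];
        pid_t pid;
        char buf[64] = { 0 };
        unsigned long s, m;
        if (pipe(fd) < 0 || (pid = fork()) < 0)
            return -1;
        if (pid == 0) {
            dup2(fd[1], STDOUT_FILENO);
            close(fd[0]);
            close(fd[1]);
            execl(self, self, "--probe", (char *)NULL);
            _exit(127);
        }
        close(fd[1]);
        ssize_t got = read(fd[0], buf, sizeof buf - 1);
        close(fd[0]);
        waitpid(pid, NULL, 0);
        if (got <= 0 || sscanf(buf, "%lx %lx", &s, &m) != 2)
            return -1;
        stack[i] = s;
        map[i] = m;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0)
        return probe_child();
    uintptr_t stack[PROBE_RUNS], map[PROBE_RUNS];
    if (run_probe("/proc/self/exe", stack, map, PROBE_RUNS) < 0) {
        perror("probe");
        return 1;
    }
    printf("stack base: %zu distinct values in %d runs\n", count_distinct(stack, PROBE_RUNS), PROBE_RUNS);
    printf("mmap base:  %zu distinct values in %d runs\n", count_distinct(map, PROBE_RUNS), PROBE_RUNS);
    printf("64KB stack range at 16-byte alignment: %lu possible bases; "
           "1MB mmap range at 4KB pages: %lu\n",
           possible_bases(64 * 1024, 16), possible_bases(1024 * 1024, 4096));
    return 0;
}
```

Run it with no arguments. On a kernel without any randomization both counts come out as 1: every execution lands in the same place, which is exactly the determinism a hardcoded exploit relies on. The probe re-executes rather than merely forking because a forked child inherits its parent's layout; only a new exec gets a new stack and mmap() base. Under the assumed alignments, the ranges quoted in the article amount to 4096 possible stack bases and 256 possible mmap() bases, which is why the discussion above treats the posted amount of randomization as a first step rather than a barrier against repeated attempts.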

Comments (13 posted)

New vulnerabilities

bind: validator function denial of service

Package(s):bind CVE #(s):CAN-2005-0034
Created:January 27, 2005 Updated:February 1, 2005
Description: A vulnerability was discovered in BIND version 9.3.0: an incorrect assumption in the validator function can be exploited by a remote attacker to cause named to exit prematurely.
Alerts:
Mandrake MDKSA-2005:023 2005-01-26

Comments (none posted)

ClamAV: multiple issues

Package(s):clamav CVE #(s):CAN-2005-0133
Created:January 31, 2005 Updated:March 3, 2005
Description: ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs.
Alerts:
Conectiva CLA-2005:928 2005-03-03
Mandrake MDKSA-2005:025 2005-01-31
Gentoo 200501-46 2005-01-31

Comments (none posted)

cpio - file permissions error

Package(s):cpio CVE #(s):CAN-1999-1572
Created:February 2, 2005 Updated:July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02

Comments (none posted)

f2c: insecure temp files

Package(s):f2c CVE #(s):CAN-2005-0017 CAN-2005-0018
Created:January 27, 2005 Updated:April 20, 2005
Description: The f2c Fortran-to-C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack.
Alerts:
Debian DSA-661-2 2005-04-20
Gentoo 200501-43 2005-01-30
Debian DSA-661-1 2005-01-27

Comments (none posted)

FireHOL: insecure temporary file creation

Package(s):FireHOL CVE #(s):
Created:February 1, 2005 Updated:February 1, 2005
Description: FireHOL insecurely creates temporary files with predictable names. A local attacker could create malicious symbolic links to arbitrary system files. When FireHOL is executed, this could lead to these files being overwritten with the rights of the user launching FireHOL, usually the root user.
Alerts:
Gentoo 200502-01 2005-02-01

Comments (none posted)

Gallery: cross-site scripting vulnerability

Package(s):gallery CVE #(s):
Created:January 31, 2005 Updated:February 10, 2005
Description: Rafel Ivgi has discovered a cross-site scripting vulnerability where the 'username' parameter is not properly sanitized in 'login.php'. See this Gallery announcement for the release of 1.4.4-pl5 for more information.
Alerts:
Gentoo 200501-45:03 2005-01-30
Gentoo 200501-45 2005-01-30

Comments (none posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Fedora-Legacy FLSA:152904 2006-05-12
Fedora FEDORA-2005-435 2005-08-16
Red Hat RHSA-2005:371-01 2005-05-17
Mandrake MDKSA-2005:028 2005-02-01
Gentoo 200501-44 2005-01-30

Comments (none posted)

ngIRCd: buffer overflow

Package(s):ngIRCd CVE #(s):
Created:January 28, 2005 Updated:February 1, 2005
Description: Florian Westphal discovered a buffer overflow caused by an integer underflow in the Lists_MakeMask() function of lists.c. See the ngIRCd 0.8.2 release announcement for more information.
Alerts:
Gentoo 200501-40 2005-01-28

Comments (none posted)

openswan: stack based buffer overflow

Package(s):openswan CVE #(s):CAN-2005-0162
Created:January 28, 2005 Updated:February 1, 2005
Description: A stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code.
Alerts:
Fedora FEDORA-2005-082 2005-01-28

Comments (none posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

postgresql: privilege escalation via LOAD

Package(s):postgresql CVE #(s):CAN-2005-0227
Created:February 1, 2005 Updated:February 7, 2005
Description: John Heasman has discovered a local privilege escalation in the PostgreSQL server. Any user could use the LOAD extension to load any shared library into the PostgreSQL server; the library's initialization function was then executed with the permissions of the server.
Alerts:
Fedora FEDORA-2005-125 2005-02-07
Fedora FEDORA-2005-124 2005-02-07
Gentoo 200502-08 2005-02-07
Ubuntu USN-71-1 2005-02-01

Comments (none posted)

SquirrelMail: multiple vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-0075 CAN-2005-0103 CAN-2005-0104
Created:January 28, 2005 Updated:July 19, 2005
Description: SquirrelMail 1.4.4 has been released, fixing a number of security issues that have been resolved since 1.4.3a.
Alerts:
Fedora-Legacy FLSA:152900 2005-07-16
Fedora FEDORA-2005-260 2005-03-28
Fedora FEDORA-2005-259 2005-03-28
Debian DSA-662-2 2005-03-14
Red Hat RHSA-2005:099-01 2005-02-15
Red Hat RHSA-2005:135-01 2005-02-10
Debian DSA-662-1 2005-02-01
Gentoo 200501-39 2005-01-28

Comments (none posted)

uw-imap: authentication bypass

Package(s):uw-imap imap CVE #(s):CAN-2005-0198
Created:February 2, 2005 Updated:March 1, 2005
Description: The uw-imap package, prior to version 2004b, contains a vulnerability which can enable a remote attacker to bypass the authentication mechanism. This bug only affects CRAM-MD5 authentication, which is not enabled on all distributions.
Alerts:
SuSE SUSE-SA:2005:012 2005-03-01
Red Hat RHSA-2005:128-01 2005-02-23
Mandrake MDKSA-2005:026 2005-02-01
Gentoo 200502-02 2005-02-02

Comments (1 posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

AWStats: remote code execution

Package(s):awstats CVE #(s):CAN-2005-0116 CAN-2005-0362 CAN-2005-0363
Created:January 25, 2005 Updated:February 15, 2005
Description: When 'awstats.pl' is run as a CGI script, it fails to validate specific inputs which are used in a Perl open() function call. A remote attacker could supply AWStats malicious input, potentially allowing the execution of arbitrary code with the rights of the web server.
Alerts:
Debian DSA-682-1 2005-02-15
Gentoo 200501-36:03 2005-01-25
Gentoo 200501-36 2005-01-25

Comments (1 posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

Comments (none posted)

chbg: buffer overflow

Package(s):chbg CVE #(s):CAN-2004-1264
Created:January 18, 2005 Updated:February 2, 2005
Description: Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine.
Alerts:
Mandrake MDKSA-2005:027 2005-02-01
Debian DSA-644-1 2005-01-18

Comments (none posted)

cups: multiple vulnerabilities

Package(s):cups CVE #(s):CAN-2004-1267 CAN-2004-1268 CAN-2004-1269 CAN-2004-1270
Created:December 17, 2004 Updated:February 9, 2005
Description: cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter.
Alerts:
SuSE SUSE-SR:2005:003 2005-02-04
Mandrake MDKSA-2005:008 2005-01-17
Gentoo 200412-25:02 2004-12-28
Red Hat RHSA-2005:013-01 2005-01-12
Gentoo 200412-25 2004-12-28
Fedora FEDORA-2004-559 2004-12-17
Fedora FEDORA-2004-560 2004-12-17

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)
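
The log-function bug above is the classic format string mistake: text that came from the network (here, a name returned by a DNS server) is passed as the format argument instead of as a "%s" parameter. Below is an added example for this page, not code from the dhcp package; the message text and the constructed hostile PTR answer used in the test are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape, shown only as a comment so that it is never compiled:
 *     void log_vuln(const char *host) { char b[256]; snprintf(b, sizeof b, host); }
 * With host = "%x%x%n", snprintf reads non-existent arguments and %n writes
 * to memory; that is the whole vulnerability. */

/* Hardened: the format is always a literal, untrusted text is an argument.
 * Returns the number of characters written, or -1 if the buffer was too small. */
int log_dns_name(char *out, size_t outlen, const char *untrusted_name)
{
    int n = snprintf(out, outlen, "dhcp: reverse lookup returned %s", untrusted_name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Detection aid for log review: count printf directives in text that came
 * from the network. A "%%" pair is a literal percent and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}
```

Compilers flag the vulnerable shape with -Wformat-security; building with -Werror=format-security turns this whole bug class into a build failure.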

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ethereal: multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2005-0006 CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084
Created:January 21, 2005 Updated:February 15, 2005
Description: The Ethereal project has released version 0.10.9 to fix several vulnerabilities.
Alerts:
Red Hat RHSA-2005:037-01 2005-02-15
Red Hat RHSA-2005:011-01 2005-02-02
Fedora FEDORA-2005-069 2005-01-25
Fedora FEDORA-2005-068 2005-01-25
Mandrake MDKSA-2005:013 2005-01-24
Debian DSA-653-1 2005-01-21
Gentoo 200501-27 2005-01-20

Comments (none posted)

evolution: arbitrary code execution

Package(s):evolution CVE #(s):CAN-2005-0102
Created:January 24, 2005 Updated:May 19, 2005
Description: Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root).
Alerts:
Red Hat RHSA-2005:238-01 2005-05-19
Conectiva CLA-2005:925 2005-02-16
Debian DSA-673-1 2005-02-10
Mandrake MDKSA-2005:024 2005-01-27
Gentoo 200501-35 2005-01-24
Ubuntu USN-69-1 2005-01-24

Comments (1 posted)

exim: buffer overflows

Package(s):exim CVE #(s):CAN-2005-0021 CAN-2005-0022
Created:January 7, 2005 Updated:February 15, 2005
Description: A buffer overflow in the host_aton() function in Exim 4.4x may allow execution of arbitrary commands with elevated privileges by a local user. This has been patched in Exim 4.43.

Additionally, there is another buffer overflow in Exim's auth_spa_server() function, which is also fixed in Exim 4.43.

Alerts:
Red Hat RHSA-2005:025-01 2005-02-15
Gentoo 200501-23 2005-01-12
Debian DSA-637-1 2005-01-13
Debian DSA-635-1 2005-01-12
Ubuntu USN-56-1 2005-01-07
Fedora FEDORA-2005-001 2005-01-06
Fedora FEDORA-2005-001 2005-01-06

Comments (1 posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Fedora-Legacy FLSA:2188 2005-02-10
Red Hat RHSA-2004:604-01 2004-10-20
Mandrake MDKSA-2004:117 2004-11-01
Ubuntu USN-8-1 2004-10-27
Gentoo 200410-23 2004-10-24
Slackware SSA:2004-296-01 2004-10-25

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug in its handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

imagemagick: .psd image file decode vulnerability

Package(s):imagemagick CVE #(s):CAN-2005-0005
Created:January 18, 2005 Updated:March 23, 2005
Description: According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:070-01 2005-03-23
Red Hat RHSA-2005:071-01 2005-02-15
Gentoo 200501-37 2005-01-26
Gentoo 200501-26 2005-01-20
Debian DSA-646-1 2005-01-19
Ubuntu USN-62-1 2005-01-18

Comments (1 posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iptables: missing initialization

Package(s):iptables CVE #(s):CAN-2004-0986
Created:November 1, 2004 Updated:February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup; at least the rules generated by lokkit were affected.
Alerts:
Fedora-Legacy FLSA:2252 2005-02-10
Ubuntu USN-81-1 2005-02-11
Mandrake MDKSA-2004:125 2004-11-04
Debian DSA-580-1 2004-11-01

Comments (none posted)

kdebase: screen saver crash

Package(s):kdebase CVE #(s):CAN-2005-0078
Created:January 26, 2005 Updated:January 26, 2005
Description: From the Debian advisory: "Raphaël Enrici discovered that the KDE screensaver can crash under certain local circumstances. This can be exploited by an attacker with physical access to the workstation to take over the desktop session."
Alerts:
Debian DSA-660-1 2005-01-26

Comments (none posted)

kdelibs: unsanitized input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)
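
The kioslave bug above is command injection into a line-oriented protocol: "%0A" is a legal escape in a URL, but once decoded it terminates the FTP command the client is building and whatever follows becomes a second command. The added example below, written for this page and not kdelibs code, decodes the path part of an ftp:// URL and then refuses to place it on an FTP command line if it contains CR, LF or any other control byte; the function names and the 512-byte path limit are this example's own.

```c
#include <stdio.h>
#include <string.h>

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decodes `in` into `out`. Returns the decoded length, or -1 on a
 * malformed escape or an output buffer that is too small. */
int url_decode(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        int c;
        if (*p == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = (hi >= 0) ? hexval((unsigned char)p[2]) : -1;
            if (lo < 0)
                return -1;          /* "%zz", "%4" at end of string, ... */
            c = hi * 16 + lo;
            p += 2;
        } else {
            c = (unsigned char)*p;
        }
        if (n + 1 >= outlen)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* An FTP command is one line terminated by CRLF, so a decoded argument may
 * contain neither CR nor LF nor any other control byte. */
int ftp_arg_is_safe(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Builds "CWD <decoded path>\r\n" from the path part of an ftp:// URL.
 * Returns 0 on success; -1 if decoding fails or the decoded path could
 * smuggle in a second command. */
int build_cwd_command(const char *url_path, char *out, size_t outlen)
{
    char path[512];
    if (url_decode(url_path, path, sizeof path) < 0)
        return -1;
    if (!ftp_arg_is_safe(path))
        return -1;
    int n = snprintf(out, outlen, "CWD %s\r\n", path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The check has to run on the decoded bytes, not on the URL text: filtering "\n" out of the URL before decoding would still let "%0A" through, which is exactly the bug described.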

kerberos5: execution of arbitrary code by authenticated user

Package(s):kerberos5 CVE #(s):CAN-2004-1189
Created:December 21, 2004 Updated:February 15, 2005
Description: There is a buffer overflow in the password history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server.
Alerts:
Red Hat RHSA-2005:045-01 2005-02-15
Red Hat RHSA-2005:012-01 2005-01-19
Conectiva CLA-2005:917 2005-01-13
Ubuntu USN-58-1 2005-01-10
Debian DSA-629-1 2005-01-07
Gentoo 200501-05 2005-01-05
Mandrake MDKSA-2004:156 2004-12-22
Fedora FEDORA-2004-564 2004-12-21
Fedora FEDORA-2004-563 2004-12-21
Trustix TSLSA-2004-0069 2004-12-21

Comments (none posted)

kernel: i386 SMP page fault handler privilege escalation

Package(s):kernel CVE #(s):CAN-2005-0001
Created:January 14, 2005 Updated:February 25, 2005
Description: Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details.
Alerts:
Fedora-Legacy FLSA:2336 2005-02-24
SuSE SUSE-SA:2005:010 2005-02-25
SuSE SUSE-SA:2005:005 2005-02-04
Mandrake MDKSA-2005:022 2005-01-25
Red Hat RHSA-2005:017-01 2005-01-21
Red Hat RHSA-2005:016-01 2005-01-21
SuSE SUSE-SA:2005:003 2005-01-21
Ubuntu USN-60-0 2005-01-14
Fedora FEDORA-2005-025 2005-01-13
Fedora FEDORA-2005-026 2005-01-13

Comments (none posted)

Konversation: multiple vulnerabilities

Package(s):konversation CVE #(s):CAN-2005-0129 CAN-2005-0130 CAN-2005-0131
Created:January 24, 2005 Updated:January 26, 2005
Description: Multiple vulnerabilities have been discovered in all Konversation versions up to and including 0.15.
Alerts:
Gentoo 200501-34 2005-01-24

Comments (none posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious local user to overwrite arbitrary files owned by the user running a program that uses the affected parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP; one possible target would be a PHP-driven photo website that lets users upload images, in which case the attacker would gain the web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)
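
The evolution camel-lock-helper entry and the libgd entry above are two faces of one bug: an allocation size computed from untrusted input without a range check. In the first, a signed length of -1 makes len + 1 equal to 0, so malloc(0) is followed by a copy of attacker-chosen size; in the second, width * height * depth wraps around before it reaches gdMalloc. The added example below, written for this page and not code from either project, shows the unchecked computation and the checked versions, and parses a constructed length-prefixed record the way camel-lock-helper's protocol is described; the wire layout (big-endian int32 length, then bytes) and the helper names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* What the vulnerable code asks malloc for: with len == -1 this is 0. */
size_t alloc_size_unchecked(int32_t len)
{
    return (size_t)(len + 1);
}

/* Hardened: reject negative and oversized lengths before they reach malloc.
 * Returns 0 and sets *out to the allocation size, or -1 if len is unusable. */
int checked_string_alloc_size(int32_t len, size_t max, size_t *out)
{
    if (len < 0 || (size_t)len > max)
        return -1;
    *out = (size_t)len + 1;          /* room for the terminating NUL */
    return 0;
}

/* Image buffer size: width * height * bytes_per_pixel, each multiplication
 * checked against SIZE_MAX so the product cannot wrap. */
int checked_image_alloc_size(size_t width, size_t height, size_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (width > SIZE_MAX / height)
        return -1;
    size_t pixels = width * height;
    if (pixels > SIZE_MAX / bpp)
        return -1;
    *out = pixels * bpp;
    return 0;
}

/* Parses [int32 big-endian length][bytes] from a constructed wire buffer
 * into out (NUL-terminated). Returns the payload length, or -1 if the
 * length is negative, larger than out, or larger than the data present. */
int parse_record(const uint8_t *wire, size_t wire_len, char *out, size_t out_len)
{
    if (wire_len < 4 || out_len == 0)
        return -1;
    uint32_t be = (uint32_t)wire[0] << 24 | (uint32_t)wire[1] << 16 |
                  (uint32_t)wire[2] << 8  | (uint32_t)wire[3];
    int32_t len;
    memcpy(&len, &be, sizeof len);           /* the wire field is a signed int32 */
    size_t need;
    if (checked_string_alloc_size(len, out_len - 1, &need) != 0)
        return -1;                           /* negative or larger than out */
    if ((size_t)len > wire_len - 4)
        return -1;                           /* declared length exceeds data present */
    memcpy(out, wire + 4, (size_t)len);
    out[len] = '\0';
    return len;
}
```

The two checks in parse_record are independent and both are needed: the range check stops the -1 case, and the comparison against wire_len stops a record that declares more data than was actually received, which would otherwise read past the buffer.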

libpam-radius-auth: integer overflow

Package(s):libpam-radius-auth CVE #(s):CAN-2005-0108
Created:January 26, 2005 Updated:January 26, 2005
Description: The PAM RADIUS authentication module suffers from an integer overflow vulnerability.
Alerts:
Debian DSA-659-1 2005-01-26

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02