Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for February 10, 2005Judge Kimball rules at last SCO v. IBM has been absent from the LWN front page for some time - and there has been a striking lack of letters from readers protesting that. An important ruling has been issued, however, and so it's time for an update.IBM's tenth counterclaim ("CC10") in this case requests a ruling from the court that IBM's Linux activities do not violate any of SCO's copyrights. IBM filed a motion requesting a summary judgment on this counterclaim, stating that there were no disputed facts that might argue against that judgment. A victory on this motion would take much of the wind from SCO's sails. The SCO Group knows this, and so filed a motion of its own requesting that the tenth counterclaim be dismissed, or at least stayed. These motions were argued before Judge Kimball back in September. The ruling was long in coming, but it is now available (in PDF format). The ruling is not a clear victory for either side, but it suggests that SCO is facing a rough road unless it turns up something truly incriminating in the discovery process. The first order of business was SCO's motion to dismiss or stay CC10. The Judge notes that SCO's arguments have shifted over time, ending up with the statement that CC10 is moot because SCO is not actually alleging copyright infringements on IBM's part. The Judge didn't buy it:
Notwithstanding SCO's puzzling denial in its briefing that it has
not alleged a claim against IBM for copyright infringement arising
out of its use, reproduction, or improvement of Linux, it clearly
has alleged such a claim.
The Judge makes note of SCO's public statements on the matter, and the AutoZone suit as well. In conclusion:
The court assumes that SCO was prepared to prosecute its claim in
the AutoZone case or it would not have filed suit. Indeed,
in light of SCO's lawsuit against AutoZone and SCO's public
statements during the last two years, which have essentially
invited this claim, it is incomprehensible that SCO seeks to
postpone resolution of this claim.
The motion was denied flat out, with prejudice. In other words, SCO will have to face this counterclaim, which is clearly a problem of its own making. The Judge then moved on to IBM's request for a summary judgment, which would have resolved CC10 (in IBM's favor) immediately. Judge Kimball reviewed a number of SCO's more blatant public statements, along with IBM's claim that no evidence to back up those statements has been presented. The Judge clearly sees some merit in IBM's arguments, but is not willing to grant the judgment at this time:
Viewed against the backdrop of SCO's plethora of public statements
concerning IBM's and others' infringement of SCO's purported
copyrights to the UNIX software, it is astonishing that SCO has not
offered any competent evidence to create a disputed fact regarding
whether IBM has infringed SCO's alleged copyrights through IBM's
Linux activities.
Nevertheless, despite the vast disparity between SCO's public accusations and its actual evidence-or complete lack thereof-and the resulting temptation to grant IBM's motion, the court has determined that it would be premature to grant summary judgment on IBM's Tenth Counterclaim. The Judge reasons that SCO's contract claims could play into the final determination of the copyright issues, and that ongoing discovery could yet yield the evidence that SCO seeks. The ruling, in passing, notes that Judge Kimball is "in general agreement" with the discovery order forcing IBM to provide all of its Unix/Dynix code to SCO. The Judge also states:
Simply put, regardless of the merits, the granting of summary
judgment would be very unlikely to survive an appeal when a Rule
56(f) motion has been filed and a motion to compel production of
arguably relevant information remains pending.
Judges hate being reversed on appeal, for obvious reasons. So Judge Kimball is, as he should, playing the game in such a way as to come to conclusions which will stand. So the court declined to rule in favor of IBM's motion now, but states that the motion can be refiled after discovery is complete. IBM had also argued that the summary judgment on CC10 should be granted as a sanction for SCO's misbehavior in the case. Judge Kimball didn't buy it, though, and rejected that motion out of hand. Then, IBM had filed a motion trying to strike a number of declarations filed by SCO. These declarations, by Sandeep Gupta, Chris Sontag, and John Harrop, were said (by IBM) to be inadmissible because the people who wrote them didn't know what they were talking about. The Judge accepted SCO's argument, though, that the real purpose of the declarations was to argue that more discovery was needed; he then said, however, that he made no use of the declarations in any case. So this motion, moot to begin with, was denied. IBM has two other summary judgment motions on the table. One seeks to dispose of SCO's contract claims, while the other seeks a ruling on IBM's eighth counterclaim - the GPL violation claim. The filings on these motions are not complete, and arguments have not taken place. Judge Kimball has denied them (without prejudice) anyway, stating that they cannot be resolved until discovery is complete. In fact, no such motions can be resolved, so there is now a ban on any further dispositive motions during the discovery period. What all this seems to mean is that there will be no shortcuts in this case. SCO does not get to squirm out of CC10, but neither does IBM get a quick resolution to its claims. SCO, it seems, will be able to conduct its fishing expedition through IBM's source repositories, though there may yet be more arguments on that point. Your editor, attempting to read between the lines of the ruling, senses a fair amount of hostility to SCO's claims and tactics. But, regardless of how the Judge sees the case now, he seems determined not to make any premature or careless decisions. This case will have to play out according to the calendar - at least, until the discovery phase is over.
The first public Sunbird release The latest addition to the Mozilla Project's offerings is Mozilla Sunbird, a calendar application based on the iCal standard. Actually, Sunbird has been in the works for some time, but the recent 0.2 release from the Sunbird team is the first "official" release. We're not really sure what makes this "official," but we thought this might be a good time to look at Sunbird to see how it's maturing.Sunbird is far from complete, but it's much more stable than one might expect from an application at version 0.2. We used Sunbird for a couple of days without experiencing any crashes or "show stopper" bugs. There are a few glitches in Sunbird 0.2, which is to be expected. For example, copying and pasting an event from Thursday to Friday changed the start and end times of the event. There are also a few minor interface glitches, but nothing that would prevent a user from getting work done with Sunbird.
To test Sunbird's calendar import feature and handling of iCal files, we
grabbed the U.S. holiday calendar from the Mozilla's holiday
files page,
The Sunbird roadmap shows how far Sunbird has progressed so far. Sunbird lacks the ability to export to HTML, edit remote calendars, accept invitations from Outlook users, and a number of other features. Still, the list of features that are complete is larger than the list of incomplete features. The list is not entirely up to date, either. For example, the "work week view" feature is available, though the roadmap doesn't show this feature as complete. This is, in fact, one of this writer's favorite features in Sunbird. The user can specify the days of their work week, and display only those days in the calendar view. Since this writer works a decidedly non-standard work week (Thursday through Sunday) this can come in quite handy. As a standalone calendar application, Sunbird is already on its way to being a useful project. However, many users are going to want a calendar application that integrates with a mailer and browser. To that end, there's Project Lightning. Lightning is still in the early development phase, so there's very little concrete information about it, but the general gist of the project is to provide tighter integration between Thunderbird and Sunbird. The first general-user release of Lightning is tentatively scheduled for mid-2005. Another area where Sunbird needs help is device synchronization. Right now, the application doesn't offer any automatic method of synchronizing with a PDA, which is a feature that many users will want from a calendaring application. Why should users care about Sunbird when we already have Evolution and KDE PIM, which are much further along than Sunbird? The primary reason is multi-platform support. While Evolution and KDE PIM have much to recommend them, wide cross-platform availability is something that neither project can offer at this time. Companies that are looking to standardize on an application will want something that runs on Windows, and possibly Mac OS X as well. Sunbird is a promising application. Given the quality of Firefox and Thunderbird, not to mention the original Mozilla suite, we're optimistic that Sunbird will be an excellent calendaring application when it grows up.
Looking forward to LinuxWorld The LinuxWorld Conference & Expo happens February 14 through 17 in Boston. LWN editor Jonathan Corbet will be wandering by the event for the first time in a few years. Among other things, he will be giving a talk in the O'Reilly booth on Wednesday at 1:30; one can only hope that there will be no rap bands or accordion players in the neighboring booth at that time. Such problems are not unheard of at LinuxWorld.It would, of course, be a disservice to our readers if we failed to point out that Linux Device Drivers, Third Edition, by Jonathan Corbet, Alessandro Rubini, and Greg Kroah-Hartman, will be released (and available) at the show. The first LinuxWorld event was almost six years ago now. LWN was published that week only because the kind folks at Linuxcare let us stay in the exhibit hall past closing and plug the laptop into their network hub. That conference was an eye-opener. Even for those of us who had been convinced for years that Linux World Domination was inevitable, the level of interest - and the amount of money - to be seen at LinuxWorld was shocking. The wave was clearly building, and it didn't seem that anybody had any real control over it. The memories of the Red Hat party - or the disturbing lack thereof - will be with us forever. Six years later, LinuxWorld is a different experience. It's all executive keynotes and expensive exhibits; the conference program almost seems like an afterthought. The more development-oriented conferences, such as OLS or Linux.conf.au (where your editor will also be speaking), are much more fun. LinuxWorld remains the preeminent commercial Linux show, however, at least in the U.S. As a place to get a sense for what the business of Linux is doing, it is hard to beat. Your editor, masochist that he is, is looking forward to having his nose rubbed in the hype for a few days, seeing where people think the money is in Linux, and meeting some LWN readers. See you there.
European software patents may be adopted on Feb. 17 The FFII site has a translated article from the Polish press agency stating that Poland will no longer resist the adoption of the software patent directive in the European Council. If Poland backs down - and no other country steps up in its place - the Council could adopt its version of the patent directive without regard to the restart motion which passed the legal affairs committee on February 2. And that would mean US-style software patents in Europe.
Page editor: Jonathan Corbet Security Attacks on Firefox Linux detractors often say that, if and when Linux becomes as popular as Windows, it will attract just as many attacks - and prove just as vulnerable. The popularity of Linux exceeds that of Windows in some areas, but, so far, these attacks have not materialized. It is now beginning to look like this upsurge in attacks may not target Linux directly. Instead, the Firefox browser may become the target of choice.Eric Johanson recently put out an advisory demonstrating how "homograph attacks" can work against Firefox (and Konqueror). These attacks take advantage of international domain names, which can be written in non-ASCII character sets. The problem is that many non-ASCII characters are rendered just like (or very nearly like) characters in the ASCII set; as a result, a visually identical domain name can actually point somewhere unexpected. An example provided by Mr. Johanson is www.pаypal.com, which your browser renders as www.pаypal.com. This technique, clearly, could be used for phishing attacks - especially when one considers that SSL certificates can contain non-ASCII characters too. It is said that a short-term workaround for this problem is to turn off the network.enableIDN parameter in the about:config screen, but this workaround does not work for all users, and it does not persist across sessions. Meanwhile, "mikx" has posted a set of three different Firefox vulnerabilities. "Fireflashing" is a trick that, in conjunction with the Flash plugin, can be used to trick a Firefox user into changing configuration parameters. The "firedragging" vulnerability gets around some restrictions to possibly allow a (Windows) user to put a web-supplied executable file onto the desktop. And "firetabbing" circumvents the isolation between sites when links are dragged to different tabs. All of these vulnerabilities have been acknowledge by the Mozilla Project and fixes have been committed. These attacks are not truly devastating. They make certain kinds of phishing and social engineering attacks easier, but, hopefully, should not fool suitably careful users. But they do show that the level of interest in Firefox vulnerabilities is on the increase. Attacking many parts of a Linux system is hard. Security is generally reasonably good, one hopes, and techniques like privilege minimization, privilege separation and sandboxing help to contain any vulnerabilities which do exist. The sheer variety of deployed Linux systems also works against attackers; an exploit which works on one system may be useless against the next. The role of diversity in ensuring the security of Linux systems should not be underestimated. Firefox, however, is widely deployed and quite similar on all systems. If nothing else, the project's trademark policies tend to ensure that Firefox deployments will not vary much. Firefox contains interpreters which will certainly contain exploits of the "write once, run anywhere" variety. Firefox is directly controlled by users who may have little interest in - or knowledge of - security policies. And, in many (perhaps most) cases, it talks directly to random sites all over the net. So of course Firefox is being eyed as a possible entry point to otherwise secure systems. The Firefox browser is popular for a reason: it is a solid, highly featureful, highly useful program. It is also a huge and complex program. Regardless of the skill of the Mozilla hackers, verifying and maintaining the security of a code base that large is going to be a major challenge. Expect some interesting times over the next few years as the security claims made by the Mozilla Project - and by the free software community in general - are put to the test.
New vulnerabilities emacs21: format string vulnerability in "movemail"
mailman: path traversal
newspost: buffer overflow vulnerability
postfix: error in IPv6 handling
python: illegal function internals access
squid: multiple vulnerabilities
xview: buffer overflows
Updated vulnerabilities a2ps: input validation error
AWStats: remote code execution
bind: validator function denial of service
cdrecord: failure to drop privilege
chbg: buffer overflow
ClamAV: multiple issues
cpio - file permissions error
cups: multiple vulnerabilities
cyrus-sasl: remote buffer overflow
dhcp: format string vulnerability
enscript: arbitrary code execution
ethereal: multiple vulnerabilites
evolution: arbitrary code execution
exim: buffer overflows
f2c: insecure temp files
FireHOL: insecure temporary file creation
Foomatic: Arbitrary command execution in foomatic-rip
FreeRADIUS: denial of service
gaim: buffer overflow in MSN protocol
Gallery: cross-site scripting vulnerability
gtk2, gdk-pixbuf: buffer overflows
gettext: Insecure temporary file handling
ghostscript: symlink vulnerabilities
glibc: Information leak with LD_DEBUG
glibc: tempfile vulnerability in catchsegv script
gnome-vfs: backend script vulnerabilities
groff: insecure temporary directory
gtkhtml: malformed messages cause crash
imagemagick: .psd image file decode vulnerability
imlib2: buffer overflows
iptables: missing initialization
kdelibs: unsanitzied input
kerberos5: execution of arbitrary code by authenticated user
kernel: i386 SMP page fault handler privilege escalation
libdbi-perl: insecure temporary file
libgd2: buffer overflows in PNG handling
libpng: multiple vulnerabilities
libtiff: buffer overflow
libxml2: multiple buffer overflows
libxpm4: stack and integer overflows
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[Sunbird screenshot]](/images/ns/sunbird-sm.png)