LWN.net Logo

LWN.net Weekly Edition for February 10, 2005

Judge Kimball rules at last

SCO v. IBM has been absent from the LWN front page for some time - and there has been a striking lack of letters from readers protesting that. An important ruling has been issued, however, and so it's time for an update.

IBM's tenth counterclaim ("CC10") in this case requests a ruling from the court that IBM's Linux activities do not violate any of SCO's copyrights. IBM filed a motion requesting a summary judgment on this counterclaim, stating that there were no disputed facts that might argue against that judgment. A victory on this motion would take much of the wind from SCO's sails. The SCO Group knows this, and so filed a motion of its own requesting that the tenth counterclaim be dismissed, or at least stayed.

These motions were argued before Judge Kimball back in September. The ruling was long in coming, but it is now available (in PDF format). The ruling is not a clear victory for either side, but it suggests that SCO is facing a rough road unless it turns up something truly incriminating in the discovery process.

The first order of business was SCO's motion to dismiss or stay CC10. The Judge notes that SCO's arguments have shifted over time, ending up with the statement that CC10 is moot because SCO is not actually alleging copyright infringements on IBM's part. The Judge didn't buy it:

Notwithstanding SCO's puzzling denial in its briefing that it has not alleged a claim against IBM for copyright infringement arising out of its use, reproduction, or improvement of Linux, it clearly has alleged such a claim.

The Judge makes note of SCO's public statements on the matter, and the AutoZone suit as well. In conclusion:

The court assumes that SCO was prepared to prosecute its claim in the AutoZone case or it would not have filed suit. Indeed, in light of SCO's lawsuit against AutoZone and SCO's public statements during the last two years, which have essentially invited this claim, it is incomprehensible that SCO seeks to postpone resolution of this claim.

The motion was denied flat out, with prejudice. In other words, SCO will have to face this counterclaim, which is clearly a problem of its own making.

The Judge then moved on to IBM's request for a summary judgment, which would have resolved CC10 (in IBM's favor) immediately. Judge Kimball reviewed a number of SCO's more blatant public statements, along with IBM's claim that no evidence to back up those statements has been presented. The Judge clearly sees some merit in IBM's arguments, but is not willing to grant the judgment at this time:

Viewed against the backdrop of SCO's plethora of public statements concerning IBM's and others' infringement of SCO's purported copyrights to the UNIX software, it is astonishing that SCO has not offered any competent evidence to create a disputed fact regarding whether IBM has infringed SCO's alleged copyrights through IBM's Linux activities.

Nevertheless, despite the vast disparity between SCO's public accusations and its actual evidence-or complete lack thereof-and the resulting temptation to grant IBM's motion, the court has determined that it would be premature to grant summary judgment on IBM's Tenth Counterclaim.

The Judge reasons that SCO's contract claims could play into the final determination of the copyright issues, and that ongoing discovery could yet yield the evidence that SCO seeks. The ruling, in passing, notes that Judge Kimball is "in general agreement" with the discovery order forcing IBM to provide all of its Unix/Dynix code to SCO. The Judge also states:

Simply put, regardless of the merits, the granting of summary judgment would be very unlikely to survive an appeal when a Rule 56(f) motion has been filed and a motion to compel production of arguably relevant information remains pending.

Judges hate being reversed on appeal, for obvious reasons. So Judge Kimball is, as he should, playing the game in such a way as to come to conclusions which will stand. So the court declined to rule in favor of IBM's motion now, but states that the motion can be refiled after discovery is complete.

IBM had also argued that the summary judgment on CC10 should be granted as a sanction for SCO's misbehavior in the case. Judge Kimball didn't buy it, though, and rejected that motion out of hand.

Then, IBM had filed a motion trying to strike a number of declarations filed by SCO. These declarations, by Sandeep Gupta, Chris Sontag, and John Harrop, were said (by IBM) to be inadmissible because the people who wrote them didn't know what they were talking about. The Judge accepted SCO's argument, though, that the real purpose of the declarations was to argue that more discovery was needed; he then said, however, that he made no use of the declarations in any case. So this motion, moot to begin with, was denied.

IBM has two other summary judgment motions on the table. One seeks to dispose of SCO's contract claims, while the other seeks a ruling on IBM's eighth counterclaim - the GPL violation claim. The filings on these motions are not complete, and arguments have not taken place. Judge Kimball has denied them (without prejudice) anyway, stating that they cannot be resolved until discovery is complete. In fact, no such motions can be resolved, so there is now a ban on any further dispositive motions during the discovery period.

What all this seems to mean is that there will be no shortcuts in this case. SCO does not get to squirm out of CC10, but neither does IBM get a quick resolution to its claims. SCO, it seems, will be able to conduct its fishing expedition through IBM's source repositories, though there may yet be more arguments on that point. Your editor, attempting to read between the lines of the ruling, senses a fair amount of hostility to SCO's claims and tactics. But, regardless of how the Judge sees the case now, he seems determined not to make any premature or careless decisions. This case will have to play out according to the calendar - at least, until the discovery phase is over.

Comments (3 posted)

The first public Sunbird release

February 9, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The latest addition to the Mozilla Project's offerings is Mozilla Sunbird, a calendar application based on the iCal standard. Actually, Sunbird has been in the works for some time, but the recent 0.2 release from the Sunbird team is the first "official" release. We're not really sure what makes this "official," but we thought this might be a good time to look at Sunbird to see how it's maturing.

Sunbird is far from complete, but it's much more stable than one might expect from an application at version 0.2. We used Sunbird for a couple of days without experiencing any crashes or "show stopper" bugs. There are a few glitches in Sunbird 0.2, which is to be expected. For example, copying and pasting an event from Thursday to Friday changed the start and end times of the event. There are also a few minor interface glitches, but nothing that would prevent a user from getting work done with Sunbird.

To test Sunbird's calendar import feature and handling of iCal files, we grabbed the U.S. holiday calendar from the Mozilla's holiday files page, [Sunbird screenshot] and a few calendars from iCalShare. Sunbird had no problems importing the calendars, though it automatically pushed the displayed month back to the start of the calendars.

The Sunbird roadmap shows how far Sunbird has progressed so far. Sunbird lacks the ability to export to HTML, edit remote calendars, accept invitations from Outlook users, and a number of other features. Still, the list of features that are complete is larger than the list of incomplete features. The list is not entirely up to date, either. For example, the "work week view" feature is available, though the roadmap doesn't show this feature as complete. This is, in fact, one of this writer's favorite features in Sunbird. The user can specify the days of their work week, and display only those days in the calendar view. Since this writer works a decidedly non-standard work week (Thursday through Sunday) this can come in quite handy.

As a standalone calendar application, Sunbird is already on its way to being a useful project. However, many users are going to want a calendar application that integrates with a mailer and browser. To that end, there's Project Lightning. Lightning is still in the early development phase, so there's very little concrete information about it, but the general gist of the project is to provide tighter integration between Thunderbird and Sunbird. The first general-user release of Lightning is tentatively scheduled for mid-2005.

Another area where Sunbird needs help is device synchronization. Right now, the application doesn't offer any automatic method of synchronizing with a PDA, which is a feature that many users will want from a calendaring application.

Why should users care about Sunbird when we already have Evolution and KDE PIM, which are much further along than Sunbird? The primary reason is multi-platform support. While Evolution and KDE PIM have much to recommend them, wide cross-platform availability is something that neither project can offer at this time. Companies that are looking to standardize on an application will want something that runs on Windows, and possibly Mac OS X as well.

Sunbird is a promising application. Given the quality of Firefox and Thunderbird, not to mention the original Mozilla suite, we're optimistic that Sunbird will be an excellent calendaring application when it grows up.

Comments (4 posted)

Looking forward to LinuxWorld

The LinuxWorld Conference & Expo happens February 14 through 17 in Boston. LWN editor Jonathan Corbet will be wandering by the event for the first time in a few years. Among other things, he will be giving a talk in the O'Reilly booth on Wednesday at 1:30; one can only hope that there will be no rap bands or accordion players in the neighboring booth at that time. Such problems are not unheard of at LinuxWorld.

It would, of course, be a disservice to our readers if we failed to point out that Linux Device Drivers, Third Edition, by Jonathan Corbet, Alessandro Rubini, and Greg Kroah-Hartman, will be released (and available) at the show.

The first LinuxWorld event was almost six years ago now. LWN was published that week only because the kind folks at Linuxcare let us stay in the exhibit hall past closing and plug the laptop into their network hub. That conference was an eye-opener. Even for those of us who had been convinced for years that Linux World Domination was inevitable, the level of interest - and the amount of money - to be seen at LinuxWorld was shocking. The wave was clearly building, and it didn't seem that anybody had any real control over it.

The memories of the Red Hat party - or the disturbing lack thereof - will be with us forever.

Six years later, LinuxWorld is a different experience. It's all executive keynotes and expensive exhibits; the conference program almost seems like an afterthought. The more development-oriented conferences, such as OLS or Linux.conf.au (where your editor will also be speaking), are much more fun. LinuxWorld remains the preeminent commercial Linux show, however, at least in the U.S. As a place to get a sense for what the business of Linux is doing, it is hard to beat. Your editor, masochist that he is, is looking forward to having his nose rubbed in the hype for a few days, seeing where people think the money is in Linux, and meeting some LWN readers. See you there.

Comments (2 posted)

European software patents may be adopted on Feb. 17

The FFII site has a translated article from the Polish press agency stating that Poland will no longer resist the adoption of the software patent directive in the European Council. If Poland backs down - and no other country steps up in its place - the Council could adopt its version of the patent directive without regard to the restart motion which passed the legal affairs committee on February 2. And that would mean US-style software patents in Europe.

Comments (22 posted)

Page editor: Jonathan Corbet

Security

Attacks on Firefox

Linux detractors often say that, if and when Linux becomes as popular as Windows, it will attract just as many attacks - and prove just as vulnerable. The popularity of Linux exceeds that of Windows in some areas, but, so far, these attacks have not materialized. It is now beginning to look like this upsurge in attacks may not target Linux directly. Instead, the Firefox browser may become the target of choice.

Eric Johanson recently put out an advisory demonstrating how "homograph attacks" can work against Firefox (and Konqueror). These attacks take advantage of international domain names, which can be written in non-ASCII character sets. The problem is that many non-ASCII characters are rendered just like (or very nearly like) characters in the ASCII set; as a result, a visually identical domain name can actually point somewhere unexpected. An example provided by Mr. Johanson is www.pаypal.com, which your browser renders as www.pаypal.com. This technique, clearly, could be used for phishing attacks - especially when one considers that SSL certificates can contain non-ASCII characters too. It is said that a short-term workaround for this problem is to turn off the network.enableIDN parameter in the about:config screen, but this workaround does not work for all users, and it does not persist across sessions.

Meanwhile, "mikx" has posted a set of three different Firefox vulnerabilities. "Fireflashing" is a trick that, in conjunction with the Flash plugin, can be used to trick a Firefox user into changing configuration parameters. The "firedragging" vulnerability gets around some restrictions to possibly allow a (Windows) user to put a web-supplied executable file onto the desktop. And "firetabbing" circumvents the isolation between sites when links are dragged to different tabs. All of these vulnerabilities have been acknowledge by the Mozilla Project and fixes have been committed.

These attacks are not truly devastating. They make certain kinds of phishing and social engineering attacks easier, but, hopefully, should not fool suitably careful users. But they do show that the level of interest in Firefox vulnerabilities is on the increase.

Attacking many parts of a Linux system is hard. Security is generally reasonably good, one hopes, and techniques like privilege minimization, privilege separation and sandboxing help to contain any vulnerabilities which do exist. The sheer variety of deployed Linux systems also works against attackers; an exploit which works on one system may be useless against the next. The role of diversity in ensuring the security of Linux systems should not be underestimated.

Firefox, however, is widely deployed and quite similar on all systems. If nothing else, the project's trademark policies tend to ensure that Firefox deployments will not vary much. Firefox contains interpreters which will certainly contain exploits of the "write once, run anywhere" variety. Firefox is directly controlled by users who may have little interest in - or knowledge of - security policies. And, in many (perhaps most) cases, it talks directly to random sites all over the net. So of course Firefox is being eyed as a possible entry point to otherwise secure systems.

The Firefox browser is popular for a reason: it is a solid, highly featureful, highly useful program. It is also a huge and complex program. Regardless of the skill of the Mozilla hackers, verifying and maintaining the security of a code base that large is going to be a major challenge. Expect some interesting times over the next few years as the security claims made by the Mozilla Project - and by the free software community in general - are put to the test.

Comments (24 posted)

New vulnerabilities

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

mailman: path traversal

Package(s):mailman CVE #(s):CAN-2005-0202
Created:February 9, 2005 Updated:July 13, 2005
Description: The "private" module in the mailman mailing list manager fails to sanitize path names adequately. An attacker could exploit this vulnerability to retrieve private information, including passwords and private list archives.

This vulnerability was used to compromise the Full-Disclosure list.

Alerts:
Fedora-Legacy FLSA:152895 2005-07-10
Ubuntu USN-78-2 2005-02-17
Debian DSA-674-3 2005-02-21
Mandrake MDKSA-2005:037 2005-02-14
Red Hat RHSA-2005:137-01 2005-02-15
SuSE SUSE-SA:2005:007 2005-02-14
Debian DSA-674-2 2005-02-11
Red Hat RHSA-2005:136-01 2005-02-10
Gentoo 200502-11 2005-02-10
Fedora FEDORA-2005-132 2005-02-10
Fedora FEDORA-2005-131 2005-02-10
Ubuntu USN-78-1 2005-02-09

Comments (none posted)

newspost: buffer overflow vulnerability

Package(s):newspost CVE #(s):CAN-2005-0101
Created:February 3, 2005 Updated:February 8, 2005
Description: The usenet news autoposter newspost has a buffer overflow which can be exploited remotely, causing newspost to crash or potentially execute arbitrary code.
Alerts:
Gentoo 200502-05 2005-02-03

Comments (none posted)

postfix: error in IPv6 handling

Package(s):postfix CVE #(s):CAN-2005-0337
Created:February 4, 2005 Updated:March 16, 2005
Description: Jean-Samuel Reynaud noticed a programming error in the IPv6 handling code of Postfix when /proc/net/if_inet6 is not available. If "permit_mx_backup" was enabled in the "smtpd_recipient_restrictions", Postfix turned into an open relay, i. e. erroneously permitted the delivery of arbitrary mail to any MX host which has an IPv6 address.
Alerts:
Red Hat RHSA-2005:152-01 2005-03-16
Ubuntu USN-74-2 2005-02-04
Ubuntu USN-74-1 2005-02-04

Comments (1 posted)

python: illegal function internals access

Package(s):python CVE #(s):CAN-2005-0089
Created:February 3, 2005 Updated:April 22, 2005
Description: Python versions 2.2 and 2.3 has a vulnerability in the SimpleXMLRPCServer module which may allow remote users to read or change function internals via the im_* and func_* attributes.
Alerts:
Slackware SSA:2005-111-02 2005-04-22
Red Hat RHSA-2005:108-01 2005-02-15
Mandrake MDKSA-2005:035 2005-02-10
Gentoo 200502-09 2005-02-08
Debian DSA-666-1 2005-02-04
Ubuntu USN-73-1 2005-02-03

Comments (none posted)

squid: multiple vulnerabilities

Package(s):squid CVE #(s):CAN-2005-0173 CAN-2005-0175 CAN-2005-0194 CAN-2005-0211
Created:February 4, 2005 Updated:March 8, 2005
Description: Several vulnerabilities have been discovered in Squid, including cache pollution/poisoning via HTTP response splitting, larger than normal WCCP packet could overflow a buffer, and more.
Alerts:
Conectiva CLA-2005:931 2005-03-08
Red Hat RHSA-2005:060-01 2005-02-15
Red Hat RHSA-2005:061-01 2005-02-11
Mandrake MDKSA-2005:034 2005-02-10
SuSE SUSE-SA:2005:006 2005-02-10
Ubuntu USN-77-1 2005-02-07
Debian DSA-667-1 2005-02-04

Comments (none posted)

xview: buffer overflows

Package(s):xview CVE #(s):CAN-2005-0076
Created:February 9, 2005 Updated:February 9, 2005
Description: The xview library suffers from a number of buffer overflow vulnerabilities.
Alerts:
Debian DSA-672-1 2005-02-09

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

AWStats: remote code execution

Package(s):awstats CVE #(s):CAN-2005-0116 CAN-2005-0362 CAN-2005-0363
Created:January 25, 2005 Updated:February 15, 2005
Description: When 'awstats.pl' is run as a CGI script, it fails to validate specific inputs which are used in a Perl open() function call. A remote attacker could supply AWStats malicious input, potentially allowing the execution of arbitrary code with the rights of the web server.
Alerts:
Debian DSA-682-1 2005-02-15
Gentoo 200501-36:03 2005-01-25
Gentoo 200501-36 2005-01-25

Comments (1 posted)

bind: validator function denial of service

Package(s):bind CVE #(s):CAN-2005-0034
Created:January 27, 2005 Updated:February 1, 2005
Description: A vulnerability was discovered in BIND version 9.3.0, an incorrect assumption in the validator function can be exploited by a remote attacker to cause named to exit prematurely.
Alerts:
Mandrake MDKSA-2005:023 2005-01-26

Comments (none posted)

cdrecord: failure to drop privilege

Package(s):cdrecord CVE #(s):CAN-2004-0806
Created:September 8, 2004 Updated:February 21, 2005
Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
Alerts:
Fedora-Legacy FLSA:2058 2005-02-20
Gentoo 200409-18 2004-09-14
Fedora FEDORA-2004-298 2004-09-09
Fedora FEDORA-2004-297 2004-09-09
Mandrake MDKSA-2004:091 2004-09-07

Comments (none posted)

chbg: buffer overflow

Package(s):chbg CVE #(s):CAN-2004-1264
Created:January 18, 2005 Updated:February 2, 2005
Description: Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine.
Alerts:
Mandrake MDKSA-2005:027 2005-02-01
Debian DSA-644-1 2005-01-18

Comments (none posted)

ClamAV: multiple issues

Package(s):clamav CVE #(s):CAN-2005-0133
Created:January 31, 2005 Updated:March 3, 2005
Description: ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs.
Alerts:
Conectiva CLA-2005:928 2005-03-03
Mandrake MDKSA-2005:025 2005-01-31
Gentoo 200501-46 2005-01-31

Comments (none posted)

cpio - file permissions error

Package(s):cpio CVE #(s):CAN-1999-1572
Created:February 2, 2005 Updated:July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02

Comments (none posted)

cups: multiple vulnerabilities

Package(s):cups CVE #(s):CAN-2004-1267 CAN-2004-1268 CAN-2004-1269 CAN-2004-1270
Created:December 17, 2004 Updated:February 9, 2005
Description: cups has a denial of service vulnerability in the lppasswd utility and a remote code execution vulnerability in the hpgltops filter.
Alerts:
SuSE SUSE-SR:2005:003 2005-02-04
Mandrake MDKSA-2005:008 2005-01-17
Gentoo 200412-25:02 2004-12-28
Red Hat RHSA-2005:013-01 2005-01-12
Gentoo 200412-25 2004-12-28
Fedora FEDORA-2004-559 2004-12-17
Fedora FEDORA-2004-560 2004-12-17

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ethereal: multiple vulnerabilites

Package(s):ethereal CVE #(s):CAN-2005-0006 CAN-2005-0007 CAN-2005-0008 CAN-2005-0009 CAN-2005-0010 CAN-2005-0084
Created:January 21, 2005 Updated:February 15, 2005
Description: Ethereal has released 0.10.9 to fix several vulnerabilities.
Alerts:
Red Hat RHSA-2005:037-01 2005-02-15
Red Hat RHSA-2005:011-01 2005-02-02
Fedora FEDORA-2005-069 2005-01-25
Fedora FEDORA-2005-068 2005-01-25
Mandrake MDKSA-2005:013 2005-01-24
Debian DSA-653-1 2005-01-21
Gentoo 200501-27 2005-01-20

Comments (none posted)

evolution: arbitrary code execution

Package(s):evolution CVE #(s):CAN-2005-0102
Created:January 24, 2005 Updated:May 19, 2005
Description: Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root).
Alerts:
Red Hat RHSA-2005:238-01 2005-05-19
Conectiva CLA-2005:925 2005-02-16
Debian DSA-673-1 2005-02-10
Mandrake MDKSA-2005:024 2005-01-27
Gentoo 200501-35 2005-01-24
Ubuntu USN-69-1 2005-01-24

Comments (1 posted)

exim: buffer overflows

Package(s):exim CVE #(s):CAN-2005-0021 CAN-2005-0022
Created:January 7, 2005 Updated:February 15, 2005
Description: A buffer overflow in the host_aton() function in Exim 4.4x may allow execution of arbitrary commands with elevated privileges by a local user. This has been patched in Exim 4.43.

Additionally, there is a another buffer overflow in Exim's auth_spa_server() which also be fixed in Exim 4.43.

Alerts:
Red Hat RHSA-2005:025-01 2005-02-15
Gentoo 200501-23 2005-01-12
Debian DSA-637-1 2005-01-13
Debian DSA-635-1 2005-01-12
Ubuntu USN-56-1 2005-01-07
Fedora FEDORA-2005-001 2005-01-06
Fedora FEDORA-2005-001 2005-01-06

Comments (1 posted)

f2c: insecure temp files

Package(s):f2c CVE #(s):CAN-2005-0017 CAN-2005-0018
Created:January 27, 2005 Updated:April 20, 2005
Description: The f2c fortran to C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack.
Alerts:
Debian DSA-661-2 2005-04-20
Gentoo 200501-43 2005-01-30
Debian DSA-661-1 2005-01-27

Comments (none posted)

FireHOL: insecure temporary file creation

Package(s):FireHOL CVE #(s):
Created:February 1, 2005 Updated:February 1, 2005
Description: FireHOL insecurely creates temporary files with predictable names. A local attacker could create malicious symbolic links to arbitrary system files. When FireHOL is executed, this could lead to these files being overwritten with the rights of the user launching FireHOL, usually the root user.
Alerts:
Gentoo 200502-01 2005-02-01

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FreeRADIUS: denial of service

Package(s):freeradius CVE #(s):CAN-2004-0938 CAN-2004-0960 CAN-2004-0961
Created:September 22, 2004 Updated:February 2, 2005
Description: FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code.
Alerts:
Fedora-Legacy FLSA:2187 2005-02-01
Red Hat RHSA-2004:609-01 2004-11-12
Gentoo 200409-29 2004-09-22

Comments (none posted)

gaim: buffer overflow in MSN protocol

Package(s):gaim CVE #(s):CAN-2004-0891
Created:October 25, 2004 Updated:February 11, 2005
Description: A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.
Alerts:
Fedora-Legacy FLSA:2188 2005-02-10
Red Hat RHSA-2004:604-01 2004-10-20
Mandrake MDKSA-2004:117 2004-11-01
Ubuntu USN-8-1 2004-10-27
Gentoo 200410-23 2004-10-24
Slackware SSA:2004-296-01 2004-10-25

Comments (none posted)

Gallery: cross-site scripting vulnerability

Package(s):gallery CVE #(s):
Created:January 31, 2005 Updated:February 10, 2005
Description: Rafel Ivgi has discovered a cross-site scripting vulnerability where the 'username' parameter is not properly sanitized in 'login.php'. See this Gallery announcement for the release of 1.4.4-pl5 for more information.
Alerts:
Gentoo 200501-45:03 2005-01-30
Gentoo 200501-45 2005-01-30

Comments (none posted)

gtk2, gdk-pixbuf: buffer overflows

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
Created:September 15, 2004 Updated:February 25, 2005
Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Alerts:
Fedora-Legacy FLSA:2005 2005-02-23
Conectiva CLA-2004:875 2004-10-18
Slackware SSA:2004-266-02 2004-09-22
Gentoo 200409-28 2004-09-21
Mandrake MDKSA-2004:095-1 2004-09-17
SuSE SUSE-SA:2004:033 2004-09-17
Debian DSA-549-1 2004-09-17
Red Hat RHSA-2004:447-02 2004-09-15
Debian DSA-546-1 2004-09-16
Red Hat RHSA-2004:466-01 2004-09-15
Red Hat RHSA-2004:447-01 2004-09-15
Mandrake MDKSA-2004:095 2004-09-15
Fedora FEDORA-2004-289 2004-09-15
Fedora FEDORA-2004-288 2004-09-15
Fedora FEDORA-2004-287 2004-09-15
Fedora FEDORA-2004-286 2004-09-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

imagemagick: .psd image file decode vulnerability

Package(s):imagemagick CVE #(s):CAN-2005-0005
Created:January 18, 2005 Updated:March 23, 2005
Description: According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:070-01 2005-03-23
Red Hat RHSA-2005:071-01 2005-02-15
Gentoo 200501-37 2005-01-26
Gentoo 200501-26 2005-01-20
Debian DSA-646-1 2005-01-19
Ubuntu USN-62-1 2005-01-18

Comments (1 posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

iptables: missing initialization

Package(s):iptables CVE #(s):CAN-2004-0986
Created:November 1, 2004 Updated:February 11, 2005
Description: Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to. This could lead to firewall rules not being loaded on system startup. This caused a failure in connection with rules provided by lokkit at least.
Alerts:
Fedora-Legacy FLSA:2252 2005-02-10
Ubuntu USN-81-1 2005-02-11
Mandrake MDKSA-2004:125 2004-11-04
Debian DSA-580-1 2004-11-01

Comments (none posted)

kdelibs: unsanitzied input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kerberos5: execution of arbitrary code by authenticated user

Package(s):kerberos5 CVE #(s):CAN-2004-1189
Created:December 21, 2004 Updated:February 15, 2005
Description: There is a buffer overflow in the password history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server.
Alerts:
Red Hat RHSA-2005:045-01 2005-02-15
Red Hat RHSA-2005:012-01 2005-01-19
Conectiva CLA-2005:917 2005-01-13
Ubuntu USN-58-1 2005-01-10
Debian DSA-629-1 2005-01-07
Gentoo 200501-05 2005-01-05
Mandrake MDKSA-2004:156 2004-12-22
Fedora FEDORA-2004-564 2004-12-21
Fedora FEDORA-2004-563 2004-12-21
Trustix TSLSA-2004-0069 2004-12-21

Comments (none posted)

kernel: i386 SMP page fault handler privilege escalation

Package(s):kernel CVE #(s):CAN-2005-0001
Created:January 14, 2005 Updated:February 25, 2005
Description: Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details.
Alerts:
Fedora-Legacy FLSA:2336 2005-02-24
SuSE SUSE-SA:2005:010 2005-02-25
SuSE SUSE-SA:2005:005 2005-02-04
Mandrake MDKSA-2005:022 2005-01-25
Red Hat RHSA-2005:017-01 2005-01-21
Red Hat RHSA-2005:016-01 2005-01-21
SuSE SUSE-SA:2005:003 2005-01-21
Ubuntu USN-60-0 2005-01-14
Fedora FEDORA-2005-025 2005-01-13
Fedora FEDORA-2005-026 2005-01-13

Comments (none posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CAN-2004-1308
Created:December 22, 2004 Updated:May 19, 2005
Description: The libtiff image manipulation library contains several exploitable buffer overflows.
Alerts:
Fedora-Legacy FLSA:152815 2005-05-18
Red Hat RHSA-2005:035-01 2005-02-15
Conectiva CLA-2005:920 2005-01-20
Red Hat RHSA-2005:019-01 2005-01-13
SuSE SUSE-SA:2005:001 2005-01-10
Fedora FEDORA-2005-598 2005-01-07
Fedora FEDORA-2005-597 2005-01-07
Ubuntu USN-54-1 2005-01-06
Mandrake MDKSA-2005:002 2005-01-06
Mandrake MDKSA-2005:001 2005-01-06
Gentoo 200501-06 2005-01-05
Debian DSA-626-1 2005-01-06
Debian DSA-617-1 2004-12-24
Fedora FEDORA-2004-577 2004-12-22
Fedora FEDORA-2004-576 2004-12-22
Ubuntu USN-46-1 2004-12-22

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:February 28, 2005
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities, if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

libxpm4: stack and integer overflows

Package(s):libxpm4 CVE #(s):CAN-2004-0687 CAN-2004-0688
Created:September 16, 2004 Updated:February 14, 2005