How would you shrink Fedora?
The Fedora hackers
have a small problem:
the current Fedora Core 4 distribution, as it sits in rawhide, is
about 300MB too big to fit onto four CDs. For various reasons, the project
is not interested in adding a fifth disk at
this time. So that means that
something has to come out and, presumably, be relegated to the "extras"
repository. The project has taken the somewhat unusual step of coming out
and asking its users: what would you remove?
The leading candidate, at the moment, would appear to be Java support,
especially Eclipse. The Java packages are huge; getting rid of them would
solve the space problems easily. They are also relatively easy to remove
because they were not shipped in prior versions of Fedora. The
distribution's users, one assumes, will complain less about losing something
they didn't have in the first place.
People are complaining, however. Many developers feel that, if Linux is to
have a hope of long-term success in large enterprises, it has to offer
top-quality Java support. But, if the distributors do not support free
Java implementations now, work on free Java stands a good chance of dying
from neglect. Few people want to see a future where Linux is, at best, a
platform for proprietary Java implementations. To avoid that future, the
distributors should support free Java now.
Other possibilities raised include:
- Getting rid of the games. Certainly games are not at the top
of the list for many commercial environments, but games do serve as a
gentle introduction to Linux for many people.
- Dropping either emacs or xemacs (but not both).
- Dropping exim and postfix. Except, of course, many people think that
the distribution should drop sendmail instead.
- Removing abiword and gnumeric, since, in theory, OpenOffice.org
provides the same functions.
- Removing KDE. Or removing GNOME. Neither of those looks feasible, but
it's possible that XFce will go.
- Move epiphany to extras. Or firefox.
- Go to GCC4, which will cut some redundancy. It appears that this
change might just happen for FC4.
Various other ideas have gone around as well, but none of them are pleasing
to everybody. It appears that the Fedora
Project, which has to come up with an answer to this question in the near
future, is almost certain to upset somebody, at least in the short term.
For future Fedora Core releases, there are plans to make the installer
smarter so that it can transparently grab packages from multiple
repositories. With a bit more infrastructure work, perhaps Fedora could
take a cue from Ubuntu, and drop back to a single installation CD. In the
end, it really should not be necessary to download every possible package
(in ISO form) just to get a base system installed. For now, however, the
project seems stuck with the need to remove packages that some of its users
truly want.
Update: a list of removed packages
has been posted. Victims include abiword, balsa, exim, gnumeric, koffice,
octave, sylpheed, xemacs, and xfce. The Java packages appear to have
survived. Second update: it seems
that Fedora Core 4 will also be a five-CD distribution; that's how
they kept the Java packages.
LWN goes to LinuxWorld
Your editor returned to the LinuxWorld Conference & Expo last week for
the first time in five years. LinuxWorld has been an important conference
since it began; there may be no better place to see what is going on on the
business side of Linux. But the development-oriented conferences are much
more fun. Still, LinuxWorld proved to be an interesting experience.
Attendance at the Boston LinuxWorld was on the order of 7,000 people. The
east-coast version of the event is clearly quite a bit smaller than the San
Francisco edition, but that is still a significant crowd. Attendees were
heard to say that the show felt smaller than last year's event in New
York. The organizers seem happy with the turnout, however, and plan to
move to a larger conference center (still in Boston) next year.
There were some 140 exhibitors on the busy trade show floor. Of these, 24
were in the .Org area. By a conservative count, close to one third of the
exhibitors were pushing some sort of proprietary software for Linux; backup
software, configuration management, and databases all seem to be highly
active areas. Security too, as could be seen by all of the attendees who
were willing to accept - and wear - "virus free" stickers from one of the
more in-your-face booths.
The design of the conference center caused the exhibit floor to be divided
into two rooms. The conference organizers made use of that division to
great effect: they separated the two communities in attendance at
LinuxWorld. The larger room was dedicated to commerce; that's where all
the large booths from the usual suspects (Red Hat, Novell, IBM, Sun, etc.)
were to be found. The displays were flashy, the speakers charismatic, and
"solutions" were flying by at high speed. But the community which creates
the software that makes all this possible was nowhere in evidence. In
early LinuxWorld conferences, it was common to find developers hanging out
in their employers' booths. In 2005, those developers have found somewhere
else to be.
[Image: Jim Gettys]
The interesting thing is that a fair number of developers could, indeed, be
found at LinuxWorld. They tended to prefer the other room, however, where
the ".Org pavilion" was located. That side of the hall was far less
flashy, but much more fun. The people who create Linux do still wander by
LinuxWorld; you just have to know where to find them.
The early LinuxWorld conferences included a reasonable program of talks
along with the exhibit floor. At the first LinuxWorld, your editor complained that talks by Jon
'maddog' Hall, Larry Wall, Jeremy Allison, and Miguel de Icaza had all been
scheduled simultaneously. There are few such problems in 2005. Though the
conference did offer some interesting speakers (among others: Jeremy
Allison, Matt Domsch, Chris Wright, Jay Beale, and, inevitably, maddog),
the conference program was fit into a mere three slots per day. The talks
are clearly not the main attraction at LinuxWorld.
Your editor got a chance to try out booth duty, giving a talk from the
O'Reilly booth. For the morbidly curious, O'Reilly's Greg Corrin has
posted a picture of the
event.
![Bruce Perens](/images/ns/lweb2005/perens-sm.jpg)
The only talk your editor attended was, interestingly, not on the
conference program. Bruce Perens gave his "state of open source" talk,
instead, in a press conference format - complete with free food. The core
of the talk was concerned with software patents - in Europe, and in the
U.S. The community has, says Bruce, no defense against patent suits, and
free software developers cannot count on assistance from large corporations
when an infringement suit comes around. He was apparently recruited to be
an expert witness for "the defining Linux patent infringement case," only
to be dropped when the (anonymous) party realized that Bruce would not
testify in a patent holder's favor. According to Bruce, the solution to
the software patent problem can only lie in "clean-up" legislation at the
Federal level.
Bruce also touched on Sun's situation (from which the company has "no good
exit"), the SCO suit (interesting things may come from the turmoil at
Canopy), and the need to emphasize the "free" part of free software. A
focus on freedom will help the community to occupy a moral high ground
which will help when trying to obtain friendly legislation. Bruce has
posted his
speaking notes for those who are interested.
One notable absence this time around was any mention of BSD. The BSD
branch of Unix was well represented at early LinuxWorld shows; the booth
staff tended to stand out in the crowd of Linux folks. BSD remains an
important part of the free software world, but its distance from Linux
appears, sometimes, to be growing.
LinuxWorld reflects the commercial side of Linux; that side is an important
part of the greater Linux ecosystem. This conference is also where new
users tend to start. So it is an important event. It's important that the
community be there; we can help guide users toward the heart of the free
software movement.
Cutting back license proliferation
The number of open source licenses in use today would be a good example of
"too much of a good thing." Taken individually, each open source license
represents the freedom to use, modify and redistribute code. However, many
of the licenses are incompatible, and present a hurdle for open source
projects that may want to incorporate code from other projects.
At LinuxWorld last week the Open
Source Initiative (OSI) board made it known that they are looking at
ways to reduce the number of open source licenses in use. We invited Russ
Nelson, president of OSI to respond to questions about reducing the number
of open source licenses in use.
LWN: What's so bad about license proliferation?
Two problems:
- A company reasonably should take a good look at the license before they
modify a piece of open source software, even for internal use. "A good
look" means a legal analysis. Every new open source license makes it that
much more expensive. Some companies want to do this even if they only *use*
open source software (but no open source license restricts use in any way).
- What happens when you want to combine software from two different
packages, but they're licensed under software with conflicting terms?
LWN: Realistically, what can be done about the problem? How can OSI "trim"
the number of licenses, or influence companies and developers that use
one-off licenses or less popular licenses that are incompatible with the
"main" open source licenses such as the GPL or BSD license?
Say "no" more often. But it's not enough for us to say "no". We have to
have community support for saying "no", so that the community won't use
software that isn't OSI Certified.
LWN: OSI has approved quite a few licenses - how many of those licenses are
one-offs or used by a handful of projects?
The vast majority. Before we can address license proliferation, we need to
understand the problem better. How many companies think they need to study
a license before they can use open source? How many before they make
internal modifications? How many before they publish modifications? We
need to understand how many licenses are actually being used, and how
widely. Lots of study needed before we take action.
LWN: Is there any consideration being given to changing the Open Source
Definition - for example, to disallow licenses that are specifically
tailored not to be compatible with the GPL?
We would have to discern intent to do that. But yes, we've changed the OSD
in the past; we may do it again.
LWN: It's been well-publicized that version 3 of the GPL is in the works.
(Well, has been for some time, but much noise has been made about it being
ready this year.) What needs to be in version 3?
Depends on what your goal is. If you went into a code tree to refactor it,
there's always changes you would make. If you want to add features, you
would make different changes. I expect that some community members would
like the GPL to be a contract rather than a copyright license. I expect
that others would like to see copyright provisions address "public
performance"; that is, web services.
LWN: In one story, Sam Greenblatt was quoted as saying "there should be
three licenses: the GPL, a commercial version of the GPL and...the BSD."
What would a "commercial version of the GPL" look like?
CDDL. Or more properly, the MPL, since it already has traction in the
community (clearly, since Sun wrote the CDDL based on the MPL). A lot of
licenses are derived from the MPL. If we can figure out why they derived
the MPL rather than using it, we can fix the problem in the MPL that caused
them to do that.
LWN: Thanks, Russ.
Page editor: Jonathan Corbet
Security
Secret answers as insecure passwords
Here at LWN security headquarters, we have received hundreds of messages
from readers with one crucial security question on their minds: how was
Paris Hilton's T-Mobile account cracked?
Well...OK...maybe we haven't received quite that many messages. But we're
sure people will want to know. Turns out that
OSDir
has the answer. Apparently T-Mobile's site has a "secret
answer" mechanism for people who forget their passwords. Ms Hilton's
"secret answer" was her dog's name. Bitten again.
Wherever there is a potential security problem, there is inevitably a
Bruce Schneier column warning about it. In this case, Bruce notes:
Passwords have reached the end of their useful life. Today, they
only work for low-security applications. The secret question is
just one manifestation of that fact.
Passwords may well be heading toward the end of their useful life, but
"secret answers" are not necessarily a demonstration of that fact. Many
web sites (or other interfaces requiring confirmation) go out of their way
to prevent the use of insecure passwords. Some site developers put
considerable effort into creating novel rules for passwords. Then they add a "secret
answer" mechanism which bypasses all of that.
The real issue here, perhaps, is that an authentication interface should
actually control access to the resources it protects. Back doors are never
good for the security of a system, and a "secret answer" scheme is really
just a form of back door. If you provide a way around your password
interface, you should not be surprised if attackers use it.
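The point above, worked through in code: an added example, not T-Mobile's system or anything from the OSDir or Schneier pieces. It models a site with a strict password policy and a "secret answer" reset path, plays a wordlist of pet names against that path, and then shows one way to close the back door (the answer only starts recovery, a random token delivered out of band finishes it, and the path is rate limited like any other login path). The policy rules, the wordlist, the account names and the attempt limit are all constructed for the example.

```python
"""Added example, not from the article: a site with a strict password
policy and a 'secret answer' reset path, showing that the reset path is
the weakest credential the account has, and one way to close the hole."""
import hashlib
import hmac
import secrets
import string
from typing import Optional


def password_meets_policy(pw: str, min_length: int = 10) -> bool:
    """Constructed policy: at least min_length characters and three of four classes."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    return len(pw) >= min_length and classes >= 3


def _digest(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so neither secret is stored as a bare hash.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)


class Account:
    def __init__(self, password: str, secret_answer: str):
        if not password_meets_policy(password):
            raise ValueError("password rejected by policy")
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _digest(password, self.salt)
        # Sites normalise the answer (case, whitespace), which makes an
        # already small answer space smaller still.
        self.answer_hash = _digest(secret_answer.strip().lower(), self.salt)
        self.recovery_attempts = 0
        self.locked = False
        self.pending_token: Optional[str] = None

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password, self.salt), self.pw_hash)

    def _answer_matches(self, answer: str) -> bool:
        return hmac.compare_digest(_digest(answer.strip().lower(), self.salt), self.answer_hash)

    # The back door as described: a correct answer hands over the account.
    def reset_via_secret_answer(self, answer: str, new_password: str) -> bool:
        if self._answer_matches(answer):
            self.pw_hash = _digest(new_password, self.salt)
            return True
        return False

    # Hardened flow: the answer only starts recovery; a random one-time
    # token delivered out of band (e-mail, SMS) finishes it, and the
    # answer path is rate limited like any other login path.
    def begin_recovery(self, answer: str, max_attempts: int = 5) -> bool:
        if self.locked:
            return False
        self.recovery_attempts += 1
        if self.recovery_attempts > max_attempts:
            self.locked = True
            return False
        if self._answer_matches(answer):
            self.pending_token = secrets.token_urlsafe(32)
            return True
        return False

    def finish_recovery(self, token: str, new_password: str) -> bool:
        if self.pending_token is None or not hmac.compare_digest(token, self.pending_token):
            return False
        if not password_meets_policy(new_password):   # the reset path honours the policy too
            return False
        self.pw_hash = _digest(new_password, self.salt)
        self.pending_token = None
        return True


# Constructed attacker wordlist of common pet names.
PET_NAMES = ["max", "buddy", "bella", "lucy", "daisy", "rex", "tinkerbell", "fluffy"]


def attack_back_door(account: Account, wordlist) -> Optional[int]:
    """Number of guesses needed to take the account over via the secret answer."""
    for n, guess in enumerate(wordlist, 1):
        if account.reset_via_secret_answer(guess, "Attacker-Chosen-1!"):
            return n
    return None


def attack_hardened(account: Account, wordlist) -> Optional[int]:
    """Same wordlist against the rate-limited, token-gated flow."""
    for n, guess in enumerate(wordlist, 1):
        if account.begin_recovery(guess):
            return n   # a token was generated, but it went to the owner, not here
        if account.locked:
            return None
    return None
```

The policy-compliant password never enters the attack at all: the wordlist walks straight through the reset path. In the hardened flow the same wordlist locks the account before reaching the right answer, and even a correct guess yields nothing without the out-of-band token.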
Security news
New IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)
MozillaZine reports that IDN support will not be disabled. The details of the new short-term solution are available. "Darin Fisher, network supremo, has pulled it out of the bag and come up with a less drastic short-term solution to the IDN problem. It has just been checked in for all three upcoming releases. Read about it over in bug 282270, but basically IDN will still work, but all occurrences of IDN domains in the browser UI (URL bar, security info etc.) will be the punycode form. There is a pref to re-enable full IDN - set "network.IDN_show_punycode" to false. As with the previous plan, this preference will be set to true in all official builds."
Meanwhile the search for a long-term solution continues.
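What the short-term fix changes, as an added example that is not Mozilla's code: the punycode form a browser would now show for an internationalized name, the preference switch quoted above modelled as a parameter, and a mixed-script check of the kind a longer-term fix might use. The sample hostname is constructed (a Latin name with one Cyrillic letter), and the script test, which approximates a character's script by the first word of its Unicode name, is an assumption of this example rather than a published algorithm.

```python
"""Added example, not Mozilla's code: the display rule the short-term fix
adopts (show IDN labels in their punycode form), plus a mixed-script check
of the kind the long-term search might settle on."""
import unicodedata


def to_punycode(hostname: str) -> str:
    """The ASCII-compatible (xn--) form of a hostname; ASCII names pass through."""
    return hostname.encode("idna").decode("ascii")


def from_punycode(hostname: str) -> str:
    return hostname.encode("ascii").decode("idna")


def display_form(hostname: str, show_punycode: bool = True) -> str:
    """What the URL bar would show. The default mirrors
    network.IDN_show_punycode=true; False gives the old, fully decoded display."""
    ascii_form = to_punycode(hostname)
    return ascii_form if show_punycode else from_punycode(ascii_form)


def scripts_in_label(label: str) -> set:
    """Script of each letter, approximated (an assumption of this example) by the
    first word of its Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def is_mixed_script(hostname: str) -> bool:
    """True when any label draws letters from more than one script, the
    shape of a homograph such as a Latin name with one Cyrillic letter.
    The check runs on the decoded form: punycode is all ASCII and hides the mix."""
    decoded = from_punycode(to_punycode(hostname))
    return any(len(scripts_in_label(label)) > 1 for label in decoded.split("."))


# Constructed sample: "example.com" with its second letter replaced by
# CYRILLIC SMALL LETTER A (U+0430), indistinguishable from Latin 'a' in most fonts.
HOMOGRAPH = "ex\u0430mple.com"
```

Showing the xn-- form makes the substitution visible to a user who looks, which is all the short-term fix claims; the mixed-script test is what a client would need in order to warn without a user having to look, and it has to run on the decoded name because the punycode form is plain ASCII.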
New vulnerabilities
bidwatcher: format string vulnerability
| Package(s): | bidwatcher |
| CVE #(s): | CAN-2005-0158 |
| Created: | February 18, 2005 |
| Updated: | March 3, 2005 |

Description: Ulf Härnhammar of the Debian Security Audit Project discovered a format string vulnerability in bidwatcher, a tool for watching and bidding on eBay auctions. The problem can be triggered remotely by an eBay web server, or by someone pretending to be eBay, sending back certain data. As of version 1.3.17 the program uses cURL and is no longer vulnerable.
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |

Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
gaim: client freezes
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0472, CAN-2005-0473 |
| Created: | February 22, 2005 |
| Updated: | April 27, 2005 |

Description: The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See the Secunia advisory for additional information.
GProFTPD: gprostats format string vulnerability
| Package(s): | gproftpd |
| CVE #(s): | |
| Created: | February 18, 2005 |
| Updated: | February 23, 2005 |

Description: Tavis Ormandy of the Gentoo Linux Security Audit Team has identified a format string vulnerability in the gprostats utility. An attacker could exploit the vulnerability by performing a specially crafted FTP transfer; the resulting ProFTPD transfer log could then trigger the execution of arbitrary code when parsed by GProFTPD.
gftp: missing input sanitizing
| Package(s): | gftp |
| CVE #(s): | CAN-2005-0372, CAN-2004-1376 |
| Created: | February 17, 2005 |
| Updated: | July 13, 2005 |

Description: gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files.
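The check a client needs before writing a file whose name was chosen by the remote server, as an added example that is not gftp's code: the unsafe form is what a naive client does with the name from a directory listing, the safe form rejects path separators, absolute names and ".", "..", and then confirms with realpath that a symlink planted in the download directory cannot lead the write outside it. The hostile listing is constructed for the example.

```python
"""Added example, not gftp's code: confining a filename chosen by a remote
server to the local download directory."""
import os
import tempfile


def unsafe_local_path(download_dir: str, remote_name: str) -> str:
    # os.path.join discards download_dir entirely when remote_name is absolute,
    # and keeps "../" components as they are.
    return os.path.join(download_dir, remote_name)


def safe_local_path(download_dir: str, remote_name: str) -> str:
    """Return the resolved path to write, or raise ValueError."""
    if not remote_name or "\x00" in remote_name:
        raise ValueError("empty name or NUL byte")
    # A listing entry names a file, not a path: any separator is an attack or a bug.
    if "/" in remote_name or "\\" in remote_name or remote_name in (".", ".."):
        raise ValueError(f"rejecting remote filename {remote_name!r}")
    root = os.path.realpath(download_dir)
    candidate = os.path.realpath(os.path.join(root, remote_name))
    # realpath follows symlinks, so a link planted in download_dir is caught here.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"{remote_name!r} resolves outside {download_dir}")
    return candidate


def classify(download_dir: str, names) -> dict:
    """Map each server-supplied name to True (accepted) or False (rejected)."""
    out = {}
    for name in names:
        try:
            safe_local_path(download_dir, name)
            out[name] = True
        except ValueError:
            out[name] = False
    return out


# Constructed listing as a hostile server might send it; "escape" is a
# symlink the attacker (or an earlier transfer) planted in the download directory.
HOSTILE_LISTING = ["report.pdf", "../../.bashrc", "/etc/passwd", "..",
                   "sub/x.txt", "a\x00b", "escape"]


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        parent = os.path.dirname(os.path.realpath(d))
        os.symlink(parent, os.path.join(d, "escape"))   # link pointing out of d
        return classify(d, HOSTILE_LISTING)
```

The separator rule does the real work; the realpath comparison is there for the case the rule cannot see, a name that is syntactically clean but already exists in the directory as a symlink pointing elsewhere.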
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |

Description: A buffer overflow flaw was found in the c-client IMAP client library. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine.
mc: multiple vulnerabilities
| Package(s): | mc |
| CVE #(s): | CAN-2004-1004, CAN-2004-1005, CAN-2004-1092, CAN-2004-1176 |
| Created: | February 17, 2005 |
| Updated: | March 4, 2005 |

Description: Midnight Commander has multiple vulnerabilities, including format string vulnerabilities, buffer overflows, a buffer underflow, and a memory deallocation error. An attacker can use these to run arbitrary code with the permissions of the user.
PuTTY: remote code execution
| Package(s): | putty |
| CVE #(s): | CAN-2005-0467 |
| Created: | February 21, 2005 |
| Updated: | March 2, 2005 |

Description: Two vulnerabilities have been discovered in the PSCP and PSFTP clients which can be triggered by a malicious SFTP server. See the iDEFENSE advisory for details.
Squid: DNS response handling
| Package(s): | squid |
| CVE #(s): | CAN-2005-0446 |
| Created: | February 18, 2005 |
| Updated: | March 16, 2005 |

Description: Handling of certain DNS responses triggers assertion failures. By returning a specially crafted DNS response, an attacker could cause Squid to crash.
xpdf: vulnerabilities on 64 bit platforms
| Package(s): | xpdf gpdf cups |
| CVE #(s): | CAN-2005-0206 |
| Created: | February 18, 2005 |
| Updated: | March 16, 2005 |

Description: The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities.
Updated vulnerabilities
OpenSSL: denial of service vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |

Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
alsa-lib: disabled stack execution protection
| Package(s): | alsa-lib |
| CVE #(s): | CAN-2005-0087 |
| Created: | February 15, 2005 |
| Updated: | February 16, 2005 |

Description: A flaw in the alsa mixer code was discovered that caused stack execution protection to be disabled for the libasound.so library. The effect of this flaw is that stack execution protection, through NX or Exec-Shield, would be disabled for any application linked to libasound.
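The property the alsa-lib entry describes is carried by the PT_GNU_STACK program header: an object whose header (or whose absence of one) requests an executable stack drags the whole process with it when it is loaded. The following parser, an added example and not part of ALSA or the advisory, reads that header from ELF32 or ELF64 images of either endianness and reports whether the object asks for an executable stack. The three sample images are constructed in the block, standing in for a fixed libasound, the flawed one, and an old object built before the marking existed.

```python
"""Added example, not part of the alsa-lib advisory or of ALSA: a check for
the PT_GNU_STACK marking that decides whether a loaded object requests an
executable stack, the property the alsa-lib flaw got wrong."""
import struct
import sys
from typing import Iterator, Optional, Tuple

PT_GNU_STACK = 0x6474E551          # PT_LOOS + 0x474e551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def program_headers(data: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (p_type, p_flags) for every program header, ELF32 or ELF64, either endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)   # flags follow type
        else:
            (p_type,) = struct.unpack_from(end + "I", data, off)
            (p_flags,) = struct.unpack_from(end + "I", data, off + 24)    # flags sit after p_memsz
        yield p_type, p_flags


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """p_flags of the PT_GNU_STACK header, or None if the object carries none."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_executable(data: bytes) -> bool:
    """True if this object asks for an executable stack. A missing header is
    treated as executable, the fallback used for objects without the marking."""
    flags = gnu_stack_flags(data)
    return True if flags is None else bool(flags & PF_X)


def build_elf64(phdrs) -> bytes:
    """Constructed minimal little-endian x86-64 ET_DYN image: header plus program headers only."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, EV_CURRENT
    phoff, phentsize = 64, 56
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, phoff, 0, 0,
                         64, phentsize, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body


# Constructed samples: a fixed library, the flawed one, and a pre-GNU_STACK object.
FIXED_LIB = build_elf64([(1, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
FLAWED_LIB = build_elf64([(1, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
UNMARKED_LIB = build_elf64([(1, PF_R | PF_X)])


def scan_file(path: str) -> bool:
    with open(path, "rb") as f:
        return stack_executable(f.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, "execstack" if scan_file(p) else "noexecstack")
```

On a real system the same answer comes from `readelf -lW libasound.so.2 | grep GNU_STACK` (flags `RW` versus `RWE`) or `execstack -q`; the value of doing it in code is that a build or package check can fail a library like the flawed one before it ships.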
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
| CVE #(s): | CAN-2004-0806 |
| Created: | September 8, 2004 |
| Updated: | February 21, 2005 |

Description: The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program.
ClamAV: multiple issues
| Package(s): | clamav |
| CVE #(s): | CAN-2005-0133 |
| Created: | January 31, 2005 |
| Updated: | March 3, 2005 |

Description: ClamAV fails to properly scan ZIP files with special headers and base64-encoded images in URLs.
cpio: file permissions error
| Package(s): | cpio |
| CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 |
| Updated: | July 19, 2005 |

Description: Some versions of cpio contain an ancient vulnerability where files created by the utility are given overly generous access permissions.
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |

Description: cyrus-sasl has a buffer overflow in digestmd5.c which a remote attacker may be able to use to compromise the system. In addition, a local user may be able to exploit a vulnerability through the SASL_PATH environment variable.
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |

Description: The logging functions of dhcp 2.x contain a format string vulnerability that may be exploited via a malicious DNS server.
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |

Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |

Description: Erik Sjölund has discovered several security-relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames, a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
evolution: arbitrary code execution
| Package(s): | evolution |
| CVE #(s): | CAN-2005-0102 |
| Created: | January 24, 2005 |
| Updated: | May 19, 2005 |

Description: Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed setuid root).
f2c: insecure temp files
| Package(s): | f2c |
| CVE #(s): | CAN-2005-0017, CAN-2005-0018 |
| Created: | January 27, 2005 |
| Updated: | April 20, 2005 |

Description: The f2c Fortran-to-C translator opens temporary files insecurely. A local attacker can use this to launch a symlink attack.
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |

Description: There is a vulnerability in the foomatic-filters package, due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. It may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788 |
| Created: | September 15, 2004 |
| Updated: | February 25, 2005 |

Description: The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |

Description: gettext insecurely creates temporary files with predictable names in world-writable directories. A local attacker could create symbolic links in the temporary files directory pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |

Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |

Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can obtain the list of symbols a SUID application uses and their locations, and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |

Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user running the script.
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |

Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |

Description: Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |

Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug in the handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |

Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0005 |
| Created: | January 18, 2005 |
| Updated: | March 23, 2005 |

Description: According to the iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited, allowing an attacker to execute arbitrary code.
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |

Description: The imlib2 library contains buffer overflows in the BMP handling code.
kdeedu: buffer overflow in fliccd
| Package(s): | kdeedu kstars |
| CVE #(s): | CAN-2005-0011 |
| Created: | February 16, 2005 |
| Updated: | February 18, 2005 |

Description: Erik Sjölund discovered a buffer overflow in fliccd, which is part of kdeedu, the edutainment applications for KDE. An attacker could exploit this vulnerability to execute code with elevated privileges. If fliccd is not run as a daemon, remote exploitation is not possible.
kdelibs: unsanitized input
| Package(s): | kdelibs |
| CVE #(s): | CAN-2004-1165 |
| Created: | January 10, 2005 |
| Updated: | July 19, 2005 |

Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, that allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL containing a URL-encoded newline before the FTP command.
kernel: i386 SMP page fault handler privilege escalation
| Package(s): | kernel |
| CVE #(s): | CAN-2005-0001 |
| Created: | January 14, 2005 |
| Updated: | February 25, 2005 |

Description: Paul Starzetz found an exploitable hole in the x86 SMP page fault handler which could lead to privilege escalation. See the advisory for details.
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
| CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 |
| Updated: | March 2, 2006 |

Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the user running the affected parts of the library.
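The f2c, gettext, ghostscript, catchsegv, groff and libdbi-perl entries above are all the same bug: a scratch file created at a predictable name in a shared directory, which a local attacker can pre-create as a symlink so that the victim's write lands on a file of the attacker's choosing. The following added example, not code from any of those packages, plays both sides inside a throwaway directory (a regular file stands in for the victim's target, and a guessed PID for the race) and shows the two fixes: O_CREAT|O_EXCL, which refuses an existing path even when it is a symlink, and mkstemp, which adds an unpredictable name and mode 0600.

```python
"""Added example, not code from any of the packages above: the temporary-file
race behind the f2c, gettext, ghostscript, catchsegv, groff and libdbi-perl
entries, shown end to end inside a scratch directory, with two fixes."""
import os
import tempfile


def scratch_name(tmpdir: str, pid: int) -> str:
    # The predictable pattern the vulnerable scripts used: a fixed prefix plus the PID.
    return os.path.join(tmpdir, f"scratch.{pid}")


def write_insecure(tmpdir: str, pid: int, data: str) -> str:
    """open(..., 'w') follows whatever already sits at the predictable name."""
    path = scratch_name(tmpdir, pid)
    with open(path, "w") as f:
        f.write(data)
    return path


def write_excl(tmpdir: str, pid: int, data: str) -> str:
    """Same predictable name, but O_CREAT|O_EXCL refuses to use an existing
    path, symlink included, so the planted link makes the call fail loudly."""
    path = scratch_name(tmpdir, pid)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def write_mkstemp(tmpdir: str, data: str) -> str:
    """The usual fix: an unpredictable name created atomically with O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="scratch.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Plays attacker and victim in one sandbox directory; returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")   # stands in for ~/.bashrc, /etc/passwd, ...
        with open(victim, "w") as f:
            f.write("original contents\n")
        pid = 4242   # the attacker guessed (or watched) the victim's PID
        os.symlink(victim, scratch_name(tmp, pid))   # the attacker wins the race

        write_insecure(tmp, pid, "attacker-controlled\n")
        with open(victim) as f:
            results["victim_clobbered"] = f.read() == "attacker-controlled\n"

        try:
            write_excl(tmp, pid, "never written\n")
            results["excl_refused"] = False
        except FileExistsError:
            results["excl_refused"] = True

        safe = write_mkstemp(tmp, "scratch data\n")
        mode = os.lstat(safe).st_mode & 0o777
        results["mkstemp_regular_file"] = not os.path.islink(safe) and mode == 0o600
    return results
```

O_EXCL alone stops the overwrite but turns the attack into a denial of service, since the victim's program now fails whenever the name is squatted; mkstemp removes the attacker's ability to predict the name at all, which is why it is the fix the advisories above converged on.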
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |

Description: Several buffer overflows have been discovered in libgd's PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP; one possible target would be a PHP-driven photo website that lets users upload images, so this vulnerability might lead to privilege escalation to a web server's privileges.

Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CAN-2004-1308 |
| Created: | December 22, 2004 |
| Updated: | May 19, 2005 |

Description: The libtiff image manipulation library contains several exploitable buffer overflows.
libxml2: multiple buffer overflows
Package(s): libxml2
CVE #(s): CAN-2004-0989
Created: October 28, 2004
Updated: February 28, 2005
Description:
libxml2 prior to version 2.6.14 contains multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted FTP URL,
arbitrary code may be executed.
Alerts:
lighttpd: script source disclosure
Package(s): lighttpd
CVE #(s):
Created: February 15, 2005
Updated: February 16, 2005
Description:
lighttpd uses file extensions to determine which requested files are
programs that should be executed and which are static pages that should be
sent as-is. By appending %00 (a URL-encoded NUL byte) to the filename, an
attacker can evade the extension check while the server still opens the
underlying file. A remote attacker could send such requests and read the
source of scripts that should have been executed as CGI or FastCGI
applications.
Alerts:
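The bug is a disagreement between two views of the same name: the extension check works on a length-delimited buffer in which a decoded %00 is an ordinary byte, while open(2) takes a C string that ends at that byte. The following is an added C example, not lighttpd's code, that reproduces the pattern with a percent-decoder, the two routing policies, and the length the kernel actually sees at the open() boundary. The enum, function names and the ".php" mapping are invented for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Where a decoded request path is sent. Names are ours, not lighttpd's. */
enum route { ROUTE_STATIC, ROUTE_CGI, ROUTE_REJECT };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode `in` into `out` and return the decoded length. Like a
 * server's URL buffer, the result is length-delimited: a decoded %00 is
 * stored as a real byte instead of ending the string. */
size_t url_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n + 1 < outsz; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval(in[i + 1])) >= 0 &&
            (lo = hexval(in[i + 2])) >= 0) {
            out[n++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[n++] = in[i];
        }
    }
    out[n] = '\0';   /* terminator sits outside the counted length */
    return n;
}

/* Length-aware suffix test, as an extension-to-handler lookup does it. */
static int has_suffix(const char *buf, size_t len, const char *suffix)
{
    size_t slen = strlen(suffix);
    return len >= slen && memcmp(buf + len - slen, suffix, slen) == 0;
}

/* Vulnerable routing. For "/index.php%00" the decoded buffer is
 * "/index.php\0" (11 bytes); its last byte is NUL rather than 'p', so
 * the ".php" check fails and the request goes to the static handler. */
enum route route_vulnerable(const char *path, size_t len)
{
    return has_suffix(path, len, ".php") ? ROUTE_CGI : ROUTE_STATIC;
}

/* Hardened routing. A decoded path never legitimately contains NUL, so
 * reject it before any handler looks at the name. */
enum route route_hardened(const char *path, size_t len)
{
    if (memchr(path, '\0', len) != NULL)
        return ROUTE_REJECT;
    return has_suffix(path, len, ".php") ? ROUTE_CGI : ROUTE_STATIC;
}

/* The static handler hands the buffer to open(2), which takes a C string
 * and stops at the first NUL. This is the length the kernel actually sees. */
size_t length_seen_by_open(const char *path)
{
    return strlen(path);
}

int main(void)
{
    static const char *const names[] = { "static", "cgi", "reject" };
    /* constructed sample requests */
    const char *requests[] = { "/index.php", "/index.php%00", "/index.php%00.txt" };
    char buf[64];

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        size_t n = url_decode(requests[i], buf, sizeof buf);
        printf("%-20s decoded=%zu open() sees %zu bytes (\"%s\")  "
               "vulnerable->%s  hardened->%s\n",
               requests[i], n, length_seen_by_open(buf), buf,
               names[route_vulnerable(buf, n)], names[route_hardened(buf, n)]);
    }
    return 0;
}
```

The third request, "/index.php%00.txt", shows why stripping a trailing NUL is not enough as a fix: the suffix check sees ".txt" and routes to the static handler, while open() still opens "/index.php". Rejecting any embedded NUL in the decoded path, as route_hardened does, closes every variant at once.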
linux-source-2.6.8.1: multiple vulnerabilities
Package(s): linux-source-2.6.8.1
CVE #(s): CAN-2005-0176, CAN-2005-0177, CAN-2005-0178
Created: February 15, 2005
Updated: March 15, 2005
Description:
Michael Kerrisk noticed insufficient permission checking in the shmctl()
function. Any process was permitted to lock/unlock any System V shared
memory segment that fell within the RLIMIT_MEMLOCK limit (that is, the
maximum size of shared memory that unprivileged users can acquire). This
allowed an unprivileged user process to unlock locked memory of other
processes, thereby allowing it to be swapped out. Locked shared memory is
usually used to store passphrases and other sensitive content which must
not be written to swap space (where it could be read out even after a
reboot). (CAN-2005-0176)

OGAWA Hirofumi noticed that the table sizes in nls_ascii.c were incorrectly
set to 128 instead of 256. This caused a buffer overflow in some cases
which could be exploited to crash the kernel. (CAN-2005-0177)

A race condition was found in the terminal handling of the setsid()
function, which is used to start new process sessions. (CAN-2005-0178)
Alerts:
lvm10: creates insecure temporary directory
Package(s): lvm10
CVE #(s): CAN-2004-0972
Created: November 1, 2004
Updated: July 25, 2005
Description:
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program.
Alerts:
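The lvm10 scratch directory here and the libdbi-perl PID file in the entry above are the same bug class: a predictable name in a shared directory, created without checking whether something is already there. The added C example below, which belongs to neither package, stages the attack in a private scratch directory (a "victim" file and a pre-planted symlink at the predictable name) and runs an insecure writer and a hardened writer against that name. Names, file contents and the scratch location are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Insecure pattern: a predictable name in a shared directory, opened
 * with O_CREAT but without O_EXCL. If an attacker planted a symlink at
 * that name first, open() follows it and the write lands in the target. */
int write_tmp_insecure(const char *name, const char *data)
{
    int fd = open(name, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened: O_EXCL makes creation atomic and fails with EEXIST if
 * anything, a symlink included, already sits at the name; O_NOFOLLOW
 * additionally refuses to traverse a symlink in the final component. */
int write_tmp_secure(const char *name, const char *data)
{
    int fd = open(name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;   /* errno is EEXIST when the name was pre-planted */
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

/* For scratch directories (the lvmcreate_initrd case) the analogue is
 * mkdtemp(3): an unpredictable name created atomically with mode 0700. */
int make_tmpdir_secure(char *template)
{
    return mkdtemp(template) != NULL ? 0 : -1;
}

static int read_small_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return 0;
}

/* Stage the race already lost: the attacker's symlink is in place when
 * the program creates its "temporary" file. On return, *clobbered is 1
 * if the insecure writer overwrote victim through the link and *refused
 * is 1 if the secure writer failed with EEXIST. Returns 0 on success,
 * -1 if the scratch setup itself failed. */
int run_symlink_demo(int *clobbered, int *refused)
{
    char dir[64], victim[256], link[256], contents[64];

    strcpy(dir, "/tmp/lwn-tmpfile-demo-XXXXXX");          /* constructed */
    if (make_tmpdir_secure(dir) != 0) {
        strcpy(dir, "./lwn-tmpfile-demo-XXXXXX");         /* fallback */
        if (make_tmpdir_secure(dir) != 0)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/prog.pid", dir);

    if (write_tmp_secure(victim, "original\n") != 0 ||
        symlink("victim", link) != 0)     /* the attacker's pre-planted link */
        return -1;

    /* Insecure writer follows the link: victim now holds the attacker's data. */
    write_tmp_insecure(link, "attacker-chosen\n");
    *clobbered = read_small_file(victim, contents, sizeof contents) == 0 &&
                 strcmp(contents, "attacker-chosen\n") == 0;

    /* Secure writer: O_CREAT|O_EXCL sees the planted name and stops. */
    *refused = write_tmp_secure(link, "never written\n") != 0 &&
               errno == EEXIST;

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int clobbered = 0, refused = 0;
    if (run_symlink_demo(&clobbered, &refused) != 0) {
        perror("setup");
        return 1;
    }
    printf("O_CREAT|O_TRUNC followed the symlink and overwrote victim: %s\n",
           clobbered ? "yes" : "no");
    printf("O_CREAT|O_EXCL refused the planted name with EEXIST: %s\n",
           refused ? "yes" : "no");
    return 0;
}
```

The property being relied on is documented in open(2): with O_CREAT|O_EXCL the call fails if the pathname already exists, and a dangling or live symbolic link at that name counts as existing. In real code the name should also be unpredictable (mkstemp(3) for files, mkdtemp(3) for directories, both of which apply O_EXCL for you), so that the attacker cannot plant the link ahead of time in the first place.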
mailman: cross-site scripting
Package(s): mailman
CVE #(s): CAN-2004-1177
Created: January 10, 2005
Updated: March 22, 2005
Description:
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft a URL containing JavaScript (or other content embedded in HTML)
which triggered a mailman error page. When an unsuspecting user followed
this URL, the malicious content was copied unmodified into the error page
and executed in the context of that page.
Alerts:
mailman: path traversal
Package(s): mailman
CVE #(s): CAN-2005-0202
Created: February 9, 2005
Updated: July 13, 2005
Description:
The "private" module in the mailman mailing list manager fails to sanitize
path names adequately. An attacker could exploit this vulnerability to
retrieve private information, including passwords and private list
archives. This vulnerability was used to compromise the Full-Disclosure
list.
Alerts:
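The page does not say which path form got past mailman's check, so the example below does not reproduce the exploit. It shows, as an added C example that is not mailman's code, the check a private-archive handler needs: normalize the request path segment by segment, refuse any ".." that would climb above the archive root, and only then join the result onto the trusted root. The root directory, the function names and the sample requests are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* Lexically normalize a request path relative to the archive root and
 * decide whether it stays inside that root. Returns 1 and writes the
 * normalized relative path to `out` when it does; returns 0 when a ".."
 * would climb above the root, when nothing is left to serve, or when
 * the result would not fit. "." and empty segments are dropped. */
int is_safe_archive_path(const char *req, char *out, size_t outsz)
{
    const char *seg[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    size_t depth = 0;
    const char *p = req;

    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "//" and "/./" contribute nothing */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return 0;        /* traversal: would leave the root */
            depth--;
        } else {
            if (depth == MAX_SEGS)
                return 0;
            seg[depth] = p;
            seglen[depth] = len;
            depth++;
        }
        p += len;
        if (*p == '/')
            p++;
    }

    if (depth == 0)
        return 0;                /* nothing left to serve */

    size_t n = 0;
    for (size_t i = 0; i < depth; i++) {
        if (n + seglen[i] + 1 >= outsz)
            return 0;
        if (i > 0)
            out[n++] = '/';
        memcpy(out + n, seg[i], seglen[i]);
        n += seglen[i];
    }
    out[n] = '\0';
    return 1;
}

/* Join the normalized request onto the archive root. The root is trusted
 * configuration; the request is not. Returns 1 and fills `out` when the
 * request is acceptable, 0 otherwise (and `out` must not be used). */
int build_archive_path(const char *root, const char *req, char *out, size_t outsz)
{
    char rel[512];
    if (!is_safe_archive_path(req, rel, sizeof rel))
        return 0;
    int n = snprintf(out, outsz, "%s/%s", root, rel);
    return n > 0 && (size_t)n < outsz;
}

int main(void)
{
    const char *root = "/var/lib/mailman/archives/private";   /* assumed layout */
    const char *requests[] = {                                /* constructed */
        "listname/2005-February/000001.html",
        "listname/../../etc/passwd",
        "listname/../listname/./index.html",
        "/listname//2005-February/",
    };
    char path[1024];

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (build_archive_path(root, requests[i], path, sizeof path))
            printf("%-40s -> %s\n", requests[i], path);
        else
            printf("%-40s -> rejected\n", requests[i]);
    }
    return 0;
}
```

Two caveats apply to any check of this shape. It must run on the fully decoded path (a percent-encoded "%2e%2e" must already be ".." by the time it gets here), and a lexical check cannot see symbolic links that live under the root, so the opened file should additionally be verified with realpath(3) against the root before anything is sent to the client.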
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
Alerts: