LWN.net Logo

LWN.net Weekly Edition for March 17, 2005

Mozilla is dead; long live SeaMonkey

Back in April, 2003, the Mozilla Project stirred things up by announcing a set of changes to its development model and roadmap. Rather than continue to develop one huge suite which did everything, the project would shift its efforts to the creation of smaller, standalone applications. In particular, future development would go into the browser then known as Phoenix, and the mail client called, at that time, Minotaur. The full Mozilla suite was expected to fade away.

Over time, as the project continued to make new Mozilla releases, it seemed that the suite might stay around for some time after all. The project made several Mozilla 1.8 alpha releases, and one beta, leading some users to believe, reasonably, that there might just be a Mozilla 1.8 final release afterward. So the February 28 staff meeting summary surprised a number of people with this brief item:

*Mozilla 1.8 final*

- To be discussed tomorrow whether we do one

The ensuing discussion was long and noisy. The suite still has a large and dedicated user base, even if it has been somewhat overshadowed by Firefox and Thunderbird. Some developers had been working on Mozilla 1.8 and now wonder why. It seems that, over the last couple of years, the big-picture plan had faded from view, and the Mozilla Foundation didn't go out of its way to remind people of where it was going.

That ended on March 10, when the Foundation posted its transition plan for the Mozilla suite. According to that plan, the "alpha" and "beta" 1.8 releases were intended simply to test out the Mozilla backend code. There will be no final, stable, supported Mozilla 1.8 release.

The Foundation does seem to recognize that not everybody will have expected this decision:

There is no doubt that the series of 1.8 alpha and beta releases have caused some confusion about whether there would be a 1.8 product released by the Mozilla Foundation. In addition, a set of people have done a non-trivial amount of work on 1.8 features, thinking this would be part of an official Mozilla Foundation release. This has been a major error on our part.

The confusion was also clearly to be found within the project itself, as can be seen by the fact that the question of whether a 1.8 release would happen or not was left as an open item for discussion at the February 28 staff meeting. In any case, the decision has now been made. And that decision is consistent with the project's stated long-term goals, even if people did have reason to believe that things would happen differently. The interesting question now is: what happens next?

What's next, it seems, is that the Mozilla suite gets a new name (almost certainly "SeaMonkey," its longstanding name within the Mozilla Project) and is developed and maintained by a group of volunteers. That group is already organizing itself, and has posted a plan of sorts on the SeaMonkey home page. The first priority will be to get a real 1.8 release out, but the developers are already looking beyond that milestone. A commonly-mentioned longer-term goal is moving over to XULRunner; porting back some of the better Firefox and Thunderbird features is also on the list.

The Mozilla Foundation claims to support this course of action. So SeaMonkey will be able to use the Mozilla support infrastructure - CVS, BugZilla, etc. It also appears that it will be able to use the SeaMonkey name, though it appears that there may be a significant debate within the new project about naming before this is all over. The Mozilla Foundation's primary concern, it seems, is that the SeaMonkey releases cannot appear to be an official Mozilla product.

The Mozilla Foundation's motives in making this decision are easy to understand. The Foundation's resources are limited, so it wants to concentrate those resources on the standalone applications which are at the core of its stated plans - and which, it must be said, have been rather more successful (in terms of user adoption) than the full-blown Mozilla suite ever was. That suite is free software, however, so it can survive abandonment by its creator as long as there are developers with the time and interest to maintain it. The fact that the Foundation is providing the support infrastructure (and, of course, Gecko engine and the rest of the support code used by the Mozilla suite) is an added bonus. There is every reason to expect that both projects will thrive; in a year or two, this decision may be seen as a good thing by all parties involved.

Comments (12 posted)

A modest proposal from Debian's Release Team

March 16, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The big news from the Debian Project this week is a proposal from the Release Team and FTP masters that may result in several architectures being "dropped." The Debian release team and FTP masters are proposing some criteria to determine which architectures will receive stable releases after sarge:

The release team and the ftpmasters are mutually agreed that it is not sustainable to continue making coordinated releases for as many architectures as sarge currently contains, let alone for as many new proposed architectures as are waiting in the wings.

The proposal would not affect the Sarge release, but would take effect for the next stable Debian release, dubbed "Etch." The architectures that are slated for release with Sarge will still go out the door, and will have security support throughout Sarge's release cycle, but would not be included in testing for the Etch release.

The proposal would relegate a number of architectures to "second class citizen" (SCC) status, though even that does not come for free. At a minimum, the architecture must have a functioning Debian build system ("buildd") which can run 24 hours per day without crashing. It would also require five Debian developers that use or work on the port to send a signed request for its addition, binaries for the port would need to be built and signed by Debian developers, include "basic Unix functionality," and binaries would need to be built from unmodified Debian source. Finally, the architecture must be freely usable, and the port would require a sufficient user base, or 10% of downloads "over a sampled set of mirrors."

To be part of the Etch release, an architecture would have to meet yet another set of criteria. The target systems must be available for purchase, they must be able to compile at least 98% of the distribution's packages, there must be a working installer, and there must be a machine under debian.org, available to developers, for testing. It would also be necessary for the security team, the system administration team, and the release team to sign off on accepting the architecture.

We followed up on the proposal with Steve Langasek, one of the Debian Release Team members. Using this set of criteria, Langasek predicts that this would reduce the candidate architectures from 11 (for Sarge) to 4 for Etch -- x86, PowerPC, IA-64 and AMD64. The list of ports is not set in stone. Langasek told LWN that he hopes other ports will "strive for inclusion in the Etch release, and that their efforts will contribute to maintaining the high quality we have today even if they don't end up being released."

We also asked Langasek how the Release Team had picked the criteria to be used for future releases.

One of the items in the agenda I had set for this meeting in Vancouver (with input from the rest of the team) was to talk about setting per-architecture criteria for etch to address some of the problems we've seen during the sarge cycle, where we've been fighting fires involving one architecture or another not being able to keep up -- and what we've noticed is that it's not consistently any particular architecture, it's been spread out across the board, so we really needed to tell people up front what we needed from ports in order to get etch out on-schedule.

As it turns out, the ftpmasters ran with this idea in a late-night brainstorm session even before the meeting officially began, and had some preliminary criteria put together by Saturday morning. By Saturday evening, we'd hammered this into something we all agreed was a good idea, and spent the next couple of days tweaking, refining it as one thought or another popped into someone's head.

The release team has invited comments on the plan, and it is undergoing quite a bit of discussion over on debian-devel. We asked Langasek if the proposal would be dropped if there was a strong reaction against it. Langasek said that the Release Team was open to ideas, and was "happy to tweak the specific criteria in use if there are reasons to do so." However, Langasek said that setting basic requirements "shouldn't be all that controversial, because the only alternative to holding our ports to a standard that reflects the demands of the release process really is a slow, unpredictable release." He also said there might be tweaks for ports not deemed release candidates.

It is pretty clear based on feedback that something more than the proposed unstable snapshot mechanism is desired for those ports that aren't going to be "release candidates". We don't know yet what form that will take, but there's been a lot of good discussion about what the needs are that should be met.

One criteria for release candidates that caught our eye was the requirement that the architecture must be "publicly available to buy new." We wondered if that would mean dropping support for 386 and 486 chips, something that other distributions have done for some time. According to Langasek, processors with the 486 instruction set are still in use.

The truth is that it's still possible to buy chips implementing a 486 instruction set, and a lot of people are still doing interesting things with them in the embedded sphere -- and it doesn't really cost us anything, release-wise, to maintain backwards-compatibility with those chips.

There have been a few ABI changes recently that have made current software dependent on an instruction set that's only available in 486 chips and higher; it's possible to emulate around this, but the only implementation currently available has security problems, so it may yet turn out that sarge is the first release of Debian's "i386" port that doesn't actually support true 80386 processors. We've also dropped support in sarge for the oldest of the 32-bit Sparc processors, for similar reasons.

From where we're sitting, this looks like a reasonable proposal. It doesn't arbitrarily drop specific architectures, but allows for ports to be dropped from Etch's release candidates if they fail to keep up. This may not be the "magic bullet" needed to ensure more timely releases from the Debian Project, but it should contribute to faster releases overall.

Comments (11 posted)

Remembering the crypto wars

One of the quieter announcements to come out of last month's RSA conference was this release stating that Dorothy Denning had received the 2004 "Harold F. Tipton Award" in recognition of her career in information security. From the release:

"Over the past three decades, Dorothy Denning has been instrumental in the battle to secure cyber infrastructure," said Tipton, who will present the award to Dr. Denning. "She has an extensive history of developing ways to protect highly sensitive information for corporations and government agencies."

Ms Denning was certainly an early pioneer in this field. Her 1982 Cryptography and Data Security was, for some years, the book on encryption, access control, and security models. A copy of it remains on your editor's shelf. Dorothy Denning helped pave the way to where we are now.

The release omits an important point in Ms Denning's career, however, which would be worthwhile for the free software community to remember. Those who were paying attention at the time will remember the encryption battles of the 1990's, when governments (and the U.S. government in particular) tried to control the spread of cryptographic technology. The breaking point in that debate was the "Clipper" initiative, first proposed under Bush I, then supported by the Clinton administration. Clipper would have required that all encryption used in the United States implement a key escrow mechanism which would enable the government to decrypt any communication which caught its interest. Of course, the government promised not to abuse this capability, honest, trust us. Strangely enough, people didn't trust them.

Dorothy Denning was nearly unique in the cryptography community in that she was a strong clipper supporter. Her essay, The Future of Cryptography, remains available; it is worth reading for a scary view on how the net should work. Here's what she was worried about:

Crypto anarchy can be viewed as the proliferation of cryptography that provides the benefits of confidentiality protection but does nothing about its harms. It is government-proof encryption which denies access to the government even under a court order or other legal order. It has no safeguards to protect users and their organizations from accidents and abuse. It is like an automobile with no brakes, no seat belts, no pollution controls, no license plate, and no way of getting in after you've locked your keys in the car.

Crypto anarchy, it was claimed, would lead to social disorder and the end of life as we know it. But it could be prevented; all that was needed was key escrow, and the "Skipjack" encryption algorithm, which happened to be classified so nobody could see it. It was thought that key escrow might win on its own merits, but this outcome was not to be left to the whim of markets:

The manufacture, distribution, import, and export of unlicensed encryption products would be illegal, but no particular method of encryption would be mandated. Individuals would be allowed to develop their own encryption systems for personal or educational use without obtaining licenses, though they could not distribute them to others.

It should be clear that this view of the world would not sit well with the free software community. We want to be able to develop - and distribute - software which satisfies our own sense of how much security we need. We have little patience for coding in back doors for government, or for anybody else. We do not believe in the security of government-mandated back doors or classified encryption algorithms.

Clearly, the proponents of key escrow were not successful. There are two reasons for this failure; the first, and perhaps strongest, of those is economic. Somehow, the Powers That Be subscribed to the absurd notion that there would be a worldwide market for encryption products with an explicit back door for the U.S. government. People in the industry, however, eventually figured out that key escrow and crypto export regulations would destroy their business. They pushed for change, and got it.

The other reason, however, is public opposition. The debate was loud, public, and effective. And a significant part of that debate came about as a result of the public release of PGP, which let the strong cryptography cat out of the bag in an irreversible way. Phillip Zimmermann's courageous act demonstrated the repressive power that was poised to swoop down on those who sought to protect their own data; it also made any attempt to control the spread of encryption technology moot. Without the release of that code, the software environment as we see it today might have been quite different.

As we fight software patents, broadcast flags, or attempts to restrict peer-to-peer software, we should keep these lessons in mind. These battles can be won, even when strong interests are quite determined in their opposition. And releasing code onto the net can change the world. By developing and distributing our systems, which are designed with our interests in mind, we are helping to bring about a more free future.

Comments (8 posted)

Page editor: Jonathan Corbet

Security

Big Ideas for saving the Internet

CIO magazine has run an article called How To Save The Internet. The core idea is that the Internet threatens to collapse under the load of spam, spyware, worms, etc., and that some sort of Big Ideas must be found to save the situation. A few of the suggested ideas merit a look...

The first is "hire a czar." The idea would seem to be that the appointment of a high-level (U.S.) "cybersecurity" official would do something to make our systems more secure. It looks mostly like a bully-pulpit role:

We propose a high-profile surgeon general for information security, who reports to the secretary of DHS. Imagine labels on software like those on cigarettes--Infosecurity General's Warning: The use of software and hardware that is not certified secure can harm your system and other people's systems, and you may be held liable for those damages.

Aside from the idea of how hardware and software would be "certified secure," one could imagine that people in the free software community could have a lot of fun creating warning labels.

Another suggestion is giving vendors incentives to create more secure software. Essentially, it is the return of the product liability idea. This approach may still offer some promise, but it is hard to see how to make it fit with the "no warranties" nature of free software.

Two related items are well described by the title applied to the first: "Treat End Users Like the Dummies They Are." The suggestion to have ISPs provide more filtering, detection, and response services to those who are willing to pay for them is fine. The other one, however, is more problematic:

Let's make all end user devices nonprogrammable.... No one can connect to the Internet on a machine that creates code. If you want a computer to do programming, you would have to be licensed. We could license software companies to purchase programmable machines, which would be completely traceable along with the code created on them.

The idea of "traceable code" would appear to pose some technical challenges of its own. But the idea that you could "save the Internet" by restricting access to programmable devices is truly frightening. There are a few of us out there who see the net as a bit more than a clothing-optional shopping mall. We would not react well to the idea that we would have to be licensed before getting a machine we could hack on.

There is an idea for the creation of reputation servers as an antidote to phishing problem (though, of course, it has to be expressed as "using XML and meta-data to tag websites with safety, reputation, past performance and other security ratings"). Something like that may yet be part of a solution to certain classes of problems. More likely, however, is that it would just become another variant of the (nearly useless) SSL certificate mechanism.

Almost as an afterthought, the article presents a couple of relevant Big Ideas: make a bigger effort to write error-free software, and think carefully about what features any given program should have. Maybe an email client really should not be able to execute code received in messages. One wonders why nobody ever thought of that before.

See the article for the full list of "Big Ideas." For the most part, this article can be dismissed as just another silly journalistic exercise. But the truth of the matter is that people are actually likely to try some of these ideas. Look for a "Code Traceability and Programmer Licensing" initiative in a legislature near you sometime soon.

Comments (16 posted)

New vulnerabilities

Ethereal: Multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2005-0699 CAN-2005-0704 CAN-2005-0705
Created:March 14, 2005 Updated:March 28, 2005
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.10, including:
The Etheric and 3GPP2 A11 dissectors are vulnerable to buffer overflows (CAN-2005-0704 and CAN-2005-0699), the GPRS-LLC could crash when the "ignore cipher bit" option is enabled (CAN-2005-0705) and various vulnerabilities in the IAPP, JXTA, and sFlow dissectors.
Alerts:
Conectiva CLA-2005:942 2005-03-28
Red Hat RHSA-2005:306-01 2005-03-18
Mandrake MDKSA-2005:053 2005-03-15
Fedora FEDORA-2005-212 2005-03-16
Fedora FEDORA-2005-213 2005-03-16
Gentoo 200503-16 2005-03-12

Comments (none posted)

gnupg: information leak

Package(s):gnupg CVE #(s):CAN-2005-0366
Created:March 16, 2005 Updated:August 19, 2005
Description: GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Alerts:
Ubuntu USN-170-1 2005-08-19
Gentoo 200503-29 2005-03-24
Mandrake MDKSA-2005:057 2005-03-15

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:September 16, 2005
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

IPsec-Tools: denial of service

Package(s):ipsec-tools setkey racoon CVE #(s):CAN-2005-0398
Created:March 14, 2005 Updated:April 5, 2005
Description: The IPsec-Tools package is used to build other programs such as setkey and racoon. There is a potential denial of service vulnerability when parsing ISAKMP headers in racoon.
Alerts:
Ubuntu USN-107-1 2005-04-05
SuSE SUSE-SA:2005:020 2005-03-31
Mandrake MDKSA-2005:062 2005-03-31
Gentoo 200503-33 2005-03-25
Red Hat RHSA-2005:232-01 2005-03-23
Fedora FEDORA-2005-217 2005-03-14
Fedora FEDORA-2005-216 2005-03-14

Comments (none posted)

luxman: buffer overflow

Package(s):luxman CVE #(s):CAN-2005-0385
Created:March 14, 2005 Updated:March 16, 2005
Description: Kevin Finisterre discovered a buffer overflow in luxman, an SVGA based PacMan clone, that could lead to the execution of arbitrary commands as root.
Alerts:
Debian DSA-693-1 2005-03-14

Comments (none posted)

MySQL: input validation and temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
Created:March 16, 2005 Updated:July 19, 2005
Description: MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability.
Alerts:
Fedora-Legacy FLSA:152925 2005-07-15
OpenPKG OpenPKG-SA-2005.006 2005-04-20
Debian DSA-707-1 2005-04-13
Fedora FEDORA-2005-305 2005-04-05
Fedora FEDORA-2005-304 2005-04-05
Red Hat RHSA-2005:348-01 2005-04-05
Conectiva CLA-2005:946 2005-04-04
Red Hat RHSA-2005:334-01 2005-03-28
SuSE SUSE-SA:2005:019 2005-03-24
Mandrake MDKSA-2005:060 2005-03-21
Trustix TSLSA-2005-0009 2005-03-21
Ubuntu USN-96-1 2005-03-16
Gentoo 200503-19 2005-03-16

Comments (none posted)

openslp: buffer overflows

Package(s):openslp CVE #(s):
Created:March 14, 2005 Updated:March 21, 2005
Description: The SUSE Security Team reviewed critical parts of the OpenSLP package, an open source implementation of the Service Location Protocol (SLP). During the audit, various buffer overflows and out of bounds memory access have been fixed which can be triggered by remote attackers by sending malformed SLP packets.
Alerts:
Gentoo 200503-25 2005-03-20
Ubuntu USN-98-1 2005-03-17
Mandrake MDKSA-2005:055 2005-03-15
SuSE SUSE-SA:2005:015 2005-03-14

Comments (none posted)

Ringtone Tools: buffer overflow

Package(s):ringtonetools CVE #(s):
Created:March 15, 2005 Updated:March 16, 2005
Description: Qiao Zhang has discovered a buffer overflow vulnerability in the 'parse_emelody' function in 'parse_emelody.c'. A remote attacker could entice a Ringtone Tools user to open a specially crafted eMelody file, which would potentially lead to the execution of arbitrary code with the rights of the user running the application.
Alerts:
Gentoo 200503-18 2005-03-15

Comments (none posted)

sylpheed: buffer overflow

Package(s):sylpheed CVE #(s):CAN-2005-0667
Created:March 15, 2005 Updated:April 15, 2005
Description: Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9.5 allows remote attackers to execute arbitrary code via an e-mail message with certain headers containing non-ASCII characters that are not properly handled when the user replies to the message.
Alerts:
SuSE SUSE-SR:2005:011 2005-04-15
Gentoo 200503-26 2005-03-20
Red Hat RHSA-2005:303-01 2005-03-18
Fedora FEDORA-2005-224 2005-03-17
Fedora FEDORA-2005-211 2005-03-15

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

abuse: several vulnerabilities

Package(s):abuse CVE #(s):CAN-2005-0098 CAN-2005-0099
Created:March 7, 2005 Updated:March 9, 2005
Description: Several vulnerabilities have been discovered in abuse, the SDL port of the Abuse action game. Erik Sjölund discovered several buffer overflows in the command line handling, which could lead to the execution of arbitrary code with elevated privileges since it is installed setuid root. Steve Kemp discovered that that abuse creates some files without dropping privileges first, which may lead to the creation and overwriting of arbitrary files.
Alerts:
Debian DSA-691-1 2005-03-07

Comments (none posted)

cpio - file permissions error

Package(s):cpio CVE #(s):CAN-1999-1572
Created:February 2, 2005 Updated:July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02

Comments (none posted)

cURL: buffer overflow

Package(s):curl CVE #(s):CAN-2005-0490
Created:February 28, 2005 Updated:July 19, 2005
Description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded.
Alerts:
Fedora-Legacy FLSA:152917 2005-07-15
Fedora FEDORA-2005-325 2005-04-20
Red Hat RHSA-2005:340-01 2005-04-05
Conectiva CLA-2005:940 2005-03-21
Gentoo 200503-20 2005-03-16
Mandrake MDKSA-2005:048 2005-03-04
SuSE SUSE-SA:2005:011 2005-02-28
Ubuntu USN-86-1 2005-02-28

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s):cyrus-sasl CVE #(s):CAN-2004-0884
Created:October 7, 2004 Updated:March 16, 2005
Description: cyrus-sasl has a vulnerability involving a buffer overflow in the digestmda5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

KDE dcopidlng: insecure temporary file creation

Package(s):dcopidlng CVE #(s):
Created:March 7, 2005 Updated:March 9, 2005
Description: Davide Madrisan has discovered that the dcopidlng script creates temporary files in a world-writable directory with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When dcopidlng is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200503-14 2005-03-07

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

evolution: arbitrary code execution

Package(s):evolution CVE #(s):CAN-2005-0102
Created:January 24, 2005 Updated:May 19, 2005
Description: Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root).
Alerts:
Red Hat RHSA-2005:238-01 2005-05-19
Conectiva CLA-2005:925 2005-02-16
Debian DSA-673-1 2005-02-10
Mandrake MDKSA-2005:024 2005-01-27
Gentoo 200501-35 2005-01-24
Ubuntu USN-69-1 2005-01-24

Comments (1 posted)

f2c: insecure temp files

Package(s):f2c CVE #(s):CAN-2005-0017 CAN-2005-0018
Created:January 27, 2005 Updated:April 20, 2005
Description: The f2c fortran to C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack.
Alerts:
Debian DSA-661-2 2005-04-20
Gentoo 200501-43 2005-01-30
Debian DSA-661-1 2005-01-27

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: DoS issue in parsing malformed HTML

Package(s):gaim CVE #(s):CAN-2005-0208
Created:February 25, 2005 Updated:March 14, 2005
Description: Gaim has a DoS issue in parsing malformed HTML, and a MSN related crash.
Alerts:
Conectiva CLA-2005:933 2005-03-14
Red Hat RHSA-2005:215-01 2005-03-10
Mandrake MDKSA-2005:049 2005-03-04
Gentoo 200503-03 2005-03-01
Fedora FEDORA-2005-172 2005-02-25
Fedora FEDORA-2005-171 2005-02-25

Comments (none posted)

gaim: client freezes

Package(s):gaim CVE #(s):CAN-2005-0472 CAN-2005-0473
Created:February 22, 2005 Updated:April 27, 2005
Description: The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information.
Alerts:
Debian DSA-716-1 2005-04-27
Ubuntu USN-85-1 2005-02-25
Fedora FEDORA-2005-160 2005-02-21
Fedora FEDORA-2005-159 2005-02-21

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

gftp: missing input sanitizing

Package(s):gftp CVE #(s):CAN-2005-0372 CAN-2004-1376
Created:February 17, 2005 Updated:July 13, 2005
Description: gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files.
Alerts:
Fedora-Legacy FLSA:152908 2005-07-10
Red Hat RHSA-2005:410-01 2005-06-13
Fedora FEDORA-2005-310 2005-04-07
Fedora FEDORA-2005-309 2005-04-07
Mandrake MDKSA-2005:050 2005-03-04
Gentoo 200502-27 2005-02-19
SuSE SUSE-SR:2005:005 2005-02-18
Debian DSA-686-1 2005-02-17

Comments (none posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

hashcash: format string vulnerability

Package(s):hashcash CVE #(s):
Created:March 7, 2005 Updated:March 9, 2005
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the Hashcash utility that an attacker could expose by specifying a malformed reply address. Successful exploitation would permit an attacker to disrupt Hashcash users, and potentially execute arbitrary code.
Alerts:
Gentoo 200503-12 2005-03-06

Comments (none posted)

HelixPlayer: buffer overflows

Package(s):HelixPlayer CVE #(s):CAN-2005-0455 CAN-2005-0611
Created:March 3, 2005 Updated:March 9, 2005
Description: The Helix Player 1.0 media player has two buffer overflows that can be exploited by playing specially crafted SMIL and WAV files. This can allow a remote attacker to execute code with the user's permissions.
Alerts:
Red Hat RHSA-2005:271-01 2005-03-03
Fedora FEDORA-2005-188 2005-03-03

Comments (none posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

imagemagick: .psd image file decode vulnerability

Package(s):imagemagick CVE #(s):CAN-2005-0005
Created:January 18, 2005 Updated:March 23, 2005
Description: According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:070-01 2005-03-23
Red Hat RHSA-2005:071-01 2005-02-15
Gentoo 200501-37 2005-01-26
Gentoo 200501-26 2005-01-20
Debian DSA-646-1 2005-01-19
Ubuntu USN-62-1 2005-01-18

Comments (1 posted)

imagemagick: format string vulnerability

Package(s):imagemagick CVE #(s):CAN-2005-0397
Created:March 3, 2005 Updated:April 4, 2005
Description: The ImageMagick file name handling code has a format string vulnerability. Specially crafted file names can be used to crash ImageMagick and possibly execute arbitrary code.
Alerts:
Mandrake MDKSA-2005:065 2005-04-01
Debian DSA-702-1 2005-04-01
Fedora FEDORA-2005-235 2005-03-30
Fedora FEDORA-2005-234 2005-03-30
SuSE SUSE-SA:2005:017 2005-03-23
Red Hat RHSA-2005:320-01 2005-03-23
Gentoo 200503-11 2005-03-06
Ubuntu USN-90-1 2005-03-03

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

kdelibs: unsanitzied input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kdenetwork: file descriptor leak

Package(s):kdenetwork CVE #(s):CAN-2005-0205
Created:March 3, 2005 Updated:March 16, 2005
Description: The kdenetwork networking applications package has a bug with the handling of privileged file descriptors in kppp. A local user can use this to modify the /etc/hosts and /etc/resolv.conf files, allowing them to spoof domain information.
Alerts:
Conectiva CLA-2005:934 2005-03-16
Debian DSA-692-1 2005-03-08
Red Hat RHSA-2005:175-01 2005-03-03

Comments (none posted)

less: heap based buffer overflow

Package(s):less CVE #(s):CAN-2005-0086
Created:March 8, 2005 Updated:March 9, 2005
Description: Victor Ashik discovered a heap based buffer overflow in less, caused by a patch added to the less package in Red Hat Linux 9. An attacker could construct a carefully crafted file that could cause less to crash or possibly execute arbitrary code when opened.
Alerts:
Fedora-Legacy FLSA:2404 2005-03-07

Comments (none posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libexif: improper validation

Package(s):libexif CVE #(s):CAN-2005-0664
Created:March 7, 2005 Updated:April 15, 2005
Description: Sylvain Defresne discovered that the EXIF library did not properly validate the structure of the EXIF tags. By tricking a user to load an image with a malicious EXIF tag, an attacker could exploit this to crash the process using the library, or even execute arbitrary code with the privileges of the process.
Alerts:
Debian DSA-709-1 2005-04-15
Mandrake MDKSA-2005:064 2005-03-31
Red Hat RHSA-2005:300-01 2005-03-21
Gentoo 200503-17 2005-03-12
Fedora FEDORA-2005-200 2005-03-08
Fedora FEDORA-2005-199 2005-03-08
Ubuntu USN-91-1 2005-03-07

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CAN-2004-1308
Created:December 22, 2004 Updated:May 19, 2005
Description: The libtiff image manipulation library contains several exploitable buffer overflows.
Alerts:
Fedora-Legacy FLSA:152815 2005-05-18
Red Hat RHSA-2005:035-01 2005-02-15
Conectiva CLA-2005:920 2005-01-20
Red Hat RHSA-2005:019-01 2005-01-13
SuSE SUSE-SA:2005:001 2005-01-10
Fedora FEDORA-2005-598 2005-01-07
Fedora FEDORA-2005-597 2005-01-07
Ubuntu USN-54-1 2005-01-06
Mandrake MDKSA-2005:002 2005-01-06
Mandrake MDKSA-2005:001 2005-01-06
Gentoo 200501-06 2005-01-05
Debian DSA-626-1 2005-01-06
Debian DSA-617-1 2004-12-24
Fedora FEDORA-2004-577 2004-12-22
Fedora FEDORA-2004-576 2004-12-22
Ubuntu USN-46-1 2004-12-22

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 2006-03-07
Fedora-Legacy FLSA:152803 2006-01-09
Fedora FEDORA-2005-815 2005-08-26
Fedora FEDORA-2005-808 2005-08-25
Red Hat RHSA-2005:198-01 2005-06-08
Red Hat RHSA-2005:473-01 2005-05-24
Red Hat RHSA-2005:412-01 2005-05-11
Debian DSA-723-1 2005-05-09
Mandriva MDKSA-2005:081 2005-05-05
Mandriva MDKSA-2005:080 2005-04-28
Red Hat RHSA-2005:044-01 2005-04-06
Red Hat RHSA-2005:331-01 2005-03-30
Fedora FEDORA-2005-273 2005-03-29
Fedora FEDORA-2005-272 2005-03-29
Ubuntu USN-97-1 2005-03-16
Gentoo 200503-15 2005-03-12
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-08 2005-03-04

Comments (none posted)

linux-source-2.6.8.1: multiple vulnerabilities

Package(s):linux-source-2.6.8.1 CVE #(s):CAN-2005-0176 CAN-2005-0177 CAN-2005-0178
Created:February 15, 2005