RHEL, kernel vulnerabilities, and days of risk
Security Innovation has joined the elite group of Microsoft-funded
researchers who somehow manage to reach pro-Microsoft conclusions. This
company's latest output is
a report
on the relative security of Linux and Windows web servers [PDF] which
states that Windows is more secure, in this role, than Red Hat Enterprise
Linux. The group did its work
by looking at all of the vulnerabilities fixed by each vendor in 2004 (as
designated by CVE numbers), and determining how much time passed between
the initial disclosure of the problem and the resulting fix. Windows
showed fewer vulnerabilities, and significantly fewer "days of risk" when
disclosed problems lacked a patch.
Those who want to poke holes in this study should be able to find ample
opportunity. Microsoft vulnerabilities are less likely to be disclosed
prior to patching, to the point that the median "days of risk" for Windows
was zero. The report cautions against writing off "low risk"
vulnerabilities, but, somehow, Microsoft simply does not have any
"low risk" problems. Either that, or Microsoft doesn't bother to fix them,
resulting in many undisclosed "days of risk." Red Hat will also have
gotten burned by this libpng
vulnerability, which, by mistake, remained unfixed for two years.
That's a lot of days of risk, even though no known exploits of this
vulnerability took place.
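To make the report's arithmetic concrete, here is an added example (not part of the original article, and not the report's own data or method) that computes days of risk, the median and the over-90-day count from a constructed set of records. The identifiers, severities and dates are invented to mirror the pattern described above: a handful of long-lived, low-severity leaks dominate the total while the median stays at zero.

```python
from datetime import date
from statistics import median

# Constructed sample records: (identifier, severity, date the problem was
# disclosed, date the vendor update shipped). Illustrative values only,
# not the vulnerabilities the report counted.
SAMPLE_RECORDS = [
    ("VULN-A", "high",   date(2004, 1, 5),  date(2004, 1, 5)),
    ("VULN-B", "low",    date(2004, 2, 10), date(2004, 2, 10)),
    ("VULN-C", "medium", date(2004, 3, 1),  date(2004, 3, 1)),
    ("VULN-D", "high",   date(2004, 4, 12), date(2004, 4, 12)),
    ("VULN-E", "low",    date(2003, 6, 1),  date(2004, 4, 1)),   # a 305-day info leak
    ("VULN-F", "high",   date(2003, 12, 1), date(2004, 4, 15)),  # a 136-day local DoS
    ("VULN-G", "low",    date(2002, 5, 1),  date(2004, 5, 7)),   # a 737-day info leak
]


def days_of_risk(disclosed, fixed):
    """Days between public disclosure and the vendor fix. A problem that is
    disclosed only when its patch ships scores zero, which is what drives
    a median of zero when most fixes are coordinated."""
    if fixed < disclosed:
        raise ValueError("fix date precedes disclosure date")
    return (fixed - disclosed).days


def fixed_in_year(records, year):
    """The report counted vulnerabilities by the year the fix shipped."""
    return [r for r in records if r[3].year == year]


def summarize(records, threshold=90):
    """Reproduce the report's headline numbers for a list of records:
    total and median days of risk, and which entries exceeded the
    threshold, split out by severity."""
    per_vuln = {ident: days_of_risk(disc, fixed)
                for ident, _, disc, fixed in records}
    severity = {ident: sev for ident, sev, _, _ in records}
    over = [ident for ident in per_vuln if per_vuln[ident] > threshold]
    total = sum(per_vuln.values())
    return {
        "count": len(records),
        "total_days": total,
        "median_days": median(per_vuln.values()),
        "over_threshold": over,
        "high_over_threshold": [i for i in over if severity[i] == "high"],
        # how much of the total the long-lived entries account for
        "share_over_threshold": sum(per_vuln[i] for i in over) / total if total else 0.0,
    }


if __name__ == "__main__":
    print(summarize(fixed_in_year(SAMPLE_RECORDS, 2004)))
```

With these numbers three entries carry the entire total, only one of them is high severity, and the median is zero: the same shape the article sees in the Red Hat data, where the bulk of the "days of risk" came from leaks few people would lose sleep over.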
Let's focus on one specific claim, however:
There were thirty one [RHEL] vulnerabilities fixed in 2004 that had
more than 90 days of risk, and of these, seven were designated by
ICAT as high severity... Eleven of these vulnerabilities were in
the operating system kernel.
The report does not list the actual vulnerabilities it looked at, so we'll
have to try to reproduce that work ourselves. Here are the kernel
vulnerabilities fixed by Red Hat in 2004:
The attentive reader may have noticed that this is a rather long list of
vulnerabilities. Summed up, it amounts to a total of 2943 days of risk - a
substantial portion of the 12,415 days of risk cited in the report.
One immediate conclusion is that, in many cases, we are talking about "days
of very low risk." The strncpy() information leak was worth
fixing, but few people were likely to be overly worried during the 305 days
it took for Red Hat to issue updates with that fix. The same is true of
the TTY character count leak (737 days of risk). Both ia-64 users could
probably live with the floating point leak on that platform (209 days of
risk). In other words, many of the vulnerabilities which had a big
contribution to the total number of days of risk were of little concern.
On the other hand, Red Hat was slow in fixing some important
problems. The kmod denial of service and ELF vulnerabilities took months
to fix - and they were clearly (locally) exploitable problems. Red Hat is,
at times, leaving its paying customers with known security problems for
longer than it should.
Interestingly, many of these problems were fixed more quickly in other
distributions - including Fedora Core. Red Hat's stability
goals for its Enterprise Linux line could be an issue here. The need for
more stress and regression testing of kernel updates, combined with a clear
wish to minimize the number of disruptive kernel updates (many updates
fixed several vulnerabilities), is causing those updates to be delayed.
Thus, one might draw the ironic conclusion that, if you want the fastest
security updates, you're better off not paying for them.
There are some more predictable conclusions as well. One is that reports
like the one from Security Innovation still do not mean a whole lot. There
are too many variables; it is hard to get a handle on which system is truly
more secure, and it is too easy to tilt the data in one direction or the
other. Of course, one could look at the number and cost of actual
security incidents, but these Microsoft-funded surveys tend not to do
that. The final, predictable conclusion is this: regardless of how Linux
performs relative to other systems, we are not doing nearly well enough.
As long as we are producing such long lists of bugs (for a single system
component), our claims to security will only hold so much water.
Comments (24 posted)
A look at Ubuntu "Hoary Hedgehog" and Kubuntu
The Ubuntu team is closing in on its second release. The Ubuntu project
announced the preview release
for 5.04, better known as "Hoary Hedgehog," on March 10; the final release
is scheduled for early April.
The first Kubuntu distribution
release was also announced recently, and is also scheduled for early
April. Kubuntu uses Ubuntu as a base, but with the KDE desktop and related
packages rather than GNOME. We decided to take a look at both releases, to
see how far Ubuntu has come since its inception, and to see what users
could expect in the forthcoming release.
For those not familiar with the project, the Ubuntu distribution is based
on Debian, but with a six month release schedule, much like GNOME and OpenBSD. Releases are supported, meaning
critical bug fixes and security updates, for 18 months. Ubuntu has a bit
narrower scope than Debian, however. Ubuntu supports only three
architectures, Intel/x86, AMD64 and PowerPC, and has a more limited set of
packages (the "main" and "restricted" repositories) to provide updates
for. A larger set of packages are available through the "universe" and
"multiverse" repositories.
The release numbers may seem like version inflation, but actually reflect
the year and month of the release, hence 5.04 for Hoary Hedgehog and 4.10
for Warty Warthog -- the first Ubuntu release, from October 2004.
We installed the Ubuntu preview release on a Pentium 4 laptop with 1 GB of
RAM. The installation was completely painless, requiring minimal user input
and a bit of patience while packages were downloaded from the Ubuntu
archive. Ubuntu had no problem detecting all of the laptop's hardware. No
manual configuration or tweaking was necessary for X.org or anything
else. Mileage may differ on other hardware, of course.
To install Kubuntu, we simply followed the instructions on the Kubuntu
documentation page. After running "sudo apt-get install
kubuntu-desktop" and choosing between KDM and GDM, we had Kubuntu,
the KDE 3.4.0 desktop and a number of KDE applications, installed.
Whereas Debian installs a fairly minimal system and then allows the user to
choose packages, Ubuntu and Kubuntu start off with a set of default
applications for typical desktop use, allowing less experienced users to
get started right away without having to decide which application they wish
to use for e-mail, spreadsheets, word processing or web browsing. For
example, Ubuntu installs GNOME 2.10, Evolution, OpenOffice.org, Totem,
Firefox, Synaptic, Gaim, the Gimp, and so forth. Kubuntu installs KDE 3.4,
Konqueror, Kontact, Kopete, Kynaptic, Akregator and other apps for KDE that
most users would (probably) want.
Overall, we like the choice of packages that are installed with Ubuntu and
Kubuntu by default. Developers and power-users will have to grab additional
packages, but for typical desktop use, Ubuntu is ready "out of the box."
Users that prefer other applications should be able to find them in
Ubuntu's universe repository. For example, this writer still prefers XMMS
to Rhythmbox. Though Rhythmbox is the default music player installed with
Ubuntu, XMMS is easily added using Synaptic or apt-get.
By default, Ubuntu does not set up a password for the root user. Instead,
the first normal user set up at install time can use "sudo" to perform
tasks, like installing software or configuring a network card, usually done
by root. This was a bit off-putting at first for this writer, but after a
few days of working with Hoary, it's become second-nature. (In the past,
this writer has simply gotten around using sudo on Ubuntu by running "sudo
su" and setting a root password and using root normally from there on.)
Though GNOME and KDE are the defaults for Ubuntu and Kubuntu, respectively,
KDE and GNOME are not the only desktops available to Ubuntu/Kubuntu
users. There are also packages for XFce, Enlightenment, Blackbox, fvwm and
several other window managers in the Ubuntu Universe repository. This
writer prefers the XFce desktop environment, and has been happily using
XFce with Ubuntu for some time.
Even though this is only a preview release, it seems exceptionally
solid. Though the preview releases contain a lot of "cutting edge"
software, we didn't find any major application bugs or problems of any
kind. We've also been grabbing updates on a regular basis since installing
Ubuntu Hoary, and it's obvious the Ubuntu team is keeping busy.
The only glitches we ran into were, more or less, self-induced. We tried
upgrading from the default 2.6.10 kernel that was installed to the 2.6.11
package that's available. For some reason, our system locked up each time
we tried to log into GNOME or KDE after installing the 2.6.11 kernel. After
going back to 2.6.10, everything ran smooth as silk. There are also 2.4.x
series kernels in the Ubuntu Universe repository for users who require the
2.4.x series for some reason, though we didn't test any of those kernels.
The Hoary release can be found at http://releases.ubuntu.com/hoary/.
Live CDs and install CDs are available for Intel/x86, PowerPC and
AMD64. Users who prefer to go the KDE route can download installation media
or live CDs from http://cdimage.ubuntu.com/kubuntu/releases/hoary/preview/.
The next Ubuntu release is scheduled for October, and has been dubbed "Breezy
Badger."
Users looking for a cutting-edge Linux distribution that "just works"
should try out Ubuntu. The distribution is put together very well, offers
an excellent selection of packages and a very active and helpful user
community.
Comments (15 posted)
GreaseMonkey: a two-edged sword
The Mozilla Firefox extension mechanism is a powerful feature; it gives
browser users a great deal of flexibility in controlling how things work.
One of the extensions attracting the most attention in the last few months
is
GreaseMonkey. It is, in
fact, a classic example of why free software is a great thing, but also an
illustration of how users can be invited to harm themselves.
The core idea behind GreaseMonkey is simple: it allows the user to
associate JavaScript programs with specific sites on the net. When one of
the identified pages (as determined by a regular expression) is loaded, the
script gets a chance to rewrite things before the page is displayed.
GreaseMonkey is, in other words, a mechanism which enables readers to
automatically rework web pages into the form they would have liked them to
be in the first place.
The GreaseMonkey
script repository shows that there is a demand for this capability.
Scripts have been posted which:
- Remove articles or comments posted by specific users. Perhaps
this would be a quick way to implement the comment filtering features
occasionally requested for LWN.net.
- Rewrite web pages to get rid of intrusive navigation bars,
interstitial ad pages, etc. For those who want more ads, there is a
script which inserts Google ads into the handful of pages on the net
which do not yet have them.
- Redirect SourceForge download links to skip the mirror selection page
and simply get the requested files.
- Delete Michael Jackson stories from certain news sites
("Best. Userscript. Ever.").
- Rewrite Paul Graham's articles for better readability.
- Create cross links between Netflix and IMDB.
And so on; the list appeared to be growing as this article was being
written.
The operators of various web sites will, beyond doubt, get upset if
GreaseMonkey use takes off. To anybody who wishes to have a high degree of
control over the appearance and use of their site, GreaseMonkey will be a
threat. But GreaseMonkey is a clear expression of software freedom: we
will control how things work on our own computers. Our tools are
written to maximize that control, and there is little that can be done
about it.
GreaseMonkey does, however, potentially threaten that control in a
different way. A tool which encourages users to download and run scripts
from random parts of the net would appear to be an open door for security
problems. If the browser's sandboxing works properly, a script should not
be able to affect the system outside of the browser. But even the mere
ability to rewrite HTML is asking for some trouble: how long will it be
until some phisher posts a script that, while perhaps doing something
useful, also redirects links within financial sites? It is not entirely
clear how that sort of problem can be addressed - the same capability which
can redirect all New York Times links to the "printable" version can point
a password submission form to a third-party site.
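As an added illustration (not code from the article or from GreaseMonkey itself), the following Python shows the two pieces a defender would want to understand: how a script's URL patterns select the pages it runs on, and a check over the rewritten page that flags any form whose submit target is a different origin than the page, which is the tell-tale of the redirected password form described above. The pattern matching assumes the classic Greasemonkey convention that `*` matches any run of characters in an anchored pattern; the page HTML and host names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def include_pattern_to_regex(pattern):
    """Turn a Greasemonkey-style @include pattern, where '*' matches any
    run of characters, into an anchored regular expression (assumed
    convention; the article only says "a regular expression")."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def script_applies(url, include_patterns):
    """Would a script with these @include patterns run on this URL?"""
    return any(include_pattern_to_regex(p).match(url) for p in include_patterns)


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # a missing or empty action submits to the page itself
            self.actions.append(dict(attrs).get("action") or "")


def origin(url):
    """(scheme, host, effective port) so that default ports compare equal."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def foreign_form_targets(page_url, html):
    """Return the resolved submit targets of forms that would send data
    to an origin other than the page's own: a quick post-rewrite check
    for the "password form pointed at a third-party site" case."""
    collector = FormCollector()
    collector.feed(html)
    page_origin = origin(page_url)
    targets = [urljoin(page_url, action) for action in collector.actions]
    return [t for t in targets if origin(t) != page_origin]


# Constructed sample: a login page after a hostile script has rewritten
# the third form's action. Hosts are placeholders.
REWRITTEN_PAGE = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form method="post"><textarea name="comment"></textarea></form>
<form action="https://collector.example/harvest" method="post">
  <input name="user"><input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(script_applies("http://www.nytimes.com/2005/03/23/story.html",
                         ["http://*.nytimes.com/*"]))
    print(foreign_form_targets("https://bank.example/login", REWRITTEN_PAGE))
```

Relative actions resolve to the page's own origin and are not flagged; only the form that now posts to collector.example shows up. The check is deliberately simple (it looks at the resulting document, not at the script), which is the view a user gets when auditing what a script actually did to a page.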
In other words, while GreaseMonkey is a cool and powerful tool, it should
be used with great care. Install a minimum number of scripts, look them
over first, and, preferably, write them yourself. As the GreaseMonkey
community grows, there will certainly be exploit attempts. Firefox is a
relatively secure web browser; it would be a shame to ruin that by inviting
in random malware from the net.
Comments (7 posted)
Page editor: Jonathan Corbet
Security
Attack of the killer CD
This story starts to get a little tiresome: a security researcher has found
yet another set of vulnerabilities in the
Linux kernel. The researcher this time is Michal Zalewski, who, in the
past, has had great luck finding problems by feeding random data to code.
It didn't take him too long to find a few ways to crash the kernel with
corrupted CD images.
The impact of this bug is that anybody who can cause a CD to be mounted can
crash the system, and, potentially, obtain root access. Mounting a disk is
normally a privileged operation, but many systems are set up to
automatically mount a CD (and, perhaps, fire off a file manager window) on
insertion. Others are set up to allow unprivileged users to mount a CD on
demand. So corrupt CDs are, indeed, a mechanism which could be used to
compromise a system.
Of course, it is true that anybody who gets into a position where they can
insert a CD into the system may well find a way to compromise it anyway.
It is hard to defend against an attacker with physical access. Even so,
there is no point in making any sort of attack easier.
The bugs in this case are ancient; much of the ISO9660 code dates back to
the early 1990's, and it hasn't seen a great deal of maintenance since. In
some places, values obtained from the filesystem are not properly checked,
leading to inappropriate memory accesses. In one other, the check was in
place, but the code responds to a corrupt disk by calling panic(),
thus creating a nice denial of service situation. There are guaranteed to be
other problems which have not yet been found; as Linus put it, "The code is a mess."
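To show what "properly checked" means for code of this kind, here is an added Python example (not the kernel's ISO9660 code) that parses directory records from a constructed sector. The field offsets are those of the ECMA-119 directory record layout; every length that comes off the disk is bounds-checked against the buffer before it is used as an index, and a corrupt record is reported to the caller as an error rather than through a panic(). Treating a mismatch between the two byte-order copies of a field as corruption is this example's choice, stricter than a driver has to be.

```python
import struct

# Offsets inside an ISO 9660 directory record (ECMA-119, section 9.1):
# 0 record length, 2-9 extent location (little- then big-endian),
# 10-17 data length (same pairing), 32 file identifier length,
# 33.. file identifier.
RECORD_HEADER_LEN = 33


class CorruptImage(ValueError):
    """Raised for a bad record; the caller can refuse the mount or skip
    the entry instead of taking the whole system down."""


def both_endian_u32(rec, offset):
    """Read a both-byte-order 32-bit field; the two copies must agree."""
    little = struct.unpack_from("<I", rec, offset)[0]
    big = struct.unpack_from(">I", rec, offset + 4)[0]
    if little != big:
        raise CorruptImage(f"both-endian field at {offset} disagrees: {little} != {big}")
    return little


def parse_dir_record(buf, offset):
    """Parse one record at buf[offset:]. Returns None at the zero-length
    terminator. No disk-supplied length is trusted until it has been
    checked against the bytes actually available."""
    if not 0 <= offset < len(buf):
        raise CorruptImage("record offset outside the buffer")
    rec_len = buf[offset]
    if rec_len == 0:
        return None
    if rec_len < RECORD_HEADER_LEN:
        raise CorruptImage(f"record length {rec_len} shorter than the fixed header")
    if offset + rec_len > len(buf):
        raise CorruptImage("record length runs past the end of the buffer")
    rec = buf[offset:offset + rec_len]
    name_len = rec[32]
    if RECORD_HEADER_LEN + name_len > rec_len:
        raise CorruptImage(f"name length {name_len} does not fit in a {rec_len}-byte record")
    return {
        "record_length": rec_len,
        "extent": both_endian_u32(rec, 2),
        "size": both_endian_u32(rec, 10),
        "name": bytes(rec[33:33 + name_len]),
    }


def parse_directory(buf):
    """Walk the records of one directory sector up to the terminator."""
    entries, offset = [], 0
    while offset < len(buf):
        entry = parse_dir_record(buf, offset)
        if entry is None:
            break
        entries.append(entry)
        offset += entry["record_length"]
    return entries


def check_sector(buf):
    """Mount-time style check: (True, entries) or (False, reason)."""
    try:
        return True, parse_directory(buf)
    except CorruptImage as exc:
        return False, str(exc)


def make_record(name, extent, size, rec_len=None):
    """Build a directory record for the constructed sample image."""
    rec = bytearray(RECORD_HEADER_LEN)
    struct.pack_into("<I", rec, 2, extent)
    struct.pack_into(">I", rec, 6, extent)
    struct.pack_into("<I", rec, 10, size)
    struct.pack_into(">I", rec, 14, size)
    rec[32] = len(name)
    rec += name
    if len(rec) % 2:
        rec += b"\x00"          # records are padded to an even length
    rec[0] = len(rec) if rec_len is None else rec_len
    return bytes(rec)


# Constructed sample: two sane records followed by the zero terminator.
GOOD_SECTOR = (make_record(b"README.TXT;1", 20, 1234)
               + make_record(b"DATA.BIN;1", 21, 65536)
               + bytes(10))
# Corrupt variants: a name length larger than its record, and a record
# length pointing past the end of the buffer.
BAD_NAME_LEN = bytearray(make_record(b"README.TXT;1", 20, 1234))
BAD_NAME_LEN[32] = 200
BAD_REC_LEN = make_record(b"README.TXT;1", 20, 1234, rec_len=250)

if __name__ == "__main__":
    print(check_sector(GOOD_SECTOR))
    print(check_sector(bytes(BAD_NAME_LEN)))
    print(check_sector(BAD_REC_LEN))
```

The same discipline applies to any length field read from removable media: compare it with the size of the buffer you actually hold, not with what the on-disk structure claims, and fail the operation rather than the machine.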
Other filesystems may have similar problems. An on-disk filesystem is a
complicated data structure, and it can be very hard to defend against any
sort of corruption. Users are plugging in filesystems more frequently;
many consumer gadgets, such as cameras and music players, just look like
another disk to the computer. So the opportunities for filesystem-based
attacks are growing. Expect more patches as more ten-year-old bugs are
found and fixed.
Comments (6 posted)
New vulnerabilities
dyndnsupdate: multiple vulnerabilities
| Package(s): | dyndnsupdate |
| CVE #(s): | |
| Created: | March 21, 2005 |
| Updated: | March 22, 2005 |
| Description: | Toby Dickenson discovered that Xzabite's dyndnsupdate suffers from multiple overflows. A remote attacker, posing as a dyndns.org server, could execute arbitrary code with the rights of the user running dyndnsupdate. |
| Alerts: | |
Comments (none posted)
evolution: message crash vulnerability
| Package(s): | evolution |
| CVE #(s): | CAN-2005-0806 |
| Created: | March 17, 2005 |
| Updated: | August 11, 2005 |
| Description: | The Evolution mail client can be crashed when reading certain types of messages. |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CAN-2005-0399, CAN-2005-0401, CAN-2005-0402 |
| Created: | March 23, 2005 |
| Updated: | March 25, 2005 |
| Description: | The firefox browser (prior to version 1.0.2) contains three vulnerabilities: a GIF processing buffer overflow, a (difficult) way to trick users into running hostile XUL content, and a way to get a user to run an arbitrary program by way of the sidebar panel. |
| Alerts: | |
Comments (none posted)
kdelibs: dcopserver vulnerability
| Package(s): | kdelibs |
| CVE #(s): | CAN-2005-0396, CAN-2005-0237, CAN-2005-0365 |
| Created: | March 17, 2005 |
| Updated: | May 17, 2005 |
| Description: | The KDE Desktop Communication Protocol daemon (dcopserver) is vulnerable to lockup by a local user, leading to a denial of service. |
| Alerts: | |
Comments (none posted)
LTris: buffer overflow
| Package(s): | ltris |
| CVE #(s): | |
| Created: | March 21, 2005 |
| Updated: | March 22, 2005 |
| Description: | LTris is vulnerable to a buffer overflow when reading the global highscores file. By modifying the global highscores file, a malicious user could trick another user into executing arbitrary code. |
| Alerts: | |
Comments (none posted)
rxvt-unicode: buffer overflow
| Package(s): | rxvt-unicode |
| CVE #(s): | CAN-2005-0764 |
| Created: | March 21, 2005 |
| Updated: | March 22, 2005 |
| Description: | Rob Holland of the Gentoo Linux Security Audit Team discovered that rxvt-unicode fails to properly check input length. Successful exploitation would allow an attacker to execute arbitrary code with the permissions of the user running rxvt-unicode. |
| Alerts: | |
Comments (none posted)
xloadimage: missing input sanitizing, integer overflow
| Package(s): | xloadimage |
| CVE #(s): | CAN-2005-0638, CAN-2005-0639 |
| Created: | March 21, 2005 |
| Updated: | May 4, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team has reported a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped (CAN-2005-0638). Insufficient validation of image properties has also been discovered, which could potentially result in buffer management errors (CAN-2005-0639). |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
cpio: file permissions error
| Package(s): | cpio |
| CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 |
| Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: | |
Comments (none posted)
cURL: buffer overflow
| Package(s): | curl |
| CVE #(s): | CAN-2005-0490 |
| Created: | February 28, 2005 |
| Updated: | July 19, 2005 |
| Description: | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
| CVE #(s): | CAN-2004-0884 |
| Created: | October 7, 2004 |
| Updated: | March 16, 2005 |
| Description: | cyrus-sasl has a vulnerability involving a buffer overflow in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable. |
| Alerts: | |
Comments (none posted)
dhcp: format string vulnerability
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-1006 |
| Created: | November 4, 2004 |
| Updated: | July 13, 2005 |
| Description: | dhcp 2.x has a format string vulnerability in its log functions that may be exploited via a malicious DNS server. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security-relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames, a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
Ethereal: Multiple vulnerabilities
| Package(s): | ethereal |
| CVE #(s): | CAN-2005-0699, CAN-2005-0704, CAN-2005-0705 |
| Created: | March 14, 2005 |
| Updated: | March 28, 2005 |
| Description: | There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.10, including: the Etheric and 3GPP2 A11 dissectors are vulnerable to buffer overflows (CAN-2005-0704 and CAN-2005-0699), the GPRS-LLC dissector could crash when the "ignore cipher bit" option is enabled (CAN-2005-0705), and there are various vulnerabilities in the IAPP, JXTA, and sFlow dissectors. |
| Alerts: | |
Comments (none posted)
evolution: arbitrary code execution
| Package(s): | evolution |
| CVE #(s): | CAN-2005-0102 |
| Created: | January 24, 2005 |
| Updated: | May 19, 2005 |
| Description: | Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root). |
| Alerts: | |
Comments (1 posted)
f2c: insecure temp files
| Package(s): | f2c |
| CVE #(s): | CAN-2005-0017, CAN-2005-0018 |
| Created: | January 27, 2005 |
| Updated: | April 20, 2005 |
| Description: | The f2c Fortran-to-C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
gaim: client freezes
| Package(s): | gaim |
| CVE #(s): | CAN-2005-0472, CAN-2005-0473 |
| Created: | February 22, 2005 |
| Updated: | April 27, 2005 |
| Description: | The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
gftp: missing input sanitizing
| Package(s): | gftp |
| CVE #(s): | CAN-2005-0372, CAN-2004-1376 |
| Created: | February 17, 2005 |
| Updated: | July 13, 2005 |
| Description: | gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files. |
| Alerts: | |
Comments (none posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. |
| Alerts: | |
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
Comments (none posted)
gnupg: information leak
| Package(s): | gnupg |
| CVE #(s): | CAN-2005-0366 |
| Created: | March 16, 2005 |
| Updated: | August 19, 2005 |
| Description: | GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." |
| Alerts: | |
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | September 16, 2005 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
| Alerts: | |
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
imagemagick: .psd image file decode vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0005 |
| Created: | January 18, 2005 |
| Updated: | March 23, 2005 |
| Description: | According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code. |
| Alerts: | |
Comments (1 posted)
imagemagick: format string vulnerability
| Package(s): | imagemagick |
| CVE #(s): | CAN-2005-0397 |
| Created: | March 3, 2005 |
| Updated: | April 4, 2005 |
| Description: | The ImageMagick file name handling code has a format string vulnerability. Specially crafted file names can be used to crash ImageMagick and possibly execute arbitrary code. |
| Alerts: | |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
Comments (none posted)
IPsec-Tools: denial of service
| Package(s): | ipsec-tools setkey racoon |
| CVE #(s): | CAN-2005-0398 |
| Created: | March 14, 2005 |
| Updated: | April 5, 2005 |
| Description: | The IPsec-Tools package is used to build other programs such as setkey and racoon. There is a potential denial of service vulnerability when parsing ISAKMP headers in racoon. |
| Alerts: | |
Comments (none posted)
kdelibs: unsanitized input
| Package(s): | kdelibs |
| CVE #(s): | CAN-2004-1165 |
| Created: | January 10, 2005 |
| Updated: | July 19, 2005 |
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, that allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL containing a URL-encoded newline before the FTP command. |
| Alerts: | |
Comments (none posted)
kdenetwork: file descriptor leak
| Package(s): | kdenetwork |
| CVE #(s): | CAN-2005-0205 |
| Created: | March 3, 2005 |
| Updated: | March 16, 2005 |
| Description: | The kdenetwork networking applications package has a bug with the handling of privileged file descriptors in kppp. A local user can use this to modify the /etc/hosts and /etc/resolv.conf files, allowing them to spoof domain information. |
| Alerts: | |
Comments (none posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
| CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 |
| Updated: | March 2, 2006 |
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the user running the affected parts of the library. |
| Alerts: | |
Comments (none posted)
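The f2c, gettext, ghostscript, glibc catchsegv, groff and libdbi-perl entries above are all the same bug: a temporary file or directory created at a predictable name in a shared directory, opened in a way that follows whatever an attacker has already put there. As an added example (not code from any of those packages), the following Python reproduces the unsafe pattern and its fix in a throwaway directory, with the pre-planted symlink constructed by the example itself. It assumes a POSIX system where unprivileged users can create symlinks; the directory layout, PID and file contents are invented.

```python
import os
import shutil
import tempfile


def predictable_tempfile_write(tmpdir, pid, data):
    """The pattern behind the advisories: a name built from the PID and
    a plain open(), which happily follows a symlink someone planted."""
    path = os.path.join(tmpdir, f"app.{pid}")
    with open(path, "w") as f:          # truncates and writes the link target
        f.write(data)
    return path


def exclusive_create(path):
    """Create path only if nothing (regular file or symlink) exists there.
    O_EXCL makes a pre-existing entry fail with EEXIST; O_NOFOLLOW refuses
    to traverse a symlink at the final component where the OS offers it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def safe_tempfile_write(tmpdir, data):
    """mkstemp: unpredictable name, O_EXCL creation, mode 0600, and the
    file descriptor is used directly so there is no window to race."""
    fd, path = tempfile.mkstemp(prefix="app.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Run both patterns against a planted link and report what happened."""
    sandbox = tempfile.mkdtemp()
    try:
        victim = os.path.join(sandbox, "victim.txt")     # stands in for a config file
        with open(victim, "w") as f:
            f.write("original")
        tmpdir = os.path.join(sandbox, "tmp")            # stands in for /tmp
        os.mkdir(tmpdir)
        pid = 4242                                       # constructed, not a real PID
        planted = os.path.join(tmpdir, f"app.{pid}")
        os.symlink(victim, planted)                      # the link at the guessable name

        predictable_tempfile_write(tmpdir, pid, "scratch")
        with open(victim) as f:
            after_unsafe = f.read()

        with open(victim, "w") as f:                     # restore for the second run
            f.write("original")
        try:
            os.close(exclusive_create(planted))
            refused = False
        except FileExistsError:
            refused = True

        safe_path = safe_tempfile_write(tmpdir, "scratch")
        with open(victim) as f:
            after_safe = f.read()
        return {
            "victim_after_unsafe": after_unsafe,
            "exclusive_open_refused": refused,
            "victim_after_safe": after_safe,
            "safe_name_is_predictable": safe_path == planted,
            "safe_mode": os.stat(safe_path).st_mode & 0o777,
        }
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unsafe write lands in the victim file; the exclusive open refuses the planted link outright, and mkstemp never touches it because its name is not guessable. When the program runs as root, the difference is an arbitrary-file overwrite, which is why these entries keep coming back.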
libexif: improper validation
| Package(s): | libexif |
| CVE #(s): | CAN-2005-0664 |
| Created: | March 7, 2005 |
| Updated: | April 15, 2005 |
| Description: | Sylvain Defresne discovered that the EXIF library did not properly validate the structure of the EXIF tags. By tricking a user to load an image with a malicious EXIF tag, an attacker could exploit this to crash the process using the library, or even execute arbitrary code with the privileges of the process. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: | Several buffer overflows have been discovered in libgd's PNG handling functions. If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. |
| Alerts: | |
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CAN-2004-1308 |
| Created: | December 22, 2004 |
| Updated: | May 19, 2005 |
| Description: | The libtiff image manipulation library contains several exploitable buffer overflows. |
| Alerts: | |
Comments (none posted)
libXpm: new buffer overflows
| Package(s): | libXpm |
| CVE #(s): | CAN-2005-0605 |
| Created: | March 4, 2005 |
| Updated: | March 8, 2006 |
| Description: | A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. |
| Alerts: | |
Comments (none posted)
luxman: buffer overflow