
LWN.net Weekly Edition for March 24, 2005

RHEL, kernel vulnerabilities, and days of risk

Security Innovation has joined the elite group of Microsoft-funded researchers who somehow manage to reach pro-Microsoft conclusions. This company's latest output is a report on the relative security of Linux and Windows web servers [PDF] which states that Windows is more secure, in this role, than Red Hat Enterprise Linux. The group did its work by looking at all of the vulnerabilities fixed by each vendor in 2004 (as designated by CVE numbers), and determining how much time passed between the initial disclosure of the problem and the resulting fix. Windows showed fewer vulnerabilities, and significantly fewer "days of risk" when disclosed problems lacked a patch.

Those who want to poke holes in this study should be able to find ample opportunity. Microsoft vulnerabilities are less likely to be disclosed prior to patching, to the point that the median "days of risk" for Windows was zero. The report cautions against writing off "low risk" vulnerabilities, but, somehow, Microsoft simply does not have any "low risk" problems. Either that, or Microsoft doesn't bother to fix them, resulting in many undisclosed "days of risk." Red Hat will also have gotten burned by this libpng vulnerability, which, by mistake, remained unfixed for two years. That's a lot of days of risk, even though no known exploits of this vulnerability took place.

Let's focus on one specific claim, however:

There were thirty one [RHEL] vulnerabilities fixed in 2004 that had more than 90 days of risk, and of these, seven were designated by ICAT as high severity... Eleven of these vulnerabilities were in the operating system kernel.

The report does not list the actual vulnerabilities it looked at, so we'll have to try to reproduce that work ourselves. Here are the kernel vulnerabilities fixed by Red Hat in 2004:

CAN #          Disclosed   Fixed       Days  Description
CVE-2004-0001  2004-1-16   2004-1-16      0  x86-64 ptrace bug
CVE-2004-0077  2004-2-18   2004-2-20      2  mremap() local root exploit
CAN-2004-0109  2004-4-14   2004-4-22      8  ISO9660 buffer overflow
CAN-2004-0424  2004-4-20   2004-4-22      2  ip_setsockopt() local root exploit
CAN-2003-0461  2002-5-2    2004-5-11    737  TTY char count information leak
CAN-2003-0465  2003-7-11   2004-5-11    305  strncpy() potential information leak
CAN-2003-0984  2003-12-4   2004-5-11    159  RTC information leak
CAN-2003-1040  2003-12-4   2004-5-11    159  kmod local denial of service
CAN-2004-0003  2004-1-15   2004-5-11    116  DRI range checking
CAN-2004-0010  2004-2-18   2004-5-11     83  ncpfs buffer overflow
CAN-2004-0427  2004-4-8    2004-6-17     70
CAN-2004-0495  2004-6-17   2004-6-17      0  Potential driver bugs found by sparse
CAN-2004-0554  2004-6-9    2004-6-17      8  Floating point denial of service
CAN-2004-0497  2004-7-2    2004-7-2       0  NFS group permissions
CAN-2004-0178  2004-3-8    2004-8-3     148  SoundBlaster denial of service
CAN-2004-0415  2004-8-3    2004-8-3       0  64-bit information leak
CAN-2004-0447  2004-6-19   2004-8-3      45  ia-64 denial of service
CAN-2004-0535  2004-6-3    2004-8-3      61  e1000 driver information leak
CAN-2004-0587  2004-5-4    2004-8-3      91  qla driver denial of service
CAN-2004-0136  2004-6-14   2004-12-2    171  ELF binary denial of service
CAN-2004-0619  2004-6-23   2004-12-2    162  Broadcom 5820 driver buffer overflow
CAN-2004-0685  2004-8-25   2004-12-2     99  USB driver information leak
CAN-2004-0812  2004-11-8   2004-12-2     24  x86_64 TSS error
CAN-2004-0883  2004-11-17  2004-12-2     15  smbfs remotely exploitable vulnerabilities
CAN-2004-0949  2004-11-17  2004-12-2     15  smbfs packet reassembly
CAN-2004-1068  2004-11-19  2004-12-2     13  Datagram serializing problem
CAN-2004-1070  2004-11-10  2004-12-2     22  ELF loader overflow
CAN-2004-1071  2004-11-10  2004-12-2     22  ELF loader mmap() failure
CAN-2004-1072  2004-11-10  2004-12-2     22  ELF loader interpreter name buffer overflow
CAN-2004-1073  2004-11-10  2004-12-2     22  ELF loader file disclosure
CAN-2004-0565  2004-5-28   2004-12-23   209  ia-64 floating point information leak
CAN-2004-1016  2004-12-14  2004-12-23     9  sendmsg() denial of service
CAN-2004-1017  2004-12-10  2004-12-23    13  Edgeport driver buffer overflow
CAN-2004-1137  2004-12-14  2004-12-23     9  IGMP remote exploit
CAN-2004-1144  2004-12-22  2004-12-23     1  x86_64 32-bit emulation local root exploit
CAN-2004-1234  2004-4-8    2004-12-23   113  ELF denial of service
CAN-2004-1335  2004-12-15  2004-12-23     8  IP options integer overflow

The attentive reader may have noticed that this is a rather long list of vulnerabilities. Summed up, it amounts to a total of 2943 days of risk - a substantial portion of the 12,415 days of risk cited in the report.
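As an added check (example code written for this page, not part of the article or of the report it discusses), the script below re-parses the table above and does the arithmetic itself: summing the printed Days column reproduces the 2943 figure, counting the rows above the report's 90-day cutoff is one function call, and each row's printed figure is compared with the difference of its two dates. Three rows of the table do not agree with their own dates (CAN-2003-0461, CAN-2004-0003 and CAN-2004-1234); the check reports them but cannot say which of the three fields was mis-transcribed. The embedded copy of the table omits the description column.

```python
from datetime import date
from typing import NamedTuple

# Rows copied from the table above (identifier, disclosed, fixed, days as
# printed); the description column is omitted. CAN-2004-0427 is kept with
# its dates even though the table carries no description for it.
KERNEL_FIXES_2004 = """\
CVE-2004-0001 2004-1-16 2004-1-16 0
CVE-2004-0077 2004-2-18 2004-2-20 2
CAN-2004-0109 2004-4-14 2004-4-22 8
CAN-2004-0424 2004-4-20 2004-4-22 2
CAN-2003-0461 2002-5-2 2004-5-11 737
CAN-2003-0465 2003-7-11 2004-5-11 305
CAN-2003-0984 2003-12-4 2004-5-11 159
CAN-2003-1040 2003-12-4 2004-5-11 159
CAN-2004-0003 2004-1-15 2004-5-11 116
CAN-2004-0010 2004-2-18 2004-5-11 83
CAN-2004-0427 2004-4-8 2004-6-17 70
CAN-2004-0495 2004-6-17 2004-6-17 0
CAN-2004-0554 2004-6-9 2004-6-17 8
CAN-2004-0497 2004-7-2 2004-7-2 0
CAN-2004-0178 2004-3-8 2004-8-3 148
CAN-2004-0415 2004-8-3 2004-8-3 0
CAN-2004-0447 2004-6-19 2004-8-3 45
CAN-2004-0535 2004-6-3 2004-8-3 61
CAN-2004-0587 2004-5-4 2004-8-3 91
CAN-2004-0136 2004-6-14 2004-12-2 171
CAN-2004-0619 2004-6-23 2004-12-2 162
CAN-2004-0685 2004-8-25 2004-12-2 99
CAN-2004-0812 2004-11-8 2004-12-2 24
CAN-2004-0883 2004-11-17 2004-12-2 15
CAN-2004-0949 2004-11-17 2004-12-2 15
CAN-2004-1068 2004-11-19 2004-12-2 13
CAN-2004-1070 2004-11-10 2004-12-2 22
CAN-2004-1071 2004-11-10 2004-12-2 22
CAN-2004-1072 2004-11-10 2004-12-2 22
CAN-2004-1073 2004-11-10 2004-12-2 22
CAN-2004-0565 2004-5-28 2004-12-23 209
CAN-2004-1016 2004-12-14 2004-12-23 9
CAN-2004-1017 2004-12-10 2004-12-23 13
CAN-2004-1137 2004-12-14 2004-12-23 9
CAN-2004-1144 2004-12-22 2004-12-23 1
CAN-2004-1234 2004-4-8 2004-12-23 113
CAN-2004-1335 2004-12-15 2004-12-23 8
"""


class Fix(NamedTuple):
    cve: str
    disclosed: date
    fixed: date
    days_printed: int      # the "Days" column as it appears in the table
    days_computed: int     # fixed - disclosed, recomputed here


def parse_loose_date(s: str) -> date:
    """Accept the table's unpadded Y-M-D form (2004-5-2, not 2004-05-02)."""
    y, m, d = (int(part) for part in s.split("-"))
    return date(y, m, d)


def parse_fixes(text: str) -> list[Fix]:
    fixes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cve, disclosed, fixed, days = line.split()
        d, f = parse_loose_date(disclosed), parse_loose_date(fixed)
        fixes.append(Fix(cve, d, f, int(days), (f - d).days))
    return fixes


def total_days_of_risk(fixes: list[Fix]) -> int:
    """The figure the article sums: the Days column as printed."""
    return sum(fx.days_printed for fx in fixes)


def over_threshold(fixes: list[Fix], threshold: int = 90) -> list[str]:
    """Identifiers whose printed days of risk exceed the report's 90-day cutoff."""
    return [fx.cve for fx in fixes if fx.days_printed > threshold]


def mismatches(fixes: list[Fix]) -> dict[str, tuple[int, int]]:
    """Rows where the printed Days value and the date arithmetic disagree.

    A mismatch means one of the three fields (disclosed, fixed, days) was
    mis-transcribed somewhere; this check does not say which one.
    """
    return {fx.cve: (fx.days_printed, fx.days_computed)
            for fx in fixes if fx.days_printed != fx.days_computed}


if __name__ == "__main__":
    fixes = parse_fixes(KERNEL_FIXES_2004)
    print(f"{len(fixes)} kernel fixes, {total_days_of_risk(fixes)} days of risk")
    print(f"{len(over_threshold(fixes))} with more than 90 days of risk")
    for cve, (printed, computed) in mismatches(fixes).items():
        print(f"  {cve}: table says {printed}, dates give {computed}")
```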

One immediate conclusion is that, in many cases, we are talking about "days of very low risk." The strncpy() information leak was worth fixing, but few people were likely to be overly worried during the 305 days it took for Red Hat to issue updates with that fix. The same is true of the TTY character count leak (737 days of risk). Both ia-64 users could probably live with the floating point leak on that platform (209 days of risk). In other words, many of the vulnerabilities which had a big contribution to the total number of days of risk were of little concern.

On the other hand, Red Hat was slow in fixing some important problems. The kmod denial of service and ELF vulnerabilities took months to fix - and they were clearly (locally) exploitable problems. Red Hat is, at times, leaving its paying customers with known security problems for longer than it should.

Interestingly, many of these problems were fixed more quickly in other distributions - including Fedora Core. Red Hat's stability goals for its Enterprise Linux line could be an issue here. The need for more stress and regression testing of kernel updates, combined with a clear wish to minimize the number of disruptive kernel updates (many updates fixed several vulnerabilities), is causing those updates to be delayed. Thus, one might draw the ironic conclusion that, if you want the fastest security updates, you're better off not paying for them.

There are some more predictable conclusions as well. One is that reports like the one from Security Innovation still do not mean a whole lot. There are too many variables; it is hard to get a handle on which system is truly more secure, and it is too easy to tilt the data in one direction or the other. Of course, one could look at the number and cost of actual security incidents, but these Microsoft-funded surveys tend not to do that. The final, predictable conclusion is this: regardless of how Linux performs relative to other systems, we are not doing nearly well enough. As long as we are producing such long lists of bugs (for a single system component), our claims to security will only hold so much water.

Comments (24 posted)

A look at Ubuntu "Hoary Hedgehog" and Kubuntu

March 23, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The Ubuntu team is closing in on its second release. The Ubuntu project announced the preview release for 5.04, better known as "Hoary Hedgehog," on March 10; the final release is scheduled for early April.

[Kubuntu] The first Kubuntu distribution release was also announced recently, and is also scheduled for early April. Kubuntu uses Ubuntu as a base, but with the KDE desktop and related packages rather than GNOME. We decided to take a look at both releases, to see how far Ubuntu has come since its inception, and to see what users could expect in the forthcoming release.

For those not familiar with the project, the Ubuntu distribution is based on Debian, but with a six-month release schedule, much like GNOME and OpenBSD. Releases are supported, meaning critical bug fixes and security updates, for 18 months. Ubuntu has a somewhat narrower scope than Debian, however. Ubuntu supports only three architectures, Intel/x86, AMD64 and PowerPC, and has a more limited set of packages (the "main" and "restricted" repositories) to provide updates for. A larger set of packages is available through the "universe" and "multiverse" repositories.

The release numbers may seem like version inflation, but actually reflect the year and month of the release, hence 5.04 for Hoary Hedgehog and 4.10 for Warty Warthog -- the first Ubuntu release, from October 2004.

We installed the Ubuntu preview release on a Pentium 4 laptop with 1 GB of RAM. The installation was completely painless, requiring minimal user input and a bit of patience while packages were downloaded from the Ubuntu archive. Ubuntu had no problem detecting all of the laptop's hardware. No manual configuration or tweaking was necessary for X.org or anything else. Mileage may differ on other hardware, of course.

To install Kubuntu, we simply followed the instructions on the Kubuntu documentation page. After running "sudo apt-get install kubuntu-desktop" and choosing between KDM and GDM, we had Kubuntu, the KDE 3.4.0 desktop and a number of KDE applications, installed.

[Ubuntu GNOME screenshot] Whereas Debian installs a fairly minimal system and then allows the user to choose packages, Ubuntu and Kubuntu start off with a set of default applications for typical desktop use, allowing less experienced users to get started right away without having to decide which application they wish to use for e-mail, spreadsheets, word processing or web browsing. For example, Ubuntu installs GNOME 2.10, Evolution, OpenOffice.org, Totem, Firefox, Synaptic, Gaim, the Gimp, and so forth. Kubuntu installs KDE 3.4, Konqueror, Kontact, Kopete, Kynaptic, Akregator and other apps for KDE that most users would (probably) want.

Overall, we like the choice of packages that are installed with Ubuntu and Kubuntu by default. Developers and power-users will have to grab additional packages, but for typical desktop use, Ubuntu is ready "out of the box." Users that prefer other applications should be able to find them in Ubuntu's universe repository. For example, this writer still prefers XMMS to Rhythmbox. Though Rhythmbox is the default music player installed with Ubuntu, XMMS is easily added using Synaptic or apt-get.

By default, Ubuntu does not set up a password for the root user. Instead, the first normal user set up at install time can use "sudo" to perform tasks, like installing software or configuring a network card, usually done by root. This was a bit off-putting at first for this writer, but after a few days of working with Hoary, it's become second-nature. (In the past, this writer has simply gotten around using sudo on Ubuntu by running "sudo su" and setting a root password and using root normally from there on.)

[Kubuntu screenshot] Though GNOME and KDE are the defaults for Ubuntu and Kubuntu, respectively, KDE and GNOME are not the only desktops available to Ubuntu/Kubuntu users. There are also packages for XFce, Enlightenment, Blackbox, fvwm and several other window managers in the Ubuntu Universe repository. This writer prefers the XFce desktop environment, and has been happily using XFce with Ubuntu for some time.

Even though this is only a preview release, it seems exceptionally solid. Though the preview releases contain a lot of "cutting edge" software, we didn't find any major application bugs or problems of any kind. We've also been grabbing updates on a regular basis since installing Ubuntu Hoary, and it's obvious the Ubuntu team is keeping busy.

The only glitches we ran into were, more or less, self-induced. We tried upgrading from the default 2.6.10 kernel that was installed to the 2.6.11 package that's available. For some reason, our system locked up each time we tried to log into GNOME or KDE after installing the 2.6.11 kernel. After going back to 2.6.10, everything ran smooth as silk. There are also 2.4.x series kernels in the Ubuntu Universe repository for users who require the 2.4.x series for some reason, though we didn't test any of those kernels.

The Hoary release can be found at http://releases.ubuntu.com/hoary/. Live CDs and install CDs are available for Intel/x86, PowerPC and AMD64. Users who prefer to go the KDE route can download installation media or live CDs from http://cdimage.ubuntu.com/kubuntu/releases/hoary/preview/. The next Ubuntu release is scheduled for October, and has been dubbed "Breezy Badger."

Users looking for a cutting-edge Linux distribution that "just works" should try out Ubuntu. The distribution is put together very well, offers an excellent selection of packages and a very active and helpful user community.

Comments (15 posted)

GreaseMonkey: a two-edged sword

The Mozilla Firefox extension mechanism is a powerful feature; it gives browser users a great deal of flexibility in controlling how things work. One of the extensions attracting the most attention in the last few months is GreaseMonkey. It is, in fact, a classic example of why free software is a great thing, but also an illustration of how users can be invited to harm themselves.

The core idea behind GreaseMonkey is simple: it allows the user to associate JavaScript programs with specific sites on the net. When one of the identified pages (as determined by a regular expression) is loaded, the script gets a chance to rewrite things before the page is displayed. GreaseMonkey is, in other words, a mechanism which enables readers to automatically rework web pages into the form they would have liked them to be in the first place.

The GreaseMonkey script repository shows that there is a demand for this capability. Scripts have been posted which:

  • Remove articles or comments posted by specific users. Perhaps this would be a quick way to implement the comment filtering features occasionally requested for LWN.net.

  • Rewrite web pages to get rid of intrusive navigation bars, interstitial ad pages, etc. For those who want more ads, there is a script which inserts Google ads into the handful of pages on the net which do not yet have them.

  • Redirect SourceForge download links to skip the mirror selection page and simply get the requested files.

  • Delete Michael Jackson stories from certain news sites ("Best. Userscript. Ever.").

  • Rewrite Paul Graham's articles for better readability.

  • Create cross links between Netflix and IMDB.

And so on; the list appeared to be growing as this article was being written.

The operators of various web sites will, beyond doubt, get upset if GreaseMonkey use takes off. To anybody who wishes to have a high degree of control over the appearance and use of their site, GreaseMonkey will be a threat. But GreaseMonkey is a clear expression of software freedom: we will control how things work on our own computers. Our tools are written to maximize that control, and there is little that can be done about it.

GreaseMonkey does, however, potentially threaten that control in a different way. A tool which encourages users to download and run scripts from random parts of the net would appear to be an open door for security problems. If the browser's sandboxing works properly, a script should not be able to affect the system outside of the browser. But even the mere ability to rewrite HTML is asking for some trouble: how long will it be until some phisher posts a script that, while perhaps doing something useful, also redirects links within financial sites? It is not entirely clear how that sort of problem can be addressed - the same capability which can redirect all New York Times links to the "printable" version can point a password submission form to a third-party site.

In other words, while GreaseMonkey is a cool and powerful tool, it should be used with great care. Install a minimum number of scripts, look them over first, and, preferably, write them yourself. As the GreaseMonkey community grows, there will certainly be exploit attempts. Firefox is a relatively secure web browser; it would be a shame to ruin that by inviting in random malware from the net.
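The specific worry above, a password form quietly pointed at a third-party site, is something a user can check for before trusting a script. The following is an added example written for this page, not part of the article or of GreaseMonkey: given a page's URL and its rendered HTML (for instance saved after a user script has run), it lists every password form whose action resolves to a different origin or to plain http. The sample page and the host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # dicts of {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def origin(url: str) -> tuple[str, str]:
    """Scheme and host:port, the two parts that define a web origin here."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def audit_password_forms(page_url: str, html: str) -> list[dict]:
    """One finding per password form whose submission target looks wrong.

    An empty or relative action is resolved against the page URL, exactly as
    the browser would resolve it, so "/session" on the bank's page is fine.
    """
    collector = FormCollector()
    collector.feed(html)
    page_origin = origin(page_url)
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])
        reasons = []
        if origin(target) != page_origin:
            reasons.append("cross-origin")
        if urlsplit(target).scheme.lower() != "https":
            reasons.append("not-https")
        if reasons:
            findings.append({"action": target, "reasons": reasons})
    return findings


# Constructed sample: a login page whose second and third forms no longer
# submit where the page's own origin would expect them to.
SAMPLE_PAGE = """
<form action="/session">
  <input name="user"><input type="password" name="pw">
</form>
<form action="https://collector.example.net/grab" method="post">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form action="http://bank.example.com/login">
  <input type="password" name="pw">
</form>
<form action="https://search.example.com/q"><input name="q"></form>
"""

if __name__ == "__main__":
    for f in audit_password_forms("https://bank.example.com/login", SAMPLE_PAGE):
        print(f["action"], ", ".join(f["reasons"]))
```

Only forms that actually carry a password field are reported, so an off-site search box does not produce noise; an https-to-http change is flagged even when the host is unchanged, since the origin differs and the credentials would travel in the clear.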

Comments (7 posted)

Page editor: Jonathan Corbet

Security

Attack of the killer CD

This story starts to get a little tiresome: a security researcher has found yet another set of vulnerabilities in the Linux kernel. The researcher this time is Michal Zalewski, who, in the past, has had great luck finding problems by feeding random data to code. It didn't take him too long to find a few ways to crash the kernel with corrupted CD images.

The impact of this bug is that anybody who can cause a CD to be mounted can crash the system, and, potentially, obtain root access. Mounting a disk is normally a privileged operation, but many systems are set up to automatically mount a CD (and, perhaps, fire off a file manager window) on insertion. Others are set up to allow unprivileged users to mount a CD on demand. So corrupt CDs are, indeed, a mechanism which could be used to compromise a system.

Of course, it is true that anybody who gets into a position where they can insert a CD into the system may well find a way to compromise it anyway. It is hard to defend against an attacker with physical access. Even so, there is no point in making any sort of attack easier.

The bugs in this case are ancient; much of the ISO9660 code dates back to the early 1990's, and it hasn't seen a great deal of maintenance since. In some places, values obtained from the filesystem are not properly checked, leading to inappropriate memory accesses. In one other case, the check was in place, but the code responds to a corrupt disk by calling panic(), thus creating a nice denial of service situation. There are guaranteed to be other problems which have not yet been found; as Linus put it, "The code is a mess."
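The two failure modes just described, an unchecked on-disk length and a panic() on detecting corruption, are easiest to see next to the alternative. The following is an added example written for this page, not kernel code: it walks a simplified, hypothetical directory-record layout (one record-length byte, one name-length byte, then the name), checks every length against the structure that contains it, and raises an exception that the caller turns into a refused mount rather than a crashed system. The sample sectors are constructed.

```python
# Hypothetical record layout used by this example (not the real ISO9660 one):
#   [rec_len:1][name_len:1][name:name_len]   ... repeated, 0 byte ends the list
# Every value below comes from the "disk" and is therefore untrusted.


class CorruptImage(ValueError):
    """Raised for any on-disk value that does not fit its container."""


def read_record(sector: bytes, off: int):
    """Parse one record at `off`; returns (name, rec_len) or None at the end."""
    if off >= len(sector):
        return None                                 # walked off the sector
    rec_len = sector[off]
    if rec_len == 0:
        return None                                 # end-of-directory marker
    if rec_len < 2:
        raise CorruptImage(f"record at {off}: length {rec_len} cannot hold a header")
    if off + rec_len > len(sector):
        raise CorruptImage(f"record at {off}: length {rec_len} overruns the sector")
    name_len = sector[off + 1]
    if 2 + name_len > rec_len:
        raise CorruptImage(f"record at {off}: name length {name_len} exceeds record")
    # Only now is it safe to slice: both bounds were checked above.
    name = sector[off + 2 : off + 2 + name_len].decode("ascii", errors="replace")
    return name, rec_len


def walk_directory(sector: bytes) -> list[str]:
    """Names in a directory sector; raises CorruptImage instead of misbehaving."""
    names, off = [], 0
    while (rec := read_record(sector, off)) is not None:
        name, rec_len = rec
        names.append(name)
        off += rec_len
    return names


def mount_status(sector: bytes) -> str:
    """What a caller does with the error: refuse the disk, keep the system up."""
    try:
        return "ok: " + ",".join(walk_directory(sector))
    except CorruptImage as e:
        return "refused: " + str(e)


def record(name: bytes) -> bytes:
    """Build a well-formed record (helper for the constructed samples)."""
    return bytes([len(name) + 2, len(name)]) + name


# Constructed sample sectors.
GOOD = record(b"hello") + record(b"hi") + b"\0"
BAD_NAME_LEN = bytes([4, 200]) + b"hi" + b"\0"   # name_len larger than its record
BAD_REC_LEN = bytes([100, 2]) + b"hi" + b"\0"    # rec_len larger than the sector

if __name__ == "__main__":
    for sector in (GOOD, BAD_NAME_LEN, BAD_REC_LEN):
        print(mount_status(sector))
```

The two bad sectors are the article's two cases: trusting `name_len` would read past the record (and, with a large enough value, past the buffer), and a check that responds by killing the process would turn a bad disc into a denial of service; here both end in an ordinary error return.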

Other filesystems may have similar problems. An on-disk filesystem is a complicated data structure, and it can be very hard to defend against any sort of corruption. Users are plugging in filesystems more frequently; many consumer gadgets, such as cameras and music players, just look like another disk to the computer. So the opportunities for filesystem-based attacks are growing. Expect more patches as more ten-year-old bugs are found and fixed.

Comments (6 posted)

New vulnerabilities

dyndnsupdate: multiple vulnerabilities

Package(s): dyndnsupdate  CVE #(s):
Created: March 21, 2005  Updated: March 22, 2005
Description: Toby Dickenson discovered that Xzabite's dyndnsupdate suffers from multiple overflows. A remote attacker, posing as a dyndns.org server, could execute arbitrary code with the rights of the user running dyndnsupdate.
Alerts:
Gentoo 200503-27 2005-03-21

Comments (none posted)

evolution: message crash vulnerability

Package(s): evolution  CVE #(s): CAN-2005-0806
Created: March 17, 2005  Updated: August 11, 2005
Description: The Evolution mail client can be crashed when reading certain types of messages.
Alerts:
Ubuntu USN-166-1 2005-08-11
Red Hat RHSA-2005:397-01 2005-05-04
Conectiva CLA-2005:950 2005-04-27
Fedora FEDORA-2005-338 2005-04-22
Mandrake MDKSA-2005:059 2005-03-16

Comments (none posted)

firefox: multiple vulnerabilities

Package(s): firefox  CVE #(s): CAN-2005-0399 CAN-2005-0401 CAN-2005-0402
Created: March 23, 2005  Updated: March 25, 2005
Description: The firefox browser (prior to version 1.0.2) contains three vulnerabilities: a GIF processing buffer overflow, a (difficult) way to trick users into running hostile XUL content, and a way to get a user to run an arbitrary program by way of the sidebar panel.
Alerts:
Gentoo 200503-31 2005-03-25
Red Hat RHSA-2005:336-01 2005-03-23
Fedora FEDORA-2005-246 2005-03-23

Comments (none posted)

kdelibs: dcopserver vulnerability

Package(s): kdelibs  CVE #(s): CAN-2005-0396 CAN-2005-0237 CAN-2005-0365
Created: March 17, 2005  Updated: May 17, 2005
Description: The KDE Desktop Communication Protocol daemon (dcopserver) is vulnerable to lockup by a local user, leading to a denial of service.
Alerts:
Conectiva CLA-2005:953 2005-05-17
SuSE SUSE-SA:2005:022 2005-04-11
Red Hat RHSA-2005:307-01 2005-04-06
Fedora FEDORA-2005-245 2005-03-23
Fedora FEDORA-2005-244 2005-03-23
Red Hat RHSA-2005:325-01 2005-03-23
Gentoo 200503-22 2005-03-19
Mandrake MDKSA-2005:058 2005-03-16

Comments (none posted)

LTris: buffer overflow

Package(s): ltris  CVE #(s):
Created: March 21, 2005  Updated: March 22, 2005
Description: LTris is vulnerable to a buffer overflow when reading the global highscores file. By modifying the global highscores file, a malicious user could trick another user into executing arbitrary code.
Alerts:
Gentoo 200503-24 2005-03-20

Comments (none posted)

rxvt-unicode: buffer overflow

Package(s): rxvt-unicode  CVE #(s): CAN-2005-0764
Created: March 21, 2005  Updated: March 22, 2005
Description: Rob Holland of the Gentoo Linux Security Audit Team discovered that rxvt-unicode fails to properly check input length. Successful exploitation would allow an attacker to execute arbitrary code with the permissions of the user running rxvt-unicode.
Alerts:
Gentoo 200503-23 2005-03-20

Comments (none posted)

xloadimage: missing input sanitizing, integer overflow

Package(s): xloadimage  CVE #(s): CAN-2005-0638 CAN-2005-0639
Created: March 21, 2005  Updated: May 4, 2005
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team has reported a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped (CAN-2005-0638). Insufficient validation of image properties has also been discovered, which could potentially result in buffer management errors (CAN-2005-0639).

Alerts:
Mandriva MDKSA-2005:076 2005-04-20
Red Hat RHSA-2005:332-01 2005-04-19
Debian DSA-695-1 2005-03-21
Debian DSA-694-1 2005-03-21
Fedora FEDORA-2005-237 2005-03-18
Fedora FEDORA-2005-236 2005-03-18

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s): a2ps  CVE #(s): CAN-2004-1170 CAN-2004-1377
Created: November 26, 2004  Updated: December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

cpio: file permissions error

Package(s): cpio  CVE #(s): CAN-1999-1572
Created: February 2, 2005  Updated: July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02

Comments (none posted)

cURL: buffer overflow

Package(s): curl  CVE #(s): CAN-2005-0490
Created: February 28, 2005  Updated: July 19, 2005
Description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded.
Alerts:
Fedora-Legacy FLSA:152917 2005-07-15
Fedora FEDORA-2005-325 2005-04-20
Red Hat RHSA-2005:340-01 2005-04-05
Conectiva CLA-2005:940 2005-03-21
Gentoo 200503-20 2005-03-16
Mandrake MDKSA-2005:048 2005-03-04
SuSE SUSE-SA:2005:011 2005-02-28
Ubuntu USN-86-1 2005-02-28

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s): cyrus-imapd  CVE #(s): CAN-2005-0546
Created: February 23, 2005  Updated: April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

cyrus-sasl: remote buffer overflow

Package(s): cyrus-sasl  CVE #(s): CAN-2004-0884
Created: October 7, 2004  Updated: March 16, 2005
Description: cyrus-sasl has a buffer overflow vulnerability in the digestmd5.c file. A remote attacker may be able to compromise the system. Also, a local user may be able to exploit a vulnerability by using the SASL_PATH environment variable.
Alerts:
Mandrake MDKSA-2005:054 2005-03-15
SuSE SUSE-SA:2005:013 2005-03-03
Fedora-Legacy FLSA:2137 2005-02-17
OpenPKG OpenPKG-SA-2005.004 2005-01-28
Conectiva CLA-2004:889 2004-11-11
Debian DSA-568-1 2004-10-16
Debian DSA-563-3 2004-10-14
Debian DSA-563-2 2004-10-12
Debian DSA-563-1 2004-10-12
Trustix TSLSA-2004-0053 2004-10-08
Mandrake MDKSA-2004:106 2004-10-07
Red Hat RHSA-2004:546-02 2004-10-07
Gentoo 200410-05 2004-10-07

Comments (none posted)

dhcp: format string vulnerability

Package(s): dhcp  CVE #(s): CAN-2004-1006
Created: November 4, 2004  Updated: July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s): emacs21  CVE #(s): CAN-2005-0100
Created: February 7, 2005  Updated: May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s): enscript  CVE #(s): CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created: January 21, 2005  Updated: May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

Ethereal: Multiple vulnerabilities

Package(s): ethereal  CVE #(s): CAN-2005-0699 CAN-2005-0704 CAN-2005-0705
Created: March 14, 2005  Updated: March 28, 2005
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.10, including: the Etheric and 3GPP2 A11 dissectors are vulnerable to buffer overflows (CAN-2005-0704 and CAN-2005-0699), the GPRS-LLC dissector could crash when the "ignore cipher bit" option is enabled (CAN-2005-0705), and there are various vulnerabilities in the IAPP, JXTA, and sFlow dissectors.
Alerts:
Conectiva CLA-2005:942 2005-03-28
Red Hat RHSA-2005:306-01 2005-03-18
Mandrake MDKSA-2005:053 2005-03-15
Fedora FEDORA-2005-212 2005-03-16
Fedora FEDORA-2005-213 2005-03-16
Gentoo 200503-16 2005-03-12

Comments (none posted)

evolution: arbitrary code execution

Package(s): evolution  CVE #(s): CAN-2005-0102
Created: January 24, 2005  Updated: May 19, 2005
Description: Max Vozeler discovered an integer overflow in camel-lock-helper. A user-supplied length value was not validated, so that a value of -1 caused a buffer allocation of 0 bytes; this buffer was then filled by an arbitrary amount of user-supplied data. A local attacker or a malicious POP3 server could exploit this to execute arbitrary code with root privileges (because camel-lock-helper is installed as setuid root).
Alerts:
Red Hat RHSA-2005:238-01 2005-05-19
Conectiva CLA-2005:925 2005-02-16
Debian DSA-673-1 2005-02-10
Mandrake MDKSA-2005:024 2005-01-27
Gentoo 200501-35 2005-01-24
Ubuntu USN-69-1 2005-01-24

Comments (1 posted)

f2c: insecure temp files

Package(s): f2c  CVE #(s): CAN-2005-0017 CAN-2005-0018
Created: January 27, 2005  Updated: April 20, 2005
Description: The f2c Fortran-to-C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack.
Alerts:
Debian DSA-661-2 2005-04-20
Gentoo 200501-43 2005-01-30
Debian DSA-661-1 2005-01-27

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s): foomatic  CVE #(s): CAN-2004-0801
Created: September 20, 2004  Updated: May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: client freezes

Package(s): gaim  CVE #(s): CAN-2005-0472 CAN-2005-0473
Created: February 22, 2005  Updated: April 27, 2005
Description: The Gaim client freezes when receiving certain invalid messages and crashes when receiving specific malformed HTML. See this Secunia Advisory for additional information.
Alerts:
Debian DSA-716-1 2005-04-27
Ubuntu USN-85-1 2005-02-25
Fedora FEDORA-2005-160 2005-02-21
Fedora FEDORA-2005-159 2005-02-21

Comments (none posted)

gettext: Insecure temporary file handling

Package(s): gettext  CVE #(s): CAN-2004-0966
Created: October 11, 2004  Updated: March 1, 2006
Description: gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

gftp: missing input sanitizing

Package(s): gftp  CVE #(s): CAN-2005-0372 CAN-2004-1376
Created: February 17, 2005  Updated: July 13, 2005
Description: gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files.
Alerts:
Fedora-Legacy FLSA:152908 2005-07-10
Red Hat RHSA-2005:410-01 2005-06-13
Fedora FEDORA-2005-310 2005-04-07
Fedora FEDORA-2005-309 2005-04-07
Mandrake MDKSA-2005:050 2005-03-04
Gentoo 200502-27 2005-02-19
SuSE SUSE-SR:2005:005 2005-02-18
Debian DSA-686-1 2005-02-17

Comments (none posted)

ghostscript: symlink vulnerabilities

Package(s): ghostscript  CVE #(s): CAN-2004-0967
Created: October 20, 2004  Updated: September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnupg: information leak

Package(s):gnupg CVE #(s):CAN-2005-0366
Created:March 16, 2005 Updated:August 19, 2005
Description: GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Alerts:
Ubuntu USN-170-1 2005-08-19
Gentoo 200503-29 2005-03-24
Mandrake MDKSA-2005:057 2005-03-15

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:September 16, 2005
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

imagemagick: .psd image file decode vulnerability

Package(s):imagemagick CVE #(s):CAN-2005-0005
Created:January 18, 2005 Updated:March 23, 2005
Description: According to this iDEFENSE advisory, ImageMagick is vulnerable to a heap overflow when decoding .psd image files. This could be remotely exploited allowing an attacker to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:070-01 2005-03-23
Red Hat RHSA-2005:071-01 2005-02-15
Gentoo 200501-37 2005-01-26
Gentoo 200501-26 2005-01-20
Debian DSA-646-1 2005-01-19
Ubuntu USN-62-1 2005-01-18

Comments (1 posted)

imagemagick: format string vulnerability

Package(s):imagemagick CVE #(s):CAN-2005-0397
Created:March 3, 2005 Updated:April 4, 2005
Description: The ImageMagick file name handling code has a format string vulnerability. Specially crafted file names can be used to crash ImageMagick and possibly execute arbitrary code.
Alerts:
Mandrake MDKSA-2005:065 2005-04-01
Debian DSA-702-1 2005-04-01
Fedora FEDORA-2005-235 2005-03-30
Fedora FEDORA-2005-234 2005-03-30
SuSE SUSE-SA:2005:017 2005-03-23
Red Hat RHSA-2005:320-01 2005-03-23
Gentoo 200503-11 2005-03-06
Ubuntu USN-90-1 2005-03-03

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

IPsec-Tools: denial of service

Package(s):ipsec-tools setkey racoon CVE #(s):CAN-2005-0398
Created:March 14, 2005 Updated:April 5, 2005
Description: The IPsec-Tools package is used to build other programs such as setkey and racoon. There is a potential denial of service vulnerability when parsing ISAKMP headers in racoon.
Alerts:
Ubuntu USN-107-1 2005-04-05
SuSE SUSE-SA:2005:020 2005-03-31
Mandrake MDKSA-2005:062 2005-03-31
Gentoo 200503-33 2005-03-25
Red Hat RHSA-2005:232-01 2005-03-23
Fedora FEDORA-2005-217 2005-03-14
Fedora FEDORA-2005-216 2005-03-14

Comments (none posted)

kdelibs: unsanitized input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, part of kdelibs, that allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL containing a URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake MDKSA-2005:045 2005-02-17
Red Hat RHSA-2005:065-01 2005-02-15
Red Hat RHSA-2005:009-01 2005-02-10
Fedora FEDORA-2005-064 2005-01-25
Fedora FEDORA-2005-063 2005-01-25
Gentoo 200501-18 2005-01-11
Debian DSA-631-1 2005-01-10

Comments (none posted)

kdenetwork: file descriptor leak

Package(s):kdenetwork CVE #(s):CAN-2005-0205
Created:March 3, 2005 Updated:March 16, 2005
Description: The kdenetwork networking applications package has a bug with the handling of privileged file descriptors in kppp. A local user can use this to modify the /etc/hosts and /etc/resolv.conf files, allowing them to spoof domain information.
Alerts:
Conectiva CLA-2005:934 2005-03-16
Debian DSA-692-1 2005-03-08
Red Hat RHSA-2005:175-01 2005-03-03

Comments (none posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the user running the affected parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libexif: improper validation

Package(s):libexif CVE #(s):CAN-2005-0664
Created:March 7, 2005 Updated:April 15, 2005
Description: Sylvain Defresne discovered that the EXIF library did not properly validate the structure of EXIF tags. By tricking a user into loading an image with a malicious EXIF tag, an attacker could exploit this to crash the process using the library, or even execute arbitrary code with the privileges of that process.
Alerts:
Debian DSA-709-1 2005-04-15
Mandrake MDKSA-2005:064 2005-03-31
Red Hat RHSA-2005:300-01 2005-03-21
Gentoo 200503-17 2005-03-12
Fedora FEDORA-2005-200 2005-03-08
Fedora FEDORA-2005-199 2005-03-08
Ubuntu USN-91-1 2005-03-07

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CAN-2004-1308
Created:December 22, 2004 Updated:May 19, 2005
Description: The libtiff image manipulation library contains several exploitable buffer overflows.
Alerts:
Fedora-Legacy FLSA:152815 2005-05-18
Red Hat RHSA-2005:035-01 2005-02-15
Conectiva CLA-2005:920 2005-01-20
Red Hat RHSA-2005:019-01 2005-01-13
SuSE SUSE-SA:2005:001 2005-01-10
Fedora FEDORA-2005-598 2005-01-07
Fedora FEDORA-2005-597 2005-01-07
Ubuntu USN-54-1 2005-01-06
Mandrake MDKSA-2005:002 2005-01-06
Mandrake MDKSA-2005:001 2005-01-06
Gentoo 200501-06 2005-01-05
Debian DSA-626-1 2005-01-06
Debian DSA-617-1 2004-12-24
Fedora FEDORA-2004-577 2004-12-22
Fedora FEDORA-2004-576 2004-12-22
Ubuntu USN-46-1 2004-12-22

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 2006-03-07
Fedora-Legacy FLSA:152803 2006-01-09
Fedora FEDORA-2005-815 2005-08-26
Fedora FEDORA-2005-808 2005-08-25
Red Hat RHSA-2005:198-01 2005-06-08
Red Hat RHSA-2005:473-01 2005-05-24
Red Hat RHSA-2005:412-01 2005-05-11
Debian DSA-723-1 2005-05-09
Mandriva MDKSA-2005:081 2005-05-05
Mandriva MDKSA-2005:080 2005-04-28
Red Hat RHSA-2005:044-01 2005-04-06
Red Hat RHSA-2005:331-01 2005-03-30
Fedora FEDORA-2005-273 2005-03-29
Fedora FEDORA-2005-272 2005-03-29
Ubuntu USN-97-1 2005-03-16
Gentoo 200503-15 2005-03-12
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-08 2005-03-04

Comments (none posted)

luxman: buffer overflow