LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
A Look at The Onion Router (Tor)
Last week we promised a look at Tor, a system for anonymous Internet communication, primarily developed by Nick Mathewson and Roger Dingledine. Current development is supported by the Electronic Frontier Foundation (EFF), but Tor was originally developed as part of the U.S. Naval Research Laboratory's Onion Routing program.
As the Tor web page explains, Tor is a "toolset for a wide range of organizations and people that want to improve their safety and security on the Internet." What does that mean? In a nutshell, Tor is a client/server application that anonymizes traffic by routing it from the client through a series of nodes to hide the origin of a request. It can also be used to protect services against denial of service attacks and the like by hiding their origin.
Tor routes traffic through nodes that "know" about the previous node and the next node -- but not the rest of the network. By routing traffic through a series of "onion routers" Tor makes it difficult for the receiver, observers and even other Tor routers to detect the source of traffic. A more complete description of Tor's design can be found in the design paper; a protocol specification is also available for those who wish to build compatible software.
Tor works as both a server and as a client. By default, Tor runs as a client only, but it can be configured to allow other users to connect to your system as a Tor node. In addition, Tor can be used to run "hidden" services that do not reveal your IP address to others at all. The "hidden wiki" maintains a list of hidden services that users can see as an example. Finally, it's possible to set up one's own Tor network that does not interact with the public Tor network, for those who want to test the protocol but may lack access to the Internet.
To achieve best results, one may need to use Tor in conjunction with other applications. For example, users who wish to browse anonymously would use Tor in conjunction with Privoxy. Other applications may require use of tsocks or ProxyChains.
To see what Tor had to offer, we installed it on a Ubuntu Hoary machine, along with Privoxy, tsocks and ProxyChains. Configuring services to work with Tor is not terribly difficult, and there is a relatively detailed HOWTO for users who wish to configure specific applications like Gaim, X-Chat, SSH or BitTorrent with Tor.
It should be noted that using Tor can have an impact on performance for client applications. Using Tor and Privoxy together for browsing, for example, introduced a notable lag. Firefox users may be interested in using the SwitchProxy Tool extension to switch Proxy use on and off, reserving Tor for specific sites rather than for all web browsing. Users should also be prepared for some odd behavior on some sites -- for example, we kept being redirected to country-specific versions of Google, rather than Google's main site, when using Tor and Privoxy. Tor itself didn't seem to have much of an impact on system performance overall.
Tor is not completely foolproof. It could be possible for someone who's running a Tor server to modify Tor or use other software to monitor traffic going through the server. Traffic coming out of the "exit node" (the last hop in the Tor "circuit") is not encrypted, so a malicious user could set up a Tor server and browse traffic coming out of their machine. (It is possible to specify your exit node in the Tor configuration.) There are also potential JavaScript issues, and there are other ways to analyze traffic that passes through Tor.
Interested users should also have a look at the EFF's legal issues page about Tor. Though Tor can be used for things like BitTorrent, it is not designed to assist copyright infringement or other illegal activity.
There is still a lot of development ahead for Tor, but it is definitely worth a look for users who are interested in anonymous communication on the Internet. Users with bandwidth to spare are also encouraged to set up and run a Tor server to help test its scalability and to help provide a larger Tor network. See the download page for Tor packages and source code.
New vulnerabilities
apache-utils: htpasswd buffer overflow
| Package(s): | apache-utils | CVE #(s): | ||||
| Created: | May 26, 2005 | Updated: | June 1, 2005 | |||
| Description: | The htpasswd utility has a buffer overflow vulnerability. Web sites that use an unchecked public interface to htpasswd can be used to execute arbitrary code with the privileges of the user who runs htpasswd. | |||||
| Alerts: |
| |||||
gxine: format string vulnerability
| Package(s): | gxine | CVE #(s): | CAN-2005-1692 | ||||||
| Created: | May 26, 2005 | Updated: | July 23, 2005 | ||||||
| Description: | The gxine media player has a format string vulnerability in the hostname decoding function. A specially crafted file can be used to cause a user to execute arbitrary code. | ||||||||
| Alerts: |
| ||||||||
ImageMagick: xwd coder denial of service
| Package(s): | ImageMagick | CVE #(s): | CAN-2005-1739 | ||||||||||||
| Created: | May 26, 2005 | Updated: | July 19, 2005 | ||||||||||||
| Description: | The xwd coder in ImageMagick has a vulnerability that can be accessed by working on a maliciously created image. A denial of service can result. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Mailutils: multiple vulnerabilities in imap4d and mail
| Package(s): | mailutils | CVE #(s): | CAN-2005-1520 CAN-2005-1521 CAN-2005-1522 CAN-2005-1523 | ||||||
| Created: | May 27, 2005 | Updated: | June 3, 2005 | ||||||
| Description: | infamous41d discovered several vulnerabilities in GNU Mailutils. imap4d does not correctly implement formatted printing of command tags (CAN-2005-1523), fails to validate the range sequence of the "FETCH" command (CAN-2005-1522), and contains an integer overflow in the "fetch_io" routine (CAN-2005-1521). mail contains a buffer overflow in "header_get_field_name()" (CAN-2005-1520). | ||||||||
| Alerts: |
| ||||||||
Updated vulnerabilities
ImageMagick: heap corruption
| Package(s): | ImageMagick | CVE #(s): | CAN-2005-1275 | ||||||||||||
| Created: | April 28, 2005 | Updated: | May 25, 2005 | ||||||||||||
| Description: | ImageMagick 6.2.1 and earlier has a heap corruption problem in the pnm coder. | ||||||||||||||
| Alerts: |
| ||||||||||||||
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 | ||||||||||||||||||
| Created: | November 26, 2004 | Updated: | December 19, 2005 | ||||||||||||||||||
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cdrdao: local root vulnerability
| Package(s): | cdrdao | CVE #(s): | CAN-2002-0137 CAN-2002-0138 | |||
| Created: | May 19, 2005 | Updated: | May 25, 2005 | |||
| Description: | The cdrdao CD burning utility has two vulnerabilities. Local users can use the show-data command to read arbitrary files, and local users can overwrite arbitrary files via a symlink attack on the ~/.cdrdao config file. This can be exploited to gain root privileges. | |||||
| Alerts: |
| |||||
cheetah: untrusted module search path
| Package(s): | cheetah | CVE #(s): | ||||
| Created: | May 19, 2005 | Updated: | May 25, 2005 | |||
| Description: | Cheetah, a Python template engine and code generator, has a vulnerability in the module importing code that can be used by a local user to gain escalated privileges. | |||||
| Alerts: |
| |||||
cpio - file permissions error
| Package(s): | cpio | CVE #(s): | CAN-1999-1572 | |||||||||||||||||||||
| Created: | February 2, 2005 | Updated: | July 19, 2005 | |||||||||||||||||||||
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
cURL: buffer overflow
| Package(s): | curl | CVE #(s): | CAN-2005-0490 | ||||||||||||||||||||||||
| Created: | February 28, 2005 | Updated: | July 19, 2005 | ||||||||||||||||||||||||
| Description: | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cvs: multiple vulnerabilities
| Package(s): | cvs | CVE #(s): | CAN-2005-0753 | |||||||||||||||||||||||||||||||||
| Created: | April 18, 2005 | Updated: | July 13, 2005 | |||||||||||||||||||||||||||||||||
| Description: | CVS (in version prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error. These can be used to launch a remote denial of service or to remotely execute arbitrary code. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 | |||||||||||||||||||||||||||
| Created: | February 23, 2005 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
dhcp: format string vulnerability
| Package(s): | dhcp | CVE #(s): | CAN-2004-1006 | |||||||||
| Created: | November 4, 2004 | Updated: | July 13, 2005 | |||||||||
| Description: | Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server. | |||||||||||
| Alerts: |
| |||||||||||
Dnsmasq: poisoning and DoS
| Package(s): | dnsmasq | CVE #(s): | |||||||
| Created: | April 4, 2005 | Updated: | July 21, 2005 | ||||||
| Description: | Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash DHCP lease files parsing. | ||||||||
| Alerts: |
| ||||||||
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 7, 2005 | Updated: | May 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
Ethereal: numerous vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2005-1456 CAN-2005-1457 CAN-2005-1458 CAN-2005-1459 CAN-2005-1460 CAN-2005-1461 CAN-2005-1462 CAN-2005-1463 CAN-2005-1464 CAN-2005-1465 CAN-2005-1466 CAN-2005-1467 CAN-2005-1468 CAN-2005-1469 CAN-2005-1470 | ||||||||||||
| Created: | May 6, 2005 | Updated: | June 7, 2005 | ||||||||||||
| Description: | There are numerous vulnerabilities in versions of Ethereal versions 0.8.14 to 0.10.10 according to this advisory. | ||||||||||||||
| Alerts: |
| ||||||||||||||
evolution: message crash vulnerability
| Package(s): | evolution | CVE #(s): | CAN-2005-0806 | |||||||||||||||
| Created: | March 17, 2005 | Updated: | August 11, 2005 | |||||||||||||||
| Description: | The Evolution mail client can be crashed when reading certain types of messages. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1156 CAN-2005-1157 CAN-2005-1158 CAN-2005-1160 CAN-2005-1159 | ||||||||||||
| Created: | May 11, 2005 | Updated: | May 26, 2005 | ||||||||||||
| Description: | The Firefox browser (and Mozilla as well) suffers from several vulnerabilities which can be exploited by a remote attacker to execute arbitrary code. See this advisory for a discussion of the worst two. Upgrading to version 1.0.4 will fix the problems. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
FreeRADIUS: buffer overflow and SQL injection
| Package(s): | freeradius | CVE #(s): | CAN-2005-1454 CAN-2005-1455 | |||||||||
| Created: | May 17, 2005 | Updated: | June 23, 2005 | |||||||||
| Description: | Primoz Bratanic discovered that the sql_escape_func function of FreeRADIUS 1.0.2 and earlier may be vulnerable to a buffer overflow. He also discovered that FreeRADIUS fails to sanitize user-input before using it in a SQL query, possibly allowing SQL command injection. | |||||||||||
| Alerts: |
| |||||||||||
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 20, 2005 | Updated: | August 11, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2005-0891 | ||||||||||||||||||||||||||||||||||||
| Created: | March 30, 2005 | Updated: | December 19, 2005 | ||||||||||||||||||||||||||||||||||||
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gftp: missing input sanitizing
| Package(s): | gftp | CVE #(s): | CAN-2005-0372 CAN-2004-1376 | ||||||||||||||||||||||||
| Created: | February 17, 2005 | Updated: | July 13, 2005 | ||||||||||||||||||||||||
| Description: | gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript | CVE #(s): | CAN-2004-0967 | |||||||||
| Created: | October 20, 2004 | Updated: | September 28, 2005 | |||||||||
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. | |||||||||||
| Alerts: |
| |||||||||||
glibc: Information leak with LD_DEBUG
| Package(s): | glibc | CVE #(s): | CAN-2004-1453 | ||||||
| Created: | August 17, 2004 | Updated: | May 26, 2005 | ||||||
| Description: | Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation. | ||||||||
| Alerts: |
| ||||||||
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 | ||||||||||||||||||||||||
| Created: | October 21, 2004 | Updated: | November 14, 2005 | ||||||||||||||||||||||||
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gnupg: information leak
| Package(s): | gnupg | CVE #(s): | CAN-2005-0366 | |||||||||
| Created: | March 16, 2005 | Updated: | August 19, 2005 | |||||||||
| Description: | GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." | |||||||||||
| Alerts: |
| |||||||||||
GnuTLS: Denial of Service vulnerability
| Package(s): | gnutls | CVE #(s): | CAN-2005-1431 | |||||||||||||||
| Created: | May 9, 2005 | Updated: | June 1, 2005 | |||||||||||||||
| Description: | GnuTLS 1.2.3 and 1.0.25 have been released, fixing a denial of service problem. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
grip: buffer overflow
| Package(s): | grip | CVE #(s): | CAN-2005-0706 | |||||||||||||||||||||||||||
| Created: | March 10, 2005 | Updated: | September 16, 2005 | |||||||||||||||||||||||||||
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
gzip: race condition and directory traversal
| Package(s): | gzip | CVE #(s): | CAN-2005-0988 CAN-2005-1228 | ||||||||||||||||||||||||
| Created: | May 4, 2005 | Updated: | July 13, 2005 | ||||||||||||||||||||||||
| Description: | gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
htdig: cross site scripting
| Package(s): | htdig | CVE #(s): | CAN-2005-0085 | |||||||||||||||
| Created: | February 14, 2005 | Updated: | January 10, 2006 | |||||||||||||||
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 | |||||||||
| Created: | February 18, 2005 | Updated: | April 9, 2006 | |||||||||
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. | |||||||||||
| Alerts: |
| |||||||||||
imlib2: buffer overflows
| Package(s): | imlib2 | CVE #(s): | CAN-2004-0802 CAN-2004-0817 | |||||||||||||||||||||||||||
| Created: | September 8, 2004 | Updated: | October 26, 2005 | |||||||||||||||||||||||||||
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
infozip: privilege escalation, directory-traversal
| Package(s): | infozip | CVE #(s): | CAN-2003-0282 CAN-2004-1010 CAN-2005-0602 | ||||||
| Created: | May 2, 2005 | Updated: | August 1, 2005 | ||||||
| Description: | InfoZip reports that Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation (e.g., in the case of automated, Zip-based backups). All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities. | ||||||||
| Alerts: |
| ||||||||
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster | CVE #(s): | CVE-2005-1108 CVE-2005-1109 | ||||||
| Created: | April 13, 2005 | Updated: | November 5, 2005 | ||||||
| Description: | JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. | ||||||||
| Alerts: |
| ||||||||
kdelibs: unsanitzied input
| Package(s): | kdelibs | CVE #(s): | CAN-2004-1165 | ||||||||||||||||||||||||
| Created: | January 10, 2005 | Updated: | July 19, 2005 | ||||||||||||||||||||||||
| Description: | Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline before the FTP command. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0400 CAN-2005-0749 CAN-2005-0750 CAN-2005-0815 CAN-2005-0839 | |||||||||||||||||||||||||||||||||
| Created: | April 1, 2005 | Updated: | July 1, 2005 | |||||||||||||||||||||||||||||||||
| Description: | More kernel vulnerabilities have been discovered including:
| |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
kernel: ELF loader core dump vulnerability
| Package(s): | kernel | CVE #(s): | CAN-2005-1263 | ||||||||||||||||||
| Created: | May 11, 2005 | Updated: | August 25, 2005 | ||||||||||||||||||
| Description: | Paul Starzetz has posted an advisory for yet another kernel vulnerability. In this case, by using a specially manipulated ELF binary, a local attacker can compromise the system (via the core dump code) and obtain root access. This vulnerability affects all kernels from 2.2 through 2.6.12-rc4. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003 | |||||||||||||||||||||
| Created: | March 24, 2005 | Updated: | May 31, 2006 | |||||||||||||||||||||
| Description: | A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kimgio input validation errors
| Package(s): | kimgio | CVE #(s): | CAN-2005-1046 | |||||||||||||||||||||
| Created: | April 22, 2005 | Updated: | July 19, 2005 | |||||||||||||||||||||
| Description: | KDE has issued a security advisory for kimgio. This is found in kdelibs as shipped with KDE 3.2 up to including KDE 3.4. kimgio contains a PCX image file format reader that does not properly perform input validation. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers, some of them exploitable to execute arbitrary code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
libXpm: new buffer overflows
| Package(s): | libXpm | CVE #(s): | CAN-2005-0605 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 4, 2005 | Updated: | March 8, 2006 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl | CVE #(s): | CAN-2005-1349 | ||||||
| Created: | May 20, 2005 | Updated: | January 27, 2006 | ||||||
| Description: | Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code. | ||||||||
| Alerts: |
| ||||||||
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl | CVE #(s): | CAN-2005-0077 | ||||||||||||||||||||||||
| Created: | January 25, 2005 | Updated: | March 2, 2006 | ||||||||||||||||||||||||
| Description: | Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 | CVE #(s): | CAN-2004-0990 CAN-2004-0941 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | June 28, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libnet-ssleay-perl: weakened cryptographic operations
| Package(s): | libnet-ssleay-perl | CVE #(s): | CAN-2005-0106 | ||||||
| Created: | May 3, 2005 | Updated: | January 27, 2006 | ||||||
| Description: | Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content. | ||||||||
| Alerts: |
| ||||||||
libTIFF: buffer overflow
| Package(s): | libtiff | CVE #(s): | CAN-2005-1544 | |||||
| Created: | May 10, 2005 | Updated: | February 17, 2006 | |||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code. | |||||||
| Alerts: |
| |||||||