An OLS wrapup
The seventh annual Ottawa Linux Symposium has come to an end. Your editor,
who has attended six of the seven OLS events, finds the conference in good
health. OLS was larger this year - some 700 people - but it has handled
its growth well. OLS remains one of the premier Linux development
gatherings worldwide.
![Ottawa art shot](/images/conf/ols+ks2005/Reflections-sm.jpg)
A look at the
schedule reveals some clear themes for this event. Virtualization is
obviously at the top of the list for many OLS attendees; the largest room
was dedicated to the topic for a full day. This was perhaps the most
kernel-oriented schedule yet from an already kernel-dominated event; there
was hardly enough non-kernel content to fill even a single track. Those
who are interested in the user space side of free software may find
themselves drifting toward other events; but kernel people will find plenty
of interest at OLS.
OLS is an increasingly professional event; the proportion of students and
part-time hackers attending the event appears to have dropped over the
years. Registration fees can be as high as C$750. A surprising number of
the attendees are mostly concerned with what their customers want from
Linux; these are people who are making their living in a way which at least
involves Linux and free software.
As always, there was no trade show floor at OLS; nobody is trying to sell
anything to the attendees. OLS is very much about technology and
development communities, and little about hype.
Your editor, rather than trying to provide exhaustive coverage of the
event, attended some of the more interesting sessions. The resulting
articles have been posted over the last week; for convenience, they are:
- A challenge for
developers. Jim Gettys thinks that free software developers have
to get past the "mantra of one," build the multiuser, cooperative
systems of the future, and take the lead for the next generation of
computing.
- Linux and trusted
computing. IBM engineers Emily Ratliff and Tom Lendacky discuss
the current state of Linux support for the "trusted platform module"
(TPM) chip and some of the good things that it can do for us. Trusted
computing does not have to be an evil thing.
- Xen and UML. Lead
developers from the two most prominent Linux paravirtualization
projects discuss where those projects are and what's coming next.
There was much more than the above at OLS this year; your editor, in
particular, appreciated Keith Packard's discussion of the TWIN window
system (designed for very small devices), Michael Austin Halcrow's
description of the eCryptfs filesystem (hopefully to be written up in the
future), Rusty Russell's discussion of nfsim, and Pat Mochel's
sysfs talk. The Wednesday reception featured
talks by Doug Fisher of Intel (who nearly got booed off the stage when it
became clear that his talk was being run from a Windows system) and Art
Cannon from IBM. Art's talk, a buzzword-loaded presentation on how to talk
to business people about open source, was well received but hard to follow
due to the poor acoustics and high noise level in the room. If you gather
several hundred people (many of whom have not seen each other over the past
year) into a room and give them all the beer they want, it can be hard to
get them to sit down, be quiet, and listen to somebody talk about business
stuff.
Dave Jones's ending keynote, instead, got everybody's full attention.
Dave, who, among other things, is the current maintainer of Red Hat's
kernels, is concerned with the number of regressions and other bugs seen in
recent kernels. The quality of our kernels, says Dave, is going down as a
result of regressions, and driver regressions in particular.
There are a lot of reasons for the problems. They date back, perhaps, to the
adoption of BitKeeper. With BK, Linus could quickly pull in a large set of
patches from a subsystem maintainer without really looking at them all. So
BitKeeper increased the velocity of patches through the system, at some
cost to quality. The real problem, however, is one of testing. The
only way to really find kernel bugs is to have the kernel tested by a wide
variety of users. This is particularly true for driver bugs; nobody, not
even the driver maintainer, can possibly have all of the hardware needed to
perform even remotely comprehensive testing. It takes a large community of
users to do that.
When testing does happen, we need to make it easier for users to report
bugs. Requiring a user to create a BugZilla account and fill in vast
amounts of information for a (possibly) tiny bug is counterproductive; many
bug reporters will simply give up and go away. Bug reporting should be a
simple and quick operation.
There are, in any case, quite a few challenges involved in dealing with bug
reporters; this was Dave's opportunity to complain a little about the
frustrations of his job. Bug reporters tend to always see their bug as the
most important one (so, he says, bug reporting systems should not allow
reporters to set the severity of the bug); they will continue to mess with
the system while others are trying to fix the bug, making confirmation of
fixes difficult; some of them file a bug and disappear, not responding to
requests for important information; they will lie about the configuration
of their systems (and the presence of binary-only modules in particular);
and so on. The receiving end of a major distribution's bug tracking system
can be a difficult place to be.
The question of the proper place to report bugs came up. Many bugs seen by
end users are really bugs in the upstream package, not in a particular
distribution's version of it. Those bugs should be reported to the
real, upstream maintainer. Some distributions (Debian, for example) see
this reporting as their responsibility; others would like bug reporters to
go directly upstream. Dave, in particular, notes that quite a few kernel
bugs show up only in the Red Hat BugZilla system; they never make it to the
(not universally used) kernel BugZilla. How many other distributors, he
wonders, have kernel bugs sitting in their bug trackers which should really
be reported to the community? In the future, it would be nice if BugZilla
installations could talk to each other so that bugs could be forwarded to
the right place; however, each BugZilla evidently has its own schema,
making that sort of communication difficult.
Dave noted that the kernel has gotten significantly more complicated over
the time he has been working on it. Coming up to speed and really
understanding what is happening inside the kernel is a challenging task.
Kernel developers need to recognize this and take advantage of all the
techniques and tools which are available to them to produce better
releases.
Next year's keynote speaker will be Greg Kroah-Hartman.
The final event of OLS is the infamous Black Thorn party; it is the ideal
way to unwind after an intense week of conferencing. The Black Thorn is
getting a little small, however; one of the OLS organizers was asking
people to put their backpacks aside so there would be room for everybody to
stand. If OLS continues to grow, the final event may have to happen
somewhere else.
Git approaches 1.0
On April 5, 2005, it was announced that BitMover would "focus exclusively"
on its commercial BitKeeper offering and withdraw the free-beer client used
by a number of free software developers. This was a nervous moment;
BitKeeper had become an integral part of the Linux kernel development
process. Nobody wanted to go back to the old days - when no source code
management system was used at all - but there was no clear successor to
BitKeeper on offer.
And where might such a successor have been expected to come from? We had been
told many times that the development of BitKeeper required numerous
person-years of work and millions of dollars of funding. The free software
community was simply not up to the task of creating a tool with that sort
of capabilities - especially not in a hurry. The kernel development
community, having lost a tool it relied upon heavily, appeared doomed to a
long painful period of adjustment.
Two full days later, Linus announced the
first release of a tool called "git." It was, he said, "_really_ nasty,"
but it was a starting point. On April 20, fifteen days after the
withdrawal of BitKeeper, the 2.6.12-rc3 kernel prepatch, done entirely with
git, was released. The git tool, in those days, was clearly suitable only
for early adopters, but, even then, it was also clearly going somewhere.
Git brings with it some truly innovative concepts; it is not a clone of any
other source code management system. Indeed, at its core, it is not really
an SCM at all. What git offers is a content-addressable object
filesystem. If you store a file in git, it does not really have a name;
instead, it is looked up by its contents (as represented by a SHA-1 hash of
those contents). A hierarchical grouping of files - a particular kernel
release, for example - is represented by a separate "tree" object listing
which files are part of the group and where they are to be found. Files do
not have any history - they simply exist or not, and two versions of the
same file are only linked by virtue of being in the same place in two
different tree objects.
This way of organizing things is hard to grasp, initially, but it makes
some interesting things possible. One of the harder problems in many SCM
systems - handling the renaming of files - requires no special care with
git. A single git repository can hold any number of branches or parallel
trees without confusion. File integrity checking is built into the basic
lookup mechanism, so that corruption will be detected automatically, and,
if desired, kernel releases can be cryptographically signed easily.
Perhaps most importantly, however: git made certain operations, such as the
merging of patches, very fast.
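The object model described above, as an added example (not git's own code): blob and tree objects are serialized exactly as git does it (`"<type> <size>\0<payload>"`, identified by the SHA-1 of that serialization, stored zlib-compressed), while the in-memory `ObjectStore` is a stand-in for `.git/objects`. It shows why a rename is nothing special (the same blob id appears under a different name in a second tree), why identical content is stored once, and how a corrupted object is caught on lookup because the id is recomputed from what is read back.

```python
"""Content-addressed object store modelled on git's blob and tree objects.

Added example, not code from git. The serialization, ids and compression are
git's real conventions; ObjectStore is a throwaway in-memory .git/objects.
"""
from __future__ import annotations

import hashlib
import zlib


def serialize(obj_type: str, payload: bytes) -> tuple[str, bytes]:
    """Return (object id, serialized bytes) for one object.

    The id is the SHA-1 of header *and* payload, so it commits to the object's
    type and length as well as its content.
    """
    data = b"%s %d\0%s" % (obj_type.encode(), len(payload), payload)
    return hashlib.sha1(data).hexdigest(), data


def blob(content: bytes) -> tuple[str, bytes]:
    """A file's content. No name, no history: just bytes addressed by hash."""
    return serialize("blob", content)


def tree(entries: dict[str, tuple[str, str]]) -> tuple[str, bytes]:
    """A directory listing, {name: (mode, child id)} -> tree object.

    Each entry is "<mode> <name>\\0" followed by the child's 20 raw id bytes.
    Entries are sorted by name (git sorts a subtree as if its name ended in
    "/", which only matters when a file and a directory share a prefix).
    """
    payload = b"".join(
        b"%s %s\0%s" % (mode.encode(), name.encode(), bytes.fromhex(oid))
        for name, (mode, oid) in sorted(entries.items())
    )
    return serialize("tree", payload)


class ObjectStore:
    """Minimal .git/objects: id -> zlib-compressed serialized object."""

    def __init__(self) -> None:
        self.objects: dict[str, bytes] = {}

    def put(self, obj: tuple[str, bytes]) -> str:
        oid, data = obj
        self.objects[oid] = zlib.compress(data)  # same content, same id, stored once
        return oid

    def get(self, oid: str) -> bytes:
        """Fetch and verify: the id is recomputed on every lookup."""
        data = zlib.decompress(self.objects[oid])
        if hashlib.sha1(data).hexdigest() != oid:
            raise ValueError(f"object {oid} is corrupt")
        _header, _, payload = data.partition(b"\0")
        return payload

    def corrupt(self, oid: str, data: bytes) -> None:
        """Simulate on-disk corruption or tampering by overwriting an object."""
        self.objects[oid] = zlib.compress(data)


def demo() -> dict:
    """Store one file under two names and report what the hashes imply."""
    store = ObjectStore()
    content = b"#!/bin/sh\necho hello\n"
    content_id = store.put(blob(content))
    # Two "releases" that differ only by a rename: the blob has no name, so the
    # rename is visible purely as the same id under a different tree entry.
    t1 = store.put(tree({"run.sh": ("100755", content_id)}))
    t2 = store.put(tree({"start.sh": ("100755", content_id)}))
    result = {
        "blob": content_id,
        "trees_differ": t1 != t2,
        "objects_stored": len(store.objects),  # 3: one blob, two trees
        "roundtrip_ok": store.get(content_id) == content,
    }
    # A corrupted or tampered object fails the hash check at lookup time.
    store.corrupt(content_id, serialize("blob", b"#!/bin/sh\nrm -rf /\n")[1])
    try:
        store.get(content_id)
        result["corruption_detected"] = False
    except ValueError:
        result["corruption_detected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The empty blob and empty tree produced by this code have the well-known ids `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391` and `4b825dc642cb6eb9a060e54bf8d69288fbee4904`, which is a quick way to confirm the serialization matches git's.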
It's worth noting that git is not a clone of BitKeeper, or of any other
SCM. Certainly it incorporates lessons learned from years of use of
BitKeeper and other tools; it supports changesets, for example, and is
designed to be used in a distributed mode. But git is something new; it
brings a unique approach to the problem.
Watching the git development process snowball over the last few months has
been fascinating. A large and active development community coalesced
around git in short order; interestingly, relatively few of the core git
developers were significant kernel contributors. In a short period of
time, git has acquired most of the features expected from an SCM, its rough
edges have been smoothed, it has picked up a variety of graphical interfaces,
and it is widely used in the kernel development community. Git is clearly
a success.
The git developers are now working
toward a 1.0 release. As part of that process, Linus has now handed git over to a new
maintainer: Junio Hamano. Junio has been an active git developer for some
time; he will now attempt to take
the project forward as its leader. He will have plenty of work ahead
of him as git moves into a more stable (though still fast-moving) phase.
Git is an example of how well the free software process can work. Linus
has shown us, once again, that he knows how to get a successful free
software project started: put out a minimal (but well thought out) core
that begins to solve a problem, then let the community run with it. The
result is a vibrant, living project which incorporates the best of what has
been learned before while simultaneously breaking new ground. The creator
of the Linux kernel appears to have launched another winner.
But, then, some things still seem to surprise even Linus:
| August 25, 1991 | July 26, 2005 |
| "I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones." | "...this thing ended up being a bit bigger and more professional than I originally even envisioned." |
Let this be a lesson to all free software developers out there: the
humblest of projects can, with the right ideas and participation, become
far more "big and professional" than one might ever imagine.
A Firefox roadmap update
The Mozilla Foundation is
shaking up
its roadmap a little -- though not "scrapping" the
1.1 release as had been reported in some outlets.
The 1.1 release was originally planned for this month, but that has been
changed
to a 1.5 release planned for September. Chris Hofmann, Mozilla's director
of engineering, talked to us about the change in the roadmap, and what's
ahead for Firefox and Thunderbird.
Hofmann said that the version number change was made for a number of
reasons:
[The change] is partly technical, one of the features that is going into
this next release is a software updating feature, so we were able to do a
better job of testing incremental updates with this software update
feature. As we move up the numbering scale, and make sure that all of that
detection and ability to deal with numbering changes works with part of the
software update system and more importantly, recognizes the progress that
we've made in the last six months getting a number of features into the
product that we hadn't expected to be there and this far along.
Firefox developer Asa Dotzler also wrote about
the change:
One major consideration in this decision was the sheer volume of changes in
the Firefox core (Gecko) made a minor .1 increment seem misleading. While
it may not be obvious by looking simply at release dates, today's Gecko
core of Firefox has seen nearly 16 months worth of changes compared to what
shipped in Firefox 1.0. This is because we created our Gecko 1.7 branch
(the branch from which Firefox 1.0 shipped) back in April of 2004. At that
time, Gecko development on the trunk continued and very little of that work
was carried over to the 1.7 branch to be included in Firefox 1.0.
Indeed, there are quite a few new
features and other changes in Firefox 1.5, many of which we covered on
LWN with the first Deer Park
Alpha release. The 1.5 release should have improvements in pop-up
blocking, tab reordering, Scalable Vector
Graphics (SVG) support and ECMAScript
for XML (E4X) support.
One of the improvements that Hofmann highlighted for 1.5 is Firefox's extensions
system. According to Hofmann, the 1.5 release will handle versioning
information of extensions and "ability for the browser to recognize
extensions that might be incompatible with specific releases."
Hofmann also said that this release would allow the user to turn extensions
on and off, something that Firefox 1.0 does not allow -- though some
extensions, like Greasemonkey,
do provide that feature directly.
The 1.0 to 1.5 jump will also bring about some changes to the Firefox API,
which may affect
extensions that work with the current interface.
There's a pretty big shift in the API set for applications and extensions
that are moving from 1.0 to 1.5, most of the extension authors have taken
the work to make extensions that are going to be compatible with 1.5. There
might be a few more changes we make in the next few weeks of the
development cycle, but by the time we get to 1.5 release, the goal is to
have a very large percentage of the extensions available be compatible with
that release.
Thunderbird is also being shifted from a 1.1 release to a 1.5 release
around the same time frame as Firefox. Hofmann said that the version bump
for Thunderbird was, in part, because development had been moving along
nicely for Thunderbird as well -- but also because the Mozilla Foundation
is trying to keep version numbers for both applications in sync. He noted
that Thunderbird 1.5 would have improvements in spam detection and for
detecting phishing attacks, in-line spell checking and improved RSS
features. Thunderbird 1.5 will also feature improvements for updates, and
users should be able to do updates from Thunderbird directly.
Though the feature sets are sketchy at this point, the Mozilla Foundation's
roadmap calls for a Firefox 2.0 release in early 2006 and a Firefox 3.0 by
the end of 2006. One feature that Hofmann talked about for future releases
is Xul
Runner. According to Hofmann, Xul Runner will allow Firefox,
Thunderbird and other applications "to share core components of
technology." According to Hofmann, any one of the Mozilla
applications would include the core features, and then users would only
need to download "a thin layer" for additional applications.
Hofmann said that the first instance of Xul Runner would be available
"around the time we ship Firefox 1.5," and that the next
versions of Firefox and Thunderbird would be built on top of Xul Runner and
"allow sharing of common code" that both applications use.
Given the amount of time 1.5 has been in development (Firefox 1.0 was
released in November, 2004) it seems a bit ambitious to plan the 2.0 and
3.0 releases in 2006. However, anything is possible.
Meanwhile, the Firefox 1.5 Beta is scheduled for August, and a second
alpha release is available now for brave souls who can't wait for new
features, or who are eager to help in testing.
Page editor: Jonathan Corbet
Security
Greasemonkey gets into trouble
The ability to add extensions to Firefox has proven to be a popular
feature. One of the most popular extensions for Firefox, inspiring
countless user scripts, is the
Greasemonkey extension, which
allows users to change the behavior of web sites.
A serious vulnerability was found in Greasemonkey last
week by Mark Pilgrim, author of the upcoming book "Greasemonkey Hacks,"
and Dive Into
Greasemonkey. Pilgrim discovered that a combination of two flaws in
Greasemonkey could allow user data to be transmitted to virtually any
site.
We spoke to Pilgrim about the vulnerabilities, and the security of
Greasemonkey in general. According to Pilgrim, the first flaw let an
ordinary web page reach the Greasemonkey APIs that user scripts use to
call remote pages. A page exploiting it could make requests to other
sites without the user being aware of it, including posting data to
another site.
The second flaw allowed those APIs to be pointed at file URLs, so a
remote site could browse the contents of a user's hard drive. In
conjunction with the first vulnerability, "remote pages could access any
file on your system... [they could] recurse through the entire hard drive
and post it anywhere in the world, really. And that's bad."
These vulnerabilities are fixed in the 3.5 version of Greasemonkey, though
it is a "neutered" version that lacks the Greasemonkey APIs. Pilgrim said
that a beta had been released that should retain functionality and clear
up the security holes that he had found.
The new version disables file URLs altogether for that API function, so
even user scripts are not allowed to do that anymore, and second of all,
closes the hole that allows the remote page you're browsing to trap the API
call. The pages you browse now no longer have access to any of the
Greasemonkey internals. User scripts can still use it... but the page
you're browsing can't steal access to those pages.
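The first of the two fixes Pilgrim describes, refusing file URLs in the privileged request API, as an added example that is not Greasemonkey's code: a check a user-script host could run on every URL before issuing a request on a script's behalf. It normalises before deciding, since a naive prefix test is defeated by upper-case schemes, leading whitespace, scheme-relative strings and embedded control characters. `check_request_url` and `ALLOWED_SCHEMES` are names chosen for this example.

```python
"""Scheme allow-list for a privileged cross-site request API (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Only network schemes may be fetched on a script's behalf. Everything local
# (file:, and browser-internal schemes such as chrome: or resource:) is out.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def check_request_url(url: str) -> str:
    """Return the URL if the privileged API may fetch it, else raise ValueError."""
    if not isinstance(url, str):
        raise ValueError("URL must be a string")
    # Reject rather than strip: control characters inside a URL are a sign
    # of an attempt to confuse a parser, not a URL to be cleaned up.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("control character in URL")
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()          # "FILE:" and "file:" are the same thing
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {scheme or '(none)'!r} is not allowed")
    if not parts.hostname:                 # "http:///etc/passwd" has no host
        raise ValueError("URL has no host")
    return cleaned


def vet(urls: list[str]) -> dict[str, bool]:
    """Classify a batch of URLs; handy for exercising the check on odd inputs."""
    verdicts = {}
    for u in urls:
        try:
            check_request_url(u)
            verdicts[u] = True
        except ValueError:
            verdicts[u] = False
    return verdicts


if __name__ == "__main__":
    # Constructed sample inputs.
    for u, ok in vet([
        "https://example.org/api",
        "file:///etc/passwd",
        "FILE:///etc/passwd",
        " file:///etc/passwd",
        "javascript:alert(1)",
        "//evil.example/x",
        "http:///etc/passwd",
    ]).items():
        print(f"{'allow' if ok else 'deny '}  {u!r}")
```

The second fix, not exposing the API to page scripts at all, is a matter of where the object lives rather than of any single check; the allow-list above is a second line of defence for the case where a user script itself is pointed at a hostile URL.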
Even though the vulnerability has been closed in the latest versions of
Greasemonkey, Pilgrim said that users could still be vulnerable to
malicious user scripts. "Greasemonkey is very powerful, and people
need to be aware what they're installing." Indeed, there does seem
to be a level of concern that the problems with Greasemonkey are in its
features, not its vulnerabilities. The concept of allowing users to run
scripts in the browser developed by third parties, who may not have the
users' best interests in mind, opens up some scary possibilities.
Since Firefox and Greasemonkey are becoming increasingly popular with less
technical users, we asked Pilgrim how those users could verify that the
scripts they install were safe, and if there was any way for the
Greasemonkey team to protect those users.
Basically, there's no technical solution to that; Greasemonkey allows you
so much power that you can't stop people from writing malicious
scripts... without making Greasemonkey useless.
We also asked Chris Hofmann, director of engineering for Mozilla, about the
Greasemonkey vulnerability and whether the Mozilla developers could do
anything to make extensions safer for users. Hofmann also said that much of
the responsibility lies with the user to verify the source and function of
extensions. "Users should take caution for any extensions they
download, and to authenticate the source of the extension." He also
explained that the default operation of the browser was to warn users
before installing any software, to prevent any extensions or scripts from
being installed without the user's knowledge.
It's worth noting that Firefox is not unique in allowing extensions or
add-ons like Greasemonkey. Pilgrim noted that Turnabout for Internet
Explorer performed the same function for IE, by allowing users to run
scripts to change the function of websites. Just as with Firefox, Turnabout
users could easily run malicious scripts if they're not careful about where
they acquire them.
There's really nothing unique about the Greasemonkey situation,
though. Spyware and adware have propagated in large part because users have
been willing to download and install software without questioning the
source of the software or any possible side-effects.
The best that the Greasemonkey team can do is ensure that their software is
not subject to vulnerabilities like the two that Pilgrim discovered. Beyond
that, the responsibility will remain with the user to verify that
extensions, scripts and other software are suitable for use.
New vulnerabilities
ClamAntiVirus: integer overflows
| Package(s): | clamav |
| CVE #(s): | CAN-2005-2450 |
| Created: | July 26, 2005 |
| Updated: | August 16, 2005 |
| Description: | Clam AntiVirus versions prior to 0.86.2 are vulnerable to integer overflows when handling the TNEF, CHM and FSG file formats. By sending a specially-crafted file, an attacker could execute arbitrary code with the permissions of the user running Clam AntiVirus. |
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2005-2335 |
| Created: | July 21, 2005 |
| Updated: | August 12, 2005 |
| Description: | The fetchmail POP3 client has an arbitrary code execution vulnerability that may be triggered by a malicious POP server. See this advisory for more information. |
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd |
| CVE #(s): | CAN-2005-1268, CAN-2005-2088 |
| Created: | July 25, 2005 |
| Updated: | November 7, 2005 |
| Description: | Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. Apache then framed and forwarded the body of the request in such a way that the receiving server processed part of it as a separate HTTP request (the technique Watchfire named "HTTP request smuggling"). This could allow the bypass of web application firewall protection or lead to cross-site scripting (XSS) attacks. Separately, Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback; to exploit it, the Apache server would need to be configured to use a malicious certificate revocation list (CRL). |
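Why a request carrying both framing headers is dangerous, as an added example that is not Apache's code: the same raw request is framed three ways. The policy labelled `content-length` stands in for the forwarding behaviour the advisory describes (the proxy trusts Content-Length and passes the whole body on); `chunked` is what the receiving server does (Transfer-Encoding wins, the body ends at the zero-size chunk, and the bytes after it are read as the next request); `strict` is the hardened rule of refusing a request that carries both. The attack request and hostnames are constructed for the demo; the exact Apache code path is not on this page.

```python
"""Request framing under conflicting Content-Length and Transfer-Encoding.

Added example, not Apache code. Shows how a proxy that frames by Content-Length
and a server that frames by Transfer-Encoding disagree about where one request
ends, and the policy that refuses the ambiguity.
"""
from __future__ import annotations


def parse_head(raw: bytes) -> tuple[bytes, dict[str, str], bytes]:
    """Split a raw request into (request line, lowercase-keyed headers, body bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii")
        if key in headers:  # duplicated framing headers are a second ambiguity
            raise ValueError(f"duplicate header {key}")
        headers[key] = value.strip().decode("ascii")
    return lines[0], headers, rest


def read_chunked(rest: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body; return (body, bytes left over after the terminator)."""
    body, pos = b"", 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            while rest[pos:pos + 2] != b"\r\n":          # skip any trailer lines
                pos = rest.index(b"\r\n", pos) + 2
            return body, rest[pos + 2:]
        body += rest[pos:pos + size]
        pos += size
        if rest[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk")
        pos += 2


def frame(raw: bytes, policy: str) -> tuple[bytes, bytes]:
    """Return (body, leftover bytes) under one framing policy.

    "content-length": trust Content-Length even if Transfer-Encoding is present.
    "chunked":        Transfer-Encoding takes precedence (what origin servers do).
    "strict":         refuse a request carrying both headers (hardened front end).
    """
    _, headers, rest = parse_head(raw)
    has_te = headers.get("transfer-encoding", "").lower() == "chunked"
    has_cl = "content-length" in headers
    if policy == "strict" and has_te and has_cl:
        raise ValueError("ambiguous framing: both Transfer-Encoding and Content-Length")
    if has_te and policy != "content-length":
        return read_chunked(rest)
    length = int(headers.get("content-length", "0"))
    return rest[:length], rest[length:]


# Constructed attack request: the chunked body ends immediately ("0\r\n\r\n") and
# Content-Length is sized to cover the extra request hidden after it.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: victim.example\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
ATTACK = (
    b"POST /search HTTP/1.1\r\n"
    + b"Host: victim.example\r\n"
    + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    + b"Transfer-Encoding: chunked\r\n"
    + b"\r\n"
    + BODY
)


def demo() -> dict[str, object]:
    proxy_body, proxy_left = frame(ATTACK, "content-length")
    server_body, server_left = frame(ATTACK, "chunked")
    try:
        frame(ATTACK, "strict")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "proxy_forwards": proxy_body,     # whole body, nothing left over
        "proxy_leftover": proxy_left,
        "server_sees_body": server_body,  # empty: the chunked body ended at "0"
        "server_leftover": server_left,   # SMUGGLED, parsed as a second request
        "strict_rejects": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")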
libgadu: integer overflows
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-1852 |
| Created: | July 22, 2005 |
| Updated: | July 27, 2005 |
| Description: | libgadu, a library implementing the Gadu-Gadu instant messaging protocol, suffers from a set of integer overflow vulnerabilities. Because the library is embedded in a number of other packages, they are affected as well; see, for example, this KDE advisory for kdenetwork and Kopete. |
movemail: arbitrary code execution
| Package(s): | movemail |
| CVE #(s): | |
| Created: | July 21, 2005 |
| Updated: | July 27, 2005 |
| Description: | The emacs movemail POP utility has an arbitrary code execution vulnerability that can be activated by connecting to a malicious POP server. |
phpbb2: cross-site scripting
| Package(s): | phpbb2 |
| CVE #(s): | CAN-2005-2161 |
| Created: | July 27, 2005 |
| Updated: | July 27, 2005 |
| Description: | The phpbb2 package suffers from a cross-site scripting vulnerability. |
sandbox: insecure temporary file handling
| Package(s): | sandbox |
| CVE #(s): | |
| Created: | July 25, 2005 |
| Updated: | July 27, 2005 |
| Description: | The Gentoo Linux Security Audit Team discovered that the sandbox utility was vulnerable to multiple TOCTOU (time of check, time of use) file creation race conditions. Local users may be able to create or overwrite arbitrary files with the permissions of the root user. |
shorewall: rule bypass vulnerability
| Package(s): | shorewall |
| CVE #(s): | CAN-2005-2317 |
| Created: | July 21, 2005 |
| Updated: | October 10, 2005 |
| Description: | Shorewall has a vulnerability in which a client that is accepted by MAC address filtering can bypass other rules, allowing access to all open services on the firewall. |
vim: arbitrary command execution
| Package(s): | vim |
| CVE #(s): | CAN-2005-2368 |
| Created: | July 26, 2005 |
| Updated: | August 23, 2005 |
| Description: | Georgi Guninski discovered that it was possible to construct Vim 6.3 modelines that execute arbitrary shell commands by wrapping them in glob() or expand() function calls. If an attacker tricked a user into opening a file with a specially crafted modeline, they could exploit this to execute arbitrary commands with the user's privileges. |
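A triage check for files arriving from untrusted sources, as an added example that is not Vim's code: it finds Vim modelines in the lines Vim actually examines (the first and last `'modelines'` lines, five by default), extracts the option text in both modeline forms (`vim: opts` and `vim: set opts:`, honouring the `\:` escape in the second), and flags option values that contain the `glob()` or `expand()` calls named in the advisory. It does not claim to know which options Vim evaluates; it reports what a reviewer would want to look at. The sample file contents are constructed.

```python
"""Find Vim modelines whose option values contain function calls (added example)."""
from __future__ import annotations

import re

MODELINES = 5  # Vim's default: only the first and last five lines are examined

# "[text ]vim:opts" / "[text ]vim: set opts:"; also vi:, Vim:, ex:, and the
# version-qualified forms vim<nn:, vim=nn:, vim>nn:.
_MODELINE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex)(?:[<=>]?\d+)?:\s*(?P<rest>.*)$")
_SET_FORM = re.compile(r"^(?:setl(?:ocal)?|se(?:t)?)\s+(?P<opts>.*)$")
_SUSPICIOUS = re.compile(r"\b(?:glob|expand)\s*\(")


def extract_options(line: str) -> str | None:
    """Return the option text of a modeline found on this line, or None."""
    m = _MODELINE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    set_form = _SET_FORM.match(rest)
    if not set_form:
        return rest  # first form: options run to the end of the line
    # Second form: options end at the first ':' that is not escaped as '\:'.
    opts = set_form.group("opts")
    out, i = [], 0
    while i < len(opts):
        if opts[i] == "\\" and i + 1 < len(opts):
            out.append(opts[i + 1])
            i += 2
            continue
        if opts[i] == ":":
            break
        out.append(opts[i])
        i += 1
    return "".join(out)


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, option text, reason) for each suspicious modeline."""
    lines = text.splitlines()
    if len(lines) <= 2 * MODELINES:
        candidates = list(enumerate(lines, 1))
    else:
        candidates = list(enumerate(lines[:MODELINES], 1)) + list(
            enumerate(lines[-MODELINES:], len(lines) - MODELINES + 1)
        )
    findings = []
    for lineno, line in candidates:
        opts = extract_options(line)
        if opts is not None and _SUSPICIOUS.search(opts):
            findings.append((lineno, opts, "function call in modeline option value"))
    return findings


# Constructed samples.
BENIGN = "# vim: set ts=4 sw=4 et:\nprint('hello')\n"
SUSPECT = r"""/* vim: set foldexpr=glob("*.c"): */
int main(void) { return 0; }
/* vi:ts=8:noet */
/* ex: set makeprg=expand('%\:p'): */
"""
# A modeline in the middle of a long file is outside the lines Vim looks at.
MIDDLE = "\n".join(["int x;"] * 9 + ['/* vim: set foldexpr=glob("a"): */'] + ["int y;"] * 10)

if __name__ == "__main__":
    for name, text in (("BENIGN", BENIGN), ("SUSPECT", SUSPECT), ("MIDDLE", MIDDLE)):
        print(name, scan(text))
```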
webcalendar: information disclosure
| Package(s): | webcalendar |
| CVE #(s): | CAN-2005-2320 |
| Created: | July 27, 2005 |
| Updated: | July 27, 2005 |
| Description: | The webcalendar utility suffers from an information disclosure vulnerability. |
zlib: buffer overflow
| Package(s): | zlib |
| CVE #(s): | CAN-2005-1849 |
| Created: | July 21, 2005 |
| Updated: | April 11, 2006 |
| Description: | zlib contains a buffer overflow that can cause programs linked against it to crash when they decompress a corrupted file. |
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
affix: two remote vulnerabilities
| Package(s): | affix |
| CVE #(s): | CAN-2005-2250, CAN-2005-2277 |
| Created: | July 19, 2005 |
| Updated: | September 2, 2005 |
| Description: | A buffer overflow in the Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary code via a long filename in an OBEX file share. Remote attackers may also execute arbitrary commands via shell metacharacters in the filename argument of a PUT command. |
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | bzip2 1.0.2 and earlier sets the permissions of the output file by path after decompression has finished; a local user who replaces that file with a hard link while decompression is in progress can have the permission change applied to an arbitrary file. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
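The race behind both the sandbox entry (file creation) and the bzip2 entry (permission setting) above, as an added example that is neither project's code: a writer creates a file, then fixes its permissions with a path-based `chmod`, and a local attacker who swaps the name for a hard link in between gets the `chmod` applied to a file of their choosing. The hardened version creates the file with `O_CREAT|O_EXCL|O_NOFOLLOW`, keeps the descriptor, and uses `fchmod`, so the permission change lands on the inode that was created no matter what the name points at now. The attacker is simulated by a callback run at the vulnerable moment, in a temporary directory; this needs a POSIX system.

```python
"""Setting an output file's permissions by path versus by descriptor (added example)."""
from __future__ import annotations

import os
import stat
import tempfile
from typing import Callable

PAYLOAD = b"decompressed data\n"
Writer = Callable[[str, int, Callable[[], None]], None]


def write_by_path(dst: str, mode: int, race: Callable[[], None]) -> None:
    """Vulnerable: create, write, close, then chmod by *name*."""
    with open(dst, "wb") as f:
        f.write(PAYLOAD)
    race()               # attacker swaps dst for a link to another file...
    os.chmod(dst, mode)  # ...and the chmod applies to whatever dst names now


def write_by_fd(dst: str, mode: int, race: Callable[[], None]) -> None:
    """Hardened: exclusive create, keep the descriptor, chmod the descriptor.

    O_EXCL refuses a pre-planted file or link, O_NOFOLLOW refuses a symlink,
    and fchmod acts on the inode we created regardless of what dst names now.
    """
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        os.write(fd, PAYLOAD)
        race()
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def simulate(writer: Writer) -> int:
    """Run one writer against a hard-link swap; return the victim's final mode bits."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")  # stands in for a file the attacker wants opened up
        dst = os.path.join(d, "out.txt")
        with open(victim, "wb") as f:
            f.write(b"secret\n")
        os.chmod(victim, 0o600)

        def swap() -> None:
            os.unlink(dst)
            os.link(victim, dst)  # same filesystem, so a hard link works

        writer(dst, 0o644, swap)
        return stat.S_IMODE(os.stat(victim).st_mode)


def refuses_planted_file() -> bool:
    """O_EXCL: a name the attacker created in advance is refused outright."""
    with tempfile.TemporaryDirectory() as d:
        dst = os.path.join(d, "out.txt")
        open(dst, "wb").close()
        try:
            write_by_fd(dst, 0o644, lambda: None)
        except FileExistsError:
            return True
        return False


if __name__ == "__main__":
    print(f"by path: victim mode {simulate(write_by_path):o}")   # 644: attacker won
    print(f"by fd:   victim mode {simulate(write_by_fd):o}")     # 600: unchanged
    print(f"planted name refused: {refuses_planted_file()}")
```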
cacti: SQL injection and PHP file inclusion
| Package(s): | cacti |
| CVE #(s): | |
| Created: | June 22, 2005 |
| Updated: | July 21, 2005 |
| Description: | Cacti (prior to version 0.8.6e) suffers from vulnerabilities which can lead to SQL injection and (on some systems) execution of arbitrary PHP files. |
cpio: file permissions error
| Package(s): | cpio |
| CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 |
| Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
cpio: directory traversal
| Package(s): | cpio |
| CVE #(s): | CAN-2005-1111 |
| Created: | June 20, 2005 |
| Updated: | December 26, 2005 |
| Description: | cpio (2.6 and previous) allows a malicious cpio archive to extract files into an arbitrary directory of the attacker's choice: cpio extracts to the path specified in the archive, and that path can be absolute. |
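The check an extractor has to apply to every member name before creating anything, as an added example that is not cpio's code. It refuses the absolute paths in the entry above and goes a little further, since the same bug has the same neighbours: `..` components, names that resolve to the destination itself, and names that pass through an existing symlink inside the destination (planted beforehand, or extracted earlier from the same archive), any of which would let the write land outside the chosen directory. `resolve_member` and `vet_archive` are names for this example; the archive listing is constructed.

```python
"""Safe extraction target for archive member names (added example)."""
from __future__ import annotations

import os
import tempfile


def resolve_member(root: str, member: str) -> str:
    """Return the absolute path to write for this member, or raise ValueError."""
    if not member or "\0" in member:
        raise ValueError("empty or NUL-containing member name")
    if member.startswith("/"):
        raise ValueError(f"absolute member path refused: {member!r}")
    parts = [p for p in member.split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError(f"member name resolves to the root itself: {member!r}")
    if ".." in parts:
        raise ValueError(f"parent traversal refused: {member!r}")
    root_real = os.path.realpath(root)
    # Walk the parent components: an existing symlink on the way would redirect
    # the write outside root even though the name itself looks harmless.
    cur = root_real
    for p in parts[:-1]:
        cur = os.path.join(cur, p)
        if os.path.islink(cur):
            raise ValueError(f"path passes through a symlink: {cur!r}")
    target = os.path.join(cur, parts[-1])
    if os.path.islink(target):
        raise ValueError(f"target is a symlink: {target!r}")
    # Belt and braces: the resolved target must still sit inside root.
    if os.path.commonpath([root_real, os.path.realpath(target)]) != root_real:
        raise ValueError(f"target escapes root: {member!r}")
    return target


def vet_archive(root: str, members: list[str]) -> dict[str, str | None]:
    """Map each member name to its extraction path, or None if it was refused."""
    verdicts: dict[str, str | None] = {}
    for m in members:
        try:
            verdicts[m] = resolve_member(root, m)
        except ValueError:
            verdicts[m] = None
    return verdicts


def demo() -> dict[str, str | None]:
    """A constructed listing run against a scratch directory with a planted symlink."""
    with tempfile.TemporaryDirectory() as root:
        os.symlink(os.path.dirname(root), os.path.join(root, "lnk"))
        return vet_archive(root, [
            "etc/motd",          # fine
            "/etc/passwd",       # absolute path, the cpio issue above
            "../../etc/passwd",  # parent traversal
            "a/./b//c",          # messy but harmless; normalised
            "./",                # the destination itself
            "lnk/escape",        # through the planted symlink
        ])


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name!r:22} -> {path if path else 'REFUSED'}")
```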
CUPS: multiple vulnerabilities
| Package(s): | CUPS |
| CVE #(s): | CAN-2004-2154 |
| Created: | July 14, 2005 |
| Updated: | September 20, 2005 |
| Description: | The CUPS printing system has a problem with queue name case-sensitivity matching that can cause a security policy override. An unauthorized user can use this to print to a protected queue. |
cURL: buffer overflow
| Package(s): | curl |
| CVE #(s): | CAN-2005-0490 |
| Created: | February 28, 2005 |
| Updated: | July 19, 2005 |
| Description: | Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64-encoded replies that exceed the intended buffer lengths when decoded. |
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
dbus: information disclosure
| Package(s): | dbus |
| CVE #(s): | CAN-2005-0201 |
| Created: | June 8, 2005 |
| Updated: | August 30, 2005 |
| Description: | From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening. |
dhcpcd: denial of service
| Package(s): | dhcpcd |
| CVE #(s): | CAN-2005-1848 |
| Created: | July 13, 2005 |
| Updated: | September 13, 2005 |
| Description: | The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash. |
Dnsmasq: poisoning and DoS
| Package(s): | dnsmasq |
| CVE #(s): | |
| Created: | April 4, 2005 |
| Updated: | July 21, 2005 |
| Description: | Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent, which opens the way to cache poisoning. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash dnsmasq while it parses DHCP lease files. |
ekg: multiple vulnerabilities
| Package(s): | ekg |
| CVE #(s): | CAN-2005-1850, CAN-2005-1851, CAN-2005-1916 |
| Created: | July 18, 2005 |
| Updated: | August 8, 2005 |
| Description: | Several vulnerabilities have been discovered in the ekg contributed scripts. These include an insecure temporary file creation problem, a potential shell command injection problem, and an arbitrary command execution problem. |
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
Comments (none posted)
enscript: arbitrary code execution
Package(s): enscript
CVE #(s): CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
Created: January 21, 2005
Updated: May 27, 2006
Description:
Erik Sjölund has discovered several security-relevant problems in enscript,
a program to convert ASCII text into PostScript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Because filenames are not sanitized, a specially crafted
filename can cause arbitrary commands to be executed. Multiple buffer
overflows can cause the program to crash.
Alerts:
Comments (none posted)
evolution: message crash vulnerability
Package(s): evolution
CVE #(s): CAN-2005-0806
Created: March 17, 2005
Updated: August 11, 2005
Description:
The Evolution mail client can be crashed when reading
certain types of messages.
Alerts:
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
Package(s): foomatic
CVE #(s): CAN-2004-0801
Created: September 20, 2004
Updated: May 31, 2006
Description:
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
Alerts:
Comments (none posted)
gdb: multiple vulnerabilities
Package(s): gdb
CVE #(s): CAN-2005-1704
CAN-2005-1705
Created: May 20, 2005
Updated: August 11, 2006
Description:
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands.
Alerts:
Comments (5 posted)
gdk-pixbuf, gtk2: denial of service
Package(s): gdk-pixbuf gtk2
CVE #(s): CAN-2005-0891
Created: March 30, 2005
Updated: December 19, 2005
Description:
The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Comments (none posted)
gettext: Insecure temporary file handling
Package(s): gettext
CVE #(s): CAN-2004-0966
Created: October 11, 2004
Updated: March 1, 2006
Description:
gettext insecurely creates temporary files in world-writable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
Alerts:
Comments (1 posted)
ghostscript: symlink vulnerabilities
Package(s): ghostscript
CVE #(s): CAN-2004-0967
Created: October 20, 2004
Updated: September 28, 2005
Description:
The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Comments (none posted)
glibc: tempfile vulnerability in catchsegv script
Package(s): glibc
CVE #(s): CAN-2004-0968
Created: October 21, 2004
Updated: November 14, 2005
Description:
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script.
Alerts:
Comments (none posted)
gnupg: information leak
Package(s): gnupg
CVE #(s): CAN-2005-0366
Created: March 16, 2005
Updated: August 19, 2005
Description:
GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Alerts:
Comments (none posted)
grip: buffer overflow
Package(s): grip
CVE #(s): CAN-2005-0706
Created: March 10, 2005
Updated: September 16, 2005
Description:
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches.
Alerts:
Comments (none posted)
groff: insecure temporary directory
Package(s): groff
CVE #(s): CAN-2004-0969
Created: November 1, 2004
Updated: February 9, 2006
Description:
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
Alerts:
Comments (none posted)
gxine: format string vulnerability
Package(s): gxine
CVE #(s): CAN-2005-1692
Created: May 26, 2005
Updated: July 23, 2005
Description:
The gxine media player has a format string vulnerability in its
hostname decoding function. A specially crafted file can cause
arbitrary code to run with the privileges of the user who opens it.
Alerts:
Comments (none posted)
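The movemail and gxine entries above are the same class of bug: text that arrived from a remote peer (a POP3 server's reply, a hostname from a media file) is handed to a printf-family function as the format argument rather than as data. The following C snippet, added here for illustration and not taken from either project, puts the vulnerable pattern beside the fix and adds a small audit helper; the function names and the sample server replies are made up.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE (kept only for contrast): the server's reply *is* the format string.
   A reply such as "-ERR %s%s%s%n" makes snprintf read pointer-sized stack slots
   and, with %n, write through one. The compiler warns about exactly this line
   (-Wformat-security); the pragma silences it so the contrast compiles cleanly. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void report_server_error_unsafe(char *out, size_t n, const char *server_reply) {
    snprintf(out, n, server_reply);
}
#pragma GCC diagnostic pop

/* FIXED: the format is a compile-time literal and the untrusted text is consumed
   only by a %s conversion, so no directive inside it is ever interpreted. */
void report_server_error_safe(char *out, size_t n, const char *server_reply) {
    snprintf(out, n, "movemail: server said: %s", server_reply);
}

/* Audit helper: number of conversion directives in s ("%%" is a literal percent).
   Any nonzero count for data that reaches a format argument is a bug. */
int count_conversions(const char *s) {
    int c = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        c++;
    }
    return c;
}
```

The harmless way to see the difference without crashing anything is a reply containing "%%": the unsafe path collapses it to a single "%" because it is parsing the reply as a format, while the safe path passes it through untouched.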
heartbeat: insecure temporary files
Package(s): heartbeat
CVE #(s): CAN-2005-2231
Created: July 19, 2005
Updated: August 15, 2005
Description:
Eric Romang discovered several insecure temporary file creations in
the High Availability Linux Project Heartbeat 1.2.3.
Alerts:
Comments (none posted)
htdig: cross site scripting
Package(s): htdig
CVE #(s): CAN-2005-0085
Created: February 14, 2005
Updated: January 10, 2006
Description:
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.
Alerts:
Comments (none posted)
imap: buffer overflow in c-client
Package(s): imap
CVE #(s): CAN-2003-0297
Created: February 18, 2005
Updated: April 9, 2006
Description:
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine.
Alerts:
Comments (none posted)
imlib2: buffer overflows
Package(s): imlib2
CVE #(s): CAN-2004-0802
CAN-2004-0817
Created: September 8, 2004
Updated: October 26, 2005
Description:
The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Comments (none posted)
infozip: privilege escalation, directory-traversal
Package(s): infozip
CVE #(s): CAN-2003-0282
CAN-2004-1010
CAN-2005-0602
Created: May 2, 2005
Updated: August 1, 2005
Description:
InfoZip reports that Zip 2.3 and
(presumably) all previous versions have a buffer-overrun vulnerability
relating to deep directory paths that could potentially lead to local
privilege escalation (e.g., in the case of automated, Zip-based backups).
All versions of UnZip through 5.50 have a number of directory-traversal
vulnerabilities.
Alerts:
Comments (1 posted)
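Directory traversal in an unarchiver comes down to one question per member: may this name be created beneath the extraction directory? The C code below is an added example, not InfoZip's, contrasting the incomplete check that only looks at a leading "../" with one that rejects a ".." component anywhere, absolute paths and DOS drive letters, treating both '/' and '\' as separators. A bounded path join is included for the deep-path overrun side of the entry; that a fixed-size path buffer is the cause is the usual pattern for such bugs and an assumption here, not a statement about Zip's source.

```c
#include <stdio.h>
#include <string.h>

/* The incomplete check: only a *leading* "../" (or an absolute path) is refused.
   "docs/../../../etc/passwd" passes and still escapes the target directory. */
int naive_member_check(const char *name) {
    return strncmp(name, "../", 3) != 0 && name[0] != '/';
}

/* 1 if an archive member name may be extracted beneath the target directory,
   0 otherwise. Rejects empty names, absolute paths (leading '/' or '\', or a
   drive letter such as "C:"), and a ".." component in any position. Both '/'
   and '\' count as separators, since zips written on Windows carry backslashes
   and some extractors honour them. */
int zip_member_name_is_safe(const char *name) {
    if (name == NULL || name[0] == '\0') return 0;
    if (name[0] == '/' || name[0] == '\\') return 0;
    if (name[1] == ':' && (name[0] | 0x20) >= 'a' && (name[0] | 0x20) <= 'z') return 0;
    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.') return 0;
        if (*p) p++;                   /* skip the separator */
    }
    return 1;
}

/* Join dir and name into out only if the result fits; never trust that archive
   paths are "short enough" for a fixed buffer. Returns the length or -1. */
int join_path_bounded(char *out, size_t n, const char *dir, const char *name) {
    int r = snprintf(out, n, "%s/%s", dir, name);
    if (r < 0 || (size_t)r >= n) {
        if (n) out[0] = '\0';
        return -1;
    }
    return r;
}
```

A name that passes `zip_member_name_is_safe` can still point outside the tree if an earlier member created a symlink inside it; an extractor that writes symlinks has to re-check each final path (or refuse to follow links) as well.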
junkbuster: heap corruption and settings modification
Package(s): junkbuster
CVE #(s): CVE-2005-1108
CVE-2005-1109
Created: April 13, 2005
Updated: November 5, 2005
Description:
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Comments (1 posted)
kdelibs: unsanitized input
Package(s): kdelibs
CVE #(s): CAN-2004-1165
Created: January 10, 2005
Updated: July 19, 2005
Description:
Thiago Macieira discovered a vulnerability in the kioslave library,
which is part of kdelibs, which allows a remote attacker to execute
arbitrary FTP commands via an ftp:// URL that contains a URL-encoded
newline before the FTP command.
Alerts:
Comments (none posted)
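The kioslave bug is a line-terminator injection into a line-oriented protocol: "%0A" in the URL decodes to a newline, the FTP server reads the rest of the path as a second command. The C code below is an added example and not kdelibs code; it decodes a path, builds the command the unsafe way and the safe way, and counts how many commands the server would actually see. The URLs and command names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode `in` into `out` (capacity n, NUL-terminated). Returns the decoded
   length, which differs from strlen(out) if the input carried %00, or -1 on a
   malformed escape or overflow. */
int url_decode(const char *in, char *out, size_t n) {
    size_t o = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            int h = hexval((unsigned char)in[1]);
            int l = h < 0 ? -1 : hexval((unsigned char)in[2]);
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            in += 2;
        }
        if (o + 1 >= n) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* 1 when a decoded argument can sit on one FTP command line: no CR, LF or NUL in
   any of its `len` bytes. A newline ends the command early and the remainder is
   executed as a second command; a NUL would hide whatever follows it from C
   string functions. */
int ftp_arg_is_safe(const char *s, size_t len) {
    return memchr(s, '\r', len) == NULL && memchr(s, '\n', len) == NULL
        && memchr(s, '\0', len) == NULL;
}

/* VULNERABLE: "VERB arg\r\n" from whatever decoded text it is handed. */
int build_ftp_cmd_unsafe(char *out, size_t n, const char *verb, const char *arg) {
    int r = snprintf(out, n, "%s %s\r\n", verb, arg);
    return (r > 0 && (size_t)r < n) ? r : -1;
}

/* FIXED: refuse line terminators and embedded NUL before building the command. */
int build_ftp_cmd_safe(char *out, size_t n, const char *verb, const char *arg, size_t arglen) {
    if (!ftp_arg_is_safe(arg, arglen)) return -1;
    return build_ftp_cmd_unsafe(out, n, verb, arg);
}

/* Number of command lines a server would see in buf. */
int count_ftp_lines(const char *buf) {
    int c = 0;
    for (const char *p = buf; (p = strchr(p, '\n')) != NULL; p++) c++;
    return c;
}
```

The check is applied after decoding on purpose: filtering the raw URL for a literal newline misses "%0A", and filtering for "%0A" misses double-encoded or mixed-case forms. Validate the bytes that will actually go on the wire.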
kdelibs: kate backup file permission leak
Package(s): kdelibs kate kwrite
CVE #(s): CAN-2005-1920
Created: July 19, 2005
Updated: November 27, 2006
Description:
Kate / KWrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup copy before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
Alerts:
Comments (none posted)
kernel: ELF loader core dump vulnerability
Package(s): kernel
CVE #(s): CAN-2005-1263
Created: May 11, 2005
Updated: August 25, 2005
Description:
Paul Starzetz has posted an
advisory for yet another kernel vulnerability.
In this case, by using a specially manipulated ELF binary, a local attacker
can compromise the system (via the core dump code) and obtain root access.
This vulnerability affects all kernels from 2.2 through 2.6.12-rc4.
Alerts:
Comment