
LWN.net Weekly Edition for August 18, 2005

The Open Software License, Version 3.0

In December, 2004, a committee tasked by the European Commission issued a report [PDF] on open source licensing. This report concluded that, while the existing open source licenses achieved a number of important goals, none was 100% suited to the task of licensing software in Europe. The shortcomings they found led the committee to suggest that the EU should adopt either a modified version of the Open Software License or a completely new license drafted with European requirements in mind.

Most of the problems found by this committee were related to terminology. Most open source licenses, for example, allow the licensed software to be redistributed. Under the European interpretation, however, "redistribute" has a narrower meaning; in particular, it does not include acts like making the software available for general download on the net. The essential right for this sort of redistribution is "communicate to the public." Without an explicit grant of the right to communicate the licensed code to the public, the possibility remains that some court, somewhere, could conclude that putting a tarball on a web site is a violation of the license.

"Virality" is another concern of the authors, who see the GPL as being rather more "viral" than the alternative licenses. In particular, the authors see dynamic linkage as a barrier over which the concept of a "derived work" cannot cross:

The viral effect through mere dynamic linkage (also called "strong copyleft") is a much more debated question, and currently discussed on its legal grounds. From our point of view, there is no legal provision in the EC 91/250 directive on which this viral effect could be grounded. On the contrary, when a program dynamically linked with another, no code is reproduced in the program as such: the only reproduction of code that is made occurs in the RAM of the computer, where both the programs are "merged".

The Free Software Foundation, instead, does not feel that the type of linking used affects the copyright status of the resulting program. This distinction is important; it could, for example, affect the status of proprietary kernel modules. Because they disagree with the FSF's interpretation, the report's authors shy away from the GPL, even though other "copyleft" licenses contain similar language - and copyleft is what the authors say they want.

A few other details caught their attention. Licenses in Europe, for example, are generally not allowed to outlast the corresponding intellectual property protection period. The terms of a copyright license thus cannot be imposed after the covered work has gone out of copyright, should that ever be allowed to happen again. Some details in warranty disclaimers are different, and there are certain types of warranty which cannot be disclaimed.

In response to this report, Lawrence Rosen, the author of the Open Software License, has announced a draft version 3.0 of the OSL [PDF] for review. The draft is annotated so that it is easy to see what has changed from the current version (2.1). Most of the changes are fairly obvious given the discussion above: the OSL now explicitly grants the right to "communicate" the software, for example. The license is no longer "perpetual"; instead, the copyright and patent grants are for the copyright and patent protection periods, respectively.

There are a couple of new terms which might not be popular with all users of this license, however. The "acceptance" clause now includes the following text:

If You distribute or communicate copies of the Original Work or a Derivative Work, You must make a reasonable effort under the circumstances to obtain the express assent of recipients to the terms of this License.

This language is a response to concerns about whether a license can truly be binding in Europe if the licensee has not explicitly accepted it. The "reasonable effort under the circumstances" might include an active copyright acceptance step required at download time or when the software is installed. It is unclear what might be expected of a distributor shipping OSL-licensed software mixed in with thousands of other packages.

The new license also adds:

Unless You obtain a separate license or a waiver of this sentence from the Licensor, (i) You must display Licensor's copyright and patent notices on copies of the Original Work and Derivative Works that You distribute, in the same places and with the same prominence as You display Your own copyright and patent notices, and (ii) You must display a statement to the effect that "Your work is a Derivative Work of Licensor's Original Work licensed under the Open Software License version 3.0" in copies of Derivative Works that You distribute, in the same places and with the same prominence as You display Your own trademarks.

This looks like the return of the unlamented BSD advertising clause. It is less onerous, however, in that it only requires attribution in places where the redistributor is asserting copyright claims. Still, a splash screen for an application built from several OSL-licensed libraries could get unwieldy. Mr. Rosen states:

This change has nothing to do with the other changes I made in response to the EC proposal for a license that conforms more closely to their language and needs. It was made because certain open source companies who contribute free software have told me they need a way to prevent downstream distributors from simply making it appear that the new distributors -- and not the original author -- are the ones responsible for the work.

It is not clear how much of a problem this has been in the real world, and whether it truly needs fixing.

The OSL is not a hugely popular license; Freshmeat claims that the OSL applies to 0.15% of the projects listed there. There are some important projects using the OSL, however, including Rails, Globus, ImageMagick, and sparse. This license is well respected and carries a certain influence. Its importance could grow if it comes to be seen as the license to use for those who are especially concerned about adherence to European law. So this proposed update is significant. For those who are interested, the discussion is happening now on the Open Source Initiative's license-discuss mailing list.

Comments (30 posted)

GNOME and the way forward

It is not often that a straightforward software release announcement generates over 100 comments on LWN, so the recent GTK+ 2.8.0 announcement is special. One might think that the commenters were excited about the new GTK+ features, including Cairo graphics, composite extension support, or that sexy new file browser widget. But no such luck. It would seem that what people really want to talk about is key bindings, which are unchanged in 2.8.0. Certain users see GNOME as moving steadily away from its initial user base, and away from the traditions of Unix as a whole, and they are vocal about their discontent with this state of affairs.

Certainly, the GNOME desktop offers enough annoyances to make just about any user grumpy. Your editor is burned daily by the metacity "a new window gets the keyboard focus regardless of the pointer position" policy; having the focus yanked away in the middle of a sentence does not seem like the most user-friendly policy. Why can't gthumb's forms do the right thing when the user hits "enter," rather than forcing another trip back to the mouse? Where, exactly, is the little option to get emacs key bindings? Clicking on a window does not mean the window should be raised; there is a separate combination for that. The new, "electron cloud" busy-cursor behavior in the Rawhide version of GNOME 2.12 is distracting and annoying, requiring a trip to an external site for a new cursor theme. Dia's aggressive use of "tool tips" makes a nice drawing application almost unusable. Why is there no easy way to move settings from one system to another? And so on.

Annoyances are part of using a computer, however. It is hard to imagine that a desktop as complex and featureful as GNOME would be free of glitches. These things can be smoothed out over time to make room for new bits of obnoxious behavior. The GNOME debate goes beyond the current set of misfeatures, however, and into a couple of fundamental issues which are worth a look.

One of these is: to what extent is GNOME a "Unix" desktop, and to what extent should it preserve the traditional Unix way of doing things, whatever that might be? At the 2000 Ottawa Linux Symposium, Miguel de Icaza delivered his famous "Unix sucks" talk. Unix, he said, had gone stale and had not been the source of any significant innovation for quite some time. The GNOME project intended to move beyond hidebound Unix ways and deliver something new. Miguel's vision, which seemed to involve switching over to hidebound Microsoft ways, does not appear to be driving the GNOME project at this time, but the project does appear willing to break from the past - even its own past - if that offers hope of a better desktop.

And that is how it should be. The Unix way of doing things worked well in a different era, when users were clueful, systems were small (in capability, if not in actual size), and an ADM 3 terminal in one's office seemed like a major step up. How do many of the fundamental Unix ideas - writing programs as small, text-oriented filters, for example - fit into the creation of a modern, graphical desktop? Clearly, developers wishing to pull Linux forward into a larger world with a broader user community have to be willing to do some things differently. One may not agree with everything that the GNOME project has done, but the GNOME hackers are (like their counterparts at KDE and elsewhere) trying to change the world for the better.

It would be surprising indeed if there were a consensus on what "better" is, especially before it has been implemented and pounded on. The GNOME idea of "better" may or may not win out in the end, but, because the developers are working at it, we will have the opportunity to find out. And that is a good thing.

The other issue which comes up with some regularity is a perceived arrogance from some in the GNOME camp. Experimentation with the desktop will go best when accompanied by careful attention to the resulting cries of agony from the user community. Users have often been heard to complain, however, that the GNOME hackers Know Too Much to listen to those cries as they follow the One True Course. A tendency by some developers to describe user requests as "crack" probably has not helped in this regard. Recent posters have complained about the refusal by the Evolution maintainers to accept a patch enabling the use of external editors.

There is a hard line to follow here; the maintainer of any successful free software project must learn to say "no" to features and requests much of the time, or that project will likely collapse under its own weight. Say "no" too often, however, and both users and developers will leave for a more accommodating environment. The GNOME developers may well be guilty of occasionally erring on the "no" side of that line, however. The project probably hit its low point early in the 2.x series, when configuration options were being jettisoned in a seemingly indiscriminate manner and few apologies were forthcoming. The situation seems to have improved, however, even if work remains to be done; chances are that 2.12 will be the best GNOME release yet.

The nice thing about all this is that we are dealing with free software. Using GNOME is not required to get the most out of Linux. The KDE project is out there, and several other desktops as well; it should not be hard to find one to suit the needs of any particular user. One can even still operate a Linux system via an ADM 3 terminal, using the traditional key bindings. The GNOME hackers are doing the right thing in a general sense by pushing toward their vision of a better desktop. If they fail to meet the needs of the user community - or to listen to that community's feedback - there are plenty of alternatives to choose from. Or even the option of forking the project, should that seem like the best course. For the time being, however, this project has made major progress in the creation of a powerful Linux desktop, and the whole thing is free software. There are limits to how much one should complain about that.

[As a footnote, it's worth noting that long-time GNOME release manager Jeff Waugh is stepping down; his replacement will likely be Elijah Newren. Congratulations are due to Jeff for heading up several smooth, on-time GNOME releases.]

Comments (116 posted)

Page editor: Jonathan Corbet

Security

Wiretapping and email

August 17, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The legal protection for email has been expanded, just slightly. The full First Circuit Court of Appeals has overturned a First Circuit panel decision that allowed Bradford Councilman to monitor the content of his users' incoming email.

Councilman was vice president of Interloc, a company that ran an online service that listed rare and out-of-print books, and offered its customers an email address at "interloc.com." (Interloc has become Alibris.) In January 1998, Councilman directed employees to copy incoming email from Amazon.com to subscribers. A procmail script was used to copy those messages, without any notice to Interloc's users, into a mailbox that Councilman could read in an attempt to gain a commercial advantage.

In 2001, a grand jury charged Councilman with conspiracy to violate the Wiretap Act. This count was dismissed by the district court, and the dismissal was affirmed by a panel hearing of the First Circuit Court last year, but the full court granted an en banc hearing which overturned the panel decision. The judgment has been vacated and the case has been remanded to the district court.

The case centers on whether email is an "electronic communication," or whether Congress meant to -- by exclusion -- exempt "communications in transient storage" from the Wiretap Act. The Electronic Communications Privacy Act (ECPA) of 1986 updated title 18 of the United States Code (the Wiretap Act), making it an offense to "intentionally intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication."

If email is considered an electronic communication, then it is considered protected under the ECPA. However, Councilman argued that email was not "electronic communication" when it was copied because it was "in storage" at the time.

The court has decided that Councilman's interpretation "is inconsistent with Congress's intent."

The statute contains no explicit indication that Congress intended to exclude communications in transient storage from the definition of "electronic communication," and, hence, from the scope of the Wiretap Act. Councilman, without acknowledging it, looks beyond the face of the statute and makes an inferential leap. He infers that Congress intended to exclude communications in transient storage from the definition of "electronic communication," regardless of whether they are in the process of being delivered, simply because it did not include the term "electronic storage" in that definition. This inferential leap is not a plain text reading of the statute.

It's also worthwhile to note the court's comments on the Stored Communications Act, saying that "Councilman's conduct may appear to fall under the Stored Communications Act's main criminal provision," but that he would also fall under the provider exception, which says the Act "does not apply with respect to conduct authorized by the person or entity providing a wire or electronic communications service." The Stored Communications Act, according to the Court's decision, appears to establish "virtually complete immunity" for service providers in handling email on their systems.

However, the Stored Communications Act does not provide a "safe harbor" for Councilman, since the Wiretap Act has a much narrower service provider exception, which only allows interception as "necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service." Obviously, Councilman's actions do not fall within this definition.

The court concluded that "electronic communication" includes "transient electronic storage that is intrinsic to the communication process for such communications" and that "interception of an email message in such storage is an offense under the Wiretap Act."

Assuming this decision holds, the Councilman decision is a victory for users and protects email in transit -- whether that is "on the wire" or in temporary storage on a server awaiting delivery to its final destination -- granting email the same protection from interception and monitoring that is given to phone calls.

Comments (2 posted)

Security news

An overview of multilevel security

One of the many features added to the 2.6.12 kernel is multilevel security support for SELinux. The only problem is that few people actually understand what MLS is. James Morris has posted a multilevel security overview which makes a good starting point. "The reason why we have categories as well as sensitivities is so that sensitivities can be further compartmented on a need to know basis. For example, while a user may be cleared to Secret, they may not need to know anything about project WarpDrive (which could be the name of a category)."

Comments (14 posted)
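The interplay of sensitivities and categories described in the multilevel security item above can be made concrete with a small dominance check. This is an added example, not code from SELinux or from James Morris's overview; the level names, the `Sensitivity:Category` label syntax and the function names are assumptions made for illustration, and the read/write rules go slightly beyond the quoted text by applying the classic Bell-LaPadula model.

```python
from dataclasses import dataclass

# Assumed sensitivity ordering, lowest to highest (names are illustrative).
SENSITIVITIES = ("Unclassified", "Confidential", "Secret", "TopSecret")


@dataclass(frozen=True)
class Label:
    """An MLS label: one sensitivity plus a set of need-to-know categories."""
    sensitivity: str
    categories: frozenset = frozenset()

    @property
    def rank(self):
        return SENSITIVITIES.index(self.sensitivity)


def parse_label(text):
    """Parse 'Secret:WarpDrive,Phaser' (hypothetical syntax) into a Label."""
    sens, _, cats = text.partition(":")
    sens = sens.strip()
    if sens not in SENSITIVITIES:
        raise ValueError(f"unknown sensitivity: {sens!r}")
    return Label(sens, frozenset(c.strip() for c in cats.split(",") if c.strip()))


def dominates(a, b):
    """a dominates b if a's sensitivity is at least b's AND a holds every
    category b carries. Two labels can be incomparable."""
    return a.rank >= b.rank and a.categories >= b.categories


def can_read(subject, obj):
    """No read up: the subject's label must dominate the object's."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """No write down: the object's label must dominate the subject's."""
    return dominates(obj, subject)


def read_denial_reason(subject, obj):
    """Explain why a read is refused, or return None if it is allowed."""
    if subject.rank < obj.rank:
        return f"cleared to {subject.sensitivity}, object is {obj.sensitivity}"
    missing = obj.categories - subject.categories
    if missing:
        return "no need to know for: " + ", ".join(sorted(missing))
    return None


if __name__ == "__main__":
    # Constructed sample subjects and object.
    document = parse_label("Secret:WarpDrive")
    for who in ("Secret:WarpDrive", "Secret", "TopSecret", "Confidential:WarpDrive"):
        subject = parse_label(who)
        reason = read_denial_reason(subject, document)
        print(f"{who:24} read: {'allowed' if reason is None else 'denied (' + reason + ')'}")
```

Note that the `TopSecret` subject without the WarpDrive category is refused even though its sensitivity is higher: the two labels are incomparable, which is the compartmentalization the quote describes.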

The Hidden Boot Code of the Xbox

The Xbox Linux Project site has posted a detailed article on how the Xbox was designed to prevent the booting of "unauthorized" software, and how that scheme was defeated. It is an interesting look at the design of non-free hardware. (By way of Bruce Schneier).

Comments (5 posted)

New vulnerabilities

Adobe Acrobat Reader: arbitrary code execution

Package(s):Adobe Acrobat Reader CVE #(s):CAN-2005-2470
Created:August 16, 2005 Updated:August 22, 2005
Description: A buffer overflow bug has been found in Adobe Acrobat Reader. It is possible to execute arbitrary code on a victim's machine if the victim opens a malicious PDF file.
Alerts:
SuSE SUSE-SA:2005:047 2005-08-22
Gentoo 200508-11 2005-08-19
Red Hat RHSA-2005:750-01 2005-08-16

Comments (none posted)

awstats: command injection vulnerability

Package(s):awstats CVE #(s):CAN-2005-1527
Created:August 11, 2005 Updated:November 10, 2005
Description: AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server.
Alerts:
Debian DSA-892-1 2005-11-10
Gentoo 200508-07 2005-08-16
Ubuntu USN-167-1 2005-08-11

Comments (2 posted)

bluez: command execution

Package(s):bluez-utils CVE #(s):CAN-2005-2547
Created:August 17, 2005 Updated:August 26, 2005
Description: The bluez-utils package (through version 2.19) fails to properly validate device names. As a result, pairing the system with a device containing a maliciously-crafted name could result in the execution of arbitrary commands as root.
Alerts:
Mandriva MDKSA-2005:150 2005-08-25
Debian DSA-782-1 2005-08-23
Gentoo 200508-09 2005-08-17

Comments (none posted)

evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
Description: Evolution has format string issues. SITIC advisory SA05-001 contains more information.
Alerts:
Debian DSA-1016-1 2006-03-23
SuSE SUSE-SA:2005:054 2005-09-16
Red Hat RHSA-2005:267-01 2005-08-29
Gentoo 200508-12 2005-08-23
Mandriva MDKSA-2005:141 2005-08-17
Fedora FEDORA-2005-742 2005-08-11
Fedora FEDORA-2005-743 2005-08-11

Comments (2 posted)

kdeedu: tempfile handling vulnerabilities

Package(s):kdeedu CVE #(s):CAN-2005-2101
Created:August 15, 2005 Updated:September 22, 2005
Description: Ben Burton notified the KDE security team about several tempfile handling related vulnerabilities in langen2kvtml, a conversion script for kvoctrain. The script must be manually invoked. The script uses known filenames in /tmp which allow a local attacker to overwrite files writeable by the user invoking the conversion script.
Alerts:
Debian DSA-818-1 2005-09-22
Mandriva MDKSA-2005:159 2005-09-06
Fedora FEDORA-2005-744 2005-08-16
Fedora FEDORA-2005-745 2005-08-15

Comments (none posted)

Mozilla: frame injection spoofing

Package(s):mozilla firefox CVE #(s):CAN-2004-0718 CAN-2005-1937
Created:August 15, 2005 Updated:September 19, 2005
Description: A vulnerability has been discovered in Mozilla and Mozilla Firefox that allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site. Thunderbird is not affected by this.
Alerts:
Debian-Testing DTSA-14-1 2005-09-13
Fedora-Legacy FLSA:160202 2005-09-14
Debian DSA-810-1 2005-09-13
Debian DSA-777-1 2005-08-17
Debian DSA-775-1 2005-08-15

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

affix: two remote vulnerabilities

Package(s):affix CVE #(s):CAN-2005-2250 CAN-2005-2277
Created:July 19, 2005 Updated:September 2, 2005
Description: A buffer overflow in the Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary code via a long filename in an OBEX file share. Also, remote attackers may execute arbitrary commands via shell metacharacters in the filename argument of a PUT command.
Alerts:
Debian DSA-762-1 2005-07-19

Comments (none posted)

amd64: multiple vulnerabilities

Package(s):amd64 CVE #(s):
Created:August 11, 2005 Updated:August 17, 2005
Description: The Debian amd64 distribution contains a long list of security vulnerabilities; this update fixes them.
Alerts:
Debian DSA-773-1 2005-08-11

Comments (none posted)

httpd: off-by-one overflow and cross-site scripting

Package(s):apache httpd CVE #(s):CAN-2005-1268 CAN-2005-2088
Created:July 25, 2005 Updated:November 7, 2005
Description: Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL).

Alerts:
Slackware SSA:2005-310-04 2005-11-07
Debian DSA-803-1 2005-09-08
Ubuntu USN-160-2 2005-09-07
SuSE SUSE-SA:2005:046 2005-08-16
Fedora-Legacy FLSA:157701 2005-08-10
Ubuntu USN-160-1 2005-08-04
Mandriva MDKSA-2005:130 2005-08-03
Mandriva MDKSA-2005:129 2005-08-03
Fedora FEDORA-2005-638 2005-08-02
Fedora FEDORA-2005-639 2005-08-02
Trustix TSLSA-2005-0038 2005-07-29
SuSE SUSE-SR:2005:018 2005-07-28
Red Hat RHSA-2005:582-01 2005-07-25

Comments (none posted)
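The proxy flaw described in the httpd entry above comes down to ambiguous message framing: two parties disagree about where a request body ends. The following check, which a proxy or a log-analysis job could apply to request headers, is an added example and not Apache's code or its fix; the function names and the sample requests are constructed for illustration. The rejection rule follows RFC 7230 section 3.3.3, which treats a message carrying both headers as an error.

```python
def parse_head(raw):
    """Split a raw HTTP/1.1 request into its request line and header list."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_findings(raw):
    """Return the reasons, if any, why the body length of this request is
    ambiguous and should not be forwarded as-is."""
    _request_line, headers = parse_head(raw)
    lengths, codings = [], []
    for name, value in headers:
        if name == "content-length":
            lengths.append(value)
        elif name == "transfer-encoding":
            codings.extend(c.strip().lower() for c in value.split(","))

    findings = []
    if lengths and codings:
        # The case from the advisory: two framing mechanisms in one message.
        findings.append("both Transfer-Encoding and Content-Length present")
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not (v.isascii() and v.isdigit()) for v in lengths):
        findings.append("Content-Length is not a plain decimal number")
    if codings and codings[-1] != "chunked":
        findings.append("final transfer coding is not chunked")
    return findings


def proxy_decision(raw):
    """Fail closed: anything with a framing finding is rejected, not repaired."""
    return "reject" if framing_findings(raw) else "forward"


# Constructed sample requests (hostnames and paths are placeholders).
CLEAN = (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CHUNKED_ONLY = (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
AMBIGUOUS = (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
TWO_LENGTHS = (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Length: 5\r\nContent-Length: 7\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("chunked only", CHUNKED_ONLY),
                       ("ambiguous", AMBIGUOUS), ("two lengths", TWO_LENGTHS)]:
        print(f"{label:13} {proxy_decision(req):8} {framing_findings(req)}")
```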

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

ClamAntiVirus: integer overflows

Package(s):clamav CVE #(s):CAN-2005-2450
Created:July 26, 2005 Updated:August 16, 2005
Description: Clam AntiVirus versions < 0.86.2 are vulnerable to integer overflows when handling the TNEF, CHM and FSG file formats. By sending a specially-crafted file an attacker could execute arbitrary code with the permissions of the user running Clam AntiVirus.
Alerts:
Debian DSA-776-1 2005-08-16
Mandriva MDKSA-2005:125 2005-07-27
Gentoo 200507-25 2005-07-26

Comments (none posted)

cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice. cpio will extract to the path specified in the cpio file; this path can be absolute.
Alerts:
Mandriva MDKSA-2005:237 2005-12-23
Red Hat RHSA-2005:806-01 2005-11-10
Debian DSA-846-1 2005-10-07
Ubuntu USN-189-1 2005-09-29
Red Hat RHSA-2005:378-01 2005-07-21
Mandriva MDKSA-2005:116-1 2005-07-19
Mandriva MDKSA-2005:116 2005-07-11
Trustix TSLSA-2005-0030 2005-06-24
Gentoo 200506-16 2005-06-20

Comments (1 posted)

CUPS: multiple vulnerabilities

Package(s):CUPS CVE #(s):CAN-2004-2154
Created:July 14, 2005 Updated:September 20, 2005
Description: The CUPS printing system has a problem with queue name case-sensitivity matching that can cause a security policy override. An unauthorized user can use this to print to a protected queue.
Alerts:
Mandriva MDKSA-2005:165 2005-09-15
Ubuntu USN-185-1 2005-09-20
Fedora-Legacy FLSA:163274 2005-09-14
Red Hat RHSA-2005:571-01 2005-07-14

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

dbus: information disclosure

Package(s):dbus CVE #(s):CAN-2005-0201
Created:June 8, 2005 Updated:August 30, 2005
Description: From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening.
Alerts:
Fedora FEDORA-2005-822 2005-08-29
Ubuntu USN-144-1 2005-06-27
Mandriva MDKSA-2005:105 2005-06-24
Red Hat RHSA-2005:102-01 2005-06-08

Comments (none posted)

dhcpcd: denial of service

Package(s):dhcpcd CVE #(s):CAN-2005-1848
Created:July 13, 2005 Updated:September 13, 2005
Description: The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash.
Alerts:
Slackware SSA:2005-255-01 2005-09-13
Red Hat RHSA-2005:603-01 2005-07-27
Gentoo 200507-16 2005-07-15
Mandriva MDKSA-2005:117 2005-07-12
Debian DSA-750-1 2005-07-11

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

epiphany: Mozilla regression vulnerability

Package(s):epiphany CVE #(s):
Created:July 28, 2005 Updated:August 29, 2005
Description: The epiphany web browser had a vulnerability regression that was caused by fixes to the Mozilla suite. This is specific to Ubuntu Linux; the Mozilla fix was USN-155-1.
Alerts:
Ubuntu USN-155-2 2005-07-28

Comments (none posted)

ethereal: dissector vulnerabilities

Package(s):ethereal CVE #(s):CAN-2005-2365 CAN-2005-2367 CAN-2005-2360 CAN-2005-2361 CAN-2005-2362 CAN-2005-2363 CAN-2005-2364 CAN-2005-2366
Created:July 28, 2005 Updated:October 10, 2005
Description: The ethereal network traffic analyzer has several vulnerabilities involving traffic dissectors. Dissectors have buffer overflows, format string overflows, and crashing/denial of service issues.
Alerts:
Debian DSA-853-1 2005-10-09
Red Hat RHSA-2005:687-01 2005-08-10
Mandriva MDKSA-2005:131 2005-08-04
Fedora FEDORA-2005-655 2005-07-29
Fedora FEDORA-2005-651 2005-07-28
Gentoo 200507-27 2005-07-28

Comments (none posted)

evolution: message crash vulnerability

Package(s):evolution CVE #(s):CAN-2005-0806
Created:March 17, 2005 Updated:August 11, 2005
Description: The Evolution mail client can be crashed when reading certain types of messages.
Alerts:
Ubuntu USN-166-1 2005-08-11
Red Hat RHSA-2005:397-01 2005-05-04
Conectiva CLA-2005:950 2005-04-27
Fedora FEDORA-2005-338 2005-04-22
Mandrake MDKSA-2005:059 2005-03-16

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2005-2335
Created:July 21, 2005 Updated:August 12, 2005
Description: The fetchmail POP3 client has an arbitrary code execution vulnerability that may be triggered by a malicious POP server. See this advisory for more information.
Alerts:
Debian DSA-774-1 2005-08-12
Mandriva MDKSA-2005:126 2005-07-28
OpenPKG OpenPKG-SA-2005.016 2005-07-28
Ubuntu USN-153-1 2005-07-26
Gentoo 200507-21 2005-07-25
Red Hat RHSA-2005:640-01 2005-07-25
Slackware SSA:2005-203-05 2005-07-23
Fedora FEDORA-2005-614 2005-07-21
Fedora FEDORA-2005-613 2005-07-21

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:158543 2006-02-25
Slackware SSA:2005-242-03 2005-08-31
Fedora FEDORA-2005-751 2005-08-17
Fedora FEDORA-2005-750 2005-08-17
Mandriva MDKSA-2005:139 2005-08-15
Gentoo 200508-06 2005-08-15
Ubuntu USN-168-1 2005-08-12
Red Hat RHSA-2005:589-01 2005-08-09

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnupg: information leak

Package(s):gnupg CVE #(s):CAN-2005-0366
Created:March 16, 2005 Updated:August 19, 2005
Description: GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Alerts:
Ubuntu USN-170-1 2005-08-19
Gentoo 200503-29 2005-03-24
Mandrake MDKSA-2005:057 2005-03-15

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:September 16, 2005
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not properly handle shell metacharacters like '|' and '&' when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

heartbeat: insecure temporary files

Package(s):heartbeat CVE #(s):CAN-2005-2231
Created:July 19, 2005 Updated:August 15, 2005
Description: Eric Romang discovered several insecure temporary file creations in the High Availability Linux Project Heartbeat 1.2.3.
Alerts:
Debian DSA-761-2 2005-08-15
Ubuntu USN-165-1 2005-08-11
Mandriva MDKSA-2005:132 2005-08-09
Gentoo 200508-05 2005-08-07
Debian DSA-761-1 2005-07-19

Comments (none posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: ELF loader core dump vulnerability

Package(s):kernel CVE #(s):CAN-2005-1263
Created:May 11, 2005 Updated:August 25, 2005
Description: Paul Starzetz has posted an advisory for yet another kernel vulnerability. In this case, by using a specially manipulated ELF binary, a local attacker can compromise the system (via the core dump code) and obtain root access. This vulnerability affects all kernels from 2.2 through 2.6.12-rc4.
Alerts:
Red Hat RHSA-2005:529-01 2005-08-25
Red Hat RHSA-2005:420-01 2005-06-08
Red Hat RHSA-2005:472-01 2005-05-25
Fedora FEDORA-2005-392 2005-05-23
Ubuntu USN-131-1 2005-05-23
Trustix TSLSA-2005-0022 2005-05-13

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-1913 CAN-2005-1761
Created:July 1, 2005 Updated:September 9, 2005
Description: Several vulnerabilities in the 2.6 kernel have been fixed, including a subthread exec problem (CAN-2005-1913) and an ia64 ptrace + sigrestore_context problem (CAN-2005-1761).
Alerts:
Ubuntu USN-178-1 2005-09-09
Red Hat RHSA-2005:551-01 2005-08-25
SuSE SUSE-SA:2005:044 2005-08-04
Fedora FEDORA-2005-510 2005-07-01

Comments (1 posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

krb5: double-free flaw

Package(s):krb5 CVE #(s):CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created:July 12, 2005 Updated:December 6, 2005
Description: The krb5 authentication has a double-free flaw which may be triggered by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service, and an information disclosure may be caused by a malicious telnet server. See this report for more information.
Alerts:
Ubuntu USN-224-1 2005-12-06
Debian DSA-757-1 2005-07-17
Trustix TSLSA-2005-0036 2005-07-14
Mandriva MDKSA-2005:119 2005-07-13
SuSE SUSE-SR:2005:017 2005-07-13
Gentoo 200507-11 2005-07-12
Fedora FEDORA-2005-553 2005-07-12
Red Hat RHSA-2005:562-01 2005-07-12
Fedora FEDORA-2005-552 2005-07-12
Red Hat RHSA-2005:567-02 2005-07-12

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others, e.g. on Sparc, it can lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user openi