On the defense of piracy enablers
Noted anti-patent activist Florian Mueller recently distributed a statement
regarding the Linux trademark policy. This policy, according to Mr. Mueller,
is just fine;
trademarks are not a barrier to innovation and free software in the way
that patents are. Opposing trademark protection, he says, risks making the
anti-patent community look like it opposes intellectual property in
general; that, in turn, could hurt the fight against software patents.
That could all be true, as far as it goes. Mr. Mueller does not stop
there, however:
In addition to the debate over the Linux trademark, Mueller is also
worried over the role that some organizations play in an American
court by defending the developers of the "bnetd" software against
computer game publisher Blizzard Entertainment: "It's very unwise
for organizations like the EFF (Electronic Frontier Foundation) to
rush to the aid of piracy-enablers. It makes it look like software
patent critics are against copyright, which most of us are not."
This, in your editor's opinion, is dangerous and incorrect reasoning.
One could start by noting that bnetd was certainly not implemented as a
"piracy enabler." Bnetd is a game server for certain games created by
Blizzard Entertainment. It was created because its developers, having
experienced Blizzard's game servers, decided that they could create a
better environment for themselves. So they wrote their own game server
package which lacks some of the problems of Blizzard's Battle.net. It also
lacks Blizzard's authentication mechanisms (for which the requisite
implementation information is not available in any case). As a result,
bnetd can (unlike Battle.net) be used by multiple players who have made
copies of the same game CD; this is an unintended side effect of bnetd's
implementation, not its purpose for existing.
It seems unlikely that any significant amount of piracy has been "enabled"
by bnetd. But it would not matter in any case. The issue here is not one
of piracy, it is, instead, about the right to create interoperable
software. If bnetd is illegal, then our right to develop software to
interoperate with commercial offerings is much reduced. That is an outcome
which is worth fighting.
We have seen this sort of issue before.
Dmitry Sklyarov's e-book processor could be said to be a "piracy
enabler." Adobe certainly made that claim. Fortunately, few people
questioned the correctness or necessity of defending Mr. Sklyarov.
Similarly, Jon Johansen was accused of facilitating piracy by releasing the
DeCSS code. But DeCSS is not about piracy; it is about our right to play
the DVDs we have purchased on our Linux systems. If we cannot write
interoperable software, we will be stuck with whatever others deign to sell
to us.
In the U.S., at least, the fight for civil liberties often requires
defending unpleasant people. It is the criminals, pornographers, drug
dealers, and others whose rights tend to be infringed first. But even the
sleaziest of people still have rights; if those rights are not defended,
they will soon cease to exist for everybody else as well. If the people we
disagree with do not have rights, we do not either.
Calling the bnetd developers "piracy enablers" puts them in the same camp
as other societal outcasts. Pirates are, after all, among the great
evildoers of our time - at least, according to some people. So casting
developers as pirates makes it easier to attack them. But even if bnetd
were truly a "piracy enabler," its developers would still deserve our
support. These developers did something that many or most of us believe is
within our rights to do. Should we write them off just because somebody
says they are helping pirates?
Anybody who believes that the bnetd developers do not deserve the
community's support would be well advised to think about what the next
"piracy enabler" might be. BitTorrent, perhaps. MythTV? Sound Juicer?
Gaim or Kopete? How about GreaseMonkey? Or XBox Linux? Or Linux in
general, for that matter. The fight against software patents is crucially
important, and it is well to think about how we might best win it. But any
victory which involves throwing members of our community to the wolves to
avoid any appearance of being soft on intellectual property rights will be
illusory at best. The EFF is doing the right thing when it defends the
bnetd developers; this fight is just as important to our rights as the
patent fight.
Comments (97 posted)
OSI procedures - a study in quotes
The Open Source Initiative announced last April that it was forming a
committee to address the license proliferation problem. This committee is
charged with the task of coming to terms with this problem, proposing ways
of improving the situation, and sorting open source licenses into "tiers"
as a way of directing projects toward a preferred subset. The archive of
the committee's closed mailing list suggests that, as of this writing, not
a whole lot of work has gotten done yet.
The issue of committee membership recently surfaced on the license-discuss
mailing list. Rather than attempt to summarize the discussion, your editor
decided to provide a few quotes and let the participants speak for
themselves. For the curious, the entire thread is available from the
archives.
Some time ago, I applied to be on the license proliferation
committee. I eventually got a form letter from Laura Majerus saying
that they had too many qualified people....
Most of you will realize that I am uniquely qualified as the main
author of the guidelines that OSI now seeks to interpret, and
someone who has assisted many businesses and legal professionals in
working within those guidelines since then. Two people with
experience similar to mine but less in duration were admitted to
the committee. There are a few legal professionals admitted. All
others admitted are extremely worthy individuals, and have been
working very hard at this, but I can't really say they are more
experienced....
And thus, I really have to question the process.
-- Bruce Perens
http://bastiat.org/en/the_law.html
It's very short. You should read it. I discovered something very
interesting in it: it doesn't matter who writes the law, as long as
the law treats everyone equally....
Rather than judging the process, you should judge the result.
Since there are no results yet, you have nothing to say anything
about.
-- Russ Nelson
Several years ago I agitated strongly about the lack of any
semblance of democracy or transparency in the OSI. I stopped when
I realized that the OSI didn't really matter. Since then the OSI
has come to matter somewhat more--e.g., sourceforge.net looks to it
to ratify licenses. But it still doesn't matter very much....
Personally I think the OSI should drop any claims about
representing the community, and instead describe itself as a group
of self-selected experts who periodically issue opinions about open
source licensing-- i.e., more or less the same as any NGO. I think
that would be more honest and more helpful.
-- Ian Lance Taylor
How we do things is immaterial. What we do is the only thing that
matters. When you eat in a restaurant, you don't get to vote for
the cook. You voted when you walked into the restaurant. People
selected OSI because we matter.
-- Russ Nelson
I feel it's unfair to everyone, not just me, to keep my expertise
off of the committee. That's why I stated my case.
-- Bruce Perens
The license proliferation committee will have to make hard
decisions. We made one in your case, and you are attempting to
strong-arm us into changing our minds. This is evidence to me that
we chose well to keep you off the committee. The license
proliferation committee's continued rejection of you is necessary
practice for ignoring the anticipated pressure. Even though you
don't like the form of it, you are contributing to the success of
the committee.
-- Russ Nelson
A priori, democracy is held to be good. This is faith-based
reasoning.
-- Russ Nelson
If the writings of Bastiat weigh stronger on the decision making
process of the OSI then those of Perens, then maybe it's better
that we don't get to watch...
-- Keven Bedell
In fact, you weren't rejected because you were or were not Bruce
Perens on the night of September 22, 1997. You were rejected
because you were person N+M on a committee of N people where M>0.
No malice intended; you just didn't make the cut; sorry that you
weren't even the guy out in right field; hope your feelings weren't
hurt (would it help to apologize?).
-- Russ Nelson
The committee as it presently exists is over-lawyered, and I would
have added some balance and a lot of skill. If you look at the
discussion list, it will be clear that they aren't getting very
much energy out of that group of extremely busy people. Turning
away an extremely-qualified volunteer who has already worked on the
problem isn't a good idea.
-- Bruce Perens
For what it is worth, the current committee membership is Brian Geurts,
John Cowan, McCoy Smith, Diane Peters, Cliff Schmidt, Laura Majerus, Karna
Nisewaner, Russ Nelson, Damien Eastwood, Eric Raymond, Mitchell Baker,
Rishab Aiyer Ghosh and Sanjiva Weerawarana. There are no indications that
any changes to the membership will be made.
Comments (24 posted)
Guten Tag from Avahi
Early this week, the Avahi team announced the 0.1 release of Avahi, dubbed
"Guten Tag."
Avahi is a framework for service discovery on local networks, using the
same specifications as Apple's Bonjour (formerly "Rendezvous"): Multicast
DNS (mDNS) and DNS Service Discovery (DNS-SD) from the Zero Configuration
Networking (Zeroconf) working group.
So, Avahi allows programs to publish services that are available and to
discover services that are available on other machines. As an example, a
user could find local printers without needing to know their IP address, or
which computers are publishing file shares.
We asked two of the Avahi developers, Trent Lloyd and Lennart Poettering,
about this release and what we could expect from future releases.
Avahi is a framework, and is meant to be used by other programs that have a
need for mDNS/DNS-SD. It uses a D-BUS API, with
"implicit bindings" for Python, Mono and many other languages,
according to Poettering.
According to the release notes, a few of the "SHOULDs" for mDNS were not
implemented. We were curious about what hadn't been implemented, and
whether they planned to implement them in the future. Poettering explained
why some of the "SHOULDs" were not in this release:
This depends. Some of the missing "SHOULDs" are difficult to implement (or
at least I'm too lazy to implement them for what it's worth), some of the
"SHOULDs" are currently discussed to be removed from the RFC entirely, some
don't apply to our implementation and others I consider questionable.
Poettering also identified three "SHOULDs" in the mDNS specification that are not implemented in the 0.1 release of Avahi:
Unicast response bit generation (Avahi honours it on incoming queries but
doesn't set it on outgoing queries). According to Marc Krochmal (one of the
two Apple guys behind mDNS/DNS-SD) they're considering the complete removal
of this feature, as its added complexity outweighs the gain.
An extra delay should be applied when replying to packets with the TC
(truncation) bit set. This is on the TODO list. It's a fairly new addition
to the spec (only available in the spec as of 7th June 2005).
Passive observation of failures. This must have slipped from my mind
completely. I didn't have that one on my list. Since avahi doesn't
implement this (optional) feature at all, the "SHOULDs" don't apply to
Avahi right now. (Though I added this to the TODO list now)
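To make the first of those points concrete, here is a small encoder and parser for an mDNS/DNS-SD PTR query showing where the "unicast response" (QU) bit lives: the top bit of the question's QCLASS field. This is example code written for this page, not Avahi's; the service name `_ipp._tcp.local` and the sample values are constructed here.

```python
# Added example (not Avahi code): minimal mDNS/DNS-SD query wire format.
# The QU bit (RFC 6762, section 5.4) asks the responder to answer by unicast
# instead of multicast; Avahi 0.1 honours it on incoming queries but does not
# set it on the queries it sends.
import struct

PTR = 12            # DNS-SD enumerates service instances with PTR queries
CLASS_IN = 1
QU_BIT = 0x8000     # "unicast response requested", OR'd into QCLASS
MDNS_GROUP = ("224.0.0.251", 5353)   # IPv4 mDNS multicast address and port


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(service: str, unicast_response: bool = False) -> bytes:
    """One-question mDNS query; ID and flags are zero for multicast queries."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # ID, flags, QD, AN, NS, AR
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(service) + struct.pack("!HH", PTR, qclass)


def decode_name(buf: bytes, offset: int):
    """Decode labels starting at offset; returns (dotted name, next offset).
    Compression pointers are refused because a question name never needs them."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        n = buf[offset]
        offset += 1
        if n == 0:
            return ".".join(labels) + ".", offset
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if offset + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[offset:offset + n].decode("utf-8"))
        offset += n


def parse_query(buf: bytes) -> dict:
    """Parse a one-question query and report whether a unicast reply was requested."""
    if len(buf) < 12:
        raise ValueError("short header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(buf, 12)
    if len(buf) < off + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {"name": name, "qtype": qtype, "class": qclass & 0x7FFF,
            "unicast_response": bool(qclass & QU_BIT)}
```

A responder that ignores the bit (as the point above describes) still answers correctly, just by multicast; a responder that honours it sends the answer only to the querier.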
Despite the low version number, and the fact that a few of the "SHOULDs"
have not yet been implemented, Lloyd said that this release is actually
quite usable:
Well the low version number is a bit of a misnomer in terms of featureness,
it does have quite a lot in it, there is some work for 0.2 to provide a
couple new resolver interfaces to the DBUS for better handling of services
changing their information, and it will certainly contain bug fixes.
Poettering also noted that Avahi "has lots of uncommon features that
even Apple's stack doesn't have." One feature that Poettering
highlighted is "avahi-dnsconfd," which "allows the configuration of
unicast DNS servers via mDNS in a DHCP-like fashion. This is especially
useful on IPv6 where address autoconfiguration is available out-of-the-box,
but DNS server configuration currently isn't."
We also asked if the low version number indicated that Avahi would be
undergoing major API changes. Poettering said that he doesn't see
"any major changes coming for the near future" but that there
would probably be some API additions.
One thing that Poettering stressed is that Avahi is not GNOME-centric or
KDE-centric. "We currently ship a glib adapter for our libraries, but
this is purely optional... We are interested in adoption of Avahi in all
desktop environments, including both GNOME and KDE. Admittedly the core
developers of Avahi are all GNOME people, but that's just personal
preference."
There are other implementations of mDNS/DNS-SD available, but not under
what many would consider a "free" license. Avahi is available under the
LGPL, so it should be usable by nearly any project that would care to
incorporate Avahi.
At the moment, Avahi is only available for Linux. The only stumbling block
appears to be netlink, according to Poettering and Lloyd. Poettering says
that "as soon as the BSD compatible replacement for netlink is in
place, porting to other kernels should be really simple."
It should be interesting to see how Avahi is incorporated into Linux
applications and distributions. The ability to easily advertise printing,
file-sharing and other services for desktop users -- putting Linux on par
with Mac OS X -- is one more component in helping to secure Linux's place
on the desktop.
Comments (7 posted)
Page editor: Jonathan Corbet
Security
Victory against spam?
The August 20 edition of The Economist includes an article (restricted to
Economist subscribers as of this writing) that makes an interesting claim:
But "spam", unsolicited e-mail, seems to be in retreat. The
amount of spam that swishes through the internet is holding steady
or declining, according to most studies. And of the stuff that
still exists, the vast majority is blocked by filters before it
gets to an inbox.
The core of the article is based on a MessageLabs report stating that
spam, which constituted 83% of all
email traffic in January, fell to "only" 67% in June. 67% remains a
horrifying number, but it also clearly is a step in the right direction.
Interestingly, your editor's personal spam indicator, currently running at
about 4,000/day, does not show any decline at all. Some people, it seems,
are just lucky.
The Economist credits a number of factors in the decline. Filters are one
of those, though the article only mentions proprietary offerings. (Said
proprietary filters are credited with 95% effectiveness, incidentally; your
editor can attest that a well-trained SpamAssassin can do much better than
that). Smarter recipients are another; evidently most Internet users have
already enlarged whatever parts of their anatomy they felt were too small,
or figured out that it wasn't going to happen for them. High-profile legal
setbacks for selected spammers have provided a small disincentive. And
phishing attacks, which are very much on the increase, have convinced many
users that spam can be dangerous and is best avoided.
Phishing is where the action is now - especially in South
America, it would seem, where a strong interest in postcard sites makes
attacks relatively easy. Since there is money in phishing, this problem is
likely to grow, at least until enough people get burned that a general
awareness sets in. It is a somewhat ironic outcome, meanwhile, that the
phishers may be helping to take the profits out of spam, and thus reducing
the problem.
Declaring victory on spam seems somewhat premature, however. The costs of
carrying that much garbage through the email system, filtering, and
shoveling out mailboxes remain high. But wouldn't it be interesting if the
arms race between spammers and their opponents turned out to be winnable -
by the good guys - after all?
Comments (10 posted)
New vulnerabilities
cvs: insecure temp file
| Package(s): | cvs |
| CVE #(s): | CAN-2005-2693 |
| Created: | August 23, 2005 |
| Updated: | September 9, 2005 |
| Description: | Insecure temporary file usage was found in the cvsbug program. It is possible that a malicious user could use this to execute arbitrary instructions as the user running cvsbug. |
| Alerts: | |
Comments (none posted)
elm: buffer overflow
| Package(s): | elm |
| CVE #(s): | CAN-2005-2665 |
| Created: | August 23, 2005 |
| Updated: | November 10, 2005 |
| Description: | A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CAN-2005-2098, CAN-2005-2099, CAN-2005-2456, CAN-2005-2457, CAN-2005-2458, CAN-2005-2459, CAN-2005-2548, CAN-2005-2555 |
| Created: | August 19, 2005 |
| Updated: | September 19, 2005 |
| Description: |
David Howells discovered a local Denial of Service vulnerability in the key session joining function. Under certain user-triggerable conditions, a semaphore was not released properly, which caused processes which also attempted to join a key session to hang forever. (CAN-2005-2098)
David Howells discovered a local Denial of Service vulnerability in the keyring allocator. A local attacker could exploit this to crash the kernel by attempting to add a specially crafted invalid keyring. (CAN-2005-2099)
Balazs Scheidler discovered a local Denial of Service vulnerability in the xfrm_compile_policy() function. By calling setsockopt() with an invalid xfrm_user policy message, a local attacker could cause the kernel to write to an array beyond its boundaries, thus causing a kernel crash. (CAN-2005-2456)
Tim Yamin discovered that the driver for compressed ISO file systems did not sufficiently validate the input data. By tricking a user into mounting a malicious CD-ROM with a specially crafted compressed ISO file system, he could cause a kernel crash. (CAN-2005-2457)
It was discovered that the kernel's embedded zlib compression library was still vulnerable to two old vulnerabilities of the standalone zlib library. This library is used by various drivers and can also be used by third party modules, so the impact varies. (CAN-2005-2458, CAN-2005-2459)
Peter Sandstrom discovered a remote Denial of Service vulnerability in the SNMP handler. Certain UDP packets lead to a function call with the wrong argument, which resulted in a crash of the network stack. (CAN-2005-2548)
Herbert Xu discovered that the setsockopt() function was not restricted to privileged users. This allowed a local attacker to bypass intended IPSec policies, set invalid policies to exploit flaws like CAN-2005-2456, or cause a Denial of Service by adding policies until kernel memory is exhausted. Now the call is restricted to processes with the CAP_NET_ADMIN capability. (CAN-2005-2555) |
| Alerts: | |
Comments (3 posted)
Kismet: multiple vulnerabilities
| Package(s): | kismet |
| CVE #(s): | CAN-2005-2626, CAN-2005-2627 |
| Created: | August 19, 2005 |
| Updated: | August 29, 2005 |
| Description: | Kismet is vulnerable to a heap overflow when handling pcap captures and to an integer underflow in the CDP protocol dissector. With a specially crafted packet an attacker could cause Kismet to execute arbitrary code with the rights of the user running the program. |
| Alerts: | |
Comments (none posted)
lm-sensors: insecure temp files
| Package(s): | lm-sensors |
| CVE #(s): | CAN-2005-2672 |
| Created: | August 23, 2005 |
| Updated: | November 10, 2005 |
| Description: | Javier Fernández-Sanguino Peña noticed that the pwmconfig script created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with full root privileges since pwmconfig is usually executed by root. |
| Alerts: | |
Comments (1 posted)
mantis: missing input sanitizing
| Package(s): | mantis |
| CVE #(s): | CAN-2005-2556, CAN-2005-2557 |
| Created: | August 19, 2005 |
| Updated: | September 26, 2005 |
| Description: | Two security related problems have been discovered in Mantis, a web-based bug tracking system. A remote attacker could insert arbitrary SQL code into SQL statements, and a remote attacker was able to insert arbitrary HTML code into bug reports, hence cross site scripting. |
| Alerts: | |
Comments (none posted)
openvpn: multiple vulnerabilities
| Package(s): | openvpn |
| CVE #(s): | CAN-2005-2531, CAN-2005-2532, CAN-2005-2533, CAN-2005-2534 |
| Created: | August 23, 2005 |
| Updated: | October 10, 2005 |
| Description: |
A number of vulnerabilities were discovered in OpenVPN that were fixed in the 2.0.1 release:
A DoS attack against the server when run with "verb 0" and without "tls-auth": when a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed. This could result in another, unrelated client instance on the server seeing the error and responding to it, resulting in a disconnection of the unrelated client.
A DoS attack against the server by an authenticated client: when the client sends a packet which fails to decrypt on the server, the OpenSSL error queue was not properly flushed. This could result in another, unrelated client instance on the server seeing the error and responding to it, resulting in a disconnection of the unrelated client.
A DoS attack against the server by an authenticated client is possible in "dev tap" ethernet bridging mode, where a malicious client could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, resulting in the OpenVPN process exhausting system virtual memory.
If two or more client machines tried to connect to the server at the same time via TCP, using the same client certificate, a race condition could crash the server if --duplicate-cn is not enabled on the server. |
| Alerts: | |
Comments (none posted)
pcre3: arbitrary code execution
| Package(s): | pcre3 |
| CVE #(s): | CAN-2005-2491 |
| Created: | August 23, 2005 |
| Updated: | March 10, 2006 |
| Description: | A buffer overflow has been discovered in PCRE, a widely used library that provides Perl compatible regular expressions. Specially crafted regular expressions triggered a buffer overflow. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library. |
| Alerts: | |
Comments (none posted)
php: arbitrary code execution
| Package(s): | php |
| CVE #(s): | CAN-2005-2498 |
| Created: | August 19, 2005 |
| Updated: | October 4, 2005 |
| Description: | A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. |
| Alerts: | |
Comments (none posted)
slocate: long path bug
| Package(s): | slocate |
| CVE #(s): | CAN-2005-2499 |
| Created: | August 22, 2005 |
| Updated: | October 5, 2005 |
| Description: | A bug was found in the way slocate processes very long paths. A local user could create a carefully crafted directory structure that would prevent updatedb from completing its file system scan, resulting in an incomplete slocate database. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
Adobe Acrobat Reader: arbitrary code execution
| Package(s): | Adobe Acrobat Reader |
| CVE #(s): | CAN-2005-2470 |
| Created: | August 16, 2005 |
| Updated: | August 22, 2005 |
| Description: | A buffer overflow bug has been found in Adobe Acrobat Reader. It is possible to execute arbitrary code on a victim's machine if the victim opens a malicious PDF file. |
| Alerts: | |
Comments (none posted)
affix: two remote vulnerabilities
| Package(s): | affix |
| CVE #(s): | CAN-2005-2250, CAN-2005-2277 |
| Created: | July 19, 2005 |
| Updated: | September 2, 2005 |
| Description: | A buffer overflow in the Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary code via a long filename in an OBEX file share. Also, remote attackers may execute arbitrary commands via shell metacharacters in the filename argument of a PUT command. |
| Alerts: | |
Comments (none posted)
amd64: multiple vulnerabilities
| Package(s): | amd64 |
| CVE #(s): | |
| Created: | August 11, 2005 |
| Updated: | August 17, 2005 |
| Description: | The Debian amd64 distribution contains a long list of security vulnerabilities; this update fixes them. |
| Alerts: | |
Comments (none posted)
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd |
| CVE #(s): | CAN-2005-1268, CAN-2005-2088 |
| Created: | July 25, 2005 |
| Updated: | November 7, 2005 |
| Description: |
Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL). |
| Alerts: | |
Comments (none posted)
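The first httpd issue above exists because two parsers can disagree about where a request body ends when both length headers are present. As an added example (not Apache's code), the check below is what a proxy or filter in front of an application can apply to each request head to refuse that ambiguity outright; the sample requests are constructed for this page.

```python
# Added example (not Apache code): refuse request heads whose body length is
# ambiguous, the condition behind CAN-2005-2088. RFC 7230 says Transfer-Encoding
# wins over Content-Length, but a front end and a back end that disagree is
# exactly how one request becomes two, so a proxy should not forward such heads.


def parse_head(raw: bytes):
    """Split a raw request head into (request line, [(name, value), ...]).
    Header names are lower-cased; obsolete line folding is refused outright."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding not accepted")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return request_line, headers


def framing_problems(raw: bytes) -> list:
    """List the reasons a request head is ambiguous about where its body ends.
    An empty list means the message length is determined by exactly one rule."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    problems = []
    if te and cl:
        # The Apache flaw: one hop honours Content-Length, the next honours
        # chunked framing, and they disagree about where the next request starts.
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        problems.append("non-numeric Content-Length")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            problems.append("Transfer-Encoding present but 'chunked' is not the final coding")
    return problems


def accept_request(raw: bytes) -> bool:
    """Policy a proxy or WAF can apply: forward only unambiguously framed requests."""
    return not framing_problems(raw)


# Constructed sample request heads (not taken from the advisory).
AMBIGUOUS = (b"POST /cgi-bin/app HTTP/1.1\r\n"
             b"Host: intranet.example\r\n"
             b"Content-Length: 5\r\n"
             b"Transfer-Encoding: chunked\r\n"
             b"\r\n")
CLEAN = (b"POST /cgi-bin/app HTTP/1.1\r\n"
         b"Host: intranet.example\r\n"
         b"Content-Length: 5\r\n"
         b"\r\n")
```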
awstats: command injection vulnerability
| Package(s): | awstats |
| CVE #(s): | CAN-2005-1527 |
| Created: | August 11, 2005 |
| Updated: | November 10, 2005 |
| Description: | AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server. |
| Alerts: | |
Comments (2 posted)
bluez: command execution
| Package(s): | bluez-utils |
| CVE #(s): | CAN-2005-2547 |
| Created: | August 17, 2005 |
| Updated: | August 26, 2005 |
| Description: | The bluez-utils package (through version 2.19) fails to properly validate device names. As a result, pairing the system with a device containing a maliciously-crafted name could result in the execution of arbitrary commands as root. |
| Alerts: | |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
cpio: directory traversal
| Package(s): | cpio |
| CVE #(s): | CAN-2005-1111 |
| Created: | June 20, 2005 |
| Updated: | December 26, 2005 |
| Description: | There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice. cpio will extract to the path specified in the cpio file, and this path can be absolute. |
| Alerts: | |
Comments (1 posted)
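An added example, not cpio's own code: the path check an extraction routine can run on each archive member name before writing anything, rejecting absolute names, `..` traversal, and names that resolve (through a symlink created earlier in the same archive) to somewhere outside the destination. The member names and the symlink scenario in `demo()` are constructed for this page.

```python
# Added example (not cpio code): validate archive member names before extraction.
import os
import posixpath
import tempfile


def safe_extract_path(dest_dir: str, member: str) -> str:
    """Return the absolute path where an archive member may be written, or raise
    ValueError if the member name would land anywhere outside dest_dir.
    cpio member names are POSIX paths, so they are normalised with posixpath."""
    if not member:
        raise ValueError("empty member name")
    if member.startswith("/"):
        # cpio 2.6 honoured such a name literally and wrote to the absolute path.
        raise ValueError("absolute path in archive: %r" % member)
    norm = posixpath.normpath(member)
    if norm == ".." or norm.startswith("../"):
        raise ValueError("path escapes destination: %r" % member)   # "../../x" style
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, norm))
    # Resolving symlinks catches an escape through a link that an earlier
    # member of the same archive created inside dest_dir.
    if os.path.commonpath([dest, target]) != dest:
        raise ValueError("resolved path escapes destination: %r" % member)
    return target


def classify(dest_dir: str, members) -> dict:
    """Map each member name to its allowed target path or to the rejection reason."""
    out = {}
    for m in members:
        try:
            out[m] = safe_extract_path(dest_dir, m)
        except ValueError as e:
            out[m] = "rejected: " + str(e)
    return out


def demo() -> dict:
    """Exercise the check in a private temp dir, including a symlink planted
    inside the destination that points outside it (all names constructed here).
    Returns {member: True if rejected}."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        outside = os.path.join(tmp, "outside")
        os.mkdir(dest)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(dest, "link"))
        members = ["etc/motd", "./a/../b", "/etc/passwd",
                   "../escape", "a/../../x", "link/evil"]
        verdicts = classify(dest, members)
        return {m: v.startswith("rejected") for m, v in verdicts.items()}
```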
CUPS: multiple vulnerabilities
| Package(s): | CUPS |
| CVE #(s): | CAN-2004-2154 |
| Created: | July 14, 2005 |
| Updated: | September 20, 2005 |
| Description: | The CUPS printing system has a problem with queue name case-sensitivity matching that can cause a security policy override. An unauthorized user can use this to gain access to print to a protected queue. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
dbus: information disclosure
| Package(s): | dbus |
| CVE #(s): | CAN-2005-0201 |
| Created: | June 8, 2005 |
| Updated: | August 30, 2005 |
| Description: | From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening. |
| Alerts: | |
Comments (none posted)
dhcpcd: denial of service
| Package(s): | dhcpcd |
| CVE #(s): | CAN-2005-1848 |
| Created: | July 13, 2005 |
| Updated: | September 13, 2005 |
| Description: | The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
epiphany: Mozilla regression vulnerability
| Package(s): | epiphany |
| CVE #(s): | |
| Created: | July 28, 2005 |
| Updated: | August 29, 2005 |
| Description: | The epiphany web browser had a vulnerability regression that was caused by fixes to the Mozilla suite. This is specific to Ubuntu Linux; the Mozilla fix was USN-155-1. |
| Alerts: | |
Comments (none posted)
ethereal: dissector vulnerabilities
Comments (none posted)
evolution: format string issues
Comments (2 posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
| CVE #(s): | CAN-2005-2103 |
| Created: | August 10, 2005 |
| Updated: | February 27, 2006 |
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that, by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file, or in the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2005-0891 |
| Created: | March 30, 2005 |
| Updated: | December 19, 2005 |
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript |
| CVE #(s): | CAN-2004-0967 |
| Created: | October 20, 2004 |
| Updated: | September 28, 2005 |
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. |
| Alerts: | |
Comments (none posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
| CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 |
| Updated: | November 14, 2005 |
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. |
| Alerts: | |
Comments (none posted)
gnupg: information leak
| Package(s): | gnupg |
| CVE #(s): | CAN-2005-0366 |
| Created: | March 16, 2005 |
| Updated: | August 19, 2005 |
| Description: | GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." |
| Alerts: | |
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | September 16, 2005 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
| Alerts: | |
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory containing specially crafted file names. |
| Alerts: | |
Comments (2 posted)
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: | |
Comments (none posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
| CVE #(s): | CVE-2005-1108, CVE-2005-1109 |
| Created: | April 13, 2005 |
| Updated: | November 5, 2005 |
| Description: | JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. |
| Alerts: | |
Comments (1 posted)
kdeedu: tempfile handling vulnerabilities
| Package(s): | kdeedu |
| CVE #(s): | CAN-2005-2101 |
| Created: | August 15, 2005 |
| Updated: | September 22, 2005 |
| Description: | Ben Burton notified the KDE security team about several tempfile-handling vulnerabilities in langen2kvtml, a conversion script for kvoctrain. The script must be manually invoked. The script uses known filenames in /tmp, which allows a local attacker to overwrite files writeable by the user invoking the conversion script. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information. |
| Alerts: | |