| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for September 22, 2005
Two approaches to Open gadgets
The world is full of fun gadgets which perform specific tasks. Those gadgets tend to be highly closed affairs, however. Even the ones which run Linux are sealed shut so that they cannot be played with. The result is that many of these toys retain annoying misfeatures and do not live up to their full potential. For this reason, most interesting electronic toys are surrounded by a crowd of developers looking for a way in. Wouldn't it be nice if that work weren't necessary?One device which has begun to attract attention is the GP2X, which will be shipping soon. This device has a superficial resemblance to the Sony PSP; it has a central screen with a set of buttons on the right and a joystick-button on the left. Unlike the PSP, however, it is an open device. The specifications are available (this Wikipedia page has the most comprehensive information), and the device runs Linux. It is clearly meant to be hacked on, and it could be the source of no end of interesting applications.
On the other hand, some details are scarce, and there appears to be no place to download the Linux distribution used on the device. An earlier version of the product page contains the ominous words "copyright protection by certified DRM." The device will remain vaporware for a little longer; once it is in circulation, the world will see if it is truly a Linux-friendly (as opposed to simply Linux-using) gadget or not.
A more interesting project, one which could certainly benefit from more development help, is Rockbox. The Rockbox developers are creating a free system for portable music players; the primary target is the Archos product line, but work is proceeding on iRiver 1xx and 3xx players as well. This project (which will be releasing version 2.5 "soon") is a demonstration of why free software is such a nice thing to have on these devices.
A partial list of advantages to the Rockbox software would include:
- A much wider range of translations than the original manufacturer
provides.
- Numerous features for blind users, including a voice mode which reads
out menu entries as the user moves over them.
- Gapless playback.
- A wider range of codecs, enabling the use of audio formats not
supported by the manufacturer.
- A user-configurable "while playing" screen, enabling scarce display
space to be used for exactly what the user wishes to see.
- A plugin architecture for adding new features. The plugin
list appears heavily biased toward games, but it also includes image
file viewers, clocks and stopwatches, and more.
- On the iRiver: faster booting and the ability to boot into USB storage mode when the filesystem is corrupted. So filesystem problems which would turn a stock iRiver into a brick are recoverable with Rockbox.
The list goes on, but the point should be clear: Rockbox allows the owner of a music player to do away with no end of annoyances, add new features, and generally get the most out of a nice piece of hardware. The freedom to make changes like this is what drew many of us to free software in the first place.
The sad thing is that the Rockbox developers have had to put considerable work into figuring out how the hardware works and developing firmware patches. Had the vendors simply opened up their hardware in the first place, that effort could have gone into making the software better. This situation should eventually change: Rockbox already looks better than what a number of manufacturers are installing onto their players. As Rockbox develops and that gap widens, there will come a time when some manufacturer will realize that the ability to run Rockbox will be a positive selling point for a media player. Then, maybe, we'll have a truly open gadget to play with.
Reiser4 and kernel inclusion
Filesystem developer Hans Reiser cannot be accused of giving up quickly. His current request that the reiser4 filesystem be included in the 2.6.14 kernel has created a lengthy discussion, but that's not where the story starts. In fact, Hans first asked that reiser4 be merged back in July - of 2003. For more than two years, Hans has repeated his request and made changes in response to feedback from the kernel development community. Yet reiser4 remains out of the mainline, and its chances of getting into 2.6.14 appear small.Reiser4 is an interesting filesystem. It comes with claims of improved speed and space utilization; those are welcome, but they are beside the real point. Reiser4 includes a "wandering log" mechanism which provides journaling capability without the need for a separate journal. The ability to perform multi-step transactions is built into the filesystem, though not yet completely exposed to user space. Multi-stream files (including file-like access to file metadata) are supported, though this feature is turned off for the moment as well. A flexible plugin architecture makes it easy to add new features (such as encryption, compression, different formats, etc.) to the filesystem. And so on.
Hans Reiser and his developers at Namesys are trying to change how people work with filesystems - and with computers as a whole. The underlying vision is one where the filesystem implements the entire namespace used by the system; everything truly is a file. In the Reiser view of the future, applications like relational database managers need not exist; such tasks will be handled in the filesystem itself.
What it comes down to is that reiser4 represents some of the most innovative work being done with filesystems for Linux - or for any other system. So one might well wonder why inclusion is proving to be such a challenge. Some of the reasons are straightforward: there were genuine issues with the code. The "files as directories" capability opened the door to trivial, user-initiated kernel deadlocks - a feature which can absolutely ruin those performance benchmarks. The multiplexed sys_reiser4() system call - to be used for managing transactions, among other things - is just the sort of call that the Linux developers are trying to get away from (and its use of an in-kernel command interpreter did not help). A number of other things needed to be fixed; the Namesys hackers have been working through the list, but a few items remain.
The real point, however, is that getting code into the kernel is an increasingly hard thing to do. In the early days of Linux, almost any code which made things work or added new features was welcome - we needed it all. In more recent times, it is often hard to argue that new features are truly needed, especially at the kernel level. So each new addition must be weighed against the costs that will be incurred when it is added.
The result is that the standards for new kernel code have gone up considerably over the years. Reiser4 has run into these standards, and objections have been raised to code which duplicates features found elsewhere in the kernel, is hard to read, violates the layering rules, has unclear locking schemes, or which uses obsolete interfaces. The point is that, in order to be merged, the reiser4 code must be understandable by people other than its original developers. As Alan Cox put it:
"What happened later on" is that the reiser3 developers moved on to reiser4; not only did they stop maintaining the code, but they actively opposed updates made to the code by other developers. At this point, reiser3 is almost entirely maintained by non-Namesys developers. In the future, the same thing may well happen with reiser4.
The crux is this: the Linux kernel has been around for 14 years, and is expected to last for quite a few more. The kernel hackers understand that, if they are insufficiently careful about what they merge now, they will have a big mess to deal with five years down the road. Many developers, working in all areas of the kernel, have had seemingly good code turned away because the development community was worried about maintaining the code in the future. The process is most frustrating for the people involved, but it is absolutely essential if we want to continue to use Linux into the future. To many, the difficulties encountered by reiser4 (and FUSE, and the realtime LSM, and class-based kernel resource management, and ...) represent the kernel development process at its worst, but the opposite is true.
That said, reiser4 has had a harder time and more microscopes applied to its code than many other developments. Mr. Reiser's approach to community relations, which strikes many as occasionally belligerent and paranoiac, certainly has not helped here. This issue has been discussed often, but there is another issue which deserves airing: some people are clearly uncomfortable with the vision behind the ongoing Reiser filesystem effort. It doesn't quite look like the Unix systems we grew up with. Linux is not an experimental or research-oriented system, so the inclusion of radically different ideas of how the system should work must be carefully considered. But Linux must also evolve, or risk irrelevance in the future. Hans Reiser's efforts to push that evolution are a good thing; the community discourages such work at its peril. So perhaps the time has come to let reiser4 in; the wider community can then get to work dealing with any remaining issues.
The relevance of the Linux Standard Base
Back in May, 1998, a group of high-profile Linux development and business figures (including Linus Torvalds, Jon 'maddog' Hall, Bruce Perens, Ransom Love, Larry Augustin, Eric Raymond, and others) proposed the creation of a Linux application binary interface (ABI) standard. This effort, called the "Linux Standard Base," would help to ensure that applications ran on all Linux systems. In this way, it was hoped, a great wealth of applications for Linux would be created, and Linux would avoid the sort of fragmentation which afflicted proprietary Unix systems. The LSB would include a formal specification and a reference implementation; applications which ran on the reference system could be expected to run on all LSB-compliant systems.More than seven years later, version 3.0 of the LSB specification has been released. With this release, the LSB requires the system to have a relatively new compiler and toolchain (gcc-3.4 or newer), adds some libraries and interfaces, and cleans up some obsolete interfaces. There are two core variants of the LSB specification, depending on whether the target system is expected to have graphics capability or not. Sample implementations are available for eight different architectures. The release notes have more details, for those who are curious.
In many circles, however, the LSB 3.0 release is being greeted with a big yawn. Most Linux users probably have a hard time seeing how the LSB benefits them. Ulrich Drepper, who, as maintainer of glibc is faced with a wide range of LSB compliance issues, has recently claimed that the LSB lacks value and should be dropped. It is a rare Linux user who chooses a distribution or application based on its adherence to the LSB.
The stated purpose of the LSB was to encourage the availability of applications - both free and proprietary - for Linux. So it is telling that, among the available Linux applications, very few claim to be targeted at LSB-compliant systems. In fact, your editor found just one beyond the special versions of free applications in the LSB's own application battery: it's Appgen's MyBooks, which works on bleeding-edge LSB-compliant systems like SUSE 8.1 and SCO OpenLinux. In general, application vendors are not targeting the LSB; they are, instead, certifying specific distributions.
Not everybody feels a need for wide availability of proprietary applications for Linux. But, for those who do, the certification of individual distributions is exactly the sort of situation that the LSB was created to prevent. From that standpoint, the LSB would appear to have failed.
That said, the LSB effort has certainly had a positive effect in bringing Linux distributions closer, and in raising awareness among distributors of how their offerings diverge from the standard. Even if an application is not specifically aimed at LSB compliance, the fact that it probably just works on non-certified systems is, at least in part, attributable to the LSB. There is value in separating the core part of a distribution (that which, in some sense, makes it "Linux") from the additional features and services distributors throw in to add value to their offerings. The LSB helps to bring that separation about.
From the moment that Linux started to attract attention outside of the development community, detractors have grumbled that it would fragment in the same way that Unix did. Yet, despite the existence of hundreds of distributions, several of which are widely used, this fragmentation has not happened. Linux applications remain portable, and, just as importantly, switching from one distribution to another is (usually) nearly painless. Linux is Linux, regardless of the distributor. The reasons for this state of affairs include the use of a (more or less) common kernel and application base, and the fact that free licensing makes it easy for good ideas to move quickly from one distribution to another. But there is a place for standards as well. As long as the LSB continues to codify current expectations of what a Linux system should be, it will help to keep the Linux universe coherent.
Page editor: Jonathan Corbet
Security
Another look at response times
Two weeks ago, this page compared the response times of several distributors to a small set of recent security issues. That article generated a number of comments and a fair amount of mail from people who felt that its conclusions were inaccurate. As before, the table shows the number of days required for each distributor to issue an update. For the purposes of this table, the clock starts when a vulnerability is disclosed, or when the first distributor alert is issued, whichever comes first. So, here is a new version of the response times table which takes those comments - and alerts issued after publication - into account:
Vulnerability Distributor Debian Fedora Gentoo Red Hat SUSE Ubuntu Apache mod_ssl 14 9 21 11 14 12 clamav 22 3 3 n/a 5 -- evolution -- 1 13 19 6 1 fetchmail 22 0 4 4 7 5 PCRE 13 4 14 18 16 3 PHP XML-RPC 9 4 5 6 7 4 PHP XML-RPC 2 18 10 9 4 15 5 ProFTPd 35 -- 4 n/a n/a n/a vim modeline -- 16 n/a? 28 n/a? 1
In the above table, numbers which are underlined reflect alerts issued after the previous version. Those which are, instead, bold are corrections for erroneous entries published two weeks ago.
As one can see, a number of corrections were required. One might conclude from this that your editor was being even more clueless than usual when compiling the previous version of the table. One would probably be right, but there is a little more to it than that. It turns out that putting together a table like this is a hard thing to do.
The previous version stated that Fedora had not issued an advisory for clamav. That is, in fact, true; no advisory ever came out. The clamav package in Fedora Extras was quietly replaced, however, shortly after the vulnerability was disclosed. In the presence of silent fixes, it is hard for users to know if they are vulnerable or not; this is doubly true in cases where security fixes are backported to previous releases of the affected package. Fedora Extras does not do backporting, but it still requires an alert administrator to know that, while clamav has been fixed, ProFTPd in Extras remains vulnerable.
Speaking of ProFTPd, your editor had seen that package in a SUSE distribution he had at hand, and assumed it was still distributed. That turns out not to be the case.
Both SUSE and Gentoo claim to not be affected by the vim modeline vulnerability because they ship versions with the modeline feature turned off by default. Turning off a possibly insecure feature is a good thing to do; it reflects a concern by the distributor for the security of its users. Some of those users, however, will certainly turn the feature back on. Others will be concerned by the fact that they are running software with a known, unpatched vulnerability, even if that vulnerability does not directly affect them. In such cases, it would make sense for the distributor to, at a minimum, issue an advisory explaining the situation. Putting out a fix would be better.
Other corrections above reflect simple screwups on your editor's part. Sorry.
The corrected table still shows some real patterns in the relative response times for security updates. There is value in this information. As time permits, LWN will be making changes to its security database to make the generation of this sort of table an easier and more accurate process. But a task which, in the presence of nice things like CVE numbers, should be relatively straightforward is likely to require a fair amount of time (and iterations) for the foreseeable future.
Security news
Mozilla Linux Command Line URL Parsing Security Flaw Reported (MozillaZine)
MozillaZine warns of a new firefox security problem; this one has to do with command line parsing. "For example, consider a Linux user who uses Firefox as his or her default Web browser and Mozilla Thunderbird as his or her default email client. An attacker could send an email to this user containing a link to http://local`find`host. When the user clicks on this link in Thunderbird, Firefox's URL-parsing shell script will be invoked and will execute the find command before calling Firefox to open the URL." The firefox 1.0.7 release contains the fix for this problem (and a few others).
New vulnerabilities
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CAN-2005-2919 CAN-2005-2920 | ||||||||||||||||||
| Created: | September 19, 2005 | Updated: | September 29, 2005 | ||||||||||||||||||
| Description: | The release notes for ClamAV 0.87 note that this version fixes vulnerabilities in the handling of UPX and FSG compressed executables. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Mailutils: format string vulnerability in imap4d
| Package(s): | mailutils | CVE #(s): | CAN-2005-2878 | |||||||||
| Created: | September 19, 2005 | Updated: | October 13, 2005 | |||||||||
| Description: | The imap4d server contains a format string bug in the handling of IMAP SEARCH requests. | |||||||||||
| Alerts: |
| |||||||||||
masqmail: input sanitizing and symlink vulnerabilities
| Package(s): | masqmail | CVE #(s): | CAN-2005-2662 CAN-2005-2663 | ||||||
| Created: | September 21, 2005 | Updated: | October 10, 2005 | ||||||
| Description: | Masqmail fails to properly sanitize addresses when sending failed mail, allowing a local attacker to run arbitrary commands as the mail user. There is also a symlink vulnerability which can be exploited to overwrite files. | ||||||||
| Alerts: |
| ||||||||
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play | CVE #(s): | CAN-2005-2875 | |||||||||
| Created: | September 19, 2005 | Updated: | September 6, 2006 | |||||||||
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. | |||||||||||
| Alerts: |
| |||||||||||
turqstat: buffer overflow
| Package(s): | turqstat | CVE #(s): | CAN-2005-2658 | |||
| Created: | September 15, 2005 | Updated: | September 20, 2005 | |||
| Description: | Turquoise SuperStat is a Fidonet and Usenet statistics gathering application. A malicious NNTP server can cause a buffer overflow condition. | |||||
| Alerts: |
| |||||
Zebedee: Denial of Service vulnerability
| Package(s): | zebedee | CVE #(s): | ||||
| Created: | September 20, 2005 | Updated: | September 20, 2005 | |||
| Description: | Zebedee crashes when "0" is received as the port number in the protocol option header. By performing malformed requests a remote attacker could cause Zebedee to crash. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
CUPS: multiple vulnerabilities
| Package(s): | CUPS | CVE #(s): | CAN-2004-2154 | ||||||||||||
| Created: | July 14, 2005 | Updated: | September 20, 2005 | ||||||||||||
| Description: | The CUPS printing system has a problem with queue name case-sensitivity matching that can cause a security policy override. An unauthorized user can use this to gain print to a protected queue. | ||||||||||||||
| Alerts: |
| ||||||||||||||
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 | ||||||||||||||||||
| Created: | November 26, 2004 | Updated: | December 19, 2005 | ||||||||||||||||||
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache information disclosure if modssl=yes
| Package(s): | apache | CVE #(s): | CAN-2005-2700 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | September 2, 2005 | Updated: | November 10, 2005 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd | CVE #(s): | CAN-2005-1268 CAN-2005-2088 | |||||||||||||||||||||||||||||||||||||||
| Created: | July 25, 2005 | Updated: | November 7, 2005 | |||||||||||||||||||||||||||||||||||||||
| Description: | Watchfire reported a flaw that occurred when using the Apache server as an
HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL). | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
awstats: command injection vulnerability
| Package(s): | awstats | CVE #(s): | CAN-2005-1527 | |||||||||
| Created: | August 11, 2005 | Updated: | November 10, 2005 | |||||||||
| Description: | AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server. | |||||||||||
| Alerts: |
| |||||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
common-lisp-controller: design error
| Package(s): | common-lisp-controller | CVE #(s): | CAN-2005-2657 | ||||||
| Created: | September 14, 2005 | Updated: | November 21, 2005 | ||||||
| Description: | François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before. | ||||||||
| Alerts: |
| ||||||||
cpio: directory traversal
| Package(s): | cpio | CVE #(s): | CAN-2005-1111 | |||||||||||||||||||||||||||
| Created: | June 20, 2005 | Updated: | December 26, 2005 | |||||||||||||||||||||||||||
| Description: | There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 | |||||||||||||||||||||||||||
| Created: | February 23, 2005 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
elm: buffer overflow
| Package(s): | elm | CVE #(s): | CAN-2005-2665 | ||||||
| Created: | August 23, 2005 | Updated: | November 10, 2005 | ||||||
| Description: | A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it. | ||||||||
| Alerts: |
| ||||||||
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 7, 2005 | Updated: | May 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
ethereal: dissector vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2005-2365 CAN-2005-2367 CAN-2005-2360 CAN-2005-2361 CAN-2005-2362 CAN-2005-2363 CAN-2005-2364 CAN-2005-2366 | ||||||||||||||||||
| Created: | July 28, 2005 | Updated: | October 10, 2005 | ||||||||||||||||||
| Description: | The ethereal network traffic analyzer has several vulnerabilities, involving traffic dissectors. Dissectors have buffer overflows, format string overflows, and crashing/denial of service issues. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
evolution: format string issues
| Package(s): | evolution | CVE #(s): | CAN-2005-2549 CAN-2005-2550 | |||||||||||||||||||||
| Created: | August 15, 2005 | Updated: | March 23, 2006 | |||||||||||||||||||||
| Description: | Evolution has format string issues. SITIC advisory SA05-001 contains more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gaim: buffer overflow
| Package(s): | gaim | CVE #(s): | CAN-2005-2103 | ||||||||||||||||||||||||
| Created: | August 10, 2005 | Updated: | February 27, 2006 | ||||||||||||||||||||||||
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 20, 2005 | Updated: | August 11, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2005-0891 | ||||||||||||||||||||||||||||||||||||
| Created: | March 30, 2005 | Updated: | December 19, 2005 | ||||||||||||||||||||||||||||||||||||
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript | CVE #(s): | CAN-2004-0967 | |||||||||
| Created: | October 20, 2004 | Updated: | September 28, 2005 | |||||||||
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. | |||||||||||
| Alerts: |
| |||||||||||
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 | ||||||||||||||||||||||||
| Created: | October 21, 2004 | Updated: | November 14, 2005 | ||||||||||||||||||||||||
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
grip: buffer overflow
| Package(s): | grip | CVE #(s): | CAN-2005-0706 | |||||||||||||||||||||||||||
| Created: | March 10, 2005 | Updated: | September 16, 2005 | |||||||||||||||||||||||||||
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 | |||||||||||||||||||||
| Created: | August 1, 2005 | Updated: | January 9, 2007 | |||||||||||||||||||||
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
htdig: cross site scripting
| Package(s): | htdig | CVE #(s): | CAN-2005-0085 | |||||||||||||||
| Created: | February 14, 2005 | Updated: | January 10, 2006 | |||||||||||||||
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 | |||||||||
| Created: | February 18, 2005 | Updated: | April 9, 2006 | |||||||||
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. | |||||||||||
| Alerts: |
| |||||||||||
imlib2: buffer overflows
| Package(s): | imlib2 | CVE #(s): | CAN-2004-0802 CAN-2004-0817 | |||||||||||||||||||||||||||
| Created: | September 8, 2004 | Updated: | October 26, 2005 | |||||||||||||||||||||||||||
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster | CVE #(s): | CVE-2005-1108 CVE-2005-1109 | ||||||
| Created: | April 13, 2005 | Updated: | November 5, 2005 | ||||||
| Description: | JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. | ||||||||
| Alerts: |
| ||||||||
kdebase: local root vulnerability
| Package(s): | kdebase | CVE #(s): | CAN-2005-2494 | |||||||||||||||
| Created: | September 7, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdeedu: tempfile handling vulnerabilities
| Package(s): | kdeedu | CVE #(s): | CAN-2005-2101 | ||||||||||||
| Created: | August 15, 2005 | Updated: | September 22, 2005 | ||||||||||||
| Description: | Ben Burton notified the KDE security team about several tempfile handling related vulnerabilities in langen2kvtml, a conversion script for kvoctrain. The script must be manually invoked. The script uses known filenames in /tmp which allow an local attacker to overwrite files writeable by the user invoking the conversion script. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 | |||||||||||||||||||||
| Created: | July 19, 2005 | Updated: | November 27, 2006 | |||||||||||||||||||||
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-2098 CAN-2005-2099 CAN-2005-2456 CAN-2005-2457 CAN-2005-2458 CAN-2005-2459 CAN-2005-2548 CAN-2005-2555 | ||||||||||||||||||
| Created: | August 19, 2005 | Updated: | September 19, 2005 | ||||||||||||||||||
| Description: | David Howells discovered a local Denial of Service vulnerability in
the key session joining function. Under certain user-triggerable
conditions, a semaphore was not released properly, which caused
processes which also attempted to join a key session to hang forever.
(CAN-2005-2098)
David Howells discovered a local Denial of Service vulnerability in the keyring allocator. A local attacker could exploit this to crash the kernel by attempting to add a specially crafted invalid keyring. (CAN-2005-2099) Balazs Scheidler discovered a local Denial of Service vulnerability in the xfrm_compile_policy() function. By calling setsockopt() with an invalid xfrm_user policy message, a local attacker could cause the kernel to write to an array beyond its boundaries, thus causing a kernel crash. (CAN-2005-2456) Tim Yamin discovered that the driver for compressed ISO file systems did not sufficiently validate the input data. By tricking an user into mounting a malicious CD-ROM with a specially crafted compressed ISO file system, he could cause a kernel crash. (CAN-2005-2457) It was discovered that the kernel's embedded zlib compression library was still vulnerable to two old vulnerabilities of the standalone zlib library. This library is used by various drivers and can also be used by third party modules, so the impact varies. (CAN-2005-2458, CAN-2005-2459) Peter Sandstrom discovered a remote Denial of Service vulnerability in the SNMP handler. Certain UDP packages lead to a function call with the wrong argument, which resulted in a crash of the network stack. (CAN-2005-2548) Herbert Xu discovered that the setsockopt() function was not restricted to privileged users. This allowed a local attacker to bypass intended IPSec policies, set invalid policies to exploit flaws like CAN-2005-2456, or cause a Denial of Service by adding policies until kernel memory is exhausted. Now the call is restricted to processes with the CAP_NET_ADMIN capability. (CAN-2005-2555) | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003 | |||||||||||||||||||||
| Created: | March 24, 2005 | Updated: | May 31, 2006 | |||||||||||||||||||||
| Description: | A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
krb5: double-free flaw
| Package(s): | krb5 | CVE #(s): | CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689 | ||||||||||||||||||||||||||||||
| Created: | July 12, 2005 | Updated: | December 6, 2005 | ||||||||||||||||||||||||||||||
| Description: | The krb5 authentication has a double-free flaw which may be initiated by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service and an information disclosure may be caused by a malicious telnet server. See This report for more information. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
libXpm: new buffer overflows
| Package(s): | libXpm | CVE #(s): | CAN-2005-0605 | ||||||||||||||||
| Created: | March 4, 2005 | Updated: | March 8, 2006 | ||||||||||||||||
| Description: | A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||