LWN.net Logo

LWN.net Weekly Edition for September 22, 2005

Two approaches to Open gadgets

The world is full of fun gadgets which perform specific tasks. Those gadgets tend to be highly closed affairs, however. Even the ones which run Linux are sealed shut so that they cannot be played with. The result is that many of these toys retain annoying misfeatures and do not live up to their full potential. For this reason, most interesting electronic toys are surrounded by a crowd of developers looking for a way in. Wouldn't it be nice if that work weren't necessary?

One device which has begun to attract attention is the GP2X, which will be shipping soon. This device has a superficial resemblance to the Sony PSP; it has a central screen with a set of buttons on the right and a joystick-button on the left. Unlike the PSP, however, it is an open device. The specifications are available (this Wikipedia page has the most comprehensive information), and the device runs Linux. It is clearly meant to be hacked on, and it could be the source of no end of interesting applications.

On the other hand, some details are scarce, and there appears to be no place to download the Linux distribution used on the device. An earlier version of the product page contains the ominous words "copyright protection by certified DRM." The device will remain vaporware for a little longer; once it is in circulation, the world will see if it is truly a Linux-friendly (as opposed to simply Linux-using) gadget or not.

A more interesting project, one which could certainly benefit from more development help, is Rockbox. The Rockbox developers are creating a free system for portable music players; the primary target is the Archos product line, but work is proceeding on iRiver 1xx and 3xx players as well. This project (which will be releasing version 2.5 "soon") is a demonstration of why free software is such a nice thing to have on these devices.

A partial list of advantages to the Rockbox software would include:

  • A much wider range of translations than the original manufacturer provides.

  • Numerous features for blind users, including a voice mode which reads out menu entries as the user moves over them.

  • Gapless playback.

  • A wider range of codecs, enabling the use of audio formats not supported by the manufacturer.

  • A user-configurable "while playing" screen, enabling scarce display space to be used for exactly what the user wishes to see.

  • A plugin architecture for adding new features. The plugin list appears heavily biased toward games, but it also includes image file viewers, clocks and stopwatches, and more.

  • On the iRiver: faster booting and the ability to boot into USB storage mode when the filesystem is corrupted. So filesystem problems which would turn a stock iRiver into a brick are recoverable with Rockbox.

The list goes on, but the point should be clear: Rockbox allows the owner of a music player to do away with no end of annoyances, add new features, and generally get the most out of a nice piece of hardware. The freedom to make changes like this is what drew many of us to free software in the first place.

The sad thing is that the Rockbox developers have had to put considerable work into figuring out how the hardware works and developing firmware patches. Had the vendors simply opened up their hardware in the first place, that effort could have gone into making the software better. This situation should eventually change: Rockbox already looks better than what a number of manufacturers are installing onto their players. As Rockbox develops and that gap widens, there will come a time when some manufacturer will realize that the ability to run Rockbox will be a positive selling point for a media player. Then, maybe, we'll have a truly open gadget to play with.

Comments (14 posted)

Reiser4 and kernel inclusion

Filesystem developer Hans Reiser cannot be accused of giving up quickly. His current request that the reiser4 filesystem be included in the 2.6.14 kernel has created a lengthy discussion, but that's not where the story starts. In fact, Hans first asked that reiser4 be merged back in July - of 2003. For more than two years, Hans has repeated his request and made changes in response to feedback from the kernel development community. Yet reiser4 remains out of the mainline, and its chances of getting into 2.6.14 appear small.

Reiser4 is an interesting filesystem. It comes with claims of improved speed and space utilization; those are welcome, but they are beside the real point. Reiser4 includes a "wandering log" mechanism which provides journaling capability without the need for a separate journal. The ability to perform multi-step transactions is built into the filesystem, though not yet completely exposed to user space. Multi-stream files (including file-like access to file metadata) are supported, though this feature is turned off for the moment as well. A flexible plugin architecture makes it easy to add new features (such as encryption, compression, different formats, etc.) to the filesystem. And so on.

Hans Reiser and his developers at Namesys are trying to change how people work with filesystems - and with computers as a whole. The underlying vision is one where the filesystem implements the entire namespace used by the system; everything truly is a file. In the Reiser view of the future, applications like relational database managers need not exist; such tasks will be handled in the filesystem itself.

What it comes down to is that reiser4 represents some of the most innovative work being done with filesystems for Linux - or for any other system. So one might well wonder why inclusion is proving to be such a challenge. Some of the reasons are straightforward: there were genuine issues with the code. The "files as directories" capability opened the door to trivial, user-initiated kernel deadlocks - a feature which can absolutely ruin those performance benchmarks. The multiplexed sys_reiser4() system call - to be used for managing transactions, among other things - is just the sort of call that the Linux developers are trying to get away from (and its use of an in-kernel command interpreter did not help). A number of other things needed to be fixed; the Namesys hackers have been working through the list, but a few items remain.

The real point, however, is that getting code into the kernel is an increasingly hard thing to do. In the early days of Linux, almost any code which made things work or added new features was welcome - we needed it all. In more recent times, it is often hard to argue that new features are truly needed, especially at the kernel level. So each new addition must be weighed against the costs that will be incurred when it is added.

The result is that the standards for new kernel code have gone up considerably over the years. Reiser4 has run into these standards, and objections have been raised to code which duplicates features found elsewhere in the kernel, is hard to read, violates the layering rules, has unclear locking schemes, or which uses obsolete interfaces. The point is that, in order to be merged, the reiser4 code must be understandable by people other than its original developers. As Alan Cox put it:

It doesn't matter if reiser4 causes crashes. It matters that people can fix them, that they are actively fixed and the code is maintainable. It will have bugs, all complex code has bugs. Hans team have demonstrated the ability to fix some of those bugs fast, but we also all remember what happened with reiser3 later on despite early fast fixing.

"What happened later on" is that the reiser3 developers moved on to reiser4; not only did they stop maintaining the code, but they actively opposed updates made to the code by other developers. At this point, reiser3 is almost entirely maintained by non-Namesys developers. In the future, the same thing may well happen with reiser4.

The crux is this: the Linux kernel has been around for 14 years, and is expected to last for quite a few more. The kernel hackers understand that, if they are insufficiently careful about what they merge now, they will have a big mess to deal with five years down the road. Many developers, working in all areas of the kernel, have had seemingly good code turned away because the development community was worried about maintaining the code in the future. The process is most frustrating for the people involved, but it is absolutely essential if we want to continue to use Linux into the future. To many, the difficulties encountered by reiser4 (and FUSE, and the realtime LSM, and class-based kernel resource management, and ...) represent the kernel development process at its worst, but the opposite is true.

That said, reiser4 has had a harder time and more microscopes applied to its code than many other developments. Mr. Reiser's approach to community relations, which strikes many as occasionally belligerent and paranoiac, certainly has not helped here. This issue has been discussed often, but there is another issue which deserves airing: some people are clearly uncomfortable with the vision behind the ongoing Reiser filesystem effort. It doesn't quite look like the Unix systems we grew up with. Linux is not an experimental or research-oriented system, so the inclusion of radically different ideas of how the system should work must be carefully considered. But Linux must also evolve, or risk irrelevance in the future. Hans Reiser's efforts to push that evolution are a good thing; the community discourages such work at its peril. So perhaps the time has come to let reiser4 in; the wider community can then get to work dealing with any remaining issues.

Comments (53 posted)

The relevance of the Linux Standard Base

Back in May, 1998, a group of high-profile Linux development and business figures (including Linus Torvalds, Jon 'maddog' Hall, Bruce Perens, Ransom Love, Larry Augustin, Eric Raymond, and others) proposed the creation of a Linux application binary interface (ABI) standard. This effort, called the "Linux Standard Base," would help to ensure that applications ran on all Linux systems. In this way, it was hoped, a great wealth of applications for Linux would be created, and Linux would avoid the sort of fragmentation which afflicted proprietary Unix systems. The LSB would include a formal specification and a reference implementation; applications which ran on the reference system could be expected to run on all LSB-compliant systems.

More than seven years later, version 3.0 of the LSB specification has been released. With this release, the LSB requires the system to have a relatively new compiler and toolchain (gcc-3.4 or newer), adds some libraries and interfaces, and cleans up some obsolete interfaces. There are two core variants of the LSB specification, depending on whether the target system is expected to have graphics capability or not. Sample implementations are available for eight different architectures. The release notes have more details, for those who are curious.

In many circles, however, the LSB 3.0 release is being greeted with a big yawn. Most Linux users probably have a hard time seeing how the LSB benefits them. Ulrich Drepper, who, as maintainer of glibc is faced with a wide range of LSB compliance issues, has recently claimed that the LSB lacks value and should be dropped. It is a rare Linux user who chooses a distribution or application based on its adherence to the LSB.

The stated purpose of the LSB was to encourage the availability of applications - both free and proprietary - for Linux. So it is telling that, among the available Linux applications, very few claim to be targeted at LSB-compliant systems. In fact, your editor found just one beyond the special versions of free applications in the LSB's own application battery: it's Appgen's MyBooks, which works on bleeding-edge LSB-compliant systems like SUSE 8.1 and SCO OpenLinux. In general, application vendors are not targeting the LSB; they are, instead, certifying specific distributions.

Not everybody feels a need for wide availability of proprietary applications for Linux. But, for those who do, the certification of individual distributions is exactly the sort of situation that the LSB was created to prevent. From that standpoint, the LSB would appear to have failed.

That said, the LSB effort has certainly had a positive effect in bringing Linux distributions closer, and in raising awareness among distributors of how their offerings diverge from the standard. Even if an application is not specifically aimed at LSB compliance, the fact that it probably just works on non-certified systems is, at least in part, attributable to the LSB. There is value in separating the core part of a distribution (that which, in some sense, makes it "Linux") from the additional features and services distributors throw in to add value to their offerings. The LSB helps to bring that separation about.

From the moment that Linux started to attract attention outside of the development community, detractors have grumbled that it would fragment in the same way that Unix did. Yet, despite the existence of hundreds of distributions, several of which are widely used, this fragmentation has not happened. Linux applications remain portable, and, just as importantly, switching from one distribution to another is (usually) nearly painless. Linux is Linux, regardless of the distributor. The reasons for this state of affairs include the use of a (more or less) common kernel and application base, and the fact that free licensing makes it easy for good ideas to move quickly from one distribution to another. But there is a place for standards as well. As long as the LSB continues to codify current expectations of what a Linux system should be, it will help to keep the Linux universe coherent.

Comments (5 posted)

Page editor: Jonathan Corbet

Security

Another look at response times

Two weeks ago, this page compared the response times of several distributors to a small set of recent security issues. That article generated a number of comments and a fair amount of mail from people who felt that its conclusions were inaccurate. As before, the table shows the number of days required for each distributor to issue an update. For the purposes of this table, the clock starts when a vulnerability is disclosed, or when the first distributor alert is issued, whichever comes first. So, here is a new version of the response times table which takes those comments - and alerts issued after publication - into account:

Vulnerability Distributor
Debian Fedora Gentoo Red Hat SUSE Ubuntu
Apache mod_ssl 14 9 21 11 14 12
clamav 22 3 3 n/a 5 --
evolution -- 1 13 19 6 1
fetchmail 22 0 4 4 7 5
PCRE 13 4 14 18 16 3
PHP XML-RPC 9 4 5 6 7 4
PHP XML-RPC 2 18 10 9 4 15 5
ProFTPd 35 -- 4 n/a n/a n/a
vim modeline -- 16 n/a? 28 n/a? 1

In the above table, numbers which are underlined reflect alerts issued after the previous version. Those which are, instead, bold are corrections for erroneous entries published two weeks ago.

As one can see, a number of corrections were required. One might conclude from this that your editor was being even more clueless than usual when compiling the previous version of the table. One would probably be right, but there is a little more to it than that. It turns out that putting together a table like this is a hard thing to do.

The previous version stated that Fedora had not issued an advisory for clamav. That is, in fact, true; no advisory ever came out. The clamav package in Fedora Extras was quietly replaced, however, shortly after the vulnerability was disclosed. In the presence of silent fixes, it is hard for users to know if they are vulnerable or not; this is doubly true in cases where security fixes are backported to previous releases of the affected package. Fedora Extras does not do backporting, but it still requires an alert administrator to know that, while clamav has been fixed, ProFTPd in Extras remains vulnerable.

Speaking of ProFTPd, your editor had seen that package in a SUSE distribution he had at hand, and assumed it was still distributed. That turns out not to be the case.

Both SUSE and Gentoo claim to not be affected by the vim modeline vulnerability because they ship versions with the modeline feature turned off by default. Turning off a possibly insecure feature is a good thing to do; it reflects a concern by the distributor for the security of its users. Some of those users, however, will certainly turn the feature back on. Others will be concerned by the fact that they are running software with a known, unpatched vulnerability, even if that vulnerability does not directly affect them. In such cases, it would make sense for the distributor to, at a minimum, issue an advisory explaining the situation. Putting out a fix would be better.

Other corrections above reflect simple screwups on your editor's part. Sorry.

The corrected table still shows some real patterns in the relative response times for security updates. There is value in this information. As time permits, LWN will be making changes to its security database to make the generation of this sort of table an easier and more accurate process. But a task which, in the presence of nice things like CVE numbers, should be relatively straightforward is likely to require a fair amount of time (and iterations) for the foreseeable future.

Comments (9 posted)

Security news

Mozilla Linux Command Line URL Parsing Security Flaw Reported (MozillaZine)

MozillaZine warns of a new firefox security problem; this one has to do with command line parsing. "For example, consider a Linux user who uses Firefox as his or her default Web browser and Mozilla Thunderbird as his or her default email client. An attacker could send an email to this user containing a link to http://local`find`host. When the user clicks on this link in Thunderbird, Firefox's URL-parsing shell script will be invoked and will execute the find command before calling Firefox to open the URL." The firefox 1.0.7 release contains the fix for this problem (and a few others).

Comments (6 posted)

New vulnerabilities

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CAN-2005-2919 CAN-2005-2920
Created:September 19, 2005 Updated:September 29, 2005
Description: The release notes for ClamAV 0.87 note that this version fixes vulnerabilities in the handling of UPX and FSG compressed executables.
Alerts:
Gentoo 200509-13 2005-09-19
Mandriva MDKSA-2005:166 2005-09-20
Debian-Testing DTSA-19-1 2005-09-22
Trustix TSLSA-2005-0051 2005-09-23
SuSE SUSE-SA:2005:055 2005-09-26
Debian DSA-824-1 2005-09-29

Comments (none posted)

Mailutils: format string vulnerability in imap4d

Package(s):mailutils CVE #(s):CAN-2005-2878
Created:September 19, 2005 Updated:October 13, 2005
Description: The imap4d server contains a format string bug in the handling of IMAP SEARCH requests.
Alerts:
Gentoo 200509-10 2005-09-17
Debian DSA-841-1 2005-10-04
Debian-Testing DTSA-20-1 2005-10-13

Comments (none posted)

masqmail: input sanitizing and symlink vulnerabilities

Package(s):masqmail CVE #(s):CAN-2005-2662 CAN-2005-2663
Created:September 21, 2005 Updated:October 10, 2005
Description: Masqmail fails to properly sanitize addresses when sending failed mail, allowing a local attacker to run arbitrary commands as the mail user. There is also a symlink vulnerability which can be exploited to overwrite files.
Alerts:
Mandriva MDKSA-2005:168 2005-09-20
Debian DSA-848-1 2005-10-08

Comments (none posted)

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Gentoo 200509-09 2005-09-17
Debian DSA-856-1 2005-10-10
Gentoo 200509-09:02 2005-09-17

Comments (none posted)

turqstat: buffer overflow

Package(s):turqstat CVE #(s):CAN-2005-2658
Created:September 15, 2005 Updated:September 20, 2005
Description: Turquoise SuperStat is a Fidonet and Usenet statistics gathering application. A malicious NNTP server can cause a buffer overflow condition.
Alerts:
Debian DSA-812-1 2005-09-15

Comments (none posted)

Zebedee: Denial of Service vulnerability

Package(s):zebedee CVE #(s):
Created:September 20, 2005 Updated:September 20, 2005
Description: Zebedee crashes when "0" is received as the port number in the protocol option header. By performing malformed requests a remote attacker could cause Zebedee to crash.
Alerts:
Gentoo 200509-14 2005-09-20

Comments (none posted)

Updated vulnerabilities

CUPS: multiple vulnerabilities

Package(s):CUPS CVE #(s):CAN-2004-2154
Created:July 14, 2005 Updated:September 20, 2005
Description: The CUPS printing system has a problem with queue name case-sensitivity matching that can cause a security policy override. An unauthorized user can use this to gain print to a protected queue.
Alerts:
Red Hat RHSA-2005:571-01 2005-07-14
Fedora-Legacy FLSA:163274 2005-09-14
Ubuntu USN-185-1 2005-09-20
Mandriva MDKSA-2005:165 2005-09-15

Comments (none posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
EnGarde ESA-20040317-003 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Debian DSA-465-1 2004-03-17
Gentoo 200403-03 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Red Hat RHSA-2004:121-01 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Trustix TSLSA-2004-0012 2004-03-17
Whitebox WBSA-2004:120-01 2004-03-22
Fedora FEDORA-2004-095 2004-03-19
Red Hat RHSA-2004:084-01 2004-03-23
Whitebox WBSA-2004:084-01 2004-03-23
Conectiva CLA-2004:834 2004-03-31
Fedora-Legacy FLSA:1395 2004-05-08
Fedora FEDORA-2005-1042 2005-10-31
Red Hat RHSA-2005:829-00 2005-11-02
Red Hat RHSA-2005:830-00 2005-11-02

Comments (1 posted)

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Mandrake MDKSA-2004:140 2004-11-25
Debian DSA-612-1 2004-12-20
Gentoo 200501-02 2005-01-04
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Mandriva MDKSA-2005:097 2005-06-07
Fedora-Legacy FLSA:152870 2005-12-17

Comments (none posted)

apache information disclosure if modssl=yes

Package(s):apache CVE #(s):CAN-2005-2700
Created:September 2, 2005 Updated:November 10, 2005
Description: An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
Alerts:
OpenPKG OpenPKG-SA-2005.017 2005-09-02
Red Hat RHSA-2005:608-01 2005-09-06
Ubuntu USN-177-1 2005-09-07
Debian DSA-805-1 2005-09-08
Fedora FEDORA-2005-848 2005-09-07
Mandriva MDKSA-2005:161 2005-09-08
Fedora FEDORA-2005-849 2005-09-07
Slackware SSA:2005-251-02 2005-09-09
Debian DSA-807-1 2005-09-12
Slackware SSA:2005-251-03 2005-09-14
Red Hat RHSA-2005:773-01 2005-09-15
SuSE SUSE-SA:2005:052 2005-09-12
Gentoo 200509-12 2005-09-19
Fedora-Legacy FLSA:166941 2005-11-09

Comments (none posted)

httpd: off-by-one overflow and cross-site scripting

Package(s):apache httpd CVE #(s):CAN-2005-1268 CAN-2005-2088
Created:July 25, 2005 Updated:November 7, 2005
Description: Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL).

Alerts:
Red Hat RHSA-2005:582-01 2005-07-25
SuSE SUSE-SR:2005:018 2005-07-28
Trustix TSLSA-2005-0038 2005-07-29
Fedora FEDORA-2005-639 2005-08-02
Fedora FEDORA-2005-638 2005-08-02
Mandriva MDKSA-2005:129 2005-08-03
Mandriva MDKSA-2005:130 2005-08-03
Ubuntu USN-160-1 2005-08-04
Fedora-Legacy FLSA:157701 2005-08-10
SuSE SUSE-SA:2005:046 2005-08-16
Ubuntu USN-160-2 2005-09-07
Debian DSA-803-1 2005-09-08
Slackware SSA:2005-310-04 2005-11-07

Comments (none posted)

awstats: command injection vulnerability

Package(s):awstats CVE #(s):CAN-2005-1527
Created:August 11, 2005 Updated:November 10, 2005
Description: AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server.
Alerts:
Ubuntu USN-167-1 2005-08-11
Gentoo 200508-07 2005-08-16
Debian DSA-892-1 2005-11-10

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
Ubuntu USN-127-1 2005-05-17
Mandriva MDKSA-2005:091 2005-05-18
Debian DSA-730-1 2005-05-27
SuSE SUSE-SR:2005:015 2005-06-07
OpenPKG OpenPKG-SA-2005.008 2005-06-10
Red Hat RHSA-2005:474-01 2005-06-16
Debian DSA-741-1 2005-07-07
rPath rPSA-2007-0004-1 2007-01-09

Comments (2 posted)

common-lisp-controller: design error

Package(s):common-lisp-controller CVE #(s):CAN-2005-2657
Created:September 14, 2005 Updated:November 21, 2005
Description: François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before.
Alerts:
Debian DSA-811-1 2005-09-14
Debian DSA-811-2 2005-11-21

Comments (none posted)

cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute.
Alerts:
Gentoo 200506-16 2005-06-20
Trustix TSLSA-2005-0030 2005-06-24
Mandriva MDKSA-2005:116 2005-07-11
Mandriva MDKSA-2005:116-1 2005-07-19
Red Hat RHSA-2005:378-01 2005-07-21
Ubuntu USN-189-1 2005-09-29
Debian DSA-846-1 2005-10-07
Red Hat RHSA-2005:806-01 2005-11-10
Mandriva MDKSA-2005:237 2005-12-23

Comments (1 posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Gentoo 200502-29 2005-02-23
SuSE SUSE-SA:2005:009 2005-02-24
Ubuntu USN-87-1 2005-02-28
Mandrake MDKSA-2005:051 2005-03-04
Conectiva CLA-2005:937 2005-03-17
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Fedora FEDORA-2005-339 2005-04-27
Red Hat RHSA-2005:408-01 2005-05-17
Fedora-Legacy FLSA:156290 2006-04-04

Comments (none posted)

elm: buffer overflow

Package(s):elm CVE #(s):CAN-2005-2665
Created:August 23, 2005 Updated:November 10, 2005
Description: A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it.
Alerts:
Red Hat RHSA-2005:755-01 2005-08-23
Slackware SSA:2005-311-01 2005-11-08

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Ubuntu USN-76-1 2005-02-07
Debian DSA-670-1 2005-02-08
Debian DSA-671-1 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Fedora FEDORA-2005-116 2005-02-08
Red Hat RHSA-2005:112-01 2005-02-10
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:133-01 2005-02-15
Fedora FEDORA-2005-145 2005-02-14
Fedora FEDORA-2005-146 2005-02-14
Gentoo 200502-20 2005-02-15
Mandrake MDKSA-2005:038 2005-02-15
Debian DSA-685-1 2005-02-17
Fedora-Legacy FLSA:152898 2006-05-12

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
Debian DSA-654-1 2005-01-21
Ubuntu USN-68-1 2005-01-24
Fedora FEDORA-2005-015 2005-01-26
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-096 2005-01-31
Red Hat RHSA-2005:039-01 2005-02-01
Gentoo 200502-03 2005-02-02
Mandrake MDKSA-2005:033 2005-02-10
Red Hat RHSA-2005:040-01 2005-02-15
Fedora-Legacy FLSA:152892 2005-12-17
rPath rPSA-2006-0083-1 2006-05-26

Comments (none posted)

ethereal: dissector vulnerabilities

Package(s):ethereal CVE #(s):CAN-2005-2365 CAN-2005-2367 CAN-2005-2360 CAN-2005-2361 CAN-2005-2362 CAN-2005-2363 CAN-2005-2364 CAN-2005-2366
Created:July 28, 2005 Updated:October 10, 2005
Description: The ethereal network traffic analyzer has several vulnerabilities, involving traffic dissectors. Dissectors have buffer overflows, format string overflows, and crashing/denial of service issues.
Alerts:
Gentoo 200507-27 2005-07-28
Fedora FEDORA-2005-651 2005-07-28
Fedora FEDORA-2005-655 2005-07-29
Mandriva MDKSA-2005:131 2005-08-04
Red Hat RHSA-2005:687-01 2005-08-10
Debian DSA-853-1 2005-10-09

Comments (none posted)

evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
Description: Evolution has format string issues. SITIC advisory SA05-001 contains more information.
Alerts:
Fedora FEDORA-2005-743 2005-08-11
Fedora FEDORA-2005-742 2005-08-11
Mandriva MDKSA-2005:141 2005-08-17
Gentoo 200508-12 2005-08-23
Red Hat RHSA-2005:267-01 2005-08-29
SuSE SUSE-SA:2005:054 2005-09-16
Debian DSA-1016-1 2006-03-23

Comments (2 posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
Gentoo 200409-24 2004-09-20
Fedora FEDORA-2004-303 2004-09-21
Conectiva CLA-2004:880 2004-10-27
Fedora-Legacy FLSA:2076 2004-11-05
SuSE SUSE-SA:2006:026 2006-05-30

Comments (none posted)

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Red Hat RHSA-2005:589-01 2005-08-09
Ubuntu USN-168-1 2005-08-12
Gentoo 200508-06 2005-08-15
Mandriva MDKSA-2005:139 2005-08-15
Fedora FEDORA-2005-750 2005-08-17
Fedora FEDORA-2005-751 2005-08-17
Slackware SSA:2005-242-03 2005-08-31
Fedora-Legacy FLSA:158543 2006-02-25

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Gentoo 200505-15 2005-05-20
Ubuntu USN-135-1 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-136-2 2005-05-27
Mandriva MDKSA-2005:095 2005-05-30
Trustix TSLSA-2005-0025 2005-05-31
Gentoo 200506-01 2005-06-01
Fedora FEDORA-2005-497 2005-06-29
Fedora FEDORA-2005-498 2005-06-29
Red Hat RHSA-2005:659-01 2005-09-28
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:801-01 2005-10-18
Fedora FEDORA-2005-1032 2005-10-27
Fedora FEDORA-2005-1033 2005-10-27
Mandriva MDKSA-2005:215 2005-11-23
Red Hat RHSA-2006:0368-01 2006-07-20
Red Hat RHSA-2006:0354-01 2006-08-10

Comments (5 posted)

gtk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora FEDORA-2005-265 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-268 2005-03-30
Red Hat RHSA-2005:344-01 2005-04-01
Red Hat RHSA-2005:343-01 2005-04-05
Ubuntu USN-108-1 2005-04-05
Mandrake MDKSA-2005:068 2005-04-07
Mandrake MDKSA-2005:069 2005-04-07
SuSE SUSE-SR:2005:010 2005-04-08
Fedora-Legacy FLSA:154272 2005-07-15
Fedora-Legacy FLSA:155510 2005-12-17

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200410-10 2004-10-10
Ubuntu USN-5-1 2004-10-27
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Gentoo 200410-10:02 2004-10-10
Fedora-Legacy FLSA:136323 2006-01-09
Mandriva MDKSA-2006:051 2006-02-28

Comments (1 posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Gentoo 200410-18 2004-10-20
Ubuntu USN-3-1 2004-10-27
Red Hat RHSA-2005:081-01 2005-09-28

Comments (none posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Gentoo 200410-19 2004-10-21
Ubuntu USN-4-1 2004-10-27
Fedora FEDORA-2004-356 2004-11-11
Red Hat RHSA-2004:586-01 2004-12-20
Mandrake MDKSA-2004:159 2004-12-29
Debian DSA-636-1 2005-01-12
Red Hat RHSA-2005:261-01 2005-04-28
Fedora-Legacy FLSA:152848 2005-11-13

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:September 16, 2005
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2005-202 2005-03-09
Fedora FEDORA-2005-203 2005-03-09
Gentoo 200503-21 2005-03-17
Red Hat RHSA-2005:304-01 2005-03-28
Mandrake MDKSA-2005:066 2005-04-01
Gentoo 200504-07 2005-04-08
Mandriva MDKSA-2005:075 2005-04-20
Mandriva MDKSA-2005:074 2005-04-20
Fedora-Legacy FLSA:152919 2005-09-15

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Ubuntu USN-13-1 2004-11-01
Gentoo 200411-15 2004-11-08
Mandriva MDKSA-2006:038 2006-02-08

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
Ubuntu USN-158-1 2005-08-01
Ubuntu USN-161-1 2005-08-04
Fedora-Legacy FLSA:157696 2005-08-10
Fedora-Legacy FLSA:158801 2005-11-14
Mandriva MDKSA-2006:026 2006-01-30
Mandriva MDKSA-2006:027 2006-01-30
OpenPKG OpenPKG-SA-2007.002 2007-01-08

Comments (2 posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Gentoo 200502-16 2005-02-13
Debian DSA-680-1 2005-02-14
Red Hat RHSA-2005:090-01 2005-02-15
Mandrake MDKSA-2005:063 2005-03-31
Fedora-Legacy FLSA:152907 2006-01-09

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Red Hat RHSA-2005:114-01 2005-02-18
Fedora-Legacy FLSA:152912 2005-05-12
Fedora-Legacy FLSA:184074 2006-04-04

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Mandrake MDKSA-2004:089 2004-09-07
Fedora FEDORA-2004-300 2004-09-09
Fedora FEDORA-2004-301 2004-09-09
Gentoo 200409-12 2004-09-08
Red Hat RHSA-2004:465-01 2004-09-15
Debian DSA-548-1 2004-09-16
Debian DSA-552-1 2004-09-22
Conectiva CLA-2004:870 2004-09-28
Debian DSA-548-2 2005-10-26

Comments (none posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Gentoo 200504-11 2005-04-13
Debian DSA-713-1 2005-04-21

Comments (1 posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Mandriva MDKSA-2005:160 2005-09-06
Ubuntu USN-176-1 2005-09-07
Slackware SSA:2005-251-01 2005-09-09
Debian DSA-815-1 2005-09-16
Red Hat RHSA-2006:0582-01 2006-08-10

Comments (none posted)

kdeedu: tempfile handling vulnerabilities

Package(s):kdeedu CVE #(s):CAN-2005-2101
Created:August 15, 2005 Updated:September 22, 2005
Description: Ben Burton notified the KDE security team about several tempfile handling related vulnerabilities in langen2kvtml, a conversion script for kvoctrain. The script must be manually invoked. The script uses known filenames in /tmp which allow an local attacker to overwrite files writeable by the user invoking the conversion script.
Alerts:
Fedora FEDORA-2005-745 2005-08-15
Fedora FEDORA-2005-744 2005-08-16
Mandriva MDKSA-2005:159 2005-09-06
Debian DSA-818-1 2005-09-22

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Fedora FEDORA-2005-594 2005-07-19
Mandriva MDKSA-2005:122 2005-07-20
Ubuntu USN-150-1 2005-07-21
Red Hat RHSA-2005:612-01 2005-07-27
Debian DSA-804-1 2005-09-08
Debian DSA-804-2 2005-11-10
Gentoo 200611-21 2006-11-27

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-2098 CAN-2005-2099 CAN-2005-2456 CAN-2005-2457 CAN-2005-2458 CAN-2005-2459 CAN-2005-2548 CAN-2005-2555
Created:August 19, 2005 Updated:September 19, 2005
Description: David Howells discovered a local Denial of Service vulnerability in the key session joining function. Under certain user-triggerable conditions, a semaphore was not released properly, which caused processes which also attempted to join a key session to hang forever. (CAN-2005-2098)

David Howells discovered a local Denial of Service vulnerability in the keyring allocator. A local attacker could exploit this to crash the kernel by attempting to add a specially crafted invalid keyring. (CAN-2005-2099)

Balazs Scheidler discovered a local Denial of Service vulnerability in the xfrm_compile_policy() function. By calling setsockopt() with an invalid xfrm_user policy message, a local attacker could cause the kernel to write to an array beyond its boundaries, thus causing a kernel crash. (CAN-2005-2456)

Tim Yamin discovered that the driver for compressed ISO file systems did not sufficiently validate the input data. By tricking an user into mounting a malicious CD-ROM with a specially crafted compressed ISO file system, he could cause a kernel crash. (CAN-2005-2457)

It was discovered that the kernel's embedded zlib compression library was still vulnerable to two old vulnerabilities of the standalone zlib library. This library is used by various drivers and can also be used by third party modules, so the impact varies. (CAN-2005-2458, CAN-2005-2459)

Peter Sandstrom discovered a remote Denial of Service vulnerability in the SNMP handler. Certain UDP packages lead to a function call with the wrong argument, which resulted in a crash of the network stack. (CAN-2005-2548)

Herbert Xu discovered that the setsockopt() function was not restricted to privileged users. This allowed a local attacker to bypass intended IPSec policies, set invalid policies to exploit flaws like CAN-2005-2456, or cause a Denial of Service by adding policies until kernel memory is exhausted. Now the call is restricted to processes with the CAP_NET_ADMIN capability. (CAN-2005-2555)

Alerts:
Ubuntu USN-169-1 2005-08-19
Fedora FEDORA-2005-820 2005-08-28
Fedora FEDORA-2005-821 2005-08-28
SuSE SUSE-SA:2005:050 2005-09-01
Trustix TSLSA-2005-0043 2005-08-19
Debian-Testing DTSA-16-1 2005-09-15

Comments (3 posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
SuSE SUSE-SA:2005:018 2005-03-24
Fedora FEDORA-2005-262 2005-03-28
Conectiva CLA-2005:945 2005-03-31
Debian DSA-1067-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1069-1 2006-05-20
Debian DSA-1082-1 2006-05-29

Comments (none posted)

krb5: double-free flaw

Package(s):krb5 CVE #(s):CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created:July 12, 2005 Updated:December 6, 2005
Description: The krb5 authentication has a double-free flaw which may be initiated by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service and an information disclosure may be caused by a malicious telnet server. See This report for more information.
Alerts:
Red Hat RHSA-2005:567-02 2005-07-12
Fedora FEDORA-2005-552 2005-07-12
Red Hat RHSA-2005:562-01 2005-07-12
Fedora FEDORA-2005-553 2005-07-12
Gentoo 200507-11 2005-07-12
SuSE SUSE-SR:2005:017 2005-07-13
Mandriva MDKSA-2005:119 2005-07-13
Trustix TSLSA-2005-0036 2005-07-14
Debian DSA-757-1 2005-07-17
Ubuntu USN-224-1 2005-12-06

Comments (none posted)

libXpm: new buffer overflows

Package(s):libXpm CVE #(s):CAN-2005-0605
Created:March 4, 2005 Updated:March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Gentoo 200503-08 2005-03-04
Ubuntu USN-92-1 2005-03-07
Gentoo 200503-15 2005-03-12
Ubuntu USN-97-1 2005-03-16
Fedora FEDORA-2005-272 2005-03-29
Fedora