| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for October 6, 2005
The broadcast flag returns
The broadcast flag is an attempt to mandate the use of digital restrictions management (DRM) technology with U.S digital television and radio broadcasts. In short, the broadcast flag regulations, as adopted by the Federal Communications Commission, would require that reception equipment honor a "do not copy" bit in a digital signal. The end result is that, among other things, free TV and radio systems would not be allowed, since they would fail the "robustness" requirement in the regulations. Happily, a federal court threw out the broadcast regulation last May, ruling that the FCC was not authorized to regulate what a piece of equipment does with a signal after reception.The return of the broadcast flag was inevitable; the commercial interests behind this sort of regulation never give up that easily - or at all. Even so, the return of the broadcast flag has been surprisingly quick. Twenty U.S. members of Congress are now pushing for legislation which would give the FCC the regulatory authority it currently lacks. Susan Crawford has posted the proposed language:
This language is quite broad - the FCC would be empowered to regulate "digital networks" in whatever ways it sees fit to keep the entertainment industry happy. It does not take much imagination to foresee heavy-handed rules which are not particularly friendly to free software. This legislation needs to be defeated; BoingBoing has a list of offending "congressjerks" and their contact information. We don't doubt that they would be delighted to hear from their constituents on this matter.
The broadcast flag looks like a U.S. problem, but the situation in Europe is similar. The EFF has just posted a report on the activities of the Digital Video Broadcasting project, a body which sets television standards for use in Europe, Australia, and even parts of Asia. The upcoming DVB standard contains some familiar provisions:
The CPCM includes provisions for "proximity control" and such, regulating just how far a digital signal can be propagated. It includes a revocation feature allowing existing hardware to be disabled should the industry conclude that it has been compromised. The inevitable "robustness requirement" will make it impossible to create digital television systems with free software. The CPCM, in other words, is the broadcast flag, only worse.
A broadcast flag for Europe is not inevitable. The process which CPCM will have to follow is long: it must be adopted as a European telecommunications standard, then mandated by law in each nation. There is plenty of warning, and no end of good reasons to fight back. With effort - and luck - our ability to create free television systems can be preserved on both sides of the Atlantic.
The Battle for Wesnoth hits 1.0
At linux.conf.au 2005 in Canberra, kernel hacker Rusty Russell was heard to voice a complaint. It seems that he had discovered The Battle for Wesnoth, and his productivity had suffered ever since. He mentioned it again some months later in Ottawa, so one presumes that the problem had not yet gone away. Rusty is![[Wesnoth screenshot]](/images/ns/wesnoth.png)
not the only developer who has been afflicted by the Wesnoth disease over
the last year. If the pace of free software development appears to have
slowed recently, Wesnoth may well be to blame.
Battle for Wesnoth 1.0 was released on October 2. Your editor, being a serious type, does not normally see fit to play computer games (those past episodes with DND, rogue, empire, netrek, nethack, etc. were just aberrations, honest). But a 1.0 release of a popular, GPL-licensed game calls out for investigation; journalistic ethics require it. So your editor pulled down the new release and checked it out. For a while. In fact, the LWN Weekly Edition almost did not happen this week, and it's all Wesnoth's fault.
Wesnoth is a two-dimensional swords, sorcery, and strategy game. In its most basic form, the player must lead an army of elvish fighters against the enemy (played by the computer), occupy villages, rape, pillage, and wipe out the opposing leader. There is a variety of different character types with different capabilities, and characters grow with experience. The game includes a tutorial which makes getting started easy. There is also a pleasant set of musical tracks and (sometimes less pleasant) sound effects that go with the game. Your editor did not know, previously, that ghosts would grunt when struck.
![[Editor screenshot]](/images/ns/wesnoth-editor-sm.png)
The game was designed to be extended. An editor packaged with Wesnoth (and
which is fun to work with in its own right)
makes it easy to design battlefields, and tools are available for the
creation of complete games. Many "campaigns" designed by users are
hosted on the central Wesnoth server; they are easily downloaded
from within the game and played. Wesnoth also offers multi-player operation.
It has often been said that gaming is one area where free software will never come close to the proprietary competition. The high expense and hit-oriented nature of the commercial game industry simply sets the bar too high. And, in fact, Wesnoth is still a far cry from commercial battle games available for proprietary platforms. The turn-oriented play, relatively simple animation, and hexagonal-grid landscape all look primitive compared to a high-budget commercial game.
But the gap is closing. Wesnoth as a game is engaging, challenging, and visually and aurally pleasing. Wesnoth may not be able to compete with the latest commercial blockbuster, but it does demonstrate that the free software community is getting better at creating games. In this area, as with many others, our reach is increasing.
There is another important aspect to Wesnoth's success which was also pointed out by Rusty. There is plenty of good programming in Wesnoth, but it doesn't stop there. Somebody has spent quite a bit of time designing graphics and animated effects. Others have contributed music which one is tempted to leave playing even after one has been crushed by the opposition and seen one's castles go up in flames. As free software develops, there will be more need for people who can make these kinds of contributions. Wesnoth has set an example - applicable to a much wider range of development projects - on how non-code contributors can be welcomed. For that, if nothing else, the Wesnoth 1.0 release deserves hearty congratulations.
Now your editor must go off and retry The Eastern Invasion one more time...
Page editor: Jonathan Corbet
Security
Complete coverage in Linux security modules
The Linux Security Module (LSM) framework is intended to allow security modules to lock down a system by inserting checks whenever the kernel is about to do something interesting. A security module hooks into those check points and, for each operation, convinces itself that the operation is allowed by the security policy currently in force. This approach can work well if checks have been placed in all of the relevant locations. A missing check could open a door allowing a user-space process to do something which the site's policy would disallow.Kostik Belousov recently noticed this sort of problem in the 2.6 kernel: it seems that the readv() and writev() system calls ran without calling the associated LSM hook. The missing check means that a process which uses these calls (rather than read() or write()) could perform file I/O which was not subject to oversight by any security modules currently loaded in the system. The practical effect of this vulnerability is minimal: any security module worth its bits will have done its access checks when the file is opened, so the ability to do unchecked reads and writes should not open any gaping holes in the system.
The more important point is how easily this sort of opening can come about. When the security modules patch was originally merged into the kernel, it included checks on readv() and writev(). But those system calls were later rewritten, and the LSM hooks fell by the wayside. This change apparently happened around 2.5.47, but it only came to light now.
Most kernel developers are only peripherally aware of the LSM system. Very few of them know how to code an LSM call, and the rules for the insertion of LSM checks are not particularly well documented. Code which is missing an LSM call still appears to work just fine in normal testing and use. The end result of all this is that it is trivially easy to omit an important check, or to delete one by accident. Such mistakes can then go unnoticed for years.
Anybody who depends on a Linux security module (such as SELinux) is depending on comprehensive checking within the kernel. But, as has been demonstrated here, it is hard to feel sure that the LSM checks are, indeed comprehensive. There are many code paths through the kernel. When a relatively simple system call can go unprotected for so long, how secure do we feel about the more complex paths? It would seem that a thorough audit is called for. An automated audit might even be better; it may well be possible to adapt a tool like sparse to detect unchecked paths through the kernel. Some work in this area could do a lot to increase the level of trust which can be placed in LSM-based modules.
New vulnerabilities
abiword: buffer overflow
| Package(s): | abiword | CVE #(s): | CAN-2005-2964 | ||||||||||||||||||
| Created: | September 29, 2005 | Updated: | November 14, 2005 | ||||||||||||||||||
| Description: | The RTF import module of the AbiWord word processor has a buffer overflow vulnerability. A user can be tricked into opening a maliciously crafted RTF file, giving the attacker the ability to execute code with the permissions of the user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apachetop: insecure temporary file
| Package(s): | apachetop | CVE #(s): | CAN-2005-2660 | |||
| Created: | October 4, 2005 | Updated: | October 5, 2005 | |||
| Description: | Eric Romang discovered an insecurely created temporary file in apachetop, a realtime monitoring tool for the Apache webserver that could be exploited with a symlink attack to overwrite arbitrary files with the user id that runs apachetop. | |||||
| Alerts: |
| |||||
arc: temporary file vulnerabilities
| Package(s): | arc | CVE #(s): | CAN-2005-2945 CAN-2005-2992 | |||
| Created: | October 5, 2005 | Updated: | October 5, 2005 | |||
| Description: | The arc archiver program suffers from two independent temporary file vulnerabilities. | |||||
| Alerts: |
| |||||
backupninja: insecure temporary file
| Package(s): | backupninja | CVE #(s): | ||||
| Created: | September 30, 2005 | Updated: | October 5, 2005 | |||
| Description: | Moritz Muehlenhoff discovered the handler code for backupninja creates a temporary file with a predictable filename, leaving it vulnerable to a symlink attack. | |||||
| Alerts: |
| |||||
Berkeley MPEG Tools: multiple insecure temporary files
| Package(s): | mpeg-tools | CVE #(s): | CAN-2005-3115 | |||
| Created: | October 3, 2005 | Updated: | October 5, 2005 | |||
| Description: | Mike Frysinger of the Gentoo Security Team discovered that mpeg_encode and the conversion utilities were creating temporary files with predictable or fixed filenames. The 'test' make target of the MPEG Tools also relied on several temporary files created insecurely. | |||||
| Alerts: |
| |||||
cfengine: insecure temporary files
| Package(s): | cfengine | CVE #(s): | CAN-2005-2960 | ||||||||||||
| Created: | October 3, 2005 | Updated: | October 14, 2005 | ||||||||||||
| Description: | Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine, which is probably root. | ||||||||||||||
| Alerts: |
| ||||||||||||||
dia: missing input sanitizing
| Package(s): | dia | CVE #(s): | CAN-2005-2966 | ||||||||||||||||||
| Created: | October 4, 2005 | Updated: | April 6, 2006 | ||||||||||||||||||
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gopher: buffer overflows
| Package(s): | gopher | CVE #(s): | CAN-2005-2772 | |||
| Created: | September 30, 2005 | Updated: | October 5, 2005 | |||
| Description: | Several buffer overflows have been discovered in gopher, a text-oriented client for the Gopher Distributed Hypertext protocol, that can be exploited by a malicious Gopher server. | |||||
| Alerts: |
| |||||
gtkdiskfree: insecure temp file
| Package(s): | gtkdiskfree | CVE #(s): | CAN-2005-2918 | ||||||
| Created: | September 29, 2005 | Updated: | October 5, 2005 | ||||||
| Description: | The gtkdiskfree utility creates temporary files in an insecure manner. | ||||||||
| Alerts: |
| ||||||||
Hylafax: insecure temporary file creation in xferfaxstats
| Package(s): | hylafax | CVE #(s): | CAN-2005-3069 | |||||||||
| Created: | September 30, 2005 | Updated: | October 13, 2005 | |||||||||
| Description: | Javier Fernandez-Sanguino has discovered that xferfaxstats cron script supplied by Hylafax < 4.2.2 insecurely creates temporary files with predictable filenames. | |||||||||||
| Alerts: |
| |||||||||||
mod-auth-shadow: authorization bypass
| Package(s): | mod-auth-shadow | CVE #(s): | CAN-2005-2963 | ||||||
| Created: | October 5, 2005 | Updated: | October 27, 2005 | ||||||
| Description: | The apache mod-auth-shadow module can, incorrectly, override other authorization mechanisms, allowing access which would otherwise be denied. | ||||||||
| Alerts: |
| ||||||||
ntlmaps: wrong permissions
| Package(s): | ntlmaps | CVE #(s): | CAN-2005-2962 | |||
| Created: | September 30, 2005 | Updated: | October 5, 2005 | |||
| Description: | Drew Parsons noticed that the post-installation script of ntlmaps, an NTLM authorization proxy server, changes the permissions of the configuration file to be world-readable. It contains the user name and password of the Windows NT system that ntlmaps connects to and, hence, leaks them to local users. | |||||
| Alerts: |
| |||||
prozilla: arbitrary code execution
| Package(s): | prozilla | CVE #(s): | CAN-2005-2961 | |||
| Created: | October 3, 2005 | Updated: | October 5, 2005 | |||
| Description: | Tavis Ormandy discovered a buffer overflow in prozilla, a multi-threaded download accelerator, which may be exploited to execute arbitrary code. | |||||
| Alerts: |
| |||||
squid: authentication handling
| Package(s): | squid | CVE #(s): | CAN-2005-2917 | ||||||||||||||||||
| Created: | September 30, 2005 | Updated: | March 15, 2006 | ||||||||||||||||||
| Description: | Upstream developers of squid, the popular WWW proxy cache, have discovered that changes in the authentication scheme are not handled properly when given certain request sequences while NTLM authentication is in place, which may cause the daemon to restart. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
texinfo: temporary file vulnerability
| Package(s): | texinfo | CVE #(s): | CAN-2005-3011 | ||||||||||||||||||
| Created: | October 5, 2005 | Updated: | November 9, 2006 | ||||||||||||||||||
| Description: | Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
uim: privilege escalation
| Package(s): | uim | CVE #(s): | CVE-2005-3149 | ||||||||||||
| Created: | October 4, 2005 | Updated: | December 7, 2005 | ||||||||||||
| Description: | Masanari Yamamoto discovered that Uim uses environment variables incorrectly. This bug causes a privilege escalation if setuid/setgid applications are linked to libuim. This bug only affects immodule-enabled Qt (if you build Qt 3.3.2 or later versions with USE="immqt" or USE="immqt-bc"). | ||||||||||||||
| Alerts: |
| ||||||||||||||
unzip: race condition
| Package(s): | unzip | CVE #(s): | CAN-2005-2475 | |||||||||||||||
| Created: | September 29, 2005 | Updated: | January 12, 2006 | |||||||||||||||
| Description: | Unzip has a race condition vulnerability in the handling of output files. During file unpacking, a local attacker can modify the permissions of arbitrary files in the victim's directory. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Updated vulnerabilities
HelixPlayer: arbitrary code execution
| Package(s): | HelixPlayer | CVE #(s): | CAN-2005-2710 | |||||||||||||||||||||
| Created: | September 27, 2005 | Updated: | October 10, 2005 | |||||||||||||||||||||
| Description: | A format string bug was discovered in the way HelixPlayer processes RealPix (.rp) files. It is possible for a malformed RealPix file to execute arbitrary code as the user running HelixPlayer. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play | CVE #(s): | CAN-2005-2875 | |||||||||
| Created: | September 19, 2005 | Updated: | September 6, 2006 | |||||||||
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. | |||||||||||
| Alerts: |
| |||||||||||
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 | ||||||||||||||||||
| Created: | November 26, 2004 | Updated: | December 19, 2005 | ||||||||||||||||||
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache information disclosure if modssl=yes
| Package(s): | apache | CVE #(s): | CAN-2005-2700 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | September 2, 2005 | Updated: | November 10, 2005 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd | CVE #(s): | CAN-2005-1268 CAN-2005-2088 | |||||||||||||||||||||||||||||||||||||||
| Created: | July 25, 2005 | Updated: | November 7, 2005 | |||||||||||||||||||||||||||||||||||||||
| Description: | Watchfire reported a flaw that occurred when using the Apache server as an
HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL). | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
awstats: command injection vulnerability
| Package(s): | awstats | CVE #(s): | CAN-2005-1527 | |||||||||
| Created: | August 11, 2005 | Updated: | November 10, 2005 | |||||||||
| Description: | AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server. | |||||||||||
| Alerts: |
| |||||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CAN-2005-2919 CAN-2005-2920 | ||||||||||||||||||
| Created: | September 19, 2005 | Updated: | September 29, 2005 | ||||||||||||||||||
| Description: | The release notes for ClamAV 0.87 note that this version fixes vulnerabilities in the handling of UPX and FSG compressed executables. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
common-lisp-controller: design error
| Package(s): | common-lisp-controller | CVE #(s): | CAN-2005-2657 | ||||||
| Created: | September 14, 2005 | Updated: | November 21, 2005 | ||||||
| Description: | François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before. | ||||||||
| Alerts: |
| ||||||||
courier: missing input sanitizing
| Package(s): | courier | CVE #(s): | CAN-2005-2820 | ||||||
| Created: | September 26, 2005 | Updated: | October 11, 2005 | ||||||
| Description: | Jakob Balle discovered that with "Conditional Comments" in Internet Explorer it is possible to hide javascript code in comments that will be executed when the browser views a malicious email via sqwebmail. Successful exploitation requires that the user is using Internet Explorer. | ||||||||
| Alerts: |
| ||||||||
cpio: directory traversal
| Package(s): | cpio | CVE #(s): | CAN-2005-1111 | |||||||||||||||||||||||||||
| Created: | June 20, 2005 | Updated: | December 26, 2005 | |||||||||||||||||||||||||||
| Description: | There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CAN-2005-2874 | ||||||
| Created: | September 22, 2005 | Updated: | September 28, 2005 | ||||||
| Description: | CUPS has a vulnerability that can be triggered by processing corrupted HTTP requests. A remote user can use this to cause a denial of service. | ||||||||
| Alerts: |
| ||||||||
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 | |||||||||||||||||||||||||||
| Created: | February 23, 2005 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
elm: buffer overflow
| Package(s): | elm | CVE #(s): | CAN-2005-2665 | ||||||
| Created: | August 23, 2005 | Updated: | November 10, 2005 | ||||||
| Description: | A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it. | ||||||||
| Alerts: |
| ||||||||
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 7, 2005 | Updated: | May 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
ethereal: dissector vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2005-2365 CAN-2005-2367 CAN-2005-2360 CAN-2005-2361 CAN-2005-2362 CAN-2005-2363 CAN-2005-2364 CAN-2005-2366 | ||||||||||||||||||
| Created: | July 28, 2005 | Updated: | October 10, 2005 | ||||||||||||||||||
| Description: | The ethereal network traffic analyzer has several vulnerabilities, involving traffic dissectors. Dissectors have buffer overflows, format string overflows, and crashing/denial of service issues. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
evolution: format string issues
| Package(s): | evolution | CVE #(s): | CAN-2005-2549 CAN-2005-2550 | |||||||||||||||||||||
| Created: | August 15, 2005 | Updated: | March 23, 2006 | |||||||||||||||||||||
| Description: | Evolution has format string issues. SITIC advisory SA05-001 contains more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 22, 2005 | Updated: | February 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gaim: buffer overflow
| Package(s): | gaim | CVE #(s): | CAN-2005-2103 | ||||||||||||||||||||||||
| Created: | August 10, 2005 | Updated: | February 27, 2006 | ||||||||||||||||||||||||
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 20, 2005 | Updated: | August 11, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2005-0891 | ||||||||||||||||||||||||||||||||||||
| Created: | March 30, 2005 | Updated: | December 19, 2005 | ||||||||||||||||||||||||||||||||||||
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ghostscript: symlink vulnerabilities
| Package(s): | ghostscript | CVE #(s): | CAN-2004-0967 | |||||||||
| Created: | October 20, 2004 | Updated: | September 28, 2005 | |||||||||
| Description: | The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks. | |||||||||||
| Alerts: |
| |||||||||||
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 | ||||||||||||||||||||||||
| Created: | October 21, 2004 | Updated: | November 14, 2005 | ||||||||||||||||||||||||
| Description: | The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 | |||||||||||||||||||||
| Created: | August 1, 2005 | Updated: | January 9, 2007 | |||||||||||||||||||||
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
htdig: cross site scripting
| Package(s): | htdig | CVE #(s): | CAN-2005-0085 | |||||||||||||||
| Created: | February 14, 2005 | Updated: | January 10, 2006 | |||||||||||||||
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 | |||||||||
| Created: | February 18, 2005 | Updated: | April 9, 2006 | |||||||||
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. | |||||||||||
| Alerts: |
| |||||||||||
imlib2: buffer overflows
| Package(s): | imlib2 | CVE #(s): | CAN-2004-0802 CAN-2004-0817 | |||||||||||||||||||||||||||
| Created: | September 8, 2004 | Updated: | October 26, 2005 | |||||||||||||||||||||||||||
| Description: | The imlib2 library contains buffer overflows in the BMP handling code. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster | CVE #(s): | CVE-2005-1108 CVE-2005-1109 | ||||||
| Created: | April 13, 2005 | Updated: | November 5, 2005 | ||||||
| Description: | JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. | ||||||||
| Alerts: |
| ||||||||
kdebase: local root vulnerability
| Package(s): | kdebase | CVE #(s): | CAN-2005-2494 | |||||||||||||||
| Created: | September 7, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 | Updated: | November 27, 2006 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See | ||