Ubuntu and Debian look forward
The Ubuntu 5.10 release is out, and the initial reviews are good. The
Ubuntu team, however, is not taking time out to drink beer and relax before
pondering its next release. Well, OK, maybe they are taking a little
time. But, when the hangovers wear off, they are still putting some
thought into their next release, which will break some new ground.
Meanwhile, the Debian Project is looking forward to its next release as
well. In both cases, the planning process gives us a hint of what to
expect from these distributions in the near future.
Ubuntu's approach has been to crank out a distribution every six months,
integrating a great deal of bleeding-edge software each time. This process
has been through three cycles now, with obvious success. The next release
(6.04, or "Dapper Drake") will be different, however: Ubuntu has stated
that 6.04 will be supported for three years on desktops, and five years on
server systems. That is quite a promise for such a young company to make,
but, if Ubuntu can live up to it, the popularity of this distribution could
grow. Thus far, five-year support has come with a hefty price tag; the
prospect of free updates from Ubuntu for that long could make a number of
companies wonder just what they are paying for. The fact that Ubuntu's
security response time tends to be excellent can only help in that regard.
All this depends on Ubuntu being able to make a credible promise of
long-term support. This week, Ubuntu's Jeff Waugh took some steps in that
direction with these thoughts on the Dapper
release process. If this proposal becomes policy,
Dapper will, indeed, be a different
sort of release.
The core of the proposed Dapper process is this: the upstream version freeze which
was imposed for the 5.10 release will remain in place. Essentially, the
distribution will be frozen for the next six months, with the bulk of
development effort going into ensuring that it is the most stable,
supportable release possible. Another way of looking at it is that all of
those users happily downloading the Breezy release now get to be the beta
testers for 6.04. This is a major change for Ubuntu, but, as Jeff put it:
We can't just follow the same release process and expect to be able
to ship a long term supportable system. 6.04 will be different, so
we need to think about it differently.
Of course, too much stability would be contrary to the Ubuntu spirit, so
the developers are leaving themselves a bit of room to toss in some newer
packages. So 6.04 will have a few, small upgrades, including:
- GNOME 2.14 (and whatever is the current KDE)
- Firefox 1.5
- The modular X.org 7 release
- OpenOffice.org 2.0
- A newer kernel, probably 2.6.14
The list of exceptions is expected to be discussed at the upcoming UbuntuBelowZero
gathering. The picture coming into focus now suggests that 6.04 will
include some major upgrades, but much of the infrastructural code,
especially that used on server systems, will remain at the version shipped
with 5.10.
The Debian Project got its Sarge release out the door last June. By normal
Debian timelines, it is thus quite early to be thinking about pulling
things together for another release. Instead, Debian developers should be
busily testing the patience of sid users by filling it with unstable,
incompatible, major package updates. Well, the developers have indeed been
on top of that task, but release manager Steve Langasek is trying to ruin
the fun with this plan for the next Debian
release, called "etch."
That release will be put together by Steve, along with new co-release
manager Andreas Barth. They have a timeline, which involves a toolchain
freeze at the end of next July, a general freeze in October 2006, and the
etch release is planned, with great precision, for December 4, 2006.
July seems like a distant prospect, but Steve notes that
this deadline does not leave a whole lot of time for big changes:
What's not spelled out in the above timeline is that this basically
leaves people until around the end of the year to implement any
dastardly plans they have that require sweeping changes to the
archive, followed by another half a year of comparatively minor
changes (you know, the kind that *don't* render half the libraries
RC-buggy in a single upload...)
If this timeline holds, we should see the shape of the etch release by the
beginning of next year. Looking at the current plan, it seems that etch
will have made the switch to gcc 4.0 and (finally) X.org. Another
long-delayed advance will be support for the amd64 architecture as an
official Debian port. Then there is the crucial business of purging
the distribution of non-free documentation, and non-free firmware as
well. Tasks on the wishlist include full SELinux support, a default UTF-8
locale, multiarch support, and more.
The following eleven months of stabilization seem glacial by Ubuntu
standards, but it is an optimistic timeline for Debian. One interesting
change that the project is considering is to continue to allow
non-maintainer updates to all packages throughout the etch cycle. Debian
developers have historically been the lords of their particular bits of
package turf, so non-maintainer updates have always been a sensitive
issue. The release managers believe, however, that non-maintainer updates
speed the release process - and make Debian a better distribution as well.
Both distributions have a lot to gain if they can make their plans stick.
Ubuntu will have produced a stable distribution which it can credibly
promise to support for five years, all while keeping its six-month release
cycle. Debian, meanwhile, will be able to get a stable distribution out in
a timely manner without compromising its high quality standards. In both
cases, the end result can only be good for Linux users.
[Update: Ubuntu patron Mark Shuttleworth has posted his position on freezing for 6.04; he is
inclined to be more permissive - for a while at least - on what gets into
that release.]
Europatents to return in 2006?
One problem with governments is that, unsurprisingly, powerful interests
try to direct governmental power toward their own ends. Those who
would fight power grabs quickly learn a hard lesson: those pushing for more
power usually need only win once, while those who oppose them must win over
and over again. This dynamic can be seen, for example, in the current
broadcast flag debate in the U.S. This flag has already been defeated
once, but nobody doubts that it will return, perhaps repeatedly.
In Europe, the debate on software patents is likely to go the same way.
Those who have a substantial amount to gain if software patents are adopted
throughout the EU are unlikely to simply give up just because they lost the
battle last July. So software patents in Europe will almost certainly be
back. Now it is starting to look like the vehicle for the next attempt to
impose software patents might be a process called the "Community Lisbon
Programme."
This program is part of an effort to improve the health of European
economies by making the EU as a whole more efficient and competitive. It
is a large undertaking touching on many areas, including regulation, internal
markets, environmental issues, global trade agreements and more. Deep
within a
recently-released document [PDF] on the implementation of the program
is a section on intellectual property rights ("IPR"). It reads, in part:
Companies and their clients need IPR which stimulates innovation,
provides a stable context in which to make investment decisions,
and encourages the development of efficient new business
models. The debate engendered by the proposed directive on the
patentability of computer-implemented inventions has demonstrated
that framing IPR rules which balance the needs of all stakeholders
is by no means easy. The Commission will therefore launch a
dialogue with industry and other interested parties in 2006 to
determine what more might usefully be done to provide European
industry with a sound IPR framework.
It is not hard to imagine that the result of this process could be a
renewed directive establishing software patents in Europe. This time,
however, it could be buried within a much larger chunk of EU-level
industrial policy legislation, and, thus, harder to defeat.
Clearly, the free software community needs to be among the "other
interested parties" participating in this process. We have many thoughts
on what makes up a "sound IPR framework," and they should be heard early
on. In the later stages of this program, when it truly comes into public
view, it will be too late to effect changes on issues like patents.
Bob Young leaves Red Hat
Back in 1993, Bob Young created a company called "ACC Corporation," which,
among other things, dealt in early Linux distributions. In 1995, ACC
acquired Marc Ewing's Red Hat Linux distribution; the combined company was
then named Red Hat software. Over the coming years, Red Hat would
transform the Linux business environment, become the first Linux-related
company to obtain big-name venture capital, and the first to go public.
Regardless of how one feels about the company or its distribution, it is
hard to deny that Red Hat has had a big influence on the Linux community as
a whole.
On October 18, Red Hat announced
that Bob Young had resigned from the company's board of directors, with the
intent of spending more time on his other endeavor: Lulu.com. Bob's role in the company had been
shrinking for years; he had not been involved in day-to-day management for
some time. Still, when one thinks of the names involved with the early Red
Hat (Marc Ewing, Donnie Barnes, Michael Johnson, Eric Troan, ...), it
becomes clear that they have all moved on. Bob was the last of the crowd
which helped to set new standards for Linux distributions and showed that
it was possible to build a business around Linux.
Bob's vision was not always perfect - remember that Red Hat went public
with a business plan
stating that its Internet portal was the key to its future
profitability. Still, he clearly got some things right. Seeking an
example of how he saw things in the early days, your editor spent some time
digging through his mailbox. What turned up was this message on how Red Hat chose Linux over
BSD, sent to the free software business mailing list back in 1998. It
makes an interesting read:
When we launched Red Hat Software, Inc, we planned to sell an
operating system. It doesn't take a rocket scientist to recognize
that being in the OS business meant that we were competing with
Microsoft.
While our ambitions at the outset were quite limited, we can drink
as much beer as anyone, and on those occasions when our natural
intelligence was at its most limited, we'd speculate on what
Microsoft's reaction would be when we became a real threat.
They concluded that a GPL-licensed system would not be as vulnerable to the
famous "embrace and extend" strategy as a system covered by the BSD
license. Were it not for the licensing issue (and a couple of others,
mentioned in the message) and adequate supplies of beer, Bob and Marc might
just have gone into business with "Red Hat BSD."
Bob has been well rewarded for his role in the creation of Red Hat - he
still owns about 5% of the company, according to the proxy information sent
out for last August's board election. Still, it is worth a moment to say
"thanks, Bob." Linux would certainly have succeeded without Red Hat, but
it would have been a different, and possibly slower, path to success.
Page editor: Jonathan Corbet
Security
A survey of recent kernel vulnerabilities
There has been a fairly long list of kernel vulnerabilities over the last
few months, but few of them have received much serious attention (outside
of the security groups at numerous distributors, who have been duly issuing
patches as the issues come up). Here's a selection of recent problems.
| CVE | Fixed in | Description |
|---|---|---|
| CAN-2005-2098 | 2.6.12.5, 2.6.13 | The session keyring code had an error path which could fail to release the session management semaphore. As a result, any local user could cause processes to hang. |
| CAN-2005-2099 | 2.6.12.5, 2.6.13 | A keyring which failed to instantiate correctly could leave behind a NULL pointer which would subsequently be dereferenced by the kernel, causing an oops. |
| CAN-2005-1761 | 2.6.12.1 | A ptrace() bug on the ia64 architecture enables local denial of service attacks. |
| CAN-2005-1913 | 2.6.12.1 | The subthread exec code did not properly reparent timers, leading to an oops caused by a local user when signals are delivered to the wrong thread. |
| CAN-2005-2456 | 2.6.13 | The XFRM policy parser had an array overflow, enabling denial of service attacks by local users. |
| CAN-2005-2457 | 2.6.13 | Mounting a malicious compressed ISO filesystem could lead to a kernel oops. |
| CAN-2005-2458, CAN-2005-2459 | 2.6.13 | Two zlib vulnerabilities which can be used to oops the kernel and create denial of service attacks. |
| CAN-2005-2490 | 2.6.13.1 | A race condition with user space allows a local attacker to change the contents of a message passed to the 32-bit version of sendmsg() on 64-bit architectures. The result is a locally exploitable buffer overflow. |
| CAN-2005-2492 | 2.6.13.1 | An unchecked user-space dereference in sendmsg() can be exploited to oops the system. |
| CAN-2005-2548 | 2.6.9 | A hostile UDP packet could cause the 8021Q VLAN code to oops, leading to remote denial of service attacks. |
| CAN-2005-2555 | 2.6.13 | The kernel failed to restrict kernel socket policy loading to administrative users. |
| CAN-2005-3044 | 2.6.13.2 | The 32-bit ioctl() handler on x86-64 was missing an fput() call. This error could be exploited by a local attacker to corrupt kernel data structures. |
| CAN-2005-3053 | 2.6.13 | The set_mempolicy() system call, used to tweak memory behavior on NUMA systems, did not properly check the policy argument. A local attacker could cause a kernel oops by supplying a negative value. |
| CAN-2005-3106 | 2.6.11 | A race condition between core dumps and exec() could enable a local attacker to deadlock the system. |
| CAN-2005-3107 | 2.6.11 | Another local deadlock related to core dumps and ptrace(). |
| CAN-2005-3108 | 2.6.11 | The right sort of I/O mapping could create information leaks and kernel oopses on the x86-64 platform. It is hard to see how this one could be exploited by an unprivileged user. |
| CAN-2005-3109 | 2.6.11 | A maliciously created HFS filesystem could oops the kernel, if the system was configured to allow users to mount such filesystems. |
| CAN-2005-3110 | 2.6.12 | A race condition in the netfilter ebtables module can cause a kernel oops on SMP systems. |
| CAN-2005-3119 | 2.6.13.4 | A memory leak in the key request code could be used in denial of service attacks. |
| CAN-2005-3180 | 2.6.13.4 | The orinoco driver can leak information onto the net. |
| CAN-2005-3181 | 2.6.13.4 | A memory leak in the audit code can be used for denial of service attacks. |
That is a long list of vulnerabilities. The fact that almost all of them
are "only" denial of service problems, and that only one of those is truly
remotely exploitable, is of limited consolation.
One may well wonder why the kernel is the source of so many security holes,
far more than any other package on the system. The complexity of the
kernel and the environment in which it runs, the fact that many
often-harmless bugs (such as memory leaks) turn into security issues for
the kernel, and the high level of auditing which is done on kernel code are
all part of the answer to that question. Unfortunately, the flow of
security issues in the kernel is unlikely to stop anytime soon.
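The CAN-2005-2490 entry in the table above is the classic "double fetch": the kernel validates a length read from user memory, then reads the same field from user memory again when it does the copy, and a second thread changes the value in between. The following is an added example, not kernel code and not part of this article: a user-space C model of that pattern beside the fix. `struct user_msg`, `fetch_user()` (a stand-in for copy_from_user()) and the `grow_len()` callback that plays the racing thread are all this example's own assumptions.

```c
/* Added example (not from the LWN article or the kernel): a user-space
 * model of the double-fetch race behind CAN-2005-2490. "User memory" is a
 * struct the caller controls; a mutation callback stands in for the second
 * thread that races the system call. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 64

/* Hypothetical compat message header living in user memory. */
struct user_msg {
    uint32_t len;           /* length claimed by user space */
    char     data[256];
};

typedef void (*race_fn)(struct user_msg *um);

/* Model of copy_from_user(): returns 0 on success. In the kernel, the
 * race window is the gap between two such copies of the same field. */
static int fetch_user(void *dst, const void *src, size_t n) {
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable pattern: validate len from user memory, then re-read it from
 * user memory for the copy. Returns bytes copied, -1 if the check rejected
 * the message, -2 if the kernel buffer would have been overrun (a real
 * handler would memcpy len bytes here; the demo refuses instead). */
static int handle_vuln(struct user_msg *um, race_fn race) {
    uint32_t len;
    char kbuf[KBUF_SIZE];
    fetch_user(&len, &um->len, sizeof len);   /* fetch #1: the check */
    if (len > KBUF_SIZE) return -1;
    if (race) race(um);                       /* attacker flips um->len here */
    fetch_user(&len, &um->len, sizeof len);   /* fetch #2: the use */
    if (len > KBUF_SIZE) return -2;
    memcpy(kbuf, um->data, len);
    return (int)len;
}

/* Fixed pattern: copy the user-controlled field once into a kernel-owned
 * copy and use only that copy for both the check and the copy length. */
static int handle_fixed(struct user_msg *um, race_fn race) {
    struct user_msg km;   /* kernel copy */
    char kbuf[KBUF_SIZE];
    fetch_user(&km.len, &um->len, sizeof km.len);
    if (km.len > KBUF_SIZE) return -1;
    if (race) race(um);                       /* too late: um->len is never consulted again */
    fetch_user(km.data, um->data, km.len);    /* bounded by the checked kernel copy */
    memcpy(kbuf, km.data, km.len);
    return (int)km.len;
}

/* Racing thread stand-in: grows the length after the check has passed. */
static void grow_len(struct user_msg *um) { um->len = 4096; }

int main(void) {
    struct user_msg um = { .len = 16 };
    memset(um.data, 'A', sizeof um.data);
    printf("no race:   vuln=%d fixed=%d\n",
           handle_vuln(&um, NULL), handle_fixed(&um, NULL));
    um.len = 16;
    int v = handle_vuln(&um, grow_len);
    um.len = 16;
    int f = handle_fixed(&um, grow_len);
    printf("with race: vuln=%d fixed=%d\n", v, f);
    return 0;
}
```

The fix is not "check harder"; it is to stop consulting user memory after the check. Every later use has to go through the kernel-side copy, which is also why the real patches for this class of bug tend to be small.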
EFF decodes color printer watermarks
It has been known for some time that high-resolution color printers added
codes to their output which would enable that output to be traced. The EFF
has now
found and decoded those marks for a
number of popular printers. It turns out that the scheme used is fairly
simple - an unencrypted code which includes the printing time and the
serial number of the printer. See
the EFF's printer
list to see if your printer encodes this information, and
this page to
learn how to find and decode the markings.
The moral of the story is clear: if we do not control our devices, they
will not work in our interests. There are plenty of good reasons for
wanting to be able to print anonymously, and there is no doubt that this
sort of watermarking can be used for the suppression of dissent and the
shutting down of whistle-blowers. Thanks to the EFF, we can at least see
this particular bit of technological ratware. But, as the EFF says:
"Even worse, it shows how the government and private industry make
backroom deals to weaken our privacy by compromising everyday equipment
like printers. The logical next question is: what other deals have been or
are being made to ensure that our technology rats on us?"
Security news
CERT advisory: Snort Back Orifice buffer overflow
If you are running the Snort intrusion detection system with the "Back
Orifice" preprocessor enabled, you want to read the advisory. The
preprocessor suffers from a buffer overflow which can be exploited by any
remote attacker who can get a UDP packet onto a network that Snort is
monitoring. The hole can be closed by upgrading to Snort 2.4.3, or by
disabling the Back Orifice preprocessor.
New vulnerabilities
curl/wget: NTLM username buffer overflow
Package(s): curl wget
CVE #(s): CAN-2005-3185
Created: October 14, 2005
Updated: November 7, 2005
Description: A vulnerability in libcurl's NTLM function can overflow a stack-based buffer if given too long a user name or domain name. This happens when NTLM authentication is enabled and the application either a) passes a user and domain name to libcurl that together are longer than 192 bytes, or b) allows (lib)curl to follow HTTP redirects and the new URL contains a user and domain name that together are longer than 192 bytes. See the iDEFENSE Labs advisory for more details.
lynx: stack overflow
Package(s): lynx
CVE #(s): CAN-2005-3120
Created: October 17, 2005
Updated: November 7, 2005
Description: Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx.
netpbm: buffer overflow in "pnmtopng"
Package(s): netpbm-free
CVE #(s): CAN-2005-2978
Created: October 18, 2005
Updated: October 28, 2005
Description: A buffer overflow was found in the "pnmtopng" conversion program. By tricking a user (or an automated system) into processing a specially crafted PNM image with pnmtopng, an attacker could exploit this to execute arbitrary code with the privileges of the user running pnmtopng.
OpenWBEM: arbitrary code execution
Package(s): OpenWBEM
CVE #(s): none
Created: October 17, 2005
Updated: October 19, 2005
Description: The SUSE Security Team performed a security review of important parts of the OpenWBEM system. During the audit, several integer wrap-arounds and buffer overflows were discovered and fixed. If exploited, they allow remote attackers to execute arbitrary code with root privileges.
Perl, Qt-UnixODBC, CMake: RUNPATH issues
Package(s): perl qt-unixodbc CMake
CVE #(s): none
Created: October 17, 2005
Updated: October 19, 2005
Description: Some packages may introduce insecure paths into the list of directories that are searched for libraries at runtime. Furthermore, packages depending on the MakeMaker Perl module for build configuration may have incorrectly copied the LD_RUN_PATH into the DT_RPATH. A local attacker who is a member of the "portage" group could create a malicious shared object in the Portage temporary build directory that would be loaded at runtime by a dependent executable, potentially resulting in privilege escalation.
php: open_basedir directive handling
Package(s): php4
CVE #(s): CAN-2005-3054
Created: October 17, 2005
Updated: October 24, 2005
Description: A bug has been found in the handling of the open_basedir directive. Contrary to the specification, the value of open_basedir was handled as a prefix instead of a proper directory name even if it was terminated by a slash ('/'). For example, this allowed PHP scripts to access the directory /home/user10 when open_basedir was configured to '/home/user1/'.
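The prefix-versus-directory mistake described above is easy to reproduce. What follows is an added example, not PHP's own code: a C model of the open_basedir comparison, the buggy form beside the fixed one. Both assume the path being checked has already been canonicalized (no `..` components, symlinks resolved), which is the other half of a real open_basedir check; the function names are this example's own.

```c
/* Added example, not PHP's code: a model of the open_basedir check. The
 * buggy version strips the trailing '/' and compares the base as a bare
 * string prefix; the fixed version also requires the match to end at a
 * path-component boundary. Paths are assumed to be already canonical. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Buggy: '/home/user1/' admits '/home/user10/secret' because once the
 * trailing slash is gone, '/home/user1' is a prefix of that path. */
static int in_basedir_buggy(const char *base, const char *path) {
    char b[256];
    size_t n = strlen(base);
    if (n == 0 || n >= sizeof b) return 0;
    memcpy(b, base, n + 1);
    while (n > 1 && b[n - 1] == '/') b[--n] = '\0';   /* strip trailing '/' */
    return strncmp(b, path, n) == 0;
}

/* Fixed: after the prefix matches, the next character of the path must be
 * a separator (or the end of the string, for the directory itself). */
static int in_basedir_fixed(const char *base, const char *path) {
    char b[256];
    size_t n = strlen(base);
    if (n == 0 || n >= sizeof b) return 0;
    memcpy(b, base, n + 1);
    while (n > 1 && b[n - 1] == '/') b[--n] = '\0';
    if (strncmp(b, path, n) != 0) return 0;
    if (n == 1 && b[0] == '/') return 1;              /* base is the root */
    return path[n] == '/' || path[n] == '\0';
}

int main(void) {
    const char *base = "/home/user1/";
    const char *probes[] = {
        "/home/user1/www/index.php",   /* legitimately inside */
        "/home/user10/secret",         /* the CAN-2005-3054 escape */
        "/home/user1",                 /* the directory itself */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-28s buggy=%d fixed=%d\n", probes[i],
               in_basedir_buggy(base, probes[i]), in_basedir_fixed(base, probes[i]));
    return 0;
}
```

The same boundary test applies to any "is this path under that directory" check, whether in a web server's document root handling, a chroot-like sandbox, or an archive extractor.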
phpMyAdmin: arbitrary code execution
Package(s): phpmyadmin
CVE #(s): none
Created: October 17, 2005
Updated: October 19, 2005
Description: Maksymilian Arciemowicz reported that in libraries/grab_globals.lib.php, the $__redirect parameter was not correctly validated. Systems running PHP in safe mode are not affected. A remote attacker may exploit this vulnerability by sending malicious requests, causing the execution of arbitrary code with the rights of the user running the web server.
w3c-libwww: possible stack overflow
Package(s): w3c-libwww
CVE #(s): CVE-2005-3183
Created: October 14, 2005
Updated: May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c.
Updated vulnerabilities
a2ps: input validation error
Package(s): a2ps
CVE #(s): CAN-2004-1170, CAN-2004-1377
Created: November 26, 2004
Updated: December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at SecurityFocus.
abiword: buffer overflow
Package(s): abiword
CVE #(s): CAN-2005-2964
Created: September 29, 2005
Updated: November 14, 2005
Description: The RTF import module of the AbiWord word processor has a buffer overflow vulnerability. A user can be tricked into opening a maliciously crafted RTF file, giving the attacker the ability to execute code with the permissions of the user.
apache information disclosure if modssl=yes
Package(s): apache
CVE #(s): CAN-2005-2700
Created: September 2, 2005
Updated: November 10, 2005
Description: An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
httpd: off-by-one overflow and cross-site scripting
Package(s): apache httpd
CVE #(s): CAN-2005-1268, CAN-2005-2088
Created: July 25, 2005
Updated: November 7, 2005
Description: Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of web application firewall protection or lead to cross-site scripting (XSS) attacks. Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL).
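The CAN-2005-2088 part of the entry above is HTTP request smuggling, and it is worth seeing exactly how two hops disagree on where one request ends. The following is an added example, not Apache's code: two minimal framing routines, one that trusts Content-Length and one that walks Transfer-Encoding: chunked, run over a request constructed for this example. The function names and the sample request are this example's own.

```c
/* Added example (not Apache code): how a proxy honouring Content-Length
 * and a back end honouring Transfer-Encoding: chunked can disagree on
 * where one request ends. The request bytes are constructed for this
 * example and are assumed to be NUL-terminated. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Both headers present; the body is a terminating zero chunk followed by
 * what the back end will take as the start of a second request. */
static const char SMUGGLED[] =
    "POST /form HTTP/1.1\r\n"
    "Host: victim\r\n"
    "Content-Length: 26\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "0\r\n"
    "\r\n"
    "GET /admin HTTP/1.1\r\n";

/* Offset just past the "\r\n\r\n" that ends the header block, or -1. */
static long header_end(const char *req, size_t n) {
    for (size_t i = 0; i + 3 < n; i++)
        if (memcmp(req + i, "\r\n\r\n", 4) == 0) return (long)(i + 4);
    return -1;
}

/* Case-insensitive lookup of a header at the start of a line; returns a
 * pointer to its value or NULL. */
static const char *find_header(const char *req, long hend, const char *name) {
    size_t nl = strlen(name);
    for (long i = 0; i + (long)nl + 1 < hend; i++) {
        if ((i == 0 || req[i - 1] == '\n') &&
            strncasecmp(req + i, name, nl) == 0 && req[i + nl] == ':') {
            const char *v = req + i + nl + 1;
            while (*v == ' ') v++;
            return v;
        }
    }
    return NULL;
}

/* Framing as a Content-Length-only hop sees it. */
static long end_by_content_length(const char *req, size_t n) {
    long hend = header_end(req, n);
    if (hend < 0) return -1;
    const char *cl = find_header(req, hend, "Content-Length");
    long len = cl ? strtol(cl, NULL, 10) : 0;
    if (len < 0 || (size_t)(hend + len) > n) return -1;
    return hend + len;
}

/* Framing as a chunked-aware hop sees it: walk chunk sizes until the zero
 * chunk and its closing CRLF (no trailers handled in this example). */
static long end_by_chunked(const char *req, size_t n) {
    long hend = header_end(req, n);
    if (hend < 0) return -1;
    const char *te = find_header(req, hend, "Transfer-Encoding");
    if (!te || strncasecmp(te, "chunked", 7) != 0) return end_by_content_length(req, n);
    size_t pos = (size_t)hend;
    for (;;) {
        char *endp;
        long sz = strtol(req + pos, &endp, 16);
        if (endp == req + pos || sz < 0) return -1;
        pos = (size_t)(endp - req);
        if (pos + 2 > n || memcmp(req + pos, "\r\n", 2) != 0) return -1;
        pos += 2;
        if (sz == 0) {
            if (pos + 2 > n || memcmp(req + pos, "\r\n", 2) != 0) return -1;
            return (long)(pos + 2);
        }
        if (pos + (size_t)sz + 2 > n) return -1;
        pos += (size_t)sz + 2;           /* chunk data plus its CRLF */
    }
}

/* What the fix amounts to: a message carrying both headers is ambiguous,
 * so refuse it (or, per RFC 2616 section 4.4, ignore Content-Length)
 * rather than let two hops frame it differently. */
static int is_ambiguous_framing(const char *req, size_t n) {
    long hend = header_end(req, n);
    if (hend < 0) return -1;
    return find_header(req, hend, "Content-Length") != NULL &&
           find_header(req, hend, "Transfer-Encoding") != NULL;
}

int main(void) {
    size_t n = strlen(SMUGGLED);
    long cl_end = end_by_content_length(SMUGGLED, n);
    long te_end = end_by_chunked(SMUGGLED, n);
    printf("Content-Length framing: request ends at byte %ld of %zu\n", cl_end, n);
    printf("chunked framing: request ends at byte %ld; left over: %s",
           te_end, te_end >= 0 ? SMUGGLED + te_end : "(error)\n");
    printf("ambiguous: %d\n", is_ambiguous_framing(SMUGGLED, n));
    return 0;
}
```

The Content-Length hop forwards all 111 bytes as one request; the chunked hop stops after the zero chunk at byte 90 and treats the remaining `GET /admin` line as the beginning of the next request on the same connection, which is the request the attacker never sent through the proxy's access controls.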
awstats: command injection vulnerability
Package(s): awstats
CVE #(s): CAN-2005-1527
Created: August 11, 2005
Updated: November 10, 2005
Description: AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server.
bzip2: race condition and infinite loop
Package(s): bzip2
CVE #(s): CAN-2005-0953, CAN-2005-1260
Created: May 17, 2005
Updated: January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack: bzip2 sets the permissions of the output file only after decompression is complete, so a file hard-linked into its place in the meantime receives those permissions. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
cfengine: insecure temporary files
Package(s): cfengine
CVE #(s): CAN-2005-2960
Created: October 3, 2005
Updated: October 14, 2005
Description: Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine, which is probably root.
common-lisp-controller: design error
Package(s): common-lisp-controller
CVE #(s): CAN-2005-2657
Created: September 14, 2005
Updated: November 21, 2005
Description: François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before.
cpio: directory traversal
Package(s): cpio
CVE #(s): CAN-2005-1111
Created: June 20, 2005
Updated: December 26, 2005
Description: There is a vulnerability in cpio (2.6 and earlier) that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice: cpio extracts to the path specified in the archive, and that path can be absolute.
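As an added example, not cpio's own code, here is the kind of member-name check that the bug above lacked: leading slashes are stripped so that an absolute member name lands under the destination directory, `.` components are dropped, and any `..` that would climb above the destination is rejected rather than silently honoured. `archive_path_is_safe()` is this example's own name, and it applies the rule more strictly than most extractors, which warn and strip rather than refuse.

```c
/* Added example (not cpio's code): sanitizing an archive member name
 * before extracting it under a destination directory. Writes the relative
 * path to use into out and returns 1, or returns 0 if the entry must be
 * rejected. The name is treated purely lexically; symlinks already on
 * disk are a separate check an extractor also has to make. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

static int archive_path_is_safe(const char *name, char *out, size_t outsz) {
    const char *parts[128];   /* start of each kept component */
    size_t lens[128];
    size_t depth = 0;
    const char *p = name;

    while (*p == '/') p++;                         /* absolute -> relative */
    while (*p) {
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        while (*p == '/') p++;                     /* collapse repeated '/' */
        if (len == 1 && start[0] == '.') continue; /* "." adds nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;              /* would escape the root */
            depth--;
            continue;
        }
        if (depth == sizeof parts / sizeof parts[0]) return 0;
        parts[depth] = start;
        lens[depth] = len;
        depth++;
    }
    if (depth == 0) return 0;                      /* "/", ".", "a/..": nothing to extract */

    size_t used = 0;
    for (size_t i = 0; i < depth; i++) {
        if (used + lens[i] + 2 > outsz) return 0;
        if (i) out[used++] = '/';
        memcpy(out + used, parts[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

int main(void) {
    /* constructed member names, including the two attacks the check exists for */
    const char *names[] = { "/etc/passwd", "../../etc/passwd",
                            "usr/../../etc/passwd", "a/./b/../c", "/" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char out[256];
        int ok = archive_path_is_safe(names[i], out, sizeof out);
        printf("%-22s -> %s\n", names[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

An absolute name such as /etc/passwd becomes etc/passwd under the destination, which is what cpio does today (with a warning); the `..` forms are what the traversal fix has to stop.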
cyrus-imapd: buffer overflows
Package(s): cyrus-imapd
CVE #(s): CAN-2005-0546
Created: February 23, 2005
Updated: April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
dia: missing input sanitizing
Package(s): dia
CVE #(s): CAN-2005-2966
Created: October 4, 2005
Updated: April 6, 2006
Description: Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.
elm: buffer overflow
Package(s): elm
CVE #(s): CAN-2005-2665
Created: August 23, 2005
Updated: November 10, 2005
Description: A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it.
emacs21: format string vulnerability in "movemail"
Package(s): emacs21
CVE #(s): CAN-2005-0100
Created: February 7, 2005
Updated: May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
enscript: arbitrary code execution
Package(s): enscript
CVE #(s): CAN-2004-1184, CAN-2004-1185, CAN-2004-1186
Created: January 21, 2005
Updated: May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
evolution: format string issues
firefox: multiple vulnerabilities
Foomatic: Arbitrary command execution in foomatic-rip
Package(s): foomatic
CVE #(s): CAN-2004-0801
Created: September 20, 2004
Updated: May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
gaim: buffer overflow
Package(s): gaim
CVE #(s): CAN-2005-2103
Created: August 10, 2005
Updated: February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
gdb: multiple vulnerabilities
Package(s): gdb
CVE #(s): CAN-2005-1704, CAN-2005-1705
Created: May 20, 2005
Updated: August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
gtk-pixbuf, gtk2: denial of service
Package(s): gdk-pixbuf gtk2
CVE #(s): CAN-2005-0891
Created: March 30, 2005
Updated: December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
gettext: Insecure temporary file handling
Package(s): gettext
CVE #(s): CAN-2004-0966
Created: October 11, 2004
Updated: March 1, 2006
Description: gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
glibc: tempfile vulnerability in catchsegv script
Package(s): glibc
CVE #(s): CAN-2004-0968
Created: October 21, 2004
Updated: November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
graphviz: insecure temporary file
Package(s): graphviz
CVE #(s): CAN-2005-2965
Created: October 10, 2005
Updated: October 21, 2005
Description: Javier Fernández-Sanguino Peña discovered insecure temporary file creation in graphviz, a rich set of graph drawing tools, that can be exploited to overwrite arbitrary files by a local attacker.
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: |
Trustix Secure Linux discovered a vulnerability in the groff package. The
"groffer" utility created its temporary directory in an insecure way,
allowing a local attacker to exploit a race condition to create or
overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters such as '|'
and '&' properly when they occur in input file names. This can be exploited
to execute arbitrary commands with the privileges of the user running zgrep
if it is run on attacker-controlled file names, for example in an untrusted
directory. |
| Alerts: | |
Comments (2 posted)
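The zgrep flaw above is a general one: a file name spliced into a command string and handed back to the shell for parsing. The script below is an added example and not gzip's own code; it is a miniature of the zgrep pipeline with cat standing in for "gzip -dc" so that it runs without gzip, and the function names, the sandbox and the file name "notes.txt;touch injected" are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not gzip's own code): shell metacharacters in file names.
# cat stands in for "gzip -dc"; names and the sandbox are assumptions.

# Vulnerable: the file name is spliced into a command string that the shell
# parses again, so ';', '|', '&', '$(...)' and friends inside the name are
# interpreted as shell syntax instead of as part of the name.
unsafe_zgrep() {   # pattern file
    eval "cat $2 | grep -e $1"
}

# Hardened: never re-parse; pass the name as one quoted argument, after "--"
# so that a name beginning with "-" cannot be taken as an option either.
safe_zgrep() {     # pattern file
    cat -- "$2" | grep -e "$1"
}

# Demonstration in a throwaway directory: a file name carrying an injected
# command. Prints two words, whether the marker file "injected" appeared
# after the unsafe call and after the safe call.
run_demo() {
    sandbox=$(mktemp -d) || return 1
    (
        cd "$sandbox" || exit 1
        printf 'hello world\n' > notes.txt
        evil='notes.txt;touch injected'     # attacker-chosen file name

        unsafe_zgrep hello "$evil" >/dev/null 2>&1 || true
        if [ -e injected ]; then u=injected; else u=clean; fi
        rm -f injected

        safe_zgrep hello "$evil" >/dev/null 2>&1 || true
        if [ -e injected ]; then s=injected; else s=clean; fi

        echo "$u $s"
    )
    rm -rf "$sandbox"
}

run_demo   # prints: injected clean
```

In the unsafe path the eval turns the name into two commands, "cat notes.txt" followed by "touch injected | grep -e hello", and the marker appears; in the safe path cat simply reports that no file with that literal name exists. The same rule applies to any wrapper script that builds commands from untrusted names: quote every expansion and never eval strings containing them.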
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to sanitize the 'config'
parameter before echoing it back in an error message. This flaw could allow
an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
Hylafax: insecure temporary file creation in xferfaxstats
| Package(s): | hylafax |
| CVE #(s): | CAN-2005-3069 |
| Created: | September 30, 2005 |
| Updated: | October 13, 2005 |
| Description: |
Javier Fernández-Sanguino Peña discovered that the xferfaxstats cron script
shipped with HylaFAX versions before 4.2.2 creates temporary files with
predictable filenames in an insecure way. |
| Alerts: | |
Comments (none posted)
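The gettext, catchsegv, graphviz, groffer and xferfaxstats entries above all describe the same bug class: a temporary file with a guessable name in a shared directory, created without O_EXCL, so that a pre-planted symbolic link redirects the write onto a file the attacker could not otherwise touch. The script below is an added example, not code from any of those packages; it shows the vulnerable pattern beside the mktemp(1)-based fix and plays the attack out in a private sandbox. The names "stats.tmp", "victim" and "shared", the sandbox and the helper function names are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from gettext, glibc, graphviz, groff or HylaFAX):
# predictable temporary file names versus mktemp(1).

# Vulnerable pattern: a fixed (or $$-based, hence guessable) name in a shared
# directory, written with a plain redirection. The open(2) behind ">" uses
# O_CREAT without O_EXCL, so it follows a symlink planted in advance and the
# write lands on whatever the link points at.
unsafe_tmpwrite() {   # dir payload
    f="$1/stats.tmp"                     # assumed name; attacker can predict it
    echo "$2" > "$f"
}

# Hardened: mktemp(1) picks an unpredictable name and creates the file with
# O_CREAT|O_EXCL and mode 0600, so a pre-planted link or file of the same
# name makes creation fail instead of being followed.
safe_tmpwrite() {     # dir payload
    f=$(mktemp "$1/stats.XXXXXX") || return 1
    # Belt and braces: only ever write through a regular, non-link file.
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    echo "$2" > "$f"
    printf '%s\n' "$f"
}

# Demonstration in a throwaway sandbox. "victim" stands in for a file the
# attacker cannot write directly (think /etc/passwd) and "shared" for a
# world-writable directory such as /tmp. Prints two words: the victim's
# contents after the unsafe write and after the safe write.
run_demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim"
    shared="$sandbox/shared"
    mkdir "$shared" && chmod 1777 "$shared"
    echo "original" > "$victim"

    # Attacker pre-plants the predictable name as a link to the victim.
    ln -s "$victim" "$shared/stats.tmp"

    unsafe_tmpwrite "$shared" "pwned"             # follows the link
    after_unsafe=$(cat "$victim")

    echo "original" > "$victim"
    safe_tmpwrite "$shared" "pwned" >/dev/null    # creates stats.XXXXXX instead
    after_safe=$(cat "$victim")

    rm -rf "$sandbox"
    echo "$after_unsafe $after_safe"
}

run_demo   # prints: pwned original
```

One caveat: current Linux kernels with fs.protected_symlinks=1 refuse to follow a symlink in a sticky, world-writable directory when the link's owner differs from both the follower and the directory owner, which blocks the classic cross-user attack against /tmp. The demonstration runs as a single user, so that protection does not apply to it, and scripts still need the mktemp fix for other kernels, other operating systems and shared directories without the sticky bit.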
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client library. An
attacker could set up a malicious IMAP server which, when a victim connects
to it, executes arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
| CVE #(s): | CAN-2004-0802, CAN-2004-0817 |
| Created: | September 8, 2004 |
| Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in its BMP handling code. |
| Alerts: | |
Comments (none posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
| CVE #(s): | CVE-2005-1108, CVE-2005-1109 |
| Created: | April 13, 2005 |
| Updated: | November 5, 2005 |
| Description: |
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap
corruption bug and a possible privacy violation. |
| Alerts: | |
Comments (1 posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) in KDE versions 3.2.0
through 3.4.2 suffers from a lock file handling error which can enable a
local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: |
Kate and KWrite, as shipped with KDE 3.2.x up to and including 3.4.0, create
a backup copy of a file before saving a modified version. These backup files
are created with default permissions, even if the original file had stricter
permissions set, so the contents of a protected file can be exposed to other
users. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
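The Kate backup problem is not specific to editors: any program that writes a copy of a file as a fresh file gets the process's default mode, not the original's. The script below is an added example and not Kate or KWrite code; it shows a backup made by redirection beside one made with cp -p, which carries the original's mode over, and checks the result with an exact-mode find(1) test that works with both GNU and BSD find. The file name, its contents, the sandbox and the helper names are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not Kate/KWrite code): a backup that inherits the default
# permissions versus one that keeps the original's mode.

# Exact-mode check usable with GNU and BSD find(1): find prints the path
# only when the permission bits equal MODE (octal) exactly.
has_mode() {   # file mode
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Vulnerable pattern: the backup is a brand-new file created by redirection,
# so it gets 0666 & ~umask (0644 under the usual umask 022) no matter how
# tightly the original was protected.
unsafe_backup() {
    cat -- "$1" > "$1~"
}

# Hardened: cp -p copies the content and the mode (and ownership, where
# permitted) in one step; the restrictive umask keeps the new file private
# for the instant between its creation and the chmod that cp -p performs.
safe_backup() {
    (umask 077 && cp -p -- "$1" "$1~")
}

# Demonstration in a throwaway sandbox. Prints two words: the mode of the
# backup produced by each routine.
mode_of() {
    if has_mode "$1" 600; then echo 600
    elif has_mode "$1" 644; then echo 644
    else echo other
    fi
}

run_demo() {
    sandbox=$(mktemp -d) || return 1
    f="$sandbox/secrets.txt"
    echo "top secret" > "$f"
    chmod 600 "$f"                  # owner-only, like a private key or config

    (umask 022 && unsafe_backup "$f")   # the common interactive default umask
    u=$(mode_of "$f~")
    rm -f "$f~"

    safe_backup "$f"
    s=$(mode_of "$f~")

    rm -rf "$sandbox"
    echo "$u $s"
}

run_demo   # prints: 644 600
```

The practical check when reviewing a program that writes backup, swap or autosave files is the same one run_demo performs: create a 0600 file, let the program save it, and list the sibling it left behind.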
kernel: multiple vulnerabilities
Comments (none posted)
koffice: KWord RTF import buffer overflow
| Package(s): | koffice |
| CVE #(s): | CAN-2005-2971 |
| Created: | October 12, 2005 |
| Updated: | November 7, 2005 |
| Description: |
The KOffice RTF import module suffers from a buffer overflow vulnerability
which could be exploited via a malicious RTF file. See the KDE advisory for
details. |
| Alerts: | |
Comments (none posted)
krb5: double-free flaw
| Package(s): | krb5 |
CVE #(s): | C |