LWN.net Logo

LWN.net Weekly Edition for November 3, 2005

A study on free software in British schools

There have been a number of stories recently about the adoption of free software in public school systems around the world. Certainly free software has a lot of attributes which make it well suited for that role: it is relatively secure, open to curious minds which wish to look inside it, freely available for students to copy and use at home, easily adapted to local languages, and easier on a school's (typically stretched) budget. Of course, not everybody agrees that the use of free software is cheaper; certain proprietary software companies, in particular, are trying to cast doubt on that assertion. So the administration of a school contemplating a switch to free software might well wonder: will it truly save money?

The British Educational Communications and Technology Agency decided that it needed an answer to that question. So it took a detailed look at 48 British schools - 33 which were not using free software, and 15 which were - to get a sense for their relative costs. The result of this work is now available as a glossy report [PDF], suitable for printing on heavy paper and handing to a school administrator near you.

The study divided software usage into three broad categories: (1) servers, (2) class and administrative computer operating systems, and (3) classroom and administrative applications. The total costs were summarized in each category, taking a broad view. Costs include hardware and software, but also support - both purchased from outside and provided by internal staff. Training was also included. In other words, the study took into account all of those factors which, according to the critics, make free software more expensive than the proprietary alternatives.

The bottom-line result is quite clear:

The annual total cost per PC was less for nearly all the OSS schools at both primary and secondary school levels. For OSS schools, cost per PC at primary school level was half that of non-OSS schools, and cost per PC at secondary school level was around 20% less than that of the non-OSS schools.

Unsurprisingly, the study found that the best immediate results came from the use of free software on server systems. There are more obstacles to deployments on administrative and classroom systems. In some cases - especially for school administrative functions - the necessary applications are not yet available (the study notes that projects like SchoolTool are working to provide those applications). There is also some opposition to free applications from people who are trained in other packages. Tellingly, most of this opposition seems to come from the teachers, not the students:

This willingness to "mix and match" was also mentioned by the head teacher in the case study report on another primary school: "Children don't seem to care if they have Word at home, or StarOffice. At school they have never complained about which they use."

Teachers and administrators, like most adults, have a certain tendency to get set in their ways and stick with what they already know. Children can be more flexible. What these schools are seeing corresponds with your editor's own experience: children have no problem working with free software, and, if exposed to it, will take to it readily. Just don't (speaking from experience here, again) expose your children to Battle For Wesnoth, or their homework will suffer.

In summary: this report is a good thing, as far as it goes. The flood of hostile "total cost of ownership" studies is unlikely to slow in the near future, so it is good to have contrary evidence from relatively unbiased sources. There are, however, no end of reasons, beyond the financial ones, for using free software in public schools, but this report ignores them almost completely. At the lower school levels, free software can be made available to students without licensing hassles or sanctimonious lectures about not making copies. At higher levels it can teach the students much about software itself, encourage them to experiment, and demonstrate how cooperative work can yield benefits for everybody involved. A strict focus on costs may provide a favorable picture, but risks creating the impression that cost is the only reason for using free software. In the context of the public schools, more than in many other situations, it is important that people understand that there is far more to free software than "free of cost."

Comments (14 posted)

Open source compliance insurance

The folks at Open Source Risk Management have, for some time now, been working on indemnification insurance for free software. The idea behind this offering is that businesses which are worried about an SCO-style lawsuit can purchase insurance turning that risk into a regular, predictable business expense. This sort of service may well turn out to be a hard sell, however; SCO's experience seems unlikely to inspire many copycat acts. The risk of successful, copyright-based legal attacks against free software currently seems to be quite low.

Patents may yet prove to be a different story, though.

Meanwhile, OSRM, in conjunction with Kiln plc and Miller Insurance Services, has come up with a new idea: sell insurance to companies which fear GPL compliance problems:

Open Source Compliance Insurance will initially offer cover of up to $10 million for direct loss suffered by the insured following a finding of non-compliance with specific license agreements under which open source code is obtainable. The insurance will indemnify the insured for the loss of profits associated with the withdrawal or alteration of a product incorporating non-compliant code or the impaired valuation of an acquisition agreement exchanging open source software. In certain circumstances the policy would pay the costs to mitigate such losses including the expense of repair or replacement of code that is found to infringe upon the General Public License (GPL) or other Open Source licenses.

This is, in other words, a 180-degree change from the previous OSRM offering. The previously-offered indemnification policies addressed concerns that free software could be infringing on copyrights through the inclusion of proprietary code. Now, instead, we have insurance to benefit those who might just infringe the copyrights associated with free software. This situation is, certainly, more likely to come about; here's another quote from the press release:

Worldwide, more than thirty legal claims involving infringement of open source licenses have been brought against corporations in the last two years. In each case, plaintiffs have prevailed in enforcing their rights to restrict the use of their code.

This statement, certainly, is a strong statement in favor of the enforceability of free software licenses.

One might argue that this sort of insurance policy presents a moral hazard. A company which hopes to ignore the requirements of the GPL could ship a product without source, secure in the knowledge that, if somebody calls them on it, they can fall back on the insurance policy to mitigate their losses. The plan's fine print must certainly have language excluding deliberate acts of noncompliance, but proving that a specific infringement was willful could be a challenge.

Others might say that there should be no inadvertent infringement of the GPL; any such infringement constitutes, at best, an extreme lack of due diligence. Consider, however, the much-publicized cases where various wireless routers have used GPL code in noncompliant ways. In these cases, the final vendor - the one whose name is on the product - often has little knowledge of what software was used by the obscure, far-eastern supplier who actually made the product. As more GPL rulings are handed down, it seems likely that resellers will start asking more questions of their suppliers, but surprises still seem possible. This particular risk - being betrayed by a supplier - seems like a legitimate thing to insure against.

So OSRM and its partners might just find a market for this particular offering. If, in the process, they make businesses feel more comfortable about using free software in their products - and, perhaps, even helping with the further development of that software - it should be a good thing for the free software community as a whole.

Comments (3 posted)

EFF: Halloween on the hill

As reported on the EFF site: the broadcast flag is back, bigger and badder than ever. The new halloween document [PDF], otherwise known as the "Analog Content Security Preservation Act of 2005," would impose no end of restrictions. "The unprotected analog outputs of computers will be, in perpetuity, restricted to either DRM-laden standards, or to a 'constrained image', 'no more than 350,000 pixels'. Analog video which has been branded as 'do not copy', will last for only ninety minutes only in the digital world - and will be erased, literally frame by frame, megabyte by megabyte, from your PC, without your control. You'll watch a two hour film, and as you watch the final half hour, the first few scenes will be being dissolved away by statute."

Comments (16 posted)

The send-a-link feature

The recent discussion on improving LWN's readership led to one clear action item: the addition of a feature which would allow subscribers to create special links which they could use to point out interesting articles to non-subscribers. These links would bypass the normal subscription gate, allowing articles to be read while they are still current.

That feature has been implemented, and is now active. There is no limit on the number of links a subscriber may create, and no limit on how many people may read an article via a given link. A few caveats do apply, however:

  • For the time being, only "project leader" subscribers have the ability to create subscriber links. This restriction is meant to be temporary; its main purpose is to slow the initial use of the new feature while any remaining bugs are shaken out. It would, however, be interesting to hear what people think of keeping subscriber links as a differentiating feature for the high-level subscriptions.

  • Subscriber links can be made for individual articles; just look for the "send a link" line in the left column. These links cannot be made for entire Weekly Edition pages, however.

  • We reserve the right to turn off the subscriber link capability for specific articles; the annual timeline is a case where we might do that. No decisions have been made on that point, however, and the mechanism to implement an exclusion policy has not yet been implemented.

  • We reserve the right to turn off the whole thing if it looks like the feature is being abused and hurting subscription sales. We do not expect things to go that way, however.

Privacy stuff and details: for each link, we track who created it and the number of hits it receives. That information will go away some time after the link expires - which happens when the relevant article becomes freely available. The links are constructed in such a way that they will continue to work forever. Currently, following a subscriber link leads directly to the article in question; in the future, we might throw in some sort of encouragement to subscribe.

We are most interested to see how this new feature - which was driven by requests from our subscribers - works out.

Comments (18 posted)

Page editor: Jonathan Corbet

Security

Sony, rootkits, and the escalation of the DRM war

As most readers are likely to have seen by now, a Windows developer recently discovered that a rootkit on his system had been installed by the DRM ("digital restrictions management," to use Richard Stallman's apt term) code from a copy-protected CD. This CD (Van Zant's appropriately named "Get Right With The Man") was issued by SonyBMG. It happily installed software on the system, overrode a couple of system calls, and proceeded to hide itself from casual view. This is not the sort of experience that CD purchases are normally looking for. SonyBMG should - and will - take a fair amount of grief from this bit of silliness.

Just how silly is just becoming clear: consider this weblog entry which suggests that SonyBMG's DRM activities don't really even have anything to do with copy protection. Instead, SonyBMG is simply trying to make life more difficult for iPod users as a way of trying to muscle in on Apple's turf. It is increasingly clear that DRM is being used as a way of excluding competition, rather than for its stated purpose. With luck, some politicians might begin to understand this, and the tone of the debate in various national capitols may change a bit.

Meanwhile, it is also clear that DRM is increasingly a security issue. We have music discs which install malware, the entertainment industry trying to poison bittorrent streams, and legislators who would like to legalize overt attacks against those who are deemed to be pirates. There will certainly be many computers - including those in companies - which have been infected with the DRM code shipped by SonyBMG, and the full capabilities of that code remain unclear. The next security compromise carried out in the name of piracy prevention may be even worse.

There are some obvious conclusions to be drawn from this episode. The most obvious of all being that automatically running code from an arbitrary CD is a stunningly bad idea. Beyond that, avoiding Windows helps, for now. Even Macintosh systems are unaffected by SonyBMG's DRM. And it has been made clear that security threats can come from unexpected directions. SonyBMG is not a bunch of script kiddies in a basement somewhere; it's a high-profile corporation which, one might expect, would not be in the business of attacking its customers' computers. This is unlikely to be the last episode of this kind we will see.

Comments (11 posted)

New vulnerabilities

gallery: privilege escalation

Package(s):gallery CVE #(s):CVE-2005-2596
Created:November 2, 2005 Updated:November 2, 2005
Description: The gallery system has a bug which can allow all PostNuke users full access to the gallery.
Alerts:
Debian DSA-879-1 2005-11-02

Comments (none posted)

gnump3d: cross-site scripting, directory traversal

Package(s):gnump3d CVE #(s):CVE-2005-3122 CVE-2005-3123
Created:October 28, 2005 Updated:November 7, 2005
Description: Steve Kemp discovered two vulnerabilities in gnump3d, a streaming server for MP3 and OGG files.
Alerts:
Gentoo 200511-05 2005-11-06
Debian DSA-877-1 2005-10-28

Comments (none posted)

Mantis: multiple vulnerabilities

Package(s):mantisbt CVE #(s):CVE-2005-3091 CVE-2005-3335 CVE-2005-3336 CVE-2005-3338 CVE-2005-3339
Created:October 28, 2005 Updated:December 22, 2005
Description: Mantis contains several vulnerabilities, including a remote file inclusion vulnerability, an SQL injection vulnerability, multiple cross site scripting vulnerabilities and multiple information disclosure vulnerabilities.
Alerts:
Gentoo 200512-12 2005-12-22
Debian DSA-905-1 2005-11-22
Gentoo 200510-24 2005-10-28

Comments (none posted)

openvpn: format string vulnerability

Package(s):openvpn CVE #(s):CVE-2005-3393 CVE-2005-3409
Created:November 2, 2005 Updated:December 12, 2005
Description: OpenVPN 2.0.x contains a format string vulnerability which can be exploited by a hostile server; see this advisory for details.
Alerts:
Mandriva MDKSA-2005:206-1 2005-12-09
Mandriva MDKSA-2005:206 2005-11-08
Debian DSA-885-1 2005-11-07
Gentoo 200511-07 2005-11-06
SuSE SUSE-SR:2005:025 2005-11-04
OpenPKG OpenPKG-SA-2005.023 2005-11-02

Comments (none posted)

Squirrelmail: preference modification

Package(s):squirrelmail CVE #(s):CAN-2005-2095
Created:November 2, 2005 Updated:November 2, 2005
Description: Versions of Squirrelmail prior to 1.4.5 have an error in how the $_POST variable is handled. As a result, a user's preferences can be viewed and modified.
Alerts:
Mandriva MDKSA-2005:202 2005-11-01

Comments (1 posted)

TikiWiki: XSS vulnerability

Package(s):tikiwiki CVE #(s):
Created:October 28, 2005 Updated:November 2, 2005
Description: Due to improper input validation, TikiWiki can be exploited to perform cross-site scripting attacks. A remote attacker could exploit this to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser.
Alerts:
Gentoo 200510-23 2005-10-28

Comments (none posted)

Updated vulnerabilities

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

abiword: buffer overflow

Package(s):abiword CVE #(s):CAN-2005-2964
Created:September 29, 2005 Updated:November 14, 2005
Description: The RTF import module of the AbiWord word processor has a buffer overflow vulnerability. A user can be tricked into opening a maliciously crafted RTF file, giving the attacker the ability to execute code with the permissions of the user.
Alerts:
Debian DSA-894-1 2005-11-14
Gentoo 200510-17 2005-10-20
Ubuntu USN-203-1 2005-10-13
Fedora FEDORA-2005-955 2005-09-30
Gentoo 200509-20 2005-09-30
Ubuntu USN-188-1 2005-09-29

Comments (none posted)

apache information disclosure if modssl=yes

Package(s):apache CVE #(s):CAN-2005-2700
Created:September 2, 2005 Updated:November 10, 2005
Description: An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
Alerts:
Fedora-Legacy FLSA:166941 2005-11-09
Gentoo 200509-12 2005-09-19
SuSE SUSE-SA:2005:052 2005-09-12
Red Hat RHSA-2005:773-01 2005-09-15
Slackware SSA:2005-251-03 2005-09-14
Debian DSA-807-1 2005-09-12
Slackware SSA:2005-251-02 2005-09-09
Fedora FEDORA-2005-849 2005-09-07
Mandriva MDKSA-2005:161 2005-09-08
Fedora FEDORA-2005-848 2005-09-07
Debian DSA-805-1 2005-09-08
Ubuntu USN-177-1 2005-09-07
Red Hat RHSA-2005:608-01 2005-09-06
OpenPKG OpenPKG-SA-2005.017 2005-09-02

Comments (none posted)

httpd: off-by-one overflow and cross-site scripting

Package(s):apache httpd CVE #(s):CAN-2005-1268 CAN-2005-2088
Created:July 25, 2005 Updated:November 7, 2005
Description: Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL).

Alerts:
Slackware SSA:2005-310-04 2005-11-07
Debian DSA-803-1 2005-09-08
Ubuntu USN-160-2 2005-09-07
SuSE SUSE-SA:2005:046 2005-08-16
Fedora-Legacy FLSA:157701 2005-08-10
Ubuntu USN-160-1 2005-08-04
Mandriva MDKSA-2005:130 2005-08-03
Mandriva MDKSA-2005:129 2005-08-03
Fedora FEDORA-2005-638 2005-08-02
Fedora FEDORA-2005-639 2005-08-02
Trustix TSLSA-2005-0038 2005-07-29
SuSE SUSE-SR:2005:018 2005-07-28
Red Hat RHSA-2005:582-01 2005-07-25

Comments (none posted)

awstats: command injection vulnerability

Package(s):awstats CVE #(s):CAN-2005-1527
Created:August 11, 2005 Updated:November 10, 2005
Description: AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server.
Alerts:
Debian DSA-892-1 2005-11-10
Gentoo 200508-07 2005-08-16
Ubuntu USN-167-1 2005-08-11

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

common-lisp-controller: design error

Package(s):common-lisp-controller CVE #(s):CAN-2005-2657
Created:September 14, 2005 Updated:November 21, 2005
Description: François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before.
Alerts:
Debian DSA-811-2 2005-11-21
Debian DSA-811-1 2005-09-14

Comments (none posted)

cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute.
Alerts:
Mandriva MDKSA-2005:237 2005-12-23
Red Hat RHSA-2005:806-01 2005-11-10
Debian DSA-846-1 2005-10-07
Ubuntu USN-189-1 2005-09-29
Red Hat RHSA-2005:378-01 2005-07-21
Mandriva MDKSA-2005:116-1 2005-07-19
Mandriva MDKSA-2005:116 2005-07-11
Trustix TSLSA-2005-0030 2005-06-24
Gentoo 200506-16 2005-06-20

Comments (1 posted)

curl/wget: NTLM username buffer overflow

Package(s):curl wget CVE #(s):CAN-2005-3185
Created:October 14, 2005 Updated:November 7, 2005
Description: A vulnerability in libcurl's NTLM function can overflow a stack-based buffer if given too long a user name or domain name in NTLM authentication is enabled and either a) pass a user and domain name to libcurl that together are longer than 192 bytes or b) allow (lib)curl to follow HTTP redirects and the new URL contains a URL with a user and domain name that together are longer than 192 bytes. See this iDEFENSE Labs advisory for more details.
Alerts:
Slackware SSA:2005-310-01 2005-11-07
Red Hat RHSA-2005:812-00 2005-11-02
Red Hat RHSA-2005:807-00 2005-11-02
SuSE SUSE-SA:2005:063 2005-10-24
Gentoo 200510-19 2005-10-22
Fedora FEDORA-2005-1000 2005-10-18
Fedora FEDORA-2005-996 2005-10-17
Ubuntu USN-205-1 2005-10-14
Mandriva MDKSA-2005:183 2005-10-13
Mandriva MDKSA-2005:182 2005-10-13

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

dia: missing input sanitizing

Package(s):dia CVE #(s):CAN-2005-2966
Created:October 4, 2005 Updated:April 6, 2006
Description: Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.
Alerts:
Debian DSA-1025-1 2006-04-06
Mandriva MDKSA-2005:187 2005-10-20
Gentoo 200510-06 2005-10-06
Debian DSA-847-1 2005-10-08
SuSE SUSE-SR:2005:022 2005-10-07
Ubuntu USN-193-1 2005-10-04

Comments (none posted)

elm: buffer overflow

Package(s):elm CVE #(s):CAN-2005-2665
Created:August 23, 2005 Updated:November 10, 2005
Description: A buffer overflow flaw in Elm was discovered that was triggered by viewing a mailbox containing a message with a carefully crafted 'Expires' header. An attacker could create a malicious message that would execute arbitrary code with the privileges of the user who received it.
Alerts:
Slackware SSA:2005-311-01 2005-11-08
Red Hat RHSA-2005:755-01 2005-08-23

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enigmail: information disclosure

Package(s):enigmail CVE #(s):CVE-2005-3256
Created:October 20, 2005 Updated:December 13, 2005
Description: The key selection dialog from the Mozilla Thunderbird enigmail plugin has an information disclosure vulnerability. A key with an empty user id from a user's keyring will be used by default, allowing a message to be decrypted. This can lead to an unauthorized information disclosure.
Alerts:
Mandriva MDKSA-2005:226 2005-12-12
Debian DSA-889-1 2005-11-08
Ubuntu USN-211-1 2005-10-20

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ethereal: multiple vulnerabilities

Package(s):ethereal CVE #(s):CVE-2005-3241 CVE-2005-3242 CVE-2005-3243 CVE-2005-3244 CVE-2005-3245 CVE-2005-3246 CVE-2005-3247 CVE-2005-3248 CVE-2005-3249 CVE-2005-3184
Created:October 25, 2005 Updated:January 10, 2006
Description: A number of security flaws have been discovered in Ethereal. On a system where Ethereal is running, a remote attacker could send malicious packets to trigger these flaws and cause Ethereal to crash or potentially execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:152922 2006-01-09
Mandriva MDKSA-2005:193-2 2005-10-31
Gentoo 200510-25 2005-10-30
Mandriva MDKSA-2005:193-1 2005-10-26
Mandriva MDKSA-2005:193 2005-10-25
Red Hat RHSA-2005:809-01 2005-10-25

Comments (none posted)

evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
Description: Evolution has format string issues. SITIC advisory SA05-001 contains more information.
Alerts:
Debian DSA-1016-1 2006-03-23
SuSE SUSE-SA:2005:054 2005-09-16
Red Hat RHSA-2005:267-01 2005-08-29
Gentoo 200508-12 2005-08-23
Mandriva MDKSA-2005:141 2005-08-17
Fedora FEDORA-2005-742 2005-08-11
Fedora FEDORA-2005-743 2005-08-11

Comments (2 posted)

fetchmailconf: insecure file creation

Package(s):fetchmail CVE #(s):CVE-2005-3088
Created:October 26, 2005 Updated:November 22, 2005
Description: The fetchmailconf utility can create files which are world-readable for a brief period. These files may contain passwords, and thus should not be created in this manner.
Alerts:
Debian DSA-900-3 2005-11-22
Debian DSA-900-2 2005-11-21
Debian DSA-900-1 2005-11-18
Mandriva MDKSA-2005:209 2005-11-09
Ubuntu USN-215-1 2005-11-07
Gentoo 200511-06 2005-11-06
Red Hat RHSA-2005:823-01 2005-10-26

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
Created:September 22, 2005 Updated:February 15, 2006
Description: The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing.
Alerts:
Slackware SSA:2006-045-02 2006-02-15
Fedora-Legacy FLSA:168375 2006-01-09
Ubuntu USN-200-1 2005-10-11
Ubuntu USN-155-3 2005-10-04
Debian DSA-838-1 2005-10-02
Gentoo GLSA 200509-11:02 2005-09-18
SuSE SUSE-SA:2005:058 2005-09-30
Mandriva MDKSA-2005:170 2005-09-26
Mandriva MDKSA-2005:169 2005-09-26
Slackware SSA:2005-269-01 2005-09-26
Fedora FEDORA-2005-934 2005-09-26
Fedora FEDORA-2005-933 2005-09-26
Fedora FEDORA-2005-932 2005-09-26
Fedora FEDORA-2005-931 2005-09-26
Fedora FEDORA-2005-930 2005-09-26
Fedora FEDORA-2005-929 2005-09-26
Fedora FEDORA-2005-928 2005-09-26
Fedora FEDORA-2005-927 2005-09-26
Fedora FEDORA-2005-926 2005-09-26
Ubuntu USN-186-2 2005-09-25
Ubuntu USN-186-1 2005-09-23
Red Hat RHSA-2005:789-01 2005-09-22
Red Hat RHSA-2005:785-01 2005-09-22

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:158543 2006-02-25
Slackware SSA:2005-242-03 2005-08-31
Fedora FEDORA-2005-751 2005-08-17
Fedora FEDORA-2005-750 2005-08-17
Mandriva MDKSA-2005:139 2005-08-15
Gentoo 200508-06 2005-08-15
Ubuntu USN-168-1 2005-08-12
Red Hat RHSA-2005:589-01 2005-08-09

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gtk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

koffice: KWord RTF import buffer overflow

Package(s):koffice CVE #(s):CAN-2005-2971
Created:October 12, 2005 Updated:November 7, 2005
Description: The KOffice RTF import module suffers from a buffer overflow vulnerability which could be exploited via a malicious RTF file. See the KDE advisory for details.
Alerts:
Slackware SSA:2005-310-02 2005-11-07
Debian DSA-872-1 2005-10-26
Mandriva MDKSA-2005:185 2005-10-14
Fedora FEDORA-2005-984 2005-10-13
Gentoo 200510-12 2005-10-14
Ubuntu USN-202-1 2005-10-12

Comments (none posted)

krb5: double-free flaw

Package(s):krb5 CVE #(s):CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created:July 12, 2005 Updated:December 6, 2005
Description: The krb5 authentication has a double-free flaw which may be initiated by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service and an information disclosure may be caused by a malicious telnet server. See This report for more information.
Alerts:
Ubuntu USN-224-1 2005-12-06
Debian DSA-757-1 2005-07-17
Trustix TSLSA-2005-0036 2005-07-14
Mandriva MDKSA-2005:119 2005-07-13
SuSE SUSE-SR:2005:017 2005-07-13
Gentoo 200507-11 2005-07-12
Fedora FEDORA-2005-553 2005-07-12
Red Hat RHSA-2005:562-01 2005-07-12
Fedora FEDORA-2005-552 2005-07-12
Red Hat RHSA-2005:567-02 2005-07-12

Comments (none posted)

libconvert-uulib-perl: arbitrary code execution

Package(s):libconvert-uulib-perl CVE #(s):CAN-2005-1349
Created:May 20, 2005 Updated:January 27, 2006
Description: Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib (before 1.051), a Perl interface to the uulib library, which may result in the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:022 2006-01-26
Debian DSA-727-1 2005-05-20

Comments (1 posted)

libdbi-perl: insecure temporary file

Package(s):libdbi-perl CVE #(s):CAN-2005-0077
Created:January 25, 2005 Updated:March 2, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered that the DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.
Alerts:
Fedora-Legacy FLSA:178989 2006-03-01
Gentoo 200501-38:03 2005-01-26
Red Hat RHSA-2005:072-01 2005-02-15
Mandrake MDKSA-2005:030 2005-02-08
Red Hat RHSA-2005:069-01 2005-02-01
Gentoo 200501-38 2005-01-26
Ubuntu USN-70-1 2005-01-25
Debian DSA-658-1 2005-01-25

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114