LiPS service
One might think that there are already enough industry bodies working on
Linux in telephone applications. But, on November 14, a new group,
called the "Linux Phone Standards Forum" (or "LiPS") announced
its existence. According to the release:
The LiPS Forum will accelerate the adoption of Linux in fixed,
mobile and converged devices by standardizing Linux-based services
and APIs that most directly influence the development, deployment
and interoperability of applications and user-level services.
In essence, LiPS wants to push toward the creation of a standard low-level
phone platform which allows vendors to focus their efforts on the
higher-level features which set their offerings apart. The appeal of this
idea is not that hard to understand. As an operating system for
telephones, Linux is hard to beat: it can be customized to taste, it is
efficient, and it lacks per-unit royalty costs. In addition, mobile
platforms have become powerful enough to run Linux, and many mobile
applications are sufficiently demanding to require a complete operating
system like Linux. On the other hand, Linux lacks the features specific to
telephony which can be found in a proprietary platform like Symbian. By
filling in that layer of telephony-specific features, LiPS hopes to create
a competitive platform for future products.
LiPS will probably be successful in scheduling meetings, generating white
papers, and cranking out press releases. But if LiPS truly wants to turn
Linux into a platform it can rely upon in the future, its management may
want to consider engaging openly with the development community;
"cooperating with OSDL" is not sufficient in this regard. If LiPS sees
itself as another proprietary, members-only consortium, it will cut itself
off from much that the community can provide.
A good start would be to admit some community projects to the group. For
example, since they claim to be trying to build platforms for telephony in
general - not limited to mobile devices - the LiPS member companies might
well benefit from having somebody from the Asterisk and Bayonne projects at
the table.
Even better would be to work with the community directly. A look at the
list of companies which have joined LiPS (ARM, Cellon, Esmertec, France
Telecom/Orange, FSM Labs, Huawei, Jaluna, MIZI Research, MontaVista
Software, Open-Plug and PalmSource) and the other companies which have been
active in Linux-based telephones (Motorola, Haier, Nokia, NEC, Panasonic,
Samsung, ...) has few intersections with the list of companies
participating in Linux kernel development. If the LiPS members truly want
to get the most out of Linux, they will be better off working with the
development community and contributing back their improvements. The recent
announcement by the
Consumer Electronics Linux Forum that it had hired a Linux kernel developer
is a step in the right direction, but it is only a beginning.
Finally, if LiPS truly wants to achieve world domination with Linux-based
phones, it should give some thought to the creation of a user-hackable
platform. A phone which can be extended to perform functions never
envisioned by its creators will be a far more valuable device, and it
should find a wider market. Unfortunately, the mobile phone market tends
to be dominated by companies which behave like, well, telephone companies,
with the result that even routine features (such as Bluetooth) can be
locked down, and user-hackable devices are a rarity. When a device is
fully locked down, it matters little to the user whether it is running
Linux or something else altogether. If LiPS were sufficiently enlightened
that it could go against the closed nature of the industry and
specify the creation of Linux-based phones which have not had the
natural freedom of Linux stripped out of them, it could be the start of
something truly interesting.
Sony's rootkit: an update
For most companies, simply being caught installing rootkit-like software
onto the systems of customers who simply thought they were playing a music
CD would be bad enough. Certainly, the Halloween disclosure that
some SonyBMG discs install a rootkit (called "XCP") has been a source of grief for that
company, and rightly so. It takes a truly expansive interpretation of the
notion of "intellectual property rights" to believe that such rights allow
the installation of malware on other people's computers. As this event -
and those which have come after - have shown, however, SonyBMG appears to
have learned little from the whole episode.
Just how little the company has learned can be heard on this
NPR interview with SonyBMG manager Thomas Hesse. When asked about the
rootkit, Mr. Hesse responded:
Most people, I think, don't even know what a rootkit is, so why
should they care about it?
As the class-action suits begin to pile up, and as even Microsoft feels the
need to create a Sonyware removal tool, maybe Mr. Hesse will eventually
realize that people (who are rapidly learning what a rootkit is) do care.
SonyBMG has claimed that there is no "phone home" capability in this
software. Unfortunately for the company, connections back home are
relatively easy to detect. Some investigation
quickly showed that SonyBMG's software does indeed make a connection back
home when the CD is played. Nowhere has SonyBMG alerted its users to this
behavior and the associated privacy problems.
For additional amusement, see the EULA which
comes with the rootkit software.
SonyBMG has made an uninstaller available for those few users who are
capable of understanding what a rootkit does and being upset by it. It
turns out, however, that this uninstaller is worse than the original
rootkit. Running the uninstaller opens a number of holes - which can
be exploited via web pages - in the target system. So victims of SonyBMG's
rootkit who care about the security of their systems are in a bind; there
is currently no straightforward way to get that software off the system
without compromising the system even further.
Yet another ironic twist is the possibility
that Sony's rootkit includes some LGPL-licensed code, but does not comply
with the license. If this were true (and there are some doubts
on this point, though they seem to be getting
smaller), the hypocrisy would be complete.
In response to all this, SonyBMG announced that it would "temporarily" stop
making CDs with XCP on them. There was no apology, much less an offer to
compensate people whose systems have been compromised. Neither was there a
recall of the (apparently millions of) malware-infected discs which were
still in the retail pipeline. Only on November 15 did SonyBMG finally
give in, recall the outstanding XCP-infected CDs, and offer to replace
discs in the hands of its customers. Said users are still waiting for the
compensation offer, however.
It is also worth noting that Sony is still shipping CDs with
SunnComm's MediaMax DRM code on them. MediaMax may not be quite as bad
as XCP, but it is still hostile software which, among other things, phones
home.
In the end, SonyBMG appears to have been slapped down fairly hard for its
actions. It would be a mistake to assume that this sort of incident will
not happen again, however. The entertainment industry has managed to
create such a strawman enemy out of "pirates" that any sort of response
appears to be justified. In a world where these folks can dictate the
design of radios and televisions, attempt to legalize online attacks against
"pirates," and file lawsuits against children, the addition of malware to a
music disc seems like a small thing. Until such a time as this industry
stops seeing its own customers as enemies, it will fail to show those
customers any respect.
Linux users should not expect much respect either. Efforts like the
broadcast flag already threaten to make the creation of free television and
radio receivers impossible. Beyond any doubt, the music industry looks
forward to the day when even playing a song on a free system will be
disallowed. As Linux users, we are not much impressed by the idea that, in
order to play a music track, we must accept the installation of hostile
software onto our systems. Unfortunately, we may yet see a day when that
is the only choice we have.
(See also: the EFF's open
letter to SonyBMG and the Sony
timeline on BoingBoing).
FOSS.IN 2005
One would think that free software would be a natural for a country like
India. With free software, a developing nation can take greater control of
its infrastructure, avoid paying hard-currency licensing fees, and worry
less about "pirates" creating difficulties with foreign companies and
governments. When the country also has vast numbers of smart and
highly-educated people, as India does, free software seems like an even
better fit. There is no doubt that use of free software in India is
growing, but the country has not always been strongly represented in the
development community.
Things are clearly changing, however, and one of the clearest signs of that
change is the upcoming FOSS.IN conference,
starting November 29 in Bangalore. This conference, now in its fifth
year, expects some 3000 attendees, offers over 140 talks, 20 tutorials, and
a growing list of BOF sessions. The list of speakers includes many
Indian names, quite a few of which are known well beyond India. Other
speakers, whose names might be more familiar to most LWN readers, include
Andrew Cowie, Harald Welte, Alan Cox, Jeremy Zawodny, Brian Behlendorf,
Dave Phillips, James Morris, Rasmus Lerdorf, and Danese Cooper. The talks
cover a vast range of topics, including legal and advocacy issues, a strong
education track, embedded systems, kernel hacking, security, and much
more. FOSS.IN,
in other words, is working toward being a world-class free software
conference.
This conference is certainly taken seriously within India. The
Visvesvaraya Technological University (the leading technical university in
the state of Karnataka) has sent out a letter to over 100
engineering colleges asking them to urge their students to attend FOSS.IN.
As it grows to become one of the largest technical free software events
anywhere, FOSS.IN is increasingly going for world-wide respect.
That notwithstanding, the conference organizers have also consented to let
LWN editor Jonathan Corbet speak at the event. This was an opportunity not
to be turned down, and your editor is looking forward to attending and
reporting from FOSS.IN (even if he's a little less enthusiastic about the
24-hour travel time each way). Look for the first reports in the December 1
Weekly Edition.
(The image shown above was taken from this very nice set of
posters put together by Hari Krishnan).
LWN Weekly comes out early next week
A reminder: the (U.S.) Thanksgiving holiday is next week. LWN's editors
traditionally publish the Weekly Edition one day early on Thanksgiving
week in order to be able to go join their families and eat enough food to
last through the end of the year. We'll return to the regular schedule
the following week.
Page editor: Jonathan Corbet
Security
Some trusted computing security modules
IBM has been pushing the use of the "trusted platform module" chip found in
its laptops (and on other systems as well) for some time; see
this report from OLS 2005 for a
summary of the benefits they see from trusted computing. Now IBM's
developers have posted
a new set
of security modules which make use of the TPM to lock down a system.
The three modules are:
- The simple Linux integrity model, or SLIM. This module
associates two attributes with every process and every file: the
integrity level and the privacy level. The integrity levels are
"system," "user," and "untrusted." Any process may read or execute
any file with an equal or higher integrity level (subject to the usual
permissions). Read and execute access to lower-integrity files is
also allowed, but, as a result, the process will, itself, be demoted
to the lower level. Writing files with a higher integrity level is
not allowed. The integrity levels thus implement a form of simple,
automatic sandboxing; if a process touches untrusted resources, it
also loses trust and has a lowered ability to change things elsewhere
on the system. Network sockets, incidentally, are always considered
to have an "untrusted" integrity level.
The privacy level has four levels: public, user, user-sensitive, and
system-sensitive. Processes can read files of equal or lower
sensitivity. If, instead, a process reads a higher-sensitivity file,
its own sensitivity level is raised to match. Writing
lower-sensitivity files is not allowed. This "high watermark"
mechanism is intended to prevent the leakage of secret data to
less-trusted contexts.
- The SLIM module, like SELinux, depends on the extended attributes of
a file to make security decisions. But what if something is able to
change those attributes? The extended verification module
(EVM) is an attempt to keep that from happening. EVM creates its own
extended attribute on each file which is an HMAC hash of the file's
contents and attributes. If the file and the HMAC fail to match, EVM
will deny access to the file.
One might argue that EVM's hash is no less susceptible to tampering
than the other attributes on the file. The difference is that EVM
uses the hardware TPM module to sign the HMAC result. The TPM will
only perform this operation if it is satisfied that the proper "secure
boot" rituals have been followed, and that the integrity of the
running system has not been compromised. Since the TPM key is
specific to that particular chip, it is not possible to remove the
drive and forge HMACs on a different system. If the trusted boot
chain, starting with the BIOS, holds, there should be a high level of
assurance that the system's files and their attributes have not been
tampered with.
- The third module is the integrity measurement architecture.
LWN readers have seen IMA
before, so that discussion will not be repeated. In short, IMA is
a remote attestation feature which can provide a convincing proof that
a system is running (only) well-known, trusted versions of approved
software.
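The SLIM level rules and the EVM check described above, as a small Python model. This is an added illustration, not IBM's code or anything from the posted modules; the class and function names are made up for the example, files are plain in-memory objects, and an ordinary byte string stands in for the TPM-protected key.

```python
"""Toy model of the SLIM and EVM rules described above (not the kernel code)."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):   # larger value = more trusted
    UNTRUSTED = 0
    USER = 1
    SYSTEM = 2


class Privacy(IntEnum):     # larger value = more sensitive
    PUBLIC = 0
    USER = 1
    USER_SENSITIVE = 2
    SYSTEM_SENSITIVE = 3


@dataclass
class File:
    content: bytes
    integrity: Integrity
    privacy: Privacy
    evm: bytes = b""        # stands in for EVM's own extended attribute


@dataclass
class Process:
    integrity: Integrity
    privacy: Privacy


def evm_hmac(key: bytes, f: File) -> bytes:
    """HMAC over the file's contents and its security attributes."""
    msg = hashlib.sha256(f.content).digest() + bytes([f.integrity, f.privacy])
    return hmac.new(key, msg, hashlib.sha256).digest()


def evm_seal(key: bytes, f: File) -> None:
    f.evm = evm_hmac(key, f)


def evm_ok(key: bytes, f: File) -> bool:
    return hmac.compare_digest(f.evm, evm_hmac(key, f))


def read(key: bytes, p: Process, f: File) -> bool:
    """Read or execute f: never refused by level, but may relabel the process."""
    if not evm_ok(key, f):
        return False                              # EVM: contents/labels do not match
    p.integrity = min(p.integrity, f.integrity)   # demoted by lower-integrity data
    p.privacy = max(p.privacy, f.privacy)         # high watermark on sensitivity
    return True


def recv_network(p: Process) -> None:
    """Network sockets always count as untrusted input."""
    p.integrity = Integrity.UNTRUSTED


def write(key: bytes, p: Process, f: File, data: bytes) -> bool:
    if not evm_ok(key, f):
        return False
    if f.integrity > p.integrity:                 # no writing up in integrity
        return False
    if f.privacy < p.privacy:                     # no writing down in privacy
        return False
    f.content = data
    evm_seal(key, f)                              # assumption: allowed writes re-seal
    return True


def demo() -> dict:
    key = b"constructed-demo-key"   # assumption: stands in for the TPM-held key
    # Constructed sample files, sealed while the system is in a trusted state.
    passwd = File(b"root:x:0:0", Integrity.SYSTEM, Privacy.PUBLIC)
    download = File(b"fetched from the network", Integrity.UNTRUSTED, Privacy.PUBLIC)
    diary = File(b"secret", Integrity.USER, Privacy.USER_SENSITIVE)
    notes = File(b"", Integrity.USER, Privacy.PUBLIC)
    for f in (passwd, download, diary, notes):
        evm_seal(key, f)

    out = {}
    admin = Process(Integrity.SYSTEM, Privacy.PUBLIC)
    out["write_before"] = write(key, admin, passwd, b"root:x:0:0\n")
    read(key, admin, download)                    # touches untrusted data
    out["level_after"] = admin.integrity
    out["write_after"] = write(key, admin, passwd, b"changed")

    editor = Process(Integrity.USER, Privacy.PUBLIC)
    read(key, editor, diary)                      # privacy level raised to match
    out["leak_to_public"] = write(key, editor, notes, diary.content)

    download.integrity = Integrity.SYSTEM         # label changed without the key
    fresh = Process(Integrity.SYSTEM, Privacy.PUBLIC)
    out["forged_label_read"] = read(key, fresh, download)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```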
The IMA module was not well received when it was last posted. The
developers hope that the largest objections have been addressed, and that
the set of TPM-related modules as a whole can be considered, eventually,
for merging. Before reaching that point, however, these modules have
another obstacle to overcome: they rely on the ability to run multiple
Linux security modules in a "stacked" mode. Stacked security modules have
been a contentious issue for
some time, and that capability has never been merged. The developers claim
that the new modules will make the case for stacking, but that
conversation has yet to take place.
Security news
Discontinued SUSE Linux Distribution: 9.0
SUSE has a reminder that no security updates will be available for SUSE
Linux 9.0 after December 15, 2005. "As a consequence, the SUSE Linux
9.0 distribution directory on our ftp server ftp.suse.com has been moved
from /pub/suse/i386/9.0/ to the /pub/suse/discontinued/ directory tree
structure to free space on our mirror sites. The 9.0 directory in the
update tree /pub/suse/i386/update/9.0 will follow, as soon as all updates
have been published."
New vulnerabilities
acidlab: SQL injection
| Package(s): | acidlab | CVE #(s): | CVE-2005-3325 |
| Created: | November 14, 2005 | Updated: | November 16, 2005 |
| Description: |
Remco Verhoef has discovered a vulnerability in acidlab, Analysis
Console for Intrusion Databases, and in acidbase, Basic Analysis and
Security Engine, which can be exploited by malicious users to conduct
SQL injection attacks. |
emacs: lisp execution vulnerability
| Package(s): | emacs | CVE #(s): | CAN-2003-1232 |
| Created: | November 10, 2005 | Updated: | November 16, 2005 |
| Description: |
Version 21.2 of the EMACS editor has a vulnerability in which
text files containing Lisp code can be executed without warning
the user. Attackers can cause users to execute arbitrary code. |
flash-plugin: buffer overflow
| Package(s): | flash-plugin | CVE #(s): | CVE-2005-2628 |
| Created: | November 10, 2005 | Updated: | November 25, 2005 |
| Description: |
The Mozilla browser Macromedia Flash Player plug-in has a
buffer overflow vulnerability. A user who opens a maliciously
created Macromedia Flash file may be tricked into executing
arbitrary code. |
ftpd: remote buffer overflow
| Package(s): | ftpd | CVE #(s): | CVE-2005-3524 |
| Created: | November 14, 2005 | Updated: | November 16, 2005 |
| Description: |
A buffer overflow vulnerability has been found in the linux-ftpd-ssl
package. A command that generates an excessively long response from the
server may overrun a stack buffer. An attacker that has permission to create directories that are accessible via the FTP server could exploit this vulnerability. Successful exploitation would execute arbitrary code on the local machine with root privileges. |
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CVE-2005-3186 CVE-2005-2976 CVE-2005-2975 |
| Created: | November 15, 2005 | Updated: | March 20, 2006 |
| Description: |
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim. |
lynx: arbitrary command execution
| Package(s): | lynx | CVE #(s): | CVE-2005-2929 |
| Created: | November 14, 2005 | Updated: | December 19, 2005 |
| Description: |
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
phpsysinfo: programming errors
| Package(s): | phpsysinfo | CVE #(s): | CVE-2005-3347 CVE-2005-3348 |
| Created: | November 15, 2005 | Updated: | November 23, 2005 |
| Description: |
Christopher Kunz discovered that local variables get overwritten
unconditionally and are trusted later, which could lead to the inclusion of
arbitrary files. Christopher Kunz also discovered that user-supplied input
is used unsanitized, causing an HTTP response splitting problem. |
RAR: format string and buffer overflow
| Package(s): | rar | CVE #(s): | |
| Created: | November 14, 2005 | Updated: | November 16, 2005 |
| Description: |
Tan Chew Keong reported two vulnerabilities in RAR: a format string error
exists when displaying a diagnostic error message that informs the user of
an invalid filename in an UUE/XXE encoded file and some boundary errors in
the processing of malicious ACE archives can be exploited to cause a buffer
overflow. |
scorched3d: multiple vulnerabilities
| Package(s): | scorched3d | CVE #(s): | |
| Created: | November 15, 2005 | Updated: | August 11, 2006 |
| Description: |
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user. |
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps | CVE #(s): | CAN-2004-1170 CAN-2004-1377 |
| Created: | November 26, 2004 | Updated: | December 19, 2005 |
| Description: |
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus. |
abiword: buffer overflow
| Package(s): | abiword | CVE #(s): | CAN-2005-2964 |
| Created: | September 29, 2005 | Updated: | November 14, 2005 |
| Description: |
The RTF import module of the AbiWord word processor has a
buffer overflow vulnerability. A user can be tricked into
opening a maliciously crafted RTF file, giving the attacker
the ability to execute code with the permissions of the user. |
apache information disclosure if modssl=yes
| Package(s): | apache | CVE #(s): | CAN-2005-2700 |
| Created: | September 2, 2005 | Updated: | November 10, 2005 |
| Description: |
An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
|
awstats: command injection vulnerability
| Package(s): | awstats | CVE #(s): | CAN-2005-1527 |
| Created: | August 11, 2005 | Updated: | November 10, 2005 |
| Description: |
AWStats has a command injection vulnerability that can
be exploited by specially crafting referrer URLs that
contain Perl code. The code can then be executed with the
privileges of the web server. |
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 |
| Created: | May 17, 2005 | Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
chmlib: several vulnerabilities
| Package(s): | chmlib | CVE #(s): | CVE-2005-2659 CVE-2005-2930 CVE-2005-3318 |
| Created: | November 7, 2005 | Updated: | November 28, 2005 |
| Description: |
Several vulnerabilities have been discovered in chmlib, a library for
dealing with CHM format files. |
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CVE-2005-3239 CVE-2005-3500 CVE-2005-3501 CVE-2005-3303 |
| Created: | November 7, 2005 | Updated: | November 9, 2005 |
| Description: |
Multiple security holes were found in clamav that may allow attackers to
cause a denial of service, memory corruption and execution of arbitrary code. |
common-lisp-controller: design error
| Package(s): | common-lisp-controller | CVE #(s): | CAN-2005-2657 |
| Created: | September 14, 2005 | Updated: | November 21, 2005 |
| Description: |
François-René Rideau discovered a bug in common-lisp-controller, a
Common Lisp source and compiler manager, that allows a local user to
compile malicious code into a cache directory which is executed by
another user if that user has not used Common Lisp before.
|
cpio: directory traversal
| Package(s): | cpio | CVE #(s): | CAN-2005-1111 |
| Created: | June 20, 2005 | Updated: | December 26, 2005 |
| Description: |
There is a vulnerability in
cpio (2.6 and previous) that allows a malicious cpio file to
extract to an arbitrary directory of the attacker's choice. cpio will
extract to the path specified in the cpio file, and this path can be absolute. |
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 | Updated: | April 9, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
dia: missing input sanitizing
| Package(s): | dia | CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 | Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking a user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
elm: buffer overflow
| Package(s): | elm | CVE #(s): | CAN-2005-2665 |
| Created: | August 23, 2005 | Updated: | November 10, 2005 |
| Description: |
A buffer overflow flaw in Elm was
discovered that was triggered by viewing a mailbox containing a message
with a carefully crafted 'Expires' header. An attacker could create a
malicious message that would execute arbitrary code with the privileges of
the user who received it. |
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 | Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
enigmail: information disclosure
| Package(s): | enigmail | CVE #(s): | CVE-2005-3256 |
| Created: | October 20, 2005 | Updated: | December 13, 2005 |
| Description: |
The key selection dialog from the Mozilla Thunderbird enigmail plugin
has an information disclosure vulnerability.
A key with an empty user id from a user's keyring will be used by
default, allowing a message to be decrypted. This can lead to an
unauthorized information disclosure. |
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 |
| Created: | January 21, 2005 | Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
ethereal: multiple vulnerabilities
evolution: format string issues
fetchmailconf: insecure file creation
| Package(s): | fetchmail | CVE #(s): | CVE-2005-3088 |
| Created: | October 26, 2005 | Updated: | November 22, 2005 |
| Description: |
The fetchmailconf utility can create files which are world-readable for a brief period. These files may contain passwords, and thus should not be created in this manner.
|
firefox: multiple vulnerabilities
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 | Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
gaim: buffer overflow
| Package(s): | gaim | CVE #(s): | CAN-2005-2103 |
| Created: | August 10, 2005 | Updated: | February 27, 2006 |
| Description: |
Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 |
| Created: | May 20, 2005 | Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CAN-2005-0891 |
| Created: | March 30, 2005 | Updated: | December 19, 2005 |
| Description: |
The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
|
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 | Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
glibc: tempfile vulnerability in catchsegv script
| Package(s): | glibc | CVE #(s): | CAN-2004-0968 |
| Created: | October 21, 2004 | Updated: | November 14, 2005 |
| Description: |
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script. |
gpsdrive: format string vulnerability
| Package(s): | gpsdrive | CVE #(s): | CVE-2005-3523 |
| Created: | November 9, 2005 | Updated: | November 9, 2005 |
| Description: |
The gpsdrive navigation system contains a format string vulnerability which could be exploited to execute arbitrary code. |
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 | Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 | Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
horde3: design error
| Package(s): | horde3 | CVE #(s): | CVE-2005-3344 |
| Created: | November 7, 2005 | Updated: | November 9, 2005 |
| Description: |
Mike O'Connor discovered that the default installation of Horde3 on
Debian includes an administrator account without a password. Already
configured installations will not be altered by this update. |
htdig: cross site scripting
| Package(s): | htdig | CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 | Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks. |
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 | Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
kdebase: local root vulnerability
| Package(s): | kdebase | CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 | Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 | Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
kernel: multiple vulnerabilities
krb5: double-free flaw
| Package(s): | krb5 | CVE #(s): | CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689 |
| Created: | July 12, 2005 | Updated: | December 6, 2005 |
| Description: |
The krb5 authentication has a double-free flaw which may be
initiated by a remote unauthenticated attacker.
Also, a single byte heap overflow in the krb5_unparse_name() function
can lead to a denial of service and an information disclosure may
be caused by a malicious telnet server. See
this report for more
information. |
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl | CVE #(s): | CAN-2005-1349 |
| Created: | May 20, 2005 | Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl | CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 | Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious user to overwrite arbitrary files owned by the person
executing the parts of the library. |
libgadu: memory alignment bug
| Package(s): | libgadu | CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 | Updated: | June 25, 2007 |
|