"Just works with Linux"
Various discussions on the problems associated with binary-only kernel
modules have turned, sooner or later, to the same idea: the world needs a
database of hardware which "just works" with Linux. With this database,
consumers (that's us) could look up potential hardware purchases and know,
immediately, whether they would function with our Linux systems or not.
Vendors would eventually see the value of being listed in this database
and, as a result, have a greater motivation to ensure that their hardware
is supported.
It's a nice idea, but not a particularly new one. Your editor has seen a
fair number of these databases come and go over the last ten years.
Starting a "just works" database is easy, but keeping it current and
relevant is hard, for a number of reasons:
- The variety of hardware out there is huge. Simply testing and
creating entries for a meaningful subset of the available gadgets is a
major task.
- Vendors feel free to change the internal makeup of their gadgets
without telling anybody - or changing the model number. The changes
in the LinkSys WRT54G router are a recent example. This behavior
complicates the database (which must now have information on telling
working hardware from paperweights) - and its maintenance.
- Nobody can actually have all that hardware around, so information must
come from a wide community. Most of us only buy hardware
sporadically, so we tend to have little motivation to help with the
ongoing maintenance of a hardware database. Some of the information
which is contributed may also be of dubious reliability.
- Companies which might help with the maintenance of such a database
have their own incentives to deal with. Red Hat maintains a hardware
list, for example, but it (1) is small, and (2) talks
about RHEL, not about Linux in general. The company once known as
Linuxcare had the proper motivation to maintain a good list, but,
well, Linuxcare didn't weather the dotcom bust very well.
- Weird factors come into play. The BlueZ project used to have a very
nice list of working hardware, but that list
was pulled down as a result of objections from the "Bluetooth
Qualification Administrator."
Any future attempt to build a Linux hardware compatibility database will
have to find a way to overcome the problems listed above. The task is not
impossible, but it may well be beyond what a volunteer project can sustain.
It looks, instead, like the kind of work which can be helped by the
addition of a stream of money. Perhaps an industry group (OSDL, say) would
like to serve the community by taking this task on.
Meanwhile, your editor notes with dismay an increase in the number of
Linux-installed hardware vendors who are shipping systems with proprietary
drivers. Once upon a time, the purchase of a system with Linux
pre-installed was worth the extra cost just because the running Linux
instance was a positive proof that the hardware was, indeed, supported.
When these vendors ship non-free "Linux" systems, they violate that
guarantee - and destroy much of the value of their product. Unfortunately,
"buyer beware" remains necessary advice for those buying hardware to work
with Linux.
Comments (57 posted)
GStreamer to support DRM
GStreamer is an extensive
support library for the creation of multimedia applications. Audio and
video applications can be constructed as a series of pipelines; there are
graphical tools which can be used to help put all of the pieces together in
the right order. GStreamer has been used as the back end for a number of
common applications, including Totem, Amarok, Banshee, and many others.
The project recently celebrated the release of GStreamer 0.10, which
improves the system in a number of ways.
According to GStreamer hacker Christian Schaller, future releases of
GStreamer may contain a feature which is less welcome to many: digital restrictions
management (DRM) support. There are, says Mr. Schaller, clear
reasons why one might want to support DRM-enabled GStreamer modules:
Because they give you access to playback things you wouldn't
otherwise. Many music stores only offer DRM'ed WMA files for
download, and without a system supporting Windows DRM these files
are useless on your Linux system. DRM also includes stuff such as
the protection mechanism on the upcoming high-definition DVDs.
It appears that any DRM features would be packaged into separate modules,
making it easy to install a DRM-free GStreamer in the future.
Distributions could put the DRM modules into a separate package - or leave
them out entirely. So, it is claimed, the implementation of DRM in
GStreamer would not place any restrictions on current or future uses of the
system.
Some skepticism on this claim would appear to be warranted. Any DRM module
which is to gain the trust of the entertainment industry (much less avoid
DMCA suits) will have to prevent the user from capturing an unencrypted
stream. To that end, GStreamer will have to be able to create "secure
pipelines"; DRM modules will then refuse to connect to modules which cannot
be "trusted" with protected content. If GStreamer is to retain its current
power and flexibility, many of its standard modules - and certainly those
concerned with the actual playing and display of media - will have to be
reworked to participate in secure pipelines. Either that, or significant
parts of GStreamer will have to be duplicated in a "secure" mode. It
is hard to see how the entire GStreamer pipeline could be made to be secure
without affecting people who have no interest in DRM-enabled content.
There is also the obvious question of how DRM can be done securely in an
environment where source is available. Mr. Schaller points at Sun's
"Opera" project as a possible example of how things could be done, and notes:
There might be some ramifications of being free software which will
make the resulting system have conditions for use that make it
painful, like a requirement for being online when playing back as
an example, but it's definitely not impossible.
Still, anybody who can hack on the source can obtain an unencrypted stream
from a GStreamer DRM module. So it seems clear that such modules are
expected to be shipped in a binary-only mode. Even then, though, one
should remember that the Linux kernel is free software too. So even if the
GStreamer pipeline is entirely secure and uncrackable, a quick kernel hack
will still make the capturing of unrestricted streams easy. That suggests,
in turn, that the people looking to put DRM code into GStreamer envision
operating in environments where users cannot install their own kernels.
The TPM chips being put into an increasing number of computers may make
that kind of restriction possible, but the real target is probably
elsewhere: embedded systems.
The use of GStreamer to make non-hackable, Linux-based media gadgets will
be nothing new; various companies are creating such devices now. But the
incorporation of DRM capabilities into our free system seems like a step in
the wrong direction. Features like secure pipelines represent a loss of
control over our own systems - the very control that drives many of us to
use free software in the first place. So users and distributors may want
to think long and hard before allowing DRM-enabled GStreamer near their
systems.
Comments (62 posted)
GNOME v. KDE, December 2005 edition
Heated battles between supporters of the GNOME and KDE desktops are a
longstanding tradition in the free software world. This tradition has
somewhat fallen into neglect in recent years; the relicensing of the Qt
libraries took away the most readily available flame fuel. Still, one
needs to have a good desktop fight every now and then, if just for old
times' sake. It's traditional, after all.
The end of the year is approaching, and work is slowing down on a number of
fronts. The 2.6.15 kernel is well into the stabilization phase, so there
is relatively little work to be done on that front. As a result, it seems
that Linus Torvalds had a bit of spare time to engage in a nostalgic flame
exercise. In response to a question on printer configuration dialogs,
Linus made his desktop preference clear:
I personally just encourage people to switch to KDE.
This "users are idiots, and are confused by functionality"
mentality of Gnome is a disease. If you think your users are
idiots, only idiots will use it. I don't use Gnome, because in
striving to be simple, it has long since reached the point where it
simply doesn't do what I need it to do.
Those who are interested in the discussion that resulted can read the
full thread. Some of it contains language which is not necessarily
work- or family-safe.
GNOME developers often complain that their approach to user interface
design is misunderstood. But the fact is that they have, indeed, left
behind a certain subset of their user base which has grown tired of seeing
features and options disappear in the name of usability. The low point for
the de-featuring of GNOME applications was probably early in the 2.x
series, but the fact remains: GNOME does not allow things which certain
types of users want to do.
This gap is there explicitly by design; Jeff Waugh put it this way:
We're not aiming for "powerfully extensible". We're aiming for
"Just Works". Some people will hate that. Some will love
it. Personally, I'd rather have passionate users, lovers and
haters, than be average and ignored, and I think you'll find
most GNOME developers feel the same way.
Havoc Pennington also compared
the implementation of one often-requested feature (the ability to
arbitrarily rebind mouse buttons in Metacity) to selling maternity clothes
for men. One can only assume he is not implying that people who want to
rebind buttons are, in fact, pot-bellied transvestites.
Havoc notes that he has never encountered anybody wanting to rebind
mouse buttons who was not a "historical Unix user." Whether that is
because these "historical Unix users" are, in addition to possessing
questionable taste in clothing, just unusually fussy about mouse buttons,
or whether the rest of the user base simply is not used to the idea that
this sort of behavior can be changed is not clear. What is clear is that
the GNOME project has chosen to target the subset of users who are content
to have a number of user interface choices made for them as long as the
result "just works."
Flaming the GNOME developers for this decision is a mistake. There is
clearly a user base for the GNOME desktop, and who can say that it is wrong
for the GNOME developers to create a system which works for those users?
Over time, these developers may also figure out how to support both the
"just works" crowd and the small minority of dress-wearing Unix relics;
there is some evidence that this might be happening. In the mean time, the
"just works" users may become hooked on the free software experience, and,
eventually, discover the power of being able to optimize the desktop for
their own needs and workload.
But, even if GNOME truly becomes the "desktop for idiots," there are other
desktop alternatives out there, including (but not limited to) KDE. One
might well ask why we should have multiple desktop projects if their end
products are indistinguishable. Let them, instead, choose their user bases
and provide those users with the best desktop they can. If the desktops
diverge from each other, the result will be more choice for users - and
plenty of material to feed our GNOME/KDE flame war tradition well into the
future.
Comments (225 posted)
Page editor: Jonathan Corbet
Security
Community help as an attack vector
A recent IT-Director article discussed some of the reasons why small
businesses (in the author's opinion) might not want to make the jump to
free software. One of them was the following:
Technical support will involve participating in internet forums,
asking people of unknown capability for help with any problems and
trusting that what comes back is a real fix, not some means of a
malicious person gaining access to the user's system. This
haphazard way of supporting IT is unattractive, especially for
smaller businesses with limited in-house expertise.
The article goes on to say that businesses respond to this problem by
purchasing support from distributors. Paid support plans are a fine
alternative in many situations, but people who have spent much time
performing system administration have usually learned that, often, answers
from the net can be quicker and more clueful than those from the paid
providers. So the idea that community support could be used as a way to
attack a system is disconcerting.
At first, it also seems rather unlikely. One wonders where this concern
came from, given that there may not be a single case of a system having
been compromised by way of "help" provided through a community forum. As a
business sizes up the threats to its systems, malicious advice from the net
should probably appear fairly low on the list.
That said, this possibility may be worth a little thought. The phishing
problem shows that there is no shortage of people out there with an
interest in social engineering attacks. Provision of bogus advice would
not scale in the way mass phishing attacks do, but it might also fall on
more fertile ground. A system administrator with a broken system,
disgruntled users, and a pointy-haired boss breathing down his or her neck
might be inclined to follow seemingly helpful advice from the net without
thinking about it much first. In a world where software installation
instructions begin with "turn off your antivirus software," any of a number
of ill-advised suggestions might seem entirely reasonable.
So, sooner or later, some joker will probably attempt this sort of attack.
For those who are especially concerned about this possibility, here are a few
possible defenses:
- When asking for help on the net, consider using a non-work email
address. Requests from admin@big-defense-contractor.com may be more
likely to attract suspicious replies. It can only help to keep
potential attackers from knowing where the relevant systems are
located.
- Be highly suspicious of any replies which are not copied back to the
list where the question was originally asked. Hostile advice posted
to a public list will likely be spotted quickly, but there is no
public review of private mail.
- Make a point of understanding any suggested remedies before trying
them.
The above is all entirely obvious stuff, but it should be sufficient to
defend against most social engineering attacks disguised as responses to
requests for help. As is the case in many areas of security, a bit of
common sense goes a long way.
Comments (14 posted)
New vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: | |
Comments (none posted)
courier: unauthorized access
| Package(s): | courier |
| CVE #(s): | CVE-2005-3532 |
| Created: | December 8, 2005 |
| Updated: | December 14, 2005 |
| Description: | The Courier mail server's courier-authdaemon can grant access to deactivated accounts, allowing for unauthorized access to information. |
| Alerts: | |
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2005-4077 |
| Created: | December 8, 2005 |
| Updated: | March 27, 2006 |
| Description: | The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: | |
Comments (none posted)
ethereal: buffer overflow
| Package(s): | ethereal |
| CVE #(s): | CVE-2005-3651 |
| Created: | December 13, 2005 |
| Updated: | January 4, 2006 |
| Description: | A buffer overflow has been discovered in ethereal, a commonly used network traffic analyzer; it causes a denial of service and may potentially allow the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
kernel: key rebinding
| Package(s): | kernel |
| CVE #(s): | CVE-2005-3257 |
| Created: | December 14, 2005 |
| Updated: | January 4, 2006 |
| Description: | Linux kernels through 2.6.14 allow any user to rebind console keys; this opening can be exploited to inject commands when other users are logged in. |
| Alerts: | |
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
| CVE #(s): | CVE-2005-4079, CVE-2005-3665 |
| Created: | December 12, 2005 |
| Updated: | November 20, 2006 |
| Description: | Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8). |
| Alerts: | |
Comments (none posted)
poppler: arbitrary code execution
| Package(s): | poppler |
| CVE #(s): | CVE-2005-3191, CAN-2005-3193 |
| Created: | December 8, 2005 |
| Updated: | January 16, 2006 |
| Description: | The poppler PDF rendering library has a heap overflow vulnerability that can be exploited by viewing specially crafted PDF files. An attacker can cause a crash or the execution of arbitrary code. This vulnerability is related to a similar vulnerability with xpdf. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
apache2: memory leak
| Package(s): | apache2 |
| CVE #(s): | CVE-2005-2970 |
| Created: | December 6, 2005 |
| Updated: | December 19, 2005 |
| Description: | A memory leak was found in the Apache 2 'worker' module in the handling of aborted TCP connections. By repeatedly triggering this situation, a remote attacker could drain all available memory, which eventually leads to a denial of service. |
| Alerts: | |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack on the output file while it is being decompressed, since bzip2 changes that file's permissions only after decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
cpio: directory traversal
| Package(s): | cpio |
| CVE #(s): | CAN-2005-1111 |
| Created: | June 20, 2005 |
| Updated: | December 26, 2005 |
| Description: | There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice: cpio extracts to the path specified in the cpio file, and this path can be absolute. |
| Alerts: | |
Comments (1 posted)
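The cpio entry above is the archive-path class of flaw: the extractor trusts the member name it reads from the archive. The script below is an added example and not cpio's own code; it shows the checks a defender expects any extractor or wrapper to apply before writing a member: reject absolute names and any `..` component, and refuse to write through an existing symlink under the destination (an earlier member in the same archive could have created one). The function names `safe_member_path` and `safe_extract_target` are hypothetical.

```shell
#!/bin/sh
# Added example (not cpio's code): validating archive member names before
# extraction. Assumes only POSIX sh and test(1).

# Return 0 if $1 is a safe relative member path, 1 otherwise.
# Rejects empty names, absolute names ("/etc/passwd") and any ".."
# component ("usr/../../etc/passwd"). "." and empty components from
# doubled slashes are harmless and allowed.
safe_member_path() {
    _p=$1
    [ -n "$_p" ] || return 1
    case "$_p" in
        /*) return 1 ;;
    esac
    _rest=$_p
    while [ -n "$_rest" ]; do
        _comp=${_rest%%/*}            # first component
        case "$_comp" in
            ..) return 1 ;;
        esac
        case "$_rest" in
            */*) _rest=${_rest#*/} ;; # drop it and continue
            *)   _rest= ;;
        esac
    done
    return 0
}

# Return 0 and print the target path if member $2 can be written under
# destination directory $1 without passing through an existing symlink.
# A relative name is not enough on its own: if "lib" under $1 is already a
# symlink to somewhere outside, "lib/x" would escape the destination.
safe_extract_target() {
    _dest=$1
    _mem=$2
    safe_member_path "$_mem" || return 1
    _prefix=$_dest
    _rest=$_mem
    while [ -n "$_rest" ]; do
        _comp=${_rest%%/*}
        case "$_rest" in
            */*) _rest=${_rest#*/} ;;
            *)   _rest= ;;
        esac
        [ -n "$_comp" ] || continue   # skip empty component from "//"
        _prefix="$_prefix/$_comp"
        [ ! -L "$_prefix" ] || return 1
    done
    printf '%s\n' "$_dest/$_mem"
}
```

GNU cpio's `--no-absolute-filenames` option covers the absolute-name part of this in copy-in mode; the `..` and symlink checks are what a wrapper, or any other extractor, has to supply itself. Both functions only inspect names and the existing tree; they never create anything.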
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
| CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 |
| Updated: | April 6, 2006 |
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. |
| Alerts: | |
Comments (none posted)
egroupware: multiple vulnerabilities
| Package(s): | egroupware |
| CVE #(s): | CVE-2005-0870, CVE-2005-2600, CVE-2005-3347, CVE-2005-3348 |
| Created: | November 17, 2005 |
| Updated: | December 9, 2005 |
| Description: | A number of vulnerabilities have been found in egroupware, a web-based groupware suite. phpsysinfo has several cross-site scripting vulnerabilities, the tree view of the FUD Forum bulletin board software has a cross-site scripting problem, phpsysinfo has a local variable overwrite problem, and phpsysinfo has an input sanitizing issue. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enigmail: information disclosure
| Package(s): | enigmail |
| CVE #(s): | CVE-2005-3256 |
| Created: | October 20, 2005 |
| Updated: | December 13, 2005 |
| Description: | The key selection dialog from the Mozilla Thunderbird enigmail plugin has an information disclosure vulnerability. A key with an empty user id from a user's keyring will be used by default, allowing a message to be decrypted. This can lead to an unauthorized information disclosure. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
ethereal: multiple vulnerabilities
Comments (none posted)
evolution: format string issues
Comments (2 posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
FUSE: mtab corruption through fusermount
| Package(s): | fuse |
| CVE #(s): | CVE-2005-3531 |
| Created: | November 22, 2005 |
| Updated: | January 24, 2006 |
| Description: | Thomas Biege discovered that fusermount fails to securely handle special characters specified in mount points. A local attacker could corrupt the contents of the /etc/mtab file by mounting over a maliciously-named directory using fusermount, potentially allowing the attacker to set unauthorized mount options. |
| Alerts: | |
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
| CVE #(s): | CAN-2005-2103 |
| Created: | August 10, 2005 |
| Updated: | February 27, 2006 |
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2005-0891 |
| Created: | March 30, 2005 |
| Updated: | December 19, 2005 |
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. |
| Alerts: | |
Comments (none posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CVE-2005-3186, CVE-2005-2976, CVE-2005-2975 |
| Created: | November 15, 2005 |
| Updated: | March 20, 2006 |
| Description: | The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim. Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
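zgrep is a shell script, and the entry above is the shell-injection class: a file name spliced into a command string is re-parsed by the shell, so metacharacters in the name become syntax. The script below is an added example, not gzip's zgrep itself; it puts the weak construction beside the argument-vector form that fixes it. The names `weak_grep_in`, `safe_grep_in` and `safe_zgrep` are hypothetical.

```shell
#!/bin/sh
# Added example (not gzip's zgrep): passing untrusted file names to a
# command. Assumes POSIX sh, grep(1) and, for safe_zgrep, gzip(1).

# WEAK: the pattern and file name are substituted into a string that the
# shell then parses again. A file called 'log|id & x.txt' in the current
# directory turns the single grep into a pipeline plus a background job,
# and '$VAR' inside a name is expanded. Kept only for comparison.
weak_grep_in() {
    _pat=$1
    _file=$2
    eval "grep -c -- '$_pat' $_file"
}

# HARDENED: each value is one quoted argument. The shell never re-parses
# them, so '|', '&', ';', spaces and '$' in the name stay literal, and the
# leading '--' stops a name beginning with '-' from being read as an
# option. Prints the number of matching lines.
safe_grep_in() {
    _pat=$1
    _file=$2
    grep -c -- "$_pat" "$_file"
}

# The same discipline for compressed input, the case zgrep handles: gzip
# opens the named file itself and grep reads the decompressed stream, so
# the name still never passes through a command-string parser.
safe_zgrep() {
    _pat=$1
    _file=$2
    gzip -dc -- "$_file" | grep -c -- "$_pat"
}
```

The fix is the same whether the wrapper is zgrep, a backup script or a cron job: build argument vectors, never command strings, and put `--` between options and data. Where a single command line really must be constructed (for `ssh host cmd`, say), every untrusted value has to be quoted for the remote shell explicitly rather than pasted in.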
helix-player: integer overflow
| Package(s): | helix-player |
| CVE #(s): | CVE-2005-2629 |
| Created: | December 2, 2005 |
| Updated: | December 7, 2005 |
| Description: | An integer overflow has been discovered in helix-player, the helix audio and video player. This flaw could allow a remote attacker to run arbitrary code on a victim's computer by supplying a specially crafted network resource. |
| Alerts: | |
Comments (none posted)
htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: | Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks. |
| Alerts: | |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
inkscape: arbitrary code execution
| Package(s): | inkscape |
| CVE #(s): | CVE-2005-3737 |
| Created: | November 21, 2005 |
| Updated: | December 7, 2005 |
| Description: | A buffer overflow has been discovered in the SVG importer of Inkscape. By tricking a user into opening a specially crafted SVG image, this could be exploited to execute arbitrary code with the privileges of the Inkscape user. |
| Alerts: | |
Comments (none posted)
inkscape: insecure temp files
| Package(s): | inkscape |
| CVE #(s): | CVE-2005-3885 |
| Created: | December 5, 2005 |
| Updated: | December 7, 2005 |
| Description: | Javier Fernández-Sanguino Peña discovered that Inkscape's ps2epsi.sh script, which converts PostScript files to Encapsulated PostScript format, creates a temporary file in an insecure way. A local attacker could exploit this with a symlink attack to create or overwrite arbitrary files with the privileges of the user running Inkscape. |
| Alerts: | |
Comments (1 posted)
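The gettext, groff ("groffer") and Inkscape (ps2epsi.sh) entries above are all the predictable-temporary-file class: a script picks a name in a world-writable directory that another local user can guess, and a symlink planted at that name turns the script's own write into a write to whatever the link points at. The script below is an added example, not code from any of those three projects; it shows the weak idiom beside the hardened one. It assumes a `mktemp(1)` that accepts a template argument (GNU or BSD), and the names `weak_tmpfile`, `safe_tmpfile`, `safe_tmpdir` and `mode_of` are hypothetical.

```shell
#!/bin/sh
# Added example (not from gettext, groff or Inkscape): temporary files in
# shell scripts, weak form beside hardened form.

# WEAK: a name anyone can predict ($$ is the PID, visible in ps), created
# with a plain redirect. If a symlink already sits at that path the
# redirect follows it and truncates the target, with the caller's rights.
# Kept only for comparison.
weak_tmpfile() {
    _f="/tmp/example.$$"
    : > "$_f"
    printf '%s\n' "$_f"
}

# HARDENED: mktemp chooses an unpredictable name and creates the file
# atomically with O_EXCL and mode 0600, so anything pre-planted at the
# chosen path makes creation fail instead of being followed. Honour
# TMPDIR and fail closed (return 1) rather than carry on with no file.
safe_tmpfile() {
    _f=$(mktemp "${TMPDIR:-/tmp}/example.XXXXXXXX") || {
        echo "cannot create temporary file" >&2
        return 1
    }
    printf '%s\n' "$_f"
}

# HARDENED: a private 0700 directory for scripts that need several scratch
# files (the groffer case). Files inside can then use simple names because
# no other user can reach the directory. Callers should register
#   trap 'rm -rf "$dir"' EXIT INT TERM
# immediately after creation so it does not outlive the script.
safe_tmpdir() {
    _d=$(mktemp -d "${TMPDIR:-/tmp}/example.XXXXXXXX") || {
        echo "cannot create temporary directory" >&2
        return 1
    }
    printf '%s\n' "$_d"
}

# Print the octal permission bits of a path so the two forms can be
# compared (GNU stat, with a BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Two details matter beyond the call to `mktemp`: the exit status must be checked, because a script that continues with an empty name after a failure ends up writing to `/` or the current directory, and the template should live under `$TMPDIR` so that users who already point their scratch space at a private directory get the benefit automatically.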
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2005-2709, CVE-2005-2973, CVE-2005-3055, CVE-2005-3180, CVE-2005-3271, CVE-2005-3272, CVE-2005-3273, CVE-2005-3274, CVE-2005-3275, CVE-2005-3276 |
| Created: | November 22, 2005 |
| Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending a "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left a dangling pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited for a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packets. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ngidis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list was still
being traversed, which could result in a kernel crash. This
vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in the
sys_get_thread_area() function. The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276) |
Comments (2 posted)
libconvert-uulib-perl: arbitrary code execution
| Package(s): | libconvert-uulib-perl |
| CVE #(s): | CAN-2005-1349 |
| Created: | May 20, 2005 |
| Updated: | January 27, 2006 |
| Description: |
Mark Martinec and Robert Lewis discovered a buffer overflow in
Convert::UUlib (before 1.051), a Perl interface to the uulib library, which
may result in the execution of arbitrary code. |
Comments (1 posted)
libdbi-perl: insecure temporary file
| Package(s): | libdbi-perl |
| CVE #(s): | CAN-2005-0077 |
| Created: | January 25, 2005 |
| Updated: | March 2, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit Project
discovered that the DBI library, the Perl5 database interface, creates
a temporary PID file in an insecure manner. This can be exploited by a
malicious local user to overwrite arbitrary files owned by the user
running the affected parts of the library. |
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu Gadu client, an instant
messaging program), which is also included in gaim, a multi-protocol
instant messaging client. This cannot be exploited on the x86
architecture, but on others (e.g. SPARC) it can lead to a bus error,
in other words a denial of service. |
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
| CVE #(s): | CAN-2004-0990, CAN-2004-0941 |
| Created: | October 29, 2004 |
| Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP-driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code vi |