A 2005 retrospective
The last issue of December is traditionally a time for many publications to
look back at the past year. As we live through a year, it can be a hard
time to get a perspective on all that is happening; a review can help
develop a better understanding of what we have all experienced.
Besides, there's usually not much more to write about at the end of
December.
In past years, your editor has reviewed the predictions made at the
beginning of the year. That exercise seems a little self-indulgent this
time around. So suffice to say that some of last January's predictions have
been borne out, and others not. We'll not go through all of them here.
Starting with one which didn't work out:
your editor's prediction that 2005 would see the end of SCO
was optimistic. We have seen the end of SCO in every way that
matters; what remains, at this point, is the ghoulish exercise of watching
it all fall apart and seeing where the pieces land. Following SCO is a
waste of time at this point, a morbid and pointless exercise in the
consequences of stupid decisions. We're looking forward to every minute of
it.
Your editor's prediction that software patents would not be enacted in
Europe looked optimistic, especially in the first half of the year,
but turned out to be correct in the end. More to
the point, though: the free software community enjoyed legal victories in
almost every battle which was decided this year. No software patents, no
broadcast flag, the GPL upheld in German court, FAT patents thrown out,
etc. Next year may be tougher, but, for this year, we can all raise a
glass and toast our victories. It is not all hopeless.
Let us not forget our defeats, however. The Grokster decision holds
software developers responsible for the actions of their users - in some
situations, at least. The bnetd decision placed limits on our right to
create interoperable software. The situation is not all rosy either.
One battle which came to a head this year was open formats: as of this
writing, the state of Massachusetts is still fighting over a mandate to use
open formats in government. Open access to government documents is a clear
requirement for a free society; it seems amazing that there is even a fight
on this issue. Open formats are also a key to the desktop for free
software. This is an important issue, and the debate has barely begun.
The free software community has acquired a pool of patents of its own.
Donations - of greater or lesser freedom - came from IBM, Sun, Nokia,
Computer Associates, and others. These patents can help to prevent attacks
from competitors in the software industry - though they will do little to
deter lawyer-only patent troll firms. But a partial solution is better
than none; one might well conclude that the risk of a patent attack against
free software is, while still significant, lower than it was a year ago.
For years, we have talked about the evils of digital restrictions
management schemes and the dangers inherent in not having control over our
own systems. But we can thank SonyBMG for making these points clear to a
much larger audience. "Consumers" everywhere have seen what happens when
others claim control over their systems. People who bought CDs because it
was the right thing to do saw that they were punished for it. Their desire
to do the right thing will be much reduced - and the entertainment industry
must know it. The DRM battle is far from over, and we have a great deal of
ugliness to endure yet. But SonyBMG may have shortened the process for us
considerably.
2005 was, perhaps, the year of the foundation. A number of projects,
including Zope, Ubuntu, and OpenPKG created independent foundations to look
after their code. Red Hat also announced the creation of a Fedora
foundation, but, the better part of a year later, that foundation has yet
to materialize. The fundamental motivation behind all this founding of
foundations is easily found: software (even free software) controlled by a
single company tends to make other users nervous. The creation of an
independent foundation gives others confidence in a free software project's
future.
The free software business world continues to develop. MandrakeSoft and
Conectiva merged into Mandriva, Novell went through some difficulties but
looks like it may be pulling things together, and the flow of venture
capital toward free software businesses increased. HP claimed to have
shipped over 1 million Linux servers. It seems there really is
business to be done around free software.
Meanwhile, the code continues to get better. The list of significant
releases is far too large to review here - check the latest version of your
favorite distribution to see much of it. Our development community is
active and healthy; it is producing results that few would have thought
possible even a few years ago. Ups and downs notwithstanding, 2005 has
been a good year for the community. We can all raise a glass to that.
Comments (21 posted)
The LWN.net 2005 Linux and free software timeline
For eight years now, the editors at LWN.net have put together a timeline
highlighting the most important events of the last twelve months. As
always, it has been a busy year. Attacks against free software continued
in legislatures and the courts - but few have been successful.
Corporations began donating patents to the community, some with more
enthusiasm than others. The kernel developers improved their process - and
dealt with the abrupt loss of their source code management system. SUSE
development became more open. SonyBMG gave us all a lesson on the
importance of control over our own computers. And so on.
Most importantly, in 2005 the free software community kept on hacking. The
variety and quality of the resulting software is simply amazing. The free
software community is healthy and growing, despite the legal problems,
corporate layoffs, hardware hassles, and occasional petty internal
bickering. We are going strong.
This is version 1.0 of the 2005 timeline.
If you find any errors or remaining major omissions, please send them
to us at timeline@lwn.net; please do
not post errors or omissions as comments until after we have had a chance
to address them.
The development of the LWN.net Linux Timeline was supported by LWN
subscribers; if you like what you see, please consider subscribing to LWN.
As usual, the timeline is split up by month. One of these years, we really
will restore the "one big page" option, honest.
For the historically minded, the timelines for the previous seven years
remain available:
Thanks to the following people who have helped improve the 2005 Timeline:
Ross Combs, Bernhard Reiter, Karl Schendel, and David A. Wheeler.
Comments (3 posted)
The XGL development model
XGL is a
version of the X server built on top of the OpenGL API. Many developers
see the XGL approach as the way forward; as video hardware becomes
increasingly 3D-only, OpenGL offers a uniform way to drive that hardware.
Once an XGL server becomes available, the door will be opened for all kinds
of fast 2D and 3D applications.
As it turns out, there is a paid development team working on XGL; these
developers are hosted at Novell. This work is being funded with the
apparent idea of upgrading the free XGL server and benefiting the free
software community in general. So it is interesting to see a significant
amount of criticism of Novell's work in the desktop community.
The problem comes down to this: all of Novell's work is being done
in-house, using a private repository. The wider community knows that this
work is going on, and has some idea of what has been done, but none of the
resulting code has been seen beyond Novell. The best description of what
is happening - and the reaction to it - can be found in Aaron
Seigo's weblog. There we see that the non-Novell developers who would
like to hack on XGL are frustrated. They know that a number of problems
have already been fixed by Novell, but the code is not available. They
fear that much of the work they are doing will be duplicated by what the
Novell team does. They feel locked out, and wonder about Novell's reasons
for taking this approach.
Everybody seems to assume that Novell's work will, eventually, see the
light of day and be contributed back - though the X license does not
require that. But that release will confront the community with a large
dump of corporate code. It will not have been reviewed by anybody outside
of Novell, it may well incorporate design decisions which are not
acceptable to other developers, and it is likely to duplicate and conflict
with any work done by the rest of the community. The possibility that
Novell will hold the code until it has packaged it into a SUSE Linux
release is also somewhat annoying.
In the absence of a statement from Novell, one can only speculate on why
this approach is being taken. It is possible that Novell is just trying to
avoid dealing with developers who oppose the XGL project in the first
place. At the moment, it is almost impossible to use XGL without
proprietary drivers; developers who feel strongly about avoiding
proprietary code would thus rather take a different approach - and they
have been rather vocal about that. It is also possible that Novell is
simply looking to "get the job done" its way, without the distractions of
dealing with the community.
This situation should work out in the end, once Novell releases its code
and the process of merging begins. At that point, with luck, the X
community will have a much-improved XGL server to work with. But the
memory of having been locked out of the process will persist for some
time. One can only hope that this code release happens soon so that the
next phase can begin.
Comments (11 posted)
Two discontinued browsers
The writing has been on the wall for some time, but now it's official:
Internet Explorer on the OS X platform will go unsupported at the end
of 2005. This browser has seen no active development since 2003, but its
users were at least provided with security updates. No more; IE for the
Mac is at a dead end.
There is little that OS X users can do about this decision. IE is very
much a closed-source application, so there is no way for anybody to take
over its maintenance after Microsoft walks away. This browser is dead, and
its users have no choice but to seek alternatives; fortunately, a number of
good alternatives exist. But anybody who was truly dependent on this piece
of software is out of luck. It is always this way with proprietary
software; it can disappear out from under you at its owner's whim.
Earlier this year, the Mozilla Foundation announced that it was
discontinuing support for the Mozilla browser suite. The Foundation saw
its future in the independent Firefox and Thunderbird applications, and
felt that the time had come to move past its one-time flagship suite.
Mozilla users, of whom there are many, had little say in this decision; the
Foundation makes its own decisions on how best to pursue its goals.
But Mozilla is free software. So a group of dedicated users came together
to continue the maintenance and development of the Mozilla suite, using the
old SeaMonkey name. Mozilla/SeaMonkey is a large body of code, not
something to be taken on lightly. But the SeaMonkey hackers thought that
they could handle it.
On December 19, these hackers announced
the availability of SeaMonkey 1.0 Beta. The release includes a number of
new features, including drag-and-drop tabs, SVG support, "blazingly fast
back," and much more. It provides the full suite of tools: web browser,
email client, HTML editor, IRC chat tool, DOM inspector, and two varieties
of kitchen sink. This is the full suite, updated with the latest work from
Firefox and elsewhere. The SeaMonkey hackers would appear to be up to the
job.
And, yes, it works on OS X.
It would be hard to come up with a better example of why free software
matters. There are a great many Mozilla users who will never look at the
code, but they will still benefit from the freedom of that code. As long
as there is a sufficient interest in the community, Mozilla, in the form of
SeaMonkey, will live on. No proprietary software has such a bright future.
Comments (11 posted)
Holiday schedule
As is traditional, LWN will be taking next week off; the next Weekly
Edition will come out on January 5, 2006. We'll be posting news items
occasionally over the break, however. Best wishes for a great holiday season from
all of us here at LWN!
Comments (4 posted)
Page editor: Jonathan Corbet
Security
CAN-SPAM: mission accomplished?
LWN first
looked at the CAN-SPAM
act back in 2003. This U.S. law was an attempt to address the spam
problem through legal means. Our impression at the time was that CAN-SPAM
would do little good, and might even do harm by overriding state
legislation and legitimizing certain kinds of commercial email.
One of the provisions of this law was that the U.S. Federal Trade
Commission was required to create a report to Congress on how effective the
law is, and what improvements could be made. That report
is now
available [PDF]. The FTC went through a major investigation; among
other things, it used its compulsory powers to require nine ISPs to provide
email information. The bottom line, according to the FTC: the CAN-SPAM act
has been effective in reducing spam.
Your editor's mailbox, now receiving something over 5,000 spams/day, would
beg to differ from this conclusion. In fact, a deeper reading of the
report suggests that CAN-SPAM has not been as effective as one might expect
from reading the headlines, and that the real progress against spam has
been made elsewhere.
So what has CAN-SPAM accomplished? From the report:
First, the substantive provisions of the Act have mandated adoption of
a number of commercial email "best practices" that many legitimate
online marketers are now following. Second, the Act has provided law
enforcement agencies and ISPs with an additional tool to use when
bringing suit against spammers. The more than 50 cases brought to
date by the FTC, the Department of Justice, state Attorneys General,
and ISPs demonstrate CAN-SPAM's enforcement efficacy.
Both of these claims are probably true. And, doubtless, many LWN readers
are pleased to know that some of their incoming commercial email follows
"best practices." But the spam problem never had much to do with
"legitimate online marketers." There have been suits brought against
spammers, and that can only be helpful in the end. But even lawsuits will
only be so effective in a world filled with spammers. So one might well
wonder how to square these limited gains against this claim from the
report:
One particularly significant development since the enactment
of CAN-SPAM is that the volume of spam has begun to decrease.
MX Logic, an email filtering company, reported that during the
first eight months of 2005, spam accounted for 67 percent of
email passing through its system, a nine percent decrease from
the same period one year earlier. Some ISPs report an even
more dramatic decline. For example, America Online ("AOL")
reported that its members received 75 percent less spam in
2004 than in 2003. Studies from other countries similarly
report a decrease in the amount of spam reaching consumers'
inboxes. As the Executive Director of the Institute for Spam
and Internet Public Policy succinctly stated, "the average
inbox doesn't have that much spam anymore."
(LWN reported on the MX Logic
report last August.) A reading of the above paragraph might well lead one
to the conclusion that the battle against spam has been won, and that
CAN-SPAM did it. Anybody who deals with email in any serious way knows
that this is not the case.
What is going on - and the report recognizes this - is that anti-spam
techniques unrelated to CAN-SPAM have gotten better. The reported 75% drop
for AOL users does not mean that 75% less spam has been sent in that
direction; it does not even mean that there are 75% fewer AOL users, though
one might be tempted to reach that conclusion. The difference is that much
less spam is actually making it all the way to their mailboxes. Your
editor, too, has seen a reduction in spam reaching his inbox; spamassassin
nicely takes care of the bulk of it. But better filtering is not a solution to
the problem; it is more like sweeping it under the carpet. And, in any
case, it was not legislated by CAN-SPAM.
The report notes that a number of tactics adopted by large ISPs have
helped. These include blocking outgoing access to port 25 (which
imposes unfortunate costs on some users), rate-limiting email entering and
leaving the system, and actively disconnecting users with known-compromised
systems. Blacklisting is an effective tool; the report claims that
large ISPs are able to block 80% of spam before it ever enters their mail
server. The FTC also takes credit for helping to shut down open relays.
Another happy result, according to the FTC, is that "users have grown more
tolerant of spam." That's one way to solve the problem.
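The two ISP-side measures the report credits most, blacklisting and rate-limiting of inbound mail, are easy to picture as code. The following is an added example written for this page, not anything from the FTC report or from any ISP; it runs a constructed stream of inbound SMTP connection records through a local blacklist (standing in for a DNSBL answer) and a sliding-window rate limiter per source address. The addresses, thresholds and window size are all constructed for illustration.

```python
"""Added example: ISP-side ingress filtering (blacklist + per-source rate limit)
over a constructed stream of SMTP connection records.  Nothing here is from
the LWN article or the FTC report; addresses and limits are made up."""
import ipaddress
from collections import defaultdict, deque

# Constructed blacklist standing in for a DNSBL answer set (assumption).
BLACKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]

# Constructed policy: at most MAX_CONN connections per source within WINDOW seconds.
MAX_CONN = 3
WINDOW = 60.0


def is_blacklisted(addr: str) -> bool:
    """True if the source address falls inside any listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLACKLIST)


class RateLimiter:
    """Sliding-window counter of recent connection timestamps per source."""

    def __init__(self, max_conn=MAX_CONN, window=WINDOW):
        self.max_conn = max_conn
        self.window = window
        self.seen = defaultdict(deque)

    def allow(self, addr: str, ts: float) -> bool:
        q = self.seen[addr]
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_conn:
            return False
        q.append(ts)
        return True


def filter_connections(records):
    """Return (timestamp, addr, decision) for each (timestamp, addr) record.
    Blacklisted sources are rejected outright; bursts beyond the limit are
    deferred (a 4xx response would let a real MTA retry later)."""
    limiter = RateLimiter()
    out = []
    for ts, addr in records:
        if is_blacklisted(addr):
            out.append((ts, addr, "reject:blacklist"))
        elif not limiter.allow(addr, ts):
            out.append((ts, addr, "defer:rate-limit"))
        else:
            out.append((ts, addr, "accept"))
    return out


# Constructed sample: one listed host, one well-behaved host, one bursting host.
SAMPLE = [
    (0.0, "192.0.2.15"),
    (1.0, "203.0.113.5"),
    (2.0, "203.0.113.9"),
    (3.0, "203.0.113.9"),
    (4.0, "203.0.113.9"),
    (5.0, "203.0.113.9"),    # fourth connection inside 60 s: deferred
    (70.0, "203.0.113.9"),   # window has slid past the burst: accepted again
]


def summarize(records=SAMPLE):
    """Count decisions, the figure an operator would chart over time."""
    counts = defaultdict(int)
    for _, _, decision in filter_connections(records):
        counts[decision] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in filter_connections(SAMPLE):
        print(*row)
    print(summarize())
```

The deferral rather than rejection of over-limit sources is the design choice that keeps a legitimate but busy sender from losing mail, which matters because, as the article notes, these blunt measures impose costs on some users.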
For the future, the report notes an increase in phishing mail, as well as
in spam containing malware. There are a few recommendations; one of those
is the adoption of SenderID or some other sort of email authentication
mechanism. The FTC would like to see the "US SAFE WEB Act" passed; this
law would make it easier for the FTC to share information with agencies of
other governments. It would also empower the FTC to compel information
from ISPs and others while requiring confidentiality - an extension of
governmental power which, given recent disclosures in the U.S., may not be
entirely welcome. In fact, this recommendation, along with the agency's
desire for email authentication and more rigorous requirements for WHOIS
information, leads to the question of just how badly we want governments to
"solve" the spam problem for us. Given that the most effective techniques
we have so far did not come from governments, perhaps it's time to
recognize that the solutions lie elsewhere.
Comments (4 posted)
New vulnerabilities
dropbear: buffer overflow
| Package(s): | dropbear |
| CVE #(s): | CVE-2005-4178 |
| Created: | December 19, 2005 |
| Updated: | December 23, 2005 |
| Description: | A buffer overflow has been discovered in dropbear, a lightweight SSH2 server and client, that may allow authenticated users to execute arbitrary code as the server user (usually root). |
| Alerts: | |
Comments (none posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
| CVE #(s): | CVE-2005-4348 |
| Created: | December 20, 2005 |
| Updated: | May 27, 2006 |
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. |
| Alerts: | |
Comments (none posted)
ffmpeg: buffer overflow
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2005-4048 |
| Created: | December 15, 2005 |
| Updated: | March 17, 2006 |
| Description: | The avcodec_default_get_buffer() function of the ffmpeg library has a buffer overflow vulnerability. A user can be tricked into playing a maliciously created PNG movie, allowing the attacker to run arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
openldap: RUNPATH issues
| Package(s): | openldap |
| CVE #(s): | |
| Created: | December 15, 2005 |
| Updated: | December 21, 2005 |
| Description: | OpenLDAP and Gauche have a vulnerability involving the library search path list. A local attacker who belongs to the portage group can create a shared object in the Portage temporary build directory, allowing an unauthorized privilege escalation. |
| Alerts: | |
Comments (none posted)
Opera: arbitrary code execution
| Package(s): | opera |
| CVE #(s): | CVE-2005-3750 |
| Created: | December 19, 2005 |
| Updated: | December 21, 2005 |
| Description: | Opera before 8.51 allows remote attackers to execute arbitrary code via shell metacharacters (backticks) in a URL that another product provides in a command line argument when launching Opera. See the Opera 8.51 changelog for details. |
| Alerts: | |
Comments (none posted)
otrs: multiple vulnerabilities
| Package(s): | otrs |
| CVE #(s): | CVE-2005-3893, CVE-2005-3894, CVE-2005-3895 |
| Created: | December 16, 2005 |
| Updated: | February 15, 2006 |
| Description: | Several vulnerabilities were discovered in the CMS system OTRS. Multiple SQL injection vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3; multiple cross-site scripting vulnerabilities in index.pl in Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3; and Open Ticket Request System (OTRS) 1.0.0 through 1.3.2 and 2.0.0 through 2.0.3, when AttachmentDownloadType is set to inline, renders text/html e-mail attachments as HTML in the browser when the queue moderator attempts to download the attachment. |
| Alerts: | |
Comments (none posted)
redhat-config-nfs: incorrect permissions
| Package(s): | redhat-config-nfs |
| CVE #(s): | CVE-2004-0750 |
| Created: | December 19, 2005 |
| Updated: | December 21, 2005 |
| Description: | John Buswell discovered a flaw in redhat-config-nfs that could lead to incorrect permissions on exported shares when exporting to multiple hosts. This could cause an option such as "all_squash" to not be applied to all of the listed hosts. |
| Alerts: | |
Comments (none posted)
sudo: vulnerability via scripts
| Package(s): | sudo |
| CVE #(s): | CAN-2005-4158, CVE-2006-0151 |
| Created: | December 16, 2005 |
| Updated: | September 1, 2006 |
| Description: | Perl and Python scripts run via Sudo can be subverted. |
| Alerts: | |
Comments (none posted)
udev: insecure files in /dev/input
| Package(s): | udev |
| CVE #(s): | CVE-2005-3631 |
| Created: | December 20, 2005 |
| Updated: | February 28, 2006 |
| Description: | Richard Cunningham discovered a flaw in the way udev sets permissions on various files in /dev/input. It may be possible for an authenticated attacker to gather sensitive data entered by a user at the console, such as passwords. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
a2ps: input validation error
| Package(s): | a2ps |
| CVE #(s): | CAN-2004-1170, CAN-2004-1377 |
| Created: | November 26, 2004 |
| Updated: | December 19, 2005 |
| Description: | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus. |
| Alerts: | |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: | |
Comments (none posted)
apache2: memory leak
| Package(s): | apache2 |
| CVE #(s): | CVE-2005-2970 |
| Created: | December 6, 2005 |
| Updated: | December 19, 2005 |
| Description: | A memory leak was found in the Apache 2 'worker' module in the handling of aborted TCP connections. By repeatedly triggering this situation, a remote attacker could drain all available memory, eventually leading to a denial of service. |
| Alerts: | |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
courier: unauthorized access
| Package(s): | courier |
| CVE #(s): | CVE-2005-3532 |
| Created: | December 8, 2005 |
| Updated: | December 14, 2005 |
| Description: | The Courier mail server's courier-authdaemon can grant access to deactivated accounts, allowing for unauthorized access to information. |
| Alerts: | |
Comments (none posted)
cpio: directory traversal
| Package(s): | cpio |
| CVE #(s): | CAN-2005-1111 |
| Created: | June 20, 2005 |
| Updated: | December 26, 2005 |
| Description: | There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attacker's choice. cpio will extract to the path specified in the cpio file; this path can be absolute. |
| Alerts: | |
Comments (1 posted)
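The cpio entry describes the archive directory-traversal class: an extractor that writes to whatever path the archive names, absolute or climbing out with "..". The check below is an added example written for this page, not cpio's own code; it resolves each member name against the destination directory and refuses anything that would land outside it. The member names and the destination directory are constructed.

```python
"""Added example, not cpio's own code: the path check an archive extractor
needs before writing a member, covering the absolute-path case from the cpio
entry and the related "../" and pre-existing-symlink cases.  Member names
are constructed."""
import os
import posixpath


class UnsafeMemberPath(ValueError):
    """Raised for a member that would be written outside the destination."""


def resolve_member(dest_dir: str, member: str) -> str:
    """Return the absolute on-disk path for an archive member, or raise
    UnsafeMemberPath if the member would land outside dest_dir."""
    if not member or member.startswith("/") or "\0" in member:
        raise UnsafeMemberPath(member)
    # Normalize "./" and "a/../b" in archive (POSIX) syntax first.
    norm = posixpath.normpath(member)
    if norm == ".." or norm.startswith("../"):
        raise UnsafeMemberPath(member)
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *norm.split("/")))
    # realpath also follows symlinks already present under dest_dir, so a
    # member "link/x" where "link" points elsewhere is caught here too.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeMemberPath(member)
    return target


def classify(dest_dir: str, members):
    """Label each member name as safe or unsafe for extraction under dest_dir."""
    result = {}
    for m in members:
        try:
            resolve_member(dest_dir, m)
            result[m] = "safe"
        except UnsafeMemberPath:
            result[m] = "unsafe"
    return result


# Constructed member names exercising each case.
SAMPLE_MEMBERS = [
    "etc/app.conf",          # ordinary relative member
    "./bin/tool",            # leading "./" is harmless
    "/etc/passwd",           # absolute path, the cpio case
    "../../etc/cron.d/job",  # climbs out of the destination
    "a/../../b",             # normalizes to ../b
    "a/./b/../c",            # normalizes to a/c, which is fine
]

if __name__ == "__main__":
    for name, verdict in classify("/tmp/extract-demo", SAMPLE_MEMBERS).items():
        print(f"{verdict:6} {name}")
```

Resolving with realpath on both sides, rather than comparing the raw strings, is what makes the check hold when the destination itself is reached through a symlink or when an earlier member planted one.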
curl: buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2005-4077 |
| Created: | December 8, 2005 |
| Updated: | March 27, 2006 |
| Description: | The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
| CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 |
| Updated: | April 6, 2006 |
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
ethereal: buffer overflow
| Package(s): | ethereal |
| CVE #(s): | CVE-2005-3651 |
| Created: | December 13, 2005 |
| Updated: | January 4, 2006 |
| Description: | A buffer overflow has been discovered in ethereal, a commonly used network traffic analyzer, that causes a denial of service and may potentially allow the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
ethereal: multiple vulnerabilities
Comments (none posted)
evolution: format string issues
Comments (2 posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
FUSE: mtab corruption through fusermount
| Package(s): | fuse |
| CVE #(s): | CVE-2005-3531 |
| Created: | November 22, 2005 |
| Updated: | January 24, 2006 |
| Description: | Thomas Biege discovered that fusermount fails to securely handle special characters specified in mount points. A local attacker could corrupt the contents of the /etc/mtab file by mounting over a maliciously-named directory using fusermount, potentially allowing the attacker to set unauthorized mount options. |
| Alerts: | |
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
| CVE #(s): | CAN-2005-2103 |
| Created: | August 10, 2005 |
| Updated: | February 27, 2006 |
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gtk-pixbuf, gtk2: denial of service
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CAN-2005-0891 |
| Created: | March 30, 2005 |
| Updated: | December 19, 2005 |
| Description: | The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file. |
| Alerts: | |
Comments (none posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CVE-2005-3186, CVE-2005-2976, CVE-2005-2975 |
| Created: | November 15, 2005 |
| Updated: | March 20, 2006 |
| Description: | The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim. Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
| Alerts: | |
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
| Alerts: | |

gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
| Alerts: | |

htdig: cross site scripting
| Package(s): | htdig |
| CVE #(s): | CAN-2005-0085 |
| Created: | February 14, 2005 |
| Updated: | January 10, 2006 |
| Description: |
Michael Krax discovered that ht://Dig fails to validate the 'config'
parameter before displaying an error message containing the parameter.
This flaw could allow an attacker to conduct cross-site scripting
attacks.
| Alerts: | |

imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that, if connected to by a victim, could
execute arbitrary code on the client machine.
| Alerts: | |

ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote denial of service vulnerability in the racoon
daemon. If racoon is running in aggressive mode, it fails to check all
peer payloads during the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons.
| Alerts: | |

kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
| Alerts: | |

kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
| Alerts: | |

kernel: multiple vulnerabilities
kernel: key rebinding
| Package(s): | kernel |
| CVE #(s): | CVE-2005-3257 |
| Created: | December 14, 2005 |
| Updated: | January 4, 2006 |
| Description: |
Linux kernels through 2.6.14 allow any user to rebind console keys; this can be exploited to inject commands when other users are logged in.
| Alerts: | |

kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2005-2709, CVE-2005-2973, CVE-2005-3055, CVE-2005-3180, CVE-2005-3271, CVE-2005-3272, CVE-2005-3273, CVE-2005-3274, CVE-2005-3275, CVE-2005-3276 |
| Created: | November 22, 2005 |
| Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending a "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited for a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packets. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ndigis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list was still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in the
sys_get_thread_area() function. The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276)
| Alerts: | |