Looking a Novell gift horse in the mouth
Novell's February 7 press release proclaiming its contributions to the X.org and GNOME
projects was generally well received. It is hard to disagree with better
graphics and more fun eye candy, after all. Novell's work shows that the
free software community has the potential to take the leadership on desktop
issues, and that is a good thing. Free software desktops will only take
over the world if the community can produce a desktop experience that is
truly better than the alternatives.
The issue that has come up in some quarters, however, is that of
"community." Developers in the wider GNOME community, in particular, are
feeling somewhat excluded from the process. Novell's work, to them, is not
a community development - it's a product which has emerged in complete form
from a corporate cathedral. While it is great that Novell is doing this
work, they say, wouldn't it have been better to involve the community from
the outset? Now community members are in a position of reviewing a large
drop of code that they had no part in designing, and not all of them are
happy about it.
If the words of Novell's Dan Winship are
representative of the company's position (he claims to be speaking only for
himself), Novell believes it has taken the right approach:
If we had proposed the changes on the mailing lists, it would have
started a huge discussion about what people hated about the design
("you can't make the panel menu depend on beagle!!!") and how it
should be different. And then we could have either (a) completely
ignored everyone and done it ourselves anyway, or (b) had a long
conversation about the merits of the design and then not actually
finished the code in time for NLD10.
So we did it ourselves, and now either GNOME will like what we
did, in which case, yay, free code for GNOME, or GNOME won't like
what we did, in which case, no harm no foul for GNOME, and yay,
brand differentiation for Novell.
Dan goes on to say that it simply is not possible to perform software
design in a community setting. Everything good which has ever been done in
the GNOME project has been the result of a small group's work. All big
community debates tend to do is to slow down or stop the process. "Design
by committee," says Dan, does not work.
GNOME hacker Jeff Waugh disagrees and does not want to give up on community
involvement in design:
This is a very sorry state of affairs for GNOME. But it is not only
Novell and its employees who have adopted this commons-sapping,
community-tearing, morally and intellectually lazy approach to open
design and development in GNOME.... Ultimately, this is *killing
our community*. And it must be fought.
One useful perspective in the discussion came from Alan Cox, who made a distinction between "design by
community" and "design in the community." The latter approach leaves the
bulk of the design work in the small group which is most interested in it,
but which recognizes that the community may have something to add. When
design work is taken out of the community altogether, something is lost:
If you design stuff in secret then publish it, it will have no
review of quality, no style checking, no security audit, no extra
pairs of eyes and extra brains on it. Mouths are in oversupply but
brains/eyes are not.
Jeff agreed, and went on to compare GNOME
development with how the Linux kernel is managed:
While the Linux process has its warts, there are two things it is
great at that we should mention here: First, a fairly easy to
understand technical and social leadership - decisions get
made. Second, a pretty uncompromising approach to design in the
community - it's really hard to drop a pre-cooked hairball (cat
hair *or* angel hair) into the kernel process without getting
roasted, spanked and harshly reviewed.
If, from this particular perspective, the kernel process is seen as being
more successful than GNOME, it might be worth asking why. It is indeed
true that the kernel community responds poorly to large piles of code which
appear out of the blue. Often, such code must go through substantial
revisions before it will be considered for merging - the community gets its
say in the end after all. The reiser4 experience is a good example; the
new version of the Reiser filesystem showed up in complete form, with a
request for expedited merging. Numerous problems were found with the code,
however, and reiser4 remains out of the kernel years later, even with
numerous fixes made and features removed. In the kernel space, most
developers learn, sooner or later, to involve the community early in a
project's life.
The leadership issue is worth a look as well. As Jeff pointed out, the kernel has a
relatively clear decision-making process, though it can be frustrating for
contributors to work with. Discussions tend not to go on forever because,
in one way or another, decisions get made. Instead, says Jeff, GNOME is "without coherent
leadership." He would like to see the GNOME project structure reworked so
that decisions are easier to make - though what form those changes would
take is yet to be worked out.
Another issue, raised by Havoc Pennington,
is the vision the project has for itself. The GNOME project, says Havoc,
needs to come up with a better idea of who its user community is and to not
be afraid to lose users who are outside of that community. When the
project has a clearer sense of what it is trying to do, decisions will be
easier to make. The kernel project knows what it is trying to do:
They are writing a component for use by developers, not an end-user
product. And they aren't ashamed of it and they optimize for it and
they do it well.
Havoc suggests that GNOME might want to take a similar approach: create a
series of components which can be rearranged and customized by distributors and
gadget-makers to fit their specific needs. Such an orientation would let
GNOME focus on making the best tool possible while allowing others, who are
arguably closer to the ultimate users, to make the desktop fit those users'
needs.
That leads to one of the driving forces behind this entire debate. To a
great extent, companies distributing Linux (or products incorporating
Linux) tend not to differentiate their offerings with kernel features.
Distributors do add kernel patches, but the size of those patches has gone
down considerably with the advent of the 2.6 development process. This is
an important point: the development process change has had the effect of
significantly reducing the differences between distributors' kernels. But
user interface changes are visible to all who work with a system in a way
which most kernel changes are not. Distributors will thus always have a strong
incentive to put their particular mark on the desktop and to try to have
the coolest features first. So, at best, we are likely to see more desktop
work done in relative secret until it is deemed ready to be shipped. At
worst, we could see a repeat of the highly tweaked desktops shipped during
the worst of the proprietary Unix days.
Distributors have strong reasons to differentiate their offerings, but they
also depend heavily on projects like GNOME to provide the foundation on
which they can create those offerings. Taking much of their development
semi-proprietary may help sales in the next year or so, but that could
happen at the cost of eventually tearing apart the community upon which they
depend, even if they do not necessarily respect its design guidance. If
GNOME is to remain healthy well into the future, these two forces will have
to be reconciled. The solution will likely involve a combination of project
governance changes and a more community-oriented approach by all
participating companies. This should be something the community can
achieve.
Comments (29 posted)
Easter eggs and free software
Someday, when you feel that you have been sufficiently productive for a
while, fire up the OpenOffice.org spreadsheet application. Select a cell,
and insert
=Game("StarWars") into that cell. Launch missiles at
alien creatures until you feel ready to get something useful done again.
Yes, the OpenOffice.org developers, evidently feeling that the application
had become too small and quick, decided to toss in an easter egg. Judging
from the occasional German-language popup window, this feature has been
present for quite some time. Others exist as well; happy hunting.
![[StarWars]](/images/ns/openoffice-starwars-sm.png)
Easter eggs have been present in software - free and proprietary - for many
years. Old versions of make used to respond to
"make love" with "not war?"; your editor notes with
sadness that GNU make does not retain that feature.
Easter eggs are, in general, a way for developers to express themselves, and
users generally see them as amusing, or at worst harmless.
Recently, however, an OpenOffice user complained
about the presence of the StarWars game. Free programs, he says, should
not contain hidden features like that. One of the advantages of free
software is supposed to be the lack of surprises; if you install an office
suite, that is what you should get. The hiding of games, pictures of the
developers, and other unrelated features in free software threatens to make
the whole enterprise appear to be insufficiently serious.
Others have argued that easter eggs can endanger the use of free software
in settings (like schools) where hidden games might not be welcome. This
is, they say, one Microsoft feature that we do not need to emulate. To
that end, various bug
reports have been filed asking for the removal of easter egg features.
As a counterpoint, one could argue that free software is supposed to be fun
for both its developers and its users. Those who don't want to play
"StarWars" might be well advised to install a sense of humor upgrade and
simply not invoke the feature - which, after all, one has to go looking for
in the first place. When the code police start going after easter eggs,
humorous diagnostics (the kernel still has several variants of the
"peripheral is on fire" message), or possibly offensive code comments, some
of the developers will start to think that they want to go elsewhere.
As free software development processes mature and the user base increases,
it seems likely that many of the easter eggs will disappear,
especially in the larger, more mainstream applications. Developers who are
interested in code quality and bloat will see an easy way to remove an
apparently unnecessary feature. Projects which have their own PR
departments (and, yes, such projects exist) will not welcome the sort of
attention that easter eggs bring. And those which remain may be excised by
the more business-oriented distributors. But, free software developers
being what they are, there will always be a surprise or two waiting for
those who know where to look.
Comments (22 posted)
Page editor: Jonathan Corbet
Security
crypt_blowfish
In the early days of Unix, the DES-based algorithm used to encrypt
(actually, to generate hashes from) passwords was considered to be quite
secure. Hashing a password took a significant fraction of a second, so
brute-force attacks were considered impractical. The possibility of
attacks using hardware-based DES engines was closed off by the addition of
a "salt" parameter which perturbed the algorithm slightly. All in all, the
early
crypt() authors felt pretty good about their work, to the
point that the encrypted passwords were stored in a world-readable file and
nobody worried about it.
Along came faster processors and smarter software. Simple passwords became
easy to crack with the right software (which was widely available), and the
harder passwords looked less hard all the time. So a few changes were
made, including moving the password hashes to a read-protected file and
changing to the MD5 hashing algorithm. Everything looked better for a
while. But along came faster processors and smarter software, and now MD5
passwords look rather less secure than they once did.
The attentive reader might notice a pattern here. Hashing algorithms
must be sufficiently expensive to compute that they are not susceptible to
brute-force attacks. But they cannot be so expensive that the user
community rebels. So the designers of a password hashing algorithm must
find a compromise between security from attackers and security from
aggravated users. As computers inevitably become more powerful, that
compromise must shift in favor of the attackers.
A solution to this problem was presented by Niels Provos and David Mazières
in a 1999
USENIX paper. Their conclusion was that, in order to have a
future-proof password hashing algorithm, one must be able to dial up the
computational cost of that algorithm over time. If the cost can be
provided as a parameter - and stored with the hashed password - then
password hashing can be made more expensive (in terms of CPU cycles) while
maintaining compatibility with currently-hashed passwords.
The authors implemented a version of the Blowfish algorithm with
a tweak to the key schedule generation mechanism. That code has a "cost"
parameter which controls how expensive the generation step is; a higher
cost will result in a longer key schedule generation task. Needless to
say, code checking a password must use the same cost as the code which
initially generated the hash, or the results will not match.
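The scheme Provos and Mazières describe, as an added example that is not crypt_blowfish's or OpenBSD's code: the cost and salt travel inside the hash string, verification always recomputes with the cost it finds there, and a deployment raises the cost for new hashes while old ones keep verifying until their owners log in. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for the eksblowfish key schedule (bcrypt is not in the stdlib), and the scheme tag `pbkdf2-sha256` is a hypothetical stand-in for bcrypt's `$2a$` prefix.

```python
# Added example, not crypt_blowfish's code: an adjustable-cost password hash.
# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt's eksblowfish setup, and
# the "pbkdf2-sha256" tag plays the role of the "$2a$" prefix in real bcrypt.
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "pbkdf2-sha256"      # hypothetical scheme tag (see assumption above)
MIN_COST, MAX_COST = 4, 31    # the numeric range bcrypt accepts for its cost


def _kdf(password: str, salt: bytes, cost: int) -> bytes:
    # cost is log2 of the work: each +1 doubles the iteration count, which
    # mirrors how bcrypt's cost parameter scales its key schedule generation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               1 << cost, dklen=32)


def hash_password(password: str, cost: int, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string "$scheme$cost$salt$digest" (hex fields)."""
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError(f"cost {cost} outside {MIN_COST}..{MAX_COST}")
    if salt is None:
        salt = os.urandom(16)
    digest = _kdf(password, salt, cost)
    return f"${SCHEME}${cost:02d}${salt.hex()}${digest.hex()}"


def parse_hash(stored: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored string back into (scheme, cost, salt, digest)."""
    fields = stored.split("$")
    if len(fields) != 5 or fields[0] != "":
        raise ValueError("malformed hash string")
    _, scheme, cost, salt_hex, digest_hex = fields
    return scheme, int(cost), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the cost and salt recorded in the stored string; a cost
    that differs from the one used at hashing time simply fails to match."""
    try:
        scheme, cost, salt, digest = parse_hash(stored)
    except ValueError:
        return False
    if scheme != SCHEME or not MIN_COST <= cost <= MAX_COST:
        return False
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(_kdf(password, salt, cost), digest)


def needs_rehash(stored: str, policy_cost: int) -> bool:
    """True when the stored hash was made with a lower cost than current policy."""
    return parse_hash(stored)[1] < policy_cost


def login_and_upgrade(password: str, stored: str, policy_cost: int) -> Optional[str]:
    """Verify a login; on success return the hash to keep, rehashed at
    policy_cost if the stored one is cheaper. This is how the cost is dialed
    up over time without invalidating already-hashed passwords."""
    if not verify_password(password, stored):
        return None
    if needs_rehash(stored, policy_cost):
        return hash_password(password, policy_cost)
    return stored


if __name__ == "__main__":
    pw = "correct horse battery staple"        # constructed sample password
    old = hash_password(pw, cost=10)
    print(old)
    print(verify_password(pw, old))            # True
    print(needs_rehash(old, 12))               # True
    new = login_and_upgrade(pw, old, 12)
    print(parse_hash(new)[1])                  # 12
```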
OpenBSD has used the variable-cost Blowfish code (called "bcrypt") for some
years now, but it is still relatively difficult to find on Linux systems.
Perhaps that will change with the release of crypt_blowfish 1.0, just announced by Solar
Designer. This release, being "the first mature version," comes with a
password-hashing interface and a PAM module for hooking it into Linux
systems. It should, thus, be relatively easy for distributors to add to
their configurations, as an option, at least. Making the front door to
Linux systems a little more secure has just gotten easier.
(For more information, see the
crypt_blowfish web page).
Comments (6 posted)
New vulnerabilities
ADOdb: PostgreSQL command injection
| Package(s): | adodb |
| CVE #(s): | CVE-2006-0410 |
| Created: | February 6, 2006 |
| Updated: | April 17, 2006 |
| Description: | Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host. |
Comments (none posted)
gnocatan: buffer overflow
| Package(s): | gnocatan |
| CVE #(s): | CVE-2006-0467 |
| Created: | February 3, 2006 |
| Updated: | February 7, 2006 |
| Description: | A problem has been discovered in gnocatan, the computer version of the Settlers of Catan board game, that can lead the server and other clients to exit via an assert; it therefore does not permit the execution of arbitrary code. The game has been renamed to Pioneers after the release of Debian sarge. |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-0454 |
| Created: | February 8, 2006 |
| Updated: | February 17, 2006 |
| Description: | A denial of service vulnerability has been found in the kernel ICMP code; kernel 2.6.15.3 fixes the problem. |
Comments (1 posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CVE-2005-4134, CVE-2006-0292, CVE-2006-0296 |
| Created: | February 2, 2006 |
| Updated: | May 4, 2006 |
| Description: | Mozilla has three new vulnerabilities. The JavaScript interpreter has a problem with dereferencing objects; a user can visit a specially crafted web page which can crash the browser or cause it to execute arbitrary code. The XULDocument.persist() function has a bug that can be triggered by viewing specially crafted web sites: RDF data can be injected into the localstore.rdf file, allowing arbitrary JavaScript code to be executed. The Mozilla history saving mechanism is vulnerable to a denial of service attack: visiting sites with extra-long titles can cause a crash or very slow startup the next time the browser is run. |
Comments (none posted)
OpenOffice.org: bypass security settings
| Package(s): | openoffice.org |
| CVE #(s): | CVE-2005-4636 |
| Created: | February 3, 2006 |
| Updated: | February 7, 2006 |
| Description: | OpenOffice.org 2.0 and earlier, when hyperlinks have been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings. |
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2006-0207, CVE-2006-0208 |
| Created: | February 2, 2006 |
| Updated: | March 23, 2006 |
| Description: | PHP has a response splitting vulnerability: remote attackers can inject arbitrary HTTP headers via an unknown method, possibly using a Set-Cookie header. Also, a number of cross-site scripting vulnerabilities can be used by remote attackers to inject arbitrary web scripts or HTML pages. |
Comments (none posted)
PHP: safe_mode bypass
| Package(s): | php |
| CVE #(s): | CVE-2005-3391 |
| Created: | February 8, 2006 |
| Updated: | March 10, 2006 |
| Description: | A vulnerability in the PHP GD extension (prior to version 4.4.1) can enable a remote attacker to bypass safe_mode restrictions. |
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
| CVE #(s): | CVE-2005-4667 |
| Created: | February 6, 2006 |
| Updated: | May 2, 2007 |
| Description: | A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs. |
Comments (1 posted)
xpdf: heap-based buffer overflow
| Package(s): | kpdf xpdf kdegraphics poppler |
| CVE #(s): | CVE-2006-0301 |
| Created: | February 3, 2006 |
| Updated: | March 17, 2006 |
| Description: | Another heap-based buffer overflow has been found in xpdf and other programs that share the same code. This one is in Splash.cc and it can cause crashes and possibly arbitrary code execution. |
Comments (none posted)
Updated vulnerabilities
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
| CVE #(s): | CAN-2005-2875 |
| Created: | September 19, 2005 |
| Updated: | September 6, 2006 |
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept the objects and code sent by peers without restriction. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: | Versions 1 and 2 of the Apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
Comments (none posted)
auth_ldap: format string vulnerability
| Package(s): | auth_ldap |
| CVE #(s): | CVE-2006-0150 |
| Created: | January 10, 2006 |
| Updated: | February 28, 2006 |
| Description: | The auth_ldap package is an httpd module that allows user authentication against information stored in an LDAP database. A format string flaw was found in the way auth_ldap logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if auth_ldap is used for user authentication. |
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
| CVE #(s): | CVE-2005-4470 |
| Created: | January 6, 2006 |
| Updated: | June 15, 2006 |
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack on a file while it is being decompressed, since bzip2 changes the file's permissions after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2005-4077 |
| Created: | December 8, 2005 |
| Updated: | March 27, 2006 |
| Description: | The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access. |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
| CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 |
| Updated: | April 6, 2006 |
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. |
Comments (none posted)
drupal: several vulnerabilities
| Package(s): | drupal |
| CVE #(s): | CVE-2005-3973, CVE-2005-3974, CVE-2005-3975 |
| Created: | January 27, 2006 |
| Updated: | January 31, 2006 |
| Description: | Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine. Several cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CVE-2005-3973). When running on PHP5, Drupal does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission (CVE-2005-3974). An interpretation conflict allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension (CVE-2005-3975). |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
| CVE #(s): | CVE-2005-4348 |
| Created: | December 20, 2005 |
| Updated: | May 27, 2006 |
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. |
Comments (none posted)
ffmpeg: buffer overflow
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2005-4048 |
| Created: | December 15, 2005 |
| Updated: | March 17, 2006 |
| Description: | The avcodec_default_get_buffer() function of the ffmpeg library has a buffer overflow vulnerability. A user can be tricked into playing a maliciously created PNG movie, allowing the attacker to run arbitrary code with the user's privileges. |
Comments (none posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
| CVE #(s): | CAN-2005-2103 |
| Created: | August 10, 2005 |
| Updated: | February 27, 2006 |
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
Comments (none posted)
gallery: cross-site scripting vulnerability
| Package(s): | gallery |
| CVE #(s): | |
| Created: | January 26, 2006 |
| Updated: | January 31, 2006 |
| Description: | Gallery, a web-based photo management system, has an input sanitizing problem with the user's fullname. An attacker can create a specially crafted fullname and inject script code into a victim's browser window in order to compromise the user's gallery. |
Comments (2 posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
Comments (5 posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CVE-2005-3186, CVE-2005-2976, CVE-2005-2975 |
| Created: | November 15, 2005 |
| Updated: | March 20, 2006 |
| Description: | The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim. Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: | gettext insecurely creates temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. |
Comments (1 posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
Comments (2 posted)
imagemagick: arbitrary command execution
| Package(s): | imagemagick |
| CVE #(s): | CVE-2005-4601, CVE-2006-0082 |
| Created: | January 24, 2006 |
| Updated: | March 24, 2006 |
| Description: | Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user's privileges. These vulnerabilities become particularly critical if malicious images are sent as email attachments and the email client uses imagemagick to convert/display the images (e.g. Thunderbird and Gnus). |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine. |
Comments (none posted)
ipsec-tools: denial of service
Package(s): ipsec-tools
CVE #(s): CVE-2005-3732
Created: December 1, 2005
Updated: June 8, 2006
Description:
ipsec-tools has a remote denial of service vulnerability in the racoon
daemon. If racoon is running in aggressive mode, it fails to check all
peer payloads during the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Comments (none posted)

kdebase: local root vulnerability
Package(s): kdebase
CVE #(s): CAN-2005-2494
Created: September 7, 2005
Updated: August 11, 2006
Description:
The kdebase package (and kcheckpass in particular) found in KDE versions
3.2.0 through 3.4.2 suffers from a lock file handling error which can
enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Comments (none posted)

kdelibs: heap overflow
Package(s): kdelibs
CVE #(s): CVE-2006-0019
Created: January 19, 2006
Updated: March 17, 2006
Description:
Konqueror's kjs JavaScript interpreter engine has a heap overflow
vulnerability. Specially crafted JavaScript code could be placed on
a web site, leading to arbitrary code execution.
Other KDE applications are also subject to this vulnerability.
Alerts:
Comments (none posted)

kdelibs: kate backup file permission leak
Package(s): kdelibs kate kwrite
CVE #(s): CAN-2005-1920
Created: July 19, 2005
Updated: November 27, 2006
Description:
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates
a file backup before saving a modified file. These backup files are created
with default permissions, even if the original file had more strict
permissions set. See this advisory for more information.
Alerts:
Comments (none posted)

kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2005-3356, CVE-2005-4605, CVE-2005-4618, CVE-2005-4639,
CVE-2006-0095, CVE-2006-0096
Created: January 18, 2006
Updated: March 7, 2006
Description:
The latest set of kernel vulnerabilities includes:
- A reference counting bug in sys_mq_open(), exploitable by a local user to crash the kernel. (CVE-2005-3356)
- A misuse of signed data types in /proc, potentially providing read access to random kernel memory. (CVE-2005-4605)
- An off-by-one error in sysctl(), with the potential for arbitrary code execution. (CVE-2005-4618)
- A buffer overflow in the TwinHan DST Frontend/Card DVB driver; potential code execution. (CVE-2005-4639)
- A potential key disclosure in dm-crypt. (CVE-2006-0095)
- Missing capability check could (maybe) allow arbitrary users to load new firmware into SDLA WAN cards. (CVE-2006-0096)
Alerts:
Comments (none posted)

kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2005-2709, CVE-2005-2973, CVE-2005-3055, CVE-2005-3180,
CVE-2005-3271, CVE-2005-3272, CVE-2005-3273, CVE-2005-3274, CVE-2005-3275,
CVE-2005-3276
Created: November 22, 2005
Updated: March 15, 2006
Description:
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending a "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited for a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packets. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ndigis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list was still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attac