| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for February 9, 2006
Looking a Novell gift horse in the mouth
Novell's February 7 press release proclaiming its contributions to the X.org and GNOME projects was generally well received. It is hard to disagree with better graphics and more fun eye candy, after all. Novell's work shows that the free software community has the potential to take the leadership on desktop issues, and that is a good thing. Free software desktops will only take over the world if the community can produce a desktop experience that is truly better than the alternatives.The issue that has come up in some quarters, however, is that of "community." Developers in the wider GNOME community, in particular, are feeling somewhat excluded from the process. Novell's work, to them, is not a community development - it's a product which has emerged in complete form from a corporate cathedral. While it is great that Novell is doing this work, they say, wouldn't it have been better to involve the community from the outset? Now community members are in a position of reviewing a large drop of code that they had no part in designing, and not all of them are happy about it.
If the words of Novell's Dan Winship are representative of the company's position (he claims to be speaking only for himself), Novell believes it has taken the right approach:
So we did it ourselves, and now either GNOME will like what we did, in which case, yay, free code for GNOME, or GNOME won't like what we did, in which case, no harm no foul for GNOME, and yay, brand differentiation for Novell.
Dan goes on to say that it simply is not possible to perform software design in a community setting. Everything good which has ever been done in the GNOME project has been the result of a small group's work. All big community debates tend to do is to slow down or stop the process. "Design by committee," says Dan, does not work.
GNOME hacker Jeff Waugh disagrees
does not want to give up on community
involvement in design:
One useful perspective in the discussion came from Alan Cox, who made a distinction between "design by community" and "design in the community." The latter approach leaves the bulk of the design work in the small group which is most interested in it, but which recognizes that the community may have something to add. When design work is taken out of the community altogether, something is lost:
Jeff agreed, and went on to compare GNOME development with how the Linux kernel is managed:
If, from this particular perspective, the kernel process is seen as being more successful than GNOME, it might be worth asking why. It is indeed true that the kernel community responds poorly to large piles of code which appear out of the blue. Often, such code must go through substantial revisions before it will be considered for merging - the community gets its say in the end after all. The reiser4 experience is a good example; the new version of the Reiser filesystem showed up in complete form, with a request for expedited merging. Numerous problems were found with the code, however, and reiser4 remains out of the kernel years later, even with numerous fixes made and features removed. In the kernel space, most developers learn, sooner or later, to involve the community early in a project's life.
The leadership issue is worth a look as well. As Jeff pointed out, the kernel has a relatively clear decision-making process, though it can be frustrating for contributors to work with. Discussions tend not to go on forever because, in one way or another, decisions get made. Instead, says Jeff, GNOME is "without coherent leadership." He would like to see the GNOME project structure reworked so that decisions are easier to make - though what form those changes would take is yet to be worked out.
Another issue, raised by Havoc Pennington, is the vision the project has for itself. The GNOME project, says Havoc, needs to come up with a better idea of who its user community is and to not be afraid to lose users who are outside of that community. When the project has a clearer sense of what it is trying to do, decisions will be easier to make. The kernel project knows what it is trying to do:
Havoc suggests that GNOME might want to take a similar approach: create a series of components which can be rearranged and customized by distributors and gadget-makers to fit their specific needs. Such an orientation would let GNOME focus on making the best tool possible while allowing others, who are arguably closer to the ultimate users, to make the desktop fit those users' needs.
That leads to one of the driving forces behind this entire debate. To a great extent, companies distributing Linux (or products incorporating Linux) tend not to differentiate their offerings with kernel features. Distributors do add kernel patches, but the size of those patches has gone down considerably with the advent of the 2.6 development process. This is an important point: the development process change has had the effect of significantly reducing the differences between distributors' kernels. But user interface changes are visible to all who work with a system in a way which most kernel changes are not. Distributors will thus always have a strong incentive to put their particular mark on the desktop and to try to have the coolest features first. So, at best, we are likely to see more desktop work done in relative secret until it is deemed ready to be shipped. At worst, we could see a repeat of the highly tweaked desktops shipped during the worst of the proprietary Unix days.
Distributors have strong reasons to differentiate their offerings, but they also depend heavily on projects like GNOME to provide the foundation on which they can create those offerings. Taking much of their development semi-proprietary may help sales in the next year or so, but that could happen at the cost of eventually tearing apart the community upon which they depend, even if they do not necessarily respect its design guidance. If GNOME is to remain healthy well into the future, these two forces will have to be reconciled. The solution will likely involve a combination of project governance changes and a more community-oriented approach by all participating companies. This should be something the community can achieve.
Easter eggs and free software
Someday, when you feel that you have been sufficiently productive for a while, fire up the OpenOffice.org spreadsheet application. Select a cell, and insert =Game("StarWars") into that cell. Launch missiles at alien creatures until you feel ready to get something useful done again. Yes, the OpenOffice.org developers, evidently feeling that the application![[StarWars]](/images/ns/openoffice-starwars-sm.png)
had become too small and quick, decided to toss in an easter egg. Judging
from the occasional German-language popup window, this feature has been
present for quite some time. Others exist as well, happy hunting.
Easter eggs have been present in software - free and proprietary - for many years. Old versions of make used to respond to "make love" with "not war?"; your editor notes with sadness that GNU make does not retain that feature. In general, easter eggs are a way for developers to express themselves, and are generally seen by users as amusing, or harmless at the worst. Recently, however, an OpenOffice user complained about the presence of the StarWars game. Free programs, he says, should not contain hidden features like that. One of the advantages of free software is supposed to be the lack of surprises; if you install an office suite, that is what you should get. The hiding of games, pictures of the developers, and other unrelated features in free software threatens to make the whole enterprise appear to be insufficiently serious.
Others have argued that easter eggs can endanger the use of free software in settings (like schools) where hidden games might not be welcome. This is, they say, one Microsoft feature that we do not need to emulate. To that end, various bug reports have been filed asking for the removal of easter egg features.
As a counterpoint, one could argue that free software is supposed to be fun for both its developers and its users. Those who don't want to play "StarWars" might be well advised to install a sense of humor upgrade and simply not invoke the feature - which, after all, one has to go looking for in the first place. When the code police start going after easter eggs, humorous diagnostics (the kernel still has several variants of the "peripheral is on fire" message), or possibly offensive code comments, some of the developers will start to think that they want to go elsewhere.
As free software development processes mature and the user base increases, it seems likely that many of the easter eggs are likely to disappear, especially in the larger, more mainstream applications. Developers who are interested in code quality and bloat will see an easy way to remove an apparently unnecessary feature. Projects which have their own PR departments (and, yes, such projects exist) will not welcome the sort of attention that easter eggs bring. And those which remain may be excised by the more business-oriented distributors. But, free software developers being what they are, there will always be a surprise or two waiting for those who know where to look.
Page editor: Jonathan Corbet
Security
crypt_blowfish
In the early days of Unix, the DES-based algorithm used to encrypt (actually, to generate hashes from) passwords was considered to be quite secure. Hashing a password took a significant fraction of a second, so brute-force attacks were considered impractical. The possibility of attacks using hardware-based DES engines was closed off by the addition of a "salt" parameter which perturbed the algorithm slightly. All in all, the early crypt() authors felt pretty good about their work, to the point that the encrypted passwords were stored in a world-readable file and nobody worried about it.Along came faster processors and smarter software. Simple passwords became easy to crack with the right software (which was widely available), and the harder passwords looked less hard all the time. So a few changes were made, including moving the password hashes to a read-protected file and changing to the MD5 hashing algorithm. Everything looked better for a while. But along came faster processors and smarter software, and now MD5 passwords look rather less secure than they once did.
The attentive reader might notice a pattern here. Hashing algorithms must be sufficiently expensive to compute that they are not susceptible to brute-force attacks. But they cannot be so expensive that the user community rebels. So the designers of a password hashing algorithm must find a compromise between security from attackers and security from aggravated users. As computers inevitably become more powerful, that compromise must shift in favor of the attackers.
A solution to this problem was presented by Niels Provos and David Mazières in a 1999 USENIX paper. Their conclusion was that, in order to have a future-proof password hashing algorithm, one must be able to dial up the computational cost of that algorithm over time. If the cost can be provided as a parameter - and stored with the hashed password - then password hashing can be made more expensive (in terms of CPU cycles) while maintaining compatibility with currently-hashed passwords.
The authors implemented a version of the Blowfish algorithm with a tweak to the key schedule generation mechanism. That code has a "cost" parameter which controls how expensive the generation step is; a higher cost will result in a longer key schedule generation task. Needless to say, code checking a password must use the same cost as the code which initially generated the hash, or the results will not match.
OpenBSD has used the variable-cost Blowfish code (called "bcrypt") for some years now, but it is still relatively difficult to find on Linux systems. Perhaps that will change with the release of crypt_blowfish 1.0, just announced by Solar Designer. This release, being "the first mature version," comes with a password-hashing interface and a PAM module for hooking it into Linux systems. It should, thus, be relatively easy for distributors to add to their configurations, as an option, at least. Making the front door to Linux systems a little more secure has just gotten easier.
(For more information, see the crypt_blowfish web page).
New vulnerabilities
ADOdb: PostgresSQL command injection
| Package(s): | adodb | CVE #(s): | CVE-2006-0410 | |||||||||||||||
| Created: | February 6, 2006 | Updated: | April 17, 2006 | |||||||||||||||
| Description: | Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gnocatan: buffer overflow
| Package(s): | gnocatan | CVE #(s): | CVE-2006-0467 | |||
| Created: | February 3, 2006 | Updated: | February 7, 2006 | |||
| Description: | A problem has been discovered in gnocatan, the computer version of the settlers of Catan boardgame, that can lead the server and other clients to exit via an assert, and hence does not permit the execution of arbitrary code. The game has been renamed into Pioneers after the release of Debian sarge. | |||||
| Alerts: |
| |||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2006-0454 | |||||||||||||||
| Created: | February 8, 2006 | Updated: | February 17, 2006 | |||||||||||||||
| Description: | A denial of service vulnerability has been found in the kernel ICMP code; kernel 2.6.15.3 fixes the problem. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mozilla: multiple vulnerabilities
| Package(s): | mozilla | CVE #(s): | CVE-2005-4134 CVE-2006-0292 CVE-2006-0296 | |||||||||||||||||||||||||||
| Created: | February 2, 2006 | Updated: | May 4, 2006 | |||||||||||||||||||||||||||
| Description: | Mozilla has three new vulnerabilities.
The Javascript interpreter has a problem with
dereferencing objects. A user can visit a specially crafted web page
which can crash the browser or cause it to execute arbitrary code. The XULDocument.persist() function has a bug that can be triggered by viewing specially crafted web sites, RDF data can be injected into the localstore.rdf file, allowing arbitrary javascript code to be executed. The Mozilla history saving mechanism is vulnerable to a denial of service attack, visiting sites with extra-long titles can cause a crash or very slow startup the next time the browser is run. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
OpenOffice.org: bypass security settings
| Package(s): | openoffice.org | CVE #(s): | CVE-2005-4636 | |||
| Created: | February 3, 2006 | Updated: | February 7, 2006 | |||
| Description: | OpenOffice.org 2.0 and earlier, when hyperlinks has been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings. | |||||
| Alerts: |
| |||||
php: multiple vulnerabilities
| Package(s): | php | CVE #(s): | CVE-2006-0207 CVE-2006-0208 | |||||||||
| Created: | February 2, 2006 | Updated: | March 23, 2006 | |||||||||
| Description: | PHP has a response splitting vulnerability, remote attackers can inject arbitrary HTTP headers via an unknown method, possibly using a Set-Cookie header. Also, a number of cross-site scripting vulnerabilities can be used by remote attackers to inject arbitrary web scripts or html pages. | |||||||||||
| Alerts: |
| |||||||||||
PHP: safe_mode bypass
| Package(s): | php | CVE #(s): | CVE-2005-3391 | |||||||||
| Created: | February 8, 2006 | Updated: | March 10, 2006 | |||||||||
| Description: | A vulnerability in the PHP GD extension (prior to version 4.4.1) can enable a remote attacker to bypass safe_mode restrictions. | |||||||||||
| Alerts: |
| |||||||||||
unzip: long file name buffer overflow
| Package(s): | unzip | CVE #(s): | CVE-2005-4667 | |||||||||||||||||||||
| Created: | February 6, 2006 | Updated: | May 2, 2007 | |||||||||||||||||||||
| Description: | A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
xpdf heap based buffer overflow
| Package(s): | kpdf xpdf kdegraphics poppler | CVE #(s): | CVE-2006-0301 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 3, 2006 | Updated: | March 17, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Another heap based buffer overflow has been found in xpdf and other programs that share the same code. This one is in Splash.cc and it can cause crashes and possibly arbitrary code execution. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Updated vulnerabilities
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play | CVE #(s): | CAN-2005-2875 | |||||||||
| Created: | September 19, 2005 | Updated: | September 6, 2006 | |||||||||
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. | |||||||||||
| Alerts: |
| |||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2005-3352 | |||||||||||||||||||||||||||||||||
| Created: | December 14, 2005 | Updated: | May 10, 2006 | |||||||||||||||||||||||||||||||||
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
auth_ldap: format string vulnerability
| Package(s): | auth_ldap | CVE #(s): | CVE-2006-0150 | ||||||||||||
| Created: | January 10, 2006 | Updated: | February 28, 2006 | ||||||||||||
| Description: | The auth_ldap package is an httpd module that allows user authentication against information stored in an LDAP database. A format string flaw was found in the way auth_ldap logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if auth_ldap is used for user authentication. | ||||||||||||||
| Alerts: |
| ||||||||||||||
blender: integer overflow
| Package(s): | blender | CVE #(s): | CVE-2005-4470 | |||||||||||||||
| Created: | January 6, 2006 | Updated: | June 15, 2006 | |||||||||||||||
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ktools: buffer overflow
| Package(s): | centericq | CVE #(s): | CVE-2005-3863 | |||||||||||||||
| Created: | December 7, 2005 | Updated: | August 29, 2006 | |||||||||||||||
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
cpio: arbitrary code execution
| Package(s): | cpio | CVE #(s): | CVE-2005-4268 | |||||||||
| Created: | January 2, 2006 | Updated: | May 8, 2007 | |||||||||
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). | |||||||||||
| Alerts: |
| |||||||||||
curl: buffer overflow
| Package(s): | curl | CVE #(s): | CVE-2005-4077 | |||||||||||||||||||||||||||||||||||||||
| Created: | December 8, 2005 | Updated: | March 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 | |||||||||||||||||||||||||||
| Created: | February 23, 2005 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
dia: missing input sanitizing
| Package(s): | dia | CVE #(s): | CAN-2005-2966 | ||||||||||||||||||
| Created: | October 4, 2005 | Updated: | April 6, 2006 | ||||||||||||||||||
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
drupal: several vulnerabilities
| Package(s): | drupal | CVE #(s): | CVE-2005-3973 CVE-2005-3974 CVE-2005-3975 | |||
| Created: | January 27, 2006 | Updated: | January 31, 2006 | |||
| Description: | Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine. Several cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CVE-2005-3973). When running on PHP5, Drupal does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission (CVE-2005-3974). An interpretation conflict allows remote authenticated users to inject arbitrary web script or HTML via HTML in a file with a GIF or JPEG file extension (CVE-2005-3975). | |||||
| Alerts: |
| |||||
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 7, 2005 | Updated: | May 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
evolution: format string issues
| Package(s): | evolution | CVE #(s): | CAN-2005-2549 CAN-2005-2550 | |||||||||||||||||||||
| Created: | August 15, 2005 | Updated: | March 23, 2006 | |||||||||||||||||||||
| Description: | Evolution has format string issues. SITIC advisory SA05-001 contains more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
fetchmail: multidrop bug
| Package(s): | fetchmail | CVE #(s): | CVE-2005-4348 | ||||||||||||||||||||||||
| Created: | December 20, 2005 | Updated: | May 27, 2006 | ||||||||||||||||||||||||
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ffmpeg: buffer overflow
| Package(s): | ffmpeg | CVE #(s): | CVE-2005-4048 | |||||||||||||||||||||||||||||||||||||||
| Created: | December 15, 2005 | Updated: | March 17, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | The avcodec_default_get_buffer() function of the ffmpeg library has a buffer overflow vulnerability. A user can be tricked into playing a maliciously created PNG movie, allowing the attacker to run arbitrary code with the user's privileges. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 22, 2005 | Updated: | February 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
gaim: buffer overflow
| Package(s): | gaim | CVE #(s): | CAN-2005-2103 | ||||||||||||||||||||||||
| Created: | August 10, 2005 | Updated: | February 27, 2006 | ||||||||||||||||||||||||
| Description: | Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gallery: cross-site scripting vulnerability
| Package(s): | gallery | CVE #(s): | ||||
| Created: | January 26, 2006 | Updated: | January 31, 2006 | |||
| Description: | Gallery, a web-based photo management system, has an input sanitizing problem with the user's fullname. An attacker can create a specially crafted fullname and inject script code into a victim's browser window in order to compromise the user's gallery. | |||||
| Alerts: |
| |||||
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 20, 2005 | Updated: | August 11, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 | CVE #(s): | CVE-2005-3186 CVE-2005-2976 CVE-2005-2975 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | November 15, 2005 | Updated: | March 20, 2006 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
gettext: Insecure temporary file handling
| Package(s): | gettext | CVE #(s): | CAN-2004-0966 | ||||||||||||||||||
| Created: | October 11, 2004 | Updated: | March 1, 2006 | ||||||||||||||||||
| Description: | gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
groff: insecure temporary directory
| Package(s): | groff | CVE #(s): | CAN-2004-0969 | |||||||||
| Created: | November 1, 2004 | Updated: | February 9, 2006 | |||||||||
| Description: | Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program. | |||||||||||
| Alerts: |
| |||||||||||
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 | |||||||||||||||||||||
| Created: | August 1, 2005 | Updated: | January 9, 2007 | |||||||||||||||||||||
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
imagemagick: arbitrary command execution
| Package(s): | imagemagick | CVE #(s): | CVE-2005-4601 CVE-2006-0082 | |||||||||||||||||||||||||||
| Created: | January 24, 2006 | Updated: | March 24, 2006 | |||||||||||||||||||||||||||
| Description: | Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user's privileges. These vulnerability become particularly critical if malicious images are sent as email attachments and the email client uses imagemagick to convert/display the images (e. g. Thunderbird and Gnus). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 | |||||||||
| Created: | February 18, 2005 | Updated: | April 9, 2006 | |||||||||
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. | |||||||||||
| Alerts: |
| |||||||||||
ipsec-tools: denial of service
| Package(s): | ipsec-tools | CVE #(s): | CVE-2005-3732 | |||||||||||||||||||||
| Created: | December 1, 2005 | Updated: | June 8, 2006 | |||||||||||||||||||||
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kdebase: local root vulnerability
| Package(s): | kdebase | CVE #(s): | CAN-2005-2494 | |||||||||||||||
| Created: | September 7, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdelibs: heap overflow
| Package(s): | kdelibs | CVE #(s): | CVE-2006-0019 | |||||||||||||||||||||||||||
| Created: | January 19, 2006 | Updated: | March 17, 2006 | |||||||||||||||||||||||||||
| Description: | Konqueror's kjs JavaScript interpreter engine has a heap overflow vulnerability. Specially crafted JavaScript code could be placed on a web site, leading to arbitrary code execution. Other kde applications are also subject to this vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 | |||||||||||||||||||||
| Created: | July 19, 2005 | Updated: | November 27, 2006 | |||||||||||||||||||||
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003 | |||||||||||||||||||||
| Created: | March 24, 2005 | Updated: | May 31, 2006 | |||||||||||||||||||||
| Description: | A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2005-3356 CVE-2005-4605 CVE-2005-4618 CVE-2005-4639 CVE-2006-0095 CVE-2006-0096 | |||||||||
| Created: | January 18, 2006 | Updated: | March 7, 2006 | |||||||||
| Description: | The latest set of kernel vulnerabilities includes:
| |||||||||||
| Alerts: |
| |||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2005-2709 CVE-2005-2973 CVE-2005-3055 CVE-2005-3180 CVE-2005-3271 CVE-2005-3272 CVE-2005-3273 CVE-2005-3274 CVE-2005-3275 CVE-2005-3276 |
| Created: | November 22, 2005 | Updated: | March 15, 2006 |
| Description: | Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the udp_v6_get_port() function. On computers which use IPv6, a local attacker could exploit this to trigger an infinite loop in the kernel. (CVE-2005-2973) Harald Welte discovered a Denial of Service vulnerability in the USB devio driver. A local attacker could exploit this by sending an "USB Request Block" (URB) and terminating the sending process before the arrival of the answer, which left an invalid pointer and caused a kernel crash. (CVE-2005-3055) Pavel Roskin discovered an information leak in the Orinoco wireless card driver. When increasing the buffer length for storing data, the buffer was not padded with zeros, which exposed a random part of the system memory to the user. (CVE-2005-3180) A resource leak has been discovered in the handling of POSIX timers in the exec() function. This could be exploited to a Denial of Service attack by a group of local users. (CVE-2005-3271) Stephen Hemminger discovered a weakness in the network bridge driver. Packets which had already been dropped by the packet filter could poison the forwarding table, which could be exploited to make the bridge forward spoofed packages. (CVE-2005-3272) David S. Miller discovered a buffer overflow in the rose_rt_ioctl() function. By calling the function with a large "ngidis" argument, a local attacker could cause a kernel crash. (CVE-2005-3273) Neil Horman discovered a race condition in the connection timer handling. This allowed a local attacker to set up an expiration handler which modified the connection list while the list still being traversed, which could result in a kernel crash. This vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274) Patrick McHardy noticed a logic error in the network address translation (NAT) connection tracker. A remote attac | ||