Toward a free metaverse
Second Life is one of many multiplayer
role-playing games springing up on the net. Unlike some others, Second
Life gives its players a significant amount of freedom to create their
virtual world; players also get ownership rights to their creations. The
Second Life developers have made an effort to strengthen the ties between
the virtual and real worlds; the idea of making a living in the Second Life
"metaverse" is heavily promoted. Various "real life" personalities -
Lawrence Lessig, for example - have made high-profile appearances there.
Like many such services, Second Life has built itself an infrastructure
heavily based on Linux and other free software tools. Also like many such
services, Second Life has returned that favor by providing clients for
proprietary operating systems, but not for Linux. Until recently, that
is. There is now an alpha-test Linux
client available for free download. It is still very much a
proprietary client - no source, x86-only, etc. But it is a start, at
least.
Your editor would, of course, rather be reading memory management patches
or following the interminable "bait Joerg Schilling" festival on linux-kernel.
But journalistic ethics required that time be taken out from such rewarding
activities to see how this new client works. LWN readers would expect no
less.
Alas, no joy was to be found in that direction. This client, it seems,
requires a 3D-capable graphics card. It also requires that the
proprietary driver be installed for said card. Your editor is willing to
make many sacrifices for the cause, but jumping into the world of
binary-only kernel modules was pushing things a little too far. So no
Second Life; there was real work to get done anyway.
An important thought came out of this exercise anyway. We, in the Linux
community, will certainly want to be able to participate in this sort of
virtual universe in the future. These worlds will only get more realistic,
engaging, and compelling. They will host a growing number of real-world
meetings and events. Even if we, personally, have no particular
yearnings for a second life in the virtual world, we may well end up going
there just for a chance to visit our children. So it is important that Linux
users are not excluded from this sort of experience.
Unfortunately, the lack of free drivers for contemporary video
hardware threatens to exclude us from that experience. Even those of us
who see no need for a 3D version of vi (emacs, of course, will have a full
3D Lisp mode) may have the occasional desire to dress up as some sort of furry
animal and commune with the virtual world natives. Much of
what will be interesting in the future of computing will involve
increasingly realistic interfaces - and that will require good graphics
support. If Linux does not provide that support, people will use something
else.
Assuming we will eventually get past that issue, there is another, more
important question to be answered: why, exactly, should we build our
virtual worlds on somebody else's substrate? Even if we "own" our
creations, they run on somebody else's server (which can be unplugged at any
time), use their currency (which can be degraded at any time), and are
subject to their rules (which can be changed at any time). A virtual
world which is not free is, well, not free.
Instead, the creation of a true "metaverse" should be a project which is a
natural for the free software community. A decent set of open protocols
and libraries should make it possible for interested people to set up their
own neighborhoods on their own servers and tie them all together into a
distributed - but integrated - whole. The net was built on free software,
and it has served as a platform for no end of interesting developments. If
we build our virtual worlds on free software as well, people will, beyond
doubt, create environments beyond our wildest imagination. It is hard to
see why we would want it any other way.
There are some virtual world projects out there. MUPPETS is an
academic project with an educational focus; its last release was last
July. MUPPETS appears to be a Windows-only application, however.
The Croquet project looks
like it is oriented toward people who want to get some real work done, but
it looks like it could be put to wider uses. The Open Source Metaverse Project
is an attempt to make something very much like a free Second Life. This
project appears to have stalled, however; there is still some life in its
forums, but the last development release was in August, 2004. Solipsis
is an attempt to create a true, distributed virtual world, but it is at a
very early stage. Interverse has some
nice screen shots, but the project appears to have come to a halt. Verse is a
3D-oriented network protocol associated with the Blender project; it looks
like it could be a useful component. The Virtual Object System is a collection
of projects around the 3D, virtual reality theme; it released version
0.23.0-pre1 in January. And so on.
So there are a number of projects out there, but it is not clear that any of
them has truly reached a critical mass. One
would think that such an inherently fun project would attract more
developers. Evidently free software developers have other itches to
scratch. So we may find ourselves, in the future, building our virtual
worlds on non-free platforms and hoping that the Second Life folks live up
to their hints that they might open up their protocols - in 2010.
Comments (14 posted)
On the dual-license model
When people go looking for successful free software business models, the
dual-license approach tends to turn up near the top of the list. With this
model, a company releases a software component under a copyleft-style
license so that all may make use of it. This company also offers the same
software (or, perhaps, an enhanced version of it) under a paid, commercial
license, allowing other companies to incorporate it into their products
without the need to make their own code available. This model will clearly
be most successful for software which works as a building block for larger
systems. The dual-license model has been employed by
companies like MySQL AB, Trolltech, FSMLabs, Sleepycat Software, and
others.
The dual-license model can look like the best of both worlds. The free
software community gets high-quality, supported code - and often good
documentation as well. Developers get paid for working on that code. The
company which makes all this happen gets to stay in business. That
company's customers get (1) the use of the code in their proprietary
projects, and (2) an immediate indication of what it is costing them
to keep their own code non-free.
This model is not suitable for every project, and it is not without its
disadvantages. One of the strongest of those, perhaps, is the disincentive
it presents to potential contributors. A dual-license company can only
accept contributions which it will be able to sell under its commercial
license; in practice, that implies copyright assignments or some other form
of explicit permission from each contributor. Some developers are happy to
contribute code under such conditions - those contributions
improve the free version of the package, and the developer still probably
gets much more back than he or she ever could contribute. But others are
less interested in contributing code which can be taken proprietary for
somebody else's exclusive commercial benefit.
Another potential snag in the dual-license model was highlighted this week
when Oracle announced
its acquisition of Sleepycat Software. Like Innosoft (acquired by
Oracle last year), Sleepycat provides a transactional engine for MySQL's
database offerings. MySQL gets that code under a dual-license arrangement
which, in turn, allows MySQL to include it in its own dual-license
products. The result is that Oracle now controls two important components
shipped by MySQL.
Sleepycat CEO Mike Olson says that
neither the free software community nor Sleepycat's commercial customers
should be concerned about this acquisition. But Mr. Olson spoke
a little differently after the Innosoft acquisition:
Speaking at the Open Source Business Conference, SleepyCat CEO
Michael Olson said he believes Oracle's takeover of Innobase, the
Finnish developer of InnoDB, a discrete open source transactional
database technology that ships with MySQL, is an acknowledgment of
the growing importance of open source and of MySQL in
particular. "Any attempt to disrupt a competitor is an
acknowledgement that the competitor matters," Olson said. "And I
think that acquisition was in significant part an attempt to
disrupt MySQL's business."
(Thanks to Jim Thompson for the pointer
to that article).
It is worth noting that neither acquisition can do immediate harm to the
free software community. The code which was released under a free license
remains free and cannot be taken back. The worst-case scenario would
appear to be that developers could be taken off the projects, slowing or
stopping the development of that code.
The situation might be a little more perilous for MySQL AB, however, and
its customers as well. Oracle is now in a position to change the licensing
terms for both database backends, or even to make them unavailable for
dual-licensing altogether. And that points out an important aspect of the
dual-licensing model: if you buy into the proprietary side of dual-licensed
software, you are very much in the proprietary software world. And, at
that point, you can be impacted by policy changes by your supplier - or by
their suppliers as well.
Buying proprietary access to dual-licensed software may still be the best
path for many companies. It can enable the use of high-quality,
community-reviewed software at a reasonable price. But dual-licensed
software should not be seen as free software with some commercially
inconvenient strings removed. It is proprietary software, with all the
risks that come with the proprietary model.
Comments (18 posted)
Another analyst TCO report
Yet another analyst report comparing the costs of running Linux and Windows
networks has been released. The report was funded by a corporation with a
clear interest in the outcome, but, of course, the authors claim to have
done entirely independent work. It features data collected from a number
of different companies (the way these companies were selected is not
disclosed) and from "self-selected" respondents to a web survey.
Information on the availability and cost of administrators was obtained
from "a cursory survey of resumes" from online job boards. Surprisingly
enough, the report is strongly favorable to the company which sponsored
it.
The Linux community, once again, has come together to debunk the findings
in this survey. Well, actually, maybe not. This report was sponsored by
Levanta and OSDL, and is unequivocally favorable to Linux.
Those who are interested in the details are encouraged to look at the press
release, the executive summary, or the full, 21-page, pie-chart-stuffed
report [PDF]. In essence, however, it says
this: Linux systems are cheaper to purchase and install, cheaper and more
reliable to administer, and more secure than the alternatives. Linux
administration staff can be had cheaply, and is in plentiful supply. Oh,
and if those administrators are well equipped with "sophisticated
administration tools," such as those sold by, say, Levanta, they'll be even
more efficient.
Much of what is found on these glossy pages corresponds to the experience
of those of us who have managed large networks of systems. A Linux
administrator really can manage more systems than a Windows administrator.
But the sad fact, which not all in the community seem to want to
recognize, is that this report is the same sort of subjective analyst
recycle bin fodder that the proprietary software companies crank out. We
should not invest it with a higher level of credibility than the other
offerings in its genre.
It is worth noting that this report appears to have had the
desired initial effect. The technical press has dutifully carried the
"Linux is cheaper" news. Presumably, the pointy-haired bosses who are held
to be impressed by these reports will be suitably influenced. It seems
that these analyst reports are simply part of how this game is played. People who
are trying to get some real work done on a Linux platform need a stack of
glossy paper to justify their decisions to certain levels of management. The other side is producing a
long stream of these reports; if the Linux side has no reports of its own,
it looks like it has no answer at all. So it may be a good thing that
somebody is going to the effort of producing all this paper. But we
shouldn't make the mistake of believing that reports like this one prove
anything.
Comments (4 posted)
Page editor: Jonathan Corbet
Security
A look at nmap 4.0
February 13, 2006
This article was contributed by Jake Edge.
With its first major release in nearly 2 years, Nmap has made great strides
in speed and usability. Nmap 4.00 was released on 31 January and has a very
large list of features and upgrades since the 3.50 release in February 2004.
Nmap is a "network mapper" that allows a network administrator or curious
user to discover many things about a network or host. Nmap will do host
discovery to determine which hosts are available and port scanning to
determine open ports and what services are running behind those ports.
It can also try to determine which operating system is running on a target
machine by examining the contents of packets and responses using a technique
known as TCP/IP stack fingerprinting. One of the main uses for Nmap is
security auditing a network in order to detect and possibly disable any and
all unnecessary services running on a host or network.
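Host discovery and port scanning only become an audit when the results are compared with what each host is supposed to be running. The following Python script is an added example, not code from the article or from the Nmap project: it parses Nmap's grepable output format (`-oG`) for a few constructed sample records and reports every open port that a hypothetical per-host allowlist (`ALLOWED`, an assumed site policy) does not permit. Hosts that appear in the scan but not in the policy are reported in full.

```python
"""Audit Nmap grepable output (-oG) against a per-host allowlist of services.

Added example, not code from the LWN article or from the Nmap project: it
turns the host-discovery and port-scan results the article describes into a
list of listening services that a (hypothetical) site policy does not expect.
SAMPLE_GREPABLE is constructed to follow the -oG record layout; ALLOWED is an
assumed policy, not anything Nmap produces.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of -oG output: tab-separated fields, one record per line.
SAMPLE_GREPABLE = """\
# Nmap 4.00 scan initiated (constructed sample): nmap -oG - 192.0.2.0/29
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 (db.example.test)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 6000/open/tcp//X11///\tIgnored State: closed (997)
Host: 192.0.2.12 (printer.example.test)\tStatus: Up
Host: 192.0.2.12 (printer.example.test)\tPorts: 515/open/tcp//printer///, 23/filtered/tcp//telnet///\tIgnored State: closed (998)
# Nmap done (constructed sample): 8 IP addresses (3 hosts up) scanned
"""

# Hypothetical site policy: the (port, protocol) pairs each host is expected to expose.
ALLOWED: Dict[str, Set[Tuple[int, str]]] = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.0.2.11": {(22, "tcp"), (5432, "tcp")},
    "192.0.2.12": {(515, "tcp")},
}

# One port entry: port/state/protocol/owner/service/... (remaining fields ignored).
PORT_ENTRY = re.compile(r"^(\d+)/([^/]+)/([^/]+)/[^/]*/([^/]*)/")

PortRecord = Tuple[int, str, str, str]  # (port, protocol, state, service)


def parse_grepable(text: str) -> Dict[str, List[PortRecord]]:
    """Return {ip: [(port, proto, state, service), ...]} for every Ports: record."""
    hosts: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment and summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue                       # "Status: Up" records carry no port list
        records = hosts.setdefault(ip, [])
        for item in ports_field[len("Ports:"):].split(","):
            m = PORT_ENTRY.match(item.strip())
            if m:
                records.append((int(m.group(1)), m.group(3), m.group(2), m.group(4)))
    return hosts


def unexpected_services(hosts: Dict[str, List[PortRecord]],
                        allowed: Dict[str, Set[Tuple[int, str]]]) -> List[Tuple[str, int, str, str]]:
    """Open ports the policy does not permit; a host absent from the policy is reported in full."""
    findings = []
    for ip, records in hosts.items():
        permitted = allowed.get(ip)
        for port, proto, state, service in records:
            if state != "open":
                continue                   # filtered/closed ports are not listening services
            if permitted is None or (port, proto) not in permitted:
                findings.append((ip, port, proto, service))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, proto, service in unexpected_services(parse_grepable(SAMPLE_GREPABLE), ALLOWED):
        print(f"{ip}: unexpected {service or 'unknown'} service listening on {port}/{proto}")
```

Run against real output (`nmap -oG scan.txt <targets>` on a network you administer), the same two functions give a list to act on: with the sample above, only the X11 listener on the database host is flagged, while the filtered telnet port on the printer is ignored because nothing is actually listening there.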
The feature that users are most excited about, according to
Fyodor, creator of Nmap, is status reporting which
provides real-time information on how much progress Nmap has made and an
estimated time of completion. One can get this report by pressing return
while Nmap is running; other keys will increase or decrease the verbosity
and debug levels or toggle packet tracing. This makes for a much
nicer user experience:
With Nmap 3.50, you would start a scan and Nmap would
quietly chug away for a variable amount of time (from minutes to
hours) before suddenly reporting results for a target host. ...
Staring at a screen for 30 minutes waiting for
Nmap to complete is frustrating, but when you know the time in advance
you can simply go out for lunch.
Speed and memory usage improvements in the port scanning engine were a big
focus of the improvements made since 3.50. Several functions, such as reverse
DNS lookup and UDP scans, have been parallelized, and Nmap now uses raw
Ethernet packets to do ARP requests, which speeds up host detection
significantly. The speed improvements were not readily apparent
in the relatively simple scans the author tried; they are largely geared for
scanning many thousands of ports on large numbers of hosts.
Documentation was another focus of the 4.00 effort and Fyodor has rewritten
the man page,
an install guide, and
a version detection guide.
He says:
Open source software is frequently characterized as having poor
documentation. I tried to fight that stereotype by putting a lot of
work into Nmap 4.00 docs.
Thanks to the DAG
repository, upgrading to Nmap 4.00 was painless on the (now obsolete)
Fedora Core 3
distribution. Running Nmap is fairly straightforward, but there are an
enormous number of options and ways to specify targets. Wading through
the very comprehensive man page is required to do anything very complicated,
though Nmap often seems to suggest useful options when scans fail and this
feature can be very helpful.
Nmap 4.00 looks to be a very solid release of a tool that should be on
every administrator's list of essential security tools.
Comments (5 posted)
New vulnerabilities
adzapper: denial of service
| Package(s): | adzapper |
| CVE #(s): | CVE-2006-0046 |
| Created: | February 9, 2006 |
| Updated: | February 15, 2006 |
| Description: |
If the adzapper proxy advertisement add-on is installed as a squid
plugin, it can cause high proxy host CPU resource consumption,
resulting in a denial of service. |
| Alerts: | |
Comments (none posted)
elog: multiple vulnerabilities
Comments (none posted)
gnutls: denial of service
| Package(s): | gnutls |
| CVE #(s): | CVE-2006-0645 |
| Created: | February 13, 2006 |
| Updated: | March 6, 2006 |
| Description: |
Several flaws were found in the way libtasn1 decodes DER. An attacker
could create a carefully crafted invalid X.509 certificate in such a way
that could trigger this flaw if parsed by an application that uses GNU TLS.
This could lead to a denial of service (application crash). It is not
certain if this issue could be escalated to allow arbitrary code execution. |
| Alerts: | |
Comments (none posted)
heimdal: privilege escalation
| Package(s): | heimdal |
| CVE #(s): | CVE-2006-0582 |
| Created: | February 13, 2006 |
| Updated: | March 17, 2006 |
| Description: |
A privilege escalation flaw has been found in the heimdal rsh (remote
shell) server. This allowed an authenticated attacker to overwrite
arbitrary files and gain ownership of them. |
| Alerts: | |
Comments (none posted)
kronolith: cross-site scripting
| Package(s): | kronolith |
| CVE #(s): | CVE-2005-4189 |
| Created: | February 14, 2006 |
| Updated: | February 15, 2006 |
| Description: |
Johannes Greil of SEC Consult discovered several cross-site scripting
vulnerabilities in kronolith, the Horde calendar application. |
| Alerts: | |
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-0481 |
| Created: | February 13, 2006 |
| Updated: | February 15, 2006 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: | |
Comments (1 posted)
noweb: insecure temporary file
| Package(s): | noweb |
| CVE #(s): | CVE-2005-3342 |
| Created: | February 13, 2006 |
| Updated: | February 27, 2006 |
| Description: |
Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that a script in noweb, a web like literate-programming
tool, creates a temporary file in an insecure fashion. |
| Alerts: | |
Comments (none posted)
PostgreSQL: privilege escalation
| Package(s): | postgresql |
| CVE #(s): | CVE-2006-0553 |
| Created: | February 15, 2006 |
| Updated: | February 19, 2006 |
| Description: |
From the advisory: "By issuing SET ROLE with a specially crafted argument, it is possible
for any logged-in database user to acquire the privileges of any other
database user, including superusers. Database superuser status allows
access to the machine's filesystem and hence might be used to mount
remote attacks against the rest of the server's operating system." This problem has been fixed in PostgreSQL releases 8.0.7, 7.4.12, and 7.3.14. |
| Alerts: | |
Comments (none posted)
sun-jdk: privilege escalation
Comments (none posted)
Updated vulnerabilities
ADOdb: PostgreSQL command injection
| Package(s): | adodb |
| CVE #(s): | CVE-2006-0410 |
| Created: | February 6, 2006 |
| Updated: | April 17, 2006 |
| Description: |
Andy Staudacher discovered that ADOdb does not properly sanitize all
parameters. By sending specifically crafted requests to an application
that uses ADOdb and a PostgreSQL backend, an attacker might exploit the
flaw to execute arbitrary SQL queries on the host. |
| Alerts: | |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: |
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: | |
Comments (none posted)
auth_ldap: format string vulnerability
| Package(s): | auth_ldap |
| CVE #(s): | CVE-2006-0150 |
| Created: | January 10, 2006 |
| Updated: | February 28, 2006 |
| Description: |
The auth_ldap package is an httpd module that allows user authentication
against information stored in an LDAP database. A format string flaw was
found in the way auth_ldap logs information. It may be possible for a
remote attacker to execute arbitrary code as the 'apache' user if auth_ldap
is used for user authentication. |
| Alerts: | |
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
| CVE #(s): | CVE-2005-4470 |
| Created: | January 6, 2006 |
| Updated: | June 15, 2006 |
| Description: |
Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user. |
| Alerts: | |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also, specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: | |
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2005-4077 |
| Created: | December 8, 2005 |
| Updated: | March 27, 2006 |
| Description: |
The curl file transfer utility has a buffer overflow vulnerability
in the URL authentication code. If an overly long URL is used,
a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
| CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 |
| Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking a user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
| CVE #(s): | CVE-2005-4348 |
| Created: | December 20, 2005 |
| Updated: | May 27, 2006 |
| Description: |
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode. |
| Alerts: | |
Comments (none posted)
ffmpeg: buffer overflow
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2005-4048 |
| Created: | December 15, 2005 |
| Updated: | March 17, 2006 |
| Description: |
The avcodec_default_get_buffer() function of the ffmpeg library
has a buffer overflow vulnerability. A user can be tricked into
playing a maliciously created PNG movie, allowing the attacker to
run arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
gaim: buffer overflow
| Package(s): | gaim |
| CVE #(s): | CAN-2005-2103 |
| Created: | August 10, 2005 |
| Updated: | February 27, 2006 |
| Description: |
Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
| CVE #(s): | CVE-2005-3186, CVE-2005-2976, CVE-2005-2975 |
| Created: | November 15, 2005 |
| Updated: | March 20, 2006 |
| Description: |
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: | |
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
| CVE #(s): | CAN-2004-0966 |
| Created: | October 11, 2004 |
| Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: | |
Comments (1 posted)
groff: insecure temporary directory
| Package(s): | groff |
| CVE #(s): | CAN-2004-0969 |
| Created: | November 1, 2004 |
| Updated: | February 9, 2006 |
| Description: |
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program. |
| Alerts: | |
Comments (none posted)
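The noweb, gettext and groff entries above describe one failure pattern: a temporary file or directory created under a predictable name in a world-writable directory, which a local user can pre-empt by planting a symbolic link there first. The following Python script is an added example, not code from any of those packages; it stages that race inside a private scratch directory with a constructed link and shows why exclusive creation (`O_EXCL`, or `tempfile.mkstemp`, which also picks an unpredictable name) refuses the planted link where a plain `open()` follows it.

```python
"""Predictable temporary file names versus exclusive creation.

Added example, not code from gettext, groff or noweb: it stages the symlink
race those advisories describe inside a private scratch directory and shows
why O_EXCL (or tempfile.mkstemp) refuses the planted link. Every path and file
name here is constructed for the demonstration.
"""
import errno
import os
import shutil
import tempfile


def predictable_write(tmpdir: str, name: str, data: bytes) -> str:
    """Vulnerable pattern: fixed name and a plain open(), which follows a planted symlink."""
    path = os.path.join(tmpdir, name)
    with open(path, "wb") as fh:          # O_CREAT without O_EXCL: an existing link is followed
        fh.write(data)
    return path


def exclusive_write(tmpdir: str, name: str, data: bytes) -> str:
    """Hardened pattern: O_EXCL makes creation fail if anything already sits at the path."""
    path = os.path.join(tmpdir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)      # raises OSError(EEXIST) on a pre-planted symlink
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def random_write(tmpdir: str, data: bytes) -> str:
    """Preferred pattern: unpredictable name plus O_EXCL, both supplied by mkstemp()."""
    fd, path = tempfile.mkstemp(dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Plant a symlink at a guessable name, run all three patterns, report the outcome."""
    scratch = tempfile.mkdtemp()
    try:
        victim = os.path.join(scratch, "victim.txt")   # stands in for a file the attacker wants changed
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")
        guessable = "gettext-12345.tmp"                # constructed predictable name
        os.symlink(victim, os.path.join(scratch, guessable))

        predictable_write(scratch, guessable, b"clobbered\n")
        with open(victim, "rb") as fh:
            victim_after = fh.read()                   # the write went through the link

        try:
            exclusive_write(scratch, guessable, b"safe\n")
            exclusive_blocked = False
        except OSError as exc:
            exclusive_blocked = exc.errno in (errno.EEXIST, errno.ELOOP)

        rand_path = random_write(scratch, b"safe\n")
        random_is_regular = os.path.isfile(rand_path) and not os.path.islink(rand_path)
    finally:
        shutil.rmtree(scratch)
    return {
        "victim_after": victim_after,          # b"clobbered\n"
        "exclusive_blocked": exclusive_blocked,  # True
        "random_is_regular": random_is_regular,  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two hardened functions differ in what they defend against: `O_EXCL` alone stops the planted link but still lets an attacker cause a denial of service by occupying the guessable name, which is why an unpredictable name from `mkstemp()` is the pattern to reach for in shell scripts and C alike (`mktemp(1)`, `mkstemp(3)`).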
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
imagemagick: arbitrary command execution
| Package(s): | imagemagick |
| CVE #(s): | CVE-2005-4601, CVE-2006-0082 |
| Created: | January 24, 2006 |
| Updated: | March 24, 2006 |
| Description: |
Florian Weimer discovered that the delegate code did not correctly
handle file names which embed shell commands (CVE-2005-4601). Daniel
Kobras found a format string vulnerability in the SetImageInfo()
function (CVE-2006-0082). By tricking a user into processing an image
file with a specially crafted file name, these two vulnerabilities
could be exploited to execute arbitrary commands with the user's
privileges. These vulnerabilities become particularly critical if
malicious images are sent as email attachments and the email client
uses imagemagick to convert/display the images (e. g. Thunderbird and
Gnus). |
| Alerts: | |
Comments (none posted)
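The gzip (zgrep), enscript and imagemagick (delegate) entries share a root cause: a file name is spliced into a shell command line, so a name containing `|`, `;` or `&` turns into a command of the attacker's choosing. The Python script below is an added example, not code from any of those packages; it creates a file with a constructed hostile name in a scratch directory and contrasts string interpolation under `shell=True` with passing the name as one argv element and with `shlex.quote`. It assumes a POSIX shell and `cat` on the PATH.

```python
"""Untrusted file names and shell command lines.

Added example, not code from gzip, enscript or ImageMagick: it builds a file
whose constructed name carries a shell metacharacter and shows how the same
cat invocation behaves when the name is interpolated into a shell string,
passed as an argv element, or quoted with shlex.quote. Needs a POSIX shell and
cat on PATH.
"""
import os
import shlex
import shutil
import subprocess
import tempfile


def show_unsafe(workdir: str, filename: str) -> str:
    """Vulnerable pattern: the name is pasted into a command string handed to /bin/sh."""
    proc = subprocess.run(f"cat {filename}", shell=True, cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout


def show_argv(workdir: str, filename: str) -> str:
    """Hardened pattern: no shell; the name is one argv element, metacharacters and all."""
    proc = subprocess.run(["cat", filename], cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout


def show_quoted(workdir: str, filename: str) -> str:
    """When a shell is unavoidable (pipelines, redirections), quote every untrusted word."""
    proc = subprocess.run(f"cat {shlex.quote(filename)}", shell=True, cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    """Create the hostile-named file in a scratch directory and run the three variants."""
    workdir = tempfile.mkdtemp()
    hostile = "report; echo INJECTED"     # constructed name: ';' ends the cat command early
    try:
        with open(os.path.join(workdir, hostile), "w") as fh:
            fh.write("hello\n")
        return {
            "unsafe": show_unsafe(workdir, hostile),   # "INJECTED\n": echo ran, no file named 'report'
            "argv": show_argv(workdir, hostile),       # "hello\n": the oddly named file was read
            "quoted": show_quoted(workdir, hostile),   # "hello\n"
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for variant, output in demo().items():
        print(f"{variant:7s} -> {output!r}")
```

The argv form is the one to prefer: it needs no escaping rules at all, which is exactly the knowledge that zgrep's and ImageMagick's delegate code got wrong. Quoting is the fallback for cases where a pipeline really must be expressed as a shell string.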
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote denial of service vulnerability in the racoon
daemon. If racoon is running in aggressive mode, it fails to check all peer
payloads during the IKE negotiation phase, allowing a malicious peer to
crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions
3.2.0 through 3.4.2 suffers from a lock file handling error which can
enable a local attacker to obtain root access. See this advisory for
details. |
| Alerts: | |
Comments (none posted)
kdelibs: heap overflow
| Package(s): | kdelibs |
| CVE #(s): | CVE-2006-0019 |
| Created: | January 19, 2006 |
| Updated: | March 17, 2006 |
| Description: |
Konqueror's kjs JavaScript interpreter engine has a heap overflow
vulnerability. Specially crafted JavaScript code could be placed on
a web site, leading to arbitrary code execution.
Other KDE applications are also subject to this vulnerability. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0,
creates a file backup before saving a modified file. These backup files
are created with default permissions, even if the original file had more
strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-0454 |
| Created: | February 8, 2006 |
| Updated: | February 17, 2006 |
| Description: |
A denial of service vulnerability has been found in the kernel ICMP code;
kernel 2.6.15.3 fixes the problem. |
| Alerts: | |
Comments (1 posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2005-3356, CVE-2005-4605, CVE-2005-4618, CVE-2005-4639, CVE-2006-0095, CVE-2006-0096 |
| Created: | January 18, 2006 |
| Updated: | March 7, 2006 |
| Description: |
The latest set of kernel vulnerabilities includes:
- A reference counting bug in sys_mq_open(), exploitable by a local user to crash the kernel. (CVE-2005-3356)
- A misuse of signed data types in /proc, potentially providing read access to random kernel memory. (CVE-2005-4605)
- An off-by-one error in sysctl(), with the potential for arbitrary code execution. (CVE-2005-4618)
- A buffer overflow in the TwinHan DST Frontend/Card DVB driver; potential code execution. (CVE-2005-4639)
- A potential key disclosure in dm-crypt. (CVE-2006-0095)
- A missing capability check could (maybe) allow arbitrary users to load new firmware into SDLA WAN cards. (CVE-2006-0096)
|
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2005-2709, CVE-2005-2973, CVE-2005-3055, CVE-2005-3180, CVE-2005-3271, CVE-2005-3272, CVE-2005-3273, CVE-2005-3274, CVE-2005-3275, CVE-2005-3276 |
| Created: | November 22, 2005 |
| Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending a "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited for a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packets. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ndigis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list was still
being traversed, which could result in a kernel crash. This
vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in
sys_get_thread_area(). The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276) |
| Alerts: | |