LWN.net Logo

LWN.net Weekly Edition for February 16, 2006

Toward a free metaverse

Second Life is one of many multiplayer role-playing games springing up on the net. Unlike some others, Second Life gives its players a significant amount of freedom to create their virtual world; players also get ownership rights to their creations. The Second Life developers have made an effort to strengthen the ties between the virtual and real worlds; the idea of making a living in the Second Life "metaverse" is heavily promoted. Various "real life" personalities - Lawrence Lessig, for example - have made high-profile appearances there.

Like many such services, Second Life has built itself an infrastructure heavily based on Linux and other free software tools. Also like many such services, Second Life has returned that favor by providing clients for proprietary operating systems, but not for Linux. Until recently, that is. There is now an alpha-test Linux client available for free download. It is still very much a proprietary client - no source, x86-only, etc. But it is a start, at least.

Your editor would, of course, rather be reading memory management patches or following the interminable "bait Joerg Schilling" festival on linux-kernel. But journalistic ethics required that time be taken out from such rewarding activities to see how this new client works. LWN readers would expect no less.

Alas, no joy was to be found in that direction. This client, it seems, requires a 3D-capable graphics card. It also requires that the proprietary driver be installed for said card. Your editor is willing to make many sacrifices for the cause, but jumping into the world of binary-only kernel modules was pushing things a little too far. So no Second Life; there was real work to get done anyway.

An important thought came out of this exercise anyway. We, in the Linux community, will certainly want to be able to participate in this sort of virtual universe in the future. These worlds will only get more realistic, engaging, and compelling. They will host a growing number of real-world meetings and events. Even if we, personally, have no particular yearnings for a second life in the virtual world, we may well end up going there just for a chance to visit our children. So it is important that Linux users are not excluded from this sort of experience.

Unfortunately, the lack of free drivers for contemporary video hardware threatens to exclude us from that experience. Even those of us who see no need for a 3D version of vi (emacs, of course, will have a full 3D Lisp mode) may have the occasional desire to dress up as some sort of furry animal and commune with the virtual world natives. Much of what will be interesting in the future of computing will involve increasingly realistic interfaces - and that will require good graphics support. If Linux does not provide that support, people will use something else.

Assuming we will eventually get past that issue, there is another, more important question to be answered: why, exactly, should we build our virtual worlds on somebody else's substrate? Even if we "own" our creations, they run on somebody else's server (which they can unplug at any time), uses their currency (which they can degrade at any time), and is subject to their rules (which they can change at any time). A virtual world which is not free is, well, not free.

Instead, the creation of a true "metaverse" should be a project which is a natural for the free software community. A decent set of open protocols and libraries should make it possible for interested people to set up their own neighborhoods on their own servers and tie them all together into a distributed - but integrated - whole. The net was built on free software, and it has served as a platform for no end of interesting developments. If we build our virtual worlds on free software as well, people will, beyond doubt, create environments beyond our wildest imagination. It is hard to see why we would want it any other way.

There are some virtual world projects out there. MUPPETS is an academic project with an educational focus; its last release was last July. MUPPETS appears to be a Windows-only application, however. The Croquet project looks like it is oriented toward people who want to get some real work done, but it looks like it could be put to wider uses. The Open Source Metaverse Project is an attempt to make something very much like a free Second Life. This project appears to have stalled, however; there is still some life in its forums, but the last development release was in August, 2004. Solipsis is an attempt to create a true, distributed virtual world, but it is at a very early stage. Interverse has some nice screen shots, but the project appears to have come to a halt. Verse is a 3D-oriented network protocol associated with the Blender project; it looks like it could be a useful component. The Virtual Object System is a collection of projects around the 3D, virtual reality theme; it released version 0.23.0-pre1 in January. And so on.

So there's a number of projects out there, but it is not clear that any of them have truly reached a critical mass. One would think that such an inherently fun project would attract more developers. Evidently free software developers have other itches to scratch. So we may find ourselves, in the future, building our virtual worlds on non-free platforms and hoping that the Second Life folks live up to their hints that they might open up their protocols - in 2010.

Comments (14 posted)

On the dual-license model

When people go looking for successful free software business models, the dual-license approach tends to turn up near the top of the list. With this model, a company releases a software component under a copyleft-style license so that all may make use of it. This company also offers the same software (or, perhaps, an enhanced version of it) under a paid, commercial license, allowing other companies to incorporate it into their products without the need to make their own code available. This model will clearly be most successful for software which works as a building block for larger systems. The dual-license model has been employed by companies like MySQL AB, Trolltech, FSMLabs, Sleepycat Software, and others.

The dual-license model can look like the best of both worlds. The free software community gets high-quality, supported code - and often good documentation as well. Developers get paid for working on that code. The company which makes all this happen gets to stay in business. That company's customers get (1) the use of the code in their proprietary projects, and (2) an immediate indication of what it is costing them to keep their own code non-free.

This model is not suitable for every project, and it is not without its disadvantages. One of the strongest of those, perhaps, is the disincentive it presents to potential contributors. A dual-license company can only accept contributions which it will be able to sell under its commercial license; in practice, that implies copyright assignments or some other form of explicit permission from each contributor. Some developers are happy to contribute code under such conditions - those contributions improve the free version of the package, and the developer still probably gets much more back than he or she ever could contribute. But others are less interested in contributing code which can be taken proprietary for somebody else's exclusive commercial benefit.

Another potential snag in the dual-license model was highlighted this week when Oracle announced its acquisition of Sleepycat Software. Like Innosoft (acquired by Oracle last year), Sleepycat provides a transactional engine for MySQL's database offerings. MySQL gets that code under a dual-license arrangement which, in turn, allows MySQL to include it in its own dual-license products. The result is that Oracle now controls two important components shipped by MySQL.

Sleepycat CEO Mike Olson says that neither the free software community nor Sleepycat's commercial customers should be concerned about this acquisition. But Mr. Olson spoke a little differently after the Innosoft acquisition:

Speaking at the Open Source Business Conference, SleepyCat CEO Michael Olson said he believes Oracle's takeover of Innobase, the Finnish developer of InnoDB, a discrete open source transactional database technology that ships with MySQL, is an acknowledgment of the growing importance of open source and of MySQL in particular. "Any attempt to disrupt a competitor is an acknowledgement that the competitor matters," Olson said. "And I think that acquisition was in significant part an attempt to disrupt MySQL's business."

(Thanks to Jim Thompson for the pointer to that article).

It is worth noting that neither acquisition can do immediate harm to the free software community. The code which was released under a free license remains free and cannot be taken back. The worst-case scenario would appear to be that developers could be taken off the projects, slowing or stopping the development of that code.

The situation might be a little more perilous for MySQL AB, however, and its customers as well. Oracle is now in a position to change the licensing terms for both database backends, or even to make them unavailable for dual-licensing altogether. And that points out an important aspect of the dual-licensing model: if you buy into the proprietary side of dual-licensed software, you are very much in the proprietary software world. And, at that point, you can be impacted by policy changes by your supplier - or by their suppliers as well.

Buying proprietary access to dual-licensed software may still be the best path for many companies. It can enable the use of high-quality, community-reviewed software at a reasonable price. But dual-licensed software should not be seen as free software with some commercially inconvenient strings removed. It is proprietary software, with all the risks that come with the proprietary model.

Comments (18 posted)

Another analyst TCO report

Yet another analyst report comparing the costs of running Linux and Windows networks has been released. The report was funded by a corporation with a clear interest in the outcome, but, of course, the authors claim to have done entirely independent work. It features data collected from a number of different companies (the way these companies were selected is not disclosed) and from "self-selected" respondents to a web survey. Information on the availability and cost of administrators was obtained from "a cursory survey of resumes" from online job boards. Surprisingly enough, the report is strongly favorable to the company which sponsored it.

The Linux community, once again, has come together to debunk the findings in this survey. Well, actually, maybe not. This report was sponsored by Levanta and OSDL, and is unequivocally favorable to Linux.

Those who are interested in the details are encouraged to look at the press release, the executive summary, or the full, 21-page, pie-chart-stuff report [PDF]. In essence, however, it says [Piechart] this: Linux systems are cheaper to purchase and install, cheaper and more reliable to administer, and more secure than the alternatives. Linux administration staff can be had cheaply, and is in plentiful supply. Oh, and if those administrators are well equipped with "sophisticated administration tools," such as those sold by, say, Levanta, they'll be even more efficient.

Much of what is found on these glossy pages corresponds to the experience of those of us who have managed large networks of systems. A Linux administrator really can manage more systems than a Windows administrator. But the sad fact, which not all in the community seem to want to recognize, is that this report is the same sort of subjective analyst recycle bin fodder that the proprietary software companies crank out. We should not invest it with a higher level of credibility than the other offerings in its genre.

It is worth noting that this report appears to have had the desired initial effect. The technical press has dutifully carried the "Linux is cheaper" news. Presumably, the pointy-haired bosses who are held to be impressed by these reports will be suitably influenced. It seems that these analyst reports are simply part of how this game is played. People who are trying to get some real work done on a Linux platform need a stack of glossy paper to justify their decisions to certain levels of management. The other side is producing a long stream of these reports; if the Linux side has no reports of its own, it looks like it has no answer at all. So it may be a good thing that somebody is going to the effort of producing all this paper. But we shouldn't make the mistake of believing that reports like this one prove anything.

Comments (4 posted)

Page editor: Jonathan Corbet

Security

A look at nmap 4.0

February 13, 2006

This article was contributed by Jake Edge.

With its first major release in nearly 2 years, Nmap has made great strides in speed and usability. Nmap 4.00 was released on 31 January and has a very large list of features and upgrades since the 3.50 release in February 2004.

Nmap is a "network mapper" that allows a network administrator or curious user to discover many things about a network or host. Nmap will do host discovery to determine which hosts are available and port scanning to determine open ports and what services are running behind those ports. It can also try to determine which operating system is running on a target machine by examining the contents of packets and responses using a technique known as TCP/IP stack fingerprinting. One of the main uses for Nmap is security auditing a network in order to detect and possibly disable any and all unnecessary services running on a host or network.

The feature that users are most excited about, according to Fyodor, creator of Nmap, is status reporting which provides real-time information on how much progress Nmap has made and an estimated time of completion. One can get this report by pressing return while Nmap is running; other keys will increase or decrease the verbosity and debug levels or toggle packet tracing. This makes for a much nicer user experience:

With Nmap 3.50, you would start a scan and Nmap would quietly chug away for a variable amount of time (from minutes to hours) before suddenly reporting results for a target host. ... Staring at a screen for 30 minutes waiting for Nmap to complete is frustrating, but when you know the time in advance you can simply go out for lunch.

Speed and memory usage improvements in the port scanning engine were a big focus of the improvements made since 3.50. Several functions, such as reverse DNS lookup and UDP scans have been parallelized and Nmap now uses raw Ethernet packets to do ARP requests which speeds up host detection significantly. The speed improvements were not readily apparent in the relatively simple scans the author tried; they are largely geared for scanning many thousands of ports on large numbers of hosts.

Documentation was another focus of the 4.00 effort and Fyodor has rewritten the man page, an install guide, and a version detection guide. He says:

Open source software is frequently characterized as having poor documentation. I tried to fight that stereotype by putting a lot of work into Nmap 4.00 docs.

Thanks to the DAG repository, upgrading to Nmap 4.00 was painless on the (now obsolete) Fedora Core 3 distribution. Running Nmap is fairly straightforward, but there are an enormous number of options and ways to specify targets. Wading through the very comprehensive man page is required to do anything very complicated, though Nmap often seems to suggest useful options when scans fail and this feature can be very helpful.

Nmap 4.00 looks to be a very solid release of a tool that should be on every administrator's list of essential security tools.

Comments (5 posted)

New vulnerabilities

adzapper: denial of service

Package(s):adzapper CVE #(s):CVE-2006-0046
Created:February 9, 2006 Updated:February 15, 2006
Description: If the adzapper proxy advertisement add-on is installed as a squid plugin, it can cause high proxy host CPU resource consumption, resulting in a denial of service.
Alerts:
Debian DSA-966-1 2006-02-09

Comments (none posted)

elog: multiple vulnerabilities

Package(s):elog CVE #(s):CVE-2005-4439 CVE-2006-0347 CVE-2006-0348 CVE-2006-0597 CVE-2006-0598 CVE-2006-0599 CVE-2006-0600
Created:February 10, 2006 Updated:February 15, 2006
Description: Several security problems have been found in elog, an electronic logbook to manage notes.
Alerts:
Debian DSA-967-1 2006-02-10

Comments (none posted)

gnutls: denial of service

Package(s):gnutls CVE #(s):CVE-2006-0645
Created:February 13, 2006 Updated:March 6, 2006
Description: Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate in such a way that could trigger this flaw if parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain if this issue could be escalated to allow arbitrary code execution.
Alerts:
Debian DSA-986-1 2006-03-06
Debian DSA-985-1 2006-03-06
Fedora-Legacy FLSA:181014 2006-02-27
Gentoo 200602-08 2006-02-16
Ubuntu USN-251-1 2006-02-16
Mandriva MDKSA-2006:039 2006-02-13
Fedora FEDORA-2006-107 2006-02-10
Red Hat RHSA-2006:0207-01 2006-02-10

Comments (none posted)

heimdal: privilege escalation

Package(s):heimdal CVE #(s):CVE-2006-0582
Created:February 13, 2006 Updated:March 17, 2006
Description: A privilege escalation flaw has been found in the heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite arbitrary files and gain ownership of them.
Alerts:
Gentoo 200603-14 2006-03-17
Debian DSA-977-1 2006-02-16
Ubuntu USN-247-1 2006-02-10

Comments (none posted)

kronolith: cross-site scripting

Package(s):kronolith CVE #(s):CVE-2005-4189
Created:February 14, 2006 Updated:February 15, 2006
Description: Johannes Greil of SEC Consult discovered several cross-site scripting vulnerabilities in kronolith, the Horde calendar application.
Alerts:
Debian DSA-970-1 2006-02-14

Comments (none posted)

libpng: heap based buffer overflow

Package(s):libpng CVE #(s):CVE-2006-0481
Created:February 13, 2006 Updated:February 15, 2006
Description: A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
Alerts:
Red Hat RHSA-2006:0205-01 2006-02-13

Comments (1 posted)

noweb: insecure temporary file

Package(s):noweb CVE #(s):CVE-2005-3342
Created:February 13, 2006 Updated:February 27, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that a script in noweb, a web like literate-programming tool, creates a temporary file in an insecure fashion.
Alerts:
Gentoo 200602-14 2006-02-26
Ubuntu USN-254-1 2006-02-21
Debian DSA-968-1 2006-02-13

Comments (none posted)

PostgreSQL: privilege escalation

Package(s):postgresql CVE #(s):CVE-2006-0553
Created:February 15, 2006 Updated:February 19, 2006
Description: From the advisory: "By issuing SET ROLE with a specially crafted argument, it is possible for any logged-in database user to acquire the privileges of any other database user, including superusers. Database superuser status allows access to the machine's filesystem and hence might be used to mount remote attacks against the rest of the server's operating system." This problem has been fixed in PostgreSQL releases 8.0.7, 7.4.12, and 7.3.14.
Alerts:
OpenPKG OpenPKG-SA-2006.004 2006-02-19

Comments (none posted)

sun-jdk: privilege escalation

Package(s):sun-jdk CVE #(s):CVE-2006-0614 CVE-2006-0615 CVE-2006-0616 CVE-2006-0617
Created:February 15, 2006 Updated:February 15, 2006
Description: Various vulnerabilities in the Java runtime "reflection" APIs can enable applications to escape the sandbox and access local resources. See this Sun advisory for more information.
Alerts:
Gentoo 200602-07 2006-02-15

Comments (none posted)

Updated vulnerabilities

ADOdb: PostgresSQL command injection

Package(s):adodb CVE #(s):CVE-2006-0410
Created:February 6, 2006 Updated:April 17, 2006
Description: Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host.
Alerts:
Gentoo 200604-07 2006-04-14
Debian DSA-1031-1 2006-04-08
Debian DSA-1030-1 2006-04-08
Debian DSA-1029-1 2006-04-08
Gentoo 200602-02 2006-02-06

Comments (none posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2005-3352
Created:December 14, 2005 Updated:May 10, 2006
Description: Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details.
Alerts:
Slackware SSA:2006-129-01 2006-05-10
SuSE SUSE-SR:2006:004 2006-02-24
Fedora-Legacy FLSA:175406 2006-02-18
Gentoo 200602-03 2006-02-06
Fedora FEDORA-2006-052 2006-01-20
Red Hat RHSA-2006:0158-01 2006-01-17
Ubuntu USN-241-1 2006-01-12
Trustix TSLSA-2005-0074 2005-12-23
Mandriva MDKSA-2006:007 2006-01-05
Red Hat RHSA-2006:0159-01 2006-01-05
OpenPKG OpenPKG-SA-2005.029 2005-12-14

Comments (none posted)

auth_ldap: format string vulnerability

Package(s):auth_ldap CVE #(s):CVE-2006-0150
Created:January 10, 2006 Updated:February 28, 2006
Description: The auth_ldap package is an httpd module that allows user authentication against information stored in an LDAP database. A format string flaw was found in the way auth_ldap logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if auth_ldap is used for user authentication.
Alerts:
Fedora-Legacy FLSA:177694 2006-02-27
Debian DSA-952-1 2006-01-23
Mandriva MDKSA-2006:017 2006-01-19
Red Hat RHSA-2006:0179-01 2006-01-10

Comments (none posted)

blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
Alerts:
Debian-Testing DTSA-29-1 2006-06-15
Debian DSA-1039-1 2006-04-24
Gentoo 200601-08 2006-01-13
Ubuntu USN-238-2 2006-01-06
Ubuntu USN-238-1 2006-01-06

Comments (none posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Gentoo 200608-27 2006-08-29
Debian DSA-1088-1 2006-06-03
Debian DSA-1083-1 2006-05-31
Gentoo 200512-11 2005-12-20
Debian-Testing DTSA-23-1 2005-12-05

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

curl: buffer overflow

Package(s):curl CVE #(s):CVE-2005-4077
Created:December 8, 2005 Updated:March 27, 2006
Description: The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access.
Alerts:
Gentoo 200603-25 2006-03-27
Debian DSA-919-2 2006-03-10
Trustix TSLSA-2005-0072 2005-12-16
Red Hat RHSA-2005:875-01 2005-12-20
Gentoo 200512-09 2005-12-16
Ubuntu USN-228-1 2005-12-12
Fedora FEDORA-2005-1137 2005-12-12
Fedora FEDORA-2005-1136 2005-12-12
Debian DSA-919-1 2005-12-12
OpenPKG OpenPKG-SA-2005.028 2005-12-10
Mandriva MDKSA-2005:224 2005-12-08
Fedora FEDORA-2005-1129 2005-12-08
Fedora FEDORA-2005-1130 2005-12-08

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

dia: missing input sanitizing

Package(s):dia CVE #(s):CAN-2005-2966
Created:October 4, 2005 Updated:April 6, 2006
Description: Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.
Alerts:
Debian DSA-1025-1 2006-04-06
Mandriva MDKSA-2005:187 2005-10-20
Gentoo 200510-06 2005-10-06
Debian DSA-847-1 2005-10-08
SuSE SUSE-SR:2005:022 2005-10-07
Ubuntu USN-193-1 2005-10-04

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

evolution: format string issues

Package(s):evolution CVE #(s):CAN-2005-2549 CAN-2005-2550
Created:August 15, 2005 Updated:March 23, 2006
Description: Evolution has format string issues. SITIC advisory SA05-001 contains more information.
Alerts:
Debian DSA-1016-1 2006-03-23
SuSE SUSE-SA:2005:054 2005-09-16
Red Hat RHSA-2005:267-01 2005-08-29
Gentoo 200508-12 2005-08-23
Mandriva MDKSA-2005:141 2005-08-17
Fedora FEDORA-2005-742 2005-08-11
Fedora FEDORA-2005-743 2005-08-11

Comments (2 posted)

fetchmail: multidrop bug

Package(s):fetchmail CVE #(s):CVE-2005-4348
Created:December 20, 2005 Updated:May 27, 2006
Description: Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode.
Alerts:
rPath rPSA-2006-0084-1 2006-05-26
Fedora-Legacy FLSA:164512 2006-05-12
Slackware SSA:2006-045-01 2006-02-15
Debian DSA-939-1 2006-01-13
Ubuntu USN-233-1 2006-01-02
Mandriva MDKSA-2005:236 2005-12-23
Fedora FEDORA-2005-1187 2005-12-20
Fedora FEDORA-2005-1186 2005-12-20

Comments (none posted)

ffmpeg: buffer overflow

Package(s):ffmpeg CVE #(s):CVE-2005-4048
Created:December 15, 2005 Updated:March 17, 2006
Description: The avcodec_default_get_buffer() function of the ffmpeg library has a buffer overflow vulnerability. A user can be tricked into playing a maliciously created PNG movie, allowing the attacker to run arbitrary code with the user's privileges.
Alerts:
Debian DSA-1005-1 2006-03-16
Debian DSA-1004-1 2006-03-16
Debian DSA-992-1 2006-03-10
Gentoo 200603-03 2006-03-04
Gentoo 200602-01 2006-02-05
Gentoo 200601-06 2006-01-10
Ubuntu USN-230-2 2005-12-16
Ubuntu USN-230-1 2005-12-14
Mandriva MDKSA-2005:228 2005-12-14
Mandriva MDKSA-2005:229 2005-12-14
Mandriva MDKSA-2005:232 2005-12-14
Mandriva MDKSA-2005:230 2005-12-14
Mandriva MDKSA-2005:231 2005-12-14

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
Created:September 22, 2005 Updated:February 15, 2006
Description: The Firefox browser has multiple vulnerabilities including problems with XBM image file processing, Unicode sequence processing, XMLHttp requests, malicious XBL binding, a JavaScript engine buffer overflow, about: pages, opening of new windows, and command line URL processing.
Alerts:
Slackware SSA:2006-045-02 2006-02-15
Fedora-Legacy FLSA:168375 2006-01-09
Ubuntu USN-200-1 2005-10-11
Ubuntu USN-155-3 2005-10-04
Debian DSA-838-1 2005-10-02
Gentoo GLSA 200509-11:02 2005-09-18
SuSE SUSE-SA:2005:058 2005-09-30
Mandriva MDKSA-2005:170 2005-09-26
Mandriva MDKSA-2005:169 2005-09-26
Slackware SSA:2005-269-01 2005-09-26
Fedora FEDORA-2005-934 2005-09-26
Fedora FEDORA-2005-933 2005-09-26
Fedora FEDORA-2005-932 2005-09-26
Fedora FEDORA-2005-931 2005-09-26
Fedora FEDORA-2005-930 2005-09-26
Fedora FEDORA-2005-929 2005-09-26
Fedora FEDORA-2005-928 2005-09-26
Fedora FEDORA-2005-927 2005-09-26
Fedora FEDORA-2005-926 2005-09-26
Ubuntu USN-186-2 2005-09-25
Ubuntu USN-186-1 2005-09-23
Red Hat RHSA-2005:789-01 2005-09-22
Red Hat RHSA-2005:785-01 2005-09-22

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

gaim: buffer overflow

Package(s):gaim CVE #(s):CAN-2005-2103
Created:August 10, 2005 Updated:February 27, 2006
Description: Gaim suffers from a heap-based buffer overflow which can be exploited via a hostile "away message" to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:158543 2006-02-25
Slackware SSA:2005-242-03 2005-08-31
Fedora FEDORA-2005-751 2005-08-17
Fedora FEDORA-2005-750 2005-08-17
Mandriva MDKSA-2005:139 2005-08-15
Gentoo 200508-06 2005-08-15
Ubuntu USN-168-1 2005-08-12
Red Hat RHSA-2005:589-01 2005-08-09

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdk-pixbuf: multiple vulnerabilities

Package(s):gdk-pixbuf gtk2 CVE #(s):CVE-2005-3186 CVE-2005-2976 CVE-2005-2975
Created:November 15, 2005 Updated:March 20, 2006
Description: The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim.

Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim.

Alerts:
Fedora-Legacy FLSA:173274 2006-03-16
Debian DSA-913-1 2005-12-01
Debian DSA-911-1 2005-11-29
Trustix TSLSA-2005-0066 2005-11-18
Mandriva MDKSA-2005:214 2005-11-18
Ubuntu USN-216-1 2005-11-16
SuSE SUSE-SA:2005:065 2005-11-16
Gentoo 200511-14 2005-11-16
Fedora FEDORA-2005-1088 2005-11-15
Fedora FEDORA-2005-1087 2005-11-15
Fedora FEDORA-2005-1086 2005-11-15
Fedora FEDORA-2005-1085 2005-11-15
Red Hat RHSA-2005:811-01 2005-11-15
Red Hat RHSA-2005:810-01 2005-11-15

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

imagemagick: arbitrary command execution

Package(s):imagemagick CVE #(s):CVE-2005-4601 CVE-2006-0082
Created:January 24, 2006 Updated:March 24, 2006
Description: Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user's privileges. These vulnerability become particularly critical if malicious images are sent as email attachments and the email client uses imagemagick to convert/display the images (e. g. Thunderbird and Gnus).
Alerts:
SuSE SUSE-SR:2006:006 2006-03-17
Gentoo 200602-13 2006-02-26
Slackware SSA:2006-045-03 2006-02-15
Red Hat RHSA-2006:0178-01 2006-02-14
Gentoo 200602-06 2006-02-13
Debian DSA-957-2 2006-01-31
Mandriva MDKSA-2006:024 2006-01-26
Debian DSA-957-1 2006-01-26
Ubuntu USN-246-1 2006-01-24

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Fedora-Legacy FLSA:190941 2006-06-06
Red Hat RHSA-2006:0267-01 2006-04-25
Debian DSA-965-1 2006-02-06
Mandriva MDKSA-2006:020 2006-01-25
SuSE SUSE-SA:2005:070 2005-12-20
Gentoo 200512-04 2005-12-12
Ubuntu USN-221-1 2005-12-01

Comments (none posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: heap overflow

Package(s):kdelibs CVE #(s):CVE-2006-0019
Created:January 19, 2006 Updated:March 17, 2006
Description: Konqueror's kjs JavaScript interpreter engine has a heap overflow vulnerability. Specially crafted JavaScript code could be placed on a web site, leading to arbitrary code execution. Other kde applications are also subject to this vulnerability.
Alerts:
Fedora-Legacy FLSA:178606 2006-03-16
Slackware SSA:2006-045-05 2006-02-15
Gentoo 200601-11 2006-01-22
Mandriva MDKSA-2006:019 2006-01-20
Fedora FEDORA-2006-050 2006-01-20
SuSE SUSE-SA:2006:003 2006-01-20
Debian DSA-948-1 2005-01-20
Ubuntu USN-245-1 2006-01-20
Red Hat RHSA-2006:0184-01 2006-01-19

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-0454
Created:February 8, 2006 Updated:February 17, 2006
Description: A denial of service vulnerability has been found in the kernel ICMP code; kernel 2.6.15.3 fixes the problem.
Alerts:
Mandriva MDKSA-2006:040 2006-02-17
Ubuntu USN-250-1 2006-02-13
Trustix TSLSA-2006-0006 2006-02-10
SuSE SUSE-SA:2006:006 2006-02-09
Fedora FEDORA-2006-102 2006-02-07

Comments (1 posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-3356 CVE-2005-4605 CVE-2005-4618 CVE-2005-4639 CVE-2006-0095 CVE-2006-0096
Created:January 18, 2006 Updated:March 7, 2006
Description: The latest set of kernel vulnerabilities includes:

  • A reference counting bug in sys_mq_open(), exploitable by a local user to crash the kernel. (CVE-2005-3356)

  • A misuse of signed data types in /proc, potentially providing read access to random kernel memory. (CVE-2005-4605)

  • An off-by-one error in sysctl(), with the potential for arbitrary code execution. (CVE-2005-4618)

  • A buffer overflow in the TwinHan DST Frontend/Card DVB driver; potential code execution. (CVE-2005-4639)

  • A potential key disclosure in dm-crypt. (CVE-2006-0095)

  • Missing capability check could (maybe) allow arbitrary users to load new firmware into SDLA WAN cards. (CVE-2006-0096)
Alerts:
Red Hat RHSA-2006:0132-01 2006-03-07
Trustix TSLSA-2006-0004 2006-01-27
Ubuntu USN-244-1 2006-01-18

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-2709 CVE-2005-2973 CVE-2005-3055 CVE-2005-3180 CVE-2005-3271 CVE-2005-3272 CVE-2005-3273 CVE-2005-3274 CVE-2005-3275 CVE-2005-3276
Created:November 22, 2005 Updated:March 15, 2006
Description: Al Viro discovered a race condition in the /proc file handler of network devices. A local attacker could exploit this by opening any file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that interface was shut down. Under certain circumstances this could lead to a kernel crash or even arbitrary code execution with full kernel privileges. (CVE-2005-2709)

Tetsuo Handa discovered a local Denial of Service vulnerability in the udp_v6_get_port() function. On computers which use IPv6, a local attacker could exploit this to trigger an infinite loop in the kernel. (CVE-2005-2973)

Harald Welte discovered a Denial of Service vulnerability in the USB devio driver. A local attacker could exploit this by sending an "USB Request Block" (URB) and terminating the sending process before the arrival of the answer, which left an invalid pointer and caused a kernel crash. (CVE-2005-3055)

Pavel Roskin discovered an information leak in the Orinoco wireless card driver. When increasing the buffer length for storing data, the buffer was not padded with zeros, which exposed a random part of the system memory to the user. (CVE-2005-3180)

A resource leak has been discovered in the handling of POSIX timers in the exec() function. This could be exploited to a Denial of Service attack by a group of local users. (CVE-2005-3271)

Stephen Hemminger discovered a weakness in the network bridge driver. Packets which had already been dropped by the packet filter could poison the forwarding table, which could be exploited to make the bridge forward spoofed packages. (CVE-2005-3272)

David S. Miller discovered a buffer overflow in the rose_rt_ioctl() function. By calling the function with a large "ngidis" argument, a local attacker could cause a kernel crash. (CVE-2005-3273)

Neil Horman discovered a race condition in the connection timer handling. This allowed a local attacker to set up an expiration handler which modified the connection list while the list still being traversed, which could result in a kernel crash. This vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274)

Patrick McHardy noticed a logic error in the network address translation (NAT) connection tracker. A remote attacker could exploit this by causing two packets for the same protocol to be NATed at the same time, which resulted in a kernel crash. (CVE-2005-3275)

Paolo Giarrusso discovered an information leak in the sys_get_thread_area(). The returned structure was not properly cleared, which exposed a small amount of kernel memory to userspace programs. This could possibly expose confidential data. (CVE-2005-3276)

Alerts:
Red Hat RHSA-2006:0144-01 2006-03-15
Red Hat RHSA-2006:0140-01 2006-01-19
Red Hat RHSA-2006:0101-01 2006-01-17
Mandriva MDKSA-2005:235 2005-12-21
Debian DSA-922-1 2005-12-14
Debian DSA-921-1 2005-12-14
SuSE SUSE-SA:2005:068 2005-12-14
SuSE SUSE-SA:2005:067 2005-12-06
Mandriva MDKSA-2005:220 2005-11-30
Mandriva MDKSA-2005:219 2005-11-30
Mandriva MDKSA-2005:218 2005-11-30
Fedora FEDORA-2005-1104 2005-11-28
Trustix TSLSA-2005-0064 2005-11-11
Ubuntu USN-219-1 2005-11-22</