Some notes from the Coverity survey
Back in January, LWN
reported
on a grant awarded to Coverity by the U.S. Department of Homeland
Security. Coverity (working with Stanford) would apply its static analysis
tools to the code bases of a large set of free software projects and report
on the results. The effort was designed to help provide a sense of the
quality of free software while simultaneously helping to improve that
quality.
Coverity has now announced
its first set of results in the form of a press release, a table of defect counts, and a glossy
report. The main point made in the report - and picked up on by most of
the media coverage - is that the software which makes up the "LAMP stack"
(kernel, Apache, MySQL, PostgreSQL, PHP, Perl, Python) has a significantly
lower rate of defects than the larger set of projects reviewed. From this
result, one might well conclude that the most heavily-used and
carefully-reviewed projects tend to have better code. Perhaps not a
breathtaking result, but it's still nice to know.
The projects with the lowest defect density include Ethereal, OpenVPN,
Perl, and xmms; the all-time winner is xmms, with a total of six detected
errors. At the other end of the scale, one finds Amanda, Firebird,
NetSNMP, OpenLDAP, Samba, X, and Xine. The MySQL code base turned up 136
defects (a density of 0.224 per thousand lines of code), while PostgreSQL
has 295 (density of 0.362). Those results are interesting in the context
of this quote from the report:
For example, MySQL, PostgreSQL, and Berkeley DB have certified
versions of their software that contain zero Coverity defects.
We asked Coverity CTO Ben Chelf about the discrepancy between this claim
and the published results, and heard back:
We are working with the community now to determine exactly why that
is. Obviously the code changes over time so that is one potential
factor for the new issues. We hope that by opening up this mainline
access, we can assure that all _future_ versions of many of these
packages will contain zero Coverity defects.
Unfortunately, that response does not really answer the question. The
possibilities would seem to be: (1) whoever paid for the "certified
versions" has not fed the resulting fixes back into the mainline;
(2) all of the detected defects have been introduced into the code
base since the certification run was done, or (3) the tests run on the
"certified versions" were less comprehensive. None of those ideas is
particularly reassuring.
That notwithstanding, the work being done at Coverity is clearly helping to
clean up the code of the projects being surveyed. Patches for some bugs
found in the kernel are already circulating, and various
other projects are looking at the results as well.
With regard to Samba, the Coverity
folks provided us with a quote from Jeremy Allison:
Coverity has found bugs in parts of Samba that we had previously
considered completely robust and tested. It's like having a
developer on the team with an inhuman attention to detail, who
points out all the corner cases and boundary conditions you hadn't
considered when you first wrote the code. It's making a *major*
contribution to the code quality of the Samba project.
Running static analysis tools on the code is a clear win for software
quality and Coverity, by chasing down the resources to pay for this kind of
work, is helping the free software community. Even so, we could not resist
asking Mr. Chelf this question: wouldn't it help the community even more to
release the checker under a free license, so that the community could do
its own analysis and improve the tool as well? He responded:
We want to have a very strong relationship with the open source
community for a long time to come. We recognize that open source
software is a more and more critical part of many organizations'
(commercial and non-commercial) infrastructure. As we keep a
healthy finger on the heartbeat of what the community wants from
this type of technology, we feel we'll be the best ones to provide
it, regardless of form. Does that mean open source? It's too early
to say at this point.
In other words, we'll have to content ourselves with the reports from
Coverity - when Coverity sees fit to provide them - for the foreseeable
future. It is vastly preferable to not having those reports.
Still, there would be a great advantage to having static analysis tools
which did not depend on any one corporation's generosity to run. The
community seems to be a bit slow in the development of these tools,
however. The "sparse" utility, written by Linus Torvalds, is regularly
used to find certain types of bugs in the kernel. It has seen little use
beyond the kernel, however, and has not developed anything close to the
capabilities of Coverity's tools. The once-promising smatch project seems to have
stalled for the last two years. Various other projects exist (Wikipedia
has a
list), but none seem to have reached any sort of critical mass.
The free software community prides itself on the quality of its code.
Static analysis techniques will clearly be an important part of maintaining
that quality in the future. Many eyeballs do indeed shake out bugs; adding
some automated eyeballs to the mix will help find even more of them. We have
been lucky that a company which has developed some interesting static
analysis techniques has - for a few years, now - shared the
results of its analysis with parts of the free software community. We
should hope that this generosity continues for a long time, but we may also
want to think about creating some tools of our own for the day when that
generosity runs out.
Comments (43 posted)
The next generation office suite
OpenOffice.org is a great package. It provides powerful capabilities in a
number of areas - document editing, spreadsheets, presentations, etc. - and
makes it possible for Linux users to interoperate with the large part of
the world which is dependent on proprietary office applications. Much of
the time, OpenOffice is
the tool needed to enable Linux to replace a
proprietary desktop system. It would be a hard tool to live without.
That said, there is some truth in a
comment recently posted by Jeff Waugh:
OpenOffice.org is not aggressively competitive with Microsoft
Office - it's playing to match the feature matrix instead of
leapfrogging and defining new ground to fight on. That is not a
winning strategy, particularly when the stakes involve the future
of Software Freedom in the hands of users around the world.
This statement is, perhaps, not entirely true; OpenOffice has, for example,
been a big part of the push toward the Open Document Format. The open
format push has most certainly shifted the battle, to the point that even
Microsoft has had to respond. Beyond that, however, it is hard to point to
a long list of new things which OpenOffice has brought to the office
productivity arena. It is mostly a good copy of that other office
application.
Critics of free software are fond of claims that the community is
restricted to imitating developments done in the proprietary world. Free
software, it is said, is not where innovation is done. To a great extent,
OpenOffice could be said to validate that claim. It is not clear that this
situation can change; OpenOffice is a large and intimidating code base
which can be hard to contribute to, and the project's mission would seem to
argue against the creation of surprising new features.
The community is not limited to OpenOffice, however. Jeff's posting
points to a weblog entry by Marc
Maurer, wherein he (by way of a large Flash file) demonstrates the
long-anticipated collaborative editing addition to AbiWord. Authors,
connected by the net, can simultaneously work on the same document and see
each others' changes as they happen. Now every document can be written by
committee, a process known to produce superior results.
Seriously, however, there are clear advantages to being able to work in
this mode. Perhaps the tiresome process of sending document files around
as attachments and trying to integrate changes from others could eventually
fade away. And the world has shown, many times, that if people are given
new ways to communicate and work together, they will do surprising things
with that capability. So this addition to AbiWord (hopefully due to show
up in the 2.6 release) is a welcome step forward.
Meanwhile, the KDE project recently held a "GUI and functionality design
competition" for KOffice 2. the results of
this competition have now been posted; they show that a number of smart
people are thinking about where KOffice could go from here. The winning
entry [PDF] from Martin Pfeiffer takes a long look at how people work
with documents. His ideas, if realized, could take much of the tiresome
clicking out of the editing process and make the task of putting together
documents (especially large ones) much more straightforward and fun.
The fact that much effort in the free software community has gone into the
replication of features available elsewhere is not particularly
surprising. If one wants to build a user community for a software package,
one is well advised to provide the capabilities that the target users have
come to expect. In many areas, however, that goal has been met, and the
time has come to move into new capabilities that users do not - yet -
expect to find. By many accounts, office suites are one of those areas.
We have the capabilities that most users need; it will be fun to watch as
developers create features that users do not yet know that they need.
Comments (12 posted)
Some lessons from MythTV
Your editor's eighth-grade son was looking around for an end-of-year school
project. Fearing the alternatives (most of which seemed to involve
explosives), your editor made the logical suggestion: let's build a
MythTV box together. That project looked
like a good Linux learning project which might just yield a device which
would be useful around the house. Plus, with what he thought was expert
Linux guidance (kids are so gullible sometimes), the project couldn't
fail.
Well, it didn't fail, but it was not always clear that a successful outcome
was in the works. For the benefit of others who may be considering the
creation of such a box, here's a few things your editor learned on the way.
Do not expect it to be easy. Contemporary Linux users tend to be a
spoiled bunch. For the most part, any of thousands of programs can be
installed by way of a single package manager operation. Often these
programs come pre-configured in some sort of minimally working way;
finishing the job is just a matter of making a few tweaks. So what could
be so hard about installing MythTV? After all, there are packages for many
distributions just waiting to be used.
Even with pre-built packages, installing MythTV reminds your editor of
installing Linux back in 1993. Remember trying to come up with an XFree86
configuration file for a previously unknown monitor? MythTV is somewhat
like that. There's a great deal of configuration to perform, and a lot of
parameters to tweak. Get one wrong, and the whole thing fails in
mysterious ways. Anybody who is not up for a long setup experience would
be well advised to stick with simpler tasks - like writing new sendmail
rulesets.
Choose your hardware with care. MythTV requires a fairly strong
system in general; it's not a suitable application for that Pentium 100
system gathering dust in the basement. A capable (but supported!) video
card is required. Then, there is the issue of choosing a TV card.
Your editor, after some digging, stumbled across the pcHDTV HD3000 tuner
card. It had a number of seemingly nice features, such as the ability to
tune in high-definition TV broadcasts while avoiding obvious obnoxious
misfeatures - broadcast flag compliance, for example. What won your
editor's heart, however,
was the statement that, while Linux was supported, Windows drivers were not
available. How could a card which supported only Linux fail to work?
And it does work, once one gets it configured correctly. That involves
tracking down the firmware and putting it in the right place, ensuring that
the correct modules get loaded (something that doesn't seem to happen by
default), and going through a
lengthy process of figuring out which stations can actually be tuned
and carefully instructing MythTV to avoid all the others. That last step,
incidentally, requires a development version of the dvb-apps package
obtained from CVS. Then
one finds out that, in order to cope with a high-definition signal, one needs
a seriously fast processor; that 1.8GHz Athlon you have gathering dust in
the basement just won't cut it. Meanwhile, getting plain old,
low-resolution TV out of the card, while said to be possible, has proved to
be a challenge in real life.
Expect pitfalls. One of the many MythTV configuration screens is
for setting up the TV card(s). One of the options given there is
the pcHDTV HD3000. Every day, some well-meaning MythTV user probably tells
the system that his or her pcHDTV HD3000 is a pcHDTV HD3000, while a
hundred experienced users, if they only knew, would be shouting "NO, YOU
FOOL! It's a trap!" at the top of their lungs. This poor user is heading
for some significant pain; MythTV will never work in that configuration.
As the battle-hardened veterans know, an HD3000 card should be configured
as a DVB device (described in the
documentation as "a video standard primarily found in Europe"). Then
it will work. One can only imagine a legion of sadistic MythTV hackers
leaving the pcHDTV-HD3000 option on the menu as a way of ensuring that
beginning users spend more time staring at Google than watching TV.
The allegedly easy path isn't necessarily so. Part of the work plan
involved researching the best distribution for the creation of a MythTV
box. What better way for an eighth grader to learn about how Linux systems
are created? He quickly settled on KnoppMyth, which comes
with claims like:
KnoppMyth can be installed in as little as 10 minutes (depending
upon your hardware speed) then all you have to wait for is the
first week of TV scheduling to be downloaded. If all your hardware
is supported under Linux, you may not have to edit any
configuration files.
Why bother with anything else when you can get all of the pieces off a
single disk?
KnoppMyth does not appear to be a project which receives a great deal of
development time; the 5.0 release has been in the works for quite a while.
A number of the download links on the main page are dead. It still uses
version 0.18 of MythTV.
More to the point, however: while one may not have to edit configuration
files, nothing gets one out of the need to go through a couple dozen MythTV
setup and configuration screens. There are dozens of operating parameters
to tweak. TV cards must be set up. A separate step is required to set up
video sources. Yet another step exists just to connect the configured TV
cards with the configured video sources. Then there's the set of channel
configuration screens. One has to figure out where the
programming information will come from and set that up. Then one has to
actually make the resulting combination work - something your editor never
succeeded in doing.
Among other things, KnoppMyth did not set up the video card (a Radeon
9250-based card) correctly in its XFree86-based graphics system, with the
result that the XVideo extension was
not available. Suffice to say that MythTV (along with lower-level tools
like mplayer) is not happy without XVideo.
So your editor dumped the whole mess and installed Fedora Core 4,
which had no trouble figuring out the video configuration. The excellent
Fedora Myth(TV)ology
document made most of the rest of the setup relatively easy - modulo
the level-60 secret incantations required to make the HD3000 work properly.
Don't expect it to tell you anything.. The MythTV setup program
will not work properly if the MythTV backend daemon is running. But it
won't check for said daemon, and it won't say why it is failing. MythTV
has a built-in logging system with eight log levels, but your editor has
yet to find anything of interest there. Other things just fail silently,
with no indication of why, for example, an attempt to watch TV in real time
yields a black screen for ten seconds before returning to the menu.
In summary: MythTV may have a lot of things to recommend it, but
there is some work to be done to make it installable by normal people.
Today's MythTV reminds your editor of installing early Slackware releases:
a long and fiddly process with the occasional trap to avoid. The Linux
installation problem has been nicely solved; if the target hardware is
supported, putting together a Linux system to use that hardware is usually
a straightforward task. What has been done for Linux as a whole can
certainly be done for MythTV. Until it has been done, MythTV is likely to
be inaccessible to many who would like to use it.
Having written the summary, your editor would like to briefly touch on two
other lessons.
It's seriously cool. Once the system works, it does just what it is
claimed to do. It can watch and record television, skip over
advertisements, move around quickly in the program, handle multiple tuners,
juggle conflicting recording schedules, work with a wide variety of remote
controls, browse the web, play games, etc. Packaged in a suitably powerful
and quiet box, MythTV could be a welcome part of one's larger entertainment
complex.
We may not be able to build MythTV boxes for much longer. The
capabilities provided by MythTV go against everything the Powers That Be in
the entertainment industry want us to have. As they continue to push for hostile
legislation and DRM-encumbered hardware, they will eventually make the
creation of a MythTV box impossible. Hardware which can tune in tomorrow's
signals, and which makes the result available to software that doesn't know
the secret handshakes, will be unavailable. MythTV is a powerful - if
rough-edged - tool; it's how access to video programming should be. It
would be a shame if MythTV were to smooth out the setup experience, only to
be obliterated by legal systems worldwide.
Comments (27 posted)
Page editor: Jonathan Corbet
Security
An introduction to Elliptic Curve Cryptography
March 8, 2006
This article was contributed by Jake Edge.
Elliptic Curve Cryptography (ECC) has been gaining momentum as a replacement
for RSA public key cryptography largely based on its efficiency, but also
because the US National Security Agency (NSA) included
it, while excluding RSA, from its
Suite
B cryptography recommendations. Suite B is a set of algorithms that the
NSA recommends for use in protecting both classified and unclassified
US government information and systems.
Public key cryptography is the basis for tools like ssh as well as Secure
Sockets Layer (SSL) for encrypting web traffic.
For readers who would like more information, a nice introduction to
public key
cryptography and the
RSA algorithm can be found on
Wikipedia.
ECC is based on some very deep
math
involving elliptic curves in a finite field. It relies on the difficulty
of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) in much
the same way that RSA depends on the difficulty of factoring the product
of two large primes. The best known method for solving
ECDLP is fully exponential, whereas the number field sieve (for factoring) is
sub-exponential. This allows ECC to use drastically smaller keys to provide
the equivalent security; a 160-bit ECC key is equivalent to a 1024-bit RSA key.
Smaller key sizes lead to faster processing, which is very interesting to
folks that are implementing encryption on small, mobile devices with limited
resources in terms of power, CPU and memory. It is also very desirable for
large web servers that will be handling many encrypted sessions. These are
the technical considerations driving adoption. The NSA's recommendation makes
it very attractive to companies that sell encryption products to the
government and many non-governmental entities will also want products
that implement ECC.
In order to use elliptic curves as part of a public key cryptosystem, both
parties must agree on a set of domain parameters that fully specify the curve
that is being used. Various groups, notably the US National Institute for
Standards and Technology (NIST) and the Standards for Efficient Cryptography
Group (SECG) have recommendations for the domain parameters to be used for
various key sizes. The Internet Engineering Task Force (IETF) also has a
draft
specification for adding ECC to SSL/TLS.
Sun Microsystems has donated ECC code to OpenSSL and the Network Security
Services (NSS) library; this allows the Apache web server and Mozilla browsers
(and many other programs) to use ECC.
Unfortunately, as with RSA before its patent expired, the ECC landscape is
littered with patent claims; some of dubious enforceability due to prior
art. Sun claims patents on ECC technology, but has provided a "patent peace"
provision in its license that states that it will not enforce its patent
claims and asks that anyone holding patents associated with the code not
enforce them against Sun.
The wild card in the ECC patent arena seems to
be Certicom which claims a large number of ECC patents and has not made a
clear statement of its intentions with regard to open source implementations.
The NSA licensed Certicom's patents for $25 million to allow them and their
suppliers to use ECC, lending some credence to at least some of the
Certicom patents.
Other companies also have
patents on various
pieces of ECC technology.
As is often the case with patents, it is well nigh impossible to determine
what the patents cover and if an implementation infringes without going to
court. Ironically, the clearest description of what is and is not patented
is an RSA Laboratories
FAQ entry:
In all of these cases, it is the implementation technique that is patented,
not the prime or representation, and there are alternative, compatible
implementation techniques that are not covered by the patents.
Of course, this is not legal advice from RSA and may or may not be how it
is interpreted by the courts. We will all have to wait and see how it
plays out if one or more of the patent holders decides to sue.
[The author wishes to thank his employer,
Privacy Networks, for sending
him to the RSA 2006 conference which inspired this article.]
Comments (7 posted)
New vulnerabilities
bmv: integer overflow
| Package(s): | bmv |
CVE #(s): | CVE-2005-3278
|
| Created: | March 2, 2006 |
Updated: | March 8, 2006 |
| Description: |
The bmv PostScript viewer has an integer overflow vulnerability.
If a specially crafted PostScript file is read by bmv, it may be
possible to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
flex: buffer overflow
| Package(s): | flex |
CVE #(s): | CVE-2006-0459
|
| Created: | March 7, 2006 |
Updated: | March 28, 2006 |
| Description: |
Chris Moore discovered a buffer overflow in a particular class of
lexicographical scanners generated by flex. This could be exploited to
execute arbitrary code by processing specially crafted user-defined
input to an application that uses a flex scanner for parsing. |
| Alerts: |
|
Comments (none posted)
freeciv: denial of service
| Package(s): | freeciv |
CVE #(s): | CVE-2006-0047
|
| Created: | March 8, 2006 |
Updated: | March 16, 2006 |
| Description: |
The freeciv "civserver" application is susceptible to a denial of service vulnerability. |
| Alerts: |
|
Comments (none posted)
initscripts: privilege escalation
| Package(s): | initscripts |
CVE #(s): | CVE-2005-3629
|
| Created: | March 7, 2006 |
Updated: | March 15, 2006 |
| Description: |
A bug was found in the way initscripts handled various environment
variables when the /sbin/service command is run. It is possible for a local
user with permissions to execute /sbin/service via sudo to execute
arbitrary commands as the 'root' user. |
| Alerts: |
|
Comments (none posted)
irssi-text: denial of service
| Package(s): | irssi-text |
CVE #(s): | CVE-2006-0458
|
| Created: | March 2, 2006 |
Updated: | March 8, 2006 |
| Description: |
irssi-text has a remote denial of service vulnerability that is caused
by incomplete verification of arguments by the DCC
ACCEPT command handler. A remote attacker can crash irssi and cause
a denial of service. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-0741
CVE-2006-0555
|
| Created: | March 2, 2006 |
Updated: | March 23, 2006 |
| Description: |
The Linux kernel has multiple vulnerabilities including
a sanity check problem with sys_mbind that can lead to a local
denial of service, an ELF vulnerability that can crash
Intel EM64T systems and an NFS client panic problem that
can be triggered by direct I/O from a local user. |
| Alerts: |
|
Comments (none posted)
Mozilla Thunderbird: remote code execution and DoS
| Package(s): | mozilla-thunderbird |
CVE #(s): | CVE-2006-0884
|
| Created: | March 3, 2006 |
Updated: | May 4, 2006 |
| Description: |
The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier
allows user-complicit attackers to bypass javascript security settings and
obtain sensitive information or cause a crash via an e-mail containing a
javascript URI in the SRC attribute of an IFRAME tag, which is executed
when the user edits the e-mail. |
| Alerts: |
|
Comments (1 posted)
WordPress: SQL injection
| Package(s): | wordpress |
CVE #(s): | |
| Created: | March 6, 2006 |
Updated: | March 8, 2006 |
| Description: |
Patrik Karlsson reported that WordPress 1.5.2 makes use of an
insufficiently filtered User Agent string in SQL queries related to
comments posting. This vulnerability was already fixed in the 2.0-series
of WordPress. |
| Alerts: |
|
Comments (none posted)
zoo: stack-based buffer overflow
| Package(s): | zoo |
CVE #(s): | CVE-2006-0855
|
| Created: | March 7, 2006 |
Updated: | March 16, 2006 |
| Description: |
Stack-based buffer overflow in the fullpath function in misc.c for zoo 2.10
and earlier allows user-complicit attackers to execute arbitrary code via a
crafted ZOO file that causes the combine function to return a longer string
than expected. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
ADOdb: PostgresSQL command injection
| Package(s): | adodb |
CVE #(s): | CVE-2006-0410
|
| Created: | February 6, 2006 |
Updated: | April 17, 2006 |
| Description: |
Andy Staudacher discovered that ADOdb does not properly sanitize all
parameters. By sending specifically crafted requests to an application
that uses ADOdb and a PostgreSQL backend, an attacker might exploit the
flaw to execute arbitrary SQL queries on the host. |
| Alerts: |
|
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2005-3352
|
| Created: | December 14, 2005 |
Updated: | May 10, 2006 |
| Description: |
Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: |
|
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
CVE #(s): | CVE-2005-4470
|
| Created: | January 6, 2006 |
Updated: | June 15, 2006 |
| Description: |
Damian Put discovered that Blender did not properly validate a 'length'
value in .blend files. Negative values led to an insufficiently sized
memory allocation. By tricking a user into opening a specially crafted
.blend file, this could be exploited to execute arbitrary code with the
privileges of the Blender user. |
| Alerts: |
|
Comments (none posted)
bluez-hcidump: buffer overflow
| Package(s): | bluez-hcidump |
CVE #(s): | CVE-2006-0670
|
| Created: | February 17, 2006 |
Updated: | March 10, 2006 |
| Description: |
A buffer overflow in l2cap.c in hcidump allows remote attackers to cause a
denial of service (crash) through a wireless Bluetooth connection via a
malformed Logical Link Control and Adaptation Protocol (L2CAP) packet. |
| Alerts: |
|
Comments (none posted)
BomberClone: remote execution of arbitrary code
| Package(s): | bomberclone |
CVE #(s): | CVE-2006-0460
|
| Created: | February 17, 2006 |
Updated: | March 14, 2006 |
| Description: |
Stefan Cornelius of the Gentoo Security team discovered multiple
missing buffer checks in BomberClone's code. By sending overly long error
messages to the game via network, a remote attacker may exploit buffer
overflows to execute arbitrary code with the rights of the user running
BomberClone. |
| Alerts: |
|
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
CVE #(s): | CVE-2005-3863
|
| Created: | December 7, 2005 |
Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
CVE #(s): | CVE-2005-4077
|
| Created: | December 8, 2005 |
Updated: | March 27, 2006 |
| Description: |
The curl file transfer utility has a buffer overflow vulnerability
in the URL authentication code. If an overly long URL is used,
a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: |
|
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
CVE #(s): | CAN-2005-0546
|
| Created: | February 23, 2005 |
Updated: | April 9, 2006 |
| Description: |
Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: |
|
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
CVE #(s): | CAN-2005-2966
|
| Created: | October 4, 2005 |
Updated: | April 6, 2006 |
| Description: |
Joxean Koret discovered that the SVG import plugin did not properly
sanitize data read from an SVG file. By tricking an user into opening
a specially crafted SVG file, an attacker could exploit this to
execute arbitrary code with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
CVE #(s): | CAN-2005-0100
|
| Created: | February 7, 2005 |
Updated: | May 15, 2006 |
| Description: |
Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could be exploited to
execute arbitrary code with the privileges of the user and the "mail"
group. |
| Alerts: |
|
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
CVE #(s): | CAN-2004-1184
CAN-2004-1185
CAN-2004-1186
|
| Created: | January 21, 2005 |
Updated: | May 27, 2006 |
| Description: |
Erik Sjölund has discovered several security relevant problems in enscript,
a program to convert ASCII text into Postscript and other formats.
Unsanitized input can cause the execution of arbitrary commands via EPSF
pipe support. Due to missing sanitizing of filenames it is possible that a
specially crafted filename can cause arbitrary commands to be executed.
Multiple buffer overflows can cause the program to crash. |
| Alerts: |
|
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
CVE #(s): | CVE-2005-4348
|
| Created: | December 20, 2005 |
Updated: | May 27, 2006 |
| Description: |
Fetchmail contains a bug which allows a malicious mail server to crash the
client by sending a message without headers. This occurs when running in
multidrop mode. |
| Alerts: |
|
Comments (none posted)
ffmpeg: buffer overflow
| Package(s): | ffmpeg |
CVE #(s): | CVE-2005-4048
|
| Created: | December 15, 2005 |
Updated: | March 17, 2006 |
| Description: |
The avcodec_default_get_buffer() function of the ffmpeg library
has a buffer overflow vulnerability. A user can be tricked into
playing a maliciously created PNG movie, allowing the attacker to
run arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CVE-2005-3186
CVE-2005-2976
CVE-2005-2975
|
| Created: | November 15, 2005 |
Updated: | March 20, 2006 |
| Description: |
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
gnupg: false positive signature verification
| Package(s): | gnupg |
CVE #(s): | CVE-2006-0455
|
| Created: | February 17, 2006 |
Updated: | March 10, 2006 |
| Description: |
Tavis Ormandy noticed that gnupg, the GNU privacy guard - a free PGP
replacement, verifies external signatures of files successfully even
though they don't contain a signature at all. See this update from the gnuPG team for more
information. |
| Alerts: |
|
Comments (2 posted)
gnutls: denial of service
| Package(s): | gnutls |
CVE #(s): | CVE-2006-0645
|
| Created: | February 13, 2006 |
Updated: | March 6, 2006 |
| Description: |
Several flaws were found in the way libtasn1 decodes DER. An attacker
could create a carefully crafted invalid X.509 certificate in such a way
that could trigger this flaw if parsed by an application that uses GNU TLS.
This could lead to a denial of service (application crash). It is not
certain if this issue could be escalated to allow arbitrary code execution. |
| Alerts: |
|
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
heimdal: privilege escalation
| Package(s): | heimdal |
CVE #(s): | CVE-2006-0582
|
| Created: | February 13, 2006 |
Updated: | March 17, 2006 |
| Description: |
A privilege escalation flaw has been found in the heimdal rsh (remote
shell) server. This allowed an authenticated attacker to overwrite
arbitrary files and gain ownership of them. |
| Alerts: |
|
Comments (none posted)
imagemagick: arbitrary command execution
| Package(s): | imagemagick |
CVE #(s): | CVE-2005-4601
CVE-2006-0082
|
| Created: | January 24, 2006 |
Updated: | March 24, 2006 |
| Description: |
Florian Weimer discovered that the delegate code did not correctly
handle file names which embed shell commands (CVE-2005-4601). Daniel
Kobras found a format string vulnerability in the SetImageInfo()
function (CVE-2006-0082). By tricking a user into processing an image
file with a specially crafted file name, these two vulnerabilities
could be exploited to execute arbitrary commands with the user's
privileges. These vulnerability become particularly critical if
malicious images are sent as email attachments and the email client
uses imagemagick to convert/display the images (e. g. Thunderbird and
Gnus). |
| Alerts: |
|
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
CVE #(s): | CAN-2003-0297
|
| Created: | February 18, 2005 |
Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client. An attacker
could create a malicious IMAP server that if connected to by a victim could
execute arbitrary code on the client machine. |
| Alerts: |
|
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2005-3732
|
| Created: | December 1, 2005 |
Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote
denial of service vulnerability in the racoon daemon.
If racoon is running in aggressive mode, it fails to check all peer
payloads during
When the daemon the IKE negotiation phase, allowing a malicious peer
to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: heap overflow
| Package(s): | kdelibs |
CVE #(s): | CVE-2006-0019
|
| Created: | January 19, 2006 |
Updated: | March 17, 2006 |
| Description: |
Konqueror's kjs JavaScript interpreter engine has a heap overflow
vulnerability. Specially crafted JavaScript code could be placed on
a web site, leading to arbitrary code execution.
Other kde applications are also subject to this vulnerability. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-3356
CVE-2005-4605
CVE-2005-4618
CVE-2005-4639
CVE-2006-0095
CVE-2006-0096
|
| Created: | January 18, 2006 |
Updated: | March 7, 2006 |
| Description: |
The latest set of kernel vulnerabilities includes:
- A reference counting bug in sys_mq_open(), exploitable by a local user to crash the kernel. (CVE-2005-3356)
- A misuse of signed data types in /proc, potentially providing read access to random kernel memory. (CVE-2005-4605)
- An off-by-one error in sysctl(), with the potential for arbitrary code execution. (CVE-2005-4618)
- A buffer overflow in the TwinHan DST
Frontend/Card DVB driver; potential code execution. (CVE-2005-4639)
- A potential key disclosure in dm-crypt. (CVE-2006-0095)
- Missing capability check could (maybe) allow arbitrary users to load new firmware into SDLA WAN cards. (CVE-2006-0096)
|
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-2709
CVE-2005-2973
CVE-2005-3055
CVE-2005-3180
CVE-2005-3271
CVE-2005-3272
CVE-2005-3273
CVE-2005-3274
CVE-2005-3275
CVE-2005-3276
|
| Created: | November 22, 2005 |
Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending an "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited to a Denial of Service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packages. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ngidis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in the
sys_get_thread_area(). The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276) |
| Alerts: |
|