Novell goes for the desktop
Novell took advantage of CeBIT to send out an advance announcement for the
upcoming SUSE Linux Enterprise Desktop (SLED) release. SLED has the
potential to be a relatively interesting
distribution, and not just because Novell has backed off and restored the
SUSE name. If things go well, SLED might just yet help 2006 to be the year
of Linux on the desktop - for real, this time. But we will have to wait
until the (northern hemisphere) summer before we can actually get our hands
on this distribution.
Desktop Linux efforts are not new by any means. Mandriva got its start as
an effort to add better desktop support to the Red Hat Linux distribution.
Companies like Corel, Xandros, Linspire, and others have created
commercially-supported Linux desktop offerings. While some of those
distributions have found some success, none of them have taken the
corporate desktop by storm. So it does not require a particularly cynical
observer to wonder just why Novell's attempt is destined to be any
different.
Whether SLED will ultimately be successful remains to be seen. But Novell
is doing some things differently, as a result of past experience and the
resources that the company is able to bring to the problem. Even if SLED
fails in the market, it will have succeeded in advancing the state of the
art and highlighting what really needs to be done to bring about
corporate desktop conversions.
Part of Novell's recipe is plain old hard work. From the press release:
Novell conducted hundreds of distinct usability tests and shot
almost 1,500 hours of user interaction video that it used to aid
the design of SUSE Linux Enterprise Desktop. Each feature of SUSE
Linux Enterprise Desktop, such as setting desktop preferences,
finding files, launching applications, using external devices like
USB memory sticks, working with the Internet, and connecting to
local and wireless networks, was rigorously tested and refined for
usability to ensure the best possible performance in a business
environment.
Much of this work has been posted to the Better
Desktop Project site. When it comes to human factors, there is no
substitute for watching people struggle with a program and seeing just
where things go wrong. This is especially true if one is trying to create
a system which is highly approachable for new users. Assuming Novell's
developers pay attention to the lessons from this work, the result should
be a system which is easier to use.
Novell then throws in some eye candy in the form of its XGL work. Solid
support for (some) 3D cards should lead to a desktop with some real visual
appeal. For many, a slicker desktop may be the final piece which pushes
them toward acceptance of a Linux-based system.
For those with more practical concerns, Novell's GroupWise is,
unsurprisingly, well supported. Novell has also added support for
Microsoft Visual Basic macros in OpenOffice.org 2.0. Support for macros
has been one of the big stumbling blocks for those looking to exchange
documents with heavy Office users. VBA macro support is part of the ooo-build
fork, but has not yet found its way into the OpenOffice.org mainline.
Novell's work in integrating this support should help to push this feature
forward for all users - once Novell releases the code.
Recent experience shows that Novell might be just a little slow to do that
- though the release will certainly happen at some point. Novell is, in
general, taking a very competitive approach to its Linux releases. And,
while Novell is clearly interested in competing with Microsoft, it is also
putting an emphasis on standing out from the other Linux distributions.
So being the first distribution with important new features has become an
important selling point for Novell.
This push may make the competition between distributors a little less
friendly, but that has been due to happen for some time anyway. With luck,
it will also lead to better and faster progress in the area of desktop
Linux, with the improved code finding its way to all users.
Comments (7 posted)
Ethereal and security
When Coverity released its first set of results from its defect scanning of
a number of free software projects, the
Ethereal protocol analyzer turned up with
one of the lowest defect densities of all. Your editor, when posting the
initial results, commented that the low defect density did not seem
entirely consistent with the rather high density of security advisories
for Ethereal. That comment did not sit well with the Ethereal developers,
with one observing that "The article reads as if it was written by an
amateur, not a professional with a proper grasp of sentence structure."
Oh, well, your editor never claimed to be a "professional."
The original comment was unnecessary, however, and apologies are offered.
In an attempt to make amends, your editor decided to take a closer look at
Ethereal and its approach to security. What much of the world sees is a
long list of security advisories and little else; if there is a larger
story, it has not been told outside of the developers' lists. As it turns
out, there is, indeed, a larger story.
The list of Ethereal security advisories is indeed long. The six
advisories issued in 2005 enumerate 105 different
security-related bugs, a number of which are of the form "several dissectors
will do something unpleasant in these circumstances." There are 23
different CVE numbers cited. The Ethereal security page gives a
number of suggestions for running Ethereal in a more secure way (don't run
as root, use something like tcpdump to capture packets, etc.), and notes
that "The Ethereal developers agree that the current situation isn't
actually satisfying." Your editor, it seems, is not entirely alone
in noting that some security issues may exist with Ethereal.
Ethereal has a couple of special challenges. One is that it must deal
directly with arbitrary data which may have been specially generated by
hostile parties. Any set of bits can come off a network, and Ethereal must
do the right thing with it; most applications, instead, receive a cleaner
and more controlled input stream from the outside. Ethereal also must deal
with a wide variety of packet types, which leads to the inclusion of a
large library of protocol-specific "dissectors." These dissectors bear
some resemblance to device drivers in an operating system kernel: they are
specialized, written by a diverse group of authors, and can be hard for
others to review and test. And, as with drivers in the kernel, dissectors
are the source of a large percentage of Ethereal bugs.
Ethereal vulnerabilities can also be serious. While problems in packages
like cube, zoo, or tetex are very much worth
fixing, the chances of systems being compromised by those vulnerabilities
are relatively small. Ethereal, however, is a tool used by system and
network administrators. Known vulnerabilities in Ethereal can be used to
compromise an administrator's system; all that is required is the injection
of a suitably-crafted packet onto a network where Ethereal is running. So
Ethereal vulnerabilities could be especially attractive to an attacker with
a specific target. This fact can be driven home by doing a quick search
for Ethereal exploits; a number have been posted over the years.
So the Ethereal developers clearly need to keep security in mind. The good
news is that they seem to be doing exactly that. While some of the
vulnerabilities disclosed in 2005 were found by outside parties, the vast
majority of them were turned up by the Ethereal hackers themselves. The
developers, it seems, are putting some significant effort into finding
problems before hostile outsiders do. This
activity nicely explains both the large number of advisories and the small
number of defects in the current Ethereal code base.
Clearly, the right kind of work is being done. Here (from the Ethereal security
development page) are some of the things the Ethereal developers are
doing to improve the security of their project:
- Fuzz testing. As
has been discovered in many applications, the feeding of random data
to a program can turn up all kinds of interesting behavior. Ethereal
has a "randpkt" utility which feeds entirely random data to the
system. There is also an "editcap" program which introduces random
corruption into files containing streams of real packets. Any
dissector which is not truly paranoid about the data contained in the
packets presented to it will eventually be caught out by a fuzzed
packet.
- Automatic code generation. Rather than hand-crafting code to deal
with the structure of every packet type, the project is looking at
generating dissector code from a description of the packet format.
Once the code generator has been verified as safe, the resulting
dissectors should be much more solid. Code generation is being used
in a number of projects (Samba 4, for example) to produce better
code in less time; Ethereal is machine generating some of its
dissectors now, with an eye toward generating most or all of them at
some point in the future.
- Various changes aimed at avoiding dangerous code. These include core
API changes to make certain kinds of errors harder to create. The
tvbuff abstraction, for example, allows a portion of a packet
to be passed to a dissector and catches any attempts to access data
outside of that area. The Ethereal developers are also making a
(somewhat belated) effort to stop using dangerous C library functions
like sprintf() and strcat().
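As an added illustration of the tvbuff idea and of fuzzing (example code written for this article, not Ethereal's own): a bounded view over packet bytes whose accessors refuse any out-of-range access, a dissector that indexes the buffer directly beside one that only reads through the view, and a randpkt-style loop that throws pseudo-random packets at the checked dissector. The TLV packet layout and the sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Bounded view over packet bytes: reads go through accessors that check the
 * range first (the idea behind Ethereal's tvbuff abstraction). */
typedef struct {
    const uint8_t *data;
    size_t len;
} tvb_t;

/* 0 if [off, off+n) lies inside the view, -1 otherwise; off+n cannot wrap. */
int tvb_bytes_exist(const tvb_t *tvb, size_t off, size_t n)
{
    return (off <= tvb->len && n <= tvb->len - off) ? 0 : -1;
}

int tvb_get_uint8(const tvb_t *tvb, size_t off, uint8_t *out)
{
    if (tvb_bytes_exist(tvb, off, 1) < 0) return -1;
    *out = tvb->data[off];
    return 0;
}

/* Sub-view limited to [off, off+n): code handed this view cannot reach bytes
 * of the parent that lie outside it. */
int tvb_new_subset(const tvb_t *parent, size_t off, size_t n, tvb_t *out)
{
    if (tvb_bytes_exist(parent, off, n) < 0) return -1;
    out->data = parent->data + off;
    out->len = n;
    return 0;
}

/* Constructed format: elements of (type: 1 byte, length: 1 byte, value: "length"
 * bytes). Unchecked dissector, for contrast only and never called here: it
 * trusts the length byte and so reads past the end of a truncated packet. */
int dissect_tlv_unchecked(const uint8_t *pkt, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint8_t l = pkt[off + 1];   /* no check that off + 1 < len */
        off += 2 + (size_t)l;       /* no check that the value fits */
        count++;
    }
    return count;
}

/* Checked dissector: every read goes through the view, so a truncated
 * element yields -1 instead of an out-of-bounds access. */
int dissect_tlv_checked(const tvb_t *tvb)
{
    size_t off = 0;
    int count = 0;
    while (off < tvb->len) {
        uint8_t type, l;
        tvb_t value;
        if (tvb_get_uint8(tvb, off, &type) < 0 ||
            tvb_get_uint8(tvb, off + 1, &l) < 0 ||
            tvb_new_subset(tvb, off + 2, l, &value) < 0)
            return -1;              /* malformed: report, do not overread */
        off += 2 + (size_t)l;
        count++;
    }
    return count;
}

/* randpkt-style fuzzing: feed the checked dissector pseudo-random packets; it
 * must always return a count or -1. Returns how many packets were rejected. */
int fuzz_checked(unsigned seed, int iterations)
{
    uint8_t buf[64];
    int rejected = 0;
    srand(seed);
    for (int i = 0; i < iterations; i++) {
        size_t n = (size_t)(rand() % (int)sizeof buf) + 1;
        for (size_t j = 0; j < n; j++)
            buf[j] = (uint8_t)rand();
        tvb_t tvb = { buf, n };
        if (dissect_tlv_checked(&tvb) < 0)
            rejected++;
    }
    return rejected;
}

/* Constructed samples: a well-formed packet with two elements, and one whose
 * second element claims 16 value bytes but carries only one. */
int demo_well_formed(void)
{
    static const uint8_t pkt[] = { 0x01, 0x02, 0xaa, 0xbb, 0x02, 0x00 };
    tvb_t tvb = { pkt, sizeof pkt };
    return dissect_tlv_checked(&tvb);   /* 2 */
}

int demo_truncated(void)
{
    static const uint8_t pkt[] = { 0x01, 0x02, 0xaa, 0xbb, 0x02, 0x10, 0xcc };
    tvb_t tvb = { pkt, sizeof pkt };
    return dissect_tlv_checked(&tvb);   /* -1 */
}
```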
Throw in techniques like privilege separation and good, old-fashioned code
review, and the result should be a relatively secure package. Perfect
security is hard to come by, and Ethereal users should still stay on top of
their updates. But the Ethereal developers appear to have a handle on the
problem and are trying to do the right things. If all free software
projects took security as seriously, our systems would be rather more
solid.
Comments (24 posted)
Another round of changes at Mandriva
Back in July, 1998, LWN received a message from Gaël Duval announcing the
first Linux-Mandrake release. This new
distribution was a reworked version of the Red Hat 5.1 GPL release with
KDE 1.0 (then not well supported by Red Hat) integrated. It was
intended to be an easy to use, desktop-oriented distribution.
Linux-Mandrake was also a classic case of an itch being scratched:
Gaël put together the distribution he wished he had, released it onto
the net, and immediately departed on vacation. The response he found on
his return was rather beyond his expectations.
Shortly thereafter, MandrakeSoft was founded in an attempt to build a
business around Linux-Mandrake. The story since then has been a series of
ups and downs.
The Linux bubble hit MandrakeSoft harder than many
other companies; when the bottom fell out, MandrakeSoft found itself with a
heavy load of expenses, an externally-imposed management team which had
little interest in community or the Mandrake distribution, and a rapidly
shrinking bank account. After going into bankruptcy, dumping the managers,
and refocusing on its real customers, MandrakeSoft actually managed to turn
a small profit. Last year, MandrakeSoft acquired Conectiva and renamed
itself Mandriva.
On March 7, the company released its
first quarter results, which clearly show that Mandriva is not, yet,
out of the woods. These results are, as described by the report,
"disappointing." Mandriva is no longer making a profit; instead, the
company shows a €590,000 loss. Revenue is nearly flat from one year
ago, despite the acquisition of Conectiva in the meantime.
So why is Mandriva hurting again? The report gives a number of reasons,
including "slower than expected" revenue from OEM contracts, fewer retail
sales, money spent on execution of large enterprise accounts, and higher
marketing costs. The drop in retail sales is blamed on the spread of
broadband Internet connections, which may be partially true. But the
availability of other desktop-friendly, free distributions has also grown,
and some of those alternatives are quite good. If Mandriva wants to
continue to sell individual boxes with Linux disks, it needs to offer
something which is clearly better. Mandriva's recent releases have not
been that much better.
Mandriva is responding to these results in a number of ways. Cost cutting
will be a necessary part of that response. From the report, it seems that
Mandriva is engaging in some belated reduction of redundancies caused by
the Conectiva acquisition. Unfortunately, it seems that engineering is one
place where the company feels over-staffed at the moment, so a number of
developers have been let go. So Mandriva's participation in community
development, already much reduced from its early years, will shrink again.
The company has also laid off Gaël Duval, the person who got the whole
thing started. Jacques Le Marois, another founder of MandrakeSoft, is also
on the way out. This company, it seems, is now completely disconnected from
its origins.
The report notes that "enterprise services" saw a big increase over the
quarter, to the point that they account for 42% of total sales. So
"enterprise" appears to be the company's direction for the future. To that
end, Mandriva has been working on an administrative tool called "Pulse"
which, it is said, will be released in the near future. There is a new
distribution for individuals in the works; it will be called "Mandriva
One." But this distribution almost looks like an afterthought.
The enterprise market may be where the money is, but there is some
competition there too. As Mandriva aims for the corporate clients, it will
be running up against Red Hat and Novell, and, to an extent, against the
corporate services offered by companies like IBM, HP, and others. Mandriva
looks like a bit of an underdog in that crowd. Underdogs can be
successful, but their life is not always easy. In response to pressures
from this market, Mandriva seems likely to move further away from its
community roots. It is telling, in that regard, that Mandriva's reports no
longer mention the Mandriva Club, which was once an important part of the
company's business.
Mandriva moved away from its community roots once before, and things did
not go particularly well. One can only hope that the prospects are better
this time around.
Comments (11 posted)
Page editor: Jonathan Corbet
Security
GPG signature verification trouble
Keeping secrets is only one of the applications of encryption technology.
Another useful thing that can be done with cryptographic algorithms is
signing of documents. Once something has been signed with an appropriate
private key, anybody with access to the corresponding public key can
confirm that (1) the document originated with the holder of the
private key, and (2) that document has not been modified by anybody
since it was signed. Thus, public-key signatures can add a level of
assurance to ordinary communications; they can also play a crucial part in
the creation of legally binding communications or contracts.
All of this depends on the signature mechanism working as advertised,
however. So a couple of recently discovered bugs in GnuPG are a little
disconcerting.
The first problem was discovered by the
Gentoo project in February. The GnuPG tools which perform signature
verification did not always set their exit code properly. So any program
which used GnuPG to automatically verify signatures, and which relied
solely on the exit code (which is not the recommended mode of operation,
but which should work) could accept a signature which failed to verify. Thus,
for example, a script which automatically downloads and installs package
updates could be fooled into installing a third-party package. This
problem was fixed in GnuPG version 1.4.2.1.
As part of its response to this bug, the GnuPG developers took a closer
look at the signature verification code. There, they found a rather more
serious vulnerability: GnuPG can fail to detect
injected data. In particular, when attached signatures are being used,
arbitrary data can be added to the beginning or the end of the text, and
GnuPG will fail to detect the change. This problem is fixed in version
1.4.2.2; all prior versions are vulnerable.
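As an added example (written for this article, not GnuPG's own code) of what a calling script should look at instead of the bare exit code: a scanner for the machine-readable lines GnuPG writes with --status-fd, which accepts a verification only when exactly one good, valid signature from the expected key appears and no failure line does. The status streams, key ids and fingerprints below are constructed placeholders; and since the injected-data problem described above concerns attached signatures, a caller that verifies a detached signature over the whole file (gpg --status-fd 1 --verify file.sig file) sidesteps it.

```c
#include <string.h>

/* Counts gathered from one GnuPG status stream ("gpg --status-fd 1 --verify
 * file.sig file" writes lines of the form "[GNUPG:] KEYWORD args..."). */
typedef struct {
    int goodsig;    /* GOODSIG lines */
    int validsig;   /* VALIDSIG lines whose fingerprint is the expected one */
    int othersig;   /* VALIDSIG lines from some other key */
    int failure;    /* BADSIG, ERRSIG, NODATA, NO_PUBKEY, EXPKEYSIG, REVKEYSIG */
} sigscan_t;

/* True if kw starts with name followed by a space or end of line. */
static int kw_is(const char *kw, const char *name)
{
    size_t n = strlen(name);
    return strncmp(kw, name, n) == 0 && (kw[n] == ' ' || kw[n] == '\0');
}

/* Scan the status stream; the keywords are those documented in GnuPG's
 * doc/DETAILS, and only the ones that decide a verification are examined. */
void scan_status(const char *status, const char *expected_fpr, sigscan_t *r)
{
    const char *p = status;
    memset(r, 0, sizeof *r);
    while (*p) {
        char line[512];
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        if (n >= sizeof line)
            n = sizeof line - 1;            /* over-long line: keep its head */
        memcpy(line, p, n);
        line[n] = '\0';
        p = eol ? eol + 1 : p + strlen(p);  /* advance past the whole line */

        if (strncmp(line, "[GNUPG:] ", 9) != 0)
            continue;                       /* not a status line */
        const char *kw = line + 9;
        if (kw_is(kw, "GOODSIG")) {
            r->goodsig++;
        } else if (kw_is(kw, "VALIDSIG")) {
            const char *fpr = kw + 8;       /* first argument: signing key fpr */
            while (*fpr == ' ')
                fpr++;
            size_t flen = strcspn(fpr, " ");
            if (flen == strlen(expected_fpr) && strncmp(fpr, expected_fpr, flen) == 0)
                r->validsig++;
            else
                r->othersig++;
        } else if (kw_is(kw, "BADSIG") || kw_is(kw, "ERRSIG") || kw_is(kw, "NODATA") ||
                   kw_is(kw, "NO_PUBKEY") || kw_is(kw, "EXPKEYSIG") || kw_is(kw, "REVKEYSIG")) {
            r->failure++;
        }
    }
}

/* Accept only when gpg exited 0 AND the status stream shows exactly one good,
 * valid signature from the expected key and no failure line at all. */
int signature_accepted(int exit_code, const char *status, const char *expected_fpr)
{
    sigscan_t r;
    if (exit_code != 0)
        return 0;
    scan_status(status, expected_fpr, &r);
    return r.failure == 0 && r.othersig == 0 && r.goodsig == 1 && r.validsig == 1;
}

/* Constructed status streams; key ids and fingerprints are placeholders. */
#define FPR "PLACEHOLDER_FINGERPRINT_OF_EXPECTED_KEY"

int demo_good(void)                 /* 1: accepted */
{
    return signature_accepted(0,
        "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
        "[GNUPG:] VALIDSIG " FPR " 2006-03-13 1142208000 0 3 0 17 2 00 " FPR "\n"
        "[GNUPG:] TRUST_ULTIMATE\n", FPR);
}

int demo_badsig_exit_zero(void)     /* 0: a zero exit code alone proves nothing */
{
    return signature_accepted(0,
        "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>\n", FPR);
}

int demo_wrong_key(void)            /* 0: a valid signature, but not from our key */
{
    return signature_accepted(0,
        "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.org>\n"
        "[GNUPG:] VALIDSIG PLACEHOLDER_FINGERPRINT_OF_ANOTHER_KEY 2006-03-13 1142208000 0 3 0 17 2 00\n",
        FPR);
}

int demo_no_signature(void)         /* 0: nothing was signed at all */
{
    return signature_accepted(0, "[GNUPG:] NODATA 1\n", FPR);
}
```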
The fact that this vulnerability was able to persist for so long is a bit
discouraging. Code like GnuPG is (one hopes!) subject to a relatively high
degree of review. The developers want to be sure that the system they ship
is secure, and outside researchers have plenty of reasons for wanting to
find holes. But, despite this review, a fairly large hole remained in the
code for years. The sad fact is that, while code review can help to find
problems, it is not enough.
Comments (9 posted)
New vulnerabilities
libapreq2: algorithm weakness
| Package(s): | libapreq2-perl apache2 |
| CVE #(s): | CVE-2006-0042 |
| Created: | March 14, 2006 |
| Updated: | April 18, 2006 |
| Description: | An algorithm weakness has been discovered in Apache2::Request, the generic request library for Apache2, which can be exploited remotely to cause a denial of service via CPU consumption. |
Comments (5 posted)
crossfire: arbitrary code execution
| Package(s): | crossfire |
| CVE #(s): | CVE-2006-1010 |
| Created: | March 14, 2006 |
| Updated: | April 24, 2006 |
| Description: | It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in "oldsocketmode", which may possibly lead to the execution of arbitrary code. |
Comments (none posted)
cube: multiple vulnerabilities
| Package(s): | cube |
| CVE #(s): | CVE-2006-1100, CVE-2006-1101, CVE-2006-1102 |
| Created: | March 13, 2006 |
| Updated: | March 14, 2006 |
| Description: | Luigi Auriemma reported that Cube is vulnerable to a buffer overflow in the sgetstr() function (CVE-2006-1100) and that the sgetstr() and getint() functions fail to verify the length of the supplied argument, possibly leading to the access of invalid memory regions (CVE-2006-1101). Furthermore, he discovered that a client crashes when asked to load specially crafted mapnames (CVE-2006-1102). |
Comments (none posted)
gnupg: incorrect signature verification
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-0049 |
| Created: | March 13, 2006 |
| Updated: | May 15, 2006 |
| Description: | Another vulnerability has been found in GnuPG. "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data." |
Comments (none posted)
kpdf: insufficient patching
| Package(s): | kpdf kdegraphics |
| CVE #(s): | CVE-2006-0746 |
| Created: | March 14, 2006 |
| Updated: | March 17, 2006 |
| Description: | Certain patches for kpdf do not include all relevant patches from xpdf that were associated with CVE-2005-3627. See this advisory for details. |
Comments (1 posted)
libcrypt-cbc-perl: programming error
| Package(s): | libcrypt-cbc-perl |
| CVE #(s): | CVE-2006-0898 |
| Created: | March 13, 2006 |
| Updated: | March 17, 2006 |
| Description: | Lincoln Stein discovered that the Perl Crypt::CBC module produces weak ciphertext when used with block encryption algorithms with blocksize > 8 bytes. |
Comments (none posted)
lurker: several vulnerabilities
| Package(s): | lurker |
| CVE #(s): | CVE-2006-1062, CVE-2006-1063, CVE-2006-1064 |
| Created: | March 14, 2006 |
| Updated: | March 14, 2006 |
| Description: | Several security related problems have been discovered in lurker, an archive tool for mailing lists with an integrated search engine. Lurker's mechanism for specifying configuration files was vulnerable to being overridden; as lurker includes sections of unparsed config files in its output, an attacker could manipulate lurker into reading any file readable by the www-data user (CVE-2006-1062). It is possible for a remote attacker to create or overwrite files in any writable directory that is named "mbox" (CVE-2006-1063). Missing input sanitizing allows an attacker to inject arbitrary web script or HTML (CVE-2006-1064). |
Comments (none posted)
Ubuntu installer: plain text passwords in log file
| Package(s): | base-config passwd |
| CVE #(s): | |
| Created: | March 13, 2006 |
| Updated: | March 14, 2006 |
| Description: | Karl Øie discovered that the Ubuntu 5.10 installer failed to clean passwords in the installer log files. Since these files were world-readable, any local user could see the password of the first user account, which has full sudo privileges by default. |
Comments (none posted)
webcalendar: multiple vulnerabilities
| Package(s): | webcalendar |
| CVE #(s): | CVE-2005-3949, CVE-2005-3961, CVE-2005-3982 |
| Created: | March 15, 2006 |
| Updated: | May 15, 2006 |
| Description: | The PHP-based webcalendar package suffers from three vulnerabilities: a set of SQL injection problems (CVE-2005-3949), an input sanitizing failure allowing local files to be overwritten (CVE-2005-3961), and a response splitting vulnerability (CVE-2005-3982). |
Comments (none posted)
zoph: SQL injection vulnerability
| Package(s): | zoph |
| CVE #(s): | CVE-2006-0402 |
| Created: | March 9, 2006 |
| Updated: | March 14, 2006 |
| Description: | The Zoph web-based photo management system has an SQL injection vulnerability. Insufficient input sanitization in the photo searching code can be used by an attacker for an SQL injection attack. |
Comments (none posted)
Updated vulnerabilities
ADOdb: PostgreSQL command injection
| Package(s): | adodb |
| CVE #(s): | CVE-2006-0410 |
| Created: | February 6, 2006 |
| Updated: | April 17, 2006 |
| Description: | Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host. |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
| CVE #(s): | CVE-2005-4470 |
| Created: | January 6, 2006 |
| Updated: | June 15, 2006 |
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. |
Comments (none posted)
bluez-hcidump: buffer overflow
| Package(s): | bluez-hcidump |
| CVE #(s): | CVE-2006-0670 |
| Created: | February 17, 2006 |
| Updated: | March 10, 2006 |
| Description: | A buffer overflow in l2cap.c in hcidump allows remote attackers to cause a denial of service (crash) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet. |
Comments (none posted)
bmv: integer overflow
| Package(s): | bmv |
| CVE #(s): | CVE-2005-3278 |
| Created: | March 2, 2006 |
| Updated: | March 8, 2006 |
| Description: | The bmv PostScript viewer has an integer overflow vulnerability. If a specially crafted PostScript file is read by bmv, it may be possible to execute arbitrary code. |
Comments (none posted)
BomberClone: remote execution of arbitrary code
| Package(s): | bomberclone |
| CVE #(s): | CVE-2006-0460 |
| Created: | February 17, 2006 |
| Updated: | March 14, 2006 |
| Description: | Stefan Cornelius of the Gentoo Security team discovered multiple missing buffer checks in BomberClone's code. By sending overly long error messages to the game via network, a remote attacker may exploit buffer overflows to execute arbitrary code with the rights of the user running BomberClone. |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e.g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2005-4077 |
| Created: | December 8, 2005 |
| Updated: | March 27, 2006 |
| Description: | The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access. |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
| CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 |
| Updated: | April 6, 2006 |
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
| CVE #(s): | CVE-2005-4348 |
| Created: | December 20, 2005 |
| Updated: | May 27, 2006 |
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. |
Comments (none posted)
ffmpeg: buffer overflow
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2005-4048 |
| Created: | December 15, 2005 |
| Updated: | March 17, 2006 |
| Description: | The avcodec_default_get_buffer() function of the ffmpeg library has a buffer overflow vulnerability. A user can be tricked into playing a maliciously created PNG movie, allowing the attacker to run arbitrary code with the user's privileges. |
Comments (none posted)
flex: buffer overflow
| Package(s): | flex |
| CVE #(s): | CVE-2006-0459 |
| Created: | March 7, 2006 |
| Updated: | March 28, 2006 |
| Description: | Chris Moore discovered a buffer overflow in a particular class of lexicographical scanners generated by flex. This could be exploited to execute arbitrary code by processing specially crafted user-defined input to an application that uses a flex scanner for parsing. |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
Comments (none posted)
freeciv: denial of service
| Package(s): | freeciv |
| CVE #(s): | CVE-2006-0047 |
| Created: | March 8, 2006 |
| Updated: | March 16, 2006 |
| Description: | The freeciv "civserver" application is susceptible to a denial of service vulnerability. |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
Comments (5 posted)
gdk-pixbuf: multiple vulnerabilities
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CVE-2005-3186
CVE-2005-2976
CVE-2005-2975
|
| Created: | November 15, 2005 |
Updated: | March 20, 2006 |
| Description: |
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment. A bug was found in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code when the file was opened by a victim.
Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened by a
victim.
Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim. |
| Alerts: | |
Comments (none posted)
gnupg: false positive signature verification
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-0455 |
| Created: | February 17, 2006 |
| Updated: | March 10, 2006 |
| Description: |
Tavis Ormandy noticed that gnupg, the GNU privacy guard (a free PGP
replacement), reports successful verification of external signatures of files
even though the signature data contains no signature at all. See this update
from the GnuPG team for more information. |
| Alerts: | |
Comments (2 posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with the user's privileges if zgrep is
run in an untrusted directory containing specially crafted file names. |
| Alerts: | |
Comments (2 posted)
heimdal: privilege escalation
| Package(s): | heimdal |
| CVE #(s): | CVE-2006-0582 |
| Created: | February 13, 2006 |
| Updated: | March 17, 2006 |
| Description: |
A privilege escalation flaw has been found in the heimdal rsh (remote
shell) server. This allowed an authenticated attacker to overwrite
arbitrary files and gain ownership of them. |
| Alerts: | |
Comments (none posted)
imagemagick: arbitrary command execution
| Package(s): | imagemagick |
| CVE #(s): | CVE-2005-4601, CVE-2006-0082 |
| Created: | January 24, 2006 |
| Updated: | March 24, 2006 |
| Description: |
Florian Weimer discovered that the delegate code did not correctly
handle file names which embed shell commands (CVE-2005-4601). Daniel
Kobras found a format string vulnerability in the SetImageInfo()
function (CVE-2006-0082). By tricking a user into processing an image
file with a specially crafted file name, these two vulnerabilities
could be exploited to execute arbitrary commands with the user's
privileges. These vulnerabilities become particularly critical if
malicious images are sent as email attachments and the email client
uses imagemagick to convert or display the images (e.g. Thunderbird and
Gnus). |
| Alerts: | |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: |
A buffer overflow flaw was found in the c-client IMAP client library. An attacker
could set up a malicious IMAP server that, if connected to by a victim, could
execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
initscripts: privilege escalation
| Package(s): | initscripts |
| CVE #(s): | CVE-2005-3629 |
| Created: | March 7, 2006 |
| Updated: | March 15, 2006 |
| Description: |
A bug was found in the way initscripts handled various environment
variables when the /sbin/service command is run. It is possible for a local
user with permissions to execute /sbin/service via sudo to execute
arbitrary commands as the 'root' user. |
| Alerts: | |
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: |
ipsec-tools has a remote denial of service vulnerability in the racoon
daemon. If racoon is running in aggressive mode, it fails to check all peer
payloads during the IKE negotiation phase, allowing a malicious peer to crash
the daemon. One should always be careful around aggressive racoons. |
| Alerts: | |
Comments (none posted)
irssi-text: denial of service
| Package(s): | irssi-text |
| CVE #(s): | CVE-2006-0458 |
| Created: | March 2, 2006 |
| Updated: | March 8, 2006 |
| Description: |
irssi-text has a remote denial of service vulnerability caused by
incomplete verification of arguments by the DCC ACCEPT command handler.
A remote attacker can crash irssi and cause a denial of service. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdelibs: heap overflow
| Package(s): | kdelibs |
| CVE #(s): | CVE-2006-0019 |
| Created: | January 19, 2006 |
| Updated: | March 17, 2006 |
| Description: |
Konqueror's kjs JavaScript interpreter engine has a heap overflow
vulnerability. Specially crafted JavaScript code could be placed on
a web site, leading to arbitrary code execution.
Other KDE applications that use kjs are also subject to this vulnerability. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: |
Kate / KWrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set, so the contents of a protected file can become readable to other local users. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2005-2709, CVE-2005-2973, CVE-2005-3055, CVE-2005-3180, CVE-2005-3271, CVE-2005-3272, CVE-2005-3273, CVE-2005-3274, CVE-2005-3275, CVE-2005-3276 |
| Created: | November 22, 2005 |
| Updated: | March 15, 2006 |
| Description: |
Al Viro discovered a race condition in the /proc file handler of
network devices. A local attacker could exploit this by opening any
file in /proc/sys/net/ipv4/conf/<interface>/ and waiting until that
interface was shut down. Under certain circumstances this could lead
to a kernel crash or even arbitrary code execution with full kernel
privileges. (CVE-2005-2709)
Tetsuo Handa discovered a local Denial of Service vulnerability in the
udp_v6_get_port() function. On computers which use IPv6, a local
attacker could exploit this to trigger an infinite loop in the kernel.
(CVE-2005-2973)
Harald Welte discovered a Denial of Service vulnerability in the USB
devio driver. A local attacker could exploit this by sending an "USB
Request Block" (URB) and terminating the sending process before the
arrival of the answer, which left an invalid pointer and caused a
kernel crash. (CVE-2005-3055)
Pavel Roskin discovered an information leak in the Orinoco wireless
card driver. When increasing the buffer length for storing data, the
buffer was not padded with zeros, which exposed a random part of the
system memory to the user. (CVE-2005-3180)
A resource leak has been discovered in the handling of POSIX timers in
the exec() function. This could be exploited for a denial of service
attack by a group of local users. (CVE-2005-3271)
Stephen Hemminger discovered a weakness in the network bridge driver.
Packets which had already been dropped by the packet filter could
poison the forwarding table, which could be exploited to make the
bridge forward spoofed packets. (CVE-2005-3272)
David S. Miller discovered a buffer overflow in the rose_rt_ioctl()
function. By calling the function with a large "ngidis" argument, a
local attacker could cause a kernel crash. (CVE-2005-3273)
Neil Horman discovered a race condition in the connection timer
handling. This allowed a local attacker to set up an expiration
handler which modified the connection list while the list was still being
traversed, which could result in a kernel crash. This vulnerability
only affects multiprocessor (SMP) systems. (CVE-2005-3274)
Patrick McHardy noticed a logic error in the network address
translation (NAT) connection tracker. A remote attacker could exploit
this by causing two packets for the same protocol to be NATed at the
same time, which resulted in a kernel crash. (CVE-2005-3275)
Paolo Giarrusso discovered an information leak in
sys_get_thread_area(). The returned structure was not properly
cleared, which exposed a small amount of kernel memory to userspace
programs. This could possibly expose confidential data.
(CVE-2005-3276) |
| Alerts: | |
Comments (2 posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-0741, CVE-2006-0555 |
| Created: | March 2, 2006 |
| Updated: | March 23, 2006 |
| Description: |
The Linux kernel has multiple vulnerabilities, including
a missing sanity check in sys_mbind() that can lead to a local
denial of service, an ELF loader vulnerability that can crash
Intel EM64T systems, and an NFS client panic that
can be triggered by direct I/O from a local user. |
| Alerts: | |