Thunderbird looks forward
The Thunderbird mail client developers have recently posted
a Thunderbird 2 page
describing the changes they anticipate for the next major release.
According to
the
roadmap, this release is expected in the "late Fall 2006" (presumably
northern hemisphere) time frame. The task list is ambitious, but perhaps
not sufficiently so.
One of the planned changes is to introduce multiple views of the folder
pane - the list of mail accounts and folders which appears on the left of
the window. Thunderbird users with vast numbers of folders would evidently
like to be able to filter the display in various ways to make the list
easier to work with. So there will be options to display "favorite"
folders, the most recently used folders, or those with unread messages.
Current Thunderbird implements "labels" for messages; the user can mark a
message as being "important," "work," "personal," "todo," or "later."
There is no facility for adding new labels, so those which might be useful
to your editor ("muchmuchlater") are not available. For 2.0, the
developers have realized that (1) any self-respecting application must
allow users to apply tags to objects, and (2) labels are really just a
form of tags. So labels will be "rebranded" as tags, and users will be
able to create their own tags. The association of colors with tags will be
possible, preserving the color-coding capability that Thunderbird has now.
Another new feature is called "improved phishing support," which, one
assumes, is not exactly what the developers intend to implement. Plans
include integrating the Firefox 2 safe
browsing extension and making use of both local and network
blacklists. There are also (unspecified) plans for improving the internal
bayesian filter for spam filtering.
Then, there are the animated new mail
alerts and a tooltip-like popup which can provide a summary of new
messages in a folder without actually opening that folder. Your editor
must confess to being unconvinced that inflicting even more little popup
windows on the desktop will truly improve the overall experience.
There are a few other things which might be nice to have on this list.
Your editor has been using Thunderbird with a (non-LWN) account for a while
now, on the notion that there must be something to these graphical
mail clients which makes them worth using. Based on this experience, he
has a few suggestions for features he would like to see implemented ahead
of animated alerts:
- The ability to configure the printing of messages - or, at a minimum,
a realization that, most of the time, there is little value in using
half a page of paper for every single header, causing even short
messages to be split between two pages.
- Some flexibility in the on-screen header display would be nice as
well. Why should it be necessary to have all headers displayed just to
see who a message was sent to?
- A provision for feeding a message to a shell command.
- Replace the confusing "Junk/Not junk" toggle with a non-modal
interface.
- In your editor's experience, the internal bayesian filter is
not as effective as it should be. Rather than try to improve it, why
not fill out Thunderbird's fledgling support for integration with
external filters? Being able to easily train SpamAssassin, say, from
Thunderbird would be a great thing.
- Make it possible to send plain text (such as a patch)
without having to go through strange
rituals to keep it from being reformatted.
- Cause Thunderbird to not send HTML mail by default.
- Somewhere along the way, a bit of attention to reducing Thunderbird's
memory footprint would not be entirely misplaced.
Thunderbird is a nice mail client in a number of ways, and its developers
look like they plan to make it nicer yet. Your editor supports this work,
but hopes that attention to some basic usability issues will not suffer as
new features are added to this application. In many ways, graphical mail
clients are still slower, more awkward, and less powerful than the
text-oriented clients they ostensibly replace. Sooner or later, it would
be nice to close that gap.
Comments (24 posted)
Fedora and MP3
The Linux world hears relatively little from Eric Raymond these days, a
fact which maybe bothers some people more than others. Be that as it may, Eric recently
broke his silence, in classic form, on the
Fedora-devel list. It seems that Eric has come to save the Fedora
distribution and set it back onto the path of Total World Domination.
There are a few small details that Eric would like to see fixed, including
the FC5 artwork ("...backgrounds that look like a Teletubby hocked
loogies into a dish full of soap scum."). But the real issue is in
a different area: media support - DVD playback, Java applets, Flash media,
and, especially:
For a consumer OS to be unable to play MP3s and handle podcasts is
just plain not acceptable, not in the world after iTunes.
The problem, of course, is that MP3 is a patented format. Since Fedora is,
by design, a 100%
free distribution, it is unable to include patent-encumbered software. So
no MP3 format in Fedora. Adding MP3 support to an installed Fedora Core
system is not a particularly difficult task for somebody who knows where to
look (or how to ask a search engine), but it does require some extra
steps. Red Hat's lawyers do not allow Fedora (or its web sites) to
even include a pointer to where this software can be found for fear of
"contributory infringement" charges. As a result, adding MP3 support is
too hard for many desktop users, especially home desktop users.
One option might be to get a distribution license for the GStreamer MP3 plugin. With
such a license, Fedora could ship a fully licensed MP3 decoder, with
BSD-licensed source. There remain issues with just how that plugin could
be shipped with certain GPL-licensed players, but the real problem is
elsewhere: a Fedora distribution with this plugin would no longer be
redistributable by others. It would, in other words, no longer be a 100%
free distribution.
Another option would be to put together some sort of third-party
repository with a carefully-chosen set of Fedora additions, a few of which
just happen to include MP3 support. Said repository would naturally be
hosted in a carefully-chosen country. Fedora could come with instructions
for configuring the system to use that repository as a source of "useful extra
software," with no mention of what is to be found there. Such a scheme
might be vague enough to make the lawyers relax - though they have not made
their feelings known on the matter.
Yet another approach would be for Eric to make his own, MP3-enabled Fedora
offshoot distribution - call it Fully-Armed Fedora or some such. Eric,
however, has declined that opportunity,
saying:
I don't have the money or the lawyers to pull it off. This sort of thing
is why we have commercial partners with office buildings.
What is really being called for here, in other words, is for Red Hat to
stick its neck out and take the legal risk that comes with providing easy
MP3 capability to Fedora users. Red Hat
is understandably reluctant to do that. The company's relatively high
profile and significant cash pile (around $800 million) make it a more
likely lawsuit target than many others. Red Hat management probably sees
much risk and little benefit in inviting lawsuits by including MP3 support,
directly or indirectly.
Eric's claim is that companies like Red Hat need to make a business
decision to solve the MP3 problem in one way or another, even if it means
making deals with patent trolls or shipping proprietary software. A Linux
desktop which cannot deal with MP3 files is simply too crippled to be taken
seriously by a large portion of the potential user base. If Fedora is ever
to succeed in that market, it must do what the target users want it
to do.
There is a point here. Using Ogg for one's CD collection is no sacrifice,
especially if one's portable player (running Rockbox, say) also supports that format.
But there is an increasing amount of interesting content on the net which
is only available in the MP3 encoding. All of that content is inaccessible
using a stock Fedora Core system. That is, indeed, an unacceptable
situation for many users.
Solutions must be approached carefully, however. Future systems are likely
to present other problems: DRM-encoded video formats, broadcast flags,
locked-down computers which only run officially-signed software, and more.
Any solution which does not also offer at least some hope of addressing
those issues will not get us very far. So, in other words, to properly
solve the MP3 problem, we must (1) continue working to encourage the
creation of content in free formats, and (2) face the legal issues
which are at the root of these problems. Those goals will not be helped
much by bolting proprietary or otherwise encumbered software onto our free
systems.
Meanwhile, some other issues may be amenable to easier solutions. To that
end, Warren Togami has announced the
creation of a new mailing list for the discussion of artwork for future
Fedora Core releases. Fedora Core 6 still won't play MP3 files, but
maybe it can look a little nicer.
Comments (36 posted)
Sveasoft and the GPL
Sveasoft is a small company which
makes its living by selling supported versions of Linux-based firmware for
a number of wireless routers. Paying subscribers can download current
versions of the firmware, which adds a number of features not normally
found on those routers. They can grab updated versions as they become
available, and participate in support forums as well.
Sveasoft's products are based on free software - Linux in particular. The
company's approach to GPL compliance has raised eyebrows for a couple of
years now. One tactic employed by the company has been to terminate
support accounts for any subscriber who further redistributes the Sveasoft
binaries or source. The GPL says that customers are entitled to that code
(for the GPL-licensed portions of Sveasoft's products, at least),
and that they have the right to pass it on to others. Sveasoft has
responded that, when this redistribution happens, it is no longer obligated to provide
future versions of the software. The company has employed various schemes
for determining which subscriber has redistributed any particular version,
and has been quite aggressive at shutting down accounts.
To some, it looks very much like Sveasoft is attempting to add restrictions
to the GPL-licensed software it uses for its products. It is, in essence,
imposing a penalty on anyone who redistributes its products. In the end,
however, challenges to this model have not gotten far, and the Free
Software Foundation has stated that Sveasoft is in compliance with the
GPL - at least, with regard to its support agreements.
It seems that the story does not stop there, however. Sveasoft makes
"pre-release" versions of its firmware available to subscribers. In
practice, it seems that these "pre-release" releases are the actual
product; the "public" releases tend to lag far behind. It also seems that
the corresponding source is not made available to anyone - not even
subscribers. Sveasoft argues that, since this is a limited, "pre-release"
distribution, it is not obligated to provide source as well. The GPL,
however, makes no exceptions for "pre-release" distribution.
The OpenWRT Project, on whose work
Sveasoft's product is based, has had enough. So, in March, the project notified Sveasoft that its OpenWRT license
was terminated due to GPL violations. From OpenWRT's point of view,
Sveasoft no longer has any rights to be distributing OpenWRT's work in any
form. Sveasoft responds that it remains in compliance with the GPL, and
that OpenWRT has improperly incorporated Sveasoft code which was never
meant to be licensed under the GPL - a charge that OpenWRT developers deny.
Since then, there has been a great deal of discussion, and Sveasoft's
proprietor has come forward with an offer
to create source tarballs on request for any subscriber who has received a
copy of the binary firmware. There is also apparently an updated source
tarball available to subscribers, though there has been no independent confirmation, yet,
that it contains all of the source it should. The OpenWRT project has not,
in any public way, rescinded its revocation of Sveasoft's license. Still,
it would appear that public pressure has helped to move things in the right
direction.
For now, at least. History suggests that Sveasoft will continue to push
the boundaries of the GPL. Recent history also suggests, however, that
Sveasoft may become less relevant in this area; by many accounts, the
fully-free alternatives - beyond OpenWRT itself - go beyond the Sveasoft
offerings in a number of ways. See this
page on LinksysInfo.org for a detailed comparison of a few projects.
Comments (5 posted)
Page editor: Jonathan Corbet
Security
.desktop files and security
One of the areas of quiet cooperation between the GNOME and KDE projects is
the shared
specification
for .desktop files. These files create a connection between an icon on
the desktop and an application to be launched or file to be accessed when
the icon is clicked upon by the user. The format is simple and flexible,
and it allows the same desktop icons to be implemented on either desktop
system.
There has been an ongoing level of concern over these files, most recently
voiced by Sam Watkins on the XDG mailing
list. The issue is that .desktop files are, for all practical purposes,
shell scripts capable of doing anything that the user can do. But they do
not have to be marked as executable, and they have complete control over
how they are presented on the desktop. A .desktop file can show up as a
document or image file, but actually be some sort of hostile script. A
user, hoping only to view a file which has shown up on the desktop, may end
up running something entirely different.
A number of ways of addressing the issue have been proposed. The simplest,
perhaps, is to require that .desktop files have execute permission to be
launched. Since setting that bit requires an explicit action on the part
of the user, a hostile icon cannot be put directly onto the desktop by, for
example, a file downloaded via a web browser. Some people have objected
that .desktop files are not actually executables - they cannot be run from
the command line. Putting a suitable #! line at the beginning of
the file would fix that, however.
Another possibility would be to mark known-good .desktop files with an
extended attribute. If an attempt was made to launch an unmarked file, a
suitably scary dialog would be put up and confirmation required from the
user. Or, .desktop files with executable content could be restricted in
the set of icons they could use, so that, at least, the fact that a program
would be run would be obvious. Or some sort of global system database
could keep track of the trusted .desktop files.
Perhaps the most elaborate suggestion is to
run all .desktop programs (and perhaps others) in a tightly-restricted
sandbox with little access to the rest of the system. With some work, the
desktop environment could be reworked to make most things work
transparently for users. For example, selecting a file in a file-browser
dialog would grant the right to access that file to the associated
application. The Plash project has
made progress toward the implementation of such a system.
Which of these solutions will be adopted, if any, remains to be seen. It
is not clear that everybody sees a real problem with the capabilities of
.desktop files. Experience has shown, however, that even difficult and
unlikely attack vectors will be exploited eventually. It would be a shame
if the adoption of desktop Linux were to be held back by security concerns.
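The checks proposed above, worked through as an added example in Python (this is not code from the XDG specification, GNOME, KDE or Plash): a small parser for the key=value format, followed by an audit that flags an entry which would launch a command while lacking an execute bit, lacking a trust marker, or presenting itself as a document or image. The extended-attribute name `user.xdg.trusted`, the document-hint lists and the two sample entries are assumptions constructed for the example; nothing in the sample entries is executed.

```python
"""Audit .desktop files against the proposals discussed above.

Added example, not code from the XDG specification or either desktop.
TRUST_XATTR is an assumed attribute name; the discussion proposed an
extended attribute but did not name one.
"""
import os
import stat

TRUST_XATTR = "user.xdg.trusted"   # assumed name for the trust marker

# Names and icons that suggest "data file" rather than "program" (assumed lists).
DOC_SUFFIXES = (".pdf", ".odt", ".doc", ".txt", ".jpg", ".png", ".ogg")
DOC_ICON_HINTS = ("document", "image", "pdf", "photo", "audio", "video", "x-office")


def parse_desktop(text):
    """Minimal parser for the [Group] / key=value format.
    Returns the [Desktop Entry] group as a dict."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")   # split at the first '='
            groups[current][key.strip()] = value.strip()
        else:
            raise ValueError("malformed line: %r" % raw)
    if "Desktop Entry" not in groups:
        raise ValueError("missing [Desktop Entry] group")
    return groups["Desktop Entry"]


def launches_something(entry):
    """True when activating the icon runs a program or opens a URL."""
    kind = entry.get("Type", "")
    return (kind == "Application" and "Exec" in entry) or \
           (kind == "Link" and "URL" in entry)


def looks_like_document(entry):
    """True when the name or icon suggests a plain data file."""
    name = entry.get("Name", "").lower()
    icon = entry.get("Icon", "").lower()
    return name.endswith(DOC_SUFFIXES) or any(h in icon for h in DOC_ICON_HINTS)


def audit_entry(entry, executable, trusted):
    """Return the list of findings for one parsed entry.

    executable: the file carries an execute bit (the first proposal).
    trusted:    the file carries the trust xattr (the second proposal).
    """
    findings = []
    if not launches_something(entry):
        return findings                       # plain data, nothing to launch
    if not executable:
        findings.append("launches a command but has no execute bit")
    if not trusted:
        findings.append("not marked trusted; ask the user before launching")
    if looks_like_document(entry):
        findings.append("presents as a document but would run: "
                        + entry.get("Exec", entry.get("URL", "")))
    return findings


def audit_file(path):
    """Apply audit_entry to a real file, reading mode bits and the xattr."""
    with open(path, encoding="utf-8") as fh:
        entry = parse_desktop(fh.read())
    executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
    trusted = False
    if hasattr(os, "getxattr"):               # Linux only
        try:
            trusted = os.getxattr(path, TRUST_XATTR) == b"1"
        except OSError:                       # attribute absent or unsupported
            trusted = False
    return audit_entry(entry, executable, trusted)


# Constructed samples: a masquerading entry and an ordinary launcher.
HOSTILE = """\
[Desktop Entry]
Type=Application
Name=quarterly-report.pdf
Icon=application-pdf
Exec=sh -c "echo this would run with the user's privileges"
"""

BENIGN = """\
[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""

if __name__ == "__main__":
    for label, text in (("hostile", HOSTILE), ("benign", BENIGN)):
        print(label, audit_entry(parse_desktop(text), executable=False, trusted=False))
```

Run against a file with `audit_file(path)`; an empty list means the entry either launches nothing or passes all three checks. The execute-bit and xattr checks are cheap to enforce in a file manager, while the document-masquerade check is heuristic and is the kind of thing the icon-restriction proposal would make unnecessary.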
Comments (22 posted)
Security news
Coverity: one bug fixed every six minutes
Coverity has sent out a press release claiming that free software projects
fixed one bug every six minutes in the week following the release of the
results from the company's first scan. "In seven days, the defect density
for 32 open source projects analyzed dropped from 0.434 defects per thousand
lines of code to 0.371 defects. Samba, a widely used open source project
used to connect Linux and Windows networks, showed the fastest developer
response, reducing software defects in Samba from 216 to 18 in the first
seven days."
Comments (33 posted)
New vulnerabilities
dia: buffer overflows
| Package(s): | dia |
| CVE #(s): | CVE-2006-1550 |
| Created: | April 3, 2006 |
| Updated: | May 3, 2006 |
| Description: | Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
horde: two remotely exploitable vulnerabilities
| Package(s): | horde |
| CVE #(s): | CVE-2006-1491, CVE-2006-1260 |
| Created: | April 5, 2006 |
| Updated: | April 14, 2006 |
| Description: | Versions of horde prior to 3.1.1 have two vulnerabilities, both of which are remotely exploitable: code execution in the help viewer and an input validation error which could allow read access to arbitrary files. |
| Alerts: | |
Comments (none posted)
kaffeine: buffer overflow
| Package(s): | kaffeine |
| CVE #(s): | CVE-2006-0051 |
| Created: | April 5, 2006 |
| Updated: | April 6, 2006 |
| Description: | Marcus Meissner discovered that kaffeine, a media player for KDE 3, contains an unchecked buffer that can be overwritten remotely when fetching remote RAM playlists which can cause the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
mailman: denial of service
| Package(s): | mailman |
| CVE #(s): | CVE-2006-0052 |
| Created: | March 30, 2006 |
| Updated: | June 9, 2006 |
| Description: | Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message with a MIME multipart format is received, mailman delivery can be stopped. |
| Alerts: | |
Comments (none posted)
mediawiki: cross-site scripting
| Package(s): | mediawiki |
| CVE #(s): | CVE-2006-1498 |
| Created: | April 4, 2006 |
| Updated: | April 4, 2006 |
| Description: | MediaWiki fails to decode certain encoded URLs correctly. By supplying specially crafted links, a remote attacker could exploit this vulnerability to inject malicious HTML or JavaScript code that will be executed in a user's browser session in the context of the vulnerable site. |
| Alerts: | |
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
| CVE #(s): | CVE-2006-0903 |
| Created: | April 4, 2006 |
| Updated: | May 21, 2008 |
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: | |
Comments (2 posted)
php: insecure data
| Package(s): | php |
| CVE #(s): | CVE-2006-1490 |
| Created: | April 4, 2006 |
| Updated: | April 4, 2006 |
| Description: | A vulnerability was discovered where the html_entity_decode() function would return a chunk of memory with length equal to the string supplied, which could include php code, php ini data, other user data, etc. |
| Alerts: | |
Comments (none posted)
samba: clear text password exposure
| Package(s): | samba |
| CVE #(s): | CVE-2006-1059 |
| Created: | March 31, 2006 |
| Updated: | April 4, 2006 |
| Description: | According to this Samba advisory the winbindd daemon included in Samba 3.0.21 and subsequent patch releases (3.0.21a-c) writes the clear text of the server's machine credentials to its log file at level 5. The winbindd log files are world readable by default and often log files are requested on open mailing lists as tools used to debug server misconfigurations. This vulnerability has been fixed in Samba 3.0.22. |
| Alerts: | |
Comments (none posted)
storebackup: multiple vulnerabilities
| Package(s): | storebackup |
| CVE #(s): | CVE-2005-3146, CVE-2005-3147, CVE-2005-3148 |
| Created: | April 4, 2006 |
| Updated: | April 4, 2006 |
| Description: |
Several vulnerabilities have been discovered in the backup utility
storebackup.
- Storebackup creates a temporary file predictably, which can be
exploited to overwrite arbitrary files on the system with a symlink
attack. (CVE-2005-3146)
- The backup root directory is created with world-readable permissions,
which may leak sensitive data. (CVE-2005-3147)
- The user and group rights of symlinks are set incorrectly when making
or restoring a backup, which may leak sensitive data. (CVE-2005-3148)
| Alerts: | |
Comments (none posted)
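The first two storebackup problems above, predictable temporary names that a planted symlink can redirect and a backup root created with world-readable permissions, are shown below in an added Python example. This is not storebackup's own code: the `insecure_*` functions reproduce the weak patterns in generic form, the `safe_*` functions show the usual fixes (O_CREAT|O_EXCL with O_NOFOLLOW, an unpredictable name from mkstemp, and an explicit 0700 mode), and `demo` plays the attacker's symlink against both. The file names and the "victim" file are constructed for the demonstration.

```python
"""Predictable temp file and world-readable backup root, weak and fixed.

Added example; not storebackup's code. The file names are constructed
for the demonstration.
"""
import os
import stat
import tempfile


def insecure_temp_path(base_dir):
    """Predictable name: anyone who can guess it can plant a symlink there first."""
    return os.path.join(base_dir, "storebackup.%d.tmp" % os.getpid())


def insecure_write(path, data):
    """open(..., 'w') truncates whatever the path resolves to, symlink included."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_write_new(path, data):
    """Create only if absent (O_EXCL) and never through a link (O_NOFOLLOW),
    with an owner-only mode. A planted symlink makes os.open raise instead
    of silently redirecting the write."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def safe_temp_write(base_dir, data):
    """Unpredictable name plus O_EXCL via mkstemp; returns the created path."""
    fd, path = tempfile.mkstemp(prefix="storebackup.", dir=base_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def insecure_backup_root(path):
    """mkdir with the default mode: under the usual umask this is 0755,
    so every local user can read the backup tree."""
    os.mkdir(path)
    return stat.S_IMODE(os.stat(path).st_mode)


def safe_backup_root(path):
    """Owner-only directory, with chmod so the umask cannot loosen it."""
    os.mkdir(path, 0o700)
    os.chmod(path, 0o700)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(workdir):
    """Plant a symlink at the predictable name and compare both writers.
    Returns (victim contents after the insecure write, whether the safe
    write refused the link, mode of the safe backup root)."""
    victim = os.path.join(workdir, "victim.txt")      # the file the attacker wants clobbered
    with open(victim, "w") as fh:
        fh.write("original")
    planted = insecure_temp_path(workdir)
    os.symlink(victim, planted)                       # the attacker's move
    insecure_write(planted, "clobbered")              # follows the link
    with open(victim) as fh:
        victim_after = fh.read()
    refused = False
    try:
        safe_write_new(planted, "never written")
    except OSError:                                   # EEXIST: O_EXCL sees the link
        refused = True
    root_mode = safe_backup_root(os.path.join(workdir, "backup-root"))
    return victim_after, refused, root_mode


def run_demo():
    """Run demo() inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as workdir:
        return demo(workdir)


if __name__ == "__main__":
    print(run_demo())
```

The third storebackup item (ownership of restored symlinks) is a different problem: it calls for `os.lchown` rather than `os.chown` so that the link itself, not its target, receives the recorded owner.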
Updated vulnerabilities
ADOdb: PostgreSQL command injection
| Package(s): | adodb |
| CVE #(s): | CVE-2006-0410 |
| Created: | February 6, 2006 |
| Updated: | April 17, 2006 |
| Description: | Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host. |
| Alerts: | |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: | |
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
| CVE #(s): | CVE-2005-4470 |
| Created: | January 6, 2006 |
| Updated: | June 15, 2006 |
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. |
| Alerts: | |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
cairo: denial of service
| Package(s): | cairo |
| CVE #(s): | CVE-2006-0528 |
| Created: | March 21, 2006 |
| Updated: | March 31, 2006 |
| Description: | The cairo library (libcairo), as used in GNOME Evolution and possibly other products, allows remote attackers to cause a denial of service (persistent client crash) via an attached text file that contains "Content-Disposition: inline" in the header, and a very long line in the body, which causes the client to repeatedly crash until the e-mail message is manually removed, possibly due to a buffer overflow, as demonstrated using an XML attachment. |
| Alerts: | |
Comments (none posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e.g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Comments (none posted)
crossfire: arbitrary code execution
| Package(s): | crossfire |
| CVE #(s): | CVE-2006-1010 |
| Created: | March 14, 2006 |
| Updated: | April 24, 2006 |
| Description: | It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in "oldsocketmode", which may possibly lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
curl: heap-based buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2006-1061 |
| Created: | March 21, 2006 |
| Updated: | June 28, 2006 |
| Description: | Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
| CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 |
| Updated: | April 6, 2006 |
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. |
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
| CVE #(s): | CVE-2005-4348 |
| Created: | December 20, 2005 |
| Updated: | May 27, 2006 |
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
freeradius: authentication bypass
| Package(s): | freeradius |
| CVE #(s): | CVE-2006-1354 |
| Created: | March 24, 2006 |
| Updated: | June 5, 2006 |
| Description: | An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gnupg: incorrect signature verification
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-0049 |
| Created: | March 13, 2006 |
| Updated: | May 15, 2006 |
| Description: | Another vulnerability has been found in GnuPG. "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data." |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
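The kate entry above describes a general pitfall: a program writes a backup copy of a file it is about to overwrite, and the copy is created with whatever the process umask allows rather than with the original file's (stricter) mode. The following is an added shell example, not Kate's own code, that shows the naive pattern beside a mode-preserving one; the directory, the file name `private.txt` and the helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Kate's code): two ways of writing a backup copy of a
# file, and what each does to the permission bits of the backup.
# Runs in a throwaway directory on a constructed 0600 file.

umask 022                      # typical default: newly created files get 0644
work=$(mktemp -d) && cd "$work" || exit 1
printf 'secret\n' > private.txt
chmod 600 private.txt          # the original is readable by its owner only

# Octal mode bits of a file (GNU stat first, BSD stat as fallback).
mode_bits() {
    stat -c %a -- "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Permission string such as "-rw-------", portable across ls variants.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Naive backup: a plain redirection creates "$1~" with 0666 & ~umask = 0644,
# so the backup is world-readable although the original was 0600.
backup_naive() {
    cat -- "$1" > "$1~"
}

# Mode-preserving backup: create the copy under a restrictive umask so it is
# never world-readable even for an instant, then copy the original's mode
# bits onto it. (cp -p achieves the same for a simple copy.)
backup_preserving() {
    ( umask 077; cat -- "$1" > "$1~" ) && chmod "$(mode_bits "$1")" "$1~"
}

backup_naive private.txt
echo "naive backup:      $(mode_of private.txt~)"
rm -f private.txt~
backup_preserving private.txt
echo "preserving backup: $(mode_of private.txt~)"
```

The check that matters when reviewing such code is the one `mode_of` performs: compare the backup's mode with the original's, and do it with a restrictive umask in effect, since a temporarily too-open file is still a leak on a multi-user machine.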
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2005-3527
CVE-2005-3783
CVE-2005-3784
CVE-2005-3805
CVE-2005-3806
CVE-2005-3808
|
| Created: | January 20, 2006 |
Updated: | April 18, 2006 |
| Description: |
Here's another set of vulnerabilities in the Linux kernel:
- A race condition in the 2.6 kernel could allow a local user to cause a
DoS by triggering a core dump in one thread while another thread has a
pending SIGSTOP (CVE-2005-3527).
- The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using
CLONE_THREAD, does not use the thread group ID to check whether it is
attaching to itself, which could allow local users to cause a DoS
(CVE-2005-3783).
- The auto-reap of child processes in 2.6 kernels prior to 2.6.15 includes
processes with ptrace attached, which leads to a dangling ptrace
reference and allows local users to cause a crash (CVE-2005-3784).
- A locking problem in the POSIX timer cleanup handling on exit on
kernels 2.6.10 to 2.6.14 when running on SMP systems, allows a local
user to cause a deadlock involving process CPU timers (CVE-2005-3805).
- The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to
2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances,
which allows local users to corrupt kernel memory or cause a crash by
triggering a free of non-allocated memory (CVE-2005-3806).
- An integer overflow in 2.6.14 and earlier could allow a local user to
cause a hang via 64-bit mmap calls that are not properly handled on a
32-bit system (CVE-2005-3808).
|
| Alerts: |
|
Comments (none posted)
libapreq2: algorithm weakness
| Package(s): | libapreq2-perl apache2 |
CVE #(s): | CVE-2006-0042
|
| Created: | March 14, 2006 |
Updated: | April 18, 2006 |
| Description: |
An algorithm weakness has been discovered in Apache2::Request, the
generic request library for Apache2, which can be exploited remotely
to cause a denial of service via CPU consumption. |
| Alerts: |
|
Comments (5 posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, the console Gadu Gadu instant messaging
client), which is also included in gaim, a multi-protocol instant
messaging client. This cannot be exploited on the x86 architecture,
but on others, e.g. SPARC, it leads to a bus error, in other words a
denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 |
CVE #(s): | CAN-2004-0990
CAN-2004-0941
|
| Created: | October 29, 2004 |
Updated: | June 28, 2006 |
| Description: |
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP-driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
mod_python: remote access vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2005-0088
|
| Created: | February 10, 2005 |
Updated: | April 9, 2006 |
| Description: |
mod_python has a vulnerability in the publisher handler that may allow
a remote user to use a specially crafted URL to allow access to
objects that should be protected. An information leak can result. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CVE-2005-4134
CVE-2006-0292
CVE-2006-0296
|
| Created: | February 2, 2006 |
Updated: | May 4, 2006 |
| Description: |
Mozilla has three new vulnerabilities.
The Javascript interpreter has a problem with
dereferencing objects. A user can visit a specially crafted web page
which can crash the browser or cause it to execute arbitrary code.
The XULDocument.persist() function has a bug that can be triggered by
viewing specially crafted web sites: RDF data can be injected into the
localstore.rdf file, allowing arbitrary javascript code to be executed.
The Mozilla history saving mechanism is vulnerable to a denial of
service attack: visiting sites with extra-long titles can cause a
crash or a very slow startup the next time the browser is run. |
| Alerts: |
|
Comments (none posted)
Mozilla Thunderbird: remote code execution and DoS
| Package(s): | mozilla-thunderbird |
CVE #(s): | CVE-2006-0884
|
| Created: | March 3, 2006 |
Updated: | May 4, 2006 |
| Description: |
The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier
allows user-complicit attackers to bypass javascript security settings and
obtain sensitive information or cause a crash via an e-mail containing a
javascript URI in the SRC attribute of an IFRAME tag, which is executed
when the user edits the e-mail. |
| Alerts: |
|
Comments (1 posted)
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs |
CVE #(s): | CAN-2005-0013
CAN-2005-0014
|
| Created: | January 31, 2005 |
Updated: | May 15, 2006 |
| Description: |
Erik Sjolund discovered two vulnerabilities in the programs bundled
with ncpfs: there is a potentially exploitable buffer overflow in
ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities
using the NetWare client functions insecurely access files with
elevated privileges (CAN-2005-0013). |
| Alerts: |
|
Comments (none posted)
ntp: uses wrong gid
| Package(s): | ntp |
CVE #(s): | CAN-2005-2496
|
| Created: | August 26, 2005 |
Updated: | August 11, 2006 |
| Description: |
When xntpd is started with the -u option and the group is specified
by name rather than by numeric gid, the daemon uses the gid of the
user, not that of the group. This problem is now fixed
by this update. |
| Alerts: |
|
Comments (none posted)
openmotif: buffer overflows
| Package(s): | openmotif |
CVE #(s): | CVE-2005-3964
|
| Created: | December 29, 2005 |
Updated: | July 27, 2006 |
| Description: |
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
|
| Alerts: |
|
Comments (none posted)
OpenSSH: double shell expansion
| Package(s): | openssh |
CVE #(s): | CVE-2006-0225
|
| Created: | January 23, 2006 |
Updated: | July 20, 2006 |
| Description: |
OpenSSH has a double shell expansion vulnerability in local to local and
remote to remote copy with scp. |
| Alerts: |
|
Comments (none posted)
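The zgrep entry (metacharacters such as '|' and '&' in file names) and the OpenSSH scp entry (double shell expansion in local-to-local and remote-to-remote copies) are the same bug class: a file name is safe as a single argument, but becomes shell syntax once a tool rebuilds the command as one string and hands it to a shell a second time. The following is an added example, not zgrep's or scp's code, that shows the vulnerable pattern beside the hardened one; the directory, the file name containing '|', the string `needle` and the helper names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not zgrep's or scp's code): a file name containing a '|' is
# harmless as an argv element, but is parsed as a pipeline once the command
# is rebuilt as a string and re-parsed by sh. File and name are constructed.

work=$(mktemp -d) && cd "$work" || exit 1
name='x|touch PWNED'                   # a '|' inside the file name
printf 'needle\n' > "$name"

# Vulnerable pattern: the name is pasted into a command string that sh
# re-parses, so "cat x|touch PWNED | grep -c needle" runs 'touch PWNED'.
count_unsafe() {
    sh -c "cat $1 | grep -c needle"
}

# Hardened pattern: the name stays one argv element and is never re-parsed;
# '--' keeps a name beginning with '-' from being read as an option.
count_safe() {
    cat -- "$1" | grep -c needle
}

rm -f PWNED
out=$(count_unsafe "$name" 2>/dev/null || true)
if [ -e PWNED ]; then
    echo "unsafe: grep count '$out', and PWNED was created by the file name"
fi
rm -f PWNED
echo "safe:   grep count '$(count_safe "$name")', PWNED present: $([ -e PWNED ] && echo yes || echo no)"
```

The same reasoning applies to `$(...)` or backquotes in a name handed to a remote shell: whatever the first hop quotes correctly is undone if the second hop builds a string and lets a shell parse it again, which is why the fix in both entries is to stop re-parsing, not to add another layer of escaping.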
perl: setuid vulnerabilities
| Package(s): | perl |
CVE #(s): | CAN-2005-0155
CAN-2005-0156
|
| Created: | February 2, 2005 |
Updated: | August 11, 2006 |
| Description: |
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities