LWN.net Logo

Advertisement

E-Commerce & credit card processing - the Open Source way!

Advertise here

How Mono got into Fedora

Back in January, Red Hat reversed a longstanding policy and allowed the Mono .NET implementation into the Fedora distribution. A set of Mono applications (Tomboy, Banshee, F-spot) also went in at that time. The move was generally welcomed, but a number of observers wondered what had changed to make the addition of Mono possible. The sticking point had been a set of patents on .NET held by Microsoft; presumably those patents were no longer seen as a threat. But no information on why that might be was released at that time.

We missed it at the time, but Fedora hacker Greg DeKoenigsberg posted an explanation in late March. The answer, as it turns out, may offer some clues of how the software patent battle might play out.

Back in November, the Open Invention Network (OIN) announced its existence. OIN is a corporation which has been set up for one express purpose: to acquire patents and use them to promote and defend free software. The OIN patent policy is this:

Patents owned by Open Invention Network will be available on a royalty-free basis to any company, institution or individual that agrees not to assert its patents against the Linux operating system or certain Linux-related applications.

The list of "certain Linux-related applications" is said to exist, though it has not, yet, been posted publicly. But Mono is apparently on that list. So anybody who files patent infringement suits against Mono users, and who is, in turn, making use of technology covered by OIN's patents is setting himself up for a countersuit. Depending on the value of the patents held by OIN, that threat could raise the risk of attacking Mono considerably.

That last sentence is important: a potential OIN countersuit will only have a deterring effect if OIN's patents cover an important technology and look like they would stand up in court. As it happens, OIN holds a set of patents covering a number of fundamental aspects of XML-based web services. These patents (originally assigned to a failing company called Commerce One) created a fair amount of concern when they went up for auction at the end of 2004; many companies feared that they could be used to shake down companies all over the e-commerce field. What actually happened is rather different: they were bought by Novell for $15.5 million and eventually contributed to the OIN pool. These patents, it seems, are considered strong enough to keep Mono safe.

Novell did the community (and perhaps the technology industry as a whole) a big favor by buying those patents; in the process, it beat out bids from a couple of "intellectual property" firms associated with Nathan Myhrvold. Donating them to OIN multiplied the favor by putting these patents directly into the service of free software. We may all be a little safer as a result of this action.

Some observers in the community have criticized the patent pool idea in the past. Playing the software patent game in any way is a little distasteful, and it is not clear to everybody that the owner of the pool would have the standing or interest to defend the target of a patent attack. The true success of OIN can only be judged in the long term, and, in the best case scenario (no software patent suits are ever brought against free software users), its contribution will never be entirely clear. What is clear, however, is that OIN has already brought some peace of mind to some of the people who were most worried about the software patent threat. That seems like a step in the right direction.

Comments (14 posted)

Fear of a Linux virus

There can be no doubt that the folks at Kaspersky Lab are persistent. Back in 1999, Kaspersky released its anti-virus product for Linux; the company also claimed to be preparing "the world's first Linux-based rescue disk." In 2000, the company claimed that "new viruses for Linux appear every day," though it backed down when that claim was questioned. Now Kaspersky claims to have encountered a "cross-platform virus," which is capable of infecting both Linux and Windows systems. Time to be worried:

The virus doesn't have any practical application - it's classic Proof of Concept code, written to show that it is possible to create a cross platform virus. However, our experience shows that once proof of concept code is released, virus writers are usually quick to take the code, and adapt it for their own use.

There is hope, however: worried system administrators need only purchase Kaspersky's anti-virus service, and they will be protected from the threat of this new cross-platform virus.

Strangely enough, Linux administrators have somehow managed to avoid going into a panic over this announcement. In fact, few Linux users feel any more threatened than they did before.

This new "virus" is a program which is able to inject its code into executable files found in the current working directory. It can't be the first code with this capability - that particular problem is not especially hard to solve. Given write access to an executable file, a program can write to that file. If it is coded to write something unpleasant, that is what will happen.

What this "virus" appears to lack is any sort of propagation mechanism. If somebody runs it, their executable files will be corrupted, but it has no way of traveling further. Any attempt to add propagation to this code will run into some well-known problems: (1) getting Linux users to run random malware is still challenging, and (2) most Linux users lack the access to modify most of the executables they run, most of the time. The normal protection mechanisms designed to keep users from accidentally (or maliciously) damaging their systems will also serve to impede any attempt to infect those systems.

One should not say that writing a rapidly-propagating, Linux-based virus or worm is not possible. Sooner or later, somebody will probably pull it off. But any such malware will have to exploit an open security vulnerability in the target systems, and any vulnerability which is exploited in this manner will be closed in a hurry. Commercial anti-virus products work by trying to keep threatening malware away from the system altogether. The Linux way of doing things, instead, is to make the system resistant to the attack vector used by the malware in the first place. Security updates may propagate a little more slowly than virus descriptions, but the end result will tend to be far longer-lasting.

So it is not clear that there will ever be a real market niche for anti-virus products on Linux systems. Linux administrators prefer to fix the root problem, and most distributors have well-tuned mechanisms in place for making those fixes quick and easy. Anti-virus products add complexity to a system, can create problems of their own, and may well not be any more effective against any sort of "zero-day" attack. If, in the future, we find ourselves truly needing anti-virus software, our development process will have failed badly. Chances are that we will not fail in that way, but the flow of scary press releases from anti-virus companies will certainly continue regardless.

Comments (14 posted)

Some distribution disagreements

Back when Red Hat Linux was a product delivered by Red Hat Inc. in its final form, the user community had little visibility into the decisions that affected the distribution. One of the early promises that came with the Fedora Project was that the important discussions would happen in a public forum. Things have not always happened that way, and a number of things still seem to happen by anonymous decree. It is true, however, that the public discussion has grown more vibrant as the wider Fedora community insists on having its say.

One recurring discussion has to do with one of those decisions by decree: Fedora Core 5 lacks the "install everything" option which has characterized Red Hat releases for many years. The reasons behind this change make some sense: it is increasingly hard to support as the distribution grows, and as the distribution is split between "core" and "extras." Some packages conflict with others, making a true "everything" install impossible in any case. Installing everything is an invitation to unnecessary security problems. And the Anaconda installer has been reworked around a yum-based backend which is not so well equipped to do "everything" installs in any case. Administrators who do a lot of "everything" installs can use kickstart to obtain something close to the old behavior.

So removing this option was not an unreasonable thing to do. But the community was not involved in the decision, and quite a few Fedora users are most unhappy with the change. Since there was no discussion - not even an announcement of the change - these unhappy users continue to fill the Fedora lists with complaints; it is beginning to look like one of those threads which never really goes away. But, "install everything" has gone away, and appears highly unlikely to return.

A more relevant discussion, perhaps, is this one: what is to happen with evolution in Fedora Core? The state of the FC5 evolution package is evidently so poor that some Red Hat developers are suggesting that it should be shoved out to Fedora Extras, or dropped altogether:

Evolution in extras is a bad idea. Evolution in core is a worse idea. What other as good as unmaintained large buggy package exposed to external attack and with known unfixed DoS bugs (and probably worse yet to be found) do we ship.

Evolution belongs in the bitbucket.

(Alan Cox).

The state of evolution is a bit of a problem. It has been pushed for some time as the mail user agent for Red Hat and Fedora systems; it is also the only mail client with its particular combination of email and calendar features. Quite a few Fedora (and RHEL) users depend on it heavily. So the chances are that evolution is not truly destined for the bit bucket.

There appear to be two issues here. One is that the core evolution project has been on hold for some time. There is a new set of developers working on evolution, and there are signs that the process is beginning to move again - though some observers are not yet convinced. The other issue is that the evolution package within Fedora is unmaintained, and has been for some time. This is a different sort of problem: Red Hat is actively trying to hire somebody to maintain the evolution package, but has not yet found anybody. Until that position can be filled, the evolution package in Fedora is likely to continue to languish.

An interesting side note on this discussion is that some participants have complained about Red Hat engineers suggesting the removal of Evolution. It seems that Red Hat folks have a duty to not scare the users that way. But the truth of the matter is that we cannot have it both ways: if we want to have a vibrant and open Fedora development community, the engineers involved must be able to speak their minds.

Meanwhile, the Ubuntu community has run into a different sort of issue. The original Ubuntu distribution was very much GNOME-based, with a KDE-based version ("Kubuntu") being somewhat of a second-class citizen. Last November, however, Mark Shuttleworth announced that Kubuntu would become "a first class distribution within the Ubuntu community." From the outside, it would appear that things have happened that way; Kubuntu releases happen at about the same time as "plain" Ubuntu releases, and Kubuntu has a large and (seemingly) happy user community.

As of this writing, however, visitors to the Kubuntu.de site are greeted with a protest message rather than the normal resources found there. It seems that some of the developers working on Kubuntu are not particularly happy with their relationship with Canonical. They do not feel that Kubuntu is, yet, a "first-class distribution."

The protest appears to be lead by Andreas Mueller, a co-founder of the Kubuntu project and the maintainer of Kubuntu.de. Mr. Mueller is a volunteer Kubuntu developer, not currently on the Canonical payroll. There are a number of complaints being voiced, and it is not entirely clear what the real problem is. Discussion on the lists suggests that a misunderstanding over administrative accounts is part of it. The core, however, may well be this:

Kubuntu needs more paid developers. Even though Canonical says that there is one paid developer for GNOME and one KDE (seb128/jriddell), the rest of the paid developers rather tend to support GNOME. It would be reasonable to pay at least 2-3 more developers to balance, because only providing KDE-packages is not enough.

A cynical observer might be tempted to conclude that Mr. Mueller is trying to shame Canonical into hiring him.

It is hard to say whether Canonical is putting sufficient resources into Kubuntu or not. It is true that there has been no great outpouring of support for this protest on the Kubuntu mailing lists. Kubuntu users seem generally content with their lot. Hopefully this disagreement can be resolved without changing that situation.

Comments (31 posted)

Page editor: Jonathan Corbet

Security

Cross-site scripting attacks

April 12, 2006

This article was contributed by Jake Edge.

Two weeks ago, this page examined SQL injection attacks on web applications. Another well-known attack is cross-site scripting, often abbreviated as "XSS." Cross-site scripting is, perhaps, a more subtle way of breaking web applications, but its effects can be just as damaging as SQL Injection.

The basic vector for XSS is user input into a website that is not filtered to remove dangerous content. One of the more obvious ways this can occur is with sites that allow users to add comments to stories, without removing or altering HTML tags that they enter. For example, if one adds a comment that contains:

    <script>alert("howdy")</script>
and someone else, when looking at that comment, gets the alert, the site is vulnerable to XSS. Obviously, a javascript popup is not particularly dangerous and would be a clear sign that something odd is going on. This kind of 'attack' is only used as a proof of concept. The key thing to note is that one user can run javascript in the context of another user's browser, with all of the information and privileges of the targeted user (or, at least, the subset granted to javascript).

There are other mechanisms to inject this kind of malicious content, either as HTML links or by causing error messages that display the content. Essentially any place that a web application displays user input can be exploited if the input or output is not filtered correctly. When XSS attacks appear in links, they are often encoded in hex using the '%xx' or '&#xx;' so that it is not immediately apparent that the link contains malicious content.

A wide variety of actions can be triggered by an XSS exploit, including cookie theft, account hijacking, and denial of service. A clever attacker could make a page that looks exactly like the login page of a popular website (Google for example) and an unwary user could be fooled into entering their username and password into this page after following a link. By exploiting an XSS hole recently reported and discussed on the Bugtraq mailing list, the link would not obviously be malicious and could start with http://www.google.com.

Another common attack is to hijack a session by using an XSS exploit to capture a cookie value that stores a session ID. An attacker can then use that session ID to take over a currently logged-in session at the web site and for all intents and purposes, become that user. This attack is especially nasty if that user happens to be an administrative user - or is logged into, say, a financial site.

Avoiding XSS in a web application requires diligence in filtering user input (a common theme in nearly all web application vulnerabilities). Any user input that is sent back to browser for any reason needs to have certain characters converted to strings that will display properly, but not be interpreted as HTML by the browser. An XSS FAQ recommends replacing the following characters: < > ( ) & and # with &lt;, &gt;, &#40, etc.

XSS vulnerabilities are one of the most commonly reported security issues with web applications today. New XSS techniques are discovered regularly that find new ways to evade various security measures implemented by the browser scripting languages and new ways to fool users into falling into an XSS trap. Any technique that allows attackers to run code in your browser with your permissions is obviously cause for worry. Website users can only take some fairly drastic measures to avoid XSS (turning off javascript, not following links, etc.). This is clearly something that website owners must handle to protect their users.

Comments (9 posted)

Security news

Anti-virus to protect against anti-virus vulnerabilities

Users of the ClamAV free anti-virus system should be aware of the recent vulnerabilities in that package. No need to fear, however: SonicWALL has announced that its (proprietary) anti-virus system is now equipped to shield your network from attempts to exploit one of those vulnerabilities. So ClamAV users need not actually apply the update - just layer another anti-virus package on top of it instead.

Comments (35 posted)

New vulnerabilities

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2006-1614 CVE-2006-1615 CVE-2006-1630
Created:April 6, 2006 Updated:April 12, 2006
Description: The ClamAV anti-virus toolkit has three vulnerabilities. the PE header parser has an integer overflow problem, the logging code has format string vulnerabilities that may lead to the execution of arbitrary code, and the cli_bitset_set() function can be used to create a denial of service.
Alerts:
Debian DSA-1024-1 2006-04-05
Trustix TSLSA-2006-0020 2006-04-07
Gentoo 200604-06 2006-04-07
Mandriva MDKSA-2006:067 2006-04-07
SuSE SUSE-SA:2006:020 2006-04-11

Comments (1 posted)

doomsday: format string vulnerability

Package(s):doomsday CVE #(s):CVE-2006-1618
Created:April 6, 2006 Updated:April 12, 2006
Description: The doomsday gaming engine has a format string vulnerability that may be utilized by a remote attacker for the execution of arbitrary code.
Alerts:
Gentoo 200604-05 2006-04-06

Comments (none posted)

libimager-perl: denial of service

Package(s):libimager-perl CVE #(s):CVE-2006-0053
Created:April 9, 2006 Updated:April 12, 2006
Description: The libimager-perl Perl extension has a vulnerability in which maliciously created 4-channel JPEG images can cause a segmentation fault and cause a denial of service.
Alerts:
Debian DSA-1028-1 2006-03-07

Comments (none posted)

mplayer: integer overflows

Package(s):mplayer CVE #(s):CVE-2006-1502
Created:April 9, 2006 Updated:May 1, 2006
Description: MPlayer 1.0pre7try2 has multiple integer overflow vulnerabilities. Remote attackers can maliciously craft an ASF file or an AVI file in order to cause a denial of service.
Alerts:
Mandriva MDKSA-2006:068 2006-04-07
Gentoo 200605-01 2006-05-01

Comments (none posted)

openvpn: arbitrary code execution

Package(s):openvpn CVE #(s):CVE-2006-1629
Created:April 11, 2006 Updated:April 27, 2006
Description: OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable.
Alerts:
Mandriva MDKSA-2006:069 2006-04-10
Debian DSA-1045-1 2006-04-27

Comments (none posted)

plone: unauthorized access

Package(s):plone CVE #(s):CVE-2006-1711
Created:April 12, 2006 Updated:April 12, 2006
Description: From the Debian advisory: "It was discovered that the Plone content management system lacks security declarations for three internal classes. This allows manipulation of user portraits by unprivileged users."
Alerts:
Debian DSA-1032-1 2006-04-12

Comments (none posted)

xscreensaver: possible password exposure

Package(s):xscreensaver CVE #(s):CVE-2004-2655
Created:April 11, 2006 Updated:May 24, 2006
Description: In some cases, xscreensaver did not properly grab the keyboard when reading the password for unlocking the screen, so that the password was typed into the currently active application window. The only known vulnerable case was when xscreensaver activated while an rdesktop session was currently active.
Alerts:
Ubuntu USN-269-1 2006-04-11
Red Hat RHSA-2006:0498-01 2006-05-23

Comments (none posted)

Updated vulnerabilities

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Gentoo 200509-09 2005-09-17
Debian DSA-856-1 2005-10-10
Gentoo 200509-09:02 2005-09-17

Comments (none posted)

ADOdb: PostgresSQL command injection

Package(s):adodb CVE #(s):CVE-2006-0410
Created:February 6, 2006 Updated:April 17, 2006
Description: Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host.
Alerts:
Gentoo 200602-02 2006-02-06
Debian DSA-1029-1 2006-04-08
Debian DSA-1030-1 2006-04-08
Debian DSA-1031-1 2006-04-08
Gentoo 200604-07 2006-04-14

Comments (none posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2005-3352
Created:December 14, 2005 Updated:May 10, 2006
Description: Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details.
Alerts:
OpenPKG OpenPKG-SA-2005.029 2005-12-14
Red Hat RHSA-2006:0159-01 2006-01-05
Mandriva MDKSA-2006:007 2006-01-05
Trustix TSLSA-2005-0074 2005-12-23
Ubuntu USN-241-1 2006-01-12
Red Hat RHSA-2006:0158-01 2006-01-17
Fedora FEDORA-2006-052 2006-01-20
Gentoo 200602-03 2006-02-06
Fedora-Legacy FLSA:175406 2006-02-18
SuSE SUSE-SR:2006:004 2006-02-24
Slackware SSA:2006-129-01 2006-05-10

Comments (none posted)

blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
Alerts:
Ubuntu USN-238-1 2006-01-06
Ubuntu USN-238-2 2006-01-06
Gentoo 200601-08 2006-01-13
Debian DSA-1039-1 2006-04-24
Debian-Testing DTSA-29-1 2006-06-15

Comments (none posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
Ubuntu USN-127-1 2005-05-17
Mandriva MDKSA-2005:091 2005-05-18
Debian DSA-730-1 2005-05-27
SuSE SUSE-SR:2005:015 2005-06-07
OpenPKG OpenPKG-SA-2005.008 2005-06-10
Red Hat RHSA-2005:474-01 2005-06-16
Debian DSA-741-1 2005-07-07
rPath rPSA-2007-0004-1 2007-01-09

Comments (2 posted)

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Debian-Testing DTSA-23-1 2005-12-05
Gentoo 200512-11 2005-12-20
Debian DSA-1083-1 2006-05-31
Debian DSA-1088-1 2006-06-03
Gentoo 200608-27 2006-08-29

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
Ubuntu USN-234-1 2006-01-02
Red Hat RHSA-2007:0245-02 2007-05-01
rPath rPSA-2007-0094-1 2007-05-07

Comments (none posted)

crossfire: arbitrary code execution

Package(s):crossfire CVE #(s):CVE-2006-1010
Created:March 14, 2006 Updated:April 24, 2006
Description: It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in "oldsocketmode", which may possibly lead to the execution of arbitrary code.
Alerts:
Debian DSA-1001-1 2006-03-14
Gentoo 200604-11 2006-04-22

Comments (none posted)

curl: heap-based buffer overflow

Package(s):curl CVE #(s):CVE-2006-1061
Created:March 21, 2006 Updated:June 28, 2006
Description: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.
Alerts:
Fedora FEDORA-2006-189 2006-03-21
Gentoo 200603-19 2006-03-21
Trustix TSLSA-2006-0016 2006-03-24
OpenPKG OpenPKG-SA-2006.012 2006-06-28

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Gentoo 200502-29 2005-02-23
SuSE SUSE-SA:2005:009 2005-02-24
Ubuntu USN-87-1 2005-02-28
Mandrake MDKSA-2005:051 2005-03-04
Conectiva CLA-2005:937 2005-03-17
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Fedora FEDORA-2005-339 2005-04-27
Red Hat RHSA-2005:408-01 2005-05-17
Fedora-Legacy FLSA:156290 2006-04-04

Comments (none posted)

dia: missing input sanitizing

Package(s):dia CVE #(s):CAN-2005-2966
Created:October 4, 2005 Updated:April 6, 2006
Description: Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user.
Alerts:
Ubuntu USN-193-1 2005-10-04
SuSE SUSE-SR:2005:022 2005-10-07
Debian DSA-847-1 2005-10-08
Gentoo 200510-06 2005-10-06
Mandriva MDKSA-2005:187 2005-10-20
Debian DSA-1025-1 2006-04-06

Comments (none posted)

dia: buffer overflows

Package(s):dia CVE #(s):CVE-2006-1550
Created:April 3, 2006 Updated:May 3, 2006
Description: Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user's privileges.
Alerts:
Ubuntu USN-266-1 2006-04-03
Mandriva MDKSA-2006:062 2006-04-03
Fedora FEDORA-2006-261 2006-04-05
Gentoo 200604-14 2006-04-23
Red Hat RHSA-2006:0280-01 2006-05-03

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Ubuntu USN-76-1 2005-02-07
Debian DSA-670-1 2005-02-08
Debian DSA-671-1 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Fedora FEDORA-2005-116 2005-02-08
Red Hat RHSA-2005:112-01 2005-02-10
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:133-01 2005-02-15
Fedora FEDORA-2005-145 2005-02-14
Fedora FEDORA-2005-146 2005-02-14
Gentoo 200502-20 2005-02-15
Mandrake MDKSA-2005:038 2005-02-15
Debian DSA-685-1 2005-02-17
Fedora-Legacy FLSA:152898 2006-05-12

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
Debian DSA-654-1 2005-01-21
Ubuntu USN-68-1 2005-01-24
Fedora FEDORA-2005-015 2005-01-26
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-096 2005-01-31
Red Hat RHSA-2005:039-01 2005-02-01
Gentoo 200502-03 2005-02-02
Mandrake MDKSA-2005:033 2005-02-10
Red Hat RHSA-2005:040-01 2005-02-15
Fedora-Legacy FLSA:152892 2005-12-17
rPath rPSA-2006-0083-1 2006-05-26

Comments (none posted)

fetchmail: multidrop bug

Package(s):fetchmail CVE #(s):CVE-2005-4348
Created:December 20, 2005 Updated:May 27, 2006
Description: Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode.
Alerts:
Fedora FEDORA-2005-1186 2005-12-20
Fedora FEDORA-2005-1187 2005-12-20
Mandriva MDKSA-2005:236 2005-12-23
Ubuntu USN-233-1 2006-01-02
Debian DSA-939-1 2006-01-13
Slackware SSA:2006-045-01 2006-02-15
Fedora-Legacy FLSA:164512 2006-05-12
rPath rPSA-2006-0084-1 2006-05-26

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
Gentoo 200409-24 2004-09-20
Fedora FEDORA-2004-303 2004-09-21
Conectiva CLA-2004:880 2004-10-27
Fedora-Legacy FLSA:2076 2004-11-05
SuSE SUSE-SA:2006:026 2006-05-30

Comments (none posted)

freeradius: authentication bypass

Package(s):freeradius CVE #(s):CVE-2006-1354
Created:March 24, 2006 Updated:June 5, 2006
Description: An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.
Alerts:
Mandriva MDKSA-2006:060 2006-03-23
SuSE SUSE-SA:2006:019 2006-03-28
Red Hat RHSA-2006:0271-01 2006-04-04
Gentoo 200604-03 2006-04-04
Mandriva MDKSA-2006:066 2006-04-05
Debian DSA-1089-1 2006-06-03

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Gentoo 200505-15 2005-05-20
Ubuntu USN-135-1 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-136-2 2005-05-27
Mandriva MDKSA-2005:095 2005-05-30
Trustix TSLSA-2005-0025 2005-05-31
Gentoo 200506-01 2005-06-01
Fedora FEDORA-2005-497 2005-06-29
Fedora FEDORA-2005-498 2005-06-29
Red Hat RHSA-2005:659-01 2005-09-28
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:801-01 2005-10-18
Fedora FEDORA-2005-1032 2005-10-27
Fedora FEDORA-2005-1033 2005-10-27
Mandriva MDKSA-2005:215 2005-11-23
Red Hat RHSA-2006:0368-01 2006-07-20
Red Hat RHSA-2006:0354-01 2006-08-10

Comments (5 posted)

gnupg: incorrect signature verification

Package(s):gnupg CVE #(s):CVE-2006-0049
Created:March 13, 2006 Updated:May 15, 2006
Description: Another vulnerability has been found in GnuPG. "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data."
Alerts:
Debian DSA-993-1 2006-03-10
Gentoo 200603-08 2006-03-10
Debian DSA-993-2 2006-03-13
Ubuntu USN-264-1 2006-03-13
Mandriva MDKSA-2006:055 2006-03-13
Fedora FEDORA-2006-147 2006-03-13
Slackware SSA:2006-072-02 2006-03-14
Red Hat RHSA-2006:0266-01 2006-03-15
Trustix TSLSA-2006-0014 2006-03-20
Fedora-Legacy FLSA:185355 2006-05-12

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
Ubuntu USN-158-1 2005-08-01
Ubuntu USN-161-1 2005-08-04
Fedora-Legacy FLSA:157696 2005-08-10
Fedora-Legacy FLSA:158801 2005-11-14
Mandriva MDKSA-2006:026 2006-01-30
Mandriva MDKSA-2006:027 2006-01-30
OpenPKG OpenPKG-SA-2007.002 2007-01-08

Comments (2 posted)

horde: two remotely exploitable vulnerabilities

Package(s):horde CVE #(s):CVE-2006-1491 CVE-2006-1260
Created:April 5, 2006 Updated:April 14, 2006
Description: Versions of horde prior to 3.1.1 have two vulnerabilities, both of which are remotely exploitable: code execution in the help viewer and an input validation error which could allow read access to arbitrary files.
Alerts:
Gentoo 200604-02 2006-04-04
Debian DSA-1033-1 2006-04-12
Debian DSA-1034-1 2006-04-14

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Red Hat RHSA-2005:114-01 2005-02-18
Fedora-Legacy FLSA:152912 2005-05-12
Fedora-Legacy FLSA:184074 2006-04-04

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Ubuntu USN-221-1 2005-12-01
Gentoo 200512-04 2005-12-12
SuSE SUSE-SA:2005:070 2005-12-20
Mandriva MDKSA-2006:020 2006-01-25
Debian DSA-965-1 2006-02-06
Red Hat RHSA-2006:0267-01 2006-04-25
Fedora-Legacy FLSA:190941 2006-06-06

Comments (none posted)

kaffeine: buffer overflow

Package(s):kaffeine CVE #(s):CVE-2006-0051
Created:April 5, 2006 Updated:April 6, 2006
Description: Marcus Meissner discovered that kaffeine, a media player for KDE 3, contains an unchecked buffer that can be overwritten remotely when fetching remote RAM playlists which can cause the execution of arbitrary code.
Alerts:
Debian DSA-1023-1 2006-04-05
Mandriva MDKSA-2006:065 2006-04-05
Gentoo 200604-04 2006-04-05
Ubuntu USN-268-1 2006-04-06

Comments (none posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Mandriva MDKSA-2005:160 2005-09-06
Ubuntu USN-176-1 2005-09-07
Slackware SSA:2005-251-01 2005-09-09
Debian DSA-815-1 2005-09-16
Red Hat RHSA-2006:0582-01 2006-08-10

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Fedora FEDORA-2005-594 2005-07-19
Mandriva MDKSA-2005:122 2005-07-20
Ubuntu USN-150-1 2005-07-21
Red Hat RHSA-2005:612-01 2005-07-27
Debian DSA-804-1 2005-09-08
Debian DSA-804-2 2005-11-10
Gentoo 200611-21 2006-11-27

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
SuSE SUSE-SA:2005:018 2005-03-24
Fedora FEDORA-2005-262 2005-03-28
Conectiva CLA-2005:945 2005-03-31
Debian DSA-1067-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1069-1 2006-05-20
Debian DSA-1082-1 2006-05-29

Comments (none posted)

kernel multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2005-3527 CVE-2005-3783 CVE-2005-3784 CVE-2005-3805 CVE-2005-3806 CVE-2005-3808
Created:January 20, 2006 Updated:April 18, 2006
Description: Here's another set of vulnerabilities in the Linux kernel:
  • A race condition in the 2.6 kernel could allow a local user to cause a DoS by triggering a core dump in one thread while another thread has a pending SIGSTOP (CVE-2005-3527).
  • The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which could allow local users to cause a DoS (CVE-2005-3783).
  • The auto-reap child process in 2.6 kernels prior to 2.6.15 include processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a crash (CVE-2005-3784).
  • A locking problem in the POSIX timer cleanup handling on exit on kernels 2.6.10 to 2.6.14 when running on SMP systems, allows a local user to cause a deadlock involving process CPU timers (CVE-2005-3805).
  • The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to 2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a crash by triggering a free of non-allocated memory (CVE-2005-3806).
  • An integer overflow in 2.6.14 and earlier could allow a local user to cause a hang via 64-bit mmap calls that are not properly handled on a 32-bit system (CVE-2005-3808).
Alerts:
Mandriva MDKSA-2006:018 2006-01-20
Red Hat RHSA-2006:0191-01 2006-02-01
Mandriva MDKSA-2006:044 2006-02-21
SuSE SUSE-SA:2006:012 2006-02-27
Fedora-Legacy FLSA:157459-3 2006-03-16
Fedora-Legacy FLSA:157459-4 2006-03-16
Fedora-Legacy FLSA:157459-1 2006-03-16
Fedora-Legacy FLSA:157459-2 2006-03-16
Debian DSA-1017-1 2006-03-23
Debian DSA-1018-1 2006-03-26
Debian DSA-1018-2 2006-04-05
Mandriva MDKSA-2006:072 2006-04-17

Comments (none posted)

libapreq2: algorithm weakness

Package(s):libapreq2-perl apache2 CVE #(s):CVE-2006-0042
Created:March 14, 2006 Updated:April 18, 2006
Description: An algorithm weakness has been discovered in Apache2::Request, the generic request library for Apache2 which can be exploited remotely and cause a denial of service via CPU consumption.
Alerts:
Debian DSA-1000-1 2006-03-14
Debian DSA-1000-2 2006-04-03
Gentoo 200604-08 2006-04-17

Comments (5 posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-769-1 2005-07-29
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-813-1 2005-09-15

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Ubuntu USN-11-1 2004-10-28
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Gentoo 200411-08 2004-11-03
Debian DSA-589-1 2004-11-09
Debian DSA-591-1 2004-11-09
Ubuntu USN-21-1 2004-11-09
Fedora FEDORA-2004-411 2004-11-11
Fedora FEDORA-2004-412 2004-11-11
Ubuntu USN-25-1 2004-11-15
Mandrake MDKSA-2004:132 2004-11-15
Debian DSA-601-1 2004-11-29
Debian DSA-602-1 2004-11-29
Ubuntu USN-33-1 2004-11-29
Red Hat RHSA-2004:638-01 2004-12-17
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2006:0194-01 2006-02-01
Mandriva MDKSA-2006:114 2006-06-27

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
Debian DSA-785-1 2005-08-25
Gentoo 200508-22 2005-08-31
Mandriva MDKSA-2005:190 2005-10-20
rPath rPSA-2006-0183-1 2006-10-05

Comments (none posted)

mailman: denial of service

Package(s):mailman CVE #(s):CVE-2006-0052
Created:March 30, 2006 Updated:June 9, 2006
Description: Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message with a mime multi part format is received, mailman delivery can be stopped.
Alerts:
Mandriva MDKSA-2006:061 2006-03-29
Ubuntu USN-267-1 2006-04-03
Debian DSA-1027-1 2006-04-06
SuSE SUSE-SR:2006:008 2006-04-07
Red Hat RHSA-2006:0486-01 2006-06-09

Comments (none posted)

mod_python: remote access vulnerability

Package(s):mod_python CVE #(s):CAN-2005-0088
Created:February 10, 2005 Updated:April 9, 2006
Description: mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result.
Alerts:
Fedora FEDORA-2005-139 2005-02-10
Fedora FEDORA-2005-140 2005-02-10
Red Hat RHSA-2005:104-01 2005-02-10
Ubuntu USN-80-1 2005-02-11
Trustix TSLSA-2005-0003 2005-02-11
Gentoo 200502-14 2005-02-13
Red Hat RHSA-2005:100-01 2005-02-15
Debian DSA-689-1 2005-02-23
Conectiva CLA-2005:926 2005-03-02
Fedora-Legacy FLSA:152896 2006-04-04

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CVE-2005-4134 CVE-2006-0292 CVE-2006-0296
Created:February 2, 2006 Updated:May 4, 2006
Description: Mozilla has three new vulnerabilities. The Javascript interpreter has a problem with dereferencing objects. A user can visit a specially crafted web page which can crash the browser or cause it to execute arbitrary code.

The XULDocument.persist() function has a bug that can be triggered by viewing specially crafted web sites, RDF data can be injected into the localstore.rdf file, allowing arbitrary javascript code to be executed.

The Mozilla history saving mechanism is vulnerable to a denial of service attack, visiting sites with extra-long titles can cause a crash or very slow startup the next time the browser is run.

Alerts:
Red Hat RHSA-2006:0199-01 2006-02-02
Red Hat RHSA-2006:0200-01 2006-02-02
Fedora FEDORA-2006-075 2006-02-02
Fedora FEDORA-2006-076 2006-02-02
Mandriva MDKSA-2006:036 2006-02-07
Mandriva MDKSA-2006:037 2006-02-07
Fedora-Legacy FLSA:180036 2006-02-23
Debian DSA-1046-1 2006-04-27
Ubuntu USN-275-1 2006-04-27

Comments (none posted)

Mozilla Thunderbird: remote code execution and DoS

Package(s):mozilla-thunderbird CVE #(s):CVE-2006-0884
Created:March 3, 2006 Updated:May 4, 2006
Description: The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier allows user-complicit attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail.
Alerts:
Mandriva MDKSA-2006:052 2006-03-02
Debian DSA-1051-1 2006-05-04

Comments (1 posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 15, 2006
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Mandriva MDKSA-2006:064 2006-04-03
Ubuntu USN-274-1 2006-04-27
Ubuntu USN-274-2 2006-05-15

Comments (2 posted)

ncpfs: multiple vulnerabilities

Package(s):ncpfs CVE #(s):CAN-2005-0013 CAN-2005-0014
Created:January 31, 2005 Updated:May 15, 2006
Description: Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013).
Alerts:
Gentoo 200501-44 2005-01-30
Mandrake MDKSA-2005:028 2005-02-01
Red Hat RHSA-2005:371-01 2005-05-17
Fedora FEDORA-2005-435 2005-08-16
Fedora-Legacy FLSA:152904 2006-05-12

Comments (none posted)

ntp: uses wrong gid

Package(s):ntp CVE #(s):CAN-2005-2496
Created:August 26, 2005 Updated:August 11, 2006
Description: When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update.
Alerts:
Fedora FEDORA-2005-812 2005-08-26
Ubuntu USN-175-1 2005-09-01
Debian DSA-801-1 2005-09-05
Mandriva MDKSA-2005:156 2005-09-06
Red Hat RHSA-2006:0393-01 2006-08-10

Comments (none posted)

openmotif: buffer overflows

Package(s):openmotif CVE #(s):CVE-2005-3964
Created:December 29, 2005 Updated:July 27, 2006
Description: The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code.
Alerts:
Gentoo 200512-16 2005-12-28
Red Hat RHSA-2006:0272-01 2006-04-04
Fedora FEDORA-2006-854 2006-07-26

Comments (none posted)

OpenSSH: double shell expansion

Package(s):openssh CVE #(s):CVE-2006-0225
Created:January 23, 2006 Updated:July 20, 2006
Description: OpenSSH has a double shell expansion vulnerability in local to local and remote to remote copy with scp.
Alerts:
Fedora FEDORA-2006-056 2006-01-23
Mandriva MDKSA-2006:034 2006-02-06
SuSE SUSE-SA:2006:008 2006-02-14
Slackware SSA:2006-045-06 2006-02-15
OpenPKG OpenPKG-SA-2006.003 2006-02-18