
The Creative Commons launches

Lawrence Lessig (and others) first started talking about the Creative Commons Project some months ago. It took until December 16, however, for the formal launch [Creative Commons] of the project. Now that Creative Commons is live, it's time for a good look at what they are up to.

The Creative Commons is a reaction to the steady increase in the power of copyright holders over their creations. By allowing creators to lock up their work indefinitely, the expansion of copyright protection is impoverishing the intellectual "commons" -- the pool of ideas and works in the public domain from which all can draw. By denying the growth of the commons, content producers are denying the basic fact that the work they would lock up also has its roots in that commons. Disney may have done children a great service by cleaning up the gory and depressing parts of "The Little Mermaid," but the foundation of the company's work lies deep within the commons where the original Mermaid lives.

The copyright battle is being fought on many fronts, including in legislatures and courts. The Creative Commons is taking a different approach, however: it is attempting to create an explicit commons to which creators of copyrightable works can donate their output. This effort has, for now, two components.

The first is the Licensing Project. This project aims to move works into the commons immediately by providing a whole set of licenses for releasing works with varying degrees of freedom. Content producers can select a license by answering three basic questions:

  • Should people redistributing the work be required to credit the original author?

  • Can others make commercial use of the work?

  • Can others distribute (and perform, display, etc.) derived products of the work, or may it be used only in unaltered form? In the case where changes are allowed, must the changes be distributed under the same license?

The answers to those questions map onto a list of eleven licenses that reflect the author's wishes. (Two yes/no questions and one three-way question give twelve combinations; the twelfth case - the one with no restrictions - is apparently deemed as being equivalent to releasing the content into the public domain). The more restrictive licenses would not be considered truly "free," since they restrict commercial use and the ability to make changes. On the other hand, the "Attribution" license is fairly BSD-like, and "ShareAlike" takes its cue from the GPL.

Not everybody wants to make their work freely distributable from the beginning, however. For those who want to enjoy the benefits of copyright protection for a while, but who would still like to see their work pass into the commons in a timely manner, there is the Founders' Copyright project. Essentially, the Founders' Copyright attempts to take copyright law back to 1790 by way of a contract which will release a given work into the public domain after 14 years. O'Reilly & Associates, which has funded the Creative Commons, has pledged to put some (currently unspecified) works into the public domain under these terms.

The path ahead of the Creative Commons project looks difficult; how many content producers will really be interested in giving away their current legal rights in order to nourish an amorphous "commons"? Twenty years ago, however, one could have reasonably asked why any sane programmer would donate code to a seemingly infeasible project to create a free operating system. As people become more aware of the costs of freezing the growth of the true intellectual commons, there may well be room for the development of a privatized version. We need that commons, one way or another.

As an aside, those who are interested in U.S. copyright law and its expansion over the years may want to have a look at The Progress of Science and the Useful Arts, a lengthy report from the Free Expression Policy Project.

Another leading thinker, Siva Vaidhyanathan, puts 'intellectual property talk' at the root of today's conflicts over anti-circumvention technology, extensions of the 'limited time' of copyright, and other efforts by the industry to expand its profits and control. Vaidhyanathan writes that copyright 'was not meant to be a property right as the public generally understands property. It was originally a narrow federal policy that granted a limited trade monopoly in exchange for universal use and access.' Viewing creative expression as property distorts this original concept.

The report looks at copyright from the beginning through to current issues (copyright extension, DMCA, etc.). It's a long but worthwhile read.

Comments (3 posted)

ElcomSoft gets off

The ElcomSoft trial is over, and the verdict is in: not guilty. In the end, the jury decided that ElcomSoft did not willfully violate the law, and should not be punished. In other words, the court agrees with much of the community that the U.S., last year, violated the rights of an innocent man when it arrested and detained Dmitry Sklyarov.

The outcome of this case is good news for ElcomSoft, but it has little to offer others who face possible DMCA prosecutions. As a low-level jury trial, the ElcomSoft case would have had little precedent value in any case; the judge in this case also went out of his way to ensure that the validity of the DMCA itself was not called into question. The issue of whether or not ElcomSoft's software was illegal was not much discussed; what decided the case was the jury's assessment of whether ElcomSoft knowingly and intentionally violated U.S. law.

So ElcomSoft was acquitted, which is good news for the company. But the DMCA itself remains unchallenged, and companies that might consider distributing a "circumvention device" have seen that the DMCA can lead to expensive criminal trials and arrests, even if they win in the end. The DMCA's chilling effect will thus be undiminished, and, for those who remain unchilled, there will certainly be other criminal DMCA trials in the future.

Comments (2 posted)

Metrowerks acquires Lineo

Remember Lineo? This company initially was spun out of Caldera as Caldera Thin Systems, but switched over to Lineo shortly thereafter. Lineo received vast amounts of venture capital, went on an acquisition spree (FirePlug, INUP, Moreton Bay, USE, RT-Control, Zentropix, ...), and filed for a $60 million IPO - in May, 2000. Needless to say, things didn't work out that way.

Denied its IPO cash windfall, Lineo went into decline. The hardware businesses it had picked up were unacquired. Then, last April, the company was "recapitalized" - from the details that have been made available it seems that the company was foreclosed upon and reincarnated (as "Embedix, Inc.") in the hands of the Canopy Group - the company's venture capital firm. Now Lineo/Embedix has been sold to Metrowerks, which hopes to make a compelling product out of the combination of Embedix and CodeWarrior. Of the 200+ people employed by Lineo when it filed for its IPO, about 30 remain to move to Metrowerks.

Lineo is a relic of the Linux Bubble Days; perhaps the only surprising thing is that it lasted this long. The company certainly had worthwhile products in its Embedix system, development tools, and embedded web browser. But they got caught up in the hype of those days and went off buying big trade show booths, acquiring companies of marginal use, and generally trying to tread the high-flying IPO-bound path. When the IPO failed to happen, there really just wasn't a whole lot left.

Lineo pursued a path that appeared to be rational and lucrative at the time; it's hard to put (too much) blame on the company's management. It has taken years, however, to divest the pieces of a company built around the dotcom business model. What's left, finally, is the core of a real Linux business, which, as part of a bigger structure, will be doing its part for Linux World Domination in a more realistic way. The end of the dotcom bubble has brought hard times to many Linux companies and developers, but it has also brought a new focus on creating products and services that customers actually want to buy. That change will, in the long run, do far more good for Linux and free software than the Bubble Days ever did.

Comments (none posted)

News from LWN

We'll start with the most fun news: the LWN.net 2002 Linux Timeline is now available. For the fifth straight year, we have gone through and pulled out the most interesting news from the last twelve months. The result is a concise, and, we hope, fun summary of what's been going on.

And...there's more! As some of you may know, LWN.net will turn five years old next month. In a bit of early celebration, we have put together the LWN.net Five-Year Timeline, giving a condensed view of what has happened while LWN has been watching.

There are now just over 2400 individual LWN.net subscribers. The number continues its slow, steady growth despite an increase in the number of expiring subscriptions. With luck, that trend will continue, but we remain distant from our short-term goal of 4000 subscribers. (Meanwhile, the kind soul who subscribed "cypherpunks" needs to renew, as it has expired...).

This is the last LWN Weekly Edition for 2002; there will be no Weekly Edition during the Christmas week. We will return to our regular schedule on January 2, 2003 (the front page will continue to be updated during this time). Hopefully our readers will forgive us if we're still a little hung over at the time.

This has been a challenging year, to say the least. Through all of our ups and downs, we have continued producing LWN because we have such a great set of readers. Best wishes to all of you for great holidays and a happy new year from the folks at LWN.

Comments (2 posted)

Page editor: Jonathan Corbet

Security

Security news

Guest article: Germany sees security in free software

[This article was contributed by LWN reader Burt Janz]

Earlier this month, Schwäbisch Hall began an IBM-hosted initiative to convert hundreds of its city-run computers to Linux. With Sony announcing that it would be dropping Microsoft Office in favor of StarOffice on most consumer systems sold in Europe, the availability of OEM-hosted Open Source desktop applications may be prompting the next step in the adoption of Linux as an alternative to Microsoft - especially in government.

Now, another initiative to convert Germany's government computer operations to Linux has been announced. Joachim Jacobs, the Federal Commissioner for Data Security, apparently feels that Open Source provides a more secure set of network management tools than those available under Windows, and will begin the conversion by moving mail, file services, DHCP and DNS, and other network services to Linux. Additionally, up to 75 desktop systems will also be converted to Linux.

In his announcement, Mr. Jacobs addressed one of the primary issues cited by anti-Linux advocates: training. Herr Jacobs knows that there will be a certain amount of retraining necessary in moving to Linux, but also knows that Linux is sufficiently close to UNIX in most of his required operations so that these retraining costs should be minimal.

However, Mr. Jacobs also attacks the retraining issue in another realm: the desktop. This is the one area where Linux opponents are most vocal, and the place where Microsoft is placing its largest bets. Mr. Jacobs' response to the issue is simple: since he has to retrain people every five years or so, and since he has to have a budget to do it, why not retrain them to use Open Source instead of Windows? This is a compelling argument, and could be used to make the case for "test conversions" to Linux in the corporate world.

(See also: this Heise News article (in German)).

Comments (2 posted)

December CRYPTO-GRAM Newsletter

Bruce Schneier's CRYPTO-GRAM Newsletter for December is out; it looks at counterattacks, the new U.S. Department of Homeland Security, and the Internet's next big thing: "I think the next big Internet security trend is going to be crime. Not the spray-painting cow-tipping annoyance-causing crime we've been seeing over the past few years. Not the viruses and Trojans and DDoS attacks for fun and bragging rights. Not even the epidemics that sweep the Internet in hours and cause millions of dollars of damage. Real crime."

Full Story (comments: none)

CERT advisory on SSH vulnerabilities

CERT has issued an advisory describing a number of SSH vulnerabilities which can lead to remote root exploits. OpenSSH is not affected by these problems; neither is lsh.

Full Story (comments: none)

New vulnerabilities

exim: format string vulnerability

Package(s):exim CVE #(s):
Created:December 17, 2002 Updated:December 17, 2002
Description: Versions of exim prior to 4.10 have a format string vulnerability which may be used, in certain limited circumstances, for a local root exploit; see this advisory for details.
Alerts:
Gentoo 200212-5 2002-12-16

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Conectiva CLA-2002:554 2002-12-16
Red Hat RHSA-2002:293-09 2002-12-17
Debian DSA-216-1 2002-12-24
SuSE SuSE-SA:2003:001 2003-01-02
SCO Group CSSA-2003-001.0 2003-01-09
EnGarde ESA-20030127-002 2003-01-27
Mandrake MDKSA-2003:011 2003-01-27
Immunix IMNX-2003-7+-023-01 2003-10-17

Comments (3 posted)

micq: Denial of service

Package(s):micq CVE #(s):
Created:December 13, 2002 Updated:April 24, 2003
Description: Rüdiger Kuhlmann, upstream developer of mICQ, a text-based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE separator causes all versions to crash.
Alerts:
Debian DSA-211-1 2002-12-13
Red Hat RHSA-2003:118-01 2003-04-24

Comments (none posted)

MySQL: multiple vulnerabilities

Package(s):mysql CVE #(s):
Created:December 13, 2002 Updated:April 10, 2003
Description: The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks and, possibly, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems.
Alerts:
EnGarde ESA-20021213-033 2002-12-13
Gentoo 200212-2 2002-12-15
OpenPKG OpenPKG-SA-2002.013 2002-12-16
Conectiva CLA-2002:555 2002-12-17
Debian DSA-212-1 2002-12-17
Mandrake MDKSA-2002:087 2002-12-18
Trustix 2002-0086 2002-12-19
SuSE SuSE-SA:2003:003 2003-01-02
Red Hat RHSA-2002:288-22 2003-01-15
EnGarde ESA-20030127-001 2003-01-27
Immunix IMNX-2003-7+-008-01 2003-04-08

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Red Hat RHSA-2002:228-11 2002-12-17
Conectiva CLA-2003:778 2003-11-07

Comments (none posted)

Updated vulnerabilities

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
SuSE SuSE-SA:2002:041 2002-11-05
Gentoo 200211-001 2002-11-06
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200302-01 2003-02-02
Debian DSA-386-1 2003-09-18

Comments (none posted)

OpenLDAP2: remote command execution

Package(s):OpenLDAP2 CVE #(s):CAN-2002-1378 CAN-2002-1379
Created:December 6, 2002 Updated:February 21, 2003
Description: OpenLDAP is the Open Source implementation of the Lightweight Directory Access Protocol (LDAP) and is used in network environments for distributing certain information such as X.509 certificates or login information.

The SuSE Security Team reviewed critical parts of that package and found several buffer overflows and other bugs remote attackers could exploit to gain access on systems running vulnerable LDAP servers. In addition to these bugs, various locally exploitable bugs within the OpenLDAP2 libraries (openldap2-devel package) have been fixed.

Since there is no workaround possible except shutting down the LDAP server, an update is strongly recommended.

Alerts:
SuSE SuSE-SA:2002:047 2002-12-06
Conectiva CLA-2002:556 2002-12-19
Gentoo 200212-12 2002-12-28
Debian DSA-227-1 2003-01-13
Mandrake MDKSA-2003:006 2003-01-14
Red Hat RHSA-2003:040-07 2003-02-05
Trustix 2003-0002 2003-02-20

Comments (1 posted)

Buffer overflow vulnerabilities in PostgreSQL

Package(s):PostgreSQL CVE #(s):
Created:August 21, 2002 Updated:January 27, 2003
Description: PostgreSQL 7.2.2 has been released in response to a number of buffer overrun vulnerabilities which have been identified recently. "...it should be noted that these vulnerabilities are only critical on 'open' or 'shared' systems, as they require the ability to be able to connect to the database before they can be exploited."

Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, and lpad and rpad functions.

Alerts:
Gentoo postgresql-20020826 2002-08-26
Debian DSA-165-1 2002-09-12
Conectiva CLA-2002:524 2002-09-19
Mandrake MDKSA-2002:062 2002-10-01
Trustix 2002-0071 2002-10-17
SuSE SuSE-SA:2002:038 2002-10-21
Red Hat RHSA-2003:010-10 2003-01-14
Red Hat RHSA-2003:001-16 2003-01-14
Yellow Dog YDU-20030127-5 2003-01-27

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

Comments (none posted)

Apache shared memory scoreboard vulnerabilities

Package(s):apache CVE #(s):CAN-2002-0839
Created:October 9, 2002 Updated:December 18, 2002
Description: Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related vulnerabilities which can be exploited by local users running under the Apache user ID. In-server scripting languages, such as PHP, are the most likely means of carrying out the attacks. One vulnerability causes the server to fork off new processes, leading to denial of service scenarios; the other allows an attacker to send SIGUSR1 to any process as root, probably killing that process. See this iDEFENSE advisory for the details.
Alerts:
OpenPKG OpenPKG-SA-2002.009 2002-10-04
Conectiva CLA-2002:530 2002-10-07
EnGarde ESA-20021007-024 2002-10-07
Gentoo apache-20021015 2002-10-15
Mandrake MDKSA-2002:067 2002-10-15
Trustix 2002-0069 2002-10-17
Debian DSA-187-1 2002-11-04
Debian DSA-188-1 2002-11-05
Debian DSA-195-1 2002-11-13
SCO Group CSSA-2002-056.0 2002-12-05
Mandrake MDKSA-2002:068-1 2002-12-18

Comments (3 posted)

Heap corruption vulnerability in at

Package(s):at at, sudo, xchat CVE #(s):CAN-2002-0004
Created:May 21, 2002 Updated:May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report:  January 17th).
Alerts:
Debian DSA-102-1 2002-01-16
Debian DSA-102-2 2002-01-18
Mandrake MDKSA-2002:007 2002-01-18
Red Hat RHSA-2002:015-13 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Slackware sl-1011706104 2002-01-22
SuSE SuSE-SA:2002:003 2001-01-16
Yellow Dog YDU-20020127-9 2002-01-27
EnGarde ESA-20030515-015 2003-05-15

Comments (none posted)

BIND8: Multiple vulnerabilities

Package(s):bind CVE #(s):CAN-2002-1219 CAN-2002-1220 CAN-2002-1221
Created:November 13, 2002 Updated:March 6, 2003
Description: Three new vulnerabilities have been found in version 8 of the Berkeley Internet Domain Server; see this ISS advisory, the CERT Advisory CA-2002-31, or the November 14 LWN Security Page for details.

Red Hat has sent out an alert (not a regular advisory) suggesting that customers apply its previous BIND updates, which upgrade the system to BIND9.

Alerts:
EnGarde ESA-20021114-029 2002-11-14
SuSE SuSE-SA:2002:044 2002-11-13
Mandrake MDKSA-2002:077 2002-11-14
Conectiva CLA-2002:546 2002-11-14
Debian DSA-196-1 2002-11-14
OpenPKG OpenPKG-SA-2002.011 2002-11-15
Trustix 2002-0076 2002-11-15
SCO Group CSSA-2002-059.0 2002-12-19
Sorcerer SORCERER2003-03-06 2003-03-06

Comments (1 posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries


Alerts:
OpenPKG OpenPKG-SA-2002.006 2002-07-04
SuSE SuSE-SA:2002:026 2002-07-09
Conectiva CLA-2002:507 2002-07-11
Gentoo glibc-20020713 2002-07-13
Trustix 2002-0061 2002-07-15
Mandrake MDKSA-2002:043 2002-07-16
EnGarde ESA-20020724-018 2002-07-24
Red Hat RHSA-2002:139-10 2002-07-22
Eridani ERISA-2002:028 2002-07-25
Yellow Dog YDU-20020801-2 2002-08-01
SCO Group CSSA-2002-034.0 2002-08-05
Red Hat RHSA-2002:133-13 2002-08-08
Eridani ERISA-2002:035 2002-08-09
Yellow Dog YDU-20020810-3 2002-08-10
Mandrake MDKSA-2002:050 2002-08-13

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt


Alerts:
Red Hat RHSA-2002:246-18 2002-12-04
Gentoo 200212-8 2002-12-20
Debian DSA-224-1 2002-01-08
SCO Group CSSA-2003-005.0 2003-01-21

Comments (none posted)

dhcpcd: Character expansion vulnerability

Package(s):dhcpcd CVE #(s):
Created:November 19, 2002 Updated:January 10, 2003
Description: dhcpcd is an RFC2131 and RFC1541 compliant DHCP client daemon.

dhcpcd has the ability to execute an external script named /sbin/dhcpcd-<interface>.exe when assigning a new IP address to a network interface. This script sources a file named /var/lib/dhcpcd/dhcpcd-<interface>.info that contains several shell variables and assignments with DHCP information.

Simon Kelley pointed out a vulnerability in the way quotes inside these assignments are treated. By exploiting this, a malicious DHCP server (or attackers able to spoof DHCP responses) can execute arbitrary shell commands on the DHCP client (which is run by root).
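The failure mode described above, as an added example that is not dhcpcd's own code: a writer that drops server-supplied strings into a shell-sourced .info file, beside one that quotes them so the shell only ever sees data. The lease values and the file layout are constructed for illustration; shlex is used to model how a POSIX shell tokenizes each line when the file is sourced.

```python
"""Added example (not from dhcpcd): naive vs. quoted shell assignments for
a sourced dhcpcd-<interface>.info style file. All values are constructed."""
import shlex

# Constructed lease data as a hostile DHCP server could supply it: the
# HOSTNAME and DOMAIN strings deliberately contain shell quote characters.
LEASE = {
    "IPADDR": "192.0.2.10",
    "NETMASK": "255.255.255.0",
    "HOSTNAME": 'box"; echo injected > /tmp/x; "',   # embedded double quotes
    "DOMAIN": "example.test'`id`",                  # embedded single quote
}


def naive_info(lease):
    """Unsafe writer: wraps each value in double quotes with no escaping.
    A quote inside the value terminates the string early, so the rest of
    the value becomes shell syntax when the file is sourced."""
    return "".join(f'{k}="{v}"\n' for k, v in lease.items())


def safe_info(lease):
    """Hardened writer: shlex.quote() single-quotes each value and escapes
    embedded single quotes, so every line is NAME=<one string literal>."""
    return "".join(f"{k}={shlex.quote(v)}\n" for k, v in lease.items())


def words_per_line(info):
    """Model the shell's view of each line. shlex in POSIX mode applies sh
    quoting rules; a line that is pure data tokenizes to exactly one word.
    (shlex does not split on ';' or '>', which only makes the test lenient.)"""
    return [shlex.split(line) for line in info.splitlines()]


def lease_roundtrip(info):
    """Return the NAME -> value mapping the shell would assign from `info`,
    or None if any line yields extra words, i.e. text the shell would try
    to execute rather than store in the variable."""
    assigned = {}
    for words in words_per_line(info):
        if len(words) != 1 or "=" not in words[0]:
            return None
        name, _, value = words[0].partition("=")
        assigned[name] = value
    return assigned


if __name__ == "__main__":
    print("naive writer round-trips cleanly:", lease_roundtrip(naive_info(LEASE)) is not None)
    print("quoted writer round-trips cleanly:", lease_roundtrip(safe_info(LEASE)) == LEASE)
```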

Alerts:
Conectiva CLA-2002:549 2002-11-18
Debian DSA-219-1 2002-12-31
Gentoo 200301-3 2003-01-05
Mandrake MDKSA-2003:003 2003-01-09

Comments (none posted)

dvips: command execution vulnerability

Package(s):dvips CVE #(s):CAN-2002-0836
Created:October 16, 2002 Updated:June 10, 2003
Description: The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system.
Alerts:
Red Hat RHSA-2002:194-18 2002-10-08
Gentoo tetex-20021018 2002-10-18
Mandrake MDKSA-2002:070 2002-10-23
Mandrake MDKSA-2002:071 2002-10-24
Conectiva CLA-2002:537 2002-10-29
Debian DSA-207-1 2002-12-11
OpenPKG OpenPKG-SA-2002.015 2002-12-16
Immunix IMNX-2003-7+-016-01 2003-06-09

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

Another set of fetchmail buffer overflows

Package(s):fetchmail fetchmail-ssl CVE #(s):
Created:October 1, 2002 Updated:December 17, 2002
Description: e-matters GmbH has issued an advisory warning of a new set of buffer overflows in the fetchmail header parsing code. The vulnerabilities have been fixed in fetchmail 6.1.0.
Alerts:
Gentoo fetchmail-20021001 2002-10-01
Mandrake MDKSA-2002:063 2002-10-01
EnGarde ESA-20021003-023 2002-10-03
Red Hat RHSA-2002:215-09 2002-10-07
Debian DSA-171-1 2002-10-07
Conectiva CLA-2002:531 2002-10-16
SCO Group CSSA-2002-051.0 2002-11-21
Gentoo 200212-3 2002-12-15
OpenPKG OpenPKG-SA-2002.016 2002-12-17

Comments (none posted)

GNU fileutils race condition

Package(s):fileutils ucdsnmp CVE #(s):CAN-2002-0435
Created:May 21, 2002 Updated:May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
SCO Group CSSA-2002-018.1 2002-05-13
Mandrake MDKSA-2002:031 2002-05-16
SuSE SuSE-SA:2002:012 2002-04-08
Trustix 2002-0052 2002-06-06
Red Hat RHSA-2003:015-05 2003-02-12
Immunix IMNX-2003-7+-010-01 2003-05-16

Comments (none posted)

Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 29, 2003
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-149-1 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Eridani ERISA-2002:036 2002-08-13
Trustix 2002-0067 2002-08-13
SuSE SuSE-SA:2002:031 2002-08-30
Gentoo glibc-20020905 2002-09-05
Mandrake MDKSA-2002:061 2002-09-23
Debian DSA-149-2 2002-09-26
Gentoo dietlibc-20020927 2002-09-27
Gentoo glibc-20020927 2002-09-27
EnGarde ESA-20021003-021 2002-10-03
Trustix 2002-0070 2002-10-17
Conectiva CLA-2002:535 2002-10-29
Debian DSA-333-1 2003-06-27

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

Comments (none posted)

gtetrinet: buffer overflows

Package(s):gtetrinet CVE #(s):
Created:November 25, 2002 Updated:December 11, 2002
Description: Several buffer overflows were found in gtetrinet versions below 0.4.3. According to the authors these could be remotely exploited.
Alerts:
Gentoo 200211-006 2002-11-20
Debian DSA-205-1 2002-12-10

Comments (none posted)

IM: creates temporary files insecurely

Package(s):im CVE #(s):CAN-2002-1395
Created:December 3, 2002 Updated:March 6, 2003
Description: Tatsuya Kinoshita discovered that IM, which contains interface commands and Perl libraries for E-mail and NetNews, creates temporary files insecurely.
  1. The impwagent program creates a temporary directory in an insecure manner in /tmp using predictable directory names without checking the return code of mkdir, so a local user can take control of the temporary directory used by another user.

  2. The immknmz program creates a temporary file in an insecure manner in /tmp using a predictable filename, so an attacker with local access can easily create and overwrite files as another user.
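The two patterns above, as an added example that is not IM's own code: a directory created at a predictable path with the mkdir result ignored (so a pre-existing directory owned by someone else is silently reused) beside a creation routine that uses an unpredictable name, fails instead of reusing, and verifies ownership and mode before trusting the result. The directory name "impwagent.tmp" and the base directory are constructed for the demonstration.

```python
"""Added example (not IM's code): predictable, unchecked temporary directory
creation versus a checked mkdtemp-based routine. POSIX only (uses os.getuid)."""
import os
import stat
import tempfile


def predictable_tmpdir(base, name):
    """Pattern described for impwagent: fixed name, mkdir failure ignored.
    If another local user pre-created `name`, the caller never notices and
    goes on writing into a directory it does not own or control."""
    path = os.path.join(base, name)
    try:
        os.mkdir(path, 0o700)
    except OSError:
        pass  # the bug: the return code (here, the exception) is discarded
    return path


def checked_tmpdir(base, prefix):
    """Hardened form: mkdtemp picks an unpredictable name and creates it
    atomically with mode 0700, raising rather than reusing an existing
    directory. Re-check with lstat so a symlink or foreign-owned directory
    at that path is refused instead of used."""
    path = tempfile.mkdtemp(prefix=prefix, dir=base)
    st = os.lstat(path)
    if (not stat.S_ISDIR(st.st_mode)
            or st.st_uid != os.getuid()
            or stat.S_IMODE(st.st_mode) != 0o700):
        raise RuntimeError(f"refusing to use {path}: unexpected owner/mode/type")
    return path


def demo(base):
    """Simulate the race already lost: someone else created the predictable
    directory first, world-readable. Returns what each routine ends up with."""
    squatted = os.path.join(base, "impwagent.tmp")
    os.mkdir(squatted, 0o755)          # constructed: attacker-owned stand-in
    unsafe = predictable_tmpdir(base, "impwagent.tmp")
    safe = checked_tmpdir(base, "impwagent.")
    return {
        "reused_existing_dir": unsafe == squatted,
        "unsafe_mode": stat.S_IMODE(os.lstat(unsafe).st_mode),
        "safe_mode": stat.S_IMODE(os.lstat(safe).st_mode),
        "safe_is_fresh": safe != squatted,
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        print(demo(base))
```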
Alerts:
Debian DSA-202-1 2002-12-03
Debian DSA-202-2 2002-12-06
Red Hat RHSA-2003:039-06 2003-03-06

Comments (none posted)

UW imapd remotely exploitable buffer overflow

Package(s):imap CVE #(s):CAN-2002-0379
Created:June 5, 2002 Updated:December 20, 2002
Description: UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23).
Alerts:
SCO Group CSSA-2002-021.0 2002-05-15
Conectiva CLA-2002:487 2002-05-24
Eridani ERISA-2002:018 2002-05-25
Mandrake MDKSA-2002:034 2002-05-27
Red Hat RHSA-2002:092-11 2002-05-22
Yellow Dog YDU-20020606-1 2002-06-06
EnGarde ESA-20020607-013 2002-06-07
Trustix 2002-0054 2002-06-06
SuSE SuSE-SA:2002:048 2002-12-20

Comments (2 posted)

kdelibs: Vulnerabilities in KIO subsystem support

Package(s):kdelibs CVE #(s):CAN-2002-1281 CAN-2002-1282
Created:November 22, 2002 Updated:March 14, 2003
Description: Vulnerabilities were discovered in the KIO subsystem support for various network protocols. The implementation of the rlogin protocol affects all KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the telnet protocol only affects KDE 2.x. They allow a carefully crafted URL in an HTML page, HTML email, or other KIO-enabled application to execute arbitrary commands with the victim's privileges. The KDE team provided a patch for KDE3 which has been applied in these packages. No patch was provided for KDE2; however, the KDE team recommends disabling both the rlogin and telnet KIO protocols. This can be accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory, they should likewise be removed. See also: http://www.kde.org/info/security/advisory-20021111-1.txt
Alerts:
Mandrake MDKSA-2002:079 2002-11-21
Red Hat RHSA-2002:220-40 2002-12-04
Debian DSA-204-1 2002-12-05
SCO Group CSSA-2003-012.0 2003-03-14

Comments (none posted)

kdenetwork: buffer overflow

Package(s):kdenetwork CVE #(s):CAN-2002-1247
Created:November 11, 2002 Updated:December 20, 2002
Description: iDEFENSE reports a security vulnerability, discovered by Texonet, in the klisa package, which provides a LAN information service similar to "Network Neighbourhood". It is possible for a local attacker to exploit a buffer overflow condition in resLISa, a restricted version of KLISa. The vulnerability lies in the parsing of the LOGNAME environment variable: an overly long value overwrites the instruction pointer, thereby allowing an attacker to seize control of the executable.
Alerts:
Debian DSA-193-1 2002-11-11
SuSE SuSE-SA:2002:042 2002-11-12
Mandrake MDKSA-2002:080 2002-11-21
Debian DSA-214-1 2002-12-20

Comments (none posted)

kernel: local denial of service vulnerability

Package(s):kernel CVE #(s):
Created:November 19, 2002 Updated:February 5, 2003
Description: All versions of the Linux kernel from (at least) 2.2.x through 2.4.19 and 2.5.47 contain a vulnerability which allows any local user to crash the system. This LWN article describes how the exploit works in detail. The vulnerability affects only x86 systems.
Alerts:
Red Hat RHSA-2002:262-07 2002-11-16
Trustix 2002-0077 2002-11-15
Red Hat RHSA-2002:264-05 2002-11-25
Conectiva CLA-2002:553 2002-12-16
Trustix 2002-0083 2002-12-19
Mandrake MDKSA-2003:014 2003-02-05

Comments (none posted)

krb5: Buffer Overflow in Kerberos Administration Daemon

Package(s):krb5, heimdal CVE #(s):CAN-2002-1235
Created:October 29, 2002 Updated:January 14, 2003
Description: CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

Systems Affected

  • MIT Kerberos version 4 and version 5 up to and including krb5-1.2.6
  • KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version 0.5.1
  • Other Kerberos implementations derived from vulnerable MIT or KTH code

Overview

Multiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.

The CERT/CC has received reports that indicate that this vulnerability is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002 notes that an exploit is circulating.

We strongly encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.

Alerts:
Gentoo kth-krb-20021026 2002-10-26
Debian DSA-183-1 2002-10-29
Mandrake MDKSA-2002:073 2002-10-29
Sorcerer SORCERER2002-10-27 2002-10-27
Debian DSA-184-1 2002-10-30
Debian DSA-185-1 2002-10-31
Conectiva CLA-2002:534 2002-10-25
Red Hat RHSA-2002:242-06 2002-11-06
Mandrake MDKSA-2002:073-1 2003-01-13

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
SCO Group CSSA-2002-049.0 2002-11-18
Debian DSA-210-1 2002-12-13
Trustix 2002-0085 2002-12-19
Red Hat RHSA-2003:029-06 2003-02-12
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Mandrake MDKSA-2003:023 2003-02-24
Conectiva CLA-2003:720 2003-08-11

Comments (none posted)

Cross-site scripting vulnerability in mhonarc

Package(s):mhonarc CVE #(s):CAN-2002-0738 CAN-2002-1307 CAN-2002-1388
Created:September 11, 2002 Updated:January 3, 2003
Description: Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution.
Alerts:
Debian DSA-163-1 2002-09-09
Debian DSA-199-1 2002-11-19
Debian DSA-221-1 2003-01-03

Comments (none posted)

PHP Remote Compromise/DOS Vulnerability

Package(s):mod_php4 CVE #(s):
Created:July 22, 2002 Updated:February 18, 2003
Description: PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.

According to the CERT Advisory, it seems that almost every Linux distributor ships older (and thus not vulnerable) versions of PHP.

Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2.

For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the PHP team.

CERT Advisory: CA-2002-21 Vulnerability in PHP

Alerts:
SuSE SuSE-SA:2003:0009 2003-02-18

Comments (1 posted)

mod_ssl: cross site scripting problem

Package(s):mod_ssl, libapache-mod-ssl CVE #(s):CAN-2002-1157
Created:October 22, 2002 Updated:December 12, 2002
Description: Joe Orton discovered a cross site scripting problem in mod_ssl, an Apache module that adds strong cryptography (i.e. HTTPS support) to the webserver. The module will return the server name unescaped in the response to an HTTP request on an SSL port.

Like the other recent Apache XSS bugs, this only affects servers using a combination of "UseCanonicalName off" and wildcard DNS. This is very unlikely to happen, though. Apache 2.0/mod_ssl is not vulnerable since it already escapes this HTML.

Alerts:
Debian DSA-181-1 2002-10-22
OpenPKG OpenPKG-SA-2002.010 2002-10-23
Mandrake MDKSA-2002:072 2002-10-24
Gentoo mod_ssl-20021027 2002-10-27
EnGarde ESA-20021029-027 2002-10-29
Conectiva CLA-2002:541 2002-10-30
Red Hat RHSA-2002:222-21 2002-11-25

Comments (none posted)

Mozilla: Privacy leak and other vulnerabilities

Package(s):mozilla CVE #(s):CAN-2002-1126 CAN-2002-1091
Created:November 1, 2002 Updated:February 13, 2003
Description: Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and Galeon, set the document referrer too quickly in certain situations when a new page is being loaded, which allows web pages to determine the next page that is being visited, including manually entered URLs.

Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to corrupt heap memory and execute arbitrary code via a GIF image with a zero width.

See also Mozilla's Recently fixed security issues page.

All users are encouraged to upgrade to this latest stable 1.0.x release of Mozilla.

Alerts:
Mandrake MDKSA-2002:075 2002-10-31
Conectiva CLA-2003:568 2003-02-13

Comments (none posted)

Buffer overflow in nss_ldap

Package(s):nss_ldap CVE #(s):CAN-2002-0825 CAN-2002-0374
Created:October 9, 2002 Updated:December 11, 2002
Description: The nss_ldap package has a buffer overflow which can be exploited when the module configures itself from information in DNS. The problem is fixed in nss_ldap-199 and later.
Alerts:
Red Hat RHSA-2002:175-16 2002-10-03
Gentoo nss_ldap-20021013 2002-10-13
SCO Group CSSA-2002-058.0 2002-12-10

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exist in the mail() PHP function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may turn a script into an open relay if the mail() function is not used carefully in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
Red Hat RHSA-2002:213-06 2002-11-11
Conectiva CLA-2002:545 2002-11-13
EnGarde ESA-20021122-031 2002-11-22
Gentoo 200211-005 2002-11-20
SCO Group CSSA-2003-008.0 2003-03-04

Comments (none posted)

pine: buffer overflow parsing "From:" addresses

Package(s):pine CVE #(s):CAN-2002-1320
Created:November 27, 2002 Updated:January 3, 2003
Description: A malicious user could send a message with a specially crafted "From:" address and cause a segmentation fault on the client. Pine 4.50 fixes this vulnerability (CAN-2002-1320) and several others. Read the full advisory here.
Alerts:
EnGarde ESA-20021127-032 2002-11-27
Gentoo 200212-1 2002-12-02
Mandrake MDKSA-2002:084 2002-12-02
Conectiva CLA-2002:551 2002-12-04
Red Hat RHSA-2002:270-16 2003-01-02

Comments (none posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Debian DSA-159-1 2002-08-28
Debian DSA-159-2 2002-09-09
Conectiva CLA-2002:527 2002-10-01
Gentoo python-20021003 2002-10-03
Trustix 2002-0073 2002-10-17
SCO Group CSSA-2002-045.0 2002-11-14
Mandrake MDKSA-2002:082 2002-11-25
Mandrake MDKSA-2002:082-1 2002-12-09
Red Hat RHSA-2002:202-25 2003-01-21
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-33 2003-02-12

Comments (none posted)

smb2www: arbitrary command execution

Package(s):smb2www CVE #(s):
Created:December 5, 2002 Updated:December 11, 2002
Description: Robert Luberda found a security problem in smb2www, a Windows Network client that is accessible through a web browser. This could lead a remote attacker to execute arbitrary programs under the user id www-data on the host where smb2www is running.
Alerts:
Debian DSA-203-1 2002-12-04

Comments (none posted)

squirrelmail: cross-site scripting vulnerability

Package(s):squirrelmail CVE #(s):CAN-2002-1131 CAN-2002-1132
Created:October 16, 2002 Updated:January 2, 2003
Description: The Squirrelmail web mail package has a cross-site scripting vulnerability; versions 1.2.7 and prior are affected. See the advisory for details.
Alerts:
Red Hat RHSA-2002:204-10 2002-10-09
Debian DSA-191-1 2002-11-07
Debian DSA-191-2 2002-11-07
Gentoo 200212-4 2002-12-15
Debian DSA-220-1 2003-01-02

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04

Comments (1 posted)

tcpdump: buffer overflow

Package(s):tcpdump CVE #(s):
Created:November 20, 2002 Updated:December 19, 2002
Description: A new buffer overflow in the printing of BGP packets could, conceivably, be remotely exploitable.
Alerts:
SCO Group CSSA-2002-050.0 2002-11-19
Debian DSA-206-1 2002-12-10
Trustix 2002-0084 2002-12-19

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
SCO Group CSSA-2001-030.0 2001-08-10
Conectiva CLA-2001:413 2001-08-24
Debian DSA-075-1 2001-08-14
Debian DSA-075-2 2001-08-14
HP HPSBTL0202-023 2002-02-12
Mandrake MDKSA-2001:068 2001-08-13
Mandrake MDKSA-2001:093 2001-12-17
Progeny PROGENY-SA-2001-27 2001-08-14
Red Hat RHSA-2001:099-06 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:100-02 2001-08-09
Slackware sl-997726350 2001-08-09
SuSE SuSE-SA:2001:029 2001-09-03
Yellow Dog YDU-20010810-1 2001-08-10
Yellow Dog YDU-20010810-2 2001-08-10
Gentoo 200410-03 2004-10-05

Comments (none posted)

Tomcat 4.x JSP source code exposure vulnerability

Package(s):tomcat CVE #(s):
Created:September 25, 2002 Updated:January 29, 2003
Description: Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also)". The current version of Tomcat is available here.

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.
Alerts:
Gentoo tomcat-20020925 2002-09-25
Debian DSA-169-1 2002-10-04
Gentoo tomcat-20021015 2002-10-15
Debian DSA-225-1 2002-01-09
Debian DSA-246-1 2003-01-29

Comments (none posted)

traceroute-nanog: buffer overflow and root exploit

Package(s):traceroute-nanog/nkitb CVE #(s):
Created:November 12, 2002 Updated:February 27, 2003
Description: Traceroute is a tool that can be used to track packets in a TCP/IP network to determine their route or to find non-working routers. Traceroute-nanog requires root privilege to open a raw socket. It does not relinquish these privileges after doing so. This allows a malicious user to gain root access by exploiting a buffer overflow at a later point.
Alerts:
SuSE SuSE-SA:2002:043 2002-11-12
Debian DSA-254-1 2003-02-27

Comments (none posted)

webalizer: reverse DNS buffer overflow vulnerability

Package(s):webalizer CVE #(s):
Created:May 21, 2002 Updated:January 27, 2003
Description: The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victim's DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002).
Alerts:
Conectiva CLA-2002:476 2002-04-26
EnGarde ESA-20020423-009 2002-04-23
SCO Group CSSA-2002-036.0 2002-10-22
Red Hat RHSA-2002:254-05 2002-12-04
Yellow Dog YDU-20030127-4 2003-01-27

Comments (none posted)

Webmin/Usermin vulnerabilities

Package(s):webmin CVE #(s):
Created:May 21, 2002 Updated:January 10, 2003
Description: Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

Alerts:
Mandrake MDKSA-2002:033 2002-05-21
Yellow Dog YDU-20020522-7 2002-05-22
SCO Group CSSA-2003-002.0 2003-01-09

Comments (1 posted)

wget: directory traversal bug

Package(s):wget CVE #(s):CAN-2002-1344
Created:December 10, 2002 Updated:October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).

If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine.

See also this Bugtraq article from 1997.

CAN-2002-1344

Alerts:
Red Hat RHSA-2002:229-10 2002-12-04
Mandrake MDKSA-2002:086 2002-12-11
Debian DSA-209-1 2002-12-12
Conectiva CLA-2002:552 2002-12-13
Trustix 2002-0089 2002-12-19
Gentoo