LWN.net Weekly Edition for April 27, 2006

Time to expand the DMCA?

Since it was enacted, the U.S. Digital Millennium Copyright Act (DMCA) has stifled security research, led to the arrest of visiting programmers, shut down fair use, prohibited the creation of free DVD players for Linux, and facilitated anti-competitive moves by manufacturers of printer cartridges and garage door openers, among others. The EFF and others have been pushing for a reform of the DMCA for some time, and the occasional member of Congress has tried to bring that about. The DMCA is a law which clearly needs fixing.

Now, there is a new attempt to amend the DMCA in the works; a copy of the DMCA with the proposed changes highlighted [PDF] is available for those who are interested. This proposal, however, would have the effect of making the DMCA significantly worse. Here are a few highlights:

  • No longer content with criminalizing copyright infringement, the new law would make even attempted infringement illegal - with the same penalties. There would be no need to actually copy anything to violate the new DMCA.

  • The new law authorizes the impounding of "records documenting the manufacture, sale, or receipt of items involved in such violation." Such records certainly will include Internet service provider logs.

  • The penalty for copyright infringement will be raised to a maximum of ten years in prison - twenty for repeat offenses. In the future, rational criminals will not copy CDs; the potential penalty for simply stealing them will be lower. The new ten-year penalty will apply to those committing the heinous crime of recording a live concert as well.

  • The use of wiretapping and similar techniques is authorized for investigations into criminal copyright infringement or recording of live performances.

  • Criminal and civil forfeiture powers would be available to law enforcement agencies dealing with copyright cases.

The addition of forfeiture powers is, perhaps, the scariest part of this whole proposal. Civil forfeiture has long been a part of the U.S. "drug war," with the result that many law enforcement actions - often against innocent people - have been motivated primarily by the prospect of seizing valuable property. If this law goes through, any music player, laptop, or server deemed to have somehow participated in copyright infringement will be subject to seizure by the police - along with the houses they are found in. Anybody who thinks this power would not be abused has not been paying much attention.

As of this writing, the proposed legislation has not yet been formally introduced for consideration, but has been circulated among some members of the House of Representatives.

A different bill which, according to the EFF, has been introduced is the "PERFORM Act." This law can be thought of as a sort of broadcast flag for the net; it would require those broadcasting copyrighted material on the net to use DRM-afflicted formats. No more Vorbis or Theora streams - or even MP3. And, obviously, no way to tune into such streams using free software.

These bills make it clear that the powers behind the expansion of "intellectual property rights" are not yet satisfied and want more. This sort of thing will keep coming, and not just in the U.S. If we value our freedom, we must be prepared to keep fighting - and to work to push the pendulum in the other direction.

The JMRI Project and software patents

April 25, 2006

By Pamela Jones, Editor of Groklaw

[Editor's note: The case of KAM Industries and the JMRI project is an important one; it is one of the first times where a free software developer has been directly attacked by a patent holder and held responsible for royalties for every downloaded copy. If we wish to be able to post software without risking hundreds of thousands of dollars (or more) in royalty demands, we must quickly put an end to this sort of thing. We asked Groklaw founder Pamela Jones to put together a summary of this case and what we can do about it; the following is her response.]

The Right to Create blog has a letter from the attorney, Victoria K. Hall, who is representing Robert Jacobsen, the man who was sent the bill for $203,000 for allegedly infringing patents with his open source model train software. He has struck first, filing a lawsuit himself, Jacobsen v. Katzer et al, charging that the patent was fraudulently obtained and hence is invalid and unenforceable. The complaint also says the patent is invalid on the grounds of obviousness and for failure to meet the written description requirement of 35 U.S.C. Sec. 112.

So, on one side we find an Open Source developer, and, on the other, a guy wielding questionable software patents. Of course, as in all litigation, it's important to keep in mind that nothing is proven by a complaint. It's just the opening salvo, and we haven't yet heard the defendants' side.

Hall is asking the community to look for prior art. Let me tell you a little bit about the case, from the materials in the complaint Jacobsen has filed. It may help you to more effectively find prior art. It will surely motivate you.

The lawsuit

The case is 5:2006cv01905, filed in the US District Court for the Northern District of California, San Francisco Division, for those of you with Pacer accounts. The plaintiff lives there and works at the Lawrence Berkeley National Laboratory of the University of California and he also teaches physics there. He's also a model train hobbyist who has written, with others, open source code called JMRI, or Java Model Railroad Interface, which allows you to control how model trains run on a track. He's the primary developer of the software through the JMRI Project.

Ms. Hall, although located in Maryland, is admitted to practice in California as well as in Maryland state courts and is a patent attorney admitted to practice before the USPTO. Interestingly, she worked in the chemical engineering and software industries for nine years before she went to law school.

The suit is an action for declaratory judgment that Katzer's patent, US Patent No. 6,530,329, called the '329 patent, is "invalid, unenforceable, void and/or not infringed by Plaintiff Jacobsen". What's a declaratory judgment?

Here's US Code Title 28, Ch 151, § 2201, the Declaratory Judgment Act. And here is a definition from Cornell's Legal Information Institute. If someone is threatening to sue you, but hasn't yet, in certain limited circumstances, you can take the initiative rather than waiting for the axe to fall, go to court and in essence say: "This person or this company is threatening to sue me and I need our respective rights with respect to this dispute settled, so this cloud over my or my company's head doesn't ruin my business."

The court doesn't have to hear a request for a declaratory judgment. It has discretion. It's an enabling statute, and your case has to fit into the confines of the Declaratory Judgment Act, namely you have to have an actual "controversy" in the constitutional sense. That means it isn't a hypothetical problem and it isn't moot, meaning, first, that you really have a realistic and reasonable apprehension of actually being sued, and second, that the court can settle your problem with a declaratory judgment. If the judge accepts the dispute, he can issue a declaratory judgment, in which he "declares" what each party's rights are, the idea being that if, for example, he declares that you aren't infringing your adversary's patent, then you can't be sued.

Mr. Jacobsen's complaint is also a complaint for "violation of federal antitrust laws, the Lanham Act, and California Unfair Competition Act and for libel." The Complaint asks for a decree that the defendants Katzer and his company "have attempted to monopolize the market for multi-train control systems software in the United States" in violation of Section 2 of the Sherman Act.

The defendants

The named defendants are Matthew Katzer, KAMIND Associates, Inc. d/b/a KAM Industries, and Kevin Russell. Katzer is a model train hobbyist who has written software code for controlling model trains and is an expert in the field. He has several patents, and the complaint states that Jacobsen believes there are more pending. KAM is Katzer's business, selling products embodying Katzer's patents.

Here's the surprising twist. The third defendant, Kevin Russell, is their lawyer. He works for a firm in Oregon, Chernoff, Vilhauer, McClung & Stenzel. He's now accused of libel, and the court is asked to find against the defendants, jointly and severally, to the tune of $50,000 plus punitive damages.

Russell filed a request under the U.S. Freedom of Information Act with the Lawrence Berkeley National Laboratory, not only accusing Jacobsen of patent infringement, but claiming that the Lab "had sponsored the allegedly infringing JMRI Project's activities." The DOE turned down the request in December of 2005, but not before Jacobsen was embarrassed and had to explain the whole "harassment story," as he describes it, to his boss and the DOE FOIA liaison. The complaint also says it interfered with his work, resulting in a loss of income. The FOIA request, Jacobsen says, caused him embarrassment, particularly because he's "a scientist whose work involves the creation of intellectual property." The complaint continues, saying that Russell knew that the Lab, which has a contract with the U.S. Department of Energy, has nothing to do with the JMRI Project. The defendants made the allegation, says the complaint, "to effect Defendants' goal to embarrass Plaintiff Jacobsen and force him to shut down the JMRI Project and to pay royalties to Defendant KAM."

The patent

According to Jacobsen, the basis for claiming that the patent is not valid is the defendant's history of applying for patents on what others invent without telling the patent office about the prior art. Another charge is that Katzer didn't tell the patent office that some of KAM's products "were in public use, published, offered for sale or sold more than 1 year before Defendant Katzer filed the '461 application," which would disqualify them for patent protection. The patent in question, '329, claims the benefit of earlier patent applications' filing dates, '461 being the earliest filed in the chain that '329 issues from.

The complaint lists prior art dating back to 1986 that it says Katzer ought to have told the USPTO about, since the complaint alleges he knew about it. For example, in late March of 2002, the story continues, the JMRI Project software's client-server capabilities were described in a posting to a public mailing list which Katzer is on. Then, on April 14, 2002, the first version of JMRI with the new capabilities was released for public download and announced on several mailing lists and on the JMRI website. "Three days later, Defendant Katzer filed a patent application tailored to claim the capabilities of the JMRI Project software." Again, the Complaint says, Katzer didn't tell the patent examiner about the JMRI Project.

Jacobsen says he received a letter from KAM in March of 2005, offering to license for $19 per program installed on a computer, saying that JMRI was infringing claim 1 of the '329 patent. Jacobsen says he wrote a letter back asking exactly how he was infringing, and his answer was a letter in August, saying that he was infringing claim 1 and that they were now investigating to see if any other patents were infringed by JMRI. Oh, and the price to license was now $29. The letter also demanded $203,000 for the 7,000 copies already distributed. In October came a bill with finance charges, so the total had risen to more than $206,000. He's gotten bills roughly every month since.

Jacobsen is about to release a new version of his software, and that's why he's asking the Court to bring resolution to the matter, because he believes the defendants will sue him when he releases the new version. He's also asking for redress.

The request

Aside from the declaratory judgments, the antitrust decree, and the libel damages, the Plaintiff is asking for the following:

  • An injunction ordering Defendant Katzer to identify all patents and patent applications filed in the United States and throughout the world, to produce to their respective patent offices all material references discovered through this litigation, and to request re-examination (or the nearest equivalent proceeding outside the U.S.) of any patents issuing from the patent applications.

  • An award of treble damages for the loss of income and other property on the antitrust claim.

  • A decree that Defendants Katzer and KAM have engaged in unlawful, unfair and/or fraudulent business practices in violation of the California Unfair Competition Act, California Business and Professions Code, and an order enjoining them from any future such conduct.

  • An order finding that Katzer cybersquatted on the trademarked name, www.decoderpro.com in violation of the Lanham Act and requiring him to turn the domain name over to Plaintiff Jacobsen.

  • An order enjoining Defendant Katzer and Defendant KAM, and all persons and entities under their direction or control, from engaging in or carrying out any further anti-competitive or bad faith conduct.

  • An order referring the matter to the U.S. Attorney's Office for investigation into antitrust violations, perjury, mail fraud, and cancellation proceedings against any patents involved in this litigation, and any related patents.

  • An order awarding costs and attorney's fees as permitted by law, including 35 U.S.C. Section 285.

What you can do

Ms. Hall in her letter asks that no one harass the defendants "through calls, letters, faxes, emails, etc. It does NOT advance the case in Mr. Jacobsen’s favor." What does help is to find prior art. Groklaw just published a basic tutorial on prior art, Prior Art and Its Uses - a Primer, by a patent attorney, Theodore C. McCullough. It might help you.

Here is what Ms. Hall is asking for:

The key date is prior art existing before June 24, 1998, and more importantly, prior art existing before June 24, 1997. The prior art that we are looking for is:

  • A patent or printed publication that described the invention. Source can be from anywhere in the world.

  • Evidence of public use, offer for sale, or sale in the United States. (If it’s from outside the U.S., please make a note and send it so we can follow up.)

  • Evidence of another person inventing the same thing in the U.S. – the invention must not have been suppressed, concealed or abandoned.

  • If the evidence is not the exact invention, then any information (in addition to the evidence) suggesting that the evidence could be combined with something else to successfully make the invention.

Here's her contact information, if you do find prior art. Snail mail is the best, she says. I can't help but point out that had the Peer to Patent Project mentioned in McCullough's article been in place a few years ago, these patents might well have been blocked before they issued, and all this woe could have been prevented. If nothing else, this incident can help us to understand what projects like that are designed to address.

So, there you have the information and the tools to get started searching for prior art. Happy hunting.

Learning the lesson: open content licensing

April 26, 2006

This article was contributed by Glyn Moody

As the previous feature on open content noted, the need for an appropriate license was felt from the earliest days. Strangely, it was not Richard Stallman who filled this gap: even though the GNU General Public License dates back to 1984, it was only in 2000 that the corresponding GNU Free Documentation License was created. As a result, the honor for the creation of the first formal non-software open license goes to David Wiley.

In the summer of 1998, Wiley had joined the graduate program in Instructional Psychology and Technology at Brigham Young University, where he began doctoral work on “learning objects” - small-scale, reusable computer-based educational materials designed to be used in a variety of settings. This was just a couple of months after the term “open source” had been devised at the Freeware Summit, and Wiley realized that what was needed was a kind of open source for instructional content.

He contacted people like Richard Stallman and Eric Raymond to ask their advice, and drew up his first license in July 1998. Wiley decided to call his approach “open content” - a term which he seems to have been the first to use consistently. For Stallman, the idea of “open” as opposed to “free” is anathema, and he also refuses to refer to works as “content”, so ultimately he wanted nothing to do with this new “OpenContent License”, even though he and Wiley had previously worked together in an attempt to tweak the GNU GPL for content. Raymond, by contrast, was an important influence on the fledgling open content idea, as the following passage from the newly-created Opencontent.org site indicates:

OpenContent advocates adoption of the principles Eric S. Raymond outlines in his essay “The Cathedral and the Bazaar” for use in the development of Content. ... The Bazaar model for Content development will bring these same benefits to online instructional content; namely the creativity, expertise, and problem-solving power of a potentially infinite team of instructional designers and subject matter experts. A development effort of this kind will fill the Internet with high quality, well-maintained, frequently updated Content.

More input was provided by Tim O'Reilly and Andy Oram, making the license more palatable to publishers so that online versions of printed books and journals could be distributed for free. The result was the Open Publication License (OPL), released in June 1999. Appropriately enough, Raymond's “Cathedral and the Bazaar” was released under the OPL (as was his “Brief History of Hackerdom”). A number of other books, mostly in the field of computing, adopted the license, including GTK+/Gnome Application Development by Havoc Pennington, and Grokking the GIMP, by Carey Bunks. It was also adopted for Bruce Perens' Open Source Series, published by Prentice Hall.

Although the OPL led to a modest increase in open content being made available, the license still had some problems. One was that it came in four versions – OPL, OPL-A, OPL-B and OPL-AB - according to which, if any, of two optional clauses were included. These dealt with the thorny issues of “substantively modified works” and whether the work or derivatives of it could be published in book form for commercial purposes. The combinations obviously made it harder to be sure what exactly an OPL license permitted, and meant that users were forced to refer to the license to find out what their rights were. What was needed was some legal input to produce a series of open content licenses that clearly delineated what could and could not be done with them.

Fortunately, in the second half of the 1990s, a group of lawyers were becoming increasingly interested in the interrelated issues of copyright, intellectual property, digital content and the public domain. Pioneers here include Pamela Samuelson, James Boyle and Yochai Benkler. But the person who has become most closely associated with this whole area is undoubtedly Larry Lessig.

He rose to prominence with his book “Code and other laws of Cyberspace”, which asserted that the Net's software codes necessarily implied legal codes. From this early interest in architectures and their growing power to affect everyday life, Lessig's focus gradually shifted back to the legal domain, where he sought to counter the threats posed by the music and film industries to the new creative possibilities opened up by the Net.

His first attempt at a solution was the creation of Copyright's Commons in 1999, “a coalition devoted to promoting the public availability of literature, art, music, and film.” Its principal instrument was the use of what it called “counter-copyright”, which “strips away the exclusivity that a copyright provides and allows others to use your work as a source or a foundation for their own creative ideas. The counter-copyright initiative is analogous to the idea of open source in the software context.”

When Copyright's Commons became involved in the Eldred vs. Ashcroft lawsuit – which tried to block the extension of US copyright by 20 years - it also pioneered what it called “openlaw”, where legal arguments were posted online for open discussion.

It was Lessig who argued the Eldred vs. Ashcroft case in court – and lost, much to his chagrin. A more positive outcome from this work was the creation of a second, more ambitious, organization called Creative Commons, and the drawing up of a series of formal open content licenses. Like Wiley's Open Publication license, these Creative Commons licenses allow several options. While this lends them great flexibility, it also means that there is now a confusing array of Creative Commons licenses. Indeed, Richard Stallman no longer supports the Creative Commons project because not all of these licenses meet his requirements for freedom.

Despite Stallman's concerns, there is no doubt that the Creative Commons licenses have transformed the open content scene. They offer creators a range of rigorous licenses that have been drawn up by lawyers with a deep understanding of the issues of copyright in the Net age. An important recent court case in the Netherlands has confirmed their legality, at least in that jurisdiction.

Wiley's original licenses were created for educational materials, and among the first applications of the Creative Commons licenses were two major open content projects in the field of what has come to be called open courseware, both funded by the Hewlett Foundation. Just as open source avoids re-inventing the wheel by building on existing code, so open courseware aims to save time, effort and money by making educational material freely available for others to re-use, extend and improve.

The first such project, Connexions, came from Rice University. It was the brainchild of Richard Baraniuk, professor of electrical engineering, who was directly inspired by the example of open source. Connexions uses a content creation platform called Rhaptos, which is released under the GNU GPL. The other major open courseware project came from MIT. One of the people behind the OpenCourseWare idea – which arose out of an earlier failed attempt to make money from selling MIT courses online – was Hal Abelson, who is also one of the founders of Creative Commons. This joint involvement simplified the issue of licensing, something that was a major issue for Rice initially, until it too adopted a Creative Commons license.

MIT does not use an open source platform, but David Wiley has started a project called eduCommons, based on Plone, that offers this facility. Another of his free software projects, called Open Learning Support, and now part of eduCommons, provides Rice's Connexions and MIT's OpenCourseWare with online discussion boards. Baraniuk, for his part, is working on a range of ancillary open source software, including systems to aid translation, and a rating system for courses. It is also worth mentioning the free software course management package Moodle, which is widely used around the world, and Sakai, a similar project, funded by the Hewlett Foundation.

Although both Connexions and OpenCourseWare allow course materials to be modified, they do not make any provision in their platforms for true collaborative development. The final article in this short series will explore how this issue has been addressed by open content projects.

Glyn Moody writes about open source and open content at opendotdotdot.

Page editor: Jonathan Corbet

Security

A flurry of kernel security fixes

April 26, 2006

This article was contributed by Jake Edge.

Over the last month, there have been eleven separate releases in the 2.6.16 stable kernel series, seven of which were single-patch releases for security related issues. This flurry of security fixes would make one think that there was a concerted effort by an individual or organization to try and find kernel security problems, but that is not the case. It is entirely coincidental that all of these fixes came about at around the same time.

A chronological look at each of these fixes gives a nice picture of the diverse places that kernel developers are looking for bugs in general and security bugs in particular.

Roughly a week after the original 2.6.16 release, the 2.6.16.1 release contained 19 patches, including one that fixed CVE-2006-1242. Code had been put into the kernel in the 2.4 series to stop leaking information in the form of fragment IDs in TCP packets that did not require them. Packets that have the DF (don't fragment) bit set do not need a fragment ID, and eliminating that information is a countermeasure to a technique called idle scanning. Unfortunately, when the original change was made, the response to one kind of packet (the SYN-ACK) was missed; the omission was discovered in March.

The 2.6.16.2 release came out on 7 April and had quite a few fixes, including a change to the sysfs interface covered by LWN two weeks ago.

On the 11th and 12th of April, there were 3 releases, each of which included just one security fix. 2.6.16.3 is a fix for a bug that would allow a user to oops the kernel by passing invalid arguments to the keyctl utility (CVE-2006-1522). If the user specified a key as the target for an "add key" operation, rather than a keyring, an invalid dereference in the kernel would result.

A call to BUG_ON() in the __group_complete_signal() function (which is part of the RCU signal handling code) "has unknown impact and attack vectors" and was patched as 2.6.16.4. If a user process could cause the condition in the BUG_ON call, it could oops the kernel and lead to a denial of service. (CVE-2006-1523).

A difference in the way Intel and AMD 64-bit CPUs handle non-canonical return addresses led to the 2.6.16.5 release. The Intel CPU reports the exception on the SYSRET instruction, which causes the kernel exception handler to run using the user stack (CVE-2006-0744). Kernel processing on a user-created stack would seem rife with opportunities for exploitation.

The 2.6.16.6 release came out a week later with another long list of patches, two of which have security implications. The m32r architecture had a bug in the get_user and put_user macros, which did not check the address passed to them; this would allow access outside of the process's address space.

A more widespread issue was addressed with a patch in this release and then fixed in the 2.6.16.7 release later in the day. The MADV_REMOVE vulnerability (CVE-2006-1524) has been present in kernels since 2.4 and allows local users to potentially bypass the access restrictions on a read-only attachment of shared memory. The user process could call mprotect() and gain write permission on a piece of memory even though the memory was explicitly set to be read-only when shared via the shared memory IPC mechanism.
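As an added regression check (not code from the article, the kernel, or any of the patches it describes), this program asks the running kernel to upgrade three read-only shared mappings to PROT_WRITE: a SysV segment attached with SHM_RDONLY, the case fixed in 2.6.16.7, plus a MAP_SHARED mapping of a read-only descriptor and one of a read-write descriptor as references. On a fixed kernel the first two are refused with EACCES and only the third is granted; the scratch file path under /tmp is an assumption.

```c
/* Added check, not code from the article or the kernel patches it covers:
 * does the running kernel refuse to let mprotect() turn a read-only shared
 * mapping into a writable one (the CVE-2006-1524 class of bug)? */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#include <unistd.h>

/* Outcome of one probe. */
enum probe_result {
    PROBE_UPGRADED    = 0,   /* mprotect() succeeded: the mapping became writable */
    PROBE_REFUSED     = 1,   /* mprotect() failed with EACCES: correct for read-only */
    PROBE_UNAVAILABLE = -1   /* the mapping could not be set up in this environment */
};

/* Ask the kernel to add PROT_WRITE to a mapping established with PROT_READ.
 * It grants this only if the VMA carries VM_MAYWRITE, i.e. the object behind
 * the mapping was writable by the caller when the mapping was created. */
static int try_upgrade(void *addr, size_t len)
{
    if (mprotect(addr, len, PROT_READ | PROT_WRITE) == 0)
        return PROBE_UPGRADED;
    return errno == EACCES ? PROBE_REFUSED : PROBE_UNAVAILABLE;
}

/* Probe 1: the case the article describes. Attach a SysV shared-memory segment
 * with SHM_RDONLY and try to make the attachment writable; before 2.6.16.7 the
 * kernel wrongly allowed this. */
int probe_shm_rdonly(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int id = shmget(IPC_PRIVATE, len, IPC_CREAT | 0600);
    if (id < 0)
        return PROBE_UNAVAILABLE;           /* no SysV IPC here (e.g. sandboxed) */
    void *addr = shmat(id, NULL, SHM_RDONLY);
    shmctl(id, IPC_RMID, NULL);             /* freed once the last attachment goes */
    if (addr == (void *)-1)
        return PROBE_UNAVAILABLE;
    int r = try_upgrade(addr, len);
    shmdt(addr);
    return r;
}

/* Probes 2 and 3: reference behaviour with mmap(). A MAP_SHARED mapping of a
 * descriptor opened O_RDONLY must refuse the upgrade; a PROT_READ mapping of
 * an O_RDWR descriptor may legitimately be upgraded, since writing was allowed. */
static int probe_mmap(int reopen_rdonly)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/mprotect-check-XXXXXX";  /* scratch file, unlinked below */
    int fd = mkstemp(path);
    if (fd < 0)
        return PROBE_UNAVAILABLE;
    if (ftruncate(fd, (off_t)len) != 0) {
        unlink(path);
        close(fd);
        return PROBE_UNAVAILABLE;
    }
    if (reopen_rdonly) {
        int rofd = open(path, O_RDONLY);    /* same file, read-only descriptor */
        close(fd);
        fd = rofd;
    }
    unlink(path);
    if (fd < 0)
        return PROBE_UNAVAILABLE;
    void *addr = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);                              /* the mapping holds its own reference */
    if (addr == MAP_FAILED)
        return PROBE_UNAVAILABLE;
    int r = try_upgrade(addr, len);
    munmap(addr, len);
    return r;
}

int probe_mmap_rdonly_fd(void) { return probe_mmap(1); }
int probe_mmap_rdwr_fd(void)   { return probe_mmap(0); }

static const char *describe(int r)
{
    if (r == PROBE_REFUSED)  return "refused with EACCES";
    if (r == PROBE_UPGRADED) return "mprotect() granted PROT_WRITE";
    return "could not be tested in this environment";
}

int main(void)
{
    printf("SHM_RDONLY attachment     : %s (expected: refused)\n", describe(probe_shm_rdonly()));
    printf("MAP_SHARED of O_RDONLY fd : %s (expected: refused)\n", describe(probe_mmap_rdonly_fd()));
    printf("MAP_SHARED of O_RDWR fd   : %s (expected: granted)\n", describe(probe_mmap_rdwr_fd()));
    return 0;
}
```

If SysV IPC is not available where the program runs (some sandboxes deny it), the first probe reports "could not be tested" rather than a false pass or fail.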

Prior to 2.6.16.8, the kernel was vulnerable to users causing a kernel panic by requesting a route for a multicast IP address (CVE-2006-1525). Using a simple 'ip' command from the shell would cause a null pointer dereference in ip_route_input and panic the kernel. This is another example of a local denial of service vulnerability.

2.6.16.9 patches a problem that affected both Linux and FreeBSD kernels running on AMD processors which would allow a malicious process running on the same CPU to determine portions of the state of floating point instructions in a target process. AMD had some comments on the bug and provided some background information on why they chose to implement the FXRSTOR and FXSAVE instructions differently than they are implemented in Intel processors. Essentially, these two instructions do not save and restore all of the same registers as Intel does, and this allows information to leak from one process to another. The patch ensures that the floating point state is constant between context switches on affected processors. (CVE-2006-1056)

Last on our tour of kernel security fixes is a patch made in 2.6.16.11 and released on Monday that disallows backslashes in path components unless POSIX paths have been negotiated. This change is for the CIFS (aka Samba) filesystem code; one can only imagine the kinds of havoc one could cause by putting backslashes (the standard Windows path separator) into CIFS paths. This bug is CVE-2006-1863, but the CVE database just shows a placeholder page for that number at the time of this writing.

Observant readers will have noticed that we skipped over 2.6.16.10 as it was a release with quite a few patches, none of which were noted as being security related.

As this laundry list of issues shows, there are a wide variety of places that kernel bugs can impact security, but the many eyes of kernel developers seem to be finding and fixing them. This process plays out in the open and that can give competitors ammunition to claim that Linux is less secure than certain proprietary systems. Reasonable people would more likely come to the conclusion that Linux developers are much more interested in finding these issues and fixing them. The kernel community has no interest in hiding vulnerabilities or playing games with security patch descriptions to make the OS look more secure. PR considerations just do not seem to be on the radar of the technical contributors and that is just as it should be.

New vulnerabilities

abc2ps: buffer overflows

Package(s): abc2ps abcmidi
CVE #(s): CVE-2006-1513 CVE-2006-1514
Created: April 25, 2006
Updated: April 26, 2006
Description: Erik Sjölund discovered that abc2ps, a translator for ABC music description files into PostScript, does not check the boundaries when reading in ABC music files resulting in buffer overflows.

The abcmidi-yaps utility suffers from similar problems.

Alerts:
Debian DSA-1043-1 2006-04-26
Debian DSA-1041-1 2006-04-25

beagle: command line injection

Package(s): beagle
CVE #(s): (none assigned)
Created: April 21, 2006
Updated: April 26, 2006
Description: Chris Evans discovered that while indexing, Beagle will build certain command lines in an insecure manner. When Beagle executes external helper applications, it is possible to cause beagle to execute arbitrary commands as the user running beagle.
Alerts:
Fedora FEDORA-2006-440 2006-04-21

ethereal: multiple vulnerabilities

Package(s): ethereal
CVE #(s): CVE-2006-1937 CVE-2006-1933 CVE-2006-1932 CVE-2006-1935 CVE-2006-1934 CVE-2006-1938 CVE-2006-1939 CVE-2006-1940 CVE-2006-1936
Created: April 25, 2006
Updated: May 12, 2006
Description: There are multiple vulnerabilities in Ethereal version up to 0.10.14, including various dissector crashes and an off-by-one error in the OID printing routine.
Alerts:
SuSE SUSE-SR:2006:010 2006-05-12
Red Hat RHSA-2006:0420-01 2006-05-03
Debian DSA-1049-1 2006-05-02
Gentoo 200604-17 2006-04-27
Mandriva MDKSA-2006:077 2006-04-25
Fedora FEDORA-2006-461 2006-04-26
Fedora FEDORA-2006-456 2006-04-25

fbida: insecure temporary file creation

Package(s): fbida
CVE #(s): CVE-2006-1695
Created: April 24, 2006
Updated: May 22, 2006
Description: The fbgs script in the fbi package 2.01-1.4, when the TMPDIR environment variable is not defined, allows local users to overwrite arbitrary files via a symlink attack on temporary files in /var/tmp/fbps-[PID].
Alerts:
Debian DSA-1068-1 2006-05-20
Gentoo 200604-13 2006-04-23

kernel: multiple vulnerabilities

Package(s): kernel
CVE #(s): CVE-2006-1056 CVE-2006-1525 CVE-2006-1524 CVE-2006-0744 CVE-2006-1522 CVE-2006-1055
Created: April 20, 2006
Updated: May 4, 2006
Description: Multiple kernel vulnerabilities have been fixed, including an x87 information leak between processes, an ip_route_input panic, a MADV_REMOVE vulnerability, an mprotect write permission problem, insecure MPBL0010 driver sysfs permissions, an x86_64 force IRET issue, RCU signal handling, a key addition oops, a sysfs write buffer issue and more.
Alerts:
Ubuntu USN-281-1 2006-05-04
Trustix TSLSA-2006-0022 2006-04-21
Fedora FEDORA-2006-423 2006-04-20
Fedora FEDORA-2006-421 2006-04-19

Comments (none posted)

php: several vulnerabilities

Package(s):php CVE #(s):CVE-2006-0996 CVE-2006-1494 CVE-2006-1608
Created:April 25, 2006 Updated:May 24, 2006
Description: There are several vulnerabilities in PHP v5.1.2 and earlier.
  • A cross-site scripting (XSS) vulnerability in phpinfo (info.c) allows remote attackers to inject arbitrary web script or HTML via long array variables. (CVE-2006-0996)
  • A directory traversal vulnerability in file.c allows local users to bypass open_basedir restrictions and allows remote attackers to create files in arbitrary directories via the tempnam function. (CVE-2006-1494)
  • The copy function in file.c allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI. (CVE-2006-1608)
Alerts:
Red Hat RHSA-2006:0501-02 2006-05-23
Fedora FEDORA-2006-289 2006-05-16
Gentoo 200605-08 2006-05-08
SuSE SUSE-SA:2006:024 2006-05-05
Red Hat RHSA-2006:0276-01 2006-04-25
Mandriva MDKSA-2006:074 2006-04-24

Comments (none posted)

ruby1.8: denial of service

Package(s):ruby1.8 CVE #(s):CVE-2006-1931
Created:April 24, 2006 Updated:May 10, 2006
Description: The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data.
Alerts:
Gentoo 200605-11 2006-05-10
Red Hat RHSA-2006:0427-01 2006-05-09
Mandriva MDKSA-2006:079 2006-04-25
Ubuntu USN-273-1 2006-04-24

Comments (none posted)

xzgv: heap overflow

Package(s):xzgv CVE #(s):CVE-2006-1060
Created:April 21, 2006 Updated:June 12, 2006
Description: Andrea Barisani of Gentoo Linux discovered that xzgv and zgv allocate insufficient memory when rendering images with more than 3 output components, such as images using the YCCK or CMYK colour space. When xzgv or zgv attempt to render such an image, data from the image overruns a heap-allocated buffer.
Alerts:
Gentoo 200604-10:02 2006-04-21
Debian DSA-1038-1 2006-04-22
Debian DSA-1037-1 2006-04-21
Gentoo 200604-10 2006-04-21

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2005-3352
Created:December 14, 2005 Updated:May 10, 2006
Description: Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details.
Alerts:
Slackware SSA:2006-129-01 2006-05-10
SuSE SUSE-SR:2006:004 2006-02-24
Fedora-Legacy FLSA:175406 2006-02-18
Gentoo 200602-03 2006-02-06
Fedora FEDORA-2006-052 2006-01-20
Red Hat RHSA-2006:0158-01 2006-01-17
Ubuntu USN-241-1 2006-01-12
Trustix TSLSA-2005-0074 2005-12-23
Mandriva MDKSA-2006:007 2006-01-05
Red Hat RHSA-2006:0159-01 2006-01-05
OpenPKG OpenPKG-SA-2005.029 2005-12-14

Comments (none posted)

blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
Alerts:
Debian-Testing DTSA-29-1 2006-06-15
Debian DSA-1039-1 2006-04-24
Gentoo 200601-08 2006-01-13
Ubuntu USN-238-2 2006-01-06
Ubuntu USN-238-1 2006-01-06

Comments (none posted)

bsdgames: buffer overflow

Package(s):bsdgames CVE #(s):CVE-2006-1744
Created:April 17, 2006 Updated:April 19, 2006
Description: A buffer overflow problem has been discovered in sail, a game contained in the bsdgames package (a collection of classic textual Unix games), which could lead to an escalation of privileges to the games group.
Alerts:
Debian DSA-1036-1 2006-04-17

Comments (none posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack on a file while it is being decompressed, since bzip2 changes the file's permissions after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Gentoo 200608-27 2006-08-29
Debian DSA-1088-1 2006-06-03
Debian DSA-1083-1 2006-05-31
Gentoo 200512-11 2005-12-20
Debian-Testing DTSA-23-1 2005-12-05

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

crossfire: arbitrary code execution

Package(s):crossfire CVE #(s):CVE-2006-1010
Created:March 14, 2006 Updated:April 24, 2006
Description: It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in "oldsocketmode", which may lead to the execution of arbitrary code.
Alerts:
Gentoo 200604-11 2006-04-22
Debian DSA-1001-1 2006-03-14

Comments (none posted)

curl: heap-based buffer overflow

Package(s):curl CVE #(s):CVE-2006-1061
Created:March 21, 2006 Updated:June 28, 2006
Description: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.
Alerts:
OpenPKG OpenPKG-SA-2006.012 2006-06-28
Trustix TSLSA-2006-0016 2006-03-24
Gentoo 200603-19 2006-03-21
Fedora FEDORA-2006-189 2006-03-21

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dia: buffer overflows

Package(s):dia CVE #(s):CVE-2006-1550
Created:April 3, 2006 Updated:May 3, 2006
Description: Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user's privileges.
Alerts:
Red Hat RHSA-2006:0280-01 2006-05-03
Gentoo 200604-14 2006-04-23
Fedora FEDORA-2006-261 2006-04-05
Mandriva MDKSA-2006:062 2006-04-03
Ubuntu USN-266-1 2006-04-03

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security-relevant problems in enscript, a program to convert ASCII text into PostScript and other formats. Unsanitized input can cause the execution of arbitrary commands via the EPSF pipe support. Because filenames are not sanitized, a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

fcheck: insecure temporary file

Package(s):fcheck CVE #(s):CVE-2006-1753
Created:April 17, 2006 Updated:April 19, 2006
Description: Steve Kemp from the Debian Security Audit project discovered that a cronjob contained in fcheck, a file integrity checker, creates a temporary file in an insecure fashion.
Alerts:
Debian DSA-1035-1 2005-04-15

Comments (none posted)

fetchmail: multidrop bug

Package(s):fetchmail CVE #(s):CVE-2005-4348
Created:December 20, 2005 Updated:May 27, 2006
Description: Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode.
Alerts:
rPath rPSA-2006-0084-1 2006-05-26
Fedora-Legacy FLSA:164512 2006-05-12
Slackware SSA:2006-045-01 2006-02-15
Debian DSA-939-1 2006-01-13
Ubuntu USN-233-1 2006-01-02
Mandriva MDKSA-2005:236 2005-12-23
Fedora FEDORA-2005-1187 2005-12-20
Fedora FEDORA-2005-1186 2005-12-20

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla CVE #(s):CVE-2006-0749 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742
Created:April 14, 2006 Updated:June 9, 2006
Description: There are multiple vulnerabilities in Firefox and related products including Thunderbird, SeaMonkey and the Mozilla Suite. This CERT Advisory contains additional information.
Alerts:
Ubuntu USN-296-1 2006-06-09
Fedora-Legacy FLSA:189137-2 2006-06-06
Fedora-Legacy FLSA:189137-1 2006-06-06
Gentoo 200605-09 2006-05-08
Slackware SSA:2006-123-02 2006-05-04
Fedora FEDORA-2006-494 2006-05-03
Fedora FEDORA-2006-493 2006-05-03
Fedora FEDORA-2006-491 2006-05-03
Fedora FEDORA-2006-490 2006-05-03
Fedora FEDORA-2006-487 2006-05-03
Fedora FEDORA-2006-495 2006-05-03
Fedora FEDORA-2006-492 2006-05-03
Fedora FEDORA-2006-486 2006-05-03
Fedora FEDORA-2006-489 2006-05-03
Fedora FEDORA-2006-488 2006-05-03
Ubuntu USN-276-1 2006-05-03
Slackware SSA:2006-120-01 2006-05-01
Gentoo 200604-18 2006-04-28
Mandriva MDKSA-2006:078 2006-04-25
Mandriva MDKSA-2006:076 2006-04-25
Debian DSA-1044-1 2006-04-26
SuSE SUSE-SA:2006:022 2006-04-25
Mandriva MDKSA-2006:075 2006-04-24
Slackware SSA:2006-114-01 2006-04-25
Gentoo 200604-12 2006-04-23
Red Hat RHSA-2006:0330-01 2006-04-21
SuSE SUSE-SA:2006:021 2006-04-20
Ubuntu USN-271-1 2006-04-19
Fedora FEDORA-2006-411 2006-04-18
Fedora FEDORA-2006-410 2006-04-18
Red Hat RHSA-2006:0329-01 2006-04-18
Slackware SSA:2006-107-01 2006-04-17
Red Hat RHSA-2006:0328-01 2006-04-14

Comments (1 posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

freeradius: authentication bypass

Package(s):freeradius CVE #(s):CVE-2006-1354
Created:March 24, 2006 Updated:June 5, 2006
Description: An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.
Alerts:
Debian DSA-1089-1 2006-06-03
Mandriva MDKSA-2006:066 2006-04-05
Gentoo 200604-03 2006-04-04
Red Hat RHSA-2006:0271-01 2006-04-04
SuSE SUSE-SA:2006:019 2006-03-28
Mandriva MDKSA-2006:060 2006-03-23

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gnupg: incorrect signature verification

Package(s):gnupg CVE #(s):CVE-2006-0049
Created:March 13, 2006 Updated:May 15, 2006
Description: Another vulnerability has been found in GnuPG. "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data."
Alerts:
Fedora-Legacy FLSA:185355 2006-05-12
Trustix TSLSA-2006-0014 2006-03-20
Red Hat RHSA-2006:0266-01 2006-03-15
Slackware SSA:2006-072-02 2006-03-14
Fedora FEDORA-2006-147 2006-03-13
Mandriva MDKSA-2006:055 2006-03-13
Ubuntu USN-264-1 2006-03-13
Debian DSA-993-2 2006-03-13
Gentoo 200603-08 2006-03-10
Debian DSA-993-1 2006-03-10

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with the user's privileges if zgrep is run in an untrusted directory containing specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Fedora-Legacy FLSA:190941 2006-06-06
Red Hat RHSA-2006:0267-01 2006-04-25
Debian DSA-965-1 2006-02-06
Mandriva MDKSA-2006:020 2006-01-25
SuSE SUSE-SA:2005:070 2005-12-20
Gentoo 200512-04 2005-12-12
Ubuntu USN-221-1 2005-12-01

Comments (none posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu instant messaging client), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others, e.g. Sparc, it leads to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening the image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP-driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to the web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

mailman: denial of service

Package(s):mailman CVE #(s):CVE-2006-0052
Created:March 30, 2006 Updated:June 9, 2006
Description: Mailman 2.1.5 and below has a denial of service vulnerability in the Scrubber.py script. If a maliciously created message in MIME multipart format is received, mailman delivery can be stopped.
Alerts:
Red Hat RHSA-2006:0486-01 2006-06-09