LWN.net Logo

LWN.net Weekly Edition for June 1, 2006

Ubuntu Dapper and the distribution business

Ubuntu's "Dapper Drake" release - more prosaically known as "6.06 LTS" - is due on June 1, and may well be available by the time you read this article. A distribution release is not a particularly rare occurrence in the Linux community, but there are a couple of things about Dapper which are just a little bit unusual and worthy of note.

The "LTS" in this release's name stands for "long term support"; this distribution comes with a promise of security updates for five years (on server systems) or three years (on desktop systems). Exactly how that distinction will be made is not entirely clear; one assumes that, for example, graphical mail clients will go unsupported in June, 2009, while mail transfer agents will continue to get updates into 2011. That is the longest credible support promise ever made for a free distribution, and it may change the commercial landscape in interesting ways.

There are many situations where the deployment of a Linux system makes a great deal of sense. In many of those, one wishes to start with reasonably current software, but to not have to worry much about upgrades for a long time thereafter. Web servers, print servers, database servers, kiosks, point of sale systems, and more all fall into this category. Once the system works, any sort of software change offers downtime and the risk of problems, but little in the way of advantages - except, of course, for security fixes. Anybody planning such a deployment must consider how the system will be supported and kept secure through its operating life. In recent years, the available choices have fallen into these categories:

  • An entirely free distribution (Fedora, Debian, OpenSUSE, etc.) can be used. The price is right, and the quality of the software tends to be high. The support window for these distributions tends to be short, and, for some of them, unpredictable. Keeping a Fedora Core system secure can involve upgrades twice a year - not an appealing option for a system which is supposed to be stable and "just work."

  • The "Enterprise" offerings from Red Hat and Novell come with long support promises; there are, undoubtedly, still plenty of systems running 2.4.9 kernels on RHEL 2 with uninterrupted support. These services can be expensive, however. For many customers, a support subscription is easily justified and worth every penny. But others will find that cost hard to swallow.

    Some try to get the best of both worlds through enterprise clone distributions like CentOS. By all accounts, the CentOS team has done a top-quality job with its distribution, but anybody contemplating a long-term deployment will have to be convinced of the project's long-term future and be able to overcome qualms (if any) about free-riding on the enterprise distributions.

  • Security support can be managed in-house. This approach requires a significant investment of time by a skilled administrator or developer, however, and is thus far from being free.

Ubuntu's five-year guarantee provides another choice: install Dapper, and obtain updates until 2011 with no costs at all. The existence of the Ubuntu Foundation, with its $10 million nest egg, helps to make that five-year promise credible, and Ubuntu's record with security updates has been, so far, quite good. So it would not be surprising to see significant uptake on Ubuntu's promise. Whether those new Ubuntu users will come at the cost of the enterprise distributions, or whether they are mostly people getting away from the (relative) upgrade treadmill of the free distributions, remains to be seen.

That leads to the other interesting aspect of this release: the increasing friendliness between Ubuntu/Canonical and Sun Microsystems. The two have just announced that the Dapper release will include a version for Sun's new Niagara SPARC architecture, and Sun executives are issuing quotes on how important a distribution Ubuntu is. Clearly something is going on here.

Sun's troubles in recent years have been well documented; to a great extent, Sun's customers have been steadily turning into customers of the enterprise distributions. To Sun, Ubuntu may well look like an opportunity to poke holes in the revenue streams of its main competitors. Ubuntu, in turn, may see Sun's support (and the Niagara port) as a way to gain a foothold in the server market. If Sun's new servers find customers, Ubuntu will be the obvious distribution for any of those customers who wish to run Linux.

How all of this plays out will be interesting to watch. Ubuntu's past releases have certainly been popular; if Dapper holds together well enough (and the initial signs are good), it may be the best-received Ubuntu release yet. If so, Ubuntu may well change the shape of the Linux distribution landscape.

(For those who are interested in what's actually in the 6.06 LTS release, the "testing Dapper" page has a lot of information and screenshots).

Comments (21 posted)

The end of the JPEG patent - sort of

Forgent Networks is a company which would easily qualify as a patent troll for many observers. This small company picked up a data compression patent in 1997, and has been busily using that patent to shake down corporations ever since. Since this patent is said to cover the JPEG image format, there is a wide list of possible victims to choose from. Those victims have dropped more that $100 million into Forgent's bank account, and Forgent currently has litigation outstanding with some 30 companies.

The Public Patent Foundation chose this patent as one which was vulnerable to a challenge. The Foundation's work bore fruit on May 25, when the US Patent Office issued a ruling on the Forgent patent [PDF]. The resulting press release from the Public Patent Foundation was triumphant:

"The Patent Office has agreed with our conclusion that it would have never granted Forgent Networks' '672 patent had it been aware of the prior art that we uncovered and submitted to them," said Dan Ravicher, PUBPAT's Executive Director.

It is worth noting that Forgent had a different spin on the ruling:

...the United States Patent and Trademark Office issued its first office action, a non-final action, confirming a majority of the claims in United States Patent 4,698,672. The action upholds 27 of the 46 claims of Forgent's patent. Forgent will vigorously defend the remaining claims that were not initially upheld in this first office action.

Anybody wondering if the world is now safe for JPEG users will clearly need to look beyond the press releases and dig into the patent and the USPTO ruling directly. The short story is that, while the independent claims of U.S. Patent 4,698,672 have been invalidated, many of the more-specific dependent claims remain standing. Consider, for example, claim 1:

A method for processing digital signals, where the digital signals have first values, second values and other values, to reduce the amount of data utilized to represent the digital signals and to form statistically coded signals such that the more frequently occurring values of digital signals are represented by shorter code lengths and the less frequently occurring values of digital signals are represented by longer code lengths, comprising,
  • forming first runlength code values representing the number of consecutive first values of said digital signals followed by said second value,
  • forming second runlength code values representing the number of consecutive first values of said digital signals followed by one of said other values.

What the Public Patent Foundation asserted is that this claim - covering a fairly basic run-length encoding scheme - had already been claimed by another patent: #4,541,012 by Andrew Tescher. The Patent Office agreed, and ruled that claim 1 was invalid.

The story does not stop there, however. There are a number of dependent claims which make claim 1 more specific; these include:

2. The method of claim 1 further including the step of amplitude encoding said other values.

3. The method of claim 1 further including the step of encoding said first and second runlength code values with a sign value.

4. The method of claim 1 wherein said first values have amplitude zero, said second values have absolute amplitude one, and said other values have absolute amplitudes greater than one whereby said first and second runlength codes values are formed representing the number of consecutive zeros.

5. The method of claim 1 wherein said first values have the highest frequency of occurrence in said digital signals, wherein said second values have the next highest frequency of occurrence in said digital signals, and wherein said other values have the lowest frequency of occurrence in said digital signals.

Claim 3 (adding a sign value) was also rejected, but claims 2, 4, and 5 were upheld by the Patent Office. The same pattern persists through the remaining claims: the independent claims were rejected, but the more-specific versions were allowed. That is why Forgent proclaims that the majority of its claims had been upheld.

So, to a great extent, the Forgent patent survives, having lost only the most general of its claims. We asked Dan Ravicher of the Public Patent Foundation whether this ruling was enough to remove the threat against JPEG users; his response was:

It likely won't be enough to put an absolute end, but this is a significant blow to the solitary patent that are using against the JPEG standard. To the extent we've shown their armor to be made more of tin or paper, than steel or iron, we've provided the public the benefit of a more transparent view of the legitimacy of their claims.

Whether the remaining claims in the patent are applicable to the JPEG standard is a matter for the courts to determine - and, given the thirty-some outstanding cases, the courts will certainly have the opportunity to do so.

There is one interesting additional factor which, thanks to the Public Patent Foundation's work, may just come into play here. Forgent's patent was originally filed from a company called Compression Labs, Inc. It turns out that the Tescher patent, which provided the prior art used against Forgent's patent, was also developed at Compression Labs. In other words, when Compression Labs filed for the patent now being wielded by Forgent, it must have known about the existence of the prior art, since it had patented that prior art itself. But Compression Labs did not disclose that prior art to the Patent Office. Failure to disclose known prior art is a violation of the Patent Office rules. It seems likely that defendants in Forgent's litigation will find a way to let their respective courts know that the patent at issue was obtained in bad faith.

Comments (4 posted)

Page editor: Jonathan Corbet

Security

SQL injection vulnerabilities in PostgreSQL

May 31, 2006

This article was contributed by Jake Edge.

A recent urgent update to PostgreSQL vividly demonstrates the problems with validating user input that are the foundation of SQL injection attacks. Widely used techniques to escape characters in user input can still allow SQL injection when coupled with multibyte character encodings. While this problem was first discovered in PostgreSQL, today's security fix announcement for MySQL indicates a similar problem there as well.

As discussed in the LWN SQL injection article, inserting strings of user input into SQL queries can be hazardous. Many applications do little or no validation of strings entered by a user before dropping them into a query; this negligence can lead to a compromise of the entire database. Better behaved programs attempt to escape various troublesome characters (typically single-quote and backslash), but because of the multibyte-encoding problem, problems can remain.

It is not just database clients that need to validate user input, the database server needs to validate as well as the first bug shows. PostgreSQL allows the "\'" (backslash + single-quote) sequence to be used to represent a single-quote character in a query as well as the two single-quote character sequence ("''") that is the SQL standard. Unfortunately, the escaping code used by database clients often ignores the character encoding and just looks for bytes with a 0x27 ("'") value and replaces them with an escaped version. The security hole comes about because illegal multibyte character sequences can be used to enable quotes to slip past the escaping process. An example provided in the technical information describes how this can be done.

In the UTF8 encoding, the byte value 0xc8 introduces a two-byte character; the second byte must be within the range 0xa0-0xff. However, PostgreSQL would accept any value for the second byte and treat both bytes as a single character. A malicious user could enter "0xc8'text", which would be converted by the well meaning client to "0xc8''text" (or "0xc8\'text"); the server would then treat the 0xc8' or 0xc8\ sequence as a single character, leaving an unescaped single-quote in the input, effectively injecting the attacker-supplied text.

The second issue stems from certain far-eastern encodings where the value 0x5c ("\") is a valid value for the second byte of a two-byte character. In the SJIS encoding for example, the two-byte sequence 0x95 0x5c is a valid character, but a client that is not encoding-aware may try to escape the 'backslash' that it sees by doubling it. Adding single-quotes into the mix provides a means for a SQL injection. "0x95 0x5c'text" could become "0x95 0x5c\''text", which effectively inserts an unescaped single-quote into the query. It is interesting to note that 0x27 ("'") is not a valid value for the second byte of a two-byte character and, if PostgreSQL had rigidly adhered to the SQL standard and only accepted "''" to escape single-quotes, this issue would not exist.

There is a straightforward fix for the first problem: do not accept illegal multibyte character sequences and refuse to process queries that contain them. Unfortunately, the second problem is more complicated and there is no single simple fix on the database server side. If database clients did their escaping in an encoding aware manner, this problem would not exist; expecting this from all clients is hopeless, however. The PostgreSQL developers chose to disallow "\'" for any encoding that allows embedded 0x5c characters. This closes the hole for all clients that use "''" to escape single-quotes but still allows for injections for clients that use "\'". This change is likely to break those clients altogether, however.

Both of these problems could have been avoided by using prepared statements with placeholders (i.e. 'SELECT * FROM tbl WHERE id=?'). Even if the libraries did not implement the quoting correctly, the SQL engine would still not allow the parameter to be treated as anything but data for that particular spot in the query, thereby avoiding the injection. Another way to avoid this kind of problem is to use stored procedures. As these bugs show, it can be very difficult to appropriately filter and/or validate user input.

Comments (30 posted)

New vulnerabilities

binutils: buffer overflow

Package(s):binutils CVE #(s):CVE-2006-2362
Created:May 27, 2006 Updated:August 29, 2006
Description: The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:153 2006-08-28
Ubuntu USN-292-1 2006-06-09
OpenPKG OpenPKG-SA-2006.009 2006-05-26

Comments (none posted)

cherrypy: information disclosure

Package(s):cherrypy CVE #(s):CVE-2006-0847
Created:May 31, 2006 Updated:May 31, 2006
Description: The CherryPy web development framework (prior to version 2.1.1) has a directory traversal vulnerability which could lead to undesired information disclosure.
Alerts:
Gentoo 200605-16 2006-05-30

Comments (none posted)

dovecot: information disclosure

Package(s):dovecot CVE #(s):CVE-2006-2414
Created:May 31, 2006 Updated:June 14, 2006
Description: The Dovecot imap server contains a directory traversal vulnerability which could be exploited by authenticated users to read files other than their mailboxes.
Alerts:
Ubuntu USN-288-4 2006-06-13
Debian DSA-1080-1 2006-05-29

Comments (1 posted)

ImageMagick: heap overflow vulnerability

Package(s):ImageMagick CVE #(s):CVE-2006-2440
Created:May 25, 2006 Updated:September 5, 2006
Description: The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If an maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result.
Alerts:
Debian DSA-1168-1 2006-09-04
Fedora FEDORA-2006-588 2006-05-24
Fedora FEDORA-2006-587 2006-05-24

Comments (none posted)

kernel: netfilter memory corruption

Package(s):kernel CVE #(s):CVE-2006-2444
Created:May 25, 2006 Updated:July 5, 2006
Description: The 2.6.12 kernel has a remote memory corruption vulnerability that can be remotely triggered by loading the ip_nat_snmp_basic module and traffic is network-translated on port 161 or 162.
Alerts:
Mandriva MDKSA-2006:116 2006-07-05
Ubuntu USN-302-1 2006-06-15
Trustix TSLSA-2006-0030 2006-05-26
Mandriva MDKSA-2006:087 2006-05-24

Comments (none posted)

kernel: information disclosure

Package(s):kernel CVE #(s):CVE-2006-1343
Created:May 31, 2006 Updated:July 20, 2006
Description: The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release.
Alerts:
Red Hat RHSA-2006:0437-01 2006-07-20
Debian DSA-1097-1 2006-06-14
Fedora FEDORA-2006-698 2006-06-11
Fedora FEDORA-2006-697 2006-06-11
Trustix TSLSA-2006-0032 2006-06-05
rPath rPSA-2006-0087-1 2006-05-31

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2656
Created:May 26, 2006 Updated:June 8, 2006
Description: The tiffsplit command has a problem in the way that it handles fixed-size buffers, a stack overflow can result.
Alerts:
Ubuntu USN-289-1 2006-06-08
Debian DSA-1091-1 2006-06-08
Mandriva MDKSA-2006:095 2006-06-05
Fedora FEDORA-2006-592 2006-05-25
Fedora FEDORA-2006-591 2006-05-25

Comments (none posted)

lynx: denial of service

Package(s):lynx CVE #(s):CVE-2004-1617
Created:May 26, 2006 Updated:June 1, 2006
Description: The lynx text-mode web browser has a problem understanding invalid html involving the TEXTAREA tag. An infinite loop can happen, resulting in a denial of service.
Alerts:
Debian DSA-1085-1 2006-06-01
Debian DSA-1077-1 2006-05-26
Debian DSA-1076-1 2006-05-26

Comments (1 posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):CVE-2006-1990 CVE-2006-1991 CVE-2006-3017
Created:May 25, 2006 Updated:August 18, 2006
Description: The php wordwrap() function is vulnerable to an integer overflow. Attackers can submit long arguments to cause a heap-based buffer overflow, allowing arbitrary code execution.

PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function. An attacker can use an out-of-bounds offset argument to cause a memory access violation, causing a denial of service.

A bug in zend_hash_del() allowed attackers to prevent unsetting of some variables

Alerts:
Slackware SSA:2006-217-01 2006-08-07
Gentoo 200605-08:02 2006-05-08
Fedora-Legacy FLSA:175040 2006-07-27
Ubuntu USN-320-2 2006-07-26
Red Hat RHSA-2006:0567-01 2006-07-25
Ubuntu USN-320-1 2006-07-19
Red Hat RHSA-2006:0568-01 2006-07-12
Mandriva MDKSA-2006:122 2006-07-13
SuSE SUSE-SA:2006:034 2006-06-22
SuSE SUSE-SA:2006:031 2006-06-14
Mandriva MDKSA-2006:091 2006-05-24

Comments (none posted)

shadow-utils: mailbox creation vulnerability

Package(s):shadow-utils CVE #(s):CVE-2006-1174
Created:May 25, 2006 Updated:June 12, 2007
Description: The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called.
Alerts:
Red Hat RHSA-2007:0431-01 2007-06-11
rPath rPSA-2007-0096-1 2007-05-11
Red Hat RHSA-2007:0276-02 2007-05-01
Gentoo 200606-02 2006-06-07
Mandriva MDKSA-2006:090 2006-05-24

Comments (none posted)

tiff: denial of service

Package(s):tiff CVE #(s):CVE-2006-2120
Created:May 27, 2006 Updated:May 31, 2006
Description: The tiff image library is vulnerable to a denial of service attack. Images with specially crafted Yr/Yg/Yb values that exceed the YCR/YCG/YCB values can cause a crash of the associated application.
Alerts:
Debian DSA-1078-1 2006-05-27

Comments (none posted)

typespeed: buffer overflow

Package(s):typespeed CVE #(s):CVE-2006-1515
Created:May 31, 2006 Updated:June 19, 2006
Description: The typespeed game has a buffer overflow in its network data processing code which could possibly be exploited to execute arbitrary code.
Alerts:
Gentoo 200606-20 2006-06-19
Debian DSA-1084-1 2006-05-31

Comments (none posted)

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:July 13, 2006
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)

Updated vulnerabilities

awstats: missing input sanitizing

Package(s):awstats CVE #(s):CVE-2006-2237
Created:May 19, 2006 Updated:June 20, 2006
Description: Hendrik Weimer discovered that specially crafted web requests can cause awstats, a powerful and featureful web server log analyzer, to execute arbitrary commands.
Alerts:
SuSE SUSE-SA:2006:033 2006-06-20
Ubuntu USN-290-1 2006-06-08
Gentoo 200606-06 2006-06-07
Debian DSA-1075-1 2006-05-26
Ubuntu USN-285-1 2006-05-23
Debian DSA-1058-1 2006-05-18

Comments (none posted)

zoo: archive problem

Package(s):bin CVE #(s):
Created:May 23, 2006 Updated:May 24, 2006
Description: A security problem is zoo's fullpath() function could cause problems if zoo was run in an automated way, or if a user were to open a malicious zoo archive manually.
Alerts:
Slackware SSA:2006-142-02 2006-05-23

Comments (none posted)

blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
Alerts:
Debian-Testing DTSA-29-1 2006-06-15
Debian DSA-1039-1 2006-04-24
Gentoo 200601-08 2006-01-13
Ubuntu USN-238-2 2006-01-06
Ubuntu USN-238-1 2006-01-06

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Gentoo 200608-27 2006-08-29
Debian DSA-1088-1 2006-06-03
Debian DSA-1083-1 2006-05-31
Gentoo 200512-11 2005-12-20
Debian-Testing DTSA-23-1 2005-12-05

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2004-2541
Created:May 22, 2006 Updated:June 12, 2006
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)

curl: heap-based buffer overflow

Package(s):curl CVE #(s):CVE-2006-1061
Created:March 21, 2006 Updated:June 28, 2006
Description: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.
Alerts:
OpenPKG OpenPKG-SA-2006.012 2006-06-28
Trustix TSLSA-2006-0016 2006-03-24
Gentoo 200603-19 2006-03-21
Fedora FEDORA-2006-189 2006-03-21

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dia: format string vulnerabilities

Package(s):dia CVE #(s):CVE-2006-2453 CVE-2006-2480
Created:May 24, 2006 Updated:June 8, 2006
Description: The dia drawing utility suffers from several format string vulnerabilities exploitable via a maliciously crafted dia file - or a file with a well-chosen name.
Alerts:
Gentoo 200606-03 2006-06-07
SuSE SUSE-SR:2006:012 2006-06-02
Red Hat RHSA-2006:0541-02 2006-06-01
Mandriva MDKSA-2006:093 2006-05-30
Fedora FEDORA-2006-580 2006-05-24
Ubuntu USN-286-1 2006-05-24

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

fetchmail: multidrop bug

Package(s):fetchmail CVE #(s):CVE-2005-4348
Created:December 20, 2005 Updated:May 27, 2006
Description: Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode.
Alerts:
rPath rPSA-2006-0084-1 2006-05-26
Fedora-Legacy FLSA:164512 2006-05-12
Slackware SSA:2006-045-01 2006-02-15
Debian DSA-939-1 2006-01-13
Ubuntu USN-233-1 2006-01-02
Mandriva MDKSA-2005:236 2005-12-23
Fedora FEDORA-2005-1187 2005-12-20
Fedora FEDORA-2005-1186 2005-12-20

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla CVE #(s):CVE-2006-0749 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742
Created:April 14, 2006 Updated:June 9, 2006
Description: There are multiple vulnerabilities in Firefox and related products including Thunderbird, SeaMonkey and the Mozilla Suite. This CERT Advisory contains additional information.
Alerts:
Ubuntu USN-296-1 2006-06-09
Fedora-Legacy FLSA:189137-2 2006-06-06
Fedora-Legacy FLSA:189137-1 2006-06-06
Gentoo 200605-09 2006-05-08
Slackware SSA:2006-123-02 2006-05-04
Fedora FEDORA-2006-494 2006-05-03
Fedora FEDORA-2006-493 2006-05-03
Fedora FEDORA-2006-491 2006-05-03
Fedora FEDORA-2006-490 2006-05-03
Fedora FEDORA-2006-487 2006-05-03
Fedora FEDORA-2006-495 2006-05-03
Fedora FEDORA-2006-492 2006-05-03
Fedora FEDORA-2006-486 2006-05-03
Fedora FEDORA-2006-489 2006-05-03
Fedora FEDORA-2006-488 2006-05-03
Ubuntu USN-276-1 2006-05-03
Slackware SSA:2006-120-01 2006-05-01
Gentoo 200604-18 2006-04-28
Mandriva MDKSA-2006:078 2006-04-25
Mandriva MDKSA-2006:076 2006-04-25
Debian DSA-1044-1 2006-04-26
SuSE SUSE-SA:2006:022 2006-04-25
Mandriva MDKSA-2006:075 2006-04-24
Slackware SSA:2006-114-01 2006-04-25
Gentoo 200604-12 2006-04-23
Red Hat RHSA-2006:0330-01 2006-04-21
SuSE SUSE-SA:2006:021 2006-04-20
Ubuntu USN-271-1 2006-04-19
Fedora FEDORA-2006-411 2006-04-18
Fedora FEDORA-2006-410 2006-04-18
Red Hat RHSA-2006:0329-01 2006-04-18
Slackware SSA:2006-107-01 2006-04-17
Red Hat RHSA-2006:0328-01 2006-04-14

Comments (1 posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

freeradius: authentication bypass

Package(s):freeradius CVE #(s):CVE-2006-1354
Created:March 24, 2006 Updated:June 5, 2006
Description: An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.
Alerts:
Debian DSA-1089-1 2006-06-03
Mandriva MDKSA-2006:066 2006-04-05
Gentoo 200604-03 2006-04-04
Red Hat RHSA-2006:0271-01 2006-04-04
SuSE SUSE-SA:2006:019 2006-03-28
Mandriva MDKSA-2006:060 2006-03-23

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

hostapd: insufficient boundary checks

Package(s):hostapd CVE #(s):CVE-2006-2213
Created:May 22, 2006 Updated:May 25, 2006
Description: Matteo Rosi and Leonardo Maccari discovered that hostapd, a wifi network authenticator daemon, performs insufficient boundary checks on a key length value, which might be exploited to crash the service.
Alerts:
Mandriva MDKSA-2006:088 2006-05-24
Debian DSA-1065-1 2006-05-19

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Fedora-Legacy FLSA:190941 2006-06-06
Red Hat RHSA-2006:0267-01 2006-04-25
Debian DSA-965-1 2006-02-06
Mandriva MDKSA-2006:020 2006-01-25
SuSE SUSE-SA:2005:070 2005-12-20
Gentoo 200512-04 2005-12-12
Ubuntu USN-221-1 2005-12-01

Comments (none posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2275 CVE-2006-1864
Created:May 12, 2006 Updated:July 13, 2006
Description: Multiple vulnerabilities in the Linux have been found.
  • An error in the Stream Control Transmission Protocol (SCTP) code that uses incorrect state table entries when certain ECNE chunks are received in CLOSED state, could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • An error exist when handling incoming IP-fragmented SCTP control chunks, which could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer."
  • A vulnerability has been identified due to an input validation error when processing arguments containing backslash ("\\") characters passed to certain commands (e.g. "cd"), which could be exploited by authenticated attackers to escape chroot restrictions for a CIFS or SMBFS mounted filesystem.
Alerts:
Red Hat RHSA-2006:0580-01 2006-07-13
Red Hat RHSA-2006:0579-01 2006-07-13
Debian DSA-1103-1 2006-06-27
SuSE SUSE-SA:2006:028 2006-05-31
Red Hat RHSA-2006:0493-01 2006-05-24
Mandriva MDKSA-2006:086 2006-05-18
Trustix TSLSA-2006-0026 2006-05-12

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-1859 CVE-2006-1860
Created:May 19, 2006 Updated:May 24, 2006
Description: Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (memory consumption) via unspecified actions related to an "uninitialized return value," aka "slab leak."

lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to cause a denial of service (fcntl_setlease lockup) via actions that cause lease_init to free a lock that might not have been allocated on the stack.

Alerts:
rPath rPSA-2006-0079-1 2006-05-23
Fedora FEDORA-2006-573 2006-05-21
Fedora FEDORA-2006-572 2006-05-21
Trustix TSLSA-2006-0028 2006-05-19

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

kernel-patch-vserver: privilege escalation

Package(s):kernel-patch-vserver CVE #(s):CVE-2006-2110
Created:May 22, 2006 Updated:May 24, 2006
Description: Jan Rekorajski discovered that the kernel patch for virtual private servers does not limit context capabilities to the root user within the virtual server, which might lead to privilege escalation for some virtual server specific operations.
Alerts:
Debian DSA-1060-1 2006-05-19

Comments (none posted)

kphone: insecure file creation

Package(s):kphone CVE #(s):CVE-2006-2442
Created:May 22, 2006 Updated:May 25, 2006
Description: Sven Dreyer discovered that KPhone, a Voice over IP client for KDE, creates a configuration file world-readable, which could leak sensitive information like SIP passwords.
Alerts:
Mandriva MDKSA-2006:089 2006-05-24
Debian DSA-1062-1 2006-05-19

Comments (none posted)

libextractor: heap-based buffer overflows

Package(s):libextractor CVE #(s):CVE-2006-2458
Created:May 22, 2006 Updated:May 31, 2006
Description: Luigi Auriemma has found two heap-based buffer overflows in libextractor 0.5.13 and earlier: one of them occurs in the asf_read_header function in the ASF plugin, and the other occurs in the parse_trak_atom function in the Qt plugin.
Alerts:
Debian DSA-1081-1 2006-05-29
Gentoo 200605-14 2006-05-21

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libtiff: denial of service

Package(s):libtiff CVE #(s):CVE-2006-2024
Created:April 28, 2006 Updated:May 31, 2006
Description: Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c.
Alerts:
Gentoo 200605-17 2006-05-30
Red Hat RHSA-2006:0425-01 2006-05-09
Debian DSA-1054-1 2006-05-09
Mandriva MDKSA-2006:082 2006-05-03
Ubuntu USN-277-1 2006-05-03
SuSE SUSE-SR:2006:009 2006-04-28
Fedora FEDORA-2006-474 2006-04-27
Fedora FEDORA-2006-473 2006-04-27

Comments (none posted)

mailman: denial of service

Package(s):mailman CVE #(s):CVE-2006-0052
Created:March 30, 2006 Updated:June 9, 2006
Description: Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message with a mime multi part format is received, mailman delivery can be stopped.
Alerts:
Red Hat RHSA-2006:0486-01 2006-06-09
SuSE SUSE-SR:2006:008 2006-04-07
Debian DSA-1027-1 2006-04-06
Ubuntu USN-267-1 2006-04-03
Mandriva MDKSA-2006:061 2006-03-29

Comments (none posted)

mpg123: buffer overflows

Package(s):mpg123 CVE #(s):CVE-2006-1655
Created:May 24, 2006 Updated:July 3, 2006
Description: mpg123 does not properly validate MPEG 2.0 layer 3 files, leading to a number of buffer overflow vulnerabilities.
Alerts:
Gentoo 200607-01 2006-07-03
Mandriva MDKSA-2006:092 2006-05-26
Debian DSA-1074-1 2006-05-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva