Ubuntu Dapper and the distribution business
Ubuntu's "Dapper Drake" release - more prosaically known as "6.06 LTS" - is
due on June 1, and may well be available by the time you read this
article. A distribution release is not a particularly rare occurrence in
the Linux community, but there are a couple of things about Dapper which
are just a little bit unusual and worthy of note.
The "LTS" in this release's name stands for "long term support"; this
distribution comes with a promise of security updates for five years
(on server systems) or three years (on desktop systems). Exactly how that
distinction will be made is not entirely clear; one assumes that, for
example, graphical mail clients will go unsupported in June, 2009, while
mail transfer agents will continue to get updates into 2011. That is the
longest credible support promise ever made for a free distribution, and it
may change the commercial landscape in interesting ways.
There are many situations where the deployment of a Linux system makes a
great deal of sense. In many of those, one wishes to start with reasonably
current software, but to not have to worry much about upgrades for a long
time thereafter. Web servers, print servers, database servers, kiosks,
point of sale systems, and more all fall into this category. Once the
system works, any sort of software change offers downtime and the risk of
problems, but little in the way of advantages - except, of course, for
security fixes. Anybody planning such a deployment must consider how the
system will be supported and kept secure through its operating life. In
recent years, the available choices have fallen into these categories:
- An entirely free distribution (Fedora, Debian, OpenSUSE, etc.) can be
used. The price is right, and the quality of the software tends to be
high. The support window for these distributions tends to be short,
and, for some of them, unpredictable. Keeping a Fedora Core system
secure can involve upgrades twice a year - not an appealing option for
a system which is supposed to be stable and "just work."
- The "Enterprise" offerings from Red Hat and Novell come with long
support promises; there are, undoubtedly, still plenty of systems
running 2.4.9 kernels on RHEL 2 with uninterrupted support.
These services can be expensive, however. For many customers, a
support subscription is easily justified and worth every penny.
But others will find that cost hard to swallow.
Some try to get the best of both worlds through enterprise clone
distributions like CentOS. By all
accounts, the CentOS team has done a top-quality job with its
distribution, but anybody contemplating a long-term deployment will
have to be convinced of the project's long-term future and be able to
overcome qualms (if any) about free-riding on the enterprise
distributions.
- Security support can be managed in-house. This approach requires a
significant investment of time by a skilled administrator or
developer, however, and is thus far from being free.
Ubuntu's five-year guarantee provides another choice: install Dapper, and
obtain updates until 2011 with no costs at all. The existence of the
Ubuntu Foundation, with its $10 million nest egg, helps to make that
five-year promise credible, and Ubuntu's record with security updates has
been, so far, quite good. So it would not be surprising to see significant
uptake on Ubuntu's promise. Whether those new Ubuntu users will come at
the cost of the enterprise distributions, or whether they are mostly people
getting away from the (relative) upgrade treadmill of the free
distributions, remains to be seen.
That leads to the other interesting aspect of this release: the increasing
friendliness between Ubuntu/Canonical and Sun Microsystems. The two have
just announced
that the Dapper release will include a version for Sun's new Niagara SPARC
architecture, and Sun executives are issuing quotes on how important a
distribution Ubuntu is. Clearly something is going on here.
Sun's troubles in recent years have been well documented; to a great
extent, Sun's customers have been steadily turning into customers of the
enterprise distributions. To Sun, Ubuntu may well look like an
opportunity to poke holes in the revenue streams of its main competitors.
Ubuntu, in turn, may see Sun's support (and the Niagara port) as a way to
gain a foothold in the server market. If Sun's new servers find customers,
Ubuntu will be the obvious distribution for any of those customers who wish
to run Linux.
How all of this plays out will be interesting to watch. Ubuntu's past
releases have certainly been popular; if Dapper holds together well enough
(and the initial signs are good), it may be the best-received Ubuntu
release yet. If so, Ubuntu may well change the shape of the Linux
distribution landscape.
(For those who are interested in what's actually in the 6.06 LTS release, the "testing Dapper" page has a lot of information and screenshots).
Comments (21 posted)
The end of the JPEG patent - sort of
Forgent Networks is a company which would easily qualify as a patent troll
for many observers. This small company picked up a data compression patent
in 1997, and has been busily using that patent to shake down corporations
ever since. Since this patent is said to cover the JPEG image format,
there is a wide list of possible victims to choose from. Those victims
have dropped more than $100 million into Forgent's bank account, and
Forgent currently has litigation outstanding with some 30 companies.
The Public Patent Foundation chose this patent as one which was vulnerable
to a challenge. The Foundation's work bore fruit on May 25, when the
US Patent Office issued a
ruling on the Forgent patent [PDF]. The resulting press release from the
Public Patent Foundation was triumphant:
"The Patent Office has agreed with our conclusion that it would
have never granted Forgent Networks' '672 patent had it been aware
of the prior art that we uncovered and submitted to them," said Dan
Ravicher, PUBPAT's Executive Director.
It is worth noting that Forgent had a
different spin on the ruling:
...the United States Patent and Trademark Office issued its first
office action, a non-final action, confirming a majority of the
claims in United States Patent 4,698,672. The action upholds 27 of
the 46 claims of Forgent's patent. Forgent will vigorously defend
the remaining claims that were not initially upheld in this first
office action.
Anybody wondering if the world is now safe for JPEG users will clearly need
to look beyond the press releases and dig into the patent and the USPTO
ruling directly. The short story is that, while the independent claims of
U.S. Patent 4,698,672 have been invalidated, many of the more-specific
dependent claims remain standing. Consider, for example, claim 1:
A method for processing digital signals, where the digital signals
have first values, second values and other values, to reduce the
amount of data utilized to represent the digital signals and to
form statistically coded signals such that the more frequently
occurring values of digital signals are represented by shorter code
lengths and the less frequently occurring values of digital signals
are represented by longer code lengths, comprising,
- forming first runlength code values representing the number of
consecutive first values of said digital signals followed by said
second value,
- forming second runlength code values representing the number
of consecutive first values of said digital signals followed by one
of said other values.
What the Public Patent Foundation asserted is that this claim - covering a
fairly basic run-length encoding scheme - had already been claimed by
another patent: #4,541,012
by Andrew Tescher. The Patent Office agreed, and ruled that claim 1
was invalid.
The story does not stop there, however. There are a number of dependent
claims which make claim 1 more specific; these include:
2. The method of claim 1 further including the step of amplitude
encoding said other values.
3. The method of claim 1 further including the step of encoding
said first and second runlength code values with a sign value.
4. The method of claim 1 wherein said first values have amplitude
zero, said second values have absolute amplitude one, and said
other values have absolute amplitudes greater than one whereby
said first and second runlength codes values are formed
representing the number of consecutive zeros.
5. The method of claim 1 wherein said first values have the highest
frequency of occurrence in said digital signals, wherein said
second values have the next highest frequency of occurrence in
said digital signals, and wherein said other values have the
lowest frequency of occurrence in said digital signals.
Claim 3 (adding a sign value) was also rejected, but claims 2, 4, and 5
were upheld by the Patent Office. The same pattern persists through the
remaining claims: the independent claims were rejected, but the
more-specific versions were allowed. That is why Forgent proclaims that
the majority of its claims have been upheld.
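To make the claim language concrete, here is an added illustration (not code from the article or from the patent itself) of the coding scheme that claim 1 describes, with the refinements of dependent claims 2 through 5: values are classed as zero ("first values"), magnitude one ("second values") and anything larger ("other values") as in claim 4, a run of zeros ending in a +/-1 becomes a "first runlength code" carrying a sign (claim 3), a run of zeros ending in a larger value becomes a "second runlength code" with the amplitude coded separately (claim 2), and the class frequencies are ranked as claim 5 requires. The sample coefficient block, the code names and the end-of-block marker are constructed for this example.

```python
"""Added illustration of the run-length scheme in claim 1 of U.S. Patent
4,698,672 and its dependent claims 2-5.  Not from the article or the patent;
the sample data, tuple layout and the EOB marker are constructed here."""


def classify(v: int) -> str:
    """Claim 4's three classes of coefficient value."""
    if v == 0:
        return "first"          # zero
    if abs(v) == 1:
        return "second"         # absolute amplitude one
    return "other"              # absolute amplitude greater than one


def runlength_encode(values):
    """Encode a coefficient sequence into code tuples:
    ("R1", zeros, sign)            first runlength code: zeros ended by +/-1
                                   (sign coded per claim 3)
    ("R2", zeros, sign, amplitude) second runlength code: zeros ended by a
                                   larger value, amplitude coded per claim 2
    ("EOB", zeros)                 trailing zeros with no terminating value
    """
    codes, zeros = [], 0
    for v in values:
        cls = classify(v)
        if cls == "first":
            zeros += 1                       # extend the current zero run
            continue
        sign = "-" if v < 0 else "+"
        if cls == "second":
            codes.append(("R1", zeros, sign))
        else:
            codes.append(("R2", zeros, sign, abs(v)))
        zeros = 0
    if zeros:
        codes.append(("EOB", zeros))
    return codes


def runlength_decode(codes):
    """Inverse of runlength_encode; used to check the coding is lossless."""
    out = []
    for code in codes:
        out.extend([0] * code[1])            # the run of zeros
        if code[0] == "EOB":
            continue
        mag = 1 if code[0] == "R1" else code[3]
        out.append(-mag if code[2] == "-" else mag)
    return out


def frequency_order(values):
    """Claim 5: classes ranked from most to least frequent.  The scheme gives
    the shortest codes to the class that comes first in this ranking."""
    counts = {"first": 0, "second": 0, "other": 0}
    for v in values:
        counts[classify(v)] += 1
    return sorted(counts, key=lambda k: -counts[k])


# Constructed sample: a zig-zag ordered block of quantised coefficients.
SAMPLE = [5, 0, 0, -1, 0, 0, 0, 3, 1, 0, 0, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    codes = runlength_encode(SAMPLE)
    print(codes)
    print(frequency_order(SAMPLE))
    assert runlength_decode(codes) == SAMPLE
```

Encoding `SAMPLE` yields `[("R2", 0, "+", 5), ("R1", 2, "-"), ("R2", 3, "+", 3), ("R1", 0, "+"), ("EOB", 7)]`: the first two tuple kinds are exactly the two "runlength code values" of claim 1, which is why the Patent Office could match them against the earlier Tescher patent, while the sign, amplitude and frequency refinements are what the surviving dependent claims add.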
So, to a great extent, the Forgent patent survives, having lost only the
most general of its claims. We asked Dan Ravicher of the Public Patent
Foundation whether this ruling was enough to remove the threat against JPEG
users; his response was:
It likely won't be enough to put an absolute end, but this is a
significant blow to the solitary patent that [they] are using against the
JPEG standard. To the extent we've shown their armor to be made
more of tin or paper, than steel or iron, we've provided the public
the benefit of a more transparent view of the legitimacy of their
claims.
Whether the remaining claims in the patent are applicable to the JPEG
standard is a matter for the courts to determine - and, given the
thirty-some outstanding cases, the courts will certainly have the
opportunity to do so.
There is one interesting additional factor which, thanks to the Public
Patent Foundation's work, may just come into play here. Forgent's patent
was originally filed from a company called Compression Labs, Inc. It turns
out that the Tescher patent, which provided the prior art used against
Forgent's patent, was also developed at Compression Labs. In other words,
when Compression Labs filed for the patent now being wielded by Forgent, it
must have known about the existence of the prior art, since it had
patented that prior art itself. But Compression Labs did not disclose that
prior art to the Patent Office. Failure to disclose known prior art is a
violation of the Patent Office rules. It seems likely that defendants in
Forgent's litigation will find a way to let their respective courts know
that the patent at issue was obtained in bad faith.
Comments (4 posted)
Page editor: Jonathan Corbet
Security
SQL injection vulnerabilities in PostgreSQL
May 31, 2006
This article was contributed by Jake Edge.
A recent urgent update to
PostgreSQL vividly demonstrates the problems with validating user input
that are the foundation of SQL injection attacks. Widely used techniques
to escape characters in user input can still allow SQL injection when
coupled with multibyte character encodings. While this problem was first
discovered in PostgreSQL, today's security fix
announcement for MySQL indicates
a similar problem there as well.
As discussed in the LWN SQL injection
article, inserting strings
of user input into SQL queries can be hazardous. Many applications
do little or no validation of strings entered by a user before dropping
them into a query; this negligence can
lead to a compromise of the entire database. Better behaved programs
attempt to escape various troublesome characters (typically single-quote
and backslash), but because of the multibyte-encoding problem, problems can
remain.
It is not just database clients that need to validate user input; the
database server needs to validate as well, as the first bug shows.
PostgreSQL allows the "\'" (backslash + single-quote) sequence to be used to
represent a single-quote character in a query as well as the two single-quote
character sequence ("''") that is the SQL standard.
Unfortunately, the escaping code
used by database clients often ignores the character encoding and just looks
for bytes with a 0x27 ("'") value and replaces them with an
escaped version. The security hole comes about because illegal multibyte
character sequences can be used to enable quotes to slip past the
escaping process. An example provided in the
technical information describes how this can be done.
In the UTF8 encoding, the byte value 0xc8 introduces a two-byte
character; the second byte must be within the range 0xa0-0xff.
However, PostgreSQL would accept any value for the second byte and treat
both bytes as a single character. A malicious user could enter
"0xc8'text", which would be converted by the well meaning
client to "0xc8''text" (or "0xc8\'text"); the
server would then treat the
0xc8' or 0xc8\ sequence as a single character, leaving an
unescaped single-quote in the input, effectively injecting the
attacker-supplied text.
The second issue stems from certain far-eastern encodings where the value
0x5c ("\") is a valid value for the second
byte of a two-byte character. In the SJIS encoding for example,
the two-byte sequence 0x95 0x5c
is a valid character, but a client that is not encoding-aware may try
to escape the 'backslash' that it sees by doubling it. Adding single-quotes
into the mix provides a means for a SQL injection.
"0x95 0x5c'text" could become "0x95 0x5c\''text", which
effectively inserts an unescaped single-quote into the query.
It is interesting to note that 0x27 ("'") is not a valid value for the
second byte of a two-byte character and, if PostgreSQL had rigidly adhered
to the SQL standard and only accepted "''" to escape single-quotes, this
issue would not exist.
There is a straightforward fix for the first problem: do not accept illegal
multibyte character sequences and refuse to process queries that contain
them. Unfortunately, the second problem is more complicated and there is
no single simple fix on the database server side. If database clients
did their escaping in an encoding aware manner, this problem would not
exist; expecting this from all clients is hopeless, however. The PostgreSQL
developers chose to disallow "\'" for any encoding that allows embedded
0x5c characters. This closes the hole for all clients that
use "''" to escape single-quotes but still allows for injections for clients
that use "\'". This change is likely to break those clients
altogether, however.
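As an added example (not code from the LWN article or from the PostgreSQL project), the following Python simulates both escaping failures described above and the server-side fix, without talking to any database. It contains a byte-level client escaper of the kind the article describes, a scanner for the body of a quoted SQL literal that splits bytes into characters either leniently (the pre-fix server behaviour, where a lead byte swallows whatever byte follows) or strictly (deferring to Python's codecs, which enforce the standard UTF-8 continuation-byte range 0x80-0xbf), a switch for the "no backslash escapes in this encoding" change the PostgreSQL developers chose, and an encoding-aware escaper that works on decoded text. The byte values, encodings and the "text" payload are those given in the article; the function names and the simplified lead-byte tables are assumptions made for the example.

```python
"""Added simulation of the multibyte escaping problem; constructed for
illustration, not PostgreSQL code.  Encodings: "utf8" and "sjis" only."""


def naive_byte_escape(data: bytes, quote_style: str = "''") -> bytes:
    """Encoding-unaware client escaping as the article describes: doubles
    every 0x5c byte and turns every 0x27 byte into '' (or \\' on request),
    regardless of whether that byte is part of a multibyte character."""
    quote = b"''" if quote_style == "''" else b"\\'"
    out = bytearray()
    for b in data:
        if b == 0x27:
            out += quote
        elif b == 0x5c:
            out += b"\\\\"
        else:
            out.append(b)
    return bytes(out)


def encoding_aware_escape(text: str, encoding: str) -> bytes:
    """Escape on decoded characters, then encode: a 0x27 or 0x5c byte that is
    really the trail byte of a multibyte character is never touched."""
    return text.replace("'", "''").encode(encoding)


def _lead_length(b: int, encoding: str) -> int:
    """Bytes a lead byte introduces (1 for a single-byte character)."""
    if encoding == "utf8":
        return 4 if b >= 0xF0 else 3 if b >= 0xE0 else 2 if b >= 0xC0 else 1
    if encoding == "sjis":
        return 2 if (0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC) else 1
    raise ValueError(encoding)


def split_chars(data: bytes, encoding: str, strict: bool):
    """Split bytes into characters the way the server would.
    strict=False: the lead byte swallows the following byte(s) whatever
    their value (pre-fix behaviour).  strict=True: each sequence must decode
    under the real codec, otherwise the query is rejected (the fix)."""
    codec = {"utf8": "utf-8", "sjis": "shift_jis"}[encoding]
    chars, i = [], 0
    while i < len(data):
        n = _lead_length(data[i], encoding)
        chunk = data[i:i + n]
        if strict:
            try:
                chunk.decode(codec)
            except UnicodeDecodeError:
                raise ValueError("invalid %s byte sequence at offset %d" % (encoding, i))
        chars.append(chunk)
        i += n
    return chars


def literal_terminates_early(data: bytes, encoding: str, strict: bool,
                             backslash_escapes: bool = True) -> bool:
    """Scan the body of a quoted literal.  True means a lone quote ends the
    literal before the data does, so the rest would be parsed as SQL."""
    chars = split_chars(data, encoding, strict)
    i = 0
    while i < len(chars):
        c = chars[i]
        if c == b"'":
            if i + 1 < len(chars) and chars[i + 1] == b"'":
                i += 2                      # '' is the standard escaped quote
                continue
            return True                     # lone quote: injection point
        if c == b"\\" and backslash_escapes and i + 1 < len(chars):
            i += 2                          # \x escapes the next character
            continue
        i += 1
    return False


def demo() -> dict:
    """Run the article's two cases through the simulated client and server."""
    r = {}
    utf8_input = b"\xc8'text"                           # lead byte then a quote
    esc = naive_byte_escape(utf8_input)                 # -> b"\xc8''text"
    r["utf8_lenient"] = literal_terminates_early(esc, "utf8", strict=False)
    try:
        literal_terminates_early(esc, "utf8", strict=True)
        r["utf8_strict"] = "accepted"
    except ValueError:
        r["utf8_strict"] = "rejected"                   # the server-side fix
    sjis_input = b"\x95\x5c'text"                       # 0x95 0x5c is one SJIS character
    esc = naive_byte_escape(sjis_input)                 # -> b"\x95\x5c\x5c''text"
    r["sjis_lenient"] = literal_terminates_early(esc, "sjis", strict=False)
    r["sjis_strict"] = literal_terminates_early(esc, "sjis", strict=True)
    r["sjis_no_backslash"] = literal_terminates_early(esc, "sjis", True, backslash_escapes=False)
    esc_bs = naive_byte_escape(sjis_input, quote_style="\\'")
    r["sjis_no_backslash_bs_client"] = literal_terminates_early(esc_bs, "sjis", True, backslash_escapes=False)
    aware = encoding_aware_escape(sjis_input.decode("shift_jis"), "shift_jis")
    r["sjis_aware"] = literal_terminates_early(aware, "sjis", strict=True)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The results track the article paragraph by paragraph: the UTF-8 case injects under lenient decoding and is rejected outright under strict decoding; the SJIS case injects even under strict decoding because 0x95 0x5c is a valid character; disabling backslash escapes closes it for a client that escapes with `''` but not for one that escapes with `\'`; and an encoding-aware client is safe in every mode.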
Both of these problems could have been avoided by using
prepared statements with
placeholders (i.e. 'SELECT * FROM tbl WHERE id=?'). Even if the libraries did
not implement the quoting correctly, the SQL engine would still not allow
the parameter to be treated as anything but data for that particular
spot in the query, thereby avoiding the injection. Another way to
avoid this kind of problem is to use stored procedures. As these
bugs show, it can be very difficult to appropriately filter and/or
validate user input.
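The placeholder approach recommended above, as an added example that is not from the article: it uses Python's bundled sqlite3 module so that it runs offline, and the table, rows and names are constructed. PostgreSQL and MySQL client libraries differ only in placeholder syntax; the property demonstrated, that a bound parameter can never be anything but data, is the same.

```python
"""Added example of placeholders versus string concatenation, using the
standard-library sqlite3 module.  Table contents are constructed."""

import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a few names, one containing a quote and one
    a multibyte character, to exercise the cases the article discusses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",), ("\u8868",)])
    return conn


def lookup_with_placeholder(conn, name: str):
    """The value is bound as a parameter: no client-side escaping happens,
    so quotes, backslashes or odd byte sequences in it cannot alter the
    statement's structure."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def lookup_by_concatenation(conn, name: str):
    """The anti-pattern: the value becomes part of the SQL text, so a quote
    inside it changes the statement (here it produces a syntax error)."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = '" + name + "'")
    return cur.fetchall()


def demo() -> dict:
    conn = make_db()
    out = {}
    out["placeholder_quote"] = lookup_with_placeholder(conn, "O'Brien")
    out["placeholder_multibyte"] = lookup_with_placeholder(conn, "\u8868")
    # A value shaped like the article's problem input is simply a name that
    # matches nothing; it cannot escape the parameter slot.
    out["placeholder_odd"] = lookup_with_placeholder(conn, "\xc8'text")
    try:
        lookup_by_concatenation(conn, "O'Brien")
        out["concat_quote"] = "ran"
    except sqlite3.OperationalError:
        out["concat_quote"] = "syntax error"
    conn.close()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```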
Comments (30 posted)
New vulnerabilities
binutils: buffer overflow
| Package(s): | binutils |
| CVE #(s): | CVE-2006-2362 |
| Created: | May 27, 2006 |
| Updated: | August 29, 2006 |
| Description: | The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
cherrypy: information disclosure
| Package(s): | cherrypy |
| CVE #(s): | CVE-2006-0847 |
| Created: | May 31, 2006 |
| Updated: | May 31, 2006 |
| Description: | The CherryPy web development framework (prior to version 2.1.1) has a directory traversal vulnerability which could lead to undesired information disclosure. |
| Alerts: | |
Comments (none posted)
dovecot: information disclosure
| Package(s): | dovecot |
| CVE #(s): | CVE-2006-2414 |
| Created: | May 31, 2006 |
| Updated: | June 14, 2006 |
| Description: | The Dovecot imap server contains a directory traversal vulnerability which could be exploited by authenticated users to read files other than their mailboxes. |
| Alerts: | |
Comments (1 posted)
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-2440 |
| Created: | May 25, 2006 |
| Updated: | September 5, 2006 |
| Description: | The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result. |
| Alerts: | |
Comments (none posted)
kernel: netfilter memory corruption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2444 |
| Created: | May 25, 2006 |
| Updated: | July 5, 2006 |
| Description: | The 2.6.12 kernel has a memory corruption vulnerability that can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is network-address-translated. |
| Alerts: | |
Comments (none posted)
kernel: information disclosure
| Package(s): | kernel |
| CVE #(s): | CVE-2006-1343 |
| Created: | May 31, 2006 |
| Updated: | July 20, 2006 |
| Description: | The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release. |
| Alerts: | |
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CVE-2006-2656 |
| Created: | May 26, 2006 |
| Updated: | June 8, 2006 |
| Description: | The tiffsplit command has a problem in the way that it handles fixed-size buffers; a stack overflow can result. |
| Alerts: | |
Comments (none posted)
lynx: denial of service
| Package(s): | lynx |
| CVE #(s): | CVE-2004-1617 |
| Created: | May 26, 2006 |
| Updated: | June 1, 2006 |
| Description: | The lynx text-mode web browser has a problem understanding invalid HTML involving the TEXTAREA tag. An infinite loop can happen, resulting in a denial of service. |
| Alerts: | |
Comments (1 posted)
php: multiple vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2006-1990, CVE-2006-1991, CVE-2006-3017 |
| Created: | May 25, 2006 |
| Updated: | August 18, 2006 |
| Description: | The php wordwrap() function is vulnerable to an integer overflow. Attackers can submit long arguments to cause a heap-based buffer overflow, allowing arbitrary code execution. PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function. An attacker can use an out-of-bounds offset argument to cause a memory access violation, causing a denial of service. A bug in zend_hash_del() allowed attackers to prevent unsetting of some variables. |
| Alerts: | |
Comments (none posted)
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
| CVE #(s): | CVE-2006-1174 |
| Created: | May 25, 2006 |
| Updated: | June 12, 2007 |
| Description: | The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called. |
| Alerts: | |
Comments (none posted)
tiff: denial of service
| Package(s): | tiff |
| CVE #(s): | CVE-2006-2120 |
| Created: | May 27, 2006 |
| Updated: | May 31, 2006 |
| Description: | The tiff image library is vulnerable to a denial of service attack. Images with specially crafted Yr/Yg/Yb values that exceed the YCR/YCG/YCB values can cause a crash of the associated application. |
| Alerts: | |
Comments (none posted)
typespeed: buffer overflow
| Package(s): | typespeed |
| CVE #(s): | CVE-2006-1515 |
| Created: | May 31, 2006 |
| Updated: | June 19, 2006 |
| Description: | The typespeed game has a buffer overflow in its network data processing code which could possibly be exploited to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
vixie-cron: privilege escalation
| Package(s): | cron |
| CVE #(s): | CVE-2006-2607 |
| Created: | May 31, 2006 |
| Updated: | July 13, 2006 |
| Description: | The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
| Alerts: | |
Comments (1 posted)
Updated vulnerabilities
awstats: missing input sanitizing
| Package(s): | awstats |
| CVE #(s): | CVE-2006-2237 |
| Created: | May 19, 2006 |
| Updated: | June 20, 2006 |
| Description: | Hendrik Weimer discovered that specially crafted web requests can cause awstats, a powerful and featureful web server log analyzer, to execute arbitrary commands. |
| Alerts: | |
Comments (none posted)
zoo: archive problem
| Package(s): | bin |
| CVE #(s): | |
| Created: | May 23, 2006 |
| Updated: | May 24, 2006 |
| Description: | A security problem in zoo's fullpath() function could cause problems if zoo was run in an automated way, or if a user were to open a malicious zoo archive manually. |
| Alerts: | |
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
| CVE #(s): | CVE-2005-4470 |
| Created: | January 6, 2006 |
| Updated: | June 15, 2006 |
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. |
| Alerts: | |
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time. |
| Alerts: | |
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e.g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Comments (none posted)
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2004-2541 |
| Created: | May 22, 2006 |
| Updated: | June 12, 2006 |
| Description: | A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target. |
| Alerts: | |
Comments (1 posted)
curl: heap-based buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2006-1061 |
| Created: | March 21, 2006 |
| Updated: | June 28, 2006 |
| Description: | Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. |
| Alerts: | |
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. |
| Alerts: | |
Comments (none posted)
dia: format string vulnerabilities
| Package(s): | dia |
| CVE #(s): | CVE-2006-2453, CVE-2006-2480 |
| Created: | May 24, 2006 |
| Updated: | June 8, 2006 |
| Description: | The dia drawing utility suffers from several format string vulnerabilities exploitable via a maliciously crafted dia file - or a file with a well-chosen name. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
| CVE #(s): | CVE-2005-4348 |
| Created: | December 20, 2005 |
| Updated: | May 27, 2006 |
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
Comments (1 posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
freeradius: authentication bypass
| Package(s): | freeradius |
| CVE #(s): | CVE-2006-1354 |
| Created: | March 24, 2006 |
| Updated: | June 5, 2006 |
| Description: | An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
hostapd: insufficient boundary checks
| Package(s): | hostapd |
| CVE #(s): | CVE-2006-2213 |
| Created: | May 22, 2006 |
| Updated: | May 25, 2006 |
| Description: | Matteo Rosi and Leonardo Maccari discovered that hostapd, a wifi network authenticator daemon, performs insufficient boundary checks on a key length value, which might be exploited to crash the service. |
| Alerts: | |
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2271, CVE-2006-2272, CVE-2006-2274, CVE-2006-2275, CVE-2006-1864 |
| Created: | May 12, 2006 |
| Updated: | July 13, 2006 |
| Description: | Multiple vulnerabilities in the Linux kernel have been found. (1) An error in the Stream Control Transmission Protocol (SCTP) code that uses incorrect state table entries when certain ECNE chunks are received in CLOSED state could be exploited by attackers to cause a kernel panic via a specially crafted packet. (2) An error exists when handling incoming IP-fragmented SCTP control chunks, which could be exploited by attackers to cause a kernel panic via a specially crafted packet. (3) Linux SCTP (lksctp) allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function. (4) Linux SCTP (lksctp) allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer." (5) A vulnerability has been identified due to an input validation error when processing arguments containing backslash ("\\") characters passed to certain commands (e.g. "cd"), which could be exploited by authenticated attackers to escape chroot restrictions for a CIFS or SMBFS mounted filesystem. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-1859, CVE-2006-1860
Created: May 19, 2006
Updated: May 24, 2006
Description:
Memory leak in __setlease in fs/locks.c in Linux kernel before 2.6.16.16
allows attackers to cause a denial of service (memory consumption) via
unspecified actions related to an "uninitialized return value," aka "slab
leak."
lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers
to cause a denial of service (fcntl_setlease lockup) via actions that cause
lease_init to free a lock that might not have been allocated on the stack.
Alerts:
Comments (none posted)
kernel-patch-vserver: privilege escalation
Package(s): kernel-patch-vserver
CVE #(s): CVE-2006-2110
Created: May 22, 2006
Updated: May 24, 2006
Description:
Jan Rekorajski discovered that the kernel patch for virtual private servers
does not limit context capabilities to the root user within the virtual
server, which might lead to privilege escalation for some virtual server
specific operations.
Alerts:
Comments (none posted)
kphone: insecure file creation
Package(s): kphone
CVE #(s): CVE-2006-2442
Created: May 22, 2006
Updated: May 25, 2006
Description:
Sven Dreyer discovered that KPhone, a Voice over IP client for KDE,
creates a world-readable configuration file, which could leak sensitive
information such as SIP passwords.
Alerts:
Comments (none posted)
libextractor: heap-based buffer overflows
Package(s): libextractor
CVE #(s): CVE-2006-2458
Created: May 22, 2006
Updated: May 31, 2006
Description:
Luigi Auriemma has found two heap-based buffer overflows in libextractor
0.5.13 and earlier: one of them occurs in the asf_read_header function in
the ASF plugin, and the other occurs in the parse_trak_atom function in the
Qt plugin.
Alerts:
Comments (none posted)
libgadu: memory alignment bug
Package(s): libgadu
CVE #(s): CAN-2005-2370
Created: July 29, 2005
Updated: June 25, 2007
Description:
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu Gadu client, an instant
messaging program), which is also included in gaim, a multi-protocol instant
messaging client. This cannot be exploited on the x86 architecture, but on
others, e.g. SPARC, it can lead to a bus error, in other words a denial of
service.
Alerts:
Comments (none posted)
libgd2: buffer overflows in PNG handling
Package(s): libgd2
CVE #(s): CAN-2004-0990, CAN-2004-0941
Created: October 29, 2004
Updated: June 28, 2006
Description:
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening the image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP-driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Alerts:
Comments (none posted)
libpam-ldap: authentication bypass
Package(s): libpam-ldap
CVE #(s): CAN-2005-2641
Created: August 25, 2005
Updated: October 6, 2006
Description:
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
Alerts:
Comments (none posted)
libtiff: denial of service
Package(s): libtiff
CVE #(s): CVE-2006-2024
Created: April 28, 2006
Updated: May 31, 2006
Description:
Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent
attackers to cause a denial of service via a TIFF image that triggers
errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2)
certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and
(d) tif_zip.c; (3) and improper restoration of setfield and getfield
methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f)
tif_fax3.c, and tif_zip.c.
Alerts:
Comments (none posted)
mailman: denial of service
Package(s): mailman
CVE #(s): CVE-2006-0052
Created: March 30, 2006
Updated: June 9, 2006
Description:
Mailman 2.1.5 and below has a denial of service vulnerability
in the Scrubber.py script. If a maliciously created message
in MIME multipart format is received, mailman delivery
can be stopped.
Alerts:
Comments (none posted)
mpg123: buffer overflows
Package(s): mpg123
CVE #(s): CVE-2006-1655
Created: May 24, 2006
Updated: July 3, 2006
Description:
mpg123 does not properly validate MPEG 2.0 layer 3 files, leading to a
number of buffer overflow vulnerabilities.
Alerts:
Comments (none posted)
MySQL: logging bypass
Package(s): mysql
CVE #(s): CVE-2006-0903
Created: April 4, 2006
Updated: May 21, 2008
Description:
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Alerts: