LWN.net Logo

LWN.net Weekly Edition for June 8, 2006

Behavioral standards in the free software community

The GNOME community has recently started a discussion on the adoption of a code of conduct for community members. While a number of people clearly think that such a code makes sense, others are just as clearly uncomfortable with the idea. The free software community is traditionally an open and unregulated group. Its members are concerned with quality of contributions and inclusiveness; there is relatively little interest in conduct rules, and an active dislike for self-appointed enforcers and attempts to exclude potential contributors. So the number of projects with written behavioral codes is relatively small.

Such codes do exist, however, whether or not they are written down. Anybody who doubts this fact may want to ponder on the likely fate of a developer who attempts to contribute plagiarized code. But other standards clearly exist as well. Consider, for example, this case: a Debian developer was not only asked to leave DebConf last month, but was removed from the project altogether. A weblog entry from a nearby participant reads:

The difference in values between Ted and the rest of our project was just too immense. When I was walking out of the room at around 7 in the morning next day my final sentence was "Ted, even if you spend rest of the Debconf apologizing and making friends, I do not see a future for you in this project." and the most important was that Ted and John seemed to agree with me on that

Only two months earlier, Debian went through a protracted debate on whether another developer should be forcibly expelled from the project. In both cases, the issue was not one of plagiarism or other crime; instead, these people are being pushed out for being jerks - for somebody's value of "jerk." Their behavior is said to be so unpleasant, and so off-putting for other members of the project, that their presence is no longer welcome. This is the sort of behavior that the proposed GNOME code of conduct seeks to regulate as well. This proposal contains items like "be respectful and considerate" and "don't be racist." Its supporters are trying to maintain a GNOME community which is pleasant to work in, and which does not drive potential contributors away.

They have a point: it has been noted, for example, that female participation in free software projects is often close to zero. That is, as some have observed, below the usual percentage of women in the general population; but it is also well below the percentage of women found working in technical fields. There is a whole population of potential contributors out there who have chosen not to be a part of the free software community. One very possible reason for their absence is the sort of behavior encountered on mailing lists, at conferences, and in other places where the community gathers. Perhaps, if standards of behavior were higher, more people would choose to participate.

(Then again, the problem could be elsewhere: Richard Stallman chimed in with a claim that the use of the term "open source" may be the real reason why women chose not to participate. This particular line of reasoning has not attracted a large following, however).

Alan Cox points out that the issue is a little broader:

I'd be wary of pursuing just the "women in GNOME" issue, because many of the same things put off far more than just women. Running around shouting "pants off" is not, for example, very compatible with the Japanese cultural expectations.

One can, without great difficulty, make an argument that, as the free software community "grows up" and tries to expand beyond its "western white male geek" stereotype, it should look harder at how its members behave. If one contributor is sufficiently unpleasant to repel the participation of numerous others, then perhaps the community truly is better off without that person. So maybe the community truly does need to be prepared to expel people who are too difficult to be around. Codes of conduct might just make sense.

But consider an episode from just over three years ago, when a prominent developer (let's call him "X" for the moment) was stripped of his commit privileges and kicked out of an important project. One of the people involved in this action justified it with these words:

What X has done is among the most low-class, unprofessional, and tactless things I have ever experienced in my professional career.... Bottom line, in my opinion, is that what X did is unacceptable on its face and he deserves to be held accountable for it. So he's out.

This looks like a clear application of a code of conduct; somebody behaves badly, and is booted from the project. Nothing to complain about. Except that X, in this case, was Keith Packard, who was busily trying to reform the XFree86 project. That project's decision to exclude Keith turned out to be fatal; XFree86 still exists - it even put out a release in May - but nobody cares anymore.

This episode highlights the dangers of behavioral codes. They can be used as a way of silencing people who have something inconvenient to say, but sometimes those people need to be heard. Codes of conduct can evolve into a sort of stifling "political correctness" where people become afraid to express their thoughts. The creation of such an environment will suck the life out of a project more quickly than any number of unpleasant people.

The community as a whole may well want to think about how people interact, and how that interaction can be made more pleasant and more globally inclusive. Behavior which is rude, sexist, racist, or worse runs counter to our values (one hopes), and it makes us weaker. So discussions of how we wish to treat each other and how we can avoid pushing away people who could make our community richer are worth having. But we must work toward that goal without silencing our more outspoken members; sometimes they are saying something we should hear, even if it makes us uncomfortable.

Comments (31 posted)

How clean must the room be?

The discussion on what features should be merged into the 2.6.18 kernel has begun (see this week's Kernel Page for the details). One item which was mentioned is the acx100 driver, which has been sitting in the -mm tree for some time. This driver works, is useful to a broad community of users, and appears to be entirely acceptable to the kernel developers who have reviewed it - except for one little problem.

This driver, it seems, was developed by reverse engineering a binary-only driver released by TI for the 2.4 kernels. Reverse engineering is not a problem in itself, as long as due care is taken to avoid copying any code from the non-free driver. The normal way of taking due care is to employ a "clean room" technique: the person who does the reverse engineering work writes a document describing how the hardware functions, but does not write any code. Instead, another developer, who has never looked at the original driver in any way, writes the new driver based on the information in the document. This approach shields the developers from any charges of copying code, since they have never seen the code in question.

The acx100 driver was not developed in this way; instead, the people who did the reverse engineering went on to implement the new driver directly. Nobody has alleged that these developers copied any code in this process. But the process they used opens the door to such charges in the future. So the code is seen as being tainted, even though it is probably entirely legitimate. This taint has been enough to keep the driver out of the kernel.

One kernel developer objects to this course of events, calling it excessive:

I disagree there (not speaking for any company just for myself here): the "clean room" thing is ONLY a USA thing, and is not even required in the USA. It is a "we want to be extra safe in the USA" thing only.

He goes on to say that, if the developers can certify that they copied no code, and especially if the work was done outside of the USA, the driver should be able to go into the mainline kernel.

Others disagree, however, noting that "being extra safe" is no bad thing. The SCO case has shown how disruptive a copyright-based challenge to the Linux code base can be. Linux has, by all appearances, come through that challenge looking even better than it did before; the kernel code truly is clean. What a shame it would be to merge code which ends up bringing on another lawyer storm and ruining the kernel's hard-won clean bill of health. Sad though it may be, leaving out the driver might be the better choice.

Still, there is a lingering issue here: which laws should be allowed to control which code is accepted into the kernel? By many accounts, the acx100 driver would pass muster in Europe; it is U.S. laws that are of concern. But the laws of, for example, Haiti, Egypt, and Georgia have not been consulted. Complying with laws across the entire planet would be a tall order. Conflicts with laws on, say, spectrum use, surveillance capabilities, or "piracy prevention" in various parts of the world seem increasingly likely. Steering a global operating system through this maze will be an interesting challenge.

Comments (14 posted)

The UK Parliament on DRM

The All Party Parliamentary Internet Group is an organization in the UK which "exists to provide a discussion forum between new media industries and Parliamentarians for the mutual benefit of both parties." It is open to members of the House of Commons and the House of Lords; its actual makeup (in terms of party representation and such) is not entirely clear. This group decided to have a hard look at the interaction of digital rights management (DRM) schemes and copyright law. To that end, they received written input from dozens of groups on all sides of the copyright dispute and listened to a large number of interested people. The result of all this work is a report [PDF] and a series of recommendations.

This group shows some signs of having actually understood the problem - or parts of it, at least. A reading of the full report is recommended for those who are interested in the issue. For everybody else, here is a set of select quotes.

To start with, the group does not buy the notion that DRM schemes will always be easily overcome.

In the future it must be expected that TPMs [technical protection measures] will rely more and more upon specialist hardware functionality ­ and that some systems will prove to be extremely complex to overcome and to develop generic evasion technology for. It would therefore be unwise to base public policy upon a continuation of the situation that TPMs are relatively easy to overcome. It may well be that propping up technical measures with legislation will become entirely irrelevant. Equally, assuming that egregious problems caused by TPMs can be addressed by just `breaking into the system' may become unrealistic. (¶ 21).

So the "speed bump" view of DRM does not necessarily apply into the future.

Often, the discussion at the political level appears to have lost track of what copyright is for. So it is somewhat refreshing that this group has not forgotten entirely:

Copyright is generally understood to be a trade-off. The creator of copyright material is given a monopoly on exploiting it for a period of time. Currently for a new song or book this is until the creator dies plus 70 years. At the end of this period, the created work enters the public domain and may be exploited by anyone. This scheme is intended to ensure that there are incentives for creators, without creating an indefinite monopoly....

However, should all available versions of the material be protected by highly effective TPM systems, it may prove impossible, when the copyright expires, for the exploitation to occur ­ because the material will remain inaccessible except via the monopolistic TPM system. (¶ 32-4).

The report goes on, however, to dismiss this concern by claiming that "all available versions" of any given work are unlikely to go under DRM anytime soon. The authors may find themselves surprised by the ambitions of the entertainment industry.

At least some of the costs of DRM are understood:

From a completely different perspective, Intel told us that it was important that the legal infrastructure does not inhibit technical innovation ­ and they feel that the `trade-off' should address this as well! As an example, they pointed out that there were no portable video jukeboxes on the market ­ just devices capable of video downloads or playing consumer recordings ­ because it was against the DVD consortium rules to create a portable device. (¶ 49).

Alternative licenses from the Creative Commons and elsewhere are touched upon:

Several of the rights-holders were rather negative about these licenses, suggesting that the creators and performers did not always understand what they were "giving away forever" and how it could affect an artist's ability to enter into an exclusive license at a later stage in their career. Although artists should naturally consider these matters, we suspect that these licenses are clearer than many media industry contracts. (¶ 71).

The report's authors seem to believe that the worst DRM-related problems will be addressed in the market. But, they say, fully-informed consumers will help to bring that about:

Because, as we have observed, consumers expect to copy CDs, we believe that all CDs should in future come with a prominent label saying, "you are not permitted to make any copies of this CD for any reason"... The prominent label should add, when appropriate, "and if you try to make a copy, you should note that we have tried very hard to ensure that you will fail". Doubtless, even clearer and more accurate wording is possible....

For some types of content the labelling will need to warn the user, "you cannot access some parts of this DVD without a working Internet connection to enable us to record your identity", or "your playing of this song may be recorded in marketing databases in foreign countries". (¶ 100-102).

There is also some discussion of what happens if a DRM-using vendor goes out of business or changes policies. The potential loss of an individual's media collection is raised, but the possibility that valuable material could be lost to society as a whole is not.

There is little patience with DRM code which ignores users' commands, hides itself, or endangers the host system:

[W]e recommend that OFCOM publish guidance to make it clear that companies distributing TPM systems in the UK would, if they have features such as those in Sony-BMG's MediaMax and XCP systems, run a significant risk of being prosecuted for criminal actions. (¶ 118).

The authors received input from a number of groups related to free software, but the bulk of that input appears to have been boiled down to about two sentences. The lack of free DVD players is mentioned, as is the effect of governmental DRM mandates. The report claims, however, that no DRM mandates are in view in Europe; evidently broadcast flags and anti-circumvention laws don't count. In general, the needs of the free software community were either not understood or not seen to be important.

So, in the end, the APIG report is not all that one might have hoped for. Still, this document shows a higher level of understanding of the issues than can be found in many other government venues. Let us hope that it is a sign of progress in the right direction.

Comments (7 posted)

Page editor: Jonathan Corbet

Security

New security releases for Firefox and Thunderbird

Security vulnerabilities in the Firefox browser and Thunderbird mail client are scary. Both tools are widely used, exposed to arbitrary data from the Internet, and used with important (and confidential) information. A widespread exploit has the potential to affect large numbers of people in highly unfortunate ways. So, whenever the Mozilla Project fixes a set of vulnerabilities, it's worth paying attention.

The recently released Firefox 1.5.0.4 addresses a fairly long list of vulnerabilities. Some of the most significant of those (the ones rated "critical") are:

There are also several vulnerabilities which are not considered to be quite as frightening, but which are still in need of fixing.

Thunderbird 1.5.0.4 is also out, with its own vulnerability list. Only one of these is deemed critical: a double-free error on an invalid VCard which appears to be exploitable. It is worth noting, however, that Thunderbird uses much of the Firefox code base for rendering HTML, so it can also suffer from Firefox's vulnerabilities. So, in particular, if a user allows the execution of JavaScript in incoming mail (an especially bad idea which is not the default behavior), most of the Firefox vulnerabilities listed above are also exploitable in Thunderbird.

There is another common theme found in all of the Firefox vulnerabilities: they can all be mitigated by turning off JavaScript. The sad fact is that executable content seems to be a hard thing to get right; it is an ongoing source of vulnerabilities in almost every context where it can be found. So it is not surprising that many people simply turn off JavaScript entirely. It is unfortunate that so many web sites are inaccessible to browsers running without JavaScript, forcing security-conscious users to enable a problematic feature they might prefer to do without.

(See the LWN vulnerability entry for distributor updates addressing these problems. As of this writing, the list of updates is discouragingly short, with only Slackware and rPath getting fixed out within the first couple of days after disclosure).

Comments (11 posted)

New vulnerabilities

evolution: denial of service

Package(s):evolution CVE #(s):
Created:June 1, 2006 Updated:June 6, 2006
Description: Evolution is vulnerable to a denial of service attack. The display of maliciously crafted images can crash the application if the "Load images if sender is in address book" option in enabled.
Alerts:
Mandriva MDKSA-2006:094 2006-06-01

Comments (none posted)

mozilla products have multiple vulnerabilities

Package(s):mozilla seamonkey firefox thunderbird CVE #(s):CVE-2006-2775 CVE-2006-2776 CVE-2006-2777 CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2782 CVE-2006-2783 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787
Created:June 5, 2006 Updated:August 2, 2006
Description: There are multiple vulnerabilities in products based on Mozilla components, particularly Gecko. This CERT advisory contains details.
Alerts:
Debian DSA-1134-1 2006-08-02
Ubuntu USN-297-3 2006-07-26
Ubuntu USN-323-1 2006-07-25
Ubuntu USN-296-2 2006-07-25
Debian DSA-1120-1 2006-07-23
Debian DSA-1118-1 2006-07-22
Red Hat RHSA-2006:0578-01 2006-07-20
SuSE SUSE-SA:2006:035 2006-06-23
Gentoo 200606-21 2006-06-19
Fedora FEDORA-2006-717 2006-06-15
Fedora FEDORA-2006-715 2006-06-15
Ubuntu USN-297-2 2006-06-15
Ubuntu USN-297-1 2006-06-13
Gentoo 200606-12 2006-06-11
Slackware SSA:2006-155-02 2006-06-05
rPath rPSA-2006-0091-1 2006-06-02

Comments (none posted)

mysql: SQL injection vulnerability

Package(s):mysql CVE #(s):CVE-2006-2753
Created:June 2, 2006 Updated:June 16, 2006
Description: This MySQL 4.1.20 release announcement covers an SQL injection vulnerability.
Alerts:
Ubuntu USN-303-1 2006-06-16
Fedora FEDORA-2006-702 2006-06-13
Fedora FEDORA-2006-703 2006-06-13
Gentoo 200606-13 2006-06-11
Red Hat RHSA-2006:0544-01 2006-06-09
Trustix TSLSA-2006-0034 2006-06-09
Mandriva MDKSA-2006:097 2006-06-07
Debian DSA-1092-1 2006-06-08
Slackware SSA:2006-155-01 2006-06-05
rPath rPSA-2006-0089-1 2006-06-01

Comments (none posted)

rug: remote command execution

Package(s):rug CVE #(s):CVE-2006-2703
Created:June 1, 2006 Updated:June 6, 2006
Description: The rug tool from the RedCarpet remote administration utility does not verify SSL certificates from the server, leaving it vulnerable to a man in the middle attack. An attacker can read traffic and insert commands.

Also, the /etc/ximian/rcd.conf file permissions are set incorrectly, leaving the rc password exposed.

Alerts:
SuSE SUSE-SA:2006:029 2006-05-31

Comments (none posted)

spamassassin: arbitrary command execution

Package(s):spamassassin CVE #(s):CVE-2006-2447
Created:June 6, 2006 Updated:June 15, 2006
Description: A vulnerability has been discovered in SpamAssassin, a Perl-based spam filter using text analysis, that can allow remote attackers to execute arbitrary commands. This problem only affects systems where spamd is reachable via the internet and used with vpopmail virtual users, via the "-v" / "--vpopmail" switch, and with the "-P" / "--paranoid" switch.
Alerts:
Mandriva MDKSA-2006:103 2006-06-14
Gentoo 200606-09 2006-06-11
rPath rPSA-2006-0096-1 2006-06-07
Red Hat RHSA-2006:0543-01 2006-06-06
Fedora FEDORA-2006-598 2006-06-06
Fedora FEDORA-2006-658 2006-06-06
Debian DSA-1090-1 2006-06-06

Comments (none posted)

xmcd: insecure file permissions

Package(s):xmcd CVE #(s):CVE-2006-2542
Created:June 2, 2006 Updated:June 6, 2006
Description: The xmcdconfig creates directories world-writeable allowing local users to fill the /usr and /var partition and hence cause a denial of service. This problem has been half-fixed since version 2.3-1.
Alerts:
Debian DSA-1086-1 2006-06-02

Comments (none posted)

Updated vulnerabilities

awstats: missing input sanitizing

Package(s):awstats CVE #(s):CVE-2006-2237
Created:May 19, 2006 Updated:June 20, 2006
Description: Hendrik Weimer discovered that specially crafted web requests can cause awstats, a powerful and featureful web server log analyzer, to execute arbitrary commands.
Alerts:
SuSE SUSE-SA:2006:033 2006-06-20
Ubuntu USN-290-1 2006-06-08
Gentoo 200606-06 2006-06-07
Debian DSA-1075-1 2006-05-26
Ubuntu USN-285-1 2006-05-23
Debian DSA-1058-1 2006-05-18

Comments (none posted)

binutils: buffer overflow

Package(s):binutils CVE #(s):CVE-2006-2362
Created:May 27, 2006 Updated:August 29, 2006
Description: The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:153 2006-08-28
Ubuntu USN-292-1 2006-06-09
OpenPKG OpenPKG-SA-2006.009 2006-05-26

Comments (none posted)

blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
Alerts:
Debian-Testing DTSA-29-1 2006-06-15
Debian DSA-1039-1 2006-04-24
Gentoo 200601-08 2006-01-13
Ubuntu USN-238-2 2006-01-06
Ubuntu USN-238-1 2006-01-06

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Gentoo 200608-27 2006-08-29
Debian DSA-1088-1 2006-06-03
Debian DSA-1083-1 2006-05-31
Gentoo 200512-11 2005-12-20
Debian-Testing DTSA-23-1 2005-12-05

Comments (none posted)

cherrypy: information disclosure

Package(s):cherrypy CVE #(s):CVE-2006-0847
Created:May 31, 2006 Updated:May 31, 2006
Description: The CherryPy web development framework (prior to version 2.1.1) has a directory traversal vulnerability which could lead to undesired information disclosure.
Alerts:
Gentoo 200605-16 2006-05-30

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:July 13, 2006
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2004-2541
Created:May 22, 2006 Updated:June 12, 2006
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)

curl: heap-based buffer overflow

Package(s):curl CVE #(s):CVE-2006-1061
Created:March 21, 2006 Updated:June 28, 2006
Description: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.
Alerts:
OpenPKG OpenPKG-SA-2006.012 2006-06-28
Trustix TSLSA-2006-0016 2006-03-24
Gentoo 200603-19 2006-03-21
Fedora FEDORA-2006-189 2006-03-21

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dia: format string vulnerabilities

Package(s):dia CVE #(s):CVE-2006-2453 CVE-2006-2480
Created:May 24, 2006 Updated:June 8, 2006
Description: The dia drawing utility suffers from several format string vulnerabilities exploitable via a maliciously crafted dia file - or a file with a well-chosen name.
Alerts:
Gentoo 200606-03 2006-06-07
SuSE SUSE-SR:2006:012 2006-06-02
Red Hat RHSA-2006:0541-02 2006-06-01
Mandriva MDKSA-2006:093 2006-05-30
Fedora FEDORA-2006-580 2006-05-24
Ubuntu USN-286-1 2006-05-24

Comments (none posted)

dovecot: information disclosure

Package(s):dovecot CVE #(s):CVE-2006-2414
Created:May 31, 2006 Updated:June 14, 2006
Description: The Dovecot imap server contains a directory traversal vulnerability which could be exploited by authenticated users to read files other than their mailboxes.
Alerts:
Ubuntu USN-288-4 2006-06-13
Debian DSA-1080-1 2006-05-29

Comments (1 posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla CVE #(s):CVE-2006-0749 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742
Created:April 14, 2006 Updated:June 9, 2006
Description: There are multiple vulnerabilities in Firefox and related products including Thunderbird, SeaMonkey and the Mozilla Suite. This CERT Advisory contains additional information.
Alerts:
Ubuntu USN-296-1 2006-06-09
Fedora-Legacy FLSA:189137-2 2006-06-06
Fedora-Legacy FLSA:189137-1 2006-06-06
Gentoo 200605-09 2006-05-08
Slackware SSA:2006-123-02 2006-05-04
Fedora FEDORA-2006-494 2006-05-03
Fedora FEDORA-2006-493 2006-05-03
Fedora FEDORA-2006-491 2006-05-03
Fedora FEDORA-2006-490 2006-05-03
Fedora FEDORA-2006-487 2006-05-03
Fedora FEDORA-2006-495 2006-05-03
Fedora FEDORA-2006-492 2006-05-03
Fedora FEDORA-2006-486 2006-05-03
Fedora FEDORA-2006-489 2006-05-03
Fedora FEDORA-2006-488 2006-05-03
Ubuntu USN-276-1 2006-05-03
Slackware SSA:2006-120-01 2006-05-01
Gentoo 200604-18 2006-04-28
Mandriva MDKSA-2006:078 2006-04-25
Mandriva MDKSA-2006:076 2006-04-25
Debian DSA-1044-1 2006-04-26
SuSE SUSE-SA:2006:022 2006-04-25
Mandriva MDKSA-2006:075 2006-04-24
Slackware SSA:2006-114-01 2006-04-25
Gentoo 200604-12 2006-04-23
Red Hat RHSA-2006:0330-01 2006-04-21
SuSE SUSE-SA:2006:021 2006-04-20
Ubuntu USN-271-1 2006-04-19
Fedora FEDORA-2006-411 2006-04-18
Fedora FEDORA-2006-410 2006-04-18
Red Hat RHSA-2006:0329-01 2006-04-18
Slackware SSA:2006-107-01 2006-04-17
Red Hat RHSA-2006:0328-01 2006-04-14

Comments (1 posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

freeradius: authentication bypass

Package(s):freeradius CVE #(s):CVE-2006-1354
Created:March 24, 2006 Updated:June 5, 2006
Description: An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.
Alerts:
Debian DSA-1089-1 2006-06-03
Mandriva MDKSA-2006:066 2006-04-05
Gentoo 200604-03 2006-04-04
Red Hat RHSA-2006:0271-01 2006-04-04
SuSE SUSE-SA:2006:019 2006-03-28
Mandriva MDKSA-2006:060 2006-03-23

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ImageMagick: heap overflow vulnerability

Package(s):ImageMagick CVE #(s):CVE-2006-2440
Created:May 25, 2006 Updated:September 5, 2006
Description: The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If an maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result.
Alerts:
Debian DSA-1168-1 2006-09-04
Fedora FEDORA-2006-588 2006-05-24
Fedora FEDORA-2006-587 2006-05-24

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Fedora-Legacy FLSA:190941 2006-06-06
Red Hat RHSA-2006:0267-01 2006-04-25
Debian DSA-965-1 2006-02-06
Mandriva MDKSA-2006:020 2006-01-25
SuSE SUSE-SA:2005:070 2005-12-20
Gentoo 200512-04 2005-12-12
Ubuntu USN-221-1 2005-12-01

Comments (none posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2275 CVE-2006-1864
Created:May 12, 2006 Updated:July 13, 2006
Description: Multiple vulnerabilities in the Linux have been found.
  • An error in the Stream Control Transmission Protocol (SCTP) code that uses incorrect state table entries when certain ECNE chunks are received in CLOSED state, could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • An error exist when handling incoming IP-fragmented SCTP control chunks, which could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer."
  • A vulnerability has been identified due to an input validation error when processing arguments containing backslash ("\\") characters passed to certain commands (e.g. "cd"), which could be exploited by authenticated attackers to escape chroot restrictions for a CIFS or SMBFS mounted filesystem.
Alerts:
Red Hat RHSA-2006:0580-01 2006-07-13
Red Hat RHSA-2006:0579-01 2006-07-13
Debian DSA-1103-1 2006-06-27
SuSE SUSE-SA:2006:028 2006-05-31
Red Hat RHSA-2006:0493-01 2006-05-24
Mandriva MDKSA-2006:086 2006-05-18
Trustix TSLSA-2006-0026 2006-05-12

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003
Created:March 24, 2005 Updated:May 31, 2006
Description: A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code.
Alerts:
Debian DSA-1082-1 2006-05-29
Debian DSA-1069-1 2006-05-20
Debian DSA-1070-1 2006-05-21
Debian DSA-1067-1 2006-05-20
Conectiva CLA-2005:945 2005-03-31
Fedora FEDORA-2005-262 2005-03-28
SuSE SUSE-SA:2005:018 2005-03-24

Comments (none posted)

kernel: netfilter memory corruption

Package(s):kernel CVE #(s):CVE-2006-2444
Created:May 25, 2006 Updated:July 5, 2006
Description: The 2.6.12 kernel has a remote memory corruption vulnerability that can be remotely triggered by loading the ip_nat_snmp_basic module and traffic is network-translated on port 161 or 162.
Alerts:
Mandriva MDKSA-2006:116 2006-07-05
Ubuntu USN-302-1 2006-06-15
Trustix TSLSA-2006-0030 2006-05-26
Mandriva MDKSA-2006:087 2006-05-24

Comments (none posted)

kernel: information disclosure

Package(s):kernel CVE #(s):CVE-2006-1343
Created:May 31, 2006 Updated:July 20, 2006
Description: The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release.
Alerts:
Red Hat RHSA-2006:0437-01 2006-07-20
Debian DSA-1097-1 2006-06-14
Fedora FEDORA-2006-698 2006-06-11
Fedora FEDORA-2006-697 2006-06-11
Trustix TSLSA-2006-0032 2006-06-05
rPath rPSA-2006-0087-1 2006-05-31

Comments (none posted)

libextractor: heap-based buffer overflows

Package(s):libextractor CVE #(s):CVE-2006-2458
Created:May 22, 2006 Updated:May 31, 2006
Description: Luigi Auriemma has found two heap-based buffer overflows in libextractor 0.5.13 and earlier: one of them occurs in the asf_read_header function in the ASF plugin, and the other occurs in the parse_trak_atom function in the Qt plugin.
Alerts:
Debian DSA-1081-1 2006-05-29
Gentoo 200605-14 2006-05-21

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2656
Created:May 26, 2006 Updated:June 8, 2006
Description: The tiffsplit command has a problem in the way that it handles fixed-size buffers, a stack overflow can result.
Alerts:
Ubuntu USN-289-1 2006-06-08
Debian DSA-1091-1 2006-06-08
Mandriva MDKSA-2006:095 2006-06-05
Fedora FEDORA-2006-592 2006-05-25
Fedora FEDORA-2006-591 2006-05-25

Comments (none posted)

libtiff: denial of service

Package(s):libtiff CVE #(s):CVE-2006-2024
Created:April 28, 2006 Updated:May 31, 2006
Description: Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c.
Alerts:
Gentoo 200605-17 2006-05-30
Red Hat RHSA-2006:0425-01 2006-05-09
Debian DSA-1054-1 2006-05-09
Mandriva MDKSA-2006:082 2006-05-03
Ubuntu USN-277-1 2006-05-03
SuSE SUSE-SR:2006:009 2006-04-28
Fedora FEDORA-2006-474 2006-04-27
Fedora FEDORA-2006-473 2006-04-27

Comments (none posted)

lynx: denial of service

Package(s):lynx CVE #(s):CVE-2004-1617
Created:May 26, 2006 Updated:June 1, 2006
Description: The lynx text-mode web browser has a problem understanding invalid html involving the TEXTAREA tag. An infinite loop can happen, resulting in a denial of service.
Alerts:
Debian DSA-1085-1 2006-06-01
Debian DSA-1077-1 2006-05-26
Debian DSA-1076-1 2006-05-26

Comments (1 posted)

mailman: denial of service

Package(s):mailman CVE #(s):CVE-2006-0052
Created:March 30, 2006 Updated:June 9, 2006
Description: Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message with a mime multi part format is received, mailman delivery can be stopped.
Alerts:
Red Hat RHSA-2006:0486-01 2006-06-09
SuSE SUSE-SR:2006:008 2006-04-07
Debian DSA-1027-1 2006-04-06
Ubuntu USN-267-1 2006-04-03
Mandriva MDKSA-2006:061 2006-03-29

Comments (none posted)

mpg123: buffer overflows

Package(s):mpg123 CVE #(s):CVE-2006-1655
Created:May 24, 2006 Updated:July 3, 2006
Description: mpg123 does not properly validate MPEG 2.0 layer 3 files, leading to a number of buffer overflow vulnerabilities.
Alerts:
Gentoo 200607-01 2006-07-03
Mandriva MDKSA-2006:092 2006-05-26
Debian DSA-1074-1 2006-05-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

mysql: information leaks

Package(s):mysql mysql-dfsg CVE #(s):CVE-2006-1516 CVE-2006-1517
Created:May 8, 2006 Updated:June 23, 2006
Description: Stefano Di Paola discovered an information leak in the login packet parser. By sending a specially crafted malformed login packet, a remote attacker could exploit this to read a random piece of memory, which could potentially reveal sensitive data. (CVE-2006-1516)

Stefano Di Paola also found a similar information leak in the parser for the COM_TABLE_DUMP request. (CVE-2006-1517)

Alerts:
SuSE SUSE-SA:2006:036 2006-06-23
Debian DSA-1079-1 2006-05-29
Debian DSA-1073-1 2006-05-22
Debian DSA-1071-1 2006-05-22
Fedora FEDORA-2006-553 2006-05-17
Fedora FEDORA-2006-554 2006-05-17
Gentoo 200605-13 2006-05-11
Slackware SSA:2006-129-02 2006-05-10
Mandriva MDKSA-2006:084 2006-05-10
Ubuntu USN-283-1 2006-05-08

Comments (1 posted)

nagios: buffer overflow

Package(s):nagios CVE #(s):