Denial of reality vulnerabilities
On July 7, the folks at rPath sent out
a security update for a pair of
kernel vulnerabilities. The update reads, in part:
Previous versions of the kernel package are vulnerable to two
denial of service attacks. The first allows any local user to fill
up file systems by causing core dumps to write to directories to
which they do not have write access permissions.
The bug in question is designated CVE-2006-2451; it was fixed in the 2.6.17.4 kernel release. All
kernels since 2.6.13 are vulnerable, but one cannot just rely on the
nominal version number: Red Hat helpfully backported this bug into
the 2.6.9 kernel shipped with RHEL4.
Reading the description above, some system administrators may feel that
there is no particular urgency in applying this update. The risk that a
rogue user would fill up a disk with core dump files may seem small, so an
update fixing the problem - and which requires a system reboot to be
effective - can maybe be deferred for a while. After all, the Linux kernel
core dump code takes pains to avoid overwriting files with core dumps, so
the real potential for harm is small. It's a denial of service bug.
Except that it's not. All that is required is to create a program
containing a string in the format understood by cron, send it over
to /etc/cron.d, and use the bug to create a core dump there.
Eventually cron will wander along, helpfully pick the line it
understands out of the surrounding binary junk, and execute (as root) the
commands found there. It is a simple and straightforward local root
exploit; an example implementation has been posted to the full-disclosure
list.
Paul Starzetz has posted a complaint about
the characterization of a fully-exploitable vulnerability as a denial of
service problem; he has seen this done with other vulnerabilities as well.
He is right. "Denial of service" makes the vulnerability seem less severe,
especially if it is only exploitable locally. Those words may cause
vulnerabilities to remain open longer by inspiring inaction on both the
administrator and distributor sides. If a bug can be exploited for
privilege escalation, it should not be described as a denial of service
problem.
To its credit, Red Hat (which is where the bug was discovered) notes that
the bug could be exploited to gain root privileges. Ubuntu, which closed the vulnerability four days
later, says "This could be exploited to drain available disk space on
system partitions, or, under some circumstances, to execute arbitrary code
with full root privileges." This advisory could use an edit as
well: "under some circumstances" makes the exploit seem unlikely or
difficult. A more accurate wording would be "if the attacker wants."
Lest it seem that rPath and Ubuntu are receiving too much grief: as of this
writing, five days after disclosure, rPath, Ubuntu, and Red Hat are the
only distributors to have fixed this problem. They have done the
most important part: making an update available. All other
distributors who have shipped kernels based on 2.6.13 or later remain
vulnerable to a trivial local root exploit. Might this slow response be
caused, in part, by the perception that this is a mere local denial of
service bug?
As a community, we feel that we have the best security support out there.
Vulnerabilities are not hidden, and fixes come promptly. In cases like
this one, however, we have let our users down. Presenting an easily
exploitable root vulnerability as a denial of service problem is just the
sort of obfuscation that we normally try to avoid. And the fact that a
number of distributions remain vulnerable is a failure to live up to our
own promises. We can - and must - do better than that.
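The cron.d angle above is what turns this bug from a disk-filling nuisance into a root exploit, so one check a system administrator can run is whether anything in a cron directory is not plain crontab text at all. The audit below is an added example, not code from the article, rPath or any distributor: it flags files in a cron.d-style directory that contain NUL or control bytes or an ELF header (what a core dump looks like), or that are not root-owned and group/world-unwritable; the default directory and the ownership policy are assumptions.

```c
/* Added example (not from the article or any distributor): audit a
 * /etc/cron.d-style directory for files that cron would parse but which are
 * not plain crontab text, such as a core dump planted there. */
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

enum cron_verdict {
    CRON_OK        = 0,
    CRON_BINARY    = 1,  /* NUL or control bytes: not hand-written crontab text */
    CRON_ELF       = 2,  /* ELF magic: a core dump or executable, not a crontab */
    CRON_BAD_PERMS = 4   /* not root-owned, or group/world writable */
};

/* Content check. A crontab fragment is text: printable or UTF-8 bytes plus
 * tab, LF and CR. Any other control byte (NUL above all, which every core
 * dump contains) marks the file as binary. Verdict bits are OR-ed together. */
int classify_cron_content(const unsigned char *buf, size_t len)
{
    int v = CRON_OK;
    if (len >= 4 && memcmp(buf, "\177ELF", 4) == 0)
        v |= CRON_ELF;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if ((c < 0x20 && c != '\t' && c != '\n' && c != '\r') || c == 0x7f) {
            v |= CRON_BINARY;
            break;
        }
    }
    return v;
}

/* Ownership and mode policy for a system crontab directory (assumed policy:
 * root-owned, not writable by group or others). */
int classify_cron_perms(uid_t uid, mode_t mode)
{
    return (uid != 0 || (mode & (S_IWGRP | S_IWOTH))) ? CRON_BAD_PERMS : CRON_OK;
}

/* Audit one regular file: verdict bits, or -1 if it cannot be examined.
 * Only the first 64 KiB is read; a core dump fails the check in its header. */
int audit_cron_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    static unsigned char buf[65536];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return classify_cron_perms(st.st_uid, st.st_mode) | classify_cron_content(buf, n);
}

/* Audit a whole directory, printing one line per finding. Returns the number
 * of suspicious files, or -1 if the directory cannot be opened. */
int audit_cron_dir(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int suspicious = 0;
    struct dirent *de;
    char path[4096];
    while ((de = readdir(d)) != NULL) {
        if (de->d_name[0] == '.')
            continue;                       /* skip ".", ".." and dotfiles */
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        int v = audit_cron_file(path);
        if (v <= 0)
            continue;                       /* clean, or not a regular file */
        suspicious++;
        printf("%s:%s%s%s\n", path,
               (v & CRON_ELF) ? " elf-header" : "",
               (v & CRON_BINARY) ? " binary-content" : "",
               (v & CRON_BAD_PERMS) ? " bad-owner-or-mode" : "");
    }
    closedir(d);
    return suspicious;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/etc/cron.d";
    int n = audit_cron_dir(dir);
    if (n < 0) {
        perror(dir);
        return 2;
    }
    printf("%d suspicious file(s) in %s\n", n, dir);
    return n > 0;
}
```

The same content check can be pointed at /etc/crontab, /etc/cron.hourly and the per-user spool as well, since none of them should ever hold a non-text file.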
Comments (27 posted)
OpenDocument: cleared for use?
The press release from the Software Freedom Law Center came with an
attention-getting headline:
Software Freedom Law Center Clears OpenDocument Format for Free Software Use.
Since a number of free software projects have supported OpenDocument for
some years now, and since OpenDocument has been heavily promoted as a way
of leveling the office suite playing field, many in the community may have
been surprised to see SFLC jumping in to "clear" the format at this time.
Still, free software developers will be glad to know "...that
they can legally implement OpenDocument Format (ODF) in free and open
source software. OpenDocument Format is a free file format for saving and
exchanging editable documents, spreadsheets, databases and
presentations."
The problem is that the legal
opinion from SFLC says no such thing. With all legal texts, one is
well advised to read the fine print; in this case, the small text makes it
clear that SFLC's survey was of a rather more limited scope than the press
release would suggest.
The SFLC analysis was seemingly inspired by concern over the patent
policies of OASIS, the standards body which has adopted ODF. OASIS
standards can include patented technology; depending on the policy chosen
when a given standard process starts, those patents need not be made
available under any sort of license compatible with free software. In the
case of ODF, however, the standard was developed in the "royalty free on
limited terms" mode. Whether the standard is truly free, in the end,
depends on whether the "limited terms" are workable or not.
So the SFLC went to look at the patent terms disclosures required of the
standard committee's members. Only Sun had filed such a disclosure, and
Sun's terms were deemed to be reasonable. From this work, SFLC concluded
that none of the OASIS standard committee members have any patents which
they will be able to assert against those who implement OpenDocument. None
of the companies which put together this standard have any submarine
patents lurking below the surface.
This is good to know, but the disclaimer text makes it clear just how
limited this statement is:
Patent-holders not qualifying as Obligated Members of the OASIS
Technical Committee may in future assert essential
claims. Obligated Members could in future assert non-essential
claims... Programs with additional
functionality beyond the implementation of the ODF standard,
including programs with office suite functionality, may in fact
practice licensed essential claims outside the field of use
restriction of one or more licenses... This opinion
expresses no view of the validity of any patent, nor whether any
patent is infringed by ODF or by any implementation thereof. No
patent search has been conducted in connection with the preparation
of this opinion.
So SFLC did not actually go looking for possibly relevant patents. Given
the current state of affairs, the existence of patents which could possibly
be applied to ODF seems almost certain. Searching them out would have been
pointless; in this field, it is often simply better not to know about
possible patent problems. So, while the SFLC has done a good thing by
ruling out one particular set of potential ODF patent problems, there are
limits to the extent to which ODF can be "cleared for free software use."
As long as the current patent regime exists, free software will never be
truly safe.
Comments (1 posted)
The end of the multiarch era?
Your editor, having a distinct masochistic streak, runs several different
computers, each with a different Linux distribution. For added pain, most
of them run the bleeding-edge, development version of their particular
distribution. As a result, surprises
are, well, not particularly surprising. Even so, your editor's x86-64
system running Fedora development (the distribution formerly known as
"Rawhide") managed to raise some eyebrows recently - and the news was not
all bad.
One of the endearing features of Fedora Development on x86-64 is that the
chances of running "yum update" successfully at any given time tend to be
less than 50% - especially if the system has any packages from Extras
installed. Between dependency hassles and travel, this particular system
had not been updated in some time. Your editor finally broke down, deleted
a few packages which were blocking the update, and set off on what looked
like a plausible attempt to catch up to the leading edge. After a quick
check of the current backups, your editor fired off the "yum
update" command.
After thinking at length and forcing every other process out to swap in
the way only yum can do, the word came back: the system could be updated,
at the cost of downloading some 420 packages. Installing that many
potentially unstable packages onto an important system requires a
significant girding of loins - a state of preparedness which can be
difficult to maintain while waiting for all those packages to download from
the (not particularly speedy) mirror network. Once that process completed,
yum had another long think, then announced a file conflict:
/usr/bin/oowriter from openoffice.org-writer-2.0.3-7 conflicted
with the same file in openoffice.org-writer-2.0.3-5.
Yum, of course, refused to update the system. That much is understandable,
but its subsequent decision to delete all 420 downloaded (but uninstalled) packages
can only be seen as gratuitous and mean-spirited.
To the uninitiated, it would appear that yum is complaining about a package
conflicting with itself. Experienced Fedora x86-64 users, however,
recognize the problem immediately: the x86-64 and i386 versions of the same
package are refusing to play well together. This was, thus, your editor's
introduction to the good news portion of this exercise: Fedora Development
now has a native 64-bit version of OpenOffice.org. All that was necessary
was to manually clear out the old, 32-bit version and rerun the update (in
the process re-downloading all 420 packages). Some quick tests show that
the 64-bit OpenOffice.org appears to work, and your editor can now begin
the task of cleaning out the vast pile of 32-bit libraries that
OpenOffice.org traditionally dragged onto the system with it.
While a full assessment is yet to be made, it is your editor's opinion that
OpenOffice.org was the last 32-bit application running on this 64-bit
system. That means that the whole multi-architecture support
infrastructure needed to run 32-bit programs can now go away, and it will
not be a moment too soon.
Multiple architecture support seems like a nice idea. With a bit of work,
a system can transparently run binaries compiled for a different
architecture. That can be good for system migrations, and it can make it
easier to grab precompiled (or proprietary) applications from elsewhere and
quickly make use of them. It allowed your editor to run OpenOffice.org
even though that application was not able to build and run properly on your
editor's system.
But multiple-architecture support can be an administrative nightmare.
Keeping multiple versions of the same package synchronized can be a
challenge, and, if the package creators are not careful, they will not mix
well together. It is amazing how many libraries must be dragged along for
both architectures; the inevitable crufting up of the system happens much
more quickly. Your editor never asked to have two versions of MySQL, CUPS,
gphoto, GTK2, PAM, etc., but they showed up anyway.
And one can only hope that whoever came up with
/lib64 has had the opportunity to spend much time in a solitary
cell with a bunch of applications using old configure scripts.
In a world where applications cannot be rebuilt, multiarch support might be
a life saver. But, in a free software environment, we should not need it.
We can build our programs to run on the target's native architecture, and
need not saddle ourselves with the overhead and hassles of multiarch
support. Your editor is looking forward to cleaning up the some 140 i386
packages still on this system - they should not be needed anymore.
Comments (49 posted)
Page editor: Jonathan Corbet
Security
Wireless networking driver vulnerabilities
July 12, 2006
This article was contributed by Jake Edge.
One of the major conveniences of wireless networking is its invisibility, but
that is also one of its major weaknesses. A recent announcement
of wireless driver flaws serves as a reminder that simply having a wireless
card installed may be enough to allow unauthorized access. Unlike other
network devices, there is no wire to remind the user that they may be
making their computer vulnerable to malware.
Two security researchers used an open source tool called
lorcon to send a large
number of wireless packets to various wireless devices. They were looking to
see if they could cause the drivers to fail when they received unexpected
data. The result was that they found many flaws in the wireless drivers,
including one that would
allow a malicious user to take over a machine that was equipped
with the vulnerable wireless card. Many of the driver flaws they
found did not require that the user or wireless card actually be connected to
the network to be exploited.
It is unclear whether this
exploit is of concern to Linux users as the researchers are not releasing
many details until their talk at the Black
Hat conference on 2 August. It is clear, however, that this is an area that
is ripe for exploitation on Linux as well as other platforms. Wireless cards
do a lot of things invisibly in order to determine what other devices there
are in the neighborhood and these actions are often completely
outside of the control of the user.
Normally, open source drivers provide at least a path to quickly fix any
security problems discovered -- unfortunately, this is not the case with
many of the wireless drivers used on Linux systems. Wireless card
manufacturers have so far been mostly unwilling to release enough information
for kernel hackers to create full open source drivers for those devices.
Because of this, many users are installing closed source drivers to access
their wireless cards.
In some cases, users are installing Windows drivers and using
NdisWrapper to link those
into the Linux kernel. Because the wireless vendors are relatively likely to fix the
Windows drivers, this approach may provide a reasonably quick resolution to
security problems. At least, that may be the case for currently-supported
hardware, if the vulnerability does not originate in the interaction
between the driver and ndiswrapper, and if the user knows to download and install the updated
driver. It is likely that any closed source native Linux wireless
driver would have a lower priority for a vendor to fix and therefore a security
vulnerability might remain unpatched for a significant amount of time.
It is far better, of course, to use hardware which has open-source
support. Vulnerabilities in open-source drivers should be fixed quickly,
and those fixes will be made available by the distributor's package
management system.
As wireless technology becomes more prevalent and more devices and protocols
are deployed, it is clear that more exploits and vulnerabilities will be found.
Italian researchers recently ran an experiment
at the Milan airport to highlight the number of potentially exploitable
Bluetooth devices they could find; in 23 hours they were able to spot 1400 of them.
Wireless manufacturers and standards
committees do not seem to learn from the security flaws of the past and that
will lead to exploits in the future.
Comments (4 posted)
New vulnerabilities
gimp: arbitrary code execution
| Package(s): | gimp |
| CVE #(s): | CVE-2006-3404 |
| Created: | July 10, 2006 |
| Updated: | July 27, 2006 |
| Description: | Henning Makholm discovered that gimp did not sufficiently validate the 'num_axes' parameter in XCF files. By tricking a user into opening a specially crafted XCF file with Gimp, an attacker could exploit this to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
kernel: privilege escalation
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2451 |
| Created: | July 7, 2006 |
| Updated: | July 26, 2006 |
| Description: | The Linux kernel, versions 2.6.13 through 2.6.17.3, has a privilege escalation vulnerability that is related to the handling of core dumps. Local users can create a program that can core dump to a directory that the user does not have permission to write to. This can be exploited for a disk consumption denial of service attack, or for the unauthorized gaining of root privileges. |
| Alerts: | |
Comments (2 posted)
libmms: buffer overflows
| Package(s): | libmms |
| CVE #(s): | CVE-2006-2200 |
| Created: | July 6, 2006 |
| Updated: | December 25, 2006 |
| Description: | Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program. |
| Alerts: | |
Comments (none posted)
ppp: privilege escalation
| Package(s): | ppp |
| CVE #(s): | CVE-2006-2194 |
| Created: | July 6, 2006 |
| Updated: | August 14, 2006 |
| Description: | Marcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local winbind configuration, this could potentially lead to privilege escalation. |
| Alerts: | |
Comments (none posted)
samba: memory exhaustion
| Package(s): | samba |
| CVE #(s): | CVE-2006-3403 |
| Created: | July 11, 2006 |
| Updated: | July 26, 2006 |
| Description: | The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect affects all Samba configurations, according to this advisory. |
| Alerts: | |
Comments (none posted)
shadow: privilege escalation
| Package(s): | passwd shadow |
| CVE #(s): | |
| Created: | July 6, 2006 |
| Updated: | July 12, 2006 |
| Description: | Ilja van Sprundel discovered that passwd, when called with the -f, -g, or -s option, did not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes, a local attacker could exploit this to execute chfn, gpasswd, or chsh with root privileges. |
| Alerts: | |
Comments (none posted)
SHOUTcast server: multiple vulnerabilities
| Package(s): | shoutcast |
| CVE #(s): | |
| Created: | July 10, 2006 |
| Updated: | July 12, 2006 |
| Description: | The SHOUTcast server is vulnerable to a file disclosure when the server receives a specially crafted GET request. Furthermore, it also fails to sanitize the input passed to the "Description", "URL", "Genre", "AIM", and "ICQ" fields. It also has multiple cross-site scripting vulnerabilities. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-2440 |
| Created: | May 25, 2006 |
| Updated: | September 5, 2006 |
| Description: | The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result. |
| Alerts: | |
Comments (none posted)
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play |
| CVE #(s): | CAN-2005-2875 |
| Created: | September 19, 2005 |
| Updated: | September 6, 2006 |
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. |
| Alerts: | |
Comments (none posted)
acroread: unspecified security problems
| Package(s): | acroread |
| CVE #(s): | CVE-2006-3093 |
| Created: | July 4, 2006 |
| Updated: | July 5, 2006 |
| Description: | Various unspecified security problems have been fixed in Acrobat Reader version 7.0.8. Adobe does not provide detailed information about the nature of the security problems. Therefore, it is necessary to assume that remote code execution is possible. |
| Alerts: | |
Comments (1 posted)
asterisk: buffer overflow
| Package(s): | asterisk |
| CVE #(s): | CVE-2006-2898 |
| Created: | June 15, 2006 |
| Updated: | July 27, 2006 |
| Description: | The Asterisk PBX application has a buffer overflow vulnerability in the IAX2 channel driver that can be used for the remote execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
binutils: buffer overflow
| Package(s): | binutils |
| CVE #(s): | CVE-2006-2362 |
| Created: | May 27, 2006 |
| Updated: | August 29, 2006 |
| Description: | GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time. |
| Alerts: | |
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack on a file while it is being decompressed, since bzip2 changes the file's permissions after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
courier: denial of service
| Package(s): | courier |
| CVE #(s): | CVE-2006-2659 |
| Created: | June 9, 2006 |
| Updated: | August 4, 2006 |
| Description: | A denial of service vulnerability has been found in the function for encoding email addresses. Addresses containing a '=' before the '@' character cause Courier to hang in an endless loop, rendering the service unusable. |
| Alerts: | |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e.g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Comments (none posted)
vixie-cron: privilege escalation
| Package(s): | cron |
| CVE #(s): | CVE-2006-2607 |
| Created: | May 31, 2006 |
| Updated: | July 13, 2006 |
| Description: | The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
| Alerts: | |
Comments (1 posted)
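The ppp, shadow and vixie-cron entries above share one defect: setuid() can fail (with EAGAIN when the target user is already at the process limit that pam_limits enforces through RLIMIT_NPROC) and the program carries on as root. The following is an added example, not code from pppd, passwd or cron: it models that kernel rule, contrasts the unchecked call with a version that refuses to run unless the uid switch is confirmed, and ends with the same check written against the real setuid()/getuid() calls; the process model struct and function names are constructed for the example.

```c
/* Added example (not from pppd, passwd or cron): unchecked vs. checked
 * setuid() when the target user is at its RLIMIT_NPROC limit. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed model of the process state that matters here: effective uid,
 * plus the target user's process count against the RLIMIT_NPROC limit that
 * PAM's pam_limits can impose on that user. */
struct proc_model {
    uid_t euid;
    unsigned nproc;        /* processes already owned by the target user */
    unsigned nproc_limit;  /* RLIMIT_NPROC for that user */
};

/* Models the kernel rule: switching a root process to a non-root uid that is
 * already at its process limit fails with EAGAIN and leaves euid unchanged. */
int model_setuid(struct proc_model *p, uid_t uid)
{
    if (p->euid != 0 && uid != p->euid) {
        errno = EPERM;
        return -1;
    }
    if (uid != 0 && p->nproc >= p->nproc_limit) {
        errno = EAGAIN;
        return -1;
    }
    p->euid = uid;
    return 0;
}

/* Vulnerable pattern: the return value of setuid() is ignored, so when the
 * call fails the helper is started while euid is still 0.
 * Returns the uid the helper would run as. */
uid_t run_helper_unchecked(struct proc_model *p, uid_t target)
{
    model_setuid(p, target);       /* BUG: failure is not checked */
    return p->euid;                /* exec() of the helper would follow here */
}

/* Corrected pattern: refuse to go on unless the switch succeeded and the uid
 * reads back as expected. Returns the helper's uid, or -1 when refusing. */
long run_helper_checked(struct proc_model *p, uid_t target)
{
    if (model_setuid(p, target) != 0 || p->euid != target)
        return -1;                 /* abort instead of running as root */
    return (long)p->euid;
}

/* The same discipline against the real kernel, for use in an actual helper:
 * drop to `target` and verify before doing anything privileged. 0 on success. */
int drop_privileges(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void)
{
    struct proc_model at_limit = { 0, 5, 5 };   /* user 1000 has 5 of 5 procs */
    struct proc_model below = { 0, 2, 5 };

    printf("unchecked, user at NPROC limit: helper runs as uid %u\n",
           (unsigned)run_helper_unchecked(&at_limit, 1000));
    at_limit = (struct proc_model){ 0, 5, 5 };
    printf("checked, user at NPROC limit:   %s\n",
           run_helper_checked(&at_limit, 1000) < 0 ? "refused" : "ran");
    printf("checked, user below limit:      helper runs as uid %ld\n",
           run_helper_checked(&below, 1000));
    return 0;
}
```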
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate. |
| Alerts: | |
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | October 10, 2007 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privileges of the user. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
Comments (none posted)
gnupg: remote denial of service
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-3082 |
| Created: | June 21, 2006 |
| Updated: | July 28, 2006 |
| Description: | A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and earlier) that could allow a remote attacker to cause gpg to crash and possibly overwrite memory via a message packet with a large length. |
| Alerts: | |
Comments (1 posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
Hashcash: possible heap overflow
| Package(s): | hashcash |
| CVE #(s): | CVE-2006-3251 |
| Created: | June 27, 2006 |
| Updated: | July 21, 2006 |
| Description: | Andreas Seltenreich has reported a possible heap overflow in the array_push() function in hashcash.c, as a result of an incorrect amount of allocated memory for the "ARRAY" structure. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdebase: privilege escalation
| Package(s): | kdebase |
| CVE #(s): | CVE-2006-2449 |
| Created: | June 15, 2006 |
| Updated: | August 28, 2006 |
| Description: | The KDE Display Manager (KDM) is vulnerable to a local symlink attack. A local user can use this to read arbitrary files that they do not have permission to access. See this KDE advisory for more information. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2271, CVE-2006-2272, CVE-2006-2274, CVE-2006-2275, CVE-2006-1864 |
| Created: | May 12, 2006 |
| Updated: | July 13, 2006 |
| Description: | Multiple vulnerabilities in the Linux kernel have been found.
- An error in the Stream Control Transmission Protocol (SCTP) code, which uses incorrect state table entries when certain ECNE chunks are received in the CLOSED state, could be exploited by attackers to cause a kernel panic via a specially crafted packet.
- An error exists when handling incoming IP-fragmented SCTP control chunks, which could be exploited by attackers to cause a kernel panic via a specially crafted packet.
- Linux SCTP (lksctp) allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function.
- Linux SCTP (lksctp) allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer."
- A vulnerability has been identified due to an input validation error when processing arguments containing backslash ("\\") characters passed to certain commands (e.g. "cd"), which could be exploited by authenticated attackers to escape chroot restrictions for a CIFS or SMBFS mounted filesystem. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2934 |
| Created: | July 5, 2006 |
| Updated: | July 7, 2006 |
| Description: | The netfilter SCTP connection tracking code can crash when faced with a "packet without chunks." This vulnerability was fixed in the 2.6.17.3 kernel release. |
| Alerts: | |
Comments (none posted)
kernel: netfilter memory corruption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2444 |
| Created: | May 25, 2006 |
| Updated: | July 5, 2006 |
| Description: | The 2.6.12 kernel has a memory corruption vulnerability that can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is being address-translated. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2445, CVE-2006-2448, CVE-2006-3085 |
| Created: | June 23, 2006 |
| Updated: | August 11, 2006 |
| Description: | There is a race condition in "posix-cpu-timers.c" that does not prevent another CPU from attaching a timer to an exiting process. This could be exploited by attackers to cause a denial of service. A flaw due to errors in "powerpc/kernel/signal_32.c" could allow userspace to provoke a machine check on 32-bit kernels. An infinite loop in "netfilter/xt_sctp.c" could be exploited by attackers to exhaust all available memory, creating a denial of service condition. |
| Alerts: | |
Comments (none posted)
kernel: information disclosure
| Package(s): | kernel |
| CVE #(s): | CVE-2006-1343 |
| Created: | May 31, 2006 |
| Updated: | July 20, 2006 |
| Description: | The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release. |
| Alerts: | |
Comments (none posted)
kiax: arbitrary code execution
| Package(s): | kiax |
| CVE #(s): | CVE-2006-2923 |
| Created: | June 30, 2006 |
| Updated: | July 5, 2006 |
| Description: | The iax_net_read function in the iaxclient library fails to properly handle IAX2 packets with truncated full frames or mini-frames. These frames are detected in a length check but processed anyway, leading to buffer overflows. |
| Alerts: | |
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu instant messaging client), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others, e.g. SPARC, it leads to a bus error, in other words a denial of service. |
| Alerts: | |
libgd2: denial of service
| Package(s): | libgd2 |
| CVE #(s): | CVE-2006-2906 |
| Created: | June 14, 2006 |
| Updated: | January 16, 2007 |
| Description: | Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: | |
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
| CVE #(s): | CAN-2005-2641 |
| Created: | August 25, 2005 |
| Updated: | October 6, 2006 |
| Description: | libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate against an LDAP server that is not configured properly, allowing an authentication bypass. |
| Alerts: | |
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CVE-2006-2193 |
| Created: | June 15, 2006 |
| Updated: | September 5, 2006 |
| Description: | The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service and possibly the execution of arbitrary code. |
| Alerts: | |
mozilla products have multiple vulnerabilities
mutt: IMAP namespace buffer overflow
| Package(s): | mutt |
| CVE #(s): | CVE-2006-3242 |
| Created: | June 28, 2006 |
| Updated: | October 24, 2006 |
| Description: | TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If a user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information. |
| Alerts: | |
mysql: denial of service
| Package(s): | mysql |
| CVE #(s): | CVE-2006-3081 |
| Created: | June 23, 2006 |
| Updated: | July 18, 2006 |
| Description: | Mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x before 5.1.6 allows remote authorized users to cause a denial of service (crash) via a NULL second argument to the str_to_date function. |
| Alerts: | |
ntp: uses wrong gid
| Package(s): | ntp |
| CVE #(s): | CAN-2005-2496 |
| Created: | August 26, 2005 |
| Updated: | August 11, 2006 |
| Description: | When xntpd is started with the -u option and the group is specified as a name rather than a numeric gid, the daemon uses the gid of the user, not that of the group. This problem is now fixed by this update. |
| Alerts: | |
openmotif: buffer overflows
| Package(s): | openmotif |
| CVE #(s): | CVE-2005-3964 |
| Created: | December 29, 2005 |
| Updated: | July 27, 2006 |
| Description: | The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code. |
| Alerts: | |
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org |
| CVE #(s): | CVE-2006-2198, CVE-2006-2199, CVE-2006-3117 |
| Created: | June 30, 2006 |
| Updated: | January 4, 2007 |
| Description: |
Several vulnerabilities have been discovered in OpenOffice.org, a free office suite.
- It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. (CVE-2006-3117) |
| Alerts: | |
OpenSSH: double shell expansion
| Package(s): | openssh |
| CVE #(s): | CVE-2006-0225 |
| Created: | January 23, 2006 |
| Updated: | July 20, 2006 |
| Description: | OpenSSH has a double shell expansion vulnerability in local-to-local and remote-to-remote copies with scp. |
| Alerts: | |
opera: integer overflow and SSL spoof
| Package(s): | opera |
| CVE #(s): | CVE-2006-3198, CVE-2006-3331 |
| Created: | July 3, 2006 |
| Updated: | July 5, 2006 |
| Description: | Opera before version 9.0 has an integer overflow vulnerability due to the improper handling of JPEG files. Also, Opera did not reset the SSL security bar after displaying a download dialog from an SSL-enabled website, which could allow remote attackers to spoof a trusted SSL certificate from an untrusted website and facilitate phishing attacks. |
| Alerts: | |
perl: setuid vulnerabilities
| Package(s): | perl |
| CVE #(s): | CAN-2005-0155, CAN-2005-0156 |
| Created: | February 2, 2005 |
| Updated: | August 11, 2006 |
| Description: | There are two vulnerabilities in perl when it is used in setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: | |
php: multiple vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2006-1990, CVE-2006-1991, CVE-2006-3017 |
| Created: | May 25, 2006 |
| Updated: | August 18, 2006 |
| Description: |
The php wordwrap() function is vulnerable to an integer overflow. Attackers can submit long arguments to cause a heap-based buffer overflow, allowing arbitrary code execution.
PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function. An attacker can use an out-of-bounds offset argument to cause a memory access violation, causing a denial of service.
A bug in zend_hash_del() allowed attackers to prevent the unsetting of some variables. |
| Alerts: | |