LWN.net Weekly Edition for July 13, 2006

Denial of reality vulnerabilities

On July 7, the folks at rPath sent out a security update for a pair of kernel vulnerabilities. The update reads, in part:

Previous versions of the kernel package are vulnerable to two denial of service attacks. The first allows any local user to fill up file systems by causing core dumps to write to directories to which they do not have write access permissions.

The bug in question is designated CVE-2006-2451; it was fixed in the 2.6.17.4 kernel release. All kernels since 2.6.13 are vulnerable, but one cannot just rely on the nominal version number: Red Hat helpfully backported this bug into the 2.6.9 kernel shipped with RHEL4.

Reading the description above, some system administrators may feel that there is no particular urgency in applying this update. The risk that a rogue user would fill up a disk with core dump files may seem small, so an update fixing the problem - one which requires a system reboot to be effective - can perhaps be deferred for a while. After all, the Linux kernel core dump code takes pains to avoid overwriting existing files with core dumps, so the real potential for harm is small. It's a denial of service bug.

Except that it's not. All that is required is to write a program which contains a line in the format understood by cron, have it change its working directory to /etc/cron.d, and use the bug to make it dump core there. Eventually cron will wander along, helpfully pick the line it understands out of the surrounding binary junk, and execute (as root) the commands found there. It is a simple and straightforward local root exploit; an example implementation has been posted to the full-disclosure list.
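How that exploit is possible is not spelled out above. The defect behind CVE-2006-2451 is that prctl(PR_SET_DUMPABLE) accepted the value 2 from any process. Value 2 is the "suidsafe" mode introduced in 2.6.13, in which the kernel writes the core file as root; a root-owned core file dropped into the process's current directory is exactly the write into /etc/cron.d described above. The fix in 2.6.17.4 makes prctl() reject anything other than 0 or 1. The following program, added here as an example and not taken from the article, the full-disclosure posting or the kernel tree, probes that behaviour without producing a core file, so an ordinary user can tell whether a given kernel (backported vendor kernels included) carries the fix. It assumes Linux and the prctl() declarations in <sys/prctl.h>.

```c
/* Added example: probe for the CVE-2006-2451 prctl() behaviour without
 * creating a core file. Assumes Linux; not code from the article. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Returns 1 if the kernel accepts PR_SET_DUMPABLE=2 from this process
 * (the vulnerable behaviour), 0 if it rejects it with EINVAL (fixed),
 * -1 if the answer could not be determined (e.g. prctl() itself is
 * blocked). The previous setting is restored before returning. */
int kernel_accepts_dumpable_2(void)
{
    int orig, rc, seterr, now;

    orig = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (orig < 0)
        return -1;

    errno = 0;
    rc = prctl(PR_SET_DUMPABLE, 2, 0, 0, 0);
    seterr = errno;
    now = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);

    /* Restore. A fixed kernel can report 2 for a setuid process running
     * under fs.suid_dumpable=2 but will not accept 2 back, so fall back
     * to 0 (not dumpable), the safe direction. */
    if (prctl(PR_SET_DUMPABLE, orig, 0, 0, 0) != 0)
        prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);

    if (rc == 0 && now == 2)
        return 1;
    if (rc != 0 && seterr == EINVAL)
        return 0;
    return -1;
}

/* Print one sysctl file, e.g. /proc/sys/fs/suid_dumpable, for context. */
void show_sysctl(const char *path)
{
    char line[256];
    FILE *f = fopen(path, "r");

    if (f == NULL) {
        printf("%s: (unreadable)\n", path);
        return;
    }
    if (fgets(line, sizeof line, f) != NULL)
        printf("%s: %s", path, line);
    fclose(f);
}

int main(void)
{
    switch (kernel_accepts_dumpable_2()) {
    case 1:
        puts("VULNERABLE: prctl(PR_SET_DUMPABLE, 2) accepted; a core file "
             "can be written as root into this process's current directory");
        break;
    case 0:
        puts("fixed: prctl(PR_SET_DUMPABLE, 2) rejected with EINVAL");
        break;
    default:
        puts("could not determine (prctl() unavailable or blocked)");
    }
    show_sysctl("/proc/sys/fs/suid_dumpable");
    show_sysctl("/proc/sys/kernel/core_pattern");
    return 0;
}
```

Save it as, say, dumpable-check.c, build with cc and run it as an unprivileged user; the check needs no special rights and leaves no file behind. The two sysctl lines are context rather than part of the check: even on a fixed kernel, setting fs.suid_dumpable to 2 asks for root-owned core files of setuid programs, and later kernels (3.6 and newer) refuse to honour that unless kernel.core_pattern pipes the dump to a program.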

Paul Starzetz has posted a complaint about the characterization of a fully-exploitable vulnerability as a denial of service problem; he has seen this done with other vulnerabilities as well. He is right. "Denial of service" makes the vulnerability seem less severe, especially if it is only exploitable locally. Those words may cause vulnerabilities to remain open longer by inspiring inaction on both the administrator and distributor sides. If a bug can be exploited for privilege escalation, it should not be described as a denial of service problem.

To its credit, Red Hat (which is where the bug was discovered) notes that the bug could be exploited to gain root privileges. Ubuntu, which closed the vulnerability four days later, says "This could be exploited to drain available disk space on system partitions, or, under some circumstances, to execute arbitrary code with full root privileges." This advisory could use an edit as well: "under some circumstances" makes the exploit seem unlikely or difficult. A more accurate wording would be "if the attacker wants."

Lest it seem that rPath and Ubuntu are receiving too much grief: as of this writing, five days after disclosure, rPath, Ubuntu, and Red Hat are the only distributors to have fixed this problem. They have done the most important part: making an update available. All other distributors who have shipped kernels based on 2.6.13 or later remain vulnerable to a trivial local root exploit. Might this slow response be caused, in part, by the perception that this is a mere local denial of service bug?

As a community, we feel that we have the best security support out there. Vulnerabilities are not hidden, and fixes come promptly. In cases like this one, however, we have let our users down. Presenting an easily exploitable root vulnerability as a denial of service problem is just the sort of obfuscation that we normally try to avoid. And the fact that a number of distributions remain vulnerable is a failure to live up to our own promises. We can - and must - do better than that.

OpenDocument: cleared for use?

The press release from the Software Freedom Law Center came with an attention-getting headline: Software Freedom Law Center Clears OpenDocument Format for Free Software Use. Since a number of free software projects have supported OpenDocument for some years now, and since OpenDocument has been heavily promoted as a way of leveling the office suite playing field, many in the community may have been surprised to see SFLC jumping in to "clear" the format at this time. Still, free software developers will be glad to know "...that they can legally implement OpenDocument Format (ODF) in free and open source software. OpenDocument Format is a free file format for saving and exchanging editable documents, spreadsheets, databases and presentations."

The problem is that the legal opinion from SFLC says no such thing. With all legal texts, one is well advised to read the fine print; in this case, the small text makes it clear that SFLC's survey was of a rather more limited scope than the press release would suggest.

The SFLC analysis was seemingly inspired by concern over the patent policies of OASIS, the standards body which has adopted ODF. OASIS standards can include patented technology; depending on the policy chosen when a given standard process starts, those patents need not be made available under any sort of license compatible with free software. In the case of ODF, however, the standard was developed in the "royalty free on limited terms" mode. Whether the standard is truly free, in the end, depends on whether the "limited terms" are workable or not.

So the SFLC went to look at the patent terms disclosures required of the standard committee's members. Only Sun had filed such a disclosure, and Sun's terms were deemed to be reasonable. From this work, SFLC concluded that none of the OASIS standard committee members have any patents which they will be able to assert against those who implement OpenDocument. None of the companies which put together this standard have any submarine patents lurking below the surface.

This is good to know, but the disclaimer text makes it clear just how limited this statement is:

Patent-holders not qualifying as Obligated Members of the OASIS Technical Committee may in future assert essential claims. Obligated Members could in future assert non-essential claims... Programs with additional functionality beyond the implementation of the ODF standard, including programs with office suite functionality, may in fact practice licensed essential claims outside the field of use restriction of one or more licenses... This opinion expresses no view of the validity of any patent, nor whether any patent is infringed by ODF or by any implementation thereof. No patent search has been conducted in connection with the preparation of this opinion.

So SFLC did not actually go looking for possibly relevant patents. Given the current state of affairs, the existence of patents which could possibly be applied to ODF seems almost certain. Searching them out would have been pointless; in this field, it is often simply better not to know about possible patent problems. So, while the SFLC has done a good thing by ruling out one particular set of potential ODF patent problems, there are limits to the extent to which ODF can be "cleared for free software use." As long as the current patent regime exists, free software will never be truly safe.

The end of the multiarch era?

Your editor, having a distinct masochistic streak, runs several different computers, each with a different Linux distribution. For added pain, most of them run the bleeding-edge, development version of their particular distribution. As a result, surprises are, well, not particularly surprising. Even so, your editor's x86-64 system running Fedora development (the distribution formerly known as "Rawhide") managed to raise some eyebrows recently - and the news was not all bad.

One of the endearing features of Fedora Development on x86-64 is that the chances of running "yum update" successfully at any given time tend to be less than 50% - especially if the system has any packages from Extras installed. Between dependency hassles and travel, this particular system had not been updated in some time. Your editor finally broke down, deleted a few packages which were blocking the update, and set off on what looked like a plausible attempt to catch up to the leading edge. After a quick check of the current backups, your editor fired off the "yum update" command.

After thinking at length and forcing every other process out to swap in the way only yum can do, the word came back: the system could be updated, at the cost of downloading some 420 packages. Installing that many potentially unstable packages onto an important system requires a significant girding of loins - a state of preparedness which can be difficult to maintain while waiting for all those packages to download from the (not particularly speedy) mirror network. Once that process completed, yum had another long think, then announced a file conflict: /usr/bin/oowriter from openoffice.org-writer-2.0.3-7 conflicted with the same file in openoffice.org-writer-2.0.3-5.

Yum, of course, refused to update the system. That much is understandable, but its subsequent decision to delete all 420 downloaded (but uninstalled) packages can only be seen as gratuitous and mean-spirited.

To the uninitiated, it would appear that yum is complaining about a package conflicting with itself. Experienced Fedora x86-64 users, however, recognize the problem immediately: the x86-64 and i386 versions of the same package are refusing to play well together. This was, thus, your editor's introduction to the good news portion of this exercise: Fedora Development now has a native 64-bit version of OpenOffice.org. All that was necessary was to manually clear out the old, 32-bit version and rerun the update (in the process re-downloading all 420 packages). Some quick tests show that the 64-bit OpenOffice.org appears to work, and your editor can now begin the task of cleaning out the vast pile of 32-bit libraries that OpenOffice.org traditionally dragged onto the system with it.

While a full assessment is yet to be made, it is your editor's opinion that OpenOffice.org was the last 32-bit application running on this 64-bit system. That means that the whole multi-architecture support infrastructure needed to run 32-bit programs can now go away, and it will not be a moment too soon.

Multiple architecture support seems like a nice idea. With a bit of work, a system can transparently run binaries compiled for a different architecture. That can be good for system migrations, and it can make it easier to grab precompiled (or proprietary) applications from elsewhere and quickly make use of them. It allowed your editor to run OpenOffice.org even though that application was not able to build and run properly on your editor's system.

But multiple-architecture support can be an administrative nightmare. Keeping multiple versions of the same package synchronized can be a challenge, and, if the package creators are not careful, they will not mix well together. It is amazing how many libraries must be dragged along for both architectures; the inevitable crufting up of the system happens much more quickly. Your editor never asked to have two versions of MySQL, CUPS, gphoto, GTK2, PAM, etc., but they showed up anyway. And one can only hope that whoever came up with /lib64 has had the opportunity to spend much time in a solitary cell with a bunch of applications using old configure scripts.

In a world where applications cannot be rebuilt, multiarch support might be a life saver. But, in a free software environment, we should not need it. We can build our programs to run on the target's native architecture, and need not saddle ourselves with the overhead and hassles of multiarch support. Your editor is looking forward to cleaning up the 140 or so i386 packages still on this system - they should not be needed anymore.

Page editor: Jonathan Corbet

Security

Wireless networking driver vulnerabilities

July 12, 2006

This article was contributed by Jake Edge.

One of the major conveniences of wireless networking is its invisibility, but that is also one of its major weaknesses. A recent announcement of wireless driver flaws serves as a reminder that simply having a wireless card installed may be enough to allow unauthorized access. Unlike other network devices, there is no wire to remind the user that they may be making their computer vulnerable to malware.

Two security researchers used an open source tool called lorcon to send a large number of malformed wireless frames to various wireless devices, looking to see whether the drivers would fail when they received unexpected data. They found many flaws in the wireless drivers, including one that would allow a malicious user to take over a machine equipped with the vulnerable wireless card. Many of the driver flaws they found did not require that the user or wireless card actually be connected to a network to be exploited.

It is unclear whether this exploit is of concern to Linux users as the researchers are not releasing many details until their talk at the Black Hat conference on 2 August. It is clear, however, that this is an area that is ripe for exploitation on Linux as well as other platforms. Wireless cards do a lot of things invisibly in order to determine what other devices there are in the neighborhood and these actions are often completely outside of the control of the user.
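The researchers had not published their findings at the time of writing, so the example below does not reproduce any of them; it is an added illustration, constructed for this edit and not code from any real driver, of the class of bug that fuzzing with lorcon-style malformed frames turns up. A beacon or probe-response body is a run of tagged elements, each carrying a length byte chosen by whoever transmitted the frame. The first parser copies the SSID using that on-air length, the pattern that turns a frame from a stranger's card into memory corruption on a machine that is merely listening; the second checks every length against both the bytes left in the frame and the destination buffer and rejects the frame otherwise. The sample element lists are constructed, not captured traffic.

```c
/* Added example: 802.11 tagged-parameter parsing, vulnerable and
 * hardened. Constructed for illustration; not code from any driver. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_SSID  0     /* element id of the SSID parameter */
#define SSID_MAX  32    /* 802.11 caps an SSID at 32 octets */

struct bss_info {
    char    ssid[SSID_MAX + 1];   /* NUL-terminated copy of the SSID */
    uint8_t ssid_len;
};

/* VULNERABLE pattern: the length byte that arrived over the air is used
 * as the copy length. Any frame whose SSID element claims 33..255 bytes
 * overflows ssid[]. Shown for comparison; only ever called on the
 * well-formed sample below. */
void parse_ssid_unchecked(const uint8_t *ies, size_t n, struct bss_info *out)
{
    size_t i = 0;
    uint8_t id, len;

    while (i + 2 <= n) {
        id = ies[i];
        len = ies[i + 1];
        if (id == EID_SSID) {
            memcpy(out->ssid, &ies[i + 2], len);   /* len unchecked */
            out->ssid[len] = '\0';
            out->ssid_len = len;
            return;
        }
        i += 2 + (size_t)len;
    }
}

/* Hardened: each element length is checked against the bytes remaining
 * in the frame (catches truncated elements) and the SSID length against
 * the destination buffer. Returns 0 with *out filled in, or -1 when the
 * frame is malformed or carries no SSID element; a driver should drop
 * the frame in the -1 case rather than guess. */
int parse_ssid_checked(const uint8_t *ies, size_t n, struct bss_info *out)
{
    size_t i = 0;
    uint8_t id, len;

    out->ssid[0] = '\0';
    out->ssid_len = 0;
    while (i < n) {
        if (n - i < 2)
            return -1;                    /* element header cut off */
        id = ies[i];
        len = ies[i + 1];
        if ((size_t)len > n - i - 2)
            return -1;                    /* element runs past the frame */
        if (id == EID_SSID) {
            if (len > SSID_MAX)
                return -1;                /* exceeds the spec and the buffer */
            memcpy(out->ssid, &ies[i + 2], len);
            out->ssid[len] = '\0';
            out->ssid_len = len;
            return 0;
        }
        i += 2 + (size_t)len;
    }
    return -1;
}

/* Constructed sample element lists (not captured traffic). */
static const uint8_t good_ies[] = {
    0x00, 0x08, 'l', 'w', 'n', '-', 't', 'e', 's', 't',   /* SSID */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,                    /* rates */
};
/* SSID element whose header claims 20 bytes but only 4 are present. */
static const uint8_t truncated_ies[] = { 0x00, 0x14, 'a', 'b', 'c', 'd' };

/* Build an SSID element that claims 40 bytes: legal on the wire, eight
 * bytes past SSID_MAX. Returns bytes written, 0 if cap is too small. */
size_t build_oversized_ies(uint8_t *buf, size_t cap)
{
    const uint8_t len = 40;

    if (cap < 2u + len)
        return 0;
    buf[0] = EID_SSID;
    buf[1] = len;
    memset(buf + 2, 'A', len);
    return 2u + len;
}

int main(void)
{
    struct bss_info b;
    uint8_t big[64];
    size_t n = build_oversized_ies(big, sizeof big);
    int rc;

    parse_ssid_unchecked(good_ies, sizeof good_ies, &b);
    printf("unchecked, good frame:   ssid=\"%s\"\n", b.ssid);
    /* parse_ssid_unchecked(big, n, &b) would write past the end of ssid[]. */

    rc = parse_ssid_checked(good_ies, sizeof good_ies, &b);
    printf("checked, good frame:     %d ssid=\"%s\"\n", rc, b.ssid);
    printf("checked, oversized SSID: %d\n", parse_ssid_checked(big, n, &b));
    printf("checked, truncated IE:   %d\n",
           parse_ssid_checked(truncated_ies, sizeof truncated_ies, &b));
    return 0;
}
```

The two bounds are independent and both matter: the oversized SSID is perfectly consistent with the frame it sits in and only fails the buffer check, while the truncated element fits the buffer and only fails the remaining-bytes check. Real driver parsers also walk past elements they do not understand, which is why the loop advances by the element's length even when the id is unknown; that step, too, is only safe once the length has been checked against the frame.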

Normally, open source drivers provide at least a path to quickly fix any security problems discovered -- unfortunately, this is not the case with many of the wireless drivers used on Linux systems. Wireless card manufacturers have so far been mostly unwilling to release enough information for kernel hackers to create full open source drivers for those devices. Because of this, many users are installing closed source drivers to access their wireless cards.

In some cases, users are installing Windows drivers and using NdisWrapper to link those into the Linux kernel. Because the wireless vendors are relatively likely to fix the Windows drivers, this approach may provide a reasonably quick resolution to security problems. At least, that may be the case for currently-supported hardware, if the vulnerability does not originate in the interaction between the driver and NdisWrapper, and if the user knows to download and install the updated driver. It is likely that any closed source native Linux wireless driver would have a lower priority for a vendor to fix and therefore a security vulnerability might remain unpatched for a significant amount of time.

It is far better, of course, to use hardware which has open-source support. Vulnerabilities in open-source drivers should be fixed quickly, and those fixes will be made available by the distributor's package management system.

As wireless technology becomes more prevalent and more devices and protocols are deployed, it is clear that more exploits and vulnerabilities will be found. Italian researchers recently ran an experiment at the Milan airport to highlight the number of potentially exploitable Bluetooth devices they could find; in 23 hours they were able to spot 1400 of them. Wireless manufacturers and standards committees do not seem to learn from the security flaws of the past and that will lead to exploits in the future.

New vulnerabilities

gimp: arbitrary code execution

Package(s):gimp CVE #(s):CVE-2006-3404
Created:July 10, 2006 Updated:July 27, 2006
Description: Henning Makholm discovered that gimp did not sufficiently validate the 'num_axes' parameter in XCF files. By tricking a user into opening a specially crafted XCF file with Gimp, an attacker could exploit this to execute arbitrary code with the user's privileges.
Alerts:
Ubuntu USN-312-1 2006-07-10
Fedora FEDORA-2006-794 2006-07-11
Fedora FEDORA-2006-795 2006-07-11
Red Hat RHSA-2006:0598-01 2006-07-18
Mandriva MDKSA-2006:127 2006-07-18
Debian DSA-1116-1 2006-07-21
Gentoo 200607-08:02 2006-07-23
Gentoo 200607-08 2006-07-23
rPath rPSA-2006-0135-1 2006-07-24
Slackware SSA:2006-207-03 2006-07-27

kernel: privilege escalation

Package(s):kernel CVE #(s):CVE-2006-2451
Created:July 7, 2006 Updated:July 26, 2006
Description: The Linux kernel, versions 2.6.13 through 2.6.17.3, has a privilege escalation vulnerability related to the handling of core dumps. A local user can create a program that dumps core into a directory the user has no permission to write to. This can be exploited for a disk-consumption denial of service attack or to gain root privileges.
Alerts:
Red Hat RHSA-2006:0574-01 2006-07-07
rPath rPSA-2006-0122-1 2006-07-07
Ubuntu USN-311-1 2006-07-11
rPath rPSA-2006-0122-2 2006-07-07
Fedora FEDORA-2006-801 2006-07-14
Fedora FEDORA-2006-806 2006-07-14
SuSE SUSE-SA:2006:042 2006-07-26

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Ubuntu USN-309-1 2006-07-05
Mandriva MDKSA-2006:117 2006-07-06
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Mandriva MDKSA-2006:121 2006-07-12
Gentoo 200607-07 2006-07-20
Slackware SSA:2006-357-05 2006-12-25

ppp: privilege escalation

Package(s):ppp CVE #(s):CVE-2006-2194
Created:July 6, 2006 Updated:August 14, 2006
Description: Marcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local winbind configuration, this could potentially lead to privilege escalation.
Alerts:
Ubuntu USN-310-1 2006-07-05
Debian DSA-1106-1 2006-07-10
Mandriva MDKA-2006:119 2006-07-10
Debian DSA-1150-1 2006-08-12

samba: memory exhaustion

Package(s):samba CVE #(s):CVE-2006-3403
Created:July 11, 2006 Updated:July 26, 2006
Description: The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect affects all Samba configurations, according to this advisory.
Alerts:
Mandriva MDKSA-2006:120 2006-07-10
rPath rPSA-2006-0128-1 2006-07-11
Ubuntu USN-314-1 2006-07-12
Fedora FEDORA-2006-807 2006-07-14
Fedora FEDORA-2006-808 2006-07-14
Slackware SSA:2006-195-01 2006-07-17
Debian DSA-1110-1 2006-07-16
Slackware SSA:2006-200-01 2006-07-19
SuSE SUSE-SR:2006:017 2006-07-21
Red Hat RHSA-2006:0591-01 2006-07-25
Gentoo 200607-10 2006-07-25

shadow: privilege escalation

Package(s):passwd shadow CVE #(s):
Created:July 6, 2006 Updated:July 12, 2006
Description: Ilja van Sprundel discovered that passwd, when called with the -f, -g, or -s option, did not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes, a local attacker could exploit this to execute chfn, gpasswd, or chsh with root privileges.
Alerts:
Ubuntu USN-308-1 2006-07-05

SHOUTcast server: multiple vulnerabilities

Package(s):shoutcast CVE #(s):
Created:July 10, 2006 Updated:July 12, 2006
Description: The SHOUTcast server is vulnerable to a file disclosure when the server receives a specially crafted GET request. Furthermore it also fails to sanitize the input passed to the "Description", "URL", "Genre", "AIM", and "ICQ" fields. It also has multiple cross-site scripting vulnerabilities.
Alerts:
Gentoo 200607-05 2006-07-09

Updated vulnerabilities

ImageMagick: heap overflow vulnerability

Package(s):ImageMagick CVE #(s):CVE-2006-2440
Created:May 25, 2006 Updated:September 5, 2006
Description: The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If a maliciously crafted, unexpanded glob is passed to ImageMagick, a heap overflow can result.
Alerts:
Fedora FEDORA-2006-587 2006-05-24
Fedora FEDORA-2006-588 2006-05-24
Debian DSA-1168-1 2006-09-04

Py2Play: remote execution of arbitrary Python code

Package(s):Py2Play CVE #(s):CAN-2005-2875
Created:September 19, 2005 Updated:September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, and clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Gentoo 200509-09 2005-09-17
Debian DSA-856-1 2005-10-10
Gentoo 200509-09:02 2005-09-17

acroread: unspecified security problems

Package(s):acroread CVE #(s):CVE-2006-3093
Created:July 4, 2006 Updated:July 5, 2006
Description: Various unspecified security problems have been fixed in Acrobat Reader version 7.0.8. Adobe does not provide detailed information about the nature of the security problems. Therefore, it is necessary to assume that remote code execution is possible.
Alerts:
SuSE SUSE-SA:2006:041 2006-07-04

asterisk: buffer overflow

Package(s):asterisk CVE #(s):CVE-2006-2898
Created:June 15, 2006 Updated:July 27, 2006
Description: The Asterisk PBX application has a buffer overflow vulnerability in the IAX2 channel driver that can be used for the remote execution of arbitrary code.
Alerts:
Gentoo 200606-15 2006-06-14
Debian DSA-1126-1 2006-07-27

binutils: buffer overflow

Package(s):binutils CVE #(s):CVE-2006-2362
Created:May 27, 2006 Updated:August 29, 2006
Description: The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code.
Alerts:
OpenPKG OpenPKG-SA-2006.009 2006-05-26
Ubuntu USN-292-1 2006-06-09
Mandriva MDKSA-2006:153 2006-08-28

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when hashing passwords, so the resulting password hashes can be attacked by brute force in very little time.
Alerts:
Fedora FEDORA-2006-510 2006-05-04
Fedora FEDORA-2006-511 2006-05-04
Red Hat RHSA-2007:0244-02 2007-05-01

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
Ubuntu USN-127-1 2005-05-17
Mandriva MDKSA-2005:091 2005-05-18
Debian DSA-730-1 2005-05-27
SuSE SUSE-SR:2005:015 2005-06-07
OpenPKG OpenPKG-SA-2005.008 2005-06-10
Red Hat RHSA-2005:474-01 2005-06-16
Debian DSA-741-1 2005-07-07
rPath rPSA-2007-0004-1 2007-01-09

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Debian-Testing DTSA-23-1 2005-12-05
Gentoo 200512-11 2005-12-20
Debian DSA-1083-1 2006-05-31
Debian DSA-1088-1 2006-06-03
Gentoo 200608-27 2006-08-29

courier: denial of service

Package(s):courier CVE #(s):CVE-2006-2659
Created:June 9, 2006 Updated:August 4, 2006
Description: A denial of service vulnerability has been found in the function for encoding email addresses. Addresses containing a '=' before the '@' character caused Courier to hang in an endless loop, rendering the service unusable.
Alerts:
Ubuntu USN-294-1 2006-06-09
Debian DSA-1101-1 2006-06-23
Gentoo 200608-06 2006-08-04

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
Ubuntu USN-234-1 2006-01-02
Red Hat RHSA-2007:0245-02 2007-05-01
rPath rPSA-2007-0094-1 2007-05-07

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:July 13, 2006
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
rPath rPSA-2006-0082-1 2006-05-25
SuSE SUSE-SA:2006:027 2006-05-31
Gentoo 200606-07 2006-06-09
Red Hat RHSA-2006:0539-01 2006-07-12

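The pppd winbind plugin, passwd and vixie-cron entries above share one defect: a privileged program calls setuid() to become an ordinary user and never looks at the return value, so when the call fails the code that follows (including any exec of a helper) runs with the privileges it meant to drop. The example below, written for this edit and not taken from any of those packages, shows the pattern and its fix side by side. It assumes Linux, where setuid((uid_t)-1) is always rejected with EINVAL; that gives a way to exercise the failure path without root and without the PAM process-limit configuration the advisories describe.

```c
/* Added example: unchecked versus checked setuid(). Assumes Linux; not
 * code from pppd, shadow or vixie-cron. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* VULNERABLE pattern, as in the advisories: the result of setuid() is
 * ignored. If it fails (EAGAIN when the target user was over the
 * RLIMIT_NPROC limit on the kernels of the day, EPERM or EINVAL in other
 * cases) execution simply continues as the original user. Returns 0
 * unconditionally, mirroring code that never looks. */
int drop_privs_unchecked(uid_t target)
{
    setuid(target);
    return 0;
}

/* Hardened: treat a failed setuid() as fatal, and verify afterwards that
 * the real and effective uids really are the target (the saved uid is
 * also replaced when a root process calls setuid(), but POSIX gives no
 * portable way to read it back). Returns 0 only when the drop is
 * confirmed, -1 otherwise with errno set. */
int drop_privs_checked(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t self = getuid();
    uid_t bogus = (uid_t)-1;   /* never a valid uid on Linux: EINVAL */
    int rc;

    rc = drop_privs_checked(self);
    printf("checked,   target %u: %d\n", (unsigned)self, rc);

    rc = drop_privs_checked(bogus);
    printf("checked,   target -1: %d (%s)\n", rc, strerror(errno));

    rc = drop_privs_unchecked(bogus);
    printf("unchecked, target -1: %d, still running as uid %u\n",
           rc, (unsigned)getuid());
    return 0;
}
```

The specific trigger in these advisories, a PAM process limit making setuid() fail for the target user, was removed from later kernels (since 3.1 the RLIMIT_NPROC check is applied at execve() rather than in setuid()), but that does not make the check optional: setuid() can still fail for want of CAP_SETUID or with an invalid id, and a program that continues past the failure is the same privilege escalation waiting for a different trigger.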
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Gentoo 200604-09 2006-04-21
Ubuntu USN-272-1 2006-04-24
Mandriva MDKSA-2006:073 2006-04-24
Debian DSA-1042-1 2006-04-25
Fedora FEDORA-2006-515 2006-05-04
SuSE SUSE-SA:2006:025 2006-05-05
Red Hat RHSA-2007:0795-01 2007-09-04
Red Hat RHSA-2007:0878-01 2007-09-04

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Ubuntu USN-291-1 2006-06-08
Debian DSA-1095-1 2006-06-10
rPath rPSA-2006-0100-1 2006-06-12
Mandriva MDKSA-2006:099 2006-06-12
Mandriva MDKSA-2006:099-1 2006-06-13
SuSE SUSE-SA:2006:037 2006-06-27
Gentoo 200607-02 2006-07-09
Mandriva MDKSA-2006:129 2006-07-20
Slackware SSA:2006-207-02 2006-07-27
Ubuntu USN-324-1 2006-07-27
OpenPKG OpenPKG-SA-2006.017 2006-07-28
SuSE SUSE-SA:2006:045 2006-08-01
Fedora FEDORA-2006-912 2006-08-14
Red Hat RHSA-2006:0634-01 2006-08-21
Red Hat RHSA-2006:0635-01 2006-08-21
Mandriva MDKSA-2006:148 2006-08-24
rPath rPSA-2006-0157-1 2006-08-25
Gentoo 200609-04 2006-09-06
Ubuntu USN-341-1 2006-09-06
Debian DSA-1178-1 2006-09-16
Gentoo 200710-09 2007-10-09

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Gentoo 200505-15 2005-05-20
Ubuntu USN-135-1 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-136-2 2005-05-27
Mandriva MDKSA-2005:095 2005-05-30
Trustix TSLSA-2005-0025 2005-05-31
Gentoo 200506-01 2005-06-01
Fedora FEDORA-2005-497 2005-06-29
Fedora FEDORA-2005-498 2005-06-29
Red Hat RHSA-2005:659-01 2005-09-28
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:801-01 2005-10-18
Fedora FEDORA-2005-1032 2005-10-27
Fedora FEDORA-2005-1033 2005-10-27
Mandriva MDKSA-2005:215 2005-11-23
Red Hat RHSA-2006:0368-01 2006-07-20
Red Hat RHSA-2006:0354-01 2006-08-10

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Fedora FEDORA-2006-338 2006-04-19
Debian DSA-1040-1 2006-04-24
Ubuntu USN-278-1 2006-05-03
Mandriva MDKSA-2006:083 2006-05-09
Red Hat RHSA-2007:0286-02 2007-05-01

gnupg: remote denial of service

Package(s):gnupg CVE #(s):CVE-2006-3082
Created:June 21, 2006 Updated:July 28, 2006
Description: A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and earlier) that could allow a remote attacker to cause gpg to crash and possibly overwrite memory via a message packet with a large length.
Alerts:
Mandriva MDKSA-2006:110 2006-06-20
OpenPKG OpenPKG-SA-2006.010 2006-06-26
Ubuntu USN-304-1 2006-06-26
Slackware SSA:2006-178-02 2006-06-28
rPath rPSA-2006-0120-1 2006-06-29
SuSE SUSE-SR:2006:015 2006-06-30
Fedora FEDORA-2006-755 2006-06-30
Fedora FEDORA-2006-757 2006-06-30
Debian DSA-1107-1 2006-07-10
Debian DSA-1115-1 2006-07-21
SuSE SUSE-SR:2006:018 2006-07-28

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
Ubuntu USN-158-1 2005-08-01
Ubuntu USN-161-1 2005-08-04
Fedora-Legacy FLSA:157696 2005-08-10
Fedora-Legacy FLSA:158801 2005-11-14
Mandriva MDKSA-2006:026 2006-01-30
Mandriva MDKSA-2006:027 2006-01-30
OpenPKG OpenPKG-SA-2007.002 2007-01-08

Hashcash: possible heap overflow

Package(s):hashcash CVE #(s):CVE-2006-3251
Created:June 27, 2006 Updated:July 21, 2006
Description: Andreas Seltenreich has reported a possible heap overflow in the array_push() function in hashcash.c, as a result of an incorrect amount of allocated memory for the "ARRAY" structure.
Alerts:
Gentoo 200606-25 2006-06-26
Debian DSA-1114-1 2006-07-21

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Mandriva MDKSA-2005:160 2005-09-06
Ubuntu USN-176-1 2005-09-07
Slackware SSA:2005-251-01 2005-09-09
Debian DSA-815-1 2005-09-16
Red Hat RHSA-2006:0582-01 2006-08-10

kdebase: privilege escalation

Package(s):kdebase CVE #(s):CVE-2006-2449
Created:June 15, 2006 Updated:August 28, 2006
Description: The KDE Display Manager (KDM) is vulnerable to a local symlink attack. A local user can use this to read arbitrary files that they do not have permission to access. See this KDE advisory for more information.
Alerts:
Red Hat RHSA-2006:0548-01 2006-06-14
Ubuntu USN-301-1 2006-06-14
rPath rPSA-2006-0106-1 2006-06-15
Mandriva MDKSA-2006:105 2006-06-15
Mandriva MDKSA-2006:106 2006-06-15
Fedora FEDORA-2006-725 2006-06-19
Fedora FEDORA-2006-726 2006-06-19
Gentoo 200606-23 2006-06-22
Slackware SSA:2006-178-01 2006-06-28
SuSE SUSE-SA:2006:039 2006-07-03
Red Hat RHSA-2006:0576-01 2006-07-25
Debian DSA-1156-1 2006-08-27
Fedora FEDORA-2006-942 2006-08-28

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s): kdelibs kate kwrite  CVE #(s): CAN-2005-1920
Created: July 19, 2005  Updated: November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
Alerts:
Fedora FEDORA-2005-594 2005-07-19
Mandriva MDKSA-2005:122 2005-07-20
Ubuntu USN-150-1 2005-07-21
Red Hat RHSA-2005:612-01 2005-07-27
Debian DSA-804-1 2005-09-08
Debian DSA-804-2 2005-11-10
Gentoo 200611-21 2006-11-27

Comments (none posted)

kernel: multiple vulnerabilities

Package(s): kernel  CVE #(s): CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2275 CVE-2006-1864
Created: May 12, 2006  Updated: July 13, 2006
Description: Multiple vulnerabilities have been found in the Linux kernel.
  • An error in the Stream Control Transmission Protocol (SCTP) code, which uses incorrect state table entries when certain ECNE chunks are received in the CLOSED state, could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • An error exists when handling incoming IP-fragmented SCTP control chunks, which could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function.
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer."
  • A vulnerability has been identified due to an input validation error when processing arguments containing backslash ("\\") characters passed to certain commands (e.g. "cd"), which could be exploited by authenticated attackers to escape chroot restrictions on a CIFS or SMBFS mounted filesystem.
Alerts:
Trustix TSLSA-2006-0026 2006-05-12
Mandriva MDKSA-2006:086 2006-05-18
Red Hat RHSA-2006:0493-01 2006-05-24
SuSE SUSE-SA:2006:028 2006-05-31
Debian DSA-1103-1 2006-06-27
Red Hat RHSA-2006:0579-01 2006-07-13
Red Hat RHSA-2006:0580-01 2006-07-13

Comments (none posted)

kernel: denial of service

Package(s): kernel  CVE #(s): CVE-2006-2934
Created: July 5, 2006  Updated: July 7, 2006
Description: The netfilter SCTP connection tracking code can crash when faced with a "packet without chunks." This vulnerability was fixed in the 2.6.17.3 kernel release.
Alerts:
Fedora FEDORA-2006-769 2006-07-05
Fedora FEDORA-2006-772 2006-07-05
Trustix TSLSA-2006-0040 2006-07-07

Comments (none posted)

kernel: netfilter memory corruption

Package(s): kernel  CVE #(s): CVE-2006-2444
Created: May 25, 2006  Updated: July 5, 2006
Description: The 2.6.12 kernel has a memory corruption vulnerability that can be triggered remotely when the ip_nat_snmp_basic module is loaded and traffic on port 161 or 162 is being network address translated.
Alerts:
Mandriva MDKSA-2006:087 2006-05-24
Trustix TSLSA-2006-0030 2006-05-26
Ubuntu USN-302-1 2006-06-15
Mandriva MDKSA-2006:116 2006-07-05

Comments (none posted)

kernel: multiple vulnerabilities

Package(s): kernel  CVE #(s): CVE-2006-2445 CVE-2006-2448 CVE-2006-3085
Created: June 23, 2006  Updated: August 11, 2006
Description: There is a race condition in the "posix-cpu-timers.c" code that does not prevent another CPU from attaching the timer to an exiting process. This could be exploited by attackers to cause a denial of service.

Errors in "powerpc/kernel/signal_32.c" and "powerpc/kernel/signal_32.c" could allow userspace to provoke a machine check on 32-bit kernels.

An infinite loop in "netfilter/xt_sctp.c" could be exploited by attackers to exhaust all available memory, creating a denial of service condition.

Alerts:
Trustix TSLSA-2006-0037 2006-06-23
rPath rPSA-2006-0110-1 2006-06-23
Mandriva MDKSA-2006:123 2006-07-13
Red Hat RHSA-2006:0575-01 2006-08-10
SuSE SUSE-SA:2006:047 2006-08-11

Comments (none posted)

kernel: information disclosure

Package(s): kernel  CVE #(s): CVE-2006-1343
Created: May 31, 2006  Updated: July 20, 2006
Description: The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release.
Alerts:
rPath rPSA-2006-0087-1 2006-05-31
Trustix TSLSA-2006-0032 2006-06-05
Fedora FEDORA-2006-697 2006-06-11
Fedora FEDORA-2006-698 2006-06-11
Debian DSA-1097-1 2006-06-14
Red Hat RHSA-2006:0437-01 2006-07-20

Comments (none posted)

kiax: arbitrary code execution

Package(s): kiax  CVE #(s): CVE-2006-2923
Created: June 30, 2006  Updated: July 5, 2006
Description: The iax_net_read function in the iaxclient library fails to properly handle IAX2 packets with truncated full frames or mini-frames. These frames are detected in a length check but processed anyway, leading to buffer overflows.
Alerts:
Gentoo 200606-30 2006-06-30

Comments (none posted)

libgadu: memory alignment bug

Package(s): libgadu  CVE #(s): CAN-2005-2370
Created: July 29, 2005  Updated: June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others (e.g. SPARC) it can lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-769-1 2005-07-29
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-813-1 2005-09-15

Comments (none posted)

libgd2: denial of service

Package(s): libgd2  CVE #(s): CVE-2006-2906
Created: June 14, 2006  Updated: January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
Ubuntu USN-298-1 2006-06-13
Mandriva MDKSA-2006:112 2006-06-27
Mandriva MDKSA-2006:113 2006-06-27
Debian DSA-1117-1 2006-07-21
rPath rPSA-2007-0008-1 2007-01-15

Comments (none posted)

libpam-ldap: authentication bypass

Package(s): libpam-ldap  CVE #(s): CAN-2005-2641
Created: August 25, 2005  Updated: October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to properly authenticate against an LDAP server that is not configured correctly, allowing an authentication bypass.
Alerts:
Debian DSA-785-1 2005-08-25
Gentoo 200508-22 2005-08-31
Mandriva MDKSA-2005:190 2005-10-20
rPath rPSA-2006-0183-1 2006-10-05

Comments (none posted)

libtiff: buffer overflow

Package(s): libtiff  CVE #(s): CVE-2006-2193
Created: June 15, 2006  Updated: September 5, 2006
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:102 2006-06-14
Trustix TSLSA-2006-0036 2006-06-16
SuSE SUSE-SR:2006:014 2006-06-20
Gentoo 200607-03 2006-07-09
SuSE SUSE-SA:2006:044 2006-08-01
Fedora FEDORA-2006-952 2006-09-05

Comments (none posted)

mozilla products have multiple vulnerabilities

Package(s): mozilla seamonkey firefox thunderbird  CVE #(s): CVE-2006-2775 CVE-2006-2776 CVE-2006-2777 CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2782 CVE-2006-2783 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787
Created: June 5, 2006  Updated: August 2, 2006
Description: There are multiple vulnerabilities in products based on Mozilla components, particularly Gecko. This CERT advisory contains details.
Alerts:
rPath rPSA-2006-0091-1 2006-06-02
Slackware SSA:2006-155-02 2006-06-05
Gentoo 200606-12 2006-06-11
Ubuntu USN-297-1 2006-06-13
Ubuntu USN-297-2 2006-06-15
Fedora FEDORA-2006-715 2006-06-15
Fedora FEDORA-2006-717 2006-06-15
Gentoo 200606-21 2006-06-19
SuSE SUSE-SA:2006:035 2006-06-23
Red Hat RHSA-2006:0578-01 2006-07-20
Debian DSA-1118-1 2006-07-22
Debian DSA-1120-1 2006-07-23
Ubuntu USN-296-2 2006-07-25
Ubuntu USN-323-1 2006-07-25
Ubuntu USN-297-3 2006-07-26
Debian DSA-1134-1 2006-08-02

Comments (none posted)

mutt: IMAP namespace buffer overflow

Package(s): mutt  CVE #(s): CVE-2006-3242
Created: June 28, 2006  Updated: October 24, 2006
Description: TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If a user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information.
Alerts:
Ubuntu USN-307-1 2006-06-28
Gentoo 200606-27 2006-06-28
Mandriva MDKSA-2006:115 2006-06-28
rPath rPSA-2006-0116-1 2006-06-29
Trustix TSLSA-2006-0038 2006-06-30
Fedora FEDORA-2006-760 2006-06-29
Fedora FEDORA-2006-761 2006-06-29
Debian DSA-1108-1 2006-07-11
Red Hat RHSA-2006:0577-01 2006-07-12
SuSE SUSE-SR:2006:016 2006-07-14
OpenPKG OpenPKG-SA-2006.013 2006-07-15
Slackware SSA:2006-207-01 2006-07-27
Fedora FEDORA-2006-1061 2006-10-24

Comments (none posted)

mysql: denial of service

Package(s): mysql  CVE #(s): CVE-2006-3081
Created: June 23, 2006  Updated: July 18, 2006
Description: Mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x before 5.1.6 allows remote authorized users to cause a denial of service (crash) via a NULL second argument to the str_to_date function.
Alerts:
Mandriva MDKSA-2006:111 2006-06-23
Ubuntu USN-306-1 2006-06-27
Debian DSA-1112-1 2006-07-18

Comments (none posted)

ntp: uses wrong gid

Package(s): ntp  CVE #(s): CAN-2005-2496
Created: August 26, 2005  Updated: August 11, 2006
Description: When xntpd is started with the -u option and the group is specified by name rather than by numeric gid, the daemon uses the gid of the user rather than that of the group. This problem is fixed by this update.
Alerts:
Fedora FEDORA-2005-812 2005-08-26
Ubuntu USN-175-1 2005-09-01
Debian DSA-801-1 2005-09-05
Mandriva MDKSA-2005:156 2005-09-06
Red Hat RHSA-2006:0393-01 2006-08-10

Comments (none posted)

openmotif: buffer overflows

Package(s): openmotif  CVE #(s): CVE-2005-3964
Created: December 29, 2005  Updated: July 27, 2006
Description: The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code.
Alerts:
Gentoo 200512-16 2005-12-28
Red Hat RHSA-2006:0272-01 2006-04-04
Fedora FEDORA-2006-854 2006-07-26

Comments (none posted)

openoffice.org: several vulnerabilities

Package(s): openoffice.org  CVE #(s): CVE-2006-2198 CVE-2006-2199 CVE-2006-3117
Created: June 30, 2006  Updated: January 4, 2007
Description: Several vulnerabilities have been discovered in OpenOffice.org, a free office suite.
  • It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. (CVE-2006-2198)
  • It is possible to evade the Java sandbox with specially crafted Java applets. (CVE-2006-2199)
  • Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:
Debian DSA-1104-1 2006-06-30
Fedora FEDORA-2006-764 2006-06-30
Fedora FEDORA-2006-770 2006-07-03
SuSE SUSE-SA:2006:040 2006-07-03
Red Hat RHSA-2006:0573-01 2006-07-03
Debian DSA-1104-2 2006-07-06
Mandriva MDKSA-2006:118 2006-07-07
Ubuntu USN-313-1 2006-07-11
Ubuntu USN-313-2 2006-07-19
Gentoo 200607-12 2006-07-28
rPath rPSA-2006-0173-1 2006-09-26
Fedora FEDORA-2007-005 2007-01-03

Comments (none posted)

OpenSSH: double shell expansion

Package(s): openssh  CVE #(s): CVE-2006-0225
Created: January 23, 2006  Updated: July 20, 2006
Description: OpenSSH's scp has a double shell expansion vulnerability in local-to-local and remote-to-remote copies.
Alerts:
Fedora FEDORA-2006-056 2006-01-23
Mandriva MDKSA-2006:034 2006-02-06
SuSE SUSE-SA:2006:008 2006-02-14
Slackware SSA:2006-045-06 2006-02-15
OpenPKG OpenPKG-SA-2006.003 2006-02-18
Fedora-Legacy FLSA:168935 2006-02-18
Gentoo 200602-11 2006-02-20
Ubuntu USN-255-1 2006-02-21
Red Hat RHSA-2006:0044-01 2006-03-07
Red Hat RHSA-2006:0298-01 2006-07-20

Comments (none posted)

opera: integer overflow and SSL spoof

Package(s): opera  CVE #(s): CVE-2006-3198 CVE-2006-3331
Created: July 3, 2006  Updated: July 5, 2006
Description: Opera before version 9.0 has an integer overflow vulnerability due to improper handling of JPEG files. Also, Opera did not reset the SSL security bar after displaying a download dialog from an SSL-enabled website, which could allow remote attackers to spoof a trusted SSL certificate from an untrusted website and facilitate phishing attacks.
Alerts:
SuSE SUSE-SA:2006:038 2006-07-03

Comments (none posted)

perl: setuid vulnerabilities

Package(s): perl  CVE #(s): CAN-2005-0155 CAN-2005-0156
Created: February 2, 2005  Updated: August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Ubuntu USN-72-1 2005-02-02
Red Hat RHSA-2005:105-01 2005-02-07
Mandrake MDKSA-2005:031 2005-02-08
SuSE SUSE-SR:2005:004 2005-02-11
Gentoo 200502-13 2005-02-11
Red Hat RHSA-2005:103-01 2005-02-15
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2006:0605-01 2006-08-10

Comments (none posted)

php: multiple vulnerabilities

Package(s): php  CVE #(s): CVE-2006-1990 CVE-2006-1991 CVE-2006-3017
Created: May 25, 2006  Updated: August 18, 2006
Description: The PHP wordwrap() function is vulnerable to an integer overflow. Attackers can submit long arguments to cause a heap-based buffer overflow, allowing arbitrary code execution.

PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function. An attacker can use an out-of-bounds offset argument to cause a memory access violation, causing a denial of service.

A bug in zend_hash_del() allowed attackers to prevent the unsetting of some variables.

Alerts:
Mandriva MDKSA-2006:091 2006-05-24
SuSE SUSE-SA:2006:031 2006-06-14
SuSE SUSE-SA:2006:034 2006-06-22
Mandriva MDKSA-2006:122 2006-07-13
Red Hat