OLS: Open source graphics drivers
An Ottawa Linux Symposium talk called
Open
source graphic drivers - they don't kill kittens caught your editor's
attention. The relative safety of kittens in the presence of these drivers
had, until now, been something which, your editor thought, could be taken
for granted. Sure enough, young felines need not worry too much -
especially since open source graphic drivers have a distressing tendency to
not exist for a fair number of cards. That situation may be changing,
however.
Speaker David Airlie started with a review of the current state of free
graphics drivers. Intel chipsets are relatively well supported, thanks to
an enlightened position being taken by that company. ATI is a "former
leading light" in the free software world, but is no longer cooperating.
Even so, the free R200 driver is feature-complete and, at this point,
faster than the binary-only fglrx driver. The reverse-engineered R300/R400
driver is getting closer to being ready; there is no hope for the R500
chipset at this point. Nvidia has a 2D driver in X.org which is "written
in hex" and a well-supported, binary 3D driver. Said driver "still sucks," of
course.
David took the time to point out that, once you load a 1MB binary blob into
your kernel, you are no longer running a free operating system. There is
no way to know what that code is doing, no way to fix it, and no way to
support systems which have that code loaded. Support going into the future
tends to be problematic; the vendors drop support for old cards sooner than
many users would like, and are not always quick to add support for the
newer chipsets.
Why do vendors refuse to support the free software community? David noted,
with amusement, that both ATI and Nvidia withdrew support at about the same
time that they got Xbox contracts. Let's hope, he says, that Intel never
works an Xbox deal. More seriously, there is the usual talk of patent
problems, third-party software which cannot be freed, and so on. These
problems tend to evaporate when enough money is applied to the situation,
however.
So what do things look like in the future? For Intel chipsets, says David,
the future is "mostly excellent." Intel is friendly, and driver support
tends to be available about the same time that new chipsets are released.
For now, this is a group which seems to get it.
On the ATI front, the R300 reverse engineering effort continues. Support
for the 9800 series cards has been stabilized - an effort which, at one
point, required almost six months of a developer's time to find a single
bit in one register which was causing the card to lock up. The R500 series
is harder - though it does not differ all that greatly from previous
offerings. David actually has a 2D driver which he wrote, and which he has
submitted to ATI for permission to distribute. ATI has sat on the driver
for some months with no response. Until such a time as ATI gives
permission, David (due to NDA constraints) is unable to release his code.
On the Nvidia side, the best hope is the Nouveau project, which has set
out to create a reverse-engineered 3D Nvidia driver. There about five or
six people currently working on the project, which also looks to add some
nice 2D features (EXA acceleration, dual head support). The Nouveau
developers have no code to show at this point, being heavily involved in
the reverse engineering work. Progress is being made, but this is a large
project, bigger than the ATI R300 effort. For those who are interested in
contributing to the community, Nouveau looks like a project which could use
some more help.
Linux needs free drivers for graphics adapters. The challenges
involved in freeing this part of our systems are daunting - there is a
great deal of work yet to be done. The overall tone of the talk was
optimistic, however. Developers are on the task, progress is being made,
and the goal is, slowly, getting closer. The kittens will have their
revenge in the end.
Comments (44 posted)
Free Software Sets the Computing Agenda
July 19, 2006
This article was contributed by Glyn Moody
The news
that the European Commission is to fine Microsoft - €280.5 million has
naturally provoked plenty of headlines, both in the technical and
non-technical press. But big as that number might seem, it is in truth a
gnat-bite as far as the Microsoft behemoth is concerned: last
year its net income was $12 billion, and it holds cash and short-term
investments worth over $39 billion. Against this background, the EU's fine
is a little more than an accountancy rounding error.
What is interesting about the whole affair is that the sticking point seems
to be an apparently minor requirement to provide technical information that
would allow third parties to interoperate better with networks running
Microsoft Windows. But as a press release from the Free
Software Foundation Europe rightly points out, this obstinacy is not over
some general principle, whatever Microsoft might claim, but is actually
highly specific, and has one aim above all: to thwart Samba's rise in the
enterprise.
Thus Microsoft's brinkmanship with the European Commission is driven almost
entirely by its need to react to free software. It turns out that this is
by no means the only sphere where Microsoft has ceased to be master of its
own destiny, and finds itself constantly responding to open source
initiatives, and playing catch-up with free software projects.
A good example is to be found in the world of high-performance computing
(HPC). GNU/Linux was first used for computing clusters back in 1994, when
the Beowulf
project began. Since then, free software has established itself as the
pre-eminent HPC solution. In June 2006, the TOP500 listing of the most
powerful supercomputers in the world showed that well over 70% of them ran
some variant of GNU/Linux; precisely two systems out of 500 used some form
of Windows. The same month, Microsoft finally launched
its official HPC solution, the Windows Computer Cluster Server 2003 –
fully 12 years after the first free software solution was made available
for this sector.
While the crushing lead that free software has over Windows in the HPC area
is little known outside specialist circles, most people in computing are
familiar with the fact that the Apache Web server has maintained a
commanding lead over Microsoft's Internet Information Server (IIS) for the
past few years.
Microsoft, too, is obviously acutely aware of this, and recently has been
making sustained efforts to reduce the embarrassingly large lead Apache
holds, and with some success. For example, the Netcraft survey for June
2006 showed that Microsoft IIS gained 4.5 million Web servers, while
Apache lost 429,000, giving Microsoft a whopping 4.25% gain for the month,
and cutting the gap between them to 31.5%, a drop of 16.7% in just three
months. Closer examination reveals exactly why this is happening. As
Netcraft's analysis explains:
Apache's loss of hostnames is due to decreases for
Linux at a number of hosting companies. In addition to Go Daddy [which
moved over 1.6 million hostnames from Apache to IIS], six hosts reduced
their use of Linux by 40K or more, including leading UK provider PIPEX
Communications, Lycos and Zipa.
This is unlikely to be coincidence. After a year of steady market share,
the graph for IIS has been rising sharply since March 2006, which suggests
a concerted effort by Microsoft to court hosting companies in order to
swing them away from Apache on GNU/Linux towards IIS running on Windows.
Once again, then, this shows Microsoft being forced to react to free
software's successes. Despite these efforts, the market still seems to be
moving away from Microsoft: the Netcraft survey for July
2006 shows a gain of 1.8% for Apache, mostly made of up incremental
gains at a dozen hosting companies.
Perhaps the best-known example of Microsoft being compelled to revise its
strategy thanks to free software is in the world of Web browsers.
Development work on Microsoft's browser had effectively came to a halt
after the release of Internet Explorer 6 in August 2001. Microsoft's
refusal to provide any significant updates to IE 6, despite its mounting
security problems, was one of the prime
reasons why the Firefox project was started. Firefox's steady rise in
popularity, and the corresponding drop in Internet Explorer's market share,
eventually compelled Bill Gates to announce
a reversal of Microsoft's previous decision not to produce a standalone
browser before Vista appeared.
With betas available of both IE 7 and Firefox 2.0, the emerging consensus
seems to be that Microsoft has largely caught up with the free software
world as far as browser technology is concerned, but the price that it has
paid for its lengthy refusal to satisfy the needs of users is a serious
loss of market share. Latest
figures from OneStat.com show that Firefox holds some 15.8% of the
browser market in the US, and a massive 39% in Germany.
Even though the appearance of IE 7 is likely to staunch the flow of users
away from IE to Firefox, the latter has established itself as a serious
rival, one that Microsoft will need to track continually to prevent more of
its users defecting. In itself, this is not a huge problem for Microsoft.
The appearance of Firefox has essentially made Microsoft more responsive to
users, and more amenable to following open standards. It does not, though,
imply any loss of revenues.
The situation for office suites is quite different. Microsoft Office is
one of the main cash cows for the whole company: any loss of market share
here will have serious financial repercussions. This makes Microsoft's decision
to sponsor a project to create tools to build "a technical bridge"
between the Microsoft Office Open XML Formats and the OpenDocument Format
all the more surprising, since potentially it could lead to a costly leak
of Office users to other office suites supporting ODF.
It shows once more the world's leading software company being forced to
backtrack in response to developments in the open source world.
Microsoft's position initially was that no one was using ODF, and so there
was no point supporting it. But the announcements by Massachusetts
and, particularly, the Belgian
and Danish
governments in favor of ODF - with administrations in France,
Germany
and elsewhere
considering the move - meant that Microsoft was forced to cede to the
growing pressure for some kind of ODF support in Office. The fact that
Google has joined
the ODF Alliance - whose members now number 260
- and will be supporting the ODF standard with its online word processor Writely
means that Microsoft's scope for independent action is even more
circumscribed.
Taken on their own, each of these instances of Microsoft emulating or
accommodating free software might seem fairly minor. Put together, they
represent a consistent pattern of loss of control that is unprecedented in
the company's recent history. From being on the fringes, ignored or at
best derided by traditional software companies, open source has gradually
moved to the centre, to the point where today it is free software - and not
Microsoft - that is setting the agenda for computing at practically every
level.
Glyn Moody writes about open source at opendotdotdot.
Comments (29 posted)
Page editor: Rebecca Sobol
Security
The /proc vulnerability
July 19, 2006
This article was contributed by Jake Edge.
A second local privilege escalation bug has been found recently in the 2.6
kernel series. The first, covered
by LWN last week, configured processes to dump core in directories not normally
writable by the user. The most recent vulnerability exploits the setuid
permissions bit on files in the /proc filesystem and a kernel
race. In both cases, the result is root privileges for interested local users.
The first indication of the vulnerability came as a working exploit
posted
to the full-disclosure mailing list. The exploit uses an mmap() of
a large file on the disk to slow the system down enough to exploit a race
condition in the /proc filesystem handling. Permissions for the
/proc/self/environ file can be set with the setuid bit 'on' and
prctl() can be used to set the owner of that file to root. Tacking
an a.out executable onto the environ file allows a local
user to get a root shell.
The fix is fairly obvious: setuid and setgid bits do not make any sense for
/proc filesystem entries and removing that 'feature' fixes the
problem. The stable 2.6 kernels were
patched the same day as
the exploit was released and a tweak to the original fix was
released the next day.
A fairly simple workaround is to mount (or remount) /proc with the
nosuid flag. That flag will prevent the setuid/setgid bits from
having any affect for files on that filesystem. It should be noted that
this workaround was the right thing to do for /proc all along;
nothing good can come from allowing those bits to be used. Distributions
should take a look at tightening these kinds of restrictions and help
their users avoid these kinds of problems whenever possible.
Systems that have sufficiently restricted SELinux configurations were not
affected by this vulnerability. For example, the targeted policy in enforcing
mode that is the default for Red Hat Enterprise Linux 4 will not allow
setting those bits on /proc files. In addition, kernels that
did not have a.out support enabled would not be affected by this exploit, but
there may be other ways to exploit the bug without using an a.out binary.
Even so, this vulnerability is a good example of why it makes sense to
disable unused functionality, even if it doesn't have any immediate
security implementations. Most currently-running Linux systems have
probably never seen an a.out binary; they certainly do not need that format
enabled in their kernels.
It is fairly common for local privilege escalation issues to be given
insufficient attention by system administrators because their systems
either have no login user accounts or trust the people who do have them.
Unfortunately, there is often a significant risk even to those kinds of
systems. All that it takes is an exploit in a web program or other network
service that allows a malicious user to get a shell. That shell will be
running with the permissions of the user
that runs the exploited service ('apache' for example), but a privilege
escalation can allow that limited shell access to become a full takeover
of the box. Any network accessible system should be considered vulnerable
to this kind of problem and be patched accordingly.
Comments (7 posted)
New vulnerabilities
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: race condition
| Package(s): | kernel |
CVE #(s): | CVE-2006-3626
|
| Created: | July 17, 2006 |
Updated: | July 21, 2006 |
| Description: |
It was discovered that a race condition in the process filesystem can lead
to privilege escalation. |
| Alerts: |
|
Comments (2 posted)
libpng: buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-3334
|
| Created: | July 19, 2006 |
Updated: | November 17, 2006 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
libtunepimp: buffer overflows
| Package(s): | libtunepimp |
CVE #(s): | CVE-2006-3600
|
| Created: | July 13, 2006 |
Updated: | August 2, 2006 |
| Description: |
The libtunepimp tag parser has multiple buffer overflow vulnerabilities.
If a user can be tricked into opening specially crafted tagged
multimedia files, arbitrary code can be executed with the user's
privileges. |
| Alerts: |
|
Comments (none posted)
libwmf: integer overflow
| Package(s): | libwmf |
CVE #(s): | CVE-2006-3376
|
| Created: | July 13, 2006 |
Updated: | November 6, 2006 |
| Description: |
libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability. |
| Alerts: |
|
Comments (none posted)
rssh: bypass access restrictions
| Package(s): | rssh |
CVE #(s): | CVE-2006-1320
|
| Created: | July 17, 2006 |
Updated: | July 19, 2006 |
| Description: |
Russ Allbery discovered that rssh, a restricted shell, performs
insufficient checking of incoming commands, which might lead to a bypass
of access restrictions. |
| Alerts: |
|
Comments (none posted)
vixie-cron: directory permissions
| Package(s): | vixie-cron |
CVE #(s): | |
| Created: | July 18, 2006 |
Updated: | July 19, 2006 |
| Description: |
vixie-cron has a directory permission issue,
the cron spool directories had the wrong permissions and
have been changed to 0700. The security implications of
the previous permissions are unspecified. |
| Alerts: |
|
Comments (none posted)
webmin: arbitrary file read
| Package(s): | webmin |
CVE #(s): | CVE-2006-3392
|
| Created: | July 19, 2006 |
Updated: | August 7, 2006 |
| Description: |
Webmin before 1.290 and Usermin before 1.220 calls the simplify_path
function before decoding HTML, which allows remote attackers to read
arbitrary files. |
| Alerts: |
|
Comments (none posted)
wireshark: multiple vulnerabilities
Comments (none posted)
zope: privilege escalation
| Package(s): | zope |
CVE #(s): | CVE-2006-3458
|
| Created: | July 13, 2006 |
Updated: | August 9, 2006 |
| Description: |
Zope version 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 has a
privilege escalation vulnerability related to its failure to deactivate the
raw command. Remote users with privileges to edit zope pages with
RestructuredText can cause arbitrary files to become exposed. |
| Alerts: |
|
Comments (1 posted)
Updated vulnerabilities
asterisk: buffer overflow
| Package(s): | asterisk |
CVE #(s): | CVE-2006-2898
|
| Created: | June 15, 2006 |
Updated: | July 27, 2006 |
| Description: |
The Asterisk PBX application has a buffer overflow vulnerability in the
IAX2 channel driver that can be used for the remote execution of
arbitrary code.
|
| Alerts: |
|
Comments (none posted)
binutils: buffer overflow
| Package(s): | binutils |
CVE #(s): | CVE-2006-2362
|
| Created: | May 27, 2006 |
Updated: | August 29, 2006 |
| Description: |
The GNU Binutils has a buffer overflow vulnerability in libbfd.
Maliciously crafted Tektronix Hex Format files with improper length
characters can cause a crash and possibly lead to the execution of
arbitrary code. |
| Alerts: |
|
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
| Alerts: |
|
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
ktools: buffer overflow
| Package(s): | centericq |
CVE #(s): | CVE-2005-3863
|
| Created: | December 7, 2005 |
Updated: | August 29, 2006 |
| Description: |
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor. |
| Alerts: |
|
Comments (none posted)
courier: denial of service
| Package(s): | courier |
CVE #(s): | CVE-2006-2659
|
| Created: | June 9, 2006 |
Updated: | August 4, 2006 |
| Description: |
A denial of service vulnerability has been found in the function for
encoding email addresses. Addresses containing a '=' before the '@'
character caused the Courier to hang in an endless loop, rendering the
service unusable. |
| Alerts: |
|
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
vixie-cron: privilege escalation
| Package(s): | cron |
CVE #(s): | CVE-2006-2607
|
| Created: | May 31, 2006 |
Updated: | July 13, 2006 |
| Description: |
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
| Alerts: |
|
Comments (1 posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
CVE #(s): | CAN-2005-1704
CAN-2005-1705
|
| Created: | May 20, 2005 |
Updated: | August 11, 2006 |
| Description: |
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands. |
| Alerts: |
|
Comments (5 posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gimp: arbitrary code execution
| Package(s): | gimp |
CVE #(s): | CVE-2006-3404
|
| Created: | July 10, 2006 |
Updated: | July 27, 2006 |
| Description: |
Henning Makholm discovered that gimp did not sufficiently validate the
'num_axes' parameter in XCF files. By tricking a user into opening a
specially crafted XCF file with Gimp, an attacker could exploit this
to execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
gnupg: remote denial of service
| Package(s): | gnupg |
CVE #(s): | CVE-2006-3082
|
| Created: | June 21, 2006 |
Updated: | July 28, 2006 |
| Description: |
A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and earlier) that
could allow a remote attacker to cause gpg to crash and possibly overwrite
memory via a message packet with a large length. |
| Alerts: |
|
Comments (1 posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
Hashcash: possible heap overflow
| Package(s): | hashcash |
CVE #(s): | CVE-2006-3251
|
| Created: | June 27, 2006 |
Updated: | July 21, 2006 |
| Description: |
Andreas Seltenreich has reported a possible heap overflow in the
array_push() function in hashcash.c, as a result of an incorrect amount
of allocated memory for the "ARRAY" structure. |
| Alerts: |
|
Comments (none posted)
ImageMagick: heap overflow vulnerability
| Package(s): | ImageMagick |
CVE #(s): | CVE-2006-2440
|
| Created: | May 25, 2006 |
Updated: | September 5, 2006 |
| Description: |
The ImageMagick DisplayImageCommand has a heap overflow vulnerability.
If an maliciously created unexpanded glob is passed to ImageMagick,
a heap overflow can result. |
| Alerts: |
|
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
CVE #(s): | CAN-2005-2494
|
| Created: | September 7, 2005 |
Updated: | August 11, 2006 |
| Description: |
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdebase: privilege escalation
| Package(s): | kdebase |
CVE #(s): | CVE-2006-2449
|
| Created: | June 15, 2006 |
Updated: | August 28, 2006 |
| Description: |
The KDE Display Manager(KDM) is vulnerable to a local symlink attack.
A local user can use this to read arbitrary files that they do not
have permission to access. See this KDE
advisory for more information. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-2271
CVE-2006-2272
CVE-2006-2274
CVE-2006-2275
CVE-2006-1864
|
| Created: | May 12, 2006 |
Updated: | July 13, 2006 |
| Description: |
Multiple vulnerabilities in the Linux have been found.
- An error in the Stream Control Transmission Protocol (SCTP) code that
uses incorrect state table entries when certain ECNE chunks are received in
CLOSED state, could be exploited by attackers to cause a kernel panic via a
specially crafted packet.
- An error exist when handling incoming IP-fragmented SCTP control
chunks, which could be exploited by attackers to cause a kernel panic via a
specially crafted packet.
- Linux SCTP (lksctp) allows remote attackers to cause a denial of
service (infinite recursion and crash) via a packet that contains two or
more DATA fragments, which causes an skb pointer to refer back to itself
when the full message is reassembled, leading to infinite recursion in the
sctp_skb_pull function
- Linux SCTP (lksctp) allows remote attackers to cause a denial of
service (deadlock) via a large number of small messages to a receiver
application that cannot process the messages quickly enough, which leads to
"spillover of the receive buffer."
- A vulnerability has been identified due to an input validation error
when processing arguments containing backslash ("\\") characters passed to
certain commands (e.g. "cd"), which could be exploited by authenticated
attackers to escape chroot restrictions for a CIFS or SMBFS mounted
filesystem.
|
| Alerts: |
|
Comments (none posted)
kernel: privilege escalation
| Package(s): | kernel |
CVE #(s): | CVE-2006-2451
|
| Created: | July 7, 2006 |
Updated: | July 26, 2006 |
| Description: |
The Linux kernel, versions 2.6.13 through 2.6.17.3, has a privilege
escalation vulnerability that is related to the handling of core dumps.
Local users can create a program that can core dump to a
directory that the user does not have permission to write to.
This can be exploited for the use of a disk consumption denial
of service attack, or the unauthorized gaining of root privileges. |
| Alerts: |
|
Comments (2 posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-2445
CVE-2006-2448
CVE-2006-3085
|
| Created: | June 23, 2006 |
Updated: | August 11, 2006 |
| Description: |
There is a race condition error in the "posix-cpu-timers.c" script that
does not prevent another CPU from attaching the timer to an exiting
process. This could be exploited by attackers to cause a denial of
service.
A flaw due to errors in "powerpc/kernel/signal_32.c" and
"powerpc/kernel/signal_32.c" could allow userspace to provoke a machine
check on 32-bit kernels.
An infinite loop in "netfilter/xt_sctp.c" could be exploited by attackers
to exhaust all available memory resources, creating a denial of service
condition. |
| Alerts: |
|
Comments (none posted)
kernel: information disclosure
| Package(s): | kernel |
CVE #(s): | CVE-2006-1343
|
| Created: | May 31, 2006 |
Updated: | July 20, 2006 |
| Description: |
The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: denial of service
| Package(s): | libgd2 |
CVE #(s): | CVE-2006-2906
|
| Created: | June 14, 2006 |
Updated: | January 16, 2007 |
| Description: |
Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: |
|
Comments (none posted)
libmms: buffer overflows
| Package(s): | libmms |
CVE #(s): | CVE-2006-2200
|
| Created: | July 6, 2006 |
Updated: | December 25, 2006 |
| Description: |
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
mozilla products have multiple vulnerabilities
Comments (none posted)
mutt: IMAP namespace buffer overflow
| Package(s): | mutt |
CVE #(s): | CVE-2006-3242
|
| Created: | June 28, 2006 |
Updated: | October 24, 2006 |
| Description: |
TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently
check the validity of namespace strings. If an user connects to a malicious
IMAP server, that server could exploit this to crash mutt or even execute
arbitrary code with the privileges of the mutt user. See this Secunia advisory for more
information. |
| Alerts: |
|
Comments (none posted)
mysql: denial of service
| Package(s): | mysql |
CVE #(s): | CVE-2006-3081
|
| Created: | June 23, 2006 |
Updated: | July 18, 2006 |
| Description: |
Mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x before
5.1.6 allows remote authorized users to cause a denial of service (crash)
via a NULL second argument to the str_to_date function. |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
ntp: uses wrong gid
| Package(s): | ntp |
CVE #(s): | CAN-2005-2496
|
| Created: | August 26, 2005 |
Updated: | August 11, 2006 |
| Description: |
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update. |
| Alerts: |
|
Comments (none posted)
openmotif: buffer overflows
| Package(s): | openmotif |
CVE #(s): | CVE-2005-3964
|
| Created: | December 29, 2005 |
Updated: | July 27, 2006 |
| Description: |
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
|
| Alerts: |
|
Comments (none posted)
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org |
CVE #(s): | CVE-2006-2198
CVE-2006-2199
CVE-2006-3117
|
| Created: | June 30, 2006 |
Updated: | January 4, 2007 |
| Description: |
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
- It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
|
| Alerts: |
|
Comments (none posted)
OpenSSH: double shell expansion
| Package(s): | openssh |
CVE #(s): | CVE-2006-0225
|
| Created: | January 23, 2006 |
Updated: | July 20, 2006 |
| Description: |
OpenSSH has a double shell expansion vulnerability in local to local and
remote to remote copy with scp. |
| Alerts: |
|
Comments (none posted)
shadow: privilege escalation
| Package(s): | passwd shadow |
CVE #(s): | |
| Created: | July 6, 2006 |
Updated: | July 12, 2006 |
| Description: |
Ilja van Sprundel discovered that passwd, when called with the -f, -g,
or -s option, did not check the result of the setuid() call. On
systems that configure PAM limits for the maximum number of user
processes, a local attacker could exploit this to execute chfn |