
LWN.net Weekly Edition for September 14, 2006

Democracy player 0.9

Last February, the Participatory Culture Foundation announced its existence with the launch of the "Democracy" player, billed as "the world's first comprehensive open source Internet TV system." Many Linux users may be excused for not trying out the program at that time; despite being a GPL-licensed program, Democracy had not been ported to the Linux platform.

That situation has now changed; on September 11, Democracy 0.9 was announced. It runs on Linux, and packages for Debian, Fedora Core, Gentoo, and Ubuntu are provided; the source is available for everybody else. Beyond the Linux port, this version promises a polished user interface, a new playlist capability, Flash video support, and more. Your editor clearly had no choice; a tool like this simply must be tried out.

Unfortunately, the Democracy experience is still rather spotty at best. It requires the installation of a number of proprietary codecs (which is not particularly surprising, once one thinks about it - the Democracy developers will have no magic solutions there). The system can be sluggish to respond, and your editor never was able to get it to display a video in its own window. It also would not explain why it failed to display anything, so there was little to be done about it.

But your editor was able to get far enough to realize one important thing: video display is not really what Democracy is about in the first place. This tool is really a sort of video feed aggregator for free video content; it has all the required features for sorting feeds into categories, collecting votes for interesting videos, using BitTorrent to download videos in a provider-friendly way, and more. There is also significant support for people who want to create their own video feeds.

What Democracy and its supporting foundation are trying to do is to get as many people as possible into the business of creating and distributing interesting content. The term "Internet TV" is somewhat off the mark - Democracy will suit couch potatoes just fine, but its real purpose is to get them off their couches and participating in the process. It is trying to create a world where video content is free, universal, and compelling - so it has tools for finding and distributing videos but a distinct lack of DRM support.

This is an important goal - television is too important to leave to the TV companies. If the Democracy system can help to bring more free content into existence, it will have done a good thing. Some progress in that direction has been made: there are, it is said, some 600 channels of free content available now, and, doubtless, more to come. The current code has real promise; it looks like a capable system for discovering, distributing, and managing interesting video content. If they can get past the remaining troublesome issues, the Democracy hackers will have created a valuable tool indeed.

Comments (13 posted)

cdrecord - how the distributors are responding

One month ago, LWN ran an article about the cdrtools license change and resulting controversy. The biggest issue remains the distribution of binary versions of the mkisofs utility. This tool is licensed under the GPL, and has copyrights held by a number of authors. The current version, however, requires the libscg library - which is now distributed under Sun's CDDL license. Since the GPL and the CDDL are mutually incompatible, it is hard to see how mkisofs can be distributed legally.

That situation has not changed in the last month; cdrtools author Jörg Schilling appears to be determined to go forward with the license change. What has happened, however, is that a number of distributors have responded to the change - though not all have responded in the same way. Here is a summary of what the distributors are doing:

  • Debian was the first distributor to notice the license problem, and the Debian developers have reacted quickly. It now appears that etch will ship with cdrkit, a new project based on a version of cdrtools from before the license change. The Debian maintainers are actively pushing forward with this project, and they have approached other distributors to see if they want to help.

  • Fedora has dropped back to the 2.01 release, which predates the most controversial license changes. That change allows them to get the Fedora Core 6 release out without excess worry or delay while the longer-term plan is worked out. That process appears to be going slowly, with the Fedora cdrtools maintainer not yet participating in the discussion.

    Meanwhile, Fedora has also slipped a version of libburn into the Extras repository.

  • Gentoo has taken an interesting approach. Since Gentoo distributes in source form, the developers have concluded that they need not worry about this issue. There is no combination of mkisofs and libscg until the end user builds a binary - and the user has the right to do that. As long as those binaries are not distributed, licensing does not come into play. Thus, Gentoo ships the (relicensed) 2.01.01-a11 release.

    That said, the Gentoo developers have also put cdrkit into their distribution, and it looks like that is what they plan to support going into the future.

  • Mandriva has made no public statements about the license change at all. The recently announced Mandriva 2007 release candidate contains version 2.01.01-a11, which includes the relicensed code.

  • Slackware has no recent cdrtools-related entries in the current changelog. The upcoming Slackware 11 release appears to be poised to ship version 2.01.

  • SUSE's response, so far, is "We'll look into cdrkit." The current "factory" OpenSUSE tree contains version 2.01.

  • Ubuntu currently has 2.01.01-a3 (which predates the license change) in the repository for the upcoming "edgy" release; cdrkit has not yet made an appearance there. It would be surprising if Ubuntu failed to follow Debian's lead on this, however.

The overall picture that results is that, while a number of distributors are taking overt action in response to the cdrtools licensing issues, others appear to be waiting until things settle - and a final 2.01.01 release is made. Only one of the distributors listed above (Mandriva) looks set, at the moment, to distribute a version of cdrtools released under the new license.

For years, there has been occasional talk of forking the cdrtools package. It has remained talk, however; CD burning can be a tricky task, and, as a result, cdrtools is not a trivial package to take on. It now appears likely that this fork will happen at last; the licensing changes have given the distributors (at least those most concerned with these issues) little choice. The real remaining question, then, would be: just how many forks will result? No distributor has an interest in taking on the full maintenance of a package like this, so the incentives should be in place to bring everybody together on a single CD burning utility.

Comments (4 posted)

Where have all the reviewers gone?

One of the often-proclaimed advantages of the free software development model is that of peer review. Our code, we claim, is better because it has been reviewed and improved by a variety of people beyond the original author(s). Reviewers, with their unique perspective, will find bugs and generally help new code fit properly into an existing project. This review process is seen as being so important that a number of projects will not accept code until it has been picked over by other developers.

So reviewers are a fundamental part of the process. They are also, it seems, somewhat scarce. Consider a couple of examples:

  • In the kernel space, the reiser4 filesystem has been held up for some time. There are many reasons for that delay, but one of those has been the lack of a thorough review by somebody who understands the Linux virtual filesystem layer well. Greg Kroah-Hartman, in his OLS keynote, said, more generally: "The big problem ... is we really only have a very small group of people reviewing code in the kernel community."

  • The PostgreSQL developers have been engaged in a lengthy discussion on the upcoming 8.2 release, why it is taking as long as it is, and why this release appears (to them) to have little in the way of exciting new features. The conversation has touched on various aspects of that project's development process; there are many things for those developers to think about. One of them, though, as expressed by one of the participants, is: "...the real problem seems to be we do not have enough patch reviewers."

If we truly believe that code review is a crucial part of the free software process (and, for the most part, it is likely that we do believe this), then the idea that projects are being slowed by the lack of reviewers is a bit worrying. At best, a reviewer shortage will be a bottleneck in the process; a worse possibility is that some projects will simply decide to do without.

Reviewers serve a number of purposes. They can often immediately spot that bug that the developer has stared at for hours without finding. If the code is hard to understand, the reviewers will be the first to notice. If the associated documentation is incorrect or (as is more often the case) absent, the reviewers will notice that as well. When code appears to have been written using some sort of specialized, non-public knowledge, reviewers can inquire as to its provenance. Coding style issues, API misuse, inefficient algorithms, use of outdated interfaces, and more can be caught in the review process before the code hits the project's mainline. Reviewers really do increase a project's code quality and long-term maintainability.

The problem is that code review can be a difficult, tiring, and thankless job. Human nature being what it is, people will often show less than the appropriate amount of gratitude when a reviewer points out their mistakes in public. This is especially true if the code has problems which will require significant amounts of work to fix. The reviewer did not create these problems, he or she is simply the messenger with the bad news. So reviewers tend to get grumpy, especially when they see the same mistakes being made over and over again.

Developers get credit for their work, in various forms. It is a rare project release, however, which publicly acknowledges those who reviewed the code. Given that writing code is not only a more visible activity, but it also tends to be more fun than reviewing code written by others, it is not surprising that many developers choose to concentrate on their own work.

Finally, reviewing code can be intimidating - especially if the patch of interest has a Big Name behind it. Many potential reviewers may feel that they simply do not have the standing to poke at other peoples' work. The fact is, however, that even people with a relatively small amount of experience can provide useful reviews, and learn from the process. From Greg's OLS keynote:

When you are learning to play an instrument, you don't start out writing full symphonies on your own, you spend years reading other people's scores, and learning how things are put together and work and interact. Only later do you start writing your own music, small tunes, and then, if you want, working up to bigger pieces. The same goes for programming. You can learn a lot from reading and understanding other people's code. Study the things posted, and ask why things are done specific ways, and point out problems that you have noticed.

If we want to create the best free systems we can, we must ensure that the review portion of the process does not get slighted. To that end, people who have the requisite skills would do well to dedicate a bit of their time to reviewing code in a project that interests them. Buy a reviewer a beer, and forgive them if they tell you, in front of hundreds or thousands of developers, that your work is best suited for a place in the project's "bad examples" repository. Listen to what the reviewers say, respond to it, and thank them. The result will be better software for all of us.

Comments (21 posted)

Page editor: Jonathan Corbet

Security

Security news

Syndicated Malware

September 13, 2006

This article was contributed by Jake Edge.

Syndicated content, from blogs, news sites and the like, is a popular way to keep track of those sites, but it also provides a vector for malware. Really Simple Syndication (RSS) and Atom are the two formats used to provide syndicated content, and there are a variety of web-based and standalone clients that can read RSS/Atom feeds and display them to users. These clients often do not filter the content properly and can be susceptible to various attacks.

Both RSS and Atom are XML-based formats that contain the various elements of the content being syndicated -- title, description, story link, etc. A client program, often known as an 'aggregator', allows the user to subscribe to various feeds and checks periodically for new content. The aggregator then displays that information and the user can choose content items to look at more closely. Because much of the content comes from websites, aggregators typically interpret HTML content in the feed data for display. This provides the means for attacks.

Malicious content, for cross-site scripting (XSS) or cross-site request forgery (XSRF), can be inserted into any of the textual portions of the feed data. If the aggregator does not sufficiently filter the received data, it may expose the user to the malware. Web-based aggregators are particularly susceptible, as they run in a browser with all of the normal browser capabilities, but standalone clients often include browser-like rendering or will start a browser to follow feed links.

While it is certainly possible, it is unlikely that feed providers will put malware directly into their own feeds; they would be too easy to track down. A much more likely scenario is feeds that syndicate user-generated content, such as comment feeds on blogs or sites like LWN (syndication information here). Depending on the filtering that the site does, it may end up propagating malware within its syndication content. A malicious user could, anonymously at many sites, post a comment containing malware and effectively co-opt that site into spreading it. A popular site could spread this malware very widely, even if only a small percentage of its users' aggregators were affected.

In addition, many popular sites are 're-syndicated': their feeds are included in the feeds of aggregation sites. A security site, for instance, might display the feeds of several other security sites and include that content in its own feed. This provides for a virus-like propagation, where a malicious user can inject content once and have it start showing up in multiple feeds. Some sites will also collect mailing list entries or descriptions of new content available on peer-to-peer networks and add them to their syndication feed. This provides even more ways for someone to anonymously inject malware.

Bob Auger presented his findings (PDF) on this subject at the Black Hat 2006 conference. He provides several plausible malware attack scenarios as well as examples of RSS and Atom data that demonstrate these techniques.

The potential for malicious content in any data that originates elsewhere really cannot be overstated. The tools we use on a day-to-day basis need to be aware of this potential and act appropriately. It may seem like security articles tediously repeat the same 'filter input data' mantra over and over, but here is yet another place where proper filtering has been overlooked.
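The aggregator-side filtering the article calls for, as an added example that is not part of the original article or of Bob Auger's material: an allowlist HTML sanitizer applied to the title and body of each RSS 2.0 item or Atom entry, run over a constructed feed. It uses only the Python 3 standard library; the tag and attribute allowlist is a constructed, deliberately small one, and Atom content is assumed to be type="html" (escaped markup), not xhtml.

```python
"""Allowlist HTML sanitizer for feed content, plus a small RSS/Atom item reader."""
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: anything not listed is dropped (script, img, iframe, style, on* handlers...)
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br",
                "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
# For these elements the enclosed text is dropped too, not just the tags
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
ATOM_NS = "{http://www.w3.org/2005/Atom}"


def _safe_url(url):
    """Reject javascript:, data: and other non-allowlisted URL schemes."""
    # Browsers ignore whitespace and control characters inside a URL, so a
    # scheme such as "java\tscript:" must be checked with them removed.
    cleaned = "".join(c for c in url if c.isprintable() and not c.isspace())
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES   # "" = relative link


class FeedHTMLSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # decodes &#106;avascript: before we check it
        self.out = []
        self.skip_depth = 0    # >0 while inside a DROP_CONTENT_TAGS element
        self.open_tags = []    # kept so the output is always balanced

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        if tag in self.open_tags:
            while self.open_tags:          # close anything left open inside it
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:              # close tags the feed left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_html(fragment):
    p = FeedHTMLSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def read_feed_items(xml_text):
    """Return (title, body_html) pairs for RSS 2.0 <item> and Atom <entry> elements."""
    root = ET.fromstring(xml_text)
    items = [(i.findtext("title", ""), i.findtext("description", ""))
             for i in root.iter("item")]
    for e in root.iter(ATOM_NS + "entry"):
        body = e.findtext(ATOM_NS + "content", "") or e.findtext(ATOM_NS + "summary", "")
        items.append((e.findtext(ATOM_NS + "title", ""), body))
    return items


def sanitized_items(xml_text):
    """Everything the aggregator would render, after filtering."""
    return [(sanitize_html(t), sanitize_html(b)) for t, b in read_feed_items(xml_text)]


# Constructed feeds: the second RSS item mimics a comment carrying markup
SAMPLE_RSS = """<rss version="2.0"><channel><title>Constructed test feed</title>
<item><title>Harmless post &lt;b&gt;bold&lt;/b&gt;</title>
<description>&lt;p&gt;Hello &lt;a href="https://example.org/x"&gt;link&lt;/a&gt;&lt;/p&gt;</description></item>
<item><title>Comment with markup</title>
<description>&lt;p onmouseover="x()"&gt;text&lt;/p&gt;&lt;script&gt;x()&lt;/script&gt;&lt;a href="javascript:x()"&gt;click&lt;/a&gt;&lt;img src=x onerror=x()&gt;</description></item>
</channel></rss>"""
SAMPLE_ATOM = """<feed xmlns="http://www.w3.org/2005/Atom"><title>Constructed test feed</title>
<entry><title>Atom entry</title>
<content type="html">&lt;p&gt;ok&lt;/p&gt;&lt;iframe src="https://example.org/"&gt;&lt;/iframe&gt;</content>
</entry></feed>"""

if __name__ == "__main__":
    for title, body in sanitized_items(SAMPLE_RSS) + sanitized_items(SAMPLE_ATOM):
        print(f"{title}: {body}")
```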

Comments (1 posted)

New vulnerabilities

bind: denial of service

Package(s): bind    CVE #(s): CVE-2006-4095 CVE-2006-4096
Created: September 7, 2006    Updated: February 1, 2007
Description: Bind has two denial of service vulnerabilities.

On recursive servers, queries for SIG records will trigger an assertion failure if more than one RRset is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
Fedora FEDORA-2007-164 2007-01-31
Gentoo 200609-11 2006-09-15
Slackware SSA:2006-257-01 2006-09-15
Fedora FEDORA-2006-966 2006-09-11
Debian DSA-1172-1 2006-09-09
Mandriva MDKSA-2006:163 2006-09-08
rPath rPSA-2006-0166-1 2006-09-08
Ubuntu USN-343-1 2006-09-07
OpenPKG OpenPKG-SA-2006.019 2006-09-07

Comments (none posted)

flash-plugin: arbitrary code execution

Package(s): flash-plugin    CVE #(s): CVE-2006-3311 CVE-2006-3587 CVE-2006-3588
Created: September 13, 2006    Updated: October 5, 2006
Description: Security issues were discovered in the Adobe Flash Player. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file.
Alerts:
Gentoo 200610-02 2006-10-04
SuSE SUSE-SA:2006:053 2006-09-21
Red Hat RHSA-2006:0674-01 2006-09-12

Comments (none posted)

isakmpd: programming error

Package(s): isakmpd    CVE #(s): CVE-2006-4436
Created: September 13, 2006    Updated: September 13, 2006
Description: A flaw has been found in isakmpd, OpenBSD's implementation of the Internet Key Exchange protocol, that caused Security Associations to be created with a replay window of 0 when isakmpd was acting as the responder during SA negotiation. This could allow an attacker to re-inject sniffed IPsec packets, which would not be checked against the replay counter.
Alerts:
Debian DSA-1175-1 2006-09-13

Comments (none posted)

mailman: several vulnerabilities

Package(s): mailman    CVE #(s): CVE-2006-2941 CVE-2006-3636
Created: September 8, 2006    Updated: October 23, 2006
Description: A flaw was found in the way Mailman handled MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which caused that particular mailing list to stop working. (CVE-2006-2941)

Several cross-site scripting (XSS) issues were found in Mailman. An attacker could exploit these issues to perform cross-site scripting attacks against the Mailman administrator. (CVE-2006-3636)

Alerts:
Fedora FEDORA-2006-1013 2006-10-23
Debian DSA-1188-1 2006-10-04
Gentoo 200609-12 2006-09-19
Mandriva MDKSA-2006:165 2006-09-18
Ubuntu USN-345-1 2006-09-13
rPath rPSA-2006-0165-1 2006-09-08
Red Hat RHSA-2006:0600-01 2006-09-06

Comments (none posted)

php: several vulnerabilities

Package(s): php    CVE #(s): CVE-2006-4481 CVE-2006-4484 CVE-2006-4485
Created: September 8, 2006    Updated: June 13, 2008
Description: The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481).

A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484).

The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485).

Alerts:
SuSE SUSE-SR:2008:013 2008-06-13
Mandriva MDVSA-2008:077 2007-03-26
SuSE SUSE-SR:2008:005 2008-03-06
Red Hat RHSA-2008:0146-01 2008-02-28
Fedora FEDORA-2008-1643 2008-02-13
Foresight FLEA-2008-0007-1 2008-02-11
Fedora FEDORA-2008-1122 2008-02-05
Fedora FEDORA-2008-1131 2008-02-05
SuSE SUSE-SR:2008:003 2008-02-07
Mandriva MDVSA-2008:038 2007-02-07
rPath rPSA-2008-0046-1 2008-02-06
Gentoo 200802-01 2008-02-06
rPath rPSA-2006-0182-1 2006-10-05
SuSE SUSE-SA:2006:052 2006-09-21
Red Hat RHSA-2006:0669-01 2006-09-21
Mandriva MDKSA-2006:162 2006-09-07

Comments (1 posted)

xorg-x11: privilege escalation

Package(s): xorg-x11 xfree86    CVE #(s): CVE-2006-3739 CVE-2006-3740
Created: September 12, 2006    Updated: December 14, 2006
Description: iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server.
Alerts:
Mandriva MDKSA-2006:164-2 2006-12-14
Mandriva MDKSA-2006:164-1 2006-11-17
Debian DSA-1193-1 2006-10-09
SuSE SUSE-SR:2006:023 2006-09-27
Slackware SSA:2006-259-01 2006-09-18
Mandriva MDKSA-2006:164 2006-09-14
Gentoo 200609-07 2006-09-13
Ubuntu USN-344-1 2006-09-12
Red Hat RHSA-2006:0666-01 2006-09-12
Red Hat RHSA-2006:0665-01 2006-09-12
rPath rPSA-2006-0167-1 2006-09-12

Comments (none posted)

Updated vulnerabilities

AlsaPlayer: multiple buffer overflows

Package(s): alsaplayer    CVE #(s): CVE-2006-4089
Created: August 28, 2006    Updated: September 19, 2006
Description: AlsaPlayer contains three buffer overflows: in the function that handles the HTTP connections, the GTK interface, and the CDDB querying mechanism. An attacker could exploit the first vulnerability by enticing a user to load a malicious URL resulting in the execution of arbitrary code with the permissions of the user running AlsaPlayer.
Alerts:
Debian DSA-1179-1 2006-09-19
Gentoo 200608-24 2006-08-26

Comments (none posted)

apache: cross-site scripting

Package(s): apache    CVE #(s): CVE-2006-3918
Created: August 9, 2006    Updated: April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

audacious: buffer overflow

Package(s): audacious    CVE #(s): CVE-2006-3581 CVE-2006-3582
Created: August 2, 2006    Updated: September 13, 2006
Description: Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file.
Alerts:
Gentoo 200609-06 2006-09-12
Gentoo 200607-13 2006-07-29

Comments (none posted)

binutils: buffer overflow

Package(s): binutils    CVE #(s): CVE-2005-4807
Created: August 17, 2006    Updated: October 19, 2006
Description: The GNU assembler (gas) in binutils is vulnerable to a buffer overflow. If a user can be tricked into assembling a specially crafted file with gcc or gas, arbitrary code can be executed with the privileges of the user.
Alerts:
Ubuntu USN-366-1 2006-10-18
Ubuntu USN-336-1 2006-08-16

Comments (3 posted)

busybox: insecure password generation

Package(s): busybox    CVE #(s): CVE-2006-1058
Created: May 5, 2006    Updated: May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s): bzip2    CVE #(s): CAN-2005-0953 CAN-2005-1260
Created: May 17, 2005    Updated: January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack on a file while it is being decompressed, since bzip2 changes that file's permissions after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

capi4hylafax: missing input sanitizing

Package(s): capi4hylafax    CVE #(s): CVE-2006-3126
Created: September 1, 2006    Updated: October 18, 2006
Description: Lionel Elie Mamane discovered a security vulnerability in capi4hylafax, tools for faxing over a CAPI 2.0 device, that allows remote attackers to execute arbitrary commands on the fax receiving system.
Alerts:
Gentoo 200610-05 2006-10-17
Debian DSA-1165-1 2006-09-01

Comments (none posted)

cheesetracker: buffer overflow

Package(s): cheesetracker    CVE #(s): CVE-2006-3814
Created: September 4, 2006    Updated: October 27, 2006
Description: Luigi Auriemma discovered a buffer overflow in the loading component of cheesetracker, a sound module tracking program, which could allow a maliciously constructed input file to execute arbitrary code.
Alerts:
Gentoo 200610-13 2006-10-26
Debian DSA-1166-2 2006-10-13
Debian DSA-1166-1 2006-09-03

Comments (1 posted)

cpio: arbitrary code execution

Package(s): cpio    CVE #(s): CVE-2005-4268
Created: January 2, 2006    Updated: May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, for example, a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s): cyrus-sasl    CVE #(s): CVE-2006-1721
Created: April 21, 2006    Updated: September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s): firefox seamonkey thunderbird    CVE #(s): CVE-2006-3113 CVE-2006-3677 CVE-2006-3801 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812
Created: July 27, 2006    Updated: September 15, 2006
Description: This CERT advisory contains details on multiple vulnerabilities in Mozilla products, including Firefox, SeaMonkey and Thunderbird. The most serious vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.
Alerts:
Debian DSA-1160-2 2006-09-15
Debian DSA-1161-2 2006-09-13
Debian DSA-1159-2 2006-09-08
Debian DSA-1161-1 2006-08-29
Debian DSA-1160-1 2006-08-29
Red Hat RHSA-2006:0594-02 2006-08-28
Debian DSA-1159-1 2006-08-28
Mandriva MDKSA-2006:146 2006-08-21
Mandriva MDKSA-2006:145 2006-08-21
Mandriva MDKSA-2006:143-1 2006-08-17
Mandriva MDKSA-2006:143 2006-08-16
SuSE SUSE-SA:2006:048 2006-08-16
Fedora FEDORA-2006-902 2006-08-09
Fedora FEDORA-2006-903 2006-08-09
Gentoo 200608-04 2006-08-03
Gentoo 200608-03 2006-08-03
Gentoo 200608-02 2006-08-03
Red Hat RHSA-2006:0609-01 2006-08-02
Ubuntu USN-327-2 2006-08-01
Ubuntu USN-329-1 2006-07-28
Red Hat RHSA-2006:0611-01 2006-07-28
Red Hat RHSA-2006:0610-01 2006-07-28
Slackware SSA:2006-208-01 2006-07-28
rPath rPSA-2006-0138-1 2006-07-27
Red Hat RHSA-2006:0608-01 2006-07-27
Ubuntu USN-327-1 2006-07-27
rPath rPSA-2006-0137-1 2006-07-26

Comments (none posted)

freeradius: several vulnerabilities

Package(s): freeradius    CVE #(s): CVE-2005-4745 CVE-2005-4746
Created: August 8, 2006    Updated: April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s): freetype    CVE #(s): CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created: June 8, 2006    Updated: October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s): gcc    CVE #(s): CVE-2006-3619
Created: September 6, 2006    Updated: March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gdm: improper file permissions

Package(s): gdm    CVE #(s): CVE-2006-1057
Created: April 19, 2006    Updated: May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gtetrinet: buffer overflows

Package(s): gtetrinet    CVE #(s): CVE-2006-3125
Created: August 30, 2006    Updated: September 6, 2006
Description: A number of out-of-bounds index accesses have been found in gtetrinet; they could conceivably be exploited by a hostile server to execute arbitrary code.
Alerts:
Gentoo 200609-02 2006-09-06
Debian DSA-1163-1 2006-08-30

Comments (none posted)

gzip: arbitrary command execution

Package(s): gzip    CVE #(s): CAN-2005-0758
Created: August 1, 2005    Updated: January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with the user's privileges if zgrep is run in an untrusted directory containing specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ImageMagick: buffer overflows

Package(s): imagemagick    CVE #(s): CVE-2006-3743 CVE-2006-3744
Created: September 6, 2006    Updated: September 26, 2006
Description: The latest set of buffer overflow vulnerabilities in ImageMagick can be found in the Sun Raster and XCF decoders.
Alerts:
Gentoo 200609-14 2006-09-26
SuSE SUSE-SA:2006:050 2006-09-08
Ubuntu USN-340-1 2006-09-06

Comments (2 posted)

kdelibs: kate backup file permission leak

Package(s): kdelibs kate kwrite    CVE #(s): CAN-2005-1920
Created: July 19, 2005    Updated: November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service) and, if intentionally malformed, could cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

krb5: local privilege escalation

Package(s):krb5 CVE #(s):CVE-2006-3083
Created:August 9, 2006 Updated:September 8, 2006
Description: Some Kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Alerts:
SuSE SUSE-SR:2006:022 2006-09-08
Gentoo 200608-21 2006-08-23
Ubuntu USN-334-1 2006-08-16
Fedora FEDORA-2006-905 2006-08-09
Mandriva MDKSA-2006:139 2006-09-09
Gentoo 200608-15 2006-08-10
rPath rPSA-2006-0150-1 2006-08-09
Red Hat RHSA-2006:0612-01 2006-08-08
Debian DSA-1146-1 2006-08-09

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others (e.g. Sparc) it can lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Slackware SSA:2006-357-05 2006-12-25
Gentoo 200607-07 2006-07-20
Mandriva MDKSA-2006:121 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117 2006-07-06
Ubuntu USN-309-1 2006-07-05

Comments (none posted)

libmusicbrainz: buffer overflows

Package(s):libmusicbrainz-2.0 CVE #(s):CVE-2006-4197
Created:August 30, 2006 Updated:October 23, 2006
Description: Several buffer overflows have been discovered in the libmusicbrainz CD index library.
Alerts:
Gentoo 200610-09 2006-10-22
Ubuntu USN-363-1 2006-10-11
Mandriva MDKSA-2006:157-1 2006-09-28
rPath rPSA-2006-0161-1 2006-08-30
Mandriva MDKSA-2006:157 2006-08-30
Debian DSA-1162-1 2006-08-30

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libpng: buffer overflow

Package(s):libpng CVE #(s):CVE-2006-3334
Created:July 19, 2006 Updated:November 17, 2006
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Alerts:
Mandriva MDKSA-2006:213 2006-11-16
rPath rPSA-2006-0133-1 2006-07-19
Gentoo 200607-06 2006-07-19

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2193
Created:June 15, 2006 Updated:September 1, 2008
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
Fedora FEDORA-2006-952 2006-09-05
SuSE SUSE-SA:2006:044 2006-08-01
Gentoo 200607-03 2006-07-09
SuSE SUSE-SR:2006:014 2006-06-20
Trustix TSLSA-2006-0036 2006-06-16
Mandriva MDKSA-2006:102 2006-06-14
Red Hat RHSA-2008:0848-01 2008-08-28
CentOS CESA-2008:0848 2008-08-30

Comments (none posted)

libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to properly validate protocol types, effectively letting users decide which security type to use, such as "Type 1 - None". LibVNCServer will accept this security type even if it was not offered by the server.
Alerts:
Gentoo 200703-19 2007-03-18
Gentoo 200608-12 2006-08-07
Gentoo 200608-05 2006-08-04

Comments (none posted)

libwmf: integer overflow

Package(s):libwmf CVE #(s):CVE-2006-3376
Created:July 13, 2006 Updated:November 6, 2006
Description: libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability.
Alerts:
OpenPKG OpenPKG-SA-2006.031 2006-11-06
Debian DSA-1194-1 2006-10-09
Gentoo 200608-17 2006-08-10
Ubuntu USN-333-1 2006-08-09
Mandriva MDKSA-2006:132 2006-07-28
Fedora FEDORA-2006-831 2006-07-18
Fedora FEDORA-2006-832 2006-07-18
Fedora FEDORA-2006-805 2006-07-12
Fedora FEDORA-2006-804 2006-07-12

Comments (none posted)

mutt: IMAP namespace buffer overflow

Package(s):mutt CVE #(s):CVE-2006-3242
Created:June 28, 2006 Updated:October 24, 2006
Description: TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If a user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information.
Alerts:
Fedora FEDORA-2006-1061 2006-10-24
Slackware SSA:2006-207-01 2006-07-27
OpenPKG OpenPKG-SA-2006.013 2006-07-15
SuSE SUSE-SR:2006:016 2006-07-14
Red Hat RHSA-2006:0577-01 2006-07-12
Debian DSA-1108-1 2006-07-11
Fedora FEDORA-2006-761 2006-06-29
Fedora FEDORA-2006-760 2006-06-29
Trustix TSLSA-2006-0038 2006-06-30
rPath rPSA-2006-0116-1 2006-06-29
Mandriva MDKSA-2006:115 2006-06-28
Gentoo 200606-27 2006-06-28
Ubuntu USN-307-1 2006-06-28

Comments (none posted)

mysql: format string bug

Package(s):mysql CVE #(s):CVE-2006-3469
Created:July 21, 2006 Updated:July 30, 2008
Description: Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.
Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Slackware SSA:2006-211-01 2006-07-31
Ubuntu USN-321-1 2006-07-21

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Red Hat RHSA-2008:0364-01 2008-05-21
Red Hat RHSA-2007:0152-01 2007-04-03
Red Hat RHSA-2007:0083-01 2007-02-19
Fedora FEDORA-2006-1298 2006-11-27
Fedora FEDORA-2006-1297 2006-11-27
Ubuntu USN-338-1 2006-09-05
Mandriva MDKSA-2006:149 2006-08-24

Comments (none posted)

MySQL: denial of service

Package(s):mysql CVE #(s):CVE-2006-4380 CVE-2006-4389
Created:September 1, 2006 Updated:September 6, 2006
Description: MySQL before 4.1.13 allows local users to cause a denial of service (persistent replication slave crash) via a query with multiupdate and subselects. (CVE-2006-4380)

There is a bug in the MySQL-Max (and MySQL) init script where the script was not waiting for the mysqld daemon to fully stop. This impacted the restart behavior during updates, as well as scripted setups that temporarily stopped the server to backup the database files.

Alerts:
Debian DSA-1169-1 2006-09-05
Mandriva MDKSA-2006:158 2006-08-31

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

ncompress: buffer underflow

Package(s):ncompress CVE #(s):CVE-2006-1168
Created:August 10, 2006 Updated:October 9, 2006
Description: The ncompress compression utility has a missing boundary check. A local user can use a maliciously created file to cause a .bss buffer underflow.
Alerts:
Gentoo 200610-03 2006-10-06
Red Hat RHSA-2006:0663-01 2006-09-12
Mandriva MDKSA-2006:140 2006-08-09
Debian DSA-1149-1 2006-08-10

Comments (none posted)

openoffice.org: several vulnerabilities

Package(s):openoffice.org CVE #(s):CVE-2006-2198 CVE-2006-2199 CVE-2006-3117
Created:June 30, 2006 Updated:January 4, 2007
Description: Several vulnerabilities have been discovered in OpenOffice.org, a free office suite.
  • It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. (CVE-2006-2198)
  • It is possible to evade the Java sandbox with specially crafted Java applets. (CVE-2006-2199)
  • Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:
Fedora FEDORA-2007-005 2007-01-03
rPath rPSA-2006-0173-1 2006-09-26
Gentoo 200607-12 2006-07-28
Ubuntu USN-313-2 2006-07-19
Ubuntu USN-313-1 2006-07-11
Mandriva MDKSA-2006:118 2006-07-07
Debian DSA-1104-2 2006-07-06
Red Hat RHSA-2006:0573-01 2006-07-03
SuSE SUSE-SA:2006:040 2006-07-03
Fedora FEDORA-2006-770 2006-07-03
Fedora FEDORA-2006-764 2006-06-30
Debian DSA-1104-1 2006-06-30

Comments (none posted)

openssl: insufficient signature checking

Package(s):openssl CVE #(s):CVE-2006-4339
Created:September 5, 2006 Updated:November 15, 2006
Description: Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google Security discovered that the OpenSSL library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need for the secret key.
Alerts:
Mandriva MDKSA-2006:207 2006-11-14
Slackware SSA:2006-310-01 2006-11-07
OpenPKG OpenPKG-SA-2006.029 2006-11-06
SuSE SUSE-SA:2006:061 2006-10-19
Slackware SSA:2006-257-02 2006-09-15
Gentoo 200609-05:02 2006-09-07
Debian DSA-1174-1 2006-09-11
Debian DSA-1173-1 2006-09-10
Red Hat RHSA-2006:0661-01 2006-09-06
Gentoo 200609-05 2006-09-07
Mandriva MDKSA-2006:161 2006-09-06
rPath rPSA-2006-0163-1 2006-09-05
OpenPKG OpenPKG-SA-2006.018 2006-09-06
Fedora FEDORA-2006-953 2006-09-05
Ubuntu USN-339-1 2006-09-05

Comments (none posted)

openttd: denial of service

Package(s):openttd CVE #(s):CVE-2006-1998 CVE-2006-1999
Created:September 6, 2006 Updated:September 6, 2006
Description: A flaw in the openttd error handling code leaves the system vulnerable to a remote denial of service attack. Version 0.4.8 fixes the problem.
Alerts:
Gentoo 200609-03 2006-09-06

Comments (none posted)

php: arbitrary code execution

Package(s):php CVE #(s):CVE-2006-4020
Created:August 22, 2006 Updated:September 21, 2006
Description: A vulnerability was discovered in the sscanf function that could allow attackers in certain circumstances to execute arbitrary code via argument swapping, which incremented an index past the end of an array and triggered a buffer over-read.