LWN.net Weekly Edition for October 19, 2006

Free gadgets need free software

Your editor has occasionally taken time to write about Rockbox, a GPL-licensed firmware system for portable music players. One might think that such articles result from an attempt to disguise time spent playing with gadgets as real work - and not be entirely off the mark. But an incident this week shows why running free software on devices like music players is important.

Creative makes some nice players, including the "Zen Vision:M." It includes a large color screen, significant storage, and an FM radio. Like many such devices, it is able to connect the FM radio to that storage space and record radio programs. There are any number of reasons why this feature is useful; one may want to record a radio interview featuring a colleague, timeshift a program for later listening, or grab the DJ's talk to help identify an interesting song for later purchase. This capability certainly is not anything new; people have been hooking up their tape recorders to radios for decades.

As of firmware version 1.50.02, however, the Zen Vision:M player can no longer record from its FM radio. An "upgrade" for the Zen MicroPhoto removes the FM recorder feature from that device as well. In both cases, the hardware retains the FM recorder capability, but the new firmware takes it away. It is hard to imagine that legions of Creative customers have been clamoring for the removal of a useful feature from their expensive devices. Instead, this crippling of the hardware has been done to meet the demands of a different group of people: our friends in the entertainment industry.

Fortunately for current owners of this hardware, there does not appear to be any mechanism built into the player which forces a change to the newer version. It would not be entirely surprising to see forced-upgrade requirements built into future players, however, especially as the notion of "trusted content paths" gains ground. The gadget you thought you owned may turn into a different device tomorrow, and there is little that you can do about it.

Unless, of course, that gadget is running free software. Rockbox users do not have to deal with this sort of trouble; if somebody were to remove the FM recorder feature, somebody else would just patch it back in. Rockbox users enjoy a tangible level of freedom which has been taken away from people running proprietary firmware on their players.

This is an important point. Your editor is appalled by the number of AC adapters he must carry whenever he travels - we have a number of gadgets which, increasingly, we see as being entirely indispensable. The functions handled by those gadgets can only grow over time; we will become increasingly dependent upon them for our work, our communications, and our leisure. Whose interests will those gadgets serve? If others control the software on those gadgets, that software will be distorted to serve their interests; the Creative firmware "upgrade" is a strikingly clear example of just how that process can work. If we want to control our gadgets, it behooves us to only purchase those which can run free software.

[A postscript for those who are interested in what's up with Rockbox. The project abandoned its plans for a 3.0 release some months ago; the feature freeze was hurting development without bringing solutions to the final remaining problems. So development has been going full-steam ahead, with (usually stable) daily builds available for those who want the latest features. Support for iRiver H10, most iPods, and iAudio X5 players has been added; early-stage work is proceeding on iRiver IFP790 and Toshiba Gigabeat players. The port to the Sandisk Sansa e200 has recently overcome some significant hurdles and may start to make significant progress in the near future. Unfortunately, there appears to be no effort to port to the Creative players at this time.]


What does it mean to join the Software Freedom Conservancy?

October 18, 2006

By Pamela Jones, Editor of Groklaw

Recently, it was announced that the Mercurial project, a software revision control program used by projects like Xen and ALSA, among others, has become a member of the Software Freedom Conservancy. Some people may be wondering: What is the Software Freedom Conservancy? How do you become a member? Why would you want to? What does the Conservancy do? Who besides Mercurial are members? And what does it mean to be a member?

First of all, the Software Freedom Conservancy is fairly new, founded in March of this year. It is a specialized legal project spun out of the Software Freedom Law Center, which provides pro bono legal representation and other law-related services to protect and advance Free and Open Source Software. The distinctive purpose of the Conservancy, which exists as an entity distinct from the Software Freedom Law Center, is to provide administrative and financial services to its members so they can take advantage of the benefits of being a corporate entity, without having to take on the filing, record-keeping and legal work necessary for nonprofits, by coming under the Conservancy's corporate umbrella. Wine, Samba, InkScape, BusyBox, uCLibc, SurveyOS, and Libbraille are also member projects of the Conservancy.

I asked Karen M. Sandler, Counsel at the Software Freedom Law Center, first about the Software Freedom Law Center. Who gets accepted as a client by the Software Freedom Law Center and what does it mean for a project? Her explanation:

Clients are evaluated on a case by case basis depending on, among other criteria, the nature of the software project, the legal needs of the project and the availability of resources of SFLC. As a general matter, we seek to give advice to nonprofit Free and Open Source Software projects, developers and distributors to help protect and advance Free and Open Source Software.

Once a software project is accepted as a client of SFLC, SFLC is able to provide legal representation to that project. That could mean assistance with licensing, helping the project to form as a nonprofit corporate entity or providing representation to assist with the resolution of a dispute, depending on the needs of the client.

In Mercurial's case, for example, in addition to joining the Conservancy, it has also retained SFLC as its legal counsel.

But what about the Conservancy? What are the advantages of becoming a member? There are certain benefits that flow from the corporate form, such as limiting one's personal liability. The Conservancy is in the process of applying for federal tax-exempt status, which would then allow the Conservancy's member projects to also receive tax deductible donations. The Conservancy files a single tax return that covers all the member projects, and it handles other corporate and tax related issues on behalf of its members.

The question which may come into your mind at this point is: couldn't a project do all that itself? Yes, it could. But let me give you an idea of what is involved. The paperwork in setting up a state nonprofit corporation, applying for federal tax-exempt status, then actually running the corporation is quite daunting in the US. There is corporate record-keeping ongoing, not to mention a panoply of laws one must abide by or risk losing the corporate structure. Just as one small example, here's the page of forms to set up as a nonprofit in New York State. There are even regulations on how the filings must be presented. See § 150.1 on this page, which lists all the i's to dot and t's to cross if you are a New York corporation. And of course you need to be familiar not only with the state's Not-for-Profit Corporation Law (NPC), but also the Business Corporation Law (BCL) and the General Business Law (GBL), all of which you can find on the New York State Legislature page, by clicking on the bottom link, Laws of New York. Why government agencies make it so hard to link to information is one of life's little mysteries, but many of them do, so I can't link to the laws themselves. You'll have to find them for yourself.

Then, if you want people who send you donations to be able to get a tax deduction, you have to apply on the federal level under Internal Revenue Code Section 501(c)(3) and you need to satisfy certain requirements. You can find the booklet on how to apply for federal nonprofit status on this IRS page. Look on the list for Form 1023 and Inst 1023, the instruction booklet. That's just to apply. You can't mingle your personal funds with the corporate funds, for one thing, so you'll need to set up a separate corporate account. The language in your corporate charter and bylaws must satisfy certain regulations on the federal level, and of course laws and regulations are forever changing, so you have to keep up to date.

Here's a sample of bylaws. See how much fun it is to read them. You'll notice that you need a board of directors and officers, and that the secretary, for example, has multiple record keeping duties to fulfill. Want the position? No? Do you have a really good buddy willing to spend the rest of his life doing such tasks? Most programmers would rather have root canal surgery. But even if you are willing, it's time taken away from coding, and the odds of getting it wrong without legal direction are, in my view, in the fairly-likely-to-certain range. Then there's taxes, and of course there are special forms and regulations for nonprofits.

The Conservancy does all of that paperwork for its members, so developers working on member projects can devote their time to coding instead of having to master all the legal aspects to becoming and acting as a corporation.

Another service it can provide is fund management. It can advise and help set up a project to accept donations. The assets are held by the Conservancy on behalf of its members, each in its own account, and it disburses them as the project wishes, in accordance with IRS regulations, of course. Copyrights and trademarks can also be held by the Conservancy, again on behalf of the project. If your project has several members, the Conservancy provides a vehicle through which copyright ownership in the project can be unified, which makes enforcement easier. This is an optional service, however. And any member can leave the Conservancy at any time, if it wishes to form its own independent tax exempt nonprofit. The Conservancy provides its services free.

If you want to find out if your project qualifies for membership, you can contact the Conservancy. There are, of course, certain requirements -- your project must be developing free and open source software, for example, and it must be consistent with the Conservancy's tax-exempt purposes and financial requirements imposed by the IRS.

What if you can't get your project accepted and you have a legal issue? Perhaps there is a licensing question but you don't know any lawyers, or the ones you know have no clue about FOSS licenses, and your question requires that type of specialized knowledge? I asked Sandler what a project or developer in such a circumstance can do to find a competent lawyer, and here's her answer:

Within the US, most states have referral services where individuals and organizations can call to find a lawyer with a relevant practice. There are also a number of organizations, in addition to SFLC, that are organized to provide legal services. Some Pro Bono programs organized to help with legal matters relating to business issues are listed on the American Bar Association's website. For Free and Open Source Software specific issues, the Free Software Foundation has a lot of good information up on its website, and we are also aware of another project to publish information related to Free and Open Source Software but it hasn't launched yet. Hopefully it will launch soon and when it does, we'll be sure to point you to that too.

The Software Freedom Conservancy might not be a useful option for all projects, but, in many cases, it has some valuable services to offer. And the price is right.


An empty legacy

By the time you read this, the long-awaited, slightly-delayed Fedora Core 6 release may be available. Then again, maybe not. But it should be out sometime soon, really. This distribution, once it is released, will come with excellent security support from the Fedora Project - for ten months or so. Once the second Fedora Core 8 test release is available, this shiny new Fedora Core 6 distribution will be cut off and handed over to the Fedora Legacy project.

A look at the Fedora Legacy wiki page yields this text:

We are currently maintaining Red Hat Linux 7.3 and 9 as well as Fedora Core 3 and 4 as these have been transferred into maintenance mode from Fedora Core. We will provide updates for these releases for as long as there is community interest though we in general follow the 1-2-3 and out policy. This provides an effective supported lifetime (Fedora Core plus Fedora Legacy Support) of approximately 1.5 years or even more.

The project has helpfully provided some yum configurations to make getting the updates as easy as possible. The promised "effective supported lifetime" should be a great comfort for users who do not want to upgrade their systems every six months or so.

There's only one little problem: Fedora Legacy has yet to provide a single update for Fedora Core 4, which was transferred to the project in July. In fact, Fedora Legacy has not provided any updates, for any of the distributions it claims to support, since July - an outage of almost three months. During this period, vulnerabilities have been reported in a small number of packages:

alsaplayer, apache (2), bind, binutils (2), clamav, firefox (3 sets), freetype, gdb (2), gcc, gnupg (2), gnutls, gzip, imagemagick (3), kdebase (2), kernel (4), krb5, lesstif, libtiff, mailman, mysql (3), ntp, openldap, openoffice.org, openssh (2), openssl (2), perl, php (5), ppp, python, ruby, sendmail (2), squirrelmail, streamripper, sudo, thunderbird (3 sets), wireshark (2), xinit, xpdf, x.org (2)

The above list is just a subset of the actual reported vulnerabilities. But the point should be clear: any useful Fedora Core 4 system will be running a fair number of the above packages - and they all contain known security problems. It would be nice to close those holes, but no FC4 updates are available. Any system administrator who still believed that Fedora Legacy would help to keep older Fedora Core systems secure should, by now, be having second thoughts.

Fedora Legacy was created with the idea that the user community would help to produce updates for packages affected by security problems. The community has clearly failed to step up to that task. It would appear that Fedora users - at least, those who could help with security updates - are so interested in staying on the leading edge that they upgrade long before any Fedora release loses support. Other users who care will have moved on to other distributions - paid or free - which offer security support for a longer period of time.

Fedora Core 1 was released almost exactly three years ago, meaning that we have about three years of experience with Fedora Legacy. Perhaps the time has come to ask the question: is there any point in continuing to pretend that Fedora Legacy is a viable, successful project? Perhaps the Fedora Project should consider ending Fedora Legacy before its web pages convince anybody else that they can safely defer upgrading unsupported systems. The Fedora Project makes no apologies for its support policy, and there is no reason why it should. But there is also no reason to maintain the illusion of an option for longer-term support which does not actually exist.


Page editor: Jonathan Corbet

Security

Netlabel: CIPSO labeling for Linux

October 18, 2006

This article was contributed by Jake Edge.

Current kernel-level security mechanisms, such as SELinux, are focused strictly on securing local resources and are not concerned with communicating any security information to other machines on the network. The NetLabel project aims to change that by providing packet labeling capabilities for the kernel. The initial implementation, with support for Common IP Security Option (CIPSO) labeling, has been included in the 2.6.19 kernel.

CIPSO is an IETF draft that has been adopted by a number of vendors and is one of several network labeling standards that are used by 'trusted' operating systems. In order to interoperate with these systems and to replace them, Linux needs to be able to provide the same capabilities.

At its core, CIPSO is an agreement between systems on a set of labels (or tags) describing the security level or context of the process that is sending the packets. CIPSO users define a 'domain of interpretation' (DOI) that governs the interpretation of those tags so that both ends of the conversation can determine if the other process has the authorization necessary to do that communication. The DOI and labels are placed into the options portion of every IP packet that is sent and, based on those values, security requirements can be enforced at the kernel level. If a process attempts to communicate outside of its authorized scope, the kernel can drop the packet.
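The option layout and the drop decision described above can be made concrete with a small receiver-side parser. This is an added example, not NetLabel's kernel code: the field layout follows tag type 1 of the CIPSO draft, while the function names, the `cipso_policy` structure, the dominance rule and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPOPT_CIPSO   134  /* IPv4 option type used by CIPSO */
#define CIPSO_HDR_LEN 6    /* option type + option length + 32-bit DOI */
#define CIPSO_TAG_RBM 1    /* tag type 1: sensitivity level + category bitmap */
#define CIPSO_RBM_HDR 4    /* tag type, tag length, alignment octet, level */
#define CIPSO_MAX_LEN 40   /* the IPv4 options area holds at most 40 bytes */
#define CIPSO_MAX_CAT 30   /* bitmap bytes that fit in a type 1 tag */

enum cipso_result { CIPSO_OK, CIPSO_MALFORMED, CIPSO_UNKNOWN_DOI,
                    CIPSO_UNSUPPORTED_TAG, CIPSO_DENIED };

struct cipso_label {
    uint32_t doi;                 /* domain of interpretation */
    uint8_t  level;               /* sensitivity level */
    uint8_t  cats[CIPSO_MAX_CAT]; /* category 0 is the MSB of cats[0] */
    size_t   cat_len;             /* bitmap bytes actually present */
};

/* Hypothetical local policy: the one DOI this host understands and the
 * highest level / category set the receiving service is cleared for. */
struct cipso_policy {
    uint32_t doi;
    uint8_t  max_level;
    uint8_t  cats[CIPSO_MAX_CAT];
};

/* Parse the first tag of a CIPSO option; opt points at the option type byte.
 * Every length field is attacker-controlled, so each is checked against the
 * bytes really available before anything is read or copied. */
enum cipso_result cipso_parse(const uint8_t *opt, size_t avail,
                              struct cipso_label *out)
{
    if (avail < CIPSO_HDR_LEN + CIPSO_RBM_HDR || opt[0] != IPOPT_CIPSO)
        return CIPSO_MALFORMED;
    size_t opt_len = opt[1];
    if (opt_len < CIPSO_HDR_LEN + CIPSO_RBM_HDR || opt_len > avail ||
        opt_len > CIPSO_MAX_LEN)
        return CIPSO_MALFORMED;

    out->doi = (uint32_t)opt[2] << 24 | (uint32_t)opt[3] << 16 |
               (uint32_t)opt[4] << 8 | (uint32_t)opt[5];

    const uint8_t *tag = opt + CIPSO_HDR_LEN;
    size_t tag_room = opt_len - CIPSO_HDR_LEN;
    if (tag[0] != CIPSO_TAG_RBM)
        return CIPSO_UNSUPPORTED_TAG;
    size_t tag_len = tag[1];
    if (tag_len < CIPSO_RBM_HDR || tag_len > tag_room ||
        tag_len - CIPSO_RBM_HDR > CIPSO_MAX_CAT)
        return CIPSO_MALFORMED;

    out->level = tag[3];                      /* tag[2] is the alignment octet */
    out->cat_len = tag_len - CIPSO_RBM_HDR;
    memset(out->cats, 0, sizeof out->cats);
    memcpy(out->cats, tag + CIPSO_RBM_HDR, out->cat_len);
    return CIPSO_OK;
}

/* Accept only if the DOI matches and the local clearance dominates the label
 * (level not higher, categories a subset). The label is not authenticated:
 * this check is only meaningful on a network where hosts cannot forge it. */
enum cipso_result cipso_check(const uint8_t *opt, size_t avail,
                              const struct cipso_policy *pol)
{
    struct cipso_label lbl;
    enum cipso_result r = cipso_parse(opt, avail, &lbl);
    if (r != CIPSO_OK)
        return r;
    if (lbl.doi != pol->doi)
        return CIPSO_UNKNOWN_DOI;
    if (lbl.level > pol->max_level)
        return CIPSO_DENIED;
    for (size_t i = 0; i < lbl.cat_len; i++)
        if (lbl.cats[i] & ~pol->cats[i])
            return CIPSO_DENIED;
    return CIPSO_OK;
}

/* Constructed samples: DOI 3, tag type 1, level 2, categories 0 and 2. */
static const uint8_t pkt_ok[]    = {134, 12, 0, 0, 0, 3, 1, 6, 0, 2, 0xA0, 0};
static const uint8_t pkt_high[]  = {134, 12, 0, 0, 0, 3, 1, 6, 0, 5, 0xA0, 0};
static const uint8_t pkt_cat[]   = {134, 12, 0, 0, 0, 3, 1, 6, 0, 2, 0xB0, 0};
static const uint8_t pkt_doi[]   = {134, 12, 0, 0, 0, 9, 1, 6, 0, 2, 0xA0, 0};
static const uint8_t pkt_trunc[] = {134, 12, 0, 0, 0, 3, 1, 10, 0, 2, 0xA0, 0};
static const uint8_t pkt_tag5[]  = {134, 12, 0, 0, 0, 3, 5, 6, 0, 2, 0xA0, 0};
/* Constructed policy: DOI 3, cleared up to level 3, categories 0 to 2. */
static const struct cipso_policy site_policy = {3, 3, {0xE0}};

int main(void)
{
    const uint8_t *samples[] = {pkt_ok, pkt_high, pkt_cat,
                                pkt_doi, pkt_trunc, pkt_tag5};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> result %d\n", i,
               (int)cipso_check(samples[i], 12, &site_policy));
    return 0;
}
```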

NetLabel is a mechanism to put CIPSO information into outgoing packets and to examine incoming packets for their tags. It uses the Linux Security Module (LSM) hooks to implement the labeling and checking. It also interfaces with SELinux to provide label information based on the SELinux context. Incoming sockets get a context that is based on the CIPSO tag and the context of the listening socket. In this way, access to specific services can be restricted to remote processes with the proper authorization.

Management of NetLabel is handled through the netlink socket interface; user space tools to configure it are available from the project page. The complexity of configuring NetLabel and SELinux is likely to be daunting to the uninitiated, but for those installations that already use CIPSO, it should be relatively straightforward.

NetLabel's design goals include a well contained implementation that uses existing kernel hooks as well as minimal performance impact when enabled but not configured. By running the gauntlet of kernel developers and getting included into the kernel, NetLabel has likely met both of those goals. The current implementation provides minimal CIPSO support, just one tag type and none of the configuration parameters, but support for this additional functionality is planned as is support for additional labeling protocols.

CIPSO and NetLabel are not for everyone; in fact, they are likely to be much less widely adopted than SELinux. CIPSO only works on very strictly controlled networks, as there is nothing in the specification that prevents unauthorized machines from claiming authorization; the system and router configuration must prevent that kind of behavior. In addition, it provides yet another configuration challenge for administrators to get through before their systems will perform correctly. But for those installations that do need it, this work and its future additions should be very well received.


Security news

Local root exploit in NVidia driver

A locally-exploitable buffer overflow in the binary-only NVidia video driver has been disclosed on the mailing lists; there is also an exploit in circulation. This problem may have been known since 2004; NVidia acknowledged it back in July, but it remains unfixed. It has been reported that the beta versions of the drivers do contain the fix.


New vulnerabilities

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2006-4182 CVE-2006-5295
Created:October 18, 2006 Updated:October 24, 2006
Description: Clamav contains an integer overflow vulnerability in its handling of portable executable (PE) files, with a code-execution exploit being possible. There is also a denial-of-service vulnerability in the handling of compressed HTML files.
Alerts:
Mandriva MDKSA-2006:184 2006-10-17
SuSE SUSE-SA:2006:060 2006-10-18
Debian DSA-1196-1 2006-10-19
Gentoo 200610-10 2006-10-24


kdelibs: integer overflow

Package(s):kdelibs CVE #(s):CVE-2006-4811
Created:October 18, 2006 Updated:March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
Alerts:
Red Hat RHSA-2006:0720-01 2006-10-18
rPath rPSA-2006-0195-1 2006-10-18
Mandriva MDKSA-2006:186 2006-10-19
rPath rPSA-2006-0195-2 2006-10-18
Slackware SSA:2006-298-01 2006-10-26
Debian DSA-1200-1 2006-10-30
Red Hat RHSA-2006:0725-01 2006-11-01
Gentoo 200611-02 2006-11-06
Gentoo 200703-06 2007-03-04


kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
rPath rPSA-2006-0194-1 2006-10-17
Ubuntu USN-489-1 2007-07-19


libksba: parsing failure

Package(s):libksba CVE #(s):CVE-2006-5111
Created:October 17, 2006 Updated:October 18, 2006
Description: A parsing failure was discovered in the handling of X.509 certificates that contained extra trailing data. Malformed or malicious certificates could cause services using libksba to crash, potentially creating a denial of service.
Alerts:
Ubuntu USN-365-1 2006-10-16
Mandriva MDKSA-2006:183 2006-10-17


php: restriction bypass

Package(s):php CVE #(s):CVE-2006-4625 CVE-2006-5178
Created:October 18, 2006 Updated:October 18, 2006
Description: The ini_restore() function in PHP versions through 4.4.4 and 5.1.6 can be used to bypass safe_mode and open_basedir restrictions.

Also: a race condition in PHP's handling of the symlink() function can enable hostile code to bypass open_basedir restrictions.

Alerts:
Mandriva MDKSA-2006:185 2006-10-17
Trustix TSLSA-2006-0057 2006-10-18


xinit: race condition

Package(s):xinit CVE #(s):CVE-2006-5214
Created:October 17, 2006 Updated:August 9, 2007
Description: A race condition allows local users to see error messages generated during another user's X session. This could allow potentially sensitive information to be leaked.
Alerts:
Ubuntu USN-364-1 2006-10-16
Fedora FEDORA-2007-1409 2007-08-02
Fedora FEDORA-2007-659 2007-08-08


Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:February 5, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
Red Hat RHSA-2006:0618-01 2006-08-08
Red Hat RHSA-2006:0619-01 2006-08-10
Debian DSA-1167-1 2005-09-04
SuSE SUSE-SA:2006:051 2006-09-08
Ubuntu USN-575-1 2008-02-04


awstats: input sanitizing

Package(s):awstats CVE #(s):CVE-2006-3681 CVE-2006-3682
Created:October 10, 2006 Updated:October 11, 2006
Description: awstats did not fully sanitize input, which was passed directly to the user's browser, allowing for an XSS attack. If a user was tricked into following a specially crafted awstats URL, the user's authentication information could be exposed for the domain where awstats was hosted. (CVE-2006-3681)

awstats could display its installation path under certain conditions. However, this might only become a concern if awstats is installed into a user's home directory. (CVE-2006-3682)

Alerts:
Ubuntu USN-360-1 2006-10-10


bind: denial of service

Package(s):bind CVE #(s):CVE-2006-4095 CVE-2006-4096
Created:September 7, 2006 Updated:February 1, 2007
Description: Bind has two denial of service vulnerabilities.

On recursive servers, queries for SIG records will trigger an assertion failure if more than one RR set is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
OpenPKG OpenPKG-SA-2006.019 2006-09-07
Ubuntu USN-343-1 2006-09-07
rPath rPSA-2006-0166-1 2006-09-08
Mandriva MDKSA-2006:163 2006-09-08
Debian DSA-1172-1 2006-09-09
Fedora FEDORA-2006-966 2006-09-11
Slackware SSA:2006-257-01 2006-09-15
Gentoo 200609-11 2006-09-15
Fedora FEDORA-2007-164 2007-01-31


binutils: buffer overflow

Package(s):binutils CVE #(s):CVE-2005-4807
Created:August 17, 2006 Updated:October 19, 2006
Description: The GNU assembler (gas) in binutils is vulnerable to a buffer overflow. If a user can be tricked into assembling a specially crafted file with gcc or gas, arbitrary code can be executed with the privileges of the user.
Alerts:
Ubuntu USN-336-1 2006-08-16
Ubuntu USN-366-1 2006-10-18


busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Fedora FEDORA-2006-510 2006-05-04
Fedora FEDORA-2006-511 2006-05-04
Red Hat RHSA-2007:0244-02 2007-05-01


bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
Ubuntu USN-127-1 2005-05-17
Mandriva MDKSA-2005:091 2005-05-18
Debian DSA-730-1 2005-05-27
SuSE SUSE-SR:2005:015 2005-06-07
OpenPKG OpenPKG-SA-2005.008 2005-06-10
Red Hat RHSA-2005:474-01 2005-06-16
Debian DSA-741-1 2005-07-07
rPath rPSA-2007-0004-1 2007-01-09


capi4hylafax: missing input sanitizing

Package(s):capi4hylafax CVE #(s):CVE-2006-3126
Created:September 1, 2006 Updated:October 18, 2006
Description: Lionel Elie Mamane discovered a security vulnerability in capi4hylafax, tools for faxing over a CAPI 2.0 device, that allows remote attackers to execute arbitrary commands on the fax receiving system.
Alerts:
Debian DSA-1165-1 2006-09-01
Gentoo 200610-05 2006-10-17


cheesetracker: buffer overflow

Package(s):cheesetracker CVE #(s):CVE-2006-3814
Created:September 4, 2006 Updated:October 27, 2006
Description: Luigi Auriemma discovered a buffer overflow in the loading component of cheesetracker, a sound module tracking program, which could allow a maliciously constructed input file to execute arbitrary code.
Alerts:
Debian DSA-1166-1 2006-09-03
Debian DSA-1166-2 2006-10-13
Gentoo 200610-13 2006-10-26


cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
Ubuntu USN-234-1 2006-01-02
Red Hat RHSA-2007:0245-02 2007-05-01
rPath rPSA-2007-0094-1 2007-05-07


cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2006-4262
Created:October 2, 2006 Updated:October 23, 2006
Description: Will Drewry of the Google Security Team discovered several buffer overflows in cscope, a source browsing tool, which might lead to the execution of arbitrary code.
Alerts:
Debian DSA-1186-1 2006-09-30
Gentoo 200610-08 2006-10-20


Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Gentoo 200604-09 2006-04-21
Ubuntu USN-272-1 2006-04-24
Mandriva MDKSA-2006:073 2006-04-24
Debian DSA-1042-1 2006-04-25
Fedora FEDORA-2006-515 2006-05-04
SuSE SUSE-SA:2006:025 2006-05-05
Red Hat RHSA-2007:0795-01 2007-09-04
Red Hat RHSA-2007:0878-01 2007-09-04


ffmpeg: buffer overflows

Package(s):ffmpeg CVE #(s):CVE-2006-4799 CVE-2006-4800
Created:September 14, 2006 Updated:May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200609-09 2006-09-13


freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Debian DSA-1145-1 2006-08-08
Mandriva MDKSA-2007:092 2007-04-23


freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Ubuntu USN-291-1 2006-06-08
Debian DSA-1095-1 2006-06-10
rPath rPSA-2006-0100-1 2006-06-12
Mandriva MDKSA-2006:099 2006-06-12
Mandriva MDKSA-2006:099-1 2006-06-13
SuSE SUSE-SA:2006:037 2006-06-27
Gentoo 200607-02 2006-07-09
Mandriva MDKSA-2006:129 2006-07-20
Slackware SSA:2006-207-02 2006-07-27
Ubuntu USN-324-1 2006-07-27
OpenPKG OpenPKG-SA-2006.017 2006-07-28
SuSE SUSE-SA:2006:045 2006-08-01
Fedora FEDORA-2006-912 2006-08-14
Red Hat RHSA-2006:0634-01 2006-08-21
Red Hat RHSA-2006:0635-01 2006-08-21
Mandriva MDKSA-2006:148 2006-08-24
rPath rPSA-2006-0157-1 2006-08-25
Gentoo 200609-04 2006-09-06
Ubuntu USN-341-1 2006-09-06
Debian DSA-1178-1 2006-09-16
Gentoo 200710-09 2007-10-09


gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Debian DSA-1170-1 2006-09-06
Red Hat RHSA-2007:0220-02 2007-05-01
Red Hat RHSA-2007:0473-01 2007-06-11
Mandriva MDVSA-2008:066 2007-03-13


gdb: buffer overflow

Package(s):gdb CVE #(s):CVE-2006-4146
Created:September 15, 2006 Updated:June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Fedora FEDORA-2006-975 2006-09-14
Ubuntu USN-356-1 2006-10-02
Red Hat RHSA-2007:0229-02 2007-05-01
Red Hat RHSA-2007:0469-01 2007-06-11

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Fedora FEDORA-2006-338 2006-04-19
Debian DSA-1040-1 2006-04-24
Ubuntu USN-278-1 2006-05-03
Mandriva MDKSA-2006:083 2006-05-09
Red Hat RHSA-2007:0286-02 2007-05-01

Comments (none posted)

gzip: multiple vulnerabilities

Package(s):gzip CVE #(s):CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created:September 19, 2006 Updated:June 1, 2007
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Alerts:
Red Hat RHSA-2006:0667-01 2006-09-19
Ubuntu USN-349-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Debian DSA-1181-1 2006-09-19
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
Mandriva MDKSA-2006:167 2006-09-20
Trustix TSLSA-2006-0052 2006-09-22
Gentoo 200609-13 2006-09-23
SuSE SUSE-SA:2006:056 2006-09-26
Fedora FEDORA-2006-989 2006-10-10
Fedora-Legacy FLSA:211760 2006-11-13
Gentoo 200611-24 2006-11-28
Fedora FEDORA-2007-557 2007-05-31

Comments (1 posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not properly handle shell metacharacters like '|' and '&' when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
Ubuntu USN-158-1 2005-08-01
Ubuntu USN-161-1 2005-08-04
Fedora-Legacy FLSA:157696 2005-08-10
Fedora-Legacy FLSA:158801 2005-11-14
Mandriva MDKSA-2006:026 2006-01-30
Mandriva MDKSA-2006:027 2006-01-30
OpenPKG OpenPKG-SA-2007.002 2007-01-08

Comments (2 posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information.
Alerts:
Fedora FEDORA-2005-594 2005-07-19
Mandriva MDKSA-2005:122 2005-07-20
Ubuntu USN-150-1 2005-07-21
Red Hat RHSA-2005:612-01 2005-07-27
Debian DSA-804-1 2005-09-08
Debian DSA-804-2 2005-11-10
Gentoo 200611-21 2006-11-27

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:December 3, 2007
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Ubuntu USN-347-1 2006-09-18
Debian DSA-1183-1 2006-09-25
Debian DSA-1184-1 2006-09-25
Debian DSA-1184-2 2006-09-26
Red Hat RHSA-2006:0689-01 2006-10-05
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2007:1049-01 2007-12-03

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
rPath rPSA-2006-0130-1 2006-07-17
Ubuntu USN-331-1 2006-08-03
Mandriva MDKSA-2006:150 2006-08-25
Mandriva MDKSA-2006:151 2006-08-25
SuSE SUSE-SA:2007:035 2007-06-14

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:November 14, 2007
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service) and, if they were intentionally malformed, could cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
rPath rPSA-2006-0162-1 2006-08-31
Ubuntu USN-346-1 2006-09-14
Ubuntu USN-346-2 2006-09-14
Trustix TSLSA-2006-0051 2006-09-15
SuSE SUSE-SA:2006:057 2006-09-28
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:064 2006-11-10
SuSE SUSE-SA:2007:053 2007-10-12

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others, e.g. Sparc, it can lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-769-1 2005-07-29
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-813-1 2005-09-15

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
Ubuntu USN-298-1 2006-06-13
Mandriva MDKSA-2006:112 2006-06-27
Mandriva MDKSA-2006:113 2006-06-27
Debian DSA-1117-1 2006-07-21
rPath rPSA-2007-0008-1 2007-01-15

Comments (none posted)

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Ubuntu USN-309-1 2006-07-05
Mandriva MDKSA-2006:117 2006-07-06
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Mandriva MDKSA-2006:121 2006-07-12
Gentoo 200607-07 2006-07-20
Slackware SSA:2006-357-05 2006-12-25

Comments (none posted)

libmusicbrainz: buffer overflows

Package(s):libmusicbrainz-2.0 CVE #(s):CVE-2006-4197
Created:August 30, 2006 Updated:October 23, 2006
Description: Several buffer overflows have been discovered in the libmusicbrainz CD index library.
Alerts:
Debian DSA-1162-1 2006-08-30
Mandriva MDKSA-2006:157 2006-08-30
rPath rPSA-2006-0161-1 2006-08-30
Mandriva MDKSA-2006:157-1 2006-09-28
Ubuntu USN-363-1 2006-10-11
Gentoo 200610-09 2006-10-22

Comments (none posted)

libpng: buffer overflow

Package(s):libpng CVE #(s):CVE-2006-3334
Created:July 19, 2006 Updated:November 17, 2006
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Alerts:
Gentoo 200607-06 2006-07-19
rPath rPSA-2006-0133-1 2006-07-19
Mandriva MDKSA-2006:213 2006-11-16

Comments (none posted)

libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to properly validate protocol types, effectively letting users decide what protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type, even if it is not offered by the server.
Alerts:
Gentoo 200608-05 2006-08-04
Gentoo 200608-12 2006-08-07
Gentoo 200703-19 2007-03-18

Comments (none posted)

libwmf: integer overflow

Package(s):libwmf CVE #(s):CVE-2006-3376
Created:July 13, 2006 Updated:November 6, 2006
Description: libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability.
Alerts:
Fedora FEDORA-2006-804 2006-07-12
Fedora FEDORA-2006-805 2006-07-12
Fedora FEDORA-2006-832 2006-07-18
Fedora FEDORA-2006-831 2006-07-18
Mandriva MDKSA-2006:132 2006-07-28
Ubuntu USN-333-1 2006-08-09
Gentoo 200608-17 2006-08-10
Debian DSA-1194-1 2006-10-09
OpenPKG OpenPKG-SA-2006.031 2006-11-06

Comments (none posted)

mailman: several vulnerabilities

Package(s):mailman CVE #(s):CVE-2006-2941 CVE-2006-3636
Created:September 8, 2006 Updated:October 23, 2006
Description: A flaw was found in the way Mailman handled MIME multipart messages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which caused that particular mailing list to stop working. (CVE-2006-2941)

Several cross-site scripting (XSS) issues were found in Mailman. An attacker could exploit these issues to perform cross-site scripting attacks against the Mailman administrator. (CVE-2006-3636)

Alerts:
Red Hat RHSA-2006:0600-01 2006-09-06
rPath rPSA-2006-0165-1 2006-09-08
Ubuntu USN-345-1 2006-09-13
Mandriva MDKSA-2006:165 2006-09-18
Gentoo 200609-12 2006-09-19
Debian DSA-1188-1 2006-10-04
Fedora FEDORA-2006-1013 2006-10-23

Comments (none posted)

maxdb: arbitrary code execution

Package(s):maxdb CVE #(s):CVE-2006-4305
Created:October 5, 2006 Updated:October 11, 2006
Description: Version 7.5.00 of the MaxDB database has a vulnerability in the WebDBM frontend. Insufficient input sanitization is performed on data passed to the frontend, resulting in the possible execution of arbitrary code.
Alerts:
Debian DSA-1190-1 2006-10-04

Comments (2 posted)

mono: symlink vulnerability

Package(s):mono CVE #(s):CVE-2006-5072
Created:October 4, 2006 Updated:December 1, 2006
Description: The mono System.CodeDom.Compiler classes suffer from a temporary file symlink vulnerability which could be used to overwrite files, or, in this case, even inject arbitrary code into a running mono application.
Alerts:
Ubuntu USN-357-1 2006-10-04
Fedora FEDORA-2006-1012 2006-10-06
Mandriva MDKSA-2006:188 2006-10-27
Gentoo 200611-23 2006-11-28
SuSE SUSE-SA:2006:073 2006-12-01

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CVE-2006-4565 CVE-2006-4566 CVE-2006-4571 CVE-2006-4253 CVE-2006-4567 CVE-2006-4568 CVE-2006-4569
Created:September 15, 2006 Updated:November 14, 2006
Description: Two flaws were found in the way Firefox/Thunderbird processed certain regular expressions. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566)

A number of flaws were found in Firefox/Thunderbird. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4571)

A flaw was found in the handling of JavaScript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4253)

A flaw was found in the Firefox/Thunderbird auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567)

Firefox did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks. (CVE-2006-4568)

Firefox did not load manually opened, blocked popups in the right domain context, which could lead to cross-site scripting attacks. In order to exploit this issue an attacker would need to find a site which would frame their malicious page and convince the user to manually open a blocked popup. (CVE-2006-4569)

Alerts:
Fedora FEDORA-2006-976 2006-09-14
Fedora FEDORA-2006-977 2006-09-14
Slackware SSA:2006-257-03 2006-09-15
rPath rPSA-2006-0169-1 2006-09-15
Red Hat RHSA-2006:0675-01 2006-09-15
Red Hat RHSA-2006:0676-01 2006-09-15
Red Hat RHSA-2006:0677-01 2006-09-15
Mandriva MDKSA-2006:168 2006-09-20
Ubuntu USN-350-1 2006-09-21
SuSE SUSE-SA:2006:054 2006-09-22
Ubuntu USN-351-1 2006-09-22
Ubuntu USN-352-1 2006-09-25
Mandriva MDKSA-2006:169 2006-09-22
Gentoo 200609-19 2006-09-28
Ubuntu USN-354-1 2006-10-02
Debian DSA-1191-1 2006-10-05
Gentoo 200610-01 2006-10-04
Debian DSA-1192-1 2006-10-06
Ubuntu USN-361-1 2006-10-10
Gentoo 200610-04 2006-10-16
Debian DSA-1210-1 2006-11-14

Comments (none posted)

mutt: IMAP namespace buffer overflow

Package(s):mutt CVE #(s):CVE-2006-3242
Created:June 28, 2006 Updated:October 24, 2006
Description: TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently check the validity of namespace strings. If a user connects to a malicious IMAP server, that server could exploit this to crash mutt or even execute arbitrary code with the privileges of the mutt user. See this Secunia advisory for more information.
Alerts:
Ubuntu USN-307-1 2006-06-28
Gentoo 200606-27 2006-06-28
Mandriva MDKSA-2006:115 2006-06-28
rPath rPSA-2006-0116-1 2006-06-29
Trustix TSLSA-2006-0038 2006-06-30
Fedora FEDORA-2006-760 2006-06-29
Fedora FEDORA-2006-761 2006-06-29
Debian DSA-1108-1 2006-07-11
Red Hat RHSA-2006:0577-01 2006-07-12
SuSE SUSE-SR:2006:016 2006-07-14
OpenPKG OpenPKG-SA-2006.013 2006-07-15
Slackware SSA:2006-207-01 2006-07-27
Fedora FEDORA-2006-1061 2006-10-24

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:April 3, 2007
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Mandriva MDKSA-2006:149 2006-08-24
Ubuntu USN-338-1 2006-09-05
Fedora FEDORA-2006-1297 2006-11-27
Fedora FEDORA-2006-1298 2006-11-27
Red Hat RHSA-2007:0083-01 2007-02-19
Red Hat RHSA-2007:0152-01 2007-04-03

Comments (none posted)

nss: signature forgery vulnerability

Package(s):nss CVE #(s):CVE-2006-4340
Created:September 15, 2006 Updated:October 18, 2006
Description: Daniel Bleichenbacher recently described an implementation error in RSA signature verification. For RSA keys with exponent 3, it is possible for an attacker to forge a signature which would be incorrectly verified by the NSS library.
Alerts:
Fedora FEDORA-2006-979 2006-09-14
SuSE SUSE-SA:2006:055 2006-09-22
Gentoo 200610-06 2006-10-17

Comments (1 posted)

openldap: security bypass

Package(s):openldap CVE #(s):CVE-2006-4600
Created:September 29, 2006 Updated:June 12, 2007
Description: slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN).
Alerts:
Mandriva MDKSA-2006:171 2006-09-28
rPath rPSA-2006-0176-1 2006-09-29
Trustix TSLSA-2006-0055 2006-10-06
Red Hat RHSA-2007:0310-02 2007-05-01
Red Hat RHSA-2007:0430-01 2007-06-11

Comments (none posted)

openoffice.org: several vulnerabilities

Package(s):openoffice.org CVE #(s):CVE-2006-2198 CVE-2006-2199 CVE-2006-3117
Created:June 30, 2006 Updated:January 4, 2007
Description: Several vulnerabilities have been discovered in OpenOffice.org, a free office suite.
  • It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. (CVE-2006-2198)
  • It is possible to evade the Java sandbox with specially crafted Java applets. (CVE-2006-2199)
  • Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:
Debian DSA-1104-1 2006-06-30
Fedora FEDORA-2006-764 2006-06-30
Fedora FEDORA-2006-770 2006-07-03
SuSE SUSE-SA:2006:040 2006-07-03
Red Hat RHSA-2006:0573-01 2006-07-03
Debian DSA-1104-2 2006-07-06
Mandriva MDKSA-2006:118 2006-07-07
Ubuntu USN-313-1 2006-07-11
Ubuntu USN-313-2 2006-07-19
Gentoo 200607-12 2006-07-28
rPath rPSA-2006-0173-1 2006-09-26
Fedora FEDORA-2007-005 2007-01-03

Comments (none posted)

OpenSSH: denial of service

Package(s):openssh CVE #(s):CVE-2006-4925 CVE-2006-5052
Created:October 6, 2006 Updated:November 15, 2007
Description: packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.

An unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."

Alerts:
rPath rPSA-2006-0185-1 2006-10-05
SuSE SUSE-SA:2006:062 2006-10-20
Gentoo 200611-06 2006-11-13
Fedora FEDORA-2007-394 2007-04-03
Red Hat RHSA-2007:0540-04 2007-11-07
Red Hat RHSA-2007:0703-02 2007-11-15

Comments (none posted)

openssh: remote denial of service

Package(s):openssh CVE #(s):CVE-2006-4924 CVE-2006-5051
Created:September 27, 2006 Updated:November 15, 2006
Description: OpenSSH 4.4 fixes some security issues, including a pre-authentication denial of service, an unsafe signal handler and, on portable OpenSSH, a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.