On Novell and Microsoft
Depending on who is commenting, the recently announced
agreement between Microsoft and Novell is either the ultimate victory or
the beginning of the end for Linux. If there is anything that is clear
about this new arrangement, it's that nobody really understands what it
means yet. Perhaps, in the end, it means less than most people hope or
fear.
Parts of the agreement are reasonably easy to understand. Microsoft will
now officially recommend SUSE Linux to its customers who are determined to
run something other than Windows on some of their machines. Microsoft will
also hand out "coupons" for Novell support. A joint
"research center" will be set up to work on projects of interest to both
companies; virtualization, network management, and document formats are on
the list of topics to be addressed. Among other things, this work could
result in better support for documents in Microsoft formats, an area of
active interest for many years.
The part of the agreement which has attracted the most attention, however,
is the patent deal. This is also the hardest part to understand, and its
real implications may take years to become clear. These seem to be the
relevant points:
- The two companies have entered into a "covenant not to sue" each other's
paying customers for patent violations. So SUSE (but not OpenSUSE)
users should be free of the fear
of being hauled into court by Microsoft's lawyers, and Windows users
need no longer stay awake at nights worrying about a legal attack from
Novell.
- The companies are making patent royalty payments to each other. It
appears that the net cash flow is in Novell's direction, because there
are more Windows products shipped than SUSE products. But the fact
remains: Microsoft has succeeded in collecting a tax on every SUSE
Linux distribution supported by Novell.
- Microsoft has made a promise not to sue individual developers for
patent violations - sort of.
The text of the covenant not to sue has been posted. It would appear to cover
Novell's paid customers for their particular use of SUSE Linux. It's not
clear that the term "use" extends to the ways some of us "use" Linux -
distributing it to others, for example. Microsoft can tweak or terminate
the agreement at any time "pursuant to the terms of the Patent Cooperation
Agreement between Novell and Microsoft that was publicly announced on
November 2, 2006"; of course, the terms of that agreement are not publicly
available. The agreement is currently slated to end in 2012, however.
To some, this agreement represents a total sell-out of Linux users by
Novell. To others, it is simply Novell trying to eliminate a specific
source of FUD against its customers. How it will really play out remains
to be seen.
Novell insists that it has not licensed any patents from Microsoft
- that the "covenant not to sue" is an entirely different thing. It is
somewhat hard to believe that a courtroom would come to the same
conclusion, especially given the fact that royalty payments are being
made. The distinction may become very important to Novell. Many observers
have pointed out section 7 of the GNU General Public License:
If you cannot distribute so as to satisfy simultaneously your
obligations under this License and any other pertinent obligations,
then as a consequence you may not distribute the Program at
all. For example, if a patent license would not permit royalty-free
redistribution of the Program by all those who receive copies
directly or indirectly through you, then the only way you could
satisfy both it and this License would be to refrain entirely from
distribution of the Program.
What this text means is that, if Microsoft is asserting patents against
GPL-licensed code, Novell cannot distribute that code to its customers just
because it has a "license" from Microsoft. There is some suspicion that
Novell is trying to use the "covenant not to sue" as a way of weaseling out
of this restriction, but it is difficult to imagine such a strategy
succeeding. If Novell's customers cannot redistribute Linux, then Novell
cannot distribute it to them.
So, should Microsoft ever go after a user of GPL-licensed code, Novell will
find itself in a difficult position. Either distribution of
the code in question in the lawsuit must be stopped, creating potential
problems for Novell's customers, or Novell can continue distribution under
its non-license with Microsoft, inviting suits from copyright holders.
Either way, a Microsoft patent suit against Linux would not be a
comfortable experience for Novell, even with this agreement in place.
Adding to the non-license claim, Novell's Kurt Garloff told LWN:
Like before, Novell does not acknowledge that any software it ships
actually does infringe on a patent. As soon as Novell would
determine that GPL software is affected by a MS patent, Novell
would change the software to avoid/work around being affected by
the patent.
This is a clear position which contains all the right words. It is still
hard to square the claim that no patents have been acknowledged with the
royalty payments, however. If Novell acknowledges no patent infringements,
what, exactly, is it paying royalties on? Perhaps it is just naked
protection money for its customers. Or, perhaps, this is a concession
Novell had to make to obtain the royalty stream from Microsoft.
One of the criticisms of this deal centers on the implicit acknowledgment
of patent problems in Linux. Companies pursuing patent shakedowns often
use the existence of paying licensees as evidence in their favor. If,
however, Novell has in truth not licensed (or obtained "covenants not to
sue") on any specific patents, then the value of Novell as evidence,
especially in court, will be small.
A separate - and very interesting - question remains: how, exactly, does
Novell's "covenant not to sue" affect the patents which Novell donated to
the Open Invention Network (OIN)? Those patents are at the core of OIN's
deterrent power,
and it is the promise of protection from OIN which
enabled the inclusion of Mono-based software into the Fedora Core
distribution. If Novell's non-license covers those patents, then OIN's
credibility as a deterrent to lawsuits by Microsoft will take a large hit.
Your editor was unable to get an answer from Novell on this question in
this article's time frame (getting answers from lawyers takes time). It
would seem, however, from an inexpert reading, that the relevant patents
have been truly assigned to OIN, and are no longer Novell's to non-license
to anybody. If that reading is correct, then OIN's position is just as
strong as it was before.
That question has not been settled, however, and there is a lot of concern
in the community. The Fedora Project is actively considering the future of
Mono in its distribution - one of many interesting decisions that project
will be making in the near future.
Finally, there is the matter of Microsoft's promise not to sue individual
developers. Anybody who is interested should just go read the
text of the promise. As long as individual developers stay in their
own basements and don't try to do anything rash - like distribute their
code - they will be safe. For anybody who is trying to actually be a part
of the free software development community, however, Microsoft's promise
has no value at all. There is no point, even, in getting worked up about the
fact that Microsoft reserves the right to change its promise
at any time. For individual developers, nothing has changed at all.
In fact, for most of us, nothing has really changed. Software patent suits
were a serious threat before, and they are still a serious threat. Some
argue that Novell's agreement has made a patent attack from Microsoft more
likely (Steve Ballmer's latest FUD
is often quoted), but that is not at all clear. It is hard to see
Microsoft suing Linux users; those whose pockets are deep enough to make
them worth suing are certainly Microsoft customers too. A patent suit
against another Linux distributor would leave Novell in a seriously
uncomfortable position, and likely shatter this new partnership. The
threat is there, certainly, just like it was before.
To your editor's eye, the deal looks like the following. Novell, despite
trying to do a lot of the right things, finds itself a distant second in
the corporate Linux market. Red Hat has proved hard to beat, and the entry
of Oracle into this market - supporting Red Hat's distribution - seems
unlikely to help. In this context, the deal with Microsoft must look like it
has some real advantages: it might help SUSE Linux to achieve the best
interoperability with Microsoft products, bring in a few more sales,
provide a new royalty revenue stream, and eliminate a source of FUD which
might just, still, be bothering a few potential customers. All of these
could help to solidify Novell's position in the market, for a while at
least.
So, the claims that Novell has sold out Linux for its own advancement are
probably overblown - assuming that OIN retains its power. Most of the
community will probably be unaffected, and, if we're really lucky, we might
get a bit of code out of the deal. What Novell has done to itself will
take longer to work out. Walking into Microsoft's embrace has not always
led to long-term joy for the companies involved. On the other hand, some
sort of engagement between Microsoft and Linux must happen at some point;
it is not as if Microsoft will simply vanish. Novell has taken that step;
whether it turns out to be a good thing (for Novell, and for the community)
is something we will have to see over time.
Big decisions loom for Fedora
The Fedora Project is in one of those relatively rare periods where the
deadlines have passed, the distribution has been shipped, and no new
deadlines have yet been set. Now is the time when participants in the
project can engage in a bit of introspection, and that's exactly what is
going on. Over the next week or so, decisions will be made which could
significantly change the way this project works.
For some background, readers may want to look at this posting from Thorsten Leemhuis and Max
Spevack's state of Fedora note. The developers
involved with Fedora seem to think that the Fedora Core 6 process went
well, and that, as a result, FC6 is a solid distribution. They are
justifiably proud of their work. That said, there are a number of issues
on the Fedora developers' minds, and a number of changes which, seemingly,
need to be made.
To that end, the Fedora Project Board will be meeting on November 7.
The real discussion, however, will happen at a special "Fedora Summit"
happening from November 11 through the 15th. It is a closed affair,
featuring Max Spevack, Greg DeKoenigsberg, Bill Nottingham, Chris Blizzard,
Warren Togami, Dave Jones, Jeremy Katz, Jesse Keating, and perhaps various
others at times. This group of people will try to make a plan for the
development of Fedora Core 7 and the future organization of the
project.
Since its inception, Fedora has been criticized for not being as open to
the community as its early PR had led people to hope. Much progress has been
made in that direction over the last year or so, but much remains to be
done. Greg DeKoenigsberg is quite clear
that making the project more open is a priority, and that the time has
come:
We've got a lot of work to do inside the fenceline, though.
Honestly, a lot of that work requires the disentanglement of Fedora
and RHEL -- we need the ability to innovate freely in Fedora
without adversely impacting RHEL. We didn't really have that
opportunity in the FC6 timeframe.
But now we do.
From the resulting discussion, it would appear that one significant
decision has already been made, at least in principle: the Fedora Core
distribution, as such, will be abolished. Fedora Extras has been
sufficiently successful that it increasingly looks like the model for
Fedora as a whole in the future. There does not appear to be any dissent
to this idea; the hot topic, instead, seems to be how the new distribution
will be named. "Fedora Linux" appears to be the leading choice at the
moment.
But, then, nobody has really gotten down to discussing - in public, at
least - how the new, more open Fedora will work. There will still have to
be a decision-making mechanism, a way for setting the goals and priorities
for the project. Red Hat is still picking up most of the tab for work on
Fedora, so there are still likely to be limits to how much latitude the
company is willing to give the project to set its own priorities. A good
place to start might be to establish the Fedora Steering Committee - first
promised in 2003 - with a significant number of outside contributors and
let it provide some direction (in the open) for the project as a whole.
Another topic for the discussion is the future of the Fedora Legacy
project, which was discussed
here last month. It appears that the project has finally come to see
Fedora Legacy - or its absence - as a problem. How that problem will be
solved is far from clear at this point, however.
Another nagging problem is the ongoing maintenance of rpm; that, too, looks
like it may be addressed by the board meeting and the summit.
Then there are issues like the ongoing lack of a Fedora live CD. Desktop
support is getting more attention, though it is hard to see how Fedora can
address many of the complaints in this area (lack of official Java, flash
support, etc.) while remaining true to its "free software only" rules.
Making a source code management system available to the wider community
remains on the "to do" list. And so on.
In other words, Fedora has a lot of work to do, still, before it becomes a
truly open, community project. Nothing illustrates that better than the
fact that the directions and priorities for the next Fedora release will be
set in closed board and summit meetings. What seems different now is that
the project insiders appear more determined than ever to get this work
done. For all that Fedora is a great distribution, it needs its community
to continue to grow and reach its potential. Given all that needs to be
done to become more open to its community, Fedora is likely to still be
very much a work in progress by the time the Fedora Linux 7 (or
whatever it is called) is released. But, then, that is true of a great
many free software projects.
Review: Linux Administration Handbook, Second Edition
Your editor is often asked if he would be willing to be a technical
reviewer for an upcoming Linux-oriented book. Such requests are almost
always turned down. Technical review is an important task, but it takes
vast amounts of time and the compensation is mostly measured in karma
points. It is a hard task to squeeze in. Evi Nemeth, however, earned
special consideration many years ago when she allowed LWN's co-founders to
do their Data Structures homework on the University of Colorado's lone VAX
11/780 - on the condition that they learn C. She also let your editor make
some "fixes" (long since lost, mercifully) to the memory management system
on the early BSD release running on that VAX. So, when Evi and company asked
for help reviewing the second edition of the Linux Administration
Handbook, your editor agreed to do it.
![cover](/images/ns/grumpy/lah.png)
This was not a trivial task; the Handbook now weighs in at a full 1000
pages. It is derived from the classic Unix Administration Handbook,
which was the definitive administration manual for its times. The second
iteration is an attempt to bring the book up to date with the current Linux
state of the art, an attempt which is not 100% successful. The fact
remains, however, that the Linux Administration Handbook remains
unmatched for its combination of clear writing, technical depth, and
extensive experience in all aspects of system and network management.
A glance through the table of contents shows that some audiences will get
more out of the Handbook than others. The chapters on DNS
and electronic mail administration are over 100 pages - each. Networking
is covered in detail, from how to wire up an RJ-45 connector through Samba
administration. Backups, printing, process management, the bootstrap
process, and so on are all addressed. There is also a lot of accumulated
wisdom on dealing with users, working with vendors, managing system
administration groups, tracking problems, etc. If you are charged with
managing mostly server-oriented systems, this book has almost everything
you need.
The second edition updates the Handbook in a number of ways. Ubuntu
"Dapper" and Fedora Core 5 have been added to the list of covered
distributions; they join RHEL 4.3, SUSE Linux Enterprise 10.2, and
Debian Testing (to be Etch) as of last September. Bacula is now covered in
detail (and much of the Amanda discussion has been taken out). The
electronic mail chapter - while still centered mostly on sendmail - now has
a reasonable section on postfix. The security chapter has been filled out
with the latest tools. And so on.
As your editor can well attest, however, bringing a book up to the current
state of Linux is a hard task - and it never stays current for long.
Still, at times, the Linux Administration Handbook shows its age a
little too much. Back in the days of VAXen and early Unix workstations, we
all got very good at dealing with serial ports and making terminals talk.
But how many of us need a chapter on that subject now? The security
chapter passes over SELinux entirely - a major shortcoming. As far as the
authors are concerned, udev seems not to exist - it is only
mentioned in passing. But how does one manage a contemporary system without
an understanding of udev? There's plenty of information on how deeply
Ethernet hubs can be cascaded, but wireless networking is passed over
almost entirely.
There is also almost no discussion of contemporary desktops. The
Handbook authors avoid graphical administration tools in favor of
really understanding (and being able to script) the system at a lower
level, and this is good. But an administrator in this century should have
a sense for how the desktop goes together and how to configure things to
give users the experience and capabilities they need. The second edition
does add a badly-needed chapter on the X Window System, but it leaves the
upper parts of the desktop untouched.
So the second edition of the Linux Administration Handbook is not
perfect. But, for a large part of the system administration space, this
book has the best combination of "how to do it" (technical details) and
"how you should do it" (what works well in the real world). It is still
the first place your editor looks when the man page falls short. If your
job requires keeping Linux systems running, especially if it's in a larger
environment, you probably need this book on your shelf.
Page editor: Jonathan Corbet
Security
Rainbow tables for password cracking
November 8, 2006
This article was contributed by Jake Edge.
An announcement about a new site offering free 'rainbow tables' on the
bugtraq mailing list sparked our interest; what are these tables and what
can they be used for? It turns out that rainbow tables are the result of
pre-computing various one-way hash functions to make reversing them
practical. In effect, the right set of tables makes a one-way hash
function reversible for certain inputs, and the inputs of interest are
passwords.
Many applications use one-way hash functions (such as MD5 or SHA1) to store
passwords because they hide the password value from prying eyes, but it is
easy to compare hashed passwords when a user logs in. This relies on the fact that it is
difficult to reverse the hash function and produce the original password,
but the application can just apply the hash function to the password presented
and compare the output to the stored hash. Operating systems, database
management systems, web and other applications often use this method to
store their users' passwords.
For those that might want to crack a password, a straightforward, but
very time consuming method would be to brute force it. Generate the
hashed values for each string in the password search space and compare
it to the hashed value of interest; when they match, the password is
cracked. If one needed to crack passwords regularly, it might make sense
to store the password to hash mappings so that it would just take a
lookup to find any previously cracked password. The storage requirements
of that kind of table, for any plausible set of potential passwords
(say 1-8 alphanumeric characters) are huge. Rainbow tables are a way to
reduce the storage requirements substantially while still preserving much
of the speed benefits of using a lookup table.
To create a rainbow table, you must first come up with a reduction function
that takes a hash as input and maps it to a password in the search space.
You then start with a password and repeatedly hash and reduce it several
thousand times, creating a chain of passwords. You discard all but the first
and last password and store that pair. To reverse a particular hash
value, you reduce the hash value and look for that password as the end
of one of the chains. If you do not find it, then you hash and reduce again.
Once you find a matching end of the chain, you use the first password to
recreate the chain; the cracked password is the entry that immediately
precedes the point in the chain where the target hash appears.
This ingenious scheme comes from a paper presented at the CRYPTO 2003
conference. The paper is a bit dense if you are unfamiliar with the
references cited, so the author has a simplified explanation as well.
Rainbow tables are specific to a particular hash algorithm and password
search space, and that is where the free rainbow tables site comes in handy.
There are currently two tables available there, one for MD5 and one for the
older Windows DES-based password algorithm. The MD5 version is 36Gb in size
and will crack 99.9% of lowercase alphanumeric passwords that are eight
characters or less in length. The site also has links to other sites with
tables as well as to the Project RainbowCrack site, which has source for
various programs to generate and use the tables.
The best defense against rainbow tables is 'salt', which has been a part
of UNIX passwords since near the beginning of time (UNIX epoch time anyway).
Salt is a random string that is added to the password before hashing it and
then stored with the password. Linux MD5 passwords store the salt between two
dollar signs in the password field in /etc/shadow. This random
string effectively multiplies the number of tables required to do a dictionary
lookup by the number of individual salt values available.
Even just eight bits of salt (and Linux uses much more than that) would require
nine terabytes of rainbow table.
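As an added illustration of the chain construction described above and of the salt defense just discussed, here is a toy rainbow table in Python. This is a constructed example, not code from the article, from the free rainbow tables site or from Project RainbowCrack. The search space (three lowercase letters), the chain length (100 steps), the reduction function, the salt value and the sample /etc/shadow field are all assumptions of mine, chosen so that the whole thing builds and runs in about a second; the lookup logic is the general algorithm, so it works unchanged for any password that fits the search space.

```python
import hashlib
import random

# Toy parameters (assumptions for this example, far smaller than the
# tables on the free rainbow tables site): 3-character lowercase
# passwords, unsalted MD5, and 100 hash/reduce steps per chain.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 candidate passwords
CHAIN_LEN = 100


def md5_hex(text: str) -> str:
    """Unsalted MD5, the scheme the article says many web applications use."""
    return hashlib.md5(text.encode()).hexdigest()


def verify_login(stored_hex: str, presented: str) -> bool:
    """What an application does at login: hash the presented password and
    compare it with the stored hash; the stored hash is never reversed."""
    return md5_hex(presented) == stored_hex


def reduce_hash(hex_digest: str, column: int) -> str:
    """Reduction function: map a hash back into the password search space.
    Folding in the chain column gives every column its own reduction, which
    is the rainbow-table refinement over plain hash chains."""
    n = (int(hex_digest[:12], 16) + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def build_table(num_chains: int, seed: int = 1) -> dict:
    """Build chains from random start passwords; store only {end: start}."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        pw = start
        for column in range(CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), column)
        table.setdefault(pw, start)   # keep the first chain for a given end
    return table


def crack(target_hex: str, table: dict):
    """Reverse target_hex with the table; return the password or None."""
    # Guess that the target hash sits at column i of some chain: reduce it
    # with that column's reduction and walk the rest of the chain to its end.
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target_hex, i)
        for column in range(i + 1, CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), column)
        start = table.get(pw)
        if start is None:
            continue
        # Candidate chain found: regenerate it from the stored start and
        # return the password sitting just before the matching hash.
        pw = start
        for column in range(CHAIN_LEN):
            if md5_hex(pw) == target_hex:
                return pw
            pw = reduce_hash(md5_hex(pw), column)
        # False alarm (end matched but the target is not in this chain).
    return None


def salted_table_bytes(unsalted_bytes: int, salt_bits: int) -> int:
    """Storage needed to keep the same coverage once a salt of salt_bits
    is in use: one full table per possible salt value."""
    return unsalted_bytes * (2 ** salt_bits)


def shadow_md5_salt(field: str) -> str:
    """Extract the salt from a Linux $1$salt$hash shadow password field."""
    parts = field.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an MD5-crypt ($1$) password field")
    return parts[2]


if __name__ == "__main__":
    table = build_table(2000)
    victim = next(iter(table.values()))   # a password the table covers
    print("unsalted MD5 of", repr(victim), "->", crack(md5_hex(victim), table))
    print("salted MD5 ->", crack(md5_hex("Qx7z" + victim), table))  # constructed salt
    print("36 GB table with an 8-bit salt ->",
          salted_table_bytes(36 * 10**9, 8) / 10**12, "TB")
```

Only the chain endpoints are stored, so 2000 chains of 100 steps cover up to 200,000 password/hash pairs in a 2000-entry dictionary; the price is the per-lookup work in `crack`, which tries every column. Prefixing even a short salt moves the hashed string out of the search space, so the same table returns `None`, and the 8-bit salt arithmetic reproduces the article's nine-terabyte figure.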
While this technique is not particularly effective at recovering OS passwords
(at least on Linux), there are quite a number of web applications that
store straight MD5 passwords without any salt (and some, sadly,
store plaintext passwords). Other applications may do that as well.
If the password hashes become exposed via a
SQL injection or other flaw,
rainbow tables could be just the ticket to breaking into those systems.
New vulnerabilities
imlib2: arbitrary code execution
| Package(s): | imlib2 |
| CVE #(s): | CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809 |
| Created: | November 6, 2006 |
| Updated: | August 13, 2007 |
| Description: | M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
ingo1: missing input sanitizing
| Package(s): | ingo1 |
| CVE #(s): | CVE-2006-5449 |
| Created: | November 3, 2006 |
| Updated: | November 27, 2006 |
| Description: | It was discovered that the Ingo email filter rules manager performs insufficient escaping of user-provided data in created procmail rules files, which allows the execution of arbitrary shell commands. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4572, CVE-2006-4997 |
| Created: | November 6, 2006 |
| Updated: | January 17, 2007 |
| Description: | Some vulnerabilities were discovered in the Linux 2.6 kernel. There are possibly exploitable bugs in the netfilter for IPv6 code (CVE-2006-4572). The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (CVE-2006-4997). |
| Alerts: | |
libpam-ldap: insecure password control
| Package(s): | libpam-ldap |
| CVE #(s): | CVE-2006-5170 |
| Created: | November 3, 2006 |
| Updated: | December 21, 2006 |
| Description: | Steve Rigler discovered that the PAM module for authentication against LDAP servers processes PasswordPolicyResponse control messages incorrectly, which might allow an attacker to log into a suspended system account. |
| Alerts: | |
libX11: file descriptor leak
| Package(s): | libX11 |
| CVE #(s): | CVE-2006-5397 |
| Created: | November 7, 2006 |
| Updated: | November 8, 2006 |
| Description: | The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor. |
| Alerts: | |
Mozilla products: multiple vulnerabilities
| Package(s): | thunderbird firefox seamonkey |
| CVE #(s): | CVE-2006-5463, CVE-2006-5747, CVE-2006-5748, CVE-2006-5464 |
| Created: | November 8, 2006 |
| Updated: | December 11, 2006 |
| Description: | Numerous vulnerabilities have been found in the Mozilla JavaScript and HTML rendering code, leading to possible remote code execution attacks. This CERT advisory contains details. |
| Alerts: | |
openssh: privilege separation issue
| Package(s): | openssh |
| CVE #(s): | CVE-2006-5794 |
| Created: | November 8, 2006 |
| Updated: | April 5, 2007 |
| Description: | From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities." |
| Alerts: | |
php: buffer overflows
| Package(s): | php |
| CVE #(s): | CVE-2006-5465 |
| Created: | November 3, 2006 |
| Updated: | November 15, 2006 |
| Description: | The Hardened-PHP Project discovered buffer overflows in the PHP internal routines behind htmlentities() and htmlspecialchars(). Of course, the whole purpose of these functions is to be fed user input. (The overflow can only occur when UTF-8 is in use.) |
| Alerts: | |
postgresql: several vulnerabilities
| Package(s): | postgresql-8.1 |
| CVE #(s): | CVE-2006-5540, CVE-2006-5541, CVE-2006-5542 |
| Created: | November 3, 2006 |
| Updated: | November 8, 2006 |
| Description: | Michael Fuhr discovered an incorrect type check when handling unknown literals. By attempting to coerce such a literal to the ANYARRAY type, a local authenticated attacker could cause a server crash (CVE-2006-5541). Josh Drake and Alvaro Herrera reported a crash when using aggregate functions in UPDATE statements. A local authenticated attacker could exploit this to crash the server backend. This update disables this construct, since it is not very well defined and forbidden by the SQL standard (CVE-2006-5540). Sergey Koposov discovered a flaw in the duration logging. This could cause a server crash under certain circumstances (CVE-2006-5542). |
| Alerts: | |
rpm: arbitrary code execution
| Package(s): | rpm |
| CVE #(s): | CVE-2006-5466 |
| Created: | November 6, 2006 |
| Updated: | August 28, 2007 |
| Description: | An error was found in the RPM library's handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user was tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
texinfo: buffer overflow
| Package(s): | texinfo |
| CVE #(s): | CVE-2006-4810 |
| Created: | November 8, 2006 |
| Updated: | November 27, 2006 |
| Description: | Texinfo contains a buffer overflow which could be exploited (via a specially-crafted info file) to run arbitrary code. |
| Alerts: | |
thttpd: insecure temporary files
| Package(s): | thttpd |
| CVE #(s): | CVE-2006-4248 |
| Created: | November 3, 2006 |
| Updated: | December 1, 2006 |
| Description: | Marco d'Itri discovered that thttpd, a small, fast and secure webserver, makes use of insecure temporary files when its logfiles are rotated, which might lead to a denial of service through a symlink attack. |
| Alerts: | |
wireshark: multiple vulnerabilities
| Package(s): | wireshark ethereal |
| CVE #(s): | CVE-2006-4574, CVE-2006-4805, CVE-2006-5468, CVE-2006-5469, CVE-2006-5740 |
| Created: | November 3, 2006 |
| Updated: | November 14, 2006 |
| Description: | There are multiple vulnerabilities in Wireshark (formerly Ethereal): an off-by-one error in the MIME Multipart dissector in Wireshark 0.10.1 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger an assertion error related to unexpected length values (CVE-2006-4574); epan/dissectors/packet-xot.c in the XOT dissector (dissect_xot_pdu) in Wireshark 0.9.8 through 0.99.3 allows remote attackers to cause a denial of service (memory consumption and crash) via an encoded XOT packet that produces a zero length value when it is decoded (CVE-2006-4805); an unspecified vulnerability in the HTTP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via unspecified vectors (CVE-2006-5468); an unspecified vulnerability in the WBXML dissector in Wireshark 0.10.11 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger a null dereference (CVE-2006-5469); an unspecified vulnerability in the LDAP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via a crafted LDAP packet (CVE-2006-5740). |
| Alerts: | |
wv: integer overflow
| Package(s): | wv |
| CVE #(s): | CVE-2006-4513 |
| Created: | November 2, 2006 |
| Updated: | December 7, 2006 |
| Description: | The wv library has an integer overflow vulnerability in the DOC file parser. If a user can be tricked into opening a maliciously crafted MSWord file, a remote attacker can execute arbitrary code with the privileges of the user. |
| Alerts: | |
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
| Alerts: | |
asterisk: arbitrary code execution
| Package(s): | asterisk |
CVE #(s): | CVE-2006-5444
|
| Created: | October 19, 2006 |
Updated: | December 6, 2006 |
| Description: |
The Asterisk telephony PBX application has a heap overflow vulnerability
in the skinny channel driver. A remote attacker can use this to
arbitrarily execute code with the privileges of the Asterisk user.
See this vulnerability report for more information. |
| Alerts: | |
bind: denial of service
| Package(s): | bind |
| CVE #(s): | CVE-2006-4095, CVE-2006-4096 |
| Created: | September 7, 2006 |
| Updated: | February 1, 2007 |
| Description: |
BIND has two denial of service vulnerabilities.
On recursive servers, a query for SIG records will trigger an assertion
failure if more than one RRset is returned.
An INSIST failure can be triggered by sending a large number of
recursive queries. |
| Alerts: | |
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when hashing
passwords. As a result, a brute force attack against the stored hashes could
take very little time. |
| Alerts: | |
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
the permissions of arbitrary files via a hard link attack: if the output
file is replaced by a hard link while it is being decompressed, bzip2
changes the permissions of the link target once decompression is complete.
Also, specially crafted bzip2 archives may cause an infinite loop in the
decompressor. |
| Alerts: | |
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with, e.g., a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: | |
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a denial of service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a denial of service even if the attacker is
not able to authenticate. |
| Alerts: | |
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2006-4799, CVE-2006-4800 |
| Created: | September 14, 2006 |
| Updated: | May 28, 2007 |
| Description: |
The AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted AVI
file, arbitrary code can be executed with the user's privileges. |
| Alerts: | |
freeradius: several vulnerabilities
| Package(s): | freeradius |
| CVE #(s): | CVE-2005-4745, CVE-2005-4746 |
| Created: | August 8, 2006 |
| Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
| Alerts: | |
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: | |
gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: | |
gdb: buffer overflow
| Package(s): | gdb |
| CVE #(s): | CVE-2006-4146 |
| Created: | September 15, 2006 |
| Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
| Alerts: | |
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
gzip: multiple vulnerabilities
| Package(s): | gzip |
| CVE #(s): | CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 |
| Created: | September 19, 2006 |
| Updated: | June 1, 2007 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
| Alerts: | |
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with the user's privileges if zgrep
is run in an untrusted directory containing specially crafted file names. |
| Alerts: | |
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-5456 |
| Created: | October 31, 2006 |
| Updated: | March 8, 2007 |
| Description: |
Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick
6.0.7 allow user-assisted attackers to cause a denial of service and
possibly execute arbitrary code via (1) a DCM image that is not
properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a
PALM image that is not properly handled by the ReadPALMImage function in
coders/palm.c. |
| Alerts: | |
kdelibs: integer overflow
| Package(s): | kdelibs |
| CVE #(s): | CVE-2006-4811 |
| Created: | October 18, 2006 |
| Updated: | March 5, 2007 |
| Description: |
The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: | |
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: |
Kate / KWrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set. See this advisory for more information. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4623 |
| Created: | October 18, 2006 |
| Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4535, CVE-2006-4538 |
| Created: | September 18, 2006 |
| Updated: | December 3, 2007 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: | |
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2935, CVE-2006-4145, CVE-2006-3745 |
| Created: | September 1, 2006 |
| Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause a system crash (denial of service) and, if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: | |
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, a console Gadu Gadu instant messaging
client), which is also included in gaim, a multi-protocol instant
messaging client. This cannot be exploited on the x86 architecture, but
on others, e.g. SPARC, it leads to a bus error, in other words a denial
of service. |
| Alerts: | |
libgd2: denial of service
| Package(s): | libgd2 |
| CVE #(s): | CVE-2006-2906 |
| Created: | June 14, 2006 |
| Updated: | January 16, 2007 |
| Description: |
Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: | |
libmms: buffer overflows
| Package(s): | libmms |
| CVE #(s): | CVE-2006-2200 |
| Created: | July 6, 2006 |
| Updated: | December 25, 2006 |
| Description: |
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program. |
| Alerts: | |
libpng: buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-3334 |
| Created: | July 19, 2006 |
| Updated: | November 17, 2006 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
| Alerts: | |
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CVE-2006-2193 |
| Created: | June 15, 2006 |
| Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: | |
libvncserver: authentication bypass
| Package(s): | libvncserver |
| CVE #(s): | CVE-2006-2450 |
| Created: | August 4, 2006 |
| Updated: | March 19, 2007 |
| Description: |
LibVNCServer fails to properly validate the security type selected by the
client, effectively letting users decide which one to use, such as
"Type 1 - None". LibVNCServer will accept this security type even if it
was not offered by the server. |
| Alerts: | |
libwmf: integer overflow
| Package(s): | libwmf |
| CVE #(s): | CVE-2006-3376 |
| Created: | July 13, 2006 |
| Updated: | November 6, 2006 |
| Description: |
libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability. |
| Alerts: | |