Resisting the binary blob
Last week, LWN pointed at
a software
review claiming that Fedora Core 6 was so bad that the whole
distribution should simply be shut down. The failing which led to such a
dire prescription was a lack of proprietary software. According to the
reviewer:
I appreciate the fact that distributions like Fedora Core are still
focused on free-as-in-rights software, but today's Web content
requires more proprietary browser plugins than yesterday's did, and
today's hardware is increasingly designed to be dependent on
proprietary binary blobs in the form of firmware and driver
packages... Users do not want to hear reasons and excuses for why
the operating environment doesn't work with their favorite Web
sites or computer hardware -- all they know is that it doesn't
work, and making it work is not a simple or obvious process.
This reviewer is not the only one to express this point of view; there
would appear to be a rising chorus out there calling on Linux distributors
to load up their systems with proprietary code. Some distributors have
heeded this call, as witnessed by (for example) Ubuntu's decision to
include more binary drivers by default in its next release.
It's not too hard to see where this pressure is coming from. A prospective
user with a problematic laptop will be happier with a distribution which
"just works." Most of the people who truly care about free software are
likely to be using a free system already, so it is easy to imagine
that the next wave of users will be less concerned - at the outset - about software freedom.
So they will gravitate toward a system which does what they want to do
(running on closed hardware, playing patent-encumbered media, etc.) without
concerning themselves much about the provenance of the software they are
using.
The fact that many of these users worry little about software freedom now
does not mean that they will never care, however. Very few of us were born
knowing that free software is a better solution, that using free software
is an important part of being free in general. Just like most of us have
learned, over time, that saving some of the money we earn, while perhaps
being inconvenient in the short term, brings long-term benefits, we have
also learned that using free software - and helping to improve that
software - is better in the long term. Certainly some subset of the new
users coming to Linux will come to understand this fact as well.
But it will not matter how well these users understand the fine points of
software freedom if, by the time they have figured it out, there are no
free operating systems for them to run. If we want free systems then, we
have to build and use free systems now. There can be a place for a binary
blob which enables a specific bit of hardware to work; your editor would
argue that running such a blob is not an inherently immoral act. But it is
not necessarily a wise act, and a distribution which quietly installs such
blobs on an unsuspecting user's system in the name of "it just works" is
not necessarily doing that user any favors.
As a thought experiment, consider how things might have gone if the Linux
community had accepted the "just works (most of the time)" non-free Java
implementation that Sun made available. Linux distributors, rather than
put large amounts of work into making Java code work with free
alternatives, could have simply shipped Sun's version. Had they done so,
would we have (the promise of) a GPL-licensed Java from Sun now? If we
simply accept proprietary drivers in the name of "it just works," when,
exactly, do we think free drivers will become available?
So criticism of Fedora - or any other distributor which sticks to free
software principles - is, at best, misplaced. There are proprietary
systems out there for people who want to run them, but Linux is about free
software. It makes no sense to try to push proprietary code onto a
distribution which has set a goal of being 100% free, and it is silly to
criticize such a distribution for containing only free software. We
should, instead, be appreciative of the vast amount of work that has gone
into giving us a 100% free system - and help to improve that system.
Along these lines, it becomes natural to wonder why the Free Software
Foundation has not recognized the work done by the Fedora Project to make
its distribution entirely free. Instead, the FSF has put its energy into
promoting obscure distributions like gNewSense and UTUTO. It seems that the
Fedora developers and the FSF have been talking about recognition for
Fedora, resulting in the posting of this message
from Richard Stallman. It covers a number of issues, including
firmware, fonts, patents, and more. One sticking point, it would seem, is
this:
We can certainly go through the [Fedora packaging] guidelines. We
have not yet done so, but we know of one problem in the current
policy: it says that packages can be included which qualify as open
source but not as free software. In other words, not all packages
need to meet the definition of free software.
Given the people involved with Fedora, and the work that has been done to
eliminate packages with problematic licensing, your editor has no qualms in
saying that Fedora is a truly free distribution. It is unfortunate that
the work which has gone into the creation of this distribution is not as widely recognized as it should be. If we want to promote free software, and if we want to live in a world where we can use exclusively free software, we
should not hesitate to acknowledge the work of those who have built free
systems, and who have not given in to those pushing for the addition of
proprietary code. They are doing the work we so very much want to see
done, and we are far richer for it.
Comments (131 posted)
Some notes on free Java
The free software community would appear to have developed a winning strategy for
bringing semi-proprietary code under a free license. Just create a project
to reimplement that code, and name the project "Harmony." About the time
that the Harmony project starts to make some real progress, the original
code base will be relicensed to the GPL, and everybody will be happy.
This approach worked well with the first Harmony project, which was created to
make a free version of the then-proprietary Qt library. In September,
2000, Trolltech finally made Qt available under the GPL. More recently, a
Project Harmony set out to
create a free Java implementation. A year and a half later, Sun
Microsystems finally let go, and has promised to release Java as free
software - and under the GPL at that.
Clearly some serious thought needs to be put into picking an appropriate
target for the next Harmony project.
Actually, the "Harmony" name may not become available for a while yet; a
quick look at the mailing list shows that, unlike the previous Harmony
project, the current Harmony developers are continuing full-speed with
their work. One might well wonder why, given that the "real" Java code is
now promised to the community. It may be partly a matter of momentum, and
partly waiting until the code actually becomes available (it will be a few
months yet). Sun's interesting choice of the GPL also appears to be
relevant. The Harmony project, being under the Apache umbrella, is using
the Apache license, which is not compatible with the GPL. So the Harmony
developers will not be able to make use of Sun's code in their project. If
they want an Apache-licensed Java, they will have to continue to work to
create it themselves.
There appears to be some concern within Harmony that Sun will require
copyright assignments from those who would contribute to the GPL code base,
and that, in turn, would allow Sun to make use of contributed code in
proprietary projects. There are Harmony developers who are unwilling to
contribute under those conditions. It has also been suggested
in the Harmony camp that Sun might use patents to enforce Java
compatibility. So Harmony may well continue for a while.
Another project which will be affected by this release is GNU Classpath.
Unlike Harmony, however, Classpath uses a "GPL plus exception" license
which allows the use of the library in proprietary applications. Sun's
choice of the GPL makes life easy for the Classpath developers - especially
since Sun adopted the same exception. But it does leave open the question
of whether Classpath is needed at all. The real answer there probably
depends on the shape of the actual code release; there may be parts of the
"real" Java class library which Sun is unable to release, and which might
then be substituted from Classpath. It also seems that Classpath has
managed to build a dynamic and effective development community; the desire
to continue to develop in that environment may keep Classpath going for a
while yet.
Many pixels have been expended in attempts to analyze Sun's choice of the
GPL. Most likely, Sun went with the GPL because (1) the response to
the CDDL has been lukewarm at best, and (2) experience shows that
GPL-licensed code is relatively resistant to the creation of incompatible
forks. Sun's ostensible reason for resisting free licensing all these
years was a fear of incompatible versions, so fork resistance should have
been on their minds. Also worthy of note is the fact that Sun has
specified that it is using version 2 of the GPL. A switch to GPLv3
seems likely once the license is final (see Jonathan
Schwartz's weblog), but Sun is not committing to that ahead of time.
Sun has made some hints that Solaris might move over to the GPL as well.
This would be a significant change, as it would allow Solaris code to find
its way into the Linux kernel. There must be useful code within Solaris,
even if some of the more interesting parts (the ZFS filesystem, say) would
be a major challenge to port.
In any case, Sun's freeing of Java is a significant - if a bit overdue -
gift to the community. It will enable the Java language to become a
first-class citizen within Linux distributions and make a powerful language
fully available to free software developers. Sun certainly cannot be
faulted for failing to contribute in recent years. Soon, it will be up to
the community to take this code and do great things with it.
Comments (17 posted)
Open Firmware is now free
A full twenty years ago, Mitch Bradley sat down to write the firmware
(BIOS) code for Sun's upcoming SPARCstation line. The resulting code, then
called OpenBoot, shipped on SPARC systems for years, and found its way into
other vendors' computers as well. Mr. Bradley eventually left Sun to
continue to work with this code, now called Open Firmware. It has proved
to be useful for system manufacturers who found it to be a quick way to get
their hardware going. Twenty years later, he is still at it at his company,
FirmWorks.
As of this week, however, one aspect of Mr. Bradley's job has changed: he
is now working with free software. Between code releases by Sun
Microsystems and FirmWorks, the entire Open Firmware system is now free.
Most of it is available under the BSD or MIT license; it can be browsed on the
net or obtained from the Subversion repository at
svn://openbios.org/openfirmware.
Open Firmware is an interesting system. At its core, it is an interpreter
for the Forth language; most of the higher-level functionality is
implemented in Forth and run on the interpreter. That will make the Open
Firmware source relatively opaque for those of us who are not accustomed to
working in stack-based languages; Open Firmware will certainly have the
only ext2 filesystem code which looks like this:
: ext2fsfread ( addr count 'fh -- #read )
drop
dup bsize > abort" Bad size for ext2fsfread"
file-size lblk# bsize * - ( addr count rem )
umin swap ( actual addr )
lblk# read-file-block ( actual )
dup 0> if lblk#++ then ( actual )
The use of Forth does help to keep the Open Firmware code compact and
quick, however. This system can work with several different filesystems,
perform TCP/IP networking (including functioning as an HTTP server or
client), work with USB devices, and drive a wide range of devices in
general. And it all fits in about 350KB of flash, with the ability
to shoehorn it into 256KB if need be.
Open Firmware can also be useful for debugging hardware issues. The Forth
interpreter is available at the system console, allowing a sufficiently
clued developer to poke at device registers directly and see what happens.
This feature is especially useful when trying to bring up new hardware
which is displaying unexpected behavior. As Mr. Bradley has been heard
to say:
I find that a certain amount of foot shooting is necessary,
especially when dealing with new, possibly-broken hardware with
dubious documentation. Interactivity at the lowest level lets you
get all the foot-shooting done quickly, and more importantly, lets
you examine the wounds in great detail.
Open Firmware is a foot-shooting tool of substantial power.
The Open Firmware code was widely used, even when it was a proprietary
product. This code will be even more widely distributed soon. Back in
October, the One Laptop Per Child project announced that it would be adopting Open
Firmware for its systems. LinuxBIOS will remain on those systems as the
low-level BIOS, but Open Firmware will be the code which performs boot
loading and presents the firmware-level interface to the user. The OLPC
decision was based on smaller size, greater speed, and greater flexibility
of the Open Firmware code. Once Open Firmware set on the path toward a
free release, OLPC's decision was relatively easy.
In the future, the now-free nature of Open Firmware may cause it to appear
on a number of new systems, in places where a proprietary BIOS would have
been found before. As a result, a part of our systems which has
traditionally been proprietary and closed might just become open and free.
So, while many of us may never work with this code directly, we'll likely
benefit from its freedom anyway.
Comments (13 posted)
LWN comes out early next week
Thursday, November 23, is the Thanksgiving holiday in the U.S. As has
become traditional, LWN will be published one day early next week so that
we all have time to join our families and begin the task of serious
eating. We'll return to the normal schedule the following week.
Comments (2 posted)
Page editor: Jonathan Corbet
Security
November: the month of kernel bugs
November 15, 2006
This article was contributed by Jake Edge.
A security researcher has proclaimed November to be the 'Month of Kernel
Bugs' (MoKB) and is releasing one bug each day to highlight unreported
issues with various kernels. The
associated web site currently has
six separate Linux bugs listed as well as bugs for MacOS, FreeBSD, Solaris
and Windows. The project was first
announced on the bugtraq
mailing list along with a tool that can fuzz various Linux filesystems.
The Linux bugs described are all filesystem related; they were found using the
fsfuzzer tool to generate various kinds of improperly formatted filesystem
data and to feed it to the Linux filesystem code. This leads to various
kinds of kernel problems, mostly crashes. Bugs have been found in several
different filesystem types: ext2, ext3, iso9660, cramfs, and squashfs.
The vulnerability found for cramfs actually exists in the zlib decompression
code and could potentially lead to arbitrary code execution.
While these bugs are fairly serious, they are also fairly difficult to exploit.
Other than iso9660, it is rare that a Linux user will mount a filesystem
generated by some external, potentially malicious, entity. USB flash drives
might provide a vector for exploiting some of these bugs, but
users are hopefully savvy enough to be wary of mounting them if they do
not know where they came from. Administrators may also remove the ability
for regular users to mount filesystems, especially on sensitive machines
such as servers.
Kernel bugs that allow arbitrary code execution are particularly serious
because they can provide a way to completely take over the system. If an
attacker can convince someone to mount a specially crafted cramfs image,
they may be able to cause all manner of mayhem with that system. Attacks
targeted at a specific person or company would seem to be the biggest
concern as it would be somewhat difficult to use as a vector for a
widespread infection; the logistics of distributing thousands of USB
keychains to create a Linux botnet would be daunting. The money that could
be earned by renting out the botnet, however, might be enough for some,
especially if they could find a way to do it anonymously.
Two of the reported bugs against Windows wireless drivers would seem to be
of little interest to Linux users, but, unfortunately, that is not the case.
As mentioned
here, Ndiswrapper is often used
to provide Linux 'support' for many wireless adapters and, as Dave Jones
points out,
this makes Linux potentially vulnerable as well. It may be that the vendors
release a fix promptly, but until they do, users of those drivers are
vulnerable to attack. And, in any case, propagating a fix in a Windows
network driver to a substantial portion of its users is not a simple thing
to do.
The MoKB announcement mentions the possibility of 'silent fixes' of these
problems; at least so far, that does not seem to be happening. Silent fixes
are ones that fix a security problem, but in some way obfuscate the
security implications of the fix (or, at least, are not accompanied by a
security advisory). Proprietary vendors are well known for
this kind of behavior, but one would hope open source developers are more,
well, open about those kinds of things. The only fix that seems to have
made its way into the kernel so far is for a an ext3/ext4 bug that was
found prior to the MoKB. It was clearly described as a crash in the patch
and the fsfuzzer tool was referenced. It did not specifically mention it
as a security problem, but opinions differ on whether denial of service
that is not caused externally should be considered a security issue.
While the fixes are not silent, they also do not seem to be very high on
anyone's priority list, either. So far, there do not seem to be patches for
any of the MoKB reported issues posted to the linux kernel mailing list.
The zlib inflate issue, with its memory corruption potential, would seem like
one that should be fixed relatively soon even if its exploit potential is low.
So far, MoKB has produced some interesting bugs, especially on other operating
systems. We will be keeping an eye out for any others that might have a
bigger impact on Linux users and for fixes going into the kernel. November
is only half over.
Comments (10 posted)
New vulnerabilities
avahi: sender id check
| Package(s): | avahi |
CVE #(s): | CVE-2006-5461
|
| Created: | November 13, 2006 |
Updated: | December 20, 2006 |
| Description: |
Steve Grubb discovered that netlink messages were not being checked for
their sender identity. This could lead to local users manipulating the
Avahi service. |
| Alerts: |
|
Comments (1 posted)
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | CVE-2006-5453
CVE-2006-5454
CVE-2006-5455
|
| Created: | November 10, 2006 |
Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
| Alerts: |
|
Comments (none posted)
ftpd: privilege escalation
| Package(s): | ftpd |
CVE #(s): | CVE-2006-5778
|
| Created: | November 10, 2006 |
Updated: | February 14, 2007 |
| Description: |
Ftpd is vulnerable to a privilege escalation attack,
an incorrect seteuid() call can be used by an FTP user to gain
unauthorized access to files or directories. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-5757
|
| Created: | November 13, 2006 |
Updated: | November 14, 2007 |
| Description: |
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")." |
| Alerts: |
|
Comments (none posted)
openldap: denial of service
| Package(s): | openldap |
CVE #(s): | CVE-2006-5779
|
| Created: | November 10, 2006 |
Updated: | December 1, 2006 |
| Description: |
openldap has a denial of service vulnerability. Remote attackers can
create special LDAP Bind requests to trigger a libldap assertion
failure. |
| Alerts: |
|
Comments (none posted)
pdns: buffer overflow
| Package(s): | pdns |
CVE #(s): | CVE-2006-4251
|
| Created: | November 15, 2006 |
Updated: | November 16, 2006 |
| Description: |
The PowerDNS nameserver suffers from a buffer overflow which can be exploited to cause a denial of service, with the potential for the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
trac: cross-site request forgery
| Package(s): | trac |
CVE #(s): | CVE-2006-5848
CVE-2006-5878
|
| Created: | November 13, 2006 |
Updated: | December 13, 2006 |
| Description: |
It was discovered that Trac, a wiki and issue tracking system for
software development projects, performs insufficient validation against
cross-site request forgery, which might lead to an attacker being able
to perform manipulation of a Trac site with the privileges of the
attacked Trac user. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
asterisk: arbitrary code execution
| Package(s): | asterisk |
CVE #(s): | CVE-2006-5444
|
| Created: | October 19, 2006 |
Updated: | December 6, 2006 |
| Description: |
The Asterisk telephony PBX application has a heap overflow vulnerability
in the skinny channel driver. A remote attacker can use this to
arbitrarily execute code with the privileges of the Asterisk user.
See this
vulnerability report
for more information. |
| Alerts: |
|
Comments (none posted)
bind: denial of service
| Package(s): | bind |
CVE #(s): | CVE-2006-4095
CVE-2006-4096
|
| Created: | September 7, 2006 |
Updated: | February 1, 2007 |
| Description: |
Bind has two denial of service vulnerabilities.
Recursive servers queries for SIG records will trigger an assertion
failure if more than one RR set is returned.
An INSIST failure can be triggered by sending a large number of
recursive queries. |
| Alerts: |
|
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
| Alerts: |
|
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
CVE #(s): | CVE-2006-4799
CVE-2006-4800
|
| Created: | September 14, 2006 |
Updated: | May 28, 2007 |
| Description: |
the AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
crafted AVI, arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (2 posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
CVE #(s): | CVE-2005-4745
CVE-2005-4746
|
| Created: | August 8, 2006 |
Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gdb: buffer overflow
| Package(s): | gdb |
CVE #(s): | CVE-2006-4146
|
| Created: | September 15, 2006 |
Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
| Alerts: |
|
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | June 1, 2007 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
CVE #(s): | CVE-2006-5456
|
| Created: | October 31, 2006 |
Updated: | March 8, 2007 |
| Description: |
Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick
6.0.7 allow user-assisted attackers to cause a denial of service and
possibly execute execute arbitrary code via (1) a DCM image that is not
properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a
PALM image that is not properly handled by the ReadPALMImage function in
coders/palm.c. |
| Alerts: |
|
Comments (2 posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
ingo1: missing input sanitizing
| Package(s): | ingo1 |
CVE #(s): | CVE-2006-5449
|
| Created: | November 3, 2006 |
Updated: | November 27, 2006 |
| Description: |
It was discovered that the Ingo email filter rules manager performs
insufficient escaping of user-provided data in created procmail rules
files, which allows the execution of arbitrary shell commands. |
| Alerts: |
|
Comments (none posted)
kdelibs: integer overflow
| Package(s): | kdelibs |
CVE #(s): | CVE-2006-4811
|
| Created: | October 18, 2006 |
Updated: | March 5, 2007 |
| Description: |
The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4623
|
| Created: | October 18, 2006 |
Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4535
CVE-2006-4538
|
| Created: | September 18, 2006 |
Updated: | December 3, 2007 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4572
CVE-2006-4997
|
| Created: | November 6, 2006 |
Updated: | January 17, 2007 |
| Description: |
Some vulnerabilities were discovered in the Linux 2.6 kernel:
There are possibly exploitable bugs in the netfilter for IPv6 code.
(CVE-2006-4572)
The ATM subsystem of the Linux kernel could allow a remote attacker to
cause a Denial of Service (panic) via unknown vectors that cause the ATM
subsystem to access the memory of socket buffers after they are freed.
(CVE-2006-4997) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: denial of service
| Package(s): | libgd2 |
CVE #(s): | CVE-2006-2906
|
| Created: | June 14, 2006 |
Updated: | January 16, 2007 |
| Description: |
Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: |
|
Comments (none posted)
libmms: buffer overflows
| Package(s): | libmms |
CVE #(s): | CVE-2006-2200
|
| Created: | July 6, 2006 |
Updated: | December 25, 2006 |
| Description: |
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: insecure password control
| Package(s): | libpam-ldap |
CVE #(s): | CVE-2006-5170
|
| Created: | November 3, 2006 |
Updated: | December 21, 2006 |
| Description: |
Steve Rigler discovered that the PAM module for authentication against
LDAP servers processes PasswordPolicyReponse control messages incorrectly,
which might lead to an attacker being able to login into a suspended
system account. |
| Alerts: |
|
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-3334
|
| Created: | July 19, 2006 |
Updated: | November 17, 2006 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
CVE #(s): | CVE-2006-2450
|
| Created: | August 4, 2006 |
Updated: | March 19, 2007 |
| Description: |
LibVNCServer fails to properly validate protocol types effectively
letting users decide what protocol to use, such as "Type 1 - None".
LibVNCServer will accept this security type, even if it is not offered
by the server. |
| Alerts: |
|
Comments (none posted)
libX11: file descriptor leak
| Package(s): | libX11 |
CVE #(s): | CVE-2006-5397
|
| Created: | November 7, 2006 |
Updated: | November 8, 2006 |
| Description: |
The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and
1.0.3 opens a file for reading twice using the same file descriptor, which
causes a file descriptor leak that allows local users to read files
specified by the XCOMPOSEFILE environment variable via the duplicate file
descriptor. |
| Alerts: |
|
Comments (1 posted)
linux-restricted-modules: nVidia driver vulnerability
| Package(s): | linux-restricted-modules |
CVE #(s): | CVE-2006-5379
|
| Created: | November 6, 2006 |
Updated: | January 11, 2007 |
| Description: |
Derek Abdine discovered that the NVIDIA Xorg driver did not correctly
verify the size of buffers used to render text glyphs. When displaying
very long strings of text, the Xorg server would crash. If a user were
tricked into viewing a specially crafted series of glyphs, this flaw
could be exploited to run arbitrary code with root privileges. |
| Alerts: |
|
Comments (none posted)
mono: symlink vulnerability
| Package(s): | mono |
CVE #(s): | CVE-2006-5072
|
| Created: | October 4, 2006 |
Updated: | December 1, 2006 |
| Description: |
The mono System.CodeDom.Compiler classes suffer from a temporary file symlink vulnerability which could be used to overwrite files, or, in this case, even inject arbitrary code into a running mono application. |
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | mozilla firefox thunderbird |
CVE #(s): | CVE-2006-4565
CVE-2006-4566
CVE-2006-4571
CVE-2006-4253
CVE-2006-4567
CVE-2006-4568
CVE-2006-4569
|
| Created: | September 15, 2006 |
Updated: | November 14, 2006 |
| Description: |
Two flaws were found in the way Firefox/Thunderbird processed certain regular
expressions. A malicious web page/HTML email could crash the browser or
possibly execute arbitrary code as the user running
Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566)
A number of flaws were found in Firefox/Thunderbird. A malicious web
page/HTML email could crash the browser or possibly execute arbitrary code
as the user running Firefox/Thunderbird. (CVE-2006-4571)
A flaw was found in the handling of JavaScript timed events. A malicious
web page could crash the browser or possibly execute arbitrary code as the
user running Firefox/Thunderbird. (CVE-2006-4253)
A flaw was found in the Firefox/Thunderbird auto-update verification
system. An attacker who has the ability to spoof a victim's DNS could get
Firefox to download and install malicious code. In order to exploit this
issue an attacker would also need to get a victim to previously accept an
unverifiable certificate. (CVE-2006-4567)
Firefox did not properly prevent a frame in one domain from injecting
content into a sub-frame that belongs to another domain, which facilitates
website spoofing and other attacks (CVE-2006-4568)
Firefox did not load manually opened, blocked popups in the right domain
context, which could lead to cross-site scripting attacks. In order to
exploit this issue an attacker would need to find a site which would frame
their malicious page and convince the user to manually open a blocked
popup. (CVE-2006-4569) |
| Alerts: |
|
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
CVE #(s): | CVE-2006-3469
|
| Created: | July 21, 2006 |
Updated: | July 30, 2008 |
| Description: |
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server. |
| Alerts: |
|
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
CVE #(s): | CVE-2006-4031
CVE-2006-4226
|
| Created: | August 25, 2006 |
Updated: | July 30, 2008 |
| Description: |
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226). |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
openldap: security bypass
| Package(s): | openldap |
CVE #(s): | CVE-2006-4600
|
| Created: | September 29, 2006 |
Updated: | June 12, 2007 |
| Description: |
slapd in OpenLDAP before 2.3.25 allows remote authenticated users with
selfwrite Access Control List (ACL) privileges to modify arbitrary
Distinguished Names (DN). |
| Alerts: |
|
