LWN.net Logo

LWN.net Weekly Edition for December 14, 2006

Playing with the OLPC

The One Laptop Per Child project is likely to be familiar to most LWN readers by now. An important milestone on this project's plan for the creation of low-cost educational systems is the production of "BTest-1" systems. The project has manufactured on the order of 1000 laptops and distributed them to testers worldwide as a way of, hopefully, shaking out the remaining hardware issues and making a start on the software side of the equation. Some systems have even been shipped to Microsoft so that some sort of Windows port can be done; this move has upset some OLPC supporters, but when the designers of the laptop said they planned to make a 100% open system, they meant it.

Your editor was lucky enough to receive one of these systems, after having been put through the indignity of seeing everybody else's "I got my laptop" posts first. There has not been a great deal of time to play with it yet, but your editor has had the chance to form some first impressions. The OLPC XO (or whatever it is eventually called) is going to be a nice system.

Back in July, we interviewed Jim Gettys about this system; one of the questions we asked was how they planned to keep adults from stealing the laptops from the children for their own purposes. Jim answered:

First, we intend that the systems be instantly recognizable as kid's systems, not only so that kids like them and value them more and take care of them carefully, but also so that adults with machines in their possession may be asked questions about whether they should have the machine.

Even with this in mind, most people who see an OLPC for the first time are surprised by just how small it is. Understanding sets in for real when one attempts to use the keyboard; the small keys will work for a small child, [OLPC layout] but, for your fat-fingered editor, it is very much a hunt-and-peck device. There will be very few adults who will be able to type comfortably on this system. With the size of the device and its bright colors, they will also look decidedly silly in the attempt. This machine is clearly for kids.

Another way to make adults look silly is to hand the laptop to one of them and suggest that they open it. Your editor has performed this experiment several times now, and has not yet seen anybody succeed. Most people try pushing on the green square that looks like a latch, but which is, in reality, the hinge. The secret is to lift up the two "ears," which happen to be the wireless network antennas, and open the top toward the handle. Anybody attempting to use a crowbar should be stopped immediately.

The display can rotate 180 degrees and be closed over the keyboard, putting the device into "ebook" mode. There is no touchscreen on the device, so the only controls available in this mode are the eight buttons (four arrows and four which, for now, look like Sony game controller buttons) next to the display.

On the software side, the test system is running a pared-down version of the Fedora Core distribution. The kernel is essentially 2.6.19-rc2 with a fair set of patches (some since merged into the mainline) to support the OLPC hardware. Many of the basic utilities are there, and there is a Python interpreter available. But anybody looking for a C compiler, OpenOffice.org, emacs, Wesnoth, etc. will not find them. The system has little space (512MB of flash storage) and even less memory, so a lot of larger applications will never find space there.

The BTest-1 release notes make it clear that the process of putting together the software is just beginning; the focus, until now, has been on getting the hardware working. So many of the provided "activities" are present only in a preliminary form, and others are not there at all yet. It is not, according to the release notes, time to test the device on children (though your editor's children disagree rather strongly). Certainly the adults are starting to have fun with the system; your editor was gratified by this brief posting on video conferencing on the OLPC using the telepathy package.

Running software on the test system drives home a point the project has been making for some time: much of the software we run now is far too bloated and slow. With a suitable amount of attention to resource use, the OLPC hardware is powerful enough to accomplish a wide variety of tasks - web browsing, document editing, video conferencing, and more. But, with the wrong software, the system will just sit there and thrash. So one of the primary goals for the OLPC software team in the coming months will be to put the system's applications on a diet until they fit comfortably on this small system. This work will benefit us all in the end; some of the work aimed at slimming down the Gecko rendering engine can already be found in Firefox 2.

Beyond that, however, this project is setting up to put millions of Linux-based laptops into the hands of children worldwide. These systems will include mesh networking and cameras; this is a combination which is likely to lead to interesting things to see on video sharing sites - and serious news channels. The laptop will be wide open, with the "view source" functionality built in. There are many people who question this project and whether the countries involved might better spend their resources on clean water, sanitation, and so on. Those are legitimate questions which cannot be simply brushed off. But one should also consider what those kids will be able to do given better access to knowledge, communications, and a platform they can hack to their own ends. It is going to be interesting to watch.

Comments (24 posted)

The next document format battleground

Recent weeks have seen a great deal of debate over Microsoft's OpenXML document format. This format, which is headed for standard status, is a complex beast. Some have questioned whether it will ever be able to create independent implementations of OpenXML which are truly interoperable with each other. Others ask whether it is right for the free software community to even try. To many members of our community, the right path is to encourage the use of OpenDocument, which already has standard status and implementations in free software. Why get onto another document format treadmill when a better solution is already available?

These questions are valid, they deserve full consideration. But they may also, to an extent, be missing the real point. It is entirely possible that the document format battles are done; even if OpenXML is not a perfect standard, it is far more open than its predecessors. While Microsoft is not inclined to make life easy for those who would interoperate with its file formats, the company may well have realized that obscure formats have outlived their usefulness as a way of maintaining desktop domination. This might just be a battle we have won, even if the victory is rather more messy than we would like.

Before we charter an aircraft carrier for our "mission accomplished" party, however, it is worth reflecting on different forms this fight could take in the future. Cory Doctorow gave us a good hint in this InformationWeek article on "information rights management." IRM is a feature touted by Microsoft for a few years now which has the potential to complicate life considerably in the future.

IRM offers some interesting features to people who are worried about the information they put into their documents, presentations, and spreadsheets. With IRM, the document owner can specify exactly who can read a particular file, and under what conditions. Access can have an expiration time attached to it - or it can be revoked at any time. Actions like printing can be restricted. For anybody who feels the need to control information, these features cannot fail to be appealing.

But these features only work if the client plays along, and free software clients have not always distinguished themselves in this area. Or, rather, they have distinguished themselves very well by serving the needs of their users. Even if a programmer implements the "this document can only be printed once" flag, somebody else, perhaps after having lost their one printing opportunity to a particularly nasty paper jam, will hack it out. Clearly, Microsoft must prevent the creation of free applications which can read IRM-protected documents or it will be unable to live up to the promises it has made for that technology.

Microsoft has a couple of weapons at its disposal (beyond pure obscurity) which can be used against any potential free IRM implementation. One is the DMCA, which, in the US (and countries which have implemented similar laws), can be employed against those who bypass access restriction mechanisms. Anybody who posted code that, say, allowed the user to cut and paste text out of an IRM-protected document would likely face an unpleasant reception in the US. They would be in a situation much like that faced by Dmitry Sklyarov, who bypassed similar restrictions in PDF files, a few years ago.

Of course, the Sklyarov case did not necessarily work to Adobe's advantage in the end, and Microsoft might wish to avoid a similar storm of bad publicity. So, as Cory's article points out, Microsoft might pursue a different option: the use of the trusted computing module (TPM) increasingly being built into new computers. With the remote attestation feature of the TPM, it is possible to refuse to pass decryption keys to any system which cannot be shown to be running approved software. This system would be quite tight and hard to defeat - it might just work. And it would no longer matter how "open" the document format is.

The full remote attestation scenario requires the cooperation of the entire system, starting with a "secure" BIOS which initializes the TPM properly. Most systems do not currently operate in this mode, so the realization of this threat will not happen in the immediate future. One should not, however, forget that the TPM has been designed to support just this mode of operation. It does not take all that much paranoia to imagine that these capabilities will not go unused forever. "Trusted computing" has yet to touch most of us, but we ignore it at great risk. Among other things, it could make the current discussion of open document formats entirely moot.

Comments (16 posted)

Steps in the Fedora transition

The recent Fedora Summit reached a number of conclusions about the future of the project. These include the elimination of the distinction between Fedora Core and Fedora Extras and the extension of the support period for Fedora releases to approximately 13 months. Since then, various parts of the project have tried to figure out what is really going to happen. It is beginning to appear that a few things, at least, are coming into focus.

When changes of this magnitude are in store, one's thoughts immediately turn to the most important topic: what will be the project's new name? Quite a few possibilities were discussed, including Fedora Union (not everybody liked the acronym) and Fedora Freedom (which, it seems, brings unwelcome associations with "freedom fries" to a fair number of people). After weeks of discussion, it would appear that people are converging on (...drum roll...) "Fedora." Who would have guessed?

So when will the next Freedom Fries Fedora release be? According to a recently-posted schedule proposal, Fedora 7 will come out on April 24, 2007. That date seems to be driven by the Red Hat Summit, which starts on May 9; the Fedora folks would like to have something to show off at that event. On this schedule, the first test release would be on January 30, just before the next FUDcon, which appears set for February 2 to 4. Assuming the schedule does not slip, it should be possible to hand out Fedora 7 disks to Red Hat Summit attendees.

The only problem is that Fedora schedules have been known to slip at times. This realization has led to a discussion on what went wrong, and how schedule slips might be avoided this time around. There were a number of issues that came up toward the end of the Fedora Core 6 effort, some of which would have been hard to anticipate and avoid. One of the biggest issues, however, was the fact that Xen didn't work. Fedora kernel maintainer Dave Jones has some choice words about Xen, along with a grim prognosis about the potential for future problems. It rather appears that Fedora might be best served by dropping Xen altogether, but that is unlikely to happen in the short term. Red Hat Enterprise Linux needs to have Xen (after all, Novell ships it), and Fedora is where these technologies get much of their early testing.

That said, there seems to be a fair amount of sympathy for the idea of simply dropping features with problems that threaten to delay the release. Hopefully the Fedora developers won't have to make any such choices this time around, but, should something come up, it will be interesting to see how they respond.

Another open question is what happens to the Fedora Legacy project. Nobody has really taken the step of officially shutting it down. Jesse Keating has walked away from it, however, and few people seem to see much reason for keeping it going. There are users who would like to see more than 13 months of security support for Fedora releases, but the subset of those users who are willing to help Fedora Legacy provide that support is quite small.

Meanwhile, the project did (on December 12) put this note onto its web page:

The current model for supporting maintenance distributions is being re-examined. In the meantime, we are unable to extend support to older Fedora Core releases as we had planned. As of now, Fedora Core 4 and earlier distributions are no longer being maintained.

Given that the project only managed one Fedora Core 4 update ever, one could argue that the situation has not changed much. But at least it is now clear. What is less clear is how the various hosting companies which offer Fedora Core 4 servers have kept them secure so far, and what they intend to do now.

Finally, the project still has not come to a final resolution on what to do about RPM. The subject was apparently discussed at the December 12 board meeting, but no communications are, as of this writing, available. With luck, we'll hear from the project on this topic before too long. Infrastructure like RPM is too important to leave in a limbo state for this long.

Comments (4 posted)

Page editor: Jonathan Corbet

Security

Another kernel core dump security issue

December 13, 2006

This article was contributed by Jake Edge.

When a security bug is found in the kernel, a patch is usually available within hours; the kernel developers rightly take these things very seriously. Once the patch is available, the stable team typically releases a new kernel within a week or so and this is one of the big advantages of open source. Once in a while, however, a bug that has been fixed previously can creep back into the source, open or closed, and is known as a 'regression'. This week's 2.6.19.1 kernel release has a fix for something that looks an awful lot like a regression, but technically is not.

Back in July, LWN described a security problem in the then-current 2.6.17 kernel. The issue was that local users could configure their processes to write core dump files in directories that they did not have write permissions for. As the article described, this could be trivially exploited for local privilege escalation; in short, a local root hole.

This bug was fixed by the following patch:

    --- a/kernel/sys.c
    +++ b/kernel/sys.c
    @@ -1983,7 +1983,7 @@ asmlinkage long sys_prctl(int option, un
                            error = current->mm->dumpable;
                            break;
                    case PR_SET_DUMPABLE:
    -                       if (arg2 < 0 || arg2 > 2) {
    +                       if (arg2 < 0 || arg2 > 1) {
                                    error = -EINVAL;
                                    break;
                            }
which prevented processes from setting the dumpable flag to two. That flag governs whether core dumps are produced by the process; the special value of two reflects an ability to dump core with root privileges, quite possibly to directories that the user cannot normally write to. The code did guard against overwriting existing files, for security reasons, but did not consider the implications of allowing user processes to effectively write anywhere.

The code which handles the dumpable flag lives in fs/exec.c in the aptly named do_coredump() function:

    if (mm->dumpable == 2) {        /* Setuid core dump mode */
            flag = O_EXCL;          /* Stop rewrite attacks */
            current->fsuid = 0;     /* Dump root private */
    }

and further down, flag is used as part of the filp_open() call:

    file = filp_open(corename, O_CREAT|2|O_NOFOLLOW|O_LARGEFILE|flag, 0600);

At the end of September, a patch by Andi Kleen was applied to allow core dumps to be piped to a userspace process. This patch had been, according to Andi, "hanging around for a long time" and lacked the flag in the call to filp_open(). The patch made it into 2.6.19-rc1 kernel and from there into 2.6.19.

The impact of the bug is relatively low as a root user would have to set the dumpable flag to two via /proc/sys/fs/suid_dumpable. This would allow user processes to write core dumps anywhere, which is as designed, but also would allow them to overwrite existing files, which is not. It probably is not very common that admins need to configure things that way, but it certainly is not completely outside the realm of possibility either.

As described in the patch, Alexey Dobriyan used a list of warnings gathered from compiling the kernel. The warnings were grepped for 'was set but never used' and the first entry in the list pointed to this problem. The kernel produces enough warnings that problems like this tend to be obscured in a sea of bogus or overly picky warnings.

This particular bug is not technically a regression as there never was a bug that allowed this behavior until it was introduced in the patch. It has been assigned CVE-2006-6304 (as of this writing, it is just a reserved CVE with no information).

It is great to see folks scrutinizing warnings and looking for bugs in the kernel, this is just the kind of thing that the 'many eyes make all bugs shallow' theory is referring to. It would be nice to see a kernel regression test suite that contained test cases for bugs that have previously been fixed as that kind of thing might have caught this bug. It is a difficult problem, however, and keeping up with the number of bug fix patches would be daunting. Perhaps a regression suite that focused on security fixes would be a good place to start.

Comments (9 posted)

New vulnerabilities

clamav: missing sanity checks

Package(s):clamav CVE #(s):CVE-2006-5874
Created:December 11, 2006 Updated:December 14, 2006
Description: Stephen Gran discovered that malformed base64-encoded MIME attachments can lead to denial of service through a null pointer dereference.
Alerts:
Mandriva MDKSA-2006:230 2006-12-13
Debian DSA-1232-1 2006-12-09

Comments (none posted)

enemies-of-carlotta: input sanitizing

Package(s):enemies-of-carlotta CVE #(s):CVE-2006-5875
Created:December 13, 2006 Updated:December 13, 2006
Description: It would seem that enemies-of-carlotta, a mailing list manager, does not check email addresses before passing them to a shell.
Alerts:
Debian DSA-1236-1 2006-12-13

Comments (none posted)

gnupg: stack overwrite

Package(s):gnupg CVE #(s):CVE-2006-6235
Created:December 12, 2006 Updated:March 13, 2007
Description: A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.
Alerts:
Fedora FEDORA-2007-316 2007-03-12
Fedora FEDORA-2007-315 2007-03-12
SuSE SUSE-SA:2006:075 2006-12-13
Mandriva MDKSA-2006:228 2006-12-11

Comments (3 posted)

kdegraphics: stack overflow

Package(s):kdegraphics CVE #(s):CVE-2006-6297
Created:December 12, 2006 Updated:January 13, 2007
Description: A stack overflow in the KFILE JPEG (kfile_jpeg) plugin in kdegraphics3, as used by konqueror, digikam, and other KDE image browsers, allows remote attackers to cause a denial of service (stack consumption) via a crafted EXIF section in a JPEG file, which results in an infinite recursion.
Alerts:
Gentoo 200701-05 2007-01-12
Mandriva MDKSA-2006:227 2006-12-11

Comments (none posted)

l2tpns: buffer overflow

Package(s):l2tpns CVE #(s):CVE-2006-5873
Created:December 8, 2006 Updated:December 13, 2006
Description: Rhys Kidd discovered a vulnerability in l2tpns, a layer 2 tunneling protocol network server, which could be triggered by a remote user to execute arbitrary code.
Alerts:
Debian DSA-1230-1 2006-12-08

Comments (none posted)

libmodplug: boundary errors

Package(s):libmodplug CVE #(s):CVE-2006-4192
Created:December 11, 2006 Updated:September 28, 2007
Description: Luigi Auriemma has reported various boundary errors in load_it.cpp and a boundary error in the "CSoundFile::ReadSample()" function in sndfile.cpp. A remote attacker can entice a user to read crafted modules or ITP files, which may trigger a buffer overflow resulting in the execution of arbitrary code with the privileges of the user running the application.
Alerts:
Ubuntu USN-521-1 2007-09-27
Mandriva MDKSA-2007:001 2007-01-02
Gentoo 200612-04 2006-12-10

Comments (none posted)

madwifi-ng: buffer overflow

Package(s):madwifi-ng CVE #(s):CVE-2006-6332
Created:December 11, 2006 Updated:December 13, 2006
Description: Laurent Butti, Jerome Raznieski and Julien Tinnes reported a buffer overflow in the encode_ie() and the giwscan_cb() functions from ieee80211_wireless.c. A remote attacker could send specially crafted wireless WPA packets containing malicious RSN Information Headers (IE) that could potentially lead to the remote execution of arbitrary code as the root user.
Alerts:
SuSE SUSE-SA:2006:074 2006-12-11
Gentoo 200612-09 2006-12-10

Comments (none posted)

ruby: denial of service

Package(s):ruby CVE #(s):CVE-2006-6303
Created:December 7, 2006 Updated:December 21, 2006
Description: The Ruby CGI library, cgi.rb, does not properly detect boundaries in MIME multipart content. A remote attacker can use this to cause a denial of service.
Alerts:
OpenPKG OpenPKG-SA-2006.040 2006-12-21
Gentoo 200612-21 2006-12-20
Ubuntu USN-394-1 2006-12-08
Mandriva MDKSA-2006:225 2006-12-06

Comments (none posted)

squirrelmail: multiple cross-site scripting vulnerabilities

Package(s):squirrelmail CVE #(s):CVE-2006-6142
Created:December 11, 2006 Updated:January 31, 2007
Description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the mailto parameter in webmail.php, the session and delete_draft parameters in compose.php, and unspecified vectors involving "a shortcoming in the magicHTML filter."
Alerts:
Red Hat RHSA-2007:0022-01 2007-01-31
Fedora FEDORA-2007-089 2007-01-17
Fedora FEDORA-2007-088 2007-01-17
Debian DSA-1241-1 2006-12-25
rPath rPSA-2006-0231-1 2006-12-12
Mandriva MDKSA-2006:226 2006-12-11

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

apache-mod_auth_kerb: off-by-one error

Package(s):apache-mod_auth_kerb CVE #(s):CVE-2006-5989
Created:November 24, 2006 Updated:January 23, 2007
Description: An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows remote attackers to cause a denial of service (crash) via a crafted Kerberos message that triggers a heap-based buffer overflow in the component array.
Alerts:
Gentoo 200701-14 2007-01-22
Debian DSA-1247-1 2007-01-08
Red Hat RHSA-2006:0746-01 2006-12-06
Fedora FEDORA-2006-1341 2006-11-29
Mandriva MDKSA-2006:218 2006-11-23

Comments (none posted)

asterisk: arbitrary code execution

Package(s):asterisk CVE #(s):CVE-2006-5444
Created:October 19, 2006 Updated:December 6, 2006
Description: The Asterisk telephony PBX application has a heap overflow vulnerability in the skinny channel driver. A remote attacker can use this to arbitrarily execute code with the privileges of the Asterisk user. See this vulnerability report for more information.
Alerts:
Debian DSA-1229-1 2006-12-06
SuSE SUSE-SA:2006:069 2006-11-16
Gentoo 200610-15 2006-10-30
OpenPKG OpenPKG-SA-2006.024 2006-10-19

Comments (none posted)

avahi: sender id check

Package(s):avahi CVE #(s):CVE-2006-5461
Created:November 13, 2006 Updated:December 20, 2006
Description: Steve Grubb discovered that netlink messages were not being checked for their sender identity. This could lead to local users manipulating the Avahi service.
Alerts:
Ubuntu USN-380-2 2006-12-14
Fedora FEDORA-2006-1340 2006-12-11
Fedora FEDORA-2006-1339 2006-11-28
Gentoo 200611-13 2006-11-20
Mandriva MDKSA-2006:215 2006-11-20
Ubuntu USN-380-1 2006-11-11

Comments (1 posted)

bind: denial of service

Package(s):bind CVE #(s):CVE-2006-4095 CVE-2006-4096
Created:September 7, 2006 Updated:February 1, 2007
Description: Bind has two denial of service vulnerabilities.

Recursive servers queries for SIG records will trigger an assertion failure if more than one RR set is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
Fedora FEDORA-2007-164 2007-01-31
Gentoo 200609-11 2006-09-15
Slackware SSA:2006-257-01 2006-09-15
Fedora FEDORA-2006-966 2006-09-11
Debian DSA-1172-1 2006-09-09
Mandriva MDKSA-2006:163 2006-09-08
rPath rPSA-2006-0166-1 2006-09-08
Ubuntu USN-343-1 2006-09-07
OpenPKG OpenPKG-SA-2006.019 2006-09-07

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dovecot: index cache file handling error

Package(s):dovecot CVE #(s):CVE-2006-5973
Created:November 29, 2006 Updated:May 8, 2007
Description: The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable.
Alerts:
Fedora FEDORA-2006-1504 2006-12-27
Fedora FEDORA-2006-1396 2006-12-18
rPath rPSA-2006-0220-1 2006-11-30
Ubuntu USN-387-1 2006-11-28

Comments (none posted)

elinks: arbitrary file access

Package(s):elinks CVE #(s):CVE-2006-5925
Created:November 16, 2006 Updated:February 1, 2007
Description: The elinks text-mode browser has an arbitrary file access vulnerability in the Elinks SMB protocol handler. If a user can be tricked into visiting a specially crafted web page, arbitrary files may be read or written with the user's permissions.
Alerts:
Gentoo 200701-27 2007-01-30
OpenPKG OpenPKG-SA-2006.043 2006-12-26
Debian DSA-1240-1 2006-12-21
Gentoo 200612-16 2006-12-14
Debian DSA-1228-1 2006-12-05
Debian DSA-1226-1 2006-12-03
Fedora FEDORA-2006-1278 2006-11-21
Fedora FEDORA-2006-1277 2006-11-21
Mandriva MDKSA-2006:216 2006-11-20
Red Hat RHSA-2006:0742-01 2006-11-15

Comments (none posted)

ffmpeg: buffer overflows

Package(s):ffmpeg CVE #(s):CVE-2006-4799 CVE-2006-4800
Created:September 14, 2006 Updated:May 28, 2007
Description: the AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted crafted AVI, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200609-09 2006-09-13

Comments (2 posted)

freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

ftpd: privilege escalation

Package(s):ftpd CVE #(s):CVE-2006-5778
Created:November 10, 2006 Updated:February 14, 2007
Description: Ftpd is vulnerable to a privilege escalation attack, an incorrect seteuid() call can be used by an FTP user to gain unauthorized access to files or directories.
Alerts:
Gentoo 200611-05:02 2006-11-10
Debian DSA-1217-1 2006-11-20
Gentoo 200611-05 2006-11-10

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gdb: buffer overflow

Package(s):gdb CVE #(s):CVE-2006-4146
Created:September 15, 2006 Updated:June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Red Hat RHSA-2007:0469-01 2007-06-11
Red Hat RHSA-2007:0229-02 2007-05-01
Ubuntu USN-356-1 2006-10-02
Fedora FEDORA-2006-975 2006-09-14

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gnupg: buffer overflow

Package(s):gnupg CVE #(s):CVE-2006-6169
Created:November 30, 2006 Updated:December 11, 2006
Description: GnuPG has a buffer overflow vulnerability. If a user can be tricked into running gpg interactively on a specially crafted message, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200612-03:02 2006-12-10
Gentoo 200612-03 2006-12-10
Debian DSA-1231-1 2006-12-09
Slackware SSA:2006-340-01b 2006-12-08
OpenPKG OpenPKG-SA-2006.037 2006-12-08
Ubuntu USN-393-2 2006-12-07
Ubuntu USN-393-1 2006-12-07
Slackware SSA:2006-340-01 2006-12-07
rPath rPSA-2006-0227-1 2006-12-06
Fedora FEDORA-2006-1406 2006-12-06
Fedora FEDORA-2006-1405 2006-12-06
Red Hat RHSA-2006:0754-01 2006-12-06
Trustix TSLSA-2006-0068 2006-12-01
Mandriva MDKSA-2006:221 2006-11-30
rPath rPSA-2006-0224-1 2006-11-30
Ubuntu USN-389-1 2006-11-29

Comments (none posted)

gv: stack-based buffer overflow

Package(s):gv CVE #(s):CVE-2006-5864
Created:November 20, 2006 Updated:April 9, 2007
Description: Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header.
Alerts:
Gentoo 200704-06 2007-04-06
Gentoo 200703-24 2007-03-26
Debian DSA-1243-1 2006-12-28
Debian DSA-1214-2 2006-12-27
Mandriva MDKSA-2006:229 2006-12-13
rPath rPSA-2006-0230-1 2006-12-12
Fedora FEDORA-2006-1438 2006-12-11
Fedora FEDORA-2006-1437 2006-12-11
Ubuntu USN-390-3 2006-12-06
Ubuntu USN-390-2 2006-12-06
Mandriva MDKSA-2006:214-1 2006-12-04
Ubuntu USN-390-1 2006-11-30
Gentoo 200611-20 2006-11-24
Debian DSA-1214-1 2006-11-20
Mandriva MDKSA-2006:214 2006-11-17

Comments (none posted)

gzip: multiple vulnerabilities

Package(s):gzip CVE #(s):CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created:September 19, 2006 Updated:June 1, 2007
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Alerts:
Fedora FEDORA-2007-557 2007-05-31
Gentoo 200611-24 2006-11-28
Fedora-Legacy FLSA:211760 2006-11-13
Fedora FEDORA-2006-989 2006-10-10
SuSE SUSE-SA:2006:056 2006-09-26
Gentoo 200609-13 2006-09-23
Trustix TSLSA-2006-0052 2006-09-22
Mandriva MDKSA-2006:167 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Debian DSA-1181-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Ubuntu USN-349-1 2006-09-19
Red Hat RHSA-2006:0667-01 2006-09-19

Comments (1 posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

imagemagick: buffer overflows

Package(s):imagemagick CVE #(s):CVE-2006-5868
Created:November 28, 2006 Updated:February 16, 2007
Description: Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Red Hat RHSA-2007:0015-01 2007-02-15
Mandriva MDKSA-2006:223 2006-12-01
Ubuntu USN-386-1 2006-11-28

Comments (1 posted)

ImageMagick: buffer overflows

Package(s):ImageMagick CVE #(s):CVE-2006-5456
Created:October 31, 2006 Updated:March 8, 2007
Description: Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
Alerts:
Slackware SSA:2007-066-06 2007-03-08
rPath rPSA-2007-0029-1 2007-02-08
rPath rPSA-2006-0218-1 2006-11-27
Gentoo 200611-19 2006-11-24
Fedora FEDORA-2006-1285 2006-11-22
Fedora FEDORA-2006-1286 2006-11-22
Debian DSA-1213-1 2006-11-19
SuSE SUSE-SA:2006:066 2006-11-14
Gentoo 200611-07 2006-11-13
Ubuntu USN-372-1 2006-11-01
Mandriva MDKSA-2006:193 2006-10-30

Comments (2 posted)

imlib2: arbitrary code execution

Package(s):imlib2 CVE #(s):CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created:November 6, 2006 Updated:August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03

Comments (none posted)

kdelibs: integer overflow

Package(s):kdelibs CVE #(s):CVE-2006-4811
Created:October 18, 2006 Updated:March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
Alerts:
Gentoo 200703-06 2007-03-04
Gentoo 200611-02 2006-11-06
Red Hat RHSA-2006:0725-01 2006-11-01
Debian DSA-1200-1 2006-10-30
Slackware SSA:2006-298-01 2006-10-26
rPath rPSA-2006-0195-2 2006-10-18
Mandriva MDKSA-2006:186 2006-10-19
rPath rPSA-2006-0195-1 2006-10-18
Red Hat RHSA-2006:0720-01 2006-10-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

Comments (none posted)

kernel: bridging code buffer overflow

Package(s):kernel CVE #(s):CVE-2006-5751
Created:December 6, 2006 Updated:January 3, 2007
Description: A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix.
Alerts:
Mandriva MDKSA-2007:002 2007-01-02
SuSE SUSE-SA:2006:079 2006-12-21
Fedora FEDORA-2006-1471 2006-12-18
Fedora FEDORA-2006-1470 2006-12-18
Ubuntu USN-395-1 2006-12-13
Debian DSA-1233-1 2006-12-10
rPath rPSA-2006-0226-1 2006-12-06

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:December 3, 2007
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4572 CVE-2006-4997
Created:November 6, 2006 Updated:January 17, 2007
Description: Some vulnerabilities were discovered in the Linux 2.6 kernel:

There are possibly exploitable bugs in the netfilter for IPv6 code. (CVE-2006-4572)

The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed. (CVE-2006-4997)

Alerts:
Red Hat RHSA-2007:0013-01 2007-01-17
Red Hat RHSA-2007:0012-01 2007-01-17
Debian DSA-1237-1 2006-12-17
rPath rPSA-2006-0204-1 2006-11-09
Mandriva MDKSA-2006:197 2006-11-03

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-5757
Created:November 13, 2006 Updated:November 14, 2007
Description: From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")."
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Fedora FEDORA-2006-1223 2006-11-12
Fedora FEDORA-2006-1221 2006-11-10

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

koffice: integer overflow

Package(s):koffice CVE #(s):CVE-2006-6120
Created:November 30, 2006 Updated:February 20, 2007
Description: The KOffice office suite has an integer overflow vulnerability. If an attacker can trick a user into opening a specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or possibly execute arbitrary code with the user's privileges.
Alerts:
Red Hat RHSA-2007:0010-01 2007-02-20
Slackware SSA:2006-357-04 2006-12-25
Gentoo 200612-05 2006-12-10
Mandriva MDKSA-2006:222 2006-12-01
Ubuntu USN-388-1 2006-11-29

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libgsf: heap buffer overflow

Package(s):libgsf CVE #(s):CVE-2006-4514
Created:November 30, 2006 Updated:January 11, 2007
Description: The GNOME library libgsf, which is used for writing structured file formats, has a heap buffer overflow that can be exploited for the purpose of executing arbitrary code.
Alerts:
Red Hat RHSA-2007:0011-01 2007-01-11
SuSE SUSE-SA:2006:076 2006-12-14
rPath rPSA-2006-0232-1 2006-12-14
Gentoo 200612-13 2006-12-12
Fedora FEDORA-2006-1417 2006-12-07
Fedora FEDORA-2006-1399 2006-12-05
Ubuntu USN-391-1 2006-12-04
Mandriva MDKSA-2006:220 2006-11-30
Debian DSA-1221-1 2006-11-30

Comments (none posted)

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Slackware SSA:2006-357-05 2006-12-25
Gentoo 200607-07 2006-07-20
Mandriva MDKSA-2006:121 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117 2006-07-06