Playing with the OLPC
The
One Laptop Per Child project is likely
to be familiar to most LWN readers by now. An important milestone on this
project's plan for the creation of low-cost educational systems is the
production of "BTest-1" systems. The project has manufactured on the order
of 1000 laptops and distributed them to testers worldwide as a way of,
hopefully, shaking out the remaining hardware issues and making a start on
the software side of the equation. Some systems have even been shipped to
Microsoft so that some sort of Windows port can be done; this move has
upset some OLPC supporters, but when the designers of the laptop said they
planned to make a 100% open system, they meant it.
Your editor was lucky enough to receive one of these systems, after having
been put through the indignity of seeing everybody else's "I got my laptop"
posts first. There has not been a great deal of time to play with it yet,
but your editor has had the chance to form some first impressions. The
OLPC XO (or whatever it is eventually called) is going to be a nice system.
Back in July, we interviewed Jim
Gettys about this system; one of the questions we asked was how they
planned to keep adults from stealing the laptops from the children for
their own purposes. Jim answered:
First, we intend that the systems be instantly recognizable as
kid's systems, not only so that kids like them and value them more
and take care of them carefully, but also so that adults with
machines in their possession may be asked questions about whether
they should have the machine.
Even with this in mind, most people who see an OLPC for the first time are
surprised by just how small it is. Understanding sets in for real when one
attempts to use the keyboard; the small keys will work for a small child,
but, for your fat-fingered editor, it is very much a hunt-and-peck device.
There will be very few adults who will be able to type comfortably on this
system. With the size of the device and its bright colors, they will also
look decidedly silly in the attempt. This machine is clearly for kids.
Another way to make adults look silly is to hand the laptop to one of them
and suggest that they open it. Your editor has performed this experiment
several times now, and has not yet seen anybody succeed. Most people try
pushing on the green square that looks like a latch, but which is,
in reality, the hinge. The secret is to lift up the two "ears," which
happen to be the wireless network antennas, and open the top toward the
handle. Anybody attempting to use a crowbar should be stopped immediately.
The display can rotate 180 degrees and be closed over the keyboard, putting
the device into "ebook" mode. There is no touchscreen on the device, so
the only controls available in this mode are the eight buttons (four arrows
and four which, for now, look like Sony game controller buttons) next to
the display.
On the software side, the test system is running a pared-down version of
the Fedora Core distribution. The kernel is essentially 2.6.19-rc2 with a
fair set of patches (some since merged into the mainline) to support the OLPC
hardware. Many of the basic utilities are there, and there is a Python
interpreter available. But anybody looking for a C compiler,
OpenOffice.org, emacs, Wesnoth, etc. will not find them. The system has
little space (512MB of flash storage) and even less memory, so a lot of
larger applications will never find space there.
The BTest-1 release
notes make it clear that the process of putting together the software
is just beginning; the focus, until now, has been on getting the hardware
working. So many of the provided "activities" are present only in a
preliminary form, and others are not there at all yet. It is not,
according to the release notes, time to test the device on children (though
your editor's children disagree rather strongly). Certainly the adults are
starting to have fun with the system; your editor was gratified by this brief
posting on video conferencing on the OLPC using the telepathy package.
Running software on the test system drives home a point the project has
been making for some time: much of the software we run now is far too
bloated and slow. With a suitable amount of attention to resource use, the
OLPC hardware is powerful enough to accomplish a wide variety of tasks -
web browsing, document editing, video conferencing, and more. But, with
the wrong software, the system will just sit there and thrash. So one of
the primary goals for the OLPC software team in the coming months will be
to put the system's applications on a diet until they fit comfortably on
this small system. This work will benefit us all in the end; some of the
work aimed at slimming down the Gecko rendering engine can already be found
in Firefox 2.
Beyond that, however, this project is setting up to put millions of
Linux-based laptops into the hands of children worldwide. These systems
will include mesh networking and cameras; this is a combination which is
likely to lead to interesting things to see on video sharing sites - and
serious news channels. The laptop will be wide open, with the "view source"
functionality built in. There are many people who question this project
and whether the countries involved might better spend their resources on
clean water, sanitation, and so on. Those are legitimate questions which
cannot be simply brushed off. But one should also consider what those kids
will be able to do given better access to knowledge, communications, and a
platform they can hack to their own ends. It is going to be interesting to
watch.
The next document format battleground
Recent weeks have seen a great deal of debate over Microsoft's OpenXML
document format. This format, which is headed for standard status, is a
complex beast. Some have questioned whether it will ever be able to create
independent implementations of OpenXML which are truly interoperable with
each other. Others ask whether it is right for the free software community
to even try. To many members of our community, the right path is to
encourage the use of OpenDocument, which already has standard status and
implementations in free software. Why get onto another document format
treadmill when a better solution is already available?
These questions are valid, and they deserve full consideration. But they may
also, to an extent, be missing the real point. It is entirely possible
that the document format battles are done; even if OpenXML is not a perfect
standard, it is far more open than its predecessors. While
Microsoft is not inclined to make life easy for those who would
interoperate with its file formats, the company may well have realized that
obscure formats have outlived their usefulness as a way of maintaining
desktop domination. This might just be a battle we have won, even if the
victory is rather more messy than we would like.
Before we charter an aircraft carrier for our "mission accomplished" party,
however, it is worth reflecting on different forms this fight could take in
the future. Cory Doctorow gave us a good hint in this
InformationWeek article on "information rights management." IRM is a
feature touted by Microsoft for a few years now which has the potential to
complicate life considerably in the future.
IRM offers some interesting features to people who are worried about the
information they put into their documents, presentations, and
spreadsheets. With IRM, the document owner can specify exactly who can
read a particular file, and under what conditions. Access can have an
expiration time attached to it - or it can be revoked at any time. Actions
like printing can be restricted. For anybody who feels the need to control
information, these features cannot fail to be appealing.
But these features only work if the client plays along, and free software
clients have not always distinguished themselves in this area. Or, rather,
they have distinguished themselves very well by serving the needs of their
users. Even if a programmer implements the "this document can only be
printed once" flag, somebody else, perhaps after having lost their one
printing opportunity
to a particularly nasty paper jam, will hack it out. Clearly, Microsoft
must prevent the creation of free applications which can read IRM-protected
documents or it will be unable to live up to the promises it has made for
that technology.
Microsoft has a couple of weapons at its disposal (beyond pure obscurity)
which can be used against any potential free IRM implementation. One is
the DMCA, which, in the US (and countries which have implemented similar
laws), can be employed against those who bypass access restriction
mechanisms. Anybody who posted code that, say, allowed the user to cut and
paste text out of an IRM-protected document would likely face an unpleasant
reception in the US. They would be in a situation much like that faced by
Dmitry Sklyarov, who bypassed similar restrictions in PDF files, a few
years ago.
Of course, the Sklyarov case did not necessarily work to Adobe's advantage
in the end, and Microsoft might wish to avoid a similar storm of bad
publicity. So, as Cory's article points out, Microsoft might pursue a
different option: the use of the trusted platform module (TPM)
increasingly being built into new computers. With the remote attestation
feature of the TPM, it is possible to refuse to pass decryption keys to any
system which cannot be shown to be running approved software. This system
would be quite tight and hard to defeat - it might just work. And it would
no longer matter how "open" the document format is.
The full remote attestation scenario requires the cooperation of the entire
system, starting with a "secure" BIOS which initializes the TPM properly.
Most systems do not currently operate in this mode, so the realization of
this threat will not happen in the immediate future. One should not,
however, forget that the TPM has been designed to support just this mode of
operation. It does not take all that much paranoia to imagine that these
capabilities will not go unused forever. "Trusted computing" has yet to
touch most of us, but we ignore it at great risk. Among other things, it
could make the current discussion of open document formats entirely moot.
Steps in the Fedora transition
The recent Fedora Summit reached a number of conclusions about the future
of the project. These include the elimination of the distinction between
Fedora Core and Fedora Extras and the extension of the support period for
Fedora releases to approximately 13 months. Since then, various parts of
the project have tried to figure out what is really
going to happen. It is beginning to appear that a few things, at least,
are coming into focus.
When changes of this magnitude are in store, one's thoughts immediately
turn to the most important topic: what will be the project's new name?
Quite a few possibilities were discussed, including Fedora Union (not
everybody liked the acronym) and Fedora Freedom (which, it seems, brings
unwelcome associations with "freedom fries" to a fair number of people).
After weeks of discussion, it would appear that people are converging on
(...drum roll...) "Fedora." Who would have guessed?
So when will the next Freedom Fries Fedora release be?
According to a recently-posted schedule
proposal, Fedora 7 will come out on April 24, 2007. That
date seems to be driven by the Red Hat Summit, which starts on May 9;
the Fedora folks would like to have something to show off at that event.
On this schedule, the first test release would be on January 30, just
before the next FUDcon, which appears set for February 2 to 4.
Assuming the schedule does not slip, it should be possible to hand out
Fedora 7 disks to Red Hat Summit attendees.
The only problem is that Fedora schedules have been known to slip at
times. This realization has led to a discussion on what went wrong, and
how schedule slips might be avoided this time around. There were a number
of issues that came up toward the end of the Fedora Core 6 effort,
some of which would have been hard to anticipate and avoid. One of the
biggest issues, however, was the fact that Xen didn't work. Fedora kernel
maintainer Dave Jones has some choice words
about Xen, along with a grim prognosis about the potential for future
problems. It rather appears
that Fedora might be best served by dropping Xen altogether, but that is
unlikely to happen in the short term. Red Hat Enterprise Linux needs to
have Xen (after all, Novell ships it), and Fedora is where these
technologies get much of their early testing.
That said, there seems to be a fair amount of sympathy for the idea of
simply dropping features with problems that threaten to delay the release.
Hopefully the Fedora developers won't have to make any such choices this
time around, but, should something come up, it will be interesting to see
how they respond.
Another open question is what happens to the Fedora Legacy project. Nobody
has really taken the step of officially shutting it down. Jesse Keating
has walked away from it, however, and few
people seem to see much reason for keeping it going. There are
users who would like to see more than 13 months of security support for
Fedora releases, but the subset of those users who are willing to help
Fedora Legacy provide that support is quite small.
Meanwhile, the project did (on December 12) put this note onto its web page:
The current model for supporting maintenance distributions is being
re-examined. In the meantime, we are unable to extend support to
older Fedora Core releases as we had planned. As of now, Fedora
Core 4 and earlier distributions are no longer being maintained.
Given that the project only managed one Fedora Core 4 update ever, one
could argue that the situation has not changed much. But at least it is
now clear. What is less clear is how the various hosting companies which
offer Fedora Core 4 servers have kept them secure so far, and what
they intend to do now.
Finally, the project still has not come to a final resolution on what to do about
RPM. The subject was apparently discussed at
the December 12 board meeting, but no communications are, as of
this writing, available. With luck, we'll hear from the project on this
topic before
too long. Infrastructure like RPM is too important to leave in a limbo
state for this long.
Page editor: Jonathan Corbet
Security
Another kernel core dump security issue
December 13, 2006
This article was contributed by Jake Edge.
When a security bug is found in the kernel, a patch is usually available
within hours; the kernel developers rightly take these things very seriously.
Once the patch is available, the stable team typically releases a new kernel
within a week or so and this is one of the big advantages of open source.
Once in a while, however, a bug that was fixed previously creeps back into
the source, open or closed; this is known as a 'regression'.
This week's 2.6.19.1 kernel
release has a fix for something
that looks an awful lot like a regression, but technically is not.
Back in July, LWN described
a security problem in the then-current 2.6.17 kernel. The issue was that
local users could configure their processes to write core dump files in
directories that they did not have write permissions for. As the article
described, this could be trivially exploited for local privilege escalation;
in short, a local root hole.
This bug was fixed by the following patch:
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1983,7 +1983,7 @@ asmlinkage long sys_prctl(int option, un
error = current->mm->dumpable;
break;
case PR_SET_DUMPABLE:
- if (arg2 < 0 || arg2 > 2) {
+ if (arg2 < 0 || arg2 > 1) {
error = -EINVAL;
break;
}
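Review bot: the tightened range check closes only the prctl(PR_SET_DUMPABLE) path; as the article notes, mm->dumpable can still become 2 through /proc/sys/fs/suid_dumpable, so every place in do_coredump() that opens the core file must keep passing the O_EXCL flag, and a test asserting that prctl(PR_SET_DUMPABLE, 2) now returns -EINVAL would keep this check from regressing. Also, arg2 is an unsigned long in sys_prctl, so the `arg2 < 0` half of the condition can never be true; only the `arg2 > 1` test does any work and the dead comparison could be dropped.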
which prevented processes from setting the
dumpable flag to two. That flag
governs whether core dumps are produced by the process; the special
value of two reflects an ability to dump core with root privileges, quite
possibly to directories that the user cannot normally write to. The code
did guard against overwriting existing files, for security reasons, but
did not consider the implications of allowing user processes to effectively
write anywhere.
The code which handles the dumpable flag lives in fs/exec.c in the
aptly named do_coredump() function:
	if (mm->dumpable == 2) {	/* Setuid core dump mode */
		flag = O_EXCL;		/* Stop rewrite attacks */
		current->fsuid = 0;	/* Dump root private */
	}
and further down, flag is used as part of the filp_open()
call:
	file = filp_open(corename, O_CREAT|2|O_NOFOLLOW|O_LARGEFILE|flag, 0600);
At the end of September, a
patch by Andi Kleen was
applied to allow core dumps to be piped to a userspace process. This
patch had been, according to Andi, "hanging around for a long time" and
lacked the flag
in the call to filp_open(). The patch made it into the 2.6.19-rc1
kernel and from there into 2.6.19.
The impact of the bug is relatively low as a root user would have to set
the dumpable flag to two via
/proc/sys/fs/suid_dumpable. This would allow user processes to write
core dumps anywhere, which is as designed, but also would allow them to
overwrite existing files, which is not. It probably is not very common
that admins need to configure things that way, but it certainly is not
completely outside the realm of possibility either.
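A userspace model of the do_coredump() open logic discussed above, written as an added example for this article (it is not code from the kernel tree or from LWN): it opens a pre-existing file the way the setuid core-dump path does, once without the O_EXCL flag, as in the piped-dump patch, and once with it, and reports whether the existing file would have been opened for writing. The helper names try_core_open() and run_demo() and the temporary file are the example's own.

```c
/* Added example: a userspace model of the open() in do_coredump().
 * The kernel passes the literal 2 to filp_open(), which is O_RDWR on Linux;
 * libc's open() is used here with the same flags. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef O_LARGEFILE
#define O_LARGEFILE 0           /* already implied on 64-bit platforms */
#endif

/* Mirror of the do_coredump() decision: dumpable == 2 means the dump is
 * written with root privileges, so an existing file must never be reused.
 * with_excl_fix == 0 models the piped-dump patch that dropped `flag`. */
static int coredump_open_flags(int dumpable, int with_excl_fix)
{
    int flag = 0;
    if (dumpable == 2 && with_excl_fix)
        flag = O_EXCL;          /* Stop rewrite attacks */
    return O_CREAT | O_RDWR | O_NOFOLLOW | O_LARGEFILE | flag;
}

/* Open `corename` as do_coredump() would.  Returns 1 if the open succeeded
 * (a dump would land in the existing file), 0 if it was refused with
 * EEXIST, and -1 on any other error. */
static int try_core_open(const char *corename, int dumpable, int with_excl_fix)
{
    int fd = open(corename, coredump_open_flags(dumpable, with_excl_fix), 0600);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return errno == EEXIST ? 0 : -1;
}

/* Constructed scenario: a pre-existing file, standing in for anything the
 * dump must not clobber, created in a temporary location. */
static int run_demo(int with_excl_fix)
{
    char path[] = "/tmp/coredemo-XXXXXX";   /* constructed path */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, "important\n", 10) != 10) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    int result = try_core_open(path, 2, with_excl_fix);
    unlink(path);
    return result;
}

int main(void)
{
    printf("dumpable=2, flag dropped:  open %s\n",
           run_demo(0) == 1 ? "succeeded (existing file reused)" : "refused");
    printf("dumpable=2, O_EXCL kept:   open %s\n",
           run_demo(1) == 0 ? "refused with EEXIST" : "succeeded");
    return 0;
}
```

The first line reproduces what the 2.6.19 bug allowed; the second is the behavior the O_EXCL guard restores.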
As described in the patch, Alexey Dobriyan
used a list of warnings
gathered from compiling the kernel. The warnings were grepped for
'was set but never used' and the first entry in the list pointed to this
problem. The kernel produces enough warnings that problems like this tend
to be obscured in a sea of bogus or overly picky warnings.
This particular bug is not technically a regression as there never was a bug
that allowed this behavior until it was introduced in the patch. It has been
assigned
CVE-2006-6304
(as of this writing, it is just a reserved CVE with no information).
It is great to see folks scrutinizing warnings and looking for bugs in the
kernel; this is just the kind of thing that the 'many eyes make all bugs
shallow' theory refers to.
It would be nice to see a kernel regression test suite that contained
test cases for bugs that have previously been fixed as that kind of thing
might have caught this bug. It is a difficult problem, however, and keeping
up with the number of bug fix patches would be daunting. Perhaps a regression
suite that focused on security fixes would be a good place to start.
New vulnerabilities
clamav: missing sanity checks
| Package(s): | clamav |
| CVE #(s): | CVE-2006-5874 |
| Created: | December 11, 2006 |
| Updated: | December 14, 2006 |
| Description: | Stephen Gran discovered that malformed base64-encoded MIME attachments
can lead to denial of service through a null pointer dereference. |
enemies-of-carlotta: input sanitizing
| Package(s): | enemies-of-carlotta |
| CVE #(s): | CVE-2006-5875 |
| Created: | December 13, 2006 |
| Updated: | December 13, 2006 |
| Description: | It would seem that enemies-of-carlotta, a mailing list manager, does not
check email addresses before passing them to a shell. |
gnupg: stack overwrite
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-6235 |
| Created: | December 12, 2006 |
| Updated: | March 13, 2007 |
| Description: | A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to
execute arbitrary code via crafted OpenPGP packets that cause GnuPG to
dereference a function pointer from deallocated stack memory. |
kdegraphics: stack overflow
| Package(s): | kdegraphics |
| CVE #(s): | CVE-2006-6297 |
| Created: | December 12, 2006 |
| Updated: | January 13, 2007 |
| Description: | A stack overflow in the KFILE JPEG (kfile_jpeg) plugin in kdegraphics3, as
used by konqueror, digikam, and other KDE image browsers, allows remote
attackers to cause a denial of service (stack consumption) via a crafted
EXIF section in a JPEG file, which results in an infinite recursion. |
l2tpns: buffer overflow
| Package(s): | l2tpns |
| CVE #(s): | CVE-2006-5873 |
| Created: | December 8, 2006 |
| Updated: | December 13, 2006 |
| Description: | Rhys Kidd discovered a vulnerability in l2tpns, a layer 2 tunneling
protocol network server, which could be triggered by a remote user to
execute arbitrary code. |
libmodplug: boundary errors
| Package(s): | libmodplug |
| CVE #(s): | CVE-2006-4192 |
| Created: | December 11, 2006 |
| Updated: | September 28, 2007 |
| Description: | Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application. |
madwifi-ng: buffer overflow
| Package(s): | madwifi-ng |
| CVE #(s): | CVE-2006-6332 |
| Created: | December 11, 2006 |
| Updated: | December 13, 2006 |
| Description: | Laurent Butti, Jerome Raznieski and Julien Tinnes reported a buffer
overflow in the encode_ie() and the giwscan_cb() functions from
ieee80211_wireless.c. A remote attacker could send specially crafted
wireless WPA packets containing malicious RSN Information Headers (IE) that
could potentially lead to the remote execution of arbitrary code as the
root user. |
ruby: denial of service
| Package(s): | ruby |
| CVE #(s): | CVE-2006-6303 |
| Created: | December 7, 2006 |
| Updated: | December 21, 2006 |
| Description: | The Ruby CGI library, cgi.rb, does not properly detect
boundaries in MIME multipart content. A remote attacker can
use this to cause a denial of service. |
squirrelmail: multiple cross-site scripting vulnerabilities
| Package(s): | squirrelmail |
| CVE #(s): | CVE-2006-6142 |
| Created: | December 11, 2006 |
| Updated: | January 31, 2007 |
| Description: | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0
through 1.4.9 allow remote attackers to inject arbitrary web script or HTML
via the mailto parameter in webmail.php, the session and delete_draft
parameters in compose.php, and unspecified vectors involving "a shortcoming
in the magicHTML filter." |
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid
Expect header sent to the server was returned to the user in an unescaped
error message. This could allow an attacker to perform a cross-site
scripting attack if a victim was tricked into connecting to a site and
sending a carefully crafted Expect header." |
apache-mod_auth_kerb: off-by-one error
| Package(s): | apache-mod_auth_kerb |
| CVE #(s): | CVE-2006-5989 |
| Created: | November 24, 2006 |
| Updated: | January 23, 2007 |
| Description: | An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows
remote attackers to cause a denial of service (crash) via a crafted
Kerberos message that triggers a heap-based buffer overflow in the
component array. |
asterisk: arbitrary code execution
| Package(s): | asterisk |
| CVE #(s): | CVE-2006-5444 |
| Created: | October 19, 2006 |
| Updated: | December 6, 2006 |
| Description: | The Asterisk telephony PBX application has a heap overflow vulnerability
in the skinny channel driver. A remote attacker can use this to
arbitrarily execute code with the privileges of the Asterisk user.
See this vulnerability report for more information. |
avahi: sender id check
| Package(s): | avahi |
| CVE #(s): | CVE-2006-5461 |
| Created: | November 13, 2006 |
| Updated: | December 20, 2006 |
| Description: | Steve Grubb discovered that netlink messages were not being checked for
their sender identity. This could lead to local users manipulating the
Avahi service. |
bind: denial of service
| Package(s): | bind |
| CVE #(s): | CVE-2006-4095, CVE-2006-4096 |
| Created: | September 7, 2006 |
| Updated: | February 1, 2007 |
| Description: | Bind has two denial of service vulnerabilities.
Recursive server queries for SIG records will trigger an assertion
failure if more than one RR set is returned.
An INSIST failure can be triggered by sending a large number of
recursive queries. |
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 |
| Created: | November 10, 2006 |
| Updated: | August 28, 2007 |
| Description: | Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e.g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
dovecot: index cache file handling error
| Package(s): | dovecot |
| CVE #(s): | CVE-2006-5973 |
| Created: | November 29, 2006 |
| Updated: | May 8, 2007 |
| Description: | The dovecot IMAP server has an error in its index cache file handling
code which could be exploited by an authenticated user to execute
arbitrary code. Only servers with the (non-default) mmap_disable=yes
option setting are vulnerable. |
elinks: arbitrary file access
| Package(s): | elinks |
| CVE #(s): | CVE-2006-5925 |
| Created: | November 16, 2006 |
| Updated: | February 1, 2007 |
| Description: | The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions. |
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2006-4799, CVE-2006-4800 |
| Created: | September 14, 2006 |
| Updated: | May 28, 2007 |
| Description: | The AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
AVI, arbitrary code can be executed with the user's privileges. |
freeradius: several vulnerabilities
| Package(s): | freeradius |
| CVE #(s): | CVE-2005-4745, CVE-2005-4746 |
| Created: | August 8, 2006 |
| Updated: | April 24, 2007 |
| Description: | Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | October 10, 2007 |
| Description: | The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
ftpd: privilege escalation
| Package(s): | ftpd |
| CVE #(s): | CVE-2006-5778 |
| Created: | November 10, 2006 |
| Updated: | February 14, 2007 |
| Description: | Ftpd is vulnerable to a privilege escalation attack;
an incorrect seteuid() call can be used by an FTP user to gain
unauthorized access to files or directories. |
gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: | The fastjar utility found in the GNU compiler collection does not perform
adequate file path checking, allowing the creation or overwriting of files
outside of the current directory tree. |
gdb: buffer overflow
| Package(s): | gdb |
| CVE #(s): | CVE-2006-4146 |
| Created: | September 15, 2006 |
| Updated: | June 12, 2007 |
| Description: | A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and
permissions; gdm 2.14.2 fixes the problem. |
gnupg: buffer overflow
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-6169 |
| Created: | November 30, 2006 |
| Updated: | December 11, 2006 |
| Description: | GnuPG has a buffer overflow vulnerability. If a user can be tricked
into running gpg interactively on a specially crafted message,
arbitrary code can be executed with the user's privileges. |
gv: stack-based buffer overflow
Package(s): gv
CVE #(s): CVE-2006-5864
Created: November 20, 2006
Updated: April 9, 2007
Description: Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header.
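The gv flaw is a PostScript DSC comment argument (%%DocumentMedia: ...) copied into a fixed-size stack buffer with no length check. Below, as an added example written for this page (not gv's code), the unsafe shape sits beside a bounded parser that returns an error when the argument does not fit; ps_gettext_unsafe, ps_get_comment_arg and scan_document_media are hypothetical names, PS_TEXT_MAX is an assumed buffer size, and the PostScript headers in main are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PS_TEXT_MAX 256   /* assumed size of the fixed stack buffer */

/* The vulnerable shape (illustrative, not gv's code): a DSC comment
 * argument of attacker-chosen length copied into a fixed stack buffer.
 * Never call this with untrusted input; it is here only for contrast. */
void ps_gettext_unsafe(const char *arg)
{
    char text[PS_TEXT_MAX];
    strcpy(text, arg);            /* writes past `text` once strlen(arg) >= 256 */
    (void)text;
}

/* Hardened: if `line` is the DSC comment "%%<keyword>: <arg>", copy <arg>
 * (to end of line, CR/LF excluded) into out. Returns 1 on success, 0 if the
 * line is some other comment, and -1 if the argument does not fit in out,
 * so the caller skips or rejects the file instead of overflowing. */
int ps_get_comment_arg(const char *line, const char *keyword,
                       char *out, size_t outsz)
{
    size_t klen = strlen(keyword);
    if (strncmp(line, "%%", 2) != 0)
        return 0;
    const char *p = line + 2;
    if (strncmp(p, keyword, klen) != 0 || p[klen] != ':')
        return 0;
    p += klen + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, "\r\n");
    if (n >= outsz)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Scan a header block line by line for %%DocumentMedia. Returns 1 with the
 * argument in `media`, 0 if absent, -1 if present but oversized. */
int scan_document_media(const char *ps, char *media, size_t mediasz)
{
    const char *line = ps;
    while (*line) {
        int rc = ps_get_comment_arg(line, "DocumentMedia", media, mediasz);
        if (rc != 0)
            return rc;
        const char *nl = strchr(line, '\n');
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed benign header. */
    const char benign[] =
        "%!PS-Adobe-3.0\n"
        "%%DocumentMedia: Plain 612 792 0 () ()\n"
        "%%Pages: 1\n";
    char media[PS_TEXT_MAX];
    printf("benign:  rc=%d media=\"%s\"\n",
           scan_document_media(benign, media, sizeof media), media);

    /* Constructed hostile header: a DocumentMedia argument far longer than
     * the buffer, the shape that overflowed gv's stack. */
    char hostile[700];
    int off = snprintf(hostile, sizeof hostile, "%%!PS-Adobe-3.0\n%%%%DocumentMedia: ");
    memset(hostile + off, 'A', 600);
    strcpy(hostile + off + 600, "\n");
    printf("hostile: rc=%d (rejected instead of overflowing)\n",
           scan_document_media(hostile, media, sizeof media));
    return 0;
}
```

Returning -1 rather than silently truncating matters: a truncated media name would be parsed further as if it were valid, and the same unbounded copy usually exists for several other DSC keywords, so the bound belongs in the one shared helper.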
gzip: multiple vulnerabilities
Package(s): gzip
CVE #(s): CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338
Created: September 19, 2006
Updated: June 1, 2007
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash (CVE-2006-4334, CVE-2006-4338). He also discovered several code execution flaws in the same decompression code: a specially crafted archive could cause gzip to crash or execute arbitrary code (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337).
gzip: arbitrary command execution
Package(s): gzip
CVE #(s): CAN-2005-0758 (now CVE-2005-0758)
Created: August 1, 2005
Updated: January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters such as '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with the user's privileges if zgrep is run in an untrusted directory containing specially crafted file names.
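The zgrep bug is classic command injection: a file name is pasted into a command string that a shell then interprets. The added example below (not gzip's script, and in C rather than sh so both resulting strings can be inspected) builds the unsafe command beside one in which every untrusted word is single-quoted with shell_quote; shell_quote, zgrep_command_unsafe and zgrep_command_safe are hypothetical names and the file name in main is constructed. Avoiding the shell altogether, by fork()/execvp() with a real argv, is the stronger fix where no pipeline is required.

```c
#include <stdio.h>
#include <string.h>

/* Single-quote `s` for a POSIX shell: wrap it in '...' and replace each
 * embedded ' with '\'' (close quote, escaped quote, reopen). Inside single
 * quotes no other character is special. Returns 0, or -1 if out is too small. */
int shell_quote(const char *s, char *out, size_t outsz)
{
    size_t o = 0;
    if (o + 1 >= outsz)
        return -1;
    out[o++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            if (o + 4 >= outsz)
                return -1;
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            if (o + 1 >= outsz)
                return -1;
            out[o++] = *s;
        }
    }
    if (o + 2 > outsz)
        return -1;
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* The vulnerable shape: the file name is spliced verbatim into a string that
 * will be handed to sh -c. A name such as "x; id" or "a|cmd" rewrites the
 * command. Returns 0 or -1 on truncation. */
int zgrep_command_unsafe(const char *pattern, const char *file,
                         char *cmd, size_t cmdsz)
{
    int n = snprintf(cmd, cmdsz, "gzip -cd %s | grep -e %s", file, pattern);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

/* Hardened: every untrusted word is quoted before it reaches the shell, and
 * "--" stops gzip from reading a name beginning with '-' as an option. */
int zgrep_command_safe(const char *pattern, const char *file,
                       char *cmd, size_t cmdsz)
{
    char qp[512], qf[512];
    if (shell_quote(pattern, qp, sizeof qp) != 0 ||
        shell_quote(file, qf, sizeof qf) != 0)
        return -1;
    int n = snprintf(cmd, cmdsz, "gzip -cd -- %s | grep -e %s", qf, qp);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed hostile file name of the kind the advisory describes. */
    const char *file = "report.gz; id > /tmp/pwned";
    char cmd[512];
    if (zgrep_command_unsafe("error", file, cmd, sizeof cmd) == 0)
        printf("unsafe: %s\n", cmd);
    if (zgrep_command_safe("error", file, cmd, sizeof cmd) == 0)
        printf("safe:   %s\n", cmd);
    return 0;
}
```

Note that quoting fixes the shell, not grep: "grep -e" is what keeps a pattern beginning with "-" from being parsed as an option, and a file name passed to grep itself would need "--" as well.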
imagemagick: buffer overflows
Package(s): imagemagick
CVE #(s): CVE-2006-5868
Created: November 28, 2006
Updated: February 16, 2007
Description: Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges.
ImageMagick: buffer overflows
Package(s): ImageMagick
CVE #(s): CVE-2006-5456
Created: October 31, 2006
Updated: March 8, 2007
Description: Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
imlib2: arbitrary code execution
Package(s): imlib2
CVE #(s): CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809
Created: November 6, 2006
Updated: August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
kdelibs: integer overflow
Package(s): kdelibs
CVE #(s): CVE-2006-4811
Created: October 18, 2006
Updated: March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-4623
Created: October 18, 2006
Updated: November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
kernel: bridging code buffer overflow
Package(s): kernel
CVE #(s): CVE-2006-5751
Created: December 6, 2006
Updated: January 3, 2007
Description: A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-4535, CVE-2006-4538
Created: September 18, 2006
Updated: December 3, 2007
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel (CVE-2006-4535). Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel (CVE-2006-4538).
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-4572, CVE-2006-4997
Created: November 6, 2006
Updated: January 17, 2007
Description: Two vulnerabilities were discovered in the Linux 2.6 kernel. The IPv6 netfilter code contains bugs that may be exploitable (CVE-2006-4572). The ATM subsystem could allow a remote attacker to cause a denial of service (panic) via unknown vectors that make it access socket buffer memory after it has been freed, a use-after-free (CVE-2006-4997).
kernel: denial of service by memory consumption
Package(s): kernel
CVE #(s): CVE-2006-2936
Created: July 17, 2006
Updated: November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued without bound.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-5757
Created: November 13, 2006
Updated: November 14, 2007
Description: From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")."
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-2935, CVE-2006-4145, CVE-2006-3745
Created: September 1, 2006
Updated: July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service) and, if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
koffice: integer overflow
Package(s): koffice
CVE #(s): CVE-2006-6120
Created: November 30, 2006
Updated: February 20, 2007
Description: The KOffice office suite has an integer overflow vulnerability. If an attacker can trick a user into opening a specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or possibly execute arbitrary code with the user's privileges.
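Both the kdelibs and KOffice entries above are integer overflows in size arithmetic driven by attacker-controlled fields. The advisories do not say which computation overflowed, so the added example below (written for this page, not KDE or KOffice code) shows the generic shape: width, height and bytes-per-pixel multiplied in 32-bit arithmetic wrap to a small number, malloc() returns a short buffer, and the decoder then writes the full image into it. The checked version computes in 64 bits and caps the result before it becomes an allocation size. image_bytes_unsafe, image_bytes_checked, alloc_image and MAX_IMAGE_BYTES are hypothetical names and an assumed policy, not values from the advisories.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy: the largest single image buffer this program will hand
 * to the allocator. Any real decoder needs some such ceiling. */
#define MAX_IMAGE_BYTES ((uint64_t)256 * 1024 * 1024)

/* The overflow-prone shape: three untrusted 32-bit fields multiplied in
 * 32-bit arithmetic. 65536 * 65536 * 1 wraps to exactly 0, so the later
 * malloc() returns a tiny buffer and the decoder fills it with width*height
 * pixels. Unsigned wrap is well-defined, which is why this can be shown
 * running; it is still the bug. */
uint32_t image_bytes_unsafe(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened: reject zero or absurd fields, multiply in 64 bits, and compare
 * against the cap before any allocation. The division form of the check
 * cannot itself overflow. Returns 0 and sets *out, or -1 on rejection. */
int image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return -1;
    uint64_t row = (uint64_t)width * bpp;        /* < 2^36, cannot wrap */
    if (row > MAX_IMAGE_BYTES / height)          /* row * height > cap */
        return -1;
    *out = (size_t)(row * height);
    return 0;
}

/* Allocate a zeroed image buffer or return NULL; callers never see a
 * wrapped size because the size is only ever produced by the check above. */
unsigned char *alloc_image(uint32_t width, uint32_t height, uint32_t bpp,
                           size_t *size)
{
    if (image_bytes_checked(width, height, bpp, size) != 0)
        return NULL;
    return calloc(*size, 1);
}

int main(void)
{
    size_t n = 0;
    printf("unsafe  65536x65536x1 -> %u bytes (wrapped)\n",
           (unsigned)image_bytes_unsafe(65536, 65536, 1));
    unsigned char *img = alloc_image(65536, 65536, 1, &n);
    printf("checked 65536x65536x1 -> %s\n", img ? "allocated" : "rejected");
    free(img);
    img = alloc_image(1024, 768, 4, &n);
    printf("checked 1024x768x4    -> %zu bytes %s\n", n,
           img ? "allocated" : "rejected");
    free(img);
    return 0;
}
```

The cap is doing real work, not just the 64-bit arithmetic: on a 64-bit host 65535 x 65535 x 4 does not wrap, but accepting it means a 16 GiB allocation from a 30-byte header, which is its own denial of service.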
libgadu: memory alignment bug
Package(s): libgadu
CVE #(s): CAN-2005-2370 (now CVE-2005-2370)
Created: July 29, 2005
Updated: June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, the console Gadu-Gadu instant messaging client), which is also included in gaim, a multi-protocol instant messaging client. It cannot be exploited on the x86 architecture, but on others, e.g. SPARC, it leads to a bus error, in other words a denial of service.
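The libgadu entry is an alignment bug: a 32-bit field read through a pointer cast at an arbitrary offset works on x86 and faults with SIGBUS on SPARC. The added example below (written for this page, not libgadu's code) shows the cast beside a byte-wise little-endian read, plus a header parser that also refuses a payload length larger than the bytes actually received; gg_header, read_u32_by_cast, read_le32 and gg_parse_header are hypothetical names, the header layout is assumed for illustration, and the frame bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed wire header: two little-endian 32-bit fields followed by
 * `length` bytes of payload. */
struct gg_header {
    uint32_t type;
    uint32_t length;
};

/* The pattern that faults on strict-alignment CPUs: reinterpret a byte
 * pointer at an arbitrary offset as a uint32_t. On x86 this "works"; on
 * SPARC it raises SIGBUS; in the C standard it is undefined behaviour.
 * Shown for contrast only; nothing below calls it. */
uint32_t read_u32_by_cast(const unsigned char *p)
{
    return *(const uint32_t *)p;
}

/* Alignment- and endianness-safe read: assemble the value byte by byte.
 * Compilers turn this into a single load where the CPU allows one. */
uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a header from `buf` of `len` received bytes. Returns the payload
 * offset (8) on success, -1 if the buffer is too short or the advertised
 * length exceeds what was actually received: the length field is attacker
 * controlled too, and trusting it is the next bug after the alignment one. */
int gg_parse_header(const unsigned char *buf, size_t len, struct gg_header *h)
{
    if (len < 8)
        return -1;
    h->type = read_le32(buf);
    h->length = read_le32(buf + 4);
    if (h->length > len - 8)
        return -1;
    return 8;
}

int main(void)
{
    /* Constructed frame: one leading byte of unrelated data, then a header
     * {type=0x0c, length=5} and the payload "hello", so that the header
     * starts at an odd address exactly as a misparsed stream would place it. */
    static const unsigned char frame[] = {
        0xAA,
        0x0c, 0x00, 0x00, 0x00,
        0x05, 0x00, 0x00, 0x00,
        'h', 'e', 'l', 'l', 'o'
    };
    struct gg_header h;
    int off = gg_parse_header(frame + 1, sizeof frame - 1, &h);
    if (off < 0) {
        printf("rejected\n");
        return 1;
    }
    printf("type=0x%02x length=%u payload=\"%.*s\" (header at %s address)\n",
           (unsigned)h.type, (unsigned)h.length, (int)h.length,
           (const char *)frame + 1 + off,
           ((uintptr_t)(frame + 1) & 3) ? "an unaligned" : "an aligned");
    return 0;
}
```

Declaring a packed struct and casting the buffer to it only moves the problem: the compiler then emits byte loads on strict-alignment targets, but any pointer taken to a member and dereferenced elsewhere is back to the cast above.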
libgd2: denial of service
Package(s): libgd2
CVE #(s): CVE-2006-2906
Created: June 14, 2006
Updated: January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
libgsf: heap buffer overflow
Package(s): libgsf
CVE #(s): CVE-2006-4514
Created: November 30, 2006
Updated: January 11, 2007
Description: The GNOME library libgsf, which is used for reading and writing structured file formats, has a heap buffer overflow that can be exploited to execute arbitrary code.
libmms: buffer overflows
Package(s): libmms
CVE #(s): CVE-2006-2200
Created: July 6, 2006
Updated: December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite arbitrary memory with zeros, crashing the program.