LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Security news
Vulnerabilities and alerts in 2002
One of the advantages to having a site built on a real database is that you can use it to generate nifty tables. When we ran a list of vulnerabilities and alerts one year ago, the whole thing was generated by hand. Life is easier this time around....at least, if you're not concerned with keeping your systems secure. The following table, which covers the second half of 2002, contains 119 separate vulnerabilities, and well over 300 alerts. As much as we like to say that free software is more secure, the table below makes it clear that it is not anywhere near secure enough.
On the other hand, it's worth pointing out that almost none of the vulnerabilities listed below have, to our knowledge, been exploited on any kind of scale. Most of these problems have been found (and fixed) by developers proactively auditing the code; in general, the fixes seem to get out to most users in time to avoid widespread problems. Many of these vulnerabilities are, most likely, relatively hard to exploit.
The table reveals some of the limitations of our security database. If a vulnerability has no alerts from a particular distributor, it does not necessarily mean that said distributor never got around to fixing the problem. In many cases, the distributor did not ship a vulnerable version of the affected program, and thus did not need to put out an update.
New vulnerabilities
bladeenc - improper input verification
| Package(s): | bladeenc | CVE #(s): | ||||
| Created: | February 5, 2003 | Updated: | February 5, 2003 | |||
| Description: | Versions 0.94.2 (and prior) of the Blade MP3 encoder contain an input validation vulnerability which can lead to arbitrary code execution; see this advisory for details. | |||||
| Alerts: |
| |||||
courier - missing input sanitizing
| Package(s): | courier | CVE #(s): | CAN-2003-0040 | |||
| Created: | January 30, 2003 | Updated: | February 5, 2003 | |||
| Description: | The developers of courier, an integrated user side mail server, discovered a problem in the PostgreSQL auth module. Not all potentially malicious characters were sanitized before the username was passed to the PostgreSQL engine. An attacker could inject arbitrary SQL commands and queries exploiting this vulnerability. The MySQL auth module is not affected. | |||||
| Alerts: |
| |||||
kernel - Multiple vulnerabilities in version 2.4.18 of the kernel
| Package(s): | kernel | CVE #(s): | CAN-2003-0001 CAN-2003-0018 | |||
| Created: | February 4, 2003 | Updated: | February 5, 2003 | |||
| Description: | Vulnerabilities have been found in version 2.4.18 of the kernel.
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0001 to this issue. A vulnerability exists in O_DIRECT handling in Linux kernels 2.4.10 and later that can create a limited information leak where any user on the system with write privileges to a file system can read information from that file system (from previously deleted files), and can create minor file system corruption (easily repaired by fsck). Red Hat Linux in its default configuration is not affected by this bug, because the ext3 file system (the default file system in Red Hat Linux 7.2 and later) does not support the O_DIRECT feature. Of the kernels Red Hat has released, only the 2.4.18 kernels have this bug. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0018 to this issue. | |||||
| Alerts: |
| |||||
krb5 - vulnerability in Kerberos ftp client
| Package(s): | krb5 ftp netkit | CVE #(s): | CAN-2003-0041 | ||||||
| Created: | January 31, 2003 | Updated: | February 21, 2003 | ||||||
| Description: | Kerberos is a network authentication system.
A problem has been found in the Kerberos ftp client. When retrieving a file with a filename beginning with a pipe character, the ftp client will pass the filename to the command shell in a system() call. This could allow a malicious ftp server to write to files outside of the current directory or execute commands as the user running the ftp client. The Kerberos ftp client runs as the default ftp client when the Kerberos package krb5-workstation is installed on a Red Hat Linux distribution. | ||||||||
| Alerts: |
| ||||||||
qt-dcgui: file leaking
| Package(s): | qt-dcgui | CVE #(s): | ||||
| Created: | February 4, 2003 | Updated: | February 5, 2003 | |||
| Description: | All versions of qt-dcqui prior to 0.2.2 have a major security vulnerability
in the directory parser. This bug allows a remote attacker to download
files outside the sharelist. It's recommended that you upgrade the
packages immediatly.
Read the full announcment at: http://dc.ketelhot.de/pipermail/dc/2003-January/000094.html | |||||
| Alerts: |
| |||||
slocate - buffer overflow
| Package(s): | slocate | CVE #(s): | CAN-2003-0056 | |||||||||||||||
| Created: | February 5, 2003 | Updated: | May 8, 2003 | |||||||||||||||
| Description: | version 2.6 (at least) of slocate contains a buffer overflow vulnerability which could lead to a local exploit; see this advisory for the details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Updated vulnerabilities
perl-MailTools: remote command execution
| Package(s): | MailTools | CVE #(s): | CAN-2002-1271 | |||||||||||||||
| Created: | November 5, 2002 | Updated: | September 19, 2003 | |||||||||||||||
| Description: | The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
OpenLDAP2: remote command execution
| Package(s): | OpenLDAP2 | CVE #(s): | CAN-2002-1378 CAN-2002-1379 | |||||||||||||||||||||
| Created: | December 6, 2002 | Updated: | February 21, 2003 | |||||||||||||||||||||
| Description: | OpenLDAP is the Open Source implementation of the Lightweight Directory
Access Protocol (LDAP) and is used in network environments for distributing
certain information such as X.509 certificates or login information.
The SuSE Security Team reviewed critical parts of that package and found several buffer overflows and other bugs remote attackers could exploit to gain access on systems running vulnerable LDAP servers. In addition to these bugs, various local exploitable bugs within the OpenLDAP2 libraries (openldap2-devel package) have been fixed. Since there is no workaround possible except shutting down the LDAP server, an update is strongly recommended. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat | CVE #(s): | CAN-2002-0004 | |||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 15, 2003 | |||||||||||||||||||||||||||
| Description: | The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
BIND8: Multiple vulnerabilities
| Package(s): | bind | CVE #(s): | CAN-2002-1219 CAN-2002-1220 CAN-2002-1221 | |||||||||||||||||||||||||||
| Created: | November 13, 2002 | Updated: | March 6, 2003 | |||||||||||||||||||||||||||
| Description: | Three new vulnerabilities have been found in version 8 of the Berkeley
Internet Domain Server; see this
ISS advisory, the CERT Advisory
CA-2002-31, or the November 14 LWN
Security Page for details.
Red Hat has sent out an alert (not a regular advisory) suggesting that customers apply its previous BIND updates, which upgrade the system to BIND9. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc | CVE #(s): | CAN-2002-0651 CAN-2002-0684 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 8, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
Canna server: exploitable buffer overrun
| Package(s): | canna | CVE #(s): | CAN-2002-1158 CAN-2002-1159 | ||||||||||||
| Created: | December 10, 2002 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) | ||||||||||||||
| Alerts: |
| ||||||||||||||
cups - multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383 | ||||||||||||||||||||||||
| Created: | December 30, 2002 | Updated: | February 17, 2003 | ||||||||||||||||||||||||
| Description: | Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges. See the iDEFENSE advisory for more information. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
CVS - exploitable double-free bug in the CVS server
| Package(s): | cvs | CVE #(s): | CAN-2003-0015 | ||||||||||||||||||||||||||||||||||||
| Created: | January 20, 2003 | Updated: | April 7, 2003 | ||||||||||||||||||||||||||||||||||||
| Description: | CVS is a version control system frequently used to manage source code
repositories. During an audit of the CVS sources, Stefan Esser
discovered an exploitable double-free bug in the CVS server.
On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server. All users of CVS are advised to upgrade to erratum packages which contain patches to correct the double-free bug. See also this CERT advisory | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
dhcp3 - ignored counter boundary
| Package(s): | dhcp3 | CVE #(s): | CAN-2003-0039 | ||||||||||||
| Created: | January 28, 2003 | Updated: | April 4, 2003 | ||||||||||||
| Description: | Florian Lohoff discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured DHCP server(s) in case
of a malicious BOOTP packet, such as sent from buggy Cisco switches.
When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s). This patch introduces a new commandline switch ``-c maxcount'' and people are advised to start the dhcp-relay with ``dhcrelay -c 10'' or a smaller number, which will only create that many packets. The dhcrelay program from the ``dhcp'' package does not seem to be affected since DHCP packets are dropped if they were apparently relayed already. | ||||||||||||||
| Alerts: |
| ||||||||||||||
dvips: command execution vulnerability
| Package(s): | dvips | CVE #(s): | CAN-2002-0836 | ||||||||||||||||||||||||
| Created: | October 16, 2002 | Updated: | June 10, 2003 | ||||||||||||||||||||||||
| Description: | The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fetchmail: buffer overflow
| Package(s): | fetchmail | CVE #(s): | CAN-2002-1365 | ||||||||||||||||||||||||
| Created: | December 17, 2002 | Updated: | October 20, 2003 | ||||||||||||||||||||||||
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp | CVE #(s): | CAN-2002-0435 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 16, 2003 | ||||||||||||||||||
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Potential remote root exploit in glibc
| Package(s): | glibc | CVE #(s): | CAN-2002-0391 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | August 14, 2002 | Updated: | June 29, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 | Updated: | February 5, 2004 |
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | ||