LWN.net Weekly Edition for January 11, 2007

Looking forward to Fedora 7

LWN readers will, by now, be well familiar with the fact that the Fedora universe is changing. There will be no more Fedora Core releases, and the repository known as Fedora Extras is going away. In their place will be a combined distribution known simply as Fedora, with the next release being called Fedora 7. The Fedora community is busily trying to figure out just what that release is going to look like.

Bill Nottingham posted a discussion document on January 4. It keeps the previously-discussed schedule, with the first test release happening on January 30 and general availability of Fedora 7 on April 26. There's a long list of objectives for this release, some of which are:

  • Improving the speed of the boot and shutdown processes. "While Xerxes appreciates that he can grab a cup of coffee while waiting for his Fedora system to boot, it becomes annoying when he is not actually thirsty." There are a number of ideas on how this speedup can be effected, none of which appear to involve switching to Upstart. There is talk of replacing init, but nobody appears to own that task currently; it seems unlikely to happen for Fedora 7.

  • CodecBuddy - a recognition that not all content can currently be found in free formats. The idea is that the software would detect an attempt to play a file in an unsupported format and respond with an educational session on why free formats are better. Should the user not respond by immediately deleting all MP3 files, CodecBuddy will offer a pointer to available codecs whenever Red Hat Legal allows.

  • Encrypted filesystem support, though which encryption technology will be used has not been decided yet.

  • Fast user switching - being able to move between different accounts while retaining the current desktop status of each. Making this feature work in a secure and robust way is not trivial.

  • The creation of a desktop "spin" of the distribution. That leads to a few related issues - see below.

  • Firewire support that actually works. "Requires rewriting the kernel firewire stack. No biggie."

  • Support for the KVM virtualization API. KVM appears to be the future of Linux virtualization, so distributions will need to pick it up. What will happen to Xen support is unclear; Xen is unpopular with some of the Fedora folks, but is high on the Red Hat list.

  • Support for the new parallel ATA drivers, moving away from the old IDE subsystem. The PATA drivers are an improvement, but they will cause drives to be renamed, leading to potential system chaos. Fedora systems have used the mount-by-label feature for some time, so most installed systems should handle the change without trouble.

  • The addition of Nouveau, the reverse-engineered NVidia driver. Whether this driver will be ready by the time Fedora 7 needs it remains to be seen, however.

  • Speeding up Yum and RPM. That, alone, should justify the cost of an upgrade to Fedora 7.

There's much more on the list, but the above should be enough to give a sense for what is going on. The Fedora developers would like to improve their distribution in a number of significant ways, and in a very short period of time.

Most of the desired changes are uncontroversial. The creation of a desktop version of the distribution, however, has been the subject of a fair amount of discussion. The Fedora distribution has traditionally been fairly strongly tied to the GNOME desktop. As Fedora tries to expand its community, though, there is a stronger set of voices calling for support of a KDE version of Fedora as well. Nobody seems to oppose that idea, but there is still a shortage of consensus on how it should be done.

As often seems to happen in community discussions, the Fedora developers have gotten hung up on a relatively unimportant issue: naming. Current plans call for the GNOME-based version of the distribution to be named "Fedora Desktop," while the KDE-based version would be "Fedora KDE." The KDE users, who were under the impression that they had a desktop too, think that this naming goes against the idea of KDE being an equal citizen. Others claim that "Fedora Desktop" is meant to be a combination of the "best of breed" desktop software, most of which just happens to come from the GNOME project. They hold out the possibility of a separate "Fedora GNOME" version for GNOME purists; it would feature tools like AbiWord, Gnumeric, and Epiphany, which currently have failed to qualify for the "best of breed" designation. This idea doesn't seem to make the KDE community feel much better.

Jeff Spaleta has posted a call for peace on this issue, saying:

But more importantly in the near term, the fact that there is going to be a KDE spin is a fundamentally important step in terms of opening the process for community involvement. How about we, as engaged and proactive community members, focus on making the technical side of that happen. Whether the Desktop spin is called the Desktop spin or the 'Office Professional Workforce of Doom' spin, it's trivially unimportant compared to helping Rex get the KDE spin out the door.

On the technical side, the biggest disagreement would appear to be over whether Firefox should be included. There has also been some discussion of OpenOffice.org and Evolution. In each case, there seems to be some tension between a "pure" KDE system and a desire to include applications that some users are likely to want. Since the unwanted presence (or absence) of any of these tools is relatively easy to correct after installation, one assumes that a solution will be found that everybody is able to live with.

This kind of discussion is not new in the free software community, but it is relatively new to Fedora. As this distribution opens up and accepts more input from outside of Red Hat, there is no doubt that it will get more opinions as well. How these newcomers are accommodated will have a big effect on how successful a more community-oriented Fedora will be. We should see some concrete signs of how well the community is working sometime around late April.

Second Life releases some code

There is a wide variety of online role-playing games on the net. Second Life is unique among them, however, and not just for the lack of quests to fulfill or monsters to kill. In the Second Life environment, "residents" can lease "property" and create interesting artifacts through the use of a built-in scripting language. The environment has proved free and powerful enough to bring together hundreds of thousands of people, many of whom have engaged in large-scale acts of world building. Second Life has shown what can happen when the tools of creation are available to all, but it remains a proprietary service running on proprietary software.

As of January 8, however, Second Life has become a little less proprietary. Linden Lab, the company which owns Second Life, has announced the release of the Second Life viewer application under version 2 of the GPL. The viewer is the client which runs on the user's system; it is a significant chunk of code. Its release should enable interested developers to enhance the Second Life experience - and, perhaps, stabilize the Linux client somewhat.

The way is not yet clear for an entirely free Second Life client, however, as the released code depends on a number of libraries shipped in binary form. Interestingly, many of those libraries (cURL, expat, Mesa, ogg/vorbis, openssl, zlib, etc.) are free software; it is not clear why Linden feels the need to ship its own copies of them. There are a couple of proprietary libraries in there as well, however. Linden hopes to either relicense or route around those libraries in the near future; a quick glance by your editor suggests that this objective should not be too hard to achieve. The Second Life client would appear to be almost free.

Those who would hack on the client code must sign a contributor agreement [PDF] before contributing any changes back. This agreement is essentially a copyright transfer; it allows Linden to do anything it wants with the code. Linden offers commercial licensing terms, so contributors should be sure that they have no objections to that use of their code.

The freeing of this code is a good thing; it brings the free software world that much closer to being a first-participant in the creation of interesting virtual worlds. It is only a beginning, however. The bulk of the logic which implements Second Life lives on the server side, and that code remains proprietary. Imagine if the original WWW browsers had been released into a world where a single company owned the only web server; that is, to a first approximation, where we stand with Second Life at this time. As long as this state of affairs persists, Second Life will remain just another proprietary service.

Linden has some grand visions for how Second Life could grow:

A lot of the Second Life development work currently in progress is focused on building the Second Life Grid - a vision of a globally interconnected grid with clients and servers published and managed by different groups. Expect many changes and updates in the coming months in support of this architecture.

Now that sounds like fun, but it will only reach its potential if the server code is free. Linden continues to make noises - but no promises - about freeing this code. The freeing of the client is a good start; it shows that Linden is serious about involving the community. Releasing the server code will require a rather larger leap of faith on Linden's part, however; the server is where the company makes its money. Let's hope that Linden can find a way to take that leap.

Hardware that Just Works

For whatever reason, there has recently been an increase in the number of corporate LWN subscribers who want to receive information by fax. Your editor, having long seen facsimile as a sort of quaint technology for people who don't have email access, has never kept a fax machine around; there just hasn't been much call for it. Recently, however, wandering over to the local mailbox outlet to send faxes has become somewhat tiresome - and time consuming. The printer was showing signs of old age as well, so it seemed it was time to get a new toy in the form of one of those all-in-one devices which can print, scan, copy, and, yes, send faxes.

A long stint as a system administrator was enough to teach your editor that the management of printers ranks high on the list of Truly Obnoxious Tasks. For whatever reason, making printers work properly has always been painful, whether one is connecting a dot-matrix line printer to a VAX or a contemporary inkjet to a Linux system. So your editor approached the task with some trepidation, and with a fair amount of advance research. To this end, the linuxprinting.org site, which was merged into the Free Standards Group last year, remains an invaluable resource.

Your editor ended up with an HP OfficeJet device which performs all of the required functions. It may yet be convinced to wash the dishes as well, though it seems that feature is not yet well supported under Linux. Everything else is, however. Printing Just Works. Scanning with xsane Just Works. Overall, it is a very nice device, and making it work with Linux was just about painless.

A great deal of credit is due to HP, which has made free drivers available for its hardware. Thanks to this openness on HP's part, its hardware is fully supported on Linux systems and can be used to its full potential. That policy just resulted in another sale for HP, and, probably, many others. It behooves us to be sure that HP hears that feedback from its Linux customers. If manufacturers understand that supporting Linux means more sales, they will support Linux.

Credit is also due to the HPLIP project, which has packaged HP's drivers with a significant amount of support code. HPLIP integrates well with CUPS, which has done a great deal to civilize printing on free systems. Finally, the distributors have done a lot of work to make the setup of new printers easy. All of this work has transformed an administrator's job; when your editor thinks back to writing lpd output filters for a new device, he feels an immediate need for a strong drink. Now it has become necessary to find a new excuse for drinking. Congratulations to all of those who have managed to bring about such an improvement over a few short years.

linux.conf.au

The seventh edition of linux.conf.au starts on January 15 in Sydney. Over the years, linux.conf.au has become one of the most vibrant, interesting, and just plain fun free software events on the planet. This year's program looks likely to continue the trend. LWN editor Jonathan Corbet is lucky enough to be speaking at the event; come and say "hi" if you're in the area.

Page editor: Jonathan Corbet

Security

Tracing behind the firewall

January 10, 2007

This article was contributed by Jake Edge.

A new tool, 0trace, that can sometimes peek through a firewall and provide information about the hosts and addresses living behind it was recently released. The tool itself is in a rough, proof-of-concept form, but it can provide interesting results that are likely unexpected by the network administrator. Understanding how 0trace accomplishes this feat requires a bit of firewall background as well.

Many firewalls use Network Address Translation (NAT) to multiplex multiple internal computers over one external, routable, IP address. When an internal host makes a connection to the outside world, the NAT device rewrites the addresses in the packets so that the external host believes it is talking to the firewall itself rather than the actual host (which is typically in the private, unroutable IP space). In order to do that, the NAT device records information about the connection: the IP addresses for the internal and external hosts as well as port information. It is this established connection table that 0trace exploits in order to do its work.

The basic scheme is much the same as traceroute in that 0trace sends packets with increasing time-to-live (TTL) values and listens to the ICMP "time exceeded" responses to determine the hosts that the packet has traversed. The difference is that 0trace piggybacks its probes on an established connection. Because many NAT implementations do not closely examine packets that are associated with an established connection, those responses, even from internal hosts, are forwarded along.

Users of traceroute are familiar with the '*' character that gets printed when there is no response from one of the hops; tracing a route these days typically ends in a series of hops without a response, resulting in several rows of '* * *'. These are often systems that are behind firewalls which filter out the probe packets that traceroute sends because they are not associated with a connection that it knows about. The example in the announcement shows 0trace output from a scan of www.ebay.com with several internal IP addresses past the point where the traceroute output stops.

In order to run 0trace, one must first establish a connection with the host of interest. Using telnet to port 80 is one way to go about that; once the connection is established, the 0trace shell script is run. That script sets up a tcpdump to grab the traffic to and from the supplied IP address and then waits. The user must generate some traffic at this point and typing 'GET / HTTP/1.0' (followed by one return) is a good way to do that. 0trace analyzes the TCP packet dump to retrieve the sequence and ack numbers from the conversation; the shell script then passes those off to the 0trace C program (sendprobe). Using proper sequence/ack numbers from the established connection further disguises the 0trace traffic as a legitimate part of the conversation.

This technique is not new and the author, Michal Zalewski, credits a number of other people in the announcement and ensuing thread, but this is likely the first public implementation. The implementation is very dependent on the exact format of tcpdump output and is rather fragile because of that, but it is an interesting proof-of-concept. Zalewski invites interested people to improve upon it. Using it against hosts without their permission might be considered illegal in some jurisdictions; one should exercise care before using it. It does show a weakness in current NAT implementations that will likely need to be addressed.
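To make the NAT behaviour described above concrete, here is a small model, written for this article and not taken from 0trace itself, of a NAT with an established-connection table sitting between public routers and private ones. It runs the same TTL-expiry walk three times: plain traceroute probes with no connection (the NAT drops them, giving the familiar '*'), probes riding an established connection through a NAT that only checks the quoted packet against its table (the private hops answer and are forwarded), and the same probes through a NAT that additionally refuses to pass ICMP errors sourced from RFC 1918 space, which is the obvious fix on the firewall side. The topology, the addresses (RFC 5737 documentation ranges outside, 10/8 inside) and both NAT policies are constructed for the example; real probes also carry the connection's sequence and ack numbers, which this model ignores.

```python
"""Model of why an established TCP connection lets 0trace-style probes map
hops behind a NAT, and of the egress check that closes the leak.

Added illustration for this article, not 0trace's own code.  Topology,
addresses and NAT policies are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The "private, unroutable IP space" the article refers to (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Flow:
    """TCP 4-tuple as the NAT sees it on its external side (seq/ack omitted)."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Probe:
    ttl: int
    flow: Flow          # a 0trace probe borrows the 4-tuple of a live connection


@dataclass(frozen=True)
class TimeExceeded:
    """ICMP 'time exceeded': the router's own address plus the expired packet's
    header, which is all the NAT's 'related' check looks at."""
    src: str
    quoted: Flow


class Nat:
    def __init__(self, external_ip: str, filter_private_icmp: bool = False):
        self.external_ip = external_ip
        self.filter_private_icmp = filter_private_icmp
        self.table = set()  # established-connection table (constructed model)

    def establish(self, flow: Flow) -> None:
        self.table.add(flow)

    def allow_inbound(self, probe: Probe) -> bool:
        """Plain traceroute probes fail here: no table entry, no forwarding."""
        return probe.flow in self.table

    def allow_outbound_icmp(self, msg: TimeExceeded) -> bool:
        """Permissive policy: forward any ICMP error whose quoted packet belongs to
        a known connection.  Hardened policy: additionally drop errors whose own
        source is a private address, so internal hops never answer outsiders."""
        if msg.quoted not in self.table:
            return False
        if self.filter_private_icmp and is_rfc1918(msg.src):
            return False
        return True


def trace(outside: list[str], nat: Nat, inside: list[str], flow: Flow, max_ttl: int) -> list[str]:
    """Per starting TTL, the address the prober hears from, or '*' for silence.
    `outside` are public routers before the NAT, `inside` private routers after
    it; the target host itself does not expire TTLs, it just answers."""
    results = []
    for start_ttl in range(1, max_ttl + 1):
        probe, ttl, answer = Probe(start_ttl, flow), start_ttl, None
        for hop in outside:                 # public routers reply directly
            ttl -= 1
            if ttl == 0:
                answer = hop
                break
        if answer is None:                  # the NAT is a router as well
            ttl -= 1
            if ttl == 0:
                answer = nat.external_ip
            elif not nat.allow_inbound(probe):
                answer = "*"
        if answer is None:
            for hop in inside:              # private routers reply through the NAT
                ttl -= 1
                if ttl == 0:
                    reply = TimeExceeded(src=hop, quoted=probe.flow)
                    answer = hop if nat.allow_outbound_icmp(reply) else "*"
                    break
        if answer is None:
            # Probe reached the target, which answers inside the TCP connection;
            # the NAT translates that source, so the prober sees the external address.
            answer = nat.external_ip
        results.append(answer)
    return results


def scenarios() -> dict:
    outside = ["198.51.100.1", "203.0.113.1"]      # constructed public hops
    inside = ["10.0.0.1", "10.0.1.1"]              # constructed private hops before the target
    flow = Flow("192.0.2.7", 40000, "203.0.113.10", 80)
    out = {}
    nat = Nat("203.0.113.10")                      # permissive NAT, no connection: traceroute
    out["traceroute"] = trace(outside, nat, inside, flow, 6)
    nat.establish(flow)                            # same NAT, probes ride a live connection
    out["0trace"] = trace(outside, nat, inside, flow, 6)
    hardened = Nat("203.0.113.10", filter_private_icmp=True)
    hardened.establish(flow)
    out["0trace_filtered"] = trace(outside, hardened, inside, flow, 6)
    return out


if __name__ == "__main__":
    for name, hops in scenarios().items():
        print(f"{name:16} {' '.join(hops)}")
```

The interesting line is the second run: the target's own address never leaks, because its replies are inside the connection and get translated, but the intermediate routers' ICMP errors carry untranslated 10.x sources and the permissive rule lets them out. The third run shows that checking the error's own source address at the egress point, rather than only the quoted packet, is enough to turn those hops back into '*'.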

New vulnerabilities

avahi: denial of service

Package(s): avahi    CVE #(s): CVE-2006-6870
Created: January 5, 2007    Updated: January 15, 2007
Description: A flaw was discovered in Avahi's handling of compressed DNS packets. If a specially crafted reply were received over the network, the Avahi daemon would go into an infinite loop, causing a denial of service.
Alerts:
Fedora FEDORA-2007-019 2007-01-15
Mandriva MDKSA-2007:003 2007-01-08
Ubuntu USN-402-1 2007-01-05

drupal: code injection

Package(s): drupal    CVE #(s):
Created: January 9, 2007    Updated: January 9, 2007
Description: A failure to properly sanitize arguments allows an attacker to inject code into a Drupal system (advisory). There is also a denial of service vulnerability exploitable by users with the ability to post content on the site (advisory).
Alerts:
OpenPKG OpenPKG-SA-2007.003 2007-01-08

fetchmail: password disclosure and DOS

Package(s): fetchmail    CVE #(s): CVE-2006-5867 CVE-2006-5974
Created: January 9, 2007    Updated: March 16, 2007
Description: Fetchmail suffers from a password disclosure vulnerability due to a failure to use secure protocols (advisory) and a denial of service vulnerability (advisory).
Alerts:
SuSE SUSE-SR:2007:004 2007-03-16
Debian DSA-1259-1 2007-02-14
Red Hat RHSA-2007:0018-01 2007-01-31
Slackware SSA:2007-024-01 2007-01-25
Gentoo 200701-13 2007-01-22
Fedora FEDORA-2007-042 2007-01-16
Fedora FEDORA-2007-041 2007-01-16
Mandriva MDKSA-2007:016 2006-01-15
Ubuntu USN-405-1 2007-01-11
rPath rPSA-2007-0003-1 2007-01-09
OpenPKG OpenPKG-SA-2007.004 2007-01-08

geoip: path traversal

Package(s): geoip    CVE #(s): CVE-2007-0159
Created: January 10, 2007    Updated: January 24, 2007
Description: Geoip fails to do sanity checking on returned filenames, opening up a path traversal vulnerability.
Alerts:
Ubuntu USN-412-1 2007-01-23
Mandriva MDKSA-2007:004 2007-01-08

kernel: multiple vulnerabilities

Package(s): kernel    CVE #(s): CVE-2006-5749 CVE-2006-4814 CVE-2006-6106
Created: January 5, 2007    Updated: May 7, 2008
Description: A security issue has been reported in the Linux kernel due to an error in drivers/isdn/i4l/isdn_ppp.c: the "isdn_ppp_ccp_reset_alloc_state()" function never initializes an event timer before scheduling it with the "add_timer()" function.

The mincore function in the kernel does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.

Another vulnerability has been reported in the Linux kernel, caused by a boundary error in the handling of incoming CAPI messages in net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain kernel data structures.

Alerts:
CentOS CESA-2008:0211 2008-05-07
Red Hat RHSA-2008:0211-01 2008-05-07
Debian DSA-1503 2008-02-22
Debian DSA-1503-2 2008-03-06
SuSE SUSE-SA:2007:035 2007-06-14
SuSE SUSE-SA:2007:053 2007-10-12
Ubuntu USN-416-2 2007-03-01
Ubuntu USN-416-1 2007-02-01
rPath rPSA-2007-0031-1 2007-02-09
Mandriva MDKSA-2007:040 2007-02-07
Red Hat RHSA-2007:0014-01 2007-01-30
Mandriva MDKSA-2007:025 2007-01-23
Fedora FEDORA-2007-058 2007-01-18
Mandriva MDKSA-2007:012 2006-01-12
Trustix TSLSA-2007-0002 2007-01-05

krb5: uninitialized pointers

Package(s): krb5    CVE #(s): CVE-2006-6143 CVE-2006-3084
Created: January 10, 2007    Updated: January 25, 2007
Description: The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.
Alerts:
Gentoo 200701-21 2007-01-24
Ubuntu USN-408-1 2007-01-15
rPath rPSA-2007-0006-1 2007-01-11
Mandriva MDKSA-2007:008 2006-01-10
SuSE SUSE-SA:2007:004 2007-01-10
OpenPKG OpenPKG-SA-2007.006 2007-01-10
Fedora FEDORA-2007-033 2007-01-09
Fedora FEDORA-2007-034 2007-01-09

openoffice.org: integer overflows

Package(s): openoffice.org    CVE #(s): CVE-2006-5870
Created: January 4, 2007    Updated: January 13, 2007
Description: The OpenOffice.org WMF file processor has several integer overflow bugs. Maliciously crafted WMF files can be used to cause OpenOffice.org to execute arbitrary code when the files are opened by a user.
Alerts:
Gentoo 200701-07 2007-01-12
Ubuntu USN-406-1 2007-01-12
Mandriva MDKSA-2007:006 2007-01-10
rPath rPSA-2007-0001-1 2007-01-08
Debian DSA-1246-1 2007-01-08
SuSE SUSE-SA:2007:001 2007-01-04
Red Hat RHSA-2007:0001-01 2007-01-03

proftpd: denial of service

Package(s): proftpd    CVE #(s): CVE-2005-4816
Created: January 9, 2007    Updated: January 9, 2007
Description: The proftpd FTP server is vulnerable to a denial of service attack when Radius authentication is in use.
Alerts:
Debian DSA-1245-1 2006-01-07

wordpress: SQL injection

Package(s): wordpress    CVE #(s):
Created: January 9, 2007    Updated: January 9, 2007
Description: Stefan Esser discovered an SQL injection vulnerability in wordpress exploitable through the use of different character sets.
Alerts:
OpenPKG OpenPKG-SA-2007.005 2007-01-08

X.org: integer overflows

Package(s): xorg, xorg-server    CVE #(s): CVE-2006-6101 CVE-2006-6102 CVE-2006-6103
Created: January 10, 2007    Updated: March 8, 2007
Description: A number of integer overflows have turned up in the X.org server. Some of these overflows involve calls to alloca(), and thus make corruption of the stack relatively easy. This vulnerability is exploitable by anybody who can make a connection to the server, meaning that it is a local root exploit in most settings. See this advisory for details.
Alerts:
Slackware SSA:2007-066-02 2007-03-08
Gentoo 200701-25 2007-01-27
Debian DSA-1249-1 2007-01-15
SuSE SUSE-SA:2007:008 2007-01-12
rPath rPSA-2007-0005-1 2007-01-09
Red Hat RHSA-2007:0002-01 2007-01-10
Red Hat RHSA-2007:0003-01 2007-01-10
Mandriva MDKSA-2007-005 2007-01-09
Fedora FEDORA-2007-035 2007-01-09
Fedora FEDORA-2007-036 2007-01-09
Ubuntu USN-403-1 2007-01-09

Updated vulnerabilities

apache: cross-site scripting

Package(s): apache    CVE #(s): CVE-2006-3918
Created: August 9, 2006    Updated: April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

apache-mod_auth_kerb: off-by-one error

Package(s): apache-mod_auth_kerb    CVE #(s): CVE-2006-5989
Created: November 24, 2006    Updated: January 23, 2007
Description: An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows remote attackers to cause a denial of service (crash) via a crafted Kerberos message that triggers a heap-based buffer overflow in the component array.
Alerts:
Gentoo 200701-14 2007-01-22
Debian DSA-1247-1 2007-01-08
Red Hat RHSA-2006:0746-01 2006-12-06
Fedora FEDORA-2006-1341 2006-11-29
Mandriva MDKSA-2006:218 2006-11-23

bind: denial of service

Package(s): bind    CVE #(s): CVE-2006-4095 CVE-2006-4096
Created: September 7, 2006    Updated: February 1, 2007
Description: Bind has two denial of service vulnerabilities.

Recursive server queries for SIG records will trigger an assertion failure if more than one RR set is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
Fedora FEDORA-2007-164 2007-01-31
Gentoo 200609-11 2006-09-15
Slackware SSA:2006-257-01 2006-09-15
Fedora FEDORA-2006-966 2006-09-11
Debian DSA-1172-1 2006-09-09
Mandriva MDKSA-2006:163 2006-09-08
rPath rPSA-2006-0166-1 2006-09-08
Ubuntu USN-343-1 2006-09-07
OpenPKG OpenPKG-SA-2006.019 2006-09-07

bugzilla: multiple vulnerabilities

Package(s): bugzilla    CVE #(s): CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created: November 10, 2006    Updated: August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

busybox: insecure password generation

Package(s): busybox    CVE #(s): CVE-2006-1058
Created: May 5, 2006    Updated: May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

bzip2: race condition and infinite loop

Package(s): bzip2    CVE #(s): CAN-2005-0953 CAN-2005-1260
Created: May 17, 2005    Updated: January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

cacti: multiple vulnerabilities

Package(s): cacti    CVE #(s): CVE-2006-6799
Created: January 1, 2007    Updated: January 26, 2007
Description: The network monitoring and graphing frontend Cacti has three vulnerabilities. The cmd.php script allows command-line usage and is also installed in a web-accessible location. The cmd.php input is insufficiently sanitized; a passed-in URL can be used to inject arbitrary SQL code. The cmd.php script can also be used by a remote attacker to execute arbitrary shell commands via improperly sanitized results from SQL queries.
Alerts:
Gentoo 200701-23 2007-01-26
Debian DSA-1250-1 2007-01-17
Mandriva MDKSA-2007:015 2007-01-15
SuSE SUSE-SA:2007:007 2007-01-12
OpenPKG OpenPKG-SA-2007.001 2007-01-01

cpio: arbitrary code execution

Package(s): cpio    CVE #(s): CVE-2005-4268
Created: January 2, 2006    Updated: May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s): cyrus-sasl    CVE #(s): CVE-2006-1721
Created: April 21, 2006    Updated: September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

dbus: denial of service

Package(s): dbus    CVE #(s): CVE-2006-6107
Created: December 15, 2006    Updated: February 12, 2007
Description: Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages).
Alerts:
rPath rPSA-2006-0233-1 2007-02-09
Red Hat RHSA-2007:0008-01 2007-02-08
Ubuntu USN-401-1 2007-01-04
OpenPKG OpenPKG-SA-2006.041 2006-12-21
Fedora FEDORA-2006-1475 2006-12-19
Mandriva MDKSA-2006:233 2006-12-18
Fedora FEDORA-2006-1464 2006-12-14

denyhosts: denial of service

Package(s): denyhosts    CVE #(s): CVE-2006-6301
Created: January 3, 2007    Updated: January 3, 2007
Description: A botched regular expression allows a remote attacker to add arbitrary hosts to the denyhosts blacklist, causing those hosts to be unable to make ssh connections to the target system.
Alerts:
Gentoo 200701-01 2007-01-03

dovecot: index cache file handling error

Package(s): dovecot    CVE #(s): CVE-2006-5973
Created: November 29, 2006    Updated: May 8, 2007
Description: The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable.
Alerts:
Fedora FEDORA-2006-1504 2006-12-27
Fedora FEDORA-2006-1396 2006-12-18
rPath rPSA-2006-0220-1 2006-11-30
Ubuntu USN-387-1 2006-11-28

elinks: arbitrary file access

Package(s): elinks    CVE #(s): CVE-2006-5925
Created: November 16, 2006    Updated: February 1, 2007
Description: The elinks text-mode browser has an arbitrary file access vulnerability in the Elinks SMB protocol handler. If a user can be tricked into visiting a specially crafted web page, arbitrary files may be read or written with the user's permissions.
Alerts:
Gentoo 200701-27 2007-01-30
OpenPKG OpenPKG-SA-2006.043 2006-12-26
Debian DSA-1240-1 2006-12-21
Gentoo 200612-16 2006-12-14
Debian DSA-1228-1 2006-12-05
Debian DSA-1226-1 2006-12-03
Fedora FEDORA-2006-1278 2006-11-21
Fedora FEDORA-2006-1277 2006-11-21
Mandriva MDKSA-2006:216 2006-11-20
Red Hat RHSA-2006:0742-01 2006-11-15

elog: multiple vulnerabilities

Package(s): elog    CVE #(s): CVE-2006-5063 CVE-2006-5790 CVE-2006-5791 CVE-2006-6318
Created: December 28, 2006    Updated: January 3, 2007
Description: elog, a web-based electronic logbook, has multiple vulnerabilities that may lead to arbitrary code execution. Log entry editing in HTML has a cross-site scripting vulnerability. A number of format string vulnerabilities may be used for the execution of arbitrary code. There are cross-site scripting vulnerabilities related to the creation of new logbook entries. There is insufficient error handling in the config file parsing that may be used for a denial of service attack.
Alerts:
Debian DSA-1242-1 2006-12-27

ffmpeg: buffer overflows

Package(s): ffmpeg    CVE #(s): CVE-2006-4799 CVE-2006-4800
Created: September 14, 2006    Updated: May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI file, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200609-09 2006-09-13

Mozilla stuff: multiple vulnerabilities

Package(s): firefox thunderbird seamonkey    CVE #(s): CVE-2006-6497 CVE-2006-6498 CVE-2006-6501 CVE-2006-6502 CVE-2006-6503 CVE-2006-6504 CVE-2006-6505
Created: December 20, 2006    Updated: March 12, 2007
Description: The Mozilla Project has released new versions of firefox, thunderbird, and seamonkey to address the usual pile of security issues; see this announcement or this CERT advisory for details.
Alerts:
Debian DSA-1265-1 2007-03-10
Debian DSA-1258-1 2007-02-07
Debian DSA-1253-1 2006-01-27
Ubuntu USN-398-4 2007-01-27
SuSE SUSE-SA:2007:006 2007-01-12
Mandriva MDKSA-2007:011 2007-01-11
Mandriva MDKSA-2007:010 2007-01-11
Gentoo 200701-04 2007-01-10
Ubuntu USN-400-1 2007-01-04
Gentoo 200701-03 2007-01-04
Gentoo 200701-02 2007-01-04
Ubuntu USN-398-2 2007-01-03
Ubuntu USN-398-3 2007-01-04
Ubuntu USN-398-1 2007-01-02
Fedora FEDORA-2006-004 2007-01-02
rPath rPSA-2006-0234-2 2006-12-22
SuSE SUSE-SA:2006:080 2006-12-29
Slackware SSA:2006-357-03 2006-12-25
Slackware SSA:2006-357-01 2006-12-25
Slackware SSA:2006-357-02 2006-12-25
rPath rPSA-2006-0234-1 2006-12-22
Fedora FEDORA-2006-1499 2006-12-21
Fedora FEDORA-2006-1491 2006-12-20
Fedora FEDORA-2006-1492 2006-12-20
Red Hat RHSA-2006:0759-01 2006-12-19
Red Hat RHSA-2006:0760-01 2006-12-19
Red Hat RHSA-2006:0758-01 2006-12-19

freeradius: several vulnerabilities

Package(s): freeradius    CVE #(s): CVE-2005-4745 CVE-2005-4746
Created: August 8, 2006    Updated: April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

freetype: integer overflows

Package(s): freetype    CVE #(s): CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created: June 8, 2006    Updated: October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

ftpd: privilege escalation

Package(s): ftpd    CVE #(s): CVE-2006-5778
Created: November 10, 2006    Updated: February 14, 2007
Description: Ftpd is vulnerable to a privilege escalation attack: an incorrect seteuid() call can be used by an FTP user to gain unauthorized access to files or directories.
Alerts:
Gentoo 200611-05:02 2006-11-10
Debian DSA-1217-1 2006-11-20
Gentoo 200611-05 2006-11-10

gcc: file overwrite vulnerability

Package(s): gcc    CVE #(s): CVE-2006-3619
Created: September 6, 2006    Updated: March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

gdb: buffer overflow

Package(s): gdb    CVE #(s): CVE-2006-4146
Created: September 15, 2006    Updated: June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Red Hat RHSA-2007:0469-01 2007-06-11
Red Hat RHSA-2007:0229-02 2007-05-01
Ubuntu USN-356-1 2006-10-02
Fedora FEDORA-2006-975 2006-09-14

gdm: improper file permissions

Package(s): gdm    CVE #(s): CVE-2006-1057
Created: April 19, 2006    Updated: May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

gnupg: stack overwrite

Package(s): gnupg    CVE #(s): CVE-2006-6235
Created: December 12, 2006    Updated: March 13, 2007
Description: A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.
Alerts:
Fedora FEDORA-2007-316 2007-03-12
Fedora FEDORA-2007-315 2007-03-12
SuSE SUSE-SA:2006:075 2006-12-13
Mandriva MDKSA-2006:228 2006-12-11

gv: stack-based buffer overflow

Package(s): gv    CVE #(s): CVE-2006-5864
Created: November 20, 2006    Updated: April 9, 2007
Description: Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header.
Alerts:
Gentoo 200704-06 2007-04-06
Gentoo 200703-24 2007-03-26
Debian DSA-1243-1 2006-12-28
Debian DSA-1214-2 2006-12-27
Mandriva MDKSA-2006:229 2006-12-13
rPath rPSA-2006-0230-1 2006-12-12
Fedora FEDORA-2006-1438 2006-12-11
Fedora FEDORA-2006-1437 2006-12-11
Ubuntu USN-390-3 2006-12-06
Ubuntu USN-390-2 2006-12-06
Mandriva MDKSA-2006:214-1 2006-12-04
Ubuntu USN-390-1 2006-11-30
Gentoo 200611-20 2006-11-24
Debian DSA-1214-1 2006-11-20
Mandriva MDKSA-2006:214 2006-11-17

gzip: multiple vulnerabilities

Package(s): gzip    CVE #(s): CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created: September 19, 2006    Updated: June 1, 2007
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Alerts:
Fedora FEDORA-2007-557 2007-05-31
Gentoo 200611-24 2006-11-28
Fedora-Legacy FLSA:211760 2006-11-13
Fedora FEDORA-2006-989 2006-10-10
SuSE SUSE-SA:2006:056 2006-09-26
Gentoo 200609-13 2006-09-23
Trustix TSLSA-2006-0052 2006-09-22
Mandriva MDKSA-2006:167 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Debian DSA-1181-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Ubuntu USN-349-1 2006-09-19
Red Hat RHSA-2006:0667-01 2006-09-19

gzip: arbitrary command execution

Package(s): gzip    CVE #(s): CAN-2005-0758
Created: August 1, 2005    Updated: January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory containing specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

imagemagick: buffer overflows

Package(s): imagemagick    CVE #(s): CVE-2006-5868
Created: November 28, 2006    Updated: February 16, 2007
Description: Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Red Hat RHSA-2007:0015-01 2007-02-15
Mandriva MDKSA-2006:223 2006-12-01
Ubuntu USN-386-1 2006-11-28

ImageMagick: buffer overflows

Package(s): ImageMagick    CVE #(s): CVE-2006-5456
Created: October 31, 2006    Updated: March 8, 2007
Description: Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
Alerts:
Slackware SSA:2007-066-06 2007-03-08
rPath rPSA-2007-0029-1 2007-02-08
rPath rPSA-2006-0218-1 2006-11-27
Gentoo 200611-19 2006-11-24
Fedora FEDORA-2006-1285 2006-11-22
Fedora FEDORA-2006-1286 2006-11-22
Debian DSA-1213-1 2006-11-19
SuSE SUSE-SA:2006:066 2006-11-14
Gentoo 200611-07 2006-11-13
Ubuntu USN-372-1 2006-11-01
Mandriva MDKSA-2006:193 2006-10-30

imlib2: arbitrary code execution

Package(s): imlib2    CVE #(s): CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created: November 6, 2006    Updated: August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03

kdegraphics: stack overflow

Package(s): kdegraphics    CVE #(s): CVE-2006-6297
Created: December 12, 2006    Updated: January 13, 2007
Description: A stack overflow in the KFILE JPEG (kfile_jpeg) plugin in kdegraphics3, as used by konqueror, digikam, and other KDE image browsers, allows remote attackers to cause a denial of service (stack consumption) via a crafted EXIF section in a JPEG file, which results in an infinite recursion.
Alerts:
Gentoo 200701-05 2007-01-12
Mandriva MDKSA-2006:227 2006-12-11

kdelibs: integer overflow

Package(s): kdelibs    CVE #(s): CVE-2006-4811
Created: October 18, 2006    Updated: March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
Alerts:
Gentoo 200703-06 2007-03-04
Gentoo 200611-02 2006-11-06
Red Hat RHSA-2006:0725-01 2006-11-01
Debian DSA-1200-1 2006-10-30
Slackware SSA:2006-298-01 2006-10-26
rPath rPSA-2006-0195-2 2006-10-18
Mandriva MDKSA-2006:186 2006-10-19
rPath rPSA-2006-0195-1 2006-10-18
Red Hat RHSA-2006:0720-01 2006-10-18

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2006-4623
Created: October 18, 2006    Updated: November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

kernel: bridging code buffer overflow

Package(s): kernel    CVE #(s): CVE-2006-5751
Created: December 6, 2006    Updated: January 3, 2007
Description: A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix.
Alerts:
Mandriva MDKSA-2007:002 2007-01-02
SuSE SUSE-SA:2006:079 2006-12-21
Fedora FEDORA-2006-1471 2006-12-18
Fedora FEDORA-2006-1470 2006-12-18
Ubuntu USN-395-1 2006-12-13
Debian DSA-1233-1 2006-12-10
rPath rPSA-2006-0226-1 2006-12-06

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2006-4535 CVE-2006-4538
Created: September 18, 2006    Updated: December 3, 2007
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2006-4572 CVE-2006-4997
Created: November 6, 2006    Updated: January 17, 2007
Description: Some vulnerabilities were discovered in the Linux 2.6 kernel:

There are possibly exploitable bugs in the IPv6 netfilter code. (CVE-2006-4572)

The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed. (CVE-2006-4997)

Alerts:
Red Hat RHSA-2007:0013-01 2007-01-17
Red Hat RHSA-2007:0012-01 2007-01-17
Debian DSA-1237-1 2006-12-17
rPath rPSA-2006-0204-1 2006-11-09
Mandriva MDKSA-2006:197 2006-11-03

kernel: denial of service by memory consumption

Package(s): kernel    CVE #(s): CVE-2006-2936
Created: July 17, 2006    Updated: November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25