LWN.net Weekly Edition for July 19, 2007

Apple buys cups

One of the more strongly discussed bits of news over the last week is the announcement that Apple has bought CUPS (the Common Unix Printing system) and hired Michael Sweet, the project's primary developer. Indeed, this deal happened back in February; it just took a little while for the people involved to get around to telling the rest of the world about it. There is a great deal of concern over what this deal might mean, though most of it is probably unnecessary. Still, there are some lessons to be learned here.

CUPS is an important part of our core infrastructure. Those of us who can think back to the days of trying to create lpr input and output filters to make a specific printer work can only be thankful that CUPS came along. It could easily be said that lpr lasted at least ten years longer than it should have, but, over that time, there were no real attempts to create a viable alternative. Projects like LPRng were mostly trying to create a slightly better version of the same thing. Then, there was the print system which Sun inflicted on users of early Solaris releases (who, as your editor can attest, were already suffering enough as it was); replacing that system with some version of lpr was a common thing to do. It took CUPS to implement contemporary printing protocols, support current hardware, and generally make the life of printer administrators easier - though, as any administrator who has lost a day to an obscure printer problem will say, things could get a lot better yet.

CUPS has always been a corporate-owned free software project, meaning that it carries all of the potential problems that any other such project has. When a single company owns a project it can strongly control its development direction, take the code private, grant license exemptions at will, abruptly sell the code to somebody else, and so on. Many companies which own projects do many of these things. Dealing with corporations has its risks; it has often been said that the corporate personality is best compared to that of a schizophrenic adolescent. Even so, such relationships have worked out well for the free software community with very few exceptions.

In this case, the ownership of CUPS has been passed from Easy Software Products (ESP) to Apple. Since contributors to CUPS are required to assign the copyrights to their work, ESP was entirely within its rights to make this sale. There are few constraints on what Apple can do with this externally-contributed code in the future; if it chooses, the company could certainly treat the code in ways that the original authors would not like. This risk is inherent in the transfer of copyrights; any free software developer who is contemplating signing a copyright transfer agreement should always think hard about who the receiving party is and what they could do in the future. The usual rule for dealing with companies - assume the person you negotiated the deal with will be immediately replaced by somebody who hates you - applies in this sort of situation.

The worst thing that Apple can do, in any case, is to take future releases of CUPS private. The current, GPL-licensed releases will remain available and free. Should this happen, the community will have to pick up from the last free version and create a fork; it certainly would not be the first time such an action proved to be necessary. For now, though, the announcement of the sale says "CUPS will still be released under the existing GPL2/LGPL2 licensing terms, and I [Mr. Sweet] will continue to develop and support CUPS at Apple." Given that certain aspects of CUPS development - supporting hundreds of printers, for example - are best done in the community setting, it is not hard to believe that this state of affairs could continue indefinitely.

Apple just might create enhanced versions of CUPS for its own operating system or as a commercial product. The company has already published a GPL exception policy allowing proprietary derived products to be made from CUPS - as long as they are distributed exclusively for Apple's operating systems. So Apple's version of CUPS might have shinier widgets or a few more printer drivers. Not the best of situations, but it is not all that different from the rights Sun gives itself with the OpenOffice.org code base. OpenOffice.org lacks features, fonts, and clip art found in StarOffice, but few OpenOffice.org users have complained that they felt cheated. Companies like MySQL make a nice living selling GPL exceptions to GPL-licensed code, including code contributed by outsiders.

The real threat, perhaps, is that Mr. Sweet will find himself carrying a lot of Apple-specific responsibilities (his statement in the sale announcement carefully did not say how much he would continue working on CUPS) and that the rate of outside contributions might slow as developers worry about what Apple might do. That could significantly slow the rate at which CUPS moves forward, to the community's cost.

One other potential problem is the CUPS trademark policy which has been announced by Apple. It requires permission to use the CUPS name with any derived product; a distributor who applies any patches at all, even security fixes, would be affected by this policy. The good news here is that, if this policy becomes a problem, the name of the print system could be changed to "mugs" or some such and few users would even notice.

On the other hand, what this deal might do is bring more resources to the development of CUPS and contributions from a company which, for all its faults, is known to pay a great deal of attention to the end user's experience. Development could speed up and head in directions which make CUPS easier to use than it is now. That would be an outcome which would be hard to complain about.

A Tokyo trip report

The free software community is truly global in scope - we are all over the world. A casual visitor might be forgiven for thinking otherwise, though: the people found on our mailing lists and in our code repositories are, to a great extent, based in Europe or North America. There is no shortage of talented developers elsewhere, but they are hard to see; they do not participate in our community at anywhere near the same level. We are clearly weaker as a result.

One attempt to improve this situation can be found in the Linux Foundation Japan Symposium, held a few times each year in Tokyo. This event was started by OSDL, and is being continued by the Linux Foundation. The idea is to bring a few community developers over for a couple of days and have them talk with Japanese developers about what the community is up to and how they can be a part of it. Your editor was lucky enough to be invited to the July meeting where, between encounters with sushi, sake, and Japanese beer, he was able to get some interesting work done.

First, though, was an encounter with the Yokohama Linux Users Group, which had invited your editor to come talk seeing as he was in the neighborhood anyway. YLUG meetings, as it turns out, look much like LUG meetings just about anywhere: a couple dozen or so technical guys show up to hear somebody talk about free software. The beer and dinner (and more beer) gathering afterward was special, though; if more user groups included that sort of event, attendance at meetings would doubtless go up.

The symposium itself began with presentations from your editor and Paul Menage, author of the process containers patch. One of the important features of this event is that it includes simultaneous translators; said translators were somewhat dismayed by your editor's habit of changing his talks (and slides) right up to the point where the laptop gets plugged in at the podium. Their presence is important, though: it allows attendees to follow the talks without having to struggle with a foreign language; they can also ask questions in Japanese and still have the presenters understand them.

As it happens, language issues, while not on the formal agenda, were a big issue at this event. It is easy to fall into the trap of believing that anybody who is sufficiently well educated to be part of our development community will, naturally, have learned the English language along the way. The truth of the matter is that there are many languages one could invest time in learning, that English is a hard language (especially for those whose native language is far removed from English), and that many people who might have studied English for years have never really had a chance to use it enough to become truly proficient. English really is an obstacle for many potential contributors to our community. It slows down many developers, makes others afraid to participate in public forums, and blocks some entirely.

One step which is being taken to improve this situation is the translation of a number of core kernel development documents into Japanese. The documents of interest are primarily process-oriented - those which tell prospective developers how the community works and how to get patches accepted. Translation of serious technical documentation would require quite a bit more work and would be hard to keep up to date, so that is less likely to happen. Japanese versions of the documentation seem unlikely to go into the kernel repository itself, so they will have to be hosted elsewhere; they should, in any case, provide a useful resource for Japanese developers hoping to begin with the kernel.

The translators got to work in the opposite direction for a while as Akinobu Mita discussed his work on the fault injection framework. At any event designed to increase community involvement it is important to highlight the efforts of local people who have been successful; Mita-san's work, which makes it possible to find problems in difficult-to-test error recovery paths, is an important contribution to the kernel development toolkit. He has, recently, been posting fixes to a long series of bugs found through the use of fault injection, making the kernel more stable for everybody.

The afternoon included a panel session which, among other things, covered the kernel development process. One of the key points in your editor's talk on that process is that code must be posted early; if a company insists that code pass through all of its internal quality assurance processes before being submitted, it is likely to post code which is in need of major changes. It turns out that this can be a problem with Japanese companies; one developer talked about "stone-headed managers" who are deathly afraid that somebody will post something which embarrasses or shames the company. Strange as it seems, the stone-headed manager problem is not confined to Japan; there is little to be done except to continue to try to educate those managers - or wait until they get promoted to a level where they are no longer a problem.

The second day consisted of smaller sessions where developers from Linux Foundation member companies could talk about their work and get questions answered. Fault injection was on the agenda again, as were various virtualization topics and the translation issue. Closing statements were made, and the event shut down until next time - scheduled for November.

The key to building a community and keeping it together is good communication. By bringing in community developers, the Japan Symposium certainly succeeds in raising the level of communication with the Japanese community. There is no better way to learn about how a community works than to talk with those who are in the middle of it. This series of events might just be part of why contributions from Japan appear to be on the rise. A less obvious but equally important point is this: communication goes both ways. Any speaker who attends this event can only go away smarter, having learned something about how the wider world sees free software. That, too, can only be a good thing.

IBM pledges patent peace for interoperability

IBM's recent patent pledge significantly lowers the bar for using their patents to implement software standards. Rather than specifying particular patents, IBM chose more than 150 different standards for interoperability, pledging not to assert any of their patents that are required to implement the standards. Along with the carrot of that pledge, there is also an implied stick for companies that might consider litigating over their own patents that are required to produce the standard.

Software patents are generally problematic, but those which encumber technology standards can be especially so. When companies come together to form standards bodies, they have often agreed that implementations of the standard would be able to license any patents required, under so-called reasonable and non-discriminatory (RAND) terms. "Reasonable" is in the eye of the beholder, of course, and RAND terms have been used to lock out smaller companies from implementing patented standards along the way. Free and open source implementations are usually locked out, because "reasonable" terms almost always include royalties. Thus, RAND terms are usually discriminatory against free software.

This has led some organizations, notably the World Wide Web Consortium (w3c), to move to an agreement that patents required to implement their standards be licensed on a royalty-free basis. This simplifies things, but requires some amount of bureaucracy as standards participants need to list relevant patents and create documents that state the nature of the royalty-free license.

IBM's move circumvents all of that, by pledging not to assert patent claims against any implementation of the listed standards. The pledge not only covers free implementations, but competitive, commercial, closed source versions as well. The patents themselves do not need to be researched or listed as the pledge covers any that IBM has. It should be noted that this only applies to implementing the standards listed; IBM is not giving carte blanche to use their patented technology.

The only caveat is that IBM will revoke the pledge for any implementor who asserts patent claims on a covered implementation - against IBM or any other party. For any of the standards listed, IBM is thus creating a "patent shield" for anyone who plays fairly, with the implication that unfair play - in the form of patent attacks - may be met with similar attacks from the rather extensive IBM patent portfolio.

Because it is a pledge - not a license or agreement - projects or organizations that want to be covered by it need do nothing. There is no paperwork to file or license text to comply with. They will need to refrain from engaging their patent lawyers to attack others implementing the standards; this should be a constraint that most free software projects can live with. It is rather refreshing to see a company make a pledge that could plausibly reduce the amount of billable lawyer time required by technology companies. Patent lawyers may not agree, of course.

The list of standards that are covered by the pledge is an impressive array of technologies, mostly web standards along with OASIS document format standards. The FAQ accompanying the pledge states that IBM will be evaluating additional standards for inclusion in the list. They clearly believe widely implemented standards are good for their customers:

IBM is making this Pledge to encourage broad adoption of open specifications for software interoperability. Broad implementation of these specifications can dramatically improve our customers' ability to communicate data within and between their enterprises.

There is clearly a public relations aspect to this pledge, but one gets the sense that IBM truly does want to simplify the software patent landscape. They have, perhaps, the largest patent portfolio in the world, but they can also see the mess that software patents, especially patent trolls, are causing. If other companies make similar pledges, definite progress will have been made, at least for interoperability. Since it appears that software patents will be with us for a long time to come, at least in the US, any step forward should be cause for at least a bit of celebration.

Page editor: Jonathan Corbet

Security

SE-PostgreSQL uses SELinux for database security

Security Enhanced Linux (SELinux) adds layers of security on top of the traditional discretionary access control (DAC) offered by UNIX-like systems to provide more fine-grained control over the operating system objects and data. The Security Enhanced PostgreSQL (SE-PostgreSQL) project seeks to provide the same kinds of fine-grained access controls to the PostgreSQL database engine, integrating those policies with SELinux. SE-PostgreSQL has just released its 1.0 beta and is encouraging users to report any bugs before the final 1.0 release.

Traditionally, database systems use a permissions model that is similar to, but separate from, the underlying operating system permissions. Users are created within the database and granted access to various database capabilities, some of which they can pass on to others (which is a feature of DAC). In addition, database management systems (DBMS) have a privileged user that bypasses all of the permissions checks. For a system running SELinux, this situation is less than desirable, as most, if not all, of the carefully crafted policies for restricting data access are ignored by the DBMS. SE-PostgreSQL works with SELinux to apply its policies on top of the DBMS permissions, giving the administrator the fine-grained access control afforded by SELinux within PostgreSQL.

SELinux relies upon "security contexts", which are attached to each object in the operating system: files, directories, sockets, processes, users, etc. These contexts are permanently attached to the various objects and the SELinux policies then dictate how the contexts interact and what kind of operations are allowed to be performed. More information about SELinux and its enforcement mechanisms can be found on the project's webpage as well as in this introductory LWN article.

In a standard PostgreSQL installation, a Linux user can present the credentials (username and password) of any database user and perform the database operations allowed for that user. Using SE-PostgreSQL, SELinux security contexts are associated with each table, row and column of the database. The SELinux policy arbitrator in the kernel is consulted for each database operation, and the operation is either allowed or denied based on the combination of the user context and the database object context. The PostgreSQL user must still have the ability to perform the requested action, as the PostgreSQL permissions are checked before the SELinux policies are even consulted. This two-tiered permissions system is probably unnecessary, so SE-PostgreSQL could completely replace the database permissions in secure installations.

Because security contexts are attached to objects in the operating system, SE-PostgreSQL can alleviate a common problem with data migrating from the filesystem into the database. If filesystem data that requires an elevated level of security is inserted into a database table, that row will inherit the security context of the data. This will prevent users or processes with lower access capabilities from accessing it. Also, depending on the security context of the user querying the database, certain columns or rows may not be available and SE-PostgreSQL intercepts the queries and results, filtering them appropriately. Users will be able to see the query results they are allowed to access and no others.
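The two-tier check and the row and column filtering described above, as a simplified model in Python. This is an added example, not SE-PostgreSQL or PostgreSQL code: the contexts, policy entries, grants and table contents are constructed for the illustration, and the object classes (db_table, db_column, db_tuple) follow SELinux naming conventions rather than any particular SE-PostgreSQL policy.

```python
"""Simplified model of SE-PostgreSQL's two-tier access check.

Added illustration, not SE-PostgreSQL or PostgreSQL code. The contexts,
policy entries, grants and table data are constructed for the example;
the object classes (db_table, db_column, db_tuple) and the allow-rule
style follow SELinux conventions. Anything the policy does not list is
denied, as in SELinux."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    """An SELinux security context: user:role:type:level."""
    user: str
    role: str
    type: str
    level: str = "s0"

    @classmethod
    def parse(cls, text):
        return cls(*text.split(":", 3))


# Constructed type-enforcement policy:
# (subject type, object type, object class) -> permitted permissions.
POLICY = {
    ("staff_t", "sepgsql_table_t", "db_table"): {"select", "insert"},
    ("staff_t", "sepgsql_table_t", "db_column"): {"select"},
    ("staff_t", "sepgsql_table_t", "db_tuple"): {"select", "insert"},
    ("payroll_t", "sepgsql_table_t", "db_table"): {"select", "insert"},
    ("payroll_t", "sepgsql_table_t", "db_column"): {"select"},
    ("payroll_t", "sepgsql_table_t", "db_tuple"): {"select", "insert"},
    ("payroll_t", "sepgsql_secret_column_t", "db_column"): {"select"},
    ("payroll_t", "payroll_file_t", "db_tuple"): {"select", "insert"},
}

# Constructed PostgreSQL grants (the DAC tier): table -> user -> privileges.
GRANTS = {"employees": {"alice": {"SELECT", "INSERT"}, "bob": {"SELECT"}}}


@dataclass
class Table:
    name: str
    context: Context
    columns: dict                              # column name -> Context
    rows: list = field(default_factory=list)   # (row Context, values)


def allowed(subject, obj, obj_class, perm):
    """The policy decision SE-PostgreSQL asks the kernel for."""
    return perm in POLICY.get((subject.type, obj.type, obj_class), set())


def dac_check(table, db_user, privilege):
    """Tier 1: ordinary PostgreSQL privileges, checked before SELinux."""
    if privilege not in GRANTS.get(table.name, {}).get(db_user, set()):
        raise PermissionError(f"DAC: {db_user} lacks {privilege} on {table.name}")


def mac_check(subject, obj, obj_class, perm):
    """Tier 2: SELinux policy for one table or column (denial is an error)."""
    if not allowed(subject, obj, obj_class, perm):
        raise PermissionError(f"MAC: {subject.type} may not {perm} {obj_class} {obj.type}")


def insert(table, subject, db_user, values, file_context=None):
    """INSERT. A row built from data read out of a labelled file keeps the
    file's context instead of the table's default, so its classification
    travels with it into the database."""
    dac_check(table, db_user, "INSERT")
    mac_check(subject, table.context, "db_table", "insert")
    row_ctx = file_context or table.context
    mac_check(subject, row_ctx, "db_tuple", "insert")
    table.rows.append((row_ctx, dict(values)))


def select(table, subject, db_user, columns):
    """SELECT: DAC first, then MAC on the table and each named column, then
    rows the subject may not read are filtered out of the result silently."""
    dac_check(table, db_user, "SELECT")
    mac_check(subject, table.context, "db_table", "select")
    for col in columns:
        mac_check(subject, table.columns[col], "db_column", "select")
    return [{c: vals[c] for c in columns}
            for row_ctx, vals in table.rows
            if allowed(subject, row_ctx, "db_tuple", "select")]


STAFF = Context.parse("user_u:user_r:staff_t:s0")
PAYROLL = Context.parse("system_u:system_r:payroll_t:s0")


def build_demo_table():
    """Constructed 'employees' table: the salary column carries a stricter
    context, and one row is imported from a labelled payroll file."""
    table_ctx = Context.parse("system_u:object_r:sepgsql_table_t:s0")
    secret_ctx = Context.parse("system_u:object_r:sepgsql_secret_column_t:s0")
    table = Table("employees", table_ctx,
                  {"name": table_ctx, "dept": table_ctx, "salary": secret_ctx})
    insert(table, STAFF, "alice", {"name": "Ann", "dept": "eng", "salary": 100})
    insert(table, PAYROLL, "alice", {"name": "Cy", "dept": "exec", "salary": 900},
           file_context=Context.parse("system_u:object_r:payroll_file_t:s0"))
    return table


if __name__ == "__main__":
    demo = build_demo_table()
    print(select(demo, STAFF, "alice", ["name", "dept"]))      # Ann only
    print(select(demo, PAYROLL, "alice", ["name", "salary"]))  # both rows
```

Run as a script it shows a staff_t subject seeing only the row that did not come from the payroll file, while the payroll_t subject sees both rows and the salary column.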

Another related project is PostgreSQL Access Control Extension (PGACE), which provides an interface for PostgreSQL to use the facilities of a secure operating system. This allows SE-PostgreSQL to use the SELinux facilities, but will also allow PostgreSQL to use the Trusted Solaris or other security-oriented operating system facilities. It is meant to provide a common framework of hooks that PostgreSQL can call to determine whether to permit or deny access. It is similar in spirit to the Linux Security Modules (LSM) interface which allows different security implementations to be used by the kernel.

The development of SE-PostgreSQL was supported by the Exploratory Software Project of Japan's Information-Technology Promotion Agency. This project is aimed at funding young developers with new ideas and SE-PostgreSQL would certainly qualify. For security conscious companies using SELinux and PostgreSQL, a look at this project should be high on the list.

Security news

Samsung printer drivers open up the system

A LinuxFR reader has sent out an alert (in French) about the Samsung SCX-4200 printer driver for Linux. It appears that the driver author had some trouble with the Linux permission model; the response was to make a few applications run setuid root. A quick look at the install script shows that the affected programs are xsane, xscanimage, and the major OpenOffice.org components. The script also replaces some CUPS executables and does some other fun things. This seems like code to avoid for anybody wanting to run a remotely secure system.

HP joins the RHEL5 security certification party

HP announced yesterday that it has been awarded Evaluation Assurance Level 4 (EAL4+) security certification for Red Hat Enterprise Linux 5 (RHEL5) running on various server and workstation platforms. HP/RHEL5 is certified with the same set of protection profiles used in the earlier IBM/RHEL5 certification. "HP has been awarded EAL4+, the highest level of assurance for an unmodified, commercial operating system, for Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile, and Role-Based Access Control Protection Profile for Red Hat Enterprise Linux 5 on HP Integrity, ProLiant and BladeSystem platforms as well as select workstations and desktops."

New vulnerabilities

curl: insufficient verification methods

Package(s): curl
CVE #(s): CVE-2007-3564
Created: July 17, 2007
Updated: July 19, 2007
Description: The GnuTLS certificate verification methods implemented in Curl did not check for expiration and activation dates. When performing validations, tools using libcurl3-gnutls would incorrectly allow connections to sites using expired certificates.
Alerts:
Debian DSA-1333 2007-07-18
Ubuntu USN-484-1 2007-07-17
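The check this bug omitted, as an added Python example (not curl's or GnuTLS's code): a validity-window test over the notBefore/notAfter fields of a peer certificate in the form Python's ssl module returns them, with the sample certificate constructed for the illustration.

```python
"""Certificate validity-window check of the kind the GnuTLS code path in
libcurl left out (CVE-2007-3564). Added example, not curl or GnuTLS code.
It operates on the dictionary shape Python's ssl.SSLSocket.getpeercert()
returns, whose notBefore/notAfter fields use the OpenSSL text form
'Mon DD HH:MM:SS YYYY GMT'. The certificate below is constructed."""
import ssl
import time


def check_validity_window(cert, now=None):
    """Return (ok, reason). Rejects certificates not yet activated, expired,
    or lacking a parseable validity period; `now` is epoch seconds (UTC)."""
    now = time.time() if now is None else now
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError) as exc:
        # A certificate whose validity period cannot be read is rejected,
        # never waved through.
        return False, f"unparseable validity period: {exc}"
    if now < not_before:
        return False, "not yet valid: activation date is in the future"
    if now > not_after:
        return False, "expired"
    return True, "within validity period"


# Constructed peer certificate fragment (only the fields this check uses).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan 10 00:00:00 2007 GMT",
    "notAfter": "Jan 10 00:00:00 2008 GMT",
}


def at(text):
    """A point in time written in the same text format, as epoch seconds."""
    return ssl.cert_time_to_seconds(text)


if __name__ == "__main__":
    for when in ("Dec 01 12:00:00 2006 GMT", "Jul 19 12:00:00 2007 GMT",
                 "Mar 01 12:00:00 2008 GMT"):
        print(when, check_validity_window(SAMPLE_CERT, at(when)))
```

This window test is only one part of verification; chain building, signature checks and hostname matching still have to happen separately.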

firefox, thunderbird, seamonkey: multiple vulnerabilities

Package(s): firefox, thunderbird, seamonkey
CVE #(s): CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735
Created: July 18, 2007
Updated: May 12, 2008
Description: shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)

An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)

Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

Alerts:
Debian DSA-1574-1 2008-05-12
Debian DSA-1534-2 2008-04-24
Debian DSA-1535-1 2008-03-30
Debian DSA-1534-1 2008-03-28
Debian DSA-1532-1 2008-03-27
Mandriva MDVSA-2007:047 2007-02-19
Ubuntu USN-503-1 2007-08-24
Slackware SSA:2007-222-04 2007-08-13
SuSE SUSE-SA:2007:049 2007-08-02
Slackware SSA:2007-205-02 2007-07-25
Slackware SSA:2007-205-01 2007-07-25
Foresight FLEA-2007-0033-1 2007-07-24
Debian DSA-1339-1 2007-07-23
Debian DSA-1338-1 2007-07-23
Fedora FEDORA-2007-1181 2007-07-20
Fedora FEDORA-2007-1180 2007-07-20
Debian DSA-1337-1 2007-07-22
Fedora FEDORA-2007-642 2007-07-20
Fedora FEDORA-2007-641 2007-07-20
rPath rPSA-2007-0148-1 2007-07-20
Ubuntu USN-490-1 2007-07-19
Slackware SSA:2007-200-01 2007-07-20
Fedora FEDORA-2007-1159 2007-07-19
Fedora FEDORA-2007-1157 2007-07-19
Fedora FEDORA-2007-1155 2007-07-19
Red Hat RHSA-2007:0724-01 2007-07-18
Red Hat RHSA-2007:0723-01 2007-07-18
Red Hat RHSA-2007:0722-01 2007-07-18
Fedora FEDORA-2007-1143 2007-07-18
Fedora FEDORA-2007-1144 2007-07-18
Fedora FEDORA-2007-1142 2007-07-18
Fedora FEDORA-2007-1138 2007-07-18

flac123: arbitrary code execution

Package(s): flac123
CVE #(s): CVE-2007-3507
Created: July 13, 2007
Updated: October 22, 2007
Description: A stack-based buffer overflow in the local__vcentry_parse_value function in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows user-assisted remote attackers to execute arbitrary code via a large comment value_length.
Alerts:
Gentoo 200709-06 2007-09-14
Fedora FEDORA-2007-1045 2007-07-12

flash-plugin: input validation flaw

Package(s): flash-plugin
CVE #(s): CVE-2007-3456
Created: July 12, 2007
Updated: August 10, 2007
Description: The Firefox flash-plugin module has an input validation flaw involving the display of certain content. If a user can be tricked into opening a specially crafted Adobe Flash file, it may be possible to execute arbitrary code.
Alerts:
Gentoo 200708-01 2007-08-08
Foresight FLEA-2007-0032-1 2007-07-20
SuSE SUSE-SA:2007:046 2007-07-19
Red Hat RHSA-2007:0696-01 2007-07-12

LedgerSMB: authentication bypass

Package(s): LedgerSMB
CVE #(s):
Created: July 18, 2007
Updated: July 18, 2007
Description: The problem occurs because of a flaw in the redirect code which was replaced in order to support additional environments. The redirection code in this case can be accessed through the login module and tricked into providing access without proper authentication.
Alerts: (No alerts in the database for this vulnerability)

mysql: multiple vulnerabilities

Package(s): mysql
CVE #(s): CVE-2007-3780
Created: July 17, 2007
Updated: November 27, 2007
Description: MySQL Community Server before v5.0.45 has multiple vulnerabilities. See the MySQL Community Server 5.0.45 release announcement for details.
Alerts:
Debian DSA-1413-1 2007-11-26
Ubuntu USN-528-1 2007-10-11
Red Hat RHSA-2007:0894-01 2007-09-10
Mandriva MDKSA-2007:177 2007-09-06
Red Hat RHSA-2007:0875-01 2007-08-30
Gentoo 200708-10 2007-08-16
rPath rPSA-2007-0143-1 2007-07-17

tomcat: cross-site scripting

Package(s): tomcat
CVE #(s): CVE-2007-2449 CVE-2007-2450
Created: July 17, 2007
Updated: March 28, 2008
Description: Some JSPs within the 'examples' web application did not escape user provided data. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks (CVE-2007-2449).

Note: it is recommended the 'examples' web application not be installed on a production system.

The Manager and Host Manager web applications did not escape user provided data. If a user is logged in to the Manager or Host Manager web application, an attacker could perform a cross-site scripting attack (CVE-2007-2450).

Alerts:
SuSE SUSE-SR:2008:007 2008-03-28
Fedora FEDORA-2008-1603 2008-02-13
Fedora FEDORA-2008-1467 2008-02-13
Debian DSA-1468-1 2008-01-20
Mandriva MDKSA-2007:241 2007-12-10
Fedora FEDORA-2007-3474 2007-11-17
Fedora FEDORA-2007-3456 2007-11-17
Red Hat RHSA-2007:0569-01 2007-07-17

xnview: buffer overflow

Package(s): xnview
CVE #(s): CVE-2007-2194
Created: July 12, 2007
Updated: July 18, 2007
Description: The XnView image processing utility is vulnerable to a stack-based buffer overflow due to improper handling of XPM image files. If an attacker can trick a user into viewing a specially crafted image file, it may be possible to execute code with the privileges of the user.
Alerts:
Gentoo 200707-06 2007-07-11

X.org: temp file vulnerability

Package(s): X.org
CVE #(s): CVE-2007-3103
Created: July 12, 2007
Updated: July 31, 2007
Description: The X.Org X11 xfs font server has a temp file vulnerability in the startup script. A local user can modify the permissions of the script in order to elevate their local privileges.
Alerts:
Debian DSA-1342-1 2007-07-30
rPath rPSA-2007-0141-1 2007-07-17
Foresight FLEA-2007-0031-1 2007-07-12
Red Hat RHSA-2007:0520-01 2007-07-12
Red Hat RHSA-2007:0519-01 2007-07-12

Updated vulnerabilities

apache2: information disclosure

Package(s): apache
CVE #(s): CVE-2007-1862
Created: June 20, 2007
Updated: February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2007-0704 2007-06-26
Mandriva MDKSA-2007:127 2007-06-19

apache: multiple vulnerabilities

Package(s): apache
CVE #(s): CVE-2007-3304 CVE-2006-5752
Created: June 27, 2007
Updated: February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Fedora FEDORA-2008-1711 2008-02-15
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2007-2214 2007-09-18
rPath rPSA-2007-0182-1 2007-09-14
Ubuntu USN-499-1 2007-08-16
Red Hat RHSA-2007:0662-01 2007-07-13
Red Hat RHSA-2007:0557-01 2007-07-13
Fedora FEDORA-2007-615 2007-07-12
Mandriva MDKSA-2007:142 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:140 2007-07-04
Fedora FEDORA-2007-617 2007-07-02
rPath rPSA-2007-0136-1 2007-06-27
Red Hat RHSA-2007:0556-01 2007-06-26
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0532-01 2007-06-26

Comments (1 posted)

apache: cross-site scripting

Package(s): apache  CVE #(s): CVE-2006-3918
Created: August 9, 2006  Updated: April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

Asterisk: two SIP denial of service vulnerabilities

Package(s): Asterisk  CVE #(s): CVE-2007-1561 CVE-2007-1594
Created: April 3, 2007  Updated: August 27, 2007
Description: The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereference in the SIP channel when handling INVITE messages. Furthermore, qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or by answering with a 0 return code.
Alerts:
Debian DSA-1358-1 2007-08-26
SuSE SUSE-SA:2007:034 2007-06-06
Gentoo 200704-01 2007-04-02

Comments (none posted)

avahi: denial of service

Package(s): avahi  CVE #(s): CVE-2007-3372
Created: June 28, 2007  Updated: September 18, 2007
Description: Avahi is vulnerable to a local denial of service that can be caused by making an erroneous call to the assert() function.
Alerts:
Mandriva MDKSA-2007:185 2007-09-17
Foresight FLEA-2007-0030-1 2007-06-28

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s): bugzilla  CVE #(s): CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created: November 10, 2006  Updated: August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

clamav: denial of service

Package(s): clamav  CVE #(s): CVE-2007-2650
Created: June 5, 2007  Updated: July 20, 2007
Description: A vulnerability in the OLE2 parser in ClamAV was found that could allow a remote attacker to cause a denial of service via resource consumption with a carefully crafted OLE2 file.
Alerts:
Fedora FEDORA-2007-1154 2007-07-19
Debian DSA-1320-1 2007-06-23
Gentoo 200706-05 2007-06-15
Trustix TSLSA-2007-0020 2007-06-08
SuSE SUSE-SA:2007:033 2007-06-06
Mandriva MDKSA-2007:115 2007-06-04

Comments (none posted)

cups: denial of service

Package(s): cups  CVE #(s): CVE-2007-0720
Created: March 26, 2007  Updated: February 7, 2008
Description: Previous versions of the cups package could be forced to hang by a client "partially negotiating" an SSL connection. In this state, cups would not accept any other connections, resulting in a denial of service.
Alerts:
Mandriva MDVSA-2008:036 2007-02-06
Mandriva MDKSA-2007:086 2007-04-16
Red Hat RHSA-2007:0123-01 2007-04-16
Gentoo 200703-28 2007-03-31
Foresight FLEA-2007-0003-1 2007-03-25

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s): cyrus-sasl  CVE #(s): CVE-2006-1721
Created: April 21, 2006  Updated: September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dar: weak cryptography

Package(s): dar  CVE #(s): CVE-2007-3528
Created: July 6, 2007  Updated: July 11, 2007
Description: From the National Vulnerability Database: "The blowfish mode in DAR before 2.3.4 uses weak Blowfish-CBC cryptography by (1) discarding random bits by the blowfish::make_ivec function in libdar/crypto.cpp that results in predictable and repeating IV values, and (2) direct use of a password for keying, which makes it easier for context-dependent attackers to decrypt files."
Alerts:
Fedora FEDORA-2007-0904 2007-07-05

Comments (none posted)

dovecot: directory traversal

Package(s): dovecot  CVE #(s): CVE-2007-2231
Created: May 8, 2007  Updated: May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Debian DSA-1359-1 2007-08-28
Ubuntu USN-487-1 2007-07-17
Fedora FEDORA-2007-493 2007-05-07

Comments (none posted)

emacs21: denial of service

Package(s): emacs21  CVE #(s): CVE-2007-2833
Created: June 21, 2007  Updated: August 29, 2007
Description: The emacs21 editor has a denial of service vulnerability. emacs21 can be made to crash by viewing "certain types of images".
Alerts:
Ubuntu USN-504-1 2007-08-28
rPath rPSA-2007-0133-1 2007-06-25
Mandriva MDKSA-2007:133 2007-06-21
Debian DSA 1316-1 2007-06-21

Comments (none posted)

evolution: format string error

Package(s): evolution  CVE #(s): CVE-2007-1002
Created: March 27, 2007  Updated: February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200706-02 2007-06-06
Red Hat RHSA-2007:0158-01 2007-05-03
Foresight FLEA-2007-0010-1 2007-04-05
Fedora FEDORA-2007-404 2007-04-04
Fedora FEDORA-2007-393 2007-04-04
Mandriva MDKSA-2007:070 2007-03-27

Comments (1 posted)

evolution-data-server: malicious server arbitrary code execution

Package(s): evolution-data-server  CVE #(s): CVE-2007-3257
Created: June 18, 2007  Updated: November 7, 2007
Description: From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array."
Alerts:
Gentoo 200711-04 2007-11-06
Gentoo 200707-03 2007-07-02
SuSE SUSE-SA:2007:042 2007-07-05
Debian DSA-1325-1 2007-06-29
Fedora FEDORA-2007-594 2007-06-27
Fedora FEDORA-2007-595 2007-06-27
Mandriva MDKSA-2007:136 2007-06-26
Red Hat RHSA-2007:0510-01 2007-06-25
Red Hat RHSA-2007:0509-01 2007-06-25
Debian DSA-1321-1 2007-06-23
Ubuntu USN-475-1 2007-06-21
Fedora FEDORA-2007-0464 2007-06-16

Comments (1 posted)

pop mail man-in-the-middle attacks

Package(s): evolution thunderbird mutt fetchmail  CVE #(s): CVE-2007-1558
Created: May 8, 2007  Updated: August 7, 2007
Description: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail.
Alerts:
Fedora FEDORA-2007-1447 2007-08-06
rPath rPSA-2007-0127-1 2007-06-19
Foresight FLEA-2007-0026-1 2007-06-18
rPath rPSA-2007-0122-1 2007-06-14
Red Hat RHSA-2007:0385-01 2007-06-07
rPath rPSA-2007-0114-1 2007-06-04
Mandriva MDKSA-2007:113 2007-06-04
Red Hat RHSA-2007:0386-01 2007-06-04
Fedora FEDORA-2007-0001 2007-06-01
Fedora FEDORA-2007-552 2007-05-31
Fedora FEDORA-2007-550 2007-05-31
Fedora FEDORA-2007-551 2007-05-31
Red Hat RHSA-2007:0401-01 2007-05-30
Fedora FEDORA-2007-539 2007-05-30
Fedora FEDORA-2007-540 2007-05-30
Red Hat RHSA-2007:0344-01 2007-05-30
Mandriva MDKSA-2007:107 2007-05-19
Mandriva MDKSA-2007:105 2007-05-17
Red Hat RHSA-2007:0353-01 2007-05-17
Fedora FEDORA-2007-484 2007-05-07
Fedora FEDORA-2007-485 2007-05-07

Comments (none posted)

fail2ban: log injection vulnerability

Package(s): fail2ban  CVE #(s):
Created: June 22, 2007  Updated: July 30, 2007
Description: fail2ban 0.8 is susceptible to a log injection vulnerability. See this ossec.net entry for more information.
Alerts:
Gentoo 200707-13 2007-07-28
Fedora FEDORA-2007-0621 2007-06-21

Comments (none posted)

fail2ban: denial of service

Package(s): fail2ban  CVE #(s): CVE-2006-6302
Created: February 16, 2007  Updated: July 30, 2007
Description: fail2ban 0.7.4 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address.
Alerts:
Gentoo 200702-05 2007-02-16

Comments (3 posted)

file: integer overflow

Package(s): file  CVE #(s): CVE-2007-2799
Created: June 1, 2007  Updated: October 19, 2007
Description: Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file.
Alerts:
Gentoo 200710-19 2007-10-18
Debian DSA-1343-2 2007-09-25
Debian DSA-1343-1 2007-07-31
SuSE SUSE-SA:2007:040 2007-07-04
Fedora FEDORA-2007-0836 2007-07-03
Fedora FEDORA-2007-538 2007-06-11
Fedora FEDORA-2007-541 2007-06-11
Ubuntu USN-439-2 2007-06-11
Mandriva MDKSA-2007:114 2007-06-05
Gentoo 200705-25 2007-05-31

Comments (3 posted)

firebird: buffer overflow

Package(s): firebird  CVE #(s): CVE-2007-3181
Created: July 2, 2007  Updated: March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Debian DSA-1529-1 2008-03-24
Gentoo 200707-01 2007-07-01

Comments (none posted)

firefox: multiple vulnerabilities

Package(s): firefox mozilla seamonkey thunderbird  CVE #(s): CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
Created: June 4, 2007  Updated: August 29, 2007
Description: Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-2867, CVE-2007-2868)

A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869)

Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362)

A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870)

Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871)

Alerts:
Ubuntu USN-469-2 2007-08-29
SuSE SUSE-SA:2007:036 2007-06-27
Mandriva MDKSA-2007:131 2007-06-20
Gentoo 200706-06 2007-06-19
Foresight FLEA-2007-0027-1 2007-06-20
Fedora FEDORA-2007-0544 2007-06-18
Mandriva MDKSA-2007:126-1 2007-06-16
Mandriva MDKSA-2007:126 2007-06-15
Slackware SSA:2007-165-01 2007-06-15
Debian DSA-1308-1 2007-06-14
Mandriva MDKSA-2007:120 2007-06-12
Mandriva MDKSA-2007:119 2007-06-12
Debian DSA-1305-1 2007-06-13
Debian DSA-1306-1 2007-06-12
Debian DSA-1300-1 2007-06-07
Ubuntu USN-469-1 2007-06-05
Slackware SSA:2007-152-02 2007-06-04
Ubuntu USN-468-1 2007-06-01

Comments (3 posted)

freetype: arbitrary code execution

Package(s): freetype  CVE #(s): CVE-2007-2754
Created: May 24, 2007  Updated: July 19, 2007
Description: The FreeType font rendering library, versions 2.3.4 and below, has an integer sign error. Remote attackers may be able to create a specially crafted TrueType font file with a negative n_points value that causes an integer overflow and a heap-based buffer overflow, allowing the execution of arbitrary code.
Alerts:
Debian DSA-1334 2007-07-18
SuSE SUSE-SA:2007:041 2007-07-04
Fedora FEDORA-2007-561 2007-06-18
Mandriva MDKSA-2007:121 2007-06-13
Foresight FLEA-2007-0025-1 2007-06-13
Red Hat RHSA-2007:0403-01 2007-06-11
Debian DSA-1302-1 2007-06-10
Fedora FEDORA-2007-0033 2007-06-01
Ubuntu USN-466-1 2007-05-30
Gentoo 200705-22 2007-05-30
Trustix TSLSA-2007-0019 2007-05-25
rPath rPSA-2007-0108-1 2007-05-23
Foresight FLEA-2007-0020-1 2007-05-21
OpenPKG OpenPKG-SA-2007.018 2007-05-24

Comments (none posted)

freetype: integer overflows

Package(s): freetype  CVE #(s): CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created: June 8, 2006  Updated: October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s): gcc  CVE #(s): CVE-2006-3619
Created: September 6, 2006  Updated: March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gd: buffer overflow

Package(s): gd  CVE #(s): CVE-2007-0455
Created: February 7, 2007  Updated: February 28, 2008
Description: The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Alerts:
Red Hat RHSA-2008:0146-01 2008-02-28
Ubuntu USN-473-1 2007-06-11
OpenPKG OpenPKG-SA-2007.016 2007-05-18
Trustix TSLSA-2007-0007 2007-02-13
Fedora FEDORA-2007-150 2007-02-12
Fedora FEDORA-2007-149 2007-02-12
rPath rPSA-2007-0028-1 2007-02-08
Mandriva MDKSA-2007:038 2006-02-06
Mandriva MDKSA-2007:036 2006-02-06
Mandriva MDKSA-2007:035 2006-02-06

Comments (2 posted)

gd: denial of service

Package(s): gd  CVE #(s): CVE-2007-2756
Created: June 14, 2007  Updated: February 28, 2008
Description: Libgd2 has a denial of service vulnerability involving the incorrect validation of PNG callback results. If an application that is linked against libgd2 is used to process a specially-crafted PNG file, a denial of service involving CPU resource consumption can be caused.
Alerts:
Red Hat RHSA-2008:0146-01 2008-02-28
Slackware SSA:2007-178-01 2007-06-27
SuSE SUSE-SR:2007:013 2007-06-22
Mandriva MDKSA-2007:124 2007-06-13
Mandriva MDKSA-2007:123 2007-06-13
Mandriva MDKSA-2007:122 2007-06-13

Comments (none posted)

gfax: insecure temporary files

Package(s): gfax  CVE #(s): CVE-2007-2839
Created: July 6, 2007  Updated: July 11, 2007
Description: Steve Kemp from the Debian Security Audit project discovered that gfax, a GNOME frontend for fax programs, uses temporary files in an unsafe manner which may be exploited to execute arbitrary commands with the privileges of the root user.
Alerts:
Debian DSA-1329-1 2007-07-05

Comments (none posted)

gimp: multiple vulnerabilities

Package(s): gimp  CVE #(s): CVE-2007-2949
Created: June 28, 2007  Updated: February 27, 2008
Description: The gimp image editor has several vulnerabilities, including a problem where it can open PSD files with excessive dimensions and a possible stack overflow in the Sunras loader.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Red Hat RHSA-2007:0513-01 2007-09-26
Mandriva MDKSA-2007:170 2007-08-23
Slackware SSA:2007-222-01 2007-08-13
Foresight FLEA-2007-0038-1 2007-08-01
Gentoo 200707-09 2007-07-25
Fedora FEDORA-2007-627 2007-07-16
Debian DSA-1335-1 2007-07-18
Fedora FEDORA-2007-1099 2007-07-16
Fedora FEDORA-2007-1044 2007-07-12
rPath rPSA-2007-0138-1 2007-07-11
Ubuntu USN-480-1 2007-07-04
Fedora FEDORA-2007-618 2007-06-27
Fedora FEDORA-2007-619 2007-06-27
Fedora FEDORA-2007-0725 2007-06-27

Comments (none posted)

HelixPlayer: arbitrary code execution

Package(s): HelixPlayer  CVE #(s): CVE-2007-3410
Created: June 27, 2007  Updated: September 17, 2007
Description: A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410)
Alerts:
Gentoo 200709-05 2007-09-14
Red Hat RHSA-2007:0841-01 2007-08-17
Fedora FEDORA-2007-0756 2007-06-29
Red Hat RHSA-2007:0605-01 2007-06-27

Comments (1 posted)

horde-kronolith: local file inclusion

Package(s): horde-kronolith  CVE #(s): CVE-2006-6175
Created: January 17, 2007  Updated: March 7, 2008
Description: Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user).
Alerts:
Gentoo 200701-11 2007-01-16

Comments (none posted)

ImageMagick: integer overflows

Package(s): imagemagick  CVE #(s): CVE-2007-1797
Created: April 4, 2007  Updated: April 17, 2008
Description: Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.
Alerts:
Red Hat RHSA-2008:0165-01 2008-04-16
Red Hat RHSA-2008:0145-01 2008-04-16
Fedora FEDORA-2007-1340 2007-07-30
Mandriva MDKSA-2007:147 2007-07-20
Ubuntu USN-481-1 2007-07-10
Gentoo 200705-13 2007-05-10
Fedora FEDORA-2007-414 2007-04-17
Fedora FEDORA-2007-413 2007-04-05
rPath rPSA-2007-0064-1 2007-04-04

Comments (none posted)

imlib2: arbitrary code execution

Package(s): imlib2  CVE #(s): CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created: November 6, 2006  Updated: August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriv