LWN.net Logo

LWN.net Weekly Edition for August 16, 2007

MySQL stops distributing Enterprise Server source code

By Jake Edge
August 15, 2007

In announcing changes to the way it does its releases, MySQL AB, the company behind the MySQL database, probably knew what element would be the most controversial. Listed last of five changes was the plan to no longer be distribute Enterprise Server source code. Very quickly noticed by members of the MySQL community, then by the wider free software community, it caused a bit of an uproar. A Slashdot headline, later reworded, proclaimed "MySQL Closing Off Its Source", which was easily enough to fan the flames. A closer look reveals that not all that much has changed, MySQL is trying to find ways to have a free software product that generates revenue – a difficult balancing act.

The roots of the problem go back to the split of MySQL into two products: Enterprise Server and Community Server. That change was announced in October 2006 and was an attempt by MySQL AB to separate the needs of the "community" from those of their commercial, "enterprise" customers. The words chosen were, perhaps, a bit distasteful; one would think that all MySQL users are members of the community, the real distinction they were trying to make is: paying vs. non-paying.

At the time of that split, there was talk that MySQL AB was turning its back on free software, "going corporate" as it were. In fact, the company has kept up its side of the bargain, releasing its code under the GPL. It has also worked with the Free Software Foundation on GPLv3; upcoming MySQL releases might very well be covered by that license. Its biggest sin, in some eyes, has been the unwillingness to forgo making a profit.

The change that caused the latest stink is more subtle, as it just changes the Community Server development process. But, as a seemingly unnecessary part of that change, the Enterprise Server source tarballs will no longer be available on the the ftp.mysql.com site. The source will be distributed to customers who buy the Enterprise Server, but will no longer be accessible – from MySQL AB – by the community at large.

The company evidently wants to make a sharp distinction between the two releases, which is what led them to restrict the source code. Various Linux distributions have been using the Enterprise source, rather than the the Community source, to build MySQL packages and the company would rather not see that. Kaj Arnö, VP of Community Relations for MySQL AB, puts it this way:

What we do intend is related to positioning: MySQL Community Server is for our users, MySQL Enterprise Server is for our paying customers. We want people to associate MySQL Enterprise Server with a commercial relationship to MySQL as a company.

It seems a rather drastic step, likely to induce community annoyance, for very little gain. The marginal cost of maintaining another copy of the tarball should be nearly zero. In addition, Arnö has acknowledged that the source will still be available to anyone who truly wants it. Folks like DorsalSource are already planning to provide source and binary versions of the Enterprise products as they are released.

GPL compliance, always a confusing topic, was at the heart of a lot of the complaints about withdrawing the source. The company is complying with the license by providing the source code to their Enterprise customers with the binary distribution. Given that they hold the copyright for the entire package, by requiring contributors to assign their copyrights, they could make other license arrangements with their customers, but choose to stick with the GPL.

The other, less controversial changes announced were largely codifying the current Community release practices. One of those practices, leaving new features and bug fixes out of the community releases, at least until the next major release, seems contrary to the intent for the Community Server. When it was set up, it was to be the testbed for the Enterprise Server, but that role has clearly fallen by the wayside.

There are legitimate differences between large, enterprise-class customers (who are more likely to pay for support) and the rest of the universe of MySQL users. One wants stable releases, on a fixed schedule, that have been extensively tested in real-world installations. The other wants new features and bug fixes more quickly, even if they have not yet had extensive testing. Unfortunately, it seems like MySQL AB may be confused about which group of users needs each style of release.

A parallel is often drawn between the split that Red Hat made between Fedora and Red Hat Enterprise Linux (RHEL), but while the original reasoning seems to be the same, the implementation is rather different. For reasons that are not entirely clear, Enterprise Server gets monthly "hotfix" releases that often seem to contain fixes that are out of place for a stable release. Often, the changes have not yet been released in a community version, so they have only been tested in MySQL AB's labs.

This is very different from the Fedora/RHEL model as the frequency of releases between community and enterprise has been reversed. In the Red Hat model, features (new packages) are released first in Fedora, vetted by the community, then released in an RHEL release sometime later, typically much later. It is hard to see what benefit monthly releases provide to a "stable" product. An exception must be made for security fixes, but those should not wait until the next scheduled release anyway.

MySQL AB seems to see things differently, one must hope that they are right, and that they understand precisely what their customers want. It would be a tragedy for MySQL AB to falter; they are a free software company that does an enormous amount of work on the database software that is used freely by millions. Thankfully, even if that did happen, MySQL the software package, would continue, perhaps at a slower pace. That, in many ways, sums up what MySQL AB, or any company that uses a free license, gives to their users, paying or non-paying, the ability to keep using and extending the software even if the company fails.

Comments (3 posted)

A bad day for the SCO Group

By Jonathan Corbet
August 11, 2007
Sometimes, a little reminiscing is called for. Think back to March 7, 2003, when the SCO Group, once a Linux distributor named Caldera, filed its initial complaint against IBM:

Prior to IBM's involvement, Linux was the software equivalent of a bicycle. UNIX was the software equivalent of a luxury car. To make Linux of necessary quality for use by enterprise customers, it must be re-designed so that Linux also becomes the software equivalent of a luxury car. This re-design is not technologically feasible or even possible at the enterprise level without (1) a high degree of design coordination, (2) access to expensive and sophisticated design and testing equipment; (3) access to UNIX code, methods and concepts; (4) UNIX architectural experience; and (5) a very significant financial investment.

IBM, by providing those things, was alleged to have misappropriated SCO's property, breached contracts, and generally ruined SCO's day. At the core of these allegations was the claim that IBM had funneled SCO's Unix code into Linux - up to one million lines' worth. IBM fought back strongly, and, over time, it became clear that no large-scale copying of Unix code into Linux had happened - in fact, almost no copying had happened at all.

IBM continues to argue its case, but an interesting thing happened in May, 2003, when Novell issued a press release claiming that it, rather than SCO, was the owner of the Unix copyrights.

Importantly, and contrary to SCO's assertions, SCO is not the owner of the UNIX copyrights. Not only would a quick check of U.S. Copyright Office records reveal this fact, but a review of the asset transfer agreement between Novell and SCO confirms it. To Novell's knowledge, the 1995 agreement governing SCO's purchase of UNIX from Novell does not convey to SCO the associated copyrights. We believe it unlikely that SCO can demonstrate that it has any ownership interest whatsoever in those copyrights.

According to Novell, all of SCO's attempts to sell "Linux licenses," and the lawsuit too, were built on a false foundation. SCO was suing over copyrights it did not even own. An interesting little detail that came out later on was that Novell, in selling the Unix licensing business to the Santa Cruz Operation ("old SCO"), had retained the right to waive any claims against Unix licensees; Novell proceeded to exercise that right by requiring SCO to drop its claims against IBM.

SCO, of course, responded by suing Novell. Over the years, the suit grew into a complicated mess of claims and counterclaims upon which was built a series of motions for summary judgments. On August 11, the court, under Judge Dale Kimball, ruled on those motions [PDF]. The result was almost certainly the end of the SCO saga.

In short, Judge Kimball ruled on several issues:

  • Novell never transferred the copyrights to Unix to the Santa Cruz Operation or anybody else. The reasoning which leads to this conclusion is quite long, involving sifting through a great deal of evidence and testimony. But the end result is straightforward: the SCO Group does not own the Unix copyrights. SCO had been asking for a "slander of title" judgment against Novell and an injunction requiring Novell to effect the actual transfer of copyrights; both of those motions were dismissed as a result of this ruling.

  • SCO claimed that Novell had acted outside of "good faith and fair dealing" by acting to waive the claims against IBM. But the relevant law says that, if you sign a contract with another party which explicitly empowers you to perform a specific action, you cannot be acting in bad faith if you do what the contract says you can do. So this claim, too, was dismissed.

  • Novell filed its own slander-of-title claims, which SCO had tried to dispose of via a summary judgment motion. That motion was denied, and Novell still has an open case which it can argue at trial.

  • SCO argues that some of the language in the original asset purchase agreement constitutes a non-compete agreement on Novell's part. Yet another motion from Novell asked to dismiss SCO's claims that Novell is violating its non-compete agreements by selling Linux. Several approaches were taken, but Judge Kimball ruled against them all, keeping SCO's non-compete claims alive: "The court also concludes that, to the extent that SCO has a copyright to enforce, SCO can simultaneously pursue both a copyright infringement claim and a breach of contract claim based on the non-compete restrictions in the license back of the Licensed Technology under APA and the TLA."

  • SCO had tried to argue that Novell was not empowered to waive its claims against IBM (and Sequent, which was purchased by IBM) because the specific licenses at issue were not covered by the agreement. The court disagreed. In short: "...SCO is obligated to recognized Novell's waiver of SCO's claims against IBM and Sequent."

  • The (complex) deal with old SCO required that all Unix license revenues be passed back to Novell; Novell would then tip 5% of those revenues back to SCO as an administrative fee. When Sun and Microsoft bought their high-profile licenses, however, SCO kept the cash. So Novell asked for a judgment to the effect that SCO owed money. Novell also expressed the reasonable fear that SCO might just blow its remaining cash before Novell could get its hands on it, so it asked the court to seize the money immediately.

    Here, the court decided that the licenses sold to Sun and Microsoft did indeed come, at least partially, under the agreement and that SCO should have paid Novell. "Because SCO failed to do so, it breached its fiduciary duty to Novell under the APA and is liable for conversion." In U.S. legal talk, "conversion" means something very close to "theft." The court refused to set up a "constructive trust" establishing Novell's rights to SCO's funds, though, because it did not know how much money is owed. It seems that a portion of the licensing fees might relate SCO's own work and thus would not fall under the agreement with Novell. Until that portion is quantified, there is "a question of fact" on how much Novell is entitled to, and summary judgments cannot be made when there are questions of fact.

This judgment changes the entire game. Much of SCO's case against IBM is now gone - before IBM really even got a chance to defend itself. There has been no copying of SCO's "valuable intellectual property" - it would appear that SCO does not have much of that. SCO's claims that IBM had violated its Unix license agreements have always been tenuous, but they may now become moot, since Novell has exercised its now-clear right to waive any claims based on that agreement. SCO might still be able to push forward its claims that IBM treated it badly with regard to the Monterey initiative. That's far removed from the $5 billion jackpot the company had gone for, though - and it is totally irrelevant to the Linux community.

It is worth remembering that there is a large pile of summary judgment motions pending in SCO v. IBM as well - and that they are before the same judge. It makes sense for Judge Kimball to have resolved the copyright ownership issue first. But the IBM motions have been outstanding for many months and are due for action. What happens there will be interesting; Judge Kimball may settle or moot many of them based on the Novell ruling. That would be a welcome result, but it would fail to provide a definitive answer to some interesting questions - like whether the Unix license agreements, prior to being waived by Novell, truly prohibited IBM from contributing work like read-copy-update or the JFS filesystem to Linux. Even so, IBM has some interesting motions - the GPL violation charges, for example - which will still need to be resolved in their own merits.

SCO might just file an appeal as an attempt to stay any judgments which would bring an end to the IBM case. It is hard to see such an appeal as anything more than (yet another) delaying tactic, though. Given that SCO's lawyers have already seen all the revenue they will earn from this case, their enthusiasm for such a course might just be a little bit low.

Meanwhile, Red Hat had filed suit in August, 2003, seeking to clear the title to its own products and to put an end to the SCO campaign. That case was put on hold pending the results of the IBM case. If Red Hat wanted to, it would appear that a case could now be made for moving that suit forward: Red Hat's products clearly are not infringing upon any intellectual property rights that SCO might own. At this point, though, that would be mostly an exercise in tying up loose ends. Few people have worried about the propriety of the Linux code base for some time, and SCO's anti-Linux campaign was effectively stopped some time ago.

It may take a while to see where all the pieces land, but the SCO affair is, for all practical purposes, over. We, the Linux community, were incredibly lucky here, as painful and expensive as this whole series of events was. Given the success of Linux, it was certain that somebody, somewhere, was going to try to make a grab for it. What happened was that we were attacked by an opponent which was so inept, so lacking in any sort of real cause, and so misguided in its choice of targets that we would have been hard-put to lose. In the process, we took a hard look at where our code comes from, found that we have what must be one of the most legitimate code bases around, and tightened up our procedures anyway. The chances of there being another copyright-based attack of any note have dropped to almost zero. SCO has left us stronger than we were before.

As we put the SCO case behind us, there remains one interesting question: now that Novell is unquestionably the owner of the Unix copyrights, what will it do with them? The commercial value of those copyrights must be near zero at this point - Linux and the BSDs have free code which is better. About the only value left is FUD value - and the SCO case has shown that those copyrights are not worth much in that area either. Still, Novell could provide a more than fitting end to this episode, and perhaps begin to rebuild its standing in the free software community, by releasing the Unix code under a free license - probably a permissive license - and closing the proprietary Unix era forevermore.

Comments (39 posted)

Getting started with Git

By Jake Edge
August 15, 2007

New jobs always come with learning "opportunities"; this one was no different in that respect. Once this long-time vi bigot learned enough emacs to create a daily security update, the big learning challenge was Git. I have used many different revision control systems along the way, starting with sccs, through RCS and CVS, to subversion – and a dash of mercurial. Git is fundamentally different than all of those – though mercurial is close – its learning curve is steep, its usage model is radically different.

One of the major differences is that Git is a distributed revision (or version) control system, while most of the others are centralized. In a distributed system there is no central repository that everyone uses to put their changes into, there are, instead, numerous repositories, each residing on a developer's machine. Typically, those developer repositories have been "cloned" from a master repository somewhere. Each developer then owns their repository; they can make changes, commit them, make branches, tag releases, etc. – all without ever contacting the master repository. When they are ready to share their changes, they either "push" them into a repository, or, more likely, ask a repository owner to "pull" changes from a specific branch of their repository.

Another reason for the steep learning curve is that Git started out as a fairly low-level tool, just providing the "plumbing" for version control. The intent was to add more user-friendly interfaces to the plumbing, so-called porcelain, as time went on. As Git matured, the porcelain has moved in with the plumbing, so the core Git package has had many of the rough edges filed off, but it is still lower-level than most other revision control systems. In my Git learning journey, I found a number of helpful sites, that can help get users up to speed rather quickly.

For users who want to learn Git so they can look at Linux kernel source, the best starting point is Jeff Garzik's "The Kernel Hackers' Guide to Git". It provides a quick overview of the commands needed to grab a copy of Linus's kernel tree, make branches from it, commit to it, and keep it up to date. The main missing piece is on using tags, which is how different versions of the kernel are represented in the repository.

If managing a project with Git is in the cards, the right starting point is: "A tutorial introduction to git". This covers the basics of setting up a repository to hold a project and importing the project's code. It also has sections on many of the tasks that a repository user will need to commit their changes, create branches for parallel lines of development, follow the history of changes, and collaborate with others. The second part of the tutorial covers some of the internal workings of Git: the object database and the index file.

Those coming to Git from another version control system may want to look at the tutorials specific to their tool. CVS and subversion have their own tutorials, each geared towards users converting from those centralized version control systems. The "git for CVS users" page is a bit terse, often referring to the tutorial above, but it does provide some of the basics a CVS user will need. The "Git - SVN Crash Course" on the other hand is fairly in-depth coverage, presenting the exact Git equivalents for a large number of svn commands and concepts.

Once the basics have been mastered, it is time for the serious reference material, which is where the Git User's Manual comes into play. It contains multiple chapters covering every facet of Git, including a detailed look at the internals of Git, its storage formats and the like. When trying to do something more complicated than is covered in the narrowly focused tutorials, the User's Manual is the place to go.

Git commands are typically invoked from the command line as subcommands of the git command: git commit for example. When trying to track down the most serious reference material of all, though, using an alternate syntax to refer to the Git subcommands is required: man git-commit for example. From the command line, man git is a good starting point; the same information, with nice clicky links, is also available here.

With these reference materials at hand, it should be fairly straightforward to get up and running with Git. For me, at least, there is still a lot to learn, but with these sites available, I am mastering more of it each time I dive in. If still more information is needed, the GitWiki and its documentation page are the next places to try.

Comments (10 posted)

Page editor: Jonathan Corbet

Security

Exploiting races in system call wrappers

By Jake Edge
August 15, 2007

A technique that is often used by security software, and has historically been a source of security holes, has once again been shown to be exploitable on many systems. Research recently presented by Robert N.M. Watson at the USENIX Workshop on Offensive Technologies (WOOT07) demonstrates race conditions in software that uses "system call wrapping" (or "hooking"). The race conditions can be exploited to circumvent the protections that the software is supposed to provide. Well behaved Linux software is not vulnerable, but other free operating systems do allow, and even encourage, the practice.

There are several different ways to implement wrappers, but at the core, they are kernel code that intercepts system calls from all applications, running their own code before and after the real system call. The wrapper code can see and modify all of the arguments being passed to and from the system call. This technique can be used to enforce various policies on the use of the system calls, denying or sharply restricting access. Logging, for audit trail purposes, all system call activity is another way the wrappers could be used.

Anti-virus or intrusion detection and prevention are the kinds of applications that use system call wrapping. Intercepting all calls to open(), for example, checking the file for viruses or illegal access and if so, returning an error, are the kinds of tasks that system call wrappers are used for. Notable users of system call wrappers are the OpenBSD and NetBSD Systrace facility, the Generic Software Wrappers Toolkit and the CerbNG firewall for FreeBSD.

Thus, intercepting system calls is a technique that is useful, but not without hazards. These recent vulnerabilities are endemic to the technique, not tied to a specific implementation. They exploit that bugaboo of system programmers everywhere: the race condition. Specifically, they are time-of-check-to-time-of-use (TOCTTOU) or other, similar, bugs.

A TOCTTOU exploit abuses the gap in time between the test for a condition and the use of an object that passes the test. If the object is changed in that gap, the restrictions that were supposed to be enforced by the test can be bypassed. The classic example is a setuid() program that tests a file for legal access by the real user before opening it. If the user replaces the file with a symlink to a file they can't legally access after the test, but before the open(), they have circumvented the security check.

Two similar race conditions have been identified for applications using system call wrappers: time-of-audit-to-time-of-use (TOATTOU) and time-of-replacement-to-time-of-use (TORTTOU). In both cases, the data that gets passed to the system call is manipulated. For TOATTOU, it is done to obscure the data from any auditing or logging that might be done, covering the tracks of an exploit from an intrusion detection application for example. In the TORTTOU case, if the data passed into the system call is changed by the wrapper, to implement "jail" functionality for instance, the exploit changes it back before the system call is made.

In his paper, "Exploiting Concurrency Vulnerabilities in System Call Wrappers" (PDF), Watson shows techniques to reliably exploit the race conditions in a variety of packages that use system call wrappers. On both single and multi-processor systems, mechanisms were found to exploit the time gap – because system calls, especially with wrappers, are not atomic operations.

For single processor systems, one of his examples used data that had its last byte on a swapped-out page. While the kernel is sleeping, awaiting the page to be swapped in, another process can change the data that has already been read. For multiprocessor systems, the windows are typically smaller, but it is not necessary to arrange for the kernel to sleep, a thread on a different processor can be used to alter the data. The main problem in that case is synchronizing with the kernel process so that the exploit knows when to change the data. Watson found several synchronization methods, one very simple one just spins waiting for the data to change and changes it back, effecting a TORTTOU exploit.

For these and other reasons, Linux does not export its system call table and actively discourages programmers from taking this approach. There are no real solutions to the problems Watson has identified unless the system call wrapping technique is abandoned. The two solutions he has suggested are either moving to a "message passing" architecture for system calls or to integrate the security checks into the kernel itself. He specifically mentions the Linux Security Modules approach as one that alleviates the system call wrapper race.

It is unfortunate that there are still many uses of system call wrapping in today's free operating systems. While the specific problems that Watson describes may not have been known, wrappers as a source of security bugs certainly have been. It is a seductive technique, one that seems simple to implement and foolproof, but it is clearly fraught with peril. The BSD family needs to find other ways to implement their security applications as do any Linux vendors who have ignored the kernel developers and continued to use the wrapping technique.

Comments (8 posted)

New vulnerabilities

dovecot: privilege escalation

Package(s):dovecot CVE #(s):CVE-2007-4211
Created:August 15, 2007 Updated:May 21, 2008
Description: From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a minor privilege escalation attack in which an authenticated user may exploit an ACL plugin weakness to save message flags without having proper permissions."
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Fedora FEDORA-2007-664 2007-08-20
rPath rPSA-2007-0161-1 2007-08-14

Comments (none posted)

libarchive: pax extension header vulnerabilities

Package(s):libarchive CVE #(s):CVE-2007-3641 CVE-2007-3644 CVE-2007-3645
Created:August 9, 2007 Updated:February 27, 2008
Description: libarchive, a library for manipulating different streaming archive formats, has a number of pax extension header vulnerabilities. These may be used to cause a denial of service or for the execution of arbitrary code.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Debian DSA-1455-1 2008-01-08
Gentoo 200708-03 2007-08-08

Comments (none posted)

qtpfsgui: arbitrary code execution

Package(s):qtpfsgui CVE #(s):CVE-2007-2956
Created:August 13, 2007 Updated:August 15, 2007
Description: There is a boundary error in Qtpfsgui and pfstools when reading the header of a Radiance RGBE (*.hdr) file within the "readRadianceHeader()" function in src/fileformat/rgbeio.cpp (Qtpfsgui) or src/Fileformat/rgbeio.cpp (pfstools) which can lead to arbitrary code execution.
Alerts:
Fedora FEDORA-2007-1581 2007-08-13

Comments (none posted)

squirrelmail: arbitrary code execution

Package(s):squirrelmail CVE #(s):CVE-2005-1924 CVE-2006-4169
Created:August 13, 2007 Updated:August 15, 2007
Description: There is a vulnerability in the squirrelmail G/PGP plugin:

An authenticated user could use the plugin to execute arbitrary code on the server, or a remote attacker could send a specially crafted e-mail to a SquirrelMail user, possibly leading to the execution of arbitrary code with the privileges of the user running the underlying web server. Note that the G/PGP plugin is disabled by default.

Alerts:
Gentoo 200708-08 2007-08-11

Comments (1 posted)

terminal: arbitrary code execution

Package(s):terminal CVE #(s):CVE-2007-3770
Created:August 13, 2007 Updated:December 19, 2007
Description: A vulnerability was found in the Xfce terminal program:

Lasse Karkkainen discovered that the function terminal_helper_execute() in file terminal-helper.c does not properly escape the URIs before processing.

Alerts:
Fedora FEDORA-2007-4368 2007-12-15
Fedora FEDORA-2007-4385 2007-12-15
Debian DSA-1393-1 2007-10-23
Fedora FEDORA-2007-1620 2007-08-15
Ubuntu USN-497-1 2007-08-14
Gentoo 200708-07 2007-08-11

Comments (none posted)

xvid: array indexing vulnerabilities

Package(s):xvid CVE #(s):CVE-2007-3329
Created:August 9, 2007 Updated:August 15, 2007
Description: The Xvid video codec has a number of array indexing vulnerabilities. It may be possible for an attacker to maliciously create a video that causes the execution of arbitrary code.
Alerts:
Gentoo 200708-02 2007-08-08

Comments (none posted)

Updated vulnerabilities

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2007-0704 2007-06-26
Mandriva MDKSA-2007:127 2007-06-19

Comments (2 posted)

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CVE-2007-3304 CVE-2006-5752
Created:June 27, 2007 Updated:February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Fedora FEDORA-2008-1711 2008-02-15
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2007-2214 2007-09-18
rPath rPSA-2007-0182-1 2007-09-14
Ubuntu USN-499-1 2007-08-16
Red Hat RHSA-2007:0662-01 2007-07-13
Red Hat RHSA-2007:0557-01 2007-07-13
Fedora FEDORA-2007-615 2007-07-12
Mandriva MDKSA-2007:142 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:140 2007-07-04
Fedora FEDORA-2007-617 2007-07-02
rPath rPSA-2007-0136-1 2007-06-27
Red Hat RHSA-2007:0556-01 2007-06-26
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0532-01 2007-06-26

Comments (1 posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

Asterisk: two SIP denial of service vulnerabilities

Package(s):Asterisk CVE #(s):CVE-2007-1561 CVE-2007-1594
Created:April 3, 2007 Updated:August 27, 2007
Description: The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code.
Alerts:
Debian DSA-1358-1 2007-08-26
SuSE SUSE-SA:2007:034 2007-06-06
Gentoo 200704-01 2007-04-02

Comments (none posted)

avahi: denial of service

Package(s):avahi CVE #(s):CVE-2007-3372
Created:June 28, 2007 Updated:September 18, 2007
Description: Avahi is vulnerable to a local denial of service that can be caused by making an erroneous call to the assert() function.
Alerts:
Mandriva MDKSA-2007:185 2007-09-17
Foresight FLEA-2007-0030-1 2007-06-28

Comments (none posted)

bind: DNS cache poisoning

Package(s):bind CVE #(s):CVE-2007-2926
Created:July 24, 2007 Updated:August 20, 2007
Description: A flaw was found in the way BIND generates outbound DNS query ids. If an attacker is able to acquire a finite set of query IDs, it becomes possible to accurately predict future query IDs. Future query ID prediction may allow an attacker to conduct a DNS cache poisoning attack, which can result in the DNS server returning incorrect client query data.
Alerts:
Gentoo 200708-13 2007-08-18
SuSE SUSE-SA:2007:047 2007-08-01
Trustix TSLSA-2007-0023 2007-07-28
Slackware SSA:2007-207-01 2007-07-27
rPath rPSA-2007-0149-1 2007-07-27
Fedora FEDORA-2007-647 2007-07-26
Debian DSA-1341-2 2007-07-25
Mandriva MDKSA-2007:149 2007-12-31
Debian DSA-1341-1 2007-07-25
Ubuntu USN-491-1 2007-07-25
OpenPKG OpenPKG-SA-2007.022 2007-07-25
Fedora FEDORA-2007-1247 2007-07-24
Red Hat RHSA-2007:0740-01 2007-07-24

Comments (none posted)

bochs: buffer overflow

Package(s):bochs CVE #(s):CVE-2007-2893
Created:July 20, 2007 Updated:November 19, 2007
Description: A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow."
Alerts:
Gentoo 200711-21 2007-11-17
Fedora FEDORA-2007-1778 2007-08-23
Debian DSA-1351-1 2007-08-07
Fedora FEDORA-2007-1153 2007-07-19

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

centericq: buffer overflows

Package(s):centericq CVE #(s):CVE-2007-3713
Created:July 20, 2007 Updated:December 17, 2007
Description: Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160.
Alerts:
Debian DSA-1433-1 2007-12-16
Debian-Testing DTSA-55-1 2007-09-03
Fedora FEDORA-2007-1160 2007-07-19

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200708-04 2007-08-09
Mandriva MDKSA-2007:150 2007-07-25
Debian DSA-1340-1 2007-07-24

Comments (none posted)

cups: denial of service

Package(s):cups CVE #(s):CVE-2007-0720
Created:March 26, 2007 Updated:February 7, 2008
Description: Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service.
Alerts:
Mandriva MDVSA-2008:036 2007-02-06
Mandriva MDKSA-2007:086 2007-04-16
Red Hat RHSA-2007:0123-01 2007-04-16
Gentoo 200703-28 2007-03-31
Foresight FLEA-2007-0003-1 2007-03-25

Comments (none posted)

gpdf: integer overflow

Package(s):cups poppler xpdf CVE #(s):CVE-2007-3387
Created:July 31, 2007 Updated:November 28, 2007
Description: The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more.
Alerts:
Fedora FEDORA-2007-3390 2007-11-20
Fedora FEDORA-2007-3308 2007-11-20
Gentoo 200710-20 2007-10-18
Gentoo 200710-08 2007-10-09
Gentoo 200709-12 2007-09-19
Fedora FEDORA-2007-685 2007-08-30
Debian-Testing DTSA-54-1 2007-08-22
Fedora FEDORA-2007-669 2007-08-13
Fedora FEDORA-2007-644 2007-08-13
Debian DSA-1357-1 2007-08-19
Mandriva MDKSA-2007:162 2007-08-14
Mandriva MDKSA-2007:165 2007-08-15
Foresight FLEA-2007-0046-1 2007-08-14
Fedora FEDORA-2007-1614 2007-08-15
Mandriva MDKSA-2007:164 2007-08-14
Mandriva MDKSA-2007:163 2007-08-14
Foresight FLEA-2007-0045-1 2007-08-14
Foresight FLEA-2007-0044-1 2007-08-14
Mandriva MDKSA-2007:158 2007-08-13
Mandriva MDKSA-2007:160 2007-08-13
Mandriva MDKSA-2007:161 2007-08-13
Mandriva MDKSA-2007:159 2007-08-13
Fedora FEDORA-2007-1594 2007-08-13
Debian DSA-1355-1 2007-08-13
Slackware SSA:2007-222-05 2007-08-13
Slackware SSA:2007-222-02 2007-08-13
Fedora FEDORA-2007-1547 2007-08-10
Fedora FEDORA-2007-1541 2007-08-10
Debian DSA-1354-1 2007-08-13
rPath rPSA-2007-0154-1 2007-08-10
SuSE SUSE-SR:2007:016 2007-08-10
Ubuntu USN-496-2 2007-08-07
Debian DSA-1352-1 2007-08-07
Debian DSA-1350-1 2007-08-06
Debian DSA-1349-1 2007-08-05
Debian DSA-1348-1 2007-08-04
Debian DSA-1347-1 2007-08-04
SuSE SUSE-SR:2007:015 2007-08-03
Ubuntu USN-496-1 2007-08-03
Red Hat RHSA-2007:0731-01 2007-08-01
Red Hat RHSA-2007:0735-01 2007-07-30
Red Hat RHSA-2007:0732-01 2007-07-30
Red Hat RHSA-2007:0729-01 2007-07-30
Red Hat RHSA-2007:0730-01 2007-07-30
Red Hat RHSA-2007:0720-01 2007-07-30

Comments (1 posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dovecot: directory traversal

Package(s):dovecot CVE #(s):CVE-2007-2231
Created:May 8, 2007 Updated:May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Debian DSA-1359-1 2007-08-28
Ubuntu USN-487-1 2007-07-17
Fedora FEDORA-2007-493 2007-05-07

Comments (none posted)

emacs21: denial of service

Package(s):emacs21 CVE #(s):CVE-2007-2833
Created:June 21, 2007 Updated:August 29, 2007
Description: The emacs21 editor has a denial of service vulnerability. emacs21 can be made to crash by viewing "certain types of images".
Alerts:
Ubuntu USN-504-1 2007-08-28
rPath rPSA-2007-0133-1 2007-06-25
Mandriva MDKSA-2007:133 2007-06-21
Debian DSA 1316-1 2007-06-21

Comments (none posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200706-02 2007-06-06
Red Hat RHSA-2007:0158-01 2007-05-03
Foresight FLEA-2007-0010-1 2007-04-05
Fedora FEDORA-2007-404 2007-04-04
Fedora FEDORA-2007-393 2007-04-04
Mandriva MDKSA-2007:070 2007-03-27

Comments (1 posted)

evolution-data-server: malicious server arbitrary code execution

Package(s):evolution-data-server CVE #(s):CVE-2007-3257
Created:June 18, 2007 Updated:November 7, 2007
Description: From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array."
Alerts:
Gentoo 200711-04 2007-11-06
Gentoo 200707-03 2007-07-02
SuSE SUSE-SA:2007:042 2007-07-05
Debian DSA-1325-1 2007-06-29
Fedora FEDORA-2007-594 2007-06-27
Fedora FEDORA-2007-595 2007-06-27
Mandriva MDKSA-2007:136 2007-06-26
Red Hat RHSA-2007:0510-01 2007-06-25
Red Hat RHSA-2007:0509-01 2007-06-25
Debian DSA-1321-1 2007-06-23
Ubuntu USN-475-1 2007-06-21
Fedora FEDORA-2007-0464 2007-06-16

Comments (1 posted)

file: integer overflow

Package(s):file CVE #(s):CVE-2007-2799
Created:June 1, 2007 Updated:October 19, 2007
Description: Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file.
Alerts:
Gentoo 200710-19 2007-10-18
Debian DSA-1343-2 2007-09-25
Debian DSA-1343-1 2007-07-31
SuSE SUSE-SA:2007:040 2007-07-04
Fedora FEDORA-2007-0836 2007-07-03
Fedora FEDORA-2007-538 2007-06-11
Fedora FEDORA-2007-541 2007-06-11
Ubuntu USN-439-2 2007-06-11
Mandriva MDKSA-2007:114 2007-06-05
Gentoo 200705-25 2007-05-31

Comments (3 posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Debian DSA-1529-1 2008-03-24
Gentoo 200707-01 2007-07-01

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2007-3844 CVE-2007-3845
Created:August 1, 2007 Updated:February 20, 2008
Description:

A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844)

Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845)

Alerts:
Mandriva MDVSA-2007:047 2007-02-19
Fedora FEDORA-2007-3414 2007-11-16
Fedora FEDORA-2007-3431 2007-11-16
Red Hat RHSA-2007:0981-01 2007-10-19
Red Hat RHSA-2007:0980-01 2007-10-19
Red Hat RHSA-2007:0979-01 2007-10-19
Debian DSA-1391-1 2007-10-19
Gentoo 200708-09 2007-08-14
rPath rPSA-2007-0157-1 2007-08-10
Slackware SSA:2007-215-01 2007-08-06
Debian DSA-1346-1 2007-08-04
Debian DSA-1345-1 2007-08-04
Debian DSA-1344-1 2007-08-03
Foresight FLEA-2007-0040-1 2007-08-03
Slackware SSA:2007-213-01 2007-08-02
Mandriva MDKSA-2007:152 2007-08-01
Foresight FLEA-2007-0039-1 2007-08-01
Ubuntu USN-493-1 2007-07-31

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla seamonkey thunderbird CVE #(s):CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
Created:June 4, 2007 Updated:August 29, 2007
Description: Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-2867, CVE-2007-2868)

A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869)

Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362)

A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871)

Alerts:
Ubuntu USN-469-2 2007-08-29
SuSE SUSE-SA:2007:036 2007-06-27
Mandriva MDKSA-2007:131 2007-06-20
Gentoo 200706-06 2007-06-19
Foresight FLEA-2007-0027-1 2007-06-20
Fedora FEDORA-2007-0544 2007-06-18
Mandriva MDKSA-2007:126-1 2007-06-16
Mandriva MDKSA-2007:126 2007-06-15
Slackware SSA:2007-165-01 2007-06-15
Debian DSA-1308-1 2007-06-14
Mandriva MDKSA-2007:120 2007-06-12
Mandriva MDKSA-2007:119 2007-06-12
Debian DSA-1305-1 2007-06-13
Debian DSA-1306-1 2007-06-12
Debian DSA-1300-1 2007-06-07
Ubuntu USN-469-1 2007-06-05
Slackware SSA:2007-152-02 2007-06-04
Ubuntu USN-468-1 2007-06-01

Comments (3 posted)

firefox, thunderbird, seamonkey: multiple vulnerabilities

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735
Created:July 18, 2007 Updated:May 12, 2008
Description: shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)

An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)

Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

Alerts:
Debian DSA-1574-1 2008-05-12
Debian DSA-1534-2 2008-04-24
Debian DSA-1535-1 2008-03-30
Debian DSA-1534-1 2008-03-28
Debian DSA-1532-1 2008-03-27
Mandriva MDVSA-2007:047 2007-02-19
Ubuntu USN-503-1 2007-08-24
Slackware SSA:2007-222-04 2007-08-13
SuSE SUSE-SA:2007:049 2007-08-02
Slackware SSA:2007-205-02 2007-07-25
Slackware SSA:2007-205-01 2007-07-25
Foresight FLEA-2007-0033-1 2007-07-24
Debian DSA-1339-1 2007-07-23
Debian DSA-1338-1 2007-07-23
Fedora FEDORA-2007-1181 2007-07-20
Fedora FEDORA-2007-1180 2007-07-20
Debian DSA-1337-1 2007-07-22
Fedora FEDORA-2007-642 2007-07-20
Fedora FEDORA-2007-641 2007-07-20
rPath rPSA-2007-0148-1 2007-07-20
Ubuntu USN-490-1 2007-07-19
Slackware SSA:2007-200-01 2007-07-20
Fedora FEDORA-2007-1159 2007-07-19
Fedora FEDORA-2007-1157 2007-07-19
Fedora FEDORA-2007-1155 2007-07-19
Red Hat RHSA-2007:0724-01 2007-07-18
Red Hat RHSA-2007:0723-01 2007-07-18
Red Hat RHSA-2007:0722-01 2007-07-18
Fedora FEDORA-2007-1143 2007-07-18
Fedora FEDORA-2007-1144 2007-07-18
Fedora FEDORA-2007-1142 2007-07-18
Fedora FEDORA-2007-1138 2007-07-18

Comments (none posted)

flac123: arbitrary code execution

Package(s):flac123 CVE #(s):CVE-2007-3507
Created:July 13, 2007 Updated:October 22, 2007
Description: A stack-based buffer overflow in the local__vcentry_parse_value function in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows user-assisted remote attackers to execute arbitrary code via a large comment value_length.
Alerts:
Gentoo 200709-06 2007-09-14
Fedora FEDORA-2007-1045 2007-07-12

Comments (none posted)

flash-plugin: input validation flaw

Package(s):flash-plugin CVE #(s):CVE-2007-3456
Created:July 12, 2007 Updated:August 10, 2007
Description: The Firefox flash-plugin module has an input validation flaw involving the display of certain content. If a user can be tricked into opening a specially crafted Adobe Flash file, it may be possible to execute arbitrary code.
Alerts:
Gentoo 200708-01 2007-08-08
Foresight FLEA-2007-0032-1 2007-07-20
SuSE SUSE-SA:2007:046 2007-07-19
Red Hat RHSA-2007:0696-01 2007-07-12

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gd: buffer overflow

Package(s):gd CVE #(s):CVE-2007-0455
Created:February 7, 2007 Updated:February 28, 2008
Description: The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Alerts:
Red Hat RHSA-2008:0146-01 2008-02-28
Ubuntu USN-473-1 2007-06-11
OpenPKG OpenPKG-SA-2007.016 2007-05-18
Trustix TSLSA-2007-0007 2007-02-13
Fedora FEDORA-2007-150 2007-02-12
Fedora FEDORA-2007-149 2007-02-12
rPath rPSA-2007-0028-1 2007-02-08
Mandriva MDKSA-2007:038 2006-02-06
Mandriva MDKSA-2007:036 2006-02-06
Mandriva MDKSA-2007:035 2006-02-06

Comments (2 posted)

gd: multiple vulnerabilities

Package(s):gd CVE #(s):CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478
Created:August 6, 2007 Updated:July 22, 2008
Description: Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified remote attack vectors and impact. (CVE-2007-3472)

The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473)

Multiple unspecified vulnerabilities in the GIF reader in the GD Graphics Library (libgd) before 2.0.35 allow user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3474)

The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map. (CVE-2007-3475)

Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault. (CVE-2007-3476)

The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allows attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. (CVE-2007-3477)

Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors, possibly involving truetype font (TTF) support. (CVE-2007-3478)

Alerts:
Debian DSA-1613-1 2008-07-22
Red Hat RHSA-2008:0146-01 2008-02-28
SuSE SUSE-SR:2007:015 2007-08-03
Fedora FEDORA-2007-692 2007-09-18
Fedora FEDORA-2007-2055 2007-09-07
Foresight