LWN.net Logo

LWN.net Weekly Edition for August 30, 2007

The Grumpy Editor encounters Firebug

By Jonathan Corbet
August 28, 2007
Part of the LWN Grumpy Editor series.
Those who have been paying close attention may have noticed a number of changes to the LWN site over the last few weeks. Most of those changes are not visible; our quaint early-90's table-oriented HTML is slowly giving away to a more contemporary design which makes use of the features of cascading style sheets. This sort of work involves a lot of change-and-reload cycles in an effort to figure out why something is not rendering as your editor intended. CSS is a powerful but sometimes obscure technology. One tool your editor wishes he had stumbled across earlier is Firebug, a Firefox extension designed to help with just this sort of work.

Firebug can be thought of as a sort of interactive debugger for HTML and CSS. It is not an authoring tool; it is assumed that content is being created by other means. It is, instead, a way of figuring out why things look the way they do and how to make them come out better.

[html inspector] To that end, Firebug includes an interactive HTML inspector. It's a sort of "view source" window, but done in a much more useful way. By using the "inspect element" option in the Firefox content menu, a web developer can find the HTML for a specific item in a hurry. The display of the document tree is hierarchical, making it easy to see how elements relate to each other. Editing of element attributes is a matter of clicking on them and entering new values; numeric attributes can also be adjusted up and down with the arrow keys. As a result, it is easy to make quick HTML changes and immediately see what the results are.

It is also possible to edit the text contained within the elements, but the interface is somewhat awkward. But this is not a functionality which really matters anyway; Firebug is about markup and rendering, not the content itself.

Positioning the mouse over an element in the HTML inspector highlights the corresponding part of the displayed document. This feature can be useful in correlating the two windows, but it also leads to extensive flashing and blinking as the mouse moves through the window. Something a little less distracting and gaudy would be more to your editor's taste.

The HTML inspector also features a pane which shows the stylesheet entries relevant to the element of interest. The entire cascade is shown, with overridden attributes marked. As a result, it is easy to see where all of the rendering parameters for an element are coming from. Anybody who has worked with CSS for a while knows that the combination of selection rules and cascading can lead to mysterious effects at times. The CSS display removes the mystery, making the source of strange behavior obvious. Once again, CSS parameters can be tweaked on the fly, making it easy to adjust attributes until things fit together just right. One shortcoming here is that adding new attributes does not appear to work in any useful way; it seems that attempts have been made to support this functionality, but your editor was unable to make it work.

[Layout display] There is a separate "layout" display which shows how the various parts of the CSS box model come together in the rendering of a specific element. The values of the margin, border, and padding attributes can all be adjusted on the fly, and a set of rules shows how each plays into the final positioning of the element on the page. Your editor, who has often used the old trick of turning on borders to see how an element has been placed, likes this display better: it separates out the effect of the various attributes and does not, in itself, change the rendering. So questions like "where is that extra white space coming from?" are easily answered. One complaint here is that changing the border parameters is pointless if border style is none (which is the default); it would be nice to be able to play with border styles in the same place.

Finally, there is a mode for playing with stylesheets as a whole. In this mode, the entire stylesheet is available and attributes can be tweaked to see what their effect is on the page as a whole. There is a toggle for every attribute allowing it to be turned off. New attributes can be added - that feature seems to work on this screen. What is missing is any way to save the results of changes.

[Timings display] For those who are concerned with page load times, there is a mode which shows, in bar-graph form, just how long each component of the page took to load. It is possible, in each case, to look at the request and response headers associated with that loading. This feature is probably not one which will be heavily used by most web developers, but it can be useful if a specific page is loading slowly for any reason.

LWN is not a site which makes much use of Javascript, so your editor has not played with the Javascript-specific features of Firebug. Those features look impressive, though. There is a complete interactive debugger, a profiler, a DOM inspector, and more. The HTML inspector, unlike the Firefox "view source" feature, shows what the document's HTML looks like after it has been mangled by Javascript code. All told, it looks like a nice package for those doing that kind of work.

"View source" has always been a fundamental part of how web pages are designed. So it is not surprising that Firebug supports this mode of operation very well. But trying to figure out how a CSS designer got a specific effect from the standard "view source" screens is, with modern pages, often a painful experience. Firebug takes a lot of the pain away by making it easy to look at specific elements and the CSS declarations which affect them. In general, Firebug is a tool which gives a highly useful view into just how the browser is rendering a document. It has become an important part of your editor's toolbox.

Comments (26 posted)

Ruminations on software freedom

By Jake Edge
August 29, 2007

The failure of Microsoft's anti-piracy servers over the weekend would seem an easy entree to some Redmond-bashing, but there are far more important issues to consider. It is sometimes easy to forget about the "freedom" in free software, but that is exactly what protects the users of Linux and other free systems from this kind of misfeature. Using proprietary, closed source software with a decidedly one-sided license agreement is not wrong, per se, but should be considered carefully – not just entered into blindly as is often the case.

With a name that seems like the straight line of a joke, Windows Genuine Advantage (WGA) is the "service" that Microsoft uses to attempt to detect and semi-disable copies of Windows that it concludes have been illegally installed. Each copy checks in with a remote server, sending over some hardware and software profile information to determine if it is properly licensed. Any number of things could happen to a "pirated" copy, but currently XP users get a popup that alerts them to their piracy, while Vista users get some – supposedly non-critical – features disabled. All of which might be reasonable for a truly pirated copy, but for users who are properly licensed, it is annoying, at best, to be treated as a criminal.

For approximately 19 hours starting on Friday 24 August, the WGA servers were not working correctly; some 12,000 machines that checked in with them during that time were marked, incorrectly in the vast majority of cases, as pirated. The first responses from Microsoft technical support indicated that it might be several days before the service was back: "kindly try to validate again on Tuesday 28 Aug 2007." In fact, the WGA team identified and fixed the problem in less than a day, but it highlights that the default or failsafe condition for WGA is "pirated." Vista users were particularly incensed as they had to endure reduced functionality of their fully legal copies of the software.

The reactions of some users to the WGA blog posting announcing the fix were rather telling. Thanking Microsoft for fixing the problem – which they, of course, created – so quickly and over a weekend, while writing off any angry users as cranks, makes it seem that everyone should be thankful that they have any software at all. Many users are willing to cede control of their software to the vendor.

Microsoft is not alone in the practice of software and hardware validation, many copy protection and license key schemes depend on some kind of matching between the key and the hardware it is licensed for. Other vendors snoop on their users, in the interests of cheating prevention in games for example, and report back to central servers. Skype was recently found to root around in Firefox profiles for unknown (possibly benign) reasons. It comes down to a question of who controls the system, both hardware and software, that one has purchased.

The control issue comes in other forms as well. Proprietary data formats are one of the current battlefields. It is rather amazing that folks will pay lots of money to lock up their data in a format that they will probably be unable to read in ten years time; unless they periodically convert it to use the latest format. So-called Digital Rights Management (DRM) is yet another control scheme that imposes restrictions, determined by the vendor, on books, videos, music, and the like. These restrictions are not arbitrary, the sellers try to optimize their income by imposing constraints that won't chase away the majority of their customers.

There are tradeoffs here, folks are generally willing to trade their freedom for the latest whiz-bang software feature or a copy of the latest movie. They rarely think of it in those terms, however. The copyright owners may be within their rights to try to get buyers to agree to their terms; so far, they have largely been successful. There are hopeful signs that people are waking up, recognizing these schemes – DRM, proprietary formats, anti-piracy authentication, etc. – for what they are, an unabashed attempt to control as much as they can get away with.

It will be very interesting to watch how the "iPod generation" reacts when the iPod is no longer the music player of choice. All of the music that they "bought" from iTunes will not play elsewhere. Apple will, in all likelihood, make it as hard as possible to migrate to another player, even if their market dominance in digital music players has passed. Users will be left with no choice but to "buy" the music again, which is great for the record companies, but not so much for the users.

Google Video users ran into the same problem recently, their DRM-infected videos were to stop playing after 15 August. After initially mishandling the revocation, along with a poorly received refund plan, Google has since relented, offering a full refund and extending the life of the videos until February 2008. With luck, users who have been bitten by these schemes will demand DRM-free versions when they make their second purchase.

Users of free software and open formats are largely immune to this kind of silliness. There is no "Linux Genuine Advantage" server running in Linus Torvalds' basement, checking to make sure we are properly licensed. Even the commercial Linux vendors, whose livelihood depends on support subscriptions, cannot get away with enforcing WGA-like schemes; free software can be rewritten, legally, to avoid them. Red Hat, Novell or others cannot reduce your functionality or hold your data hostage, there is no lock-in.

Free software and open formats provide freedom, which is easy to overlook when using them on a day-to-day basis. One can feel very secure that a file created using OpenOffice.org or Gimp today will be readable by something – those applications may be long gone – in 50 or 100 years. Assuming that the data stored on our backup media today can be retrieved in the distant future (and that may be a big assumption), the documents, music, pictures, etc. that were stored there will undoubtedly be retrievable. If someone can find compatible hardware, distribution Live CDs will boot and run, without authenticating anywhere. Proprietary and closed format users have no such assurance.

Comments (21 posted)

A first look at the OpenMoko Neo 1973

By Jake Edge
August 29, 2007
Neo Picture

The hubbub over the iPhone is old news now, unlocking it from AT&T is the big story these days. Another phone – one which may actually deliver what many were hoping for with the iPhone – arrived in the LWN laboratories a few weeks ago: an OpenMoko Neo 1973. The phone, pictured at right (Apple's large handed model was not available), is compact and reasonably light; it looks very different from other cell phones. The hardware seems to be working fairly well at this point, but the software is lagging, which is likely to delay the consumer launch, currently slated for October.

This device is the first to run the OpenMoko software platform. Because it is the first, it is being called the "OpenMoko phone," but the company, OpenMoko, Inc., is clearly hoping to have other manufacturers use the software platform on their own hardware. Their business model is quite different from most in the consumer electronics world as they are very open about their hardware specs as well as their product roadmap. An unlocked phone running free software is obviously their goal; no doubt they would like theirs to be successful, but they are doing everything they can to see that the overall goal is reached.

The Neo hardware is fairly powerful, a 266MHz ARM processor with 128M of RAM and 64M of flash for running Linux and the applications. For additional storage, it has a Micro SD slot, tucked underneath the Subscriber Identity Module (SIM) slot; both live underneath the standard Nokia battery. The back plate is rather easy to remove to get to the battery compartment, though it seems unlikely to pop open unexpectedly; the hardware design seems quite well thought out.

There are several connectivity options, starting with the quad-band GSM radio, which allows it to use cellular networks throughout most of the world. The radio also supports General Packet Radio Service (GPRS) for (slow) data connections, as long as the carrier and contract support it. Bluetooth 2.0 and USB 1.1 round out the communications choices. For the development hardware, there is no charger, USB from a host provides the battery recharging.

There is a GPS receiver in the phone, unfortunately one with a closed-source driver that is not distributed with the phone. There are efforts underway to reverse-engineer the binary driver and produce a free alternative. Once that is done, GPS applications can be written to take advantage of the device.

The touchscreen display is a sharp, 2.8-inch diagonal active matrix at 480x640 resolution which is reasonably easy to see in full sunlight (as long as you tilt it out of the glare). The Neo comes with a combination pen, mini-flashlight and laser pointer to be used as the stylus, which is a useful combination, though leaving ink behind on the screen seems a bit worrisome. There are only two buttons on the phone, one for power and one auxiliary (AUX), both flush with the case to prevent accidental button hits.

OpenMoko older OpenMoko newer

Software is going to make or break any phone project and OpenMoko seems a bit behind in that area. They just announced a complete overhaul of the user interface to be easier to use with fingers, rather than a stylus, and to incorporate what has been learned while using the real Neo hardware. Much of the software was written using emulators; what is easy on a monitor with a mouse is not necessarily so easy on a touchscreen using fingers, particularly when the screen is recessed, making the edges harder to use. The older startup screen is shown on the left, the newer to the right.

Some of the major applications (dialer, contacts, calendar, etc.) have been ported to the new interface (called 2007.2), but there is still a lot of work to do. Both old and new interfaces suffered from poor response and some application and UI crashes. The applications themselves are very rudimentary, probably too simple for what cell phone users expect, but they are a good start.

OpenMoko Contacts
application

Actually connecting and registering with a cellular network was a manual process in the most recent build. Once some fiddling was out of the way, though, the phone could make and receive calls. Audio quality was mediocre and there seems to be some kind of echo cancellation problem for the audio at the other end. Those kinds of problems need to be high on the developers' priority list, without rock-solid basic phone functionality, consumers will be uninterested.

OpenMoko terminal

For a Linux user, it is unarguably cool to be able to ssh into your phone and poke around in the guts of the system. By using USB networking, a simple ifconfig on the host allows connections to the phone. Logging in as root puts you into a shell with BusyBox installed for many of the standard Linux utilities. By configuring the host as a gateway, the phone can access the internet (presumably via GPRS as well). This allows the use of Ipkg to update the phone software in the same way that apt-get and friends are used. There is also a terminal application, shown at right, which provides a root prompt on the screen, though making it bring up an on-screen keyboard was not obvious.

This phone clearly has a lot of potential, but it also has a long way to go to reach the polish that the iPhone is rumored to have. Its strongest feature, though, that it is not tied to any particular carrier, might be enough to carry it in the early going. In addition, carriers will not be able to lock out "foreign" ringtones or only allow their games and applications to be installed. OpenMoko, both the company and the software, are truly trying to live up to their Matrix-inspired slogan: "Free your phone".

Hopefully, the OpenMoko company has the resources to carry it through for a while, until the software catches up with the hardware. If not, though, the software is free, some other company could pick up where they left off. That would be unfortunate, as we look forward to following the development closely; we don't want to wait another year or more for a free (as in freedom) phone. We will keep you updated as things progress.

Comments (54 posted)

Page editor: Jonathan Corbet

Security

Storm worm gains strength

By Jake Edge
August 29, 2007

Spam rates are rising, rapidly, with a lot of the blame being placed on the "storm worm." The worm is targeted at PCs, to build an enormous botnet for purposes that can only be speculated upon. Estimates of the size of the botnet vary, but it is probably fair to say that millions of machines are infected. Interestingly, the techniques used to propagate the worm are evolving and some defense mechanisms are emerging.

The storm worm has been with us since January, its name stems from the subject of the earliest emails that propagated it, attacking in multiple waves of spam since then. It uses the simplest of all infection techniques: tricking recipients into running a program. Those programs, which, from all reports, only run on Windows, then install various kinds of malware, including programs to connect the machine to a massive botnet.

At its root, the storm worm uses various "social engineering" tactics to convince people to either open an executable in the email or to visit a website and download software from there. Several different messages have been tried recently, electronic greeting cards, welcome messages from various "groups" (Wine Lovers, Poker Players, etc.) and the most recent, that claims to be a pointer to a YouTube video that shows you or your family. These messages have been pumped out at enormous rates by the botnet as it tries to grow bigger.

Some defensive behavior has been noted as well. When infected machines are scanned for vulnerabilities or malware, they sometimes react by calling in a distributed denial-of-service (DDoS) attack on the scanning machine. The main concern is for academic networks that sit directly on the internet, machines behind firewalls are generally protected, unless a significant part of the botnet also lives there.

These evolving tactics and defensive measures are not being implemented for fun, the botnet herders probably have a plan for using such a huge botnet, the only question is: for what? The most likely explanation is for DDoS attacks on targeted sites, quite possibly to get paid to stop, which is also known as extortion. They presumably also get paid to send spam – other than that used to increase their size – but extorting money from sites that depend on traffic is probably much more lucrative.

Unlike other botnets, storm's does not rely on a single central server that can be shut down, destroying the botnet. Instead it uses peer-to-peer technology, distributing its command and control infrastructure throughout the network, making it much more difficult to combat. That coupled with the furious spamming and defensive responses makes this the most robust botnet we have seen yet.

While this particular attack does not appear to affect Linux users directly, we should not be resting on our laurels. Linux users likely have a higher clue level, overall, than Windows users, but that level is dropping. As Ubuntu and other desktop, newbie-oriented distributions gain ground, the average computer literacy of the Linux community drops. There is no defense, other than educating users, against folks who download random things and run them on their computer. If the storm botnet herders decide they need even more machines for their plan for total world domination, they might just turn to Linux.

Comments (18 posted)

New vulnerabilities

bugzilla: several vulnerabilities

Package(s):bugzilla CVE #(s):
Created:August 28, 2007 Updated:August 29, 2007
Description: This Bugzilla security advisory covers several vulnerabilities in Bugzilla 2.20.4, 2.22.2, and 3.0.
Alerts:
Fedora FEDORA-2007-1853 2007-08-27

Comments (1 posted)

id3lib: insecure tmpfile creation

Package(s):id3lib CVE #(s):CVE-2007-4460
Created:August 27, 2007 Updated:October 2, 2007
Description: The RenderV2ToFile function in tag_file.cpp in id3lib (aka libid3) 3.8.3 allows local users to overwrite arbitrary files via a symlink attack on a temporary file whose name is constructed from the name of a file being tagged.
Alerts:
Debian DSA-1365-3 2007-10-02
Gentoo 200709-08 2007-09-15
Mandriva MDKSA-2007:180 2007-09-12
Debian DSA-1365-2 2007-09-09
Debian DSA-1365-1 2007-09-01
Fedora FEDORA-2007-1774 2007-08-23

Comments (none posted)

opera: multiple vulnerabilities

Package(s):opera CVE #(s):CVE-2007-4367 CVE-2007-3929 CVE-2007-3142 CVE-2007-3819
Created:August 23, 2007 Updated:February 27, 2008
Description: The Opera browser has multiple vulnerabilities. The JavaScript engine is vulnerable to a virtual function call on an invalid pointer that can be triggered by specially crafted JavaScript. A freed pointer in the BitTorrent support may be accessed, this can be used for malicious code execution. The browser is vulnerable to several memory read protection errors. There are URI display errors that can be used to trick users into visiting arbitrary web sites.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
SuSE SUSE-SA:2007:050 2007-08-30
Gentoo 200708-17 2007-08-22

Comments (none posted)

pam_ssh: authentication restriction bypass

Package(s):pam_ssh CVE #(s):CVE-2007-0844
Created:August 27, 2007 Updated:August 29, 2007
Description: The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the allow_blank_passphrase option is disabled, allows remote attackers to bypass authentication restrictions and use private encryption keys requiring a blank passphrase by entering a non-blank passphrase.
Alerts:
Fedora FEDORA-2007-1793 2007-08-23

Comments (none posted)

po4a: information leak

Package(s):po4a CVE #(s):CVE-2007-4462
Created:August 27, 2007 Updated:September 14, 2007
Description: This update fixes a potential security problem (information leak) due to use of predictable name in /tmp.
Alerts:
Gentoo 200709-04 2007-09-13
Fedora FEDORA-2007-1763 2007-08-23

Comments (none posted)

star: directory traversal vulnerability

Package(s):star CVE #(s):CVE-2007-4134
Created:August 28, 2007 Updated:October 23, 2007
Description: Star saves many files together into a single tape or disk archive, and can restore individual files from the archive. Star supports ACL. Version 1.5a84 fixes a directory traversal vulnerability.
Alerts:
Gentoo 200710-23 2007-10-22
Foresight FLEA-2007-0051-1 2007-09-06
Red Hat RHSA-2007:0873-01 2007-09-04
Fedora FEDORA-2007-1852 2007-08-27

Comments (none posted)

sylpheed: format string vulnerability

Package(s):sylpheed CVE #(s):CVE-2007-2958
Created:August 28, 2007 Updated:October 26, 2007
Description: Ulf Harnhammar (Secunia Research) has discovered a format string vulnerability in sylpheed and claws-mail in inc_put_error() function in src/inc.c when displaying POP3 error reply. The problem can be exploited by malicious POP3 server via specially crafted POP3 server replies containing format specifiers. See this Secunia advisory for more information.
Alerts:
Gentoo 200710-29 2007-10-25
Fedora FEDORA-2007-2009 2007-09-04
Fedora FEDORA-2007-1841 2007-08-27

Comments (none posted)

tar: symlink path traversal vulnerability

Package(s):tar CVE #(s):CVE-2007-4131
Created:August 23, 2007 Updated:December 28, 2007
Description: The tar utility has a symlink path traversal vulnerability involving extracted archives. Maliciously created tar archives can be used to write arbitrary data to files that the tar user has write access to.
Alerts:
Debian DSA-1438-1 2007-12-28
Gentoo 200709-09 2007-09-15
Mandriva MDKSA-2007:173 2007-09-04
Fedora FEDORA-2007-683 2007-08-30
SuSE SUSE-SR:2007:018 2007-08-31
Fedora FEDORA-2007-1890 2007-08-29
Ubuntu USN-506-1 2007-08-28
rPath rPSA-2007-0172-1 2007-08-25
Foresight FLEA-2007-0049-1 2007-08-27
Red Hat RHSA-2007:0860-01 2007-08-23

Comments (none posted)

wordpress: cross-site scripting

Package(s):wordpress CVE #(s):CVE-2007-4139
Created:August 29, 2007 Updated:August 29, 2007
Description: Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php.
Alerts:
Fedora FEDORA-2007-1885 2007-08-29

Comments (none posted)

xterm: local user unauthorized access

Package(s):xterm CVE #(s):CVE-2007-2797
Created:August 27, 2007 Updated:November 15, 2007
Description: Previous versions of the xterm package assigned incorrect ownership and write permissions to pseudo-terminal devices, permitting local users to direct output to other users' xterm sessions.
Alerts:
Red Hat RHSA-2007:0701-02 2007-11-15
rPath rPSA-2007-0169-1 2007-08-23
Foresight FLEA-2007-0048-1 2007-08-23

Comments (1 posted)

Updated vulnerabilities

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2007-0704 2007-06-26
Mandriva MDKSA-2007:127 2007-06-19

Comments (2 posted)

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CVE-2007-3304 CVE-2006-5752
Created:June 27, 2007 Updated:February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Fedora FEDORA-2008-1711 2008-02-15
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2007-2214 2007-09-18
rPath rPSA-2007-0182-1 2007-09-14
Ubuntu USN-499-1 2007-08-16
Red Hat RHSA-2007:0662-01 2007-07-13
Red Hat RHSA-2007:0557-01 2007-07-13
Fedora FEDORA-2007-615 2007-07-12
Mandriva MDKSA-2007:142 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:140 2007-07-04
Fedora FEDORA-2007-617 2007-07-02
rPath rPSA-2007-0136-1 2007-06-27
Red Hat RHSA-2007:0556-01 2007-06-26
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0532-01 2007-06-26

Comments (1 posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

Asterisk: two SIP denial of service vulnerabilities

Package(s):Asterisk CVE #(s):CVE-2007-1561 CVE-2007-1594
Created:April 3, 2007 Updated:August 27, 2007
Description: The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code.
Alerts:
Debian DSA-1358-1 2007-08-26
SuSE SUSE-SA:2007:034 2007-06-06
Gentoo 200704-01 2007-04-02

Comments (none posted)

avahi: denial of service

Package(s):avahi CVE #(s):CVE-2007-3372
Created:June 28, 2007 Updated:September 18, 2007
Description: Avahi is vulnerable to a local denial of service that can be caused by making an erroneous call to the assert() function.
Alerts:
Mandriva MDKSA-2007:185 2007-09-17
Foresight FLEA-2007-0030-1 2007-06-28

Comments (none posted)

bochs: buffer overflow

Package(s):bochs CVE #(s):CVE-2007-2893
Created:July 20, 2007 Updated:November 19, 2007
Description: A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow."
Alerts:
Gentoo 200711-21 2007-11-17
Fedora FEDORA-2007-1778 2007-08-23
Debian DSA-1351-1 2007-08-07
Fedora FEDORA-2007-1153 2007-07-19

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

centericq: buffer overflows

Package(s):centericq CVE #(s):CVE-2007-3713
Created:July 20, 2007 Updated:December 17, 2007
Description: Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160.
Alerts:
Debian DSA-1433-1 2007-12-16
Debian-Testing DTSA-55-1 2007-09-03
Fedora FEDORA-2007-1160 2007-07-19

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200708-04 2007-08-09
Mandriva MDKSA-2007:150 2007-07-25
Debian DSA-1340-1 2007-07-24

Comments (none posted)

cups: denial of service

Package(s):cups CVE #(s):CVE-2007-0720
Created:March 26, 2007 Updated:February 7, 2008
Description: Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service.
Alerts:
Mandriva MDVSA-2008:036 2007-02-06
Mandriva MDKSA-2007:086 2007-04-16
Red Hat RHSA-2007:0123-01 2007-04-16
Gentoo 200703-28 2007-03-31
Foresight FLEA-2007-0003-1 2007-03-25

Comments (none posted)

gpdf: integer overflow

Package(s):cups poppler xpdf CVE #(s):CVE-2007-3387
Created:July 31, 2007 Updated:November 28, 2007
Description: The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more.
Alerts:
Fedora FEDORA-2007-3390 2007-11-20
Fedora FEDORA-2007-3308 2007-11-20
Gentoo 200710-20 2007-10-18
Gentoo 200710-08 2007-10-09
Gentoo 200709-12 2007-09-19
Fedora FEDORA-2007-685 2007-08-30
Debian-Testing DTSA-54-1 2007-08-22
Fedora FEDORA-2007-669 2007-08-13
Fedora FEDORA-2007-644 2007-08-13
Debian DSA-1357-1 2007-08-19
Mandriva MDKSA-2007:162 2007-08-14
Mandriva MDKSA-2007:165 2007-08-15
Foresight FLEA-2007-0046-1 2007-08-14
Fedora FEDORA-2007-1614 2007-08-15
Mandriva MDKSA-2007:164 2007-08-14
Mandriva MDKSA-2007:163 2007-08-14
Foresight FLEA-2007-0045-1 2007-08-14
Foresight FLEA-2007-0044-1 2007-08-14
Mandriva MDKSA-2007:158 2007-08-13
Mandriva MDKSA-2007:160 2007-08-13
Mandriva MDKSA-2007:161 2007-08-13
Mandriva MDKSA-2007:159 2007-08-13
Fedora FEDORA-2007-1594 2007-08-13
Debian DSA-1355-1 2007-08-13
Slackware SSA:2007-222-05 2007-08-13
Slackware SSA:2007-222-02 2007-08-13
Fedora FEDORA-2007-1547 2007-08-10
Fedora FEDORA-2007-1541 2007-08-10
Debian DSA-1354-1 2007-08-13
rPath rPSA-2007-0154-1 2007-08-10
SuSE SUSE-SR:2007:016 2007-08-10
Ubuntu USN-496-2 2007-08-07
Debian DSA-1352-1 2007-08-07
Debian DSA-1350-1 2007-08-06
Debian DSA-1349-1 2007-08-05
Debian DSA-1348-1 2007-08-04
Debian DSA-1347-1 2007-08-04
SuSE SUSE-SR:2007:015 2007-08-03
Ubuntu USN-496-1 2007-08-03
Red Hat RHSA-2007:0731-01 2007-08-01
Red Hat RHSA-2007:0735-01 2007-07-30
Red Hat RHSA-2007:0732-01 2007-07-30
Red Hat RHSA-2007:0729-01 2007-07-30
Red Hat RHSA-2007:0730-01 2007-07-30
Red Hat RHSA-2007:0720-01 2007-07-30

Comments (1 posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dovecot: privilege escalation

Package(s):dovecot CVE #(s):CVE-2007-4211
Created:August 15, 2007 Updated:May 21, 2008
Description: From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a minor privilege escalation attack in which an authenticated user may exploit an ACL plugin weakness to save message flags without having proper permissions."
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Fedora FEDORA-2007-664 2007-08-20
rPath rPSA-2007-0161-1 2007-08-14

Comments (none posted)

dovecot: directory traversal

Package(s):dovecot CVE #(s):CVE-2007-2231
Created:May 8, 2007 Updated:May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Debian DSA-1359-1 2007-08-28
Ubuntu USN-487-1 2007-07-17
Fedora FEDORA-2007-493 2007-05-07

Comments (none posted)

emacs21: denial of service

Package(s):emacs21 CVE #(s):CVE-2007-2833
Created:June 21, 2007 Updated:August 29, 2007
Description: The emacs21 editor has a denial of service vulnerability. emacs21 can be made to crash by viewing "certain types of images".
Alerts:
Ubuntu USN-504-1 2007-08-28
rPath rPSA-2007-0133-1 2007-06-25
Mandriva MDKSA-2007:133 2007-06-21
Debian DSA 1316-1 2007-06-21

Comments (none posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200706-02 2007-06-06
Red Hat RHSA-2007:0158-01 2007-05-03
Foresight FLEA-2007-0010-1 2007-04-05
Fedora FEDORA-2007-404 2007-04-04
Fedora FEDORA-2007-393 2007-04-04
Mandriva MDKSA-2007:070 2007-03-27

Comments (1 posted)

evolution-data-server: malicious server arbitrary code execution

Package(s):evolution-data-server CVE #(s):CVE-2007-3257
Created:June 18, 2007 Updated:November 7, 2007
Description: From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array."
Alerts:
Gentoo 200711-04 2007-11-06
Gentoo 200707-03 2007-07-02
SuSE SUSE-SA:2007:042 2007-07-05
Debian DSA-1325-1 2007-06-29
Fedora FEDORA-2007-594 2007-06-27
Fedora FEDORA-2007-595 2007-06-27
Mandriva MDKSA-2007:136 2007-06-26
Red Hat RHSA-2007:0510-01 2007-06-25
Red Hat RHSA-2007:0509-01 2007-06-25
Debian DSA-1321-1 2007-06-23
Ubuntu USN-475-1 2007-06-21
Fedora FEDORA-2007-0464 2007-06-16

Comments (1 posted)

file: integer overflow

Package(s):file CVE #(s):CVE-2007-2799
Created:June 1, 2007 Updated:October 19, 2007
Description: Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file.
Alerts:
Gentoo 200710-19 2007-10-18
Debian DSA-1343-2 2007-09-25
Debian DSA-1343-1 2007-07-31
SuSE SUSE-SA:2007:040 2007-07-04
Fedora FEDORA-2007-0836 2007-07-03
Fedora FEDORA-2007-538 2007-06-11
Fedora FEDORA-2007-541 2007-06-11
Ubuntu USN-439-2 2007-06-11
Mandriva MDKSA-2007:114 2007-06-05
Gentoo 200705-25 2007-05-31

Comments (3 posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Debian DSA-1529-1 2008-03-24
Gentoo 200707-01 2007-07-01

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2007-3844 CVE-2007-3845
Created:August 1, 2007 Updated:February 20, 2008
Description:

A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844)

Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845)

Alerts:
Mandriva MDVSA-2007:047 2007-02-19
Fedora FEDORA-2007-3414 2007-11-16
Fedora FEDORA-2007-3431 2007-11-16
Red Hat RHSA-2007:0981-01 2007-10-19
Red Hat RHSA-2007:0980-01 2007-10-19
Red Hat RHSA-2007:0979-01 2007-10-19
Debian DSA-1391-1 2007-10-19
Gentoo 200708-09 2007-08-14
rPath rPSA-2007-0157-1 2007-08-10
Slackware SSA:2007-215-01 2007-08-06
Debian DSA-1346-1 2007-08-04
Debian DSA-1345-1 2007-08-04
Debian DSA-1344-1 2007-08-03
Foresight FLEA-2007-0040-1 2007-08-03
Slackware SSA:2007-213-01 2007-08-02
Mandriva MDKSA-2007:152 2007-08-01
Foresight FLEA-2007-0039-1 2007-08-01
Ubuntu USN-493-1 2007-07-31

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla seamonkey thunderbird CVE #(s):CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
Created:June 4, 2007 Updated:August 29, 2007
Description: Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-2867, CVE-2007-2868)

A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869)

Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362)

A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871)

Alerts:
Ubuntu USN-469-2 2007-08-29
SuSE SUSE-SA:2007:036 2007-06-27
Mandriva MDKSA-2007:131 2007-06-20
Gentoo 200706-06 2007-06-19
Foresight FLEA-2007-0027-1 2007-06-20
Fedora FEDORA-2007-0544 2007-06-18
Mandriva MDKSA-2007:126-1 2007-06-16
Mandriva MDKSA-2007:126 2007-06-15
Slackware SSA:2007-165-01 2007-06-15
Debian DSA-1308-1 2007-06-14
Mandriva MDKSA-2007:120 2007-06-12
Mandriva MDKSA-2007:119 2007-06-12
Debian DSA-1305-1 2007-06-13
Debian DSA-1306-1 2007-06-12
Debian DSA-1300-1 2007-06-07
Ubuntu USN-469-1 2007-06-05
Slackware SSA:2007-152-02 2007-06-04
Ubuntu USN-468-1 2007-06-01

Comments (3 posted)

firefox, thunderbird, seamonkey: multiple vulnerabilities

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735
Created:July 18, 2007 Updated:May 12, 2008
Description: shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)

An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)

Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

Alerts:
Debian DSA-1574-1 2008-05-12
Debian DSA-1534-2 2008-04-24
Debian DSA-1535-1 2008-03-30
Debian DSA-1534-1 2008-03-28
Debian DSA-1532-1 2008-03-27
Mandriva MDVSA-2007:047 2007-02-19
Ubuntu USN-503-1 2007-08-24
Slackware SSA:2007-222-04 2007-08-13
SuSE SUSE-SA:2007:049 2007-08-02
Slackware SSA:2007-205-02 2007-07-25
Slackware SSA:2007-205-01 2007-07-25
Foresight FLEA-2007-0033-1 2007-07-24
Debian DSA-1339-1 2007-07-23
Debian DSA-1338-1 2007-07-23
Fedora FEDORA-2007-1181 2007-07-20
Fedora FEDORA-2007-1180 2007-07-20
Debian DSA-1337-1 2007-07-22
Fedora FEDORA-2007-642 2007-07-20
Fedora FEDORA-2007-641 2007-07-20
rPath rPSA-2007-0148-1 2007-07-20
Ubuntu USN-490-1 2007-07-19
Slackware SSA:2007-200-01 2007-07-20
Fedora FEDORA-2007-1159 2007-07-19
Fedora FEDORA-2007-1157 2007-07-19
Fedora FEDORA-2007-1155 2007-07-19
Red Hat RHSA-2007:0724-01 2007-07-18
Red Hat RHSA-2007:0723-01 2007-07-18
Red Hat RHSA-2007:0722-01 2007-07-18
Fedora FEDORA-2007-1143 2007-07-18
Fedora FEDORA-2007-1144 2007-07-18
Fedora FEDORA-2007-1142 2007-07-18
Fedora FEDORA-2007-1138 2007-07-18

Comments (none posted)

flac123: arbitrary code execution

Package(s):flac123 CVE #(s):CVE-2007-3507
Created:July 13, 2007 Updated:October 22, 2007
Description: A stack-based buffer overflow in the local__vcentry_parse_value function in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows user-assisted remote attackers to execute arbitrary code via a large comment value_length.
Alerts:
Gentoo 200709-06 2007-09-14
Fedora FEDORA-2007-1045 2007-07-12

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gd: buffer overflow

Package(s):gd CVE #(s):CVE-2007-0455
Created:February 7, 2007 Updated:February 28, 2008
Description: The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Alerts:
Red Hat RHSA-2008:0146-01 2008-02-28
Ubuntu USN-473-1 2007-06-11
OpenPKG OpenPKG-SA-2007.016 2007-05-18
Trustix TSLSA-2007-0007 2007-02-13
Fedora FEDORA-2007-150 2007-02-12
Fedora FEDORA-2007-149 2007-02-12
rPath rPSA-2007-0028-1 2007-02-08
Mandriva MDKSA-2007:038 2006-02-06
Mandriva MDKSA-2007:036 2006-02-06
Mandriva MDKSA-2007:035 2006-02-06

Comments (2 posted)

gd: multiple vulnerabilities

Package(s):gd CVE #(s):CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478
Created:August 6, 2007 Updated:July 22, 2008
Description: Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified remote attack vectors and impact. (CVE-2007-3472)

The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473)

Multiple unspecified vulnerabilities in the GIF reader in the GD Graphics Library (libgd) before 2.0.35 allow user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3474)

The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map. (CVE-2007-3475)

Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault. (CVE-2007-3476)

The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allows attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. (CVE-2007-3477)

Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors, possibly involving truetype font (TTF) support. (CVE-2007-3478)

Alerts:
Debian DSA-1613-1 2008-07-22
Red Hat RHSA-2008:0146-01 2008-02-28
SuSE SUSE-SR:2007:015 2007-08-03
Fedora FEDORA-2007-692 2007-09-18
Fedora FEDORA-2007-2055 2007-09-07
Foresight FLEA-2007-0052-1 2007-09-06
rPath rPSA-2007-0176-1 2007-09-05
Trustix TSLSA-2007-0024 2007-08-10
Gentoo 200708-05 2007-08-