The Grumpy Editor encounters Firebug
Those who have been paying close attention may have noticed a number of
changes to the LWN site over the last few weeks. Most of those changes are
not visible; our quaint early-90's table-oriented HTML is slowly giving
way to a more contemporary design which makes use of the features of
cascading style sheets. This sort of work involves a lot of
change-and-reload cycles in an effort to figure out why something is not
rendering as your editor intended. CSS is a powerful but sometimes obscure
technology. One tool your editor wishes he had stumbled across earlier is
Firebug, a Firefox extension
designed to help with just this sort of work.
Firebug can be thought of as a sort of interactive debugger for HTML and
CSS. It is not an authoring tool; it is assumed that content is being
created by other means. It is, instead, a way of figuring out why things
look the way they do and how to make them come out better.
To that end, Firebug includes an interactive HTML inspector. It's a sort
of "view source" window, but done in a much more useful way. By using the
"inspect element" option in the Firefox context menu, a web developer can
find the HTML for a specific item in a hurry. The display of the document
tree is hierarchical, making it easy to see how elements relate to each
other. Editing of element attributes is a matter of clicking on them and
entering new values; numeric attributes can also be adjusted up and down
with the arrow keys. As a result, it is easy to make quick HTML changes
and immediately see what the results are.
It is also possible to edit the text contained within the elements, but the
interface is somewhat awkward. But this is not a functionality which
really matters anyway; Firebug is about markup and rendering, not the
content itself.
Positioning the mouse over an element in the HTML inspector highlights the
corresponding part of the displayed document. This feature can be useful
in correlating the two windows, but it also leads to extensive flashing and
blinking as the mouse moves through the window. Something a little less
distracting and gaudy would be more to your editor's taste.
The HTML inspector also features a pane which shows the stylesheet entries
relevant to the element of interest. The entire cascade is shown, with
overridden attributes marked. As a result, it is easy to see where all of
the rendering parameters for an element are coming from. Anybody who has
worked with CSS for a while knows that the combination of selection rules
and cascading can lead to mysterious effects at times. The CSS display
removes the mystery, making the source of strange behavior obvious. Once
again, CSS parameters can be tweaked on the fly, making it easy to adjust
attributes until things fit together just right. One shortcoming here is
that adding new attributes does not appear to work in any useful way; it
seems that attempts have been made to support this functionality, but your
editor was unable to make it work.
There is a separate "layout" display which shows how the various parts of
the CSS box model come together in the rendering of a specific element.
The values of the margin, border, and padding attributes can all be
adjusted on the fly, and a set of rules shows how each plays into the final
positioning of the element on the page. Your editor, who has often used
the old trick of turning on borders to see how an element has been placed,
likes this display better: it separates out the effect of the various
attributes and does not, in itself, change the rendering. So questions
like "where is that extra white space coming from?" are easily answered.
One complaint here is that changing the border parameters is pointless if
border style is none (which is the default); it would be nice to
be able to play with border styles in the same place.
Finally, there is a mode for playing with stylesheets as a whole. In this
mode, the entire stylesheet is available and attributes can be tweaked to
see what their effect is on the page as a whole. There is a toggle for
every attribute allowing it to be turned off. New attributes can be added
- that feature seems to work on this screen. What is missing is any way to
save the results of changes.
For those who are concerned with page load times, there is a mode which
shows, in bar-graph form, just how long each component of the page took to
load. It is possible, in each case, to look at the request and response
headers associated with that loading. This feature is probably not one
which will be heavily used by most web developers, but it can be useful if
a specific page is loading slowly for any reason.
LWN is not a site which makes much use of Javascript, so your editor has
not played with the Javascript-specific features of Firebug. Those
features look impressive, though. There is a complete interactive
debugger, a profiler, a DOM inspector, and more. The HTML inspector,
unlike the Firefox "view source" feature, shows what the document's HTML
looks like after it has been mangled by Javascript code. All told,
it looks like a nice package for those doing that kind of work.
"View source" has always been a fundamental part of how web pages are
designed. So it is not surprising that Firebug supports this mode of
operation very well. But trying to figure out how a CSS designer got a
specific effect from the standard "view source" screens is, with modern
pages, often a painful experience. Firebug takes a lot of the pain away by
making it easy to look at specific elements and the CSS declarations which
affect them. In general, Firebug is a tool which gives a highly useful
view into just how the browser is rendering a document. It has become an
important part of your editor's toolbox.
Ruminations on software freedom
By Jake Edge
August 29, 2007
The failure
of Microsoft's anti-piracy servers over the weekend would seem an easy
entree to some Redmond-bashing, but there are far more important issues to
consider. It is sometimes easy to forget about the "freedom" in free
software, but that is exactly what protects the users of Linux and
other free systems from this kind of misfeature. Using proprietary,
closed source software with a decidedly one-sided license agreement is not
wrong, per se, but should be considered carefully – not just entered
into blindly as is often the case.
With a name that seems like the straight line of a joke, Windows Genuine
Advantage (WGA) is the "service" that Microsoft uses to attempt to detect
and semi-disable copies of Windows that it concludes have been illegally
installed. Each copy
checks in with a remote server, sending over some hardware and software
profile information to determine if it is properly licensed. Any number of
things could happen to a "pirated" copy, but currently XP users get a popup
that alerts them to their piracy, while Vista users get some –
supposedly non-critical – features disabled. All of which might be
reasonable for a truly pirated copy, but for users who are properly licensed,
it is annoying, at best, to be treated as a criminal.
For approximately 19 hours starting on Friday 24 August, the WGA servers
were not working correctly; some 12,000 machines that checked in with
them during that
time were marked, incorrectly in the vast majority of cases, as pirated.
The first responses from Microsoft technical support indicated that it might
be several days before the service was back: "kindly try to validate again
on Tuesday 28 Aug 2007." In fact, the WGA team identified and fixed the
problem in less than a day, but it highlights that the default or failsafe
condition for WGA is "pirated." Vista users were particularly incensed as
they had to endure reduced functionality of their fully legal copies of
the software.
The reactions of some users to the
WGA
blog posting announcing the fix were rather telling. Thanking Microsoft
for fixing the problem – which they, of course, created – so
quickly and over a weekend, while writing off any angry users as cranks,
makes it seem that everyone should be thankful that they have any
software at all. Many users are willing to cede control of their software
to the vendor.
Microsoft is not alone in the practice of software and hardware validation;
many copy protection and license key schemes depend on some kind of
matching between the key and the hardware it is licensed for. Other
vendors snoop on their users, in the interests of cheating prevention in
games for example, and report back to central servers. Skype was recently
found
to root around in Firefox profiles for unknown (possibly benign) reasons.
It comes down to a question of who controls the system, both hardware and
software, that one has purchased.
The control issue comes in other forms as well. Proprietary data formats are
one of the current battlefields. It is rather amazing that folks will
pay lots of money to lock up their data in a format that they will
probably be unable to read in ten years time; unless they periodically
convert it to use the latest format. So-called Digital Rights Management
(DRM) is yet another control scheme that imposes restrictions, determined
by the vendor, on books, videos, music, and the like. These restrictions
are not arbitrary; the sellers try to optimize their income by imposing
constraints that won't chase away the majority of their customers.
There are tradeoffs here; folks are generally willing to trade their freedom
for the latest whiz-bang software feature or a copy of the latest movie.
They rarely think of it in those terms, however. The copyright owners may
be within their rights to try to get buyers to agree to their terms; so far,
they have largely been successful. There are hopeful signs that people
are waking up, recognizing these schemes – DRM, proprietary formats,
anti-piracy authentication, etc. – for what they are, an unabashed
attempt to control as much as they can get away with.
It will be very interesting to watch how the "iPod generation" reacts when
the iPod is no longer the music player of choice. All of the music that
they "bought" from iTunes will not play elsewhere. Apple will, in all
likelihood, make it as hard as possible to migrate to another player, even
if their market dominance in digital music players has passed. Users will
be left with no choice but to "buy" the music again, which is great for the
record companies, but not so much for the users.
Google Video users ran into the same problem recently: their DRM-infected
videos were to stop playing after 15 August. After initially mishandling
the revocation, along
with a poorly received refund plan, Google has since relented, offering a
full refund and extending the life of the videos until February 2008.
With luck, users who have been bitten by these schemes will demand DRM-free
versions when they make their second purchase.
Users of free software and open formats are largely immune to this kind of
silliness. There is no "Linux Genuine Advantage"
server running in Linus
Torvalds' basement, checking to make sure we are properly licensed. Even
the commercial Linux vendors, whose livelihood depends on support
subscriptions, cannot get away with enforcing WGA-like schemes; free
software can be rewritten, legally, to avoid them. Red Hat, Novell or
others cannot reduce your functionality or hold your data hostage; there is
no lock-in.
Free software and open formats provide freedom, which is easy to overlook
when using them on a day-to-day basis. One can feel very secure that a
file created using OpenOffice.org or Gimp today will be readable by
something – those applications may be long gone – in 50
or 100 years. Assuming that the data stored on our backup media today can
be retrieved in the distant future (and that may be a big assumption), the
documents, music, pictures, etc. that were stored there will undoubtedly be
retrievable. If
someone can find compatible hardware, distribution Live CDs will boot and
run, without authenticating anywhere. Proprietary and closed format
users have no such assurance.
A first look at the OpenMoko Neo 1973
By Jake Edge
August 29, 2007
The hubbub over the iPhone is old news now; unlocking it from AT&T
is the big story these days. Another phone – one which may actually deliver what
many were hoping for with the iPhone – arrived in the LWN laboratories a few
weeks ago: an OpenMoko Neo 1973. The phone,
pictured at right (Apple's large
handed model was not available), is compact and reasonably light; it
looks very different from other cell phones. The hardware seems to be
working fairly well at this point, but the software is lagging, which is
likely to delay the consumer launch, currently slated for October.
This device is the first to run the OpenMoko software platform. Because it is the first, it is being called the "OpenMoko phone," but
the company, OpenMoko, Inc., is clearly hoping to have other manufacturers
use the software platform on their own hardware. Their business model is quite
different from most in the consumer electronics world as they are very open
about their hardware specs as well as their product roadmap. An unlocked
phone running free software is obviously their goal; no doubt they would
like theirs to be successful, but they are doing everything they can to see
that the overall goal is reached.
The Neo hardware is fairly powerful: a 266MHz ARM processor with 128M of
RAM and 64M of flash for running Linux and the applications. For
additional storage, it has a Micro SD slot, tucked underneath the
Subscriber Identity Module (SIM) slot; both live underneath the standard
Nokia battery. The back plate is rather easy to remove to get to the
battery compartment, though it seems unlikely to pop open unexpectedly; the
hardware design seems quite well thought out.
There are several connectivity options, starting with the quad-band GSM
radio, which allows it to use cellular networks throughout most of the
world. The radio also supports General Packet Radio Service (GPRS) for
(slow) data connections, as long as the carrier and contract support it.
Bluetooth 2.0 and USB 1.1 round out the communications choices. The
development hardware comes with no charger; USB from a host provides the
battery recharging.
There is a GPS receiver in the phone, unfortunately one with a
closed-source driver that is not distributed with the phone. There are efforts
underway to reverse-engineer the binary driver and produce a free
alternative. Once that is done, GPS applications can be written to take
advantage of the device.
The touchscreen display is a sharp, 2.8-inch diagonal active matrix at
480x640 resolution which is reasonably easy to see in full sunlight (as
long as you tilt it out of the glare). The Neo comes with a combination
pen, mini-flashlight and laser pointer to be used as the stylus, which is a
useful combination, though
leaving ink behind on the screen seems a bit worrisome. There are only two
buttons on the phone, one for power and one auxiliary (AUX), both flush
with the case to prevent accidental button hits.
Software is going to make or break any phone project and OpenMoko seems a
bit behind in that area. They just announced a complete overhaul of
the user interface to be easier to use with fingers, rather than a stylus,
and to incorporate what has been learned while using the real Neo
hardware. Much of the software was written using emulators; what is easy
on a monitor with a mouse is not necessarily so easy on a touchscreen using
fingers, particularly when the screen is recessed, making the edges harder
to use. The older startup screen is shown on the left, the newer to
the right.
Some of the major applications (dialer, contacts, calendar, etc.) have been
ported to the new interface (called 2007.2), but there is still a lot of
work to do. Both old and new interfaces suffered from poor response and
some application and UI crashes. The applications themselves are very
rudimentary, probably too simple for what cell phone users expect, but they
are a good start.
Actually connecting and registering with a cellular network was a manual
process in the most recent build. Once some fiddling was out of the way,
though, the phone could make and receive calls. Audio quality was mediocre
and there seems to be some kind of echo cancellation problem for the audio
at the other end. Those kinds of problems need to be high on the
developers' priority list; without rock-solid basic phone functionality,
consumers will be uninterested.
For a Linux user, it is unarguably cool to be able to ssh into
your phone and poke around in the guts of the system. By using USB
networking, a simple ifconfig on the host allows connections to
the phone. Logging in as root puts you into a shell with BusyBox installed for many of the
standard Linux utilities. By configuring the host as a gateway, the phone
can access the internet (presumably via GPRS as well). This allows the use
of ipkg to update the
phone software in the same way that apt-get and friends are used.
There is also a terminal application, shown at right, which provides a root
prompt on the screen, though making it
bring up an on-screen keyboard was not obvious.
This phone clearly has a lot of potential, but it also has a long way to go
to reach the polish that the iPhone is rumored to have. Its strongest
feature, though, that it is not tied to any particular carrier, might be
enough to carry it in the early going. In addition, carriers will not be
able to lock out "foreign" ringtones or only allow their games and
applications to be installed. OpenMoko, both the company and the software,
are truly trying to live up to their
Matrix-inspired slogan: "Free your phone".
Hopefully, the OpenMoko company has
the resources to carry it through for a while, until the software catches
up with the hardware. If not, though, the software is free; some other
company could pick up where they left off. That would be unfortunate, as we
look forward to following the development closely; we don't want to wait
another year or more for a free (as in freedom) phone. We will keep you
updated as things progress.
Page editor: Jonathan Corbet
Security
Storm worm gains strength
By Jake Edge
August 29, 2007
Spam rates are rising, rapidly, with a lot of the blame being placed on the
"storm worm." The
worm is targeted at PCs, to build an enormous botnet for purposes
that can only be speculated upon. Estimates of the size of the
botnet vary, but it is probably fair to say that millions of machines are
infected. Interestingly, the techniques used to propagate the worm are
evolving and some defense mechanisms are emerging.
The storm worm has been with us since January; its name stems from the
subject of the earliest emails that propagated it, and it has attacked in
multiple waves of spam since then. It uses the simplest of all infection
techniques: tricking recipients into running a program. Those programs,
which, from all reports, only run on Windows, then install various kinds of
malware, including programs to connect the machine to a massive botnet.
At its root, the storm worm uses various "social engineering" tactics to
convince people to either open an executable in the email or to visit a
website and download software from there. Several different messages have
been tried recently, electronic greeting cards, welcome messages from
various "groups" (Wine Lovers, Poker Players, etc.) and the most recent,
that claims to be a pointer to a YouTube video that shows you or your
family. These messages have been pumped out at enormous rates by the
botnet as it tries to grow bigger.
Some defensive
behavior has been noted as well. When infected machines are scanned
for vulnerabilities or malware, they sometimes react by calling in a
distributed denial-of-service (DDoS) attack on the scanning machine.
The main concern is for academic networks that sit directly on the
internet; machines behind firewalls are generally protected, unless a
significant part of the botnet also lives there.
These evolving tactics and defensive measures are not being implemented
for fun; the botnet herders probably have a plan for using such a huge
botnet, and the only question is: for what? The most likely explanation is for
DDoS attacks on targeted sites, quite possibly to get paid to
stop, which is also known as extortion. They presumably also get paid to send spam
– other than that used to increase their size – but extorting
money from sites that depend on traffic is probably much more lucrative.
Unlike other botnets, storm's does not rely on a single central server that
can be shut down, destroying the botnet. Instead it uses peer-to-peer
technology, distributing its command and control infrastructure throughout
the network, making it much more difficult to combat. That coupled with
the furious spamming and defensive responses makes this the most robust
botnet we have seen yet.
While this particular attack does not appear to affect Linux users
directly, we should not be resting on our laurels. Linux users likely have
a higher clue level, overall, than Windows users, but that level is
dropping. As Ubuntu and other desktop, newbie-oriented distributions gain
ground, the average computer literacy of the Linux community drops. There
is no defense, other than educating users, against folks who download
random things and run them on their computer. If the storm botnet herders
decide they need even more machines for their plan for total world
domination, they might just turn to Linux.
New vulnerabilities
bugzilla: several vulnerabilities
Package(s): bugzilla
CVE #(s): (none listed)
Created: August 28, 2007
Updated: August 29, 2007
Description: This Bugzilla security advisory covers several vulnerabilities in Bugzilla 2.20.4, 2.22.2, and 3.0.
Alerts:
id3lib: insecure tmpfile creation
Package(s): id3lib
CVE #(s): CVE-2007-4460
Created: August 27, 2007
Updated: October 2, 2007
Description: The RenderV2ToFile function in tag_file.cpp in id3lib (aka libid3) 3.8.3 allows local users to overwrite arbitrary files via a symlink attack on a temporary file whose name is constructed from the name of a file being tagged.
Alerts:
opera: multiple vulnerabilities
Package(s): opera
CVE #(s): CVE-2007-4367, CVE-2007-3929, CVE-2007-3142, CVE-2007-3819
Created: August 23, 2007
Updated: February 27, 2008
Description: The Opera browser has multiple vulnerabilities. The JavaScript engine can be made to perform a virtual function call through an invalid pointer by specially crafted JavaScript. A freed pointer in the BitTorrent support may be accessed, which can lead to execution of malicious code. The browser is vulnerable to several memory read protection errors. There are also URI display errors that can be used to trick users into visiting arbitrary web sites.
Alerts:
pam_ssh: authentication restriction bypass
Package(s): pam_ssh
CVE #(s): CVE-2007-0844
Created: August 27, 2007
Updated: August 29, 2007
Description: The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the allow_blank_passphrase option is disabled, allows remote attackers to bypass authentication restrictions and use private encryption keys requiring a blank passphrase by entering a non-blank passphrase.
Alerts:
po4a: information leak
Package(s): po4a
CVE #(s): CVE-2007-4462
Created: August 27, 2007
Updated: September 14, 2007
Description: This update fixes a potential security problem (information leak) due to the use of a predictable file name in /tmp.
Alerts:
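The id3lib entry above (a scratch file named after the file being tagged) and this po4a entry (a predictable name in /tmp) are the same bug: a local attacker who can guess the scratch name plants a symlink there first, and the program's write follows the link to a file of the attacker's choosing. What follows is an added example, not code from id3lib, po4a or the LWN entries. It runs in a fresh temporary directory, plants the symlink, shows the naive writer clobbering the link's target, and then shows the two fixes a practitioner reaches for: exclusive creation with O_EXCL|O_NOFOLLOW, and an unpredictable name in the target's own directory followed by an atomic rename. The file names and contents are constructed for the demonstration.

```python
"""Added example, not code from id3lib or po4a: the symlink attack both
entries describe, run against files in a fresh temporary directory, next
to two ways of closing it.  File names here are constructed for the demo."""
import os
import secrets
import tempfile

# O_EXCL: fail if anything already exists at the name, symlink included.
# O_NOFOLLOW (where the OS has it): never follow a symlink in the final
# component even when O_EXCL is not used.
EXCL_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)


def vulnerable_write(path, data):
    """The id3lib pattern: the scratch name is derived from the file being
    tagged (po4a's variant is simply a predictable name in /tmp).  open()
    follows a planted symlink, the write lands on the link's target, and the
    rename afterwards merely moves the symlink into place."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)


def exclusive_write(path, data):
    """Same guessable name, but exclusive creation: if the attacker got there
    first, os.open fails with EEXIST instead of following the link."""
    tmp = path + ".tmp"
    with os.fdopen(os.open(tmp, EXCL_FLAGS, 0o600), "wb") as f:
        f.write(data)
    os.replace(tmp, path)


def safe_write(path, data):
    """Unpredictable name in the target's own directory (so the final rename
    stays on one filesystem), exclusive create, then atomic rename.  This is
    what tempfile.mkstemp(dir=...) does, spelled out."""
    directory = os.path.dirname(path) or "."
    while True:
        tmp = os.path.join(directory, ".tmp-" + secrets.token_hex(8))
        try:
            fd = os.open(tmp, EXCL_FLAGS, 0o600)
            break
        except FileExistsError:
            continue        # collision or a planted entry: pick another name
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def run_demo():
    """For each writer: fresh victim file, attacker plants a symlink at the
    guessable scratch name, writer runs.  Returns what became of the victim."""
    work = tempfile.mkdtemp(prefix="symlink-demo-")
    results = {}
    for label, writer in (("vulnerable", vulnerable_write),
                          ("exclusive", exclusive_write),
                          ("safe", safe_write)):
        victim = os.path.join(work, f"{label}-victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original\n")
        tagged = os.path.join(work, f"{label}-song.mp3")
        os.symlink(victim, tagged + ".tmp")         # the attacker's move
        try:
            writer(tagged, b"tag data\n")
            outcome = "wrote"
        except FileExistsError:
            outcome = "refused"
        with open(victim, "rb") as f:
            results[label] = (outcome, f.read())
    return results
```

Calling run_demo() returns one tuple per writer: the vulnerable one reports "wrote" and the victim now holds the tag data, the exclusive one reports "refused" with the victim intact, and the random-name one reports "wrote" with the victim intact because the planted name was never used. Of the two fixes, the unpredictable name is the one to prefer; O_EXCL on a guessable name stops the overwrite but still lets an attacker deny service by keeping the name occupied.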
star: directory traversal vulnerability
Package(s): star
CVE #(s): CVE-2007-4134
Created: August 28, 2007
Updated: October 23, 2007
Description: Star saves many files together into a single tape or disk archive, and can restore individual files from the archive. Star supports ACLs. Version 1.5a84 fixes a directory traversal vulnerability.
Alerts:
sylpheed: format string vulnerability
Package(s): sylpheed
CVE #(s): CVE-2007-2958
Created: August 28, 2007
Updated: October 26, 2007
Description: Ulf Harnhammar (Secunia Research) has discovered a format string vulnerability in sylpheed and claws-mail, in the inc_put_error() function in src/inc.c, when displaying a POP3 error reply. The problem can be exploited by a malicious POP3 server via specially crafted replies containing format specifiers. See the Secunia advisory for more information.
Alerts:
tar: symlink path traversal vulnerability
Package(s): tar
CVE #(s): CVE-2007-4131
Created: August 23, 2007
Updated: December 28, 2007
Description: The tar utility has a symlink path traversal vulnerability involving extracted archives. Maliciously created tar archives can be used to write arbitrary data to files that the tar user has write access to.
Alerts:
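The star entry above and this tar entry are the same class of bug: an archive whose member names or link targets lead the extractor outside the directory it was told to unpack into. The following is an added example, not code from GNU tar, star or the LWN entries. It builds a constructed archive in memory with the escaping paths such an attack uses (an absolute name, a dot-dot name, a symlink whose target climbs out via the slash-slash-dot-dot form that the published CVE-2007-4131 description mentions, and a hard link to a file outside the tree), a lexical audit that flags those members, and an extractor that refuses a flagged archive and also re-resolves each parent directory on disk before writing, which is the only way to catch a symlink that was already present in the destination.

```python
"""Added example, not code from GNU tar, star or the LWN entries: an
in-memory tar archive that tries to escape the extraction directory, a
lexical audit that flags the offending members, and an extractor that
refuses flagged archives and re-checks the resolved parent before every
write.  All archive contents and names below are constructed samples."""
import io
import os
import tarfile
import tempfile


def _add_file(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _add_link(tar, name, target, kind):
    info = tarfile.TarInfo(name)
    info.type = kind            # tarfile.SYMTYPE or tarfile.LNKTYPE
    info.linkname = target
    tar.addfile(info)


def build_benign_archive():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "docs/README", b"benign\n")
        _add_link(tar, "docs/latest", "README", tarfile.SYMTYPE)
    return buf.getvalue()


def build_malicious_archive():
    """'cfg' -> 'etc//../../outside' is the slash-slash-dot-dot form; a naive
    startswith('../') test misses it, and 'cfg/payload' then goes through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "README", b"benign\n")
        _add_file(tar, "/etc/passwd.bak", b"owned\n")
        _add_file(tar, "../escape.txt", b"owned\n")
        _add_link(tar, "cfg", "etc//../../outside", tarfile.SYMTYPE)
        _add_file(tar, "cfg/payload", b"owned\n")
        _add_link(tar, "hl", "../../etc/shadow", tarfile.LNKTYPE)
    return buf.getvalue()


def _escapes(path):
    """Absolute, or climbs above '.' once normalised ('etc//../../x' -> '../x')."""
    return os.path.isabs(path) or os.path.normpath(path).split("/")[0] == ".."


def _reason(member):
    if _escapes(member.name):
        return "path escapes destination"
    if member.issym() or member.islnk():
        # symlink targets are relative to the link's directory; hard link
        # targets are relative to the archive root
        base = os.path.dirname(member.name) if member.issym() else ""
        if _escapes(os.path.join(base, member.linkname)):
            return "link target escapes destination"
    return None


def audit_archive(data):
    """[(name, reason)] for every member a safe extractor must refuse."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        verdicts = [(m.name, _reason(m)) for m in tar]
    return [(name, why) for name, why in verdicts if why]


def safe_extract(data, dest):
    """Refuse the whole archive if the audit flags anything; otherwise extract
    files, directories and symlinks, checking before each write that the
    parent directory, as resolved on disk, is still inside dest."""
    bad = audit_archive(data)
    if bad:
        raise ValueError("; ".join(f"{n}: {why}" for n, why in bad))
    dest = os.path.realpath(dest)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar:
            target = os.path.join(dest, os.path.normpath(m.name))
            parent = os.path.dirname(target)
            os.makedirs(parent, exist_ok=True)
            if os.path.commonpath([dest, os.path.realpath(parent)]) != dest:
                raise ValueError(f"{m.name}: parent resolves outside dest")
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.issym():
                os.symlink(m.linkname, target)      # fails rather than clobbers
            elif m.isreg():
                with os.fdopen(os.open(target, flags, 0o644), "wb") as f:
                    f.write(tar.extractfile(m).read())
            # hard links, devices and other member types are skipped on purpose


def run_demo():
    """Run both archives against fresh temporary directories."""
    dest = tempfile.mkdtemp(prefix="safe-tar-")
    safe_extract(build_benign_archive(), dest)
    with open(os.path.join(dest, "docs", "latest"), "rb") as f:
        via_link = f.read()
    try:
        safe_extract(build_malicious_archive(), tempfile.mkdtemp(prefix="safe-tar-"))
        refused = False
    except ValueError:
        refused = True
    flagged = [name for name, _ in audit_archive(build_malicious_archive())]
    return {"flagged": flagged, "benign_via_symlink": via_link,
            "malicious_refused": refused}
```

run_demo() extracts the benign archive (its in-tree symlink is kept and readable), reports the four members of the malicious archive that the audit flags, and confirms the malicious archive is refused outright. The lexical audit alone is not enough: it cannot see a symlink that an earlier run, or another user, already placed in the destination, which is why safe_extract re-resolves the parent with os.path.realpath before every write.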
wordpress: cross-site scripting
Package(s): wordpress
CVE #(s): CVE-2007-4139
Created: August 29, 2007
Updated: August 29, 2007
Description: Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php.
Alerts:
xterm: local user unauthorized access
Package(s): xterm
CVE #(s): CVE-2007-2797
Created: August 27, 2007
Updated: November 15, 2007
Description: Previous versions of the xterm package assigned incorrect ownership and write permissions to pseudo-terminal devices, permitting local users to direct output to other users' xterm sessions.
Alerts:
Updated vulnerabilities
apache2: information disclosure
Package(s): apache
CVE #(s): CVE-2007-1862
Created: June 20, 2007
Updated: February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
apache: multiple vulnerabilities
Package(s): apache
CVE #(s): CVE-2007-3304, CVE-2006-5752
Created: June 27, 2007
Updated: February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)
Alerts:
apache: cross-site scripting
Package(s): apache
CVE #(s): CVE-2006-3918
Created: August 9, 2006
Updated: April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
Asterisk: two SIP denial of service vulnerabilities
Package(s): Asterisk
CVE #(s): CVE-2007-1561, CVE-2007-1594
Created: April 3, 2007
Updated: August 27, 2007
Description: The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code.
Alerts:
avahi: denial of service
Package(s): avahi
CVE #(s): CVE-2007-3372
Created: June 28, 2007
Updated: September 18, 2007
Description: Avahi is vulnerable to a local denial of service that can be caused by making an erroneous call to the assert() function.
Alerts:
bochs: buffer overflow
Package(s): bochs
CVE #(s): CVE-2007-2893
Created: July 20, 2007
Updated: November 19, 2007
Description: A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow."
Alerts:
bugzilla: multiple vulnerabilities
Package(s): bugzilla
CVE #(s): CVE-2006-5453, CVE-2006-5454, CVE-2006-5455
Created: November 10, 2006
Updated: August 28, 2007
Description: Bugzilla has the following vulnerabilities. Input data passed to various fields is not properly sanitized before being passed back to users. Users can gain unauthorized access to read attachment descriptions while using diff mode. HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification. Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.
Alerts:
centericq: buffer overflows
Package(s): centericq
CVE #(s): CVE-2007-3713
Created: July 20, 2007
Updated: December 17, 2007
Description: Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160.
Alerts:
clamav: denial of service
Package(s): clamav
CVE #(s): CVE-2007-3725
Created: July 24, 2007
Updated: February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via specially crafted RAR archives.
Alerts:
cups: denial of service
Package(s): cups
CVE #(s): CVE-2007-0720
Created: March 26, 2007
Updated: February 7, 2008
Description: Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service.
Alerts:
gpdf: integer overflow
Package(s): cups poppler xpdf
CVE #(s): CVE-2007-3387
Created: July 31, 2007
Updated: November 28, 2007
Description: The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more.
Alerts:
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
Package(s): cyrus-sasl
CVE #(s): CVE-2006-1721
Created: April 21, 2006
Updated: September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Comments (none posted)
dovecot: privilege escalation
Package(s): dovecot
CVE #(s): CVE-2007-4211
Created: August 15, 2007
Updated: May 21, 2008
Description:
From the rPath advisory: "Previous versions of the dovecot package are
vulnerable to a minor privilege escalation attack in which an authenticated
user may exploit an ACL plugin weakness to save message flags without
having proper permissions."

dovecot: directory traversal
Package(s): dovecot
CVE #(s): CVE-2007-2231
Created: May 8, 2007
Updated: May 21, 2008
Description:
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name.

emacs21: denial of service
Package(s): emacs21
CVE #(s): CVE-2007-2833
Created: June 21, 2007
Updated: August 29, 2007
Description:
The emacs21 editor has a denial of service vulnerability.
emacs21 can be made to crash by viewing "certain types of images".

evolution: format string error
Package(s): evolution
CVE #(s): CVE-2007-1002
Created: March 27, 2007
Updated: February 27, 2008
Description:
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers.

evolution-data-server: malicious server arbitrary code execution
Package(s): evolution-data-server
CVE #(s): CVE-2007-3257
Created: June 18, 2007
Updated: November 7, 2007
Description:
From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP
code (camel-imap-folder.c) is converted from a string using strtol. This
allows for negative values. The imap_rescan uses this value as an int. It
checks for !seq and seq>summary.length. It doesn't check for seq < 0,
although seq is used as the index of an array."

file: integer overflow
Package(s): file
CVE #(s): CVE-2007-2799
Created: June 1, 2007
Updated: October 19, 2007
Description:
Colin Percival from FreeBSD reported that the previous fix for the
file_printf() buffer overflow introduced a new integer overflow. A remote
attacker could entice a user to run the file program on an overly large
file (more than 1Gb) that would trigger an integer overflow on 32-bit
systems, possibly leading to the execution of arbitrary code with the
rights of the user running file.

firebird: buffer overflow
Package(s): firebird
CVE #(s): CVE-2007-3181
Created: July 2, 2007
Updated: March 27, 2008
Description:
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user.

firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2007-3844, CVE-2007-3845
Created: August 1, 2007
Updated: February 20, 2008
Description:
A flaw was discovered in handling of "about:blank" windows used by
addons. A malicious web site could exploit this to modify the contents,
or steal confidential data (such as passwords), of other web pages.
(CVE-2007-3844)
Jesper Johansson discovered that spaces and double-quotes were
not correctly handled when launching external programs. In rare
configurations, after tricking a user into opening a malicious web page,
an attacker could execute helpers with arbitrary arguments with the
user's privileges. (CVE-2007-3845)

firefox: multiple vulnerabilities
Package(s): firefox mozilla seamonkey thunderbird
CVE #(s): CVE-2007-1362, CVE-2007-2867, CVE-2007-2868, CVE-2007-2869,
CVE-2007-2870, CVE-2007-2871
Created: June 4, 2007
Updated: August 29, 2007
Description:
Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-2867,
CVE-2007-2868)
A flaw was discovered in the form autocomplete feature. By tricking a user
into opening a malicious web page, an attacker could cause a persistent
denial of service. (CVE-2007-2869)
Nicolas Derouet discovered flaws in cookie handling. By tricking a user
into opening a malicious web page, an attacker could force the browser to
consume large quantities of disk or memory while processing long cookie
paths. (CVE-2007-1362)
A flaw was discovered in the same-origin policy handling of the
addEventListener JavaScript method. A malicious web site could exploit
this to modify the contents, or steal confidential data (such as
passwords), of other web pages. (CVE-2007-2870)
Chris Thomas discovered a flaw in XUL popups. A malicious web site
could exploit this to spoof or obscure portions of the browser UI,
such as the location bar. (CVE-2007-2871)

firefox, thunderbird, seamonkey: multiple vulnerabilities
Package(s): firefox, thunderbird, seamonkey
CVE #(s): CVE-2007-3738, CVE-2007-3656, CVE-2007-3670, CVE-2007-3285,
CVE-2007-3737, CVE-2007-3089, CVE-2007-3736, CVE-2007-3734, CVE-2007-3735
Created: July 18, 2007
Updated: May 12, 2008
Description:
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents. It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute their own code or display their own content with the URL bar and
SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system, potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler, allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases, Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
showed evidence of memory corruption under certain circumstances, and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

flac123: arbitrary code execution
Package(s): flac123
CVE #(s): CVE-2007-3507
Created: July 13, 2007
Updated: October 22, 2007
Description:
A stack-based buffer overflow in the local__vcentry_parse_value function in
vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows
user-assisted remote attackers to execute arbitrary code via a large
comment value_length.

freetype: integer overflows
Package(s): freetype
CVE #(s): CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661,
CVE-2006-3467
Created: June 8, 2006
Updated: October 10, 2007
Description:
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.

gcc: file overwrite vulnerability
Package(s): gcc
CVE #(s): CVE-2006-3619
Created: September 6, 2006
Updated: March 14, 2008
Description:
The fastjar utility found in the GNU compiler collection does not perform
adequate file path checking, allowing the creation or overwriting of files
outside of the current directory tree.

gd: buffer overflow
Package(s): gd
CVE #(s): CVE-2007-0455
Created: February 7, 2007
Updated: February 28, 2008
Description:
The gd graphics library contains a buffer overflow which could enable a
remote attacker to execute arbitrary code. Note that various other packages
include code from gd and could also be vulnerable.

gd: multiple vulnerabilities
Package(s): gd
CVE #(s): CVE-2007-3472, CVE-2007-3473, CVE-2007-3474, CVE-2007-3475,
CVE-2007-3476, CVE-2007-3477, CVE-2007-3478
Created: August 6, 2007
Updated: July 22, 2008
Description:
Integer overflow in the gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers to
have an unspecified impact via unspecified vectors. (CVE-2007-3472)
The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a denial
of service (crash) via unspecified vectors involving a gdImageCreate
failure. (CVE-2007-3473)
Multiple unspecified vulnerabilities in the GIF reader in the
GD Graphics Library (libgd) before 2.0.35 allow user-assisted
remote attackers to have an unspecified impact via unspecified
vectors. (CVE-2007-3474)
The GD Graphics Library (libgd) before 2.0.35 allows user-assisted
remote attackers to cause a denial of service (crash) via a GIF image
that has no global color map. (CVE-2007-3475)
Array index error in gd_gif_in.c in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause
a denial of service (crash and heap corruption) via large color
index values in crafted image data, which results in a segmentation
fault. (CVE-2007-3476)
The (a) imagearc and (b) imagefilledarc functions in the GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial
of service (CPU consumption) via a large (1) start or (2) end angle
degree value. (CVE-2007-3477)
Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the
GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote
attackers to cause a denial of service (crash) via unspecified vectors,
possibly involving TrueType font (TTF) support. (CVE-2007-3478)