LinuxConf.eu wrapup
By Jonathan Corbet
September 12, 2007
The very first LinuxConf Europe
event was held in Cambridge, UK, in the first week of September. This
conference is the result of a cooperation between the UK Unix User Group and the German Unix User Group; it is, in a sense, a
combination of the UKUUG and Linux-Kongress events held in previous years.
Talks by Dirk Hohndel and Michael Kerrisk were published
last week. Here is a summary of some other LCE events.
Power management remains the focus of a great deal of attention. Arjan van
de Ven started off a set of power-related talks with an overview of where
the problems are. His biggest point is that software is a critical part of
the power consumption picture; contemporary hardware provides a number of
power-saving features, but software has a tendency to defeat them. Many of
the ways in which this happens have been covered here before, so there is
no need to repeat them. The core lesson here is that transitions between
power states are expensive, so it is important that hardware components,
once put into a power-saving state, be allowed to stay there for some time.
In the case of the CPU, idle periods of 20ms to 50ms are needed for
effective power savings. Past kernels have rather defeated that goal,
though, by receiving a clock interrupt every 1-10ms. The dynamic tick
patches have finally fixed that problem, making it possible for longer
sleeps to happen. But then user space comes along and ruins things. Since
the advent of PowerTop, though,
improvements have been coming quickly. Many distributions now consume at
least 30% less power in typical laptop use.
Things may be getting better, but Matthew Garrett started the following
session by noting that Linux still sucks - at least, it sucks power. This
is a problem, he says, because getting half the battery lifetime as Windows
on the same hardware is really embarrassing. Systems
are still waking up far too much; the problems exist in both kernel and
user space.
On the kernel side, the usual culprits - device drivers - are a big part of
the problem. There are quite a few drivers which poll their hardware -
sometimes up to 100 times every second. In some cases this cannot be
avoided; the hardware may be broken in a way which requires this kind of
polling. But in other cases the polling can be made smarter - such as
turning it off when the device is not in use. There is still work to be
done in this area.
User-space applications remain a problem. People tracking down wakeups
often blame the X server, but the real trouble is usually the applications
which are causing X to wake up. There is a tool in the works which will
identify the real source of X wakeups; this is a good thing: once problems
are identified they are usually fixed pretty quickly. Polling for vertical
retrace periods (so that the display can be updated without artifacts)
seems to be a particular problem; some API work is being done to make it
easier to avoid this polling. Evidently there are also some applications
which repeatedly ask the server if a particular extension is available;
since the set of extensions does not change while the server is running,
there is little point in doing this.
There are some interesting things which can be done to better use the
power-saving features of the hardware. For example, some framebuffers can
compress the video data into a dedicated memory area, then drive the video
from the compressed data. This technique reduces video memory bandwidth,
saving power (up to half a watt) in the process. An interesting
consequence is that the amount of power saved is dependent on how well the
screen's contents compress - a user's choice of background wallpaper will
affect their power usage.
Finally, there is a lot to be gained if device drivers can communicate more
information to user space, making polling unnecessary. Applications which
poll for changes to the audio volume are an example here; if the sound
system simply told them that the volume had been adjusted, they could
update their displays and go back to sleep.
Jörn Engel gave a talk on the death of hard disks. His core point is
that flash-based storage is faster, requires less power, makes less noise,
and is more robust than rotating storage. It is also more expensive, for
now, but flash is getting cheaper much more quickly. Jörn projects
that flash-based drives will become more economical than hard drives
between 2012 and 2019, depending on which drives one looks at.
Flash makes life easier in a number of ways; the lack of seek delays, for
example, means that much of the trouble the kernel goes to in scheduling of
block I/O operations can be eliminated. On the other hand, flash has
challenges of its own: it is not quite the random-access array of blocks
that one would like. In particular, writing to flash requires dealing with
wear-leveling issues, erase operations, and more.
Manufacturers have done their best to paper over these issues through the
use of translation layers which make a flash array look like a simple disk
drive. These layers make it easier to use flash with existing software,
but there are problems: performance is not always what one would like, and
there can be hidden caches which delay the persistent storage of data. So
Jörn has a request to the flash manufacturers: give us direct access
to the flash array, without translation layers, and let us figure out how
to best support it.
Chris Mason is not waiting for flash to take over; instead, he is working
on the next-generation Linux filesystem for rotating disks. The result, Btrfs, was the subject of
Chris's talk at LCE. LWN covered
Btrfs last June.
Chris's motivation is the fact that disks are, for all practical purposes,
getting slower - the time required to read an entire disk is growing. Most
systems still store large numbers of small files, leading to a lot of
wasted space. Btrfs tries to address these issues and provide a number of
interesting features as well. It is extent-based, resulting in more
efficient storage of larger files. Small files are packed into the
filesystem tree itself, eliminating the internal fragmentation experienced
by a number of other filesystems. It has indexed directories, data and
metadata checksums, efficient snapshots, sequence numbers in objects
(facilitating quick and easy incremental backups), an online filesystem
checker in the works, and more.
The directories are actually indexed twice. One index is there for fast
filename lookup; the other lets the readdir() system call return files in
inode-number order, speeding filesystem traversals.
Extended attributes are stored as directory entries. Every file has a
backpointer to its containing directory - and, yes, multiply-linked files
have backpointers to all of the directories in which they are found.
Perhaps the most fun part of the talk was the plots Chris has generated
from various benchmark runs. The limiting factor on filesystem performance
is generally disk seeks; it is important to minimize disk head movement.
In general, ext3 tends to move the disk head all over the platter during
benchmark runs while Btrfs and XFS do better. Chris noted that better
writeback clustering in the virtual memory subsystem would help ext3.
More benchmark plots (some animated) can be found in the Btrfs
benchmark and Seekwatcher pages.
Toward the end, Chris was asked whether performance slows down when the
disk gets full. The answer was "no" because the system crashes instead.
That's a good reminder that Btrfs remains an early-stage development; the
on-disk format has not even been finalized yet. But the production version
of Btrfs is certainly something to look forward to.
Back in 2000, the British Computer Society awarded its Lovelace Medal to
Linus Torvalds. In 2007, the society finally caught up with him to deliver
the medal - though, as speaker Dr. David Hartley noted, they probably were
almost as quick as the post office would have been. As is typically the
case, Linus seemed somewhat embarrassed by the attention.
LinuxConf Europe intends to be a conference on a truly European scale. To
that end, next year's event will likely move to Germany; the details were
not yet finalized to the point that the location could be announced at this
year's conference, though. LCE, helped by the kernel summit, has gotten
this institution off to a good start; your editor is looking forward to
next year's edition.
Comments (15 posted)
Changes ahead for Python
By Jake Edge
September 12, 2007
With its first
alpha just released, Python 3.0 (aka Python 3000 or Py3k) is
making progress, though a final release is still a year off. Py3k overhauls
the language core, removing inconsistencies and other "warts", without
maintaining compatibility with the 2.x version. Various standard Python
idioms go by the wayside and it will take some getting used to.
One of the driving forces for Py3k is to handle unicode strings in a uniform
way. In the 2.x series, unicode handling has bugs, especially when mixing
encoded and unencoded text. The Py3k solution is to separate strings,
which contain decoded text, from byte-strings, which contain binary data,
making them two distinct types, str and bytes. Those types cannot be
combined without converting one via the encode() and decode()
methods. The drawback to this change is explained in the
What's New in
Python 3.0 document:
This means that pretty much all code that
uses Unicode, encodings or binary data in any way has to change.
This also leads to a distinction that needs to be made when handling
files. Files are either binary or text files, with text files requiring an
encoding to be specified when they are opened. If the wrong type or
encoding is given, I/O to the file may fail.
One very visible change – perhaps the most controversial –
is eliminating
the print statement, moving it to a function.
The change is being made mostly for consistency, as there is no other
language statement like print, but it also adds features: one can now
specify a separator, line ending, and output file directly. There is no
need for the print >>sys.stderr, "error" syntax; instead, that becomes
print("error", file=sys.stderr).
As the "What's new" document points out:
Initially, you'll be finding yourself typing the old print x a lot in
interactive mode. Time to retrain your fingers to type print(x) instead!
Another area that has changed significantly is the dict methods.
The keys(), items(), and values() methods no longer
return lists, so code that treats them that way will fail. They now return
something called a "view" that references the dict directly,
producing values as they are needed, much like an iterator. In addition, the
has_key() boolean method has been removed; the in operator should be used
instead.
There are lots of smaller changes that will catch the unwary. Many of the
features removed have been deprecated for some time, but they may come as a
surprise to programmers who don't follow Python language development
closely. The raise statement has different syntax, integer division no
longer truncates but returns a float (with // used to get the old
behavior), xrange() has been removed, and so on. It adds up to a
substantial pile of things to deal with when moving existing code to Python 3.
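As an added example (not from the article or from the Python project), here are the changes listed above exercised on Python 3 as it eventually shipped; the helper names and the sample strings are constructed for the demonstration:

```python
# Added example (not from the article or the Python project): exercises the
# Python 3 changes described above on the language as it eventually shipped.
import io
import os
import tempfile


def mixing_str_and_bytes_fails():
    """str (decoded text) and bytes (binary data) are distinct types;
    combining them without an explicit conversion is a TypeError."""
    try:
        "Subject: " + b"hello"
    except TypeError:
        return True
    return False


def roundtrip(text, encoding="utf-8"):
    """encode() and decode() are the only bridge between the two types."""
    data = text.encode(encoding)   # str -> bytes
    assert isinstance(data, bytes)
    return data.decode(encoding)   # bytes -> str


def wrong_codec_is_detected():
    """Decoding with the wrong codec fails loudly instead of producing garbage."""
    data = "caf\u00e9".encode("utf-8")   # b'caf\xc3\xa9'
    try:
        data.decode("ascii")
    except UnicodeDecodeError:
        return True
    return False


def text_vs_binary_file():
    """Text files need an encoding; binary files hand back bytes untouched."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w", encoding="utf-8", newline="") as f:
            f.write("gr\u00fc\u00dfe\n")
        with open(path, "rb") as f:
            raw = f.read()
        with open(path, "r", encoding="utf-8", newline="") as f:
            text = f.read()
        return raw, text
    finally:
        os.remove(path)


def print_to_buffer(*values):
    """print() is a function: separator, line ending and destination are
    keyword arguments, replacing the old `print >>f, x` form."""
    buf = io.StringIO()
    print(*values, sep=", ", end="!\n", file=buf)
    return buf.getvalue()


def dict_views_are_live():
    """keys()/items()/values() return views over the dict, not list copies;
    has_key() is gone, so membership uses `in`."""
    d = {"a": 1}
    keys = d.keys()
    d["b"] = 2                      # the view sees the new key
    return sorted(keys), "b" in d


def division_examples():
    """/ is true division everywhere; // gives the old floor behaviour."""
    return 7 / 2, 7 // 2, -7 // 2
```

The file helper is the part that bites migrated code most often: the same bytes come back as `bytes` or as `str` depending only on the mode and encoding given to open(), and a wrong codec raises rather than silently corrupting text.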
The migration from 2.x is being assisted by the development of Python
2.6, which is slated for release in April 2008. It will provide a Py3k
warnings mode that complains at runtime when a feature is being used in a
way that is incompatible. It will also have many of the new features enabled,
either as __future__ imports or just added into the language if it
doesn't conflict with 2.x syntax. The 2to3 tool is also being
developed to translate 2.6 constructs into their 3.0 equivalents. The
Python Enhancement Proposal (PEP) governing the Py3k plan (PEP 3000) gives an overview of how code
can be maintained to run on both 2.6 and 3.0. It sounds somewhat painful,
but incompatible language changes are never easy.
There is still plenty of work to be done; the final release of 3.0 is
currently scheduled for August 2008. One of the bigger remaining chunks is
a reorganization of the standard library namespace.
PEP 3108 lays out the
changes to be made, including removing older, unsupported, or rarely used
modules, renaming modules to conform to the naming standard, merging the C
and Python implementations of modules (e.g. cPickle goes away and is
replaced with pickle). It cleans up what had become a bit of a mess
over time.
All of these changes have not come about without some objections, both
from those who think another incompatible "upgrade" is not warranted to
those who think Py3k
doesn't go far enough. One area that is not being changed, but is a source of frustration for some,
is the "global interpreter lock" (GIL), which only allows one thread at a
time to operate on any Python objects or call out to C language extensions.
Especially with the advent of multi-core and multi-CPU systems, the lock is
very restrictive, serializing most of the core language processing.
Guido van Rossum, Benevolent Dictator for Life (BDFL) of the Python
language, has been very open about addressing these concerns on his All Things
Pythonic weblog. That doesn't mean he plans to change things,
especially with regards to the GIL, but he puts together a well
reasoned defense, mostly concerning the performance of the language
with finer-grained locks. He is clearly not much of a fan of
multi-threaded programming with its attendant race conditions, deadlocks,
and other issues, but he is not opposed to efforts to remove the GIL
either. As he points out, it is not inherent in the Python language but
is an attribute of the current language implementation; other
implementations (Jython, IronPython) do not have the GIL.
There are fundamental changes in Python 3; it will be interesting to see
how quickly it is adopted after being released. People learning Python
won't need to learn Py3k for another two years or so, according to van
Rossum, and should, instead, concentrate on 2.x (which means 2.5 until April).
The unicode handling rework will probably be enough to get the increasing
number of localized programs updated, but the rest of the changes are not
terribly compelling. It is likely that there will be Python 2.x programs
around for a long time to come.
Comments (11 posted)
Fedora reaching out to new niches
By Jake Edge
September 12, 2007
Purpose-built Fedora distributions, called "spins", are a recent
addition to the Fedora community in an attempt to reach additional users. The
idea is to use tools like Revisor to create a custom
collection of software that works well together for a particular set of
tasks. This collection can then be installed or run from a live CD,
providing an easy means to have the right collection of tools immediately,
rather than after a lengthy yum install pass.
The concept itself is not new; there are many distributions targeted at a
particular subset of users. Typically, other popular distributions (Debian
and Ubuntu in particular) have been used as the basis for them. The Fedora
project is embracing the idea, pulling together a list of the spins and
elevating at least two to the status of "official spins". The idea is to
appeal to those who don't want to be bothered with tracking down,
installing, and configuring the tools needed for their task; instead it is
all packaged for them.
Starting with Fedora 7, two official releases of the distribution are
available, one for each of the dominant desktops. For Fedora 8, there will
also be a developer
spin, which has the explicit goal of attracting more Fedora
developers. It will include Eclipse, perhaps other integrated development
environments (IDEs), gcc and friends, emacs, SystemTap,
and other developer tools. Other ideas, such as a working Xen virtual
machine and targeting web developers, have been discussed as well.
The other official spin for Fedora 8 is the Fedora
Electronic Lab (FEL). This project pulls together the tools for
electronic design and configures them to work well together. A wide variety
of software for circuit simulation, hardware development in VHDL and
Verilog, Very Large Scale Integration (VLSI) design, and embedded systems
development are included. Universities are high on the list of target
audiences, with the FEL website claiming 250 universities already using
Fedora; attracting more is one of the goals.
Several other spins are being worked on as well, not "officially", but
there does seem to be some serious work going into them. The Security
LiveCD is a Fedora 7 based spin for security auditing and testing. It
contains all of the tools that an administrator or security researcher
might need to do forensic analysis of a rooted machine, check a network for
vulnerable hosts, or do penetration testing. Since it can be booted
directly from a read-only device, risks of infection from any malware are
eliminated. Any machine can be quickly turned into a security workstation
by using a distribution like this.
Another ambitious project is the Fedora
Art Studio. This spin not only collects the tools into one package, it
also pulls in content likely to be useful to artists, desktop publishers,
animators, and other creative folks. There are collections of clip art,
fonts, textures, brushes, and so on, all with free licenses. There are
also tutorials included to get people up to speed on the various packages.
Plans are to include default Firefox bookmarks for useful sites as well.
Other spins are listed on the site, ranging from the Creative
Commons LiveContent spin (covered by LWN here) to a SystemTap live CD.
The Fedora wiki has various Howtos on remixing
and rebranding
Fedora, as well as using the Live CD
tools. Most people who want to build a custom spin will start by using
the Revisor GUI
tool, which provides options for installation, live or virtualization
(for Xen or KVM virtual machines) media for CDs, DVDs, USB thumb drives and
more. The project has clearly put a lot of time and effort into making it
as easy as possible to create new spins from the large repository of Fedora
software.
It remains to be seen if any of these spins become popular, but it may be a
good way to introduce new users to Fedora. It is unlikely that power users
will find a spin that covers all of what they use, but they just might find
one that serves as a good starting point. They can either customize their
own spin from there or use the usual repository tools to grab whatever
extras they need. For a distribution that, until recently, had a
reputation for not working with the community, this effort may go a long
way towards erasing that history.
Comments (2 posted)
LWN advertising update II
LWN recently tried a new (for us) form of advertising, known as
"in-text" advertising – ads that pop up from highlighted keywords in
an article. When we announced
the change, it was obvious from the comments that it was a tad
unpopular. Truth to tell, they started getting on our nerves more as
time went on; they didn't seem quite so annoying when running it on our
development systems. We have discontinued the ads; they will not be coming back.
A lot of good points were made in the comments; we appreciate the time you
took to make them. Our readers are (obviously) very important to us; your
opinions on what works and what doesn't are always carefully considered.
There were also several interesting suggestions made; we will be pondering
those as we make plans.
We do want to dispel one concern that we heard. We are not under an
imminent threat of going under. We are proceeding with
the plan we laid out in May: working on the revenue side of the business
while producing the same quality of content you have come to expect. There
will be other experiments along the way; some will fail, hopefully some
will succeed as well.
Comments (87 posted)
Page editor: Jonathan Corbet
Security
Eavesdropping on Tor traffic
By Jake Edge
September 12, 2007
A Swedish security researcher, Dan Egerstad, recently highlighted a
flaw in the way many folks are using Tor,
a tool for internet anonymity. He said that he had captured user names and
passwords for at least 1000 email accounts, posting
the details for 100 of those. Ten days after the initial disclosure,
he followed
up with information on how he captured the data.
Tor (aka The Onion Router) is a system designed to hide the source and
destination of internet traffic by routing it through a few intermediate
nodes. Software is available for most operating systems and can run in
either client or server mode. The Tor network consists of many server
nodes that can route this traffic, but it also has special nodes, called
"exit nodes" that are the endpoints for traffic within the Tor network.
Exit nodes are the ones that actually talk to the server the client was
trying to reach, thus they see any traffic exactly as it will be presented
to the destination.
A Tor client picks a random path through the network, using a directory
server to get a list of active nodes. For each hop along that path, it
negotiates a separate session key. It encrypts the packet data, along with
a destination address, once per node in the path, building up a packet with
multiple layers of encrypted information. Each layer can only be
decrypted by the proper intermediate node. Each intermediate node only
knows about its predecessor, the destination, and the key, so with more than
a few nodes, the source and ultimate destination are hidden. The exit node
peels the last layer of the onion; what it decrypts is the data bound for the
destination.
Running an exit node for Tor has some risks associated with it, as all
traffic that goes to a destination site appears to originate from the exit
node host. If the destination gets attacked by a
denial of service or other exploit, the exit node operator would seem to be
the guilty party. For this reason, Tor servers can determine whether or not they are
willing to be exit nodes. What Egerstad did was to volunteer five servers
as exit nodes and monitor the traffic that went by.
What his exit nodes saw was the traffic bound for various servers, much of
it in the clear. He collected authentication credentials for email servers
from many users; the ones he released belonged to embassy workers and members
of human rights organizations. He monitored the POP3 and IMAP protocols,
specifically looking for keywords associated with governments. By looking
at those two protocols, he was not only able to capture passwords; his exit
nodes also saw all of the email stream by as it was delivered to the users.
This should come as no real surprise; unencrypted email protocols are a
security hazard and should probably go the way of telnet and be banished
from internet usage. What is more surprising, but perhaps shouldn't be, is
that people are using Tor to retrieve their email. Tor is not supposed to
be a complete privacy solution, and it is not presented that way, but the
difference between anonymity and privacy seems to have gotten lost.
It is a near certainty that others are doing just what Egerstad did.
Governments and criminals – though it can be hard to distinguish
between the two at times – both have an interest in monitoring this
kind of traffic. Egerstad lists a number of suspicious exit nodes in the
Tor network, any or all of which could be scanning the cleartext traffic
that streams by.
In some ways, Tor is really no different from the myriad routers that
internet traffic passes through; each of those presents a point where
traffic could be intercepted. Tor is better in that regard, perhaps,
because all but the last leg (which, of course, traverses any number of
routers) are encrypted. If an encrypted protocol, SSL or an ssh
tunnel for example, were used end-to-end, Egerstad's monitoring would not
have worked. With proper certificate/key handling, no intermediate node, Tor
or router, can decrypt the traffic.
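To make the layering concrete, here is a toy model of the circuit described above, added here and not Tor's protocol or code: a throwaway XOR stream cipher (derived from SHA-256 and not secure) stands in for the per-hop session keys, and a fixed 32-byte next-hop field stands in for Tor's cell format. The path, node names and the POP3-style login are constructed. The last function shows the difference end-to-end encryption makes: an extra layer keyed only to the destination leaves the exit node holding ciphertext.

```python
# Added example, not Tor's protocol or code: a toy model of the layered
# encryption described in the article, to show what each node on a path sees.
import hashlib
import os


def _keystream(key, length):
    """Toy keystream: SHA-256(key || counter) blocks. Illustrative only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, data):
    """XOR stream cipher; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


HOP_FIELD = 32   # fixed-width next-hop field inside each layer (constructed format)


def build_onion(session_keys, next_hops, payload):
    """Wrap the payload once per node, innermost layer first. session_keys[i]
    is the key negotiated with node i; next_hops[i] is where node i forwards
    to, the last entry being the real destination."""
    packet = payload
    for key, hop in reversed(list(zip(session_keys, next_hops))):
        packet = xor_crypt(key, hop.encode().ljust(HOP_FIELD) + packet)
    return packet


def peel(key, packet):
    """One node's work: strip its layer, learn the next hop, forward the rest."""
    inner = xor_crypt(key, packet)
    return inner[:HOP_FIELD].rstrip().decode(), inner[HOP_FIELD:]


def route(session_keys, next_hops, payload):
    """Simulate the circuit and record (next_hop, data) as seen by each node."""
    packet = build_onion(session_keys, next_hops, payload)
    observed = []
    for key in session_keys:
        hop, packet = peel(key, packet)
        observed.append((hop, packet))
    return observed


def exit_node_view(payload, end_to_end_key=None):
    """What the exit node sees for a payload, with and without an extra
    end-to-end layer keyed only to the destination (the role SSL/ssh play)."""
    keys = [os.urandom(16) for _ in range(3)]            # one per hop
    hops = ["relay2", "exit", "mail.example"]             # constructed path
    if end_to_end_key is not None:
        payload = xor_crypt(end_to_end_key, payload)
    return route(keys, hops, payload)[-1]                 # (destination, data)


if __name__ == "__main__":
    login = b"USER alice\r\nPASS s3cret\r\n"              # constructed POP3 login
    print("exit sees (cleartext POP3):", exit_node_view(login))
    print("exit sees (end-to-end encrypted):", exit_node_view(login, os.urandom(16)))
```

Run with `route()`, the intermediate nodes each learn only their next hop plus an opaque blob, while the exit node's peel yields the destination and the payload exactly as the destination will receive it; only when the payload was already encrypted to the destination does the exit node's view stay opaque.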
It is a bit ironic that one would use a service meant to provide
anonymity to log in to a system using credentials that are intended to
restrict access to a particular user. It is a bit like renting a room at
the No-Tell Motel using your credit card. Presumably, the users had Tor
installed and running for other reasons and either didn't know or forgot to
turn it off when retrieving their email. Perhaps their email client
helpfully retrieves their email every few minutes without their
intervention.
It should be noted that Tor does not do anything above the protocol
level to anonymize traffic. Cookies, browser identification strings and
other information can be used to identify who is using the connection to
anyone with access to the traffic. Obviously, logging in makes that
even easier. Another known threat to anonymity using Tor, even with
end-to-end encryption, is timing analysis. If someone can monitor the
timing of the packets at the client and those at
the server, they can make a statistical correlation between the two.
Tor achieved another kind of notoriety, recently, as some of the storm worm spam started pushing
it as a solution for internet anonymity. Unfortunately, users who followed
the link landed on a fake
Tor download page. Downloading the software did not result in any
increase in their privacy; it simply installed one of the storm worm
variants. It is certainly not the publicity that Tor wanted, but it could,
perhaps, lead a few users to the real Tor. It is a dubious honor, but the
storm worm herders must believe that the Tor name has some credibility in
order to use it this way.
Tor is an excellent tool for what it does, but it certainly is not a
solution to all internet communication privacy issues. As with most
things, users need to understand what they are doing before they can gain
the benefits of Tor. By managing the higher level identifying information
correctly (perhaps by using
something like Privoxy), one
can use internet services anonymously with a reasonable level of comfort.
Using end-to-end encryption makes it that much better.
Comments (5 posted)
New vulnerabilities
eggdrop: stack-based buffer overflow
| Package(s): | eggdrop |
| CVE #(s): | CVE-2007-2807 |
| Created: | September 7, 2007 |
| Updated: | January 7, 2008 |
Description: A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message.
Comments (none posted)
gforge: missing input sanitizing
| Package(s): | gforge |
| CVE #(s): | CVE-2007-3913 |
| Created: | September 7, 2007 |
| Updated: | September 12, 2007 |
Description: Sumit I. Siddharth discovered that Gforge, a collaborative development tool, performs insufficient input sanitizing, which allows SQL injection.
Comments (none posted)
jffnms: multiple vulnerabilities
| Package(s): | jffnms |
| CVE #(s): | CVE-2007-3189, CVE-2007-3190, CVE-2007-3191, CVE-2007-3192 |
| Created: | September 12, 2007 |
| Updated: | September 12, 2007 |
Description: jffnms, a web-based network management system, suffers from a cross-site scripting vulnerability, multiple SQL injection vulnerabilities, and an authentication bypass problem.
Comments (none posted)
lighttpd: buffer overflow
| Package(s): | lighttpd |
| CVE #(s): | CVE-2007-4727 |
| Created: | September 12, 2007 |
| Updated: | October 8, 2007 |
Description: From the Fedora advisory: Lighttpd (1.4.17 and earlier) is prone to a header overflow when using the mod_fastcgi extension; this can lead to arbitrary code execution in the fastcgi application.
Comments (none posted)
openssh: inappropriate use of trusted cookies
| Package(s): | gnome-ssh-askpass openssh |
| CVE #(s): | CVE-2007-4752 |
| Created: | September 11, 2007 |
| Updated: | August 25, 2008 |
Description: OpenSSH in versions prior to 4.7 could use a trusted X11 cookie if the creation of an untrusted cookie failed.
Comments (none posted)
phpmyadmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
| CVE #(s): | CVE-2006-6942, CVE-2006-6944, CVE-2007-1325, CVE-2007-1395, CVE-2007-2245 |
| Created: | September 10, 2007 |
| Updated: | October 18, 2007 |
Description: Several remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-1325: The PMA_ArrayWalkRecursive function in libraries/common.lib.php does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions.
CVE-2007-1395: Incomplete blacklist vulnerability in index.php allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary JavaScript or HTML in a (1) db or (2) table parameter value followed by an uppercase </SCRIPT> end tag, which bypasses the protection against lowercase </script>.
CVE-2007-2245: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via (1) the fieldkey parameter to browse_foreigners.php or (2) certain input to the PMA_sanitize function.
CVE-2006-6942: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary HTML or web script via (1) a comment for a table name, as exploited through (a) db_operations.php, (2) the db parameter to (b) db_create.php, (3) the newname parameter to db_operations.php, the (4) query_history_latest, (5) query_history_latest_db, and (6) querydisplay_tab parameters to (c) querywindow.php, and (7) the pos parameter to (d) sql.php.
CVE-2006-6944: phpMyAdmin allows remote attackers to bypass Allow/Deny access rules that use IP addresses via false headers.
Comments (none posted)
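Two of the problems in the phpMyAdmin entry above are general mistakes worth seeing beside their fixes. The following is an added example, in Python rather than phpMyAdmin's PHP and not taken from the project: the case-sensitive blacklist of CVE-2007-1395 next to output encoding, and the header-trusting address lookup behind CVE-2006-6944 next to one that believes X-Forwarded-For only from proxies the operator runs. The proxy network, addresses and headers are constructed.

```python
# Added example, written in Python rather than phpMyAdmin's PHP and not taken
# from the project: the two trust mistakes behind CVE-2007-1395 and
# CVE-2006-6944, each beside the pattern that closes it.
import html
import ipaddress


def blacklist_filter(value):
    """Case-sensitive blacklist of the kind the CVE-2007-1395 text describes:
    only the lowercase closing tag is removed."""
    return value.replace("</script>", "")


def escape_for_html(value):
    """The fix is output encoding, not a longer blacklist: '<', '>', '&' and
    quotes become entities, so no tag survives in any letter case."""
    return html.escape(value, quote=True)


def reaches_page_as_script_end(rendered):
    """Check helper: does a closing script tag, in any letter case, survive?"""
    return "</script>" in rendered.lower()


# Proxies we operate; only they are allowed to vouch for a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # constructed


def client_ip_naive(peer_addr, headers):
    """Pattern behind CVE-2006-6944: an Allow/Deny rule fed from a header
    the client controls, so the rule is bypassed by sending a false one."""
    forwarded = headers.get("X-Forwarded-For")
    return forwarded.split(",")[0].strip() if forwarded else peer_addr


def client_ip_checked(peer_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies,
    and then take the last element, which is the address that proxy appended.
    Otherwise the socket address is the only thing the client cannot forge."""
    peer = ipaddress.ip_address(peer_addr)
    forwarded = headers.get("X-Forwarded-For")
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        return forwarded.split(",")[-1].strip()
    return peer_addr


def allowed(client_ip, allow_rules):
    """Evaluate an allow-list of CIDR rules against the resolved client address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(rule) for rule in allow_rules)
```

The two halves share one lesson: a filter or an access rule is only as strong as the assumption about what reaches it, so the fix is to stop caring about letter case (encode everything) and to stop reading addresses from anything but a trusted source.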
qgit: arbitrary code execution
| Package(s): | qgit |
| CVE #(s): | CVE-2007-4631 |
| Created: | September 10, 2007 |
| Updated: | October 8, 2007 |
Description: Not only does QGit construct a predictable file name here and fail to check whether the files already exist, which can be leveraged into an information leak or arbitrary file overwrite in case they're symlinks, but it later executes one of them. This is not just a problem when /tmp is mounted with the noexec option; it might be exploited into arbitrary code execution under a time-dependent race condition.
Comments (none posted)
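The qgit advisory above names three separate defects: a guessable name, no check for a pre-existing entry, and execution of the result. As an added example (not QGit's code; Linux assumed), here is how each is avoided in Python with mkstemp(), create-exclusive open() flags, and an lstat()-based check before trusting a file from a shared directory. The working directory and the planted symlink are constructed for the demonstration.

```python
# Added example (not QGit's code; Linux assumed): the temporary-file handling
# the advisory faults, shown as the calls that avoid it.
import os
import stat
import tempfile


def create_unpredictable_file(data, suffix=""):
    """mkstemp() picks a random name and opens with O_CREAT|O_EXCL and mode
    0600, so nothing pre-planted at a guessable path can be hit."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def create_exclusive(path, data):
    """When the name must be fixed: create-exclusive, never following a
    symlink. A pre-existing entry (file or link) is an error, not a target."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def safe_to_execute(path):
    """Before running a file from a shared directory: it must be a regular
    file (lstat, so a symlink fails), owned by us, and not group/world writable."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def planted_symlink_is_rejected(workdir):
    """Simulate the scenario: someone pre-creates a symlink at the name we
    intend to use; create_exclusive() must fail instead of writing through it."""
    target = os.path.join(workdir, "planted")
    victim = os.path.join(workdir, "victim")          # constructed link target
    os.symlink(victim, target)                        # dangling link, planted first
    try:
        create_exclusive(target, b"payload")
    except FileExistsError:
        return not os.path.exists(victim)             # nothing was written through
    return False
```

O_EXCL together with O_CREAT makes open() fail on an existing symlink regardless of where it points, which is what turns the "file already exists" case from an overwrite into an error; mkstemp() adds the unpredictable name on top of that.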
samba: incorrect group assignment
| Package(s): | samba |
| CVE #(s): | CVE-2007-4138 |
| Created: | September 12, 2007 |
| Updated: | November 15, 2007 |
Description: From the Samba advisory: When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call.
Comments (1 posted)
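The samba failure mode above, an absent attribute turning into gid 0, is a fail-open default. As an added example (not Winbind's code), here is a directory-to-passwd mapping in Python that refuses such records instead; the records are constructed, and the additional refusal of an explicit gidNumber of 0 is a policy choice of this example, not something the advisory prescribes.

```python
# Added example (not Winbind's code): mapping directory records to passwd
# entries while refusing records without a primary group, instead of
# defaulting the gid to 0 as the advisory describes.
class MappingError(ValueError):
    pass


def gid_weak(record):
    """Behaviour the advisory describes: a missing primary-group attribute
    silently becomes gid 0, i.e. root's group."""
    return int(record.get("gidNumber", 0))


def gid_checked(record):
    """Fail closed: no attribute, no mapping. A lookup that cannot be answered
    correctly must come back as 'no such user', not as a privileged default.
    Rejecting an explicit 0 is this example's policy choice."""
    gid = record.get("gidNumber")
    if gid is None:
        raise MappingError("%s: no RFC2307 primary group attribute" % record.get("uid"))
    gid = int(gid)
    if gid == 0:
        raise MappingError("%s: directory assigns gid 0 to a domain user" % record["uid"])
    return gid


def passwd_entries(records):
    """Build passwd-style lines; returns (accepted_lines, rejected_reasons)."""
    accepted, rejected = [], []
    for rec in records:
        try:
            gid = gid_checked(rec)
        except MappingError as e:
            rejected.append(str(e))
            continue
        accepted.append("%s:x:%d:%d:%s:/home/%s:/bin/sh" % (
            rec["uid"], int(rec["uidNumber"]), gid, rec.get("gecos", ""), rec["uid"]))
    return accepted, rejected


# Constructed directory records, shaped like an LDAP search result.
SAMPLE_RECORDS = [
    {"uid": "alice", "uidNumber": "10001", "gidNumber": "10001", "gecos": "Alice"},
    {"uid": "bob", "uidNumber": "10002"},                 # gidNumber missing
]
```

Compared side by side, gid_weak() hands bob the root group while gid_checked() leaves him unmapped with a reason an administrator can act on, which is the safer of the two ways for an identity lookup to be wrong.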
wordpress: privilege bypass
| Package(s): | wordpress |
| CVE #(s): | |
| Created: | September 12, 2007 |
| Updated: | September 12, 2007 |
Description: Wordpress 2.2.3 has been released to fix a security problem. The project has not gone out of its way to describe this problem, but, from the fixed bug list, one concludes that it is possible for users without the requisite privileges to post arbitrary HTML.
Comments (none posted)
xorg-server: local privilege escalation
| Package(s): | xorg-server |
| CVE #(s): | CVE-2007-4730 |
| Created: | September 10, 2007 |
| Updated: | January 24, 2008 |
Description: Aaron Plattner discovered a buffer overflow in the Composite extension of the X.org X server, which can lead to local privilege escalation.
Comments (none posted)
Updated vulnerabilities
aide: checksum errors
| Package(s): | aide |
| CVE #(s): | CVE-2007-3849 |
| Created: | September 4, 2007 |
| Updated: | September 5, 2007 |
Description: Advanced Intrusion Detection Environment (AIDE) is a file integrity checker and intrusion detection program. A flaw was discovered in the way file checksums were stored in the AIDE database. A packaging flaw in the Red Hat AIDE rpm resulted in the file database not containing any file checksum information. This could prevent AIDE from detecting certain file modifications.
Comments (none posted)
apache2: information disclosure
| Package(s): | apache |
| CVE #(s): | CVE-2007-1862 |
| Created: | June 20, 2007 |
| Updated: | February 18, 2008 |
| Description: | From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users." |
apache: multiple vulnerabilities
| Package(s): | apache |
| CVE #(s): | CVE-2007-3304, CVE-2006-5752 |
| Created: | June 27, 2007 |
| Updated: | February 18, 2008 |
| Description: | The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304) A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) |
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
avahi: denial of service
| Package(s): | avahi |
| CVE #(s): | CVE-2007-3372 |
| Created: | June 28, 2007 |
| Updated: | September 18, 2007 |
| Description: | Avahi is vulnerable to a local denial of service that can be caused by making an erroneous call to the assert() function. |
bochs: buffer overflow
| Package(s): | bochs |
| CVE #(s): | CVE-2007-2893 |
| Created: | July 20, 2007 |
| Updated: | November 19, 2007 |
| Description: | A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow." |
centericq: buffer overflows
| Package(s): | centericq |
| CVE #(s): | CVE-2007-3713 |
| Created: | July 20, 2007 |
| Updated: | December 17, 2007 |
| Description: | Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160. |
clamav: denial of service
| Package(s): | clamav |
| CVE #(s): | CVE-2007-3725 |
| Created: | July 24, 2007 |
| Updated: | February 27, 2008 |
| Description: | A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via specially crafted RAR archives. |
clamav: multiple vulnerabilities
| Package(s): | clamav |
| CVE #(s): | CVE-2007-4510, CVE-2007-4560 |
| Created: | September 3, 2007 |
| Updated: | February 13, 2008 |
| Description: | Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service. CVE-2007-4560: It was discovered that clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands. |
cups: denial of service
| Package(s): | cups |
| CVE #(s): | CVE-2007-0720 |
| Created: | March 26, 2007 |
| Updated: | February 7, 2008 |
| Description: | Previous versions of the cups package could be forced to hang via a client "partially negotiating" an SSL connection. In this state, cups would not allow other connections to be made, a denial of service. |
gpdf: integer overflow
| Package(s): | cups poppler xpdf |
| CVE #(s): | CVE-2007-3387 |
| Created: | July 31, 2007 |
| Updated: | November 28, 2007 |
| Description: | The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more. |
dovecot: privilege escalation
| Package(s): | dovecot |
| CVE #(s): | CVE-2007-4211 |
| Created: | August 15, 2007 |
| Updated: | May 21, 2008 |
| Description: | From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a minor privilege escalation attack in which an authenticated user may exploit an ACL plugin weakness to save message flags without having proper permissions." |
dovecot: directory traversal
| Package(s): | dovecot |
| CVE #(s): | CVE-2007-2231 |
| Created: | May 8, 2007 |
| Updated: | May 21, 2008 |
| Description: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name. |
evolution: format string error
| Package(s): | evolution |
| CVE #(s): | CVE-2007-1002 |
| Created: | March 27, 2007 |
| Updated: | February 27, 2008 |
| Description: | A format string error in the "write_html()" function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. |
evolution-data-server: malicious server arbitrary code execution
| Package(s): | evolution-data-server |
| CVE #(s): | CVE-2007-3257 |
| Created: | June 18, 2007 |
| Updated: | November 7, 2007 |
| Description: | From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array." |
fetchmail: denial of service
| Package(s): | fetchmail |
| CVE #(s): | CVE-2007-4565 |
| Created: | September 5, 2007 |
| Updated: | September 26, 2007 |
| Description: | fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP. |
file: integer overflow
| Package(s): | file |
| CVE #(s): | CVE-2007-2799 |
| Created: | June 1, 2007 |
| Updated: | October 19, 2007 |
| Description: | Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file. |
firebird: buffer overflow
| Package(s): | firebird |
| CVE #(s): | CVE-2007-3181 |
| Created: | July 2, 2007 |
| Updated: | March 27, 2008 |
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. |
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2007-3844, CVE-2007-3845 |
| Created: | August 1, 2007 |
| Updated: | February 20, 2008 |
| Description: | A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845) |
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey |
| CVE #(s): | CVE-2007-3738, CVE-2007-3656, CVE-2007-3670, CVE-2007-3285, CVE-2007-3737, CVE-2007-3089, CVE-2007-3736, CVE-2007-3734, CVE-2007-3735 |
| Created: | July 18, 2007 |
| Updated: | May 12, 2008 |
| Description: | shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738) Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656) Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670) Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system, potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285) An attacker can use an element outside of a document to call an event handler, allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737) Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089) Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736) As part of the Firefox 2.0.0.5 update releases, Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) |
flac123: arbitrary code execution
| Package(s): | flac123 |
| CVE #(s): | CVE-2007-3507 |
| Created: | July 13, 2007 |
| Updated: | October 22, 2007 |
| Description: | A stack-based buffer overflow in the local__vcentry_parse_value function in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows user-assisted remote attackers to execute arbitrary code via a large comment value_length. |
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | October 10, 2007 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. |
gallery2: multiple unspecified vulnerabilities
| Package(s): | gallery2 |
| CVE #(s): | CVE-2007-4650 |
| Created: | September 5, 2007 |
| Updated: | November 9, 2007 |
| Description: | Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow attackers to (1) rename items, (2) read and modify item properties, or (3) lock and replace items via unknown vectors in (a) the WebDAV module; and (4) edit unspecified data files using "linked items" in (a) WebDAV and (b) Reupload modules. |
gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
gd: buffer overflow
| Package(s): | gd |
| CVE #(s): | CVE-2007-0455 |
| Created: | February 7, 2007 |
| Updated: | February 28, 2008 |
| Description: | The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
gd: multiple vulnerabilities
| Package(s): | gd |
| CVE #(s): | CVE-2007-3472, CVE-2007-3473, CVE-2007-3474, CVE-2007-3475, CVE-2007-3476, CVE-2007-3477, CVE-2007-3478 |
| Created: | August 6, 2007 |
| Updated: | July 22, 2008 |
| Description: | Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified remote attack vectors and impact. (CVE-2007-3472) The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service |