LWN.net Logo

LWN.net Weekly Edition for December 13, 2007

The Grumpy Editor's video journey, part 1

By Jonathan Corbet
December 12, 2007
Part of the LWN Grumpy Editor series
Your editor has never been a big fan of video cameras. They have a very strong observer effect - they distort the social dynamics of events where they are present. It is also sad to see vacationers who, on the rare occasions when they get out, capture their every step on video; even when they leave the house, they watch their lives on television. So your editor has a strong preference for old-style, organic video memory.

The fact of the matter, however, is that your editor does not always get the final vote, especially in any area related to the raising of children. So your editor's household contains two video cameras - one ancient, one less so - and a set of tapes with no end of priceless memories. Alcohol may have dimmed the experience of some of those early musical performances and such, but video tapes are forever.

Except, of course, that they are not. In particular, the older camera, being the only device in the house which can play those old 8mm analog tapes, is starting to make some very strange noises. The kind of noises which generally come just before an extended session dedicated to the extrication of a terminally crinkled tape which has just been firmly wrapped around and embedded within a surprising amount of severely-jammed helical scan hardware. The spouse and the grandparents have all let it be known that this is not an acceptable course of events, so your editor has been tasked with saving all of this legacy data.

One could, of course, go to a local merchant who, for an amount of money obtainable via an hour or two of consulting work, would transfer this data safely to some sort of optical digital media, where it would be guaranteed to survive for at least a few months. Or one could spend an order of magnitude more time figuring out how to do the work on a Linux system without the intervention of said merchant. Needless to say, your editor never thought twice - something which explains a number of difficult situations in which he has found himself over the years.

This article is the first of (probably) three which describe your editor's odyssey through the hazards of video processing on Linux. The topic this time around is the capture of video data - how does one get imagery from a video tape onto a disk drive? The second segment will look at video editing, turning a disk full of home movies into something moderately more professional in appearance. Then the final installment will go into DVD authoring, otherwise known as the process of getting all that old footage into the hands (and players) of the grandparents.

The older camera is an analog-only device, necessitating the use of some sort of analog-to-digital conversion on the way into the computer. As it happens, your editor is in possession of a Hauppauge WinTV PVR-250 card which, one would think, is ideally suited to this task. Hauppauge is known for working with the free software community, with the effect that its hardware is well supported by the IVTV driver which, after a long development process, was merged into the 2.6.22 kernel. So, one would think, grabbing the data from this device should be easy. And it is, though it took your editor some time to figure out how.

As it turns out, there are very few video capture applications for Linux. And there is nothing which is really aimed at people trying to bring in data from analog cameras. One could use a PVR system like MythTV or Freevo for this purpose, but they are not really intended for this use case. Your editor, who has been through the process of setting up MythTV in the past, chose not to take this approach.

One possible candidate was dvgrab, a tool which is part of the Kino project. This tool, however, is intended for use with FireWire-attached video cameras - we will see how well it works in that mode shortly. There is also a -v4l2 option which claims to capture via Video4Linux2, seemingly ideal for this purpose. Alas, dvgrab is written to use the V4L2 streaming mode, and, amazingly, the IVTV driver does not support that mode. So dvgrab refuses to work with the Hauppauge devices. A look at the code suggests that convincing it to use the V4L2 read/write mode should not be too hard, but that was beyond the scope of your editor's ambitions at this time.

As an aside, this sort of glitch seems to be a common problem with the Video4Linux2 API. V4L2 is well suited to letting applications drive video hardware to the very fullest extent of its capabilities, but that flexibility comes at the cost of forcing quite a bit of complexity onto the application side. A truly flexible V4L2 application must be prepared to cope with a wide variety of hardware and to operate in very different ways depending on what it finds. Most application developers do not make that effort, with the result that incompatibilities between applications and specific video devices are distressingly common. The V4L2 API is, in some ways, similar to the approach taken by X11, with some similar results: there was a long period where many applications performed badly when the display was not running in an 8-bit pseudocolor mode. X11 has worked out in the end; hopefully the same will happen with V4L2.

Another possibility was mencoder, a tool which is packaged with mplayer. Your editor does not doubt that mencoder is capable of acquiring a video stream from this device, converting it into any format one could imagine, and, while it's at it, changing the camera angle and improving the musical talents of the children being filmed. But anybody who has read the mplayer/mencoder man page knows that it is a masterpiece of its kind - a work written to a length that less verbose authors (Neal Stephenson, say) could only dream about - though Stephenson does do a better job of keeping the plot moving.

The length of the manual reflects the complexity of the tool. A typical mencoder command seems to run to about four terminal lines - and that's for a relatively wide terminal. An example from the mencoder documentation reads like this:

    mencoder -oac lavc -ovc lavc -of mpeg -mpegopts format=xsvcd  -vf \
             scale=480:480,harddup -srate 44100 -af lavcresample=44100 -lavcopts \
             vcodec=mpeg2video:mbd=2:keyint=18:vrc_buf_size=917:vrc_minrate=600:\
             vbitrate=2500:vrc_maxrate=2500:acodec=mp2:abitrate=224 \
	     -ofps 30000/1001 -o movie.mpg movie.avi

The end result is that nobody who has not developed significant expertise in video technology, codecs, formats, and more will be able to create one of these commands. Mencoder is a highly capable tool, but approaching it for a task like this is reminiscent of trying to get to the corner store starting with a build-your-own-automobile kit. There are just too many pieces (incomprehensible pieces at that) to put together.

Then, there is transcode. The man page for this utility formats up to a good 50 pages, so it is not the simplest tool either. This problem space, it would appear, forces the creation of complex interfaces. Transcode has a V4L2 input module, which should do the trick, but, like the dvgrab version, it requires streaming I/O capability. So transcode, too, fails to work for this purpose; your editor is starting to think that it might be time to hack a bit on the IVTV driver.

Another candidate was cinelerra - a video editing tool which we will see again in future installments. Your editor tried cinelerra on a few different platforms, using both binary distributions and building from source. Suffice to say that building cinelerra from source is not something to attempt when one is short on time or short on temper. Cinelerra has a record mode, but it requires the V4L2 streaming capability. Of course, it does not bother to check whether that feature is available or not, with the result that attempts to record video yield only silent blackness. Cinelerra is a vastly powerful editing tool, but it was not usable for this task.

So how did your editor finally succeed in getting the analog video data to disk? The first step was to locate the highly-useful v4l2-ctl application which, seemingly, is only available from the V4L-DVB code repository. This tool provides command-line access to the extensive set of V4L2 ioctl() calls, enabling detailed configuration of the device. In particular, your editor made use of it to switch the device to its composite video input.

The second step, then, is decidedly low-tech:

    cp /dev/video priceless-video-data.mpg

The end result is a file containing just the video and audio data desired, in a form which, as it turns out, can be burned directly to DVD. There is no preview of incoming data, no computer-based camera control, no little flashing counters. But it works.

[Kino] The current state of the art for video camcorders is to provide digital data via an IEEE 1394 (FireWire) port. When one has this sort of device, life is rather easier - though it seems that there really is only one game in town. That game is kino - a video editing tool - and its associated dvgrab tool. Either tool will work for capture from a digital video device. They can control the camera, split the incoming data into scenes, and generally make the process painless. Technology does actually get better sometimes. Kino and dvgrab will only store data in the DV format, necessitating a transcoding operation before writing DVDs, but that is a minor difficulty.

Your editor has learned a few things from this process. One is that the IVTV driver needs some work. But the real lesson is that working with video data under Linux involves dealing with a level of complexity that is far beyond what most people have any desire to understand. And this complexity hits hardest at the very front end: trying to get video data onto the system and into a workable format. Your editor suspects that most people who run into this wall quickly give up and buy a proprietary system for this kind of work. In other words, there's a whole world full of creative people doing interesting things with video, and Linux, despite having many of the basic capabilities these people need, is not an option for them.

Meanwhile, your editor has a disk full of video imagery - and a healthy appreciation for just how nice the storage explosion of the last few years has been. Now it's just a matter of bashing all of that data into a useful form for grandparental distribution - a process which looks like it might just take a bit of time. Stay tuned for your editor's video editing experience, due to appear on these pages within the next few weeks.

Comments (30 posted)

Specifying codecs for the web

By Jake Edge
December 12, 2007

Audio and video content are increasingly important components of the World Wide Web, which some of us remember, initially, as a text-only experience. Users of free software need not be told that the multimedia aspect of the net can be hard to access without recourse to proprietary tools. So the decisions which are made regarding multimedia support in the next version of the HTML specification are of more than passing interest. A current dispute over the recommended codecs for HTML5 shows just how hard maintaining an interoperable web may be.

In particular, several big players have complained about the inclusion of Ogg Vorbis and Theora into the standard, causing a predictable uproar in the free software community. To many, it looks like a classic free-versus-proprietary standards showdown. In truth, the issue is not clear cut; there are nuances that are difficult to turn into a banner headline. The heart of the problem is patents, but, unexpectedly, it is the Ogg codecs that are claimed to be at risk.

Nokia fired a very public shot at the Ogg family with a position paper [PDF], calling it "proprietary". It is unclear what Nokia hoped to gain with this statement, other than inflaming the community, as Ogg Vorbis and Theora are clearly open codecs, with free reference implementations – just the opposite of proprietary. In addition, unlike most (or all) other codecs, a patent search was done to look for relevant patents for Vorbis and Theora, with the Xiph.Org Foundation claiming that none could be found. Some contend that an exhaustive patent search is essentially impossible, but most codecs (MP3, H.264, etc.) are known to be patent-encumbered, which would seem to make them a poor choice for HTML5.

Ogg, Vorbis, and Theora

Ogg is a container format that can contain multiple chunks of data, typically multimedia data. Ogg is designed so that it can be processed as it is received, rather than having it all available at once, to facilitate streaming. Vorbis is a codec (short for coder-decoder) that encodes audio data at various bitrates. Vorbis is a lossy, compressed format that saves space at the expense of perfect reproduction, much like MPEG-1 Audio Layer 3 aka MP3. Theora is a codec for video data, also lossy, akin to MPEG-4. An Ogg file could contain a mixture of Theora and Vorbis data to handle the video and audio of a particular work, but it is not in any way tied to those formats. An Ogg file could instead contain MP3 and MPEG-4 data or data from any other codec.

The draft of an HTML5 specification under construction by the Web Hypertext Application Working Group (WHATWG) contained, up until this week, a recommendation for the Ogg codecs. Ogg was not required, only listed as something that SHOULD (i.e. not MUST) be implemented by conforming browsers. That recommendation was dropped from the draft this week, replaced with the following:

It would be helpful for interoperability if all browsers could support the same codecs. However, there are no known codecs that satisfy all the current players: we need a codec that is known to not require per-unit or per-distributor licensing, that is compatible with the open source development model, that is of sufficient quality as to be usable, and that is not an additional submarine patent risk for large companies. This is an ongoing issue and this section will be updated once more information is available.

Some of the big browser makers, notably Microsoft and Apple, have said that they will not support Ogg Theora – Vorbis is less of an issue – out of a concern for patents, particularly submarine patents. Ian Hickson, WHATWG spokesperson points to the Eolas and MP3 patent attacks against Microsoft (with damages in excess of a billion dollars) as examples of what the large, deep-pocketed companies are concerned about. If there is a patent covering (or appearing to cover) any of the techniques used in Theora, it is the large companies that are going to be on the hook.

Some in the community believe this move is part of a proprietary lock-in play:

Vorbis provides the perfect escape for proprietary audio prisons. Apple and Nokia are having problems with consumers and authors actually waking up and using free, non-patent-encumbered, widely available, unrestricted, non-proprietary technology. Since Vorbis directly threatens their ability to sell traps, they are extorting your compliance with threats of not supporting the HTML5 spec.

There may be some truth to that, but there are some legitimate problems with Theora as well. The technical complaints tend to compare it to H.264 (the most popular MPEG-4 codec), but that is something of a red herring. Neither the WHATWG, nor the World Wide Web Consortium (W3C) are going to allow a technology known to be licensed only on a royalty basis into HTML5. W3C, which will eventually make the final decision on what goes into HTML5, has a policy of requiring technology to be licensed in a royalty-free (RF) mode before it can be approved for inclusion into a standard.

All members of a particular W3C working group are required to disclose patents they believe to be relevant and to provide them to implementors on an RF basis. There may be relevant patent holders who are not members of the working group, thus not subject to that requirement, but if they have enforced their patent on a particular technology, the W3C will try to find an alternative. There may also be patent trolls waiting for someone with deep pockets to implement something covered by a patent they hold – this is the submarine patent threat.

Apple, Nokia, Microsoft and others have already implemented (and licensed) MPEG-4, so there would be no additional risk to them if that were used as the baseline video codec for the web. Using Theora as an alternative is seen by the larger players as a huge increase in their risk, with no benefit to their customers because there is, for all intents and purposes, no Theora content out there. For free software and smaller companies, the situation is clearly quite different.

The lack of Theora-encoded content is the crux of the matter. There might be lots of whining, but big companies would be forced by their customers to support Theora, patent suit risk or no, if there were interesting content available in only that form. This has led to a call for more Theora content:

Do compelling demos. Release video in Theora format. It may be easy to use a service that provides video for you in exchange for giving them certain rights but if you want your format to succeed, then increased usage is the way.

The WHATWG folks seem to have the needs of free software firmly in mind; certainly the W3C RF policy makes it abundantly clear that a proprietary solution will not be required, or even recommended, for HTML5. The participants on the mailing list, and Hickson, in particular, have been very patient with the onslaught of flamers screaming about the change. The whole HTML5 effort is centered around interoperability for the web, so any technology that will not be implemented by Microsoft and Apple runs directly counter to that goal. WHATWG seems to be between the proverbial rock and hard place.

Several potential solutions are being considered. Possibilities include leaving a video codec recommendation out of HTML5 – not a particularly interoperable solution – or finding a codec that is old enough that any patents covering it must have expired. Another alternative would be to get some other current codec (MPEG-4 for instance) licensed on an RF basis. This issue will undoubtedly be discussed at the W3C Video on the Web Workshop currently being held in San Jose and Brussels. Stay tuned.

Comments (71 posted)

FOSS.in: A conference in transition

December 11, 2007

This article was contributed by Biju Chacko

In the last few years FOSS.in has established itself as one of the largest open source conferences in Asia. This year the organizers re-orientated the conference to address what they see as the Indian open source community's biggest challenge. LWN dropped by the conference to see the changes and get an impression of the results.

FOSS.in was started in 2001 under the name "Linux Bangalore" in the centre of India's software industry. At that time it was difficult to get information about free software in India -- internet access was still not widespread, the software industry was focused on proprietary tools and the publishing industry had not picked up on FOSS yet. Linux Bangalore addressed an untapped market for FOSS education and was an unqualified success from the start.

LB, as it was known, was focused on encouraging the use of free software in India. The content was a mix of tutorials, howtos and advocacy. The conference retained a user orientation for many years -- the only significant developer activity was from the Indian localization community.

By 2005 FOSS had hit the mainstream. The Linux Bangalore organizers began to feel that it needed a greater raison-d'etre than advocacy and popularization. Despite changing its name to FOSS.in to reflect a larger scope, the danger remained that the conference would soon be lost among a host of other sources of open source information.

It was then that the FOSS.in team, led by Atul Chitnis, turned its attention to another problem. The Indian free and open source community had long worried that its level of participation in the open source process was very low in relation to its size. There were very few visible Indian hackers -- India was beginning to develop a reputation of being a nation of FOSS consumers that did not contribute back. This was especially alarming because many sections of the local software industry had wholly moved to free software. The embedded software industry, for example, had discarded proprietary alternatives in favor of Linux. So there was a large base of qualified developers who did not seem to be getting involved.

After a favorable response to the developer oriented tracks in FOSS.in/2005 and 2006, the FOSS.in team decided to refocus the event on encouraging FOSS contributions. The key, they decided, was exposure and communication. They felt that if Indian developers had an opportunity to meet and interact with active contributors they'd be inspired to do more themselves. To this end, they made a number of changes to the format. They added 'Project Days' -- day long tracks on a specific FOSS project. They reduced the usually hectic pace of the conference by reducing the number of talks. This gave the audience more time to talk to speakers between talks. The more leisurely pace encouraged lots of interesting conversations in the corridors. Other facilities -- a "hack centre" containing machines, tents outside the venue and a lounge area -- provided space for corridor conversations and post-talk discussions to develop further.

The results were mixed. Attendance took a major hit. Previous editions averaged about 3000 attendees, this year attendance dropped by over half to about 1200. It was, however, a far more clued-in crowd which did not plague speakers with off-topic questions. There were some complaints that some talks were pitched at a far more basic level than were needed.

The Project Days seemed to have more participation than was originally expected. There were tracks on Debian, Mozilla, Gnome, OpenSolaris, Fedora, KDE, OpenOffice and the IndLinux project. In contrast, energy levels at the main conference seemed muted. This was partly due to the smaller crowds. However, in the opinion of this correspondent, this was partly due to scheduling and content. The tone of a conference is set early on. The conference would have been better served by an initial keynote that was flamboyant and inspiring rather the low-key technical talk by the decidedly non-flamboyant Naba Kumar (the Anjuta lead).

The insistence on purely technical talks provided context and guidance to potential contributors but may have failed communicate the motivation: fun and high ideals. I think it's fair to say that the most effective recruitment tool was when the always entertaining Rusty Russell made a hapless member of the audience create a kernel patch onstage and mail it to LKML.

The success of FOSS.in/2007 may not be measurable. It may be years before the Indian FOSS community is proportional in size to the Indian software industry. There are probably many other factors that will affect this outcome. But the transition of FOSS.in to a true hacker conference can only help this to happen.

Comments (3 posted)

Page editor: Jonathan Corbet

Security

On entropy and randomness

By Jake Edge
December 12, 2007

Linux random number generation (RNG) is often a source of confusion to developers, but it is also a very integral part of the security of the system. It provides random data to generate cryptographic keys, TCP sequence numbers, and the like, so unpredictability as well as very strong random numbers are required. When someone notices a flaw, or a possible flaw in the RNG, kernel hackers take notice.

Recurring universally unique identifiers (UUIDs), as reported by the smolt hardware profiler client program, had some worried about problems in the kernel RNG. As it turns out, the problem exists in the interaction between Fedora 8 LiveCD installations and smolt – essentially the UUID came from the CD – but it sparked a discussion leading to some possible improvements. Along the way, some common misconceptions about kernel RNG were cleared up.

The kernel gathers information from external sources to provide input to its entropy pool. This pool contains bits that have extremely strong random properties, so long as unpredictable events (inter-keypress timings, mouse movements, disk interrupts, etc.) are sampled. It provides direct access to this pool via the /dev/random device. Reading from that device will provide the strongest random numbers that Linux can offer – depleting the entropy pool. When the entropy pool runs low, reads to /dev/random block until there is sufficient entropy.

The alternative interface, the one that nearly all programs should use, is /dev/urandom. Reading from that device will not block. If sufficient entropy is available, it will provide random numbers just as strong as /dev/random, if not, it uses the SHA cryptographic hash algorithm to generate very strong random numbers. Developers often overestimate how strong their random numbers need to be; they also overestimate how easy "breaking" /dev/urandom would be, which leads to programs that, unnecessarily, read /dev/random. Ted Ts'o, who wrote the kernel RNG, puts it this way:

Past a certain point /dev/urandom will start returning results which are cryptographically random. At that point, you are depending on the strength of the SHA hash algorithm, and actually being able to not just to find hash collisions, but being able to trivially find all or most possible pre-images for a particular SHA hash algorithm. If that were to happen, it's highly likely that all digital signatures and openssh would be totally broken.

There is still a bit of hole in all of this: how does a freshly installed system, with little or no user interaction, at least yet, get its initial entropy? When Alan Cox and Mike McGrath started describing the smolt problem, the immediate reaction was to look closely at how the entropy pool was being initialized. While that turned out not to be the problem, it did lead Matt Mackall, maintainer of the kernel RNG, to start thinking about better pool initialization. Various ideas about mixing in data specific to the host, like MAC address and PCI device characteristics were discussed.

As Ts'o points out, that will help prevent things like UUID collisions, but it doesn't solve the problem of predictability of the random numbers that will be generated by these systems.

In order to do that we really do need to improve the amount of hardware entropy we can mix into the system. This is a hard problem, but as more people are relying on these facilities, it's something we need to think about quite a bit more!

Linux provides random numbers suitable for nearly any purpose via /dev/urandom. For the truly paranoid, there is also /dev/random, but developers would do well to forget that device exists for everything but the most critical needs. If one is generating a large key pair, to use for the next century, using some data from /dev/random is probably right. Anything with lower requirements should seriously consider /dev/urandom.

Comments (28 posted)

New vulnerabilities

autofs: insecure default configuration

Package(s):autofs CVE #(s):CVE-2007-5964
Created:December 12, 2007 Updated:January 14, 2008
Description: Versions of the autofs automounter daemon as shipped by Red Hat (and possibly other distributors) are installed with an insecure configuration; in particular, the "hosts" map lacks the "nosuid" option, allowing an attacker who has control over an NFS server to run setuid programs on vulnerable systems.
Alerts:
Mandriva MDVSA-2008:009-1 2007-01-12
Mandriva MDVSA-2008:009 2007-01-11
Fedora FEDORA-2007-4707 2007-12-21
Fedora FEDORA-2007-4469 2007-12-15
Fedora FEDORA-2007-4532 2007-12-15
Red Hat RHSA-2007:1129-01 2007-12-12
Fedora FEDORA-2007-4709 2007-12-21
Red Hat RHSA-2007:1128-01 2007-12-12

Comments (none posted)

e2fsprogs: integer overflows

Package(s):e2fsprogs CVE #(s):CVE-2007-5497
Created:December 7, 2007 Updated:February 12, 2008
Description: Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, ext2 file system utilities and libraries, contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These could result in heap-based overflows potentially allowing the execution of arbitrary code.
Alerts:
Foresight FLEA-2008-0005-1 2008-02-11
Fedora FEDORA-2007-4447 2008-01-16
Fedora FEDORA-2007-4461 2008-01-16
Red Hat RHSA-2008:0003-01 2008-01-07
Gentoo 200712-13 2007-12-18
rPath rPSA-2007-0262-1 2007-12-11
Debian DSA-1422 2007-12-07
Mandriva MDKSA-2007:242 2007-12-10
Ubuntu USN-555-1 2007-12-08

Comments (none posted)

emacs: buffer overflow

Package(s):emacs CVE #(s):CVE-2007-6109
Created:December 10, 2007 Updated:May 6, 2008
Description:

From the National Vulnerability Database:

Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line.

Alerts:
Ubuntu USN-607-1 2008-05-06
SuSE SUSE-SR:2008:003 2008-02-07
Mandriva MDVSA-2008:034 2007-02-04
Gentoo 200712-03 2007-12-09

Comments (none posted)

emul-linux-x86-qtlibs: arbitrary code execution

Package(s):emul-linux-x86-qtlibs CVE #(s):
Created:December 10, 2007 Updated:December 12, 2007
Description:

From the Gentoo advisory:

An attacker could trigger one of the vulnerabilities by causing a Qt application to parse specially crafted text or Unicode strings, which may lead to the execution of arbitrary code with the privileges of the user running the application.

Alerts:
Gentoo 200712-08 2007-12-09

Comments (none posted)

firebird: arbitrary code execution

Package(s):firebird CVE #(s):CVE-2007-4992 CVE-2007-5246
Created:December 10, 2007 Updated:December 12, 2007
Description:

From the Gentoo advisory:

Adriano Lima and Ramon de Carvalho Valle reported that functions isc_attach_database() and isc_create_database() do not perform proper boundary checking when processing their input.

A remote attacker could send specially crafted requests to the Firebird server on TCP port 3050, possibly resulting in the execution of arbitrary code with the privileges of the user running Firebird (usually firebird).

Alerts:
Gentoo 200712-06 2007-12-09

Comments (none posted)

heimdal: insufficient memory allocation

Package(s):heimdal CVE #(s):CVE-2007-5939
Created:December 7, 2007 Updated:December 12, 2007
Description: The gss_userok function in appl/ftp/ftpd/gss_userok.c in Heimdal 0.7.2 does not allocate memory for the ticketfile pointer before calling free, which allows remote attackers to have an unknown impact via an invalid username. NOTE: the vulnerability was originally reported for ftpd.c, but this is incorrect.
Alerts:
Mandriva MDKSA-2007:239 2007-12-06

Comments (1 posted)

libnfsidmap: possible privilege escalation

Package(s):libnfsidmap CVE #(s):CVE-2007-4135
Created:December 7, 2007 Updated:December 12, 2007
Description: The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client.
Alerts:
Mandriva MDKSA-2007:240 2007-12-07

Comments (none posted)

MySQL: privilege escalation

Package(s):MySQL CVE #(s):CVE-2007-3781 CVE-2007-5969
Created:December 11, 2007 Updated:May 21, 2008
Description: MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)

MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)

Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Gentoo 200804-04 2008-04-06
SuSE SUSE-SR:2008:003 2008-02-07
rPath rPSA-2008-0018-1 2008-01-17
Debian DSA-1451-1 2008-01-06
Ubuntu USN-559-1 2007-12-21
Red Hat RHSA-2007:1157-01 2007-12-19
Fedora FEDORA-2007-4471 2007-12-15
Fedora FEDORA-2007-4465 2007-12-15
Red Hat RHSA-2007:1155-01 2007-12-18
Mandriva MDKSA-2007:243 2007-12-10

Comments (none posted)

nagios: cross-site scripting

Package(s):nagios CVE #(s):CVE-2007-5624
Created:December 7, 2007 Updated:May 9, 2008
Description: Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
Alerts:
SuSE SUSE-SR:2008:011 2008-05-09
Mandriva MDVSA-2008:067 2008-03-18
Fedora FEDORA-2007-4145 2007-12-06
Fedora FEDORA-2007-4123 2007-12-06

Comments (none posted)

phpMyAdmin: information disclosure

Package(s):phpMyAdmin CVE #(s):CVE-2007-0095
Created:December 11, 2007 Updated:September 25, 2008
Description: phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message.
Alerts:
Fedora FEDORA-2008-6502 2008-07-17
Fedora FEDORA-2008-6450 2008-07-17
Fedora FEDORA-2008-2229 2008-03-03
Fedora FEDORA-2008-2189 2008-03-03
Fedora FEDORA-2007-4298 2007-12-10
Fedora FEDORA-2007-4334 2007-12-10
Fedora FEDORA-2008-8269 2008-09-24
Fedora FEDORA-2008-8286 2008-09-24

Comments (none posted)

ruby-gnome2: format string vulnerability

Package(s):ruby-gnome2 CVE #(s):CVE-2007-6183
Created:December 7, 2007 Updated:April 23, 2008
Description: A format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.
Alerts:
Fedora FEDORA-2008-3249 2008-04-22
Fedora FEDORA-2008-3283 2008-04-22
Fedora FEDORA-2008-2682 2008-03-26
Fedora FEDORA-2008-2662 2008-03-26
Fedora FEDORA-2008-1535 2008-02-13
Mandriva MDVSA-2008:033 2007-02-01
Debian DSA-1431-1 2007-12-11
Gentoo 200712-09 2007-12-09
Fedora FEDORA-2007-4216 2007-12-06
Fedora FEDORA-2007-4229 2007-12-06

Comments (none posted)

samba: stack-based buffer overflow

Package(s):samba CVE #(s):CVE-2007-6015
Created:December 11, 2007 Updated:December 19, 2007
Description: A stack buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server.
Alerts:
Ubuntu USN-556-1 2007-12-18
SuSE SUSE-SA:2007:068 2007-12-12
Mandriva MDKSA-2007:244 2007-12-11
Red Hat RHSA-2007:1117-01 2007-12-10
Red Hat RHSA-2007:1114-01 2007-12-10
Slackware SSA:2007-344-01 2007-12-11
Fedora FEDORA-2007-4275 2007-12-10
Fedora FEDORA-2007-4269 2007-12-10
Gentoo 200712-10 2007-12-10
rPath rPSA-2007-0261-1 2007-12-10
Debian DSA-1427-1 2007-12-10

Comments (none posted)

xorg-x11-xfs: arbitrary code execution

Package(s):xorg-x11-xfs CVE #(s):
Created:December 10, 2007 Updated:December 12, 2007
Description:

From the xorg advisory:

Several vulnerabilities have been identified in xfs, the X font server. The QueryXBitmaps and QueryXExtents protocol requests suffer from lack of validation of their 'length' parameters. Maliciously crafted requests can either cause two different problems with both requests:

* An integer overflow in the computation of the size of a dynamic buffer can lead to a heap overflow in the build_range() function.

* An arbitrary number of bytes on the heap can be swapped by the swap_char2b() function.

Alerts:
Fedora FEDORA-2007-763 2007-12-07

Comments (none posted)

zabbix: privilege escalation

Package(s):zabbix CVE #(s):CVE-2007-6210
Created:December 6, 2007 Updated:December 12, 2007
Description: Bas van Schaik has found a privilege escalation in the agentd process of the Zabbix network monitor application. Agentd can be used to run user commands under the root account, leading to an escalation of privilege.
Alerts:
Debian DSA-1420-1 2007-12-05
Fedora FEDORA-2007-4176 2007-12-06
Fedora FEDORA-2007-4160 2007-12-06

Comments (none posted)

Updated vulnerabilities

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2007-0704 2007-06-26
Mandriva MDKSA-2007:127 2007-06-19

Comments (2 posted)

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CVE-2007-3304 CVE-2006-5752
Created:June 27, 2007 Updated:February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Fedora FEDORA-2008-1711 2008-02-15
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2007-2214 2007-09-18
rPath rPSA-2007-0182-1 2007-09-14
Ubuntu USN-499-1 2007-08-16
Red Hat RHSA-2007:0662-01 2007-07-13
Red Hat RHSA-2007:0557-01 2007-07-13
Fedora FEDORA-2007-615 2007-07-12
Mandriva MDKSA-2007:142 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:140 2007-07-04
Fedora FEDORA-2007-617 2007-07-02
rPath rPSA-2007-0136-1 2007-06-27
Red Hat RHSA-2007:0556-01 2007-06-26
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0532-01 2007-06-26

Comments (1 posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

apache2: denial of service

Package(s):apache2 CVE #(s):CVE-2007-1863
Created:November 19, 2007 Updated:February 18, 2008
Description:

From the CVE entry:

cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.

Alerts:
Fedora FEDORA-2008-1711 2008-02-15
SuSE SUSE-SA:2007:061 2007-11-19

Comments (1 posted)

httpd: denial of service, cross-site scripting

Package(s):apache httpd CVE #(s):CVE-2007-3847 CVE-2007-4465
Created:September 25, 2007 Updated:February 15, 2008
Description: A flaw was found in the mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465)

Alerts:
Slackware SSA:2008-045-02 2008-02-15
Ubuntu USN-575-1 2008-02-04
Red Hat RHSA-2008:0008-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0004-01 2008-01-15
Mandriva MDKSA-2007:235 2007-12-03
SuSE SUSE-SA:2007:061 2007-11-19
Red Hat RHSA-2007:0747-02 2007-11-15
Gentoo 200711-06 2007-11-07
Red Hat RHSA-2007:0746-04 2007-11-07
Red Hat RHSA-2007:0911-01 2007-10-25
Fedora FEDORA-2007-707 2007-09-24

Comments (none posted)

asterisk: possible SQL injection

Package(s):asterisk CVE #(s):CVE-2007-6170
Created:December 3, 2007 Updated:April 15, 2008
Description: Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection.
Alerts:
Gentoo 200804-13 2008-04-14
SuSE SUSE-SR:2008:005 2008-03-06
Debian DSA-1417-1 2007-12-02

Comments (none posted)

cacti: SQL injection vulnerability

Package(s):cacti CVE #(s):CVE-2007-6035
Created:November 22, 2007 Updated:February 18, 2008
Description: Versions of Cacti prior to 0.8.7a have an SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via unspecified vectors.
Alerts:
Fedora FEDORA-2008-1737 2008-02-15
Fedora FEDORA-2008-1699 2008-02-15
Debian DSA-1418-1 2007-12-02
Mandriva MDKSA-2007:231 2007-11-22
Fedora FEDORA-2007-3683 2007-11-22
Gentoo 200712-02:02 2007-12-05
SuSE SUSE-SR:2007:024 2007-11-22
Fedora FEDORA-2007-3667 2007-11-22

Comments (none posted)

cacti: denial of service

Package(s):cacti CVE #(s):CVE-2007-3112 CVE-2007-3113
Created:September 18, 2007 Updated:February 18, 2008
Description: A vulnerability in Cacti 0.8.6i and earlier versions allows remote authenticated users to cause a denial of service (CPU consumption) via large values of the graph_start, graph_end, graph_height, or graph_width parameters.
Alerts:
Fedora FEDORA-2008-1737 2008-02-15
Fedora FEDORA-2007-3683 2007-11-22
Fedora FEDORA-2007-2199 2007-09-18
Mandriva MDKSA-2007:184 2007-09-17

Comments (none posted)

cairo: integer overflow

Package(s):Cairo CVE #(s):CVE-2007-5503
Created:November 29, 2007 Updated:April 10, 2008
Description: Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges.
Alerts:
Debian DSA-1542-1 2008-04-09
SuSE SUSE-SR:2008:003 2008-02-07
Mandriva MDVSA-2008:019 2007-01-21
Fedora FEDORA-2007-3818 2008-01-16
rPath rPSA-2008-0015-1 2008-01-15
Ubuntu USN-550-3 2007-12-13
Ubuntu USN-550-2 2007-12-10
Gentoo 200712-04 2007-12-09
Ubuntu USN-550-1 2007-12-03
Slackware SSA:2007-337-01 2007-12-04
Red Hat RHSA-2007:1078-02 2007-11-29

Comments (none posted)

centericq: buffer overflows

Package(s):centericq CVE #(s):CVE-2007-3713
Created:July 20, 2007 Updated:December 17, 2007
Description: Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160.
Alerts:
Debian DSA-1433-1 2007-12-16
Debian-Testing DTSA-55-1 2007-09-03
Fedora FEDORA-2007-1160 2007-07-19

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200708-04 2007-08-09
Mandriva MDKSA-2007:150 2007-07-25
Debian DSA-1340-1 2007-07-24

Comments (none posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2007-4510 CVE-2007-4560
Created:September 3, 2007 Updated:February 13, 2008
Description: Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service.

CVE-2007-4560: It was discovered clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands.

Alerts:
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-0170 2008-01-22
Gentoo 200709-14 2007-09-20
Fedora FEDORA-2007-2050 2007-09-07
Mandriva MDKSA-2007:172 2007-08-31
Debian DSA-1366-1 2007-09-01

Comments (none posted)

cups: denial of service

Package(s):cups CVE #(s):CVE-2007-0720
Created:March 26, 2007 Updated:February 7, 2008
Description: Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service.
Alerts:
Mandriva MDVSA-2008:036 2007-02-06
Mandriva MDKSA-2007:086 2007-04-16
Red Hat RHSA-2007:0123-01 2007-04-16
Gentoo 200703-28 2007-03-31
Foresight FLEA-2007-0003-1 2007-03-25

Comments (none posted)

debian-goodies: privilege escalation

Package(s):debian-goodies CVE #(s):CVE-2007-3912
Created:October 5, 2007 Updated:March 24, 2008
Description: Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.
Alerts:
Debian DSA-1527-1 2008-03-24
Ubuntu USN-526-1 2007-10-04

Comments (none posted)

Django: denial of service

Package(s):Django CVE #(s):CVE-2007-5712
Created:November 12, 2007 Updated:September 22, 2008
Description:

From the CVE notice:

The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.

Alerts:
Fedora FEDORA-2007-2788 2007-11-09
Fedora FEDORA-2007-3157 2007-11-09
Debian DSA-1640-1 2008-09-20

Comments (none posted)

dovecot: privilege escalation

Package(s):dovecot CVE #(s):CVE-2007-4211
Created:August 15, 2007 Updated:May 21, 2008
Description: From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a minor privilege escalation attack in which an authenticated user may exploit an ACL plugin weakness to save message flags without having proper permissions."
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Fedora FEDORA-2007-664 2007-08-20
rPath rPSA-2007-0161-1 2007-08-14

Comments (none posted)

dovecot: directory traversal

Package(s):dovecot CVE #(s):CVE-2007-2231
Created:May 8, 2007 Updated:May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Debian DSA-1359-1 2007-08-28
Ubuntu USN-487-1 2007-07-17
Fedora FEDORA-2007-493 2007-05-07

Comments (none posted)

drupal: multiple vulnerabilities

Package(s):drupal CVE #(s):CVE-2007-5593 CVE-2007-5594 CVE-2007-5595 CVE-2007-5596 CVE-2007-5597
Created:October 24, 2007 Updated:December 7, 2007
Description: From the Fedora advisory:

- Upgrade to 5.3, fixes:
- HTTP response splitting.
- Arbitrary code execution.
- Cross-site scripting.
- Cross-site request forgery.
- Access bypass.
Alerts:
Fedora FEDORA-2007-4163 2007-12-06
Fedora FEDORA-2007-4136 2007-12-06
Fedora FEDORA-2007-2649 2007-10-24

Comments (none posted)

eggdrop: stack-based buffer overflow

Package(s):eggdrop CVE #(s):CVE-2007-2807
Created:September 7, 2007 Updated:January 7, 2008
Description: A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message.
Alerts:
Debian DSA-1448-1 2008-01-05
Fedora FEDORA-2007-4325 2007-12-10
Fedora FEDORA-2007-4305 2007-12-10
Gentoo 200709-07 2007-09-15
Mandriva MDKSA-2007:175 2007-09-06

Comments (none posted)

emacs: command execution via local variables

Package(s):emacs CVE #(s):CVE-2007-5795
Created:November 14, 2007 Updated:February 5, 2008
Description: From the original Debian problem report: "In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables' function does not behave correctly when `enable-local-variables' is set to :safe. The documentation of `enable-local-variables' states that the value :safe means to set only safe variables, as determined by `safe-local-variable-p' and `risky-local-variable-p' (and the data driving them), but Emacs ignores this and instead sets all the local variables." When this setting (which is not the default) is in effect, opening a hostile file could lead to the execution of arbitrary commands.
Alerts:
Mandriva MDVSA-2008:034 2007-02-04
Gentoo 200712-03 2007-12-09
Ubuntu USN-541-1 2007-11-13
Fedora FEDORA-2007-2946 2007-11-17
Fedora FEDORA-2007-3056 2007-11-17

Comments (1 posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200706-02 2007-06-06
Red Hat RHSA-2007:0158-01 2007-05-03
Foresight FLEA-2007-0010-1 2007-04-05
Fedora FEDORA-2007-404 2007-04-04
Fedora FEDORA-2007-393 2007-04-04
Mandriva MDKSA-2007:070 2007-03-27

Comments (1 posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Debian DSA-1529-1 2008-03-24
Gentoo 200707-01 2007-07-01

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2007-3844 CVE-2007-3845
Created:August 1, 2007 Updated:February 20, 2008
Description:

A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844)

Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845)

Alerts:
Mandriva MDVSA-2007:047 2007-02-19
Fedora FEDORA-2007-3414 2007-11-16
Fedora FEDORA-2007-3431 2007-11-16
Red Hat RHSA-2007:0981-01 2007-10-19
Red Hat RHSA-2007:0980-01 2007-10-19
Red Hat RHSA-2007:0979-01 2007-10-19
Debian DSA-1391-1 2007-10-19
Gentoo 200708-09 2007-08-14
rPath rPSA-2007-0157-1 2007-08-10
Slackware SSA:2007-215-01 2007-08-06
Debian DSA-1346-1 2007-08-04
Debian DSA-1345-1 2007-08-04
Debian DSA-1344-1 2007-08-03
Foresight FLEA-2007-0040-1 2007-08-03
Slackware SSA:2007-213-01 2007-08-02
Mandriva MDKSA-2007:152 2007-08-01
Foresight FLEA-2007-0039-1 2007-08-01
Ubuntu USN-493-1 2007-07-31

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox seamonkey CVE #(s):CVE-2007-5947 CVE-2007-5959 CVE-2007-5960
Created:November 27, 2007 Updated:March 3, 2008
Description: A cross-site scripting flaw was found in the way Firefox handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running Firefox. (CVE-2007-5947)

Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959)

A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960)

Alerts:
rPath rPSA-2008-0093-1 2008-02-29
Foresight FLEA-2008-0001-1 2008-02-11
Gentoo 200712-21 2007-12-29
Red Hat RHSA-2007:1083-01 2007-12-19
Mandriva MDKSA-2007:246 2007-12-13
Fedora FEDORA-2007-4098 2007-12-06
Debian DSA-1425-1 2007-12-08
Fedora FEDORA-2007-4106 2007-12-06
rPath rPSA-2007-0260-1 2007-12-06
Fedora FEDORA-2007-756 2007-12-03
Slackware SSA:2007-333-01 2007-11-30
Fedora FEDORA-2007-3962 2007-11-29
Fedora FEDORA-2007-3952 2007-11-29
Red Hat RHSA-2007:1082-01 2007-11-26
Debian DSA-1424-1 2007-12-08
Ubuntu USN-546-2 2007-12-04
SuSE SUSE-SA:2007:066 2007-12-05
Slackware SSA:2007-331-01 2007-11-28
Ubuntu USN-546-1 2007-11-26
Red Hat RHSA-2007:1084-01 2007-11-26

Comments (1 posted)

firefox, thunderbird, seamonkey: multiple vulnerabilities

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735
Created:July 18, 2007 Updated:May 12, 2008
Description: shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)

An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)

Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes that showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

Alerts:
Debian DSA-1574-1 2008-05-12
Debian DSA-1534-2 2008-04-24
Debian DSA-1535-1 2008-03-30
Debian DSA-1534-1 2008-03-28
Debian DSA-1532-1 2008-03-27
Mandriva MDVSA-2007:047 2007-02-19
Ubuntu USN-503-1 2007-08-24
Slackware SSA:2007-222-04 2007-08-13
SuSE SUSE-SA:2007:049 2007-08-02
Slackware SSA:2007-205-02 2007-07-25
Slackware SSA:2007-205-01 2007-07-25
Foresight FLEA-2007-0033-1 2007-07-24
Debian DSA-1339-1 2007-07-23
Debian DSA-1338-1 2007-07-23
Fedora FEDORA-2007-1181 2007-07-20
Fedora FEDORA-2007-1180 2007-07-20
Debian DSA-1337-1 2007-07-22
Fedora FEDORA-2007-642 2007-07-20
Fedora FEDORA-2007-641 2007-07-20
rPath rPSA-2007-0148-1 2007-07-20
Ubuntu USN-490-1 2007-07-19
Slackware SSA:2007-200-01 2007-07-20
Fedora FEDORA-2007-1159 2007-07-19
Fedora FEDORA-2007-1157 2007-07-19
Fedora FEDORA-2007-1155 2007-07-19
Red Hat