LCA: Bringing X into a two-handed world
By Jonathan Corbet
February 3, 2008
Our graphical interfaces, as implemented through the X Window System, are
designed around a single keyboard and a single mouse. But humans are
social creatures who want to work together and share systems; they also
tend to design their activities around the fact that we have two hands.
Moving X out of the single-device model is not a task for the faint of
heart, but Peter Hutterer is making a go of it. His LCA talk on
multi-pointer X was an
interesting update on where this work stands.
The X device model is based on the idea of a core keyboard and a core
pointer. Even in a situation where multiple input devices are present (a
second mouse plugged into a laptop, say), the application still only sees a
single, core device. There is no way to tell, using these core devices,
which physical device generated any given event. This, of course, will be
an obstacle for any application wanting to provide multi-device support.
As it happens, the XInput extension has
provided basic
multiple-device support for many years. XInput events look much like core
device events, except that (1) applications must register to receive
them separately, and (2) they include an ID number identifying the
device which generated the event. XInput does not solve the problem by
itself, though, for a couple of reasons. Beyond the fact that it does not
provide a way for users to specify how different devices should be handled,
XInput suffers from the little difficulty that approximately 100% of X
applications do not make use of it. So nobody is listening to all those
nice XInput events with associated device IDs. The one exception Peter
mentioned is the
GIMP, which uses XInput to deal with tablets.
Of course, multiple devices work on current systems; that is because the X
server also generates core events for all devices. That causes the device
ID to be lost, but, since applications do not care, this is not a problem,
for now. But it does mean that we are still stuck in a world where systems have
a single pointer and a single keyboard.
Luckily for us, says Peter, multi-pointer X is on the horizon. MPX extends
X through the creation of the concept of "master" and "slave" devices.
Master devices are those which generate events seen by MPX-aware clients;
they are virtual devices which can be created and destroyed by the user at
will. Slave devices, instead, correspond to the physical devices attached
to the system. Through the use of a modified xinput command,
users can create masters and attach specific slaves to them.
In the MPX world, one of three things will happen whenever something is
done with a physical (slave) device:
- The X server will create an XInput event from the slave device and
deliver it to any applications which have asked for such events.
- If that event is not delivered (because nobody was interested), a core
event from the associated
master device is created and queued for delivery.
- If the event is still undelivered, the server will create an
XInput event from the master device to which the slave is attached and
attempt to deliver that.
The end result is a scheme where multiple devices still work as expected
with non-MPX-aware applications. But when an application which does take
advantage of MPX shows up, it will have access to the real information about what
the user is doing.
Peter ran a demo of some of the things he was able to do. By default,
there is still only one pointer and one keyboard. Once a new master is
created, though, and slave devices attached to it, things get more
interesting. Two mouse pointers exist on the screen, each of which can be used
independently. It's possible to be typing into two separate windows at the
same time. Or, with the right window manager, the user can move windows
simultaneously, or resize a window by grabbing two corners at the same
time. It was great fun to watch.
MPX brings with it an API which can be used with multi-device
applications. When applications use it, says Peter, the result is "eternal
happiness." That just leaves the problem of "the other 100%" of the
application base which lacks this awareness. To a certain extent, things
just work, even when independent pointers are used in the same
application. There are some exceptions, though, which have required some
workarounds in the system.
For example, applications typically respond when the pointer enters a
specific window - illuminating a button within the application, say.
Things work fine when two pointers enter that button. But,
likely as not, once the first pointer leaves the button, it will go dark and
refuse to respond to events from the other pointer. The solution is to
nest enter and leave events, so that only the first entry and only the
final exit are reported to the application. Another problem results when a
mouse button is pushed while another button is being held down (for a drag operation,
perhaps) on a different device. Do that within Nautilus, and the
application simply locks up - not the eternal happiness Peter was hoping
for. So, when the application holds a grab on one
device (as happens when buttons are held down), no other button events will
be reported. Also problematic is what to do when the application asks
where the pointer is: which pointer should be reported? In this case, the
server simply assigns one pointer as the one to report on. All of this
makes standard applications work - almost all the time.
Some interesting problems remain, though. How, for example, should a
window manager place new windows in a multi-user, multi-device situation?
Users will want their windows in their part of the display space, but the
window manager has no real way of knowing where that is - or even which
user the window "belongs" to. In general, the
whole paradigm under which desktop applications have been developed is
unprepared to deal with a multi-device world.
Things will get worse as more types of input devices enter the picture.
Touch screens are bad enough; they have no persistent state, so things
change every time the user touches the device. But touch screens of the
future will report multiple touch points simultaneously, and each of those
will have attributes like the area of the touch, the pressure being
applied, etc. Perhaps the device will sense elevation - a third dimension
above the device itself.
All of this is going to require a massive rethinking of how our
applications work. There are going to be a lot of big problems. But that,
says Peter, is what happens when one explores new areas. One gets the
sense that he is looking forward to the challenge.
Comments (12 posted)
LCA: Disintermediating distributions
By Jonathan Corbet
February 6, 2008
One of the mini-confs which happened ahead of linux.conf.au proper was the
"distribution summit," meant to be a place where representatives and users
of all distributions could talk about issues of interest to all. The
highlight of this event, perhaps, was Jeff Waugh's talk on
disintermediating distributions - or, as he rephrased it, "distributed
distributions." If his ideas take hold, they could be the beginning of a
new relationship between free software projects and their users.
It all started, says Jeff, some years ago, when he ran into Mark
Shuttleworth fresh from a visit to Antarctica. Mark's pitch, says Jeff,
"sounded like crack" at the time. By 2003 or so, it just didn't seem like
there was a whole lot of room for a new distribution. But Mark had some
interesting ideas, and Jeff signed on; the result, of course, was Ubuntu.
Ubuntu has clearly had some success, but, in some important ways, it has
failed to work out - at least for Jeff. He found himself distracted by Ubuntu's lack of
participation in Debian, from which it derived its product. There was
a real tension between tracking Debian and tracking upstream projects
more directly. Despite Jeff's insistence that Ubuntu should be tracking
(and pushing updates into) Debian's unstable distribution, Ubuntu often
chose to go with upstream, resulting in what is, in effect, a fork of the
Debian distribution - in terms of both the technology and the community.
What Ubuntu was doing was taking upstream packages, modifying them,
bringing in shiny new features, and generally looking for ways to
differentiate itself from the other distributors. So, for example, the
first Ubuntu release contained a great deal of Project Utopia work (aimed
at making hardware "just work" with Linux) which had been done by
developers from other distributions; Ubuntu shipped it first, though, and
got a lot of credit for it. Novell's behind-closed-doors development of
Xgl was motivated primarily by the wish to keep Ubuntu from shipping it
first. Meanwhile, Red Hat had slowly learned that trying to differentiate
itself by diverging from upstream was a path to pain. So Red Hat's
developers created AIGLX,
in an open, community oriented manner; the result is that AIGLX has proved
to be the winning technology.
Events like these led Jeff to wonder about just where the integration
of packages should be done - upstream or downstream? From Jeff's
(GNOME-based) upstream point of view, he wonders why he doesn't have a
direct relationship with his users. While most projects deliver their code
through middlemen (distributors), there is an example of a project which
has managed to maintain a much more direct relationship: Firefox. Most
Firefox users are direct clients of the project - though most of them are
Windows users. The Firefox trademark has been used to ensure that, even
when distributors are involved, the upstream developers get a say in what
is delivered to users.
So, what happens if you take out the middleman? It's instructive to look
back at what life was like before there were distributors. It was, Jeff
says, much like pigs playing in mud; perhaps they enjoyed it, but it was
messy. There are, in fact, a lot of good things that distributors have
done for us. You can get a fully integrated stack of software from one
source, and the distributor acts, in a way, as the user's advocate toward
the upstream project. We don't want to lose out on all that.
But, if one were to look at facilitating a more direct relationship between
development projects and their users, one would want to take advantage of a
number of maturing technologies. These include:
- OpenID. Any process of distributing distributions must look at
distributed identity, and OpenID is the way to do it.
- DOAP. "Sounds terrible" but it's a useful way of describing a project
with XML. With a DOAP description, a user can find a project's
mailing lists, bug tracker, source repository, etc.
- Atom. This is how projects can distribute information about what they
are doing.
- XMPP. This is a Jabber-based message queueing and presence protocol.
It can be used for more active publishing of information than Atom can
do.
- Distributed revision control. Lots of functionality for integration
between projects, and between upstream and downstream. Jeff sees git
as a step backward, though; some
of the other offerings, he thinks, have much better user interfaces.
Also important are the packaging efforts which are underway in a
number of places. These include Fedora, which is "becoming competitive
with Debian" as a community project. OpenSUSE has put together a build
system which can create packages for a number of distributions. Debian has
had a community build system for years; there is interest in Debian in
going the next step, though - ideas like building packages directly from a
distributed version control system. Ubuntu's Launchpad was "a spectacular
vision," though the reality is "a bit of a snore"; it didn't achieve its
goal of helping upstream and downstream work together.
Then there's Bugzilla, which is the "bug filing gauntlet" between projects
and their users. The Debian bug tracking system has done a better job of
facilitating bug reports by
allowing them to be submitted by email. But most big projects are
using Bugzilla. It would be much improved by using OpenID (so that users
would not have to register to file bugs) and some sort of Atom-based feed
which would make querying bugs easy.
If you take out the distribution, what do you replace it with? How do we
achieve consistency? We need to create standards for how we interact with
each other. And we can, in fact, be very good at consistency and standards
when the need
is clear. Good release management is a step toward that goal. GNOME once
had very bad release management, but has pulled it together. Doing
time-based releases was a hard sell, but few developers would want anything
else now. Now GNOME release management just works.
Consistency in source management is needed. Once upon a time that was done
through CVS, but CVS is no longer up to the job, and now every project is using
a different distributed version control system. But, sooner or later, one
of the competing projects will win out and "hopefully we'll have clarity
again." Autotools and pkgconfig can also go a long way toward creating
consistency between projects.
So, if we can push the available tools up into the upstream projects, those
projects can get better at producing packages for distributions themselves.
Once the tools (like bug trackers) can talk to each other, people will
start making more use of them and network effects will take over. But, at
the moment, the knowledge about integration remains at the distribution
level.
Debian, Jeff thinks, is well placed to take on a project like this
and push its integration knowledge upstream. While Debian has typically
been ten years ahead of everybody else in its packaging and integration
abilities, it currently has a "relevancy problem." Finding ways to help
upstream projects support their users more directly while maintaining
overall integration and consistency would be a perfect way for Debian to
maintain its leadership in this area. That could change the game
for everybody, bringing projects closer to their users and making us all
"happy as pigs in mud."
Comments (149 posted)
linux.conf.au 2008
By Jonathan Corbet
February 6, 2008
linux.conf.au has an interesting structure which differentiates it from
most other events. Every year, a completely new set of organizers takes
over the event, moves it to a new city, and puts its own stamp on it.
They have a great deal of freedom in how they run LCA, but there is still a
group of Linux Australia members and past organizers who keep an eye on
things and help ensure that the event does not run into problems. The
result is a conference which has a lot of fresh energy every year, but
which is also reliably interesting. Many attendees consider it to be one
of the best Linux events to be found anywhere in the world.
This year, LCA was held in Melbourne, Australia; the organizing team was
led by Donna Benjamin. The now-familiar LCA formula was followed, but with
some small changes. The tutorial day is no more, replaced by relatively
short tutorial sessions on each day. The traditional auction for charity
was also gone this year; instead, a raffle (with Greg Kroah-Hartman's 2.6.22 contributor poster as the
main prize) yielded some $1000 for a local penguin refuge. The raffle was
certainly a lower-pressure, less alcohol-fueled way of raising money, but
LCA without Rusty Russell as auctioneer just isn't quite the same. That
quibble notwithstanding, LCA 2008 was an interesting, well-organized, and
well-attended event. Ms. Benjamin and company have certainly upheld the
standards for this conference.
A number of LCA talks have been covered in separate LWN articles, and a few
more may yet follow. This article will quickly review a few other high
points, as seen from your editor's perspective. It's worth noting that
videos for almost all of the talks have been posted on the conference web
site.
Certainly one high point came on January 30, the day that LWN
celebrated its tenth anniversary. The crowd sang a rousing - if not
entirely harmonious - version of "happy birthday" after Bruce Schneier's
keynote. The following morning tea featured special LWN muffins; they
were, much to your editor's delight, of the intense chocolate variety. It
is hard to imagine a better place or time to celebrate ten years of
LWN.
While most LCA presentations are quite technical in nature, there are
exceptions. Australian lawyer Kimberlee Weatherall's talk on legal issues
was called "Stop in the name of law"; it covered a number of topics of
interest to a global audience. Kimberlee, it's worth noting, was the
recipient of the "Rusty Wrench" award for service to the free software
community at last year's LCA in Sydney.
The Digital Millennium Copyright Act, she noted, is ten years old now. At
this point, the debate on its anti-circumvention provisions is essentially
done, and anti-circumvention has won; she is not expecting to see any major
changes in countries which have adopted such laws. The music industry may
be moving away from use of DRM, but "they were never very good at it
anyway." DRM is still going strong in other areas, such as movies and
subscription television.
Similarly, the fight to end software patents is over, and we have lost.
There are incredible numbers of software patents issued every year; every
one of those patents represents a significant investment by its owner. The
total amount of investment in these patents is huge; that amount of money
is almost impossible to displace. It is also very hard to define what a
software patent really is; there are thousands of them in Europe, which
ostensibly does not allow software patents. No matter how the rules are
written, lawyers will find a way around them.
What is happening on the patent front, instead, is a more constructive
engagement with the process. Some reform is happening in the US, as a
result of the KSR decision and various attempts to mitigate the costs
associated with patents. So the situation might improve slowly over time.
GPLv3 is out. It now has to pass two tests: the market test (will projects
use it?) and any legal tests which might be brought. Kimberlee expressed
some doubts on whether GPLv3 will really hold up in court, but did not
elaborate on them.
There is a new threat out there which we should not underestimate: the push
to force copyright enforcement duties onto ISPs. This effort takes two
forms: getting "infringers" disconnected, and requiring ISPs to filter data
passing through their networks. There are a lot of problems with either
approach, but that is not stopping the industry (and others, such as
anti-porn crusaders) from pushing hard for ISP responsibility. This is a
fight to watch.
So what should the free software community do? Not much, says Kimberlee,
except to keep coding. The production of good code brings us allies with
money, and that's what we're going to need. As long as we are successful,
people will go out of their way to protect us. Keep doing what we do, and
things should come out OK.
Anthony Baxter is the Python release manager; he was also the keynote
speaker for the third day of the conference. He is, to say the least, an
entertaining speaker, so this would be a good one to watch on video. The
talk was about coming changes in Python, and Python 3.0 in
particular. The 3.0 release, he says, is "the one where we break all of
your code." It's the first backward-incompatible update of the language
(at least, if you don't deal in C extension modules).
There are a lot of changes to the language which your editor will not
repeat here; they are well documented on the Python web sites. As noted,
many of these changes will cause existing code to break. This is being
done, says Anthony, because the Python language is now 16 years old. Like
all 16-year-olds, it has a number of annoying features. It's time to clean
out a lot of accumulated cruft and get back to the minimal, "there is one
way to do it" vision that has always driven the language.
Perhaps what's most interesting is what won't be done. The language
will not be bloated - it will stay Python. There will be no braces; white
space will still be used to mark blocks of code. The much-criticized
global interpreter lock will remain. And, importantly, this will be an
incremental (if big) update - there will be no overall rewrite of the
interpreter. The experience of certain other projects (being Perl 6
and Mozilla) shows that total rewrites tend to be much longer, more painful
affairs than anybody might envision at the outset.
There will be migration tools, of course, and warnings built into the
forthcoming 2.6 release which will point out things that may cause
migration difficulties. The 2.x series will be supported for some years
into the future. And, says Anthony, there will be no Python 4.0 release.
This is their one chance to break everything and start over, and they plan
to get it right this time.
Dave Jones is the head maintainer for the Fedora kernel. At LCA 2008 he
took a break from pointing out user-space problems and talked about "a day
in the life of a distribution kernel maintainer." The real subject of the
talk was the process that the Fedora project goes through to put together
the kernels they ship.
There are currently three developers working on the Fedora kernel (Dave,
Chuck Ebbert, and Kyle McMartin), and "several dozen" working on the
RHEL kernels. Most of the RHEL folks are doing backports of fixes,
drivers, etc. to the older kernels used by RHEL releases.
Once a kernel has been chosen for release, it's time to start adding
patches. Some interesting numbers were put up at this point. Red Hat
Linux 7 had 70 patches added to its 2.2.24 kernel. That number went
slowly up, to the point where Fedora Core 6 had 191 patches. There
are currently 63 patches added to the Fedora 8 kernel, though that may
grow over the life of this release. By comparison, RHEL 5 is shipping
a 2.6.18 kernel with 1628 patches added to it - a very different world.
There are all kinds of patches which go into a distributor kernel. These
include security technologies (ExecShield) which have not made it into the
mainline, changes to some default parameters, the silencing of certain
"scary messages" which tend to provoke lots of needless bug reports,
out-of-tree drivers, patches which help debug problems found in the field,
stuff which has been vetoed upstream, and more. Then it's a matter of
putting out the package and dealing with the subsequent bug reports - lots of
them.
The closing ceremony included the traditional introduction of the organizer
for next year's event. This event will go, for the first time ever, to
Hobart, Tasmania; see MarchSouth.org
for more information. There is some information on what this team is
planning in the bid
document [1.6MB PDF]; your editor is intrigued by the following:
"The official Speakers' Dinner will be held at a mystery location
south of Hobart following a 40 minute river cruise on a high speed luxury
catamaran." It's never too soon to get that talk proposal
together.
Finally, the last few LCA events have included the passing of the "Rusty
Wrench" award to somebody who has performed a great service to the
community. Recipients so far are Rusty Russell (after whom the award is
named), Pia Waugh, and Kimberlee Weatherall. The Rusty Wrench was not
awarded at LCA2008, though. It seems that, in the future,
the Rusty Wrench will be part of an extensive set of awards which will be
handed out at a separate "gala dinner" event held in the (Australian)
winter. The awarding of the Rusty Wrench was a nice LCA feature which will
be missed, but, then, there are advantages to having another excuse to
visit Australia.
Comments (5 posted)
Page editor: Jake Edge
Security
Security hardening for Debian
By Jake Edge
February 6, 2008
Making the programs in a distribution more resistant to exploits—a
process known as hardening—is a fairly common way to reduce the
attack surface for the distribution. Many distributions have made
an effort in this area, with some adding in an overall security architecture, like
AppArmor for SUSE or SELinux for Red Hat and Fedora distributions.
Debian is currently looking at enabling some hardening features,
potentially throughout a large swath of packages that it distributes. The
features being considered and the concerns raised provide an interesting
look at the tradeoffs.
A posting to
debian-devel-announce regarding hardening features for Lenny started
the conversation. Those packages that are most susceptible—network services, packages that parse files from
untrusted sources, or those that have been the subject of a security
alert—should enable a set of security tools that will help deflect
attacks against them. Various attacks rely upon certain characteristics of
Linux binaries that allow them to be exploited. By altering the way the
binaries are built, those particular threats can be mitigated.
The experimental hardening-wrapper
package makes enabling the various toolchain differences as easy as setting
DEB_BUILD_HARDENING=1 in the environment. This will change
gcc, g++, and ld to use the desired flags when
building packages. Each hardening feature can also be disabled separately
by setting DEB_BUILD_HARDENING_xyzzy=0 (where xyzzy is the name of
a hardening feature) if they cause build or
performance problems for a particular package.
The specific features enabled are described in the original posting as well
as with more detail on the Debian wiki entry for
Hardening. They are:
- using -Wformat to catch printf() family calls that do
not have a string literal for the format string which can lead to problems
if the argument came from an untrusted source and contains format specifiers.
- using -D_FORTIFY_SOURCE to validate glibc calls such as
strcpy() when the buffer sizes are known at compile time, which
can help stop buffer overflow attacks.
- using -fstack-protector to thwart most stack smashing attacks.
- creating Position Independent Executables (PIE) which facilitates using
the Address Space Layout Randomization that is available in some kernels.
This makes it difficult for an attacker to have any knowledge of what the
addresses for the program's sections will look like.
- using ld -z relro to make certain sections read-only
once the dynamic loader has finished relocating the program. This can
thwart attacks that try to overwrite the Global Offset Table (GOT).
Many other distributions have already been down this path: Gentoo
has a page describing their hardened toolchain, Mark Cox of Red Hat has
a detailed look
at the evolution of security features in Red Hat and Fedora releases,
OpenSUSE has a page
about its security features, and so on. There is a price to be paid in
binary size, execution speed, and cache behavior for these techniques, but
for most environments, where resources are not massively constrained, the
cost is worth it. It makes new attacks against those systems more
difficult to design, which will make users and administrators sleep a
little better at night.
Comments (4 posted)
New vulnerabilities
gnatsweb: cross-site scripting
| Package(s): | gnatsweb |
| CVE #(s): | CVE-2007-2808 |
| Created: | February 6, 2008 |
| Updated: | February 6, 2008 |
| Description: | From the Debian advisory: "r0t" discovered that gnatsweb, a web interface to GNU GNATS, did not correctly sanitize the database parameter in the main CGI script. This could allow the injection of arbitrary HTML, or javascript code. |
| Alerts: | |
Comments (none posted)
goffice: multiple vulnerabilities
| Package(s): | goffice |
| CVE #(s): | |
| Created: | January 31, 2008 |
| Updated: | February 6, 2008 |
| Description: | GOffice is vulnerable to buffer overflows and memory corruption in PCRE. If an attacker can convince a user to open specially crafted documents, it may be possible to execute arbitrary code, disclose information or cause a denial of service. |
| Alerts: | |
Comments (none posted)
kazehakase: multiple vulnerabilities
| Package(s): | kazehakase |
| CVE #(s): | |
| Created: | January 31, 2008 |
| Updated: | February 6, 2008 |
| Description: | The kazehakase web browser is vulnerable to buffer overflows and memory corruption in PCRE. If a remote attacker can convince a user to open specially crafted bookmarks, it can lead to the execution of arbitrary code, denial of service or arbitrary information disclosure. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2007-4130, CVE-2007-6694 |
| Created: | February 1, 2008 |
| Updated: | March 6, 2008 |
| Description: | From the Red Hat advisory: A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This may have allowed a local unprivileged user to cause a denial of service (crash). |
| Alerts: | |
Comments (none posted)
pcre: denial of service
| Package(s): | pcre |
| CVE #(s): | CVE-2006-7225, CVE-2006-7226 |
| Created: | February 1, 2008 |
| Updated: | February 6, 2008 |
| Description: | From the CVE entries: Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to cause a denial of service (error or crash) via a regular expression that involves a "malformed POSIX character class", as demonstrated via an invalid character after a [[ sequence. Perl-Compatible Regular Expression (PCRE) library before 6.7 does not properly calculate the compiled memory allocation for regular expressions that involve a quantified "subpattern containing a named recursion or subroutine reference," which allows context-dependent attackers to cause a denial of service (error or crash). |
| Alerts: | |
Comments (1 posted)
rb_libtorrent: stack overflow
| Package(s): | rb_libtorrent |
| CVE #(s): | |
| Created: | February 4, 2008 |
| Updated: | February 6, 2008 |
| Description: | From the Fedora advisory: A potential remote exploit was found in the bdecode_recursive routine that could trigger a stack overflow when passed malformed message data. |
| Alerts: | |
Comments (none posted)
xdg-utils: arbitrary command execution
| Package(s): | xdg-utils |
| CVE #(s): | CVE-2008-0386 |
| Created: | January 31, 2008 |
| Updated: | February 22, 2008 |
| Description: | From the Gentoo alert: Miroslav Lichvar discovered that the "xdg-open" and "xdg-email" shell scripts do not properly sanitize their input before processing it. A remote attacker could entice a user to open a specially crafted link with a vulnerable application using Xdg-Utils (e.g. an email client), resulting in the execution of arbitrary code with the privileges of the user running the application. |
| Alerts: | |
Comments (1 posted)
Updated vulnerabilities
cairo: integer overflow
| Package(s): | Cairo |
| CVE #(s): | CVE-2007-5503 |
| Created: | November 29, 2007 |
| Updated: | February 8, 2008 |
| Description: | Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges. |
| Alerts: | |
Comments (none posted)
MySQL: privilege escalation
| Package(s): | MySQL |
| CVE #(s): | CVE-2007-3781, CVE-2007-5969 |
| Created: | December 11, 2007 |
| Updated: | February 8, 2008 |
| Description: | MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969) MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781) |
| Alerts: | |
Comments (none posted)
Xorg: multiple vulnerabilities
Comments (none posted)
apache2: information disclosure
Package(s): apache
CVE #(s): CVE-2007-1862
Created: June 20, 2007
Updated: February 18, 2008
Description:
From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not
properly copy all levels of header data, which can cause Apache to
return HTTP headers containing previously-used data, which could be
used to obtain potentially sensitive information by unauthorized users."
Comments (2 posted)
apache: multiple vulnerabilities
Package(s): apache
CVE #(s): CVE-2007-3304, CVE-2006-5752
Created: June 27, 2007
Updated: February 18, 2008
Description:
The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with
the server-status page publicly accessible and ExtendedStatus enabled were
vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux
the server-status page is not enabled by default and it is best practice to
not make this publicly available. (CVE-2006-5752)
Comments (1 posted)
apache: cross-site scripting
Package(s): apache
CVE #(s): CVE-2006-3918
Created: August 9, 2006
Updated: February 5, 2008
Description:
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."
Comments (none posted)
apache: several vulnerabilities
Package(s): apache
CVE #(s): CVE-2007-5000, CVE-2007-6388, CVE-2008-0005
Created: January 15, 2008
Updated: March 12, 2008
Description:
A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)
A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which did not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)
Comments (1 posted)
httpd: denial of service, cross-site scripting
Package(s): apache httpd
CVE #(s): CVE-2007-3847, CVE-2007-4465
Created: September 25, 2007
Updated: February 15, 2008
Description:
A flaw was found in the mod_proxy module. On sites where a reverse proxy is
configured, a remote attacker could send a carefully crafted request that
would cause the Apache child process handling that request to crash. On
sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using
the proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-3847)
A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the AddDefaultCharset directive has been removed
from the configuration, a cross-site-scripting attack may be possible
against browsers which do not correctly derive the response character set
following the rules in RFC 2616. (CVE-2007-4465)
Comments (none posted)
apache2: denial of service
Package(s): apache2
CVE #(s): CVE-2007-1863
Created: November 19, 2007
Updated: February 18, 2008
Description:
From the CVE entry:
cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.
Comments (1 posted)
asterisk: possible SQL injection
Package(s): asterisk
CVE #(s): CVE-2007-6170
Created: December 3, 2007
Updated: March 7, 2008
Description:
Tilghman Lesher discovered that the logging engine of Asterisk, a free
software PBX and telephony toolkit, performs insufficient sanitizing of
call-related data, which may lead to SQL injection.
Comments (none posted)
bind: off-by-one error
Package(s): bind
CVE #(s): CVE-2008-0122
Created: January 22, 2008
Updated: March 14, 2008
Description:
Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3,
and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause
a denial of service (crash) and possibly execute arbitrary code via crafted
input that triggers memory corruption.
Comments (none posted)
boost: denial of service
Package(s): boost
CVE #(s): CVE-2008-0171, CVE-2008-0172
Created: January 17, 2008
Updated: March 14, 2008
Description:
From the Ubuntu alert:
Will Drewry and Tavis Ormandy discovered that the boost library
did not properly perform input validation on regular expressions.
An attacker could send a specially crafted regular expression to
an application linked against boost and cause a denial of service
via application crash.
Comments (none posted)
cacti: SQL injection vulnerability
Package(s): cacti
CVE #(s): CVE-2007-6035
Created: November 22, 2007
Updated: February 18, 2008
Description:
Versions of Cacti prior to 0.8.7a have an SQL injection vulnerability.
Remote attackers can execute arbitrary SQL commands via unspecified vectors.
Comments (none posted)
cacti: denial of service
Package(s): cacti
CVE #(s): CVE-2007-3112, CVE-2007-3113
Created: September 18, 2007
Updated: February 18, 2008
Description:
A vulnerability in Cacti 0.8.6i and earlier versions allows remote
authenticated users to cause a denial of service (CPU consumption) via
large values of the graph_start, graph_end, graph_height, or graph_width
parameters.
Comments (none posted)
clamav: denial of service
Package(s): clamav
CVE #(s): CVE-2007-3725
Created: July 24, 2007
Updated: February 27, 2008
Description:
A NULL pointer dereference has been discovered in the RAR VM of Clam
Antivirus (ClamAV) which allows user-assisted remote attackers to
cause a denial of service via specially crafted RAR archives.
Comments (none posted)
clamav: multiple vulnerabilities
Package(s): clamav
CVE #(s): CVE-2007-4510, CVE-2007-4560
Created: September 3, 2007
Updated: February 13, 2008
Description:
Several remote vulnerabilities have been discovered in the Clam anti-virus
toolkit. The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2007-4510:
It was discovered that the RTF and RFC2397 parsers can be tricked
into dereferencing a NULL pointer, resulting in denial of service.
CVE-2007-4560:
It was discovered clamav-milter performs insufficient input
sanitizing, resulting in the execution of arbitrary shell commands.
Comments (none posted)
clamav: integer overflow and off-by-one
Package(s): clamav
CVE #(s): CVE-2007-6335, CVE-2007-6336
Created: December 19, 2007
Updated: February 13, 2008
Description:
ClamAV contains integer overflow and off-by-one errors which could be exploited (via specially-crafted email) to execute arbitrary code.
Comments (none posted)
cups: denial of service
Package(s): cups
CVE #(s): CVE-2007-0720
Created: March 26, 2007
Updated: February 7, 2008
Description:
Previous versions of the cups package could be forced to hang via a client
"partially negotiating" an ssl connection. In this state, cups would not
allow other connections to be made, a denial of service.
Comments (none posted)
cups: buffer overflow
Package(s): cups
CVE #(s): CVE-2007-5848
Created: January 7, 2008
Updated: February 27, 2008
Description:
From the CVE entry:
Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service.
From the rPath advisory:
Previous versions of the cups package contain a buffer-overflow
weakness. It is not believed that this weakness can be exploited
to execute malicious code.
Comments (1 posted)
cups: multiple vulnerabilities
Comments (none posted)
debian-goodies: privilege escalation
Package(s): debian-goodies
CVE #(s): CVE-2007-3912
Created: October 5, 2007
Updated: March 24, 2008
Description:
Thomas de Grenier de Latour discovered that the checkrestart program included
in debian-goodies did not correctly handle shell meta-characters. A local
attacker could exploit this to gain the privileges of the user running
checkrestart.
Comments (none posted)
e2fsprogs: integer overflows
Package(s): e2fsprogs
CVE #(s): CVE-2007-5497
Created: December 7, 2007
Updated: February 12, 2008
Description:
Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs,
ext2 file system utilities and libraries, contained multiple
integer overflows in memory allocations, based on sizes taken directly
from filesystem information. These could result in heap-based
overflows potentially allowing the execution of arbitrary code.
Comments (none posted)
emacs: buffer overflow
Package(s): emacs
CVE #(s): CVE-2007-6109
Created: December 10, 2007
Updated: February 8, 2008
Description:
From the National Vulnerability Database:
Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line.
Comments (none posted)
emacs: command execution via local variables
Package(s): emacs
CVE #(s): CVE-2007-5795
Created: November 14, 2007
Updated: February 5, 2008
Description:
From the original Debian problem report: "In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
function does not behave correctly when `enable-local-variables' is
set to :safe. The documentation of `enable-local-variables' states
that the value :safe means to set only safe variables, as determined
by `safe-local-variable-p' and `risky-local-variable-p' (and the data
driving them), but Emacs ignores this and instead sets all the local
variables." When this setting (which is not the default) is in effect, opening a hostile file could lead to the execution of arbitrary commands.
Comments (1 posted)
evolution: format string error
Package(s): evolution
CVE #(s): CVE-2007-1002
Created: March 27, 2007
Updated: February 27, 2008
Description:
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers.
Comments (1 posted)
exiftags: multiple vulnerabilities
Package(s): exiftags
CVE #(s): CVE-2007-6354, CVE-2007-6355, CVE-2007-6356
Created: December 31, 2007
Updated: April 1, 2008
Description:
From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not
properly sanitized before being processed, resulting in illegal memory
access in the postprop() and other functions (CVE-2007-6354). He also
discovered integer overflow vulnerabilities in the parsetag() and other
functions (CVE-2007-6355) and an infinite recursion in the readifds()
function caused by recursive IFD references (CVE-2007-6356).
Comments (none posted)
firebird: buffer overflow
Package(s): firebird
CVE #(s): CVE-2007-3181
Created: July 2, 2007
Updated: March 27, 2008
Description:
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user.
Comments (none posted)
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2007-3844, CVE-2007-3845
Created: August 1, 2007
Updated: February 20, 2008
Description:
A flaw was discovered in handling of "about:blank" windows used by
addons. A malicious web site could exploit this to modify the contents,
or steal confidential data (such as passwords), of other web pages.
(CVE-2007-3844)
Jesper Johansson discovered that spaces and double-quotes were
not correctly handled when launching external programs. In rare
configurations, after tricking a user into opening a malicious web page,
an attacker could execute helpers with arbitrary arguments with the
user's privileges. (CVE-2007-3845)
Comments (none posted)
firefox: multiple vulnerabilities
Package(s): firefox seamonkey
CVE #(s): CVE-2007-5947, CVE-2007-5959, CVE-2007-5960
Created: November 27, 2007
Updated: March 3, 2008
Description:
A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2007-5959)
A race condition existed when Firefox set the "window.location" property
for a webpage. This flaw could allow a webpage to set an arbitrary Referer
header, which may lead to a Cross-site Request Forgery (CSRF) attack
against websites that rely only on the Referer header for protection.
(CVE-2007-5960)
Comments (1 posted)
firefox, thunderbird, seamonkey: multiple vulnerabilities
Package(s): firefox, thunderbird, seamonkey
CVE #(s): CVE-2007-3738, CVE-2007-3656, CVE-2007-3670, CVE-2007-3285, CVE-2007-3737, CVE-2007-3089, CVE-2007-3736, CVE-2007-3734, CVE-2007-3735
Created: July 18, 2007
Updated: March 31, 2008
Description:
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents. It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute own code or display own content with URL bar and SSL certificate
data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL Protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system, potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler, allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
showed evidence of memory corruption under certain circumstances, and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)