
Reverse engineering: more than NVIDIA deserves?

By Jonathan Corbet
February 18, 2008
Reverse engineering is a longstanding tradition in the free software community. It has often been the only way to get hardware to work when the manufacturer refuses to make documentation available, but there is more to it than that. Some of us, certainly, enjoy the challenge of figuring out how a particular device works. And our sense of freedom tells us that it is our right to understand the hardware which we have purchased and rightfully own. We, as a group, tend not to respond well to those who tell us that reverse engineering a product is not the right thing to do. But, increasingly, your editor is hearing voices within the community which are saying just that.

One of the most prominent reverse engineering projects at the moment is Nouveau, which is starting to have some real success in making NVIDIA graphics adapters work with free software; see this week's Kernel Page for an article on the state of this project. NVIDIA hardware has been a problem for a long time, of course. It is said to be nicely-designed, and it is certainly present in a significant percentage of new machines, but NVIDIA has had no interest in making free drivers (or documentation) available for some years. So the only way for owners of this hardware to use it with reasonable performance under Linux is to use NVIDIA's proprietary kernel module, and that is a price many of us are not willing to pay.

There are currently about eight developers working to make the Nouveau driver better. They have reached a point where their understanding of the hardware and their reverse engineering tools are quite good; that, in turn, is enabling fast progress toward the creation of a working driver. With this kind of developer attention, the Nouveau driver may reach a stable state over the course of the next year, at least for some versions of the hardware. And that, it seems, should be a good thing.

Except for one little issue. NVIDIA's competition in this market is provided mainly by Intel and AMD/ATI. Intel provides free drivers for its hardware as a matter of company policy, and AMD has pushed a much more friendly policy onto ATI since the middle of last year. So free drivers for Intel video adapters come with distributions, and the first ATI drivers are beginning to become available.

One rather perverse result of this situation is that there are almost no community developers working on the Intel drivers at all. The development and maintenance of those drivers is an expense carried by Intel alone. One could argue that the lack of hardware documentation from Intel has made it hard for other developers to participate; Intel is now beginning to address that problem by burying the community in comprehensive, Creative Commons-licensed hardware programming manuals. It will be interesting to see how much more community help Intel gets as a result of its documentation release.

ATI, which has not, to date, provided working, free drivers, is arguably getting more help from the community and, especially, from distributors who have an interest in working drivers. But that company, too, is putting in resources of its own toward that goal.

NVIDIA, instead, is giving us nothing - and, in return, we are giving it an eight-person development team dedicated to the production of free drivers for its hardware. Once Nouveau is in a working state, Linux users will be able to buy NVIDIA hardware in the knowledge that it will simply work without requiring them to download and use binary-only kernel modules. The result of that can only be higher sales for NVIDIA.

While talking to developers at linux.conf.au, your editor heard a number of them say that NVIDIA does not deserve a gift of this magnitude from the community. We are now quite close to having free support for video hardware at all performance levels, supplied by friendly companies. Rather than penalize those companies by making a free gift to their biggest competitor, some say, shouldn't NVIDIA be made to pay for its behavior by exclusion from our community until it comes around?

There is a point here. The biggest lever we have when talking with hardware companies (or any company, for that matter) is money. Companies which see themselves as missing out on the Linux market will find a strong incentive to change their behavior. So if NVIDIA finds that system resellers are not using its chipsets for Linux-based systems, it will have to reconsider its position with regard to free drivers.

In the past, there was no credible alternative to NVIDIA, so the company had no real reason to fear that it could lose money as a result of its uncooperative behavior. Now there are well-supported alternatives at the lower end of the market, and the prospect of the same for high-end graphics as well. So there will be no need to buy hardware from this particular vendor, and, since the alternatives will be well supported, every reason to buy from somebody else.

Unless NVIDIA's hardware, too, is made to work via a community-supported driver. Should this happen, one could well say that we, as a community, have taken a prize away from companies which have treated us well and handed it to their competitor (which has not). Arguably, the community should not pursue the creation of reverse-engineered drivers in situations where competing vendors are playing by our rules. Otherwise, we are sending a rather conflicted message to both types of companies. It may really be true that, in the long run, the Nouveau driver is harmful to our real interests.

All of this discussion may be moot. There's no way that any of us could keep others from reverse-engineering their hardware and writing drivers, even if we wanted to. Anybody arguing against the mainline inclusion of a GPL-licensed driver for popular hardware is likely to end up in a minority position, to say the least. So, as a community, we cannot make a collective decision to stop this kind of development. But, as individual developers, we may occasionally want to give a moment's thought to the question of whether our activities are truly beneficial in the long run.

Directions in UMPC-land

By Jake Edge
February 20, 2008

It is an exciting time for Linux users who are interested in ultra-mobile PCs (UMPCs). New models are being announced frequently with many—dare we say most?—coming with at least the option to have Linux pre-installed. The low-cost models probably require Linux in order to make their price point, but even higher-end UMPCs seem to be made with Linux firmly in mind. In many ways, the One Laptop Per Child (OLPC) project has driven the demand for low-cost machines for adults as well.

Commercial offerings from ASUS (Eee PC), Everex (Cloudbook), Elonex (One), along with a rumored UMPC from HP are giving both the OLPC and Intel's ClassmatePC some competition. Add in Nokia's N810 and you have a half-dozen very mobile solutions featuring Linux—though the ClassmatePC seems to be more geared towards Windows XP. None of them has quite the right set of features to be the ultimate UMPC, but we seem to be headed in the right direction, so it is worth contemplating what that machine might look like.

Battery life is the Achilles heel of mobile devices; some kind of breakthrough in power consumption or energy storage needs to happen for big strides to be made in this area. Because of weight considerations, today's UMPCs tend to have small batteries and three hours or less of battery life. Something on the order of twelve hours—with a measurement in days being the real goal—is more like what is needed. Perhaps some kind of human-powered or alternative charging mechanism can play a role. It is probably the biggest challenge to reaching something approaching an ultimate device.

Part of the reason that battery life is so low is because of how much power the display consumes. With rotating media on its way out (at least for these kinds of devices), the display is one of the areas where power savings would be felt most strongly. The E-Ink displays, such as those used by the newer e-book readers, have some great properties in terms of power consumption, but the speed at which they update makes them undesirable for general computer use. Many of us spend a fair amount of time looking at a static screen for several to many seconds at a time. Web pages or e-books might be candidates for using E-Ink, perhaps, but not Wesnoth or typing a document.

Perhaps a dual-mode screen that combined an LED and E-Ink display could blend the best of both. OLPC has an innovative display with many of the characteristics needed, which can also be viewed in sunlit conditions. Former OLPC CTO Mary Lou Jepsen's startup is licensing the XO display technology, so we may see it in a UMPC before too long.

The size of the display will likely need to be larger than today's offerings as well. That will be a balancing act between size, weight, and cost which will be interesting to see play out. A touchscreen is another feature that will be necessary as the display should be usable separate from the keyboard. Some way of transforming a small laptop into a tablet PC and e-book reader would be very desirable, with bonus points awarded if that transformation is fast and seamless.

A full-sized, or nearly full-sized, keyboard is also a necessity. Too much of the work that we do involves words and numbers that need to be input. If this device is to become an integral part of a day-to-day routine, thumb or child-sized keyboards just won't cut it.

Wifi and wired connectivity are obvious, while Bluetooth would seem to be a good addition to provide internet via cell phone. Some might want to integrate actual cell phone functionality into the device itself—to avoid the multiple device hassle. Given that the size of a UMPC won't ever reach that of a cell phone, that seems like a stretch, but for those who want it, an optional feature seems like the way to provide that.

Like the OLPC, the device should be ruggedized, able to withstand reasonable amounts of abuse without much more than a case scratch. This is another area where flash disks will help as there won't be the threat of losing data when the disk heads suffer rapid deceleration. The price per gigabyte for solid-state drives will drop to the point where a few hundred GB will be possible at a reasonable price. Carrying around one's favorite music as FLACs, rather than in some lossy format, should be possible.

A fairly modest and power-friendly processor with a GB or two of RAM should round out the basics of the hardware. The device will run Linux, of course, and might have a few other peripherals: camera, microphone, speakers, etc. All should be available for $500-700, at least in a very functional low-end configuration. When might we see such a device? Two to three years seems quite likely, certainly before five years have passed. When it's ready, please send one to LWN for review in care of the author.

SCO to continue the fight?

By Jake Edge
February 15, 2008

Just as it seemed the SCO saga was drawing to a close, a new player, with up to $100 million to risk, has come on the scene. Stephen Norris Capital Partners (SNCP) has made an offer to take SCO private while providing a line of credit to allow the company to continue its operations. If the bankruptcy court in Delaware agrees to the plan—which is not a foregone conclusion—SCO and its various legal cases could be with us for a long time to come.

SNCP will put up $5 million in cash to essentially purchase between 51 and 85% of SCO; the exact percentage is dependent upon how much of the $95 million credit line is used to pay off Novell and/or IBM. If there is no payment, because SCO eventually wins those cases, SNCP will get 51%. If the payment is over $30 million, SNCP gets 85%; in between those two, the percentage of ownership will be pro-rated between the two. The actual transaction would issue "Series A Preferred" stock to SNCP (and its investors), which would be convertible into SCO "New Common Stock"; the current common stockholders would see their shares "extinguished" and a trust established for them. This deal would take SCO private, no longer publicly traded nor subject to SEC reporting requirements.

Under the proposed agreement, the credit line has an interest rate of the London Interbank Offered Rate (LIBOR) plus "1700 basis points"—17% for those without a high-finance background—which currently works out to be around 20%. This is clearly not cheap money, but it does provide a rather large war chest for SCO to continue the fight. The Memorandum of Understanding (MOU) [PDF] makes it clear that interest payments are part of what the line of credit is supposed to pay for:

The purpose of the loan is to provide funds for (i) working capital for SCO following its emergence from bankruptcy, (ii) to pay interest when due under the Debt Financing, and (iii) to support the prosecution of the Reorganized Debtor's Litigation Claims, including providing letters of credit or other financial arrangements adequate to support any required appellate bonds (in which event the Reorganized SCO shall pay the reasonable letter of credit fees and expenses), and to effect payment of any final award against the Reorganized Debtor).

SCO's bombastic CEO, Darl McBride, will be required to resign as a condition of the deal. The Series A stockholders would be entitled to elect four of the seven board members, ensuring that they control the day-to-day direction of the company. The CEO would hold another seat, as would an "outside executive with suitable industry expertise." The remaining seat would be open to anyone and voted on by the current common stockholders.

What do the current stockholders get from this deal? Not much in the short term, as the MOU would set up a trust with $2 million (from the $5 million cash investment) to be distributed amongst the current stockholders. The current common stock would be "extinguished" and the trust would hold "New Common Stock" equivalent to the 15-49% left over based on the amount of the credit line used. Shareholders would get a pro-rata interest in the trust based on their current percentage of ownership. Based on 22 million outstanding shares, the distribution will amount to around $0.09 per share.

Since SCO sued IBM in March 2003, most of the stock speculation has been based on some kind of monetary settlement from IBM. Investors in SCO since that time have essentially been betting on that outcome; the new arrangement still allows the current stockholders to hold onto their litigation lottery ticket. Any settlement money that comes to SCO as a result of the Novell and IBM cases would be paid to the trust in the percentage of ownership of the company that it holds (i.e. 15-49%). At that time, the trust would also get its percentage of four times the previous year's earnings. These would then be distributed to the members of the trust.

It's a fairly complicated deal, and this just covers the high points; the curious are directed to the MOU itself. It is a bit premature to proclaim that SCO is going private or getting $100 million, as some in the press have done. The bankruptcy court will have its say; Novell may have an objection or two as well, though, as things currently stand, they would be the likely beneficiary of some substantial part of the line of credit. We may get a read on how confident Novell is based on what, if any, objections they raise.

It is hard to imagine that SNCP thinks SCO's business prospects are such that a large financial commitment is warranted. This is very clearly an attempt to wring money out of the current litigation—and perhaps start additional lawsuits. It is interesting to note that in addition to the Novell and IBM lawsuits, the MOU specifically mentions the Autozone case. There is speculation that the idea of a "Linux tax" on users is an outcome that SNCP and its investors covet.

The question is, does SNCP truly believe that the claims made by SCO—without much in the way of supporting evidence so far—are likely to succeed on their merits? Or do they think that providing enough incentive—in the form of a further protracted legal battle—might cause someone to settle? The IBM case has been dragging on for almost five years now. With the kind of money SCO would have at its disposal if this deal goes through, dragging it out for another five does not seem implausible. At some point IBM or Novell may tire of the whole thing and try to cut some kind of deal. One hopes not, but that may be exactly what SNCP is betting on. The other side of that coin is that if that doesn't happen, we may well get a real hearing on some of IBM's counterclaims, in particular the GPL-infringement claims. That could be very interesting to watch.

Page editor: Jake Edge

Security

The dangers of weak random numbers

By Jake Edge
February 20, 2008

Amit Klein has been looking into pseudo-random number generators (PRNGs) again. He has found a number of problems in the algorithms that make it easier to guess the next number generated. Much like his earlier work on the Berkeley Internet Name Daemon (BIND), Klein found that with a small amount of traffic, predicting the next DNS transaction ID or IP fragmentation ID is possible. Anything that uses random numbers for security purposes—as opposed to, say, choosing which fortune to deliver—needs to ensure that its random numbers are cryptographically strong.

In his report, Klein looks at a specific algorithm that has been implemented, with slight variations, in multiple places. It was introduced into OpenBSD in 1997 to randomize two 16-bit IDs to protect against predictability. Prior to that, both DNS transaction IDs and IP fragmentation IDs were essentially just incrementing counters. Various attacks, like idle scanning and DNS cache poisoning, were possible because those IDs could be predicted.

The OpenBSD PRNG algorithm was then used in their BIND 9 implementation, replacing the solution that Internet Systems Consortium (ISC)—maintainer of BIND—had used. ISC added a random number for the 16-bit DNS transaction ID, instead of an incrementing counter, as part of BIND 9. Klein's earlier work found problems with that PRNG—avoided by the OpenBSD version—leading to a certain amount of smugness on the part of the OpenBSD folks.

It is clear that the OpenBSD algorithm is better than the one ISC introduced in BIND 9, but Klein was still able to find ways to break it. The method requires much more computation than was needed to crack BIND 9 transaction IDs, roughly six minutes of computation on a fairly high-end processor. Klein presents various ideas to parallelize the algorithm for multi-core or multi-processor computation that could bring that number way down. So, there is no working exploit available, but it is well within reach; a determined attacker could make use of the techniques to poison the cache of OpenBSD servers.

In addition, Klein found ways to exploit the IP fragmentation ID predictability to do idle scanning, host operating system fingerprinting, and other kinds of information leaks; it may also be possible to inject an attacker-controlled packet into a TCP/IP connection, known as blind data injection. The belief in the strength of the OpenBSD PRNG made it an attractive option for others in the BSD family to adopt. NetBSD, FreeBSD, and DragonFly BSD all adopted a variant of the algorithm for the IP fragmentation ID, as did the FreeBSD-derived Mac OS X.

It should be noted that only OpenBSD and Mac OS X enable the fragmentation ID randomization by default; the others have a setting for it, but their default behavior is sequential IDs (i.e. id++), which is clearly even easier to predict. The security team for each of the OSes had a fairly predictable response, with one notable exception. NetBSD, FreeBSD, and DragonFly BSD all changed the PRNG algorithm for less predictability; Apple claimed to be working on the problem but could not provide a timeline for a fix.

The exceptional response came from OpenBSD, who are "completely uninterested in the problem," according to an email from the OpenBSD coordinator (presumably Theo de Raadt) that Klein quotes. The email goes on to say that the problem is "completely irrelevant in the real world." This kind of bluster is surprising from the OS that prides itself on security; it was, after all, the first to introduce randomization of these IDs. It may be that exploiting the predictability is hard to do, but Klein's techniques clearly reduce the search space drastically, which is not what you want from a PRNG. The other BSDs found it important enough to change; what does OpenBSD know that they don't?

It would be foolish for Linux users to write this off as a "BSD problem"—though the random numbers used for IP fragmentation IDs by Linux are considered to be cryptographically strong—because there very well may be problems elsewhere in Linux or the applications that are typically run on it. We are not immune to making mistakes, so all uses of random numbers should be scrutinized. New development needs to remember these lessons of the past as well, so that we can avoid this kind of problem in the future.
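As an added example (not code from the article, nor from any of the BSD or BIND implementations it discusses), here is a small Python check a defender can run over a captured sequence of 16-bit DNS transaction IDs or IP fragmentation IDs to tell the sequential id++ behaviour apart from a randomized generator; the "small-step" sample generator and the classification thresholds are constructed for illustration only.

```python
"""Predictability check for captured 16-bit protocol IDs (DNS transaction IDs,
IP fragmentation IDs).  Added example; the thresholds and the sample
generators below are constructed, not taken from the article or any OS."""
import os
from collections import Counter
from math import log2

ID_BITS = 16
ID_SPACE = 1 << ID_BITS


def deltas(ids):
    """Successive differences modulo 2^16: the quantity someone trying to
    guess the next ID actually cares about."""
    return [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]


def sequential_fraction(ids):
    """Fraction of steps that are exactly +1, i.e. the id++ pattern."""
    d = deltas(ids)
    return sum(1 for x in d if x == 1) / len(d) if d else 0.0


def delta_entropy_bits(ids):
    """Shannon entropy (bits) of the delta distribution.  id++ gives 0.
    With n samples the best possible value is log2(n-1), so this is a
    sample-size-limited lower bound, not the generator's true entropy."""
    d = deltas(ids)
    if not d:
        return 0.0
    n = len(d)
    return -sum(c / n * log2(c / n) for c in Counter(d).values())


def classify(ids, min_samples=64):
    """Return 'sequential', 'weak' or 'no obvious pattern'.

    A strong generator's deltas over a few hundred samples are almost all
    distinct, so their entropy sits near log2(n-1); a generator whose
    deltas repeat falls well below that.  The 0.9 and 0.75 thresholds are
    constructed heuristics for this example."""
    if len(ids) < min_samples:
        raise ValueError("need at least %d IDs" % min_samples)
    if sequential_fraction(ids) > 0.9:
        return "sequential"
    if delta_entropy_bits(ids) < 0.75 * log2(len(ids) - 1):
        return "weak"
    return "no obvious pattern"


# --- constructed sample generators, used only to exercise the check ---

def sequential_ids(start, n):
    """The id++ behaviour the article describes as the non-OpenBSD default."""
    return [(start + i) % ID_SPACE for i in range(n)]


def small_step_ids(start, n, max_step=16):
    """A deliberately weak generator: random step of 1..max_step.  It stands
    in for 'randomized but guessable'; it is not any real OS's algorithm."""
    ids, cur = [], start
    for _ in range(n):
        step = 1 + int.from_bytes(os.urandom(1), "big") % max_step
        cur = (cur + step) % ID_SPACE
        ids.append(cur)
    return ids


def strong_ids(n):
    """IDs drawn from the OS CSPRNG, the kind of source security-relevant
    IDs need (os.urandom / secrets, never the random module)."""
    return [int.from_bytes(os.urandom(2), "big") for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("id++", sequential_ids(4660, 256)),
                         ("small-step", small_step_ids(4660, 256)),
                         ("CSPRNG", strong_ids(256))):
        print("%-10s %-18s entropy=%.2f bits  +1 steps=%.0f%%" % (
            name, classify(sample), delta_entropy_bits(sample),
            100 * sequential_fraction(sample)))
```

A "no obvious pattern" verdict only means this crude statistic found nothing: the OpenBSD generator Klein attacked would pass it, so treat it as a first-pass sanity check on a deployment's defaults, not as evidence of cryptographic strength.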

New vulnerabilities

acroread: multiple vulnerabilities

Package(s): acroread
CVE #(s): CVE-2008-0655 CVE-2008-0667 CVE-2008-0726
Created: February 18, 2008
Updated: March 3, 2008
Description:

From the SUSE advisory:

CVE-2008-0655: Multiple unspecified vulnerabilities in Adobe Reader and Acrobat before 8.1.2 have unknown impact and attack vectors.

CVE-2008-0667: The DOC.print function in the Adobe JavaScript API, as used by Adobe Acrobat and Reader before 8.1.2, allows remote attackers to configure silent non-interactive printing, and trigger the printing of an arbitrary number of copies of a document.

CVE-2008-0726: Integer overflow in Adobe Reader and Acrobat 8.1.1 and earlier allows remote attackers to execute arbitrary code via crafted arguments to the printSepsWithParams, which triggers memory corruption.

Alerts:
SuSE SUSE-SA:2008:009 2008-02-18
Red Hat RHSA-2008:0144-01 2008-02-22
Gentoo 200803-01:04 2008-03-02

clamav: arbitrary file overwrite

Package(s): clamav
CVE #(s): CVE-2007-6595
Created: February 18, 2008
Updated: April 24, 2008
Description:

From the CVE entry: ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.

Alerts:
Debian DSA-1497-1 2008-02-16
Mandriva MDVSA-2008:088 2007-04-17
SuSE SUSE-SA:2008:024 2008-04-24

libimager-perl: buffer overflow

Package(s): libimager-perl
CVE #(s): CVE-2007-2459
Created: February 20, 2008
Updated: February 20, 2008
Description: A buffer overflow in the read_4bit_bmp function in bmp.c in Imager 0.56 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via 4-bit/pixel BMP files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Alerts:
Debian DSA-1498-1 2008-02-19

pcre: buffer overflow

Package(s): pcre
CVE #(s): CVE-2008-0674
Created: February 19, 2008
Updated: March 18, 2008
Description: A buffer overflow caused by a character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode) may affect usages of pcre, when regular expressions from untrusted sources are compiled.
Alerts:
Fedora FEDORA-2008-1783 2008-02-19
Debian DSA-1499-1 2008-02-19
Ubuntu USN-581-1 2008-02-21
SuSE SUSE-SR:2008:004 2008-02-22
Mandriva MDVSA-2008:053 2007-02-28
rPath rPSA-2008-0086-1 2008-02-28
Fedora FEDORA-2008-1842 2008-03-06
Gentoo 200803-24:02 2008-03-17

php: regression in PHP 4.4.7

Package(s): php
CVE #(s):
Created: February 20, 2008
Updated: February 20, 2008
Description: PHP 4 has a GD related bug in version 4.4.7. This has been fixed in PHP5 and is fixed in PHP 4.4.8.
Alerts:
Slackware SSA:2008-045-03 2008-02-15

Updated vulnerabilities

cairo: integer overflow

Package(s): Cairo
CVE #(s): CVE-2007-5503
Created: November 29, 2007
Updated: April 10, 2008
Description: Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges.
Alerts:
Red Hat RHSA-2007:1078-02 2007-11-29
Slackware SSA:2007-337-01 2007-12-04
Ubuntu USN-550-1 2007-12-03
Gentoo 200712-04 2007-12-09
Ubuntu USN-550-2 2007-12-10
Ubuntu USN-550-3 2007-12-13
rPath rPSA-2008-0015-1 2008-01-15
Fedora FEDORA-2007-3818 2008-01-16
Mandriva MDVSA-2008:019 2007-01-21
SuSE SUSE-SR:2008:003 2008-02-07
Debian DSA-1542-1 2008-04-09

Doomsday: multiple vulnerabilities

Package(s): Doomsday
CVE #(s): CVE-2007-4642 CVE-2007-4643 CVE-2007-4644
Created: February 7, 2008
Updated: February 13, 2008
Description: From the Gentoo alert:

Luigi Auriemma discovered multiple buffer overflows in the D_NetPlayerEvent() function, the Msg_Write() function and the NetSv_ReadCommands() function. He also discovered errors when handling chat messages that are not NULL-terminated (CVE-2007-4642) or contain a short data length, triggering an integer underflow (CVE-2007-4643). Furthermore a format string vulnerability was discovered in the Cl_GetPackets() function when processing PSV_CONSOLE_TEXT messages (CVE-2007-4644).

This vulnerability can be used for the execution of arbitrary code or to create a denial of service.

Alerts:
Gentoo 200802-02 2008-02-06

MySQL: privilege escalation

Package(s): MySQL
CVE #(s): CVE-2007-3781 CVE-2007-5969
Created: December 11, 2007
Updated: April 7, 2008
Description: MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)

MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)

Alerts:
Mandriva MDKSA-2007:243 2007-12-10
Red Hat RHSA-2007:1155-01 2007-12-18
Fedora FEDORA-2007-4471 2007-12-15
Fedora FEDORA-2007-4465 2007-12-15
Red Hat RHSA-2007:1157-01 2007-12-19
Ubuntu USN-559-1 2007-12-21
Debian DSA-1451-1 2008-01-06
rPath rPSA-2008-0018-1 2008-01-17
SuSE SUSE-SR:2008:003 2008-02-07
Gentoo 200804-04 2008-04-06

SDL_image: buffer overflows

Package(s): SDL_image
CVE #(s): CVE-2007-6697 CVE-2008-0544
Created: February 8, 2008
Updated: March 27, 2008
Description: From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
Alerts:
Mandriva MDVSA-2008:040 2007-02-07
Debian DSA-1493-1 2008-02-10
rPath rPSA-2008-0061-1 2008-02-13
Debian DSA-1493-2 2008-03-16
Ubuntu USN-595-1 2008-03-26

Sun JDK/JRE: multiple vulnerabilities

Package(s): Sun JDK/JRE
CVE #(s): CVE-2007-2435 CVE-2007-2788 CVE-2007-2789
Created: June 1, 2007
Updated: April 18, 2008
Description: An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files.
Alerts:
Gentoo 200705-23 2007-05-31
Gentoo 200706-08 2007-06-26
SuSE SUSE-SA:2007:045 2007-07-18
Red Hat RHSA-2007:0817-01 2007-08-06
Red Hat RHSA-2007:1086-01 2007-12-12
Gentoo 200804-20 2008-04-17

Xorg: multiple vulnerabilities

Package(s): Xorg
CVE #(s): CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006
Created: January 17, 2008
Updated: April 4, 2008
Description: From the X.org security advisory: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows.
Alerts:
SuSE SUSE-SA:2008:003 2008-01-17
Debian DSA-1466-1 2008-01-17
Red Hat RHSA-2008:0030-01 2008-01-17
Red Hat RHSA-2008:0031-01 2008-01-17
Red Hat RHSA-2008:0064-01 2008-01-17
Red Hat RHSA-2008:0029-01 2008-01-18
Ubuntu USN-571-1 2008-01-18
Debian DSA-1466-2 2008-01-19
Gentoo 200801-09 2008-01-20
Ubuntu USN-571-2 2008-01-19
Debian DSA-1466-3 2008-01-21
Fedora FEDORA-2008-0760 2008-01-22
Fedora FEDORA-2008-0794 2008-01-22
Fedora FEDORA-2008-0831 2008-01-22
Fedora FEDORA-2008-0891 2008-01-22
Mandriva MDVSA-2008:021 2008-01-23
Mandriva MDVSA-2008:022 2008-01-23
Mandriva MDVSA-2008:023 2007-01-23
Mandriva MDVSA-2008:024 2007-01-23
Mandriva MDVSA-2008:025 2007-01-23
rPath rPSA-2008-0032-1 2008-01-30
SuSE SUSE-SR:2008:003 2008-02-07
Gentoo GLSA 200801-09:03 2008-01-20
SuSE SUSE-SR:2008:008 2008-04-04

apache2: information disclosure

Package(s): apache
CVE #(s): CVE-2007-1862
Created: June 20, 2007
Updated: February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Mandriva MDKSA-2007:127 2007-06-19
Fedora FEDORA-2007-0704 2007-06-26
Fedora FEDORA-2008-1711 2008-02-15

apache: multiple vulnerabilities

Package(s): apache
CVE #(s): CVE-2007-3304 CVE-2006-5752
Created: June 27, 2007
Updated: February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Red Hat RHSA-2007:0532-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0556-01 2007-06-26
rPath rPSA-2007-0136-1 2007-06-27
Fedora FEDORA-2007-617 2007-07-02
Mandriva MDKSA-2007:140 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:142 2007-07-04
Fedora FEDORA-2007-615 2007-07-12
Red Hat RHSA-2007:0557-01 2007-07-13
Red Hat RHSA-2007:0662-01 2007-07-13
Ubuntu USN-499-1 2007-08-16
rPath rPSA-2007-0182-1 2007-09-14
Fedora FEDORA-2007-2214 2007-09-18
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2008-1711 2008-02-15

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
Red Hat RHSA-2006:0618-01 2006-08-08
Red Hat RHSA-2006:0619-01 2006-08-10
Debian DSA-1167-1 2006-09-04
SuSE SUSE-SA:2006:051 2006-09-08
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2008:021 2008-04-04

Comments (none posted)

apache: several vulnerabilities

Package(s):apache CVE #(s):CVE-2007-5000 CVE-2007-6388 CVE-2008-0005
Created:January 15, 2008 Updated:April 4, 2008
Description: A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000)

A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005)

Alerts:
Red Hat RHSA-2008:0004-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0007-01 2008-01-15
Red Hat RHSA-2008:0008-01 2008-01-15
Mandriva MDVSA-2008:014 2008-01-16
Mandriva MDVSA-2008:015 2008-01-16
Mandriva MDVSA-2008:016 2008-01-16
Red Hat RHSA-2008:0009-01 2008-01-21
Ubuntu USN-575-1 2008-02-04
Slackware SSA:2008-045-01 2008-02-15
Slackware SSA:2008-045-02 2008-02-15
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2008-1695 2008-02-15
Gentoo 200803-19 2008-03-11
SuSE SUSE-SA:2008:021 2008-04-04

Comments (1 posted)

httpd: denial of service, cross-site scripting

Package(s):apache httpd CVE #(s):CVE-2007-3847 CVE-2007-4465
Created:September 25, 2007 Updated:February 15, 2008
Description: A flaw was found in the mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465)
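The exposure conditions named in this entry and in the two mod_status entries above (CVE-2006-5752, CVE-2007-6388) are all configuration state: a server-status handler reachable by anyone, ExtendedStatus turned on for it, and AddDefaultCharset removed so the browser guesses the charset of an index or error page. The updates fix the XSS bugs themselves; the following Python check, added here as an example and not code from Apache or from any of the advisories, reads an httpd.conf and reports those conditions. The two embedded configurations are constructed for the demonstration, and the access-control idioms it recognizes (2.2-style Order/Deny/Allow, 2.4-style Require) are the ones the author assumes a site would use.

```python
import re
from typing import List

# Constructed sample: the weak configuration the advisories describe.
WEAK_CONF = """\
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>
"""

# Constructed sample: status limited to localhost, extended status off,
# default charset restored.
HARDENED_CONF = """\
ExtendedStatus Off
AddDefaultCharset UTF-8
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

_OPEN = re.compile(r"^\s*<(Location|LocationMatch|Directory|Files)\b[^>]*>", re.I)
_CLOSE = re.compile(r"^\s*</(Location|LocationMatch|Directory|Files)>", re.I)


def _restricts_access(block: List[str]) -> bool:
    """True if the container limits who may reach the handler: the 2.2
    mod_authz_host idiom (Deny from all + Allow from ...), or a 2.4 Require
    other than 'all granted'."""
    text = " ".join(line.strip().lower() for line in block)
    deny_allow = "deny from all" in text and "allow from" in text
    require = re.search(r"\brequire\s+(ip|local|host|valid-user|user|group|all denied)\b", text)
    return bool(deny_allow or require)


def audit_httpd_conf(conf: str) -> List[str]:
    """Return a list of findings; an empty list means none of the named
    exposure conditions is present."""
    findings = []
    lines = conf.splitlines()
    extended = any(re.match(r"^\s*ExtendedStatus\s+On\b", l, re.I) for l in lines)
    # AddDefaultCharset with any value other than Off counts as set.
    has_charset = any(re.match(r"^\s*AddDefaultCharset\s+(?!Off\b)\S+", l, re.I)
                      for l in lines)
    i = 0
    while i < len(lines):
        if _OPEN.match(lines[i]):
            start = i
            i += 1
            while i < len(lines) and not _CLOSE.match(lines[i]):
                i += 1
            block = lines[start:i + 1]
            if any(re.match(r"^\s*SetHandler\s+server-status\b", l, re.I) for l in block):
                if not _restricts_access(block):
                    findings.append("server-status reachable by anyone "
                                    "(CVE-2006-5752 / CVE-2007-6388 exposure)")
                    if extended:
                        findings.append("ExtendedStatus On with a public server-status page")
        i += 1
    if not has_charset:
        findings.append("no AddDefaultCharset: browsers may sniff the charset of "
                        "index and error pages (CVE-2007-4465 class)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_httpd_conf(conf) or ["ok"])
```

The check is deliberately line-oriented and does not follow Include directives or merge per-directory overrides; on a real server, confirm with `apachectl -S` and a request for /server-status from an outside address.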

Alerts:
Fedora FEDORA-2007-707 2007-09-24
Red Hat RHSA-2007:0911-01 2007-10-25
Red Hat RHSA-2007:0746-04 2007-11-07
Gentoo 200711-06 2007-11-07
Red Hat RHSA-2007:0747-02 2007-11-15
SuSE SUSE-SA:2007:061 2007-11-19
Mandriva MDKSA-2007:235 2007-12-03
Red Hat RHSA-2008:0004-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0008-01 2008-01-15
Ubuntu USN-575-1 2008-02-04
Slackware SSA:2008-045-02 2008-02-15

Comments (none posted)

apache2: denial of service

Package(s):apache2 CVE #(s):CVE-2007-1863
Created:November 19, 2007 Updated:February 18, 2008
Description:

From the CVE entry:

cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child process crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.
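The bug class here is a directive that normally carries a value (max-age=600) arriving as a bare token (max-age), with the parser assuming the value is always present. As an added example, not Apache's code, the following Python parser tokenizes a Cache-Control header the way RFC 2616 defines it (token, optional =value, comma-separated) and treats a missing or empty value as absent rather than dereferencing it. The sample headers in the test are constructed.

```python
import re
from typing import Dict, Optional

# Directives RFC 2616 defines with a delta-seconds argument. max-stale may
# legitimately appear bare; the others normally carry a number.
NUMERIC_DIRECTIVES = {"max-age", "s-maxage", "min-fresh", "max-stale"}

# directive = token [ "=" ( token | quoted-string ) ], comma-separated.
_DIRECTIVE = re.compile(
    r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)'           # directive name
    r'(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]*))?'      # optional value
    r'\s*(?:,|$)'
)


def parse_cache_control(header: str) -> Dict[str, Optional[str]]:
    """Return {directive: value or None}. Never raises on malformed input:
    unparseable text is skipped up to the next comma."""
    out: Dict[str, Optional[str]] = {}
    pos = 0
    while pos < len(header):
        m = _DIRECTIVE.match(header, pos)
        if not m:
            nxt = header.find(",", pos)
            pos = len(header) if nxt < 0 else nxt + 1
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]
        if value == "":
            value = None          # "max-age=" is treated like a bare "max-age"
        out[name] = value
        pos = m.end()
    return out


def delta_seconds(directives: Dict[str, Optional[str]], name: str) -> Optional[int]:
    """Numeric value of a directive, or None when it is absent, bare, or not
    a non-negative integer. A bare 'max-age' is the CVE-2007-1863 trigger;
    here it simply yields None and the caller falls back to its default."""
    value = directives.get(name)
    if value is None or not value.isdigit():
        return None
    return int(value)


if __name__ == "__main__":
    d = parse_cache_control("max-age")
    print(d, delta_seconds(d, "max-age"))
```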

Alerts:
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2008-1711 2008-02-15

Comments (1 posted)

asterisk: possible SQL injection

Package(s):asterisk CVE #(s):CVE-2007-6170
Created:December 3, 2007 Updated:April 15, 2008
Description: Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection.
Alerts:
Debian DSA-1417-1 2007-12-02
SuSE SUSE-SR:2008:005 2008-03-06
Gentoo 200804-13 2008-04-14

Comments (none posted)

bind: off-by-one error

Package(s):bind CVE #(s):CVE-2008-0122
Created:January 22, 2008 Updated:March 14, 2008
Description: From the CVE entry: "Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption." The same inet_network() implementation is carried in ISC BIND's libbind, which is the copy the bind updates below fix.
Alerts:
Fedora FEDORA-2008-0903 2008-01-22
Fedora FEDORA-2008-0904 2008-01-22
rPath rPSA-2008-0029-1 2008-01-24
SuSE SUSE-SR:2008:006 2008-03-14

Comments (none posted)

boost: denial of service

Package(s):boost CVE #(s):CVE-2008-0171 CVE-2008-0172
Created:January 17, 2008 Updated:March 14, 2008
Description: From the Ubuntu alert: Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash.
Alerts:
Ubuntu USN-570-1 2008-01-16
Fedora FEDORA-2008-0880 2008-01-22
Mandriva MDVSA-2008:032 2008-02-01
rPath rPSA-2008-0063-1 2008-02-13
Gentoo 200802-08 2008-02-14
Fedora FEDORA-2008-0754 2008-03-13
SuSE SUSE-SR:2008:006 2008-03-14

Comments (none posted)

cacti: SQL injection vulnerability

Package(s):cacti CVE #(s):CVE-2007-6035
Created:November 22, 2007 Updated:February 18, 2008
Description: Versions of Cacti prior to 0.8.7a have an SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via unspecified vectors.
Alerts:
Fedora FEDORA-2007-3667 2007-11-22
Fedora FEDORA-2007-3683 2007-11-22
SuSE SUSE-SR:2007:024 2007-11-22
Mandriva MDKSA-2007:231 2007-11-22
Debian DSA-1418-1 2007-12-02
Gentoo 200712-02 2007-12-05
Fedora FEDORA-2008-1737 2008-02-15
Fedora FEDORA-2008-1699 2008-02-15

Comments (none posted)

cacti: denial of service

Package(s):cacti CVE #(s):CVE-2007-3112 CVE-2007-3113
Created:September 18, 2007 Updated:February 18, 2008
Description: A vulnerability in Cacti 0.8.6i and earlier versions allows remote authenticated users to cause a denial of service (CPU consumption) via large values of the graph_start, graph_end, graph_height, or graph_width parameters.
Alerts:
Mandriva MDKSA-2007:184 2007-09-17
Fedora FEDORA-2007-2199 2007-09-18
Fedora FEDORA-2007-3683 2007-11-22
Fedora FEDORA-2008-1737 2008-02-15

Comments (none posted)

clamav: arbitrary code execution

Package(s):clamav CVE #(s):CVE-2008-0318
Created:February 13, 2008 Updated:April 18, 2008
Description:

From the CVE:

Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.

Alerts:
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-1625 2008-02-13
Debian DSA-1497-1 2008-02-16
Gentoo 200802-09 2008-02-21
SuSE SUSE-SR:2008:004 2008-02-22
Mandriva MDVSA-2008:088 2008-04-17

Comments (1 posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archive.
Alerts:
Debian DSA-1340-1 2007-07-24
Mandriva MDKSA-2007:150 2007-07-25
Gentoo 200708-04 2007-08-09
SuSE SUSE-SR:2007:015 2007-08-03

Comments (none posted)

clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2007-4510 CVE-2007-4560
Created:September 3, 2007 Updated:February 13, 2008
Description: Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-4510: It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service.

CVE-2007-4560: It was discovered that clamav-milter performs insufficient input sanitizing, resulting in the execution of arbitrary shell commands.

Alerts:
Debian DSA-1366-1 2007-09-01
Mandriva MDKSA-2007:172 2007-08-31
Fedora FEDORA-2007-2050 2007-09-07
Gentoo 200709-14 2007-09-20
Fedora FEDORA-2008-0170 2008-01-22
Fedora FEDORA-2008-1608 2008-02-13

Comments (none posted)

clamav: integer overflow and off-by-one

Package(s):clamav CVE #(s):CVE-2007-6335 CVE-2007-6336
Created:December 19, 2007 Updated:February 13, 2008
Description: ClamAV contains integer overflow and off-by-one errors which could be exploited (via specially-crafted email) to execute arbitrary code.
Alerts:
Debian DSA-1435-1 2007-12-19
Gentoo 200712-20 2007-12-29
Mandriva MDVSA-2008:003 2008-01-08
SuSE SUSE-SR:2008:001 2008-01-09
Fedora FEDORA-2008-0170 2008-01-22
Fedora FEDORA-2008-0115 2008-01-22
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-1625 2008-02-13

Comments (none posted)

cups: buffer overflow

Package(s):cups CVE #(s):CVE-2007-5848
Created:January 7, 2008 Updated:February 27, 2008
Description:

From the CVE entry:

Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service.

From the rPath advisory:

Previous versions of the cups package contain a buffer-overflow weakness. It is not believed that this weakness can be exploited to execute malicious code.

Alerts:
rPath rPSA-2008-0008-1 2008-01-05
SuSE SUSE-SA:2008:002 2008-01-10
SuSE SUSE-SR:2008:002 2008-01-25
Mandriva MDVSA-2008:050 2008-02-26

Comments (1 posted)

cups: multiple vulnerabilities

Package(s):cups CVE #(s):CVE-2007-5849 CVE-2007-6358 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393
Created:December 19, 2007 Updated:April 3, 2008
Description: The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability.
Alerts:
Gentoo 200712-14 2007-12-18
Debian DSA-1437-1 2007-12-26
Ubuntu USN-563-1 2008-01-09
SuSE SUSE-SA:2008:002 2008-01-10
SuSE SUSE-SR:2008:002 2008-01-25
Debian DSA-1480-1 2008-02-05
Mandriva MDVSA-2008:036 2008-02-06
Debian DSA-1537-1 2008-04-02

Comments (none posted)

debian-goodies: privilege escalation

Package(s):debian-goodies CVE #(s):CVE-2007-3912
Created:October 5, 2007 Updated:March 24, 2008
Description: Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.
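checkrestart is a Python script, and the bug class is a name under another user's control (a file or process name on a shared system) being spliced into a command line that is handed to a shell. The following is an added example in the same language, not the actual checkrestart code: the vulnerable construction next to the argv-list form that the fix class uses, driven by a constructed hostile name whose payload is a harmless `echo`. The `printf` invocation stands in for whatever external tool the script calls.

```python
import subprocess
import sys

# Constructed input: a name chosen by an unprivileged user that carries a
# shell metacharacter payload. The payload only echoes a marker.
HOSTILE_NAME = "libfoo.so; echo INJECTED"


def describe_unsafe(name: str) -> str:
    """Vulnerable pattern: the name is interpolated into a command string and
    run through /bin/sh. The shell treats ';' as a command separator, so the
    payload runs with the privileges of whoever runs the script."""
    cmd = "printf '%s\\n' " + name          # no quoting, shell=True below
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout


def describe_safe(name: str) -> str:
    """Fixed pattern: the name is one argv element and no shell is involved,
    so metacharacters are just bytes in the argument. A Python one-liner
    stands in for the external tool so the demo runs anywhere."""
    res = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return res.stdout


def injected(output: str) -> bool:
    """Did the payload execute? If so, its marker is a line of its own."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("unsafe ran payload:", injected(describe_unsafe(HOSTILE_NAME)))
    print("safe ran payload:  ", injected(describe_safe(HOSTILE_NAME)))
```

When a shell genuinely cannot be avoided (pipelines, globbing), `shlex.quote()` on every interpolated value is the minimum; the argv-list form is still preferable because there is nothing left to quote.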
Alerts:
Ubuntu USN-526-1 2007-10-04
Debian DSA-1527-1 2008-03-24

Comments (none posted)

duplicity: password disclosure

Package(s):duplicity CVE #(s):CVE-2007-5201
Created:February 13, 2008 Updated:February 13, 2008
Description:

From the CVE:

The FTP backend for Duplicity sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.
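Anything placed in a child's argv is readable by every local user through `ps` or /proc/<pid>/cmdline for as long as the process runs. The following added example (not duplicity's code) shows the leaking command construction next to one that hands the child a path to a mode-0600 file instead. It assumes ncftp's `-f <login-file>` option with host/user/pass lines; that option and format are an assumption of this example, not something the advisory states. Credentials and host are constructed.

```python
import os
import stat
import tempfile
from typing import Dict, List


def ncftp_argv_unsafe(host: str, user: str, password: str) -> List[str]:
    """Vulnerable pattern: the password is an argv element, visible in
    `ps -o args` and /proc/<pid>/cmdline to every local user."""
    return ["ncftpls", "-u", user, "-p", password, f"ftp://{host}/"]


def write_login_file(host: str, user: str, password: str) -> str:
    """Write the credentials to a file only the owner can read. mkstemp
    creates it 0600 with O_EXCL, so another user cannot pre-create or
    swap it. Returns the path; the caller removes it after use."""
    fd, path = tempfile.mkstemp(prefix="ftp-login-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(f"host {host}\nuser {user}\npass {password}\n")
    except Exception:
        os.unlink(path)
        raise
    return path


def ncftp_argv_safe(host: str, login_file: str) -> List[str]:
    """Fixed pattern: only the file path appears in argv. Assumes ncftp's
    -f <login-file> option (assumption of this example)."""
    return ["ncftpls", "-f", login_file, f"ftp://{host}/"]


def argv_leaks_secret(argv: List[str], secret: str) -> bool:
    """What a process listing would reveal: does the secret appear in any
    argument?"""
    return any(secret in arg for arg in argv)


def file_is_private(path: str) -> bool:
    """True if no group or other permission bits are set."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo(host: str = "ftp.example.test", user: str = "backup",
         password: str = "s3cr3t") -> Dict[str, bool]:
    """Run both constructions on constructed credentials and clean up."""
    path = write_login_file(host, user, password)
    try:
        return {
            "argv_leaks": argv_leaks_secret(ncftp_argv_unsafe(host, user, password), password),
            "login_file_argv_leaks": argv_leaks_secret(ncftp_argv_safe(host, path), password),
            "login_file_private": file_is_private(path),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The file still exposes the secret to root and to anyone who can read the owner's files, which is the same trust boundary as the backup data itself; what it removes is the world-readable argv. Passing the secret on the child's stdin avoids even the file, where the tool supports it.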

Alerts:
Fedora FEDORA-2008-1584 2008-02-13
Fedora FEDORA-2008-1521 2008-02-13

Comments (1 posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
Mandriva MDKSA-2007:070 2007-03-27
Fedora FEDORA-2007-393 2007-04-04
Fedora FEDORA-2007-404 2007-04-04
Foresight FLEA-2007-0010-1 2007-04-05
Red Hat RHSA-2007:0158-01 2007-05-03
Gentoo 200706-02 2007-06-06
SuSE SUSE-SR:2007:015 2007-08-03

Comments (1 posted)

exiftags: multiple vulnerabilities

Package(s):exiftags CVE #(s):CVE-2007-6354 CVE-2007-6355 CVE-2007-6356
Created:December 31, 2007 Updated:April 1, 2008
Description: From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356).
Alerts:
Gentoo 200712-17 2007-12-29
Debian DSA-1533-1 2008-03-27
Debian DSA-1533-2 2008-04-01

Comments (none posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Gentoo 200707-01 2007-07-01
Debian DSA-1529-1 2008-03-24

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2008-0414 CVE-2008-0416 CVE-2008-0420 CVE-2008-0594
Created:February 8, 2008 Updated:March 26, 2008
Description: From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user's computer to be uploaded without consent. (CVE-2008-0414)

Various flaws were discovered in character encoding handling. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416)

Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420)

Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594)

Alerts:
Ubuntu USN-576-1 2008-02-08
Debian DSA-1484-1 2008-02-10
Debian DSA-1485-1 2008-02-10
Debian DSA-1489-1 2008-02-10
rPath rPSA-2008-0051-1 2008-02-08
Foresight FLEA-2008-0001-1 2008-02-11
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1669 2008-02-13
Fedora FEDORA-2008-1459 2008-02-13
SuSE SUSE-SA:2008:008 2008-02-15
Debian DSA-1506-1 2008-02-24
Mandriva MDVSA-2008:048 2008-02-22
Red Hat RHSA-2008:0105-02 2008-02-27
Fedora FEDORA-2008-2118 2008-02-28
Fedora FEDORA-2008-2060 2008-02-28
Ubuntu USN-582-1 2008-02-29
Ubuntu USN-582-2 2008-03-06
Debian DSA-1485-2 2008-03-17
Debian DSA-1506-2 2008-03-20
Ubuntu USN-592-1 2008-03-26

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2007-3844 CVE-2007-3845
Created:August 1, 2007 Updated:February 20, 2008
Description:

A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844)

Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845)

Alerts:
Ubuntu USN-493-1 2007-07-31
Foresight FLEA-2007-0039-1 2007-08-01
Mandriva MDKSA-2007:152 2007-08-01
Slackware SSA:2007-213-01 2007-08-02
Foresight FLEA-2007-0040-1 2007-08-03
Debian DSA-1344-1 2007-08-03
Debian DSA-1345-1 2007-08-04
Debian DSA-1346-1 2007-08-04
Slackware SSA:2007-215-01 2007-08-06
rPath rPSA-2007-0157-1 2007-08-10
Gentoo 200708-09 2007-08-14
Debian DSA-1391-1 2007-10-19
Red Hat RHSA-2007:0979-01 2007-10-19
Red Hat RHSA-2007:0980-01 2007-10-19
Red Hat RHSA-2007:0981-01 2007-10-19
Fedora FEDORA-2007-3431 2007-11-16
Fedora FEDORA-2007-3414 2007-11-16
Mandriva MDVSA-2008:047 2008-02-19

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox seamonkey CVE #(s):CVE-2007-5947 CVE-2007-5959 CVE-2007-5960
Created:November 27, 2007 Updated:March 3, 2008
Description: A cross-site scripting flaw was found in the way Firefox handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running Firefox. (CVE-2007-5947)

Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959)

A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960)
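The lesson of CVE-2007-5960 is on the server side: a Referer header is attacker-influenced input, and a CSRF defence that consists only of checking it fails the moment a browser bug lets a page set one. The following added example (not Mozilla's or Red Hat's code) puts the Referer-only check beside a per-session token bound with an HMAC under a server key, and runs a constructed forged request through both. The origin, session id and form fields are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Mapping

SITE_ORIGIN = "https://bank.example"      # constructed example origin


def referer_only_check(headers: Mapping[str, str]) -> bool:
    """The defence CVE-2007-5960 defeats: accept any request whose Referer
    claims to come from our own origin. Whatever can forge Referer passes."""
    ref = headers.get("Referer", "")
    return ref == SITE_ORIGIN or ref.startswith(SITE_ORIGIN + "/")


def issue_csrf_token(session_id: str, key: bytes) -> str:
    """Token bound to the session by an HMAC under a server-side key. It is
    embedded in pages served to that session; a cross-origin page cannot
    read it, so it cannot be echoed back by a forged request."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(session_id: str, key: bytes, form: Mapping[str, str]) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    expected = issue_csrf_token(session_id, key)
    return hmac.compare_digest(expected, form.get("csrf_token", ""))


def demo() -> Dict[str, bool]:
    key = secrets.token_bytes(32)
    sid = "session-abc123"
    # Constructed attacker request: Referer forged to the site's own origin,
    # as the race described above would let a hostile page arrange.
    forged_headers = {"Referer": SITE_ORIGIN + "/transfer"}
    attacker_form = {"to": "attacker", "amount": "1000"}   # no token available to it
    # Legitimate submission from a page the server rendered in this session.
    legit_form = dict(attacker_form, csrf_token=issue_csrf_token(sid, key))
    return {
        "referer_check_passes_forgery": referer_only_check(forged_headers),
        "token_check_blocks_forgery": not token_check(sid, key, attacker_form),
        "token_check_accepts_legit": token_check(sid, key, legit_form),
    }


if __name__ == "__main__":
    print(demo())
```

Checking Referer (or, today, Origin) remains a useful second layer; the point is that it cannot be the only one.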

Alerts:
Red Hat RHSA-2007:1082-01 2007-11-26
Red Hat RHSA-2007:1084-01 2007-11-26
Ubuntu USN-546-1 2007-11-26
Slackware SSA:2007-331-01 2007-11-28
Fedora FEDORA-2007-3952 2007-11-29
Fedora FEDORA-2007-3962 2007-11-29
Slackware SSA:2007-333-01 2007-11-30
Fedora FEDORA-2007-756 2007-12-03
SuSE SUSE-SA:2007:066 2007-12-05
Ubuntu USN-546-2 2007-12-04
rPath rPSA-2007-0260-1 2007-12-06
Fedora FEDORA-2007-4098 2007-12-06
Fedora FEDORA-2007-4106 2007-12-06
Debian DSA-1424-1 2007-12-08
Debian DSA-1425-1 2007-12-08
Mandriva MDKSA-2007:246 2007-12-13
Red Hat RHSA-2007:1083-01 2007-12-19
Gentoo 200712-21 2007-12-29
Foresight FLEA-2008-0001-1 2008-02-11
rPath rPSA-2008-0093-1 2008-02-29

Comments (1 posted)

firefox: multiple vulnerabilities

Package(s):firefox seamonkey thunderbird CVE #(s):CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593
Created:February 8, 2008 Updated:April 2, 2008
Description: From the Red Hat advisory:
Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)

Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)

A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417)

A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418)

A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592)

Alerts:
Red Hat RHSA-2008:0103-01 2008-02-07
Red Hat RHSA-2008:0104-01 2008-02-07
Red Hat RHSA-2008:0105-01 2008-02-07
Ubuntu USN-576-1 2008-02-08
Debian DSA-1484-1 2008-02-10