Reverse engineering is a longstanding tradition in the free software
community. It has often been the only way to get hardware to work when the
manufacturer refuses to make documentation available, but there is more to
it than that. Some of us, certainly, enjoy the challenge of figuring out
how a particular device works. And our sense of freedom tells us that it
is our right to understand the hardware which we have purchased and
rightfully own. We, as a group, tend not to respond well to those who tell
us that reverse engineering a product is not the right thing to do. But,
increasingly, your editor is hearing voices within the community which are
saying just that.
One of the most prominent reverse engineering projects at the moment is Nouveau, which is starting to
have some real success in making NVIDIA graphics adapters work with free
software; see this week's Kernel Page for an article on the state of this
project. NVIDIA hardware has been a problem for a long time, of course.
It is said to be nicely-designed, and it is certainly present in a
significant percentage of new machines, but NVIDIA has had no interest in
making free drivers (or documentation) available for some years. So the
only way for owners of this hardware to use it with reasonable performance
under Linux is to use NVIDIA's proprietary kernel module, and that is a
price many of us are not willing to pay.
There are currently about eight developers working to make the Nouveau
driver better. They have reached a point where their understanding of the
hardware and their reverse engineering tools are quite good; that, in turn,
is enabling fast progress toward the creation of a working driver. With
this kind of developer attention, the Nouveau driver may reach a stable
state over the course of the next year, at least for some versions of the
hardware. And that, it seems, should be a good thing.
Except for one little issue. NVIDIA's competition in this market is
provided mainly by Intel and AMD/ATI. Intel provides free drivers for its
hardware as a matter of company policy, and AMD has pushed a much more
friendly policy onto ATI since the middle of last year. So free drivers
for Intel video adapters come with distributions, and the first ATI drivers
are beginning to become available.
One rather perverse result of this situation is that there are almost no
community developers working on the Intel drivers at all. The development
and maintenance of those drivers is an expense carried by Intel alone. One
could argue that the lack of hardware documentation from Intel has made it
hard for other developers to participate; Intel is now beginning to address
that problem by burying the community in comprehensive, Creative
Commons-licensed hardware programming manuals. It will be interesting to
see how much more community help Intel gets as a result of its
documentation release.
ATI, which has not, to date, provided working, free drivers, is arguably
getting more help from the community and, especially, from distributors who
have an interest in working drivers. But that company, too, is putting in
resources of its own toward that goal.
NVIDIA, instead, is giving us nothing - and, in return, we are giving it
an eight-person development team dedicated to the production of free
drivers for its hardware. Once Nouveau is in a working state, Linux users will be able to
buy NVIDIA hardware in the knowledge that it will simply work without
requiring them to download and use binary-only kernel modules. The result
of that can only be higher sales for NVIDIA.
While talking to developers at linux.conf.au, your editor heard a number of
them say that NVIDIA does not deserve a gift of this magnitude from the
community. We are now quite close to having free support for video
hardware at all performance levels, supplied by friendly
companies. Rather than penalize those companies by making a free gift to
their biggest competitor, some say, shouldn't NVIDIA be made to pay for its
behavior by exclusion from our community until it comes around?
There is a point here. The biggest lever we have when talking with
hardware companies (or any company, for that matter) is money. Companies
which see themselves as missing out on the Linux market will find a strong
incentive to change their behavior. So if NVIDIA finds that system
resellers are not using its chipsets for Linux-based systems, it will have
to reconsider its position with regard to free drivers.
In the past, there was no credible alternative to NVIDIA, so the company
had no real reason to fear that it could lose money as a result of its
uncooperative behavior. Now there are well-supported alternatives at the
lower end of the market, and the prospect of the same for high-end graphics
as well. So there will be no need to buy hardware from this particular
vendor, and, since the alternatives will be well supported, every reason to
buy from somebody else.
Unless NVIDIA's hardware, too, is made to work via a community-supported
driver. Should this happen, one could well say that we, as a community,
have taken a prize away from companies which have treated us well and
handed it to their competitor (which has not). Arguably, the community
should not pursue the creation of reverse-engineered drivers in situations
where competing vendors are playing by our rules. Otherwise, we are
sending a rather conflicted message to both types of companies. It may
really be true that, in the long run, the Nouveau driver is harmful to our
real interests.
All of this discussion may be moot. There's no way that any of us could keep
others from reverse-engineering their hardware and writing drivers, even if
we wanted to. Anybody arguing against the mainline inclusion of a
GPL-licensed driver for popular hardware is likely to end up in a minority
position, to say the least. So, as a community, we cannot make a
collective decision to stop this kind of development. But, as individual
developers, we may occasionally want to give a moment's thought to the
question of whether our activities are truly beneficial in the long run.
It is an exciting time for Linux users who are interested in ultra-mobile
PCs (UMPCs). New models are being announced frequently with
many—dare we say most?—coming with at least the option to have
Linux pre-installed. The low-cost models probably require Linux in order
to make their price point, but even higher-end UMPCs seem to be made with
Linux firmly in mind. In many ways, the One
Laptop Per Child (OLPC) project has driven the demand for low-cost
machines for adults as well.
Commercial offerings from ASUS (Eee PC), Everex (Cloudbook), Elonex (One),
along with a rumored
UMPC from HP are giving both the OLPC and Intel's ClassmatePC some
competition. Add in Nokia's N810 and you have a half-dozen very mobile
solutions featuring Linux—though the ClassmatePC seems to be more
geared towards Windows XP. None of them has quite the right set of
features to be the ultimate UMPC, but we seem to be headed in the right
direction, so it is worth contemplating what that machine might look like.
Battery life is the achilles heel of mobile devices; some kind of
breakthrough in power consumption or energy storage needs to happen for big
strides to be made in this area. Because of weight considerations, today's
UMPCs tend to have small batteries and three hours or less of battery life.
Something on the order of twelve hours—with a measurement in days
being the real goal—is more like what is needed. Perhaps some kind
of human-powered or alternative charging mechanism can play a role. It is
probably the biggest challenge to reaching something approaching an
ultimate device.
Part of the reason that battery life is so low is because of how much power
the display consumes. With rotating media on its way out (at least for
these kinds of devices), the display is one of the areas where power
savings would be felt most strongly. The E-Ink displays, such as those
used by the newer e-book readers, have some great properties in terms of
power consumption, but the speed at which they update makes them
undesirable for general computer use. Many of us spend a fair amount of time
looking at a static screen for several to many seconds at a time. Web
pages or e-books might be candidates for using E-Ink, perhaps, but not
Wesnoth or typing a document.
Perhaps a dual-mode screen that
combined an LED and E-Ink display could blend the best of both. OLPC has
an innovative display with many of the characteristics needed which can also
can be viewed in sunlit conditions. Former OLPC CTO Mary Lou
Jepsen's startup is licensing the XO display technology, so we may see it in a
UMPC before too long.
The size of the display will likely need to be larger than today's
offerings as well. That will be a balancing act between size, weight, and cost
which will be interesting to see play out. A touchscreen is another feature
that will be necessary as the display should be usable separate
from the keyboard. Some way of transforming a small laptop into a tablet
PC and e-book reader would be very desirable, with bonus points awarded if that
transformation is fast and seamless.
A full-sized or nearly so keyboard is also a necessity. Too much of the
work that we do involves words and numbers that need to be input. If this
device is to become an integral part of a day-to-day routine, thumb
or child-sized keyboards just won't cut it.
Wifi and wired connectivity are obvious, while Bluetooth would seem to be a
good addition to provide internet via cell phone. Some might want to
integrate actual cell phone functionality into the device itself—to avoid
the multiple device hassle. Given that the size of a UMPC won't ever reach
that of a cell phone, that seems like a stretch, but for those who want it,
an optional feature seems like the way to provide that.
Like the OLPC, the device should be ruggedized, able to withstand
reasonable amounts of abuse without much more than a case scratch. This is
another area where flash disks will help as there won't be the threat of
losing data when the disk heads suffer rapid deceleration. The price per
gigabyte for solid-state drives will drop to the point where a few hundred
GB will be possible at a reasonable price. Carrying around one's favorite
music as FLACs, rather than in some lossy format, should be possible.
A fairly modest and power-friendly processor with a GB or two of RAM should round out the
basics of the hardware. The device will run Linux, of course, and might
have a few other peripherals: camera, microphone, speakers, etc. All
should be available for $500-700, at least in a very functional low-end
configuration. When might we see such a device? Two to three years seems
quite likely, certainly before five years have passed. When it's ready,
please send one to LWN for review in care of the author.
Just as it seemed the SCO saga was drawing to a close, a new player, with
up to $100 million to risk, has come on the scene. Stephen Norris Capital
Partners (SNCP) has made an offer to take SCO private while providing a
line of credit to allow the company to continue its operations.
If the bankruptcy court
in Delaware agrees to the plan—which is not a foregone
conclusion—SCO and its various legal cases could be with us for a
long time to come.
SNCP will put up $5 million in cash to essentially purchase between 51
and 85% of SCO; the exact percentage is dependent upon how much of the $95
million credit line is used to pay off Novell and/or IBM. If there is no
payment, because SCO eventually wins those cases, SNCP will get 51%. If
the payment is over $30 million, SNCP gets 85%; in between those two, the
percentage of ownership will be pro-rated between the two. The actual
transaction would issue "Series A Preferred" stock to SNCP (and its
investors), which would be convertible into SCO "New Common Stock"; the
current common stockholders would be see their shares "extinguished" and a
trust established for them. This deal would take SCO private, no longer
publicly traded nor subject to SEC reporting requirements.
Under the proposed agreement, the credit line has an interest rate of the London Interbank Offered Rate
(LIBOR) plus "1700 basis points"—17% for those without a high-finance background—which currently works out to be around 20%. This is
clearly not cheap money, but it does provide a rather large war chest for
SCO to continue the fight. The Memorandum of
Understanding (MOU) [PDF] makes it clear that interest payments are part of
what the line of credit is supposed to pay for:
The purpose of the loan is to provide funds for (i) working capital for
SCO following its emergence from bankruptcy, (ii) to pay interest when
due under the Debt Financing, and (iii) to support the prosecution of
the Reorganized Debtor's Litigation Claims, including providing letters
of credit or other financial arrangements adequate to support any
required appellate bonds (in which event the Reorganized SCO shall pay
the reasonable letter of credit fees and expenses), and to effect
payment of any final award against the Reorganized Debtor).
SCO's bombastic CEO, Darl McBride, will be required to resign as a
condition of the deal. The Series A stockholders would be entitled to
elect four of the seven board members, ensuring that they control the
day-to-day direction of the company. The CEO would hold another seat, as
would an "outside executive with suitable industry expertise." The
remaining seat would be open to anyone and voted on by the current common
stockholders.
What do the current stockholders get from this deal? Not much in
the short term, as the MOU would set up a trust with $2 million (from the
$5 million cash investment) to be distributed amongst the current
stockholders. The current common stock would be "extinguished" and the
trust would hold "New Common Stock" equivalent to the 15-49% left over
based on the amount of the credit line used. Shareholders would get a
pro-rata interest in the trust based on their current percentage of
ownership. Based on 22 million outstanding shares, the distribution will
amount to around $0.09 per share.
Since SCO sued IBM in March 2003, most of the stock speculation has been
based on some kind of monetary settlement from IBM. Investors in SCO since
that time have essentially been betting on that outcome; the new arrangement
still allows the current stockholders to hold onto their litigation lottery
ticket. Any settlement money that comes to SCO as a result of the Novell
and IBM cases would be paid to the trust in the percentage of ownership of
the company that it holds (i.e. 15-49%). At that time, the trust would
also get its percentage of four times the previous year's earnings. These
would then be distributed to the members of the trust.
It's a fairly complicated deal, this just covers the high points; the
curious are directed at the MOU itself. It is a bit premature to proclaim
that SCO is going private or getting $100 million as some in the press
have done. The bankruptcy court will have its say; Novell may have an objection
or two as well though, as things currently stand, they would be the likely
beneficiary of some substantial part of the line of credit. We may get a
read on how confident Novell is based on what, if any, objections they raise.
It is hard to imagine that SNCP thinks SCO's business prospects are such
that a large financial commitment is warranted. This is very clearly an
attempt to wring money out of the current litigation—and perhaps
start additional lawsuits. It is interesting to note that in addition to
the Novell and IBM lawsuits, the MOU specifically mentions the Autozone
case. There is speculation that the idea of a "Linux tax" on users is an
outcome that SNCP and its investors covet.
The question is, does SNCP truly believe that the claims made by
SCO—without much in the way of supporting evidence so far—are
likely to succeed on their merits? Or do they think that by providing
enough incentive—in the form of a further protracted legal
battle—might cause someone to settle? The IBM case has been dragging
on for almost five years now. With the kind of money SCO would have at its
disposal if this deal goes through, dragging out for another five does not seem implausible. At some point IBM or Novell may tire of
the whole thing and try to cut some kind of deal. One hopes not, but that
may be exactly what SNCP is betting on. The other side of that coin is
that if that doesn't happen, we may well get a real hearing on some of
IBM's counterclaims, in particular the GPL-infringement claims.
That could
be very interesting to watch.
Amit Klein has been looking into pseudo-random number generators (PRNG) again. He
has found a number of problems in the algorithms that make it easier to
guess the next number generated. Much like his earlier work on Berkeley
Internet Name Daemon (BIND), Klein found that with a small amount of
traffic, predicting the next DNS transaction ID or IP fragmentation ID is
possible. Anything that uses random numbers for security purposes—as
opposed to, say, choosing which fortune to
deliver—needs to ensure that their random numbers are
cryptographically strong.
In his report,
Klein looks at a specific algorithm that has been implemented, with slight
variations, in multiple places. It was introduced into OpenBSD in 1997 to
randomize two 16-bit IDs to protect against predictability. Prior
to that, both DNS transaction IDs and IP fragmentation IDs were essentially
just incrementing counters. Various attacks, like idle scanning and DNS cache
poisoning were possible because those IDs could be predicted.
The OpenBSD PRNG algorithm was then used in their BIND 9
implementation, replacing the solution that Internet Systems Consortium
(ISC)—maintainer of BIND—had used. ISC added a random number
for the 16-bit DNS transaction ID, instead of an incrementing counter, as
part of BIND 9. Klein's earlier work found problems with that
PRNG—avoided by the OpenBSD version—leading to a certain
amount of smugness
on the part of the OpenBSD folks.
It is clear that the OpenBSD algorithm is better than the one ISC
introduced in BIND 9, but Klein was still able to find ways to break it.
The method requires much more computation than was needed to crack BIND 9
transaction IDs, roughly six minutes of computation on a fairly high-end
processor. Klein presents various ideas to parallelize the algorithm for
multi-core or multi-processor computation that could bring that number way
down. So, there is no working exploit available, but it is well
within the grasp; a determined attacker could make use of the techniques to
poison the cache of OpenBSD servers.
In addition, Klein found ways to exploit the IP fragmentation ID
predictability to do idle scanning, host operating system fingerprinting,
and other kinds of information leaks; it may also be possible to inject an
attacker-controlled packet into a TCP/IP connection, called a blind data
injection. The belief in the strength of the OpenBSD PRNG made it an attractive
option for others in the BSD family to adopt. NetBSD, FreeBSD, and
DragonFly BSD all adopted a variant of the algorithm for the IP
fragmentation ID, as did the FreeBSD-derived Mac OS X.
It should be noted that only OpenBSD and Mac OS X enable the fragmentation
ID randomization by default, the others have a setting for it, but their
default behavior is sequential IDs (i.e. id++) which is clearly even easier
to predict. The security team for each of the OSes had a fairly
predictable response, with one notable exception. NetBSD, FreeBSD, and DragonFly
BSD all changed the PRNG algorithm for less predictability; Apple claimed
to be working on the problem but could not provide a timeline for a fix.
The exceptional response came from OpenBSD, who are "completely
uninterested in the problem," according to an email from the OpenBSD
coordinator (presumably Theo de Raadt) that Klein quotes. The email goes
on to say that the problem is "completely irrelevant in the real world."
This kind of bluster is surprising from the OS that prides itself on
security; it was, after all, the first to introduce randomization of these
IDs. It may be that exploiting the predictability is hard to do, but
Klein's techniques clearly reduce the search space drastically which is not
what you want from a PRNG. The other BSDs found it important enough to
change, what does OpenBSD know that they don't?
It would be foolish for Linux users to write this off as a "BSD
problem"—though the random numbers used for IP fragmentation IDs by
Linux are considered to be cryptographically strong—because there
very well may be problems elsewhere in Linux or the applications that are
typically run on it. We are not immune to making mistakes, so all uses of
random numbers should be scrutinized. New development needs to remember
these lessons of the past as well, so that we can avoid this kind of
problem in the future.
CVE-2008-0655: Multiple unspecified vulnerabilities in Adobe Reader
and Acrobat before 8.1.2 have unknown impact and
attack vectors.
CVE-2008-0667: The DOC.print function in the Adobe JavaScript API,
as used by Adobe Acrobat and Reader before 8.1.2, allows
remote attackers to configure silent non-interactive
printing, and trigger the printing of an arbitrary
number of copies of a document.
CVE-2008-0726: Integer overflow in Adobe Reader and Acrobat 8.1.1 and
earlier allows remote attackers to execute arbitrary
code via crafted arguments to the printSepsWithParams,
which triggers memory corruption.
From the CVE entry:
ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.
A buffer overflow in the read_4bit_bmp function in bmp.c in Imager 0.56 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via 4-bit/pixel BMP files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
A buffer overflow caused by a character class containing a
very large number of characters with codepoints greater than 255 (in UTF-8 mode) may affect usages of pcre, when regular expressions from untrusted sources are compiled.
Adobes acrobat reader has the following vulnerabilities:
The Adobe Reader Plugin has a cross site scripting vulnerability that
can be triggered by processes malformed URLs. Arbitrary JavaScript can
be served by a malicious web server, leading to a cross-site scripting
attack.
Maliciously crafted PDF files can be used to trigger two vulnerabilities,
if an attacker can trick a user into viewing the files, arbitrary code
can be executed with the user's privileges.
From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not
properly copy all levels of header data, which can cause Apache to
return HTTP headers containing previously-used data, which could be
used to obtain potentially sensitive information by unauthorized users."
The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with
the server-status page publicly accessible and ExtendedStatus enabled were
vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux
the server-status page is not enabled by default and it is best practice to
not make this publicly available. (CVE-2006-5752)
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."
A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)
A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which did not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)
cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.
A flaw was found in the mod_proxy module. On sites where a reverse proxy is
configured, a remote attacker could send a carefully crafted request that
would cause the Apache child process handling that request to crash. On
sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using
the proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-3847)
A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the AddDefaultCharset directive has been removed
from the configuration, a cross-site-scripting attack may be possible
against browsers which do not correctly derive the response character set
following the rules in RFC 2616. (CVE-2007-4465)
Tilghman Lesher discovered that the logging engine of Asterisk, a free
software PBX and telephony toolkit, performs insufficient sanitizing of
call-related data, which may lead to SQL injection.
Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file
with world-readable permissions, which allows local users to perform
unauthorized named commands, such as causing a denial of service by
stopping named.
Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3,
and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause
a denial of service (crash) and possibly execute arbitrary code via crafted
input that triggers memory corruption.
From the Ubuntu alert:
Will Drewry and Tavis Ormandy discovered that the boost library
did not properly perform input validation on regular expressions.
An attacker could send a specially crafted regular expression to
an application linked against boost and cause a denial of service
via application crash.
A vulnerability in Cacti 0.8.6i and earlier versions allows remote
authenticated users to cause a denial of service (CPU consumption) via
large values of the graph_start, graph_end, graph_height, or graph_width
parameters.
Cairo has an integer overflow vulnerability in the PNG image processing
code. If a user processes a specially crafted PNG image with an
application that is linked against cairo, arbitrary code can be executed
with the user's privileges.
Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.
A NULL pointer dereference has been discovered in the RAR VM of Clam
Antivirus (ClamAV) which allows user-assisted remote attackers to
cause a denial of service via a specially crafted RAR archives.
Several remote vulnerabilities have been discovered in the Clam anti-virus
toolkit. The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2007-4510:
It was discovered that the RTF and RFC2397 parsers can be tricked
into dereferencing a NULL pointer, resulting in denial of service.
CVE-2007-4560:
It was discovered clamav-milter performs insufficient input
sanitizing, resulting in the execution of arbitrary shell commands.
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code.
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service.
From the rPath advisory:
Previous versions of the cups package contain a buffer-overflow
weakness. It is not believed that this weakness can be exploited
to execute malicious code.
The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability.
Thomas de Grenier de Latour discovered that the checkrestart program included
in debian-goodies did not correctly handle shell meta-characters. A local
attacker could exploit this to gain the privileges of the user running
checkrestart.
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.
Luigi Auriemma discovered multiple buffer overflows in the
D_NetPlayerEvent() function, the Msg_Write() function and the
NetSv_ReadCommands() function. He also discovered errors when handling
chat messages that are not NULL-terminated (CVE-2007-4642) or contain a
short data length, triggering an integer underflow (CVE-2007-4643).
Furthermore a format string vulnerability was discovered in the
Cl_GetPackets() function when processing PSV_CONSOLE_TEXT messages
(CVE-2007-4644).
This vulnerability can be used for the execution of arbitrary code
or to create a denial of service.
From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a
minor privilege escalation attack in which an authenticated
user may exploit an ACL plugin weakness to save message flags
without having proper permissions."
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name.
Dovecot has multiple vulnerabilities including an issue involving the
confusion between LDAP-authenticated logins across users with the
same password and a denial of service involving a connecting user.
The FTP backend for Duplicity sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.
A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop
1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC
servers to execute arbitrary code via a long private message.
Arnaud Giersch discovered that elinks incorrectly attempted to load
gettext catalogs from a relative path. If a user were tricked into
running elinks from a specific directory, a local attacker could execute
code with user privileges.
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions.
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers.
The APOP protocol allows remote attackers to guess the first 3 characters
of a password via man-in-the-middle (MITM) attacks that use crafted message
IDs and MD5 collisions. NOTE: this design-level issue potentially affects
all products that use APOP, including (1) Thunderbird, (2) Evolution, (3)
mutt, and (4) fetchmail.
From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not
properly sanitized before being processed, resulting in illegal memory
access in the postprop() and other functions (CVE-2007-6354). He also
discovered integer overflow vulnerabilities in the parsetag() and other
functions (CVE-2007-6355) and an infinite recursion in the readifds()
function caused by recursive IFD references (CVE-2007-6356).
Integer overflow in exif.cpp in exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow.
fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user.
Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be
uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a
user were ticked into opening a malicious web page, an attacker
could perform cross-site scripting attacks. (CVE-2008-0416)
Flaws were discovered in the BMP decoder. By tricking a user into
opening a specially crafted BMP file, an attacker could obtain
sensitive information. (CVE-2008-0420)
Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery
warning dialog wasn't displayed under certain circumstances. A
malicious website could exploit this to conduct phishing attacks
against the user. (CVE-2008-0594)
A flaw was discovered in handling of "about:blank" windows used by
addons. A malicious web site could exploit this to modify the contents,
or steal confidential data (such as passwords), of other web pages.
(CVE-2007-3844)
Jesper Johansson discovered that spaces and double-quotes were
not correctly handled when launching external programs. In rare
configurations, after tricking a user into opening a malicious web page,
an attacker could execute helpers with arbitrary arguments with the
user's privileges. (CVE-2007-3845)
A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2007-5959)
A race condition existed when Firefox set the "window.location" property
for a webpage. This flaw could allow a webpage to set an arbitrary Referer
header, which may lead to a Cross-site Request Forgery (CSRF) attack
against websites that rely only on the Referer header for protection.
(CVE-2007-5960)
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)
Several flaws were found in the way Firefox displayed malformed web
content. A webpage containing specially-crafted content could trick a user
into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)
A flaw was found in the way Firefox stored password data. If a user saves
login information for a malicious website, it could be possible to corrupt
the password database, preventing the user from properly accessing saved
password data. (CVE-2008-0417)
A flaw was found in the way Firefox handles certain chrome URLs. If a user
has certain extensions installed, it could allow a malicious website to
steal sensitive session data. Note: this flaw does not affect a default
installation of Firefox. (CVE-2008-0418)
A flaw was found in the way Firefox saves certain text files. If a
website offers a file of type "plain/text", rather than "text/plain",
Firefox will not show future "text/plain" content to the user in the
browser, forcing them to save those files locally to view the content.
(CVE-2008-0592)
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute own code or display own content with URL bar and SSL certificate
data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL Protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
that showed evidence of memory corruption under certain circumstances and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)
The Freetype font rendering library versions 2.3.4 and below
has an integer sign error. Remote attackers may be able to
create a specially crafted TrueType Font file with a negative
n_points value that will cause an integer overflow and heap-based
buffer overflow, allowing the execution of arbitrary code.
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers
to have unspecified remote attack vectors and impact. (CVE-2007-3472)
The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a denial
of service (crash) via unspecified vectors involving a gdImageCreate
failure. (CVE-2007-3473)
Multiple unspecified vulnerabilities in the GIF reader in the
GD Graphics Library (libgd) before 2.0.35 allow user-assisted
remote attackers to have unspecified attack vectors and
impact. (CVE-2007-3474)
The GD Graphics Library (libgd) before 2.0.35 allows user-assisted
remote attackers to cause a denial of service (crash) via a GIF image
that has no global color map. (CVE-2007-3475)
Array index error in gd_gif_in.c in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause
a denial of service (crash and heap corruption) via large color
index values in crafted image data, which results in a segmentation
fault. (CVE-2007-3476)
The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allows attackers to cause a denial
of service (CPU consumption) via a large (1) start or (2) end angle
degree value. (CVE-2007-3477)
Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the
GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote
attackers to cause a denial of service (crash) via unspecified vectors,
possibly involving truetype font (TTF) support. (CVE-2007-3478)
Libgd2 has a denial of service vulnerability involving the incorrect
validation of PNG callback results. If an application that is linked
against libgd2 is used to process a specially-crafted PNG file,
a denial of service involving CPU resource consumption can be
caused.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
The gimp image editor has several vulnerabilities, including
a problem where it can open PSD files with excessive dimensions
and a possible stack overflow in the Sunras loader.
PCRE 7.6 fixed following bug: A character class containing a very large
number of characters with codepoints greater than 255 (in UTF-8 mode, of
course) caused a buffer overflow. The GLib release 2.14.6 updates the
included copy of PCRE to version 7.6.
Jens Askengren discovered that gnome-screensaver became confused when
running under Compiz, and could lose keyboard lock focus. A local
attacker could exploit this to bypass the user's locked screen saver.
The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnome Office Gnumeric before 1.8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file containing XLS HLINK opcodes, possibly because of an integer signedness error that leads to an integer overflow. NOTE: some of these details are obtained from third party information.
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code.
Ulf Harnhammer discovered that the HTML filter of the Horde web
application framework performed insufficient input sanitising, which
may lead to the deletion of emails if a user is tricked into viewing
a malformed email inside the Imp client.
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user).
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module. (CVE-2007-6422)
From the Red Hat advisory:
Will Drewry reported multiple flaws in the way libicu processed certain
malformed regular expressions. If an application linked against ICU, such
as OpenOffice.org, processed a carefully crafted regular expression, it may
be possible to execute arbitrary code as the user running the application.
The ImageMagick image decoders have multiple vulnerabilities.
If a user can be tricked into processing a specially crafted
DCM, DIB, XBM, XCF, or XWD image, arbitrary code may be executed with
the user's privileges.
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667.
The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote
user-assisted attackers to cause a denial of service (crash) and possibly
corrupt the heap via malformed image files.
java has multiple vulnerabilities, these include:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE and buffer overflows in the java image
handling routines that can give attackers read/write/execute capabilities
for local files.
The Javadoc tool was able to generate HTML documentation pages that
contained cross-site scripting (XSS) vulnerabilities. A remote attacker
could use this to inject arbitrary web script or HTML. (CVE-2007-3503)
The Java Web Start URL parsing component contained a buffer overflow
vulnerability within the parsing code for JNLP files. A remote attacker
could create a malicious JNLP file that could trigger this flaw and execute
arbitrary code when opened. (CVE-2007-3655)
The JSSE component did not correctly process SSL/TLS handshake requests. A
remote attacker who is able to connect to a JSSE-based service could
trigger this flaw leading to a denial-of-service. (CVE-2007-3698)
A flaw was found in the applet class loader. An untrusted applet could use
this flaw to circumvent network access restrictions, possibly connecting to
services hosted on the machine that executed the applet. (CVE-2007-3922)
Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled,
allows remote attackers to violate the security model for an applet's
outbound connections via a DNS rebinding attack. (CVE-2007-5232)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not
properly enforce access restrictions for untrusted applications, which
allows user-assisted remote attackers to obtain sensitive information (the
Java Web Start cache location) via an untrusted application, aka "three
vulnerabilities." (CVE-2007-5238)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE
1.3.1_20 and earlier does not properly enforce access restrictions for
untrusted (1) applications and (2) applets, which allows user-assisted
remote attackers to copy or rename arbitrary files when local users perform
drag-and-drop operations from the untrusted application or applet window
onto certain types of desktop applications. (CVE-2007-5239)
Visual truncation vulnerability in the Java Runtime Environment in Sun JDK
and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK
and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows
remote attackers to circumvent display of the untrusted-code warning banner
by creating a window larger than the workstation screen. (CVE-2007-5240)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used,
allows remote attackers to violate the security model for an applet's
outbound connections via a multi-pin DNS rebinding attack in which the
applet download relies on DNS resolution on the proxy server, but the
applet's socket operations rely on DNS resolution on the local machine, a
different issue than CVE-2007-5274. NOTE: this is similar to
CVE-2007-5232. (CVE-2007-5273)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows
remote attackers to violate the security model for JavaScript outbound
connections via a multi-pin DNS rebinding attack dependent on the
LiveConnect API, in which JavaScript download relies on DNS resolution by
the browser, but JavaScript socket operations rely on separate DNS
resolution by a Java Virtual Machine (JVM), a different issue than
CVE-2007-5273. NOTE: this is similar to CVE-2007-5232. (CVE-2007-5274)
An integer overflow vulnerability exists in the embedded ICC profile
image parser (CVE-2007-2788), an unspecified vulnerability exists in
the font parsing implementation (CVE-2007-4381), and an error exists
when processing XSLT stylesheets contained in XSLT Transforms in XML
signatures (CVE-2007-3716), among other vulnerabilities.
The kazehakase web browser is vulnerable to buffer overflows and
memory corruption in PCRE. If a remote attacker can convince a user to
open specially crafted bookmarks, it can lead to the
execution of arbitrary code, denial of service or
arbitrary information disclosure.
The kdebase package is vulnerable to a denial of service in which a local user can render KDM unusable for logins by any user or cause KDM to exceed system resource limits.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
The IA32 system call emulation functionality in Linux kernel 2.4.x and
2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not
zero extend the eax register after the 32bit entry path to ptrace is used,
which might allow local users to gain privileges by triggering an
out-of-bounds access to the system call table using the %RAX register.
From the Red Hat advisory: A flaw was found in the way the Red Hat
Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA
method for accessing memory on Itanium architectures. A local unprivileged
user could trigger this flaw and cause a denial of service (system panic).
A possible NULL pointer dereference was found in the chrp_show_cpuinfo
function when using the PowerPC architecture. This may have allowed a local
unprivileged user to cause a denial of service (crash).
The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced
Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does
not return the correct write size, which allows local users to obtain
sensitive information (kernel memory contents) via a small count argument,
as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
From the SUSE advisory: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory.
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538)
The Minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
other versions, allows local users to cause a denial of service (hang) via
a malformed minix file stream that triggers an infinite loop in the
minix_bmap function. NOTE: this issue might be due to an integer overflow
or signedness error.
Integer underflow in the ieee80211_rx function in
net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows
remote attackers to cause a denial of service (crash) via a crafted SKB
length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA
flag is set, aka an "off-by-two error."
From the mitre.org CVE description:
VFS in the Linux kernel before 2.6.23.14 performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass file permissions.
Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak
kernel memory contents via an uninitialized stack buffer. A local attacker
could exploit this flaw to view sensitive kernel information.
(CVE-2007-1353)
The GEODE-AES driver did not correctly initialize its encryption key.
Any data encrypted using this type of device would be easily compromised.
(CVE-2007-2451)
The random number generator was hashing a subset of the available
entropy, leading to slightly less random numbers. Additionally, systems
without an entropy source would be seeded with the same inputs at boot
time, leading to a repeatable series of random numbers. (CVE-2007-2453)
The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors.
The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux kernel 2.6.21 through 2.6.23.7, and 2.6.24-rc through 2.6.24-rc2, allows remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference.
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack.
A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes
RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an
"out of bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2)
fib_props (fib_semantics.c, IPv4) functions. (CVE-2007-2172)
mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does not
prevent stack expansion from entering into reserved kernel page memory,
which allows local users to cause a denial of service (OOPS) via
unspecified vectors. (CVE-2007-3739)
The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer
ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do not check
permissions for ioctls, which might allow local users to cause a denial of
service or gain privileges. (CVE-2007-4308)
Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier
allows remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via long SMB responses that trigger the overflows in
the SendReceive function.
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures.
The drm/i915 component in the Linux kernel before 2.6.22.2, when used with
i965G and later chipsets, allows local users with access to an X11 session
and Direct Rendering Manager (DRM) to write to arbitrary memory locations
and gain privileges via a crafted batchbuffer. (CVE-2007-3851)
Linux kernel 2.4.35 and other versions allows local users to send arbitrary
signals to a child process that is running at higher privileges by causing
a setuid-root parent process to die, which delivers an attacker-controlled
parent process death signal (PR_SET_PDEATHSIG). (CVE-2007-3848)
Stack-based buffer overflow in the random number generator (RNG)
implementation in the Linux kernel before 2.6.22 might allow local root
users to cause a denial of service or gain privileges by setting the
default wakeup threshold to a value greater than the output pool size,
which triggers writing random numbers to the stack by the pool transfer
function involving "bound check ordering". NOTE: this issue might only
cross privilege boundaries in environments that have granular assignment of
privileges for root. (CVE-2007-3105)
The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
units, which allows local users to cause a denial of service (panic)
via unspecified vectors.
The disconnect method in the Philips USB Webcam (pwc) driver in Linux
kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
which allows user-assisted local attackers to cause a denial of service
(USB subsystem hang and CPU consumption in khubd) by not closing the
device after the disconnect is invoked. NOTE: this rarely crosses
privilege boundaries, unless the attacker can convince the victim to
unplug the affected device.
The sysfs_readdir function in the Linux kernel 2.6 allows local users to
cause a denial of service (kernel OOPS) by dereferencing a null pointer to
an inode in a dentry. (CVE-2007-3104)
The CIFS filesystem, when Unix extension support is enabled, did not honor
the umask of a process, which allowed local users to gain
privileges.(CVE-2007-3740)
The Linux kernel checked the wrong global variable for the CIFS sec mount
option, which might allow remote attackers to spoof CIFS network traffic
that the client configured for security signatures, as demonstrated by lack
of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843)
Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux
kernel allowed local users to have an unknown impact via a crafted argument
to the isdn_ioctl function. (CVE-2007-6063)
David Coffey discovered an uninitialized pointer free flaw in the
RPC library used by kadmind. A remote unauthenticated attacker who
could access kadmind could trigger the flaw causing kadmind to crash
or possibly execute arbitrary code (CVE-2007-2442).
David Coffey also discovered an overflow flaw in the same RPC library.
A remote unauthenticated attacker who could access kadmind could
trigger the flaw causing kadmind to crash or possibly execute arbitrary
code (CVE-2007-2443).
Finally, a stack buffer overflow vulnerability was found in kadmind
that allowed an unauthenticated user able to access kadmind the
ability to trigger the vulnerability and possibly execute arbitrary
code (CVE-2007-2798).
The kdamind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Tenable Network Security discovered a stack buffer overflow flaw in the RPC
library used by kadmind. A remote unauthenticated attacker who can access
kadmind could trigger this flaw and cause kadmind to crash.
Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A
remote unauthenticated attacker who can access kadmind could trigger this
flaw and cause kadmind to crash.
A flaw was found in the username handling of the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a target
machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001
Buffer overflows were found which affect the Kerberos KDC and the kadmin
server daemon. A remote attacker who can access the KDC could exploit this
bug to run arbitrary code with the privileges of the KDC or kadmin server
processes. MIT krb5 Security Advisory
2007-002
Stefan Cornelius from Secunia Research discovered that the
"parseIrcUrl()" function in file src/kvirc/kernel/kvi_ircurl.cpp does
not properly sanitize parts of the URI when building the command for
KVIrc's internal script system.
Stack-based buffer overflow in Little CMS (lmcs) before 1.15 allows remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via a crafted ICC profile in a JPG file.
mirror --script in lftp before 3.5.9 does not properly quote shell
metacharacters, which might allow remote user-assisted attackers to execute
shell commands via a malicious script. NOTE: it is not clear whether this
issue crosses security boundaries, since the script already supports
commands such as "get" which could overwrite executable files.
libarchive, a library for manipulating different streaming archive
formats, has a number of pax extension header vulnerabilities.
These may be used to cause a denial of service or for the execution
of arbitrary code.
Devon Miller reported a boundary error in the "print_iso9660_recurse()"
function in files cd-info.c and iso-info.c when processing long
filenames within Joliet images.
A remote attacker could entice a user to open a specially crafted ISO
image in the cd-info and iso-info applications, resulting in the
execution of arbitrary code with the privileges of the user running the
application. Applications linking against shared libraries of libcdio
are not affected.
From the Red Hat advisory: An integer overflow flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to execute arbitrary code, or crash.
From the Red Hat advisory: An infinite recursion flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to crash.
The GD library does not perform proper bounds checking when creating images; as a result, an attacker could, via crafted input, potentially execute arbitrary code.
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application.
Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21
allow remote attackers to cause a denial of service (crash) via crafted (1)
pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt
(png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT
(png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read
operations. (CVE-2007-5269)
pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical
instead of bitwise operations and (2) incorrect comparisons, which might
allow remote attackers to cause a denial of service (crash) via a crafted
PNG image. (CVE-2007-5268)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause
a denial of service (crash) via a crafted PNG image, due to an incorrect
fix for CVE-2007-5266. (CVE-2007-5267)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1
allows remote attackers to cause a denial of service (crash) via a crafted
PNG image that prevents a name field from being NULL terminated.
(CVE-2007-5266)
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
The lighttpd web server has multiple vulnerabilities involving
a remote access-control setting circumvention that is performed
by the sending of malformed requests. This can be used to crash
the server and cause a denial of service.
From the Debian advisory: Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an 'amd64' flavor kernel. ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory leading by issuing ioctls with unterminated data.
The vmsplice system call did not properly verify address arguments
passed by user space processes, which allowed local attackers to
overwrite arbitrary kernel memory, gaining root privileges
(CVE-2008-0010, CVE-2008-0600).
In the vserver-enabled kernels, a missing access check on certain
symlinks in /proc enabled local attackers to access resources in other
vservers (CVE-2008-0163).
Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. (CVE-2007-6206)
Hugh Dickins discovered an issue in the tmpfs filesystem where, under a rare circumstance, a kernel page maybe improperly cleared, leaking sensitive kernel memory to userspace or resulting in a DoS (crash). (CVE-2007-6417)
Neel Mehta and Ryan Smith discovered that the VMWare Player DHCP server
did not correctly handle certain packet structures. Remote attackers
could send specially crafted packets and gain root privileges.
(CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Rafal Wojtczvk discovered multiple memory corruption issues in VMWare
Player. Attackers with administrative privileges in a guest operating
system could cause a denial of service or possibly execute arbitrary
code on the host operating system. (CVE-2007-4496, CVE-2007-4497)
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Multiple cross-site scripting (XSS) vulnerabilities in Mailman before
2.1.10b1 allow remote attackers to inject arbitrary web script or HTML
via unspecified vectors related to (1) editing templates and (2) the
list's "info attribute" in the web administrator interface, a
different vulnerability than CVE-2006-3636.
Cross-site scripting (XSS) vulnerability in view.php in Mantis before 1.1.0 allows remote attackers to inject arbitrary web script or HTML via a filename.
CVE-2007-4542: Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI program.
CVE-2007-4629: Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.
From the Red Hat advisory: "Versions of mod_jk before 1.2.23 decoded request URLs by default inside
Apache httpd and forwarded the encoded URL to Tomcat, which itself did a
second decoding. If Tomcat was used behind mod_jk and configured to only
proxy some contexts, an attacker could construct a carefully crafted HTTP
request to work around the context restriction and potentially access
non-proxied content."
It was discovered that moin allowed to overwrite arbitrary files writable by the
user running moin using a crafted cookie with certain user IDs via a directory
traversal flaw. This updated package fixes this issue.
A flaw was discovered in MoinMoin's error reporting when using the
AttachFile action. By tricking a user into viewing a crafted MoinMoin
URL, an attacker could execute arbitrary JavaScript as the current
MoinMoin user, possibly exposing the user's authentication information
for the domain where MoinMoin was hosted.
A cross-site scripting (XSS) vulnerability in index.php in Moodle 1.7.1
allows remote attackers to inject arbitrary web script or HTML via a style
expression in the search parameter.
Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz:
Upgraded to firefox-2.0.0.12.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
patches/packages/seamonkey-1.1.8-i486-1_slack12.0.tgz:
Upgraded to seamonkey-1.1.8.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
+--------------------------+
MPlayer versions up to 1.0rc1 have a buffer overflow in the
loader/dmo/DMO_VideoDecoder.c DMO_VideoDecoder_Open function.
user-assisted remote attackers can use this to create a buffer overflow
and possibly execute arbitrary code.
Several buffer overflows have been discovered in the MPlayer movie player,
which might lead to the execution of arbitrary code. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0485:
Felipe Manzano and Anibal Sacco discovered a buffer overflow in
the demuxer for MOV files.
CVE-2008-0486:
Reimar Doeffinger discovered a buffer overflow in the FLAC header
parsing.
CVE-2008-0629:
Adam Bozanich discovered a buffer overflow in the CDDB access code.
CVE-2008-0630:
Adam Bozanich discovered a buffer overflow in URL parsing.
From the Gentoo advisory: nnp discovered multiple vulnerabilities in the XML-RPC handler in the
file webserver.c. The ws_addarg() function contains a format string
vulnerability, as it does not properly sanitize username and password
data from the "Authorization: Basic" HTTP header line (CVE-2007-5825).
The ws_decodepassword() and ws_getheaders() functions do not correctly
handle empty Authorization header lines, or header lines without a ':'
character, leading to NULL pointer dereferences (CVE-2007-5824).
MySQL subselect queries using "ORDER BY" can be used by an attacker with
access to a MySQL instance in order to create an intermittent denial
of service.
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server.
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226).
From the CVE entry: MySQL 5.0.x before 5.0.52, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and
5.1 before 5.1.18-beta, allows context-dependent attackers to cause a
denial of service (crash) via a crafted IF clause that results in a
divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not
require the DROP privilege for RENAME TABLE statements, which allows remote
authenticated users to rename arbitrary tables. (CVE-2007-2691)
The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before
5.1.18 does not restore THD::db_access privileges when returning from SQL
SECURITY INVOKER stored routines, which allows remote authenticated users
to gain privileges. (CVE-2007-2692)
MySQL Community Server before 5.0.45 allows remote authenticated users to
gain update privileges for a table in another database via a view that
refers to this external table. (CVE-2007-3782)
Philip Stoev discovered that the the federated engine of MySQL
did not properly handle responses with a small number of columns.
An authenticated user could use a crafted response to a SHOW
TABLE STATUS query and cause a denial of service.
From the Debian advisory: Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL implementation included in the MySQL database package, which could lead to denial of service and possibly the execution of arbitrary code.
Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
Buffer overflow in the redir function in check_http.c in Nagios Plugins
before 1.4.10 allows remote web servers to execute arbitrary code via long
Location header responses (redirects).
Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies.
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
From the Mandriva advisory: A buffer overflow in the giftopnm utility in netpbm prior to version 10.27 could allow attackers to have an unknown impact via a specially crafted GIF file.
Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3
proxy server written by Igor Sysoev. The "msie_refresh" directive could
allow cross site scripting.
Josh Burley reported that nss_ldap does not properly handle the LDAP
connections due to a race condition that can be triggered by
multi-threaded applications using nss_ldap, which might lead to
requested data being returned to a wrong process.
From the CVE entry: The BDB backend for slapd in OpenLDAP before 2.3.36,
allows remote authenticated users to cause a denial of service (crash) via
a potentially-successful modify operation with the NOOP control set to
critical, possibly due to a double free vulnerability.
The OpenLDAP Lightweight Directory Access Protocol suite has a problem
with handling of malformed objectClasses LDAP attributes by the slapd
daemon. Both local and remote attackers can use this to crash slapd,
causing a denial of service.
slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when
running as a proxy-caching server, allocates memory using a malloc variant
instead of calloc, which prevents an array from being initialized properly
and might allow attackers to cause a denial of service (segmentation fault)
via unknown vectors that prevent the array from being null terminated.
A heap overflow vulnerability has been discovered in the TIFF parsing
code of the OpenOffice.org suite. The parser uses untrusted values
from the TIFF file to calculate the number of bytes of memory to
allocate. A specially crafted TIFF image could trigger an integer
overflow and subsequently a buffer overflow that could cause the
execution of arbitrary code.
A security vulnerability in HSQLDB, the default database engine shipped with OpenOffice.org 2 (all versions), may allow attackers to execute arbitrary static Java code, by manipulating database documents to be opened by a user.
Openssh 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal hander and on portable OpenSSH a GSSAPI authentication abort
could be used to determine the validity of usernames on some platforms.
Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f
and 0.9.7 allows remote attackers to execute arbitrary code via unspecified
vectors.
From the Debian advisory: An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in the libssl library from OpenSSL, an implementation of Secure
Socket Layer cryptographic libraries and utilities. This error could
allow an attacker to crash an application making use of OpenSSL's libssl
library, or potentially execute arbitrary code in the security context
of the user running such an application.
The Opera browser has multiple vulnerabilities.
The JavaScript engine is vulnerable to a virtual function call on an invalid pointer that can be triggered by specially crafted JavaScript.
A freed pointer in the BitTorrent support may be
accessed, this can be used for malicious code execution.
The browser is vulnerable to several memory read protection
errors. There are URI display errors that can be used to trick
users into visiting arbitrary web sites.
PCRE has flaws in the way it handles malformed regular
expressions.
If an application linked against PCRE, such as Konqueror,
encounters a maliciously created regular expression, it may be possible
to run arbitrary code. Vulnerabilities CVE-2005-4872 and CVE-2006-7227
have been combined into CVE-2006-7224.
Multiple flaws were found in the way pcre handles certain malformed regular
expressions. If an application linked against pcre, such as Konqueror,
parses a malicious regular expression, it may be possible to run arbitrary
code as the user running the application. (CVE-2007-1659, CVE-2007-1660)
Specially crafted regular expressions could lead to buffer overflows in the pcre library. Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code as the user running the application.
Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the
end of the string when searching for unmatched brackets and parentheses,
which allows context-dependent attackers to cause a denial of service
(crash), possibly involving forward references. (CVE-2007-1662)
Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE)
library before 7.3 allows context-dependent attackers to execute arbitrary
code via a singleton Unicode sequence in a character class in a regex
pattern, which is incorrectly optimized. (CVE-2007-4768)
A heap-based buffer overflow in the handshakeHTTP function in servhs.cpp in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request.
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485).
Various integer overflow flaws were found in the PHP gd extension. A
script that could be forced to resize images from an untrusted source could
possibly allow a remote attacker to execute arbitrary code as the apache
user. (CVE-2007-3996)
A previous security update introduced a bug into PHP session cookie
handling. This could allow an attacker to stop a victim from viewing a
vulnerable web site if the victim has first visited a malicious web page
under the control of the attacker, and that page can set a cookie for the
vulnerable web site. (CVE-2007-4670)
A flaw was found in the PHP money_format function. If a remote attacker
was able to pass arbitrary data to the money_format function this could
possibly result in an information leak or denial of service. Note that is
is unusual for a PHP script to pass user-supplied data to the money_format
function. (CVE-2007-4658)
A flaw was found in the PHP wordwrap function. If a remote attacker was
able to pass arbitrary data to the wordwrap function this could possibly
result in a denial of service. (CVE-2007-3998)
A bug was found in PHP session cookie handling. This could allow an
attacker to create a cross-site cookie insertion attack if a victim follows
an untrusted carefully-crafted URL. (CVE-2007-3799)
A flaw was found in handling of dynamic changes to global variables. A
script which used certain functions which change global variables could
be forced to enable the register_globals configuration option, possibly
resulting in global variable injection. (CVE-2007-4659)
An integer overflow flaw was found in the PHP chunk_split function. If a
remote attacker was able to pass arbitrary data to the third argument of
chunk_split they could possibly execute arbitrary code as the apache user.
Note that it is unusual for a PHP script to use the chunk_split function
with a user-supplied third argument. (CVE-2007-4661)
The Hardened-PHP Project discovered buffer overflows in
htmlentities/htmlspecialchars internal routines to the PHP Project. Of
course the whole purpose of these functions is to be filled with user
input. (The overflow can only be when UTF-8 is used)
Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4,
allow remote attackers to obtain sensitive information (memory contents) or
cause a denial of service (thread crash) via a large len value to the (1)
strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE:
this affects different product versions than CVE-2007-3996.
(CVE-2007-4657)
Unspecified vulnerability in the chunk_split function in PHP before 5.2.4
has unknown impact and attack vectors, related to an incorrect size
calculation. (CVE-2007-4660)
Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4
has unknown impact and attack vectors. (CVE-2007-4662)
The php5 package contains multiple vulnerabilities, the most serious of which involve several Denial of Service attacks (application crashes and temporary application hangs). It is not currently known that these vulnerabilities can be exploited to execute malicious code.
CVE-2008-0471:
Private messaging allowed cross site request forgery, making
it possible to delete all private messages of a user by sending
them to a crafted web page.
CVE-2006-6841 / CVE-2006-6508:
Cross site request forgery enabled an attacker to perform various
actions on behalf of a logged in user. (Applies to sarge only)
CVE-2006-6840:
A negative start parameter could allow an attacker to create
invalid output. (Applies to sarge only)
CVE-2006-6839:
Redirection targets were not fully checked, leaving room for
unauthorised external redirections via a phpBB forum.
(Applies to sarge only)
CVE-2006-4758:
An authenticated forum administrator may upload files of any
type by using specially crafted filenames. (Applies to sarge only)
Several remote vulnerabilities have been discovered in phpMyAdmin, a
program to administrate MySQL over the web. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-1325:
The PMA_ArrayWalkRecursive function in libraries/common.lib.php
does not limit recursion on arrays provided by users, which allows
context-dependent attackers to cause a denial of service (web
server crash) via an array with many dimensions.
CVE-2007-1395:
Incomplete blacklist vulnerability in index.php allows remote
attackers to conduct cross-site scripting (XSS) attacks by
injecting arbitrary JavaScript or HTML in a (1) db or (2) table
parameter value followed by an uppercase </SCRIPT> end tag,
which bypasses the protection against lowercase </script>.
CVE-2007-2245:
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML via (1) the
fieldkey parameter to browse_foreigners.php or (2) certain input
to the PMA_sanitize function.
CVE-2006-6942:
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary HTML or web script via (1) a comment
for a table name, as exploited through (a) db_operations.php,
(2) the db parameter to (b) db_create.php, (3) the newname parameter
to db_operations.php, the (4) query_history_latest,
(5) query_history_latest_db, and (6) querydisplay_tab parameters to
(c) querywindow.php, and (7) the pos parameter to (d) sql.php.
CVE-2006-6944:
phpMyAdmin allows remote attackers to bypass Allow/Deny access rules
that use IP addresses via false headers.
Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin
2.11.1, when accessed by a browser that does not URL-encode requests,
allows remote attackers to inject arbitrary web script or HTML via the
query string.
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via
certain input available in (1) PHP_SELF in (a) server_status.php, and (b)
grab_globals.lib.php, (c) display_change_password.lib.php, and (d)
common.lib.php in libraries/; and certain input available in PHP_SELF and
(2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other
vectors related to (3) REQUEST_URI.
phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information
via a direct request for themes/darkblue_orange/layout.inc.php, which
reveals the path in an error message.
phpMyAdmin prior to version 2.11.2.1 has an SQL injection vulnerability
in db_create.php. Remote authenticated users with CREATE DATABASE privileges can use this to execute arbitrary SQL commands via the db parameter.
db_create.php also has a related cross-site scripting vulnerability.
Remote authenticated users can inject arbitrary web scripts or HTML
using a hex-encoded IMG element in the db parameter in a POST request.
A cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin
4.1.1 allows remote attackers to inject arbitrary web script or HTML via
the server parameter.
The xpdf and poppler PDF libraries contain several vulnerabilities which can lead to arbitrary command execution via hostile PDF files. Numerous other applications which use these libraries (PDF viewers, CUPS, etc.) will be affected by the vulnerabilities as well.
Several vulnerabilities have been found in the PostgreSQL database manager. The developers call the fixes "critical," but also note that, as of the time of the update, none of them were known to be exploited; see this advisory for more information.
Multiple integer overflows in the imageop module in Python 2.5.1 and
earlier allow context-dependent attackers to cause a denial of service
(application crash) and possibly obtain sensitive information (memory
contents) via crafted arguments to (1) the tovideo method, and unspecified
other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other
files, which trigger heap-based buffer overflows.
Trolltech Qt has a privilege escalation vulnerability.
An error can be triggered in QSslSocket when verifying SSL certificates,
attackers can use this to bypass the SSL certificate verification
and acquire unauthorized access to a vulnerable application.
The bgpd daemon in Quagga prior to 0.99.9 allowed remote BGP peers to cause
a denial of service crash via a malformed OPEN message or COMMUNITY
attribute.
rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
A format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.
The Samba user authentication is vulnerable to a heap-based buffer overflow.
Remote unauthenticated users can use this to crash the Samba server
and cause a denial of service.
A stack buffer overflow flaw was found in the way Samba authenticates
remote users. A remote unauthenticated user could trigger this flaw to
cause the Samba server to crash, or execute arbitrary code with the
permissions of the Samba server.
Samba's mechanism for creating NetBIOS replies is vulnerable to a
buffer overflow. Samba servers that are configured to run as a
WINS server can be crashed by a remote unauthenticated user,
execution of arbitrary code may also be possible.
scponly 4.6 and earlier allows remote authenticated users to bypass
intended restrictions and execute code by invoking dangerous subcommands
including (1) unison, (2) rsync, (3) svn, and (4) svnserve, as originally
demonstrated by creating a Subversion (SVN) repository with malicious
hooks, then using svn to trigger execution of those hooks. (CVE-2007-6350)
In addition, it was discovered that it was possible to invoke with scp
with certain options that may lead to execution of arbitrary commands.
(CVE-2007-6415).
From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
A flaw was found in the way squid stored HTTP headers for cached objects
in system memory. An attacker could cause squid to use additional memory,
and trigger high CPU usage when processing requests for certain cached
objects, possibly leading to a denial of service.
Subversion 1.4.3 and earlier does not properly implement the "partial
access" privilege for users who have access to changed paths but not copied
paths, which allows remote authenticated users to obtain sensitive
information (revision properties) via svn (1) propget, (2) proplist, or (3)
propedit.
An unspecified vulnerability involving an "incorrect use of system
classes" was reported by the Fujitsu security team. Additionally, Chris
Evans from the Google Security Team reported an integer overflow
resulting in a buffer overflow in the ICC parser used with JPG or BMP
files, and an incorrect open() call to /dev/tty when processing certain
BMP files.
A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in
teTeX might allow user-assisted remote attackers to overwrite files and
possibly execute arbitrary code via a long filename. NOTE: other overflows
exist but might not be exploitable, such as a heap-based overflow in the
check_idx function.
Joachim Schrod discovered several buffer overflow vulnerabilities and
an insecure temporary file creation in the "dvilj" application that is
used by dvips to convert DVI files to printer formats (CVE-2007-5937,
CVE-2007-5936). Bastien Roucaries reported that the "dvips" application
is vulnerable to two stack-based buffer overflows when processing DVI
documents with long \href{} URIs (CVE-2007-5935). teTeX also includes
code from Xpdf that is vulnerable to a memory corruption and two
heap-based buffer overflows (GLSA 200711-22); and it contains code from
T1Lib that is vulnerable to a buffer overflow when processing an overly
long font filename (GLSA 200710-12).
From the Mandriva advisory: The ReadImage() function in Tk did not check CodeSize read from GIF images prior to initializing the append array, which could lead to a buffer overflow with unknown impact.
The Tk toolkit's GIF-reading code contains a buffer overflow which could be exploited via a malicious image file. Fixes may be found in versions 8.4.12 and 8.3.5.
It was discovered that Tk could be made to overrun a buffer when loading
certain images. If a user were tricked into opening a specially crafted GIF
image, remote attackers could cause a denial of service or execute
arbitrary code with user privileges.
Jan Oravec reported that the "/usr/bin/tomboy" script sets the
"LD_LIBRARY_PATH" environment variable incorrectly, which might result
in the current working directory (.) to be included when searching for
dynamically linked libraries of the Mono Runtime application.
Note that the tomboy vulnerability was added in 2007.
Some JSPs within the 'examples' web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).
Note: it is recommended the 'examples' web application not be installed on
a production system.
The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450).
Tomcat was found treating single quote characters -- ' -- as delimiters in
cookies. This could allow remote attackers to obtain sensitive information,
such as session IDs, for session hijacking attacks (CVE-2007-3382).
It was reported Tomcat did not properly handle the following character
sequence in a cookie: \" (a backslash followed by a double-quote). It was
possible remote attackers could use this failure to obtain sensitive
information, such as session IDs, for session hijacking attacks
(CVE-2007-3385).
A cross-site scripting (XSS) vulnerability existed in the Host Manager
Servlet. This allowed remote attackers to inject arbitrary HTML and web
script via crafted requests (CVE-2007-3386).
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
The wireshark network traffic analyzer has three vulnerabilities
that can be used to create a denial of service. These include
off-by-one overflows in the iSeries dissector, vulnerabilities in
the MMS and SSL dissectors that can cause an infinite loop and
an off-by-one overflow in the DHCP/BOOTP dissector.
Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload.
Wireshark 0.99.5 allows remote attackers to cause a denial of service (memory consumption) via a malformed DCP ETSI packet that triggers an infinite loop.
Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML
generation toolkit, creates insecure temporary files in the eperl and
ipp backends and in the wmg.cgi script, which could lead to local denial
of service by overwriting files.
The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.
From the Gentoo alert:
Miroslav Lichvar discovered that the "xdg-open" and "xdg-email" shell
scripts do not properly sanitize their input before processing it.
A remote attacker could entice a user to open a specially crafted link
with a vulnerable application using Xdg-Utils (e.g. an email client),
resulting in the execution of arbitrary code with the privileges of the
user running the application.
iDefense reported an integer overflow flaw in the XFree86 XC-MISC
extension. A malicious authorized client could exploit this issue to cause
a denial of service (crash) or potentially execute arbitrary code with root
privileges on the XFree86 server. (CVE-2007-1003)
iDefense reported two integer overflows in the way X.org handled various
font files. A malicious local user could exploit these issues to
potentially execute arbitrary code with the privileges of the X.org server.
(CVE-2007-1351, CVE-2007-1352)
An integer overflow flaw was found in the XFree86 XGetPixel() function.
Improper use of this function could cause an application calling it to
function improperly, possibly leading to a crash or arbitrary code
execution. (CVE-2007-1667)
Moritz Jodeit discovered that the DirectShow loader of Xine did not
correctly validate the size of an allocated buffer. By tricking a user
into opening a specially crafted media file, an attacker could execute
arbitrary code with the user's privileges.
xine-lib contains a buffer overflow which could be exploited (via a specially-crafted stream) to execute arbitrary code; see this advisory for more information.
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
From the CVE entry: Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function.
xmms suffers from vulnerabilities in its handling of BMP images. Should a hostile image be included in an xmms skin, it could lead to code execution on the user's system.
From the X.org security advisory:
Several vulnerabilities have been identified in server code of the X
window system caused by lack of proper input validation on user
controlled data in various parts of the software, causing various
kinds of overflows.
The X.Org X11 xfs font server has a temp file vulnerability in the
startup script. A local user can modify the permissions of the script
in order to elevate their local privileges.
CVE-2007-1095:
Michal Zalewski discovered that the unload event handler had access to
the address of the next page to be loaded, which could allow information
disclosure or spoofing.
CVE-2007-2292:
Stefano Di Paola discovered that insufficient validation of user names
used in Digest authentication on a web site allows HTTP response splitting
attacks.
CVE-2007-3511:
It was discovered that insecure focus handling of the file upload
control can lead to information disclosure. This is a variant of
CVE-2006-2894.
CVE-2007-5334:
Eli Friedman discovered that web pages written in Xul markup can hide the
titlebar of windows, which can lead to spoofing attacks.
CVE-2007-5337:
Georgi Guninski discovered the insecure handling of smb:// and sftp:// URI
schemes may lead to information disclosure. This vulnerability is only
exploitable if Gnome-VFS support is present on the system.
CVE-2007-5338:
"moz_bug_r_a4" discovered that the protection scheme offered by XPCNativeWrappers
could be bypassed, which might allow privilege escalation.
CVE-2007-5339:
L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson, Olli Pettay,
Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of arbitrary code.
CVE-2007-5340:
Igor Bukanov, Eli Friedman, and Jesse Ruderman discovered crashes in the
Javascript engine, which might allow the execution of arbitrary code.
The current 2.6 development kernel is 2.6.25-rc2, released by Linus on
February 15. We are in the stabilization period now, so, as one would
expect, most of the changes are fixes. This prepatch also contains some
tweaks to the realtime group scheduling interface and the addition of a
multiple-probes capability to kernel markers. Says Linus: "I'm
optimistic that this release cycle won't be anywhere near the pain of what
24 was, which is why I'm just going to go off for the long weekend and stay
at the beach." See the
long-format changelog for the details.
As of this writing, just over 300 patches have gone into the mainline
repository since 2.6.25-rc2. They are mostly fixes, but there's also some
new watchdog drivers, a SMACK security module enhancement, and some fairly
large Video4Linux driver updates.
The current -mm tree is 2.6.25-rc2-mm1. Recent changes
to -mm include ext4 online defragmentation support and read-only bind mount
support.
For older kernels: 2.4.36.1 was released on
February 16; it contains a number of low-priority security fixes.
I claim that there's just not a single valid case of doing
wide-scale changes atomically and departing from the current
to-be-stabilized kernel tree materially. _Every_ large-scale API
change can be done in a staged way, with each subsystem adopting to
the change at their own pace, it just has to be planned well and
tested well enough and has to be executed persistently.
It is not often that one sees kernel developers in suits, so it is
impossible to resist putting up the following picture. Andrew Morton is attending
(along with your editor) the 2008 Linux Developer Symposium in Beijing,
China. This event, co-sponsored by the Linux Foundation and the Chinese
Open Source Promotion Union, is aimed at bringing Chinese developers more
deeply into the global Linux community. Look for a report in LWN next
week.
The kernel source level debugger, kgdb, has been around for a long time, but
never in the mainline tree. Linus Torvalds is not much of a fan of
debuggers in general and has always resisted the inclusion of kgdb. That
looks like it might be changing somewhat, with the inclusion of kgdb in
2.6.26 now a distinct possibility.
Over the years, Torvalds has made various pronouncements about debuggers,
particularly kernel debuggers, a long message to
linux-kernel in 2000 seems to outline his objections:
I happen to believe that not having a kernel debugger forces people to
think about their problem on a different level than with a debugger. I
think that without a debugger, you don't get into that mindset where you
know how it behaves, and then you fix it from there. Without a debugger,
you tend to think about problems another way. You want to understand
things on a different _level_.
An attempt to sneak kgdb into the mainline via x86 architecture updates
failed, but Torvalds did open the
door a crack towards merging the kgdb changes: "I won't even
consider pulling it unless it's offered as a separate tree, not mixed up
with other things. At that point I can give a look." That has
spawned the kgdb-light effort, spearheaded by Ingo Molnar.
The original hope to get it
included into 2.6.25 has been dashed, but with Molnar rapidly iterating
to address kernel hacker concerns, the amount of complaints seems to be
decreasing. Molnar is up to version 10 of the
kgdb-light patchset in something like three days since the first was
posted. The various linux-kernel threads show a number of very
hopeful developers waiting with bated breath to see if kgdb can finally
make its way into the mainline.
The light version of kgdb still has most of the capabilities of the
original kgdb and any additional, possibly more intrusive, features can be
added later. Molnar is clearly trying to do things the right way, with a
merge of the non-intrusive kgdb functionality that can eventually be used by multiple
architectures. He points out that there are already gdb remote stubs in
three separate architectures in the mainline, continuing:
So we could have done it the same way, by doing cp kernel/kgdb.c
arch/x86/kernel/gdb-stub.c and merging that. Nobody could have said a
_single_ word - we already have lowlevel UART code in early_printk.c
that we could have reused.
But we wanted to do it _right_ and not add an arch/x86/kernel/gdb-stub.c
special hack.
Discussions about the patches have been mostly to point out problems or
areas that need cleaning up. The philosophical objections have been mostly
avoided, quite possibly because Molnar has been scrupulously trying to make
a "no impact" set of patches:
this kgdb series has _obviously_ zero impact on the kernel,
because it just does not touch any dangerous codepath. From this point
on KGDB can evolve in small, well-controlled baby steps, as all other
kernel code as well.
To that end, the patch changes 22 files (rather than the 41 touched by the
original kgdb submission), removing "_all_ critical path
impact" and the low-level serial drivers—as Molnar points out,
kgdb should not be in the driver business. In addition, the "kgdb over
polled consoles" support has been reworked and cleaned up. Various hacks
to get at module symbols have been removed as a better solution for
that problem is needed. So far, no show stopping problems have been
identified, so it really seems to come down to what Torvalds thinks; for that,
we may have to wait until the 2.6.26 merge window opens in April or May.
This article was contributed by B. Rathmann (KoalaBR)
[Editor's note: the following is the first in a two-part article on the
status of the Nouveau project. This installment is an introductory piece
describing the problem; the second part (to appear in one week) looks at
how Nouveau development is being done and its current status.]
Nouveau is an effort to
create a complete open source driver for NVidia
graphics cards for X.org. It aims to support 2D and 3D acceleration from
the early NV04 cards up to the latest G80 Cards and work across all
supported architectures like x86-64, PPC and x86.
The project originated when Stéphane Marchesin set out to de-obfuscate parts
of the NVidia-maintained nv driver. However, NVidia had corporate policies
in place about the nv driver, and had no plans to change them at the
time. So they refused Stéphane's patches.
This left Stéphane with the greatest open source choice:
"fork it"! At FOSDEM in February 2006, Stéphane unveiled his plans for an
open source driver for NVidia hardware called Nouveau. The name was
suggested by his IRC client's French autoreplace feature which suggested
the word "nouveau" when he typed "nv". People liked it, so the name
stuck. The FOSDEM presentation got the project enough publicity to engage
the curiosity of other developers.
Ben Skeggs was one of the first developers to sign up. He had worked on reverse
engineering the R300 (one of ATI graphics chips) shader components and
writing parts of the R300 driver; as a result, he had great experience with graphics
drivers. He initially showed interest in the NV40 shaders only, but he got
caught in the event horizon and has worked on every aspect of the driver
for NV40 and later cards.
The project engaged other developers with short and long term interest. It
also generated a large amount of interest due to a pledge drive that an
independent user started.
However, the project was mainly developed on IRC and it was quite difficult
for newcomers to get any insight into previous development; reading
IRC logs is unpractical at best. With this in mind, KoalaBR decided to
start summarizing development in a series of articles known as the TiNDC
(The irregular Nouveau Development Companion). This series of articles
proved very useful for attracting developers and testers to the
project. TiNDC issues are published every two to four weeks; as of this
writing, the current issue is TiNDC
#34.
Linux.conf.au 2007 saw the first live demo of Nouveau. Dave Airlie had signed up to
give a talk on the subject; he managed to persuade Ben Skeggs that showing a
working glxgears demo would be a great finish to the talk. Ben toiled furiously
with the other developers to get the init code into shape for his laptop
card and the presentation was a great success.
After missing a Google Summer of Code place, X.org granted Nouveau a
Vacation of Code alternative. This saw Arthur Huillet join the team to
complete proper Xv support on Nouveau. Arthur saw the light and continued
with the project once the VoC ended.
In autumn 2007 Stuart Bennett and Maarten Maathuis vowed to get Nouveau's
RandR1.2 into a better shape. Since then a steady stream of patches has
advanced the code greatly.
The project now has 8 regular contributors (Stéphane Marchesin, Ben Skeggs,
Patrice Mandin, Arthur Huillet, Pekka Paalanen, Maarten Maathuis, Peter
Winters, Jeremy Kolb, Stuart Bennett) with many more part time
contributors, testers, writers and translators.
NVidia card families
This article will use the NVidia GPU technical names as opposed to marketing names.
GPU name
Product name(s)
NV04/05
Riva TNT, TNT2
NV1x
GeForce 256, GeForce 2, GeForce 4 MX
NV2x
GeForce 3, GeForce 4 Ti
NV3x
GeForce 5
NV4x(G7x)
GeForce 6, GeForce 7
NV5x(G8x)
GeForce 8
Where there are "N" and "G" naming the "N" variant (NV4x, NV5x) will be used.
Further information can be found on the Nouveau site.
Graphic Stack Overview
Before jumping into the Nouveau driver, this section provides a short
background on the mess that is the Linux graphics stack.
This stack has a long history dating back to Unix X
servers and the XFree86 project. This history has lead to a situation quite unlike
the driver situation for any other device on a Linux system. The graphics
drivers existed mainly in user space, provided by the XFree86 project, and
little or no kernel interaction was required. The user-space component known
as the DDX (Device-Dependant X) was responsible for initializing the card,
setting modes and providing acceleration for 2D operations.
The kernel also provided framebuffer drivers on certain systems to allow a
usable console before X started. The interaction between these drivers
and the X.org drivers was very complex and often caused many problems
regarding which driver "owned" the hardware.
The DRI project was started to add support for direct rendering of 3D
applications on Linux. This meant that an application could talk to the 3D
hardware directly, bypassing the X server. OpenGL was the standard 3D API, but
it is a complex interface which is definitely too large to
implement in-kernel. GPUs also provided completely different low-level
interfaces. So, due to the complexity of the higher level interface and
nonstandard nature of the hardware APIs, a kernel component (DRM) and a
userspace driver (DRI) were required to securely expose the hardware interfaces
and provide the OpenGL API.
Shortcomings of the current architecture have been noted over the past few
years; the current belief is that GPU initialization, memory management,
and mode setting need to migrate to the kernel in order to provide better
support for features such as suspend/resume, proper cohabitation of X and
framebuffer driver, kernel error reporting, and future graphics card
technologies.
The GPU memory manager implemented by Tungsten Graphics is known as TTM. It was originally designed as a
general VM memory manager but initially targeted at Intel hardware.
On top of this memory manager, a new modesetting architecture for the
kernel is being implemented. This is based on the RandR 1.2 work found in
the X.org server.
GPU architecture
Graphics cards are programmed in numerous ways, but most initialization and
mode setting is done via memory-mapped IO. This is just a set of registers
accessible to the CPU via its standard memory address space. The registers
in this address space are split up into ranges dealing with various
features of the graphics card such as mode setup, output control, or clock
configuration.
A longer explanation can be found on Wikipedia.
Most recent GPUs also provide some sort of command processing ability where
tasks can be offloaded from the CPU to be executed on the GPU, reducing the
amount of CPU time required to execute graphical operations. This
interface is commonly a FIFO implemented as a circular ring buffer into which
commands are pushed by the CPU for processing by the GPU. It is
located somewhere in a shared memory area (AGP memory, PCIGART, or video
RAM). The GPU will also have a set of state information that is used to
process these commands, usually known as a context.
Most modern GPUs only contain a single command processing state
machine. However NVidia hardware has always contained multiple independent
"channels" which consist of a private FIFO (push buffer), a graphics
context and a number of context objects. The push buffer contains the
commands to be processed by the card. The graphics context stores
application specific data such as matrices, texture unit configuration,
blending setup, shader information etc. Each channel has 8 subchannels to
which graphics objects are bound in order to be addressed by FIFO
commands.
Each NVidia card provides between 16 and 128 channels, depending on model;
these are assigned to different rendering-related tasks. Each 3D client has
an associated channel, while some are reserved for use in the kernel and
the X
server. Channels are context-switched by software via an interrupt (on older
cards) or automatically by the hardware on cards after the NV30.
Now what to store within the FIFO? Each NVidia card offers a set of
objects, each of which provide a set of methods related to a given task,
e.g. DMA memory transfers or rendering. Those methods are the ones used by
the driver (or on a higher level, the rendering application). Whenever a
client connects, it uses an ioctl() to create the channel. After that the
client creates the objects it needs via an additional ioctl().
Currently we do have two types of possible clients: X (via the DDX driver)
and OpenGL via DRI/MESA. An accelerated framebuffer using the new
mode setting architecture (nouveaufb) will also be a future client to avoid
conflicts with nvidiafb.
Let's have a look at a small number of objects:
object name
Description
Available on
NV_IMAGE_BLIT
2D engine, blit image from
one image into another one
NV03 NV04 NV10 NV20
NV12_IMAGE_BLIT
An enhanced version of the
above
NV11 NV20 NV20
NV30 NV40
NV_MEMORY_TO_MEMORY_FORMAT
DMA memory transfer
NV04 NV10 NV20 NV30 NV40 NV50
From this list, you can see that there are object types which are
available on all cards (NV_MEMORY_TO_MEMORY_FORMAT) while others are only
available on certain cards. For example, each class of card has its own
3D-engine object, such as NV10TCL on NV1x and NV20TCL on NV2x. An object
is identified by a unique number: its "class". This id is 0x5f for
NV_IMAGE_BLIT, 0x9f for NV12_IMAGE_BLIT and 0x39 for
NV_MEMORY_TO_MEMORY_FORMAT. If you want to use functionality provided by a
given object, you must first bind this object to a subchannel. The card
provides a certain number of subchannels which correspond to a certain
number of "active" (or "bound") objects.
A command in the FIFO is made of a command header, followed by one or more
parameters. The command header usually contains the subchannel number, the
method offset to be called, and the number of parameters (a command header
can also define a jump in the FIFO but this is outside the scope of this
document). Each method the object provides has an offset which has to be set in the
command.
In order to limit the number of command headers to be written, thereby
improving performance, NVidia cards will call several subsequent methods in
a row if you provide several parameters.
How do we refer to an object? The data written to the FIFO doesn't hold any
info about that... Binding an object to a subchannel is done by writing
the object ID as an argument to method number 0. For example: 00044000
5c00000c binds object id 5c00000c to subchannel 2. This object ID is used
as a key in a hash table kept in the card's memory which is filled up when
creating objects.
The creation of an object relies on special memory areas.
RAMIN is "instance memory", an area of memory through which the graphics
engines of the card are configured. A RAMIN area is present on all NVIDIA
chipsets in some form, but it has evolved quite a bit as newer chipsets have
been released. Basically, RAMIN is what contains the objects. An object is
usually not big (128 bytes in general, up to a few kilobytes in case of DMA
transfer objects).
Card-specific RAMIN areas
Pre-NV40
Area of dedicated internal memory accessible through the card's MMIO
registers.
NV4x
A 16MiB PCI resource is used to access PRAMIN. This
resource maps over the last
16MiB of VRAM. The first 1MiB of PRAMIN is also accessible through the (now "legacy")
MMIO PRAMIN aperture.
NV5x
A 32MiB PCI resource, which is unusable in the default power-on state of the card. It
can be configured in a variety of different ways through the NV5x virtual memory.
The legacy MMIO aperture can be re-mapped over any 1MiB of VRAM that's desired.
There are also a few specific areas in RAMIN that are worth mentioning:
RAMFC, the FIFO Context Table. It is a global table that stores the
configuration/state of the FIFO engine for each channel. It doesn't exist
in the same way on NV5x, where the FIFO has registers that contain pointers to each
channel's PFIFO state, rather than a single global table.
RAMHT, the FIFO hash table. A global table, used by PFIFO to locate context
objects, except on NV5x, where each channel has its own hash table.
When I was but a wee computer science student at New Mexico Tech, a
graduate student in OS handed me an inch-thick print-out and told me
that if I was really interested in operating systems, I had to read
this. It was something about a completely lock-free operating system
optimized using run-time code generation, written from scratch in
assembly running on a homemade two-CPU SMP with a two-word
compare-and-swap instruction - you know, nothing fancy. The print-out
I was holding was Alexia (formerly Henry) Massalin's PhD thesis, Synthesis: An
Efficient Implementation of Fundamental Operating Systems Services
(html version
here). Dutifully, I read the entire 158 pages. At the end, I
realized that I understood not a word of it, right up to and including
the cartoon of a koala saying "QUA!" at the end. Okay, I exaggerate -
lock-free algorithms had been a hobby of mine for the previous few
months - but the main point I came away with was that there was a lot
of cool stuff in operating systems that I had yet to learn.
Every year or two after that, I'd pick up my now bedraggled copy of
"Synthesis" and reread it, and every time I would understand a little
bit more. First came the lock-free algorithms, then the run-time code
generation, then quajects. The individual techniques were not always
new in and of themselves, but in Synthesis they were developed,
elaborated, and implemented throughout a fully functioning UNIX-style
operating system. I still don't understand all of Synthesis, but I
understand enough now to realize that my grad student friend was
right: anyone really interested in operating systems should read this
thesis.
Run-time code generation
The name "Synthesis" comes from run-time code generation - code
synthesis - used to optimize and re-optimize kernel routines in
response to changing conditions. The concept of optimizing code
during run-time is by now familiar to many programmers in part from
Transmeta's processor-level code optimization, used to lower power
consumption (and many programmers are familiar with Transmeta as the
one-time employer of Linus Torvalds.)
Run-time code generation in Synthesis begins with some level of
compile-time optimization, optimizations that will be efficient
regardless of the run-time environment. The result can thought of as a
template for the final code, with "holes" where the run-time data will
go. The run-time code generation then takes advantage of
data-dependent optimizations. For example, if the code evaluates A *
B, and at run-time we discover that B is always 1, then we can generate
more efficient code that skips the multiplication step and run that
code instead of the original. Fully optimized versions of the code
pre-computed for common data values can be simply swapped in without
any further run-time computation. Another example from the thesis:
[...] Suppose that the compiler knows, either through static
control-flow analysis, or simply by the programmer telling it through
some directives, that the function f(p1, ...) = 4 * p1 +
... will be specialized at run-time for constant p1. The compiler can
deduce that the expression 4 * p1 will reduce to a constant, but it
does not know what particular value that constant will have. It can
capture this knowledge in a custom code generator for f that
computes the value 4 * p1 when p1 becomes known and stores it in the
correct spot in the machine code of the specialized function
f, bypassing the need for analysis at run-time.
Run-time code generation in Synthesis is a fusion of compile-time and
run-time optimizations in which useful code templates are created at
compile time that can later be optimized simply and cleanly at run
time.
Quajects
Understanding run-time code generation is a prerequisite for
understanding quajects, the basic unit out of which the Synthesis
kernel is constructed. Quajects are almost but not quite entirely
unlike objects. Like objects, quajects come in types - queue quaject,
thread quaject, buffer quaject - and encapsulate all the data
associated with the quaject. Unlike objects, which contain pointers
to functions implementing their methods, quajects contain the code
implementing their methods directly. That's right - the actual
executable instructions are stored inside the data structure of the
quaject, with the code nestled up against the data it will operate on.
In cases where the code is too large to fit in the quaject, the code
jumps out to the rest of the method located elsewhere in memory. The
code implementing the methods is created by filling in pre-compiled
templates and can be self-modifying as well.
Quajects interact with other quajects via a direct and simple system
of cross-quaject calls: callentries, callouts, and callbacks. The
user of quaject invokes callentries in the quaject, which implement
that quaject's methods. Usually the callentry returns back to the
caller as normal, but in exceptional situations the quaject will
invoke a method in the caller's quaject - a callback. Callouts are
places where a quaject invokes some other quaject's callentries.
Synthesis implements a basic set of quajects - thread, queue, buffer,
clock, etc. - and builds higher-level structures by combining
lower-level quajects. For example, a UNIX process is constructed out
of a thread quaject, a memory quaject, and some I/O quajects.
As an example, let's look at the queue quaject's interface. A queue
has two callentries, queue_put and queue_get. These
are invoked by another quaject wanting to add or remove entries to and
from the queue. The queue quaject also has four callbacks into the
caller's quaject, queue_full, queue_full-1,
queue_empty, and queue_empty-1. When a caller
invokes the queue_put method and the queue is full, the queue
quaject invokes the queue_full callback in the caller's
quaject. From the thesis:
The idea is: instead of returning a condition code for interpretation
by the invoker, the queue quaject directly calls the appropriate
handling routines supplied by the invoker, speeding execution by
eliminating the interpretation of return status codes.
The queue_full-1 method is executed when a queue has
transitioned from full to not full, queue_empty when the queue doesn't
contain anything, and queue_empty-1 when the queue
transitions from empty to not empty. With these six callentries and
callbacks, a queue is implemented in a generic, extensible, yet
incredibly efficient manner.
Pretty cool stuff, huh? But wait, there's more!
Optimistic lock-free synchronization
Most modern operating systems use a combination of interrupt disabling
and locks to synchronize access to shared data structures and
guarantee single-threaded execution of critical sections in general.
The most popular synchronization primitive in Linux is the spinlock,
implemented with the nearly universal test-and-set-bit atomic
operation. When one thread attempts to acquire the spinlock guarding
some critical section, it busy-waits, repeatedly trying to acquire the
spinlock until it succeeds.
Synchronization based on locks works well enough but it has several
problems: contention, deadlock, and priority inversion. Each of these
problems can be (and is) worked around by following strict rules: keep
the critical section short, always acquire locks in the same order,
and implement various more-or-less complex methods of priority
inheritance. Defining, implementing, and following these rules is
non-trivial and a source of a lot of the pain involved in writing code
for modern operating systems.
To address these problems, Maurice Herlihy proposed a system of
lock-free synchronization using an atomic compare-and-swap
instruction. Compare-and-swap takes the address of a word, the
previous value of the word, and the desired new value of the word. It
swaps the previous and new values of the word if and only if the
previous value is the same as the current value. The bare
compare-and-swap instruction allows atomic updates of single pointers.
To atomically switch between larger data structures, a new copy of the
data structure is created, updated with the changes, and the addresses
of the two data structures swapped. If the compare-and-swap fails
because some other thread has updated the value, the operation is
retried until it succeeds.
Lock-free synchronization eliminates deadlocks, the need for strict
lock ordering rules, and priority inversion (contention on the
compare-and-swap instruction itself is still a concern, but rarely
observed in the wild). The main drawback of Herlihy's algorithms is
that they require a lot of data copying for anything more complex than
swapping two addresses, making the total cost of the operation greater
than the cost of locking algorithms in many cases. Massalin took
advantage of the two-word compare-and-swap instruction available in
the Motorola 68030 and expanded on Herlihy's work to implement
lock-free and copy-free synchronization of queues, stacks, and linked
lists. She then took a novel approach: Rather than choose a general
synchronization technique (like spinlocks) and apply it to arbitrary
data structures and operations, instead build the operating system out
of data structures simple enough to be updated in an efficient
lock-free manner.
Synthesis is actually even cooler than lock-free: Given the system of
quajects, code synthesis, and callbacks, operations on data structures
can be completely synchronization-free in common situations. For
example, a single-producer, single-consumer queue can be updated
concurrently without any kind of synchronization as long as the queue
is non-empty, since each thread operates on only one end of the queue.
When the callback for queue empty happens, the code to operate on the
queue is switched to use the lock-free synchronization code. When the
quaject's queue-not-empty callback is invoked, the quajects switch
back to the synchronization-free code. (This specific algorithm is
not, to my knowledge, described in detail in the thesis, but was
imparted to me some months ago by Dr. Massalin herself at one of those
wild late-night kernel programmer parties, so take my description with
a grain of salt.)
The approach to synchronization in Synthesis is summarized in the
following quote:
Avoid synchronization whenever possible.
Encode shared data into one or two machine words.
Express the operation in terms of one or more fast lock-free data
structure operations.
Partition the work into two parts: a part that can be done
lock-free, and a part that can be postponed to a time when there can
be no interference.
Use a server thread to serialize the operation. Communications
with the server happens using concurrent, lock-free queues.
The last two points will sound familiar if you're aware of Paul McKenney's
read-copy-update (RCU) algorithm. In Synthesis, thread structures
to be deleted or removed from the run queue are marked as such, and
then actually deleted or removed by the scheduler thread during normal
traversal of the run queue. In RCU, the reference to a list entry is
removed from the linked list while holding the list lock, but the
removed list entry is not actually freed until it can be guaranteed
that no reader is accessing that entry. In both cases, reads are
synchronization-free, but deletes are separated into two phases, one
that begins the operation in an efficient low-contention manner, and a
second, deferred, synchronization-free phase to complete the
operation. The two techniques are by no means the same, but share a
similar philosophy.
Synthesis: Operating system of the future?
The design principles of Synthesis, while powerful and generic, still
have some major drawbacks. The algorithms are difficult to understand
and implement for regular human beings (or kernel programmers, for
that matter). As Linux has demonstrated, making kernel development
simple enough that a wide variety of people can contribute has some
significant payoffs. Another drawback is that two-word
compare-and-swap is, shall we say, not a common feature of modern
processors. Lock-free synchronization can be achieved without this
instruction, but it is far less efficient. In my opinion, reading
this paper is valuable more for retraining the way your brain thinks
about synchronization than for copying the exact algorithms. This
thesis is especially valuable reading for people interested in
low-latency or real-time response, since one of the explicit goals of
Synthesis is support for real-time sound processing.
Finally, I want to note that Synthesis contains many more elegant
ideas that I couldn't cover in even the most superficial detail -
quaject-based user/kernel interface, per-process exception tables,
scheduling based on I/O rates, etc., etc. And while the exact
implementation details are fascinating, the thesis is also peppered
with delightful koan-like statements about design patterns for
operating systems. Any time you're feeling bored with operating
systems, sit down and read a chapter of this thesis.
[ Valerie Henson is a Linux file
systems consultant and proud recipient of a piggy-back ride from
Dr. Alexia Massalin. ]
It is an exciting time for free software as massive strides forward
have been made in increasing both market share and mind share within
the less technically orientated circles of society. Ubuntu is now
available pre-installed on Dell systems, SUSE on Lenovo systems, the
Xandros based eeePC has sold millions already and the One Laptop Per
Child project has gone into mass production. Stephen Fry, the popular
British actor, is even pledging his support
in national newspapers. Taking advantage of this momentum and using it
to help extend existing communities is going to be vital for any free
software project, and with this in mind Fedora is seeking to set
itself on solid ground with a revitalised marketing effort which hopes
to both define Fedora's position in the world and find new ways of
growing its user and contributor base.
Recently the first tentative steps have been made along this path with
the revitalising of Fedora's community marketing team. In Fedora talk
there is now an official Special Interest Group (SIG). Following on from a
session at the recent Fedora Users' and Developers' Conference the SIG
is gaining a lot of momentum, with input from Red Hat's professional
marketing team pouring in. This help is being provided on top of their
Red Hat duties, and so their involvement is exactly the same as that
of any other community members. So far their contributions have
largely been aiding the creation of a long term marketing
plan for Fedora, which will help to provide a more consistent message
across Fedora's many outlets. This means that not only will Fedora's
community Ambassadors be better briefed on what the key promotional
aspects of Fedora are, but they'll have a better understanding of the
best methods to achieve this and more support in terms of marketing
collateral. The same benefits will also apply to Fedora's online
marketing efforts, including their Developer
Interviews and Release
Overviews.
Creating this plan still depends on overcoming a number of challenges.
Foremost amongst these is understanding exactly what Fedora is, and
what its target audience is. Recently Fedora has gone from being a
simple distribution, to the upstream for an increasing number of
projects. Thanks to its open build tools and custom re-spinning
applications there are a growing number of custom spins, and
other projects such as the Creative Commons LiveContent CDs
and DVDs, as well as offerings from the Fedora Unity Project. Graphical tools
such as Revisor have made
re-spinning easy. Other Fedora derivatives, notably Red Hat Enterprise
Linux and the OLPC, don't rely on the custom re-spinning applications, but
do rely on Fedora source code to build their distributions.
To accompany this, and widening Fedora's mission even further is the newly
launched beta of a service called Fedora
TV. Its goals are to encourage the use and development of free media
formats such as OGG Vorbis/Theora, PNGs and SVGs, as well as encouraging
the continued development of the free software tools to create media in
these formats.
This is not to say that Fedora is no longer focused on its core
purpose of providing a distribution which showcases the latest and
greatest free software has to offer. Fedora 9 (Sulphur) Alpha was
released recently and a quick glance at its release
notes shows a lot of interesting new features appearing. Along
with the usual bundle of software updates, including KDE 4 and GNOME
2.21.4, a lot of attention has been given to Anaconda, Fedora's system
installer. In particular Anaconda now has the ability to resize partitions
as well as create and install the system on encrypted partitions. Also
exciting is the inclusion of FreeIPA, a system
which "... combines the power of the Fedora Directory Server with
FreeRADIUS, MIT Kerberos, NTP and DNS to provide an easy, out of the box
solution" for managing various auditing, identity and policy
processes. If the events following Fedora 8's release are anything to go
by, we can expect to see many of these features appearing in other
distributions during the autumn 2008 and spring 2009 release cycles.
Also a significant challenge for the Fedora Marketing SIG is not just
defining what Fedora is, but persuading people that they want to be a
part of it. In the short term this means promoting the large amount of
work that Fedora does upstream and making it as easy as possible for people
to get involved by lowering their barriers to entry. In the long term this
means, as Paul Frields, Fedora's new project leader, recently commented,
overcoming the "... decline of volunteerism in the USA overall
..."
Of course, talk and good intentions are wonderful, but without
practical results are meaningless. To this end the Fedora Marketing
SIG is already beginning to pick up speed. Concrete, long term plans
are being laid with the aid of Red Hat's professionals; and in the
short term Fedora seems to be cropping up in popular news sites more
often than it has done for quite a while. Fedora developers are gaining
increased recognition for the work that they put in, which often shows up
in other distributions. With the release of Fedora 9 (Sulphur) Alpha, and
the increased attention that this received in comparison to previous early
development releases, as well as an already impressive set of new features,
the future seems bright.
The CentOS Development team has announced the availability of the CentOS
5.1 i386 Live CD. This live CD can be used as a workstation, or as a
rescue disk. Click below for more information.
Debian has released its third update to etch, collecting together all of the updates since the original etch release for new installations. "This update
mainly adds corrections for security problems to the stable release,
along with a few adjustment to serious problems." Note that the update for the recent kernel local root privilege escalation problem did not make into this release is not listed as being fixed, but appears to be. Click below for more details.
The second beta of Mandriva Linux 2008.1 is available for testing.
"This pre-release brings recognition of other installed distributions
during installation, NTFS-3G (with write support) by default for all NTFS
partitions, significant improvements to the Mandriva graphical software
management tool and more."
The latest and greatest version of pg_live, 8.3.0.1, is ready for
download. "For those who don't know, pg_live is the [PostgreSQL]
community's Linux Live CD, and is now 4 years old! The objective of
pg_live is to introduce PostgreSQL to both the general public and seasoned
DBA."
For those who would rather run pure Debian on their eeePC, the Debian eeePC
team reports that there has been progress. "Thanks to the efforts of
numerous users and developers who are being added to our ranks daily, we
expect by the time Lenny releases we will be well on our way to providing a
pure Debian solution for the Eee. Whether or not everything needed for the
Eee is in Lenny at that time remains to be seen. We need to allow for how
long it takes to get new drivers into the kernel. But if we miss the
release, we will certainly provide backports and look forward to full
support in the following release."
Now that Ubuntu 8.04 LTS (Hardy Heron) is now past feature freeze, it's time to look forward to
the next Ubuntu release. "And so I'd like to introduce you to the
Intrepid Ibex, the release which is planned for October 2008, and which is
likely to have the version number 8.10. During the 8.10 cycle we will be
venturing into interesting new territory, and we'll need the rugged
adventurousness of a mountain goat to navigate tricky terrain. Our desktop
offering will once again be a focal point as we re-engineer the user
interaction model so that Ubuntu works as well on a high-end workstation as
it does on a feisty little subnotebook. We'll also be reaching new peaks of
performance - aiming to make the mobile desktop as productive as
possible."
The Fedora Weekly News for February 11, 2008 is out. Topics include
"Announcing Fedora 8 Xfce Spin", Planet Fedora articles "KDE 4 Interview",
"Announcing Fedora Ambassadors Wall", "Insert favorite Elvis joke here",
"Publican - the 'new' Documentation Publisher", and "SCALE 6X Trip Report",
and much more.
The Gentoo Monthly Newsletter for February 18, 2008 looks at GMN feedback
and improvements, Gentoo Trustee Elections, kernel security exploits:
upgrade ASAP, KDE 4.0.1 in the tree, Council Meeting Summary, and several
other topics.
The OpenSUSE
Weekly News for the week starting February 11, 2008 covers SUSE Hack
Week Innovations, FOSDEM 2008 - This Weekend, In Tips and Tricks: How to
Enable 3rd-party Upgrades, and much more.
The DistroWatch
Weekly for February 18, 2008 is out. "Do you trust your
distribution? Does it have what it takes to provide you with important and
timely updates? The issue of operating system and applications security in
the era of millions of interconnected multi-user computing systems is more
important than ever. In this week's issue we investigate how different
Linux distributions handled the much-publicised vmsplice() privilege
escalation exploit announced last week. In the news section, the Fedora
developer community offers more desktop options to their users, VectorLinux
announces a fast, light edition designed for old hardware, and
ex-Linspire's Kevin Carmony goes doom and gloom on the CNR.com software
installation service. Looking ahead, this week is likely to deliver further
opportunities for heavy distro testing with the upcoming arrival of the
fifth alpha of Ubuntu 8.04 and the first release candidate for Mandriva
Linux 2008.1."
Jonathan Roberts continues his series of interviews on the Fedora wiki, by chatting with members of the KDE Special Interest Group (SIG) about including KDE 4 in Fedora 9. "Kevin Kofler: I am personally doing my best to fight that reputation within the KDE community, and that, together with what we accomplished within Fedora to make KDE a first class citizen, is starting to pay off. There has always been lots of animosity against Fedora on dot.kde.org, the KDE news site, mostly due to old gripes against Red Hat Linux 8.0 (and some of that will probably never go away, it's like the old 'Qt is not free' troll which is completely obsolete, yet still comes up from time to time), but lately there have been more and more positive echoes. Doing such PR is not an easy task though, as even correcting obvious inaccuracies can be perceived as flamebait (and thus backfire). On the other front, within Fedora, we're all working on getting KDE recognized as much as possible, ensuring it gets the first class citizen treatment it deserves. All in all, I'm happy with where we're headed."
Matt Asay talks
with the new Fedora leader Paul Frields, in this C|Net blog.
"What is your background? How did you get involved in
Fedora? I started with Fedora in the documentation group in
2003. After working in documentation I moved into packaging (Fedora
Extras), art work, marketing, translation, and other areas of Fedora
(mostly "collateral" groups). I'm not a hard-core software developer. I've
tended to get involved in all the other areas of Fedora."
Linux-Watch
takes a look at the Linpus Linux Lite distribution.
"Linpus Technologies has long been known in Taiwan for its Linux distributions. Now, it wants to become a player in the global Linux market with its new Linux distribution Linpus Linux Lite, which features a dual-mode user interface. One mode is for people who may never have used a computer before; the other is for experienced Linux users.
According to the company, these two modes are Easy and Normal."
eWeek has a review
of the Lenovo ThinkPad T61 with SLED 10 pre-installed. "Right off
the bat we found that that the fingerprint reader, the USB ports, the
integrated wireless (Wi-Fi and Bluetooth), the sound card, the networking
and so on all were well-supported and work as expected. That is no small
task considering how fickle Linux drivers can be and how much of Lenovo's
ThinkPad technology is proprietary."
On February 14, 2008 the
Boulder Linux Users Group
presented a talk by Rob Savoye entitled
Gnash, and the quest for Open Media politics and legalities.
This article aims to cover some of the key points raised by Rob.
The Gnash
home page describes the project:
Gnash is a GNU
Flash movie player.
Previously, it was only possible to play flash movies with proprietary software. While there are some other free flash players, none support anything beyond SWF v4. Gnash is based on
GameSWF,
and supports many SWF v7 features.
Gnash is cross-platform software. It currently works on the Linux,
MacOS, Windows and some embedded platforms. Under Linux, it runs on
the KDE, Gnome and FLTK desktop environments. Gnash can be run in
standalone mode or as a browser plugin for Mozilla Firefox and
Konqueror. The software currently runs on small platforms such as
cell phones and PDAs, larger desktop systems and game platforms.
Gnash does not yet run on the
ROCKbox platform, but that is an interesting idea.
Gnash has been developed with efficiency in mind from the beginning.
One of the main design goals has been to trap all possible errors
and deal with them correctly.
OMNow is a foundation dedicated to the development, support and empowerment of an open media infrastructure. Upon this infrastructure stand companies and individuals who need free media solutions. Free media solutions save companies money and give them control over product technology. Such solutions support individuals by offering them legal ways to create, distribute and display their creative works. Our foundation opens the media market by actively developing operating system-agnostic and cross-platform solutions.
Gnash development originally started because of a need for an open-source
alternative to proprietary Flash/FLV players.
Red Hat's Bob Young is supporting the Gnash project. His desire was to
have a legal, but free client that allowed Linux users to view
online video sites like YouTube.
Gnash development has been done using a
Clean room reverse engineering technique.
By agreeing to the license for the Adobe (formerly Shockwave) Flash
player, a developer gives up the right to develop a competing product.
This has limited the input from some "tainted" developers to only
remotely testing the application and reporting bugs.
Rob made a number of comments on the Gnash development process.
Reverse engineering of a proprietary format has been
tricky, it involved a lot of effort from numerous people.
Developers involved in this type of project require a lot of
personal motivation.
After enough hours staring at hex dumps, one is able to recognize
data structures and read the text represented by hex-encoded ASCII.
Patterns emerge in the hex output, some apparent bugs have even been
found in the data generated by proprietary CODECs.
The Gnash project has wider goals than just providing a free
media player. The writing of open-source creation tools, servers
and clients is in the planning stages.
One interesting concept is to have Gnash negotiate with a content
server and automatically switch to a free CODEC mid stream.
There are plans to support a broader selection of free video
CODECs. This is somewhat hampered by the numerous and fuzzy
legal issues around CODECs.
FLV is currently the most common online video format,
it tends to lock users in and has successfully locked in the market.
Gnash hopes to break this lock by giving Gnash free CODECs with
more features such as higher quality video and better bandwidth
utilization.
Interestingly, the mobile phone platform, which has a much
quicker design cycle turnaround, may lead the way for open video
formats. Due to its small memory footprint, Gnash is often the best,
if not only option for providing video on phones.
Patent-free CODECs can have a large appeal to content providers.
With proprietary CODECs, it is up to the provider to pay the licensing
fees. This can often consume most of the profit such an organization
brings in. Free CODECs will enable a much larger group of content
providers to open up.
The Wikipedia online encyclopedia project has recently started
experimenting with a collaborative video project.
Rob mentioned one interesting side topic that applies to many free
software projects. There are three stages of project development.
The first is making software that works in basic way. This is relatively
easy, and is where many projects get stuck. The next stage is to
make the software work well. Some, but not many, free software projects
graduate to this level. The last stage is to make a product.
This is something that only a few free software projects ever achieve.
A product works well for almost all users and is easy to figure out.
Bugs are rarely encountered. It can take more effort to move to the
product level than the other stages combined.
Wrapping things up, Rob mentioned that the Gnash project is very much
in need of some assistance from a GUI expert, knowledge of both KDE
and GNOME is desirable. Interested people should apply.
Also, a new release of Gnash should be out fairly soon.
Version 0.15 of DNX has been
announced.
"Distributed Nagios eXecutor (DNX) is a NEB module, server, and client daemons which allow the check plug-ins to execute across multiple "worker nodes" in a load distribution cluster.
It's been four months since our last release, but we've been working hard the whole time. This release sports several major improvements, not the least of which is that we're building packages for various Linux distributions on the OpenSuSE Build Service."
Version 5.1.23-rc of the MySQL DBMS has been announced, many changes are
included.
"We are proud to present to you the MySQL Server 5.1.23-rc release,
a new "release candidate" version of the popular open source database.
Bear in mind that this is still a "candidate" release, and as with any
other pre-production release, caution should be taken when installing on
production level systems or systems with critical data."
Version 1.9.1 of BusyBox,
a collection of command line utilities for embedded systems, has been announced.
"This is a bugfix-only release, with fixes to fsck, iproute, mdev, mkswap, msh, nameif, stty, test, zcip.
hush has `command` expansion re-enabled for NOMMU, although it is inherently unsafe (by virtue of NOMMU's use of vfork instead of fork). The plan is to make this less likely to bite people in future versions."
Version 0.8 of allmydata.org "Tahoe", a secure, decentralized, fault-tolerant
filesystem, is out.
"This release improves performance, diagnostics, and packaging. This
release of allmydata.org "Tahoe" will form the basis of the next
consumer backup product from Allmydata, Inc."
Version 6.9 of TestDisk has been
announced,
it features many improvements.
"TestDisk is a powerful free data recovery program! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting your Partition Table)."
Version 1.0 of Chillifire Hotspot has been
announced.
"Chillifire is a turn-key hotspot solution. Users purchase internet access time online via credit card or PayPal account. One or many hotspots can be supported per account."
The oVirt project has been
announced.
"It is my pleasure to announce oVirt, the next step in open virtual
machine management. oVirt is:
A small OS image that runs libvirt and hosts virtual machines,
A Web-based virtual machine management console"
(Thanks to Daniel P. Berrange).
Version 6.0 of Drupal, a web content management system, has been
announced.
"After one year of development we are ready to release Drupal 6.0 to the world. Thanks to the tireless work of the Drupal community, over 1,600 issues have been resolved during the Drupal 6.0 release cycle. These changes are evident in Drupal 6's major usability improvements, security and maintainability advancements, friendlier installer, and expanded development framework. Further, from bug fix to feature request, these issues follow-through on the Drupal project's continued commitment to deliver flexibility and power to themers and developers."
(Thanks to Jakob Petsovits).
A new version of HttpBot has been announced.
"This project automates Http-requests i.e. all browser activities can be logged/written to XML-formated files and redone by using simple methods. This is very useful for automating http-server-requests e.g. queries to search engines, external databases.."
Version 3.11.2 of rsyslog, an enhanced replacement for the syslog
logging utility, has been
announced.
"Rsyslog 3.11.2 has just been released. Now it has the ability to convert
text files into syslog. This is done by the imfile plugin, which
monitors text files. A new libdbi-based output plugin has been written.
This adds six additional databases (including Firebird and Oracle) to
the supported database set. Also contains small bug fixes. Version
3.11.2 is a recommended release for all version 3 users."
Version 0.109.2 of Jack,
the Jack Audio Connection Kit, has been announced.
"As always, releasing reveals issues... and then they get solved... so we release..."
Version 2.40 of
Ploticus,
a data plotting utility, has been announced.
This release adds some new functionality and includes numerous bug fixes.
See the
what's new
document for change details.
Version 2.21.91 of the GNOME desktop has been released.
"This is our second beta release on our road towards GNOME 2.22.0, which
will be released in March 2008. your mission is simple : Go download it.
Go compile it. Go test it. And go hack on it, document it, translate it,
fix it."
Version 2.21.91 of GARNOME, the bleeding-edge GNOME distribution,
has been announced.
"We are pleased to announce the release of GARNOME 2.21.91 Desktop and
Developer Platform. This is the second beta release on our road towards
GNOME 2.22.0, which will be released in March 2008.
This release does not come with more features -- but more fixes! It is
for anyone who'd like to get a peek at future features, or who wants to
help spot remaining issues and smoke-test."
Version 3.5.9 of KDE has been
announced.
"The KDE Community today announced the immediate availability of KDE 3.5.9, a maintenance release for the latest generation of the most advanced and powerful free desktop for GNU/Linux and other UNIXes. The most important changes have been made to the KDE-PIM applications, including the KMail email client, KOrganizer, a planning application and other components."
KDE.News notes
some PIM improvements in KDE 3.5.9.
"The KDE community is happy to announce another update for the KDE 3 branch. KDE 3.5.9 is the latest bugfix and translation update for those who cannot or do not want to switch to KDE 4 yet. While currently no subsequent release for KDE 3 is planned, we will make sure to provide updates as they are needed to run your KDE3 smoothly also in the future.
The KDE-PIM enterprise branch that has enhanced functionality and stability in the PIM components KMail, KOrganizer, KAddressbook, KAlarm and of course its shell Kontact is merged back as official part into the KDE3 branch."
Version 20080206 of gwave has been
announced.
"This version of gwave, a waveform viewer for spice simulation output,
requires guile-gnome-platform and its prerequesites. Packages for those
are available for Fedora and Debian, I believe.
It is not entirely stable, but I'm very interested in hearing what
environments it can be built in, and what sorts of problems are
encountered."
Version 1.2.7 of Hamlib has been
announced.
"Hamlib purpose is to develop flexible and portable shared libraries that offer a standardised API to control any radio oriented equipment through a computer interface.
Hamlib provides a unified environment for the development of radio and
rotator control applications. The release 1.2.7 includes many improvements
since last official version."
Version 2.8.12 of SQL-Ledger,
a web-based accounting system, has been announced. Changes include:
"added missing language code variable for template editor.
fixed beginning balance for GL detail report,
fixed missing FROM clause in non-taxable report."
Version 0.6.7 of Arianne has been
announced.
"Arianne is a multiplayer online engine to develop turn based and real time games providing a simple way of creating the game server rules and clients like Stendhal. Marauroa, our server, uses Java and MySQL for hosting dozens of players on a solo host.
Mr and Mrs Yeti have a sweet little ice cave below Semos Mountain. Be like Mr Yeti, keep your loved one sweet, with a red rose from Fleur in Kirdneh."
Version 0.6.0 of Clutter has been announced, many new capabilities have been
added.
"Clutter is an open source software library for creating fast, visually
rich and animated graphical user interfaces. Clutter is licensed under
the terms of the GNU Lesser General Public License version 2.1."
Version 0.5.2 of QFE has been
announced.
"QFE is full-featured cross-platform FTN message editor with a graphical interface. It written on C++/Qt and does not depend on either KDE, Gnome or other window managers.
This is a major release with a lot of enhancements and bugfixes."
LinuxMedNews
covers
the latest release of OpenMedSpel.
"OpenMedSpel, a free and open source medical spelling word list, is now available as add-ons for Firefox, Thunderbird, and SeaMonkey. The availability of a free and open source browser based medical spelling application is of great value for those who use or develop browser based medical applications such as electronic medical records."
Version 0.9.7 of Oggz, a collection of tools and a library for handling
ogg stream data, has been announced.
"This release adds a new oggz-sort tool, includes fixes for serialno generation
on 64bit (LP64) platforms, and adds decoding of FLAC vorbiscomment packets and
basic support for the Ogg mapping of the experimental CELT codec. It also
includes various API additions, documentation updates and new example code."
Version 1.3 of Musical MIDI Accompaniment has been announced.
"Included in this release:
Extended MIDI voicing now supported -- it is now easy to
set any voice you have on your sequencer!
A SWELL command (increase then restore volume over a number of bars),
A number of minor bug fixes and enhancements."
KDE.News announces
the release of KOffice 2 Alpha 6.
"KOffice 2 Alpha 6 has been released. This preview release improves the OpenDocument infrastructure, adds snap guidelines to several applications and sees major improvements in Krita, Karbon & KPlato."
The February 14, 2008 edition of the Mozilla Links Newsletter
is online, take a look for the latest news about the Mozilla browser
and related projects.
The February 14, 2008 edition of the GCC 4.3.0 Status Report
has been published.
"We are in Stage 3 and the trunk is open for regression and documentation
fixes only. We have reached our goal of zero open P1 regressions (in fact
several times, but each time different P1s appeared), so 4.3.0 release
candidate will be created early next week."
Version 1.6 of
IcedTea,
a harness for building the source code from openjdk using free software
build tools, has been announced.
"The "Zero-assembler" mentioned only briefly in this announcement is
actually very big news. It allows IcedTea to run on any GNU/Linux
architecture that has a gcc and libffi port available."
Release candidate 1 of Python 2.5.2 is available.
"This is the second bugfix release of Python 2.5. Python 2.5 is now in
bugfix-only mode; no new features are being added. According to the
release notes, over 100 bugs and patches have been addressed since
Python 2.5.1, many of them improving the stability of the interpreter,
and improving its portability."
Version 3.0 of libffi has been
announced.
"I'm pleased to announce a software release 10 years in the making:
libffi 3.0
libffi is a portable foreign function interface library.
The last release of libffi, version 1.2, was released almost a decade
ago in October, 1998. Shortly thereafter we started maintaining it
within the GCC source repository along with the help of the GCC
developers. libffi's primary customer at the time was the GNU java
runtime library, libgcj, and libffi benefited tremendously from the
contributions of the GCC community. However..."
CNews reports
that Victor Alksnis and Alexander Ponosov are founding the Open Source
Technology Center in Russia. "Victor Alksnis, former deputy, and
Alexander Ponosov, former school principal, announce to establish a public
organization to promulgate open source software in Russia. According to the
founders of the Open Source Technology Center, the given software is based
on the world Linux-community principles, i.e. there will be no fixed
membership and it will gain no profit to its developers. Mr. Alksnis and
Mr. Ponosov believe that the open source software will consolidate the
domestic IT-community, although to succeed support from the government or a
philanthropist is necessary."
The EE Times takes
a look at the Android mobile operating system demonstrations at the
Mobile World Congress in Barcelona. "One open question is what it
will mean to be an "open source" semiconductor manufacturer in a market as
competitive as mobile-handset applications processors. Several
semiconductor manufacturers are active members in the Open Handset
Alliance, a group of technology and mobile companies committed to deploy
handsets and services using the Android platform. Among them are leading
handset chip makers Broadcom, Texas Instruments and Qualcomm."
Coverage
of FOMS 2008 has been announced.
"FOMS 2008, the Foundations of Open Media Software Workshop was held on
24th/25th January 2008 in Melbourne, Australia."
KDE.News has a report from the
KDE booth at the Southern California Linux Expo (SCALE 6x). "From
February 8th to the 10th, Linux enthusiasts from the greater Los Angeles
area (and beyond that!) converged at the Westin Hotel near Los Angeles
Airport to celebrate Linux and Free Software. KDE was once again there
showing attendees the best Free Software desktop. Starting things off, one
of KDE's usability helpers Celeste Paul gave a talk on A Quick and Dirty
Intro to User-Centred Design in Open Source Development."
C|Net
reports on an effort by Google to bring the commercial Photoshop
image editing software to Linux.
"For the project, Google is funding programmers at CodeWeavers, a company whose open-source Wine software lets Windows software run on Linux. Wine is a compatibility layer that intercepts a program's Windows commands and converts them to instructions for the Linux kernel and its graphics subsystem.
"We hired CodeWeavers to make Photoshop CS and CS2 work better under Wine," Dan Kegel, of Google's software engineering team and the Wine 1.0 release manager, said on Google's open-source blog. "Photoshop is one of those applications that desktop Linux users are constantly clamoring for, and we're happy to say they work pretty well now...We look forward to further improvements in this area.""
eWeek
looks at Red Hat's plans for JBoss.
"Whatever else you can say about new Red Hat CEO Jim Whitehurst, you can't say he thinks small.
At the JBoss World 2008 tradeshow Feb. 13 in Orlando, Fla., Whitehurst said Red Hat plans not only for JBoss Enterprise Middleware to take 50 percent of the enterprise middleware market by 2015, but for JBoss' revenue to grow twice as fast as Red Hat's flagship Linux operating system during the next three years.
During Red Hat's second fiscal quarter 2007, which ended Aug. 31, then-CEO Matthew Szulik said that the "rate of JBoss bookings and revenue to date has not met our expectations. The company expected it to grow at twice the rate its core RHEL [Red Hat Enterprise Linux] business has, but so far, it's about the same. We know we can do much better.""
IBM developerWorks is carrying an article by security hacker Serge Hallyn on how to set up role-based access control using SELinux. "Different users using the same /bin/register program are able to read and write different files that they cannot access without the program. This is one of the core concepts of type enforcement: both the authorized context of the user and the code being executed should together determine the resulting process's 'domain of influence' over the system (or TE domain)."
HowtoForge has published
a tutorial about configuring remote access on a Ubuntu system.
"This guide explains how you can enable a remote desktop on an Ubuntu desktop so that you can access and control it remotely. This makes sense for example if you have customers that are not very tech-savvy. If they have a problem, you can log in to their desktops without the need to drive to their location. I will also show how to access the remote Ubuntu desktop from a Windows XP client and an Ubuntu client."
Vnunet looks
at a new Linux laptop. "UK manufacturer Elonex is to unveil a
£ 99 laptop aimed at school children. The Linux-based 'One' laptop
weighs less than 1kg and offers a claimed three-hour battery life, Wi-Fi, a
Flash-based hard drive, a hard-wearing case and a wireless music
server."
LinuxMedNews
reports
on an open-source move by the Instantiations Corporation.
"The Board of the FreeMED Software Foundation wishes to recognize the generous contribution of Instantiations Corporation of the GWT Designer, a designer for Google Web Tools. This most generous donation will allow us to move toward our next release of FreeMED, 0.9.1 FreeMED, in development since 1998, has had a consistent international base of support. The latest version, 0.9.0 is being transferred to a new UI."
Mozilla Messaging has announced
that it has begun operations. "The initial focus for Mozilla
Messaging is the development of Thunderbird 3, which will deliver
significant improvements, notably integrated calendaring, better search and
enhancements to the overall user experience."
eRacks has
announced a line of quiet computers that come with either the
64 Studio or Ubuntu Studio distributions installed.
"The eRacks / STUDIO is a professional-grade audio creation / production computer system, hardware-optimized for studio-level audio and video work. The system is Linux-based, Dual or Quad Core CPU, and QuietByDesignTM, which means computer noise wont interfere with your audio production.
The system comes loaded with a set of Open Source audio and video software applications."
LinuxMedNews has an
announcement
concerning the release of Misys Connect as open-source software.
"Misys plc, the global application software and services company announced today that it will release components of proprietary source code to the open source community at the Southern California Linux Expo (Scale), in Los Angeles on February 8. Scale signifys Misys first conference appearance into the open source arena.
In October 2007, we announced our intention to release the Misys Connect Healthcare solution to the open source community and now were delivering on our promise, said Bob Barthelmes, Executive Vice President and General Manager of the newly created Open Source Solutions division at Misys."
Open-Xchange Inc. has announced plans to release the server components and
installation/administration tools of the Open-Xchange
e-mail and collaboration server under the GNU General Public License.
"With its AJAX-based user interface, Open-Xchange Community Edition provides an unprecedented user
experience and allows businesses to take advantage of the cost benefits of open source software.
Initially, Open-Xchange Community Edition will be available for Debian and Ubuntu, with more Linux
distribution support to be added soon."
SCO has sent out a press release detailing a new plan to come out of bankruptcy. It seems that Stephen Norris Capital Partners "and its partners from the Middle East" have offered to put $100 million into the company and take it private. "SNCP has developed a business plan for SCO that includes unveiling new product lines aimed at global customers. This reorganization plan will also enable the company to see SCO's legal claims through to their full conclusion." We may be stuck with this story for a little longer than we had thought.
SGI has
announced the acquisition of Linux Networx, Inc.
"In exchange for the issuance of SGI common stock, SGI has acquired key
Linux Networx software, patents, technology and expertise. Linux Networx is
a recognized technology leader in the clustered HPC space and boasts a
significant customer base. The acquisition is expected to advance SGI
leadership in production-ready high performance computing solutions."
Sun Microsystems has
announced plans to buy innotek.
"Sun Microsystems, Inc. today announced that it has entered into a stock purchase agreement to acquire innotek, the provider of the leading edge, open source virtualization software called VirtualBox. By enabling developers to more efficiently build, test and run applications on multiple platforms, VirtualBox will extend the Sun xVM platform onto the desktop and strengthen Sun's leadership in the virtualization market. This software is available for all major operating systems at www.virtualbox.org and www.openxvm.org." (Thanks to Cry Regarder).
The Software Freedom Law Center has announced the publication of the "Legal Issues Primer for Open Source and Free Software Projects."
It is an extensive document with separate sections on copyright, patents,
trademarks, and organizational issues. "Our intended audience for
this Primer is any person interested in a basic understanding of the legal
issues that impact FOSS development and distribution. In particular, this
Primer, like most of our other public work at SFLC, is addressed to two
constituencies. First, we provide creative, productive hackers insight on
how to interact with the legal system-insofar as it affects the projects
they work on-with a minimum of cost, fuss and risk. Second, we present a
starting point for lawyers and risk managers for thinking about the
particular, at times counter-intuitive, logic of software freedom."
The Linux Foundation has announced an
update of the Linux Standard Base (LSB). "The new LSB 3.2 introduces
new features for interpreted languages, printing and multimedia, further
enabling application developers to easily and cost-effectively support the
Linux operating system. "The LSB meets the increasing demands of ISVs that
want to build portable applications for Linux," said Jim Zemlin, executive
director of the Linux Foundation. "With the inclusion of interpreted
languages, printing support, and a variety of other requested features,
this release provides the functionality that ISVs need to deliver their
sophisticated applications in a portable, cross-distribution
format.""
The minutes from the February 13, 2008 Perl 6 Design Meeting
have been published. "The Perl 6 design team met by phone on 13 February 2008. Larry, Allison, Jerry, Will, Richard, Patrick, and chromatic attended."
A
call for participation
has gone out for the YAPC::NA 2008 Perl conference.
"The Chicago Perl Mongers are excited to officially open the call for participation for YAPC::NA 2008. To submit your proposal, visit the YAPC site, create an account, and let us know what you'd like to talk about. Submissions will be accepted through March 15th 2008, so get yours in soon.
We are currently accepting proposals for conference talks with durations of 20, 45, 70, and 95 minutes."
Document Freedom Day is a global day for document liberation, a grassroots
action for promotion of Free Document Formats and Open Standards in
general. "On 26 March 2008, the Document Freedom Day will provide a
global rallying point for Document Liberation and Open Standards. It will
literally give teams around the world the chance to "hoist the flag": A
"DFD Starter Pack" containing a flag, t-shirt, leaflets and stickers is in
preparation and is planned to be sent out in the first weeks of March to
the first 100 teams that sign up. Sixteen teams already signed up during
the preparation phase of the DFD prior to this release. Sign your team up
now!"
FREED.IN/2008
will take place in Delhi, India on February 22-24, 2008.
"In the new scheme of things, where every FOSS event in India chooses a
particular focus (such as FOSS.IN, with its developer and contributor
focus), FREED.IN has chosen to focus on knowledge, using the FOSS approach
to things. Of course, there are talks about all kinds of FOSS related
subjects, so there is something for everyone."
The FSFE has announced a European Licensing and Legal Workshop.
"FSFE's Freedom Task Force today announces the first European Licensing and
Legal Workshop for Free Software will be held on Friday the 11th of April in
Amsterdam, The Netherlands. The venue for this meeting is the
InterContinental Amstel Hotel.
The event is targeted towards large projects and medium to large enterprises
wishing to discuss their existing licence compliance processes."
The 2008 LAC stream server is running.
"The 6th annual Linux Audio Conference is taking place in Cologne, Germany, Feb
28th to March 2nd, 2008. As with each previous year this year's conference will
be streamed live over the internet in ogg theora via icecast. The stream server
is up at: http://lac2008.khm.de:8000/
There is nothing to see at the moment, but keep checking over the coming days
as we hope to have a test stream up soon."
The Linux Foundation has announced the speakers who will be featured at its
second Collaboration Summit, to be held April 8 to 10 in Austin,
Texas. Those speaking will include Dan Frye, Marten Mickos, Bdale Garbee,
along with the return of the kernel developers' panel.
A vote is being held to decide the location of the OpenOffice.org
annual conference.
"This year we have received a record six proposals from teams competing to
host this prestigious event. In alphabetical order, they are:
* Amsterdam, The Netherlands
* Beijing, China
* Bratislava, Slovakia
* Budapest, Hungary
* Dundalk, Ireland
* Orvieto, Italy
If you were a registered member of the OpenOffice.org community on January
1st 2008 then you are entitled to vote."
Voting ends on February 29.
Google will be hosting the 2008 X Developers'
Conference (XDC 2008) in Mountain View, California, from April 16 - 18,
2008. Attendance is free, but you must be registered beforehand. The call
for presentations is open. Click below for more information.
It is not often that one sees kernel developers in suits, so it is
impossible to resist putting up the following picture. Andrew Morton is attending
(along with your editor) the 2008 Linux Developer Symposium in Beijing,
China. This event, co-sponsored by the Linux Foundation and the Chinese
Open Source Promotion Union, is aimed at bringing Chinese developers more
deeply into the global Linux community. Look for a report in LWN next
week. ![[Gnash logo]](/images/ns/gnashlogo.png){kind=small}