Advertisement
Managed Dedicated Servers - HC Servers
Dedicated and managed servers in U.S and Europe. Famous 24x7 support and customizations from HCServers.net!
Sponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for March 6, 2008
File monitoring with Mortadelo and SystemTap
SystemTap is a tool to help gather information about running Linux systems which has been available for some time now. But applications that use the tool have been few and far between. Mortadelo is a GUI tool that uses SystemTap to observe and record system calls. It is more of a proof-of-concept than a complete application—though it is useful in its current form—but it does start to show some of the things that can be done using SystemTap.
Mortadelo specifically intercepts system calls that deal with accessing files, collecting the arguments to the calls as well the return codes. It is patterned after the Windows Filemon program, which is used in much the same way that a Linux user might use strace—only with a GUI. Problems with permissions or files that do not exist are the kinds of things that Mortadelo could be used to diagnose.
![[Mortadelo]](/images/mortadelo_sm.png)
The data collected is displayed in a list in the GUI (shown at left), which can then be filtered using regular expressions to pull out the information of interest. Because it uses SystemTap, Mortadelo gathers information from all running processes at once, allowing the user to choose which parts they are interested in. The filtering is somewhat primitive, in that particular fields cannot be chosen to filter on, but still useful because it searches each entry fully.
System calls that return an error are highlighted in red making it easy to pick them out. By choosing appropriate strings to filter on, all permission errors in the system or every access of a particular filename can be seen. The GUI allows one to start and stop the recording as well as to save the captured data to a file. Each entry includes a timestamp, the process name and pid, the system call, return code, and arguments.
The application is written in C#, using the Mono framework; one of the authors has an interesting weblog entry comparing Mono and Python for developing this kind of tool. Mortadelo's interface to SystemTap is fairly straightforward, it spawns a stap command and sends it the probe points and code via stdin. It then reads the stap output, parsing it and displaying it in the window.
There were some tricks to getting it to build and run, but Eugene Teo's instructions for running it on Fedora 8 were quite helpful. Part of the problem was in getting SystemTap going on the system, which is a problem we have mentioned before. There were some other small hurdles as well, but Teo's hints and proper application of grep were enough to get past those.
Mortadelo's impact isn't so much in the application itself as it is in some of the ideas behind it. Using SystemTap for GUI tools will help users and administrators, especially those who are not command-line savvy. If Mortadelo, or some descendant of it, becomes popular, that will help make SystemTap use more widespread. Distributors will start packaging it in more readily usable forms, perhaps installing it by default. That will in turn help anyone tasked with keeping a Linux system smoothly functioning, whether they are GUI-centric or not.
Ryzom returns?
Toward the end of 2006, a company called Nevrax went out of business. Nevrax was the operator of an online multiplayer game called Ryzom which had developed a dedicated (if insufficiently lucrative) following. A group of free software developers, former Nevrax employees, and assorted Ryzom players sensed an opportunity here: perhaps the source for Ryzom could be obtained from the failing company and turned into free software. It seemed like a winning solution for all sides: Nevrax's creditors could get whatever money could be raised for the code, Ryzom players would continue to have a game, and the free software community would get an extensive new code base. All that was needed was to convince the relevant bankruptcy court that this was a good idea.To that end, the Free Ryzom project raised some €170,000 in pledges - an impressive amount of money. The Free Software Foundation offered $60,000 toward this goal. But, in court, another suitor (Gameforge) won out with a plan to keep the game proprietary. The Free Ryzom folks became the Virtual Citizenship Association and faded from view; it seemed that this story was done.
Only it seems it's not done. In February, the project sent out a news update on what had been happening over the past year. It seems that Gameforge stopped paying its employees in June, 2007, and, by August, was not paying its creditors. In October, Gameforge France went back into the bankruptcy process; then, last February, the Ryzom servers were shut down. This particular plan to save Ryzom, it seems, was not as successful as one might have liked.
So it seems that the Ryzom source might, once again, be up for grabs. A news update suggests that the process is moving quickly, but the project could make a try for the code if it is able to come up with a large (at least €230,000) bid in the immediate future. As of this writing, the Free Ryzom folks are examining their options and trying to come to a decision on the best course to take.
There can be no doubt that this code would be a valuable acquisition. Despite the fact that some of the very first multiplayer online games were free software (consider Netrek, for example, which occupied rather too much of your editor's time some 15 years ago, or some of the early MUD and MOO systems), free software does not have much to offer in that area now. The lack of competitive offerings in this area is one of the biggest motivations for people to use Windows. A free Ryzom could be a strong step toward better online gaming with free software.
[PULL QUOTE: One has to wonder why we seem to be unable to put together a competitive game without relying on a huge infusion of source from the proprietary world. END QUOTE] That said, one has to wonder why we, the larger free software community, seem to be unable to put together a competitive game without relying on a huge infusion of source from the proprietary world. There are certainly projects out there; consider Battle for Wesnoth or WorldForge, for example. Wesnoth is an addictive game with basic multiplayer capability and an active developer community, but it is a turn-by-turn game with relatively rudimentary graphics - though the graphics and soundtracks are quite nice by free software standards. WorldForge has high ambitions and a lot of infrastructure, but it never really seems to get out of that pre-alpha state. A look at WorldForge's CVS logs suggests that very few developers are actively contributing to the project.
There are critics of the free software community who would argue that gaming is the sort of program that free software just cannot do as well as proprietary software. A certain amount of planning and direction is required to pull together a coherent virtual world, quite a bit of artistic work (artwork, sounds, etc) is required, and so on; a project without a business-based revenue stream just cannot compete in this area. There might be some truth to this claim - but not that much. When one looks all all that we have accomplished, it does not seem like an online multiplayer game - challenging though it might be - should be beyond our capabilities.
What seems more likely is that we just haven't gotten the project management right yet. Anybody who has hung around with people who are interested in computing knows that game playing is certainly an itch that many feel the need to scratch. We just haven't yet made it easy enough for that scratching to happen.
What's needed is a relatively simple core upon which people can easily create virtual worlds. It should be straightforward for people who are not developers - artists, musicians, script writers - to contribute to the system, and their contributions should be made welcome. The desktop projects have had a certain amount of success in bringing in non-developer contributors; a look at how they have done that could be worthwhile.
Arguably, we should have most of the pieces we need. Battle for Wesnoth has shown that it's possible to put together a community which goes beyond just software developers. WorldForge seems to have a good start on some important pieces of infrastructure. There may be some useful code to be had from the Second Life client, which has been free for a year now. We are a large and talented community, we certainly have the ability to do something interesting in this area. It should not be necessary to wait until we get a code dump from a dead proprietary software company.
NDISwrapper dodges another bullet
Hardware compatibility has long been a problem for Linux—though it has gotten much better over the years—so it will be surprising to some to see a kernel change that will make some hardware cease working. For others, who follow kernel development a bit more closely, it will come as no great surprise that NDISwrapper was disabled by a change made to the kernel back in January. NDISwrapper has never been very popular with kernel hackers, but, because it is GPL licensed and allows more hardware to be used, there are folks on both sides of the argument. For a while, it looked like NDISwrapper had lost that argument, but the 2.6.25-rc4 release restores the functionality it requires.
NDISwrapper is a kernel module that is used to load Windows-only drivers into Linux. For some hardware, notably wireless network cards, it is the only way to support them because the manufacturer provides neither specifications nor a working Linux driver. Unfortunately, many of these cards are installed in laptops where it is difficult or impossible to replace them with Linux-friendly alternatives. This is what led to implementing the Network Device Interface Specification (NDIS) for Linux. NDIS is an ancient—it was originally developed by Microsoft and 3Com for MS-DOS in the mid to late 1980s—interface for networking devices, which is still in use today.
The NDISwrapper code has been around since 2003, but always as a separate module that must be built by the user (or distribution) and loaded into the kernel. It is not part of the mainline kernel, nor will it ever be; maintaining a glue layer that allows proprietary, closed-source drivers to be linked into the kernel is not high on anyone's list. But, NDISwrapper is GPL. Its code is available for inspection or modification by all, so that is not the problem, it is the intent that matters.
When a binary-only driver—the NVidia video driver for example—is loaded into the kernel, a "taint" flag is set, indicating that the kernel is tainted by code that cannot be examined. Bug reports for tainted kernels are routinely ignored, unless they can be reproduced in an untainted kernel. Life, it seems, is too short to try and diagnose problems that could easily have been created by a buggy driver that cannot be debugged. Originally, the taint flag was just a means to detect and ignore those bug reports, but over time it has become part of a mechanism to restrict which symbols a module can access.
Some kernel symbols are considered so integral that any module using them must be a derivative work. Therefore, modules that want to use them must be GPL. Modules declare their license using the MODULE_LICENSE macro, while symbols are exported using either EXPORT_SYMBOL or EXPORT_SYMBOL_GPL. Any module that doesn't have a compatible license doesn't get access to the GPL-only symbols.
Few would argue for a GPL module which existed to re-export all of the GPL-only symbols to non-GPL modules. But that is not what NDISwrapper does; instead it implements NDIS, but in order to do that, needs access to GPL-only symbols, mostly for USB and workqueue interfaces. It would be hard to contend that NDIS drivers are derivative of the Linux kernel, they were written for an entirely different system using an interface that predates Linux. This is why NDISwrapper developers and users think that an exception should be made for it. Clearly the Windows drivers taint the kernel, but accessing a subset of the GPL-only functionality through NDISwrapper should be allowed, they argue.
Since NDISwrapper itself is GPL, the normal module loading rules would allow it to access GPL-only symbols, except that an explicit check for NDISwrapper was added to the 2.6.16 kernel. The question, then, revolves around what should be done when the kernel detects it being loaded. NDISwrapper has always been careful to mark the drivers that it loads as tainted, but the recent patch marks the module itself as tainted, disallowing access to the GPL-only symbols and breaking NDISwrapper. Absent that patch, only the kernel is marked as tainted—the module itself is not.
A similar situation occurred back in October 2006, which LWN covered on the Kernel page, when a stricter interpretation of tainting started to be enforced. At that point, NDISwrapper stopped working and it looked like it might stay that way, until Andrew Morton stepped in with objections to breaking NDISwrapper with no warning. Shortly thereafter, a patch was merged that only marked the kernel as tainted when NDISwrapper is loaded. At that point, the issue fell by the wayside, until now.
Part of the problem is that marking a symbol as GPL-only means different things to different developers. For some, it is a means to warn proprietary driver developers that they are straying into territory that makes distribution of their drivers very likely to be a violation of the GPL, while others want to use it to completely eliminate binary-only kernel drivers. There is no policy that clearly delineates which interpretation is "correct". Meanwhile, NDISwrapper has been in use by many for four years or more; breaking it now, with little or no warning, is likely to create some very unhappy users.
Linus Torvalds clearly thinks there are no licensing issues with NDISwrapper:
Jon Masters, the author of the patch that inadvertently made this change, had an excellent suggestion that should be pursued to try and reduce these kinds of problems in the future:
Another interesting battle will be that surrounding exporting init_mm() which was removed in early versions of 2.6.25, but then restored in 2.6.25-rc4. It is fairly clearly a low-level kernel interface that is unused by any in-tree driver, so its export was removed. One rather glaring exception is that the out-of-tree NVidia binary drivers do use it. Its export has been restored for one more development cycle, but it is clearly seen as something that should not be touched by drivers. It could be quite a struggle between the developers and users of a very popular driver and the kernel hackers that don't want to see kernel API abuse.
Issues surrounding the GPL are always contentious on linux-kernel; this one is no different. While NDISwrapper is an out-of-tree driver, it has hardly been invisible, so complaints when it breaks should come as no surprise. A simple renaming will avoid the current kernel check, so breaking it that way will mostly be an annoyance to users rather than a real barrier to its use. Since there is no real consensus amongst kernel hackers on the binary driver issue, it is hard to see one emerging with regards to NDISwrapper, but that would be the best outcome. One way or another, it needs to be decided, NDISwrapper shouldn't come under a periodic threat of breaking. If it is determined to be a violation of the kernel interfaces, that should be clearly indicated and its users should be given some warning so they can find alternatives.
Page editor: Jonathan Corbet
Security
Authentication bypass in routers
An authentication bypass vulnerability is one of the more dangerous problems that a web application can have. It allows the attacker to perform some action that the application designer saw fit to restrict to authenticated users without providing said authentication. Using these techniques, an attacker can control a targeted web application from afar without even wasting time cracking bad passwords—a dream scenario for such people.
If an authentication bypass is found in the latest social networking site, the flaw could cause embarrassment, but if that bypass is in your home router, much worse things could result. A series of articles over at GNUCITIZEN highlights quite a variety of authentication bypass flaws in various embedded devices including routers. The flaws come from their research and recent router hacking challenge, which challenged readers to find holes in their routers. (There is no table of contents for the series, so here are links to the four installments: 1, 2, 3, and 4).
Most authentication bypass flaws are caused by a conceptual mistake made by web programmers: believing that the "normal" way of accessing the site is the only way to access it. This manifests itself as applications that check for particular URLs to see if they require credentials without considering the possibility of aliasing. For example, web servers will generally ignore double-slashes in a URL, but if the application checks for /privileged/page and gets /privileged//page it may very well fall prey to an authentication bypass. Other similar schemes can be used to make the URL look different, but arrive at the same place.
A far uglier possibility is applications that believe you can only get to a particular URL via a page that enforces authentication. This is a belief in "security through obscurity"; that attackers won't be able to guess the URLs for the pages "behind" the authentication screen. This is almost comical in that there are many ways to find out what those URLs are, not least by buying the device and accessing them yourself. Pages that require authentication need to check that the credentials have been provided whenever the page is accessed—without regard for what URL got them there.
Some applications do all of the checking correctly on the pages that show various settings in a form allowing them to be changed, but the action of the form submits it to a different program. Inexplicably, sometimes that program does not check for credentials. Perhaps the programmer believes that web forms can only be submitted from the page that they have created, but it is trivially easy to generate an HTTP POST with the appropriate parameters. It certainly does no good to protect the current value of settings from non-authenticated users if they can easily change them to any values they want.
In terms of web security, authentication bypass is usually quite easy to avoid, it is a matter of ensuring valid credentials anywhere they are required. Before performing any action that requires a logged-in user, check the cookie (or other persistent authentication mechanism) for validity to perform the action requested. For people using routers at home, perhaps the best advice is to make sure its administrative interface is not internet facing. Routers have a pretty bad track record of getting this right, so far, as the hacking challenge and other research has shown.
Security news
A set of Android vulnerabilities
Core Security has sent out an lengthy security advisory about Google's Android platform. It seems that, in their hurry to get something out there, the developers at Google used some old image processing libraries with a number of old, well-known vulnerabilities. This release was not meant for deployment anywhere, and there should have been no harm done. Given the stakes, though, one can only assume that future releases will be made with more care.
New vulnerabilities
am-utils: overwrite arbitrary files
| Package(s): | am-utils | CVE #(s): | ||||
| Created: | February 29, 2008 | Updated: | March 5, 2008 | |||
| Description: | The am-utils package could be vulnerable to an attack in which one local user can modify the contents of arbitrary files to which other local users running expn have write access. | |||||
| Alerts: |
| |||||
audacity: insecure tmpfile handling
| Package(s): | audacity | CVE #(s): | CVE-2007-6061 | ||||||
| Created: | March 3, 2008 | Updated: | March 21, 2008 | ||||||
| Description: | From the Gentoo advisory:
Viktor Griph reported that the "AudacityApp::OnInit()" method in file src/AudacityApp.cpp does not handle temporary files properly. A local attacker could exploit this vulnerability to conduct symlink attacks to delete arbitrary files and directories with the privileges of the user running Audacity. | ||||||||
| Alerts: |
| ||||||||
cacti: multiple vulnerabilities
| Package(s): | cacti | CVE #(s): | CVE-2008-0783 CVE-2008-0784 CVE-2008-0785 CVE-2008-0786 | |||||||||||||||
| Created: | February 28, 2008 | Updated: | May 6, 2008 | |||||||||||||||
| Description: | From the Mandriva alert: A number of vulnerabilities were found in the Cacti program, including XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection vulnerabilities, and information disclosure vulnerabilities. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
dbus: privilege escalation
| Package(s): | dbus | CVE #(s): | CVE-2008-0595 | ||||||||||||||||||
| Created: | February 28, 2008 | Updated: | March 14, 2008 | ||||||||||||||||||
| Description: | From the Red Hat alert: Havoc Pennington discovered a flaw in the way the dbus-daemon applies its security policy. A user with the ability to connect to the dbus-daemon may be able to execute certain method calls they should normally not have permission to access. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
evolution: format string vulnerability
| Package(s): | evolution | CVE #(s): | CVE-2008-0072 | |||||||||||||||||||||||||||
| Created: | March 5, 2008 | Updated: | March 14, 2008 | |||||||||||||||||||||||||||
| Description: | The encrypted mail display code in evolution suffers from a format string vulnerability which could be exploited by way of a specially crafted email message. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
firebird: multiple vulnerabilities
| Package(s): | firebird | CVE #(s): | CVE-2008-0387 CVE-2008-0467 | ||||||
| Created: | March 3, 2008 | Updated: | March 27, 2008 | ||||||
| Description: | From the Gentoo advisory:
Firebird does not properly handle certain types of XDR requests, resulting in an integer overflow (CVE-2008-0387). Furthermore, it is vulnerable to a buffer overflow when processing usernames (CVE-2008-0467). A remote attacker could send specially crafted XDR requests or an overly long username to the vulnerable server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application. | ||||||||
| Alerts: |
| ||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2007-3731 | |||
| Created: | March 3, 2008 | Updated: | March 5, 2008 | |||
| Description: | From the rPath advisory:
Previous versions of the Linux kernel package contain a vulnerability in the ptrace system call which allows local users to cause a Denial of Service. | |||||
| Alerts: |
| |||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2006-6921 | |||
| Created: | March 5, 2008 | Updated: | March 5, 2008 | |||
| Description: | From the Red Hat advisory: a flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped, possibly causing a denial of service. | |||||
| Alerts: |
| |||||
kernel: information disclosure
| Package(s): | kernel | CVE #(s): | CVE-2007-6207 | |||
| Created: | March 5, 2008 | Updated: | March 5, 2008 | |||
| Description: | From the Red Hat advisory: a flaw in the hypervisor for hosts running on Itanium architectures allowed an Intel VTi domain to read arbitrary physical memory from other Intel VTi domains, which could make information available to unauthorized users. | |||||
| Alerts: |
| |||||
lighttpd: denial of service
| Package(s): | lighttpd | CVE #(s): | CVE-2008-0983 | |||||||||||||||
| Created: | February 29, 2008 | Updated: | April 4, 2008 | |||||||||||||||
| Description: | From the CVE entry: lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
opera: several vulnerabilities
| Package(s): | opera | CVE #(s): | CVE-2008-1080 CVE-2008-1081 CVE-2008-1082 | ||||||
| Created: | February 29, 2008 | Updated: | March 5, 2008 | ||||||
| Description: | Opera version 9.26 fixes: an issue where simulated text inputs could trick users into uploading arbitrary files, image properties can no longer be used to execute scripts, and an issue where the representation of DOM attribute values could allow cross site scripting. | ||||||||
| Alerts: |
| ||||||||
qemu: insufficient block device address range checking
| Package(s): | qemu, zen | CVE #(s): | CVE-2008-0928 | ||||||
| Created: | February 29, 2008 | Updated: | March 5, 2008 | ||||||
| Description: | From Debian Security: Ian Jackson discovered that accesses beyond end of qemu emulated disk devices can result in accesses to emulator's virtual memory space accesses and thus can allow user with sufficient privilege in guest (root, as this would need modification to kernel's driver) to break out of VM. | ||||||||
| Alerts: |
| ||||||||
thunderbird: heap overflow
| Package(s): | thunderbird seamonkey | CVE #(s): | CVE-2008-0304 | ||||||||||||||||||
| Created: | February 29, 2008 | Updated: | March 7, 2008 | ||||||||||||||||||
| Description: | Security research firm iDefense reported that researcher regenrecht discovered a heap-based buffer overflow vulnerability in Mozilla mail code which could potentially allow an attacker to run arbitrary code. The vulnerability is caused by allocating a buffer that can be three bytes too small in certain cases when viewing an email message with an external MIME body. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
tshark, wireshark: multiple vulnerabilities
| Package(s): | tshark,wireshark | CVE #(s): | CVE-2008-1070 CVE-2008-1071 CVE-2008-1072 | ||||||||||||||||||
| Created: | March 3, 2008 | Updated: | April 9, 2008 | ||||||||||||||||||
| Description: | From the rPath advisory:
Previous versions of the wireshark package are vulnerable to multiple types of Denial of Service attacks, including crashes and excessive memory consumption. It has not been determined that these vulnerabilities can be exploited to execute malicious code. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
viewvc: multiple access violations
| Package(s): | viewvc | CVE #(s): | |||||||
| Created: | March 3, 2008 | Updated: | March 5, 2008 | ||||||
| Description: | From the Fedora advisory:
These security issues have been fixed: - omit commits of all-forbidden files from query results - disallow direct URL navigation to hidden CVSROOT folder - strip forbidden paths from revision view - don't traverse log history thru forbidden locations - honor forbiddenness via diff view path parameters | ||||||||
| Alerts: |
| ||||||||
Updated vulnerabilities
cairo: integer overflow
| Package(s): | Cairo | CVE #(s): | CVE-2007-5503 | |||||||||||||||||||||||||||||||||
| Created: | November 29, 2007 | Updated: | April 10, 2008 | |||||||||||||||||||||||||||||||||
| Description: | Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
MySQL: privilege escalation
| Package(s): | MySQL | CVE #(s): | CVE-2007-3781 CVE-2007-5969 | ||||||||||||||||||||||||||||||
| Created: | December 11, 2007 | Updated: | April 7, 2008 | ||||||||||||||||||||||||||||||
| Description: | MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781) | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
SDL_image: buffer overflows
| Package(s): | SDL_image | CVE #(s): | CVE-2007-6697 CVE-2008-0544 | |||||||||||||||
| Created: | February 8, 2008 | Updated: | March 27, 2008 | |||||||||||||||
| Description: | From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE | CVE #(s): | CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Xorg: multiple vulnerabilities
| Package(s): | Xorg | CVE #(s): | CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 17, 2008 | Updated: | April 4, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the X.org security advisory: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
acroread: multiple vulnerabilities
| Package(s): | acroread | CVE #(s): | CVE-2008-0655 CVE-2008-0667 CVE-2008-0726 | |||||||||
| Created: | February 18, 2008 | Updated: | March 3, 2008 | |||||||||
| Description: | From the SUSE advisory: CVE-2008-0655: Multiple unspecified vulnerabilities in Adobe Reader and Acrobat before 8.1.2 have unknown impact and attack vectors. CVE-2008-0667: The DOC.print function in the Adobe JavaScript API, as used by Adobe Acrobat and Reader before 8.1.2, allows remote attackers to configure silent non-interactive printing, and trigger the printing of an arbitrary number of copies of a document. CVE-2008-0726: Integer overflow in Adobe Reader and Acrobat 8.1.1 and earlier allows remote attackers to execute arbitrary code via crafted arguments to the printSepsWithParams, which triggers memory corruption. | |||||||||||
| Alerts: |
| |||||||||||
acroread: multiple vulnerabilities
| Package(s): | acroread | CVE #(s): | CVE-2007-5659 CVE-2007-5663 CVE-2007-5666 CVE-2007-0044 | ||||||
| Created: | February 22, 2008 | Updated: | March 3, 2008 | ||||||
| Description: | Several flaws were found in the way Adobe Reader processed malformed PDF files. An attacker could create a malicious PDF file which could execute arbitrary code if opened by a victim. A flaw was found in the way the Adobe Reader browser plug-in honored certain requests. A malicious PDF file could cause the browser to request an unauthorized URL, allowing for a cross-site request forgery attack. | ||||||||
| Alerts: |
| ||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | ||||||||||||||||||
| Created: | August 9, 2006 | Updated: | April 4, 2008 | ||||||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache: several vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 15, 2008 | Updated: | April 4, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
asterisk: multiple vulnerabilities
| Package(s): | asterisk | CVE #(s): | CVE-2007-3762 CVE-2007-3763 CVE-2007-3764 CVE-2007-4103 | |||||||||
| Created: | February 27, 2008 | Updated: | February 27, 2008 | |||||||||
| Description: | Asterisk suffers from a protocol handling error, a buffer overflow, and a NULL pointer dereferencing bug in the IAX2 channel driver, and a memory overflow in the Skinny channel driver. | |||||||||||
| Alerts: |
| |||||||||||
asterisk: possible SQL injection
| Package(s): | asterisk | CVE #(s): | CVE-2007-6170 | |||||||||
| Created: | December 3, 2007 | Updated: | April 15, 2008 | |||||||||
| Description: | Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection. | |||||||||||
| Alerts: |
| |||||||||||
bind: off-by-one error
| Package(s): | bind | CVE #(s): | CVE-2008-0122 | ||||||||||||
| Created: | January 22, 2008 | Updated: | March 14, 2008 | ||||||||||||
| Description: | Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption. | ||||||||||||||
| Alerts: |
| ||||||||||||||
boost: denial of service
| Package(s): | boost | CVE #(s): | CVE-2008-0171 CVE-2008-0172 | |||||||||||||||||||||
| Created: | January 17, 2008 | Updated: | March 14, 2008 | |||||||||||||||||||||
| Description: | From the Ubuntu alert: Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
clamav: arbitrary code execution
| Package(s): | clamav | CVE #(s): | CVE-2008-0318 | ||||||||||||||||||
| Created: | February 13, 2008 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | From the CVE: Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
clamav: denial of service
| Package(s): | clamav | CVE #(s): | CVE-2007-3725 | ||||||||||||
| Created: | July 24, 2007 | Updated: | February 27, 2008 | ||||||||||||
| Description: | A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archives. | ||||||||||||||
| Alerts: |
| ||||||||||||||
clamav: arbitrary file overwrite
| Package(s): | clamav | CVE #(s): | CVE-2007-6595 | |||||||||
| Created: | February 18, 2008 | Updated: | April 24, 2008 | |||||||||
| Description: | From the CVE entry: ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled. | |||||||||||
| Alerts: |
| |||||||||||
clamav: heap corruption
| Package(s): | clamav | CVE #(s): | CVE-2008-0728 | |||||||||
| Created: | February 22, 2008 | Updated: | April 18, 2008 | |||||||||
| Description: | From the CVE entry: libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption." | |||||||||||
| Alerts: |
| |||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2008-0886 | ||||||
| Created: | February 27, 2008 | Updated: | February 27, 2008 | ||||||
| Description: | From the Mandriva advisory: A flaw was found in how CUPS handled the addition and removal of remote printers via IPP that could allow a remote attacker to send a malicious IPP packet to the UDP port causing CUPS to crash. | ||||||||
| Alerts: |
| ||||||||
cups: buffer overflow
| Package(s): | cups | CVE #(s): | CVE-2007-5848 | ||||||||||||
| Created: | January 7, 2008 | Updated: | February 27, 2008 | ||||||||||||
| Description: | From the CVE entry: Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service. From the rPath advisory: Previous versions of the cups package contain a buffer-overflow weakness. It is not believed that this weakness can be exploited to execute malicious code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2008-0882 | ||||||||||||||||||||||||
| Created: | February 22, 2008 | Updated: | April 3, 2008 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CVE-2007-5849 CVE-2007-6358 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 | ||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | April 3, 2008 | ||||||||||||||||||||||||
| Description: | The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CVE-2008-0596 CVE-2008-0597 | |||||||||||||||
| Created: | February 25, 2008 | Updated: | March 6, 2008 | |||||||||||||||
| Description: | From the Red Hat advisory: A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597) A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing CUPS daemon crash after exhausting available memory. (CVE-2008-0596) These issues were found during the investigation of CVE-2008-0882. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
debian-goodies: privilege escalation
| Package(s): | debian-goodies | CVE #(s): | CVE-2007-3912 | ||||||
| Created: | October 5, 2007 | Updated: | March 24, 2008 | ||||||
| Description: | Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart. | ||||||||
| Alerts: |
| ||||||||
diatheke: insufficient input sanitizing
| Package(s): | diatheke | CVE #(s): | CVE-2008-0932 | ||||||||||||
| Created: | February 26, 2008 | Updated: | March 4, 2008 | ||||||||||||
| Description: | From the Debian advisory: Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitizing of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user. | ||||||||||||||
| Alerts: |
| ||||||||||||||
dnssec-tools: insufficient validation
| Package(s): | dnssec-tools | CVE #(s): | |||||||
| Created: | February 26, 2008 | Updated: | February 27, 2008 | ||||||
| Description: | DNSSEC-Tools 1.3.2 contains several fixes, including a patch to the libval DNSSEC validation library to ensure that the signature that validates it is a signature of the trust anchor itself. | ||||||||
| Alerts: |
| ||||||||
dspam: insecure password
| Package(s): | dspam | CVE #(s): | CVE-2007-6418 | |||
| Created: | February 22, 2008 | Updated: | February 27, 2008 | |||
| Description: | From the Debian advisory: Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line when using the MySQL backend. This allowed a local attacker to read the contents of the dspam database, such as emails. | |||||
| Alerts: |
| |||||
evolution: format string error
| Package(s): | evolution | CVE #(s): | CVE-2007-1002 | |||||||||||||||||||||
| Created: | March 27, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||
| Description: | A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
exiftags: multiple vulnerabilities
| Package(s): | exiftags | CVE #(s): | CVE-2007-6354 CVE-2007-6355 CVE-2007-6356 | |||||||||
| Created: | December 31, 2007 | Updated: | April 1, 2008 | |||||||||
| Description: | From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356). | |||||||||||
| Alerts: |
| |||||||||||
firebird: buffer overflow
| Package(s): | firebird | CVE #(s): | CVE-2007-3181 | ||||||
| Created: | July 2, 2007 | Updated: | March 27, 2008 | ||||||
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. | ||||||||
| Alerts: |
| ||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2008-0414 CVE-2008-0416 CVE-2008-0420 CVE-2008-0594 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 8, 2008 | Updated: | March 26, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be
uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a user were ticked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416) Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420) Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||