SystemTap is a tool to help gather information about running Linux systems
which has been available for some time now. But applications that use the tool
have been few and far between. Mortadelo is a
GUI tool that uses SystemTap to observe and record system calls. It is
more of a proof-of-concept than a complete application—though it is
useful in its current form—but it does start
to show some of the things that can be done using SystemTap.
Mortadelo specifically intercepts system calls that deal with accessing
files, collecting the arguments to the calls as well as the return codes. It
is patterned after the Windows Filemon program, which is used in much the
same way that a Linux user might use strace—only with a GUI.
Problems with permissions or files that do not exist are the kinds of
things that Mortadelo could be used to diagnose.
The data collected is displayed in a list in the GUI (shown at left),
which can then be filtered using regular expressions to pull out the
information of interest. Because it uses SystemTap, Mortadelo gathers
information from all running processes at once, allowing the user to choose
which parts they are interested in. The filtering is
somewhat primitive, in that particular fields cannot be chosen to filter
on, but still useful because it searches each entry fully.
System calls that return an error are highlighted in red making it easy to
pick them out. By choosing appropriate strings to filter on, all
permission errors in the system or every access of a particular filename
can be seen. The GUI allows one to start and stop the recording as well as
to save the captured data to a file. Each entry includes a timestamp,
the process name and pid, the system call, return code, and arguments.
The application is written in C#, using the Mono framework; one of the authors
has an interesting weblog entry comparing Mono
and Python for developing this kind of tool. Mortadelo's interface to
SystemTap is fairly straightforward: it spawns a stap command and
sends it the probe points and code via stdin. It then reads the
stap output, parsing it and displaying it in the window.
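As an added illustration of that pipeline (this is not Mortadelo's code; the probe script, the tab-separated output format and the sample lines are my assumptions), here is a small Python sketch that feeds a SystemTap script to stap over stdin and then parses, filters and flags what comes back, the way the GUI does:

```python
"""Sketch of the Mortadelo pipeline: hand a SystemTap script to stap on
stdin, then parse, filter and flag the records it prints.

Added example, not Mortadelo's own code.  The probe script, the
tab-separated output format and the sample lines below are assumptions,
chosen so each record carries the fields Mortadelo shows: timestamp,
process name, pid, system call, return code and arguments.
"""
import errno
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Script fed to "stap -" (stap reads the script from stdin when the script
# argument is "-").  Entry probes stash the argument string per thread;
# return probes print one tab-separated record.  Assumed tapset names:
# syscall.open/unlink/mkdir, argstr, name and $return.
STP_SCRIPT = r"""
global args
probe syscall.open, syscall.unlink, syscall.mkdir {
    args[tid()] = argstr
}
probe syscall.open.return, syscall.unlink.return, syscall.mkdir.return {
    printf("%d\t%s\t%d\t%s\t%d\t%s\n",
           gettimeofday_us(), execname(), pid(), name, $return, args[tid()])
    delete args[tid()]
}
"""


@dataclass
class Record:
    timestamp_us: int
    process: str
    pid: int
    syscall: str
    ret: int
    args: str

    @property
    def is_error(self) -> bool:
        # Syscalls report failure as -errno; stap prints the raw value.
        return self.ret < 0

    @property
    def errname(self) -> Optional[str]:
        return errno.errorcode.get(-self.ret) if self.is_error else None

    def render(self) -> str:
        tag = f" [{self.errname}]" if self.is_error else ""
        return (f"{self.timestamp_us} {self.process}[{self.pid}] "
                f"{self.syscall}({self.args}) = {self.ret}{tag}")


def parse_line(line: str) -> Optional[Record]:
    """One stap output line -> Record, or None for banners and warnings."""
    parts = line.rstrip("\n").split("\t", 5)
    if len(parts) != 6:
        return None
    ts, comm, pid, name, ret, args = parts
    try:
        return Record(int(ts), comm, int(pid), name, int(ret), args)
    except ValueError:
        return None


def filter_records(lines: Iterable[str], pattern: Optional[str] = None) -> List[Record]:
    """Mortadelo-style filter: the regex runs over the whole rendered entry,
    not over one chosen field, so "= -13" and "/etc/cups" both work."""
    pat = re.compile(pattern) if pattern else None
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and (pat is None or pat.search(rec.render())):
            out.append(rec)
    return out


def run_stap(script: str = STP_SCRIPT) -> Iterator[str]:
    """Spawn stap and pipe the script in, as Mortadelo does.  Needs root and
    a working SystemTap install, so the sample below does not call it."""
    proc = subprocess.Popen(["stap", "-"], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    proc.stdin.write(script)
    proc.stdin.close()
    yield from proc.stdout
    proc.wait()


# Constructed sample of what the script above would print; the last line
# is the kind of non-record chatter stap also emits.
SAMPLE_OUTPUT = [
    "1204123456789012\tbash\t4242\topen\t3\t\"/etc/passwd\", O_RDONLY",
    "1204123456790000\tcupsd\t1777\topen\t-13\t\"/etc/cups/cupsd.conf\", O_WRONLY",
    "1204123456791000\trm\t4250\tunlink\t-2\t\"/tmp/nosuchfile\"",
    "WARNING: Kernel function symbol table missing [man warning::symbols]",
]

if __name__ == "__main__":
    for rec in filter_records(SAMPLE_OUTPUT):
        print(("ERR " if rec.is_error else "    ") + rec.render())
```

Run as a script it prints the constructed sample with failed calls marked ERR, the text equivalent of Mortadelo's red rows; on a machine with SystemTap and root, swap SAMPLE_OUTPUT for run_stap() to watch live traffic. Because stap hands over the raw return value, a failed call shows up as a negative -errno, which is all the error test needs.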
There were some tricks to getting it to build and run, but Eugene Teo's instructions
for running it on Fedora 8 were quite helpful. Part of the
problem was in getting SystemTap going on the system, which is a problem we have mentioned
before. There were some other small hurdles as well, but Teo's hints
and proper application of grep were enough to get past those.
Mortadelo's impact isn't so much in the application itself as it is in some
of the ideas behind it. Using SystemTap for GUI tools will help users and
administrators, especially those who are not command-line
savvy. If Mortadelo, or some descendant of it, becomes popular, that will
help make SystemTap use more widespread. Distributors will start packaging
it in more readily usable forms, perhaps installing it by default. That
will in turn help anyone tasked with keeping a Linux system smoothly
functioning, whether they are GUI-centric or not.
Toward the end of 2006, a company called Nevrax went out of business.
Nevrax was the operator of an online multiplayer game called Ryzom which
had developed a dedicated (if insufficiently lucrative) following. A group
of free software developers, former Nevrax employees, and assorted Ryzom players sensed an
opportunity here: perhaps the source for Ryzom could be obtained from the
failing company and turned into free software. It seemed like a winning
solution for all sides: Nevrax's creditors could get whatever money could
be raised for the code, Ryzom players would continue to have a game, and
the free software community would get an extensive new code base. All that
was needed was to convince the relevant bankruptcy court that this was a
good idea.
To that end, the Free Ryzom project raised some €170,000 in pledges -
an impressive amount of money. The Free Software Foundation offered
$60,000 toward this goal. But, in court, another suitor (Gameforge) won
out with a plan to keep the game proprietary. The Free Ryzom folks became
the Virtual Citizenship Association and faded from view; it seemed that
this story was done.
Only it seems it's not done. In February, the project sent out a news update on
what had been happening over the past year. It seems that Gameforge
stopped paying its employees in June, 2007, and, by August, was not paying
its creditors. In October, Gameforge France went back into the bankruptcy
process; then, last February, the Ryzom servers were shut down. This
particular plan to save Ryzom, it seems, was not as successful as one might
have liked.
So it seems that the Ryzom source might, once again, be up for grabs. A news update
suggests that the process is moving quickly, but the project could make a
try for the code if it is able to come up with a large (at least
€230,000) bid in the immediate future. As of this writing, the Free
Ryzom folks are examining their options and trying to come to a decision on
the best course to take.
There can be no doubt that this code would be a valuable acquisition.
Despite the fact that some of the very first multiplayer online games were
free software (consider Netrek, for example, which occupied rather too much
of your editor's time some 15 years ago, or some of the early MUD and MOO
systems), free software does not have much to offer in that area now. The
lack of competitive offerings in this area is one of the biggest
motivations for people to use Windows. A free Ryzom could be a strong step
toward better online gaming with free software.
That said, one has to wonder why we, the larger free software community,
seem to be unable to put together a competitive game without relying on a
huge infusion of source from the proprietary world. There are certainly
projects out there; consider Battle for
Wesnoth or WorldForge, for
example. Wesnoth is an addictive game with basic multiplayer capability
and an active developer community, but it is a turn-by-turn game with
relatively rudimentary graphics - though the graphics and soundtracks are
quite nice by free software standards. WorldForge has high ambitions and a
lot of infrastructure, but it never really seems to get out of that
pre-alpha state. A look at WorldForge's CVS
logs suggests that very few developers are actively contributing to the
project.
There are critics of the free software community who would argue that
gaming is the sort of program that free software just cannot do as well as
proprietary software. A certain amount of planning and direction is
required to pull together a coherent virtual world, quite a bit of artistic
work (artwork, sounds, etc) is required, and so on; a project without a
business-based revenue stream just cannot compete in this area. There
might be some truth to this claim - but not that much. When one looks at
all that we have accomplished, it does not seem like an online multiplayer
game - challenging though it might be - should be
beyond our capabilities.
What seems more likely is that we just haven't gotten the project
management right yet. Anybody who has hung around with people who are
interested in computing knows that game playing is certainly an itch that
many feel the need to scratch. We just haven't yet made it easy enough for
that scratching to happen.
What's needed is a relatively simple core upon which people
can easily create virtual worlds. It should be straightforward for people
who are not developers - artists, musicians, script writers - to contribute
to the system, and their contributions should be made welcome. The desktop
projects have had a certain amount of success in bringing in non-developer
contributors; a look at how they have done that could be worthwhile.
Arguably, we should have most of the pieces we need. Battle for
Wesnoth has shown that it's possible to put together a community which goes
beyond just software developers. WorldForge seems to have a good start on
some important pieces of infrastructure. There may be some useful code to
be had from the Second Life client, which has been free for a year now. We
are a large and talented community; we certainly have the ability to do
something interesting in this area. It should not be necessary to wait
until we get a code dump from a dead proprietary software company.
Hardware compatibility has long been a problem for Linux—though it has
gotten much better over the years—so it will be surprising to some to
see a kernel change that will make some hardware cease working. For
others, who follow kernel development a bit more closely, it will come as
no great surprise that NDISwrapper was
disabled by a change made to the kernel back in January. NDISwrapper has
never been very popular with kernel hackers, but, because it is GPL
licensed and allows more hardware to be used, there are folks on both sides
of the argument. For a while, it looked like NDISwrapper had lost that
argument, but the 2.6.25-rc4 release restores the functionality it requires.
NDISwrapper is a kernel module that is used to load Windows-only drivers
into Linux. For some hardware, notably wireless network cards, it is the
only way to support them because the manufacturer provides neither
specifications nor a working Linux driver. Unfortunately, many of these
cards are installed in laptops where it is difficult or impossible to
replace them with Linux-friendly alternatives. This is what led to
implementing the Network Device Interface Specification
(NDIS) for Linux. NDIS is an ancient interface for networking devices;
it was originally developed by Microsoft and 3Com for MS-DOS in
the mid to late 1980s, and it is still in use today.
The NDISwrapper code has been around since 2003, but always as a separate
module that must be built by the user (or distribution) and loaded into the
kernel. It is not part of the mainline kernel, nor will it ever be;
maintaining a glue layer that allows proprietary, closed-source drivers to
be linked into the kernel is not high on anyone's list. But NDISwrapper
is GPL. Its code is available for inspection or modification by
all, so that is not the problem; it is the intent that matters.
When a binary-only driver—the NVidia video driver for example—is loaded into the kernel, a "taint" flag is set,
indicating that the kernel is tainted by code that cannot be examined. Bug
reports for tainted kernels are routinely ignored, unless they can be
reproduced in an untainted kernel. Life, it seems, is too short to try and
diagnose problems that could easily have been created by a buggy driver
that cannot be debugged. Originally, the taint flag was just a means to
detect and ignore those bug reports, but over time it has become part of a
mechanism to restrict which symbols a module can access.
Some kernel symbols are considered so integral that any module using them
must be a derivative work. Therefore, modules that want to use them must
be GPL. Modules declare their license using the MODULE_LICENSE
macro, while symbols are exported using either EXPORT_SYMBOL or
EXPORT_SYMBOL_GPL. Any module that doesn't have a compatible
license doesn't get access to the GPL-only symbols.
Few would argue for a GPL module which existed to re-export all of the
GPL-only symbols to non-GPL modules. But that is not what NDISwrapper does;
instead it implements NDIS, but in order to do that, needs access to
GPL-only symbols, mostly for USB and workqueue interfaces. It would be
hard to contend that NDIS drivers are derivative of the Linux kernel; they
were written for an entirely different system using an interface that predates Linux. This is why NDISwrapper developers
and users think that an exception should be made for it. Clearly the
Windows drivers taint the kernel, but accessing a subset of the GPL-only
functionality through NDISwrapper should be allowed, they argue.
Since NDISwrapper itself is GPL, the normal module loading rules would
allow it to access GPL-only symbols, except that an explicit check for
NDISwrapper was added to the 2.6.16 kernel. The question, then, revolves
around what should be done when the kernel detects it being loaded.
NDISwrapper has always been careful to mark the drivers that it loads as
tainted, but the recent patch marks the module itself as tainted,
disallowing access to the GPL-only symbols and breaking NDISwrapper. Absent
that patch, only the kernel is marked as tainted—the module itself is
not.
A similar situation occurred back in October 2006, which LWN covered on the Kernel page, when
a stricter interpretation of tainting started to be enforced. At that
point, NDISwrapper stopped working and it looked like it might stay that
way, until Andrew Morton stepped in with objections to breaking NDISwrapper with no warning. Shortly
thereafter, a patch was merged that only marked the kernel as tainted when
NDISwrapper is loaded. At
that point, the issue fell by the wayside, until now.
Part of the problem is that marking a symbol as GPL-only means different
things to different developers. For some, it is a means to warn
proprietary driver developers that they are straying into territory that
makes distribution of their drivers very likely to be a violation of the GPL, while others
want to use it to completely eliminate binary-only kernel drivers. There
is no policy that clearly delineates which interpretation is "correct". Meanwhile,
NDISwrapper has been in use by many for four years or more; breaking it
now, with little or no warning, is likely to create some very unhappy users.
Quite frankly, my position on this has always been that the GPLv2
explicitly covers _derived_ works only, and that very obviously a Windows
driver isn't a derived work of the kernel. So as far as I'm concerned,
ndiswrapper may be distasteful from a technical and support angle, but not
against the license.
Jon Masters, the author of the patch that
inadvertently made this change, had an excellent suggestion that should
be pursued to try and reduce these kinds of problems in the future:
Since we've brought it up, one good thing I would like to see come of
this perhaps is a clearer understanding of what the kernel should and
should not be doing in terms of "license compliance enforcement". We
have had lots of talk, but perhaps a "policy" document is worthwhile.
Another interesting battle will be that surrounding the export of the
init_mm symbol, which was removed in early versions of 2.6.25, but
then restored in 2.6.25-rc4. It is fairly clearly a low-level kernel
interface that is unused by any in-tree driver, so its export was removed.
One rather glaring exception is that the out-of-tree NVidia binary drivers do
use it. Its export has been restored for one more development cycle, but it is clearly seen as
something that should not be touched by drivers. It could be quite a
struggle between the developers and users of a very popular driver and the kernel hackers
that don't want to see kernel API abuse.
Issues surrounding the GPL are always contentious on linux-kernel; this one
is no different. While NDISwrapper is an out-of-tree driver, it has hardly
been invisible, so complaints when it breaks should come as no surprise.
A simple renaming will avoid the current kernel check, so breaking it that
way will mostly be
an annoyance to users rather than a real barrier to its use. Since there
is no real consensus amongst kernel hackers on the binary driver issue, it is hard to see one
emerging with regards to NDISwrapper, but that would be the best outcome.
One way or another, it needs to be decided; NDISwrapper shouldn't come
under a periodic threat of breaking. If it is determined to be a violation
of the kernel interfaces, that should be clearly indicated and its users should be given some
warning so they can find alternatives.
An authentication bypass vulnerability is one of the more dangerous problems
that a web application can have. It allows the attacker to perform some
action that the application designer saw fit to restrict to authenticated
users without providing said authentication. Using such a flaw,
an attacker can control a targeted web application from afar without
even wasting time cracking bad passwords, which is the attacker's dream
scenario.
If an authentication bypass is found in the latest social networking site, the flaw could cause
embarrassment, but if that bypass is in your home router, much worse things
could result. A series of articles over at GNUCITIZEN highlights quite a
variety of authentication bypass flaws in various embedded devices
including routers. The flaws come from
their research and recent router
hacking challenge, which challenged readers to find holes in
their routers. (There is no table of contents for the series, so here are
links to the four installments: 1, 2, 3, and 4.)
Most authentication bypass flaws are caused by a conceptual mistake made by
web programmers: believing that the "normal" way of accessing the site is
the only way to access it. This manifests itself as applications that
check for particular URLs to see if they require credentials without
considering the possibility of aliasing. For example, web servers will
generally ignore double-slashes in a URL when locating the resource, but if
the application compares the raw request URL against /privileged/page and
gets /privileged//page, the check never fires even though the same page is
served. Dot segments (/privileged/./page), a trailing slash or
percent-encoded characters can be used in the same way to make the URL
look different, but arrive at the same place.
A far uglier possibility is applications that believe you can only get to a
particular URL via a page that enforces authentication. This is a belief
in "security through obscurity"; that attackers won't be able to guess the
URLs for the pages "behind" the authentication screen. This is almost
comical in that there are many ways to find out what those URLs are,
not least by buying the device and accessing them yourself. Pages that
require authentication need to check that the credentials have been
provided whenever the page is accessed—without regard for what
URL got them there.
Some applications do all of the checking correctly on the pages that show
various settings in a form allowing them to be changed, but the action of
the form submits it to a different program. Inexplicably, sometimes that
program does not check for credentials. Perhaps the programmer believes
that web forms can only be submitted from the page that they have created, but it is
trivially easy to generate an HTTP POST with the appropriate parameters.
It certainly does no good to protect the current value of settings from
non-authenticated users if they can easily change them to any values they
want.
In terms of web security, authentication bypass is usually quite easy to
avoid; it is a matter of checking for valid credentials anywhere they are
required. Before performing any action that requires a logged-in user,
check the session cookie (or other persistent authentication mechanism) for
validity, regardless of which URL spelling or HTTP method reached the
action. For people using routers at
home, perhaps the best advice is to make sure its administrative
interface is not internet facing. Routers have a pretty bad track record
of getting this right, so far, as the hacking challenge and other research
has shown.
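To make the three mistakes concrete, here is an added example (not code from the GNUCITIZEN series or from any router firmware; the routes /privileged/settings and /apply.cgi, the "sid" cookie, the session table and the device state are all assumed) that puts a vulnerable dispatcher next to a hardened one. The vulnerable version checks credentials by exact match on the raw URL and leaves the form's action target unchecked; the hardened version routes on the normalized path and has every privileged handler verify the session itself:

```python
"""Authentication-bypass mistakes next to their fix.

Added example, not code from the GNUCITIZEN series or any router firmware.
The routes, the "sid" cookie, the session table and the device state are
assumed for illustration.
"""
import posixpath
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]
Handler = Callable[["Request"], Response]

# Constructed session store (cookie value -> user) and device state.
SESSIONS: Dict[str, str] = {"s3ss10n-ok": "admin"}
SETTINGS: Dict[str, str] = {"dns": "192.0.2.53"}


class Request:
    def __init__(self, method: str, path: str,
                 cookies: Optional[Dict[str, str]] = None,
                 form: Optional[Dict[str, str]] = None) -> None:
        self.method, self.path = method, path
        self.cookies, self.form = cookies or {}, form or {}


def normalize(path: str) -> str:
    """Canonical path, the way the server resolves it: collapse "//" and
    "." / ".." segments so every alias maps to one string."""
    canon = posixpath.normpath(path)
    while canon.startswith("//"):      # normpath keeps a leading "//"
        canon = canon[1:]
    return canon if canon.startswith("/") else "/" + canon


def show_settings(req: Request) -> Response:
    return 200, f"dns={SETTINGS['dns']}"


def apply_settings(req: Request) -> Response:
    if req.method != "POST":
        return 405, "POST required"
    SETTINGS["dns"] = req.form.get("dns", SETTINGS["dns"])
    return 200, "saved"


# --- vulnerable shape ------------------------------------------------
# Mistake 1: the credential check is an exact match on the raw URL, so
# /privileged//settings never triggers it, yet the server still serves
# /privileged/settings for it.
# Mistake 2: /apply.cgi, the form's action target, is not listed at all
# because it is assumed reachable only through the settings page.
PROTECTED_URLS = {"/privileged/settings"}
ROUTES: Dict[str, Handler] = {
    "/privileged/settings": show_settings,
    "/apply.cgi": apply_settings,
}


def vulnerable_dispatch(req: Request) -> Response:
    if req.path in PROTECTED_URLS and req.cookies.get("sid") not in SESSIONS:
        return 401, "login required"
    handler = ROUTES.get(normalize(req.path))
    return handler(req) if handler else (404, "not found")


# --- fix ------------------------------------------------------------
# Each privileged handler checks the session itself, whatever URL
# spelling or HTTP method reached it; routing uses the normalized path.
def requires_login(handler: Handler) -> Handler:
    def wrapped(req: Request) -> Response:
        if SESSIONS.get(req.cookies.get("sid", "")) is None:
            return 401, "login required"
        return handler(req)
    return wrapped


SAFE_ROUTES: Dict[str, Handler] = {
    "/privileged/settings": requires_login(show_settings),
    "/apply.cgi": requires_login(apply_settings),
}


def hardened_dispatch(req: Request) -> Response:
    handler = SAFE_ROUTES.get(normalize(req.path))
    return handler(req) if handler else (404, "not found")


def demo() -> Dict[str, int]:
    """Status codes for the attacks described above, before and after."""
    admin, change = {"sid": "s3ss10n-ok"}, {"dns": "203.0.113.9"}
    return {
        "vuln_direct": vulnerable_dispatch(Request("GET", "/privileged/settings"))[0],
        "vuln_alias": vulnerable_dispatch(Request("GET", "/privileged//settings"))[0],
        "vuln_post": vulnerable_dispatch(Request("POST", "/apply.cgi", form=change))[0],
        "safe_alias": hardened_dispatch(Request("GET", "//privileged/./settings"))[0],
        "safe_post": hardened_dispatch(Request("POST", "/apply.cgi", form=change))[0],
        "safe_admin": hardened_dispatch(Request("POST", "/apply.cgi", admin, change))[0],
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable dispatcher the direct request is refused (401) but the double-slash alias and the bare POST to /apply.cgi both succeed (200); in the hardened one only the request carrying a valid session cookie gets through. Note that putting the check in the handler fixes authentication only: a state-changing POST like /apply.cgi should additionally carry an anti-CSRF token, since an attacker's page can make a logged-in administrator's browser submit the form for them.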
Core Security has sent out a lengthy security advisory about Google's
Android platform. It seems that, in their hurry to get something out
there, the developers at Google used some old image processing libraries
with a number of old, well-known vulnerabilities. This release was not
meant for deployment anywhere, and there should have been no harm done.
Given the stakes, though, one can only assume that future releases will be made with
more care.
The am-utils package could be vulnerable to an attack in which one local
user can modify the contents of arbitrary files to which other local users
running expn have write access.
Viktor Griph reported that the "AudacityApp::OnInit()" method in file
src/AudacityApp.cpp does not handle temporary files properly.
A local attacker could exploit this vulnerability to conduct symlink
attacks to delete arbitrary files and directories with the privileges
of the user running Audacity.
From the Mandriva alert:
A number of vulnerabilities were found in the Cacti program, including
XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection
vulnerabilities, and information disclosure vulnerabilities.
From the Red Hat alert:
Havoc Pennington discovered a flaw in the way the dbus-daemon applies its
security policy. A user with the ability to connect to the dbus-daemon may
be able to execute certain method calls they should normally not have
permission to access.
The encrypted mail display code in evolution suffers from a format string vulnerability which could be exploited by way of a specially crafted email message.
Firebird does not properly handle certain types of XDR requests,
resulting in an integer overflow (CVE-2008-0387). Furthermore, it is
vulnerable to a buffer overflow when processing usernames
(CVE-2008-0467).
A remote attacker could send specially crafted XDR requests or an
overly long username to the vulnerable server, possibly resulting in
the remote execution of arbitrary code with the privileges of the user
running the application.
From the Red Hat advisory: a flaw was found in the handling of zombie processes. A local user could
create processes that would not be properly reaped, possibly causing a
denial of service.
From the Red Hat advisory: a flaw in the hypervisor for hosts running on Itanium architectures
allowed an Intel VTi domain to read arbitrary physical memory from other
Intel VTi domains, which could make information available to unauthorized
users.
From the CVE entry: lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.
Opera version 9.26 fixes: an issue where simulated text inputs could trick users into uploading arbitrary files, image properties can no longer be used to execute scripts, and an issue where the representation of DOM attribute values could allow cross site scripting.
From Debian
Security: Ian Jackson discovered that accesses beyond the end of qemu
emulated disk devices can result in accesses to the emulator's virtual memory
space and thus can allow a user with sufficient privilege in the guest
(root, as this would need modification of the kernel's driver) to break out of
the VM.
Security research firm iDefense reported that researcher regenrecht
discovered a heap-based buffer overflow vulnerability in Mozilla mail code
which could potentially allow an attacker to run arbitrary code. The
vulnerability is caused by allocating a buffer that can be three bytes too
small in certain cases when viewing an email message with an external MIME body.
Previous versions of the wireshark package are vulnerable
to multiple types of Denial of Service attacks, including
crashes and excessive memory consumption. It has not been
determined that these vulnerabilities can be exploited to
execute malicious code.
These security issues have been fixed:
- omit commits of all-forbidden files from query results
- disallow direct URL navigation to the hidden CVSROOT folder
- strip forbidden paths from the revision view
- don't traverse log history through forbidden locations
- honor forbiddenness via diff view path parameters
Adobe's Acrobat Reader has the following vulnerabilities:
The Adobe Reader plugin has a cross-site scripting vulnerability that
can be triggered by processing malformed URLs. Arbitrary JavaScript can
be served by a malicious web server, leading to a cross-site scripting
attack.
Maliciously crafted PDF files can be used to trigger two vulnerabilities;
if an attacker can trick a user into viewing the files, arbitrary code
can be executed with the user's privileges.
CVE-2008-0655: Multiple unspecified vulnerabilities in Adobe Reader
and Acrobat before 8.1.2 have unknown impact and
attack vectors.
CVE-2008-0667: The DOC.print function in the Adobe JavaScript API,
as used by Adobe Acrobat and Reader before 8.1.2, allows
remote attackers to configure silent non-interactive
printing, and trigger the printing of an arbitrary
number of copies of a document.
CVE-2008-0726: Integer overflow in Adobe Reader and Acrobat 8.1.1 and
earlier allows remote attackers to execute arbitrary
code via crafted arguments to the printSepsWithParams,
which triggers memory corruption.
Several flaws were found in the way Adobe Reader processed malformed PDF
files. An attacker could create a malicious PDF file which could execute
arbitrary code if opened by a victim. A flaw was found in the way the Adobe Reader browser plug-in honored certain requests. A malicious PDF file could cause the browser to request an unauthorized URL, allowing for a cross-site request forgery attack.
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."
A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)
A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which did not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)
Asterisk suffers from a protocol handling error, a buffer overflow, and a NULL pointer dereferencing bug in the IAX2 channel driver, and a memory overflow in the Skinny channel driver.
Tilghman Lesher discovered that the logging engine of Asterisk, a free
software PBX and telephony toolkit, performs insufficient sanitizing of
call-related data, which may lead to SQL injection.
Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file
with world-readable permissions, which allows local users to perform
unauthorized named commands, such as causing a denial of service by
stopping named.
Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3,
and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause
a denial of service (crash) and possibly execute arbitrary code via crafted
input that triggers memory corruption.
From the Ubuntu alert:
Will Drewry and Tavis Ormandy discovered that the boost library
did not properly perform input validation on regular expressions.
An attacker could send a specially crafted regular expression to
an application linked against boost and cause a denial of service
via application crash.
A vulnerability in Cacti 0.8.6i and earlier versions allows remote
authenticated users to cause a denial of service (CPU consumption) via
large values of the graph_start, graph_end, graph_height, or graph_width
parameters.
Cairo has an integer overflow vulnerability in the PNG image processing
code. If a user processes a specially crafted PNG image with an
application that is linked against cairo, arbitrary code can be executed
with the user's privileges.
Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.
A NULL pointer dereference has been discovered in the RAR VM of Clam
Antivirus (ClamAV) which allows user-assisted remote attackers to
cause a denial of service via a specially crafted RAR archive.
From the CVE entry:
ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with, for example, a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code.
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
From the Mandriva advisory: A flaw was found in how CUPS handled the addition and removal of
remote printers via IPP that could allow a remote attacker to send
a malicious IPP packet to the UDP port causing CUPS to crash.
Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service.
From the rPath advisory:
Previous versions of the cups package contain a buffer-overflow
weakness. It is not believed that this weakness can be exploited
to execute malicious code.
From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash.
A flaw was found in the way CUPS handled the addition and removal of remote
shared printers via IPP. A remote attacker could send malicious UDP IPP
packets causing the CUPS daemon to attempt to dereference already freed
memory and crash. (CVE-2008-0597)
A memory management flaw was found in the way CUPS handled the addition and
removal of remote shared printers via IPP. When shared printer was
removed, allocated memory was not properly freed, leading to a memory leak
possibly causing CUPS daemon crash after exhausting available memory.
(CVE-2008-0596)
These issues were found during the investigation of CVE-2008-0882.
The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability.
Thomas de Grenier de Latour discovered that the checkrestart program included
in debian-goodies did not correctly handle shell meta-characters. A local
attacker could exploit this to gain the privileges of the user running
checkrestart.
From the Debian advisory: Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitizing of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user.
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.
DNSSEC-Tools 1.3.2 contains
several fixes, including a patch to the libval DNSSEC validation library to
ensure that the key set matching a configured trust anchor is accepted only
when the signature validating it was made with the trust anchor key itself.
From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a
minor privilege escalation attack in which an authenticated
user may exploit an ACL plugin weakness to save message flags
without having proper permissions."
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name.
Dovecot has multiple vulnerabilities including an issue involving the
confusion between LDAP-authenticated logins across users with the
same password and a denial of service involving a connecting user.
From the Debian advisory: Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line when using the MySQL backend. This allowed a local attacker to read the contents of the dspam database, such as emails.
A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop
1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC
servers to execute arbitrary code via a long private message.
Arnaud Giersch discovered that elinks incorrectly attempted to load
gettext catalogs from a relative path. If a user were tricked into
running elinks from a specific directory, a local attacker could execute
code with user privileges.
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions.
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers.
The APOP protocol allows remote attackers to guess the first 3 characters
of a password via man-in-the-middle (MITM) attacks that use crafted message
IDs and MD5 collisions. NOTE: this design-level issue potentially affects
all products that use APOP, including (1) Thunderbird, (2) Evolution, (3)
mutt, and (4) fetchmail.
From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not
properly sanitized before being processed, resulting in illegal memory
access in the postprop() and other functions (CVE-2007-6354). He also
discovered integer overflow vulnerabilities in the parsetag() and other
functions (CVE-2007-6355) and an infinite recursion in the readifds()
function caused by recursive IFD references (CVE-2007-6356).
Integer overflow in exif.cpp in exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow.
fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user.
Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be
uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a
user were tricked into opening a malicious web page, an attacker
could perform cross-site scripting attacks. (CVE-2008-0416)
Flaws were discovered in the BMP decoder. By tricking a user into
opening a specially crafted BMP file, an attacker could obtain
sensitive information. (CVE-2008-0420)
Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery
warning dialog wasn't displayed under certain circumstances. A
malicious website could exploit this to conduct phishing attacks
against the user. (CVE-2008-0594)
A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2007-5959)
A race condition existed when Firefox set the "window.location" property
for a webpage. This flaw could allow a webpage to set an arbitrary Referer
header, which may lead to a Cross-site Request Forgery (CSRF) attack
against websites that rely only on the Referer header for protection.
(CVE-2007-5960)
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)
Several flaws were found in the way Firefox displayed malformed web
content. A webpage containing specially-crafted content could trick a user
into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)
A flaw was found in the way Firefox stored password data. If a user saves
login information for a malicious website, it could be possible to corrupt
the password database, preventing the user from properly accessing saved
password data. (CVE-2008-0417)
A flaw was found in the way Firefox handles certain chrome URLs. If a user
has certain extensions installed, it could allow a malicious website to
steal sensitive session data. Note: this flaw does not affect a default
installation of Firefox. (CVE-2008-0418)
A flaw was found in the way Firefox saves certain text files. If a
website offers a file of type "plain/text", rather than "text/plain",
Firefox will not show future "text/plain" content to the user in the
browser, forcing them to save those files locally to view the content.
(CVE-2008-0592)
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents. It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute own code or display own content with URL bar and SSL certificate
data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL Protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
showed evidence of memory corruption under certain circumstances and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)
The Freetype font rendering library versions 2.3.4 and below
has an integer sign error. Remote attackers may be able to
create a specially crafted TrueType Font file with a negative
n_points value that will cause an integer overflow and heap-based
buffer overflow, allowing the execution of arbitrary code.
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers
to have unspecified remote attack vectors and impact. (CVE-2007-3472)
The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a denial
of service (crash) via unspecified vectors involving a gdImageCreate
failure. (CVE-2007-3473)
Multiple unspecified vulnerabilities in the GIF reader in the
GD Graphics Library (libgd) before 2.0.35 allow user-assisted
remote attackers to have unspecified attack vectors and
impact. (CVE-2007-3474)
The GD Graphics Library (libgd) before 2.0.35 allows user-assisted
remote attackers to cause a denial of service (crash) via a GIF image
that has no global color map. (CVE-2007-3475)
Array index error in gd_gif_in.c in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause
a denial of service (crash and heap corruption) via large color
index values in crafted image data, which results in a segmentation
fault. (CVE-2007-3476)
The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial
of service (CPU consumption) via a large (1) start or (2) end angle
degree value. (CVE-2007-3477)
Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the
GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote
attackers to cause a denial of service (crash) via unspecified vectors,
possibly involving truetype font (TTF) support. (CVE-2007-3478)
Libgd2 has a denial of service vulnerability involving the incorrect
validation of PNG callback results. If an application that is linked
against libgd2 is used to process a specially-crafted PNG file,
a denial of service involving CPU resource consumption can be
caused.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
The gimp image editor has several vulnerabilities, including
a problem where it can open PSD files with excessive dimensions
and a possible stack overflow in the Sunras loader.
Jens Askengren discovered that gnome-screensaver became confused when
running under Compiz, and could lose keyboard lock focus. A local
attacker could exploit this to bypass the user's locked screen saver.
The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnome Office Gnumeric before 1.8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file containing XLS HLINK opcodes, possibly because of an integer signedness error that leads to an integer overflow. NOTE: some of these details are obtained from third party information.
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code.
Ulf Harnhammer discovered that the HTML filter of the Horde web
application framework performed insufficient input sanitising, which
may lead to the deletion of emails if a user is tricked into viewing
a malformed email inside the Imp client.
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user).
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module. (CVE-2007-6422)
From the Red Hat advisory:
Will Drewry reported multiple flaws in the way libicu processed certain
malformed regular expressions. If an application linked against ICU, such
as OpenOffice.org, processed a carefully crafted regular expression, it may
be possible to execute arbitrary code as the user running the application.
The ImageMagick image decoders have multiple vulnerabilities.
If a user can be tricked into processing a specially crafted
DCM, DIB, XBM, XCF, or XWD image, arbitrary code may be executed with
the user's privileges.
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667.
The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote
user-assisted attackers to cause a denial of service (crash) and possibly
corrupt the heap via malformed image files.
Java has multiple vulnerabilities; these include:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE and buffer overflows in the java image
handling routines that can give attackers read/write/execute capabilities
for local files.
The Javadoc tool was able to generate HTML documentation pages that
contained cross-site scripting (XSS) vulnerabilities. A remote attacker
could use this to inject arbitrary web script or HTML. (CVE-2007-3503)
The Java Web Start URL parsing component contained a buffer overflow
vulnerability within the parsing code for JNLP files. A remote attacker
could create a malicious JNLP file that could trigger this flaw and execute
arbitrary code when opened. (CVE-2007-3655)
The JSSE component did not correctly process SSL/TLS handshake requests. A
remote attacker who is able to connect to a JSSE-based service could
trigger this flaw leading to a denial-of-service. (CVE-2007-3698)
A flaw was found in the applet class loader. An untrusted applet could use
this flaw to circumvent network access restrictions, possibly connecting to
services hosted on the machine that executed the applet. (CVE-2007-3922)
Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled,
allows remote attackers to violate the security model for an applet's
outbound connections via a DNS rebinding attack. (CVE-2007-5232)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not
properly enforce access restrictions for untrusted applications, which
allows user-assisted remote attackers to obtain sensitive information (the
Java Web Start cache location) via an untrusted application, aka "three
vulnerabilities." (CVE-2007-5238)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE
1.3.1_20 and earlier does not properly enforce access restrictions for
untrusted (1) applications and (2) applets, which allows user-assisted
remote attackers to copy or rename arbitrary files when local users perform
drag-and-drop operations from the untrusted application or applet window
onto certain types of desktop applications. (CVE-2007-5239)
Visual truncation vulnerability in the Java Runtime Environment in Sun JDK
and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK
and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows
remote attackers to circumvent display of the untrusted-code warning banner
by creating a window larger than the workstation screen. (CVE-2007-5240)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used,
allows remote attackers to violate the security model for an applet's
outbound connections via a multi-pin DNS rebinding attack in which the
applet download relies on DNS resolution on the proxy server, but the
applet's socket operations rely on DNS resolution on the local machine, a
different issue than CVE-2007-5274. NOTE: this is similar to
CVE-2007-5232. (CVE-2007-5273)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows
remote attackers to violate the security model for JavaScript outbound
connections via a multi-pin DNS rebinding attack dependent on the
LiveConnect API, in which JavaScript download relies on DNS resolution by
the browser, but JavaScript socket operations rely on separate DNS
resolution by a Java Virtual Machine (JVM), a different issue than
CVE-2007-5273. NOTE: this is similar to CVE-2007-5232. (CVE-2007-5274)
An integer overflow vulnerability exists in the embedded ICC profile
image parser (CVE-2007-2788), an unspecified vulnerability exists in
the font parsing implementation (CVE-2007-4381), and an error exists
when processing XSLT stylesheets contained in XSLT Transforms in XML
signatures (CVE-2007-3716), among other vulnerabilities.
The kazehakase web browser is vulnerable to buffer overflows and
memory corruption in PCRE. If a remote attacker can convince a user to
open specially crafted bookmarks, it can lead to the
execution of arbitrary code, denial of service or
arbitrary information disclosure.
The kdebase package is vulnerable to a denial of service in which a local user can render KDM unusable for logins by any user or cause KDM to exceed system resource limits.
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
The IA32 system call emulation functionality in Linux kernel 2.4.x and
2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not
zero extend the eax register after the 32bit entry path to ptrace is used,
which might allow local users to gain privileges by triggering an
out-of-bounds access to the system call table using the %RAX register.
From the Red Hat advisory: A flaw was found in the way the Red Hat
Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA
method for accessing memory on Itanium architectures. A local unprivileged
user could trigger this flaw and cause a denial of service (system panic).
A possible NULL pointer dereference was found in the chrp_show_cpuinfo
function when using the PowerPC architecture. This may have allowed a local
unprivileged user to cause a denial of service (crash).
The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced
Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does
not return the correct write size, which allows local users to obtain
sensitive information (kernel memory contents) via a small count argument,
as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
From the SUSE advisory: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory.
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538)
The Minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
other versions, allows local users to cause a denial of service (hang) via
a malformed minix file stream that triggers an infinite loop in the
minix_bmap function. NOTE: this issue might be due to an integer overflow
or signedness error.
Integer underflow in the ieee80211_rx function in
net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows
remote attackers to cause a denial of service (crash) via a crafted SKB
length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA
flag is set, aka an "off-by-two error."
From the mitre.org CVE description:
VFS in the Linux kernel before 2.6.23.14 performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass file permissions.
Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak
kernel memory contents via an uninitialized stack buffer. A local attacker
could exploit this flaw to view sensitive kernel information.
(CVE-2007-1353)
The GEODE-AES driver did not correctly initialize its encryption key.
Any data encrypted using this type of device would be easily compromised.
(CVE-2007-2451)
The random number generator was hashing a subset of the available
entropy, leading to slightly less random numbers. Additionally, systems
without an entropy source would be seeded with the same inputs at boot
time, leading to a repeatable series of random numbers. (CVE-2007-2453)
The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors.
The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux kernel 2.6.21 through 2.6.23.7, and 2.6.24-rc through 2.6.24-rc2, allows remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference.
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack.
A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes
RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an
"out of bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2)
fib_props (fib_semantics.c, IPv4) functions. (CVE-2007-2172)
mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does not
prevent stack expansion from entering into reserved kernel page memory,
which allows local users to cause a denial of service (OOPS) via
unspecified vectors. (CVE-2007-3739)
The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer
ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do not check
permissions for ioctls, which might allow local users to cause a denial of
service or gain privileges. (CVE-2007-4308)
Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier
allow remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via long SMB responses that trigger the overflows in
the SendReceive function.
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures.
The drm/i915 component in the Linux kernel before 2.6.22.2, when used with
i965G and later chipsets, allows local users with access to an X11 session
and Direct Rendering Manager (DRM) to write to arbitrary memory locations
and gain privileges via a crafted batchbuffer. (CVE-2007-3851)
Linux kernel 2.4.35 and other versions allows local users to send arbitrary
signals to a child process that is running at higher privileges by causing
a setuid-root parent process to die, which delivers an attacker-controlled
parent process death signal (PR_SET_PDEATHSIG). (CVE-2007-3848)
Stack-based buffer overflow in the random number generator (RNG)
implementation in the Linux kernel before 2.6.22 might allow local root
users to cause a denial of service or gain privileges by setting the
default wakeup threshold to a value greater than the output pool size,
which triggers writing random numbers to the stack by the pool transfer
function involving "bound check ordering". NOTE: this issue might only
cross privilege boundaries in environments that have granular assignment of
privileges for root. (CVE-2007-3105)
The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
units, which allows local users to cause a denial of service (panic)
via unspecified vectors.
The disconnect method in the Philips USB Webcam (pwc) driver in Linux
kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
which allows user-assisted local attackers to cause a denial of service
(USB subsystem hang and CPU consumption in khubd) by not closing the
device after the disconnect is invoked. NOTE: this rarely crosses
privilege boundaries, unless the attacker can convince the victim to
unplug the affected device.
The sysfs_readdir function in the Linux kernel 2.6 allows local users to
cause a denial of service (kernel OOPS) by dereferencing a null pointer to
an inode in a dentry. (CVE-2007-3104)
The CIFS filesystem, when Unix extension support is enabled, did not honor
the umask of a process, which allowed local users to gain
privileges. (CVE-2007-3740)
The Linux kernel checked the wrong global variable for the CIFS sec mount
option, which might allow remote attackers to spoof CIFS network traffic
that the client configured for security signatures, as demonstrated by lack
of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843)
Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux
kernel allowed local users to have an unknown impact via a crafted argument
to the isdn_ioctl function. (CVE-2007-6063)
CVE-2004-2731:
infamous41md reported multiple integer overflows in the Sbus PROM
driver that would allow for a DoS (Denial of Service) attack by a
local user, and possibly the execution of arbitrary code.
CVE-2006-5753:
Eric Sandeen provided a fix for a local memory corruption vulnerability
resulting from a misinterpretation of return values when operating on
inodes which have been marked bad.
CVE-2006-6053:
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted ext3 filesystem.
CVE-2007-2525:
Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused
by releasing a socket before PPPIOCGCHAN is called upon it. This could
be used by a local user to DoS a system by consuming all available memory.
CVE-2006-7203:
OpenVZ Linux kernel team reported an issue in the smbfs filesystem which
can be exploited by local users to cause a DoS (oops) during mount.
David Coffey discovered an uninitialized pointer free flaw in the
RPC library used by kadmind. A remote unauthenticated attacker who
could access kadmind could trigger the flaw causing kadmind to crash
or possibly execute arbitrary code (CVE-2007-2442).
David Coffey also discovered an overflow flaw in the same RPC library.
A remote unauthenticated attacker who could access kadmind could
trigger the flaw causing kadmind to crash or possibly execute arbitrary
code (CVE-2007-2443).
Finally, a stack buffer overflow vulnerability was found in kadmind
that allowed an unauthenticated user able to access kadmind the
ability to trigger the vulnerability and possibly execute arbitrary
code (CVE-2007-2798).
The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Tenable Network Security discovered a stack buffer overflow flaw in the RPC
library used by kadmind. A remote unauthenticated attacker who can access
kadmind could trigger this flaw and cause kadmind to crash.
Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A
remote unauthenticated attacker who can access kadmind could trigger this
flaw and cause kadmind to crash.
A flaw was found in the username handling of the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a target
machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001
Buffer overflows were found which affect the Kerberos KDC and the kadmin
server daemon. A remote attacker who can access the KDC could exploit this
bug to run arbitrary code with the privileges of the KDC or kadmin server
processes. MIT krb5 Security Advisory 2007-002
Stefan Cornelius from Secunia Research discovered that the
"parseIrcUrl()" function in file src/kvirc/kernel/kvi_ircurl.cpp does
not properly sanitize parts of the URI when building the command for
KVIrc's internal script system.
Stack-based buffer overflow in Little CMS (lcms) before 1.15 allows remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via a crafted ICC profile in a JPG file.
mirror --script in lftp before 3.5.9 does not properly quote shell
metacharacters, which might allow remote user-assisted attackers to execute
shell commands via a malicious script. NOTE: it is not clear whether this
issue crosses security boundaries, since the script already supports
commands such as "get" which could overwrite executable files.
libarchive, a library for manipulating different streaming archive
formats, has a number of pax extension header vulnerabilities.
These may be used to cause a denial of service or for the execution
of arbitrary code.
Devon Miller reported a boundary error in the "print_iso9660_recurse()"
function in files cd-info.c and iso-info.c when processing long
filenames within Joliet images.
A remote attacker could entice a user to open a specially crafted ISO
image in the cd-info and iso-info applications, resulting in the
execution of arbitrary code with the privileges of the user running the
application. Applications linking against shared libraries of libcdio
are not affected.
From the Red Hat advisory: An integer overflow flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to execute arbitrary code, or crash.
From the Red Hat advisory: An infinite recursion flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to crash.
The GD library does not perform proper bounds checking when creating images; as a result, an attacker could, via crafted input, potentially execute arbitrary code.
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application.
Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21
allow remote attackers to cause a denial of service (crash) via crafted (1)
pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt
(png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) zTXt
(png_handle_ztXt) chunks in PNG images, which trigger out-of-bounds read
operations. (CVE-2007-5269)
pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical
instead of bitwise operations and (2) incorrect comparisons, which might
allow remote attackers to cause a denial of service (crash) via a crafted
PNG image. (CVE-2007-5268)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause
a denial of service (crash) via a crafted PNG image, due to an incorrect
fix for CVE-2007-5266. (CVE-2007-5267)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1
allows remote attackers to cause a denial of service (crash) via a crafted
PNG image that prevents a name field from being NULL terminated.
(CVE-2007-5266)
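The terminator problem in the two iCCP entries above, as an added C example (not libpng's code): a parser for the payload of a PNG iCCP chunk, which per the PNG specification is a 1-79 byte profile name, a NUL terminator, a compression-method byte (0 for zlib) and the compressed profile. The parser searches for the NUL only inside the chunk's own length, copies the name into a buffer that reserves a byte for the terminator, and refuses a chunk whose name is unterminated or too long instead of reading or writing past it. The struct and function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICCP_NAME_MAX 79          /* PNG spec: profile name is 1..79 bytes */

struct iccp_chunk {
    char name[ICCP_NAME_MAX + 1]; /* +1 reserves room for the terminator */
    unsigned char method;         /* compression method, must be 0 (zlib) */
    const unsigned char *profile; /* points into the caller's chunk buffer */
    size_t profile_len;
};

/* Parse the payload of a PNG iCCP chunk (added example, not libpng code).
 * Returns 0 on success, -1 if the chunk is malformed. The name is searched
 * only within the chunk's own length, never up to a NUL that may happen to
 * lie beyond it, and the copy always leaves the buffer NUL-terminated. */
int parse_iccp(const unsigned char *data, size_t len, struct iccp_chunk *out)
{
    /* A valid name plus its NUL occupies at most 80 bytes; look no further. */
    size_t limit = len < ICCP_NAME_MAX + 1 ? len : ICCP_NAME_MAX + 1;
    const unsigned char *nul = memchr(data, '\0', limit);
    if (nul == NULL)             /* unterminated or over-long name */
        return -1;

    size_t name_len = (size_t)(nul - data);
    if (name_len == 0)           /* the name must be at least one byte */
        return -1;
    if (name_len + 2 >= len)     /* need the method byte and some profile data */
        return -1;

    memcpy(out->name, data, name_len);
    out->name[name_len] = '\0';  /* explicit termination, inside the buffer */
    out->method = data[name_len + 1];
    if (out->method != 0)
        return -1;
    out->profile = data + name_len + 2;
    out->profile_len = len - (name_len + 2);
    return 0;
}

int main(void)
{
    /* Constructed chunk payload: name "sRGB", NUL, method 0, profile "xyz". */
    static const unsigned char good[] = "sRGB\0" "\0" "xyz";
    /* Constructed malformed payload: 80 name bytes and no terminator. */
    unsigned char unterminated[80];
    struct iccp_chunk c;

    memset(unterminated, 'a', sizeof unterminated);
    printf("good chunk:         %d\n", parse_iccp(good, sizeof good - 1, &c));
    printf("unterminated chunk: %d\n", parse_iccp(unterminated, sizeof unterminated, &c));
    return 0;
}
```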
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
The lighttpd web server has multiple vulnerabilities: malformed requests
sent by a remote attacker can circumvent access-control settings, and
can also be used to crash the server, causing a denial of service.
From the Debian advisory: Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an 'amd64' flavor kernel.
ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data.
The vmsplice system call did not properly verify address arguments
passed by user space processes, which allowed local attackers to
overwrite arbitrary kernel memory, gaining root privileges
(CVE-2008-0010, CVE-2008-0600).
Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. (CVE-2007-6206)
Hugh Dickins discovered an issue in the tmpfs filesystem where, under a rare circumstance, a kernel page maybe improperly cleared, leaking sensitive kernel memory to userspace or resulting in a DoS (crash). (CVE-2007-6417)
Neel Mehta and Ryan Smith discovered that the VMware Player DHCP server
did not correctly handle certain packet structures. Remote attackers
could send specially crafted packets and gain root privileges.
(CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Rafal Wojtczuk discovered multiple memory corruption issues in VMware
Player. Attackers with administrative privileges in a guest operating
system could cause a denial of service or possibly execute arbitrary
code on the host operating system. (CVE-2007-4496, CVE-2007-4497)
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Multiple cross-site scripting (XSS) vulnerabilities in Mailman before
2.1.10b1 allow remote attackers to inject arbitrary web script or HTML
via unspecified vectors related to (1) editing templates and (2) the
list's "info attribute" in the web administrator interface, a
different vulnerability than CVE-2006-3636.
Cross-site scripting (XSS) vulnerability in view.php in Mantis before 1.1.0 allows remote attackers to inject arbitrary web script or HTML via a filename.
CVE-2007-4542: Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI program.
CVE-2007-4629: Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.
From the Red Hat advisory: "Versions of mod_jk before 1.2.23 decoded request URLs by default inside
Apache httpd and forwarded the encoded URL to Tomcat, which itself did a
second decoding. If Tomcat was used behind mod_jk and configured to only
proxy some contexts, an attacker could construct a carefully crafted HTTP
request to work around the context restriction and potentially access
non-proxied content."
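The decoding mismatch behind the mod_jk entry, as an added C example rather than mod_jk's or Tomcat's code: a constructed front end decodes a request path once, checks that it lies under the single proxied context and carries no "..", and forwards the still-partially-encoded path; the constructed back end decodes again and normalizes, so a double-encoded "%252e%252e" that passed the check resolves to a non-proxied path. The fixed front end checks the same fully decoded, normalized form the back end will see and rejects anything that still contains '%' after one decode. The /public and /admin paths and all function names are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes exactly once; malformed escapes are copied through.
 * "%25" decodes to a literal '%', so a doubly encoded byte survives one
 * pass as a still-encoded byte. */
void url_decode_once(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval((unsigned char)in[i + 1])) >= 0 &&
            (lo = hexval((unsigned char)in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

/* Collapse "." and ".." segments the way a servlet container maps a
 * request path onto a context. */
void normalize_path(const char *in, char *out, size_t outsz)
{
    char tmp[512];
    const char *seg[64];
    int n = 0;
    snprintf(tmp, sizeof tmp, "%s", in);
    for (char *s = strtok(tmp, "/"); s != NULL; s = strtok(NULL, "/")) {
        if (strcmp(s, ".") == 0) continue;
        if (strcmp(s, "..") == 0) { if (n > 0) n--; continue; }
        if (n < 64) seg[n++] = s;
    }
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, outsz - used, "/%s", seg[i]);
        if (w < 0 || (size_t)w >= outsz - used) break;
        used += (size_t)w;
    }
    if (n == 0) snprintf(out, outsz, "/");
}

/* Vulnerable front end (constructed): decode once, check, forward the
 * checked string, which may still contain encoded bytes. */
int frontend_allows(const char *raw, char *forwarded, size_t sz)
{
    url_decode_once(raw, forwarded, sz);
    if (strncmp(forwarded, "/public/", 8) != 0) return 0;
    if (strstr(forwarded, "..") != NULL) return 0;
    return 1;
}

/* Constructed back end: decodes the forwarded path again, then normalizes. */
void backend_resolve(const char *forwarded, char *resolved, size_t sz)
{
    char decoded[512];
    url_decode_once(forwarded, decoded, sizeof decoded);
    normalize_path(decoded, resolved, sz);
}

/* Fixed front end: check the fully decoded, normalized path the back end
 * will see, refuse residual '%' (double encoding), and forward that form. */
int frontend_allows_fixed(const char *raw, char *forwarded, size_t sz)
{
    char decoded[512], resolved[512];
    url_decode_once(raw, decoded, sizeof decoded);
    if (strchr(decoded, '%') != NULL) return 0;
    normalize_path(decoded, resolved, sizeof resolved);
    if (strncmp(resolved, "/public/", 8) != 0) return 0;
    snprintf(forwarded, sz, "%s", resolved);
    return 1;
}

int main(void)
{
    const char *req = "/public/%252e%252e/admin/users";   /* constructed request */
    char fwd[512], res[512];
    int ok = frontend_allows(req, fwd, sizeof fwd);
    backend_resolve(fwd, res, sizeof res);
    printf("vulnerable: allowed=%d forwarded=%s backend sees %s\n", ok, fwd, res);
    printf("fixed:      allowed=%d\n", frontend_allows_fixed(req, fwd, sizeof fwd));
    return 0;
}
```

The general lesson is that an access check is only meaningful on the exact representation the protected component acts on; any decode or normalization the back end performs after the check reopens it.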
A flaw was discovered in MoinMoin's error reporting when using the
AttachFile action. By tricking a user into viewing a crafted MoinMoin
URL, an attacker could execute arbitrary JavaScript as the current
MoinMoin user, possibly exposing the user's authentication information
for the domain where MoinMoin was hosted.
A cross-site scripting (XSS) vulnerability in index.php in Moodle 1.7.1
allows remote attackers to inject arbitrary web script or HTML via a style
expression in the search parameter.
Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz:
Upgraded to firefox-2.0.0.12.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
patches/packages/seamonkey-1.1.8-i486-1_slack12.0.tgz:
Upgraded to seamonkey-1.1.8.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
+--------------------------+
MPlayer versions up to 1.0rc1 have a buffer overflow in the
DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c.
User-assisted remote attackers can use this to trigger the overflow
and possibly execute arbitrary code.
Several buffer overflows have been discovered in the MPlayer movie player,
which might lead to the execution of arbitrary code. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0485:
Felipe Manzano and Anibal Sacco discovered a buffer overflow in
the demuxer for MOV files.
CVE-2008-0486:
Reimar Doeffinger discovered a buffer overflow in the FLAC header
parsing.
CVE-2008-0629:
Adam Bozanich discovered a buffer overflow in the CDDB access code.
CVE-2008-0630:
Adam Bozanich discovered a buffer overflow in URL parsing.
From the Gentoo advisory: nnp discovered multiple vulnerabilities in the XML-RPC handler in the
file webserver.c. The ws_addarg() function contains a format string
vulnerability, as it does not properly sanitize username and password
data from the "Authorization: Basic" HTTP header line (CVE-2007-5825).
The ws_decodepassword() and ws_getheaders() functions do not correctly
handle empty Authorization header lines, or header lines without a ':'
character, leading to NULL pointer dereferences (CVE-2007-5824).
MySQL subselect queries using "ORDER BY" can be used by an attacker with
access to a MySQL instance in order to create an intermittent denial
of service.
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server.
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226).
From the CVE entry: MySQL 5.0.x before 5.0.52, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and
5.1 before 5.1.18-beta, allows context-dependent attackers to cause a
denial of service (crash) via a crafted IF clause that results in a
divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not
require the DROP privilege for RENAME TABLE statements, which allows remote
authenticated users to rename arbitrary tables. (CVE-2007-2691)
The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before
5.1.18 does not restore THD::db_access privileges when returning from SQL
SECURITY INVOKER stored routines, which allows remote authenticated users
to gain privileges. (CVE-2007-2692)
MySQL Community Server before 5.0.45 allows remote authenticated users to
gain update privileges for a table in another database via a view that
refers to this external table. (CVE-2007-3782)
Philip Stoev discovered that the federated engine of MySQL
did not properly handle responses with a small number of columns.
An authenticated user could use a crafted response to a SHOW
TABLE STATUS query and cause a denial of service.
From the Debian advisory: Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL implementation included in the MySQL database package, which could lead to denial of service and possibly the execution of arbitrary code.
Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
Buffer overflow in the redir function in check_http.c in Nagios Plugins
before 1.4.10 allows remote web servers to execute arbitrary code via long
Location header responses (redirects).
Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies.
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
From the Mandriva advisory: A buffer overflow in the giftopnm utility in netpbm prior to version 10.27 could allow attackers to have an unknown impact via a specially crafted GIF file.
Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3
proxy server written by Igor Sysoev. The "msie_refresh" directive could
allow cross-site scripting.
Josh Burley reported that nss_ldap does not properly handle the LDAP
connections due to a race condition that can be triggered by
multi-threaded applications using nss_ldap, which might lead to
requested data being returned to a wrong process.
From the CVE entry: The BDB backend for slapd in OpenLDAP before 2.3.36,
allows remote authenticated users to cause a denial of service (crash) via
a potentially-successful modify operation with the NOOP control set to
critical, possibly due to a double free vulnerability.
The OpenLDAP Lightweight Directory Access Protocol suite has a problem
with handling of malformed objectClasses LDAP attributes by the slapd
daemon. Both local and remote attackers can use this to crash slapd,
causing a denial of service.
slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when
running as a proxy-caching server, allocates memory using a malloc variant
instead of calloc, which prevents an array from being initialized properly
and might allow attackers to cause a denial of service (segmentation fault)
via unknown vectors that prevent the array from being null terminated.
A heap overflow vulnerability has been discovered in the TIFF parsing
code of the OpenOffice.org suite. The parser uses untrusted values
from the TIFF file to calculate the number of bytes of memory to
allocate. A specially crafted TIFF image could trigger an integer
overflow and subsequently a buffer overflow that could cause the
execution of arbitrary code.
A security vulnerability in HSQLDB, the default database engine shipped with OpenOffice.org 2 (all versions), may allow attackers to execute arbitrary static Java code, by manipulating database documents to be opened by a user.
OpenSSH 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal handler and, in portable OpenSSH, a GSSAPI authentication abort
that could be used to determine the validity of usernames on some platforms.
Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f
and 0.9.7 allows remote attackers to execute arbitrary code via unspecified
vectors.
From the Debian advisory: An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in the libssl library from OpenSSL, an implementation of Secure
Socket Layer cryptographic libraries and utilities. This error could
allow an attacker to crash an application making use of OpenSSL's libssl
library, or potentially execute arbitrary code in the security context
of the user running such an application.
The Opera browser has multiple vulnerabilities.
The JavaScript engine is vulnerable to a virtual function call on an invalid pointer that can be triggered by specially crafted JavaScript.
A freed pointer in the BitTorrent support may be
accessed; this can be used for malicious code execution.
The browser is vulnerable to several memory read protection
errors. There are URI display errors that can be used to trick
users into visiting arbitrary web sites.
PCRE has flaws in the way it handles malformed regular
expressions.
If an application linked against PCRE, such as Konqueror,
encounters a maliciously created regular expression, it may be possible
to run arbitrary code. Vulnerabilities CVE-2005-4872 and CVE-2006-7227
have been combined into CVE-2006-7224.
Multiple flaws were found in the way pcre handles certain malformed regular
expressions. If an application linked against pcre, such as Konqueror,
parses a malicious regular expression, it may be possible to run arbitrary
code as the user running the application. (CVE-2007-1659, CVE-2007-1660)
Specially crafted regular expressions could lead to buffer overflows in the pcre library. Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code as the user running the application.
A buffer overflow caused by a character class containing a
very large number of characters with codepoints greater than 255 (in UTF-8 mode) may affect usages of pcre, when regular expressions from untrusted sources are compiled.
Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the
end of the string when searching for unmatched brackets and parentheses,
which allows context-dependent attackers to cause a denial of service
(crash), possibly involving forward references. (CVE-2007-1662)
Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE)
library before 7.3 allows context-dependent attackers to execute arbitrary
code via a singleton Unicode sequence in a character class in a regex
pattern, which is incorrectly optimized. (CVE-2007-4768)
A heap-based buffer overflow in the handshakeHTTP function in servhs.cpp in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request.
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485).
Various integer overflow flaws were found in the PHP gd extension. A
script that could be forced to resize images from an untrusted source could
possibly allow a remote attacker to execute arbitrary code as the apache
user. (CVE-2007-3996)
A previous security update introduced a bug into PHP session cookie
handling. This could allow an attacker to stop a victim from viewing a
vulnerable web site if the victim has first visited a malicious web page
under the control of the attacker, and that page can set a cookie for the
vulnerable web site. (CVE-2007-4670)
A flaw was found in the PHP money_format function. If a remote attacker
was able to pass arbitrary data to the money_format function this could
possibly result in an information leak or denial of service. Note that it
is unusual for a PHP script to pass user-supplied data to the money_format
function. (CVE-2007-4658)
A flaw was found in the PHP wordwrap function. If a remote attacker was
able to pass arbitrary data to the wordwrap function this could possibly
result in a denial of service. (CVE-2007-3998)
A bug was found in PHP session cookie handling. This could allow an
attacker to create a cross-site cookie insertion attack if a victim follows
an untrusted carefully-crafted URL. (CVE-2007-3799)
A flaw was found in handling of dynamic changes to global variables. A
script which used certain functions which change global variables could
be forced to enable the register_globals configuration option, possibly
resulting in global variable injection. (CVE-2007-4659)
An integer overflow flaw was found in the PHP chunk_split function. If a
remote attacker was able to pass arbitrary data to the third argument of
chunk_split they could possibly execute arbitrary code as the apache user.
Note that it is unusual for a PHP script to use the chunk_split function
with a user-supplied third argument. (CVE-2007-4661)
The Hardened-PHP Project discovered buffer overflows in the internal
routines behind PHP's htmlentities() and htmlspecialchars() functions.
Since the whole purpose of these functions is to process user input,
attacker-controlled data reaches the flaw directly. (The overflow can
only occur when UTF-8 is used.)
Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4,
allow remote attackers to obtain sensitive information (memory contents) or
cause a denial of service (thread crash) via a large len value to the (1)
strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE:
this affects different product versions than CVE-2007-3996.
(CVE-2007-4657)
Unspecified vulnerability in the chunk_split function in PHP before 5.2.4
has unknown impact and attack vectors, related to an incorrect size
calculation. (CVE-2007-4660)
Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4
has unknown impact and attack vectors. (CVE-2007-4662)
The php5 package contains multiple vulnerabilities, the most serious of which involve several Denial of Service attacks (application crashes and temporary application hangs). It is not currently known that these vulnerabilities can be exploited to execute malicious code.
Several remote vulnerabilities have been discovered in phpMyAdmin, a
program to administrate MySQL over the web. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-1325:
The PMA_ArrayWalkRecursive function in libraries/common.lib.php
does not limit recursion on arrays provided by users, which allows
context-dependent attackers to cause a denial of service (web
server crash) via an array with many dimensions.
CVE-2007-1395:
Incomplete blacklist vulnerability in index.php allows remote
attackers to conduct cross-site scripting (XSS) attacks by
injecting arbitrary JavaScript or HTML in a (1) db or (2) table
parameter value followed by an uppercase </SCRIPT> end tag,
which bypasses the protection against lowercase </script>.
CVE-2007-2245:
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML via (1) the
fieldkey parameter to browse_foreigners.php or (2) certain input
to the PMA_sanitize function.
CVE-2006-6942:
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary HTML or web script via (1) a comment
for a table name, as exploited through (a) db_operations.php,
(2) the db parameter to (b) db_create.php, (3) the newname parameter
to db_operations.php, the (4) query_history_latest,
(5) query_history_latest_db, and (6) querydisplay_tab parameters to
(c) querywindow.php, and (7) the pos parameter to (d) sql.php.
CVE-2006-6944:
phpMyAdmin allows remote attackers to bypass Allow/Deny access rules
that use IP addresses via false headers.
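The case-sensitivity bypass in CVE-2007-1395 above, as an added C example (not phpMyAdmin's code): a blacklist that strips only the lowercase end tag lets an uppercase </SCRIPT> close the page's own script block, a case-insensitive search shows why, and the fix is to escape every HTML metacharacter when writing the value into an HTML text or attribute context instead of enumerating bad strings. The function names and the sample payload are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* The incomplete-blacklist approach: refuse only the lowercase end tag.
 * Returns 1 if the filter would let the value through unchanged. */
int blacklist_allows(const char *value)
{
    return strstr(value, "</script>") == NULL;
}

/* Case-insensitive substring search, showing why the blacklist fails.
 * (strcasestr is a GNU extension, so it is written out here.) */
const char *find_ci(const char *haystack, const char *needle)
{
    size_t n = strlen(needle);
    for (; *haystack != '\0'; haystack++)
        if (strncasecmp(haystack, needle, n) == 0)
            return haystack;
    return NULL;
}

/* The actual fix: escape every character with HTML meaning when the value
 * is written into an HTML text or attribute context. Returns the number of
 * bytes written; truncates rather than overflowing if out is too small. */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (o + n >= outsz)
            break;
        memcpy(out + o, rep, n);
        o += n;
    }
    if (outsz > 0)
        out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed payload: close the page's own <script> block, then inject. */
    const char *payload = "</SCRIPT><img src=x onerror=alert(1)>";
    char safe[256];

    printf("blacklist lets it through: %s\n", blacklist_allows(payload) ? "yes" : "no");
    printf("case-insensitive match:    %s\n", find_ci(payload, "</script>") ? "yes" : "no");
    html_escape(payload, safe, sizeof safe);
    printf("escaped: %s\n", safe);
    return 0;
}
```

Even a case-insensitive blacklist would still miss other break-out sequences; contextual output encoding is the check that does not depend on guessing the attacker's spelling. Where the value lands inside a JavaScript string rather than HTML text, a JavaScript string encoder is needed instead of html_escape().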
Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin
2.11.1, when accessed by a browser that does not URL-encode requests,
allows remote attackers to inject arbitrary web script or HTML via the
query string.
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via
certain input available in (1) PHP_SELF in (a) server_status.php, and (b)
grab_globals.lib.php, (c) display_change_password.lib.php, and (d)
common.lib.php in libraries/; and certain input available in PHP_SELF and
(2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other
vectors related to (3) REQUEST_URI.
phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information
via a direct request for themes/darkblue_orange/layout.inc.php, which
reveals the path in an error message.
phpMyAdmin prior to version 2.11.2.1 has an SQL injection vulnerability
in db_create.php. Remote authenticated users with CREATE DATABASE privileges can use this to execute arbitrary SQL commands via the db parameter.
db_create.php also has a related cross-site scripting vulnerability.
Remote authenticated users can inject arbitrary web scripts or HTML
using a hex-encoded IMG element in the db parameter in a POST request.
A cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin
4.1.1 allows remote attackers to inject arbitrary web script or HTML via
the server parameter.
Several vulnerabilities have been found in the PostgreSQL database manager. The developers call the fixes "critical," but also note that, as of the time of the update, none of them were known to be exploited; see this advisory for more information.
Multiple integer overflows in the imageop module in Python 2.5.1 and
earlier allow context-dependent attackers to cause a denial of service
(application crash) and possibly obtain sensitive information (memory
contents) via crafted arguments to (1) the tovideo method, and unspecified
other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other
files, which trigger heap-based buffer overflows.
From this post
to the Debian security list: "I think I have discovered a
vulnerability in qemu. It is related to the block device drivers: that is,
the backends which implement the functionality offered to a guest via
emulated block devices such as the emulated IDE controller."
The bgpd daemon in Quagga prior to 0.99.9 allowed remote BGP peers to cause
a denial of service crash via a malformed OPEN message or COMMUNITY
attribute.
rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
A format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.
Samba's user authentication code is vulnerable to a heap-based buffer overflow.
Remote unauthenticated users can use this to crash the Samba server
and cause a denial of service.
A stack buffer overflow flaw was found in the way Samba authenticates
remote users. A remote unauthenticated user could trigger this flaw to
cause the Samba server to crash, or execute arbitrary code with the
permissions of the Samba server.
Samba's mechanism for creating NetBIOS replies is vulnerable to a
buffer overflow. Samba servers that are configured to run as a
WINS server can be crashed by a remote unauthenticated user;
execution of arbitrary code may also be possible.
From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
From the Debian advisory: Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing 'xprop'. This could allow any local user to gain the privileges of group utmp.
A flaw was found in the way squid stored HTTP headers for cached objects
in system memory. An attacker could cause squid to use additional memory,
and trigger high CPU usage when processing requests for certain cached
objects, possibly leading to a denial of service.
Subversion 1.4.3 and earlier does not properly implement the "partial
access" privilege for users who have access to changed paths but not copied
paths, which allows remote authenticated users to obtain sensitive
information (revision properties) via svn (1) propget, (2) proplist, or (3)
propedit.
An unspecified vulnerability involving an "incorrect use of system
classes" was reported by the Fujitsu security team. Additionally, Chris
Evans from the Google Security Team reported an integer overflow
resulting in a buffer overflow in the ICC parser used with JPG or BMP
files, and an incorrect open() call to /dev/tty when processing certain
BMP files.
A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in
teTeX might allow user-assisted remote attackers to overwrite files and
possibly execute arbitrary code via a long filename. NOTE: other overflows
exist but might not be exploitable, such as a heap-based overflow in the
check_idx function.
Joachim Schrod discovered several buffer overflow vulnerabilities and
an insecure temporary file creation in the "dvilj" application that is
used by dvips to convert DVI files to printer formats (CVE-2007-5937,
CVE-2007-5936). Bastien Roucaries reported that the "dvips" application
is vulnerable to two stack-based buffer overflows when processing DVI
documents with long \href{} URIs (CVE-2007-5935). teTeX also includes
code from Xpdf that is vulnerable to a memory corruption and two
heap-based buffer overflows (GLSA 200711-22); and it contains code from
T1Lib that is vulnerable to a buffer overflow when processing an overly
long font filename (GLSA 200710-12).
From the Mandriva advisory: The ReadImage() function in Tk did not check CodeSize read from GIF images prior to initializing the append array, which could lead to a buffer overflow with unknown impact.
The Tk toolkit's GIF-reading code contains a buffer overflow which could be exploited via a malicious image file. Fixes may be found in versions 8.4.12 and 8.3.5.
It was discovered that Tk could be made to overrun a buffer when loading
certain images. If a user were tricked into opening a specially crafted GIF
image, remote attackers could cause a denial of service or execute
arbitrary code with user privileges.
Jan Oravec reported that the "/usr/bin/tomboy" script sets the
"LD_LIBRARY_PATH" environment variable incorrectly, which might result
in the current working directory (.) being included when searching for
dynamically linked libraries of the Mono Runtime application.
Note that the tomboy vulnerability was added in 2007.
Some JSPs within the 'examples' web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).
Note: it is recommended the 'examples' web application not be installed on
a production system.
The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450).
Tomcat was found treating single quote characters -- ' -- as delimiters in
cookies. This could allow remote attackers to obtain sensitive information,
such as session IDs, for session hijacking attacks (CVE-2007-3382).
It was reported Tomcat did not properly handle the following character
sequence in a cookie: \" (a backslash followed by a double-quote). It was
possible remote attackers could use this failure to obtain sensitive
information, such as session IDs, for session hijacking attacks
(CVE-2007-3385).
A cross-site scripting (XSS) vulnerability existed in the Host Manager
Servlet. This allowed remote attackers to inject arbitrary HTML and web
script via crafted requests (CVE-2007-3386).
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Peter Paul Elfferich discovered that turba2, a contact management component
for horde framework did not correctly check access rights before allowing
users to edit addresses. This could result in valid users being able to
alter private address records.
The wireshark network traffic analyzer has three vulnerabilities
that can be used to create a denial of service. These include
off-by-one overflows in the iSeries dissector, vulnerabilities in
the MMS and SSL dissectors that can cause an infinite loop and
an off-by-one overflow in the DHCP/BOOTP dissector.
Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload.
Wireshark 0.99.5 allows remote attackers to cause a denial of service (memory consumption) via a malformed DCP ETSI packet that triggers an infinite loop.
Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML
generation toolkit, creates insecure temporary files in the eperl and
ipp backends and in the wmg.cgi script, which could lead to local denial
of service by overwriting files.
Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. (CVE-2007-3238)
SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. (CVE-2007-2821)
Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress
2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to
wp-admin/edit.php. (CVE-2008-0193)
Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. (CVE-2008-0194)
The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.
From the Gentoo alert:
Miroslav Lichvar discovered that the "xdg-open" and "xdg-email" shell
scripts do not properly sanitize their input before processing it.
A remote attacker could entice a user to open a specially crafted link
with a vulnerable application using Xdg-Utils (e.g. an email client),
resulting in the execution of arbitrary code with the privileges of the
user running the application.
iDefense reported an integer overflow flaw in the XFree86 XC-MISC
extension. A malicious authorized client could exploit this issue to cause
a denial of service (crash) or potentially execute arbitrary code with root
privileges on the XFree86 server. (CVE-2007-1003)
iDefense reported two integer overflows in the way X.org handled various
font files. A malicious local user could exploit these issues to
potentially execute arbitrary code with the privileges of the X.org server.
(CVE-2007-1351, CVE-2007-1352)
An integer overflow flaw was found in the XFree86 XGetPixel() function.
Improper use of this function could cause an application calling it to
function improperly, possibly leading to a crash or arbitrary code
execution. (CVE-2007-1667)
Moritz Jodeit discovered that the DirectShow loader of Xine did not
correctly validate the size of an allocated buffer. By tricking a user
into opening a specially crafted media file, an attacker could execute
arbitrary code with the user's privileges.
xine-lib contains a buffer overflow which could be exploited (via a specially-crafted stream) to execute arbitrary code; see this advisory for more information.
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
From the CVE entry: Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function.
xmms suffers from vulnerabilities in its handling of BMP images. Should a hostile image be included in an xmms skin, it could lead to code execution on the user's system.
From the X.org security advisory:
Several vulnerabilities have been identified in server code of the X
window system caused by lack of proper input validation on user
controlled data in various parts of the software, causing various
kinds of overflows.
The X.Org X11 xfs font server has a temp file vulnerability in the
startup script. A local user can modify the permissions of the script
in order to elevate their local privileges.
CVE-2007-1095:
Michal Zalewski discovered that the unload event handler had access to
the address of the next page to be loaded, which could allow information
disclosure or spoofing.
CVE-2007-2292:
Stefano Di Paola discovered that insufficient validation of user names
used in Digest authentication on a web site allows HTTP response splitting
attacks.
CVE-2007-3511:
It was discovered that insecure focus handling of the file upload
control can lead to information disclosure. This is a variant of
CVE-2006-2894.
CVE-2007-5334:
Eli Friedman discovered that web pages written in Xul markup can hide the
titlebar of windows, which can lead to spoofing attacks.
CVE-2007-5337:
Georgi Guninski discovered the insecure handling of smb:// and sftp:// URI
schemes may lead to information disclosure. This vulnerability is only
exploitable if Gnome-VFS support is present on the system.
CVE-2007-5338:
"moz_bug_r_a4" discovered that the protection scheme offered by XPCNativeWrappers
could be bypassed, which might allow privilege escalation.
CVE-2007-5339:
L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson, Olli Pettay,
Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of arbitrary code.
CVE-2007-5340:
Igor Bukanov, Eli Friedman, and Jesse Ruderman discovered crashes in the
Javascript engine, which might allow the execution of arbitrary code.
The current 2.6 development kernel is 2.6.25-rc4, released on March 4.
Patches still continue to go into the mainline repository at a high rate;
most of them are fixes, but there's also kdump support in the ehea driver,
dynamic tick handling in the RCU code, the temporary re-exporting of
init_mm until outside modules can be fixed, HT1100 SATA support,
Freescale MPC85xx DMA controller support, Seiko Instruments S-35390A RTC
support, and the restoration of GPL-only symbol access for ndiswrapper.
See the short-form changelog for details, or the full changelog for lots
of details.
As of this writing, no post-rc4 patches have been merged into the mainline
repository.
The current -mm tree is 2.6.25-rc3-mm1. Recent changes
to -mm include a big set of IDE changes and the removal of some old wireless
drivers. The ext4 filesystem is disabled in -mm until it catches up with
some API changes.
This many years into the effort we ought to be slicing and dicing
volumes as second nature, changing configuration on the fly,
transparently expanding, shrinking and migrating filesystems, and
many other things that ZFS and GEOM are already doing and we are
not. It is not so much that device mapper is incapable of such
fancy tricks, but that we have taken a very powerful kernel
subsystem and hobbled it with a nearly unusable application
interface. Think about a jet turbine racecar with a two inch air
intake.
The realtime patchset has one overriding goal: provide deterministic
response times in all situations. To that end, much work has been done to
eliminate places in the kernel which can be the source of excessive
latencies; quite a bit of that work has been merged into the mainline over
the last two years or so. One of the biggest remaining out-of-tree
components is the sleeping spinlock code. Sleeping spinlocks have
advantages and disadvantages. A recently posted set of patches has the
potential to significantly reduce one of the biggest disadvantages of the
realtime spinlock code.
Mainline spinlocks work by repeatedly polling a lock variable until it
becomes available. This busy-waiting code thus "spins" while waiting for a
lock. Spinlocks are quite fast, but they can also be a source of
significant latencies: a processor which is holding a lock can delay others
for indefinite amounts of time. In the mainline kernel, it is also not
possible to preempt a thread which holds a spinlock - another source of
latencies. (See this article
for a more detailed description of the mainline spinlock implementation).
The realtime patch set addresses this problem in a couple of ways. One of
those is to cause threads waiting for a contended lock to sleep rather than
spin. As a result, lock contention cannot create latencies on processors
which are not holding the lock. When spinning is removed, it is also
possible to make code preemptible even when it holds a lock without causing
deadlock problems. That allows a high-priority process to run regardless
of any lower-priority processes which might currently hold locks on the
current CPU. Finally, the realtime patch set has added priority awareness
and priority inheritance to the locking code to ensure that the
highest-priority process is always able to run.
This is all good stuff, but there is one little disadvantage: the extra
overhead imposed by the more complicated locks can reduce system throughput
considerably. This is a cost that the realtime developers have been
willing to pay; it is often necessary to make trade-offs between throughput
and latency. Recently, though, some developers at Novell have come to the
conclusion that the throughput cost of the realtime patch set need not be
as severe as it currently is; the resulting adaptive realtime locks patch
brings the throughput of the realtime kernel to a level much closer to that
found in the mainline - at least, for some workloads.
The core observation encapsulated in this patch set is that hold times for
spinlocks tend to be quite short, especially in the realtime kernel. So
the cost of putting a waiting thread to sleep may well exceed the cost of
simply busy-waiting until the lock becomes free. So adaptive locks behave
more like their mainline counterpart and simply spin until the lock becomes
available. There are some twists, though, which are necessitated by the
realtime system:
The spinning cannot go on forever, since it may cause unacceptable
latencies elsewhere in the system. So an adaptive lock will only spin
up to a configurable number of times (the default is 10,000) before
giving up and going to sleep.
Since lock holders are preemptible in the realtime kernel, it is
possible that the thread which currently holds the lock was previously
running on the same CPU as the process trying to acquire the lock. In
that situation, spinning for the lock is
clearly a bad thing to do. In the absence of a loop counter, it would
be a hard deadlock situation; with the counter, it would just be an
unnecessary delay. Either way, the result is undesirable, so, if the
lock owner is running on the same
processor, the thread waiting for the lock simply goes to sleep.
If the lock owner is, instead, itself sleeping while waiting for something,
there is little point in having another thread stay awake in the hope
that the owner will release the lock soon. So, in this case too, a thread
contending for a lock will simply go to sleep rather than spin.
One other throughput improvement is obtained by changing the lock-stealing
code. Locks in the realtime system are normally fair, in that threads
waiting for a lock will get it in first-come-first-served order. A
higher-priority process will jump the queue, however, and "steal" the lock
from lower-priority processes which have been waiting for longer. The
adaptive locks patch tweaks this algorithm by allowing a running process to
steal a lock from another, equal-priority process which is sleeping. This
change adds some unfairness to the locking code, but it allows the system
to avoid a context switch and keep a running, cache-warm process going.
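As an added illustration (not the Novell patch's code), here is a small deterministic model in C of the spin-or-sleep decision and the lock-stealing rule described above. The owner's progress is simulated by a poll counter, and the CPU numbers and priorities are constructed values.

```c
#include <stdbool.h>

#define ADAPTIVE_SPIN_LIMIT 10000   /* default spin cap mentioned above */

enum wait_outcome {
    ACQUIRED_BY_SPINNING,   /* the owner released the lock while we spun */
    SLEPT_SPIN_LIMIT,       /* spun the maximum number of times and gave up */
    SLEPT_OWNER_SAME_CPU,   /* owner was preempted on our CPU: spinning would only delay it */
    SLEPT_OWNER_SLEEPING    /* owner is itself blocked, so nobody will release the lock soon */
};

/* Constructed lock state: the real patch reads the owner's CPU and run state
 * from the scheduler; here they are plain fields the caller sets up. */
struct sim_lock {
    bool held;
    int  owner_cpu;         /* CPU the current owner was running on */
    bool owner_sleeping;    /* owner is blocked waiting for something else */
    int  owner_polls_left;  /* simulated progress: owner unlocks after this many polls */
};

struct wait_result { enum wait_outcome outcome; int spins; };

/* One waiter on CPU my_cpu contends for the lock following the adaptive rules.
 * The checks are made in the order the article lists them, before each spin. */
struct wait_result adaptive_wait(struct sim_lock *l, int my_cpu, int spin_limit)
{
    struct wait_result r = { ACQUIRED_BY_SPINNING, 0 };
    for (;;) {
        if (!l->held) {                          /* lock is free: take it */
            l->held = true;
            l->owner_cpu = my_cpu;
            l->owner_sleeping = false;
            return r;
        }
        if (l->owner_cpu == my_cpu) { r.outcome = SLEPT_OWNER_SAME_CPU; return r; }
        if (l->owner_sleeping)      { r.outcome = SLEPT_OWNER_SLEEPING; return r; }
        if (r.spins >= spin_limit)  { r.outcome = SLEPT_SPIN_LIMIT;     return r; }
        r.spins++;                               /* spin once more ... */
        if (--l->owner_polls_left <= 0)          /* ... while the simulated owner progresses */
            l->held = false;
    }
}

/* Lock-stealing rule. A running thread may take the lock ahead of the queue head
 * if it has higher priority, or equal priority while the head is asleep; that is
 * the unfairness the patch accepts to avoid a context switch. Larger number means
 * higher priority in this model (a constructed convention, not the kernel's). */
struct queued_waiter { int prio; bool sleeping; };

bool may_steal_lock(int prio, const struct queued_waiter *head)
{
    if (prio > head->prio) return true;
    return prio == head->prio && head->sleeping;
}
```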
Some benchmark results [PDF] have been posted. On the test system, the
dbench benchmark runs at about 1500 MB/s on a stock 2.6.24 system, but
at just under 170 MB/s on a system with the realtime patches applied.
The adaptive lock patch raises that number back to over 700 MB/s -
still far from a mainline system, but much better than before. The
improvement in hackbench results is even better, while the change in the
all-important "build the kernel" benchmark is small (but still positive).
A fundamental patch like this will require quite a bit of review and
testing before it might be accepted. But the initial results suggest that
adaptive locks might be a big win for the realtime patch set.
Thomas Gleixner has discovered that being the maintainer of a core kernel
infrastructure module can bring some special challenges. Whenever
somebody's kernel oopses in the timer code, for example, Thomas tends to
hear about it. The only problem is that the timer code is almost never
where the bug is. Instead, it's far more likely that some other kernel
subsystem has corrupted an active timer, leaving a bomb that will only
explode later, in the timer code, when that timer is set to expire. At
that point, it can be hard to figure out where the real problem is, as the
culprit will be long gone.
In response, Thomas developed some special-purpose code aimed at finding
the real source of timer-related problems, preferably before it brings down
the kernel. He has now generalized that code and posted it as the object debugging infrastructure
patch, which was subsequently significantly revised. As this
code develops, it has the potential to help find whole classes of
especially difficult bugs before they bring the system down.
There are a few steps involved in adding support for object debugging to a
new subsystem. The first is to create and populate a
debug_obj_descr structure (defined in
<linux/debugobjects.h>):
    struct debug_obj_descr {
        const char *name;
        int (*fixup_init) (void *addr, enum debug_obj_state state);
        int (*fixup_activate) (void *addr, enum debug_obj_state state);
        int (*fixup_destroy) (void *addr, enum debug_obj_state state);
        int (*fixup_free) (void *addr, enum debug_obj_state state);
    };
The name field is the name of the subsystem; it is used in
debugging output. We will return to the other fields below.
The next step is to call into the object debugging code whenever an action
of interest involves one of the tracked objects. There is a set of
functions used for this purpose:
In each case, addr is a pointer to the object being operated on,
and descr is a pointer to the debug_obj_descr structure
mentioned above. The meaning of each call is:
debug_object_init(): the object is being initialized.
debug_object_activate(): it is being added to a subsystem list. For
timer debugging, this action happens when add_timer() is
called.
debug_object_deactivate(): the object is being removed from a subsystem
list.
debug_object_destroy(): the object is being destroyed and is
no longer referenced within the subsystem. This call is not
used in the version 2 patch set.
debug_object_free(): the object is being freed.
The debugging code maintains a hashed set of lists for tracking objects;
each object is added to the appropriate list when one of the above calls is
made. As actions are performed on the objects, their state is tracked.
In this way, the debugging code
is able to test for a number of common mistakes, including deactivating an
object which is not active, reinitializing active objects, or adding
objects twice.
When something goes wrong, a backtrace is sent to the system logs. Since
this backtrace identifies where the original error is made, it is likely to
be far more useful than the trace associated with the system crash which
will probably come later. But this infrastructure can also help to make
that crash less likely, in that each subsystem can register a set of "fixup
functions." These, of course, are all the methods in the
debug_obj_descr structure which we glossed over above.
For example, if a call to debug_object_init() is made with an
object which has already been activated, the debugging infrastructure will
respond with a call to the fixup_init() callback, passing in the
object in question and its current state (ODEBUG_STATE_ACTIVE in
this case). The callback should return zero if it is able to,
somehow, repair the damage. Even if things cannot be truly fixed, though,
there is still use for this function; the timer code, for example, will
disable an active timer if the calling code mishandles it. The kernel will
almost certainly not operate as expected, but, at least, it has a smaller
chance of crashing at some random time in the future.
Most debugging checks are performed in response to calls from within the
subsystem itself. There is one useful check which cannot be done that way,
though: detecting the freeing of objects which are still under some sort of
subsystem management. To catch that mistake, Thomas's patch inserts a hook
into functions like kfree() and free_hot_cold_page().
Every time an object is freed, the code checks through the appropriate list
to see if it is still seen as being active in some subsystem.
Freeing an object which is still known to a subsystem is almost always a
bug - one which can be hard to track down later on.
The check on freed memory objects is clearly a useful debugging tool. It could also have a
nontrivial overhead, though, since it requires searching a list every time
some memory is freed. So it has its own configuration option and can be
configured out of the kernel, even if the rest of the debugging code is
built in.
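An added user-space model of this infrastructure, written for this article rather than taken from Thomas's patch: it keeps the hashed tracking lists, performs the init/activate checks, models the kfree() hook, and wires in a toy timer whose fixup_free() disarms a timer freed while pending. Names other than those quoted above (odebug_*, toy_timer) are invented, and the warning counter stands in for the logged backtrace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum debug_obj_state { ODEBUG_STATE_NONE, ODEBUG_STATE_INIT,
                       ODEBUG_STATE_ACTIVE, ODEBUG_STATE_DESTROYED };
struct debug_obj_descr {            /* same shape as the descriptor quoted above */
    const char *name;
    int (*fixup_init)(void *addr, enum debug_obj_state state);
    int (*fixup_activate)(void *addr, enum debug_obj_state state);
    int (*fixup_destroy)(void *addr, enum debug_obj_state state);
    int (*fixup_free)(void *addr, enum debug_obj_state state);
};
struct debug_obj {                  /* one tracking entry per object */
    void *addr;
    enum debug_obj_state state;
    const struct debug_obj_descr *descr;
    struct debug_obj *next;
};
#define ODEBUG_BUCKETS 64           /* the hashed set of lists */
#define ODEBUG_HASH(a) ((unsigned)(((uintptr_t)(a) >> 4) % ODEBUG_BUCKETS))
static struct debug_obj *odebug_table[ODEBUG_BUCKETS];
static int odebug_warnings;         /* each one stands for a logged backtrace */
#define odebug_warn(op, o) do { odebug_warnings++; fprintf(stderr, \
    "ODEBUG: %s of %s object %p in state %d\n", op, (o)->descr->name, (o)->addr, (int)(o)->state); } while (0)

/* Find the entry for addr, creating it in state NONE if not tracked yet. */
static struct debug_obj *odebug_lookup(void *addr, const struct debug_obj_descr *d)
{
    struct debug_obj **head = &odebug_table[ODEBUG_HASH(addr)], *o;
    for (o = *head; o; o = o->next)
        if (o->addr == addr) return o;
    o = calloc(1, sizeof *o);
    o->addr = addr; o->descr = d; o->next = *head;
    return *head = o;
}
void debug_object_init(void *addr, const struct debug_obj_descr *d)
{
    struct debug_obj *o = odebug_lookup(addr, d);
    if (o->state == ODEBUG_STATE_ACTIVE) {      /* re-initialising a live object */
        odebug_warn("init", o);
        if (d->fixup_init) d->fixup_init(addr, o->state);
    }
    o->state = ODEBUG_STATE_INIT;
}
void debug_object_activate(void *addr, const struct debug_obj_descr *d)
{
    struct debug_obj *o = odebug_lookup(addr, d);
    if (o->state == ODEBUG_STATE_ACTIVE) {      /* e.g. add_timer() on a pending timer */
        odebug_warn("activate", o);
        if (d->fixup_activate) d->fixup_activate(addr, o->state);
        return;
    }
    o->state = ODEBUG_STATE_ACTIVE;
}
/* Models the hook in kfree(): every tracked object inside the freed range is
 * dropped; one still active is reported and handed to fixup_free(). Returns the count. */
int debug_check_no_obj_freed(const void *start, size_t size)
{
    uintptr_t lo = (uintptr_t)start, hi = lo + size;
    int active = 0;
    for (unsigned b = 0; b < ODEBUG_BUCKETS; b++)
        for (struct debug_obj **pp = &odebug_table[b]; *pp; ) {
            struct debug_obj *o = *pp;
            if ((uintptr_t)o->addr < lo || (uintptr_t)o->addr >= hi) { pp = &o->next; continue; }
            if (o->state == ODEBUG_STATE_ACTIVE) {
                odebug_warn("free", o);
                if (o->descr->fixup_free) o->descr->fixup_free(o->addr, o->state);
                active++;
            }
            *pp = o->next;                      /* unlink and release the entry */
            free(o);
        }
    return active;
}

/* Toy timer subsystem wired to the checks; its fixup_free disarms a timer freed
 * while pending, which is what the article says the real timer code does. */
struct toy_timer { int pending; };
static int toy_timer_fixup_free(void *addr, enum debug_obj_state state)
{
    struct toy_timer *t = addr;
    if (state != ODEBUG_STATE_ACTIVE) return 1;
    t->pending = 0;
    return 0;                                   /* zero: damage repaired */
}
const struct debug_obj_descr toy_timer_descr =
    { "toy_timer", NULL, NULL, NULL, toy_timer_fixup_free };
/* Buggy caller: arms a timer twice, then "kfrees" it while still pending. Returns
 * the warning count; *still_pending tells whether fixup_free disarmed the timer. */
int odebug_demo_buggy(int *still_pending)
{
    odebug_warnings = 0;
    struct toy_timer *t = calloc(1, sizeof *t);
    debug_object_init(t, &toy_timer_descr);
    debug_object_activate(t, &toy_timer_descr); t->pending = 1;
    debug_object_activate(t, &toy_timer_descr); /* warning 1: activate while active */
    debug_check_no_obj_freed(t, sizeof *t);     /* warning 2: free of a live timer */
    *still_pending = t->pending;
    free(t);
    return odebug_warnings;
}
```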
At this point, only the timer subsystem is covered by this infrastructure,
but there are plenty of other obvious candidates. Perhaps at the top of the
list would be kobjects, which are famously susceptible to all kinds
of programming mistakes. So expect to see the coverage of this code grow
in the near future.
Back in February, LWN published a
discussion of the vmsplice() exploit which showed how the
failure to check permissions for a read operation led to a buffer overflow
within the kernel. Subsequently, a linux-kernel reader pointed out that the article
stopped short of a complete explanation: this is not an ordinary buffer
overflow exploit. Travel schedules and such prevented the writing of an
immediate followup, but your editor would still like to tell the full
story. So this article picks up where the last one left off and describes
how the vmsplice() exploit makes use of this buffer overflow to
take over the system.
When vmsplice() is being used to feed data from memory into a
pipe, the function charged with making it all happen is
vmsplice_to_pipe(), found in fs/splice.c. It declares a
couple of arrays of interest:
PIPE_BUFFERS, remember, is 16 on exploitable configurations. Both
of these arrays are passed into get_iovec_page_array(), which, as
described in the previous article, makes a call to
get_user_pages() to fill in the pages array. As a result
of the failure to check whether the calling application is allowed to read
the requested region of memory, get_user_pages() will overflow the
pages array, writing far more than PIPE_BUFFERS pointers
into it. These are, however, pointers to legitimate kernel data
structures; it remains to be seen how this overflow enables the attacker to
take control of the system.
The partial array is also passed into
get_iovec_page_array(); it describes the portion of each page which
should be written into the pipe. To that end, a loop like this is run
immediately after returning from get_user_pages():
    for (i = 0; i < error; i++) {
        const int plen = min_t(size_t, len, PAGE_SIZE - off);

        partial[buffers].offset = off;
        partial[buffers].len = plen;
        /* ... */
    }
Since full pages are being written in this case, the calculated offset will be zero, and the length
will be PAGE_SIZE (4096). The value of error is the
return value from get_user_pages(); that will be the number of
pages actually mapped: 46, in the case of the exploit. Remember that the
partial array is also dimensioned to hold 16 entries, so this loop
will overflow that array as well.
Both of these arrays are declared, one right after the other, in
vmsplice_to_pipe(). A quick test by your editor suggests that the
partial array will be placed below pages in memory, so,
once partial is overflowed, the loop will start overwriting
pages instead. So the pages array will end up containing
alternating values of zero and 4096 rather than the real struct
page pointers it had before. (It's worth noting that the exploit
still works if the arrays are placed in the opposite order, since the
overflow causes code down the line to think that pages is larger
than it really is).
Once all this has happened, control returns to vmsplice_to_pipe()
- the overflow is not big enough to have overwritten the return address. A
call to splice_to_pipe() is supposed to finish the job, but
something interesting happens there. Toward the beginning of this
function, this test is made:
    if (!pipe->readers) {
        send_sig(SIGPIPE, current, 0);
        if (!ret)
            ret = -EPIPE;
        break;
    }
Looking back at the exploit
code, we see that it closes the read side of the pipe before calling
vmsplice(). So splice_to_pipe() will quit almost
immediately. On its way out, however, it does this:
    while (page_nr < spd_pages)
        page_cache_release(spd->pages[page_nr++]);
The call to get_user_pages() will have locked each of the relevant
pages into memory to allow the kernel to work with them; this is the
cleanup code which goes back and unlocks the pages which will not be used.
But remember that the pointers in the pages array have been
overwritten, and are now either zero or 4096. What would normally happen
here is a kernel oops, since those are not legitimate addresses. The
exploit code has done something tricky, though: using some special
mmap() calls, it has created some anonymous memory at the bottom
of its address space.
Directly dereferencing user-space addresses while running in kernel mode is
frowned upon for a number of reasons, not least because it can blow up in a number of ways.
But, if the address is valid and the relevant page is resident in memory,
direct access to user-space memory will work. So, when the kernel starts
to work with the addresses that it thinks are struct page
pointers, it does not get any sort of fault; instead, it gets the data
placed in that memory by the exploit. Needless to say, that data has been
arranged carefully.
The Linux kernel normally manages each page as an independent object.
There are times, however, when pages are grouped into larger units, called
"compound pages." This generally happens when physically contiguous
allocations larger than one page are needed by the kernel; when this
happens, a compound page is passed back to the caller. These pages are
special in that they must be split back apart when they are released back
into the system, and there may be other cleanup work to do. So
compound pages have an attribute not found on normal pages: a destructor
which is called when the page is freed.
So, if we look at how the exploit sets up its low-memory page
structures, we see:
When the kernel looks for a page structure at user-space address
zero, it will find something which looks like a compound page. The
destructor (stored in the lru.next field of the second
page structure) is set to kernel_code(), a function
defined within the exploit itself. Since the count is set to one,
the call to page_cache_release() (which decrements that count)
will conclude that there are no further references and, since the page looks like
a compound page, the destructor will be called. At this point, the exploit
has arbitrary code running in kernel mode, and the show is truly over.
This code just sets the process's uid to zero (giving it root
access), then engages in some assembly-language trickery to return
immediately to user space, shorting out the rest of the cleanup process.
There are a couple of interesting implications from all of this. One, clearly,
is that this exploit is not something which was bashed out by a script
kiddie somewhere. It was written by somebody who understands low-level
kernel code quite well and who is able to use that understanding to
escalate an apparent information-disclosure vulnerability into a full code
execution problem. It is, clearly, a mistake to underestimate those who
write exploits, not all of whom immediately make their works known to the
development community. One also should not assume that they have not
already written exploits for other, still unfixed bugs.
Also worth noting is the fact that ordinary buffer overflow protection may
well have not been effective against this vulnerability. The return address on
the stack was not overwritten, and no exploit code was put in data areas.
This episode has caused a renewed interest in technical security measures
in the kernel. These measures are good, but it would be a mistake to think
that they will fix the problem. What is really needed is stronger review
of patches with security in mind; it is not yet clear to your editor that
this review is happening.
This week Jeff Spaleta posted a draft
proposal for a spin submission and approval process. For those
interested in creating officially approved Fedora spins, it is worth a
look.
Anyone can create a Fedora spin for their personal use. Just create a
kickstart file to install the packages you want. There are various ways of
doing this, but the Anaconda
kickstart is probably the most common. This kickstart file tells the
Anaconda installer what packages you want, and you have your own Fedora
spin.
This draft is about creating official spins that will be listed at the Fedora Project Spins Tracker,
and available for interested users to get the official Fedora spin of their
choice. However, there does need to be a way to cleanly distinguish between
Released Spins and Contributed Spins.
What will it take to create an official Fedora spin according to this
proposal? The first step is to get a kickstart file into the Kickstart Pool,
where the file will be reviewed and tested by a peer group of Spin
Maintainers. If the peer group approves then the spin proposal goes to the
board for review. If the Fedora Board approves the spin it will be granted
trademark usage and from there it can be added to the Fedora CVS.
A number of steps need to be completed for this plan to work. First is the
creation of Spin Guidelines. The guidelines will specify a minimum level
of technical quality for kickstart files, and contain a naming scheme for
new spins. The not-yet-formed peer group of Spin Maintainers will have
some say in these Guidelines, although the release engineering team will
probably create the first draft.
There is a long way to go to get a straightforward way for a Fedora Special
Interest Group (or anyone else) to get a spin approved, but such things
always have a start somewhere.
The first stable FreeBSD 7.0 release is out. There are a lot of new features
and performance improvements claimed. "Dramatic improvements in performance and SMP scalability shown by various
database and other benchmarks, in some cases showing peak performance
improvements as high as 350% over FreeBSD 6.X under normal loads and
1500% at high loads. When compared with the best performing Linux
kernel (2.6.22 or 2.6.24) performance is 15% better."
The first alpha release of the Kubuntu
distribution with KDE4 is available.
"There will be two editions of
Kubuntu with the 8.04 release, a commercially supported KDE 3 edition
and a community supported KDE 4 edition. It includes KDE 4.0.1 and a
few applications from KDE 3 to fill in any gaps.
This is our first alpha for the KDE 4 version of Kubuntu."
The first release candidate of Mandriva Linux 2008.1 has been released.
"This pre-release includes the all-new artwork for the 2008 Spring
release, further improvements to the Mandriva software management tools,
WPA-EAP support in the network configuration tools, KDE 3.5.9 and available
4.0.1, some new default applications in KDE and GNOME, and the latest
pre-release of OpenOffice.org 2.4."
The Debian project is looking for nominations for the Project Leader role. Nominations are due by Sunday March 9, 2008 and a new project leader will take office on April 17th. In between, there will be a campaign, with IRC debates, and a vote. Click below for more details.
Marc 'HE' Brockschmidt takes a look at the Debian Lenny release.
"There haven't been any changes in our release schedule. Please note
that we want to release lenny in *6 months*..."
The Debian listmaster team has been improving the setup of the listserver.
Quite a few things have happened since the update last September. Click
below for some highlights; including the new hosting location, the new list
archive search engine, config cleanup, better bounce handling, de-spamming
the list archive, and more.
Security support for Debian GNU/Linux 3.1 (Sarge) will be terminated on
March 31, 2008. "One year after the release of Debian GNU/Linux 4.0
alias 'etch' and nearly three years after the release of Debian GNU/Linux
3.1 alias 'sarge' the security support for the old distribution (3.1 alias
'sarge') is coming to an end next month. The Debian project is proud to be
able to support its old distribution for such a long time and even for one
year after a new version has been released."
The Fedora project has just begun considering a proposal (from Red Hat) to
incorporate the MRG grid scheduler into its distribution. This would
enable Fedora users to donate their spare CPU cycles to some worthy
project. "This would be fantastic for Fedora as it would allow us to lead the open
source movement into the area of open services and community computing
based on open source. It would also be a great marketing showcase for
Fedora by showing our leadership in grid technology and in the power of
our community. And, it would provide Fedora users a feel-good way to
contribute to Fedora--even if they don't code--by contributing CPU
cycles towards things like builds or automated testing."
Anyone who has been running Fedora rawhide, or keeping up with the mail on
the 'testers' list knows that rawhide has been quite unstable. The Fedora
9 beta has been postponed for a week to stabilize rawhide, fix problems in
X and get the impending release of perl-5.10.0 into the system.
Click below for some notes on the February 26, 2008 meeting of the Fedora
Board. Topics discussed include secondary arch hosting, fedoraproject.org
mail, status of PPC, Summer of Code, and several other topics.
New trustees of the Gentoo Foundation have been elected. The winners are
Roy Bamford (neddyseagoon), Ferris McCormick (fmccor), Joshua Jackson
(tsunam), Tom Gall (tgall) and William Thomson (wltjr).
The Mandriva developers are putting together a "what's coming"
document describing the 2008 Spring release, which has just gone into
release-candidate status. "The graphical software manager now
defaults to searching only among applications with a graphical user
interface, rather than among all available packages (of course, it is still
easy to switch to searching through all available packages), reducing the
confusion new and inexperienced users find on being presented with lots of
packages they likely are not interested in installing."
The current openSUSE board is working on a proposal for organizing the
elections of the next board. "As a first step, and also because we
want it to be an open and transparent process, we'd like to hear about
ideas and recommendations about how we should do that."
The Fedora Weekly News for February 25, 2008 looks at "Banners for
Interviews", "Network Manager Interview", "New Fedora Chair plans to remove
obstacles for volunteers" and much more.
This week the OpenSUSE Weekly
News covers small changes, continued work on slimming down the
installation, Firefox 3.0 beta 3 packages, expanded Lenovo SUSE Linux
offerings, and much more.
The Ubuntu Weekly Newsletter for March 1, 2008 covers the Alpha 6 Freeze,
the release of Kubuntu-KDE4, Full Circle Magazine #10, Ubuntu Mobile,
launch of Ubuntu Brainstorm, a Mark Shuttleworth Interview, and much more.
The DistroWatch
Weekly for March 3, 2008 is out. "The delayed FreeBSD 7.0 was
finally released last week and there is a lot to be excited about -
especially if you deploy this excellent operating system on servers. But
how about the desktop users? Is this latest version ready to take over our
workstations? Read our first look review to find out. In the news section,
the Debian release team contemplates the inclusion of KDE 4 in "Lenny",
KNOPPIX springs to life at CeBIT with a new live DVD, Mandriva continues
its relentless march towards version 2008.1, and Fedora discusses
improvements in NetworkManager. Finally, we are pleased to announce that
the recipient of the DistroWatch February 2008 donation is Frugalware
Linux, a community distribution from Hungary."
In his ongoing series of interviews on the Fedora wiki, Jonathan Roberts talks to both the incoming and outgoing Fedora Project Leaders, Paul Frields and Max Spevack respectively. The interview covers the history of the position, how it came about, what Spevack accomplished, what Frields hopes to accomplish, and more. "Paul: To be honest, like most Fedora contributors outside Red Hat, I didn't know Max. However, I did know that Matthew Szulik had asked Max specifically to do this job. I also knew Matthew was totally committed to an open culture that promoted work like that of Fedora, so I knew that his choice would be informed by those principles. If he was putting his faith in Max, I was pretty certain we could expect someone carrying those principles into practice. When I met Max at the Fedora Core 5 FUDCon in 2006 I knew he was definitely one of us! And the last two years have been a real testament to that good judgment on Matthew's part."
This week the People of openSUSE talks
with Marcus Rueckert, also known as darix. "When did you
join the openSUSE community and what made you do that? I don't think
you can really join a community. You grow into it. When more and more
stuff got moved to Linux I started hanging out on some Linux IRC channels
in ircnet. Later some OSS project channels got added to the list. And at
some point I started packaging stuff I needed for my servers. The first 2
SuSE guys I met on IRC were mmj and daemon. I got invited to join the beta
program and later started working directly at SuSE."
Linux-Watch takes a look
at the recent release of SystemRescueCd v1.0. "For those of you who
haven't had the pleasure of using SystemRescueCd, the Linux kernel
2.6.24.2-based distribution can be booted from either a CD-ROM or a USB
stick. Once it's running, and I've yet to meet a busted PC that still had a
working CPU and memory it couldn't run on, you have your choice of the
lightweight WindowsMaker GUI or a shell command-line interface."
The GNOME Foundation has announced a new outreach program for the GNOME accessibility project:
The GNOME Foundation is running an accessibility outreach program, offering US$50,000 to be split among individuals. This program will promote software accessibility awareness among the GNOME and broader Free Software communities, as well as harden and improve the overall quality of the GNOME accessibility offering.
The program is sponsored by GNOME Foundation, Mozilla Foundation, Google's Open Source Program Office, Canonical, and Novell.
Applications have been open for review since March 1, and
the program closes on December 31. Acceptance of long-term tasks
closes on October 1; short-term task acceptance closes on December 15.
The goal of the program is to work on improving shortcomings in the
existing GNOME accessibility system.
There is an aim to increase awareness of accessibility-related issues,
encourage developers to work on accessibility issues and
generally improve accessibility in free software.
From the project announcement:
"There will be two tracks to the program: In the first track accepted individuals will work towards accomplishing one of the major projects nominated for the program, earning US$6,000 and can take up to six months to complete the task. The second track will reward contributors US$1,000 for fixing five bugs out of a pool of accessibility bugs nominated by the program judges."
The program rules explain the contract that the developers will work under, the process of claiming tasks, the judging process and more.
A list of tasks has been announced:
"Are you a developer who wants to become more familiar with accessibility? Are you an artist that can draw? Maybe you might also be interested in becoming a module maintainer some day. A great way to get started is by fixing bugs, and we're offering you a way to get paid to do it. :-)"
The list of long-term tasks includes:
Writing and updating accessibility documentation.
Improving accessibility support in the Evince document viewer.
Adding and improving GNOME magnification support.
Building an accessibility testing framework.
Adding new participant-defined accessibility projects.
Developers who need some income and are willing to improve
availability of GNOME to all should consider taking on a task.
Version 2.6.5 of SQuirreL SQL Client has been
announced.
"SQuirreL SQL Client is a graphical SQL client written in Java that will allow you to view the structure of a JDBC compliant database, browse the data in tables, issue SQL commands etc. This is a bug-fix release".
Version 0.6.1 of Samizdat is out with new security features.
"Samizdat is a generic RDF-based engine for building collaboration and
open publishing web sites. Samizdat provides users with means to
cooperate and coordinate on all kinds of activities, including media
activism, resource sharing, education and research, advocacy, and so on.
Samizdat intends to promote values of freedom, openness, equality, and
cooperation."
The JSR48 CIM Client 2.0.4 component of SBLIM has been
announced.
"SBLIM (pronounced "sublime"), the Standards Based Linux Instrumentation for Manageability is an IBM-initiated Open Source project, intended to enhance the manageability of GNU/Linux systems. It does so by enabling WBEM, Web Based Enterprise Management.
Today the SBLIM project has released the initial public version of the JSR48 CIM Client, a Java Class Library based on the Java Specification Request 48 which can be used for the development of applications which need to communicate to a CIM server via the CIM Operations over HTTP protocol."
There is a new report on MIDI progress with the
Ardour multi-track audio recorder.
"Dave MIDI Robillard writes: Hi all. Thought I'd make a little post on MIDI stuff so things appear alive to you weirdos who aren't on IRC 24 hours a day. Just some random not-very-prepared screenshots.
An older shot showing multi-line controllers, and the editor controllers: Editor controls. On MIDI controller tracks (CC) the bar controllers can be used to record/touch, or twiddled in realtime to control MIDI apps/gear.
MIDI import was introduced yesterday (Importing MIDI is done with the same dialog as audio, though it doesn't look appropriate yet..). Here's some Mozart imported into Ardour from a (single, multi-track) Standard MIDI File: Mozart Import."
Version 1.0 of pyjackctl has been announced.
"This project was created to take advantage of Nedko Arnaudov's JACK
Audio Connection Kit (improvements) patches, especially the dbus proof
of concept patch. It offers basic functionalities to control a JACK
daemon over a dbus interface (start/stop, configure, etc.), it also
includes a jack log viewer, a wmdock applet and a script to display
jack's state on a G15 keyboard's LCD. Those curious of how it looks
will find a set of screenshots on the homepage. You are welcome to
test and comment."
Version 1.2 of Vamp plugin SDK has been announced.
"Vamp is a plugin API for audio analysis and feature extraction plugins written
in C or C++. Its SDK features an easy-to-use set of C++ classes for plugin
and host developers, a reference host implementation, example plugins, and
documentation. It is supported across Linux, OS/X and Windows.
Version 1.2 contains a further addition to the host extension classes
introduced in 1.1".
Release candidate 2.21.92 of GARNOME 2.22.0, the bleeding edge GNOME
distribution, is out.
"This is the last unstable GNOME release before
2.22.0. It's been a pretty fun ride since September. New features. Bug
fixes. Translations. Documentation. Lots of bug triaging too. And we're
getting ready to start again for 2.23!"
Release candidate 2.21.92 of the GNOME desktop is available.
"This is the last unstable release before 2.22.0. It's been a pretty fun
ride since September. New features. Bug fixes. Translations.
Documentation. Lots of bug triaging too. And we're getting ready to
start again for 2.23! But before, we need to make sure 2.22.0 will be
rock-solid. There's still a few days before the hard code freeze, so
it's not too late to fix this last bug you're ashamed of ;-)"
Version 2.8.13 of SQL-Ledger,
a web-based accounting system, has been announced. Changes include:
"added subject, message and inline/attachment option to batch email,
removed extra line when "Ship all" was clicked,
added missing customer number to generate sales order list,
fixed foreign exchange gain/loss calculation when exchange rate is 1,
added company name to title line for account detail report,
updated German and Swiss German translations."
The WorldForge game project has published a new
Ember progress report.
"Since the release of 0.5.1 I've spent some time fixing a large number of bugs, many of which were discovered through the public release of 0.5.1, and reported on the Launchpad. So far I'm very pleased with the Launchpad, since it's actually being used for bug reporting. However, I'd like to highlight some of the new features in Ember currently being developed.
The main improvement is the inclusion of a new system for rendering foliage and trees. It's called the Paged Geometry engine and is a plugin component to Ogre."
The first release of Te Tuhi Video Game System is available.
"Te Tuhi is not a game in itself; rather it creates games based on
arbitrary images that it is given. To use it, you draw a picture of
the game you want to play, and it will give you the game that you
really drew.
The software was originally written for an exhibit at Te Tuhi Centre
for the Arts in Manukau City, New Zealand, from which it borrowed its
name. That show ended on 10 February 2008, at which point the
software was released under the GPL.
It is written primarily in Python and C."
Version 0.7.4 of AJAX Chat has been
announced.
"AJAX Chat is a fully customizable web chat implemented in JavaScript, PHP and MySQL which integrates nicely with common forum systems like phpBB, MyBB, PunBB, SMF and vBulletin. A Flash and Ruby based socket connection can be used to boost performance.
AJAX Chat now features an easy to use installation script to create the required database tables. Additionally some minor bugs have been fixed and some translations have been updated (see changelog for this release)."
Version 3.3.1 of Claws Mail has been
announced.
Changes include bug fixes and:
"Forbid attaching anything containing "../" or ".ssh/" in mailto:
URIs. Add a hidden preference, 'use_networkmanager', to disable
NetworkManager handling
Updated translations: French, Hebrew"
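The mailto: attachment restriction quoted above is easy to get wrong if the check runs before percent-decoding. The following is an added illustration, not Claws Mail's code: a small mailto: URI parser that decodes each `attach=` value (a query key assumed here for the example) and then applies the same two forbidden substrings the change note names.

```python
from urllib.parse import parse_qs

# Substrings that the Claws Mail 3.3.1 change note says are refused in
# attachment paths carried by mailto: URIs.
FORBIDDEN_FRAGMENTS = ("../", ".ssh/")


def parse_mailto(uri):
    """Split a mailto: URI into (recipients, fields).

    fields maps each query key (subject, body, attach, ...) to a list of
    percent-decoded values, so a repeated attach= yields several entries.
    The 'attach' key is an assumption for this example.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "mailto":
        raise ValueError("not a mailto: URI: %r" % uri)
    addr_part, _, query = rest.partition("?")
    recipients = [addr for addr in addr_part.split(",") if addr]
    # parse_qs percent-decodes values, so "%2e%2e/" becomes "../" here and
    # the substring check below sees the real path, not its encoded form.
    fields = parse_qs(query, keep_blank_values=True)
    return recipients, fields


def is_forbidden_attachment(path):
    """True if the decoded attachment path contains a forbidden fragment.

    This is a literal substring match, exactly as the change note states;
    '.sshd/' does not match '.ssh/', and a path without '../' passes.
    """
    return any(fragment in path for fragment in FORBIDDEN_FRAGMENTS)


def check_attachments(uri):
    """Return (accepted, rejected) attachment paths for a mailto: URI."""
    _, fields = parse_mailto(uri)
    accepted, rejected = [], []
    for path in fields.get("attach", []):
        (rejected if is_forbidden_attachment(path) else accepted).append(path)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample URIs, not taken from the announcement.
    for sample in (
        "mailto:a@example.org?subject=report&attach=/tmp/report.pdf",
        "mailto:a@example.org?attach=/tmp/ok.txt&attach=%2e%2e/%2e%2e/etc/hosts",
        "mailto:a@example.org?attach=/home/user/.ssh/config",
    ):
        print(sample, "->", check_attachments(sample))
```

The point worth taking from the example is the ordering: the substring test is applied to the decoded value, so an encoded `%2e%2e/` is treated the same as a literal `../`. A client that compared the raw query string would accept the encoded form and then decode it when opening the file.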
Version 0.7.6.0 of MediaInfo has been
announced.
"MediaInfo supplies technical and tag information about video or audio files (MKV/AVI/MOV/MPEG1, 2, 4/M4A/M4V/MP3/AAC/RM/...)
There are several versions: Graphical interface, Command line, or DLL for third-party software developers (like emule). GUI is multi-language. In this release: RMP3 and Id3v2.2 support, better detection of Lame encoder (MP3), and few bug fixes."
Version 1.6 of the Amsterdam Music Composer has been announced.
"This version is aiming more at "real composers", who are not supposed
t[o] be computer geeks also. So more menus and less need to use the
command line. Also a Debian package is available, so you don't need
a development environment in order to install Amuc."
Version 0.8.0 of PalOOCa has been
announced.
"PalOOCa is a Java based OpenOffice OLAP Add-On intended to be used with OpenOffice Calc. It is supposed to be the equivalent to the Palo Add-in for MS Excel. It took a while longer before I was able to test this release but finally it is done.
Version 0.8.0 includes a first version of the promised modeller as well as the ability to localize most of the dialogs. I also localized it into German to give an example how it is done."
The February 7, 2008 edition of the Mozilla Links Newsletter
is online, take a look for the latest news about the Mozilla browser
and related projects.
Version 4.3.0-rc2 of GCC has been announced.
"Please test the tarballs there and report any problems to Bugzilla. CC me
on the bugs if you believe they are regressions from previous releases
severe enough that they should block the 4.3.0 release."
The March 3, 2008 edition of the GCC 4.3.0 Status Report has been
published.
"GCC 4.3.0rc2 is out and we are not expecting further delay of the
4.3.0 release. The trunk has been in stage1 for two weeks."
Version 1.2.6 of Retrotranslator
is available with some new capabilities.
"Retrotranslator is a tool that makes Java applications compatible with Java 1.4, Java 1.3 and other environments.
It supports all Java 5.0 language features and a significant part of the Java 5.0 API on both J2SE 1.4 and J2SE 1.3. In other Java environments only the Java 5.0 features that don't depend on the new API are supported."
Version 1.0.0 of xmote has been
announced.
"xmote is a standard for exchanging data in a compact standardized XML format. In addition to defining the standard, xmote aims to provide a fully compliant and easy to use reference implementation.
Version 1.0.0 of the xmote standard and Java API are now available."
GNOME hacker Elijah Newren has put up a survey of recent developments in version control systems. "I have often found it somewhat strange that mercurial doesn't have more active vocal proponents. Usually one hears from the git or bzr proponents, but not so much from mercurial. Yet it has always had many of the advantages of both (and, in some ways seems to have the most svn-like UI, and would seem a more natural transition for svn converts). I guess it's a case where having most of the advantages or capabilities of other systems (even multiple other systems) yet not clearly standing out in one particular area will rob you of the active advocates that you could otherwise have."
On a related note, it appears that Emacs will be moving to Bzr, not for a specific technical reason, but because Bzr is becoming a GNU project.
The Gnash video player site mentions efforts by Adobe to add DRM capabilities to the next version of Flash.
"The immense popularity of sites like YouTube has unexpectedly turned Flash Video (FLV) into one of the de facto standards for Internet video. The proliferation of sites using FLV has been a boon for remix culture, as creators made their own versions of posted videos. And thus far there has been no widespread DRM standard for Flash or Flash Video formats; indeed, most sites that use these formats simply serve standalone, unencrypted files via ordinary web servers.
Now Adobe, which controls Flash and Flash Video, is trying to change that with the introduction of DRM restrictions in version 9 of its Flash Player and version 3 of its Flash Media Server software."
KDE.News covers the KDE presence at this year's FOSDEM conference.
"The combined KDE/Amarok booth and developer room at the annual Free and Open Source Developers' European Meeting (FOSDEM) in Brussels was a great experience (as usual!). Many people showed up from the KDE and Amarok communities, and we had a hard time fitting all our cool hardware and people in the booth. Luckily, the talks drew quite a crowd, and the booth became less busy as the day progressed. Read on for an overview of FOSDEM 2008 from the KDE perspective."
eWeek reports on Adobe's plans to release Adobe Integrated Runtime for Linux.
"Adobe Systems hopes to make nice with the open-source community and soon deliver a Linux version of its newly released Adobe Integrated Runtime.
Kevin Lynch, chief technology officer at Adobe, said the company is working on a Linux version of AIR, a run-time that lets developers use proven Web technologies to build RIAs (rich Internet applications) that deploy to the desktop and run across operating systems."
eWeek reports
that Sun Microsystems is hiring Python developer Ted Leung and Jython lead
implementer Frank Wierzbicki. "Leung and Wierzbicki join other
technologists, such as Ian Murdock, Charles Nutter, Thomas Enebo and Nick
Kew, who have recently joined Sun to pursue open-source project development
and community activities. Murdock is the founder of the Debian Linux
project, Nutter and Enebo are lead developers on the JRuby effort to create
an implementation of Ruby on the JVM, and Kew is involved in a variety of
ASF technologies and is working on OpenSolaris at Sun."
Fedora developer Jack Aboutboul had the opportunity to visit NASA (National
Aeronautics and Space Administration in the US). This blog
post covers a day at NASA, with lots of photos. "There has been
a long standing rumor regarding NASA running Fedora which all of us in the
Fedora community have been always intrigued by. Is it true? What are they
doing with it there? Why don't they run RHEL. Fortunately enough, a couple
of weeks ago, I got to experience NASA behind the scenes, first hand, and
hang out with the coolest members of the Fedora community, and find out the
answer to these questions and lots more."
Digital Life reports on a cluster based on Linux PlayStation3 platforms.
"When the PlayStation3 was released in November 2006, Gaurav Khanna's wife braved long queues so he could be one of the first people in the US to get his hands on the gaming console.
But the astrophysicist was not itching to burn some rubber in Gran Turismo or shoot hoops in NBA 07. Instead he wanted to build his own supercomputer.
Mr Khanna now owns 16 PS3s, which spend their days simulating the activities of very large black holes in the universe for the physics department at the University of Massachusetts."
(Thanks to Mark Tall).
DW-World.de covers
a ruling by Germany's Constitutional Court that limits police online
investigations to the most serious cases. "Intelligence agencies
will only be allowed to collect data secretly from suspects' computer hard
drives if there is evidence that "legally protected interests," like human
lives or state property, are in danger, the Constitutional Court in
Karlsruhe announced." Here is the
ruling (in German). (Thanks to Marc Mutz)
Sean Daly interviews
Vint Cerf for Groklaw. "Groklaw's Sean Daly had an opportunity to
meet Vint Cerf, Vice President and Chief Internet Evangelist at Google, at
OpenForum Europe last week. Mr. Cerf, known as the Father of the Internet
because of being the co-designer with Robert Kahn of TCP/IP protocols and
the basic architecture of the Internet, was gracious enough to answer some
email questions Sean propounded regarding the future of the Internet,
standards in general, and OOXML in particular. Like many others this week,
Cerf has been giving the standards process considerable thought, and he
concludes in connection with OOXML that "Internet users deserve better
handling of global Internet standards.""
ars technica looks forward to Thunderbird 3.0, which has an alpha release due next month. "Thunderbird 3 will use Gecko 1.9, a new version of the rendering engine that serves as the foundation for the Mozilla platform. Gecko 1.9, which has also been instrumental in the making of Firefox 3, offers a number of very significant improvements, including a new Cairo-based rendering backend and support for JavaScript 2. Improving the Thunderbird user interface is another very high priority for version 3."
Ryan Paul takes
a look at WebKit. "The open-source WebKit HTML rendering engine
is rapidly gaining ground on the Linux platform where it is increasingly
being adopted by conventional desktop applications for content
display. Ongoing efforts to facilitate tighter WebKit integration are
opening the door for developing rich Internet applications on Linux with
the open-source GTK and Qt development toolkits."
Groklaw reports
that OOXML failed to get majority approval at the Ballot Resolution Meeting
(BRM) in Geneva. "Now it's the 30-day voting period, but Updegrove
asks, if they never could discuss all the issues, which is the purpose of a
BRM, what's the basis for a vote? And with the vast majority either voting
to abstain or even refusing to vote as a protest, I think one may conclude
this proposal didn't belong on the fast track, and it isn't getting the
kind of support you would have thought it might, given all the muscle that
has gone into the push to get OOXML approved."
The Free Software Foundation Europe is calling on Microsoft to
release interoperability information without restrictions.
"The European Commission has fined Microsoft 899 million Euro for
anti-competitive behaviour by restricting access to interoperability
information through unreasonable royalty payments prior to October
2007. This is in addition to previous fines of 497 million Euro and 280
million Euro applied in the same investigation, resulting in a total
penalty of 1.676 billion Euro.
"Microsoft is the last company that actively promotes the use of
software patents to restrict interoperability. This kind of behaviour
has no place in an Internet society where all components should connect
seamlessly regardless of their origin," says Georg Greve, president of
the Free Software Foundation Europe."
The GNOME Foundation and the Mozilla Foundation have announced that they
will be working more closely together in the future. Specifics include
Mozilla joining the GNOME advisory board, working with GNOME on XUL and
Firefox, and a $10,000 donation in support of the recently-announced
accessibility program.
The Free Software Foundation Europe reports on a donation to its
Freedom Task Force by Google.
"Google has made a donation to assist FSFE's Freedom Task Force with
delivering training courses, attending conferences and localising
documents.
"The Freedom Task Force is working to foster effective legal
infrastructure for Free Software in Europe. A great deal of our work is
based on engaging directly with people and Google's contribution will
allow us to do this more effectively," says Shane Coughlan, FTF
Coordinator. "Training, physical presence in countries and providing
materials in local languages are essential aspects of building a
coherent pan-European community.""
The Linux Foundation (LF) has announced the
results of its annual Board of Directors election. The LF board is
comprised of all LF membership classes as well as individual affiliates.
"New board members elected during this cycle include Linux and
open-source expert Larry Augustin, Advanced Micro Device's Chris Schlaeger
and Texas Instrument's Eric Thomas. Mark Shuttleworth, founder of Ubuntu,
has been re-elected as an individual member to the board. James Bottomley
was also re-elected as the Technical Advisory Board's (TAB) representative
to the board. The TAB is a collection of community developers and provides
the Linux kernel community a direct voice into The Linux Foundation's
activities."
The Electronic Frontier Foundation reports that an injunction against
wikileaks.org has been dropped.
"A federal district court judge in San
Francisco today rescinded a controversial order that
disabled the "wikileaks.org" domain name which had -- until
two weeks ago -- pointed to Wikileaks, a website designed
to give whistleblowers a forum for posting materials of
public concern."
IGEL Technology has announced full dictation and speech recognition
capabilities on Linux and XP embedded thin clients.
"IGEL Technology, one of the world's
leading thin client vendors, today announced that they have partnered
with Philips Speech Recognition Systems to bring advanced digital
dictation and speech recognition solutions to its Linux and XP embedded
thin clients. This solution is expected to offer substantial savings and
optimization potential in the healthcare sector because it enables
attaching digitally captured findings directly to patient files where
additional information can be added and stored."
Linspire, Inc. and Virtual Bridges have
announced the availability of Win4Lin Pro Desktop 4.5
through the CNR.com site.
"Available at a special
introductory price of $34.99, Win4Lin Pro Desktop provides consumers, SMBs
and enterprise customers an easy-to-use virtualization solution that allows
Freespire 2.0, Linspire 6.0, Ubuntu 7.04 & 7.10 desktop Linux users to run
Windows on Linux and assists in the complete migration process to desktop
Linux."
Novell, Inc. has
announced its financial results for the first quarter of its 2008
fiscal year, which ended on January 31.
"For the quarter, Novell reported net revenue of $231
million. This compares to net revenue of $218 million for the first fiscal
quarter 2007. Income from operations for the first fiscal quarter 2008 was
$8 million, compared to a loss from operations of $21 million for the first
fiscal quarter 2007. Income from continuing operations in the first fiscal
quarter 2008 was $15 million, or $0.04 per share. This compares to a loss
from continuing operations of $12 million, or $0.04 loss per share, for the
first fiscal quarter 2007. Foreign currency exchange rates favorably
impacted revenue and unfavorably impacted operating expenses by $7 million
and did not materially impact income from operations year-over-year."
OpenedHand has released version 3.1 of Poky platform builder.
"OpenedHand are pleased to announced the
release of version 3.1 of Poky platform builder. Poky is a freely available
open source platform build tool that enables device manufacturers to design,
develop, build, debug, and test a complete, modern, software stack using
Linux, the X Window System and GNOME Mobile based application frameworks for
both ARM and x86 based platforms."
OpenMoko has announced the availability of the industrial design source
files for its Neo branded mobile phones. "Openmoko's source code was
freed in February 2007, allowing complete transformation of its mobile
phone software. Now, by publishing mechanical CAD files, Openmoko frees
industrial designers to fundamentally redesign the Neo branded mobile
phones to fit their vision and market needs. Some already have."
Shuttle has announced that the newly launched $199 KPC will feature
the Foresight Linux operating system. "With an intuitive interface
and user focused design, Foresight does away with the need for users to be
familiar with Linux. A host of the latest software is packaged with the
operating system, giving users convenient and enjoyable access to music,
photos, videos, documents, and the Internet. Even keeping up-to-date with
the latest features and fixes is a simple process with the user friendly
update button."
Vyatta has announced the launch of
Vyatta.org.
"Vyatta, the leader in Linux-based
networking, today announced Vyatta.org, a new
site for the popular Vyatta Community, which brings together users and
developers to advance the cause of open-source networking as an
alternative to the over-priced and inflexible solutions from proprietary
vendors. Vyatta.org will feature more collaborative and efficient ways
for members to contribute, learn, and shape the future of Vyatta."
Issue #148 of the Linux Gazette
has been published.
"Linux Gazette is a volunteer-run monthly web magazine dedicated to two
simple ideas: making Linux a little more fun, and sharing ideas and
discoveries."
Alfresco Software, Inc. has
announced the winners of its 2007 Annual Content Excellence Awards.
"The debut year for
the awards program recognizes its top partners and contributors in the
categories of Partner of the Year, Content Management and Collaboration
Implementation of the Year, and Contributor of the Year, in Europe and
North America."
The Electronic Frontier Foundation will hold its
17th Annual Pioneer Awards at the O'Reilly Emerging Technology
Conference.
"The ceremony will be held at 7:15
p.m., March 4th, in the Marina Ballroom of the San Diego
Marriott Hotel and Marina.
The 2008 winners of EFF's Pioneer Awards are the Mozilla
Foundation and its Chairman Mitchell Baker, University of
Ottawa Professor Michael Geist, and AT&T whistleblower Mark
Klein. Michael Robertson -- founder and CEO of MP3.com,
Linspire, MP3Tunes and Gizmo5 -- will give the awards'
keynote address: "What to Expect When You're Expecting...To
Be Sued.""
LinuxMedNews
covers
an announcement at the HIMSS 2008 conference.
"At the HIMSS 2008 conference in Orlando, Florida, the Open eHealth Foundation released a press statement describing the formation of this new organization with new partners including InterComponentWare, Agfa HealthCare and Sun Microsystems."
The minutes from the February 27, 2008 Perl 6 Design Meeting
have been published. "The Perl 6 design team met by phone on 27 February 2008. Larry, Allison, Patrick, Will, Jerry, Jesse, Nicholas, and chromatic attended."
The meeting minutes from the February 14, 2008 X.Org board meeting have
been published.
"Attending: Bart Massey, Keith Packard, Carl Worth, Stuart
Kreitman, Kevin Martin, Daniel Stone, Matthieu Herrb, Jim
McQuillan, Adam Jackson, Egbert Eich, Stuart Anderson, Eric
Anholt."
A Call for Presentations
has gone out for Akademy 2008.
"As the new leaves of spring bud in the Low Countries, the organisation of Akademy is also growing. This will bear fruit in August as the worldwide KDE community gathers in Sint-Katelijne-Waver, Belgium at the De Nayer Institute to celebrate and consider the post-KDE 4.0 world. Now that the KDE 4 technology platform is in place, this year's Akademy will focus on bringing the pillars of KDE to applications, research efforts around KDE, and work on non-traditional platforms for the desktop. Your work on KDE is interesting to us, so please submit a talk. See the complete Call for Presentations for more details. The important date is the deadline for submissions to the main conference tracks: May 1st."
A call for participation
has gone out for the 2008 Google Summer of Code.
"Google Summer of Code 2008 is on! Over the past three years, the program has brought together over 1500 students and 2000 mentors from 90 countries worldwide, all for the love of code. We look forward to welcoming more new contributors and projects this year. We are now accepting applications from open source projects who would like to act as mentoring organizations for 2008, and will be accepting these applications through March 12, 2008. We will begin accepting student applications on Monday, March 24th."
The GUADEC 2008 web site
is online and a call for participation has gone out.
"GUADEC, the annual GNOME conference will
be held in Istanbul, Turkey from the 7th to the 12th of July 2008. The
conference will bring together the GNOME development and user community
and key personalities from businesses and governments, to discuss the
future direction of the GNOME project."
The submission deadline is March 30.
A
call for papers and tutorials has gone out for the 2008 SAGE-AU
conference. The event takes place in Adelaide, Australia on August
11-15, 2008; submissions are due by March 31.
"The SAGE-AU Annual Conference is the premier Systems Administration event in the Asia-Pacific region. The conference offers a premium educational forum for System Administrators of all platforms and levels of experience, and an excellent opportunity to meet, network and learn from acknowledged experts in the field.
This year's conference will start with three days of tutorials followed by the technical program. The technical program will run in two parallel streams covering a wide variety of system administration related talks."
The FSF Annual Associate Member Meeting will take place on
Saturday, March 15 at MIT, Cambridge, MA.
"Keynote speeches from FSF board members Mako Hill and Henri
Poole and the director of the FSF-backed End Software Patents campaign
Ben Klemens will each address the 2008 theme, "Tackling the Big Issues."
They will look at the projects that will demand the Free Software
Foundation's attention in 2008: from software patents to freedom for web
services, from advancing free software adoption to the changing
relations with the entertainment industry brought about by this year's
Hollywood writers strike."
The OpenOffice.org community overwhelmingly voted for Beijing, China as the site for the next OOo conference. This is the first time OOoCon will be held outside of Europe. It is tentatively scheduled for October 15-17.
Continuent, Inc. has announced its sponsorship of the
PostgreSQL Conference East 08.
"Continuent, Inc., the leading provider of commercial open
source middleware solutions for database high-availability and scalability, today announced its
sponsorship of the PostgreSQL Conference East 08. The conference takes place March 29-30, 2008, in
the Computer and Space Sciences Building at the University of Maryland College Park, and is
designed to allow contributors, current users and future users/developers to learn and network."