Sponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for March 13, 2008
Emacs chooses Bazaar
The Emacs development process is undergoing some changes; Richard Stallman has handed off project maintenance duties, while a change in the version control system (VCS) seems to be in the offing. Some of the modernization suggestions made by Eric Raymond last December are taking root. Stallman has not completely stepped away from Emacs development—it's doubtful anyone expected him to—but his approach on how to choose a VCS for Emacs is raising a few eyebrows.
Currently, Emacs is tracked with CVS, but a distributed VCS (DVCS) is definitely planned down the road—how far is unclear at this point. In earlier discussions, Stallman was particularly interested in the offline capabilities of DVCS; being able to do commits, diffs, and see revision history while unconnected to the internet is a useful feature for him. Many other Emacs developers see a DVCS as a major upgrade to the development process, the question then becomes which DVCS to use.
The main contenders are git, Mercurial (aka hg), or Bazaar (aka bzr); there are other options, of course, but they were quickly eliminated due to speed or feature set issues. There was some hope that a comparative VCS study that Raymond was working on would help lead the project to the proper choice, but the study has been delayed—a major release of Wesnoth is underway which has taken Raymond from that task.
There were some discussions of the merits of the various systems but, in the meantime, Bazaar joined the GNU project which changed the equation somewhat. Stallman announced:
As might be expected, short-circuiting a technical discussion for a political expedient is not met with universal approval. Juanma Barranquero sums up his (and others') objections:
There is a certain irony in noting that one of the perceived weaknesses of git was its poor support for Windows development. It is certainly understandable, but the idea that one of the flagship GNU projects would make a decision based on tool availability for a proprietary operating system gives one pause. That isn't one of Stallman's requirements of course, he sees the decision as essentially a choice amongst equals:
As Thomas Lord (author of another GNU VCS, arch), points out, there is a cost to agonizing over a choice like this:
Over-optimizing a choice like that can be a *huge* resource suck and projects and groups fail all the time because of falling into such traps.
No technical barriers to using Bazaar have been raised, it is, as Stallman asserts, a fairly arbitrary choice. Unsurprisingly, Stallman chooses the one that serves his agenda. The new maintainers, Stefan Monnier and Chong Yidong, presumably agree with that agenda, in any case they have not indicated any resistance to the choice.
So it seems that Emacs will be moving to Bazaar. Jason Earl has been pulling the CVS history into a Bazaar repository that should be available soon. The import process seems to be taking a fair amount of time—something on the order of a week—which is hopefully not indicative of the operational speed of Bazaar. Assuming the conversion works and developers can get their work done using it, this would be a pretty high-profile project to use it. Other GNU software may follow suit, which could be a big boost to the visibility of Bazaar; precisely what Stallman was aiming for.
Some topics related to MP3 players
In many parts of the world, the U.S. is looked upon as a place with particularly poor taste in "intellectual property" legislation; the DMCA and software patents are often held up as examples. DMCA-like laws have since spread to other parts of the planet, which, for some reason, has not made people living there any more appreciative of the American legal regime. But it is often pointed out that software patents remain an almost entirely American problem; people in other parts of the world (Europe, say) need not worry about them.If only it were so. On March 5, German police raided a booth at the CeBit conference in Hannover. That booth, run by Meizu, contained an iPhone-clone product, but nobody cared about that. Instead, the contraband which absolutely had to be suppressed was a music player for which Sisvel (an Italian company which has done this kind of thing before) had not been paid royalties on its MP3 patents. The player, as it happens, did not even have MP3 playback capability, but that didn't seem to matter. The police duly cleared the booth of all mention of the offending device and saved another day for free enterprise.
This is a pure software patent action, and the U.S. has no part in it. Software patents are truly a global problem. (Police raids raise the stakes in interesting way, though; even in the U.S., things usually start with a polite letter from a lawyer first). Anybody who wonders why companies like Red Hat exercise great care around software patents (and MP3 patents in particular) need only look at episodes like this. The selling of enterprise Linux products is likely to be distinctly harder if your prospective customers see your conference booth being forcibly shut down by the authorities.
Meanwhile, it occurred to your editor, while thinking about music players, that little has been said about the Rockbox project on LWN in recent times. Rockbox, remember, is a GPL-licensed firmware which runs on a wide variety of music players. It offers a wider range of features, has more codecs, is more customizable, and has better accessibility support than the stock firmware on any of these devices. And it's free software.
Since LWN last looked at this project, the Rockbox developers have added a number of new features and new platforms. The abandoned 3.0 release has never happened; the Rockbox developers appear to have given up on the idea of formal releases for now. The daily snapshots generally work quite well, though, and there are lots of satisfied Rockbox users out there.
[PULL QUOTE: Despite the fact that Rockbox supports a lot of players, absolutely none of the supported platforms are currently in production. So anybody looking to buy a player which can run Rockbox must go digging around on auction sites. END QUOTE] The only problem is: it's not clear how many more such users may arrive in the future. Despite the fact that Rockbox supports a lot of players, absolutely none of the supported platforms are currently in production. So anybody looking to buy a player which can run Rockbox must go digging around on auction sites. Many Rockbox users do exactly that, but many more potential users would rather not get their devices that way.
Rockbox ports to current devices are underway, but the developers are fighting an uphill battle. Manufacturers tend to be uncooperative when it comes to releasing hardware information, so a certain amount of reverse engineering is required. And, by the time that work is done, the manufacturers have moved on to a new product. Music players are consumer electronics devices, and, like most such devices, their product lifetime tends to be quite short. So developers on a project like Rockbox will forever be trying to catch up.
Your editor, meanwhile, still lugs around his ancient iRiver H340. People look at it strangely, as if they expect there to be a hatch on the back so that the user can occasionally add another shovel full of coal. But it works beautifully with Rockbox, and a replacement looks hard to find. Your editor wishes that at least one manufacturer would realize that it could provide better functionality at a lower cost by designing its players to run Rockbox from the beginning. Perhaps the project needs better advocacy within the player industry.
There is another approach which could be considered here. The OpenMoko project is trying to rearrange the mobile telephone market by offering a completely open product. Surely a music player, being a much simpler device, would be amenable to the same treatment? As it turns out, there are a couple groups of people trying to jump start just this kind of effort. They have a prototype design, and a competing design as well. Both look like they could produce a respectable player at a reasonable cost - a player designed to run free software from the outset.
Designing a device which can run Rockbox and produce decent audio (and video) output is not that hard, given the components which are available. Turning it into a product which is small and sleek enough that people want to buy it seems likely to be harder. Getting a full device manufactured at a reasonable cost may be the hardest of all; that requires significant up-front money and a distribution channel which can sell enough units to make the whole thing cost-effective. There's also the little issue of those MP3 patents to take care of.
There is no real sign that the Rockbox player developers are thinking on this level at this time. One of the prototype designs carries a Creative Commons noncommercial license in an attempt to prevent others from thinking that way. So the resulting hardware may end up being little more than a kit for especially dedicated hobbyists. Unless somebody picks up the ball and tries to commercialize a product like this, Rockbox may be stuck in its role as the software of choice for last year's players. The good news in all this is that Linux-based tablet devices seem likely to become cheaper, more abundant, and more compact. Since these devices can make fine media players, we may eventually get our completely open gadget via that path. Modulo patent problems, of course.
Still waiting for Flash
Those of us who were using Linux full-time around the turn of the century will remember that the state of web browsing on Linux was a little scary then. The only real option available was the binary-only Netscape 4 client; it was buggy and old. It really seemed like the web was going to move forward without Linux, and that there was not a whole lot we could do about it.Things have improved somewhat on that front; we now have a few top-quality web browsers to choose between. At the same time, though, one might be forgiven for thinking that we are heading back into a similar situation, but involving Flash this time around. For all practical purposes, there is only one viable option for Flash on Linux: the binary-only plugin provided by Adobe. But that plugin is not just proprietary software; it also is somewhat old and buggy, and there is nothing we can do to fix it. For an increasing part of the web experience, we still have a second-rate, proprietary platform.
When one thinks of Flash, naturally, one thinks of video sites like YouTube. But there is more to the Flash experience than silly videos and obnoxious advertising. Some parts of Google are heavily into flash, as can be seen from that company's finance sites or analytics offerings. Your editor's children will attest that there's no end of game sites which require Flash, and for which the Linux plugin fails to work properly. Looking for any way to reduce the total amount of time spent in airplane seats, your editor recently investigated "around the world" tickets; that search ended up at this travel planning site which, of course, requires Flash. And so on. Like it or not, Flash is the language in which an increasing number of interactive sites are being coded, and Linux does not have proper support for it.
With this in mind, your editor decided to give the recently-announced Gnash 0.8.2 release a try. This release was billed as the first beta version of Gnash, so there was reason to hope that it would be something close to a true solution to the Flash problem. In reality, Gnash is a step in the right direction, but the Flash issue will be with us for some time yet.
For now, the acid test for a Flash player would appear to be YouTube, so that is the first place your editor went. The experience there was mixed. It is, in fact, possible to watch YouTube videos using the Gnash Firefox plugin. Hearing them is another matter, though; they all played silently. It would not be surprising to learn that getting audio is a matter of filling in a missing codec - but would sure be nice if the software were to say something to that effect. Pausing and playing the video worked, but skipping around in it did not. Playing videos from other sites was uniformly unsuccessful.
The "around the world" calculator appeared to load properly, but then took off as if somebody were punching all of its buttons at once. Charts on Google sites are uniformly blank. Some flash games mostly worked, others showed more input-related confusion. Few of them were truly playable. On the other hand, Flash "intros" and advertisements mostly work as intended - just what your editor wanted.
So Gnash is not really there yet. In truth, this software is not in a condition where the use of the term "beta" makes sense; there is a lot of work yet to be done. There are few of us clamoring for support for more obnoxious advertising - especially among the LWN readership, as your plentiful emails over the last couple of months have made clear. What we want is working support for the useful Flash applications out there - and there are a few of those at this point. Gnash does not, currently, provide that support. (Your editor also tried out Swfdec 0.6.0, with generally worse results).
That said, it is clear that a lot of work has been done to get Gnash to this point. Your editor has no real way to judge how much more is required to get full support for even Flash version 7; chances are it is not a small job. Needless to say, support for newer versions of Flash will require even more work. But there now appears to be a solid platform upon which that work can be done, and that is an important start. Gnash has the look of a project which has overcome some of the biggest initial hurdles and is now setting a pace to finish the job. With luck, it will have reached the point where the fact that it almost works will inspire new developers to come in and fill in the remaining pieces.
Adobe has the ability to make this job a lot easier. Your editor has heard, informally, that the company has taken a less hostile position toward the Gnash developers than it had in the past, but it certainly is still not helping them. The Flash specifications are not available to anybody trying to create a Flash player, and, unsurprisingly, the Flash EULA forbids any sort of reverse engineering. That EULA, incidentally, also forbids running Adobe's player on any "non-PC device," including tablets and phones. That restriction suggests that Adobe sees business opportunities in the lack of a free Flash player for such systems and intends to ensure that this scarcity continues. So, despite the occasionally friendly noises Adobe has been making toward the Linux community, we should not expect a great deal of help from that direction.
Someday, people will figure out that closed standards (like Flash) are best avoided. Meanwhile, Flash is a fact of life that we will need to deal with. It appears that we are getting closer to being able to deal with it - but we are not there yet.
Page editor: Jonathan Corbet
Security
Extended Validation certificates and cross-site scripting
Cross-site scripting (XSS) is a frequent topic on security forums because it is a common web application flaw that can lead to variety of unpleasant surprises. One of the more frequently seen abuses of an XSS flaw is in the aid of a phishing attack. With the advent of Extended Validation (EV) certificates coupled with the accompanying browser UI changes, some XSS attacks will become much more powerful.
By now, most users are familiar with SSL certificates, which are used to authenticate one or both sides of an HTTPS connection to the other. EV certificates are a step up from a more pedestrian SSL certificate as the recipient must undergo more scrutiny from the certificate authority (CA) before being granted one. We covered EV certificates in more detail in November 2006, but they are just now starting to be installed more widely.
Netcraft reported the problem a few weeks ago with regard to sourceforge.net. Sourceforge is one of the 4,000 or so sites with an EV certificate, but it also has an XSS problem. So anyone using the site for XSS purposes now gets the benefit of the higher trust that is supposed to be embodied in an EV certificate.
Browser vendors are being encouraged to highlight the EV certificates in their UI so as to give users more confidence in those sites. The most recent Firefox 3 betas as well as IE7 are highlighting the site name in green in the address bar to denote this higher trust. Unfortunately, the extra validation does not extend to testing the site for XSS flaws, which could leave users easily fooled.
A phishing attack could use an XSS flaw in a search box or error message, for example, to add content to the appearance of a site. That content is really coming from the XSS attack but it would appear under the "green means go" address bar for the EV certificate-protected site. That content could include a login screen that sent the credentials elsewhere or a cookie stealing attack for session hijacking. For any site with sensitive information, XSS attacks are already a problem, EV certificates just add another mechanism for exploiting the user's trust.
Much like the padlock icon that appeared many years ago to denote a "secure" (really, just encrypted) connection, this new green address bar indicator is somewhat difficult to explain. Based on the vetting process for EV certificates, there should be a real entity behind an EV certificate—or at least there was one at the time of issuance—but it is by no means an endorsement of the security of everything on a web page that has one. It is, like the original padlock, more nuanced than that.
Unfortunately, users are not good at security nuances. They want yes or no answers to "Is this site safe?"; that answer is nearly always "maybe" or perhaps "probably". At one time, the padlock icon was seen as a "yes" answer; now the green address bar may take its place. Somehow users need to be taught to look beyond simple answers and websites need to clean up their act so that their users are not scammed.
The number of sites with XSS problems is staggering (a look at xssed.com is instructive) and new ones crop up all the time. In many ways, XSS is an attack against users rather than directly against a site. This may make it less of a priority to fix than a direct attack, like a SQL injection, might be. That is very unfortunate for their users, especially if they have a shiny new EV certificate.
Removing the updated vulnerability listings
The LWN Security page has lots of useful information, but sometimes it seems to stretch on for a long ways. A lot of that length is contained in the "Updated vulnerabilities" section and we are starting to wonder if that really adds that much to the page. It is collected automatically from our daily security updates, so removing it won't help us kick out the weekly edition any faster, but it might make reading the page, especially in the "one big page" format, somewhat easier. If we removed that section, the information will still appear in the daily summaries, of course, and be available by searching our database. Before we do that, though, we'd like to hear from our readers regarding their thoughts on the matter. Please comment if you have thoughts one way or the other.
New vulnerabilities
java: multiple vulnerabilities
| Package(s): | java-1.5.0-sun | CVE #(s): | CVE-2008-1185 CVE-2008-1186 CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1191 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196 | |||||||||||||||||||||||||||||||||||||||
| Created: | March 7, 2008 | Updated: | April 29, 2008 | |||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
Flaws in the JRE allowed an untrusted application or applet to elevate its privileges. This could be exploited by a remote attacker to access local files or execute local applications accessible to the user running the JRE (CVE-2008-1185, CVE-2008-1186) A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187) Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196) A flaw was found in the Java Plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192) A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possible execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193) A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194) The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to acesss local network services. (CVE-2008-1195) | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
joomla: multiple vulnerabilities
| Package(s): | joomla | CVE #(s): | CVE-2007-6642 CVE-2007-6643 CVE-2007-6644 CVE-2007-6645 | |||
| Created: | March 6, 2008 | Updated: | March 12, 2008 | |||
| Description: | The Joomla PHP-based content management system has the following vulnerabilities: There are multiple cross-site request forgery vulnerabilities. There is one cross-site scripting vulnerability. There is a vulnerability where remote authenticated administrators can promote arbitrary users to the administrator group, violating the intended security model. There is a registered user privilege escalation vulnerability. | |||||
| Alerts: |
| |||||
kronolith: privilege escalation and more?
| Package(s): | kronolith | CVE #(s): | |||||||
| Created: | March 10, 2008 | Updated: | March 12, 2008 | ||||||
| Description: | The Fedora advisory is light on details: Fix privilege escalation in Horde API. Fix missing ownership validation on share changes. | ||||||||
| Alerts: |
| ||||||||
libnet-dns-perl: denial of service
| Package(s): | libnet-dns-perl | CVE #(s): | CVE-2007-6341 CVE-2007-3409 | |||||||||
| Created: | March 12, 2008 | Updated: | March 27, 2008 | |||||||||
| Description: | The libnet-dns-perl package can crash when decoding malformed A records, creating a denial of service vulnerability. Also, the domain name expander can be sent into an infinite loop, also a denial of service problem. | |||||||||||
| Alerts: |
| |||||||||||
lighttpd: cgi source disclosure
| Package(s): | lighttpd | CVE #(s): | CVE-2008-1111 | |||||||||||||||
| Created: | March 7, 2008 | Updated: | April 4, 2008 | |||||||||||||||
| Description: | lighttpd before 1.4.18 is vulnerable to cgi source disclosure. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
MediaWiki: cross-site scripting
| Package(s): | mediawiki | CVE #(s): | CVE-2008-0460 | ||||||
| Created: | March 7, 2008 | Updated: | March 12, 2008 | ||||||
| Description: | From the CVE entry: Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||||||
| Alerts: |
| ||||||||
moin: multiple vulnerabilities
| Package(s): | moin | CVE #(s): | CVE-2007-2637 CVE-2008-0782 CVE-2008-1098 CVE-2008-1099 | ||||||||||||
| Created: | March 10, 2008 | Updated: | April 29, 2008 | ||||||||||||
| Description: | From the Debian advisory: CVE-2007-2637: Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure. CVE-2008-0782: A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files. CVE-2008-1098: Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages. CVE-2008-1099: The macro code validates access control lists insufficiently, which could lead to information disclosure. | ||||||||||||||
| Alerts: |
| ||||||||||||||
nx: multiple vulnerabilites
| Package(s): | nx | CVE #(s): | ||||
| Created: | March 7, 2008 | Updated: | March 12, 2008 | |||
| Description: | There are multiple vulnerabilities in nx before 3.1.0. | |||||
| Alerts: |
| |||||
pdflib: multiple buffer overflows
| Package(s): | pdflib | CVE #(s): | CVE-2007-6561 | |||
| Created: | March 11, 2008 | Updated: | March 12, 2008 | |||
| Description: | From the CVE entry: Multiple stack-based buffer overflows in PDFLib allow user-assisted remote attackers to execute arbitrary code via a long filename argument to the PDF_load_image function that results in an overflow in the pdc_fsearch_fopen function, and possibly other vectors. | |||||
| Alerts: |
| |||||
phpmyadmin: sql injection
| Package(s): | phpmyadmin | CVE #(s): | CVE-2008-1149 | ||||||
| Created: | March 10, 2008 | Updated: | April 25, 2008 | ||||||
| Description: | From the Gentoo advisory: Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable of $_GET and $_POST as a source for its parameters. An attacker could entice a user to visit a malicious web application that sets an "sql_query" cookie and is hosted on the same domain as phpMyAdmin, and thereby conduct SQL injection attacks with the privileges of the user authenticating in phpMyAdmin afterwards. | ||||||||
| Alerts: |
| ||||||||
SynCE: several vulnerabilities
| Package(s): | synce-sync-engine | CVE #(s): | CVE-2007-6703 CVE-2008-1136 | ||||||||||||||||||||||||||||||||||||
| Created: | March 7, 2008 | Updated: | March 12, 2008 | ||||||||||||||||||||||||||||||||||||
| Description: | Red Hat bug #436023:
"Unspecified vulnerability in vdccm before 0.10.1 in SynCE
(SynCE-dccm) might allow attackers to cause a denial of service via
unspecified vectors."
Red Hat bug #436024: "The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through 0.10.0 in SynCE (SynCE-dccm) allows remote attackers to execute arbitrary commands via shell metacharacters in a certain string to TCP port 5679." | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
vlc: multiple vulnerabilities
| Package(s): | vlc | CVE #(s): | CVE-2007-6681 CVE-2007-6682 CVE-2007-6683 CVE-2007-6684 CVE-2008-0295 CVE-2008-0296 CVE-2008-0984 | ||||||
| Created: | March 10, 2008 | Updated: | April 23, 2008 | ||||||
| Description: | From the Gentoo advisory: * Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(), ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681). * The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682). * The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683). * The RSTP module triggers a NULL pointer dereference when processing a request without a "Transport" parameter (CVE-2007-6684). * Luigi Auriemma and Remi Denis-Courmont found a boundary error in the modules/access/rtsp/real_sdpplin.c file when processing SDP data for RTSP sessions (CVE-2008-0295) and a vulnerability in the libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a heap-based buffer overflow. * Felipe Manzano and Anibal Sacco (Core Security Technologies) discovered an arbitrary memory overwrite vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984). | ||||||||
| Alerts: |
| ||||||||
vobcopy: insecure temp file
| Package(s): | vobcopy | CVE #(s): | CVE-2007-5718 | |||
| Created: | March 6, 2008 | Updated: | March 12, 2008 | |||
| Description: | From the Gentoo alert: Joey Hess reported that vobcopy appends data to the file "/tmp/vobcopy.bla" in an insecure manner. A local attacker could exploit this vulnerability to conduct symlink attacks and append data to arbitrary files with the privileges of the user running Vobcopy. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
cairo: integer overflow
| Package(s): | Cairo | CVE #(s): | CVE-2007-5503 | |||||||||||||||||||||||||||||||||
| Created: | November 29, 2007 | Updated: | April 10, 2008 | |||||||||||||||||||||||||||||||||
| Description: | Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
MySQL: privilege escalation
| Package(s): | MySQL | CVE #(s): | CVE-2007-3781 CVE-2007-5969 | ||||||||||||||||||||||||||||||
| Created: | December 11, 2007 | Updated: | April 7, 2008 | ||||||||||||||||||||||||||||||
| Description: | MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781) | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
SDL_image: buffer overflows
| Package(s): | SDL_image | CVE #(s): | CVE-2007-6697 CVE-2008-0544 | |||||||||||||||
| Created: | February 8, 2008 | Updated: | March 27, 2008 | |||||||||||||||
| Description: | From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE | CVE #(s): | CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Xorg: multiple vulnerabilities
| Package(s): | Xorg | CVE #(s): | CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 17, 2008 | Updated: | April 4, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the X.org security advisory: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
am-utils: overwrite arbitrary files
| Package(s): | am-utils | CVE #(s): | ||||
| Created: | February 29, 2008 | Updated: | March 5, 2008 | |||
| Description: | The am-utils package could be vulnerable to an attack in which one local user can modify the contents of arbitrary files to which other local users running expn have write access. | |||||
| Alerts: |
| |||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | ||||||||||||||||||
| Created: | August 9, 2006 | Updated: | April 4, 2008 | ||||||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache: several vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 15, 2008 | Updated: | April 4, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
asterisk: possible SQL injection
| Package(s): | asterisk | CVE #(s): | CVE-2007-6170 | |||||||||
| Created: | December 3, 2007 | Updated: | April 15, 2008 | |||||||||
| Description: | Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection. | |||||||||||
| Alerts: |
| |||||||||||
audacity: insecure tmpfile handling
| Package(s): | audacity | CVE #(s): | CVE-2007-6061 | ||||||
| Created: | March 3, 2008 | Updated: | March 21, 2008 | ||||||
| Description: | From the Gentoo advisory:
Viktor Griph reported that the "AudacityApp::OnInit()" method in file src/AudacityApp.cpp does not handle temporary files properly. A local attacker could exploit this vulnerability to conduct symlink attacks to delete arbitrary files and directories with the privileges of the user running Audacity. | ||||||||
| Alerts: |
| ||||||||
bind: off-by-one error
| Package(s): | bind | CVE #(s): | CVE-2008-0122 | ||||||||||||
| Created: | January 22, 2008 | Updated: | March 14, 2008 | ||||||||||||
| Description: | Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3, and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption. | ||||||||||||||
| Alerts: |
| ||||||||||||||
boost: denial of service
| Package(s): | boost | CVE #(s): | CVE-2008-0171 CVE-2008-0172 | |||||||||||||||||||||
| Created: | January 17, 2008 | Updated: | March 14, 2008 | |||||||||||||||||||||
| Description: | From the Ubuntu alert: Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
cacti: multiple vulnerabilities
| Package(s): | cacti | CVE #(s): | CVE-2008-0783 CVE-2008-0784 CVE-2008-0785 CVE-2008-0786 | |||||||||
| Created: | February 28, 2008 | Updated: | March 11, 2008 | |||||||||
| Description: | From the Mandriva alert: A number of vulnerabilities were found in the Cacti program, including XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection vulnerabilities, and information disclosure vulnerabilities. | |||||||||||
| Alerts: |
| |||||||||||
clamav: arbitrary code execution
| Package(s): | clamav | CVE #(s): | CVE-2008-0318 | ||||||||||||||||||
| Created: | February 13, 2008 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | From the CVE: Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
clamav: arbitrary file overwrite
| Package(s): | clamav | CVE #(s): | CVE-2007-6595 | |||||||||
| Created: | February 18, 2008 | Updated: | April 24, 2008 | |||||||||
| Description: | From the CVE entry: ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled. | |||||||||||
| Alerts: |
| |||||||||||
clamav: heap corruption
| Package(s): | clamav | CVE #(s): | CVE-2008-0728 | |||||||||
| Created: | February 22, 2008 | Updated: | April 18, 2008 | |||||||||
| Description: | From the CVE entry: libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption." | |||||||||||
| Alerts: |
| |||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2008-0882 | ||||||||||||||||||||||||
| Created: | February 22, 2008 | Updated: | April 3, 2008 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CVE-2007-5849 CVE-2007-6358 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 | ||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | April 3, 2008 | ||||||||||||||||||||||||
| Description: | The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CVE-2008-0596 CVE-2008-0597 | |||||||||||||||
| Created: | February 25, 2008 | Updated: | March 6, 2008 | |||||||||||||||
| Description: | From the Red Hat advisory: A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597) A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing CUPS daemon crash after exhausting available memory. (CVE-2008-0596) These issues were found during the investigation of CVE-2008-0882. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
dbus: privilege escalation
| Package(s): | dbus | CVE #(s): | CVE-2008-0595 | ||||||||||||||||||
| Created: | February 28, 2008 | Updated: | March 14, 2008 | ||||||||||||||||||
| Description: | From the Red Hat alert: Havoc Pennington discovered a flaw in the way the dbus-daemon applies its security policy. A user with the ability to connect to the dbus-daemon may be able to execute certain method calls they should normally not have permission to access. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
debian-goodies: privilege escalation
| Package(s): | debian-goodies | CVE #(s): | CVE-2007-3912 | ||||||
| Created: | October 5, 2007 | Updated: | March 24, 2008 | ||||||
| Description: | Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart. | ||||||||
| Alerts: |
| ||||||||
evolution: format string vulnerability
| Package(s): | evolution | CVE #(s): | CVE-2008-0072 | |||||||||||||||||||||||||||
| Created: | March 5, 2008 | Updated: | March 14, 2008 | |||||||||||||||||||||||||||
| Description: | The encrypted mail display code in evolution suffers from a format string vulnerability which could be exploited by way of a specially crafted email message. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
exiftags: multiple vulnerabilities
| Package(s): | exiftags | CVE #(s): | CVE-2007-6354 CVE-2007-6355 CVE-2007-6356 | |||||||||
| Created: | December 31, 2007 | Updated: | April 1, 2008 | |||||||||
| Description: | From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356). | |||||||||||
| Alerts: |
| |||||||||||
firebird: multiple vulnerabilities
| Package(s): | firebird | CVE #(s): | CVE-2008-0387 CVE-2008-0467 | ||||||
| Created: | March 3, 2008 | Updated: | March 27, 2008 | ||||||
| Description: | From the Gentoo advisory:
Firebird does not properly handle certain types of XDR requests, resulting in an integer overflow (CVE-2008-0387). Furthermore, it is vulnerable to a buffer overflow when processing usernames (CVE-2008-0467). A remote attacker could send specially crafted XDR requests or an overly long username to the vulnerable server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application. | ||||||||
| Alerts: |
| ||||||||
firebird: buffer overflow
| Package(s): | firebird | CVE #(s): | CVE-2007-3181 | ||||||
| Created: | July 2, 2007 | Updated: | March 27, 2008 | ||||||
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. | ||||||||
| Alerts: |
| ||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2008-0414 CVE-2008-0416 CVE-2008-0420 CVE-2008-0594 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 8, 2008 | Updated: | March 26, 2008 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be
uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a user were ticked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416) Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420) Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox seamonkey thunderbird | CVE #(s): | CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 | ||||||||||||||||||||||||||||||||||||
| Created: | February 8, 2008 | Updated: | April 2, 2008 | ||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)
Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593) A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417) A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418) A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592) | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||