A new linker is not generally something that arouses much interest outside
of the hardcore development community—or even inside it—unless
it provides something especially eye-opening. A newly released linker,
called gold, has just that kind of feature, though, because it runs
up to five times as fast as its competition. For developers who do a lot
of compile-link-test cycles, that kind of performance increase can
significantly increase their efficiency.
Linking is an integral part of code development, but it can be invisible,
as it is often invoked by the compiler. The sidebar accompanying this
article is meant for
non-developers or those in need of a refresher about linker operation.
For those who want to know even more, the author of gold, Ian Lance
Taylor, has a twenty-part series about linker internals on his weblog,
starting with this entry.
For Linux systems, the GNU Compiler
Collection (GCC) has been the workhorse by
providing a complete toolchain to build programs in a number of different
languages. It uses the ld linker from the binutils collection. With
the announcement
that gold has been added to binutils, there are now two
choices for linking GCC-compiled programs.
A linker overview
For non-developers, a quick overview of the process that turns source code
into executable programs may be helpful.
Compilers are programs that turn C—or other high-level
languages—into object code. Linkers then collect up object
code and produce an executable. Usually the linker will not only operate
on object code created from a project's source, but will also reference
libraries of object code—the C runtime library libc for
example. From those objects, the linker creates an executable program that
a user can invoke from the command line.
The linker allows program code in one file
to refer to a code or data object in another file or library. It arranges
that those references are usable at run time by
substituting an address for
the reference to an object. This "links" the two properly in the executable.
Things get more complicated when
considering shared libraries, where the library code is shared by multiple
concurrent executables, but this gives a rough outline of the basics of
linker operation.
The intent is for gold to be a complete drop-in replacement for
ld—though it is not quite there yet. It currently lacks support for
some command-line options, and Linux kernels linked with it do not boot,
but those things will come. It also currently
only supports x86 and x86_64 targets, but for many linker
jobs, gold seems to be working well. The speed seems to be very
enticing to
some developers, with Bryan O'Sullivan saying:
When I switched to using gold as the linker, I was at first a little
surprised to find that it actually works at all. This isn't especially
common for a complicated program that's just been committed to a source
tree. Better yet, it's as fast as Ian claims: my app now links in 2.6
seconds, almost 5.4 times faster than with the old binutils linker!
Performance was definitely the goal that Taylor set for gold
development. It supports ELF (Executable
and Linking Format) objects and runs on UNIX-like operating systems
only. Supporting only one object/executable format, a fresh start, and an
explicit performance goal are some of the reasons that gold outperforms ld.
I looked through the gold sources a bit. I wish everything in the GNU
toolchain were written this way. It is very clean code, nicely commented,
and easy to follow. It shows pretty clearly, I think, the ways in which C++
can be better than C when it is used well.
While I think this is a reasonable approach, I do not yet know how
maintainable it will be over time. State machine implementations can be
difficult for people to understand, and the high-level locking is
vulnerable to low-level errors. I know that one of my characteristic
programming errors is a tendency toward code that is overly complex, which
requires global information to understand in detail. I've tried to avoid it
here, but I won't know whether I succeeded for some time.
Overall, it seems to be getting a nice reception by the community, with
O'Sullivan commenting that he is "looking forward to the point where
gold entirely supplants the existing binutils linker. I expect that won't
take too long, once Mozilla and KDE developers find out about the
performance boost." Once gold gets to that point, Taylor
is already thinking about concurrent
linking—running compiler and linker at the same time—as
the next big step.
There are two other ongoing projects that are working with the greater GCC
ecosystem in interesting ways: quagmire and ggx. Quagmire is an effort to
replace the GNU configure and build system—consisting of autoconf,
automake, and libtool—with something that depends
solely on GNU make. Currently, that system uses
various combinations of the shell, m4, and portable makefiles to make the
building and installation of programs easy—the famous
"./configure; make" command line. The tools were written that way
to try and ensure that users did not need to install additional packages to
configure and build GNU tools.
Quagmire, which has roots in a posting by Taylor, recognizes that GNU make
is ubiquitous, so basing a system around it makes a great deal of sense.
The ggx project is Anthony Green's step-by-step procedure to create an
entire toolchain that can build programs for a processor architecture that he is
creating as a thought
experiment. The basic idea is to design the instruction set based on
the needs of the compiler, in this case GCC, rather than the needs of the
hardware designers. He is using GCC's ability to be retargeted for new
architectures, along with its simulation capabilities to create a CPU that
he can write programs for. As of this writing, he has a "hello world"
program working, along with large chunks of the GCC test suite passing.
Well worth a look.
Last month, an article about
another attempt to free the proprietary Ryzom game expressed
frustration with the implied idea that the free software community could
not, on its own, create a game experience comparable to Ryzom. One of the
resulting comments took issue
with (what was seen as) a dismissive attitude toward the Second Life client
and pointed out some of the work which is being done based on that client. So your
editor decided to take another look. The bottom line is this: the work
being done in this area is still in an early and unstable state, but it
does have the potential to open a new frontier for free software in the
area of virtual environments.
The Second
Life client for Linux is now in a beta release. "Beta," in this case,
means that all of the features have, in some way, been implemented; now
it's just a matter of making it all actually work. Your editor found the
client to be slow, unwieldy, crash-prone, and very fussy about its graphics
environment. Your editor's well-supported (in X) Intel-based desktop was
not adequate for this client, for example; the associated documentation
recommends a long list of cards which (for now) are only supported with
proprietary drivers. Still, on the right system, the
client is able to render three-dimensional worlds with the same quality
that, well, Second Life has on any platform.
An alternative is OpenViewer, a
C#/Mono-based, BSD-licensed viewer project. Your editor had little luck
getting this client going, but the screenshots are nice. The developers
appear to have made significant progress toward the creation of a
functional, three-dimensional client; this is a project to watch. Less far
along is the Aether project,
which is working on an OpenViewer-based client meant to run within Firefox;
thus far, it has a nice design diagram but not much else.
There is also RealXtend, a project
based on the Second Life client which is emphasizing performance and visual
quality. Unfortunately, it also seems to be emphasizing Windows support,
so your editor did not give it a try.
Free software clients are certainly an important tool to have; we will not
be able to access this kind of virtual environment without them. But it
would be a real shame if these clients simply facilitated a world where we
use free clients to access locked-down, proprietary virtual worlds on
somebody else's server. What would be much better would be the ability to
create our own virtual worlds - using free software, of course - and to
link those worlds into a larger virtual universe. That is the formula
which made the World Wide Web (and many other Internet services) work, and
it should certainly be applicable in this context as well.
The good news is that people are working in this area. One project, OpenSim, has the look of
something which is about to achieve much wider awareness as its features
mature. In short, OpenSim is a virtual world server which can be deployed
to create environments much like what one would find in Second Life. It
works with the Second Life client and with OpenViewer as well, and it
presents a very similar experience - at least, in the virtual worlds which
have been deployed so far. Since it's free software, it can be customized
toward the creation of different kinds of environments, including
role-playing games and such.
It is written with C# and Mono - seemingly a common choice for this kind of
software. The Mono environment, for all its faults and potential pitfalls,
may well make it easier to create a cross-platform application with the
requisite features.
What makes OpenSim really interesting, though, is its ability to connect
servers together in a "grid" mode. Once this is done, a virtual world is
not limited to a single entity's server (or imagination). Servers across
the net can be interconnected into a single, larger world. This is the
feature which has the potential to take OpenSim from another interesting
project into something which transforms the net.
There are a number of people organizing grids with OpenSim now; there is a list of public grids
on the OpenSim site. Some of them appear to be relatively proprietary
operations offering the opportunity to buy virtual land - though subprime
loans are unavailable. Others allow anybody to connect their server
into the grid and become part of the whole. These grids appear, in
general, to be in a sort of early adopter state at the moment, but much of
the fundamental functionality is there. How hard could it be to make it
all work properly at this point?
The answer to that question, of course, is "quite hard." But the fact
remains that people are working on this very interesting problem, and they
are making significant progress toward solving it. These projects bear
watching; they may well be planting the seeds of the systems we will all be
using in the coming years.
The Open Source Initiative (OSI) was
formed almost ten years ago to safeguard the "Open Source" name. Over the
years it has approved licenses and attempted some other activities while,
generally, having little relevance to the wider community. It has often
been seen as a relatively closed and non-democratic organization. Now one
of OSI's founders is trying to get back into the organization and change
its direction; the outcome of the resulting discussion may (or may not)
change the direction of the OSI.
Bruce Perens has launched a bid to be elected to the OSI
board of directors, but this bid has
not been particularly well received by the current board. His on-line petition to collect community support
specifies a number of reasons that he wants to be on the board—those
reasons are ruffling some feathers. Outgoing board member Matt Asay has taken Perens to
task for some of his statements as has OSI president
Michael Tiemann.
Perens's reasons for wanting to be on the board are threefold: reducing the
over-representation of vendors, trying to ensure Microsoft does not get a
seat on the board, and reducing license proliferation. The idea of a Microsoft seat on
an open source organization's board is sure to rile a segment of the
community, which is undoubtedly part of what Perens is hoping for. The
likelihood of that happening is pretty small, though. Tiemann makes it
clear that the board doesn't elect companies at all:
The OSI nominates people to the board despite their corporate affiliations,
not because of them. The idea that the OSI would elect a "Microsoft" board
member is as absurd as the idea that we'd elect a "Google" board member or
an "IBM" board member. We elect people based on their own merits, not the
merits (or demerits) of the companies or organizations they are affiliated
with.
Microsoft and its employees do not currently contribute to open source in
any substantial
way, so there is little that would lead the board to nominate them. If that ever
changes, it would be pretty disingenuous to deny someone a seat because of
their employer's past—or even at that time,
current—misbehavior. In addition, it is hard
to see how one board member—Perens or someone "controlled" by
Microsoft—is going to make such a crucial difference in what the board
does anyway. In many ways, the Microsoft connection is
a red herring—one sure to rally the troops, though.
Reducing license proliferation is a noble goal, one that the OSI tried to
tackle a few years back without much in the way of tangible success.
Perens states that he would like to see OSI do more to reduce the number of
licenses, but his claims about the number of licenses needed have raised
eyebrows:
Another problem is the failure to reduce the number of different licenses
in general use. My own work in this area shows that only four licenses, all
compatible with each other, can satisfy all common business and
non-business purposes of Open Source development. Three of these licenses
have essentially the same text, and the fourth is very short. Life would be
easier if more projects used them. While it would be difficult to shut down
approval of new licenses, I think OSI could be more proactive at reducing
license proliferation.
Part of the reason that Tiemann and others are skeptical is due to some
obvious bad blood between the board and Perens over the license
proliferation committee. LWN covered some of that "debate" in
August 2005. Perens clearly believes he should have been a
member just as strongly as others on the board seem to feel he should not
have been. When the board was formed without him as a member, Perens
refused to participate in the process in any way. It
seems to stick in the craw of some for Perens to now claim that he has the
solution. Russ Nelson, former OSI president and current board
member—as well as a member of the committee—sums up the
frustration in a comment on Tiemann's post:
I don't see how Bruce can claim to have a short list of four licenses. I
start with BSD, GPLv2, GPLv3, LGPLv2 and LGPLv3 and that's five. If he
thinks that people should simply agree with him that all GPLv2 should be
relicensed GPLv3, I invite him to spend some time with Linus Torvalds, who
notoriously and politely disagrees.
Having a solution is not the same as convincing people to adopt it.
It is rather interesting to see Perens trying to get back on the board that
he famously resigned from in 1999
after having founded the organization with Eric Raymond in 1998. This is
not the first time Perens has lost interest and/or resigned from some form of community
leadership position; Debian and UserLinux spring to mind. Though none of
the expressed concerns about his candidacy have mentioned it, some must be
wondering how long it would be before ideology or a shifting focus caused
Perens to move on from a board position if he were elected.
Perens has been an excellent advocate for free software and/or open source
over the years, but his tendency towards self-promotion
grates on some. It may not be an ego thing, as he claims, but it certainly
rubs some people the wrong way. The ego issue is one of the reasons that board observer Andrew Oliver does
not support Perens for the board:
A return to a very Amerocentric hacker culture voice with big egos is not
the answer to OSI's problems. I think OSI is on the path to real
fundamental change. I'd like to hear Bruce explain what he'd do differently
in collaboration with others who may not always agree with him.
Asay certainly doesn't see Perens as
having the right credentials either:
The OSI needs a vibrant membership of those currently shaping the open
source landscape. It's possible that its current make-up doesn't reflect
this. Point well taken. But it's equally possible - indeed, I'd say
probable - that Bruce's directorship wouldn't change this. I like Bruce but
aside from the occasional picketing he does, I can't point to anything
substantive he has done for open source in the past half-decade or so.
The petition drive came about because Tiemann encouraged Perens to show
that there was strong community support for him to be a part of the board.
As of this writing, the petition has garnered more than 1700 "signatures",
which Perens believes is enough:
Regarding my candidacy, OSI's board, through its president, asked me to
show an uprising of strong community support if the board was to elect
me. I have. Now that I have done what you asked, are you going to hide
behind complaints about my campaign, which is really quite mild in its
criticism and is in no way the "scorched earth" that Matt refers to, or are
you going to do what you said? If OSI can't handle a political opponent
on my laid-back scale, you're only looking for yes-men.
The OSI board is "self-replacing" with current board members nominating and
electing candidates for empty slots. Each director serves for a three-year
term, with roughly one-third coming up for election each year—though
this year there are five slots to be filled. Three directors are standing
for re-election, leaving two slots open. Unfortunately, it's not clear
when the actual election will be held, nor is there likely to be any
advance notice of who has been nominated. Transparency, it seems, is not
one of the attributes of OSI.
Self-replacement and overlapping terms of office tend to give a certain
stability to a board, but it also creates a kind of inbreeding. It is
unlikely that a board will nominate people who think substantially
differently from themselves. This is one thing that Perens is trying to
circumvent with his very public candidacy. Whatever else can be said about
Perens's candidacy, it is clear that he would bring a different voice into
the OSI boardroom.
But, what is OSI really? Is it an organization that is somehow
supposed to represent all of the diverse voices in the community? At the moment it appears to exist for
the purpose of approving licenses and "protecting the Open Source Definition".
Perens thinks it could be more than that. OSI itself seems to agree as
they have been moving towards more relevance in the community. Oliver
describes that effort:
OSI is trying to solve its problems, by becoming more grassroots and less
bottom up. Meanwhile, it is trying to grow the movement by expanding its
international representation. Corporations do influence OSI, in that not
all of the board has a free hand to say what is on their mind
publicly. However, the solution is to make the OSI board what it should
be: a governance board.
OSI and its board are currently in a state of flux, trying to define a
role for themselves that is broader than just a license approval body. There
doesn't seem to be a lot of discontent within the board that might
lead to Perens or another controversial figure being added. Whether this
leads to continued stagnation or a more vibrant OSI remains to be seen. A
more interesting question might be: will anyone care?
If OSI starts to do visible things for the community, it will finally
acquire some relevance. Given the attitude towards his candidacy, it seems
unlikely that Perens will be able to lead the board in that direction.
Which leaves it up to the current board and the two new
members—neither of which are likely to be Perens—to find a way
to make the community care.
It is hard to believe that governments would spend money on voting
equipment that they are not allowed to test, but that is
exactly what multiple counties in New Jersey appear
to have done. They are certainly not alone; many other places are
likely to have the same restrictions on "their" voting machines. This raises the question:
where are the free software voting systems?
Union County wanted to ask Ed Felten to look at the voting machines it
purchased from Sequoia Voting Systems because of several
anomalies—less charitably known as miscounts—observed when using
them in the primary elections. Once Sequoia got wind of the plan, they
emailed Felten a nastygram
because he might engage in "non-compliant analysis" of the machines in
violation of the Sequoia license. It seems quite likely that is exactly
what Felten and the county clerk had in mind as a third-party analysis is
the only sensible way to evaluate voting machines.
Things are getting a little better, perhaps, but no one has, as yet, tried
to take on the four major voting machine makers with a system that is built
with security in mind. There is no reason that the source code for a
voting machine could not be made available for study. The voting machine
vendors claim all sorts of proprietary secret sauce in their code, but that
isn't the real reason they hide it. Covering up their shoddy code is much more likely.
Every independent review of voting machines has found numerous,
fundamental security flaws that should make anyone with an interest in the
integrity of the election process cringe. Many of those analyses were done
without the source code, so there is little doubt that even uglier problems
would have been found in the code itself. It just cannot be that difficult to
produce something vastly more secure than what is made available today.
One could speculate about the motives of these companies, but instead
looking at what could be built, with mostly off-the-shelf software, is more
fruitful. The place to start is by hiring a few good security-minded
developers, while lining up an independent review team. One might guess
that Felten and his associates would be a good place to start.
A stripped down Linux system could very easily be the basis for a voting
machine, but other free software choices would serve just as well. Some
user interface code for touchscreens and alternative input methods
for those with disabilities would need to be written. Some kind of
printing output device would need to be made a part of the system so that
voter-verifiable audit trails—better yet, ballots that can be put
into a locked box—can be created.
Source code availability does not, in and of itself, ensure vote security.
That code needs to be reviewed by as many experts as can be found. In
addition, there needs to be some mechanism to show that the source code
being reviewed is the same as that being run.
For that reason, the system itself might run on some kind of Trusted
Platform Module (TPM) chip so that interested parties can verify that
the
published code is the same as that running on the system. If the system
runs Linux, it might use the integrity management patches
for that. Most importantly, the outside interfaces (network, USB, PCMCIA,
etc.) to the device would either not be present or be very tightly
controlled. Any kind of removable vote recording memory would need
adequate cryptographic safeguards to eliminate tampering between vote
taking and vote tabulating machines.
Instead of an emphasis on PR, schmoozing, and bamboozling non-technical
folks, the focus of a free software
voting system would be on transparency. The number one goal would be to
give everyone, from the least technical voter to the Bruce Schneiers of
the world: confidence in the machines and the process. It is hard to
fathom how anyone could want anything less.
It would seem that the majority of the readers of this page are willing to part with the updated vulnerabilities section. Based on the comments we got over the last two weeks, we decided to remove it in future editions. So, this is the last week you will find one on the security page. You can always visit http://lwn.net/Vulnerabilities/ to get a look at the most recent vulnerabilities in our database.
CVE-2007-6430:
Tilghman Lesher discovered that database-based registrations are
insufficiently validated. This only affects setups which are
configured to run without a password, relying on host-based
authentication alone.
CVE-2008-1332:
Jason Parker discovered that insufficient validation of From:
headers inside the SIP channel driver may lead to authentication
bypass and the potential external initiation of calls.
CVE-2008-1289: Two buffer overflows exist in the RTP payload handling code of Asterisk. Both
overflows can be caused by an INVITE or any other SIP packet with SDP. The
request may need to be authenticated depending on configuration of the Asterisk
installation.
The first overflow is caused by sending a payload number that surpasses the
programmed maximum payload number of 256. This causes an invalid memory write
outside of the buffer. While this does not allow the attacker to write
arbitrary data it does allow the attacker to write a 0 to other memory
locations.
The second overflow is caused by sending more than 32 RTP payloads. This causes
a buffer on the stack to overflow allowing the attacker to write values between
0 and 256 (the maximum payload number) to memory locations after the buffer.
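The two limits the advisory describes, a payload table of 256 entries and at most 32 payloads per stream, are exactly the bounds a parser has to enforce before it indexes anything. The following is an added example written for this page, not Asterisk's code: a bounds-checked parser for the payload list on an SDP "m=" line that rejects a payload number outside the table or a 33rd payload instead of writing past the end of its arrays. The struct, function names and sample lines are constructed; the limits 256 and 32 are the advisory's figures.

```c
/* Added example, not Asterisk code: a bounds-checked parser for the payload
 * list of an SDP "m=" line. It models the two limits named in the advisory
 * (a payload table of 256 entries, so valid numbers are 0..255, and at most
 * 32 payloads per stream) and rejects anything past them instead of writing
 * outside the tables. Names and sample lines are constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD_NUM 256   /* table size from the advisory: numbers 0..255 are valid */
#define MAX_PAYLOADS    32    /* payloads accepted per media line, also from the advisory */

struct rtp_payloads {
    int count;
    int types[MAX_PAYLOADS];                 /* payload numbers in the order listed */
    unsigned char present[MAX_PAYLOAD_NUM];  /* indexed by payload number */
};

static int is_sep(char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n' || c == '\0';
}

/* Parse "m=<media> <port> <proto> <fmt> ...". Returns the number of payload
 * numbers accepted, or -1 if the line is malformed or exceeds a limit. On
 * failure *out is left zeroed so callers never see a partial table. */
int parse_sdp_m_line(const char *line, struct rtp_payloads *out)
{
    struct rtp_payloads tmp;
    const char *p;
    int field = 0;

    memset(out, 0, sizeof(*out));
    memset(&tmp, 0, sizeof(tmp));
    if (strncmp(line, "m=", 2) != 0)
        return -1;

    for (p = line + 2; *p; ) {
        while (*p == ' ' || *p == '\t') p++;
        if (is_sep(*p)) break;               /* end of line */
        if (field < 3) {                     /* media, port, proto carry no payload number */
            while (!is_sep(*p)) p++;
            field++;
            continue;
        }
        char *end;
        errno = 0;
        long pt = strtol(p, &end, 10);
        if (end == p || errno != 0 || !is_sep(*end))
            return -1;                       /* not a bare decimal number */
        if (pt < 0 || pt >= MAX_PAYLOAD_NUM)
            return -1;                       /* would index past present[]: the first overflow */
        if (tmp.count >= MAX_PAYLOADS)
            return -1;                       /* would run past types[]: the second overflow */
        tmp.types[tmp.count++] = (int)pt;
        tmp.present[pt] = 1;
        p = end;
        field++;
    }
    if (field < 3)
        return -1;                           /* media, port and proto are mandatory */
    *out = tmp;
    return tmp.count;
}

/* Convenience wrappers for checking a line without declaring the struct. */
int accepted_payloads(const char *line)
{
    struct rtp_payloads pl;
    return parse_sdp_m_line(line, &pl);
}

int payload_present(const char *line, int pt)
{
    struct rtp_payloads pl;
    if (parse_sdp_m_line(line, &pl) < 0 || pt < 0 || pt >= MAX_PAYLOAD_NUM)
        return 0;
    return pl.present[pt];
}

/* Builds a constructed line listing payload numbers 0..n-1 and parses it,
 * so the 32-payload limit can be exercised directly. */
int accepted_for_n_payloads(int n)
{
    char buf[1024] = "m=audio 49170 RTP/AVP";
    size_t len = strlen(buf);
    for (int i = 0; i < n && len + 8 < sizeof(buf); i++)
        len += (size_t)snprintf(buf + len, sizeof(buf) - len, " %d", i);
    return accepted_payloads(buf);
}

int main(void)
{
    /* constructed sample lines */
    printf("%d\n", accepted_payloads("m=audio 49170 RTP/AVP 0 8 97"));   /* 3 */
    printf("%d\n", accepted_payloads("m=audio 49170 RTP/AVP 0 8 300"));  /* -1: number beyond the table */
    printf("%d\n", accepted_for_n_payloads(32));                         /* 32 */
    printf("%d\n", accepted_for_n_payloads(33));                         /* -1: too many payloads */
    return 0;
}
```

The parser fills a private copy and only publishes it on success, so a line that fails on its 33rd payload cannot leave a half-populated table behind for later code to trust.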
CVE-2008-1390: Due to the way that manager IDs are calculated, this 32-bit integer is likely
to have a much larger than average number of 1s, which greatly reduces the
number of guesses an attacker would have to make to successfully predict the
manager ID, which is used across multiple HTTP queries to hold manager state.
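An ID with far more 1 bits than the expected 16 out of 32 is cheap to detect before shipping. The following added example, not Asterisk's code, measures the mean popcount of IDs from a generator and computes how many 32-bit values share a given bit count, which is the size of the guess space once the bias is known. Both generators in it are constructed stand-ins: xorshift32 for a uniform source and the OR of two xorshift32 words as a deliberately biased one; nothing here reflects how Asterisk actually computed manager IDs.

```c
/* Added example, not Asterisk code: measures whether a 32-bit session-ID
 * generator has the bias the advisory describes (far more 1 bits than the
 * expected 16) and shows how that shrinks an attacker's guess space. Both
 * generators are constructed stand-ins: xorshift32 for a uniform source, and
 * the OR of two xorshift32 words as a deliberately biased one. */
#include <stdint.h>
#include <stdio.h>

/* Number of 1 bits in x (Kernighan's loop: each iteration clears the lowest set bit). */
int popcount32(uint32_t x)
{
    int n = 0;
    while (x) { x &= x - 1; n++; }
    return n;
}

/* Deterministic xorshift32 step; state must be non-zero. */
uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

uint32_t uniform_id(uint32_t *s) { return xorshift32(s); }

/* OR-ing two uniform words sets each bit with probability 3/4, so these IDs
 * average about 24 ones instead of 16. */
uint32_t biased_id(uint32_t *s)
{
    uint32_t a = xorshift32(s), b = xorshift32(s);
    return a | b;
}

/* Mean popcount over n IDs from gen, starting from seed. */
double mean_popcount(uint32_t (*gen)(uint32_t *), uint32_t seed, int n)
{
    uint32_t s = seed;
    long total = 0;
    for (int i = 0; i < n; i++)
        total += popcount32(gen(&s));
    return (double)total / n;
}

double mean_popcount_uniform(int n) { return mean_popcount(uniform_id, 0x12345678u, n); }
double mean_popcount_biased(int n)  { return mean_popcount(biased_id, 0x12345678u, n); }

/* C(32, k): how many 32-bit values have exactly k one bits. If IDs nearly
 * always have about k ones, this, not 2^32, is the size of the guess space. */
uint64_t ids_with_k_ones(int k)
{
    if (k < 0 || k > 32) return 0;
    uint64_t c = 1;
    for (int i = 0; i < k; i++)              /* C(32,i+1) = C(32,i) * (32-i) / (i+1), exact at each step */
        c = c * (uint64_t)(32 - i) / (uint64_t)(i + 1);
    return c;
}

int main(void)
{
    printf("uniform mean ones: %.2f\n", mean_popcount_uniform(20000));
    printf("biased  mean ones: %.2f\n", mean_popcount_biased(20000));
    printf("values with 16 ones: %llu\n", (unsigned long long)ids_with_k_ones(16));
    printf("values with 24 ones: %llu\n", (unsigned long long)ids_with_k_ones(24));
    return 0;
}
```

A mean popcount well away from 16 is the red flag; the binomial figure then quantifies the damage, since only about 10.5 million 32-bit values carry exactly 24 one bits against roughly 601 million with 16.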
bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite.
The JFreeChart component was vulnerable to multiple cross-site scripting
(XSS) vulnerabilities. An attacker could misuse the image map feature to
inject arbitrary web script or HTML via several attributes of the chart
area. The setOrder method in the org.jboss.seam.framework.Query class did not properly validate user-supplied parameters. This vulnerability allowed
remote attackers to inject and execute arbitrary EJBQL commands via the
order parameter.
Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.
SILC Toolkit contains a possible buffer overflow from PKCS#1 message decoding in
versions earlier than 1.1.7. A specially crafted digital signature can be used to
crash the program.
OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
Robin Johnson reported that the docert() function provided by
ssl-cert.eclass can be called by source building stages of an ebuild,
such as src_compile() or src_install(), which will result in the
generated SSL keys being included inside binary packages (binpkgs).
A local attacker could recover the SSL keys from publicly readable
binary packages when "emerge" is called with the "--buildpkg (-b)" or
"--buildpkgonly (-B)" option. Remote attackers can recover these keys
if the packages are served to a network.
Multiple unspecified errors were reportedly fixed by the ViewVC
development team.
A remote attacker could send a specially crafted URL to the server to
list CVS or SVN commits on "all-forbidden" files, access hidden CVSROOT
folders, and view restricted content via the revision view, the log
history, or the diff view.
Secunia Research has discovered a vulnerability in xine-lib, which can be
exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error within the
"sdpplin_parse()" function in input/libreal/sdpplin.c. This can be exploited to
overwrite arbitrary memory regions via an overly large "streamid" SDP parameter
included in a malicious RTSP stream.
Successful exploitation allows execution of arbitrary code.
The xwine command makes unsafe use of local temporary files when printing. This could allow the removal of arbitrary files belonging to users who invoke the program. The xwine command changes the permissions of the global WINE configuration file such that it is world-writable. This could allow local users to edit it such that arbitrary commands could be executed whenever any local user executed a program under WINE.
Adobe's Acrobat Reader has the following vulnerabilities:
The Adobe Reader Plugin has a cross site scripting vulnerability that
can be triggered by processing malformed URLs. Arbitrary JavaScript can
be served by a malicious web server, leading to a cross-site scripting
attack.
Maliciously crafted PDF files can be used to trigger two vulnerabilities,
if an attacker can trick a user into viewing the files, arbitrary code
can be executed with the user's privileges.
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."
A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)
A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which did not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)
Tilghman Lesher discovered that the logging engine of Asterisk, a free
software PBX and telephony toolkit, performs insufficient sanitizing of
call-related data, which may lead to SQL injection.
Viktor Griph reported that the "AudacityApp::OnInit()" method in file
src/AudacityApp.cpp does not handle temporary files properly.
A local attacker could exploit this vulnerability to conduct symlink
attacks to delete arbitrary files and directories with the privileges
of the user running Audacity.
Micha Lenk discovered that backup-manager, a command-line backup tool,
sends the password as a command line argument when calling a FTP client,
which may allow a local attacker to read this password (which provides
access to all backed-up files) from the process listing.
Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key file
with world-readable permissions, which allows local users to perform
unauthorized named commands, such as causing a denial of service by
stopping named.
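The property the advisory says was violated, a key file readable only by its owner, can be checked mechanically. The following added example, not BIND or Red Hat code, examines a path with lstat() and rejects any group or other permission bits; its self-check creates a temporary file, confirms it passes at mode 0600, loosens it to world-readable (0644 here, a constructed value) and confirms it fails. The function names and the temporary file are constructed for this example.

```c
/* Added example, not BIND or Red Hat code: a check that a key file such as
 * rndc.key is readable only by its owner, the property the advisory says the
 * packages violated. The function and the temporary file are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a regular file with no group/other permission bits,
 * 0 if it is exposed or not a regular file, -1 if it cannot be examined. */
int key_file_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;                            /* a symlink or directory in a key's place is itself a finding */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return 0;                            /* group or other can read, write or execute */
    return 1;
}

/* Self-check: create a 0600 file, confirm it passes, loosen it to a
 * world-readable mode (0644, constructed) and confirm it fails.
 * Returns 1 when both outcomes match expectations. */
int demo_permission_check(void)
{
    char tmpl[] = "/tmp/rndc.key.XXXXXX";   /* constructed name; mkstemp creates it mode 0600 */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    int ok = key_file_is_private(tmpl) == 1;
    if (fchmod(fd, 0644) != 0)
        ok = 0;
    ok = ok && key_file_is_private(tmpl) == 0;
    close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    printf("self-check %s\n", demo_permission_check() ? "passed" : "failed");
    return 0;
}
```

Run against the real path, key_file_is_private("/etc/rndc.key") returning 0 is the condition the advisory describes; -1 just means the file is absent or unreadable to the checker.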
Off-by-one error in the inet_network function in libc in FreeBSD 6.2, 6.3,
and 7.0-PRERELEASE and earlier allows context-dependent attackers to cause
a denial of service (crash) and possibly execute arbitrary code via crafted
input that triggers memory corruption.
From the Mandriva alert:
A number of vulnerabilities were found in the Cacti program, including
XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection
vulnerabilities, and information disclosure vulnerabilities.
A vulnerability in Cacti 0.8.6i and earlier versions allows remote
authenticated users to cause a denial of service (CPU consumption) via
large values of the graph_start, graph_end, graph_height, or graph_width
parameters.
Cairo has an integer overflow vulnerability in the PNG image processing
code. If a user processes a specially crafted PNG image with an
application that is linked against cairo, arbitrary code can be executed
with the user's privileges.
Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.
From the CVE entry:
ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with, e.g., a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code.
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash.
The cups package suffers from a heap overflow vulnerability in the cgiCompileSearch() function. This vulnerability could be exploited remotely if the print server shares printers over the network.
The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability.
From the Red Hat alert:
Havoc Pennington discovered a flaw in the way the dbus-daemon applies its
security policy. A user with the ability to connect to the dbus-daemon may
be able to execute certain method calls they should normally not have
permission to access.
Thomas de Grenier de Latour discovered that the checkrestart program included
in debian-goodies did not correctly handle shell meta-characters. A local
attacker could exploit this to gain the privileges of the user running
checkrestart.
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.
From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a
minor privilege escalation attack in which an authenticated
user may exploit an ACL plugin weakness to save message flags
without having proper permissions."
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name.
Dovecot has multiple vulnerabilities including an issue involving the
confusion between LDAP-authenticated logins across users with the
same password and a denial of service involving a connecting user.
CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users
having shell access to the IMAP server could use this flaw to read, modify or delete
mails of other users stored in inbox files in /var/mail. The /var/mail directory is
mail-group writable and user inbox files are by default created by useradd with
permission 660, <user>:mail. No mail_extra_groups is set by default, hence the
default Fedora configuration was not affected by this problem. If your
configuration sets mail_extra_groups, see the new options mail_privileged_group and
mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still
accepted, but is now deprecated.)
CVE-2008-1218 On Dovecot versions 1.0.11
and newer, it was possible to gain password-less login via passwords with tab
characters, which were not filtered properly. Dovecot versions in Fedora were
not affected by this unauthorized login flaw, but only by a related minor memory
leak in the dovecot-auth worker process.
A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop
1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC
servers to execute arbitrary code via a long private message.
Arnaud Giersch discovered that elinks incorrectly attempted to load
gettext catalogs from a relative path. If a user were tricked into
running elinks from a specific directory, a local attacker could execute
code with user privileges.
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions.
The encrypted mail display code in evolution suffers from a format string vulnerability which could be exploited by way of a specially crafted email message.
The APOP protocol allows remote attackers to guess the first 3 characters
of a password via man-in-the-middle (MITM) attacks that use crafted message
IDs and MD5 collisions. NOTE: this design-level issue potentially affects
all products that use APOP, including (1) Thunderbird, (2) Evolution, (3)
mutt, and (4) fetchmail.
From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not
properly sanitized before being processed, resulting in illegal memory
access in the postprop() and other functions (CVE-2007-6354). He also
discovered integer overflow vulnerabilities in the parsetag() and other
functions (CVE-2007-6355) and an infinite recursion in the readifds()
function caused by recursive IFD references (CVE-2007-6356).
Integer overflow in exif.cpp in exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow.
fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
Firebird does not properly handle certain types of XDR requests,
resulting in an integer overflow (CVE-2008-0387). Furthermore, it is
vulnerable to a buffer overflow when processing usernames
(CVE-2008-0467).
A remote attacker could send specially crafted XDR requests or an
overly long username to the vulnerable server, possibly resulting in
the remote execution of arbitrary code with the privileges of the user
running the application.
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user.
Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be
uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a
user were tricked into opening a malicious web page, an attacker
could perform cross-site scripting attacks. (CVE-2008-0416)
Flaws were discovered in the BMP decoder. By tricking a user into
opening a specially crafted BMP file, an attacker could obtain
sensitive information. (CVE-2008-0420)
Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery
warning dialog wasn't displayed under certain circumstances. A
malicious website could exploit this to conduct phishing attacks
against the user. (CVE-2008-0594)
Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)
Several flaws were found in the way Firefox displayed malformed web
content. A webpage containing specially-crafted content could trick a user
into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)
A flaw was found in the way Firefox stored password data. If a user saves
login information for a malicious website, it could be possible to corrupt
the password database, preventing the user from properly accessing saved
password data. (CVE-2008-0417)
A flaw was found in the way Firefox handles certain chrome URLs. If a user
has certain extensions installed, it could allow a malicious website to
steal sensitive session data. Note: this flaw does not affect a default
installation of Firefox. (CVE-2008-0418)
A flaw was found in the way Firefox saves certain text files. If a
website offers a file of type "plain/text", rather than "text/plain",
Firefox will not show future "text/plain" content to the user in the
browser, forcing them to save those files locally to view the content.
(CVE-2008-0592)
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents. It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute own code or display own content with URL bar and SSL certificate
data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL Protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
showed evidence of memory corruption under certain circumstances, and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)
The Freetype font rendering library versions 2.3.4 and below
has an integer sign error. Remote attackers may be able to
create a specially crafted TrueType Font file with a negative
n_points value that will cause an integer overflow and heap-based
buffer overflow, allowing the execution of arbitrary code.
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers
to have unspecified remote attack vectors and impact. (CVE-2007-3472)
The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a denial
of service (crash) via unspecified vectors involving a gdImageCreate
failure. (CVE-2007-3473)
Multiple unspecified vulnerabilities in the GIF reader in the
GD Graphics Library (libgd) before 2.0.35 allow user-assisted
remote attackers to have unspecified attack vectors and
impact. (CVE-2007-3474)
The GD Graphics Library (libgd) before 2.0.35 allows user-assisted
remote attackers to cause a denial of service (crash) via a GIF image
that has no global color map. (CVE-2007-3475)
Array index error in gd_gif_in.c in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause
a denial of service (crash and heap corruption) via large color
index values in crafted image data, which results in a segmentation
fault. (CVE-2007-3476)
The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial
of service (CPU consumption) via a large (1) start or (2) end angle
degree value. (CVE-2007-3477)
Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the
GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote
attackers to cause a denial of service (crash) via unspecified vectors,
possibly involving truetype font (TTF) support. (CVE-2007-3478)
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
Jens Askengren discovered that gnome-screensaver became confused when
running under Compiz, and could lose keyboard lock focus. A local
attacker could exploit this to bypass the user's locked screen saver.
The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnome Office Gnumeric before 1.8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file containing XLS HLINK opcodes, possibly because of an integer signedness error that leads to an integer overflow. NOTE: some of these details are obtained from third party information.
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code.
Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme name.
Ulf Harnhammer discovered that the HTML filter of the Horde web
application framework performed insufficient input sanitising, which
may lead to the deletion of emails if a user is tricked into viewing
a malformed email inside the Imp client.
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)
A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module. (CVE-2007-6422)
From the Red Hat advisory:
Will Drewry reported multiple flaws in the way libicu processed certain
malformed regular expressions. If an application linked against ICU, such
as OpenOffice.org, processed a carefully crafted regular expression, it may
be possible to execute arbitrary code as the user running the application.
The ImageMagick image decoders have multiple vulnerabilities.
If a user can be tricked into processing a specially crafted
DCM, DIB, XBM, XCF, or XWD image, arbitrary code may be executed with
the user's privileges.
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667.
The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote
user-assisted attackers to cause a denial of service (crash) and possibly
corrupt the heap via malformed image files.
Java has multiple vulnerabilities, including:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE, and buffer overflows in the Java image
handling routines that can give attackers read/write/execute capabilities
for local files.
The Javadoc tool was able to generate HTML documentation pages that
contained cross-site scripting (XSS) vulnerabilities. A remote attacker
could use this to inject arbitrary web script or HTML. (CVE-2007-3503)
The Java Web Start URL parsing component contained a buffer overflow
vulnerability within the parsing code for JNLP files. A remote attacker
could create a malicious JNLP file that could trigger this flaw and execute
arbitrary code when opened. (CVE-2007-3655)
The JSSE component did not correctly process SSL/TLS handshake requests. A
remote attacker who is able to connect to a JSSE-based service could
trigger this flaw leading to a denial-of-service. (CVE-2007-3698)
A flaw was found in the applet class loader. An untrusted applet could use
this flaw to circumvent network access restrictions, possibly connecting to
services hosted on the machine that executed the applet. (CVE-2007-3922)
Flaws in the JRE allowed an untrusted application or applet to elevate its
privileges. This could be exploited by a remote attacker to access local
files or execute local applications accessible to the user running the JRE.
(CVE-2008-1185, CVE-2008-1186)
A flaw was found in the Java XSLT processing classes. An untrusted
application or applet could cause a denial of service, or execute arbitrary
code with the permissions of the user running the JRE. (CVE-2008-1187)
Several buffer overflow flaws were found in Java Web Start (JWS). An
untrusted JNLP application could access local files or execute local
applications accessible to the user running the JRE.
(CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196)
A flaw was found in the Java Plug-in. A remote attacker could bypass the
same origin policy, executing arbitrary code with the permissions of the
user running the JRE. (CVE-2008-1192)
A flaw was found in the JRE image parsing libraries. An untrusted
application or applet could cause a denial of service, or possibly execute
arbitrary code with the permissions of the user running the JRE.
(CVE-2008-1193)
A flaw was found in the JRE color management library. An untrusted
application or applet could trigger a denial of service (JVM crash).
(CVE-2008-1194)
The JRE allowed untrusted JavaScript code to create local network
connections by the use of Java APIs. A remote attacker could use these
flaws to access local network services. (CVE-2008-1195)
Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled,
allows remote attackers to violate the security model for an applet's
outbound connections via a DNS rebinding attack. (CVE-2007-5232)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not
properly enforce access restrictions for untrusted applications, which
allows user-assisted remote attackers to obtain sensitive information (the
Java Web Start cache location) via an untrusted application, aka "three
vulnerabilities." (CVE-2007-5238)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0
Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE
1.3.1_20 and earlier does not properly enforce access restrictions for
untrusted (1) applications and (2) applets, which allows user-assisted
remote attackers to copy or rename arbitrary files when local users perform
drag-and-drop operations from the untrusted application or applet window
onto certain types of desktop applications. (CVE-2007-5239)
Visual truncation vulnerability in the Java Runtime Environment in Sun JDK
and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK
and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows
remote attackers to circumvent display of the untrusted-code warning banner
by creating a window larger than the workstation screen. (CVE-2007-5240)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used,
allows remote attackers to violate the security model for an applet's
outbound connections via a multi-pin DNS rebinding attack in which the
applet download relies on DNS resolution on the proxy server, but the
applet's socket operations rely on DNS resolution on the local machine, a
different issue than CVE-2007-5274. NOTE: this is similar to
CVE-2007-5232. (CVE-2007-5273)
Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier,
JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier,
and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows
remote attackers to violate the security model for JavaScript outbound
connections via a multi-pin DNS rebinding attack dependent on the
LiveConnect API, in which JavaScript download relies on DNS resolution by
the browser, but JavaScript socket operations rely on separate DNS
resolution by a Java Virtual Machine (JVM), a different issue than
CVE-2007-5273. NOTE: this is similar to CVE-2007-5232. (CVE-2007-5274)
An integer overflow vulnerability exists in the embedded ICC profile
image parser (CVE-2007-2788), an unspecified vulnerability exists in
the font parsing implementation (CVE-2007-4381), and an error exists
when processing XSLT stylesheets contained in XSLT Transforms in XML
signatures (CVE-2007-3716), among other vulnerabilities.
The kazehakase web browser is vulnerable to buffer overflows and
memory corruption in PCRE. If a remote attacker can convince a user to
open specially crafted bookmarks, it can lead to the
execution of arbitrary code, denial of service or
arbitrary information disclosure.
The kdebase package is vulnerable to a denial of service in which a local user can render KDM unusable for logins by any user or cause KDM to exceed system resource limits.
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
The IA32 system call emulation functionality in Linux kernel 2.4.x and
2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not
zero extend the eax register after the 32bit entry path to ptrace is used,
which might allow local users to gain privileges by triggering an
out-of-bounds access to the system call table using the %RAX register.
From the Red Hat advisory: A flaw was found in the way the Red Hat
Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA
method for accessing memory on Itanium architectures. A local unprivileged
user could trigger this flaw and cause a denial of service (system panic).
A possible NULL pointer dereference was found in the chrp_show_cpuinfo
function when using the PowerPC architecture. This may have allowed a local
unprivileged user to cause a denial of service (crash).
The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced
Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does
not return the correct write size, which allows local users to obtain
sensitive information (kernel memory contents) via a small count argument,
as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
From the SUSE advisory: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory.
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538)
The Minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
other versions, allows local users to cause a denial of service (hang) via
a malformed minix file stream that triggers an infinite loop in the
minix_bmap function. NOTE: this issue might be due to an integer overflow
or signedness error.
Integer underflow in the ieee80211_rx function in
net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows
remote attackers to cause a denial of service (crash) via a crafted SKB
length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA
flag is set, aka an "off-by-two error."
From the mitre.org CVE description:
VFS in the Linux kernel before 2.6.23.14 performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass file permissions.
The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors.
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause a system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack.
A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes
RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an
"out of bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2)
fib_props (fib_semantics.c, IPv4) functions. (CVE-2007-2172)
mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does not
prevent stack expansion from entering into reserved kernel page memory,
which allows local users to cause a denial of service (OOPS) via
unspecified vectors. (CVE-2007-3739)
The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer
ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do not check
permissions for ioctls, which might allow local users to cause a denial of
service or gain privileges. (CVE-2007-4308)
Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier
allow remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via long SMB responses that trigger the overflows in
the SendReceive function.
A security issue has been reported in the Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c, as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in the Linux kernel, caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
kernel data structures.
The drm/i915 component in the Linux kernel before 2.6.22.2, when used with
i965G and later chipsets, allows local users with access to an X11 session
and Direct Rendering Manager (DRM) to write to arbitrary memory locations
and gain privileges via a crafted batchbuffer. (CVE-2007-3851)
Linux kernel 2.4.35 and other versions allows local users to send arbitrary
signals to a child process that is running at higher privileges by causing
a setuid-root parent process to die, which delivers an attacker-controlled
parent process death signal (PR_SET_PDEATHSIG). (CVE-2007-3848)
Stack-based buffer overflow in the random number generator (RNG)
implementation in the Linux kernel before 2.6.22 might allow local root
users to cause a denial of service or gain privileges by setting the
default wakeup threshold to a value greater than the output pool size,
which triggers writing random numbers to the stack by the pool transfer
function involving "bound check ordering". NOTE: this issue might only
cross privilege boundaries in environments that have granular assignment of
privileges for root. (CVE-2007-3105)
The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
units, which allows local users to cause a denial of service (panic)
via unspecified vectors.
The disconnect method in the Philips USB Webcam (pwc) driver in Linux
kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
which allows user-assisted local attackers to cause a denial of service
(USB subsystem hang and CPU consumption in khubd) by not closing the
device after the disconnect is invoked. NOTE: this rarely crosses
privilege boundaries, unless the attacker can convince the victim to
unplug the affected device.
The sysfs_readdir function in the Linux kernel 2.6 allows local users to
cause a denial of service (kernel OOPS) by dereferencing a null pointer to
an inode in a dentry. (CVE-2007-3104)
The CIFS filesystem, when Unix extension support is enabled, did not honor
the umask of a process, which allowed local users to gain
privileges. (CVE-2007-3740)
The Linux kernel checked the wrong global variable for the CIFS sec mount
option, which might allow remote attackers to spoof CIFS network traffic
that the client configured for security signatures, as demonstrated by lack
of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843)
Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux
kernel allowed local users to have an unknown impact via a crafted argument
to the isdn_ioctl function. (CVE-2007-6063)
David Coffey discovered an uninitialized pointer free flaw in the
RPC library used by kadmind. A remote unauthenticated attacker who
could access kadmind could trigger the flaw causing kadmind to crash
or possibly execute arbitrary code (CVE-2007-2442).
David Coffey also discovered an overflow flaw in the same RPC library.
A remote unauthenticated attacker who could access kadmind could
trigger the flaw causing kadmind to crash or possibly execute arbitrary
code (CVE-2007-2443).
Finally, a stack buffer overflow vulnerability was found in kadmind
that allowed an unauthenticated user able to access kadmind the
ability to trigger the vulnerability and possibly execute arbitrary
code (CVE-2007-2798).
The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Tenable Network Security discovered a stack buffer overflow flaw in the RPC
library used by kadmind. A remote unauthenticated attacker who can access
kadmind could trigger this flaw and cause kadmind to crash.
Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A
remote unauthenticated attacker who can access kadmind could trigger this
flaw and cause kadmind to crash.
The "kdc" authentication component, part of the krb5 package, has a number of vulnerabilities, including denial of service, information (secret key) leaks, and, potentially, remote code execution.
From the Red Hat advisory: A flaw was found in the RPC library used by the MIT Kerberos kadmind
server. An unauthenticated remote attacker could use this flaw to crash
kadmind. This issue only affected systems with certain resource limits
configured.
A flaw was found in the username handling of the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a target
machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001
Buffer overflows were found which affect the Kerberos KDC and the kadmin
server daemon. A remote attacker who can access the KDC could exploit this
bug to run arbitrary code with the privileges of the KDC or kadmin server
processes. MIT krb5 Security Advisory 2007-002
Stack-based buffer overflow in Little CMS (lcms) before 1.15 allows remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via a crafted ICC profile in a JPG file.
Don Armstrong discovered that ldapscripts, a suite of tools to manipulate
user accounts in LDAP, sends the password as a command line argument when
calling LDAP programs, which may allow a local attacker to read this password
from the process listing.
mirror --script in lftp before 3.5.9 does not properly quote shell
metacharacters, which might allow remote user-assisted attackers to execute
shell commands via a malicious script. NOTE: it is not clear whether this
issue crosses security boundaries, since the script already supports
commands such as "get" which could overwrite executable files.
From the Red Hat advisory: An integer overflow flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to execute arbitrary code, or crash.
From the Red Hat advisory: An infinite recursion flaw was found in the way libexif parses Exif image
tags. If a victim opens a carefully crafted Exif image file, it could cause
the application linked against libexif to crash.
The GD library does not perform proper bounds checking when creating images; as a result, an attacker could, via crafted input, potentially execute arbitrary code.
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application.
The libnet-dns-perl package can crash when decoding malformed A records, creating a denial of service vulnerability. Also, the domain name expander can be sent into an infinite loop, also a denial of service problem.
Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21
allow remote attackers to cause a denial of service (crash) via crafted (1)
pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt
(png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) zTXt
(png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read
operations. (CVE-2007-5269)
pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 uses (1) logical
instead of bitwise operations and (2) incorrect comparisons, which might
allow remote attackers to cause a denial of service (crash) via a crafted
PNG image. (CVE-2007-5268)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause
a denial of service (crash) via a crafted PNG image, due to an incorrect
fix for CVE-2007-5266. (CVE-2007-5267)
Off-by-one error in ICC profile chunk handling in the png_set_iCCP function
in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1
allows remote attackers to cause a denial of service (crash) via a crafted
PNG image that prevents a name field from being NULL terminated.
(CVE-2007-5266)
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
From the Mitre advisory:
mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
From the CVE entry: lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.
The lighttpd web server has multiple vulnerabilities involving
a remote access-control setting circumvention that is performed
by the sending of malformed requests. This can be used to crash
the server and cause a denial of service.
From the Debian advisory: Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an 'amd64' flavor kernel. ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data.
The vmsplice system call did not properly verify address arguments
passed by user space processes, which allowed local attackers to
overwrite arbitrary kernel memory, gaining root privileges
(CVE-2008-0010, CVE-2008-0600).
Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. (CVE-2007-6206)
Hugh Dickins discovered an issue in the tmpfs filesystem where, under a rare circumstance, a kernel page may be improperly cleared, leaking sensitive kernel memory to userspace or resulting in a DoS (crash). (CVE-2007-6417)
Neel Mehta and Ryan Smith discovered that the VMWare Player DHCP server
did not correctly handle certain packet structures. Remote attackers
could send specially crafted packets and gain root privileges.
(CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Rafal Wojtczuk discovered multiple memory corruption issues in VMware
Player. Attackers with administrative privileges in a guest operating
system could cause a denial of service or possibly execute arbitrary
code on the host operating system. (CVE-2007-4496, CVE-2007-4497)
From the Gentoo advisory: Luigi Auriemma reported a signedness error in the
parseRTSPRequestString() function when processing short RTSP queries. A
remote attacker could send a specially crafted RTSP query to the
vulnerable server, resulting in a crash.
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
Multiple cross-site scripting (XSS) vulnerabilities in Mailman before
2.1.10b1 allow remote attackers to inject arbitrary web script or HTML
via unspecified vectors related to (1) editing templates and (2) the
list's "info attribute" in the web administrator interface, a
different vulnerability than CVE-2006-3636.
CVE-2007-4542: Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI program.
CVE-2007-4629: Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.
From the CVE entry: Cross-site scripting (XSS) vulnerability in api.php in
(1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through
1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and
earlier; when Internet Explorer is used, allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors.
A cross-site scripting (XSS) vulnerability in index.php in Moodle 1.7.1
allows remote attackers to inject arbitrary web script or HTML via a style
expression in the search parameter.
Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz:
Upgraded to firefox-2.0.0.12.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
patches/packages/seamonkey-1.1.8-i486-1_slack12.0.tgz:
Upgraded to seamonkey-1.1.8.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabil...
(* Security fix *)
+--------------------------+
MPlayer versions up to 1.0rc1 have a buffer overflow in the
DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c.
User-assisted remote attackers can use this to trigger a buffer overflow
and possibly execute arbitrary code.
Several buffer overflows have been discovered in the MPlayer movie player,
which might lead to the execution of arbitrary code. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-0485:
Felipe Manzano and Anibal Sacco discovered a buffer overflow in
the demuxer for MOV files.
CVE-2008-0486:
Reimar Doeffinger discovered a buffer overflow in the FLAC header
parsing.
CVE-2008-0629:
Adam Bozanich discovered a buffer overflow in the CDDB access code.
CVE-2008-0630:
Adam Bozanich discovered a buffer overflow in URL parsing.
From the Gentoo advisory: nnp discovered multiple vulnerabilities in the XML-RPC handler in the
file webserver.c. The ws_addarg() function contains a format string
vulnerability, as it does not properly sanitize username and password
data from the "Authorization: Basic" HTTP header line (CVE-2007-5825).
The ws_decodepassword() and ws_getheaders() functions do not correctly
handle empty Authorization header lines, or header lines without a ':'
character, leading to NULL pointer dereferences (CVE-2007-5824).
MySQL subselect queries using "ORDER BY" can be used by an attacker with
access to a MySQL instance in order to create an intermittent denial
of service.
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server.
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226).
From the CVE entry: MySQL 5.0.x before 5.0.52, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and
5.1 before 5.1.18-beta, allows context-dependent attackers to cause a
denial of service (crash) via a crafted IF clause that results in a
divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not
require the DROP privilege for RENAME TABLE statements, which allows remote
authenticated users to rename arbitrary tables. (CVE-2007-2691)
The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before
5.1.18 does not restore THD::db_access privileges when returning from SQL
SECURITY INVOKER stored routines, which allows remote authenticated users
to gain privileges. (CVE-2007-2692)
MySQL Community Server before 5.0.45 allows remote authenticated users to
gain update privileges for a table in another database via a view that
refers to this external table. (CVE-2007-3782)
Philip Stoev discovered that the federated engine of MySQL
did not properly handle responses with a small number of columns.
An authenticated user could use a crafted response to a SHOW
TABLE STATUS query and cause a denial of service.
From the Debian advisory: Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL implementation included in the MySQL database package, which could lead to denial of service and possibly the execution of arbitrary code.
Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
Buffer overflow in the redir function in check_http.c in Nagios Plugins
before 1.4.10 allows remote web servers to execute arbitrary code via long
Location header responses (redirects).
Buffer overflow in the check_snmp function in Nagios Plugins (nagios-plugins) 1.4.10 allows remote attackers to cause a denial of service (crash) via crafted snmpget replies.
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
From the Mandriva advisory: A buffer overflow in the giftopnm utility in netpbm prior to version 10.27 could allow attackers to have an unknown impact via a specially crafted GIF file.
Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3
proxy server written by Igor Sysoev. The "msie_refresh" directive could
allow cross-site scripting.
Josh Burley reported that nss_ldap does not properly handle the LDAP
connections due to a race condition that can be triggered by
multi-threaded applications using nss_ldap, which might lead to
requested data being returned to a wrong process.
From the CVE entry: The BDB backend for slapd in OpenLDAP before 2.3.36,
allows remote authenticated users to cause a denial of service (crash) via
a potentially-successful modify operation with the NOOP control set to
critical, possibly due to a double free vulnerability.
The OpenLDAP Lightweight Directory Access Protocol suite has a problem
with handling of malformed objectClasses LDAP attributes by the slapd
daemon. Both local and remote attackers can use this to crash slapd,
causing a denial of service.
slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when
running as a proxy-caching server, allocates memory using a malloc variant
instead of calloc, which prevents an array from being initialized properly
and might allow attackers to cause a denial of service (segmentation fault)
via unknown vectors that prevent the array from being null terminated.
A heap overflow vulnerability has been discovered in the TIFF parsing
code of the OpenOffice.org suite. The parser uses untrusted values
from the TIFF file to calculate the number of bytes of memory to
allocate. A specially crafted TIFF image could trigger an integer
overflow and subsequently a buffer overflow that could cause the
execution of arbitrary code.
A security vulnerability in HSQLDB, the default database engine shipped with OpenOffice.org 2 (all versions), may allow attackers to execute arbitrary static Java code, by manipulating database documents to be opened by a user.
OpenSSH 4.4 fixes some security issues, including a pre-authentication
denial of service and an unsafe signal handler; on portable OpenSSH, a
GSSAPI authentication abort could be used to determine the validity of
usernames on some platforms.
Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f
and 0.9.7 allows remote attackers to execute arbitrary code via unspecified
vectors.
From the Debian advisory: An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in the libssl library from OpenSSL, an implementation of Secure
Socket Layer cryptographic libraries and utilities. This error could
allow an attacker to crash an application making use of OpenSSL's libssl
library, or potentially execute arbitrary code in the security context
of the user running such an application.
PCRE has flaws in the way it handles malformed regular expressions.
If an application linked against PCRE, such as Konqueror,
encounters a maliciously created regular expression, it may be possible
to run arbitrary code. Vulnerabilities CVE-2005-4872 and CVE-2006-7227
have been combined into CVE-2006-7224.
Multiple flaws were found in the way pcre handles certain malformed regular
expressions. If an application linked against pcre, such as Konqueror,
parses a malicious regular expression, it may be possible to run arbitrary
code as the user running the application. (CVE-2007-1659, CVE-2007-1660)
Specially crafted regular expressions could lead to buffer overflows in the pcre library. Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code as the user running the application.
A buffer overflow caused by a character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode) may affect usages of pcre, when regular expressions from untrusted sources are compiled.
Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the
end of the string when searching for unmatched brackets and parentheses,
which allows context-dependent attackers to cause a denial of service
(crash), possibly involving forward references. (CVE-2007-1662)
Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE)
library before 7.3 allows context-dependent attackers to execute arbitrary
code via a singleton Unicode sequence in a character class in a regex
pattern, which is incorrectly optimized. (CVE-2007-4768)
A heap-based buffer overflow in the handshakeHTTP function in servhs.cpp in PeerCast 0.1217 and earlier, and SVN 344 and earlier, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SOURCE request.
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485).
Various integer overflow flaws were found in the PHP gd extension. A
script that could be forced to resize images from an untrusted source could
possibly allow a remote attacker to execute arbitrary code as the apache
user. (CVE-2007-3996)
A previous security update introduced a bug into PHP session cookie
handling. This could allow an attacker to stop a victim from viewing a
vulnerable web site if the victim has first visited a malicious web page
under the control of the attacker, and that page can set a cookie for the
vulnerable web site. (CVE-2007-4670)
A flaw was found in the PHP money_format function. If a remote attacker
was able to pass arbitrary data to the money_format function this could
possibly result in an information leak or denial of service. Note that it
is unusual for a PHP script to pass user-supplied data to the money_format
function. (CVE-2007-4658)
A flaw was found in the PHP wordwrap function. If a remote attacker was
able to pass arbitrary data to the wordwrap function this could possibly
result in a denial of service. (CVE-2007-3998)
A bug was found in PHP session cookie handling. This could allow an
attacker to create a cross-site cookie insertion attack if a victim follows
an untrusted carefully-crafted URL. (CVE-2007-3799)
A flaw was found in handling of dynamic changes to global variables. A
script which used certain functions which change global variables could
be forced to enable the register_globals configuration option, possibly
resulting in global variable injection. (CVE-2007-4659)
An integer overflow flaw was found in the PHP chunk_split function. If a
remote attacker was able to pass arbitrary data to the third argument of
chunk_split they could possibly execute arbitrary code as the apache user.
Note that it is unusual for a PHP script to use the chunk_split function
with a user-supplied third argument. (CVE-2007-4661)
The Hardened-PHP Project discovered buffer overflows in the internal
htmlentities/htmlspecialchars routines of the PHP Project. Of
course the whole purpose of these functions is to be fed user
input. The overflow can only occur when UTF-8 is used.
Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4,
allow remote attackers to obtain sensitive information (memory contents) or
cause a denial of service (thread crash) via a large len value to the (1)
strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE:
this affects different product versions than CVE-2007-3996.
(CVE-2007-4657)
Unspecified vulnerability in the chunk_split function in PHP before 5.2.4
has unknown impact and attack vectors, related to an incorrect size
calculation. (CVE-2007-4660)
Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4
has unknown impact and attack vectors. (CVE-2007-4662)
The php5 package contains multiple vulnerabilities, the most serious of which involve several Denial of Service attacks (application crashes and temporary application hangs). It is not currently known that these vulnerabilities can be exploited to execute malicious code.
Several remote vulnerabilities have been discovered in phpMyAdmin, a
program to administrate MySQL over the web. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-1325:
The PMA_ArrayWalkRecursive function in libraries/common.lib.php
does not limit recursion on arrays provided by users, which allows
context-dependent attackers to cause a denial of service (web
server crash) via an array with many dimensions.
CVE-2007-1395:
Incomplete blacklist vulnerability in index.php allows remote
attackers to conduct cross-site scripting (XSS) attacks by
injecting arbitrary JavaScript or HTML in a (1) db or (2) table
parameter value followed by an uppercase </SCRIPT> end tag,
which bypasses the protection against lowercase </script>.
CVE-2007-2245:
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML via (1) the
fieldkey parameter to browse_foreigners.php or (2) certain input
to the PMA_sanitize function.
CVE-2006-6942:
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary HTML or web script via (1) a comment
for a table name, as exploited through (a) db_operations.php,
(2) the db parameter to (b) db_create.php, (3) the newname parameter
to db_operations.php, the (4) query_history_latest,
(5) query_history_latest_db, and (6) querydisplay_tab parameters to
(c) querywindow.php, and (7) the pos parameter to (d) sql.php.
CVE-2006-6944:
phpMyAdmin allows remote attackers to bypass Allow/Deny access rules
that use IP addresses via false headers.
Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable
instead of $_GET and $_POST as a source for its parameters.
An attacker could entice a user to visit a malicious web application
that sets an "sql_query" cookie and is hosted on the same domain as
phpMyAdmin, and thereby conduct SQL injection attacks with the
privileges of the user authenticating in phpMyAdmin afterwards.
Cross-site scripting (XSS) vulnerability in libraries/auth/cookie.auth.lib.php in phpMyAdmin before 2.11.2.2, when logins are authenticated with the cookie auth_type, allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter to index.php, a different vulnerability than CVE-2005-0992.
phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information
via a direct request for themes/darkblue_orange/layout.inc.php, which
reveals the path in an error message.
phpMyAdmin prior to version 2.11.2.1 has an SQL injection vulnerability
in db_create.php. Remote authenticated users with CREATE DATABASE privileges can use this to execute arbitrary SQL commands via the db parameter.
db_create.php also has a related cross-site scripting vulnerability.
Remote authenticated users can inject arbitrary web scripts or HTML
using a hex-encoded IMG element in the db parameter in a POST request.
A cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin
4.1.1 allows remote attackers to inject arbitrary web script or HTML via
the server parameter.
Several vulnerabilities have been found in the PostgreSQL database manager. The developers call the fixes "critical," but also note that, as of the time of the update, none of them were known to be exploited; see this advisory for more information.
Multiple integer overflows in the imageop module in Python 2.5.1 and
earlier allow context-dependent attackers to cause a denial of service
(application crash) and possibly obtain sensitive information (memory
contents) via crafted arguments to (1) the tovideo method, and unspecified
other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other
files, which trigger heap-based buffer overflows.
From Debian Security: Ian Jackson discovered that accesses beyond the end
of qemu emulated disk devices can result in accesses to the emulator's
virtual memory space, and thus can allow a user with sufficient privilege
in the guest (root, as this would need modification of the kernel's
driver) to break out of the VM.
The bgpd daemon in Quagga prior to 0.99.9 allowed remote BGP peers to cause
a denial of service crash via a malformed OPEN message or COMMUNITY
attribute.
rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy.
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
A format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.
The Samba user authentication is vulnerable to a heap-based buffer overflow.
Remote unauthenticated users can use this to crash the Samba server
and cause a denial of service.
A stack buffer overflow flaw was found in the way Samba authenticates
remote users. A remote unauthenticated user could trigger this flaw to
cause the Samba server to crash, or execute arbitrary code with the
permissions of the Samba server.
Samba's mechanism for creating NetBIOS replies is vulnerable to a
buffer overflow. Samba servers that are configured to run as a
WINS server can be crashed by a remote unauthenticated user,
execution of arbitrary code may also be possible.
From the Gentoo alert:
Sarg is vulnerable to the execution of arbitrary code when processed
with untrusted input files.
Sarg (Squid Analysis Report Generator) is a tool that provides a lot of
information about the Squid web proxy server users' activities: time,
sites, traffic, etc.
From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
Stack-based buffer overflow in the silc_fingerprint function in lib/silcutil/silcutil.c in Secure Internet Live Conferencing (SILC) Toolkit 1.1.5, and unspecified earlier versions, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via long input data. NOTE: some of these details are obtained from third party information.
It was discovered that the regex module in Smarty, a PHP templating engine,
allows attackers to call arbitrary PHP functions via templates using the
regex_replace plugin by a specially crafted search string.
A flaw was found in the way squid stored HTTP headers for cached objects
in system memory. An attacker could cause squid to use additional memory,
and trigger high CPU usage when processing requests for certain cached
objects, possibly leading to a denial of service.
Subversion 1.4.3 and earlier does not properly implement the "partial
access" privilege for users who have access to changed paths but not copied
paths, which allows remote authenticated users to obtain sensitive
information (revision properties) via svn (1) propget, (2) proplist, or (3)
propedit.
An unspecified vulnerability involving an "incorrect use of system
classes" was reported by the Fujitsu security team. Additionally, Chris
Evans from the Google Security Team reported an integer overflow
resulting in a buffer overflow in the ICC parser used with JPG or BMP
files, and an incorrect open() call to /dev/tty when processing certain
BMP files.
A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in
teTeX might allow user-assisted remote attackers to overwrite files and
possibly execute arbitrary code via a long filename. NOTE: other overflows
exist but might not be exploitable, such as a heap-based overflow in the
check_idx function.
Joachim Schrod discovered several buffer overflow vulnerabilities and
an insecure temporary file creation in the "dvilj" application that is
used by dvips to convert DVI files to printer formats (CVE-2007-5937,
CVE-2007-5936). Bastien Roucaries reported that the "dvips" application
is vulnerable to two stack-based buffer overflows when processing DVI
documents with long \href{} URIs (CVE-2007-5935). teTeX also includes
code from Xpdf that is vulnerable to a memory corruption and two
heap-based buffer overflows (GLSA 200711-22); and it contains code from
T1Lib that is vulnerable to a buffer overflow when processing an overly
long font filename (GLSA 200710-12).
Security research firm iDefense reported that researcher regenrecht
discovered a heap-based buffer overflow vulnerability in Mozilla mail code
which could potentially allow an attacker to run arbitrary code. The
vulnerability is caused by allocating a buffer that can be three bytes too
small in certain cases when viewing an email message with an external MIME body.
From the Mandriva advisory: The ReadImage() function in Tk did not check CodeSize read from GIF images prior to initializing the append array, which could lead to a buffer overflow with unknown impact.
The Tk toolkit's GIF-reading code contains a buffer overflow which could be exploited via a malicious image file. Fixes may be found in versions 8.4.12 and 8.3.5.
It was discovered that Tk could be made to overrun a buffer when loading
certain images. If a user were tricked into opening a specially crafted GIF
image, remote attackers could cause a denial of service or execute
arbitrary code with user privileges.
Jan Oravec reported that the "/usr/bin/tomboy" script sets the
"LD_LIBRARY_PATH" environment variable incorrectly, which might result
in the current working directory (.) to be included when searching for
dynamically linked libraries of the Mono Runtime application.
Note that the tomboy vulnerability was added in 2007.
Some JSPs within the 'examples' web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).
Note: it is recommended the 'examples' web application not be installed on
a production system.
The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450).
Tomcat was found treating single quote characters -- ' -- as delimiters in
cookies. This could allow remote attackers to obtain sensitive information,
such as session IDs, for session hijacking attacks (CVE-2007-3382).
It was reported Tomcat did not properly handle the following character
sequence in a cookie: \" (a backslash followed by a double-quote). It was
possible remote attackers could use this failure to obtain sensitive
information, such as session IDs, for session hijacking attacks
(CVE-2007-3385).
A cross-site scripting (XSS) vulnerability existed in the Host Manager
Servlet. This allowed remote attackers to inject arbitrary HTML and web
script via crafted requests (CVE-2007-3386).
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Previous versions of the wireshark package are vulnerable
to multiple types of Denial of Service attacks, including
crashes and excessive memory consumption. It has not been
determined that these vulnerabilities can be exploited to
execute malicious code.
From the Debian advisory: Tavis Ormandy discovered that unzip, when processing specially crafted ZIP archives, could pass invalid pointers to the C library's free routine, potentially leading to arbitrary code execution.
* Michal Luczaj and Luigi Auriemma reported that VLC contains
boundary errors when handling subtitles in the ParseMicroDvd(),
ParseSSA(), and ParseVplayer() functions in the
modules/demux/subtitle.c file, allowing for a stack-based buffer
overflow (CVE-2007-6681).
* The web interface listening on port 8080/tcp contains a format
string error in the httpd_FileCallBack() function in the
network/httpd.c file (CVE-2007-6682).
* The browser plugin possibly contains an argument injection
vulnerability (CVE-2007-6683).
* The RSTP module triggers a NULL pointer dereference when processing
a request without a "Transport" parameter (CVE-2007-6684).
* Luigi Auriemma and Remi Denis-Courmont found a boundary error in
the modules/access/rtsp/real_sdpplin.c file when processing SDP data
for RTSP sessions (CVE-2008-0295) and a vulnerability in the
libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a
heap-based buffer overflow.
* Felipe Manzano and Anibal Sacco (Core Security Technologies)
discovered an arbitrary memory overwrite vulnerability in VLC's
MPEG-4 file format parser (CVE-2008-0984).
Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML
generation toolkit, creates insecure temporary files in the eperl and
ipp backends and in the wmg.cgi script, which could lead to local denial
of service by overwriting files.
The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.
From the Gentoo alert:
Miroslav Lichvar discovered that the "xdg-open" and "xdg-email" shell
scripts do not properly sanitize their input before processing it.
A remote attacker could entice a user to open a specially crafted link
with a vulnerable application using Xdg-Utils (e.g. an email client),
resulting in the execution of arbitrary code with the privileges of the
user running the application.
iDefense reported an integer overflow flaw in the XFree86 XC-MISC
extension. A malicious authorized client could exploit this issue to cause
a denial of service (crash) or potentially execute arbitrary code with root
privileges on the XFree86 server. (CVE-2007-1003)
iDefense reported two integer overflows in the way X.org handled various
font files. A malicious local user could exploit these issues to
potentially execute arbitrary code with the privileges of the X.org server.
(CVE-2007-1351, CVE-2007-1352)
An integer overflow flaw was found in the XFree86 XGetPixel() function.
Improper use of this function could cause an application calling it to
function improperly, possibly leading to a crash or arbitrary code
execution. (CVE-2007-1667)
Buffer overflow in the Matroska demuxer (demuxers/demux_matroska.c) in xine-lib before 1.1.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Matroska file with invalid frame sizes.
Moritz Jodeit discovered that the DirectShow loader of Xine did not
correctly validate the size of an allocated buffer. By tricking a user
into opening a specially crafted media file, an attacker could execute
arbitrary code with the user's privileges.
xine-lib contains a buffer overflow which could be exploited (via a specially-crafted stream) to execute arbitrary code; see this advisory for more information.
From the CVE entry: Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function.
xmms suffers from vulnerabilities in its handling of BMP images. Should a hostile image be included in an xmms skin, it could lead to code execution on the user's system.
From the X.org security advisory:
Several vulnerabilities have been identified in server code of the X
window system caused by lack of proper input validation on user
controlled data in various parts of the software, causing various
kinds of overflows.
The X.Org X11 xfs font server has a temp file vulnerability in the
startup script. A local user can modify the permissions of the script
in order to elevate their local privileges.
CVE-2007-1095:
Michal Zalewski discovered that the unload event handler had access to
the address of the next page to be loaded, which could allow information
disclosure or spoofing.
CVE-2007-2292:
Stefano Di Paola discovered that insufficient validation of user names
used in Digest authentication on a web site allows HTTP response splitting
attacks.
CVE-2007-3511:
It was discovered that insecure focus handling of the file upload
control can lead to information disclosure. This is a variant of
CVE-2006-2894.
CVE-2007-5334:
Eli Friedman discovered that web pages written in Xul markup can hide the
titlebar of windows, which can lead to spoofing attacks.
CVE-2007-5337:
Georgi Guninski discovered the insecure handling of smb:// and sftp:// URI
schemes may lead to information disclosure. This vulnerability is only
exploitable if Gnome-VFS support is present on the system.
CVE-2007-5338:
"moz_bug_r_a4" discovered that the protection scheme offered by XPCNativeWrappers
could be bypassed, which might allow privilege escalation.
CVE-2007-5339:
L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson, Olli Pettay,
Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of arbitrary code.
CVE-2007-5340:
Igor Bukanov, Eli Friedman, and Jesse Ruderman discovered crashes in the
Javascript engine, which might allow the execution of arbitrary code.
The current 2.6 development kernel is 2.6.25-rc7, released on March 25. Says
Linus: "The shortlog has more details, but it boils down to some
reverts, some docbook fixes, some sparse annotation fixups, a number of
trivial patches, and a healthy sprinkling of small fixups. Give it a good
testing, because we're hopefully now well on our way towards that eventual
real 2.6.25 release!" Said shortlog can be found in the
announcement, or see the
long-format changelog for the details.
The current stable 2.6 kernel is 2.6.24.4, released on March 24. This
release contains a large number of patches for significant problems in the
2.6.24 kernel.
When you reject useful patches based on "this is not our preferred
style", you piss people off. That is a significant reason why
people choose to spend their time elsewhere. In certain cases
having people abandon the kernel may be a net gain, in many it is a
loss.
[M]y experience with checkpatch.pl is the exact opposite of what you
fear: it _widened_ the contributor base: a good number of newbies
felt encouraged that an objective piece of tool reports an "error"
in a file that was written by otherwise "much more knowledgeable"
kernel hackers. checkpatch.pl is basically the "yes, really, you
are right, this piece of code in the Linux kernel is indeed crap"
review tool that reinforces newbies. It lowers the bar of entry to
kernel hacking, and it does so for exactly those pieces of code
that we want newbies to be active on: barely maintained source
code.
Kernel markers are a
mechanism which allows developers to put static tracepoints into the
kernel. Once placed, these markers can be used by operations staff to
trace well-known events in running systems without that staff having to
know about kernel code. Solaris provides a long list of static tracepoints
for use with Dtrace, but Linux, thus far, has none. That situation should
eventually change - static markers were only merged into the mainline in
2.6.24. But, as the developers start to look more seriously at markers,
some interesting issues are coming up.
One of those emerged as a result of this
patch from Mathieu Desnoyers which allows proprietary modules to
contain markers. The fact that current kernels do not recognize markers in binary-only
modules is mostly an accident: markers are disabled in modules with any sort
of taint flag set as a way to prevent kernel crashes - a kernel oops being
a rather heavier-weight marker than most people wish to encounter.
Mathieu tightened that test in a way that allows markers in proprietary
modules, saying "let's see how people react." Needless to
say, he saw.
One might well wonder why the kernel developers, not known for their
sympathy toward proprietary modules in general, would want to consider
letting those modules include static tracepoints. The core argument here
is that static markers allow proprietary modules to export a bit more
internal information to the kernel, and to their users. It is seen as a
sort of (very) small opening up on the part of the proprietary module
writer. Mathieu says:
I think it's only useful for the end user to let proprietary
modules open up a bit, considering that proprietary module writers
can use the markers as they want in-house, but would have to leave
them disabled on shipped kernels.
The idea is that, by placing these tracepoints, module authors can help
others learn more about what's going on inside the module and help people
track down problems. The result should be a more stable kernel which -
whether proprietary modules have been loaded or not - is generally
considered to be a good thing.
On the other hand, there's no shortage of developers who are opposed to
extending any sort of helping hand to binary module authors. Giving those
modules more access to Linux kernel internals, it is argued, only leads to
trouble. Ingo Molnar put it this way:
Why are we even arguing about this? Binary modules should be as
isolated as possible - it's a totally untrusted entity and history
has shown it again and again that the less infrastructure coupling
we have to them, the better.
Ingo also worries that allowing binary modules to use markers will serve to
make the marker API that much harder to change in the future. Since that
API is quite young, chances are good that changes will happen. As much as
the kernel developers profess not to care about binary-only modules, the
fact of the matter is that there are good reasons to avoid breaking those
modules. The testing community certainly gets smaller when testers cannot
load the modules they need to make their systems work in the manner to
which they have become accustomed. So it is possible that allowing
proprietary modules to use markers could make the marker API harder to fix
in future kernel releases.
The grumbles have been loud enough that Mathieu's patch will probably not
be merged for 2.6.25. The idea is likely to come back again, but
not necessarily right away: the marker feature may have been merged in
2.6.24, but it would appear that 2.6.25 will be released with no actual
markers defined in the source. It's not clear that binary-only module
authors are pushing to add tracepoints when none of the other developers
are doing so. Until somebody starts actually using static markers, debates
on where they can be used will continue to be of an academic nature.
When the kernel executes a program, it must retrieve the code from disk,
which it normally does by demand paging it in as required by the execution
path. If the kernel could somehow know which pages would be needed, it
could page them in more efficiently. Andi Kleen has posted an experimental set of patches that do just that.
Programs do not know about their layout on disk, nor is their path through
the executable file optimized to reduce seeking, but with some information
about which pages will be needed, the kernel can optimize the disk
accesses. If one were to gather a list of the pages that get faulted in
as a program runs, that information could be saved for future runs. It
could then be turned into a bitmap indicating which of the pages should
be prefetched.
Once you have such a bitmap, where to store it becomes a problem. Kleen's
method uses a "hack" to the ELF format on disk, putting the bitmap at the
end of the executable. This has a number of drawbacks: a seek to get
the info, modifying the executable each time you train, and only allowing a
single usage pattern system-wide. It does have one very nice attribute,
though, the bitmap and executable stay in sync; if the executable changes,
due to an upgrade for instance, the bitmap would get cleared in the
process. Alternative bitmap storage locations—somewhere in users'
home directories for example—do not have this property.
Can't this all be done in userspace? Hook into exit() with an LD_PRELOAD,
use /proc/self/maps and the new pagemap code to work out which pages of
which files were faulted in, write that info into the elf file (or a
separate per-executable shadow file), then use that info the next time the
app is executed, either with an LD_PRELOAD or just a wrapper.
Ulrich Drepper
does not want to see the ELF format abused in the fashion it was for this
patch; Kleen doesn't either, but used it as an expedient. Drepper thinks the linker
should be taught to emit a new header type which would store the bitmap. It
would be near the beginning of the ELF file, eliminating the seek. A
problem with that approach is that old binaries would not be able to take
advantage of the technique; a re-linking would be required.
To fill in the bitmaps one can
have a separate tool which is explicitly asked to update the
bitmap data. To collect the page fault data one could use systemtap.
It's easy enough to write a script which monitors the minor page
faults for each binary and writes the data into a file. The binary
update tool can use the information from that file to generate the
bitmap.
Kleen's patch walks the page tables for a process when it is exiting,
setting a bit in the bitmap if that page has been faulted in. Drepper sees
this as suboptimal:
Over many uses of a program all kinds of
pages will be needed. Far more than in most cases. The prefetching
should really only cover the commonly used code paths in the program.
If you pull in everything, this will have advantages if you have that
much page cache to spare. In that case just prefetching the entire
file is even easier. No, such an improved method has to be more
selective.
The problem is in finding the balance between just prefetching the entire
executable—which might be very wasteful—and prefetching the
subset of pages that are most commonly used. It will take some heuristics
to make that decision. As Drepper points out, recording the entire runtime
of a program "will result in all the pages of a
program to be marked (unless you have a lot of dead code in the binary
and it's all located together)."
The place where Drepper sees a need for kernel support is in providing a
bitmap interface to madvise() so that any holes in the pages that
get prefetched do not get filled by the readahead mechanism. The current interface
would require a call to madvise() for each contiguous region, which
could add up to a large number of calls. Both he and Morton favor the
bulk of the work being done in user space.
Overall, there is lots more work to do before "predictive bitmaps" make
their way into a Linux system—if they ever do. To start with, some benchmarking will have to be done
to show that performance improves enough to consider making a change like
this. David Miller expresses some pessimism about the
approach:
I wrote such a patch ages ago as well.
Frankly, based upon my experiences then and what I know now, I think
it's a lose to do this.
It is an interesting idea though, one that will likely crop up again if
this particular incarnation does not go anywhere. Since the biggest efficiency
gain is from reducing seeks, though, it may not be interesting long-term.
As Morton says, "solid-state disks are going to put a lot of code out
of a
job."
An API should refrain from making promises that it cannot keep. A recent
episode involving the kernel's in_atomic() macro demonstrates how
things can go wrong when a function does not really do what it appears to
do. It is also a good excuse to look at an under-documented (but
fundamental) aspect of kernel code design.
Kernel code generally runs in one of two fundamental contexts. Process
context reigns when the kernel is running directly on behalf of a (usually)
user-space process; the code which implements system calls is one example.
When the kernel is running in process context, it is allowed to go to sleep
if necessary. But when the kernel is running in atomic context, things
like sleeping are not allowed. Code which handles hardware and software
interrupts is one obvious example of atomic context.
There is more to it than that, though: any kernel function moves into
atomic context the moment it acquires a spinlock. Given the way spinlocks
are implemented, going to sleep while holding one would be a fatal error;
if some other kernel function tried to acquire the same lock, the system
would almost certainly deadlock forever.
"Deadlocking forever" tends not to appear on users' wishlists for the
kernel, so the kernel developers go out of their way to avoid that
situation. To that end, code which is running in atomic context carefully follows a
number of rules, including (1) no access to user space, and,
crucially, (2) no sleeping. Problems can result, though, when a
particular kernel function does not know which context it might be invoked
in. The classic example is kmalloc() and friends, which take an
explicit argument (GFP_KERNEL or GFP_ATOMIC) specifying
whether sleeping is possible or not.
The wish to write code which can work optimally in either context is
common, though. Some developers, while trying to write such code, may well
stumble across the following definitions from
<linux/hardirq.h>:
/*
* Are we doing bottom half or hardware interrupt processing?
* Are we in a softirq context? Interrupt context?
*/
#define in_irq() (hardirq_count())
#define in_softirq() (softirq_count())
#define in_interrupt() (irq_count())
#define in_atomic() ((preempt_count() & ~PREEMPT_ACTIVE) != 0)
It would seem that in_atomic() would fit the bill for any
developer trying to decide whether a given bit of code needs to act in an
atomic manner at any specific time. A quick grep through the kernel
sources shows that, in fact, in_atomic() has been used in quite a
few different places for just that purpose.
There is only one problem: those uses are almost certainly all wrong.
The in_atomic() macro works by checking whether preemption is
disabled, which seems like the right thing to do. Handlers for events like
hardware interrupts will disable preemption, but so will the
acquisition of a spinlock. So this test appears to catch all of the cases
where sleeping would be a bad idea. Certainly a number of people who have
looked at this macro have come to that conclusion.
But if preemption has not been configured into the kernel in the first
place, the kernel does not raise the "preemption count" when spinlocks are
acquired. So, in this situation (which is common - many distributors still
do not enable preemption in their kernels), in_atomic() has no way
to know if the calling code holds any spinlocks or not. So it will return
zero (indicating process context) even when spinlocks are held. And that
could lead to kernel code thinking that it is running in process context
(and acting accordingly) when, in fact, it is not.
Given this problem, one might well wonder why the function exists in the
first place, why people are using it, and what developers can really do to
get a handle on whether they can sleep or not. Andrew Morton answered the first question in a relatively
cryptic way:
in_atomic() is for core kernel use only. Because in special
circumstances (ie: kmap_atomic()) we run inc_preempt_count() even
on non-preemptible kernels to tell the per-arch fault handler that
it was invoked by copy_*_user() inside kmap_atomic(), and it must
fail.
In other words, in_atomic() works in a specific low-level
situation, but it was never meant to be used in a wider context. Its
placement in hardirq.h next to macros which can be used
elsewhere was, thus, almost certainly a mistake. As Alan Stern pointed out, the fact that Linux
Device Drivers recommends the use of in_atomic() will not have
helped the situation. Your editor recommends that the authors of that book
be immediately sacked.
Once these mistakes are cleared up, there is still the question of just
how kernel code should decide whether it is running in an atomic context or
not. The real answer is that it just can't do that. Quoting Andrew Morton again:
The consistent pattern we use in the kernel is that callers keep
track of whether they are running in a schedulable context and, if
necessary, they will inform callees about that. Callees don't
work it out for themselves.
This pattern is consistent through the kernel - once again, the GFP_
flags example stands out in this regard. But it's also clear that this practice has
not been documented to the point that kernel developers understand that
things should be done this way. Consider this recent
posting from Rusty Russell, who understands these issues better than
most:
This flag indicates what the allocator should do when no memory is
immediately available: should it wait (sleep) while memory is freed
or swapped out (GFP_KERNEL), or should it return NULL immediately
(GFP_ATOMIC). And this flag is entirely redundant: kmalloc() itself
can figure out whether it is able to sleep or not.
In fact, kmalloc() cannot figure out on its own whether sleeping
is allowable or not. It has to be told by the caller. This rule is
unlikely to change, so expect a series of in_atomic() removal
patches starting with 2.6.26. Once that work is done, the
in_atomic() macro can be moved to a safer place where it will not
create further confusion.
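To make the failure mode concrete, here is an added user-space model (written for this article, not kernel code and not from the article itself) of the preempt_count bookkeeping behind in_atomic(): spin_lock() only raises the count when the modelled kernel is built with preemption, so a callee that asks in_atomic() for itself guesses wrong on a non-preemptible kernel, while the caller-passes-a-flag pattern (the GFP_KERNEL/GFP_ATOMIC style) is correct in both configurations. All names (model_*, MODEL_GFP_*) are constructed for the model.

```c
/* Added example: a user-space model of in_atomic() behaviour with and
 * without CONFIG_PREEMPT. Names and values here are constructed; only the
 * in_atomic() expression mirrors the kernel macro quoted in the article. */
#include <stdio.h>
#include <stdbool.h>

#define PREEMPT_ACTIVE 0x10000000u      /* bit masked out by in_atomic() */

static unsigned int preempt_count_model; /* stands in for preempt_count() */
static bool config_preempt;              /* modelled CONFIG_PREEMPT setting */

struct model_spinlock { bool held; };

/* On a preemptible kernel, taking a spinlock disables preemption by raising
 * preempt_count. On a non-preemptible kernel there is nothing to disable,
 * so the count is left alone. That asymmetry is the root of the problem. */
static void model_spin_lock(struct model_spinlock *l)
{
    l->held = true;
    if (config_preempt)
        preempt_count_model++;
}

static void model_spin_unlock(struct model_spinlock *l)
{
    l->held = false;
    if (config_preempt)
        preempt_count_model--;
}

/* Same test as the kernel's in_atomic() macro. */
static int model_in_atomic(void)
{
    return (preempt_count_model & ~PREEMPT_ACTIVE) != 0;
}

/* The anti-pattern: a callee working out for itself whether it may sleep. */
static bool callee_guesses_may_sleep(void)
{
    return !model_in_atomic();
}

/* Returns 1 if, with a spinlock held, the callee wrongly concludes it may
 * sleep under the given configuration; 0 if the guess happens to be right. */
static int in_atomic_false_negative(bool preempt_enabled)
{
    struct model_spinlock lock = { false };
    config_preempt = preempt_enabled;
    preempt_count_model = 0;

    model_spin_lock(&lock);
    bool guessed_sleepable = callee_guesses_may_sleep();
    model_spin_unlock(&lock);

    return guessed_sleepable ? 1 : 0;
}

/* The recommended pattern: the caller knows it holds a lock and says so,
 * the way kmalloc() callers pass GFP_ATOMIC. The callee never guesses. */
enum model_alloc_flags { MODEL_GFP_KERNEL, MODEL_GFP_ATOMIC };

static bool model_alloc_may_sleep(enum model_alloc_flags flags)
{
    return flags == MODEL_GFP_KERNEL;
}

/* A caller holding a spinlock passes MODEL_GFP_ATOMIC; the result no longer
 * depends on CONFIG_PREEMPT at all. Returns whether the callee would sleep. */
static bool caller_under_lock_lets_callee_sleep(bool preempt_enabled)
{
    struct model_spinlock lock = { false };
    config_preempt = preempt_enabled;
    preempt_count_model = 0;

    model_spin_lock(&lock);
    bool would_sleep = model_alloc_may_sleep(MODEL_GFP_ATOMIC);
    model_spin_unlock(&lock);

    return would_sleep;
}

int main(void)
{
    printf("in_atomic() guess wrong under lock, CONFIG_PREEMPT=y: %d\n",
           in_atomic_false_negative(true));
    printf("in_atomic() guess wrong under lock, CONFIG_PREEMPT=n: %d\n",
           in_atomic_false_negative(false));
    printf("explicit flag lets callee sleep under lock, PREEMPT=y: %d\n",
           caller_under_lock_lets_callee_sleep(true));
    printf("explicit flag lets callee sleep under lock, PREEMPT=n: %d\n",
           caller_under_lock_lets_callee_sleep(false));
    return 0;
}
```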
[Editor's note: This article, which looks at the interactions of
software projects and distribution providers, will be presented in three
parts.]
Introduction
In today's world most users of Linux don't build their system from scratch
by downloading the sources of the applications and libraries they need and
building them by hand. Most users will use one or more distributions (the
ones that best suit their needs), and they'll stick with the packages
provided by the distribution for as long as they can.
Power users may know how to get the software they want and build it so it
runs, but the average user won't go around looking for software that is not
readily available to them. The job of a distribution is, of course, to
provide as much software as its users will need, sometimes changing the
software so that it suits the needs of its users better.
The distribution's developers, the so-called downstream
developers, have different responsibilities compared to the
original software developers, the upstream developers. The former are
responsible directly to their users, while the latter are usually more
focused on implementing their software correctly for their own
standards (which means for instance implementing a protocol exactly as
described by the standard, or supporting a file format exactly as it
should be).
Most of the time, these two objectives are compatible with one
another, and users face an interface that hides the details of the
implementation. Sometimes though there are user requests that
upstream developers won't acknowledge, for instance: to parse a
file that was written improperly by a commonly-used tool (maybe a
proprietary tool that does not support free software). In these cases,
some distributions tend to edit the source, creating a modified version for
that particular distribution, with a different behaviour, interface, or
what not.
It's because of cases like this, especially in the last few
years, that there have been many arguments between original developers and
distributions, which sometimes involved legal threats, forks or
removal of software from distributions' repositories. It's not fun to
watch these arguments going by, and sometimes it's all because of
differences in opinion between the developers, or in how their
experiences have affected their views.
Starting with the idea that everybody wants to have the software they
wrote used, this article will try to explain what distributors want
and why they ask the original developers to cooperate toward that
goal. People who worked both as an upstream developer and as a
downstream maintainer usually know what is being done with
their code in a distribution and why. For people who have only seen
one side, understanding the needs and the reasons of the other side can
be very difficult.
Technical and philosophical needs
The majority of the
points where upstream and downstream have different
views can be divided into technical and philosophical
points. On the technical side, distributors need to make the
software build on their system, without lots of workarounds, and it should
follow the same behaviour as other software in their setup. On the
philosophical side, they have needs relating to user requests
and expectations. Users expect some consistency in how software looks and
behaves on their system. Often, both kinds of matters relate to
the policy (written or unwritten) of that distributor.
While one might actually expect a philosophical debate between
developers on formats and how to implement a protocol, it's difficult to
understand how so many arguments are caused by different technical
requests. Unfortunately even the technical needs are often different
between upstream projects and distributions. The only way to
accommodate both is to provide choices, something that more often than not
is considered bad by the upstream developers, who do not
want the complication of too many choices.
I sincerely doubt there will ever be a time when all the
upstream developers and the downstream maintainers will
be on the same page, but it is possible to at least try to understand
what the other side wants, and see if it's possible to cover their
needs, without regressing, even if that means increasing the complexity a
bit. It is true that most of today's tools, in every area, are more
sophisticated and complex than their equivalents of years ago (tens of years
for computer tools, hundreds of years for other areas).
[This ends part 1 of this article. Part 2 will look at the technical
needs of distributions and the upstream developers. Finally, part 3 will
cover the philosophical concerns and present some conclusions. Stay tuned
for part 2, which should air in two weeks.]
The Ubuntu team has announced the beta release of Ubuntu 8.04 LTS
(Long-Term Support) on desktop and server. "Codenamed "Hardy Heron",
8.04 LTS continues Ubuntu's proud tradition of integrating the latest and
greatest open source technologies into a high-quality, easy-to-use Linux
distribution." Beta editions of Kubuntu, Xubuntu, UbuntuStudio, and
Mythbuntu are also available.
"Ah, spring... when a young penguin's fancy lightly turns to thoughts
of... Beta testing! Yes, spring has sprung, and so has the Beta release
of Fedora 9!" With that note, the Fedora developers announce their
beta release and request that anybody interested in Fedora 9 help to
test it out. There's a lot of interesting stuff in this release; see the
announcement for details.
The new Fedora Updates System (bodhi) integrates with the Fedora Build
System (koji) and lets any user give feedback on a specific update, be it
in updates-testing or in the stable repository. Click below to see how you
can help packagers test updates, give them feedback and even prevent a
faulty package from being pushed into the repositories.
Alexandre Oliva writes: "I've stripped non-Free firmware bits from
Fedora kernels for F8 and rawhide, starting from tools developed by the
gNewSense folks and now in use by BLAG developers, and built alternate
kernels that I've successfully booted up and used on my x86_64
notebook."
There have been some questions on the Gentoo lists about the unexplained
delay in the 2008.0 beta release. What's going on is that two of the key
developers involved have suffered a severe personal loss and are not
currently able to work on that release. They ask for sympathy and
understanding from the developer and user communities, and one hopes they
get it.
The March 19 entry in the slackware-current changelog says that Slackware
12.1 RC 1 is close. Click below for snippet of the log, or read the entire
changelog.
Ubuntu 6.10 (Edgy Eft) will reach its end-of-life on April 26, 2008.
"The supported upgrade path from Ubuntu 6.10 is via Ubuntu 7.04...
Note that upgrades to version 7.10 and beyond are only supported in
multiple steps, via an upgrade first to 7.04, then to 7.10. Both Ubuntu
7.04 and Ubuntu 7.10 continue to be actively supported with security
updates and select high-impact bug fixes."
The NetBSD project is celebrating its 15th anniversary. "Throughout
the past fifteen years, NetBSD has increased the portability and security
of the 4.4BSD operating system on which NetBSD was based, and added
support for new processor and system families, while enhancing the
system's performance to such an extent that NetBSD has become known as
the most portable operating system in the world."
SliTaz GNU/Linux is a very small
desktop system that runs from live CD or live USB. SliTaz v1.0 is the
first stable version to be released, after two years of development. This
version, released March 22, 2008, weighs in at under 25MB. This week's DistroWatch
Weekly says "SliTaz GNU/Linux 1.0 - at 25 MB, it has to be the
smallest desktop distro ever created!"
The Fedora Weekly News for the week of March 17, 2008 looks at several
announcements, Planet Fedora articles "Fedora University Tour", "FUDCon
Boston 2008 at the Red Hat Summit" and "Notacon 5", and much more.
This week's edition of openSUSE Weekly
News covers openSUSE 11.0 Alpha 3, SoC Student Application Period Open,
Brainshare Digest, One-Click-Install improvements, and more.
The Ubuntu Weekly Newsletter for March 22, 2008 covers Ubuntu LTS and
Kubuntu 8.04 Beta releases, interview with Jerome Gotangco (former
Community Council member), 8.04 release parties, Launchpad logo contest,
Ubuntu Forum News, Document Freedom Day, and much more.
The DistroWatch
Weekly for March 24, 2008 is out. "Debian-related happenings
form the dominant topic of this issue. The feature story is an interview
with Chris Hildebrandt, one of the main developers of the increasingly
popular sidux distribution. How do the developers of this project test and
stabilise Debian's unstable branch? And who is behind the seductive artwork
and theme that graces its fast and cutting-edge desktop? Read below for
answers. In the meantime, the Debian Installer team releases the first beta
for Lenny, while Ubuntu unveils its own beta of the upcoming "Hardy Heron"
Long-Term Support (LTS) release. But it isn't all about Debian. In the news
section, Novell hints at an upcoming release of SUSE Linux Enterprise 11,
the Fedora board votes to remove pointers to the Fluendo codecs, the
PCLinuxOS community releases a GNOME edition, and NetBSD celebrates its
15th birthday. Finally, don't miss the new distribution section where
you'll find SliTaz GNU/Linux - at just 25 MB, it has to be the smallest
desktop live CD ever created! All this and more in this week's DistroWatch
Weekly."
This week People of openSUSE introduces
Masim Sugianto. "I'm an Indonesian, 32 years old, born and live
in Bekasi-West Java, a small town near Jakarta - main city of Indonesia -
since 17 May 1976. I'm married to my beloved Renny Dear Yuniastuty and have a
child named Muhammad "Zeze Vavai" Rivai Alifianto. I'm a happy blogger. I
have about 7 blogs :-) . I'm currently working as an IT guy in East
Jakarta."
On the ZDNet blogs, Adrian Kingsley-Hughes has a look at the Ubuntu Hardy Heron beta. "I like Ubuntu. With each incarnation I'm seeing improvements and betterments that make the OS better, more robust, more user friendly and more fully-featured. In fact, Ubuntu 8.04 is the first Linux distro that I've come across that I would consider loading onto my notebook to replace Windows. Throughout my testing Ubuntu 8.04 beta has been reliable and performed flawlessly."
The first public release of the Python
Sphinx documentation
system,
which should not be confused with the
CMU Sphinx speech recognition project,
has been announced.
Sphinx is a tool that makes it easy to create intelligent and beautiful documentation for Python projects, written by Georg Brandl and licensed under the BSD license.
It was originally created to translate the new Python documentation, but has now been cleaned up in the hope that it will be useful to many other projects. (Of course, this site is also created from reStructuredText
sources using Sphinx!)
The Sphinx
introduction
states:
"The focus is on hand-written documentation, rather than auto-generated API docs. Though there is limited support for that kind of docs as well (which is intended to be freely mixed with hand-written content), if you need pure API docs have a look at Epydoc, which also understands reST."
Includes semantic markup and automatic links for cross-referencing.
The documentation tree is hierarchically structured.
Indexes are automatically generated.
Sphinx can optionally use the
Pygments programming language syntax highlighter.
Supports a number of extensions for code snippet testing and more.
The Python source code and related files for
Sphinx are available for download
here.
The
change log shows that a number of recent releases have been made.
As of this writing,
the current version is release 0.1.61950, dated March 26, 2008.
If you need to maintain a collection of web-based or
print-based project documentation, Sphinx could be a very
useful tool.
Unstable version 1.10.0 of BusyBox, a collection of command line
utilities for embedded systems, has been announced.
Click below for a list of new features and bug fixes.
The Free Telephony Project
has announced an Alpha FreePBX port for Blackfin Asterisk.
"The goal of this project is to provide free hardware designs for telephone systems. Both the hardware and software are open. You are free to copy, modify and re-use the hardware designs. The hardware for a complete embedded Asterisk IP PBX (including multiple analog ports or a T1/E1) can be built for a few hundred dollars. No PC required!
Our first product is the IP04. The IP04 is a low cost phone system that can switch phone calls from analog phones or phone lines over the Internet using VoIP. The IP04 is a professionally designed product that is in volume production today".
Version 0.2 beta of Web Console has been
announced.
"Web Console is a web-based application that allows remote users to execute UNIX/Windows shell commands on a server directly from a browser. Web Console is open source software written in Perl using AJAX technology - it is very light, beautiful and easy.
Web Console 0.2 beta has been released that is a first public release of the Web Console."
Version 1.2.0 of xsel, a command-line utility for modifying the X
selection buffer, has been announced.
"This is a maintenance release, improving argument handling, documentation
and X11 library detection."
Release 3.1.2 of GNU Radio, a software-defined radio system, has been
announced.
"Release 3.1.2 is a feature and maintenance release, incorporating
numerous bug fixes and new functionality."
Version 2.0.9 of the GnuPG encryption system has been announced,
it features some new capabilities and bug fixes.
"The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It can be used to encrypt data, create digital
signatures, help authenticating using Secure Shell and to provide a
framework for public key cryptography."
Version 2.4.7 of Semeir has been
announced.
"Semeir is an encryption algorithm, capable of stream and block encryption. It is written in pure C. It is platform independent, and is promising for embedded systems. Intended as an alternate, yet secure data encryption cipher. It has been a long few years since I originally submitted Semeir. Starting with its humble 1.0.0 that I never released, to the 2.1.3 that some have tried out. I apologize for taking so long to release the next version, which was not ready until now; requiring a near complete re-write of some functions, and addition of new functions. As well as pre-built functions that are ready to use, when linked with Zlib."
Version 3.2 of Games for Eclipse has been
announced, it includes several bug fixes.
"The goal of the project is to provide implementations of different games as plugins for Eclipse IDE (www.eclipse.org project)."
Beta version 0.4.0 of Fraqtive, a Mandelbrot family fractal generator,
has been
announced.
"A new version of Fraqtive is available. It has a completely new generator engine with support for SSE2, multi-core processors, different variants of fractals and many optimizations for almost real-time user experience. Also the user interface has been completely redesigned and rewritten using Qt4 to make Fraqtive available for both Linux and Windows platforms."
Version 0.9.58 of Wine has been
announced.
Changes include:
The default version is now Windows XP.
Many Richedit improvements.
Beginning of jscript dll support.
Shell folders now respect XDG directory configuration.
Many translation updates.
Lots of bug fixes.
Version 0.4.0 of HOgg, a command line tool for manipulating Ogg files,
is out.
"This is the third public release. The focus is on correctness of Ogg
parsing, production and editing. The capabilities of the hogg commandline
tool are roughly on par with those of the oggz* tools."
Version 0.7.5 of Chandler Desktop has been announced.
"The Chandler Project is an open source, standards-based information
manager designed for personal use and small group collaboration.
The 0.7.5 release of Chandler Desktop simplifies the Chandler UI by
changing elements confusing to new users. In particular, multiple
toolbar buttons were removed, "tasks" were replaced with "starred
items", the "triage" button was renamed to "clean up", and the items
created when first starting have been made more useful. The sidebar
list of collections can now be reordered by dragging them in-place. A
variety of build/packaging and platform-specific bugs have also been
fixed."
Version 1.0.1 of PyKeylogger has been
announced.
"PyKeylogger is a simple keylogger written in python. It is primarily designed for backup purposes, but can be used as a stealth keylogger, too. It does not raise any trust issues, since it is a set of [relatively] short python scripts that you can easily examine.
This is a bugfix release. Properly account for relative path names in ini settings and cli arguments by detecting full path location of program. Some about dialog prettification also took place."
Version 1.7 of JOSSO has been
announced.
"JOSSO - Java Open Single Sign-On - is an open source J2EE-based SSO infrastructure aimed to provide a solution for centralized platform neutral user authentication and authorization. For more information contact our website at : http://www.josso.org
The JOSSO Single Sign-on Project 1.7 release is out, bringing fully transparent single sign-on to BEA WebLogic 9 and Apache Geronimo 2 application servers, extending as well its interoperability span to generic JEE web container such as Jetty.
As part of this release, a brand new Ajax user management application comes built-in for enabling out-of-the-box account provisioning."
Version 0.6.0 of Parrot, a virtual machine aimed
at running dynamic languages, has been announced.
"This release is a milestone release featuring the
revamping of Parrot Magic Cookies."
The spring 2008 edition of
The Perl Review
is available.
Topics include:
Compiling My Own perl, FMTIEWTK About Closures, Expecting Perl,
Perl and Undecidability and The Year in Perl, 2007.
Version 1.0.1 beta 112 of Pantheios has been
announced, it includes a change to standard UNIX convention lib prefixes
in the makefiles.
"Pantheios is an Open Source C/C++ Logging API library, offering an optimal combination of 100% type-safety, efficiency, genericity and extensibility. It is simple to use and extend, highly-portable (platform and compiler-independent) and, best of all, it upholds the C tradition of you only pay for what you use."
Version 1.3 of the Bazaar version control system has been announced.
"Since 1.2, we've improved the speed of several important operations,
including log, annotate, and other operations on revision history.
Several bugs have been fixed and new options and features have been
added, including an option to hardlink files between working trees."
The 1.0 release of the Mercurial source code management system has been announced.
Mercurial has been in production use for some time, but this release adds a
number of new features and performance improvements anyway; see the
announcement for details.
The Boston Review is carrying a lengthy article by Jonathan Zittrain on protecting the net from security threats. In your editor's opinion, the analysis of the problems is good, while the proposed solutions are a bit more questionable. "What might this system look like? Roughly, it would take the form of toolkits to overcome the digital solipsism that each of our PCs experiences when it attaches to the Internet at large, unaware of the size and dimension of the network to which it connects. These toolkits would run unobtrusively on the PCs of participating users, reporting back (to a central source, or perhaps only to each other) information about the vital signs and running code of that PC, which could help other PCs determine the level of risk posed by new code."
A number of responses have been posted, including one from Richard Stallman. "With free/libre software, no one has the power to make a malicious feature stick. Since the source code is available to the users, millions of programmers are in a position to spot and remove the malicious feature and release an improved version; someone will surely do so. Others can independently compare the two versions to assure you which version treats you right. As a practical fact, free software is generally devoid of designed-in malware."
ars technica takes a detailed look at the patent reform bill currently being considered in the U.S. Congress and comes away unimpressed. "Although the legislation includes provisions that are likely to moderately reduce the toll that patents take on high-tech innovation, none of the proposals address the fundamental problems that have cropped up in recent years. Opponents of software patents, in particular, will find the provisions of the Patent Reform Act underwhelming. Their best hope is that the Supreme Court tackles the issue in the coming years. If that doesn't happen, then they will likely need to wait for the situation to deteriorate further before there will be sufficient political will for serious reforms."
KDE.News covers
a hardware donation to KDE by 3DConnexion.
"A couple of weeks ago Hans Bakker, who had never touched KOffice code before, started hacking on a Krita plugin for the 3DConnexion SpaceNavigator. Within a week or two he had a working plugin for Krita and it quickly became clear how cool these little devices are and how many possibilities for new user interaction paradigms they afford. So Hans suggested contacting Ettore Pasquini from 3DConnexion about the possibility of them donating a SpaceNavigator to the KOffice project for testing purposes. Well, that was only last week, and this week a box with three SpaceNavigators already landed on my desk."
Groklaw reports
that India has voted No to OOXML. "There is a difference, in other
words, between supporting XML, what you might call pro forma support, and
supporting OOXML as a standard. For that matter, there is a difference
between support for Microsoft Office 2007 and support for OOXML. They are
not the same thing, so when OpenOffice.org announces native read and write
support for Office 2007 documents, that is all it means. It doesn't mean
OpenOffice.org supports OOXML as a standard. No matter what Microsoft folks
try to tell you."
From virishi.net comes a tale of woe in trying to use Meraki hardware to provide internet to part of Vancouver, British Columbia. It seems that this MIT Roofnet project commercial spin-off keeps changing its pricing models and licensing on the free software-based devices. "Then in February Meraki announced a change to their EULA (End User Licence Agreement) which precluded anyone from changing any of the software that they install on their units. This meant that from that point forward we would be breaking their rules, and maybe the law, by installing our own work on their hardware. Of course this could not be applied retroactively so we were free to continue to work with the hardware that we'd already bought but we intensified our search for alternatives to the Meraki hardware." (Seen on Slashdot).
PolishLinux.org takes
a look at KDE 4.1 with lots of screenshots. "You don't always
see this in the official changelogs but the KDE 4 development is
progressing in an extraordinary speed. After a deep look at rev 777000 we
are presenting you a new visual review of changes made to KDE 4 during the
last couple of weeks." (Found on KDE.News)
LinuxDevices takes
a look at the Xenomai/SOLO project. "Newly available open source
software could significantly increase Linux's utility in industrial
computing applications. The Xenomai/SOLO project aims to provide VxWorks
and other RTOS emulation in user-space on most any Linux kernel, and to
deliver short, bounded application latency on kernels with built-in
real-time capabilities."
LinuxDevices
looks at a Linux-powered wireless security system.
"A British startup called AlertMe.com has introduced a remotely managed security system that runs off a Linux-driven Hub. The AlertMe Hub tracks various sensors via Zigbee, and then reports back to AlertMe.com's servers, which in turn relay alarm events to the customer via SMS or email.
Costing $800 plus $23.50 a month, the system alerts remote customers to events such as an intruder or a fire, says the company. The battery-powered, ZigBee-enabled devices in the AlertMe network include door and window sensors and alarm detectors that listen for existing smoke or carbon monoxide alarms."
The curl project has
announced its ten year anniversary.
"Like many other projects, this started because of an itch. I wanted to get currency rates off the internet to allow an IRC bot to be able to provide an exchange service for users with accurate up-to-date rates. I thought the existing projects I found all did too much or did the wrong thing. That bot and service is now gone since long."
(Thanks to Daniel Stenberg).
The Free Software Foundation Europe has sent out a press release stating
that March 26 is Document Freedom Day. "In a world where records are
increasingly kept in electronic form, Open Standards are crucial for
valuable information to outlive the application in which it was initially
generated. The question of Document Freedom has severe repercussions for
freedom of choice, competition, markets and the sovereignty of countries
and their governments."
The Audacious audio player project
will take part in the 2008 Google Summer of Code.
"Due to the success we've had in last year's Summer of Code, we are pleased to announce that we are participating in it again, and this time we're not limited to just Audacious. Atheme.org, the development teams who work on Audacious, charybdis, Atheme IRC Services, and other projects, is the mentoring organisation this year."
The Audacity
sound editor project has announced its participation in the
Google Summer of Code 2008.
"Students! Interested in supporting Audacity and earning a stipend this summer? Apply by 5:00 PM PDT on March 31, 2008 (00:00 UTC on April 1, 2008)!
Audacity is a mentoring organization for the Google Summer of Code 2008! GSoC offers student developers $4,500 stipends to write code for various open source projects."
KDE.News has announced
the KDE group's participation in the 2008 Google's Summer of Code.
"Google's Summer of Code will begin accepting applications soon and KDE will be participating for this fourth year. If you are a student over 18 and want to work on KDE this summer take a look at our ideas page. You are not restricted to what is listed there, other projects are welcome. Take the opportunity to talk to potential mentors over e-mail & IRC to see how feasible your project is, then write a project proposal for your application. You will have a week to apply starting from Monday, March 24."
KDE.News has announced
the Season of Usability coding project.
"Our friends over at OpenUsability have just started a call for students of usability, user-interface design, and interaction design or related subjects for the Season of Usability. Season of Usability is a project that offers mentoring to students who want to work on usability aspects of various projects, including KDE. Students are offered a stipend worth $US1000. KDE is involved in the Season of Usability with three possible stipends: two for students who want to work on the KDE 4 Human Interface Guidelines, and another project that aims at improving the toolbox and palette interaction in KOffice."
The Perl Foundation has
announced its participation in the Google Summer of Code.
"The Perl Foundation is participating in Google's 2008 Summer of Code(tm) and we have a lot of capable, willing mentors looking forward to working with some talented, driven students. So, we would like you to help find those students (and quickly -- the application period opens March 24th and closes March 31st.)"
The PostgreSQL DBMS project has
announced
its participation in the 2008 Google Summer of Code.
"For Summer of Code, Google will be paying for student internships to work on PostgreSQL features and applications. We've put up a list of ideas,
including guidelines for submissions and more. Applications for students open March 25th, and close March 31, so urge any students you know to get your applications prepared right away!"
The Samba project has
announced
its participation in the 2008 Google Summer of Code.
"Samba is again participating as a mentoring organization for the Google Summer of Code. If you are a student and interested in participating, check out our ideas list. We would appreciate if you could drop by on the samba-technical mailing list or in #samba-technical on Freenode and have a chat with us on the project you are interested in.
The Samba Team would like to thank Google, Leslie Hawthorn in particular, for organizing this great project yet another year."
The XMMS2 music player project has
announced its participation in the 2008 Google Summer of Code.
"Google has just announced the mentor organizations for Summer of Code 2008 and we are happy to announce that XMMS2 was selected to participate this year as well."
CodeWeavers has announced their new CrossOver Games product.
"CrossOver Games will allow you to install and play
some of the most popular games available for Windows on your Mac or
Linux system, all without needing to buy or run a copy of Windows.
This includes support for Guild Wars, World of Warcraft, and many
games through Steam, including Team Fortress 2, Portal, Half Life 2,
Civilization IV, Peggle, and many others."
Likewise Software has announced the availability of their
Open Spring '08 product.
"Likewise Software, formerly Centeris, a leader in delivering
authentication and audit solutions for mixed networks, today announced the availability of Likewise
Open Spring '08, an Open Source offering that provides fast and easy integration of Linux, UNIX and
Mac systems with Microsoft's Active Directory. This release brings the platforms supported by
Likewise Open from a few to over 110 Linux, UNIX and Mac Platforms, or virtually all non-Windows
enterprise platforms. Likewise Open Spring '08 is available today as a free download from
http://www.likewisesoftware.com/download/index.php"
The Linux Box Corporation has announced it has joined Nagios Enterprises in
a partnership that will help both companies provide open source support for
Nagios products to customers nationwide.
Microsoft's Port 25 weblog is carrying a tour of the company's open source software lab. "To some folks outside of Microsoft, the Open-Source Software Lab has been a sort of mysterious place. A place where we study Linux and open-source software, cursing our enemies while brewing our malevolent plans to combat those nasty FOSS developers. Oh, and we also have a death ray on the roof of building 17. It's Linux-powered, of course, just to add a little irony."
The Software Freedom Law Center has announced the
formation of Moglen Ravicher LLC.
"The Software Freedom Law Center (SFLC),
provider of pro bono legal services to protect and advance free and
open source software (FOSS), today announced the formation of Moglen
Ravicher LLC, a law firm which will represent select for-profit
clients that support FOSS but are not eligible to receive SFLC's pro
bono services.
An initial client of Moglen Ravicher LLC is OpenNMS, an open source
enterprise grade network management platform. OpenNMS has retained the
firm for representation regarding violations of the GNU General Public
License (GPL)."
Oracle has
announced the availability of Oracle Clusterware for its
Oracle Unbreakable Linux support customers.
"Oracle Clusterware is portable cluster software that groups together
individual servers so they can cooperate as a single system. A
fundamental component of Oracle Real Application Clusters, Oracle
Clusterware can operate independently and helps ensure the protection
of an application, Oracle or third-party."
REvolution Computing has
announced the establishment of a new advisory board.
"REvolution Computing, a New Haven, CT-based provider of
software for computational statistics, today announced the formation of an advisory board that includes many of the leading figures in the creation and development of open source communities. David Henderson, Director of Community for REvolution Computing, will be the director of the board, charged with coordinating the exchange and discussion between the board, the 'R' community and developers."
Trusted Computer Solutions has announced Security Blanket 1.2.
"Security Blanket enables
systems administrators to automatically configure and enhance the security
level of their Linux operating platform by simplifying the current arduous
methods for "hardening" systems that must be undertaken on a regular basis
to meet security compliancy requirements."
Vyatta has introduced the Vyatta 514, a networking appliance that combines
Vyatta's open-source routing and security software with a small form factor
hardware platform. "With integrated routing, firewall, and VPN
features, the Vyatta 514 is ideally suited to connect small businesses and
branch offices to the Internet or private networks. The Vyatta 514
provides all the security, performance, and functionality of proprietary
networking solutions at a fraction of the cost."
The Free Software Foundation has announced that Harald Welte is the
recipient of this year's Award for the Advancement of Free Software, and
Groklaw has won the group's Social Benefit Award. "The
awards committee honored both Welte's technical contributions to
projects like the Linux kernel and the OpenMoko mobile platform
project, and his community leadership in safeguarding the freedom of
free software users by successfully enforcing the GNU General Public
License in over one hundred cases since the gpl-violations.org project
began in 2004."
The KDE Plasma Themes Contest has been
announced.
"The KDE Plasma team is inviting everyone to participate in a contest to create Plasma themes from which a select few will be chosen to be included as a part of the upcoming KDE 4.1 release. This is a great opportunity to contribute to a very visible component of the KDE project, the Plasma desktop. A great feature of Plasma is the ability to theme components of the desktop using Scalable Vector Graphics (SVGs). This means there is no need for you to know C++ or any other programming language to create a great looking theme."
Andrew Kuchling
covers the PyCon 2008 Python conference.
"With every PyCon the organizers try various innovations, some of which work and some of which don't. Now that PyCon 2008 is over and I've had a chance to recover from sleep deprivation, here's my re-cap."
The Embedded Linux Conference 2008 has announced its program for the conference being held April 15-17 in Mountain View, California. The conference features keynotes from Henry Kingman, Andrew Morton, and Tim Bird along with more than 50 sessions on a variety of embedded Linux topics. Click below for more information.
The Linux Foundation has
announced
a spring 2008 legal summit.
"The Linux Foundation (LF), the nonprofit organization dedicated to accelerating the growth of Linux, today announced the details for its second Legal Summit, which will be held at the Motorola Customer Briefing Center in Schaumburg, Ill. on April 23, 2008."
The LinuxWorld Conference & Expo is accepting applications for the
Linux Garage.
"Linux is now a part of phones, cars, satellite TV, multimedia, and more gizmos
and gadgets than anyone can imagine. As embedded Linux continues to grow, the
Linux Garage is the new demonstration area where the newest and coolest gadgets
will be showcased at LinuxWorld 2008.
The goal of the Linux Garage is to provide a forum for the creators of
innovative devices that employ embedded Linux and to provide attendees a peek
under the hood at gadgets they can be coding for.
Established companies showcasing real products can buy space in the area, while
early stage companies and pre-revenue inventors can apply for free space
awarded on coolness factor."