Sponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for March 27, 2008
Striking gold in binutils
A new linker is not generally something that arouses much interest outside of the hardcore development community—or even inside it—unless it provides something especially eye-opening. A newly released linker, called gold has just that kind of feature, though, because it runs up to five times as fast as its competition. For developers who do a lot of compile-link-test cycles, that kind of performance increase can significantly increase their efficiency.
Linking is an integral part of code development, but it can be invisible, as it is often invoked by the compiler. The sidebar accompanying this article is meant for non-developers or those in need of a refresher about linker operation. For those who want to know even more, the author of gold, Ian Lance Taylor, has a twenty-part series about linker internals on his weblog, starting with this entry.
For Linux systems, the GNU Compiler Collection (GCC) has been the workhorse by providing a complete toolchain to build programs in a number of different languages. It uses the ld linker from the binutils collection. With the announcement that gold has been added to binutils, there are now two choices for linking GCC-compiled programs.
A linker overview
For non-developers, a quick overview of the process that turns source code into executable programs may be helpful. Compilers are programs that turn C—or other high-level languages—into object code. Linkers then collect up object code and produce an executable. Usually the linker will not only operate on object code created from a project's source, but will also reference libraries of object code—the C runtime library libc for example. From those objects, the linker creates an executable program that a user can invoke from the command line. The linker allows program code in one file to refer to a code or data object in another file or library. It arranges that those references are usable at run time by substituting an address for the reference to an object. This "links" the two properly in the executable. Things get more complicated when considering shared libraries, where the library code is shared by multiple concurrent executables, but this gives a rough outline of the basics of linker operation.
The intent is for gold to be a complete drop-in replacement for ld—though it is not quite there yet. It is currently lacking support for some command-line options and Linux kernels that are linked with it do not boot, but those things will come. It also currently only supports x86 and x86_64 targets, but for many linker jobs, gold seems to be working well. The speed seems to be very enticing to some developers, with Bryan O'Sullivan saying:
Performance was definitely the goal that Taylor set for gold development. It supports ELF (Executable and Linking Format) objects and runs on UNIX-like operating systems only. Only supporting one object/executable format, along with a fresh start and an explicit performance goal are some of the reasons that gold outperforms ld.
Tom Tromey likes the looks of the code:
Because the implementation is geared for speed, Taylor used techniques that may confuse some. He has some concerns about the maintainability of his implementation:
Overall, it seems to be getting a nice reception by the community, with O'Sullivan commenting that he is "looking forward to the point where gold entirely supplants the existing binutils linker. I expect that won't take too long, once Mozilla and KDE developers find out about the performance boost." Once gold gets to that point, Taylor is already thinking about concurrent linking—running compiler and linker at the same time—as the next big step.
There are two other ongoing projects that are working with the greater GCC ecosystem in interesting ways: quagmire and ggx. Quagmire is an effort to replace the GNU configure and build system—consisting of autoconf, automake, and libtool—with something that depends solely on GNU make. Currently, that system uses various combinations of the shell, m4, and portable makefiles to make the building and installation of programs easy—the famous "./configure; make" command line. The tools were written that way to try and ensure that users did not need to install additional packages to configure and build GNU tools. Quagmire, which has roots in a posting by Taylor recognizes that GNU make is ubiquitous, so basing a system around that makes a great deal of sense.
The ggx project is Anthony Green's step-by-step procedure to create an entire toolchain that can build programs for a processor architecture that he is creating as a thought experiment. The basic idea is to design the instruction set based on the needs of the compiler, in this case GCC, rather than the needs of the hardware designers. He is using GCC's ability to be retargeted for new architectures, along with its simulation capabilities to create a CPU that he can write programs for. As of this writing, he has a "hello world" program working, along with large chunks of the GCC test suite passing. Well worth a look.
Toward a free metaverse
Last month, an article about another attempt to free the proprietary Ryzom game expressed frustration with the implied idea that the free software community could not, on its own, create a game experience comparable to Ryzom. One of the resulting comments took issue with (what was seen as) a dismissive attitude toward the Second Life client and pointed out some of the work which is being done based on that client. So your editor decided to take another look. The bottom line is this: the work being done in this area is still in an early and unstable state, but it does have the potential to open a new frontier for free software in the area of virtual environments.The Second Life client for Linux is now in a beta release. "Beta," in this case, means that all of the features have, in some way, been implemented; now it's just a matter of making it all actually work. Your editor found the client to be slow, unwieldy, crash-prone, and very fussy about its graphics environment. Your editor's well-supported (in X) Intel-based desktop was not adequate for this client, for example; the associated documentation recommends a long list of cards which (for now) are only supported with proprietary drivers. Still, on the right system, the client is able to render three-dimensional worlds with the same quality that, well, Second Life has on any platform.
An alternative is OpenViewer, a C#/Mono-based, BSD-licensed viewer project. Your editor had little luck getting this client going, but the screenshots are nice. The developers appear to have made significant progress toward the creation of a functional, three-dimensional client; this is a project to watch. Less far along is the Aether project, which is working on a OpenViewer-based client meant to run within Firefox; thus far, it has a nice design diagram but not much else.
There is also RealXtend, a project based on the Second Life client which is emphasizing performance and visual quality. Unfortunately, it also seems to be emphasizing Windows support, so your editor did not give it a try.
Free software clients are certainly an important tool to have; we will not be able to access this kind of virtual environment without them. But it would be a real shame if these clients simply facilitated a world where we use free clients to access locked-down, proprietary virtual worlds on somebody else's server. What would be much better would be the ability to create our own virtual worlds - using free software, of course - and to link those worlds into a larger virtual universe. That is the formula which made the World Wide Web (and many other Internet services) work, and it should certainly be applicable in this context as well.
The good news is that people are working in this area. One project, OpenSim, has the look of something which is about to achieve much wider awareness as its features mature. In short, OpenSim is a virtual world server which can be deployed to create environments much like what one would find in Second Life. It works with the Second Life client and with OpenViewer as well, and it presents a very similar experience - at least, in the virtual worlds which have been deployed so far. Since it's free software, it can be customized toward the creation of different kinds of environments, including role-playing games and such.
It is written with C# and Mono - seemingly a common choice for this kind of software. The Mono environment, for all its faults and potential pitfalls, may well make it easier to create a cross-platform application with the requisite features.
What makes OpenSim really interesting, though, is its ability to connect servers together in a "grid" mode. Once this is done, a virtual world is not limited to a single entity's server (or imagination). Servers across the net can be interconnected into a single, larger world. This is the feature which has the potential to take OpenSim from another interesting project into something which transforms the net.
There are a number of people organizing grids with OpenSim now; there is a list of public grids on the OpenSim site. Some of them appear to be relatively proprietary operations offering the opportunity to buy virtual land - though subprime loans are unavailable. Others allow anybody connect their server into the grid and become part of the whole. These grids appear, in general, to be in a sort of early adopter state at the moment, but much of the fundamental functionality is there. How hard could it be to make it all work properly at this point?
The answer to that question, of course, is "quite hard." But the fact remains that people are working on this very interesting problem, and they are making significant progress toward solving it. These projects bear watching; they may well be planting the seeds of the systems we will all be using in the coming years.
Bruce Perens and the OSI board
The Open Source Initiative (OSI) was formed almost ten years ago to safeguard the "Open Source" name. Over the years it has approved licenses and attempted some other activities while, generally, having little relevance to the wider community. It has often been seen as a relatively closed and non-democratic organization. Now one of OSI's founders is trying to get back into the organization and change its direction; the outcome of the resulting discussion may (or may not) change the direction of the OSI.Bruce Perens has launched a bid to be elected to the OSI board of directors, but this bid has not been particularly well received by the current board. His on-line petition to collect community support specifies a number of reasons that he wants to be on the board—those reasons are ruffling some feathers. Outgoing board member Matt Asay has taken Perens to task for some of his statements as has OSI president Michael Tiemann.
Perens's reasons for wanting to be on the board are threefold: reducing the over-representation of vendors, trying to ensure Microsoft does not get a seat on the board, and reducing license proliferation. The idea of a Microsoft seat on an open source organization's board is sure to rile a segment of the community, which is undoubtedly part of what Perens is hoping for. The likelihood of that happening is pretty small, though. Tiemann makes it clear that the board doesn't elect companies at all:
Microsoft and its employees do not currently contribute to open source in any substantial way, so there is little that would lead the board to nominate them. If that ever changes, it would be pretty disingenuous to deny someone a seat because of their employer's past—or even at that time, current—misbehavior. In addition, it is hard to see how one board member—Perens or someone "controlled" by Microsoft—is going to make such a crucial difference in what the board does anyway. In many ways, the Microsoft connection is a red herring—one sure to rally the troops, though.
Reducing license proliferation is a noble goal, one that the OSI tried to tackle a few years back without much in the way of tangible success. Perens states that he would like to see OSI do more reduce the number of licenses, but his claims about the number of licenses needed have raised eyebrows:
Part of the reason that Tiemann and others are skeptical is due to some obvious bad blood between the board and Perens over the license proliferation committee. LWN covered some of that "debate" in August 2005. Perens clearly believes he should have been a member just as strongly as others on the board seem to feel he should not have been. When the board was formed without him as a member, Perens refused to participate in the process in any way. It seems to stick in the craw of some for Perens to now claim that he has the solution. Russ Nelson, former OSI president and current board member—as well as a member of the committee—sums up the frustration in a comment on Tiemann's post:
Having a solution is not the same as convincing people to adopt it.
It is rather interesting to see Perens trying to get back on the board that he famously resigned from in 1999 after having founded the organization with Eric Raymond in 1998. This is not the first time Perens has lost interest and/or resigned from some form of community leadership position; Debian and UserLinux spring to mind. Though none of the expressed concerns about his candidacy have mentioned it, some must be wondering how long it would be before ideology or a shifting focus caused Perens to move on from a board position if he were elected.
Perens has been an excellent advocate for free software and/or open source over the years, but his tendency towards self-promotion grates on some. It may not be an ego thing, as he claims, but it certainly rubs some people the wrong way. The ego issue is one of the reasons that board observer Andrew Oliver does not support Perens for the board:
Asay certainly doesn't see Perens as having the right credentials either:
The petition drive came about because Tiemann encouraged Perens to show that there was strong community support for him to be a part of the board. As of this writing, the petition has garnered more than 1700 "signatures", which Perens believes is enough:
The OSI board is "self-replacing" with current board members nominating and electing candidates for empty slots. Each director serves for a three-year term, with roughly one-third coming up for election each year—though this year there are five slots to be filled. Three directors are standing for re-election, leaving two slots open. Unfortunately, it's not clear when the actual election will be held, nor is there likely to be any advance notice of who has been nominated. Transparency, it seems, is not one of the attributes of OSI.
Self-replacement and overlapping terms of office tend to give a certain stability to a board, but it also creates a kind of inbreeding. It is unlikely that a board will nominate people who think substantially differently from themselves. This is one thing that Perens is trying to circumvent with his very public candidacy. Whatever else can be said about Perens's candidacy, it is clear that he would bring a different voice into the OSI boardroom.
But, what is OSI really? Is it an organization that is somehow supposed to represent all of the diverse voices in the community? At the moment it appears to exist for the purpose of approving licenses and "protecting the Open Source Definition". Perens thinks it could be more than that. OSI itself seems to agree as they have been moving towards more relevance in the community. Oliver describes that effort:
OSI and its board are currently in a state of flux, trying to define a role for themselves that is broader than just a license approval body. There doesn't seem to be a lot of discontent within the board that might lead to Perens or another controversial figure being added. Whether this leads to continued stagnation or a more vibrant OSI remains to be seen. A more interesting question might be: will anyone care?
If OSI starts to do visible things for the community, it will finally acquire some relevance. Given the attitude towards his candidacy, it seems unlikely that Perens will be able to lead the board in that direction. Which leaves it up to the current board and the two new members—neither of which are likely to be Perens—to find a way to make the community care.
Page editor: Jonathan Corbet
Security
Voting machine integrity through transparency
It is hard to believe that governments would spend money on voting equipment that they are not allowed to test, but that is exactly what multiple counties in New Jersey appear to have done. They are certainly not alone, many other places are likely to have the same restrictions on "their" voting machines. This begs the question: where are the free software voting systems?
Union County wanted to ask Ed Felten to look at the voting machines it purchased from Sequoia Voting Systems because of several anomalies—less charitably known as miscounts—observed when using them in the primary elections. Once Sequoia got wind of the plan, they emailed Felten a nastygram because he might engage in "non-compliant analysis" of the machines in violation of the Sequoia license. It seems quite likely that is exactly what Felten and the county clerk had in mind as a third-party analysis is the only sensible way to evaluate voting machines.
Other jurisdictions have done better of late, with Felten's Freedom to Tinker weblog noting that California has denied certification for two voting machines from Election Systems & Software (ES&S). California Secretary of State Debra Bowen has been at the forefront of trying to ensure that voting machines work correctly. LWN's home state of Colorado also decertified a number of voting machines, but, like the earlier California study, it was done after those machines were purchased. As in California, it seems likely that Colorado will be using those machines in November.
Things are getting a little better, perhaps, but no one has, as yet, tried to take on the four major voting machine makers with a system that is built with security in mind. There is no reason that the source code for a voting machine could not be made available for study. The voting machine vendors claim all sorts of proprietary secret sauce in their code, but that isn't the real reason they hide it. Covering up their shoddy code is much more likely.
Every independent review of voting machines has found numerous, fundamental security flaws that should make anyone with an interest in the integrity of the election process cringe. Many of those analyses were done without the source code, so there is little doubt that even uglier problems would have been found in the code itself. It just cannot be that difficult to produce something vastly more secure than what is made available today.
One could speculate about the motives of these companies, but instead looking at what could be built, with mostly off-the-shelf software, is more fruitful. The place to start is by hiring a few good security-minded developers, while lining up an independent review team. One might guess that Felten and his associates would be a good place to start.
A stripped down Linux system could very easily be the basis for a voting machine, but other free software choices would serve just as well. Some user interface code for touchscreens and alternative input methods for those with disabilities would need to be written. Some kind of printing output device would need to be made a part of the system so that voter-verifiable audit trails—better yet, ballots that can be put into a locked box—can be created.
Source code availability does not, in and of itself, ensure vote security. That code needs to be reviewed by as many experts as can be found. In addition, there needs to be some mechanism to show that the source code being reviewed is the same as that being run.
For that reason, the system itself might run on some kind of Trusted Platform Module (TPM) chip so that interested parties can verify that the published code is the same as that running on the system. If the system runs Linux, it might use the integrity management patches for that. Most importantly, the outside interfaces (network, USB, PCMCIA, etc.) to the device would either not be present or be very tightly controlled. Any kind of removable vote recording memory would need adequate cryptographic safeguards to eliminate tampering between vote taking and vote tabulating machines.
Instead of an emphasis on PR, schmoozing, and bamboozling non-technical folks, the focus of a free software voting system would be on transparency. The number one goal would be to give everyone, from the least technical voter to the Bruce Schneiers of the world: confidence in the machines and the process. It is hard to fathom how anyone could want anything less.
The last updated vulnerabilities section
It would seem that the majority of the readers of this page are willing to part with the updated vulnerabilities section. Based on the comments we got over the last two weeks, we decided to remove it in future editions. So, this is the last week you will find one on the security page. You can always visit http://lwn.net/Vulnerabilities/ to get a look at the most recent vulnerabilities in our database.
New vulnerabilities
asterisk: multiple vulnerabilities
| Package(s): | asterisk | CVE #(s): | CVE-2007-6430 CVE-2008-1332 CVE-2008-1333 | |||||||||||||||
| Created: | March 20, 2008 | Updated: | April 25, 2008 | |||||||||||||||
| Description: | From the Debian alert:
CVE-2007-6430: Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups, which are configured to run without a password and only host-based authentication. CVE-2008-1332: Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
asterisk: multiple vulnerabilities
| Package(s): | asterisk | CVE #(s): | CVE-2008-1289 CVE-2008-1390 | ||||||
| Created: | March 24, 2008 | Updated: | March 26, 2008 | ||||||
| Description: | From the Red Hat bugzilla: CVE-2008-1289: Two buffer overflows exist in the RTP payload handling code of Asterisk. Both overflows can be caused by an INVITE or any other SIP packet with SDP. The request may need to be authenticated depending on configuration of the Asterisk installation. The first overflow is caused by sending a payload number that surpasses the programmed maximum payload number of 256. This causes an invalid memory write outside of the buffer. While this does not allow the attacker to write arbitrary data it does allow the attacker to write a 0 to other memory locations. The second overflow is caused by sending more than 32 RTP payloads. This causes a buffer on the stack to overflow allowing the attacker to write values between 0 and 256 (the maximum payload number) to memory locations after the buffer. CVE-2008-1390: Due to the way that manager IDs are calculated, this 32-bit integer is likely to have a much larger than average number of 1s, which greatly reduces the number of guesses an attacker would have to make to successfully predict the manager ID, which is used across multiple HTTP queries to hold manager state. | ||||||||
| Alerts: |
| ||||||||
bzip2: denial of service
| Package(s): | bzip2 | CVE #(s): | CVE-2008-1372 | |||||||||||||||||||||
| Created: | March 24, 2008 | Updated: | April 9, 2008 | |||||||||||||||||||||
| Description: | From the CVE entry: bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 26, 2008 | Updated: | May 8, 2008 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Firefox 2.0.0.13 release contains fixes for several vulnerabilities; see this list for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
JBoss: inject and execute arbitrary commands
| Package(s): | JBoss | CVE #(s): | CVE-2007-6306 CVE-2007-6433 | |||
| Created: | March 25, 2008 | Updated: | March 26, 2008 | |||
| Description: | The JFreeChart component was vulnerable to multiple cross-site scripting (XSS) vulnerabilities. An attacker could misuse the image map feature to inject arbitrary web script or HTML via several attributes of the chart area. The setOrder method in the org.jboss.seam.framework.Query class did not properly validate user-supplied parameters. This vulnerability allowed remote attackers to inject and execute arbitrary EJBQL commands via the order parameter. | |||||
| Alerts: |
| |||||
krb5: memory use after free
| Package(s): | krb5 | CVE #(s): | CVE-2007-5901 | |||||||||
| Created: | March 24, 2008 | Updated: | March 26, 2008 | |||||||||
| Description: | From the CVE entry: Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code. | |||||||||||
| Alerts: |
| |||||||||||
libsilc: buffer overflow
| Package(s): | libsilc | CVE #(s): | |||||||
| Created: | March 24, 2008 | Updated: | March 26, 2008 | ||||||
| Description: | From the Red Hat bugzilla: SILC Toolkit contains a possible buffer overflow from PKCS#1 message decoding in versions earlier than 1.1.7. Specially crafted digital signature can be used to crash the program. | ||||||||
| Alerts: |
| ||||||||
namazu: cross-site scripting
| Package(s): | namazu | CVE #(s): | CVE-2008-1468 | ||||||
| Created: | March 26, 2008 | Updated: | March 26, 2008 | ||||||
| Description: | The sanitizing of input to namazu does not work properly with certain encodings, allowing HTML directives and script code to be injected into content. | ||||||||
| Alerts: |
| ||||||||
openssh: hijacking of forwarded X connections
| Package(s): | openssh | CVE #(s): | CVE-2008-1483 | ||||||||||||||||||
| Created: | March 25, 2008 | Updated: | April 11, 2008 | ||||||||||||||||||
| Description: | OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
ruby: directory traversal
| Package(s): | ruby | CVE #(s): | CVE-2008-1145 | |||
| Created: | March 25, 2008 | Updated: | March 26, 2008 | |||
| Description: | Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. | |||||
| Alerts: |
| |||||
serendipity : insufficient input sanitizing
| Package(s): | serendipity | CVE #(s): | CVE-2007-6205 CVE-2008-0124 | |||
| Created: | March 25, 2008 | Updated: | March 26, 2008 | |||
| Description: | Serendipity, a weblog manager, did not properly sanitize input to several scripts which allowed for cross site scripting. | |||||
| Alerts: |
| |||||
ssl-cert: certificate disclosure
| Package(s): | ssl-cert | CVE #(s): | CVE-2008-1383 | |||
| Created: | March 20, 2008 | Updated: | March 26, 2008 | |||
| Description: | From the Gentoo alert:
Robin Johnson reported that the docert() function provided by ssl-cert.eclass can be called by source building stages of an ebuild, such as src_compile() or src_install(), which will result in the generated SSL keys being included inside binary packages (binpkgs). A local attacker could recover the SSL keys from publicly readable binary packages when "emerge" is called with the "--buildpkg (-b)" or "--buildpkgonly (-B)" option. Remote attackers can recover these keys if the packages are served to a network. | |||||
| Alerts: |
| |||||
viewvc: multiple vulnerabilities
| Package(s): | viewvc | CVE #(s): | CVE-2008-1290 CVE-2008-1291 CVE-2008-1292 | |||
| Created: | March 20, 2008 | Updated: | March 26, 2008 | |||
| Description: | From the Gentoo alert:
Multiple unspecified errors were reportedly fixed by the ViewVC development team. A remote attacker could send a specially crafted URL to the server to list CVS or SVN commits on "all-forbidden" files, access hidden CVSROOT folders, and view restricted content via the revision view, the log history, or the diff view. | |||||
| Alerts: |
| |||||
xine-lib: arbitrary code execution
| Package(s): | xine-lib | CVE #(s): | CVE-2008-0073 | |||||||||||||||||||||
| Created: | March 24, 2008 | Updated: | April 23, 2008 | |||||||||||||||||||||
| Description: | From the Red Hat bugzilla: Secunia Research has discovered a vulnerability in xine-lib, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "sdpplin_parse()" function in input/libreal/sdpplin.c. This can be exploited to overwrite arbitrary memory regions via an overly large "streamid" SDP parameter included in a malicious RTSP stream. Successful exploitation allows execution of arbitrary code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
xwine: several vulnerabilities
| Package(s): | xwine | CVE #(s): | CVE-2008-0930 CVE-2008-0931 | |||
| Created: | March 21, 2008 | Updated: | March 26, 2008 | |||
| Description: | The xwine command makes unsafe use of local temporary files when printing. This could allow the removal of arbitrary files belonging to users who invoke the program. The xwine command changes the permissions of the global WINE configuration file such that it is world-writable. This could allow local users to edit it such that arbitrary commands could be executed whenever any local user executed a program under WINE. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
cairo: integer overflow
| Package(s): | Cairo | CVE #(s): | CVE-2007-5503 | |||||||||||||||||||||||||||||||||
| Created: | November 29, 2007 | Updated: | April 10, 2008 | |||||||||||||||||||||||||||||||||
| Description: | Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
MySQL: privilege escalation
| Package(s): | MySQL | CVE #(s): | CVE-2007-3781 CVE-2007-5969 | ||||||||||||||||||||||||||||||
| Created: | December 11, 2007 | Updated: | April 7, 2008 | ||||||||||||||||||||||||||||||
| Description: | MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)
MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781) | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
SDL_image: buffer overflows
| Package(s): | SDL_image | CVE #(s): | CVE-2007-6697 CVE-2008-0544 | |||||||||||||||
| Created: | February 8, 2008 | Updated: | March 27, 2008 | |||||||||||||||
| Description: | From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE | CVE #(s): | CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Xorg: multiple vulnerabilities
| Package(s): | Xorg | CVE #(s): | CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 17, 2008 | Updated: | April 4, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the X.org security advisory: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | ||||||||||||||||||
| Created: | August 9, 2006 | Updated: | April 4, 2008 | ||||||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache: several vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 15, 2008 | Updated: | April 4, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388) A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
asterisk: possible SQL injection
| Package(s): | asterisk | CVE #(s): | CVE-2007-6170 | |||||||||
| Created: | December 3, 2007 | Updated: | April 15, 2008 | |||||||||
| Description: | Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection. | |||||||||||
| Alerts: |
| |||||||||||
audacity: insecure tmpfile handling
| Package(s): | audacity | CVE #(s): | CVE-2007-6061 | ||||||
| Created: | March 3, 2008 | Updated: | March 21, 2008 | ||||||
| Description: | From the Gentoo advisory:
Viktor Griph reported that the "AudacityApp::OnInit()" method in file src/AudacityApp.cpp does not handle temporary files properly. A local attacker could exploit this vulnerability to conduct symlink attacks to delete arbitrary files and directories with the privileges of the user running Audacity. | ||||||||
| Alerts: |
| ||||||||
backup-manager: password disclosure
| Package(s): | backup-manager | CVE #(s): | CVE-2007-4656 | |||
| Created: | March 17, 2008 | Updated: | March 19, 2008 | |||
| Description: | From the Debian advisory: Micha Lenk discovered that backup-manager, a command-line backup tool, sends the password as a command line argument when calling a FTP client, which may allow a local attacker to read this password (which provides access to all backed-up files) from the process listing. | |||||
| Alerts: |
| |||||
cacti: multiple vulnerabilities
| Package(s): | cacti | CVE #(s): | CVE-2008-0783 CVE-2008-0784 CVE-2008-0785 CVE-2008-0786 | |||||||||||||||
| Created: | February 28, 2008 | Updated: | May 6, 2008 | |||||||||||||||
| Description: | From the Mandriva alert: A number of vulnerabilities were found in the Cacti program, including XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection vulnerabilities, and information disclosure vulnerabilities. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
clamav: arbitrary code execution
| Package(s): | clamav | CVE #(s): | CVE-2008-0318 | ||||||||||||||||||
| Created: | February 13, 2008 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | From the CVE: Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
clamav: arbitrary file overwrite
| Package(s): | clamav | CVE #(s): | CVE-2007-6595 | |||||||||
| Created: | February 18, 2008 | Updated: | April 24, 2008 | |||||||||
| Description: | From the CVE entry: ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled. | |||||||||||
| Alerts: |
| |||||||||||
clamav: heap corruption
| Package(s): | clamav | CVE #(s): | CVE-2008-0728 | |||||||||
| Created: | February 22, 2008 | Updated: | April 18, 2008 | |||||||||
| Description: | From the CVE entry: libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption." | |||||||||||
| Alerts: |
| |||||||||||
cups: heap overflow
| Package(s): | cups | CVE #(s): | CVE-2008-0047 | |||||||||||||||||||||||||||
| Created: | March 19, 2008 | Updated: | April 9, 2008 | |||||||||||||||||||||||||||
| Description: | The cups package suffers from a heap overflow vulnerability in the cgiCompileSearch() function. This vulnerability could be exploited remotely if the print server shares printers over the network. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2008-0882 | ||||||||||||||||||||||||
| Created: | February 22, 2008 | Updated: | April 3, 2008 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cups: multiple vulnerabilities
| Package(s): | cups | CVE #(s): | CVE-2007-5849 CVE-2007-6358 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393 | ||||||||||||||||||||||||
| Created: | December 19, 2007 | Updated: | April 3, 2008 | ||||||||||||||||||||||||
| Description: | The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
debian-goodies: privilege escalation
| Package(s): | debian-goodies | CVE #(s): | CVE-2007-3912 | ||||||
| Created: | October 5, 2007 | Updated: | March 24, 2008 | ||||||
| Description: | Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart. | ||||||||
| Alerts: |
| ||||||||
dovecot: multiple vulnerabilities
| Package(s): | dovecot | CVE #(s): | CVE-2008-1199 CVE-2008-1218 | ||||||||||||||||||
| Created: | March 13, 2008 | Updated: | March 27, 2008 | ||||||||||||||||||
| Description: | From the Fedora alert:
CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, <user>:mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem. If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now) CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
emacs: buffer overflow
| Package(s): | emacs | CVE #(s): | CVE-2007-6109 | ||||||||||||
| Created: | December 10, 2007 | Updated: | May 6, 2008 | ||||||||||||
| Description: | From the National Vulnerability Database: Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line. | ||||||||||||||
| Alerts: |
| ||||||||||||||
exiftags: multiple vulnerabilities
| Package(s): | exiftags | CVE #(s): | CVE-2007-6354 CVE-2007-6355 CVE-2007-6356 | |||||||||
| Created: | December 31, 2007 | Updated: | April 1, 2008 | |||||||||
| Description: | From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356). | |||||||||||
| Alerts: |
| |||||||||||
firebird: multiple vulnerabilities
| Package(s): | firebird | CVE #(s): | CVE-2008-0387 CVE-2008-0467 | ||||||
| Created: | March 3, 2008 | Updated: | March 27, 2008 | ||||||
| Description: | From the Gentoo advisory:
Firebird does not properly handle certain types of XDR requests, resulting in an integer overflow (CVE-2008-0387). Furthermore, it is vulnerable to a buffer overflow when processing usernames (CVE-2008-0467). A remote attacker could send specially crafted XDR requests or an overly long username to the vulnerable server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application. | ||||||||
| Alerts: |
| ||||||||
firebird: buffer overflow
| Package(s): | firebird | CVE #(s): | CVE-2007-3181 | ||||||
| Created: | July 2, 2007 | Updated: | March 27, 2008 | ||||||
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. | ||||||||
| Alerts: |
| ||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2008-0414 CVE-2008-0416 CVE-2008-0420 CVE-2008-0594 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 8, 2008 | Updated: | March 26, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious
website could force arbitrary files from the user's computer to be
uploaded without consent. (CVE-2008-0414)
Various flaws were discovered in character encoding handling. If a user were ticked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416) Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420) Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||