Will the real Firebird please stand up?
One of the many changes called for in the new Mozilla roadmap was a new
emphasis on the
Phoenix browser - and a
new name. The Phoenix name, it seems, has a number of trademark problems.
So the Mozilla project, after some thought, came up with a new name for its
to-be flagship browser: Firebird.
There's only one problem: the Firebird relational database
project has been using that name since 2000. This project is working
on a fork of the InterBase code; it just announced
the availability of the first Firebird 1.5 release candidate. The
Firebird developers are, needless to say, less than impressed with
Phoenix's new name.
The response from the Mozilla project, to the extent that there has been
one, seems to be that the two projects exist in different spaces, so there
is no naming conflict. The fact that "Firebird" is the name of an
automobile made by Pontiac is not a concern; a relational database with
that name is no more of a problem. Mozilla and its corporate sponsor may
have a defensible argument with regard to trademark law, but this is
clearly not a good way to treat other members of the free software
community. The Firebird name is not yet established - in the browser
domain, anyway. The Mozilla project should pick a new one now, when it is
still easy.
Comments (14 posted)
A new SCO distribution
SCO has sent out
a
press release on a new version of SCO Linux Server 4.0. It is a
fairly mundane offering; SCO, too, wants to sell high-priced "enterprise"
version of its distribution; the version just released starts at $999 and
runs on the Itanium architecture. It is only "licensed" for up to four
processors, however; bigger machines will cost more.
If you go to the product page on
SCO's site, though, you see some interesting things. They advertise all
sorts of "next-generation enterprise features" including logical volume
management, asynchronous I/O, the O(1) scheduler, journaling filesystems
(including JFS), PCI hotplugging, high availability features, etc. All the
sort of stuff that an aspiring business distribution with a (probably) Red
Hat-derived kernel should have.
The only problem, of course, is that these are all features that, according
to SCO's suit against IBM, could not exist in Linux unless SCO's
proprietary technology had been stolen and put there illegally. SCO is
even advertising features (JFS, EVMS) that were directly developed and
contributed by IBM; JFS was even listed explicitly in the company's
complaint. This is all stuff that, according to SCO, is
destroying SCO's Unix business and depriving the company of a billion
dollars (minimum) worth of intellectual property.
The proprietary technology that, according to SCO, was misappropriated is
certainly contained in this new distribution. And SCO is shipping it with
source, licensed under the GPL. Before filing suit, SCO might have been
able to claim that they didn't know that "their" property was contained
within their Linux distribution. But they have no "plausable deniability"
now. SCO is, itself, shipping the code that, it claims, is destroying
its business. The company is trying to have it both ways, selling Linux
while claiming that the product is tainted. It would be interesting to
hear how SCO justifies this position. Unfortunately, SCO did not respond
to questions sent by LWN, so we can't tell you.
Comments (7 posted)
What's happening with SPI?
[This article was contributed by Joe 'Zonker' Brockmeier]
What is Software in the Public
Interest (SPI) up to these days, and does anybody care? If you're
newish to the Linux Community, it wouldn't be surprising if you hadn't
![[SPI]](/images/ns/spi.jpg)
heard of SPI, though SPI and the Open Source Initiative (OSI) were big
news back in 1998 when they were squabbling over the
Open Source trademark.
SPI is a non-profit organization that acts as a kind of umbrella
organization for Free Software projects like Debian, the Linux Standard Base and GNOME. SPI is a non-profit
organization, and it accepts donations for the projects and holds the
trademarks for supported projects that have them.
SPI has two classes
of membership, non-contributing and contributing. The only requirement
for a non-contributing membership is a valid e-mail address, but it does not
confer voting rights. Contributing membership is reserved for "people
who are actively contributing to the free software community."
Recently SPI added three new members to its board of directors, Bruce
Perens, John Goerzen, and Benjamin Mako Hill. Perens, who originally
helped found SPI, left the organization in 1998 to work with the OSI and
was part of the big dust up over the Open Source
trademark. SPI board
members are elected by contributing members of SPI.
Prior to the recent election, Perens said that the group was having
problems making a quorum at board meetings. In fact, V.P. Martin Schulze
resigned
his position as V.P. because several other members were not donating enough
time to their positions. Ean Schuessler is now V.P., and the position of
president is still
vacant after
Nils
Lohner stepped down
last December.
Recently, there had also been some concerns about allocation of funds by
SPI, but the new board passed
a resolution to clarify how donations would be earmarked. SPI will also
no longer be taking a five percent cut of donations for overhead, because
it was not clear that part of a donation for a specific project, like
Debian, would be going towards SPI.
For the most part, SPI's functions are pretty low-key. Perens says that
SPI's function is basically to "handle funds well" for its
organizations. According to Schulze, one of the things that SPI is
currently working on is counting votes for the Open and Free Technology Community
election, and working against "reasonable and non-discriminatory" patent
policies in several standards organizations.
Perens says that board is now making quorum at meetings and that things
should go more smoothly in the future. "Can't say there's a ton of news.
There used to be problems, but they're not problems anymore."
Comments (3 posted)
An installation nightmare story
The installation nightmare story was a fairly common feature of the
late-90's press. Some reporter who had never tried to install any sort of
operating system before would write about his or her horrifying week trying
to get Linux running on some system or other. The conclusion, invariably,
was that Linux wasn't ready for the masses.
You don't often see that sort of story anymore; the mainstream
distributions have become ridiculously easy to install. And, if you don't
want to
worry about installation, plenty of companies will happily sell you a
system with Linux already on it.
But that doesn't mean that all the problems have now been solved...
Your editor recently needed to replace a failing inkjet printer. Some time
spent wandering the detailed information at LinuxPrinting.org turned up a
reasonably inexpensive model which, according to the information there,
"works perfectly." That is music to a Linux user's ears, of course. So, a
quick trip and some minor credit card damage later, the printer sat on the
table, ready to start burning through expensive ink cartridges.
I'll not inflict upon you the details of what it took to make this printer
work on an almost-current Red Hat Linux system. In general terms, it
required building new versions of CUPS and gimp-print from source, editing
the PPD file by hand, and several other hacks. It took a couple days of
effort. Now, your editor has been making printers work on Unix (and other)
systems for a good twenty years. Printers have always been a pain.
But this was worse than many.
It should be pointed out that, in a lot of ways, things are better than
they have ever been. It is possible to put an inexpensive printer onto a
Linux box, get top-quality output in all of the modes that the printer
supports, and make it available over the network. Only a few years
ago, doing this required hacking on filter scripts and learning more about
strange ghostscript options than one would ever want to know. Now, most of
the hard work has been done; it's mostly a matter of getting the right
software running in the right place. The people working on Linux printing
have done an impressive amount of great work.
But it's not yet enough. Users should not have to rip out their print
system by the roots and rebuild it from source just to plug in an
off-the-shelf printer. They should not have to navigate a complex array of
software with names like foomatic, gimp-print, ghostscript, etc. and figure
out how it all goes together. They should not even have to upgrade to a
bleeding-edge distribution to make their printer work.
Windows users don't have to go through that sort of process. Of course,
they have the advantage that their new printer comes with a CD containing
the software needed to make that printer work. Linux users do not (yet!)
receive any such courtesy. So we have to come up with a different way.
Some of the work has been done. The PPD files used by modern free printing
systems contain much of the information needed to present an interface to
the user. What's missing is a description of how to drive the printer. We
need a means of describing printers in data, so that support for any
printer is just a text file away. This was done for terminals a good
twenty years ago; getting vi to work on a terminal was just a
matter of setting an environment variable. Printers are harder to describe
than ASCII terminals, but we've solved a lot of hard problems over the
years.
Imagine a world where any Linux user can go to the store and buy a nice
looking printer, along with plenty of spare flesh-tone, DMCA-protected ink
cartridges. The system, once it notices that a new printer has been
plugged in, goes out on the net and grabs the right description files. And
the printer just works. That would be a system that is ready for
desktop and home users. And it's something that we should be able to
achieve.
Comments (13 posted)
Page editor: Jonathan Corbet
Security
Security news
How the spammers find you
The Center for Democracy and Technology has released
the results
from a six-month survey on how spammers obtain email addresses. The
researchers created a few hundred special-purpose email addresses, then
carefully exposed each one in exactly one place. After that, it was mostly
a matter of sitting back and waiting for the spam to roll in. The
destination of each spam indicated where the address had been found.
The report is well worth a read. For those of you in a hurry, here are the
highlights of the group's conclusions:
- By far the most spam was sent to addresses harvested from web pages.
Postings to Usenet newsgroups came in a distant second. On Usenet,
posters to groups like alt.sex.erotica will receive vastly more spam
than those posting to misc.industry.insurance.
- Even the most simple sort of address obfuscation
("lwn at lwn.net") appears to be highly effective.
- Dictionary attacks (simply trying login names from a list) result in a
significant amount of delivered spam. Short account names are more
likely to receive this sort of spam than longer ones.
- Contrary to expectations, the WHOIS domain name database is not a big
source of spam.
- Most web sites honor their promises regarding unsolicited email - but
you do have to be careful about making your wishes clear.
Regardless of source, spam is an increasing problem; the volume of spam
sent to lwn@lwn.net (hmm...make that
lwn at lwn.net) is now running about 500 messages per
day. If it weren't for SpamAssassin, we would have a hard time
dealing with our email at all.
Comments (7 posted)
April CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for April is out. Topics this
month include "catalog attacks" (signing up a victim for large amounts of
junk mail), the National Crime Information Center database, and several
other topics. "
Security decisions are always about more than security. When trying to
evaluate a particular decision, always pay attention to the
non-security agendas of the people involved."
Full Story (comments: none)
New vulnerabilities
epic: buffer overflows
| Package(s): | epic |
CVE #(s): | |
| Created: | April 15, 2003 |
Updated: | April 16, 2003 |
| Description: |
Timo Sirainen discovered several problems in EPIC, a popular client for
Internet Relay Chat (IRC). A malicious server could craft special reply
strings, triggering the client to write beyond buffer boundaries. This
could lead to a denial of service if the client only crashes, but may also
lead to executing of arbitrary code under the user id of the chatting user. |
| Alerts: |
|
Comments (none posted)
gs-common: insecure temporary file
| Package(s): | gs-common |
CVE #(s): | |
| Created: | April 14, 2003 |
Updated: | April 16, 2003 |
| Description: |
Paul Szabo discovered insecure creation of a temporary file in
ps2epsi, a script that is distributed as part of gs-common which
contains common files for different Ghostscript releases. ps2epsiuses
a temporary file in the process of invoking ghostscript. This file
was created in an insecure fashion, which could allow a local attacker
to overwrite files owned by a user who invokes ps2epsi. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
kde: arbitrary code execution
| Package(s): | kde |
CVE #(s): | CAN-2003-0204
|
| Created: | April 10, 2003 |
Updated: | June 30, 2003 |
| Description: |
The KDE Security team has issued an advisory
on a vulnerability present in all versions of KDE that allow a remote
attacker to execute arbitrary commands under your account. KDE 3.0.5b and
KDE 3.1.1a have been released to address this problem. For KDE 2.2.2
patches to the KDE 2.2.2 sources have been made available.
KDE uses Ghostscript software for processing of PostScript (PS) and PDF
files in a way that allows for the execution of arbitrary commands that can
be contained in such files.
An attacker can prepare a malicious PostScript or PDF file which will
provide the attacker with access to the victim's account and privileges
when the victim opens this malicious file for viewing or when the victim
browses a directory containing such malicious file and has file previews
enabled.
An attacker can provide malicious files remotely to a victim in an e-mail,
as part of a webpage, via an ftp server and possible other means. |
| Alerts: |
|
Comments (none posted)
LPRng: insecure temporary file
| Package(s): | LPRng |
CVE #(s): | CAN-2003-0136
|
| Created: | April 14, 2003 |
Updated: | June 16, 2003 |
| Description: |
Karol Lewandowski discovered that psbanner, a printer filter that
creates a PostScript format banner and is part of LPRng, insecurely
creates a temporary file for debugging purpose when it is configured
as filter. The program does not check whether this file already
exists or is linked to another place writes its current environment
and called arguments to the file unconditionally with the user id
daemon. |
| Alerts: |
|
Comments (none posted)
xfsdump: insecure file creation
| Package(s): | xfsdump |
CVE #(s): | CAN-2003-0173
|
| Created: | April 11, 2003 |
Updated: | April 16, 2003 |
| Description: |
Ethan Benson discovered a problem in xfsdump, that contains administrative
utilities for the XFS filesystem. When filesystem quotas are enabled
xfsdump runs xfsdq to save the quota information into a file at the root of
the filesystem being dumped. The manner in which this file is created is
unsafe.
While fixing this, a new option ``-f path'' has been added to xfsdq(8) to
specify an output file instead of using the standard output stream. This
file is created by xfsdq and xfsdq will fail to run if it exists already.
The file is also created with a more appropriate mode than whatever the
umask happened to be when xfsdump(8) was run. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache 2.x: denial of service
| Package(s): | apache |
CVE #(s): | CAN-2003-0132
|
| Created: | April 9, 2003 |
Updated: | May 1, 2003 |
| Description: |
Apache 2.0.x (for <= 44) have a denial of service vulnerability; Apache 2.0.45 fixes the problem. |
| Alerts: |
|
Comments (1 posted)
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
CVE #(s): | CAN-2002-0004
|
| Created: | May 20, 2002 |
Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: |
|
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
BitchX - denial of service
| Package(s): | BitchX |
CVE #(s): | |
| Created: | February 20, 2003 |
Updated: | May 26, 2003 |
| Description: |
From this Bugtraq posting:
A denial of service vulnerability exists in BitchX. Sending a malformed
RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was
reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are
unaware of any patches or workarounds provided by panasync and or any
members of #bitchx |
| Alerts: |
|
Comments (none posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
CVE #(s): | CAN-2002-1158
CAN-2002-1159
|
| Created: | December 10, 2002 |
Updated: | September 30, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159 |
| Alerts: |
|
Comments (none posted)
dvips: command execution vulnerability
| Package(s): | dvips |
CVE #(s): | CAN-2002-0836
|
| Created: | October 16, 2002 |
Updated: | June 10, 2003 |
| Description: |
The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. |
| Alerts: |
|
Comments (none posted)
EOG: vulnerability in Eye of GNOME
| Package(s): | EOG |
CVE #(s): | CAN-2003-0165
|
| Created: | April 3, 2003 |
Updated: | April 16, 2003 |
| Description: |
A vulnerability was found in EOG version 2.2.0 and earlier. A carefully
crafted filename passed to the program could lead to the execution of
arbitrary code. An attacker could exploit this because various packages
(Mutt, for example) make use of EOG for image viewing. |
| Alerts: |
|
Comments (none posted)
ethereal - format string vulnerability
| Package(s): | ethereal |
CVE #(s): | CAN-2003-0081
|
| Created: | March 10, 2003 |
Updated: | June 12, 2003 |
| Description: |
The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string
overflow. This vulnerability has been present in Ethereal since the SOCKS
dissector was introduced in version 0.8.7. It was discovered by Georgi
Guninski. Additionally, the NTLMSSP code is susceptible to a heap
overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade.
See the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
evolution: multiple vulnerabilities
| Package(s): | Evolution |
CVE #(s): | CAN-2003-0128
CAN-2003-0129
CAN-2003-0130
|
| Created: | March 21, 2003 |
Updated: | May 14, 2003 |
| Description: |
Multiple vulnerabilities have been found in Ximian's Evolution Mail User
Agent, according to this
CoreLabs advisory.
"Three vulnerabilities were found that could lead to various forms of
exploitation ranging from denying to users the ability to read email,
provoke system unstability, bypassing security context checks for email
content and possibly execution of arbitrary commands on vulnerable
systems."
Ximian Evolution is a personal and
workgroup information management solution for Linux and UNIX-based
systems. The software integrates email, calendaring, meeting scheduling,
contact management, and task lists, in one application. |
| Alerts: |
|
Comments (1 posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
CVE #(s): | CAN-2002-1365
|
| Created: | December 17, 2002 |
Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: |
|
Comments (3 posted)
file - memory allocation problem, stack overflow
| Package(s): | file |
CVE #(s): | CAN-2003-0102
|
| Created: | March 4, 2003 |
Updated: | June 4, 2003 |
| Description: |
Jeff Johnson found a memory allocation problem and David Endler found a
stack overflow corruption problem in the file "Automatic File Content
Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section
and program header handling in file version 3.40. The folks at OpenPKG
believe that file versions without those modifications are vulnerable to
memory allocation and stack overflow problems which put security at risk. |
| Alerts: |
|
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
CVE #(s): | CAN-2002-0435
|
| Created: | May 20, 2002 |
Updated: | May 16, 2003 |
| Description: |
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
CVE #(s): | CAN-2002-0391
|
| Created: | August 14, 2002 |
Updated: | June 29, 2003 |
| Description: |
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
|
| Alerts: |
|
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
CVE #(s): | CAN-2002-1146
|
| Created: | November 7, 2002 |
Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
glibc: integer overflow in the xdrmem_getbytes() function
| Package(s): | glibc krb5 dietlibc |
CVE #(s): | CAN-2003-0028
|
| Created: | March 21, 2003 |
Updated: | May 27, 2003 |
| Description: |
An integer overflow in the xdrmem_getbytes() function, and possibly other
functions, of XDR (external data representation) libraries derived from
SunRPC, including libnsl, libc, and glibc, allows remote attackers to
execute arbitrary code via certain integer values in length fields
See
CAN-2003-0028 and CERT advisory
CA-2003-10 for more information. |
| Alerts: |
|
Comments (3 posted)
IMP - SQL injection vulnerability
| Package(s): | imp |
CVE #(s): | CAN-2003-0025
|
| Created: | January 15, 2003 |
Updated: | July 8, 2003 |
| Description: |
The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL
injection; see this advisory for details.
Version 3.x is not vulnerable to this problem. |
| Alerts: |
|
Comments (1 posted)
ircii: buffer overflow vulnerability
| Package(s): | ircii |
CVE #(s): | |
| Created: | March 20, 2003 |
Updated: | April 22, 2003 |
| Description: |
Timo Sirainen audited ircII based clients (see this Bugtraq post) and
found some buffer overflow vulnerabilities in ircii-20020912. |
| Alerts: |
|
Comments (none posted)
kerberos - cryptographic weakness
| Package(s): | kerberos, heimdal, openafs |
CVE #(s): | CAN-2003-0138
CAN-2003-0139
|
| Created: | March 26, 2003 |
Updated: | May 27, 2003 |
| Description: |
Version 4 of the Kerberos protocol contains a cryptographic weakness which enables a chosen-plaintext attack. A suitably equipped attacker can impersonate any principal in the realm. Another weakness allows the creation of false Kerberos tickets. Given the weaknesses in the cryptography, cross-realm authentication cannot be performed in a secure way.
OpenAFS
kaserver implements version 4 of the Kerberos protocol, and therefore
is also vulnerable. |
| Alerts: |
|
Comments (none posted)
kernel - ptrace-related vulnerability
| Package(s): | kernel |
CVE #(s): | CAN-2003-0127
|
| Created: | March 17, 2003 |
Updated: | June 30, 2003 |
| Description: |
Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in
ptrace() which may be exploited by a local user to obtain root
access. This announcement contains the
details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released
which contains the fix. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
lprold - buffer overflow in lprm
| Package(s): | lprold lpd |
CVE #(s): | CAN-2003-0144
|
| Created: | March 13, 2003 |
Updated: | May 28, 2003 |
| Description: |
The lprm command of the printing package lprold contains a buffer
overflow. This buffer overflow can be exploited by a local user, if the
printer system is set up correctly, to gain root privileges. |
| Alerts: |
|
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
CVE #(s): | CAN-2002-1405
|
| Created: | November 19, 2002 |
Updated: | September 30, 2003 |
| Description: |
If lynx is given a url with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405 |
| Alerts: |
|
Comments (none posted)
perl-MailTools: remote command execution
| Package(s): | MailTools |
CVE #(s): | CAN-2002-1271
|
| Created: | November 5, 2002 |
Updated: | September 19, 2003 |
| Description: |
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
|
| Alerts: |
|
Comments (none posted)
man - code execution vulnerability
| Package(s): | man |
CVE #(s): | CAN-2003-0124
|
| Created: | March 19, 2003 |
Updated: | May 7, 2003 |
| Description: |
Versions of man prior to 1.51 contain a code execution vulnerability which can be exploited by a carefully crafted man file. See this advisory for the details. |
| Alerts: |
|
Comments (none posted)
mgetty spool permission
| Package(s): | mgetty |
CVE #(s): | CAN-2002-1391
CAN-2002-1392
|
| Created: | April 8, 2003 |
Updated: | May 13, 2003 |
| Description: |
mgetty is a getty replacement for use with data and fax modems.
mgetty can be configured to run an external program to decide whether or
not to answer an incoming call based on Caller ID information. Unpatched
versions of mgetty prior to 1.1.29 would overflow an internal buffer if the
caller name reported by the modem was too long.
Additionally, the faxspool script supplied with versions of mgetty prior to
1.1.29 used a simple permissions scheme to allow or deny fax transmission
privileges. This scheme was easily circumvented because the spooling
directory used for outgoing faxes was world-writable. |
| Alerts: |
|
Comments (none posted)
micq: Denial of service
| Package(s): | micq |
CVE #(s): | |
| Created: | December 13, 2002 |
Updated: | April 24, 2003 |
| Description: |
Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client,
discovered a problem in mICQ. Receiving certain ICQ message types
that do not contain the required 0xFE seperator causes all versions to
crash. |
| Alerts: |
|
Comments (none posted)
mutt: buffer overflow in IMAP client code
| Package(s): | mutt |
CVE #(s): | CAN-2003-0140
|
| Created: | March 21, 2003 |
Updated: | April 22, 2003 |
| Description: |
Core
Security Technologies has found a remotely exploitable buffer overflow
in mutt's IMAP client code. This Bugtraq post
contains additional information.
The problem has been fixed in Mutt 1.4.1 (stable) and 1.5.4 (unstable). |
| Alerts: |
|
Comments (none posted)
MySQL: multiple vulnerabilities
| Package(s): | mysql |
CVE #(s): | |
| Created: | December 13, 2002 |
Updated: | April 10, 2003 |
| Description: |
The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks, and, possibily, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems. |
| Alerts: |
|
Comments (none posted)
mysql - configuration file vulnerability
| Package(s): | mysql mysqld |
CVE #(s): | CAN-2003-0150
|
| Created: | March 18, 2003 |
Updated: | May 16, 2003 |
| Description: |
According to a
report on BugTraq, a vulnerability exists in
version 3.23.55 and earlier versions of the MySQL server. If the MySQL server is
launched by root, as it is often done by system startup scripts, any
database users with the "FILE" privilege can write a configuration file
(usually my.cnf) that causes the MySQL server to run under an arbitrary
user id, including the user id of the super-user, on the next restart. |
| Alerts: |
|
Comments (none posted)
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye |
CVE #(s): | CAN-2003-0358
CAN-2003-0359
|
| Created: | February 18, 2003 |
Updated: | July 15, 2003 |
| Description: |
Overflowing a buffer in nethack may lead to privilege escalation to games
uid.
Read the the full advisory for the details.
Note that falconseye does not contain the file permission error
CAN-2003-0359 which affected some other nethack packages. |
| Alerts: |
|
Comments (none posted)
NetPBM: math overflow errors
| Package(s): | NetPBM |
CVE #(s): | CAN-2003-0146
|
| Created: | March 17, 2003 |
Updated: | May 27, 2003 |
| Description: |
Al Viro and Alan Cox discovered several maths overflow errors in
NetPBM, a set of graphics conversion tools. These programs are not
installed setuid root but are often installed to prepare data for
processing. These vulnerabilities may allow remote attackers to cause
a denial of service or execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
netscape-flash: buffer overflow
| Package(s): | netscape-flash |
CVE #(s): | |
| Created: | March 10, 2003 |
Updated: | June 20, 2003 |
| Description: |
Potentially exploitable buffer overflows exist in the Macromedia Flash
Player. The full advisory is here.
"The cumulative security patch is available today and addresses the
potential for exploits surrounding buffer overflows (read/write) and
sandbox integrity within the player, which might allow malicious users to
gain access to a user's computer. The possibility of running native code on
a users machine is a theoretical exploit, and extremely difficult to
execute in practice. There are no known examples of running such native
code from Macromedia Flash movies; however, even though this issue is
difficult and theoretical in nature only, we are encouraging users to
upgrade." |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
openssl: local and remote extraction of RSA private key
| Package(s): | openssl, apache, mod_ssl |
CVE #(s): | CAN-2003-0147
|
| Created: | March 18, 2003 |
Updated: | May 22, 2003 |
| Description: |
David Brumley and Dan Boneh of Stanford University have researched and
documented a timing attack on OpenSSL which allows local and remote
attackers to extract the RSA private key of a server. The OpenSSL RSA
implementation is generally vulnerable to these type of attacks unless RSA
blinding has been turned on. See this
paper (pdf format) for additional details.
Typically, RSA blinding is not enabled by OpenSSL based applications,
mainly because it is not obvious how to do so when using OpenSSL to provide
SSL/TLS. This problem affects mostly all applications using OpenSSL and
have to be rebuilded against the fixed OpenSSL version (where RSA blinding
is now enabled by default) or have to enable RSA blinding explicitly their
own.
The performance impact of RSA blinding appears to be small (a few percent
only) and the RSA functionality is still fully compatible. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0147 to the problem. |
| Alerts: |
|
Comments (none posted)
pam_xauth: root exploit
| Package(s): | pam_xauth |
CVE #(s): | CAN-2002-1160
|
| Created: | February 13, 2003 |
Updated: | July 10, 2003 |
| Description: |
The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat
Linux since version 7.1 would forward authorization information from the
root account to unprivileged users. This could be used by a local attacker
to gain access to an administrator's X session. In order to exploit this
vulnerability, the attacker would have to get the administrator, as root,
to use su to the account belonging to the attacker. |
| Alerts: |
|
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
CVE #(s): | CAN-2002-0985
CAN-2002-0986
|
| Created: | November 13, 2002 |
Updated: | September 30, 2003 |
| Description: |
Two vulnerabilities exists in the mail() PHP function. The first one allows
the execution of any program/script bypassing safe_mode restriction, the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986 |
| Alerts: |
|
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
CVE #(s): | |
| Created: | February 12, 2003 |
Updated: | November 7, 2003 |
| Description: |
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: |
|
