| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for April 24, 2003
DARPA Cancels OpenBSD Funding
[This article was contributed by Joe 'Zonker' Brockmeier]
If you follow the news at all, you've probably already heard about the OpenBSD project losing the funding from the U.S. Defense Advanced Research Projects Agency (DARPA). What's less than clear is why the funding has been pulled. In fact, it's quite a test to figure out who's actually responsible for pulling the plug, much less the reason. DARPA is, essentially, just an intermediate agency for the funding, which is passed on to the University of Pennsylvania. The funds themselves come from the Air Force Research Laboratory.
Most speculation has gone to comments made by OpenBSD project leader Theo de Raadt. The comments in question come from an interview in The Globe and Mail, where de Raadt is quoted as saying he's "uncomfortable" about the source of the grant. De Raadt also told the Globe and Mail that, "I try to convince myself that our grant means a half of a cruise missile doesn't get built," which might not sit well with U.S. military types. A few days after the comment appeared in the Globe and Mail, de Raadt was contacted by University of Pennsylvania professor Jonathan Smith. According to de Raadt, Smith objected to the comment, but wouldn't give a specific reason why. The funding was pulled on Thursday of last week.
If that is the reason for the cancellation, it's not the official story from DARPA, in as much as DARPA has or will give an official story. A statement forwarded to LWN by de Raadt, attributed to DARPA spokesperson Jan Walker, claims that the funding is under review.
Walker did not respond to e-mails or phone calls requesting confirmation of this statement or requests to elaborate on or clarify the statement.
The most immediate consequence is that the OpenBSD project has had the rug pulled out from under them with regards to the upcoming hackathon in Canada. 60 OpenBSD developers are scheduled to travel to Canada for the event, almost all of whom have already purchased tickets based on a go-ahead given in January. The hotel was contacted and told to cancel the reservation, despite the fact that an 80% cancellation fee is in effect. According to de Raadt, this amounts to about $24,000 Canadian. De Raadt also reports that the hotel was instructed not to allow anyone to pay the remaining balance to keep the reservation. However, de Raadt said that the hotel has agreed to cut the OpenBSD project a deal for the hackathon, even if they cannot apply the cancellation fee to the bill.
Fernando Pereira, chairman of the Department of Computer and Information Science at the University of Pennsylvania sent this statement to the OpenBSD "misc" mailing list to explain why the cancellation fee cannot be used towards the hotel costs:
Apparently, quite a few people in the OpenBSD community have already sent letters of protest to the University of Pennsylvania, newspapers and other sources. If you'd like to write a letter to complain or comment on the decision to official sources, de Raadt notes that it's helpful to have the contract number. The contract was granted by the Air Force Research Lab, Material Command, and is DARPA contract number F30602-01-2-0537.
With the exception of the hackathon, the loss of funding may not be as dramatic as it sounds. On Monday, de Raadt said that the OpenBSD project had already received about $7,000 in donations, and more was "in the mail." The OpenBSD project has been around for eight years, and has done just fine without the DARPA funding. In addition, the funding was set to run out within four months anyway and de Raadt noted that he works through a Canadian contracting company that should ensure that he receives the rest of his pay for the next four months. The major losers appear to be the University of Pennsylvania grad students who were also receiving money from the grant, as well as the 60 OpenBSD developers who are wondering whether there will be a place for them to stay when they arrive at the hackathon.
Novell and Linux
Readers of the discussion on LWN.net may have seen comments posted by Kristopher Magnusson, who happens to be the chair of Novell's "Open Source Review Board" and the person responsible for managing the company's relations with the free software community. We had the opportunity to ask Mr. Magnusson a few questions about Novell's plans with regard to Linux; his answers appear below. But first, a couple of other Novell-related items:
- Novell has become
a gold sponsor of the Linux
Professional Institute, and is recommending LPI certification as
part of its own certification program.
- Jack Messman, Novell's CEO, has sent us a clarification of Novell's view of Linux and the free software community, and an apology for some remarks in an interview that did not come out quite right. " Novell wouldn't be spending the tremendous time, money and resources to make this strategy a reality if we didn't believe in the present and future of Linux. After building and enhancing NetWare for 20 years, this is new territory for us. We simply ask for your patience along the way."
And now, on to the interview.
LWN: In the ComputerWorld interview, CEO Jack Messman said "Linux is an immature operating system right now. It hasn't had somebody like Novell worrying about making it robust, reliable and scalable for very much time. We think we can bring that to the Linux kernel." He has since noted that he could have expressed himself better, and his apologies have been accepted. But the point remains that Novell sees room for improvement in the Linux kernel. The kernel developers agree, of course; otherwise they would be working on something else. Could you explain what improvements Novell would like to see in the Linux kernel?
Job number one for Novell engineering is to port the services that run on the operating system. Whether customers are running NetWare 7 on the Linux kernel or the NetWare kernel, we want to make sure they have access to the very best services for file, print, storage, directories, messaging, collaboration, resource management, Web development and many others.
LWN: Which of those (if any) does Novell plan to work on (and contribute back) itself?
LWN: A quick search through the linux-kernel mailing list did not turn up any Novell engineers participating in the discussion - at least, none that identified themselves as such. Does Novell have engineers working on the Linux kernel, and do they plan to participate in the development community?
LWN: The recent announcements mention Novell's contributions to various open source projects, including Apache and OpenLDAP. Can you give a quick summary of what some of the more important contributions have been?
Our Apache work is one of our more important contributions. We have a strong relationship with the Apache Software Foundation. In the case of Apache, Novell's lead engineer in charge of porting Apache to NetWare is a member of the Apache Software Foundation, which gives him code check-in privileges as well as some degree of control over the general technical direction of Apache development. Further, Novell has been very conscientious about contributing our improvements to the Apache codebase back to the Apache Foundation.
Novell recently formed a relationship with MySQL AB. We licensed a commercial version of MySQL to ship their database on every NetWare 6.5 CD, and this has been a big hit with our biggest customers. We practice a kind of open source process between our two companies--Novell engineers porting MySQL code make improvements that we contribute back to MySQL AB. These improvements find their way into the GPL version of the database, which benefits everyone who uses the open source version of MySQL.
Novell also has a relationship with the PHP group that's part of the Apache Software Foundation. We ported PHP to NetWare as part of our AMP strategy, and we made a number of improvements to the PHP code that we contributed to that organization.
Beyond AMP, our relationship with OpenLDAP dates back to 1999, when Novell was looking for open source C-based libraries for programmatic access to LDAP directories. We found OpenLDAP's implementation, which needed some work. We decided to pitch in and help; so we completed the work for them and contributed our improvements back to OpenLDAP. Next, we needed a set of Java libraries. OpenLDAP didn't have any, so we wrote our own and contributed them to OpenLDAP outright under their BSD-based license. After four years, we still check in Java library code to OpenLDAP on a weekly basis. Most recently, a few months ago, we contributed to OpenLDAP a DSMLv2 server written in Java.
So we've been consuming open source software for some time, and have been contributing our improvements back to each community. It's been a satisfying process over the years to see our improvements included in new versions of each piece of software.
LWN: Novell has released its UDDI code with a fair amount of fanfare. Can we look forward to other releases of Novell technology in the near future?
LWN: If I understand correctly, Netware 7.0 will be able to run on top of the Linux kernel. The thinking seems to be that giving customers the option to move to Linux will make them more inclined to stay with Netware. Is that an accurate summation of Novell's strategy? How will Novell respond if it turns out that most customers would rather run on the Linux kernel?
LWN: Taking it one step further...if Netware 7 runs well on the Linux kernel, what reason would Novell have to continue developing and maintaining its own kernel? What advantage does a proprietary kernel give to Novell when it can run Linux and benefit from the reliability and scalability work being done by IBM, SGI, HP, Red Hat, SuSE, and others?
LWN: For customers wanting to run Netware over Linux, will Novell ship a specific distribution, or will customers be expected to obtain a supported distribution from elsewhere?
LWN: Why is Novell releasing Netware on top of Linux, rather than (or, at least, prior to) Windows?
Opteron launches
AMD has, at last, released its long-awaited "Opteron" (or "Hammer") processor. LWN does not normally devote much space to following developments in the microprocessor field, but Opteron is worth a mention. There is a good chance that this is the architecture many of us will be running in the future.Opteron has the potential to deliver the best from both the 32-bit and 64-bit computing worlds. It will run 32-bit x86 code natively, and with good performance. That is a nice feature for people with binary applications, of course, though it is less useful in the free software world. If you have source (and an operating system which has been 64-bit capable for years), support for a new processor is often just a matter of running "make." There is another important aspect to 32-bit support, however: for most applications, 32-bits is the optimal size. Moving to a 64-bit mode involves a sizeable expansion of a program's code and data, with bad effects on cache utilization, virtual memory use, and memory bus bandwidth. Building "cat" as a 64-bit application can only serve to make it bigger and slower. So a processor with native 32-bit support is a good thing.
There are situations, however, where only 64 bits will do. In particular, applications which need to address vast amounts of memory (e.g., big scientific crankers, large databases, emacs) will benefit from 64-bit pointers. So good 64-bit support matters too.
Of course, the thing that really matters for Linux users is Linux support. AMD has worked with the free software community for years to ensure that its processor would be supported. The end result is that you can buy an Opteron server running a stable Linux port (choosing from multiple distributors) today. Windows support, instead, will show up in beta form only later this year, and Apple's support remains a rumor. In some areas, hardware support in Linux still lags behind other systems; with the Opteron, however, Linux got there first. If Opteron lives up to its PR, it could be a platform which brings Linux into many more machine rooms in the next few years.
Page editor: Jonathan Corbet
Security
Security news
The other security problem
People who deal with systems security spend a lot of time worrying about buffer overflows, format string vulnerabilities, file creation races, and so on. These problems can all lead to the compromise of an important system, with the usual array of unpleasant consequences. So conscientious administrators pay attention to new vulnerabilities, apply their patches, and so on.This Register article, however, serves as a good reminder that there are other aspects to the security problem:
What a pain; all that patching and careful administration, then the users hand their passwords over to a stranger when asked. Unfortunately, patches for loose-lipped users are hard to come by. The security advantages of free software also fail to offer much help in the way of blabbermouth mitigation.
Lack of security consciousness is a real problem. Careless users will not increase your exposure to the next Internet worm. But an attacker who has set his sites on a specific target may well want to have a little discussion with your users. Pens are cheap, after all.
New vulnerabilities
gkrellm-newsticker - multiple vulnerabilities
| Package(s): | gkrellm-newsticker | CVE #(s): | CAN-2003-0205 CAN-2003-0206 | |||
| Created: | April 23, 2003 | Updated: | April 23, 2003 | |||
| Description: | gkrellm-newsticker has two vulnerabilities: a denial of service problem and a failure to filter shell metacharacters which can allow an attacker to run arbitrary commands by way of a hostile (or compromised) news feed. | |||||
| Alerts: |
| |||||
mime-support: insecure temporary file creation
| Package(s): | mime-support | CVE #(s): | ||||||||||
| Created: | April 22, 2003 | Updated: | April 30, 2003 | |||||||||
| Description: | Colin Phipps discovered several problems in mime-support, that contains support programs for the MIME control files 'mime.types' and 'mailcap'. When a temporary file is to be used it is created insecurely, allowing an attacker to overwrite arbitrary under the user id of the person executing run-mailcap, most probably root. Additionally the program did not properly escape shell escape characters when executing a command. This is unlikely to be exploitable, though. | |||||||||||
| Alerts: |
| |||||||||||
rinetd: incorrect memory resizing
| Package(s): | rinetd | CVE #(s): | CAN-2003-0212 | |||
| Created: | April 17, 2003 | Updated: | April 23, 2003 | |||
| Description: | Sam Hocevar discovered a security problem in rinetd, an IP connection redirection server. When the connection list is full, rinetd resizes the list in order to store the new incoming connection. However, this is done improperly, resulting in a denial of service and potentially execution of arbitrary code. | |||||
| Alerts: |
| |||||
snort - multiple vulnerabilities
| Package(s): | snort | CVE #(s): | CAN-2003-0029 CAN-2003-0033 | |||||||||||||||
| Created: | April 23, 2003 | Updated: | May 7, 2003 | |||||||||||||||
| Description: | Versions of the snort intrusion detection system through 2.0-rc1 contain buffer and heap overflow vulnerabilities which could lead to remote code execution. Sites running snort are advised to upgrade to 2.0.0 as soon as possible; see this CERT advisory for more information. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Updated vulnerabilities
BitchX - denial of service
| Package(s): | BitchX | CVE #(s): | |||||||||||||
| Created: | February 20, 2003 | Updated: | May 26, 2003 | ||||||||||||
| Description: | From this Bugtraq posting:
A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx | ||||||||||||||
| Alerts: |
| ||||||||||||||
EOG: vulnerability in Eye of GNOME
| Package(s): | EOG | CVE #(s): | CAN-2003-0165 | ||||||
| Created: | April 3, 2003 | Updated: | April 16, 2003 | ||||||
| Description: | A vulnerability was found in EOG version 2.2.0 and earlier. A carefully crafted filename passed to the program could lead to the execution of arbitrary code. An attacker could exploit this because various packages (Mutt, for example) make use of EOG for image viewing. | ||||||||
| Alerts: |
| ||||||||
evolution: multiple vulnerabilities
| Package(s): | Evolution | CVE #(s): | CAN-2003-0128 CAN-2003-0129 CAN-2003-0130 | |||||||||||||||||||||
| Created: | March 21, 2003 | Updated: | May 14, 2003 | |||||||||||||||||||||
| Description: | Multiple vulnerabilities have been found in Ximian's Evolution Mail User
Agent, according to this
CoreLabs advisory.
"Three vulnerabilities were found that could lead to various forms of
exploitation ranging from denying to users the ability to read email,
provoke system unstability, bypassing security context checks for email
content and possibly execution of arbitrary commands on vulnerable
systems."
Ximian Evolution is a personal and workgroup information management solution for Linux and UNIX-based systems. The software integrates email, calendaring, meeting scheduling, contact management, and task lists, in one application. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
LPRng: insecure temporary file
| Package(s): | LPRng | CVE #(s): | CAN-2003-0136 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | June 16, 2003 | ||||||||||||||||||
| Description: | Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purpose when it is configured as filter. The program does not check whether this file already exists or is linked to another place writes its current environment and called arguments to the file unconditionally with the user id daemon. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
perl-MailTools: remote command execution
| Package(s): | MailTools | CVE #(s): | CAN-2002-1271 | |||||||||||||||
| Created: | November 5, 2002 | Updated: | September 19, 2003 | |||||||||||||||
| Description: | The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
NetPBM: math overflow errors
| Package(s): | NetPBM | CVE #(s): | CAN-2003-0146 | ||||||||||||
| Created: | March 17, 2003 | Updated: | May 27, 2003 | ||||||||||||
| Description: | Al Viro and Alan Cox discovered several maths overflow errors in NetPBM, a set of graphics conversion tools. These programs are not installed setuid root but are often installed to prepare data for processing. These vulnerabilities may allow remote attackers to cause a denial of service or execute arbitrary code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apache 2.x: denial of service
| Package(s): | apache | CVE #(s): | CAN-2003-0132 | ||||||||||||
| Created: | April 9, 2003 | Updated: | May 1, 2003 | ||||||||||||
| Description: | Apache 2.0.x (for <= 44) have a denial of service vulnerability; Apache 2.0.45 fixes the problem. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat | CVE #(s): | CAN-2002-0004 | |||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 15, 2003 | |||||||||||||||||||||||||||
| Description: | The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc | CVE #(s): | CAN-2002-0651 CAN-2002-0684 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 8, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
Canna server: exploitable buffer overrun
| Package(s): | canna | CVE #(s): | CAN-2002-1158 CAN-2002-1159 | ||||||||||||
| Created: | December 10, 2002 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) | ||||||||||||||
| Alerts: |
| ||||||||||||||
dvips: command execution vulnerability
| Package(s): | dvips | CVE #(s): | CAN-2002-0836 | ||||||||||||||||||||||||
| Created: | October 16, 2002 | Updated: | June 10, 2003 | ||||||||||||||||||||||||
| Description: | The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
epic: buffer overflows
| Package(s): | epic | CVE #(s): | ||||
| Created: | April 15, 2003 | Updated: | April 16, 2003 | |||
| Description: | Timo Sirainen discovered several problems in EPIC, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to executing of arbitrary code under the user id of the chatting user. | |||||
| Alerts: |
| |||||
ethereal - format string vulnerability
| Package(s): | ethereal | CVE #(s): | CAN-2003-0081 | ||||||||||||||||||
| Created: | March 10, 2003 | Updated: | June 12, 2003 | ||||||||||||||||||
| Description: | The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. See the full advisory for additional information. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fetchmail: buffer overflow
| Package(s): | fetchmail | CVE #(s): | CAN-2002-1365 | ||||||||||||||||||||||||
| Created: | December 17, 2002 | Updated: | October 20, 2003 | ||||||||||||||||||||||||
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
file - memory allocation problem, stack overflow
| Package(s): | file | CVE #(s): | CAN-2003-0102 | |||||||||||||||||||||||||||||||||
| Created: | March 4, 2003 | Updated: | June 4, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Jeff Johnson found a memory allocation problem and David Endler found a stack overflow corruption problem in the file "Automatic File Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section and program header handling in file version 3.40. The folks at OpenPKG believe that file versions without those modifications are vulnerable to memory allocation and stack overflow problems which put security at risk. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp | CVE #(s): | CAN-2002-0435 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 16, 2003 | ||||||||||||||||||
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Potential remote root exploit in glibc
| Package(s): | glibc | CVE #(s): | CAN-2002-0391 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | August 14, 2002 | Updated: | June 29, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 | |||||||||
| Created: | November 7, 2002 | Updated: | February 5, 2004 | |||||||||
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | |||||||||||
| Alerts: |
| |||||||||||
glibc: integer overflow in the xdrmem_getbytes() function
| Package(s): | glibc krb5 dietlibc | CVE #(s): | CAN-2003-0028 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 21, 2003 | Updated: | May 27, 2003 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | An integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, and glibc, allows remote attackers to execute arbitrary code via certain integer values in length fields See CAN-2003-0028 and CERT advisory CA-2003-10 for more information. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
gs-common: insecure temporary file
| Package(s): | gs-common | CVE #(s): | ||||
| Created: | April 14, 2003 | Updated: | April 16, 2003 | |||
| Description: | Paul Szabo discovered insecure creation of a temporary file in ps2epsi, a script that is distributed as part of gs-common which contains common files for different Ghostscript releases. ps2epsiuses a temporary file in the process of invoking ghostscript. This file was created in an insecure fashion, which could allow a local attacker to overwrite files owned by a user who invokes ps2epsi. | |||||
| Alerts: |
| |||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
IMP - SQL injection vulnerability
| Package(s): | imp | CVE #(s): | CAN-2003-0025 | |||||||||
| Created: | January 15, 2003 | Updated: | July 8, 2003 | |||||||||
| Description: | The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem. | |||||||||||
| Alerts: |
| |||||||||||
ircii: buffer overflow vulnerability
| Package(s): | ircii | CVE #(s): | ||||||||||
| Created: | March 20, 2003 | Updated: | April 22, 2003 | |||||||||
| Description: | Timo Sirainen audited ircII based clients (see this Bugtraq post) and found some buffer overflow vulnerabilities in ircii-20020912. | |||||||||||
| Alerts: |
| |||||||||||
kde: arbitrary code execution
| Package(s): | kde | CVE #(s): | CAN-2003-0204 | ||||||||||||||||||||||||||||||||||||
| Created: | April 10, 2003 | Updated: | June 30, 2003 | ||||||||||||||||||||||||||||||||||||
| Description: | The KDE Security team has issued an advisory
on a vulnerability present in all versions of KDE that allow a remote
attacker to execute arbitrary commands under your account. KDE 3.0.5b and
KDE 3.1.1a have been released to address this problem. For KDE 2.2.2
patches to the KDE 2.2.2 sources have been made available.
KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files. An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such malicious file and has file previews enabled. An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possible other means. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
kerberos - cryptographic weakness
| Package(s): | kerberos, heimdal, openafs | CVE #(s): | CAN-2003-0138 CAN-2003-0139 | ||||||||||||||||||||||||||||||
| Created: | March 26, 2003 | Updated: | May 27, 2003 | ||||||||||||||||||||||||||||||
| Description: | Version 4 of the Kerberos protocol contains a cryptographic weakness which enables a chosen-plaintext attack. A suitably equipped attacker can impersonate any principal in the realm. Another weakness allows the creation of false Kerberos tickets. Given the weaknesses in the cryptography, cross-realm authentication cannot be performed in a secure way.
OpenAFS kaserver implements version 4 of the Kerberos protocol, and therefore is also vulnerable. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
kernel - ptrace-related vulnerability
| Package(s): | kernel | CVE #(s): | CAN-2003-0127 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2003 | Updated: | June 30, 2003 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in ptrace() which may be exploited by a local user to obtain root access. This announcement contains the details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released which contains the fix. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
lprold - buffer overflow in lprm
| Package(s): | lprold lpd | CVE #(s): | CAN-2003-0144 | |||||||||||||||
| Created: | March 13, 2003 | Updated: | May 28, 2003 | |||||||||||||||
| Description: | The lprm command of the printing package lprold contains a buffer overflow. This buffer overflow can be exploited by a local user, if the printer system is set up correctly, to gain root privileges. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
lynx: CRLF injection vulnerability
| Package(s): | lynx | CVE #(s): | CAN-2002-1405 | |||||||||||||||||||||
| Created: | November 19, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||
| Description: | If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
man - code execution vulnerability
| Package(s): | man | CVE #(s): | CAN-2003-0124 | ||||||||||||
| Created: | March 19, 2003 | Updated: | May 7, 2003 | ||||||||||||
| Description: | Versions of man prior to 1.51 contain a code execution vulnerability which can be exploited by a carefully crafted man file. See this advisory for the details. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mgetty spool permission
| Package(s): | mgetty | CVE #(s): | CAN-2002-1391 CAN-2002-1392 | ||||||||||||
| Created: | April 8, 2003 | Updated: | May 13, 2003 | ||||||||||||
| Description: | mgetty is a getty replacement for use with data and fax modems.
mgetty can be configured to run an external program to decide whether or not to answer an incoming call based on Caller ID information. Unpatched versions of mgetty prior to 1.1.29 would overflow an internal buffer if the caller name reported by the modem was too long. Additionally, the faxspool script supplied with versions of mgetty prior to 1.1.29 used a simple permissions scheme to allow or deny fax transmission privileges. This scheme was easily circumvented because the spooling directory used for outgoing faxes was world-writable. | ||||||||||||||
| Alerts: |
| ||||||||||||||
micq: Denial of service
| Package(s): | micq | CVE #(s): | |||||||
| Created: | December 13, 2002 | Updated: | April 24, 2003 | ||||||
| Description: | Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE seperator causes all versions to crash. | ||||||||
| Alerts: |
| ||||||||
mutt: buffer overflow in IMAP client code
| Package(s): | mutt | CVE #(s): | CAN-2003-0140 | ||||||||||||||||||||||||||||||||||||
| Created: | March 21, 2003 | Updated: | April 22, 2003 | ||||||||||||||||||||||||||||||||||||
| Description: | Core
Security Technologies has found a remotely exploitable buffer overflow
in mutt's IMAP client code. This Bugtraq post
contains additional information.
The problem has been fixed in Mutt 1.4.1 (stable) and 1.5.4 (unstable). | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
mysql - configuration file vulnerability
| Package(s): | mysql mysqld | CVE #(s): | CAN-2003-0150 | ||||||||||||||||||||||||
| Created: | March 18, 2003 | Updated: | May 16, 2003 | ||||||||||||||||||||||||
| Description: | According to a report on BugTraq, a vulnerability exists in version 3.23.55 and earlier versions of the MySQL server. If the MySQL server is launched by root, as it is often done by system startup scripts, any database users with the "FILE" privilege can write a configuration file (usually my.cnf) that causes the MySQL server to run under an arbitrary user id, including the user id of the super-user, on the next restart. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
net-snmp: denial of service vulnerability
| Package(s): | net-snmp | CVE #(s): | CAN-2002-1170 | ||||||
| Created: | December 17, 2002 | Updated: | November 7, 2003 | ||||||
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. | ||||||||
| Alerts: |
| ||||||||
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye | CVE #(s): | CAN-2003-0358 CAN-2003-0359 | |||||||||||||||
| Created: | February 18, 2003 | Updated: | July 15, 2003 | |||||||||||||||
| Description: | Overflowing a buffer in nethack may lead to privilege escalation to games
uid.
Read the the full advisory for the details. Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
netscape-flash: buffer overflow
| Package(s): | netscape-flash | CVE #(s): | |||||||
| Created: | March 10, 2003 | Updated: | June 20, 2003 | ||||||
| Description: | Potentially exploitable buffer overflows exist in the Macromedia Flash Player. The full advisory is here. "The cumulative security patch is available today and addresses the potential for exploits surrounding buffer overflows (read/write) and sandbox integrity within the player, which might allow malicious users to gain access to a user's computer. The possibility of running native code on a users machine is a theoretical exploit, and extremely difficult to execute in practice. There are no known examples of running such native code from Macromedia Flash movies; however, even though this issue is difficult and theoretical in nature only, we are encouraging users to upgrade." | ||||||||
| Alerts: |
| ||||||||
openssl: local and remote extraction of RSA private key
| Package(s): | openssl, apache, mod_ssl | CVE #(s): | CAN-2003-0147 | |||||||||||||
| Created: | March 18, 2003 | Updated: | May 22, 2003 | |||||||||||||
| Description: | David Brumley and Dan Boneh of Stanford University have researched and
documented a timing attack on OpenSSL which allows local and remote
attackers to extract the RSA private key of a server. The OpenSSL RSA
implementation is generally vulnerable to these type of attacks unless RSA
blinding has been turned on. See this
paper (pdf format) for additional details.
Typically, RSA blinding is not enabled by OpenSSL based applications, mainly because it is not obvious how to do so when using OpenSSL to provide SSL/TLS. This problem affects mostly all applications using OpenSSL and have to be rebuilded against the fixed OpenSSL version (where RSA blinding is now enabled by default) or have to enable RSA blinding explicitly their own. The performance impact of RSA blinding appears to be small (a few percent only) and the RSA functionality is still fully compatible. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0147 to the problem. | |||||||||||||||
| Alerts: |
| |||||||||||||||