LWN.net Weekly Edition for October 16, 2008 [LWN.net]

OpenOffice.org releases 3.0, faces new challenges

By Jake Edge
October 15, 2008

A new version of the popular free software office application suite, OpenOffice.org (OOo) 3.0, was released this week to lots of press and enough download traffic to bring down its webserver. While the release isn't a huge leap forward in terms of features, it does provide some compelling enhancements. Perhaps the most interesting is the increased focus on extensions, a la Firefox, that don't require modifying the core OOo code. This may help combat the problem—or perceived problem—that Sun is stifling OOo development through its bureaucratic procedures for adding new functionality.

The first thing one notices when starting up OOo 3.0 is the new splash screen, but it appears for only a short time. One of the major complaints about the suite has been how long it takes to start up—something that has been addressed in 3.0. The application opens to a new welcome screen (seen at left) that presents a more friendly appearance, rather than an empty window, for new users. Once past that point, the various tools look much as they did in OOo 2.4 and earlier versions.

The other changes are mostly under the covers; they will be noticed by power users, but are not immediately obvious to basic users. These include:

Writer (word processor) has a new slider for zooming
Writer allows multi-page display and editing
Calc (spreadsheet) allows up to 1024 columns per sheet
Draw (drawing) can handle poster-size files
Impress (presentation) supports multiple monitors for presentations
Writer has additional editing modes for multi-lingual support as well as wiki document editing
Calc has a new equation solver
Chart (graphing) has improved graphical output

The OOo extensions repository has many different kinds of add-ons for OOo, that provide new or enhanced functionality for users. The most popular is the PDF import extension which allows loading PDF files into the application for editing. Given that OOo has long had the ability to natively export PDFs, importing them is an excellent addition.

Clearly Sun and the OOo project see extensions as a fertile ground for innovation by folks who are not necessarily OOo "contributors"—as they have not signed the Sun Contributor Agreement (SCA) [ PDF, currently unavailable due to the download traffic problems ]. Sun's community manager for OOo, Louis Suarez-Potts, puts it this way:

OOo 3.0 adds to that freedom by using extensions much the same way that Firefox does: it gives all users the freedom to add new features, functionality. At present, we have a couple of hundred, and they have proved popular. We've also done minimal advertising. I anticipate that in the coming months, as 3.0 gains yet more popularity (all servers are down at the moment), there will be more and more interesting extensions out there.

I can see extensions that radically depart from what we consider "office" tools---and why not? OOo is an integrated set of tools based on fairly conservative conceptions of office software. But there is no compelling reason to stick with the conservative past, and every reason to be creative.

One of the new features that OOo developers are most excited about won't affect Linux users at all. OOo 3.0 has a native Mac OS X look and feel, rather than the earlier X11-based interface. A native Windows version has always been a part of OpenOffice (and its precursor, StarOffice), but the new default theme is said to be particularly attractive on that platform.

There are various new features aimed at those currently using—or needing to interoperate with—Microsoft Office. There is support for Access database files as well as improved Visual Basic for Applications (VBA) macro support. Somewhat controversially, OOo 3.0 has added the ability to read (but not write) Office Open XML (OOXML) files. OOXML is the newly minted standard for office documents that Microsoft and Ecma pushed through the ISO standardization process earlier this year.

Support for OOXML is one of the contentious areas surrounding OOo. There are two (vocal) developer camps, one Sun-centric, the other Novell-centric; unsurprisingly they tend to clash over OOXML as well as development pace and direction issues. It has gotten to the point where a fork, called Go-OO, has come about, led by Novell's Michael Meeks. Go-OO's version of OOo has been adopted by several distributions leading some to see it as a "hostile" fork.

Sun's chief open source officer, Simon Phipps, clearly sees Go-OO (and the related OO-Build) as an attempt by Novell to control OOo:

The result of this is that go-oo.org is definitely a hostile and competitive fork of OpenOffice.org, and OO-Build is no longer a helpful downstream since it no longer upstreams much of anything (especially for Mac), small changes excepted. Unlike Groklaw I'd still hesitate to call OO-Build a fork, but Go-OO is unmistakably one, just look at the web site, the Windows build and the rhetoric.

The motivation for Go-OO being hosted and promoted by Novell and its staff seems unmistakable to me, as does the fact it is a Novell-sponsored fork. They are promoting Microsoft's flakey XSLT-based OOXML support, they are isolating Linux from OpenOffice.org (so that no-one in the main OpenOffice.org community is able to get support contracts from Linux users). And it is all cleverly wrapped in a community-friendly story about hackers and their freedom and evil, controlling Sun, delivered without interference from Novell corporate.

Meeks most recent look at OOo development is the proximate cause of much of the current sniping in various blogs. Meeks analyzes commits to the OOo codebase to try to extract trends in the development of the tool. His conclusion is stark—undoubtedly inflammatory to those in the Sun camp—"Crude as they are - the statistics show a picture of slow disengagement by Sun, combined with a spectacular lack of growth in the developer community."

While there have been various responses to the analysis—including this LWN comment thread—there has, as yet, been no real counter-analysis that comes to a different conclusion. Perhaps there are other ways to slice and dice the data that look more favorable to growth in the OOo community, but if not, the conclusion is worrisome. OOo is a very useful tool, that is used by many, which offers a way out of Microsoft lock-in. Because of Novell's close association with Microsoft, people worry that Go-oo is an underhanded means for another kind of lock-in—this time to Novell.

In what seems almost a taunt—as well as a validation of the accusation of a hostile fork—Meeks adds a postscript to his analysis:

Why is my bug not fixed ? why is the UI still so unpleasant ? why is performance still poor ? why does it consume more memory than necessary ? why is it getting slower to start ? why ? why ? - the answer lies with developers: Will you help us make OpenOffice.org better ? if so, probably the best place to get started is by playing with go-oo.org and getting in touch [...]

There have long been complaints about the pace of OOo development, along with calls for creating a foundation to oversee it. It would seem that OOo is at a bit of a crossroads. If Sun's commitment is reduced, without a corresponding increase in contributions from others, OOo could stagnate—or Go-oo could take over.

Ostensibly, the SCA is one of the sticking points for some contributors. They do not trust Sun not to take their contributions in a proprietary direction. But the conflict is really rooted in issues of control and development direction—two things likely to lead to forking. While two forks is suboptimal, perhaps, it may lead to improvements in both the code and the development process for OOo.

There are legitimate concerns on both sides of the issue—undoubtedly the mostly silent user community has yet another perspective—but there is enough bad blood between them that it is hard to see it resolving in some relatively amicable way. The office application suite is an extremely lucrative product, at least in the proprietary world. One gets the sense that both Sun and Novell are seeing dollar signs which are clouding their vision. A neutral foundation of some kind might be a good first step towards reconciliation.

Comments (33 posted)

LK2008: Embedded and Mobile Linux

By Jonathan Corbet
October 15, 2008

Linux-Kongress 2008 attendees had the opportunity to hear two different sessions dedicated to organizations trying to improve the state of Linux support for embedded and mobile systems. They have similar goals, but are taking different approaches and have different levels of resources available to them.

The first of these is OpenSourceEmbedded, presented by uClinux developer Jeff Dionne. He opened with a statement that, ten years ago, Linux-based embedded systems were nearly unknown. Now those systems are everywhere, with hundreds of millions of deployments. Embedded systems, he says, make up the largest installed base of Linux systems.

All is not perfect, though, in the embedded sphere. Linux still has an uncomfortably large footprint for embedded use. There is also no unified distribution for embedded use; instead, the industry is full of homemade solutions made by vendors. He would like to address this situation through the creation of a next-generation platform. It would take the form of a kit that developers could start with which comes equipped with design examples for a number of applications: telephones, digital video recorders, etc.

There are two hardware platforms being targeted initially by this effort. One is a Plasma MIPS processor - a very simple device which can be implemented with an FPGA. A simulator for this processor runs about 600 lines of code. The other, more advanced platform is a LEON 2/3 SPARC processor, a full system with a memory management unit and which supports multiprocessor configurations. Examples of the first processor include a RealTek MIPS system, while the LEON SPARC CPU is similar to current SuperH 3 processors. The Plasma and LEON SPARC processors are being designed now, with the intent of producing them as open hardware designs.

On top of these processors will be a base operating system layer with a "mini-POSIX" environment. There will be an interesting packaging system which stores components as separate "blocks" in flash, outside of any filesystem. The running system will be assembled from the blocks by the boot loader. This organization is designed to avoid bricking; any bad or corrupted components can simply be bypassed without affecting the functioning of the rest of the system. This, evidently, is how PalmOS did things.

The next challenge is creating a community around this whole effort. To that end, resources are to be put up at opensourceembedded.org - though nothing is available as of this writing. The site will include project hosting, along with the ability to download the development kits. Jeff says that the uClinux experience has shown that the kit approach works; with a ready-to-use code base like that, a community can come together.

There are also plans to create an organization behind this effort which, among other things, can enter into non-disclosure agreements with hardware manufacturers. This organization will also work to help vendors ship GPL-compliant products.

OpenSourceEmbedded appears to be in an early state, so it's hard to make any guesses about how successful it will be. For more information, see Jeff's slides [PDF].

Mobile Linux

The closing session at the 2008 Linux-Kongress was a talk by Dirk Hohndel, who began by noting that Linux-Kongress is, in fact, the oldest Linux event. It was first held in 1994, and hosted many of the kernel developers who were active at that time; Dirk estimates that about half of the development community was to be found in a single room. It would take a rather larger room to accomplish that now. Dirk complimented the event on its avoidance of commercialism and its sustained focus on the technology.

The technology that Dirk came to talk about was mobile Linux. He started by expressing his disappointment with desktop Linux. It has become a collection of poorly-integrated applications which are somehow trying to replicate Windows 95. The result does not work well on the desktop, and it most certainly is not optimized for the mobile environment.

But, says Dirk, mobile Linux is not really embedded Linux either. Embedded Linux evokes images of access points and other single-application boxes which are not meant to be extended past a single function. They are not concerned with the user's experience, and they are not concerned with mobility. The subject here is devices with a screen, and which can have new applications installed onto them. So some sort of desktop-like interface is needed, but current desktop Linux does not fill the bill.

According to Dirk, the problem with desktop Linux is the fundamental approach: developers are not the target audience for this software, but they are making all the interface decisions. What's needed is input from people who are specialized in interface design and human-computer interaction. That leads to a "scary thought": interface specialists are generally not coders, but they will be making decisions that coders are expected to implement. That is not a normal mode of operation in the free software community, but it is needed here.

Other problems include the proliferation of "80% done" projects. Much of the work has been done, but nobody wants to do the work to finish the job. There's also far too many choices; in general, says Dirk, people do not like it if they have to choose between more than two alternatives. When dealing with the Linux desktop, it's hard to find situations where there are fewer than six choices. And, overall, the Linux desktop lacks consistency. That, says Dirk, is why he uses an Apple laptop. Apple enforces a consistent design across the application space and, he says, the result is very nice.

Devices should be simple and natural to use; such devices are increasingly hard to find anywhere. As an example, he held up a paper notebook. The device boots very quickly, has a nice "touch-based" pencil-oriented interface. No manuals or explanations are needed. Linux-based devices should be just as easy to use. But, at the same time, they need to offer an experience which is close to what people expect from an ordinary, desktop computer. It should have access to the Internet, and users should be able to install software.

Dirk then pulled out an Eee PC system and gave the five-second boot demonstration. This work, he says, is an example of what is being done by Intel in support of the Moblin project. Intel is trying to solve some of the hardest problems in the mobile space, contributing the results for everybody to use.

To that end, Moblin is working toward the creation of a base distribution for mobile systems. The user interface will be based on the GNOME mobile work, but with a lot of enhancements. The end goal is the creation of a Linux distribution for mobile devices which is far better than the state of the art today. It is not, he says, an attempt to compete with distributors; instead, Moblin is providing a base which the distributors can build on. Intel's effort will naturally focus on Intel processors, but contributions for any architecture are welcome at Moblin.

In conclusion, Dirk noted that Linux's success on the server side was relatively easy. The mobile problem is much harder. Intel is hoping that others will join in to help Moblin reach its rather ambitious goals.

Comments (6 posted)

Fedora checking community health with EKG

By Jake Edge
October 15, 2008

Measuring the health of communities is an interesting, difficult task. The Fedora project has recently started using a new tool, called EKG, to try to get an overview of the demographics of the free software projects that are sponsored by the distribution. EKG is still young, but already provides some interesting information. Because it is GPL-licensed, as is the Fedora norm, it can be picked up by other distributions or interested parties to target their own projects.

At its core, EKG is a few Ruby scripts that process mailing list data so that graphs can be produced. Currently, it produces both pie charts and line graphs that indicate the number of Red Hat posters versus those from elsewhere. A portion of the most recent set of graphs can be seen at right.

Red Hat's Michael DeHaan has taken on development of EKG to use as a tool to measure how well various projects are building a community separate from Red Hat. There are lots of free software projects that have been released by Red Hat—or Fedora, which often amounts to the same thing—but may or may not be seen as useful tools outside of Fedora. By looking at the mailing list traffic, particularly over time, some idea of which projects are building a community, and which aren't, can be derived. As the project page puts it:

The premise is simple... what are the demographics behind open source projects that we run in Fedora?

Who posts
Who contributes
What projects are most active?
What projects need a little help?

Mailing lists are just one measure of the health of a project, of course, so DeHaan is looking at other metrics. Commits to the project repository—along with the identities of the commiter—would seem an obvious choice. Better graphs with more useful information on each axis as well as time series of the pie charts are also on the "to do" list. He is also looking at derived statistics that will allow direct comparison of different projects by using equations that in some way model success.

It is difficult to draw any conclusions from the limited graphs that are currently available. One thing that does stand out, though, is the popularity of gmail.com email addresses, which seem to account for around one-quarter of posts. One can also certainly see projects that are completely dominated by "inside" (i.e. Red Hat) folks. The JBoss lists are a good example.

Projects are trying various ways to measure how well they are doing their job; EKG is another way to do that. For the kernel, the statistics on each release are gathered by LWN, as well as over longer periods by the Linux Foundation. Ubuntu has its Upstream Report which looks at how well bugs are getting to upstream bug trackers. Undoubtedly other projects have their own ways of trying to measure their impact.

As yet, there is no mailing list for EKG development. We look forward to the day when EKG is applied to its own development list. It would seem that some kind of "metahealth" measurement of the community might be able to be derived from that data.

Comments (none posted)

LK2008: The values of the Linux community

By Jonathan Corbet
October 10, 2008

The opening keynote speaker for the 2008 Linux-Kongress was James Bottomley, who presented his views on the Linux community's values. What these values are, says James, is not entirely obvious. Related groups - the free software community, for example - have well-articulated value systems which define them. The Linux community's values are not so clearly expressed, but, he says, they are central to what we do.

James started with a bit of history, noting the the initial value placed on software was entirely commercial. Once the industry realized that software could be worth far more to its users than it costs to create, the proprietary mode became dominant - and that has affected the evolution of programming in general. The value placed on the code by its developers became irrelevant, leading to "paycheck coding." There is no value placed on creativity, and such a model leads to bad code.

Eventually Richard Stallman came along and challenged the commercial view of software. But, during this time, about the only alternative to commercial software was the BSD Unix distribution, and that got caught up in the lawsuit by ATT. So closed software took over; Windows won on commodity platforms, but proprietary software also became dominant in the Unix arena.

In 1991, Linux hit the scene; since then, it has become the most popular and vibrant free software operating system available. In a sense, this is interesting, in that Linux is licensed under the GPL, a license that many companies hate. Apple explicitly chose BSD as the base for MAC OS to avoid GPL-licensed code. But, despite this antipathy, lots of companies use Linux, and even contribute to its development. It is interesting, James says, to look at why that is.

The reason is the Linux community's values. In particular, the community prizes technical merit above all other considerations - including small things like what any company or user would like to have. Also prized is passion; code supported by a developer who clearly cares about it will generally fare better in the review process. If the code quality and the passion are there, the community does not care about much of anything else. Factors like the source of the code or who might benefit from its incorporation don't really matter.

In particular, contributors to the kernel are not required to sign on to any particular belief system or any specific view of freedom. A contributor may have an FSF-like belief in free software, or, instead, be a corporate developer who does not care about software freedom at all. Even the BSD community requires acquiescence with a specific view of freedom. A Linux contributor, instead, need only be willing to contribute the code under the share-alike rules of the GPL.

As a result, anybody can play with Linux, regardless of philosophy or corporate status. We have a community which is defined by contributions, not by a specific set of values regarding software freedom. That has allowed the formation of a very diverse community with a specific shared interest: creating the best kernel we can.

There are some significant benefits from this approach. It forces companies to recognize their engineers' values; that, in turn, makes for more motivated developers. Developers who are interested in improving Linux can get resources and support from corporations. Users get high-quality code from developers who care about what they are doing. Companies get the ability to focus on their little piece of the problem while taking advantage of the community-maintained kernel for the rest; they can also offload their older code to the community for long-term maintenance.

James compared the Linux way of doing things with the US constitution. That document only mentions freedom three times, yet it has become a blueprint which has supported freedom for over 200 years. It is a relatively short document. The proposed EU constitution, instead, is about 20 times the length, before taking into account other documents which are referenced. That document would appear to be somewhat bloated; the goals would be better served by a more concise formulation.

Similarly, the Linux community spends little time talking about freedom. Instead, the focus is on a set of brief principles involving code quality and passion. Freedom is not legislated; it arises as an emergent value inherent in the Linux way of doing things. Linux has managed to bring about software freedom without talking about it, and without imposing a view of software freedom on its contributors. In the process, Linux has succeeded in creating something which is as free - or more free - than the GNU system envisioned by the Free Software Foundation.

During the question period, James wished for a free software advocate who would argue the point with him, but no such person emerged. He will, it seems, have to repeat the talk in a different venue before he can have that debate.

Comments (49 posted)

Page editor: Jake Edge

Security

SELinux permissive domains

By Jake Edge
October 15, 2008

Readers of this page—along with the kernel page—will not find it surprising that SELinux is a complex beast. It is, however, the dominant security framework for Linux, pushed hard by Red Hat, but also being adopted, slowly, by SUSE, Ubuntu, and others. Over the years, through lots of hard work, it has become somewhat less complex, at least for administrators; a new feature, called permissive domains will help further ease the administration of SELinux-enabled systems.

These days, SELinux has two modes, the aptly named enforcing and permissive modes. When in enforcing mode, SELinux will not allow operations that are not permitted by the policy, whereas in permissive mode, a violation is just logged and the operation is allowed to continue. Administrators trying to track down an SELinux problem with an application—whether a real security issue or just a problem with the policy—can put the system into permissive mode, then study the logs to determine what policies are being violated. Or they can use audit2allow to make those policy changes for them.

Until permissive domains, though, the choice between permissive and enforcing was binary for the entire system. By putting a system into permissive mode, various attacks that SELinux might normally stop on other applications would instead just be logged. With permissive domains, a single process, or group of related processes, can be marked as permissive, while the rest of the system stays in enforcing mode.

Red Hat SELinux hacker Dan Walsh, describes permissive domains on his blog. One of the motivations is to help third-party software developers feel more comfortable about shipping SELinux policy with their application:

Another problem SELinux has is that third party software companies want to ship with SELinux policy for their software but do not trust that they have tested it well enough to run their confined applications in enforcing mode. I have talked to developers of stock market software that wanted to write policy for an application, distribute it to a live environment of several hundred machines, and then gather the AVCs as they happen, using this information to fine-tune their policy. After a long period of time, where they saw no AVCs, they might be willing to put their policy in enforcing mode. In RHEL5 they need to put the entire machine in permissive mode, but permissive domains solve this problem.

Permissive domains are available in recently updated Fedora 9 systems and will come standard with Fedora 10. As Walsh shows, enabling permissive mode for a domain is trivial:

    # semanage permissive -a httpd_sys_script_t

which would put all CGI scripts into permissive mode. And:

    # semanage permissive -d httpd_sys_script_t

to remove permissive mode for the CGI script domain (httpd_sys_script_t).

This is definitely a nice step forward for assisting with policy development, but there is still a lingering problem with the recommended way to generate SELinux policies. Walsh describes how that is done:

Finally, when someone wants to write policy for a new confined domain, we tell the policy writer to build a minimal policy using tools like system-config-selinux. Then we advise them to put the machine in permissive mode, run the confined application, collect the AVC messages, use audit2allow to generate new policy, and try again. Lather, rinse, repeat. This puts the entire machine at risk, since it is no longer protected by SELinux. With permissive domains, you can mark the new domain as permissive and avoid putting the machine at risk.

The problem, of course, is that blindly using audit2allow is extremely dangerous. It assumes that the application has no security problems, that all of its accesses should be permitted—if that can be assumed, what is SELinux for? By taking all of the violations and turning them into policy changes, the application, rather than the policy developer, decides on the access it requires. Using audit2allow correctly is much more complex, requiring a good understanding of SELinux and the existing policies and domains.

To be fair to Walsh, in a related post, he does warn:

Whenever you generate policy in this way you should really examine the te file for what rules audit2allow has generated and try [to] make sure they make sense, and don't open a security [hole]. It is always good to ask if the policy is good on a list like fedora-selinux. If you believe this is a bug in policy, please open a bugzilla. Then we can fix the policy for others.

The audit2allow manpage is even more explicit:

Care must be exercised while acting on the output of this utility to ensure that the operations being permitted do not pose a security threat. Often it is better to define new domains and/or types, or make other structural changes to narrowly allow an optimal set of operations to succeed, as opposed to blindly implementing the sometimes broad changes recommended by this utility. Certain permission denials are not fatal to the application, in which case it may be preferable to simply suppress logging of the denial via a dontaudit rule rather than an allow rule.

Using audit2allow is, unfortunately, the way that most SELinux policy is developed. There aren't enough SELinux experts—there may never be enough—to actually look at the code for applications and determine a priori what the policy should look like. So, testing applications by running them to determine what permissions they require is the only sane way to do it, error-prone though it may be.

Comments (4 posted)

New vulnerabilities

cups: several vulnerabilities

Package(s):

cups

CVE #(s):

CVE-2008-3639 CVE-2008-3640 CVE-2008-3641

Created:

October 10, 2008

Updated:

February 20, 2009

Description:

From the Red Hat advisory:

A buffer overflow flaw was discovered in the SGI image format decoding routines used by the CUPS image converting filter "imagetops". An attacker could create a malicious SGI image file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3639)

An integer overflow flaw leading to a heap buffer overflow was discovered in the Text-to-PostScript "texttops" filter. An attacker could create a malicious text file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3640)

An insufficient buffer bounds checking flaw was discovered in the HP-GL/2-to-PostScript "hpgltops" filter. An attacker could create a malicious HP-GL/2 file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3641)

Alerts:

CentOS	CESA-2009:0308	2009-02-19
Red Hat	RHSA-2009:0308-01	2009-02-19
rPath	rPSA-2008-0338-1	2008-12-19
Gentoo	200812-11	2008-12-10
Slackware	SSA:2008-312-01	2008-11-07
Debian	DSA-1656-1	2008-10-20
SuSE	SUSE-SR:2008:021	2008-10-17
Ubuntu	USN-656-1	2008-10-15
Fedora	FEDORA-2008-8844	2008-10-16
Fedora	FEDORA-2008-8801	2008-10-16
Mandriva	MDVSA-2008:211	2007-10-10
CentOS	CESA-2008:0937	2008-10-10
Red Hat	RHSA-2008:0937-01	2008-10-10
SuSE	SUSE-SR:2009:002	2009-01-19

Comments (none posted)

dbus: denial of service

Package(s):

dbus

CVE #(s):

CVE-2008-3834

Created:

October 10, 2008

Updated:

May 3, 2011

Description:

From the CVE entry: The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.

Alerts:

SUSE	SUSE-SR:2011:008	2011-05-03
Red Hat	RHSA-2010:0018-01	2010-01-07
CentOS	CESA-2010:0018	2010-01-08
Mandriva	MDVSA-2009:256	2009-10-06
CentOS	CESA-2009:0008	2009-01-08
SuSE	SUSE-SR:2008:027	2008-12-09
Gentoo	200901-04	2009-01-11
Red Hat	RHSA-2009:0008-01	2009-01-07
Debian	DSA-1658-1	2008-10-22
Mandriva	MDVSA-2008:213	2008-10-15
Ubuntu	USN-653-1	2008-10-14
Fedora	FEDORA-2008-8764	2008-10-09
openSUSE	openSUSE-SU-2012:1418-1	2012-10-31

Comments (none posted)

exiv2: denial of service

Package(s):

exiv2

CVE #(s):

CVE-2008-2696

Created:

October 15, 2008

Updated:

October 31, 2008

Description:

From the Ubuntu advisory:

Joakim Bildrulle discovered that exiv2 did not correctly handle Nikon lens EXIF information. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could cause the application linked against libexiv2 to crash, leading to a denial of service. (CVE-2008-2696)

Alerts:

SuSE	SUSE-SR:2008:023	2008-10-31
Ubuntu	USN-655-1	2008-10-15

Comments (none posted)

kernel: several vulnerabilities

Package(s):

linux-2.6

CVE #(s):

CVE-2008-1514 CVE-2008-3833 CVE-2008-4210 CVE-2008-4302

Created:

October 14, 2008

Updated:

January 8, 2009

Description:

From the Debian advisory:

Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic. (CVE-2008-1514)

The S_ISUID/S_ISGID bits were not being cleared during an inode splice, which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. Mark Fasheh reported this issue. (CVE-2008-3833)

David Watson reported an issue in the open()/creat() system calls which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. (CVE-2008-4210)

A coding error in the splice subsystem allows local users to attempt to unlock a page structure that has not been locked, resulting in a system crash. (CVE-2008-4302)

Alerts:

Red Hat	RHSA-2008:0787-01	2009-01-05
CentOS	CESA-2008:0973	2008-12-17
Red Hat	RHSA-2008:0973-03	2008-12-16
SuSE	SUSE-SA:2008:057	2008-12-04
SuSE	SUSE-SA:2008:056	2008-12-03
Ubuntu	USN-679-1	2008-11-27
Mandriva	MDVSA-2008:220-1	2008-11-19
CentOS	CESA-2008:0972	2008-11-20
Red Hat	RHSA-2008:0972-01	2008-11-19
SuSE	SUSE-SR:2008:025	2008-11-14
Red Hat	RHSA-2009:0001-01	2009-01-08
CentOS	CESA-2008:0957	2008-11-05
Red Hat	RHSA-2008:0957-02	2008-11-04
Mandriva	MDVSA-2008:220	2008-10-29
SuSE	SUSE-SA:2008:051	2008-10-21
Debian	DSA-1655-1	2008-10-16
Debian	DSA-1653-1	2008-10-13

Comments (none posted)

mon: insecure temp files

Package(s):

mon

CVE #(s):

CVE-2008-4477

Created:

October 9, 2008

Updated:

October 17, 2008

Description:

mon has an insecure temporary file creation vulnerability. From the Debian alert:

Dmitry E. Oboukhov discovered that the test.alert script used in one of the alert functions in mon, a system to monitor hosts or services and alert about problems, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks.

Alerts:

Mandriva	MDVSA-2008:214	2008-10-16
Debian	DSA-1648-1	2008-10-08

Comments (none posted)

portage: privilege escalation

Package(s):

portage

CVE #(s):

CVE-2008-4394

Created:

October 10, 2008

Updated:

October 15, 2008

Description:

From the Gentoo advisory: A search path vulnerability in Portage allows local attackers to execute commands with root privileges if emerge is called from untrusted directories.

Alerts:

Gentoo

200810-02

2008-10-09

Comments (none posted)

ruby: multiple vulnerabilities

Package(s):

ruby

CVE #(s):

CVE-2008-3905 CVE-2008-3790 CVE-2008-3443

Created:

October 10, 2008

Updated:

January 5, 2009

Description:

From the CVE entries:

CVE-2008-3905 - resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.

CVE-2008-3790 - The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."

CVE-2008-3443 - The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.

Alerts:

Debian	DSA-1695-1	2009-01-02
Gentoo	200812-17	2008-12-16
Ubuntu	USN-691-1	2008-12-16
Mandriva	MDVSA-2008:226	2008-11-06
CentOS	CESA-2008:0897	2008-10-24
CentOS	CESA-2008:0896	2008-10-21
Red Hat	RHSA-2008:0897-01	2008-10-21
Red Hat	RHSA-2008:0896-01	2008-10-21
Red Hat	RHSA-2008:0895-02	2008-10-21
Debian	DSA-1652-1	2008-10-12
Debian	DSA-1651-1	2008-10-12
Ubuntu	USN-651-1	2008-10-10
Fedora	FEDORA-2008-8736	2008-10-09
Fedora	FEDORA-2008-8738	2008-10-09

Comments (none posted)

Events

OWASP Summit set for November in Portugal

The Open Web Application Security Project is announcing its European summit to be held November 4-7 in Algarve, Portugal. The theme of the conference is "Setting the AppSec [Application Security] agenda for 2009". "This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today." Click below for the full announcement.

LWN.net Weekly Edition for October 16, 2008

Mobile Linux

cups: several vulnerabilities

dbus: denial of service

exiv2: denial of service

kernel: several vulnerabilities

mon: insecure temp files

portage: privilege escalation

ruby: multiple vulnerabilities

Solid-state storage devices

Request affinity

Timeout handling

Other changes in brief

Events: October 23, 2008 to December 22, 2008