Free licenses and warranties
Releasing a work - be it code, words, sounds, or images - under a free
license is not just a matter of tossing in a file called COPYING and
putting up a tarball. It is a legal decision which may have long-term
implications. For an example, consider
this discussion
on the warranty provisions of the Creative Commons licenses.
The Creative Commons offers several licenses
to fit different people's
wishes regarding attribution, commercial use, and derived works. They
range from being very GPLish, to something that looks vaguely like the BSD
license (though rather more complicated), to others that would not be
considered "free" by most in the community. One thing they have in common,
however, is a fairly strong warranty provision:
By offering the Work for public release under this License,
Licensor represents and warrants that, to the best of Licensor's
knowledge after reasonable inquiry:
- Licensor has secured all rights in the Work necessary to grant
the license rights hereunder and to permit the lawful exercise
of the rights granted hereunder without You having any
obligation to pay any royalties, compulsory license fees,
residuals or any other payments;
- The Work does not infringe the copyright, trademark, publicity
rights, common law rights or any other right of any third party
or constitute defamation, invasion of privacy or other tortious
injury to any third party.
In other words, when you release a work under a Creative Commons license,
you are making a promise to any potential user that nobody else has any
rights to that work that could require payments from that user. This is a
warranty: should a third party come to one of your users for royalties
or damages, they can come back to you. Releasing a work under one of these
licenses means taking on a legal liability.
This feature of the Creative Commons licenses is deliberate: it is intended
to give users of CC-licensed works confidence that they can truly
use and redistribute those works without getting into trouble. This sort
of language is not uncommon; anybody who has had a book published, for
example, has signed off on a warranty that is at least as strong as the CC
licenses require. But some authors who release under a CC license may not
understand the commitment that they are making. The Creative Commons folks
will apparently be making some changes to make the warranty commitment more
clear.
What about other licenses? The GNU General Public License
is clear that the covered works come (in capital letters) "WITHOUT WARRANTY
OF ANY KIND." Other common licenses, including the Apache Public
License, the Artistic
License, the BSD License,
the Mozilla
Public License, and others all include warranty disclaimers. The Open Software
License, instead, reads:
Licensor warrants that the copyright in and to the Original Work is
owned by the Licensor or that the Original Work is distributed by
Licensor under a valid current license from the copyright owner.
In other words, authors using the OSL are taking on a warranty obligation.
The GNU Free Documentation
License, interestingly, states only that any warranty disclaimers must
be preserved. Authors releasing under that license should probably add an
explicit statement of their warranty position.
Of course, no warranty disclaimers will keep you out of trouble if a
litigious third party decides that you are distributing their intellectual
property. For example, should SCO manage to prove in court that the famous
"printer on fire" kernel message was stolen by IBM and placed in the Linux
kernel, the fact that the relevant code was released under the GPL (if it
was) will prevent other Linux distributors from suing IBM, but it will not
help against SCO.
Regardless of disclaimers, anybody distributing material under a free
license had better be sure that they have the right to do so. Once that is
done, however, it is worth being aware of just what sort of warranty you
are promising people who are making free use of your work.
Comments (6 posted)
Silly Corporate Obnoxiousness
The latest bit of amusement in the SCO suit comes from
this talk with SCO CEO
Darl McBride on News.com. Mr. McBride is now making direct claims that
Unix source code has been copied into the Linux kernel. But don't hold
your breath while waiting to see where this copying has happened:
"We feel very good about the evidence that is going to show up in
court. We will be happy to show the evidence we have at the
appropriate time in a court setting," McBride said. "The Linux
community would have me publish it now, (so they can have it)
laundered by the time we can get to a court hearing. That's not the
way we're going to go."
Mr. McBride's contempt for the Linux developer community is, it would seem,
exceeded only by his contempt for the public as a whole. It takes little
thought to realize that his claims make no sense whatsoever.
The Linux community, of course, would be incapable of "laundering" the
code, since it is, according to SCO, incapable of implementing (or
reimplementing) anything so advanced without stealing it. Of course,
perhaps this band of thieves could rip off replacement code from somewhere
else. Suppose, for the sake of argument, that the code in question is
"laundered" with a replacement stolen from, say, CP/M. The resulting kernel would be
bizarre, but it would no longer infringe upon SCO's copyrights.
Such a series of events would not change SCO's case in any way, however.
If IBM truly misappropriated SCO's code, that act remains. And it is an
act that cannot be hidden; the evidence is distributed, beyond recall, all
over the Internet. And all over the physical world as well. So even if
the Kernel Janitors do
an especially effective cleanup job, SCO could certainly manage to send one
of its brand-name lawyers down to a local computer store to pick up a boxed
set of the distribution of their choice. "Exhibit A" should not be
that hard to find.
Indeed, the company could simply submit one of its own products to the
court. SCO is, with full knowledge now, distributing the disputed source
licensed under the GPL. There are two possible conclusions that can be
reached from this action:
- SCO has agreed that the code which - it claims - was taken from Unix
can now be distributed under the GPL. This would not necessarily make
the case moot - SCO might not have agreed to the initial disclosure -
but it certainly removes the need to "launder" anything.
- SCO is knowingly distributing a derived product from a GPL-licensed
program (the kernel) which is not, itself, licensed under the GPL. If
SCO is claiming proprietary rights on the kernel that it is shipping,
then SCO is in violation of the GPL, and loses the right to distribute
the kernel at all.
Either way, the implications are interesting. If it looks like SCO is in
violation of the GPL, the development community is unlikely to adopt a
forgiving attitude. The first big Linux lawsuit could end up giving birth
to the first big GPL case.
[As a postscript: SCO's veiled hints that the free software community is
behind the denial of service attack on its web site border on libel. As
Eric Raymond has pointed out,
Linux hackers have better things to do. Criminal attacks do not help us in
any way, and are not the free software way of doing things.]
Comments (none posted)
A Look At WineX
[This article was contributed by Joe 'Zonker'
Brockmeier]
Gaming is still an area where Windows is, so to speak, way ahead of the
game. Since
Loki Entertainment Software went under, Linux gamers have had little hope
of seeing a wide
selection of popular games for Linux. However, the folks at
TransGaming are trying to bridge the gap with WineX. TransGaming recently released
version 3.0 of WineX, a product that's designed to allow Linux users
to run Windows games on Linux. I took it for a spin recently to see
just how well the product worked, and whether WineX is the answer to
gaming on Linux. The answer, as it turns out, is "maybe."
WineX is not compatible with all Windows games on the market. In
fact, TransGaming supports only a small subset of Windows games. You
can find a full list of supported games on TransGaming's
site along with ratings for games that have been tested by
TransGaming or submitted by their users.
I tested WineX 3.0 on a machine with an Athlon XP 2000+ CPU, one gigabyte
of RAM and an ATI Radeon 9000 with 64 MB of RAM running Mandrake
Linux 9.1. It's not as brawny as many gaming machines, but it's no
slouch in the speed department either. I've been running native Linux
versions of Quake III Arena and Unreal Tournament on it for some
time, and I'm happy with the performance of those games.
Setting up WineX 3.0 is pretty easy: I just grabbed the WineX RPM and
installed it. I also installed their Point2Play GUI, but I didn't
have very good luck with it. At first, it couldn't even find my
CD-ROM or DVD drives -- apparently the format of Mandrake's
/etc/fstab threw it for a loop. Even after I fixed that, the options
for installing a game using Point2Play remained greyed out. That's
not really a big deal; installing a game with WineX is easy enough
from the command line. All you need to do is mount the CD-ROM and run
"winex3 setup.exe" (replacing "setup.exe" with the appropriate name
for the setup program) and run through the normal installation
procedure you'd go through in Windows.
I tested several games, some on TransGaming's list and some not, and
only had real success with two games. To be fair, the games that
didn't function were either not on the list or marked as working
poorly. Half-Life installed, but threw an error after startup and
then hung on a black screen with an hourglass cursor. I suspect that
if I spent some time tweaking the config file, I could probably get it to
work. The installation program for Dungeon Master died midway through
the install, as did the installer for MDK 2.
Then I tried installing the Windows version of Return to Castle
Wolfenstein. This installed flawlessly. Then I began the grueling
work of actually testing the game. After several hours of gameplay I
didn't notice any glitches or problems with Wolfenstein. I had
success switching the resolution, tweaking the brightness, saving and
loading games -- in short, it seemed to work perfectly. I then
installed Heretic II. I had to tweak the WineX configuration file so
that Heretic would realize that the CD-ROM was in the drive, but it
also ran perfectly after I made the switch.
WineX 3.0 kind of reminds me of the days when I used to buy a DOS
game and cross my fingers hoping that it would run on my computer.
Some games would install and run easily, others would take a little
wrestling to get them to run, and others never ran due to conflicts
with this or that piece of hardware or for some other almost
unknowable reason. The difference here is that TransGaming is
continuously working on WineX, so it's possible that a game that
doesn't run today will run sometime down the road.
While WineX may not be compatible with a fair number of games, the
performance of the games that are compatible is very satisfying. If
you're thinking that you want to run a Windows game under Linux, my
advice would be to check TransGaming's list of compatible games
first. If your game is on the list with a working rating of 4 or 5,
you can feel pretty confident that you'll be able to play your game
on Linux with WineX and be happy with the performance and stability
of that game. Otherwise, proceed with caution.
Even though WineX doesn't run everything under the sun, I still think
it's worth the price. TransGaming doesn't sell WineX as a boxed
product; you have to subscribe to WineX to get the prepackaged files.
They offer RPMs and Debian packages of current releases only to
subscribers, but you can access their CVS and try to build it
yourself from source. I didn't try this, but would be curious to hear
what kind of success others have had. The pricing for the
subscription is pretty reasonable, just $5 a month with a 3-month
minimum. Even if you cancel the subscription after the initial three
months, you still have the releases that you download during your
subscription. It's not a perfect solution, but WineX does show a lot
of promise.
Comments (6 posted)
Page editor: Jonathan Corbet
Security
Security news
Hardening Linux against buffer overflows
Whenever kernel hacker Ingo Molnar disappears for a while, it is reasonable
to expect that he will resurface with some interesting new development. In
the past, he has materialized with the TUX in-kernel web server, the O(1)
scheduler, and the new kernel threads implementation. His most recent
offering, however, has to do with making Linux systems more resilient in
the face of buffer overflow vulnerabilities.
The new "Exec Shield" patch (which applies
to the 2.4.21 release candidate kernel) takes several steps to fight buffer
overflows, including:
- Engaging in some x86 segmentation magic to minimize the range of
addresses where the processor can execute code. This approach is
essentially a hack to work around the inconvenient fact that the x86
architecture lacks a page table flag for controlling execute
permission. By playing with segments, this patch makes it impossible
to execute code on the stack and in as much of the data area as
possible. As a result, the execution of exploit code delivered via
buffer overflows becomes far more difficult.
- As much executable code as possible is moved into the lowest part
of the virtual address space - below 16MB. Addresses in this range
begin with a zero byte, making them hard to create with purely ASCII
overflows. Many applications which deal with C strings cannot be
overflowed with a string containing NULL bytes. Others, of course,
will read any sort of data and will not be affected by this particular
change. For applications for which this measure is effective, however
(and that set includes most web-based applications), this shift into
the "ASCII armor" area will block exploits which work by jumping into
library code which might, say, execute a shell.
- A subsequent release of the patch
includes shared library and stack address randomization. These
measures make mass exploits harder, since each target process is
different.
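As an added illustration of the "ASCII armor" point above (this is example code written for this page, not code from the Exec Shield patch or from the article), the C program below models a strcpy()-style overflow into an 8-byte buffer followed by two 4-byte words, standing in for a saved return address and the word after it. The armor boundary (0x01000000, i.e. 16MB), the pre-overflow word contents and the sample addresses are all constructed. Because a C string copy stops at the first NUL byte and writes that NUL, an address with a zero top byte can land only as the very last thing the copy writes; nothing after it can be delivered, whereas an address above the boundary lets the copy run on into the next word. A zero byte anywhere but the top position truncates the address itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed boundary of the "ASCII armor" region: code mapped below 16MB has
 * a 32-bit address whose most significant byte is zero. */
#define ASCII_ARMOR_LIMIT 0x01000000u

#define BUF_LEN 8                    /* modelled overflowable buffer */
#define REGION_LEN (BUF_LEN + 8)     /* buffer plus two 4-byte words */
#define MODEL_LEN (REGION_LEN + 1)   /* one spare byte for the terminator */
#define ORIGINAL_WORD 0xdeadbeefu    /* constructed pre-overflow contents */

static void put_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

static uint32_t get_le32(const unsigned char *p) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* 1 if addr lies in the armored region, i.e. its top byte is 0x00. */
int in_ascii_armor(uint32_t addr) {
    return addr < ASCII_ARMOR_LIMIT;
}

/* Model a strcpy() of an over-long C string into a region laid out as
 * BUF_LEN filler bytes, then word0, then word1 (little-endian, as on x86).
 * The copy stops at the first NUL in the source and writes that NUL,
 * exactly as strcpy() does. Nothing here touches a real stack frame. */
static void model_string_overflow(uint32_t word0, uint32_t word1,
                                  unsigned char region[MODEL_LEN]) {
    unsigned char src[MODEL_LEN];
    memset(region, 0xcc, MODEL_LEN);
    put_le32(region + BUF_LEN, ORIGINAL_WORD);
    put_le32(region + BUF_LEN + 4, ORIGINAL_WORD);

    memset(src, 'A', BUF_LEN);
    put_le32(src + BUF_LEN, word0);
    put_le32(src + BUF_LEN + 4, word1);
    src[REGION_LEN] = 0;

    size_t i = 0;
    while (src[i] != 0) { region[i] = src[i]; i++; }
    region[i] = 0;                   /* the terminator is written too */
}

/* Contents of the first word after the modelled copy. */
uint32_t word0_after_overflow(uint32_t word0, uint32_t word1) {
    unsigned char region[MODEL_LEN];
    model_string_overflow(word0, word1, region);
    return get_le32(region + BUF_LEN);
}

/* Contents of the second word after the modelled copy. */
uint32_t word1_after_overflow(uint32_t word0, uint32_t word1) {
    unsigned char region[MODEL_LEN];
    model_string_overflow(word0, word1, region);
    return get_le32(region + BUF_LEN + 4);
}

int main(void) {
    uint32_t cases[3] = { 0x00a01234u, 0x00a00034u, 0x40012345u }; /* constructed */
    for (int c = 0; c < 3; c++) {
        uint32_t a = cases[c];
        printf("address 0x%08x (%s armor): word0=0x%08x word1=0x%08x\n",
               (unsigned)a, in_ascii_armor(a) ? "inside" : "outside",
               (unsigned)word0_after_overflow(a, 0x41414141u),
               (unsigned)word1_after_overflow(a, 0x41414141u));
    }
    return 0;
}
```

The second word is what a chained return-into-library call would need to control; with an in-armor address it keeps its original value, which is the property the patch relies on for applications that take their input through C-string functions.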
This approach, note, is different from that used in the recent OpenBSD 3.3 release. OpenBSD does not (yet)
provide executable stack protection on the x86 architecture; instead, it
relies on detecting buffer overflows with a modified compiler that installs
(and checks) "canaries" on the stack. The OpenBSD "W^X" execute permission
control will be extended to the x86 architecture in 3.4.
So does this approach bring any real security? Non-executable stack
patches have failed to get into the Linux kernel before, since Linus does not believe in
them:
In short, anybody who thinks that the non-executable stack gives
them any real security is very very much living in a dream
world. It may catch a few attacks for old binaries that have
security problems, but the basic problem is that the binaries allow
you to overwrite their stacks.
The real solution, says Linus, is to fix the applications. That is
undoubtedly true, but fixing all of the applications out there (and keeping
them fixed) is not an easy task. In the meantime, raising the bar for
potential attackers may well be the right thing to do. It would not be
surprising to see this patch find its way into the kernels shipped by the
major distributors, even if Linus does not accept it into the mainline.
Comments (5 posted)
OpenSSL pursuing FIPS 140-2 cryptographic certification
The
Open Source Software Institute
is leading an effort to secure National Institute of Standards and
Technology's (NIST) FIPS 140-2 level 1 cryptographic certification for
OpenSSL. Hewlett-Packard has provided funding to support the certification
effort. In addition, Gary Gross, of HP, is serving as OSSI's program
manager and technical lead for the FIPS 140-2 certification program. The
press
release is in PDF format. (Thanks to David A. Wheeler)
Comments (none posted)
New vulnerabilities
epic4: buffer overflows and arbitrary code execution
| Package(s): | epic4 |
| CVE #(s): | |
| Created: | May 2, 2003 |
| Updated: | May 22, 2003 |
| Description: | Timo Sirainen discovered several problems in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user. |
| Alerts: | |
Comments (none posted)
fuzz: symlink vulnerability
| Package(s): | fuzz |
| CVE #(s): | |
| Created: | May 7, 2003 |
| Updated: | May 7, 2003 |
| Description: | The fuzz software stress testing tool has a temporary file vulnerability which can be exploited by a local attacker. |
| Alerts: | |
Comments (none posted)
leksbot: improper setuid-root execution
| Package(s): | leksbot |
| CVE #(s): | |
| Created: | May 6, 2003 |
| Updated: | May 7, 2003 |
| Description: | Maurice Massar discovered that, due to a packaging error, the program /usr/bin/KATAXWR was inadvertently installed setuid root. This program was not designed to run setuid, and contained multiple vulnerabilities which could be exploited to gain root privileges. |
| Alerts: | |
Comments (none posted)
mod_auth_any: remote exploit
| Package(s): | mod_auth_any |
| CVE #(s): | CAN-2003-0084 |
| Created: | May 2, 2003 |
| Updated: | May 7, 2003 |
| Description: | mod_auth_any is a web server module that allows the Apache httpd server to call arbitrary external programs to verify user passwords. Vulnerabilities have been found in the way mod_auth_any escapes shell arguments when calling external programs. These vulnerabilities allow remote attackers to run arbitrary commands as the user under which the Web server is running. |
| Alerts: | |
Comments (none posted)
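The mod_auth_any entry above describes the classic failure of passing user-controlled fields through a shell. As an added example (written for this page, not mod_auth_any's own code), the C program below shows the two patterns side by side: a naive command line built with snprintf(), which is only constructed here and never executed, and a fork()/execv() path that hands each field to the external checker as its own argv entry, so the shell never sees it and no escaping is needed. The checker path /usr/local/bin/checkpw and the sample password are constructed placeholders; the self-check uses /bin/sh with a fixed script as a stand-in checker.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fragile pattern: one command line handed to a shell. Every field the
 * client controls must be escaped exactly right for the shell in use; the
 * advisory above is what an escaping mistake costs. This function only
 * builds the string, it never executes it. Caller frees the result. */
char *build_shell_command(const char *checker, const char *user,
                          const char *pass) {
    size_t n = strlen(checker) + strlen(user) + strlen(pass) + 3;
    char *cmd = malloc(n);
    if (cmd != NULL) snprintf(cmd, n, "%s %s %s", checker, user, pass);
    return cmd;
}

/* Robust pattern: no shell at all. fork() and execv() the program with
 * each field as a separate argv entry. The kernel passes argv verbatim,
 * so characters such as ';', '|' or '`' carry no meaning. Returns the
 * child's exit status, 127 if exec failed, -1 on fork/wait failure. */
int run_argv_no_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                 /* only reached if execv() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* What an auth module would call: the checker receives the user name and
 * password as argv[1] and argv[2], untouched. */
int run_checker(const char *checker, const char *user, const char *pass) {
    char *const argv[] = { (char *)checker, (char *)user, (char *)pass, NULL };
    return run_argv_no_shell(argv);
}

/* Constructed sample password containing a shell command separator. */
static char SAMPLE_PASS[] = "x; echo injected";

/* 1 if the naive command line carries the separator unescaped, i.e. a
 * shell parsing it would see two commands where one was intended. */
int naive_command_has_unescaped_separator(void) {
    char *cmd = build_shell_command("/usr/local/bin/checkpw", "alice", SAMPLE_PASS);
    int found = cmd != NULL && strstr(cmd, "; echo") != NULL;
    free(cmd);
    return found;
}

/* Self-check: a stand-in checker (/bin/sh running a constant script that
 * is NOT built from the password) exits 0 only if argv[2] reached it
 * byte-for-byte. This exercises the same exec path run_checker() uses. */
int separator_arrives_verbatim(void) {
    char *const argv[] = { "/bin/sh", "-c", "[ \"$2\" = 'x; echo injected' ]",
                           "checker", "alice", SAMPLE_PASS, NULL };
    return run_argv_no_shell(argv) == 0;
}

int main(void) {
    char *cmd = build_shell_command("/usr/local/bin/checkpw", "alice", SAMPLE_PASS);
    printf("naive command line (not run): %s\n", cmd ? cmd : "(alloc failed)");
    free(cmd);
    printf("separator arrives verbatim via execv: %s\n",
           separator_arrives_verbatim() ? "yes" : "no");
    return 0;
}
```

A module written this way has no escaping logic to get wrong; the remaining concerns are the usual ones for a child process (environment, file descriptors, resource limits), not the shell's grammar.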
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
| Alerts: | |
Comments (1 posted)
Updated vulnerabilities
BitchX - denial of service
| Package(s): | BitchX |
| CVE #(s): | |
| Created: | February 20, 2003 |
| Updated: | May 26, 2003 |
| Description: | From this Bugtraq posting: A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx |
| Alerts: | |
Comments (none posted)
evolution: multiple vulnerabilities
| Package(s): | Evolution |
| CVE #(s): | CAN-2003-0128, CAN-2003-0129, CAN-2003-0130 |
| Created: | March 21, 2003 |
| Updated: | May 14, 2003 |
| Description: | Multiple vulnerabilities have been found in Ximian's Evolution Mail User Agent, according to this CoreLabs advisory. "Three vulnerabilities were found that could lead to various forms of exploitation ranging from denying to users the ability to read email, provoke system unstability, bypassing security context checks for email content and possibly execution of arbitrary commands on vulnerable systems." Ximian Evolution is a personal and workgroup information management solution for Linux and UNIX-based systems. The software integrates email, calendaring, meeting scheduling, contact management, and task lists, in one application. |
| Alerts: | |
Comments (1 posted)
LPRng: insecure temporary file
| Package(s): | LPRng |
| CVE #(s): | CAN-2003-0136 |
| Created: | April 14, 2003 |
| Updated: | June 16, 2003 |
| Description: | Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purposes when it is configured as a filter. The program does not check whether this file already exists or is linked to another place, and writes its current environment and called arguments to the file unconditionally with the user id daemon. |
| Alerts: | |
Comments (none posted)
perl-MailTools: remote command execution
| Package(s): | MailTools |
| CVE #(s): | CAN-2002-1271 |
| Created: | November 5, 2002 |
| Updated: | September 19, 2003 |
| Description: | The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body. Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. |
| Alerts: | |
Comments (none posted)
NetPBM: math overflow errors
| Package(s): | NetPBM |
| CVE #(s): | CAN-2003-0146 |
| Created: | March 17, 2003 |
| Updated: | May 27, 2003 |
| Description: | Al Viro and Alan Cox discovered several maths overflow errors in NetPBM, a set of graphics conversion tools. These programs are not installed setuid root but are often installed to prepare data for processing. These vulnerabilities may allow remote attackers to cause a denial of service or execute arbitrary code. |
| Alerts: | |
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
| CVE #(s): | CAN-2002-1323 |
| Created: | October 9, 2002 |
| Updated: | February 20, 2004 |
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. |
| Alerts: | |
Comments (none posted)
TCP/IP: inconsistent flag handling
| Package(s): | TCP/IP |
| CVE #(s): | |
| Created: | May 5, 2003 |
| Updated: | May 20, 2003 |
| Description: | Various vendors' TCP/IP implementations handle packets containing unusual flag combinations in different ways, which may lead to a violation of implicit or explicit security policies. See CERT VU#464113 and this BugTraq post for more information. |
| Alerts: | |
Comments (none posted)
apache 2.x: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2003-0132 |
| Created: | April 9, 2003 |
| Updated: | May 1, 2003 |
| Description: | Apache 2.0.x up to and including 2.0.44 has a denial of service vulnerability; Apache 2.0.45 fixes the problem. |
| Alerts: | |
Comments (1 posted)
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 21, 2002 |
| Updated: | May 15, 2003 |
| Description: | The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th). |
| Alerts: | |
Comments (none posted)
balsa: imap code buffer overflow
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here. No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago. Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory CA-2002-19: Buffer Overflow in Multiple DNS Resolver Libraries (CAN-2002-0651, CAN-2002-0684). |
| Alerts: | |
Comments (1 posted)
Bugzilla: several vulnerabilities.
| Package(s): | bugzilla |
| CVE #(s): | |
| Created: | April 30, 2003 |
| Updated: | May 21, 2003 |
| Description: | The Bugzilla bug tracking system has a new set of vulnerabilities which can lead to cross-site scripting and symlink attacks. Versions 2.16.3 and 2.17.4 contain the necessary fixes; see this advisory for the details. |
| Alerts: | |
Comments (none posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese language character input. A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt |
| Alerts: | |
Comments (none posted)
dvips: command execution vulnerability
| Package(s): | dvips |
| CVE #(s): | CAN-2002-0836 |
| Created: | October 16, 2002 |
| Updated: | June 10, 2003 |
| Description: | The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. |
| Alerts: | |
Comments (none posted)
ethereal - format string vulnerability
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0081 |
| Created: | March 10, 2003 |
| Updated: | June 12, 2003 |
| Description: | The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. See the full advisory for additional information. |
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: | |
Comments (3 posted)
file - memory allocation problem, stack overflow
| Package(s): | file |
| CVE #(s): | CAN-2003-0102 |
| Created: | March 4, 2003 |
| Updated: | June 4, 2003 |
| Description: | Jeff Johnson found a memory allocation problem and David Endler found a stack overflow corruption problem in the file "Automatic File Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section and program header handling in file version 3.40. The folks at OpenPKG believe that file versions without those modifications are vulnerable to memory allocation and stack overflow problems which put security at risk. |
| Alerts: | |
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 21, 2002 |
| Updated: | May 16, 2003 |
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2). |
| Alerts: | |
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 29, 2003 |
| Description: | Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc. Updating as soon as practical is a good idea. Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array() function when deserializing the XDR stream. |
| Alerts: | |
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331.) The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). |
| Alerts: | |
Comments (none posted)
glibc: integer overflow in the xdrmem_getbytes() function
| Package(s): | glibc krb5 dietlibc |
| CVE #(s): | CAN-2003-0028 |
| Created: | March 21, 2003 |
| Updated: | May 27, 2003 |
| Description: | An integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, and glibc, allows remote attackers to execute arbitrary code via certain integer values in length fields. See CAN-2003-0028 and CERT advisory CA-2003-10 for more information. |
| Alerts: | |
Comments (3 posted)
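The two glibc XDR entries above (the xdr_array() overflow, VU#192995, and the xdrmem_getbytes() overflow, CAN-2003-0028) share one root cause: a 32-bit length or count taken from the wire is used in arithmetic that silently wraps. The C program below is an added example for this page, not glibc's or SunRPC's code. It models a minimal in-memory XDR stream, shows the wrapping multiplication and the wrapping pos+len bounds test beside their checked forms, and decodes two constructed array headers, one ordinary and one with an element count chosen to wrap the product. The allocation ceiling MAX_ARRAY_BYTES is an assumed policy value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARRAY_BYTES (1u << 20)   /* assumed per-message allocation ceiling */

/* Big-endian 32-bit read, as XDR encodes integers on the wire. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The failure mode: count * elsize evaluated in 32-bit arithmetic wraps,
 * so a huge element count yields a tiny allocation that the decoder then
 * fills from the stream. Returns the wrapped product. */
uint32_t array_bytes_unchecked(uint32_t count, uint32_t elsize) {
    return count * elsize;
}

/* Hardened: reject counts that would overflow, or exceed the ceiling,
 * before multiplying. Returns 1 and sets *out on success, 0 otherwise. */
int array_bytes_checked(uint32_t count, uint32_t elsize, uint32_t *out) {
    if (elsize == 0 || count > MAX_ARRAY_BYTES / elsize) return 0;
    *out = count * elsize;
    return 1;
}

/* Minimal in-memory XDR stream, modelled on xdrmem: base, size, cursor. */
typedef struct { const unsigned char *base; uint32_t size; uint32_t pos; } xdr_mem;

/* The failure mode for getbytes: pos + len computed in 32 bits can wrap to
 * a small value and pass the test. Returns 1 if the flawed test accepts. */
int getbytes_bounds_unchecked(uint32_t pos, uint32_t size, uint32_t len) {
    return pos + len <= size;
}

/* Hardened: compare len against the remaining space, which cannot wrap as
 * long as pos <= size holds. Copies len bytes on success. */
int xdr_getbytes_checked(xdr_mem *x, unsigned char *dst, uint32_t len) {
    if (x->pos > x->size || len > x->size - x->pos) return 0;
    memcpy(dst, x->base + x->pos, len);
    x->pos += len;
    return 1;
}

/* Decode a constructed array header (4-byte big-endian element count).
 * Returns the byte count the checked path would allocate, 0 if rejected. */
uint32_t decode_array_header(const unsigned char *msg, uint32_t msglen, uint32_t elsize) {
    xdr_mem x = { msg, msglen, 0 };
    unsigned char hdr[4];
    uint32_t bytes;
    if (!xdr_getbytes_checked(&x, hdr, 4)) return 0;
    if (!array_bytes_checked(be32(hdr), elsize, &bytes)) return 0;
    return bytes;
}

/* Constructed sample headers: count 3, and count 0x40000001, which makes
 * 0x40000001 * 4 wrap to 4 in 32-bit arithmetic. */
const unsigned char SAMPLE_OK[4]   = { 0x00, 0x00, 0x00, 0x03 };
const unsigned char SAMPLE_HUGE[4] = { 0x40, 0x00, 0x00, 0x01 };

/* 1 if the checked reader refuses a length that would wrap pos + len. */
int getbytes_rejects_wrapping_len(void) {
    unsigned char stream[8] = { 0 };   /* constructed 8-byte stream */
    unsigned char dst[8];
    xdr_mem x = { stream, sizeof stream, 4 };
    return xdr_getbytes_checked(&x, dst, 0xFFFFFFFCu) == 0;
}

int main(void) {
    printf("unchecked 0x40000001 * 4 = %u bytes\n",
           (unsigned)array_bytes_unchecked(0x40000001u, 4));
    printf("checked decode of SAMPLE_OK:   %u bytes\n", (unsigned)decode_array_header(SAMPLE_OK, 4, 4));
    printf("checked decode of SAMPLE_HUGE: %u bytes (0 = rejected)\n",
           (unsigned)decode_array_header(SAMPLE_HUGE, 4, 4));
    printf("unchecked bounds test accepts pos=4,len=0xFFFFFFFC: %d\n",
           getbytes_bounds_unchecked(4, 8, 0xFFFFFFFCu));
    printf("checked getbytes rejects it: %d\n", getbytes_rejects_wrapping_len());
    return 0;
}
```

The two checks are the same idea applied to multiplication and to addition: compare the untrusted operand against the room available (a quotient or a difference) instead of computing the possibly-wrapping result and comparing that.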
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
IMP - SQL injection vulnerability
| Package(s): | imp |
| CVE #(s): | CAN-2003-0025 |
| Created: | January 15, 2003 |
| Updated: | July 8, 2003 |
| Description: | The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem. |
| Alerts: | |
Comments (1 posted)
kde: arbitrary code execution
| Package(s): | kde |
| CVE #(s): | CAN-2003-0204 |
| Created: | April 10, 2003 |
| Updated: | June 30, 2003 |
| Description: | The KDE Security team has issued an advisory on a vulnerability present in all versions of KDE that allows a remote attacker to execute arbitrary commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2, patches to the KDE 2.2.2 sources have been made available. KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files. An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such a malicious file and has file previews enabled. An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possibly other means. |
| Alerts: | |
Comments (none posted)
kerberos - cryptographic weakness
Package(s): kerberos, heimdal, openafs
CVE #(s): CAN-2003-0138, CAN-2003-0139
Created: March 26, 2003
Updated: May 27, 2003
Description:
Version 4 of the Kerberos protocol contains a cryptographic weakness which
enables a chosen-plaintext attack. A suitably equipped attacker can
impersonate any principal in the realm. Another weakness allows the
creation of false Kerberos tickets. Given the weaknesses in the
cryptography, cross-realm authentication cannot be performed in a secure
way.
The OpenAFS kaserver implements version 4 of the Kerberos protocol, and is
therefore also vulnerable.
Comments (none posted)
kernel - ptrace-related vulnerability
Package(s): kernel
CVE #(s): CAN-2003-0127
Created: March 17, 2003
Updated: June 30, 2003
Description:
Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in
ptrace() which may be exploited by a local user to obtain root access. The
announcement contains the details and a patch for 2.4.20. For 2.2 users,
2.2.25 has been released with the fix.
Comments (none posted)
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains the user mode linux (UML) utilities.
The uml_net utility in the kernel-utils package shipped with Red Hat Linux
8.0 was incorrectly installed setuid root. This could allow local users to
control certain network interfaces, add and remove arp entries and routes,
and put interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around, issue the following command as root:
chmod -s /usr/bin/uml_net
Comments (none posted)
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in the handling of 16-bit
samples in libpng, an interface for reading and writing PNG (Portable
Network Graphics) format files. The starting offsets for the loops are
calculated incorrectly, which causes a buffer overrun beyond the beginning
of the row buffer.
Comments (none posted)
lprold - buffer overflow in lprm
Package(s): lprold lpd
CVE #(s): CAN-2003-0144
Created: March 13, 2003
Updated: May 28, 2003
Description:
The lprm command of the printing package lprold contains a buffer
overflow. This buffer overflow can be exploited by a local user, if the
printer system is set up correctly, to gain root privileges.
Comments (none posted)
lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: October 1, 2003
Description:
If lynx is given a URL containing certain special characters on the command
line, it will include faked headers in the HTTP request it sends. This can
be used to force scripts that use lynx for downloading files to access the
wrong site on a web server with multiple virtual hosts.
Comments (none posted)
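An added illustration of the mechanism described in this entry (example code written for this page, not lynx's code): a URL path carrying an encoded carriage return and line feed is copied verbatim into the request line, so the bytes after the CR LF are sent as a second, attacker-chosen Host: header, which is what lets a virtual-hosting server be steered to the wrong site. The decoder, the builder functions, the host name www.example.com and the crafted sample URL are assumptions for the example; the hardened builder refuses any path containing a control byte.

```c
/* Added example: not lynx's code. Shows how CR/LF smuggled into a URL
 * path ends up as an extra header line in the outgoing HTTP request,
 * and a check that refuses such paths. Function names, the host
 * www.example.com and the sample URLs are assumptions for the example. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes, as a URL taken from the command line would be. */
void url_decode(char *dst, size_t dstsz, const char *src) {
    size_t i = 0;
    for (; *src && i + 1 < dstsz; src++) {
        if (*src == '%' && isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[i++] = (char)strtol(hex, NULL, 16);
            src += 2;
        } else {
            dst[i++] = *src;
        }
    }
    dst[i] = '\0';
}

/* Naive request builder: the decoded path is copied verbatim into the
 * request line, so a CR LF inside it terminates that line early and
 * whatever follows is sent as a header. Returns 1 on success. */
int build_request_naive(char *out, size_t outsz, const char *host, const char *path) {
    int n = snprintf(out, outsz, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    return n > 0 && (size_t)n < outsz;
}

/* Returns 1 if the path contains CR, LF or any other control byte. */
int path_has_control_chars(const char *path) {
    for (; *path; path++)
        if ((unsigned char)*path < 0x20 || *path == 0x7f)
            return 1;
    return 0;
}

/* Hardened builder: refuse paths that could break out of the request line. */
int build_request_checked(char *out, size_t outsz, const char *host, const char *path) {
    if (path_has_control_chars(path))
        return 0;
    return build_request_naive(out, outsz, host, path);
}

/* Count header lines starting with "Host:"; a well-formed request has one. */
int count_host_headers(const char *req) {
    int count = 0;
    const char *p = req;
    while ((p = strstr(p, "Host:")) != NULL) {
        if (p == req || p[-1] == '\n')
            count++;
        p += 5;
    }
    return count;
}

/* Decode raw_path, build the request with the naive or checked builder,
 * and report how many Host: headers the result carries (-1 if refused). */
int host_headers_for(const char *raw_path, int checked) {
    char path[256], req[512];
    url_decode(path, sizeof path, raw_path);
    int ok = checked ? build_request_checked(req, sizeof req, "www.example.com", path)
                     : build_request_naive(req, sizeof req, "www.example.com", path);
    return ok ? count_host_headers(req) : -1;
}

int main(void) {
    /* constructed URL path: an encoded CR LF pair followed by a second Host header */
    const char *evil = "/index.html%0d%0aHost:%20other.example.com";
    printf("naive builder, crafted path:   %d Host: header(s)\n", host_headers_for(evil, 0));
    printf("checked builder, crafted path: %d (refused)\n", host_headers_for(evil, 1));
    printf("checked builder, plain path:   %d Host: header(s)\n", host_headers_for("/index.html", 1));
    return 0;
}
```

The naive builder turns the crafted path into a request whose first Host: line names other.example.com, and since most servers honour the first Host header they see, that is the virtual host that answers; a script that only checks the URL it passed to lynx never notices.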
man - code execution vulnerability
Package(s): man
CVE #(s): CAN-2003-0124
Created: March 19, 2003
Updated: May 7, 2003
Description:
Versions of man prior to 1.51 contain a code execution vulnerability which
can be exploited by a carefully crafted man file. See the advisory for the
details.
Comments (none posted)
mgetty spool permission
Package(s): mgetty
CVE #(s): CAN-2002-1391, CAN-2002-1392
Created: April 8, 2003
Updated: May 13, 2003
Description:
mgetty is a getty replacement for use with data and fax modems.
mgetty can be configured to run an external program to decide whether or
not to answer an incoming call based on Caller ID information. Unpatched
versions of mgetty prior to 1.1.29 would overflow an internal buffer if the
caller name reported by the modem was too long.
Additionally, the faxspool script supplied with versions of mgetty prior to
1.1.29 used a simple permissions scheme to allow or deny fax transmission
privileges. This scheme was easily circumvented because the spooling
directory used for outgoing faxes was world-writable.
Comments (none posted)
mime-support: insecure temporary file creation
Package(s): mime-support
CVE #(s): (none assigned)
Created: April 22, 2003
Updated: April 30, 2003
Description:
Colin Phipps discovered several problems in mime-support, which contains
support programs for the MIME control files 'mime.types' and 'mailcap'.
When a temporary file is to be used it is created insecurely, allowing an
attacker to overwrite arbitrary files under the user id of the person
executing run-mailcap, most probably root. Additionally, the program did
not properly escape shell metacharacters when executing a command. This is
unlikely to be exploitable, though.
Comments (none posted)
Monkey HTTPd Remote Buffer Overflow
Package(s): monkeyd
CVE #(s): (none assigned)
Created: April 28, 2003
Updated: April 30, 2003
Description:
A buffer overflow vulnerability exists in Monkey's handling of forms
submitted with the POST request method. The unchecked buffer lies in the
PostMethod() procedure. The advisory contains more information.
Comments (none posted)
mysql - configuration file vulnerability
Package(s): mysql mysqld
CVE #(s): CAN-2003-0150
Created: March 18, 2003
Updated: May 16, 2003
Description:
According to a report on BugTraq, a vulnerability exists in version 3.23.55
and earlier versions of the MySQL server. If the MySQL server is launched
by root, as is often done by system startup scripts, any database user with
the "FILE" privilege can write a configuration file (usually my.cnf) that
causes the MySQL server to run under an arbitrary user id, including the
user id of the super-user, on the next restart.
Comments (none posted)
net-snmp: denial of service vulnerability
Package(s): net-snmp
CVE #(s): CAN-2002-1170
Created: December 17, 2002
Updated: November 7, 2003
Description:
The SNMP daemon included in Net-SNMP versions 5.0.1 through 5.0.4 can be
made to crash by sending it a specially crafted packet.
Comments (none posted)
nethack: buffer overflow
Package(s): nethack, slashem, falconseye
CVE #(s): CAN-2003-0358, CAN-2003-0359
Created: February 18, 2003
Updated: July 15, 2003
Description:
Overflowing a buffer in nethack may lead to privilege escalation to the
games uid. Read the full advisory for the details.
Note that falconseye does not contain the file permission error
(CAN-2003-0359) which affected some other nethack packages.
Comments (none posted)
netscape-flash: buffer overflow
Package(s): netscape-flash
CVE #(s): (none assigned)
Created: March 10, 2003
Updated: June 20, 2003
Description:
Potentially exploitable buffer overflows exist in the Macromedia Flash
Player. From the full advisory:
"The cumulative security patch is available today and addresses the
potential for exploits surrounding buffer overflows (read/write) and
sandbox integrity within the player, which might allow malicious users to
gain access to a user's computer. The possibility of running native code on
a user's machine is a theoretical exploit, and extremely difficult to
execute in practice. There are no known examples of running such native
code from Macromedia Flash movies; however, even though this issue is
difficult and theoretical in nature only, we are encouraging users to
upgrade."
Comments (none posted)
openssl: local and remote extraction of RSA private key
Package(s): openssl, apache, mod_ssl
CVE #(s): CAN-2003-0147
Created: March 18, 2003
Updated: May 22, 2003
Description:
David Brumley and Dan Boneh of Stanford University have researched and
documented a timing attack on OpenSSL which allows local and remote
attackers to extract the RSA private key of a server. The OpenSSL RSA
implementation is generally vulnerable to this type of attack unless RSA
blinding has been turned on. See their paper (PDF format) for additional
details.
Typically, RSA blinding is not enabled by OpenSSL-based applications,
mainly because it is not obvious how to do so when using OpenSSL to provide
SSL/TLS. This problem affects almost all applications using OpenSSL; they
must be rebuilt against the fixed OpenSSL version (where RSA blinding is
now enabled by default) or must enable RSA blinding explicitly themselves.
The performance impact of RSA blinding appears to be small (a few percent
only) and the RSA functionality remains fully compatible. The Common
Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0147
to the problem.
Comments (none posted)
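An added worked example of what "RSA blinding" means (example code written for this page, not OpenSSL's code): the private operation is run not on the attacker's ciphertext c but on c * r^e mod n for a secret random r, and the result is corrected afterwards by multiplying with r^-1. Because r^(ed) = r mod n, the answer is unchanged, but the value whose exponentiation the attacker can time no longer depends only on c. The toy key (n = 3233, e = 17, d = 2753), the plaintext 65 and the blinding factors are assumptions chosen for the example and are far too small for real use; in OpenSSL applications the same effect is obtained with the library's RSA_blinding_on() call, or by default in the fixed releases named above.

```c
/* Added example: not OpenSSL's code. RSA private-key operation with and
 * without blinding, on the textbook toy key n = 3233 (61 * 53), e = 17,
 * d = 2753. Function names and sample values are assumptions. */
#include <stdint.h>
#include <stdio.h>

/* base^exp mod mod by square-and-multiply; all operands < 2^32 so no overflow. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse of a mod m by the extended Euclidean algorithm;
 * assumes gcd(a, m) == 1, which blinding requires of r. */
uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr;
        int64_t tmp = t - q * newt;
        t = newt; newt = tmp;
        tmp = r - q * newr;
        r = newr; newr = tmp;
    }
    if (t < 0)
        t += (int64_t)m;
    return (uint64_t)t;
}

/* Unblinded private operation: m = c^d mod n. The running time of the
 * exponentiation is a function of c, which the attacker chooses. */
uint64_t rsa_private_plain(uint64_t c, uint64_t d, uint64_t n) {
    return modpow(c, d, n);
}

/* Blinded private operation. r is a secret random value with gcd(r, n) == 1.
 *   1. blind:    c' = c * r^e mod n
 *   2. exponent: m' = c'^d mod n      (operates on c', not on the attacker's c)
 *   3. unblind:  m  = m' * r^-1 mod n
 * Since r^(e*d) == r (mod n), the result equals c^d mod n. */
uint64_t rsa_private_blinded(uint64_t c, uint64_t d, uint64_t e, uint64_t n, uint64_t r) {
    uint64_t blinded = (c * modpow(r, e, n)) % n;
    uint64_t mprime = modpow(blinded, d, n);
    return (mprime * modinv(r, n)) % n;
}

/* Check that blinding changes the value exponentiated but not the answer,
 * for several blinding factors. Returns 1 if every case agrees. */
int blinding_roundtrip_ok(void) {
    const uint64_t n = 3233, e = 17, d = 2753;
    const uint64_t m = 65;                 /* constructed plaintext */
    const uint64_t c = modpow(m, e, n);    /* the ciphertext, 2790 */
    const uint64_t rs[] = { 7, 1234, 3000 };   /* constructed blinding factors, coprime to n */
    for (size_t i = 0; i < sizeof rs / sizeof rs[0]; i++) {
        if (rsa_private_blinded(c, d, e, n, rs[i]) != m)
            return 0;
        if ((c * modpow(rs[i], e, n)) % n == c)   /* the exponentiated value must differ from c */
            return 0;
    }
    return rsa_private_plain(c, d, n) == m;
}

int main(void) {
    const uint64_t n = 3233, e = 17, d = 2753, c = 2790;
    printf("plain:   c^d mod n = %llu\n", (unsigned long long)rsa_private_plain(c, d, n));
    printf("blinded (r=7):    = %llu\n", (unsigned long long)rsa_private_blinded(c, d, e, n, 7));
    printf("blinded (r=3000): = %llu\n", (unsigned long long)rsa_private_blinded(c, d, e, n, 3000));
    printf("round trip: %s\n", blinding_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Both paths decrypt 2790 to 65, while the number actually raised to the power d differs with every r; a real implementation draws a fresh r for each operation (or re-squares a cached one) so that no two timings share the same blinded input.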
pam_xauth: root exploit
Package(s): pam_xauth
CVE #(s): CAN-2002-1160
Created: February 13, 2003
Updated: July 10, 2003
Description:
The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions o |