
LWN.net Weekly Edition for May 8, 2003

Free licenses and warranties

Releasing a work - be it code, words, sounds, or images - under a free license is not just a matter of tossing in a file called COPYING and putting up a tarball. It is a legal decision which may have long-term implications. For an example, consider this discussion on the warranty provisions of the Creative Commons licenses.

The Creative Commons offers several licenses to fit different people's wishes regarding attribution, commercial use, and derived works. They range from being very GPLish, to something that looks vaguely like the BSD license (though rather more complicated), to others that would not be considered "free" by most in the community. One thing they have in common, however, is a fairly strong warranty provision:

By offering the Work for public release under this License, Licensor represents and warrants that, to the best of Licensor's knowledge after reasonable inquiry:
  1. Licensor has secured all rights in the Work necessary to grant the license rights hereunder and to permit the lawful exercise of the rights granted hereunder without You having any obligation to pay any royalties, compulsory license fees, residuals or any other payments;
  2. The Work does not infringe the copyright, trademark, publicity rights, common law rights or any other right of any third party or constitute defamation, invasion of privacy or other tortious injury to any third party.

In other words, when you release a work under a Creative Commons license, you are making a promise to any potential user that nobody else has any rights to that work that could require payments from that user. This is a warranty: should a third party come to one of your users for royalties or damages, they can come back to you. Releasing a work under one of these licenses means taking on a legal liability.

This feature of the Creative Commons licenses is deliberate: it is intended to give users of CC-licensed works confidence that they can truly use and redistribute those works without getting into trouble. This sort of language is not uncommon; anybody who has had a book published, for example, has signed off on a warranty that is at least as strong as the CC licenses require. But some authors who release under a CC license may not understand the commitment that they are making. The Creative Commons folks will apparently be making some changes to make the warranty commitment clearer.

What about other licenses? The GNU General Public License is clear that the covered works come (in capital letters) "WITHOUT WARRANTY OF ANY KIND." Other common licenses, including the Apache Public License, the Artistic License, the BSD License, the Mozilla Public License, and others all include warranty disclaimers. The Open Software License, instead, reads:

Licensor warrants that the copyright in and to the Original Work is owned by the Licensor or that the Original Work is distributed by Licensor under a valid current license from the copyright owner.

In other words, authors using the OSL are taking on a warranty obligation. The GNU Free Documentation License, interestingly, states only that any warranty disclaimers must be preserved. Authors releasing under that license should probably add an explicit statement of their warranty position.

Of course, no warranty disclaimers will keep you out of trouble if a litigious third party decides that you are distributing their intellectual property. For example, should SCO manage to prove in court that the famous "printer on fire" kernel message was stolen by IBM and placed in the Linux kernel, the fact that the relevant code was released under the GPL (if it was) will prevent other Linux distributors from suing IBM, but it will not help against SCO.

Regardless of disclaimers, anybody distributing material under a free license had better be sure that they have the right to do so. Once that is done, however, it is worth being aware of just what sort of warranty you are promising people who are making free use of your work.

Comments (6 posted)

Silly Corporate Obnoxiousness

The latest bit of amusement in the SCO suit comes from this talk with SCO CEO Darl McBride on News.com. Mr. McBride is now making direct claims that Unix source code has been copied into the Linux kernel. But don't hold your breath while waiting to see where this copying has happened:

"We feel very good about the evidence that is going to show up in court. We will be happy to show the evidence we have at the appropriate time in a court setting," McBride said. "The Linux community would have me publish it now, (so they can have it) laundered by the time we can get to a court hearing. That's not the way we're going to go."

Mr. McBride's contempt for the Linux developer community is, it would seem, exceeded only by his contempt for the public as a whole. It takes little thought to realize that his claims make no sense whatsoever.

The Linux community, of course, would be incapable of "laundering" the code, since it is, according to SCO, incapable of implementing (or reimplementing) anything so advanced without stealing it. Of course, perhaps this band of thieves could rip off replacement code from somewhere else. Suppose, for the sake of argument, that the code in question is "laundered" with a replacement stolen from, say, CP/M. The resulting kernel would be bizarre, but it would no longer infringe upon SCO's copyrights.

Such a series of events would not change SCO's case in any way, however. If IBM truly misappropriated SCO's code, that act remains. And it is an act that cannot be hidden; the evidence is distributed, beyond recall, all over the Internet. And all over the physical world as well. So even if the Kernel Janitors do an especially effective cleanup job, SCO could certainly manage to send one of its brand-name lawyers down to a local computer store to pick up a boxed set of the distribution of their choice. "Exhibit A" should not be that hard to find.

Indeed, the company could simply submit one of its own products to the court. SCO is, with full knowledge now, distributing the disputed source licensed under the GPL. There are two possible conclusions that can be reached from this action:

  • SCO has agreed that the code which - it claims - was taken from Unix can now be distributed under the GPL. This would not necessarily make the case moot - SCO might not have agreed to the initial disclosure - but it certainly removes the need to "launder" anything.

  • SCO is knowingly distributing a derived product from a GPL-licensed program (the kernel) which is not, itself, licensed under the GPL. If SCO is claiming proprietary rights on the kernel that it is shipping, then SCO is in violation of the GPL, and loses the right to distribute the kernel at all.

Either way, the implications are interesting. If it looks like SCO is in violation of the GPL, the development community is unlikely to adopt a forgiving attitude. The first big Linux lawsuit could end up giving birth to the first big GPL case.

[As a postscript: SCO's veiled hints that the free software community is behind the denial of service attack on its web site border on libel. As Eric Raymond has pointed out, Linux hackers have better things to do. Criminal attacks do not help us in any way, and are not the free software way of doing things.]

Comments (none posted)

A Look At WineX

[This article was contributed by Joe 'Zonker' Brockmeier]

Gaming is still an area where Windows is, so to speak, way ahead of the game. Since Loki Entertainment Software went under, Linux gamers have had little hope of seeing a wide selection of popular games for Linux. However, the folks at TransGaming are trying to bridge the gap with WineX. TransGaming recently released version 3.0 of WineX, a product that's designed to allow Linux users to run Windows games on Linux. I took it for a spin recently to see just how well the product worked, and whether WineX is the answer to gaming on Linux. The answer, as it turns out, is "maybe."

WineX is not compatible with all Windows games on the market. In fact, TransGaming supports only a small subset of Windows games. You can find a full list of supported games on TransGaming's site along with ratings for games that have been tested by TransGaming or submitted by their users.

I tested WineX 3.0 on a machine with an Athlon XP 2000+ CPU, one gigabyte of RAM and an ATI Radeon 9000 with 64 MB of RAM running Mandrake Linux 9.1. It's not as brawny as many gaming machines, but it's no slouch in the speed department either. I've been running native Linux versions of Quake III Arena and Unreal Tournament on it for some time, and I'm happy with the performance of those games.

Setting up WineX 3.0 is pretty easy; I just grabbed the WineX RPM and installed it. I also installed their Point2Play GUI, but I didn't have very good luck with it. At first, it couldn't even find my CD-ROM or DVD drives -- apparently the format of Mandrake's /etc/fstab threw it for a loop. Even after I fixed that, the options for installing a game using Point2Play remained greyed out. That's not really a big deal; installing a game with WineX is easy enough from the command line. All you need to do is mount the CD-ROM and run "winex3 setup.exe" (replacing "setup.exe" with the appropriate name for the setup program) and run through the normal installation procedure you'd go through in Windows.

I tested several games, some on TransGaming's list and some not, and only had real success with two games. To be fair, the games that didn't function were either not on the list or marked as working poorly. Half-Life installed, but threw an error after startup and then hung on a black screen with an hourglass cursor. I suspect that if I spent some time tweaking the config file, I could probably get it to work. The installation program for Dungeon Master died midway through the install, as did the installer for MDK 2.

Then I tried installing the Windows version of Return to Castle Wolfenstein. This installed flawlessly. Then I began the grueling work of actually testing the game. After several hours of gameplay I didn't notice any glitches or problems with Wolfenstein. I had success switching the resolution, tweaking the brightness, saving and loading games -- in short, it seemed to work perfectly. I then installed Heretic II. I had to tweak the WineX configuration file so that Heretic would realize that the CD-ROM was in the drive, but it also ran perfectly after I made the switch.

WineX 3.0 kind of reminds me of the days when I used to buy a DOS game and cross my fingers hoping that it would run on my computer. Some games would install and run easily, others would take a little wrestling to get them to run, and others never ran due to conflicts with this or that piece of hardware or for some other almost unknowable reason. The difference here is that TransGaming is continuously working on WineX, so it's possible that a game that doesn't run today will run sometime down the road.

While WineX may not be compatible with a fair number of games, the performance of the games that are compatible is very satisfying. If you're thinking that you want to run a Windows game under Linux, my advice would be to check TransGaming's list of compatible games first. If your game is on the list with a working rating of 4 or 5, you can feel pretty confident that you'll be able to play your game on Linux with WineX and be happy with the performance and stability of that game. Otherwise, proceed with caution.

Even though WineX doesn't run everything under the sun, I still think it's worth the price. TransGaming doesn't sell WineX as a boxed product; you have to subscribe to WineX to get the prepackaged files. They offer RPMs and Debian packages of current releases only to subscribers, but you can access their CVS and try to build it yourself from source. I didn't try this, but would be curious to hear what kind of success others have had. The pricing for the subscription is pretty reasonable, just $5 a month with a 3-month minimum. Even if you cancel the subscription after the initial three months, you still have the releases that you download during your subscription. It's not a perfect solution, but WineX does show a lot of promise.

Comments (6 posted)

Page editor: Jonathan Corbet

Security

Security news

Hardening Linux against buffer overflows

Whenever kernel hacker Ingo Molnar disappears for a while, it is reasonable to expect that he will resurface with some interesting new development. In the past, he has materialized with the TUX in-kernel web server, the O(1) scheduler, and the new kernel threads implementation. His most recent offering, however, has to do with making Linux systems more resilient in the face of buffer overflow vulnerabilities.

The new "Exec Shield" patch (which applies to the 2.4.21 release candidate kernel) takes several steps to fight buffer overflows, including:

  • Engaging in some x86 segmentation magic to minimize the range of addresses where the processor can execute code. This approach is essentially a hack to work around the inconvenient fact that the x86 architecture lacks a page table flag for controlling execute permission. By playing with segments, this patch makes it impossible to execute code on the stack and in as much of the data area as possible. As a result, the execution of exploit code delivered via buffer overflows becomes far more difficult.

  • As much executable code as possible is moved into the lowest part of the virtual address space - below 16MB. Addresses in this range begin with a zero byte, making them hard to create with purely ASCII overflows. Many applications which deal with C strings cannot be overflowed with a string containing NULL bytes. Others, of course, will read any sort of data and will not be affected by this particular change. For applications for which this measure is effective, however (and that set includes most web-based applications), this shift into the "ASCII armor" area will block exploits which work by jumping into library code which might, say, execute a shell.

  • A subsequent release of the patch includes shared library and stack address randomization. These measures make mass exploits harder, since each target process is different.
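
To make the "ASCII armor" point concrete, here is a small C program; it is an added example written for this page, not code from the article or from the Exec Shield patch. It assumes 32-bit little-endian x86 addresses and the 16MB limit named above; the function names are this example's own. It classifies addresses by whether they contain a zero byte, then counts how many of a sequence of addresses would arrive intact if the bytes were written by a C-string copy such as strcpy(), which stops at the first NUL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The ASCII-armor region named in the article: the lowest 16MB of the address
 * space. Every 32-bit address below this limit has 0x00 as its top byte. */
#define ASCII_ARMOR_LIMIT 0x01000000u

/* 1 if addr lies in the ASCII-armor region. */
int in_ascii_armor(uint32_t addr)
{
    return addr < ASCII_ARMOR_LIMIT;
}

/* 1 if any byte of addr is 0x00. True for every in-armor address (the top
 * byte), but an address above 16MB can also contain a zero byte by chance. */
int has_nul_byte(uint32_t addr)
{
    for (int shift = 0; shift < 32; shift += 8)
        if (((addr >> shift) & 0xffu) == 0)
            return 1;
    return 0;
}

/* Lay out n addresses little-endian, as they would sit in memory on x86.
 * out must have room for 4*n bytes. */
void encode_addresses(const uint32_t *addrs, size_t n, unsigned char *out)
{
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (unsigned char)(addrs[i] >> (8 * b));
}

/* How many of the n addresses arrive intact if this byte sequence is written
 * by a C-string copy such as strcpy()? The copy stops at the first 0x00 byte:
 * that byte is written as the terminator and nothing after it is copied. An
 * in-armor address can therefore only ever be the final item of such a
 * sequence, which is the property the shift into the armor region relies on.
 * (n is capped at 16 to keep the scratch buffer fixed-size.) */
size_t addresses_surviving_strcpy(const uint32_t *addrs, size_t n)
{
    unsigned char buf[4 * 16];
    size_t delivered = 0;

    if (n > 16)
        n = 16;
    encode_addresses(addrs, n, buf);
    while (delivered < 4 * n && buf[delivered] != 0)
        delivered++;
    if (delivered < 4 * n)
        delivered++;            /* the terminating NUL itself is written */
    return delivered / 4;
}

int main(void)
{
    /* Constructed sample addresses: one in the armor region, two above it
     * (one of which happens to contain a zero byte anyway). */
    const uint32_t samples[] = { 0x00a1b2c3u, 0x40a1b2c3u, 0x40001234u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x  in_armor=%d  has_nul=%d\n", samples[i],
               in_ascii_armor(samples[i]), has_nul_byte(samples[i]));

    const uint32_t chain_armored[] = { 0x00a1b2c3u, 0x00d4e5f6u };
    const uint32_t chain_high[]    = { 0x40a1b2c3u, 0x40d4e5f6u };
    printf("two armored addresses: %zu survive a strcpy\n",
           addresses_surviving_strcpy(chain_armored, 2));
    printf("two high addresses:    %zu survive a strcpy\n",
           addresses_surviving_strcpy(chain_high, 2));
    return 0;
}
```

The two-address comparison is the whole argument in miniature: with library code above 16MB both addresses get through, with library code in the armor region only one does. As the article notes, the protection only applies to inputs that are handled as C strings; a program that copies arbitrary binary data with memcpy() gets no benefit from it.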

This approach, note, is different from that used in the recent OpenBSD 3.3 release. OpenBSD does not (yet) provide executable stack protection on the x86 architecture; instead, it relies on detecting buffer overflows with a modified compiler that installs (and checks) "canaries" on the stack. The OpenBSD "W^X" execute permission control will be extended to the x86 architecture in 3.4.

So does this approach bring any real security? Non-executable stack patches have failed to get into the Linux kernel before, since Linus does not believe in them:

In short, anybody who thinks that the non-executable stack gives them any real security is very very much living in a dream world. It may catch a few attacks for old binaries that have security problems, but the basic problem is that the binaries allow you to overwrite their stacks.

The real solution, says Linus, is to fix the applications. That is undoubtedly true, but fixing all of the applications out there (and keeping them fixed) is not an easy task. In the meantime, raising the bar for potential attackers may well be the right thing to do. It would not be surprising to see this patch find its way into the kernels shipped by the major distributors, even if Linus does not accept it into the mainline.

Comments (5 posted)

OpenSSL pursuing FIPS 140-2 cryptographic certification

The Open Source Software Institute is leading an effort to secure the National Institute of Standards and Technology's (NIST) FIPS 140-2 level 1 cryptographic certification for OpenSSL. Hewlett-Packard has provided funding to support the certification effort. In addition, Gary Gross, of HP, is serving as OSSI's program manager and technical lead for the FIPS 140-2 certification program. The press release is in PDF format. (Thanks to David A. Wheeler)

Comments (none posted)

New vulnerabilities

epic4: buffer overflows and arbitrary code execution

Package(s):epic4 CVE #(s):
Created:May 2, 2003 Updated:May 22, 2003
Description: Timo Sirainen discovered several problems in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user.
Alerts:
Debian DSA-298-1 2002-03-05
Slackware SSA:2003-141-01 2003-05-22

Comments (none posted)

fuzz: symlink vulnerability

Package(s):fuzz CVE #(s):
Created:May 7, 2003 Updated:May 7, 2003
Description: The fuzz software stress testing tool has a temporary file vulnerability which can be exploited by a local attacker.
Alerts:
Debian DSA-302-1 2003-05-07

Comments (none posted)

leksbot: improper setuid-root execution

Package(s):leksbot CVE #(s):
Created:May 6, 2003 Updated:May 7, 2003
Description: Maurice Massar discovered that, due to a packaging error, the program /usr/bin/KATAXWR was inadvertently installed setuid root. This program was not designed to run setuid, and contained multiple vulnerabilities which could be exploited to gain root privileges.
Alerts:
Debian DSA-299-1 2003-05-06

Comments (none posted)

mod_auth_any: remote exploit

Package(s):mod_auth_any CVE #(s):CAN-2003-0084
Created:May 2, 2003 Updated:May 7, 2003
Description: mod_auth_any is a web server module that allows the Apache httpd server to call arbitrary external programs to verify user passwords.

Vulnerabilities have been found in the way mod_auth_any escapes shell arguments when calling external programs. These vulnerabilities allow remote attackers to run arbitrary commands as the user under which the Web server is running.

Alerts:
Red Hat RHSA-2003:113-01 2002-03-05

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)
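
The flaw the advisory describes has a simple shape: an authentication routine that rejects unknown user names before doing the expensive password work, so a remote party can tell real accounts from fake ones by timing the reply. The C program below is an added example for this page, not OpenSSH or PAM code; it uses a toy hash and a constructed two-user database, and the function names are its own. It shows the leaky shape beside the fixed one and measures the difference in work done for a known versus an unknown user, which is the quantity a timing attack observes.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Number of password-hash computations performed so far. Comparing the count
 * for a known and an unknown user name shows whether the two code paths do
 * the same work; equal counts give a remote observer no timing signal. */
static unsigned long hash_calls = 0;

/* Toy stand-in for a real (slow) password hash: FNV-1a over the string. Real
 * code would use a proper password hash; the point here is only that it costs
 * time and that it is counted. */
uint32_t toy_hash(const char *s)
{
    uint32_t h = 2166136261u;
    hash_calls++;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Constructed user database: two accounts with hashed passwords. */
#define NUSERS 2
static const char *user_names[NUSERS] = { "alice", "bob" };
static uint32_t user_hashes[NUSERS];
static int db_ready = 0;

void init_users(void)
{
    if (db_ready)
        return;
    user_hashes[0] = toy_hash("alice-pw");
    user_hashes[1] = toy_hash("bob-pw");
    db_ready = 1;
    hash_calls = 0;
}

/* Index of the named user, or -1 if there is no such account. */
int find_user(const char *name)
{
    for (int i = 0; i < NUSERS; i++)
        if (strcmp(user_names[i], name) == 0)
            return i;
    return -1;
}

/* Leaky version: an unknown user is rejected before any hash is computed, so
 * the reply comes back measurably faster than for a real account with a wrong
 * password. This is the shape of the flaw the advisory describes. */
int auth_leaky(const char *name, const char *pass)
{
    init_users();
    int i = find_user(name);
    if (i < 0)
        return 0;
    return toy_hash(pass) == user_hashes[i];
}

/* Fixed version: always hash the candidate password, against a dummy hash
 * when the account does not exist, and only then fold in whether the user was
 * found. Both paths now do the same amount of work. */
int auth_constant_work(const char *name, const char *pass)
{
    static const uint32_t dummy_hash = 0xdeadbeefu;
    init_users();
    int i = find_user(name);
    uint32_t expected = (i >= 0) ? user_hashes[i] : dummy_hash;
    int match = (toy_hash(pass) == expected);
    return (i >= 0) && match;
}

/* Difference in hash computations between a login attempt for an existing
 * account and one for a non-existent account. 0 means no work-based leak. */
unsigned long work_gap(int (*auth)(const char *, const char *))
{
    unsigned long known, unknown;
    init_users();
    hash_calls = 0;
    auth("alice", "wrong-guess");
    known = hash_calls;
    hash_calls = 0;
    auth("mallory", "wrong-guess");
    unknown = hash_calls;
    return known > unknown ? known - unknown : unknown - known;
}

int main(void)
{
    printf("leaky version, hash-call gap known vs unknown user: %lu\n",
           work_gap(auth_leaky));
    printf("fixed version, hash-call gap known vs unknown user: %lu\n",
           work_gap(auth_constant_work));
    return 0;
}
```

Counting hash calls is a deterministic proxy for wall-clock time, which is what makes the check usable in a unit test. In a real service the same review has to cover every early return between "request received" and "reply sent", including the user lookup itself and any logging that happens only on one path.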

Updated vulnerabilities

BitchX - denial of service

Package(s):BitchX CVE #(s):
Created:February 20, 2003 Updated:May 26, 2003
Description: From this Bugtraq posting:

A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx

Alerts:
Gentoo 200302-11 2003-02-20
Debian DSA-306-1 2003-05-19
Slackware ssa:2003-141-02 2003-05-22
Conectiva CLA-2003:655 2003-05-26

Comments (none posted)

evolution: multiple vulnerabilities

Package(s):Evolution CVE #(s):CAN-2003-0128 CAN-2003-0129 CAN-2003-0130
Created:March 21, 2003 Updated:May 14, 2003
Description: Multiple vulnerabilities have been found in Ximian's Evolution Mail User Agent, according to this CoreLabs advisory. "Three vulnerabilities were found that could lead to various forms of exploitation ranging from denying to users the ability to read email, provoke system unstability, bypassing security context checks for email content and possibly execution of arbitrary commands on vulnerable systems."

Ximian Evolution is a personal and workgroup information management solution for Linux and UNIX-based systems. The software integrates email, calendaring, meeting scheduling, contact management, and task lists, in one application.

Alerts:
Red Hat RHSA-2003:108-01 2003-03-21
Gentoo 200303-18 2003-03-21
Red Hat RHSA-2003:108-02 2003-03-24
Red Hat RHSA-2003:108-03 2003-03-31
Yellow Dog YDU-20030409-2 2003-04-09
Mandrake MDKSA-2003:045 2003-04-15
Conectiva CLA-2003:648 2003-05-14

Comments (1 posted)

LPRng: insecure temporary file

Package(s):LPRng CVE #(s):CAN-2003-0136
Created:April 14, 2003 Updated:June 16, 2003
Description: Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purposes when it is configured as a filter. The program does not check whether this file already exists or is linked to another place; it writes its current environment and the arguments it was called with to the file unconditionally, with the user id daemon.
Alerts:
Debian DSA-285-1 2003-04-14
Red Hat RHSA-2003:142-01 2003-04-24
Mandrake MDKSA-2003:060 2003-05-21
Yellow Dog YDU-20030602-5 2003-06-02
Immunix IMNX-2003-7+-013-01 2003-06-04
Gentoo 200306-04 2003-06-14

Comments (none posted)
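
Both the fuzz entry above and this LPRng entry are the same class of bug: a privileged program opens a predictable path for writing without checking what is already there, so a local user who plants a symlink at that path can redirect the write. The C program below is an added example for this page, not code from either project; the scenario it builds in a scratch directory under /tmp is constructed, and the function names are its own. It shows the unsafe open() beside two fixes, O_EXCL|O_NOFOLLOW for a fixed path and mkstemp() for an unpredictable one, and verifies that the symlink trick works against the first and fails against the second.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisories describe: a predictable path is opened for
 * writing with O_CREAT|O_TRUNC and no check of what is already there. If a
 * local user has placed a symlink at that path, the open follows it and the
 * caller truncates and writes whatever file the link points to, with the
 * caller's privileges (user id daemon in the LPRng case). */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fix 1: demand a brand-new file. O_CREAT|O_EXCL fails with EEXIST if
 * anything, a symlink included, already sits at the path; O_NOFOLLOW refuses
 * a symlink with ELOOP even without O_EXCL. */
int open_log_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Fix 2 (preferred): do not use a predictable name at all. mkstemp() replaces
 * the XXXXXX in the template with a random suffix and creates the file
 * atomically with O_EXCL, so there is nothing for an attacker to pre-plant.
 * template_buf is modified in place to hold the chosen name. */
int open_log_mkstemp(char *template_buf)
{
    return mkstemp(template_buf);
}

/* Constructed scenario in a scratch directory: a "victim" file with content
 * and a symlink named debug.log pointing at it, the way a local user would
 * plant one. Returns 1 if the unsafe open followed the link (victim emptied)
 * while the safe open refused to touch it, 0 otherwise, -1 on setup error. */
int demo_safe_open_refuses_symlink(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";
    char victim[256], linkpath[256];
    struct stat st;
    int fd, result;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(linkpath, sizeof linkpath, "%s/debug.log", dir);

    FILE *f = fopen(victim, "w");
    if (f == NULL)
        return -1;
    fputs("important data\n", f);
    fclose(f);
    if (symlink(victim, linkpath) != 0)
        return -1;

    /* Unsafe open: succeeds, and the victim is now empty. */
    fd = open_log_unsafe(linkpath);
    int unsafe_followed = (fd >= 0);
    if (fd >= 0)
        close(fd);
    int victim_emptied = (stat(victim, &st) == 0 && st.st_size == 0);

    /* Safe open: fails, and errno names the reason. */
    errno = 0;
    fd = open_log_safe(linkpath);
    int safe_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);

    result = unsafe_followed && victim_emptied && safe_refused;
    unlink(linkpath);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("symlink redirect blocked by O_EXCL|O_NOFOLLOW: %d\n",
           demo_safe_open_refuses_symlink());
    char name[] = "/tmp/psbanner-debug-XXXXXX";
    int fd = open_log_mkstemp(name);
    if (fd >= 0) {
        printf("mkstemp created %s\n", name);
        close(fd);
        unlink(name);
    }
    return 0;
}
```

The O_EXCL fix is enough only if the program really wants a new file every time; if it needs to append to an existing log it should keep that log in a directory that untrusted users cannot write to, rather than in a shared /tmp.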

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the use of mailx as the default mailer, which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
SuSE SuSE-SA:2002:041 2002-11-05
Gentoo 200211-001 2002-11-06
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200302-01 2003-02-02
Debian DSA-386-1 2003-09-18

Comments (none posted)

NetPBM: math overflow errors

Package(s):NetPBM CVE #(s):CAN-2003-0146
Created:March 17, 2003 Updated:May 27, 2003
Description: Al Viro and Alan Cox discovered several maths overflow errors in NetPBM, a set of graphics conversion tools. These programs are not installed setuid root but are often installed to prepare data for processing. These vulnerabilities may allow remote attackers to cause a denial of service or execute arbitrary code.
Alerts:
Debian DSA-263-1 2003-03-17
Mandrake MDKSA-2003:036 2003-03-25
Red Hat RHSA-2003:060-01 2003-04-03
Conectiva CLA-2003:656 2003-05-27

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

Comments (none posted)

TCP/IP: inconsistent flag handling

Package(s):TCP/IP CVE #(s):
Created:May 5, 2003 Updated:May 20, 2003
Description: Various vendors' TCP/IP implementations handle packets containing unusual flag combinations in different ways, which may lead to a violation of implicit or explicit security policies.

See CERT VU#464113 and this BugTraq post for more information.

Alerts:
SCO Group CSSA-2003-019.0 2003-05-05

Comments (none posted)

apache 2.x: denial of service

Package(s):apache CVE #(s):CAN-2003-0132
Created:April 9, 2003 Updated:May 1, 2003
Description: Apache 2.0.x (for x <= 44) has a denial of service vulnerability; Apache 2.0.45 fixes the problem.
Alerts:
Gentoo 200304-01 2003-04-09
Red Hat RHSA-2003:139-01 2003-04-09
Mandrake MDKSA-2003:050 2003-04-22
Conectiva CLA-2003:632 2003-04-30

Comments (1 posted)

Heap corruption vulnerability in at

Package(s):at at, sudo, xchat CVE #(s):CAN-2002-0004
Created:May 21, 2002 Updated:May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th).
Alerts:
Debian DSA-102-1 2002-01-16
Debian DSA-102-2 2002-01-18
Mandrake MDKSA-2002:007 2002-01-18
Red Hat RHSA-2002:015-13 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Slackware sl-1011706104 2002-01-22
SuSE SuSE-SA:2002:003 2001-01-16
Yellow Dog YDU-20020127-9 2002-01-27
EnGarde ESA-20030515-015 2003-05-15

Comments (none posted)

balsa: imap code buffer overflow

Package(s):balsa CVE #(s):CAN-2003-0140 CAN-2003-0167
Created:April 30, 2003 Updated:May 7, 2003
Description: Balsa, it turns out, suffers from the same buffer overflow found in mutt; see the mutt vulnerability information for details.
Alerts:
Gentoo 200304-10 2003-04-30
Conectiva CLA-2003:635 2003-04-30
Debian DSA-300-1 2003-05-06

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
OpenPKG OpenPKG-SA-2002.006 2002-07-04
SuSE SuSE-SA:2002:026 2002-07-09
Conectiva CLA-2002:507 2002-07-11
Gentoo glibc-20020713 2002-07-13
Trustix 2002-0061 2002-07-15
Mandrake MDKSA-2002:043 2002-07-16
EnGarde ESA-20020724-018 2002-07-24
Red Hat RHSA-2002:139-10 2002-07-22
Eridani ERISA-2002:028 2002-07-25
Yellow Dog YDU-20020801-2 2002-08-01
SCO Group CSSA-2002-034.0 2002-08-05
Red Hat RHSA-2002:133-13 2002-08-08
Eridani ERISA-2002:035 2002-08-09
Yellow Dog YDU-20020810-3 2002-08-10
Mandrake MDKSA-2002:050 2002-08-13

Comments (1 posted)

Bugzilla: several vulnerabilities.

Package(s):bugzilla CVE #(s):
Created:April 30, 2003 Updated:May 21, 2003
Description: The Bugzilla bug tracking system has a new set of vulnerabilities which can lead to cross-site scripting and symlink attacks. Versions 2.16.3 and 2.17.4 contain the necessary fixes; see this advisory for the details.
Alerts:
Conectiva CLA-2003:653 2003-05-21

Comments (none posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
Red Hat RHSA-2002:246-18 2002-12-04
Gentoo 200212-8 2002-12-20
Debian DSA-224-1 2002-01-08
SCO Group CSSA-2003-005.0 2003-01-21

Comments (none posted)

dvips: command execution vulnerability

Package(s):dvips CVE #(s):CAN-2002-0836
Created:October 16, 2002 Updated:June 10, 2003
Description: The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system.
Alerts:
Red Hat RHSA-2002:194-18 2002-10-08
Gentoo tetex-20021018 2002-10-18
Mandrake MDKSA-2002:070 2002-10-23
Mandrake MDKSA-2002:071 2002-10-24
Conectiva CLA-2002:537 2002-10-29
Debian DSA-207-1 2002-12-11
OpenPKG OpenPKG-SA-2002.015 2002-12-16
Immunix IMNX-2003-7+-016-01 2003-06-09

Comments (none posted)
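
The mod_auth_any entry earlier on this page and this dvips entry share a root cause: an external program is invoked by pasting caller-influenced strings into a command line for system(), which hands the result to /bin/sh, and the escaping meant to keep that safe is incomplete. The C program below is an added example for this page, not code from either project; the checker path and the sample user name are constructed, and the function names are its own. It shows the fragile string-building step, a test for the characters the shell treats specially, and the fix that removes the shell from the picture by running the program with an argv array.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The shape of the flaw in both advisories: a command line is assembled from
 * strings the program does not control and would be handed to system(). This
 * function only builds the string, it never runs it, so the problem can be
 * inspected: a quote or semicolon inside user or pass becomes shell syntax. */
int build_shell_command(char *out, size_t out_len, const char *checker,
                        const char *user, const char *pass)
{
    int n = snprintf(out, out_len, "%s \"%s\" \"%s\"", checker, user, pass);
    return n >= 0 && (size_t)n < out_len;
}

/* Characters the shell gives special meaning. An escaping routine has to get
 * every one of them right, in every quoting context; the argv route below
 * makes that job unnecessary. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`\"'\\<>(){}*?~\n") != NULL;
}

/* Run a program directly with an argv array: fork, execvp, wait. Each element
 * reaches the child as exactly one argument and no shell is involved, so
 * metacharacters in the arguments are plain data. Returns the child's exit
 * status, -1 on error, or 127 if the program could not be executed. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-in for an external password checker: the test(1) utility comparing
 * the supplied value with the expected one, byte for byte, whatever the
 * strings contain. Exit status 0 means they are equal. */
int check_via_external_program(const char *supplied, const char *expected)
{
    char *argv[] = { "test", (char *)supplied, "=", (char *)expected, NULL };
    return run_argv(argv);
}

int main(void)
{
    char cmd[256];
    /* Constructed user name with an apostrophe and a semicolon in it. */
    const char *odd_user = "o'brien; ls";

    build_shell_command(cmd, sizeof cmd, "/usr/local/bin/checkpw", odd_user, "secret");
    printf("what system() would receive: %s\n", cmd);
    printf("metacharacters present: %d\n", has_shell_metachar(odd_user));
    printf("argv comparison of that string with itself: exit %d\n",
           check_via_external_program(odd_user, odd_user));
    printf("argv comparison with a different string:    exit %d\n",
           check_via_external_program(odd_user, "obrien"));
    return 0;
}
```

The has_shell_metachar() list is deliberately long to make the point that a deny-list is the wrong tool here: the sound fix is not better escaping but never constructing a shell command from untrusted input in the first place. Where a shell really is required, the arguments should still travel as positional parameters ("$1", "$2") rather than being interpolated into the script text.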

ethereal - format string vulnerability

Package(s):ethereal CVE #(s):CAN-2003-0081
Created:March 10, 2003 Updated:June 12, 2003
Description: The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. See the full advisory for additional information.
Alerts:
Gentoo 200303-10 2003-03-09
Debian DSA-258-1 2003-03-10
SuSE SuSE-SA:2003:019 2003-03-21
Conectiva CLA-2003:627 2003-04-16
Red Hat RHSA-2003:076-01 2003-04-23
Mandrake MDKSA-2003:051 2003-03-24

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Conectiva CLA-2002:554 2002-12-16
Red Hat RHSA-2002:293-09 2002-12-17
Debian DSA-216-1 2002-12-24
SuSE SuSE-SA:2003:001 2003-01-02
SCO Group CSSA-2003-001.0 2003-01-09
EnGarde ESA-20030127-002 2003-01-27
Mandrake MDKSA-2003:011 2003-01-27
Immunix IMNX-2003-7+-023-01 2003-10-17

Comments (3 posted)

file - memory allocation problem, stack overflow

Package(s):file CVE #(s):CAN-2003-0102
Created:March 4, 2003 Updated:June 4, 2003
Description: Jeff Johnson found a memory allocation problem and David Endler found a stack overflow corruption problem in the file "Automatic File Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section and program header handling in file version 3.40. The folks at OpenPKG believe that file versions without those modifications are vulnerable to memory allocation and stack overflow problems which put security at risk.
Alerts:
OpenPKG OpenPKG-SA-2003.017 2003-03-04
Mandrake MDKSA-2003:030 2003-03-06
Red Hat RHSA-2003:086-07 2003-03-07
EnGarde ESA-20030307-008 2003-03-07
Gentoo 200303-8 2003-03-08
Debian DSA-260-1 2003-03-13
SuSE SuSE-SA:2003:017 2003-03-21
Conectiva CLA-2003:617 2003-04-04
Mandrake MDKSA-2003:030-1 2003-04-17
SCO Group CSSA-2003-018.0 2003-04-28
Immunix IMNX-2003-7+-012-01 2003-06-03

Comments (none posted)

GNU fileutils race condition

Package(s):fileutils ucdsnmp CVE #(s):CAN-2002-0435
Created:May 21, 2002 Updated:May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
SCO Group CSSA-2002-018.1 2002-05-13
Mandrake MDKSA-2002:031 2002-05-16
SuSE SuSE-SA:2002:012 2002-04-08
Trustix 2002-0052 2002-06-06
Red Hat RHSA-2003:015-05 2003-02-12
Immunix IMNX-2003-7+-010-01 2003-05-16

Comments (none posted)

Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 29, 2003
Description: Felix von Leitner discovered a potential division-by-zero bug in code derived from the SunRPC library, which is used in glibc. This bug could be exploited to gain unauthorized root access through software linked against glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Depending on the application, exploiting this vulnerability may lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-149-1 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Eridani ERISA-2002:036 2002-08-13
Trustix 2002-0067 2002-08-13
SuSE SuSE-SA:2002:031 2002-08-30
Gentoo glibc-20020905 2002-09-05
Mandrake MDKSA-2002:061 2002-09-23
Debian DSA-149-2 2002-09-26
Gentoo dietlibc-20020927 2002-09-27
Gentoo glibc-20020927 2002-09-27
EnGarde ESA-20021003-021 2002-10-03
Trustix 2002-0070 2002-10-17
Conectiva CLA-2002:535 2002-10-29
Debian DSA-333-1 2003-06-27

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size of the reply when processing a DNS response. This causes the stub resolver to read past the end of the data it actually received (a "read buffer overflow"), allowing a remote attacker to crash the calling program (denial of service).
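The defect is in which length the parser trusts. As an added example (not BIND or glibc code), here is a small response walker in C that checks every access against the number of bytes actually received, together with a constructed 45-byte reply for example.com and two callers: one passes the received length, the other the 512-byte answer buffer's capacity, as the vulnerable resolvers did. The capacity-bounded caller "succeeds" on a truncated reply by consuming whatever happens to lie beyond the real data; on a real heap buffer that is stale memory, and the resulting nonsense lengths are what crashes the resolver. Names and the sample message are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Skip a possibly compressed name starting at *off, advancing *off past it.
 * Every byte touched is checked against len, the number of bytes actually
 * received; hops bounds compression-pointer chains. */
static bool skip_name(const uint8_t *msg, size_t len, size_t *off) {
    size_t p = *off;
    bool jumped = false;
    int hops = 0;
    for (;;) {
        if (p >= len) return false;
        uint8_t lab = msg[p];
        if (lab == 0) { p++; break; }
        if ((lab & 0xC0) == 0xC0) {                          /* compression pointer */
            if (p + 1 >= len || ++hops > 16) return false;
            size_t target = ((size_t)(lab & 0x3F) << 8) | msg[p + 1];
            if (!jumped) *off = p + 2;                       /* name ends after the pointer */
            jumped = true;
            p = target;                                      /* re-checked at loop top */
            continue;
        }
        if (lab > 63) return false;
        p += 1 + lab;
    }
    if (!jumped) *off = p;
    return true;
}

/* Walk header, question section and answer section. Returns the number of
 * answer RRs, or -1 if any field would extend past len. */
int dns_count_answers(const uint8_t *msg, size_t len) {
    if (len < 12) return -1;
    unsigned qdcount = (msg[4] << 8) | msg[5];
    unsigned ancount = (msg[6] << 8) | msg[7];
    size_t off = 12;
    for (unsigned i = 0; i < qdcount; i++) {
        if (!skip_name(msg, len, &off) || off + 4 > len) return -1;   /* QTYPE, QCLASS */
        off += 4;
    }
    int seen = 0;
    for (unsigned i = 0; i < ancount; i++) {
        if (!skip_name(msg, len, &off) || off + 10 > len) return -1;  /* TYPE .. RDLENGTH */
        size_t rdlen = ((size_t)msg[off + 8] << 8) | msg[off + 9];
        off += 10;
        if (rdlen > len - off) return -1;                             /* RDATA must fit */
        off += rdlen;
        seen++;
    }
    return seen;
}

/* Constructed 45-byte response: one question (example.com A IN) and one
 * answer (compressed name, TTL 3600, 4-byte RDATA). */
static const uint8_t RESPONSE[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,
    0x5D, 0xB8, 0xD8, 0x22,
};

/* Simulate res_send(): `received` bytes land in a 512-byte answer buffer
 * whose remainder is stale (zeroed here). The correct caller parses with
 * the received length; the buggy one parses with the buffer's capacity. */
int parse_with_received_len(size_t received) {
    uint8_t buf[512] = {0};
    if (received > sizeof RESPONSE) return -1;
    memcpy(buf, RESPONSE, received);
    return dns_count_answers(buf, received);
}

int parse_with_buffer_capacity(size_t received) {
    uint8_t buf[512] = {0};
    if (received > sizeof RESPONSE) return -1;
    memcpy(buf, RESPONSE, received);
    return dns_count_answers(buf, sizeof buf);               /* the bug: wrong bound */
}
```

With the full 45 bytes both callers agree. Cut the reply at 40 bytes, in the middle of the answer's fixed fields, and the received-length caller reports truncation while the capacity-bounded one reads a zero RDLENGTH out of the padding and reports a complete answer.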

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

Comments (none posted)

glibc: integer overflow in the xdrmem_getbytes() function

Package(s):glibc krb5 dietlibc CVE #(s):CAN-2003-0028
Created:March 21, 2003 Updated:May 27, 2003
Description: An integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, and glibc, allows remote attackers to execute arbitrary code via certain integer values in length fields. See CAN-2003-0028 and CERT advisory CA-2003-10 for more information.
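Both SunRPC-derived XDR flaws on this page, the xdr_array() size computation in the CAN-2002-0391 entry above and xdrmem_getbytes() here, come down to length arithmetic that wraps. The C below is an added example, not glibc's code: it reproduces the shape of each check beside a version that cannot wrap, and runs the safe one over a constructed eight-byte stream. Function and struct names are illustrative; only the shape of the checks is taken from the advisories.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* --- xdr_array() shape: how many bytes do c elements of elsize bytes take? --- */

/* Vulnerable pattern: the product is formed in 32 bits and wraps, so a huge
 * element count yields a tiny allocation that the decode loop then overruns. */
uint32_t array_bytes_unsafe(uint32_t c, uint32_t elsize) {
    return c * elsize;                   /* silently reduced modulo 2^32 */
}

/* Hardened: refuse counts whose byte size cannot be represented. Returns the
 * size, or -1 on overflow (or a zero element size, which would make the
 * division below a division by zero). */
int64_t array_bytes_safe(uint32_t c, uint32_t elsize) {
    if (elsize == 0 || c > UINT32_MAX / elsize)
        return -1;
    return (int64_t)c * elsize;
}

/* --- xdrmem_getbytes() shape: may `len` bytes be read from the stream? --- */

/* Vulnerable pattern: the remaining byte count is kept in a signed int and the
 * request subtracted from it. A request of 2^31 or more is negative after the
 * cast, the subtraction goes *up*, and the check passes for a read that would
 * run far past the buffer. */
bool getbytes_check_unsafe(int handy, unsigned int len) {
    if ((handy -= (int)len) < 0)
        return false;
    return true;
}

/* Hardened: compare unsigned sizes; no arithmetic that can wrap. */
bool getbytes_check_safe(size_t remaining, size_t len) {
    return len <= remaining;
}

/* A memory-backed stream with the safe check applied before the copy. */
struct xdrmem {
    const unsigned char *base;
    size_t len;                          /* total bytes in buffer */
    size_t pos;                          /* bytes consumed so far */
};

bool xdrmem_getbytes_safe(struct xdrmem *x, unsigned char *out, size_t len) {
    if (!getbytes_check_safe(x->len - x->pos, len))
        return false;
    memcpy(out, x->base + x->pos, len);
    x->pos += len;
    return true;
}

/* Demonstration on a constructed 8-byte stream: returns 1 if an in-bounds read
 * of 4 bytes succeeds and delivers the right bytes and a follow-up read of 16
 * bytes is refused without moving the cursor; 0 otherwise. */
int demo_xdrmem(void) {
    static const unsigned char data[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    struct xdrmem x = { data, sizeof data, 0 };
    unsigned char out[4] = {0};
    if (!xdrmem_getbytes_safe(&x, out, 4) || out[3] != 4) return 0;
    if (xdrmem_getbytes_safe(&x, out, 16)) return 0;
    return x.pos == 4 ? 1 : 0;
}
```

The two unsafe functions are kept only to show the arithmetic; they never touch memory. A count of 0x40000001 elements of 4 bytes comes out as 4 bytes in the wrapping version, and a request of 0xFFFFFFF0 bytes passes the signed check against a 100-byte remainder.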
Alerts:
SCO Group CSSA-2003-013.0 2003-03-19
EnGarde ESA-20030321-010 2003-03-21
Sorcerer SORCERER2003-03-20-1 2003-03-20
Sorcerer SORCERER2003-03-20-2 2003-03-20
Red Hat RHSA-2003:089-00 2003-03-19
Debian DSA-266-1 2003-03-17
Gentoo 200303-22 2003-03-25
Mandrake MDKSA-2003:037 2003-03-25
Trustix 2003-0014 2003-03-26
Debian DSA-272-1 2003-03-28
Gentoo 200303-29 2003-03-31
Debian DSA-282-1 2003-04-09
Immunix IMNX-2003-7+-009-01 2003-04-14
Conectiva CLA-2003:633 2003-04-30
Conectiva CLA-2003:639 2003-05-05
Slackware ssa:2003-141-03 2003-05-22
SuSE SuSE-SA:2003:027 2003-05-26

Comments (3 posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug in its handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

IMP - SQL injection vulnerability

Package(s):imp CVE #(s):CAN-2003-0025
Created:January 15, 2003 Updated:July 8, 2003
Description: IMP, the web-based IMAP mail client, is vulnerable to SQL injection in versions 2.2.8 and prior; see this advisory for details. Version 3.x is not vulnerable to this problem.
Alerts:
Debian DSA-229-2 2003-01-15
SuSE SuSE-SA:2003:0008 2003-02-18
Conectiva CLA-2003:690 2003-07-08

Comments (1 posted)

kde: arbitrary code execution

Package(s):kde CVE #(s):CAN-2003-0204
Created:April 10, 2003 Updated:June 30, 2003
Description: The KDE security team has issued an advisory on a vulnerability present in all versions of KDE which allows a remote attacker to execute arbitrary commands under the user's account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2, patches to the KDE 2.2.2 sources have been made available.

KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files.

An attacker can prepare a malicious PostScript or PDF file which gives the attacker access to the victim's account and privileges when the victim opens the file for viewing, or when the victim browses a directory containing such a file with file previews enabled.

An attacker can deliver malicious files remotely to a victim in an e-mail, as part of a web page, via an ftp server, and possibly by other means.

Alerts:
Gentoo 200304-04 2003-04-10
Gentoo 200304-05 2003-04-11
Debian DSA-284-1 2003-04-12
Sorcerer SORCERER2003-04-12 2003-04-12
Mandrake MDKSA-2003:049 2003-04-17
Slackware sl-1050682024 2003-04-18
Debian DSA-293-1 2003-04-23
SuSE SuSE-SA:2003:0026 2003-04-24
Mandrake MDKSA-2003:049-1 2003-04-24
Debian DSA-296-1 2003-04-30
Red Hat RHSA-2003:002-01 2003-05-12
Conectiva CLA-2003:668 2003-06-30

Comments (none posted)

kerberos - cryptographic weakness

Package(s):kerberos, heimdal, openafs CVE #(s):CAN-2003-0138 CAN-2003-0139
Created:March 26, 2003 Updated:May 27, 2003
Description: Version 4 of the Kerberos protocol contains a cryptographic weakness which enables a chosen-plaintext attack. A suitably equipped attacker can impersonate any principal in the realm. Another weakness allows the creation of false Kerberos tickets. Given the weaknesses in the cryptography, cross-realm authentication cannot be performed in a secure way.

OpenAFS kaserver implements version 4 of the Kerberos protocol, and therefore is also vulnerable.

Alerts:
Debian DSA-269-1 2003-03-26
Red Hat RHSA-2003:051-01 2003-03-26
Debian DSA-273-1 2003-03-28
Gentoo 200303-26 2003-03-30
Gentoo 200303-28 2003-03-31
Mandrake MDKSA-2003:043 2003-04-01
Red Hat RHSA-2003:091-01 2003-04-02
Immunix IMNX-2003-7+-007-01 2003-04-07
Debian DSA-269-2 2003-04-09
Gentoo 200305-09 2003-05-27

Comments (none posted)

kernel - ptrace-related vulnerability

Package(s):kernel CVE #(s):CAN-2003-0127
Created:March 17, 2003 Updated:June 30, 2003
Description: Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in ptrace() which may be exploited by a local user to obtain root access. This announcement contains the details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released which contains the fix.
Alerts:
Red Hat RHSA-2003:098-00 2003-03-17
Trustix 2003-0007 2003-03-18
EnGarde ESA-20030318-009 2003-03-18
Red Hat RHSA-2003:088-01 2003-03-20
Sorcerer SORCERER2003-03-19 2003-03-20
Gentoo 200303-17 2003-03-21
SuSE SuSE-SA:2003:021 2003-03-25
Debian DSA-270-1 2003-03-27
Mandrake MDKSA-2003:038 2003-03-27
Mandrake MDKSA-2003:039 2003-03-27
Debian DSA-276-1 2003-04-03
Conectiva CLA-2003:618 2003-04-07
Red Hat RHSA-2003:135-00 2003-04-08
Mandrake MDKSA-2003:038-1 2003-04-09
SCO Group CSSA-2003-020.0 2003-05-09
Red Hat RHSA-2003:098-03 2003-06-02
Debian DSA-332-1 2003-06-27
Debian DSA-336-1 2003-06-29
Debian DSA-336-2 2003-06-29

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

lprold - buffer overflow in lprm

Package(s):lprold lpd CVE #(s):CAN-2003-0144
Created:March 13, 2003 Updated:May 28, 2003
Description: The lprm command of the printing package lprold contains a buffer overflow. This buffer overflow can be exploited by a local user, if the printer system is set up correctly, to gain root privileges.
Alerts:
SuSE SuSE-SA:2003:0014 2003-03-13
Debian DSA-267-1 2003-03-24
Debian DSA-275-1 2003-04-02
Debian DSA-267-2 2003-04-15
Mandrake MDKSA-2003:059 2003-05-21

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a URL containing carriage-return and line-feed characters (CRLF, typically URL-encoded as %0d%0a) on the command line, it will include faked headers in the HTTP request it sends. This can be used to force scripts that use lynx for downloading files to access the wrong site on a web server with multiple virtual hosts, since the virtual host is selected by the request's Host header.
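The mechanism, as an added example in C (not Lynx's code): a request builder that percent-decodes the URL path and splices it straight into the request line, beside one that refuses any component still carrying a CR, LF or other control character after decoding. Host names and the smuggling URL are constructed for the example. With the unsafe builder the decoded path ends the request line early and the attacker's "Host:" line lands in the request ahead of the client's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes). */
static void percent_decode(const char *src, char *dst) {
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            *dst++ = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
}

/* The check the hardened builder applies after decoding: nothing that can
 * end or start a header line may survive into the request. */
bool header_value_safe(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f)
            return false;
    }
    return true;
}

/* Build "GET <path> HTTP/1.0\r\nHost: <host>\r\n\r\n" from a URL's still
 * encoded path. hardened == false splices the decoded path in unchecked,
 * the pattern behind the Lynx bug; hardened == true refuses a path that
 * would split the request line. Returns the request length, or -1 when
 * refused or too long. */
int build_request(const char *host, const char *encoded_path, bool hardened,
                  char *out, size_t outsz) {
    char path[512];
    if (strlen(encoded_path) >= sizeof path)
        return -1;
    percent_decode(encoded_path, path);
    if (hardened && (!header_value_safe(path) || !header_value_safe(host)))
        return -1;
    int n = snprintf(out, outsz, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Count lines in req that start with `name` (e.g. "Host:"). */
int count_header_lines(const char *req, const char *name) {
    int count = 0;
    size_t nlen = strlen(name);
    for (const char *p = req; *p; p++)
        if ((p == req || p[-1] == '\n') && strncmp(p, name, nlen) == 0)
            count++;
    return count;
}

/* Demonstration with a constructed URL path that smuggles a second Host:
 * header. Returns the number of Host: lines in the resulting request, or
 * -1 if the builder refused the URL. */
int demo_host_lines(bool hardened) {
    char req[1024];
    const char *smuggled = "/index.html%0d%0aHost:%20other.example";
    if (build_request("www.example", smuggled, hardened, req, sizeof req) < 0)
        return -1;
    return count_header_lines(req, "Host:");
}
```

The check belongs after decoding, not before: a filter applied to the raw URL would pass "%0d%0a" untouched, and the decoder would then manufacture the line break. The same applies to any value taken from a URL and placed into a header, the Host name included.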


Alerts:
SCO Group CSSA-2002-049.0 2002-11-18
Debian DSA-210-1 2002-12-13
Trustix 2002-0085 2002-12-19
Red Hat RHSA-2003:029-06 2003-02-12
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Mandrake MDKSA-2003:023 2003-02-24
Conectiva CLA-2003:720 2003-08-11

Comments (none posted)

man - code execution vulnerability

Package(s):man CVE #(s):CAN-2003-0124
Created:March 19, 2003 Updated:May 7, 2003
Description: Versions of man prior to 1.51 contain a code execution vulnerability which can be exploited by a carefully crafted man file. See this advisory for the details.
Alerts:
Gentoo 200303-13 2003-03-18
Conectiva CLA-2003:620 2003-04-07
Red Hat RHSA-2003:133-01 2001-03-05
Mandrake MDKSA-2003:054 2003-05-06

Comments (none posted)

mgetty spool permission

Package(s):mgetty CVE #(s):CAN-2002-1391 CAN-2002-1392
Created:April 8, 2003 Updated:May 13, 2003
Description: mgetty is a getty replacement for use with data and fax modems.

mgetty can be configured to run an external program to decide whether or not to answer an incoming call based on Caller ID information. Unpatched versions of mgetty prior to 1.1.29 would overflow an internal buffer if the caller name reported by the modem was too long.

Additionally, the faxspool script supplied with versions of mgetty prior to 1.1.29 used a simple permissions scheme to allow or deny fax transmission privileges. This scheme was easily circumvented because the spooling directory used for outgoing faxes was world-writable.

Alerts:
Red Hat RHSA-2003:036-01 2003-04-08
Gentoo 200304-09 2003-04-28
Mandrake MDKSA-2003:053 2003-05-06
SCO Group CSSA-2003-021.0 2003-05-13

Comments (none posted)

mime-support: insecure temporary file creation

Package(s):mime-support CVE #(s):
Created:April 22, 2003 Updated:April 30, 2003
Description: Colin Phipps discovered several problems in mime-support, which contains support programs for the MIME control files 'mime.types' and 'mailcap'. When a temporary file is to be used it is created insecurely, allowing a local attacker to overwrite arbitrary files under the user id of the person executing run-mailcap, most probably root. Additionally, the program did not properly escape shell metacharacters when executing a command. This is unlikely to be exploitable, though.
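The temporary-file problem is the classic predictable-name race, shown here as an added C example (not mime-support's code, which is a Perl script): a fixed name opened with O_CREAT but without O_EXCL, beside the mkstemp() replacement that creates an unpredictable name atomically. The demo plants a symlink at the predictable name, pointing at a "victim" file, and shows the first strategy truncating the victim through the link while the second yields a fresh 0600 file. Directory and file names are illustrative; everything is created under a mkdtemp() directory.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure: a fixed, predictable name opened without O_EXCL. If a local
 * attacker has already planted a symlink at that path, open() follows it and
 * O_TRUNC empties whatever the link points at, with the caller's privileges
 * (root, when run-mailcap is invoked by root). */
int create_temp_unsafe(const char *predictable_path) {
    return open(predictable_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Secure: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL in one step, so a pre-planted file or symlink makes the call
 * fail instead of being followed. Current libcs create the file 0600; the
 * umask guard only matters on old ones that used 0666. */
int create_temp_safe(char *name_template) {   /* must end in "XXXXXX"; rewritten in place */
    mode_t old = umask(077);
    int fd = mkstemp(name_template);
    umask(old);
    return fd;
}

/* Demonstration: plant a symlink at the predictable name pointing at a victim
 * file, then try both strategies. Returns 1 when the unsafe open truncated the
 * victim through the symlink and mkstemp() instead produced a fresh regular
 * file with mode 0600; 0 otherwise; -1 on setup failure. */
int demo_temp_files(void) {
    char dir[] = "/tmp/mailcapdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char victim[4096], planted[4096], tmpl[4096];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/run-mailcap.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/run-mailcap.XXXXXX", dir);

    int v = open(victim, O_WRONLY | O_CREAT, 0644);
    if (v < 0) return -1;
    if (write(v, "secret", 6) != 6) { close(v); return -1; }
    close(v);
    if (symlink(victim, planted) != 0) return -1;

    int ufd = create_temp_unsafe(planted);            /* follows the attacker's link */
    if (ufd >= 0) close(ufd);
    struct stat st;
    int truncated = (stat(victim, &st) == 0 && st.st_size == 0);

    int sfd = create_temp_safe(tmpl);
    int fresh = 0;
    if (sfd >= 0 && fstat(sfd, &st) == 0)
        fresh = S_ISREG(st.st_mode) && (st.st_mode & 07777) == 0600
                && st.st_nlink == 1 && strcmp(tmpl, planted) != 0;
    if (sfd >= 0) { close(sfd); unlink(tmpl); }
    unlink(planted); unlink(victim); rmdir(dir);
    return (truncated && fresh) ? 1 : 0;
}
```

The descriptor mkstemp() returns is the thing to keep using: passing the name on to another program (as a mailcap command line does) reopens it by path and reintroduces the race at that second open.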
Alerts:
Debian DSA-292-1 2003-04-22
Debian DSA-292-2 2003-04-23
Debian DSA-292-3 2003-04-30

Comments (none posted)

Monkey HTTPd Remote Buffer Overflow

Package(s):monkeyd CVE #(s):
Created:April 28, 2003 Updated:April 30, 2003
Description: A buffer overflow vulnerability exists in Monkey's handling of forms submitted with the POST request method. The unchecked buffer lies in the PostMethod() procedure. The advisory contains more information.
Alerts:
Gentoo 200304-07 2003-04-28

Comments (none posted)

mysql - configuration file vulnerability

Package(s):mysql mysqld CVE #(s):CAN-2003-0150
Created:March 18, 2003 Updated:May 16, 2003
Description: According to a report on BugTraq, a vulnerability exists in version 3.23.55 and earlier versions of the MySQL server. If the MySQL server is launched by root, as is often done by system startup scripts, any database user with the "FILE" privilege can write a configuration file (usually my.cnf) that causes the MySQL server to run under an arbitrary user id, including the user id of the super-user, on the next restart.
Alerts:
Trustix 2003-0009 2003-03-18
OpenPKG OpenPKG-SA-2003.022 2003-03-18
Gentoo 200303-14 2003-03-18
EnGarde ESA-20030324-012 2003-03-24
Red Hat RHSA-2003:093-01 2003-04-29
Red Hat RHSA-2003:093-02 2002-03-05
Mandrake MDKSA-2003:057 2003-05-14
Debian DSA-303-1 2003-05-15

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Red Hat RHSA-2002:228-11 2002-12-17
Conectiva CLA-2003:778 2003-11-07

Comments (none posted)

nethack: buffer overflow

Package(s):nethack, slashem, falconseye CVE #(s):CAN-2003-0358 CAN-2003-0359
Created:February 18, 2003 Updated:July 15, 2003
Description: Overflowing a buffer in nethack may lead to privilege escalation to the games uid.

Read the full advisory for the details.

Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages.

Alerts:
Gentoo 200302-08 2003-02-18
Debian DSA-316-1 2003-06-11
Debian DSA-316-2 2003-06-11
Debian DSA-316-3 2003-06-17
Debian DSA-350-1 2003-07-15

Comments (none posted)

netscape-flash: buffer overflow

Package(s):netscape-flash CVE #(s):
Created:March 10, 2003 Updated:June 20, 2003
Description: Potentially exploitable buffer overflows exist in the Macromedia Flash Player. The full advisory is here. "The cumulative security patch is available today and addresses the potential for exploits surrounding buffer overflows (read/write) and sandbox integrity within the player, which might allow malicious users to gain access to a user's computer. The possibility of running native code on a user's machine is a theoretical exploit, and extremely difficult to execute in practice. There are no known examples of running such native code from Macromedia Flash movies; however, even though this issue is difficult and theoretical in nature only, we are encouraging users to upgrade."
Alerts:
Gentoo 200303-9 2003-03-09
Red Hat RHSA-2003:026-01 2003-06-20

Comments (none posted)

openssl: local and remote extraction of RSA private key

Package(s):openssl, apache, mod_ssl CVE #(s):CAN-2003-0147
Created:March 18, 2003 Updated:May 22, 2003
Description: David Brumley and Dan Boneh of Stanford University have researched and documented a timing attack on OpenSSL which allows local and remote attackers to extract the RSA private key of a server. The OpenSSL RSA implementation is generally vulnerable to this type of attack unless RSA blinding has been turned on. See this paper (pdf format) for additional details.

Typically, RSA blinding is not enabled by OpenSSL-based applications, mainly because it is not obvious how to do so when using OpenSSL to provide SSL/TLS. This problem therefore affects almost all applications using OpenSSL; they have to be rebuilt against the fixed OpenSSL version (where RSA blinding is now enabled by default) or must enable RSA blinding explicitly themselves.

The performance impact of RSA blinding appears to be small (a few percent only) and the RSA functionality remains fully compatible. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0147 to the problem.
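What blinding changes, as an added example in toy 64-bit arithmetic (not OpenSSL's implementation): the private operation is applied to c * r^e for a fresh random r instead of to the attacker-chosen ciphertext c, and r is stripped afterwards. Here p, q, e and the message are small constants chosen for the example, r is passed in by the caller where real code must draw it from a CSPRNG, and the 128-bit intermediate relies on the GCC/Clang __int128 extension. The cost the text describes is visible in the code: one public exponentiation, one inverse and two multiplications on top of the private exponentiation.

```c
#include <stdint.h>

typedef unsigned __int128 u128;          /* GCC/Clang extension: 64x64 -> 128 bit */

uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return (uint64_t)((u128)a * b % n);
}

uint64_t powmod(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t result = 1 % n;
    base %= n;
    while (exp) {
        if (exp & 1) result = mulmod(result, base, n);
        base = mulmod(base, base, n);
        exp >>= 1;
    }
    return result;
}

/* Modular inverse by the extended Euclidean algorithm; 0 if none exists. */
uint64_t invmod(uint64_t a, uint64_t n) {
    __int128 t = 0, newt = 1, r = n, newr = a % n;
    while (newr != 0) {
        __int128 q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    if (t < 0) t += n;
    return (uint64_t)t;
}

struct rsa_key { uint64_t n, e, d; };

/* Toy key from two small primes; d = e^-1 mod (p-1)(q-1). */
struct rsa_key toy_keygen(uint64_t p, uint64_t q, uint64_t e) {
    struct rsa_key k = { p * q, e, invmod(e, (p - 1) * (q - 1)) };
    return k;
}

uint64_t rsa_public(const struct rsa_key *k, uint64_t m) {
    return powmod(m, k->e, k->n);
}

/* Unblinded private operation: the running time of powmod() with the secret
 * exponent d depends on the attacker-chosen input c, which is what the
 * Brumley/Boneh measurements exploit. */
uint64_t rsa_private_plain(const struct rsa_key *k, uint64_t c) {
    return powmod(c, k->d, k->n);
}

/* Blinded: apply d to c * r^e, then multiply by r^-1.
 *   (c r^e)^d = c^d r^(ed) = c^d r  (mod n),  so  (c r^e)^d r^-1 = c^d.
 * The result is unchanged, but the value the secret exponent is applied to is
 * unknown to the attacker, decorrelating the timing from c. Returns 0 if r is
 * not invertible mod n (the caller must then pick another r). */
uint64_t rsa_private_blinded(const struct rsa_key *k, uint64_t c, uint64_t r) {
    uint64_t r_inv = invmod(r, k->n);
    if (r_inv == 0) return 0;
    uint64_t blinded = mulmod(c, powmod(r, k->e, k->n), k->n);
    uint64_t m_blinded = powmod(blinded, k->d, k->n);
    return mulmod(m_blinded, r_inv, k->n);
}

/* Encrypt m under a fixed toy key (p = 104729, q = 1299709, e = 65537) and
 * decrypt it: plain when r == 0, blinded with r otherwise. */
uint64_t roundtrip(uint64_t m, uint64_t r) {
    struct rsa_key k = toy_keygen(104729, 1299709, 65537);
    uint64_t c = rsa_public(&k, m);
    return r == 0 ? rsa_private_plain(&k, c) : rsa_private_blinded(&k, c, r);
}
```

OpenSSL's fix does exactly this bookkeeping inside the library, which is why applications only need to pick up a build with blinding enabled rather than change their own code; an application that keeps its own RSA private operation has to add the r^e multiply and the r^-1 strip itself.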

Alerts:
OpenPKG OpenPKG-SA-2003.019 2003-03-18
OpenPKG OpenPKG-SA-2003.020 2003-03-18
Trustix 2003-0010 2003-03-18
Gentoo 200303-15 2003-03-20
EnGarde ESA-20030320-010 2003-03-20
OpenPKG OpenPKG-SA-2003.026 2003-03-20
Sorcerer SORCERER2003-03-21-0 2003-03-21
SCO Group CSSA-2003-014.0 2003-03-21
Gentoo 200303-20 2003-03-24
Gentoo 200303-23 2003-03-25
Gentoo 200303-24 2003-03-25
Mandrake MDKSA-2003:035 2003-03-25
Trustix 2003-0013 2003-03-26
Immunix IMNX-2003-7+-001-01 2003-03-26
Red Hat RHSA-2003:101-01 2003-04-01
SuSE SuSE-SA:2003:024 2003-04-04
Conectiva CLA-2003:625 2003-04-10
Debian DSA-288-1 2003-04-17
Slackware ssa:2003-141-05 2003-05-22

Comments (none posted)

pam_xauth: root exploit

Package(s):pam_xauth CVE #(s):CAN-2002-1160
Created:February 13, 2003 Updated:July 10, 2003
Description: The pam_xauth module is used to forward xauth information from user to user in applications such as 'su'.

Andreas Beck discovered that versions o