LWN.net Weekly Edition for June 19, 2003

Software patents in Europe

Europeans, like citizens of much of the "free world," have a certain tendency toward smugness when software patents are discussed. Software patents, after all, are an American problem. Unfortunately, the U.S. is quite good at exporting its problems. Software patents in Europe took another step toward reality this week when the Legal Affairs Committee of the European Parliament voted in favor of an EU-wide software patent scheme. The 20-8 committee vote adopted the proposed directive, as written by the European Commission, almost without changes.

The proposal is said to be more restrictive than the American version of software patents. Patentable technologies would have to be useful in a particular setting and application; simply having a program is not enough. And business models still would not be subject to patents. But the proposed directive is still enough to raise widespread concern throughout Europe. The Greens were quite clear on what they think:

The Legal Affairs Committee of the European Parliament today adopted a report that allows for the unlimited patenting of software which will, in one swoop, entrench the market dominance of multinational companies, force small software firms out of business and bring to an end the European free software movement.

There is also this release from the Foundation for a Free Information Infrastructure, which contains quotes from a number of European business figures.

The sad truth is that software patents have done great harm in the U.S., and they are unlikely to be more beneficial in Europe. This is one import the EU could do without.

All SCO, all the time

One of these days we'll manage to keep SCO off the front page. Not this week. The next two articles cover a couple of important issues in this whole mess - the breathtaking scope of SCO's claims and a look inside the company as revealed in its latest 10Q filing. Both articles, we think, give some insight into just what the Linux community is up against.

During the last week the read-copy-update (RCU) technology has been singled out as one of IBM's contributions that SCO objects to. We ran an article looking into the origins of RCU and concluding that SCO had nothing to do with the creation of RCU. The article is a bit dated (already) but it still gives an overview of the RCU situation; a number of the reader comments are well worth reading too. In the end, however, origins matter little; SCO believes it owns everything that was ever part of a Unix system.

The company has filed a new version of its complaint against IBM, upping the damages demanded and changing many points. See this LWN article for a brief summary, a pointer to the document, and numerous comments.

Finally, should all this not be enough on SCO, the SCOvsIBM Wiki maintained by Karsten Self is exhaustive and exhausting.

SCO owns the World?

According to some opponents of free software, users of that software are taking grave risks. The GPL, it is said, is "viral" and can cause the loss of a company's intellectual property. And free software users are exposed to the possibility that somebody, somewhere, may have incorporated tainted code, exposing users and distributors to unexpected liabilities. The solution to these problems, of course, is to simply stick with safe, licensed, proprietary software. It costs, and you sign away a lot of rights, but the warm, fuzzy feeling that comes from signing that license agreement is worth it.

Except it's increasingly clear that things are not that way. We all owe SCO a debt of gratitude for showing us how unsafe proprietary software can be. That company is using proprietary licensing to press a truly staggering set of claims over the work of others, and to assert the power to disrupt organizations worldwide.

Consider first the issue of intellectual property. SCO CEO Darl McBride recently gave an interview which provided a clear picture of how he sees the ownership of proprietary Unix systems:

Where people get a little confused is when they think of SCO Unix as just the Unix that runs the cash register at McDonalds. We think of this as a tree. We have the tree trunk, with Unix System 5 running right down the middle of the trunk. That is our core ownership position on Unix.

Off the tree trunk, you have a number of branches, and these are the various flavors of Unix. HP-UX, IBM's AIX, Sun Solaris, Fujitsu, NEC--there are a number of flavors out there. SCO has a couple of flavors, too, called OpenServer and UnixWare. But don't confuse the branches with the trunk. The System 5 source code, that is really the area that gives us incredible rights, because it includes the control rights on the derivative works that branch off from that trunk.

These "control rights" are at the core of the IBM lawsuit. SCO is claiming that any work any vendor has ever put into a Unix system is subject to SCO's control. Chris Sontag, the head of SCOsource, is even more direct:

We believe that UNIX System V provided the basic building blocks for all subsequent computer operating systems, and that they all tend to be derived from UNIX System V (and therefore are claimed as SCO's intellectual property).

SCO, it would seem, owns everything. Compared to that claim, the allegedly "viral" nature of the GPL (if you distribute something derived from a GPL-licensed product, the derived product must also be licensed under the GPL) seems weak indeed. SCO is laying claim to decades of work done by dozens of proprietary Unix vendors, and that's just the starting point.

Does this claim have any basis in reality? SCO has posted the relevant agreements on its IBM lawsuit page, so this sort of thing can be checked - at least, for the IBM case. The basic software agreement ("Exhibit A") states (in section 2.01):

Such right to use includes the right to modify such SOFTWARE PRODUCT and to prepare derivative works based on such SOFTWARE PRODUCT, provided the resulting materials are treated hereunder as part of the original SOFTWARE PRODUCT.

Since the agreement on the original "SOFTWARE PRODUCT" includes prohibitions on disclosure, this language would seem to back up SCO's claim. Thus, technologies like read-copy-update, which were never part of any SCO product, could be said to come under this agreement and be prohibited from disclosure. In fact, the language could even be read to transfer ownership of any modifications to SCO, except that IBM caught that and forced a change ("Exhibit C"):

Regarding section 2.01, we agree that modifications and derivative works prepared by or for you are owned by you. However, ownership of any portion or portions of SOFTWARE PRODUCTS included in any such modification or derivative work remains with us.

So IBM owns its changes. But the company might have signed away its right to disclose its changes to others or deploy them in other contexts. Other vendors with less-aware lawyers may well have signed away all ownership to their Unix work. So much for the safety of intellectual property in the proprietary environment.

Of course, all this is IBM's problem. As SCO and others have stated, customers are better off with licensed, proprietary software, since it is warranted against intellectual property problems. Sun Microsystems plans to press this point to its advantage. The only problem is that, once again, SCO has shown us that this statement is not true.

SCO is attempting to revoke IBM's license to distribute AIX. This move does not just affect IBM; consider this quote from Chris Sontag, the head of SCOsource:

SCO said that the termination of the AIX license means that all IBM Unix customers also have no license to use the software. "This termination not only applies to new business by IBM, but also existing copies of AIX that are installed at all customer sites. All of it has to be destroyed," Sontag said.

All of those AIX customers did exactly what they are supposed to do: they signed a proprietary license, paid their fees, and went off with the idea that they had bought the right to use the system on their machines. Now it appears that Unix users, at SCO's whim, can be deprived of the software upon which they have built their businesses. Proprietary Unix, it would seem, is a foundation built upon sand. Given that Microsoft felt the need to buy a Unix license from SCO, it is not clear that Windows users are in any better shape. One might assume that SCO would not try to pull the plug on Windows, but the possibility exists regardless. We look forward to the forthcoming warning from the Gartner Group.

SCO's actions have pointed out the very real possibility for trouble resulting from the incorporation of proprietary code into a free product. This is an issue that should probably be taken more seriously throughout the free software community in the future. But SCO has also made it painfully clear that the proprietary world, too, has its traps, and those traps are at least as frightening as any faced by free software users. Taken to their extreme, the proprietary rights claimed by SCO give that company ownership and control over most computing systems on the planet. It is a frightening thing to contemplate.

SCO's quarterly report

SCO's Form 10-Q filing, summarizing the company's operations for the quarter ending April 30, is now available. These reports always have some interesting tidbits for those who are patient enough to wade through them, and SCO's is no exception.

SCO claims a profit of $4.5 million for the quarter - the first in the company's history. (Bear in mind that "the company" is the one formerly known as Caldera). Based on that figure, SCO management has made much noise about how strong SCO is. A look at the figures tells a different story.

Products revenue was $11 million - down 12% from one year ago. Services revenue was $2 million, down 30% from one year ago. SCO would have racked up a significant loss in this quarter if it weren't for SCOsource, which brought in $8.3 million. Even after they spent over $2 million in legal expenses and such, that money was enough to put SCO into a position of profit for the quarter. That makes for a nice one-time bottom line, but, as SCO says, "SCOsource licensing revenue is unlikely to produce stable, predictable revenue for the foreseeable future."

SCOsource, so far, has exactly two customers. They won't tell us who the first is, saying only:

The first of these licenses was with a long-time licensee of the UNIX source code which is a major participant in the UNIX industry and was a 'clean-up' license to cover items that were outside the scope of the initial license.

The second licensee, of course, is Microsoft. We don't know how much each one spent, only that the two add up to $8.3 million.

There are hints of some interesting stuff going on with regard to the sale of these licenses. Consider:

During the quarter ended April 30, 2003, the Company issued a warrant to a SCOsource licensee. The warrant allows the licensee to acquire 210,000 shares of the Company's common stock at an exercise price of $1.83 per share for a term of five years from the date of grant. Because the warrant was issued for no consideration to the SCOsource licensee, the Company has recorded the fair value of the warrant of $500,000, as determined using the Black-Scholes option-pricing model, as a warrant outstanding during the quarter ended April 30, 2003 and reduced license revenue accordingly.

Of course, at today's price for SCO stock, that warrant can be exercised (if the holder moves quickly) for a $1.8 million overnight profit. That, one might suppose, will take a bit of the sting out of paying for a license from SCO. The filing does not say which licensee got this little added gift ("for no consideration") or why, but the wording suggests the lucky recipient was the "long-time licensee," not Microsoft.

The story with Vista.com (covered in the June 12 Weekly Edition) gets more interesting as well. There, Vista's founder got 800,000 shares (now going on the market) in exchange for a $1 million note payable by Vista. Vista, however, is in default on some of its other loans from SCO, but was given more money in April anyway. There is no real explanation of why SCO is supporting Vista (and its founder) in this way.

SCO claims to have $10 million in the bank, and another $15 million in various assets. $1 million of that is the dubious note from Vista. In the absence of new investments or SCOsource deals, the company may well burn through that cash pile in two years or less. Participants in the recent rally in SCO's stock price may yet find a reason to wish they had missed out.

Java and Open Source

[This article was contributed by Joe 'Zonker' Brockmeier]

The JavaOne conference was held last week in San Francisco, and as usual there was a barrage of announcements from Sun about new Java-related initiatives and technologies, some of them actually of interest to the Linux and Open Source communities.

One of the big announcements was the launch of Java.net, a cooperative effort with O'Reilly and CollabNet. Java.net seems to be Sun's answer to SourceForge: an Open Source development site, but specializing in Java and Java-related technologies. The site will include hosting of projects, mailing lists, forums, wikis and blogs (presumably about Java or related technologies). Right now Java.net only boasts a few projects: JXTA, NetBeans, the Javapedia, JAIN and so on.

The NetBeans team announced the NetBeans 3.5 release, including the NetBeans IDE, last week as well. The NetBeans IDE is written, not surprisingly, in Java, so you should be able to run it on Linux or any other platform with decent Java support. However, the NetBeans IDE is not limited to Java development -- it supports C, C++, XML and HTML as well as Java. NetBeans has been available under an Open Source license, the Sun Public License, for three years now.

Sun also announced the Sun ONE Studio 5 IDE, which is based on the NetBeans Platform. This one isn't Open Source, but it does run on Linux and may be of interest to J2SE (Java 2 Standard Edition) and J2EE (Java 2 Enterprise Edition) developers.

Another interesting tidbit announced during the JavaOne timeframe is the Scripting Java Specification Request (JSR), a plan to help scripting languages like PHP and Java interact. Specifically, it's aimed at writing Java classes that can be invoked by a page using PHP, ECMAScript or other scripting languages that are in wide usage. The Scripting JSR seems to be in a formative stage at the moment, but it should be interesting to see what the group comes up with in the long term. The initial members of the group are Sun, Macromedia, Zend and Oracle.

Open Source gamers might be pleased to learn that Sun has diverted work on some gaming APIs from the Java Community Process to Java.net as well. However, this probably has more to do with the fact that Sun doesn't see much profitability in gaming APIs for Java than with any major commitment to the Open Source philosophy.

Sun also touted a "simplified" Java Research License (JRL). The JRL is supposed to "simplify and relax" the research section of Sun's Sun Community Source License (SCSL). It allows limited development for research purposes, but anyone hoping to distribute a project will have to go to Sun for a commercial agreement and meet Java compatibility requirements. In other words, it is still not a free license.

What are the prospects of Sun making Java itself Open Source? It's probably not going to happen anytime soon, but there are folks at Sun who are in favor of making Java, or parts of it, Open Source. James Gosling, the guy responsible for Java, is in favor of releasing Java, according to this Computerworld article:

Oh, yeah. I've always felt that sort of in the abstract, open-source is the right thing to do for a lot of the kinds of things that we do. There are a variety of issues that make it a very complex discussion as to whether it actually works as a business.

Slowly but surely, Sun seems to be moving towards a more open stance with Java, but the company is still retaining very tight control on the core Java technologies.

Page editor: Jonathan Corbet

Security

Security news

Some goodies from Openwall

Solar Designer has sent out an announcement of a new set of security-oriented releases from Openwall. These components are, of course, integrated into Openwall Linux, but they are available separately for integration into other distributions as well.

Here's what's available:

  • A patch for the 2.4.21 kernel fixing problems and adding a number of security features. You can now use 2.4.21 in Openwall Linux, though, in true conservative form, they still recommend sticking with 2.2 for now.

  • msulogin, a version of the "sulogin" program (which is normally used to control access to a system in single-user mode). The twist offered by msulogin is that it can handle multiple root accounts.

  • tcb, an alternative shadow password implementation. The difference is that tcb implements separate shadow files for each user. This technique allows group permissions to be used to implement password policies, and it allows the entire password subsystem to work with no need for root privileges.

These tools and patches can be used as components in a more secure Linux system, and that can only be a good thing.

June CRYPTO-GRAM newsletter

Bruce Schneier's CRYPTO-GRAM newsletter for June is out; it looks at cyberterrorism, teaching virus writing, attacking virtual machines with memory errors, and fun with expired domains (beyond the usual trick of pointing them at porn sites): "Step 1: Buy an expired domain. Step 2: Watch all the spam come in, and figure out what e-mail accounts were active for that domain's previous owner. Step 3: Go to an account-based site -- eBay, Amazon, etc. -- and request that the password be sent to those accounts. If the people with those accounts didn't bother to change their e-mail address when the domain expired, you can collect their passwords."

New vulnerabilities

BitchX: Denial of service vulnerability

Package(s): BitchX
CVE #(s): CAN-2003-0334
Created: June 17, 2003
Updated: June 17, 2003
Description: A Denial Of Service (DoS) vulnerability was discovered in BitchX that would allow a remote attacker to crash BitchX by changing certain channel modes. Read more here and here.
Alerts:
Mandrake MDKSA-2003:069 2003-06-17

ethereal: buffer and integer overflows

Package(s): ethereal
CVE #(s): CAN-2003-0356 CAN-2003-0357
Created: June 12, 2003
Updated: June 18, 2003
Description: Timo Sirainen discovered several vulnerabilities in ethereal, a network traffic analyzer. These include one-byte buffer overflows in the AIM, GIOP, Gryphon, OSPF, PPTP, Quake, Quake2, Quake3, Rsync, SMB, SMPP, and TSP dissectors, and integer overflows in the Mount and PPP dissectors.
Alerts:
Debian DSA-324-1 2003-06-18
Mandrake MDKSA-2003:067 2003-06-16
Debian DSA-313-1 2003-06-11

gnocatan: buffer overflows, denial of service

Package(s): gnocatan
CVE #(s): CAN-2003-0433
Created: June 12, 2003
Updated: June 28, 2003
Description: Bas Wijnen discovered that the gnocatan server is vulnerable to several buffer overflows which could be exploited to execute arbitrary code on the server system.
Alerts:
Gentoo 200306-17 2003-06-28
Debian DSA-315-1 2003-06-11

lyskom-server: denial of service

Package(s): lyskom-server
CVE #(s): CAN-2003-0366
Created: June 13, 2003
Updated: June 17, 2003
Description: Calle Dybedahl discovered a bug in lyskom-server which could result in a denial of service where an unauthenticated user could cause the server to become unresponsive as it processes a large query.
Alerts:
Debian DSA-318-1 2003-06-12

man: format string exploit

Package(s): man
CVE #(s):
Created: June 16, 2003
Updated: June 17, 2003
Description: Versions of man 1.5l and below contain a format string vulnerability. The vulnerability occurs when man uses an optional catalog file, supplied via the NLSPATH/LANG environment variables. See the full advisory for more details.
Alerts:
Gentoo 200306-06 2003-06-14

mikmod: buffer overflow

Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

noweb: insecure temporary files

Package(s): noweb
CVE #(s): CAN-2003-0381
Created: June 17, 2003
Updated: June 28, 2003
Description: Jakob Lell discovered a bug in the 'noroff' script included in noweb whereby a temporary file was created insecurely. During a review, several other instances of this problem were found and fixed. Any of these bugs could be exploited by a local user to overwrite arbitrary files owned by the user invoking the script.
Alerts:
Gentoo 200306-16 2003-06-28
Debian DSA-323-1 2003-06-16

radiusd-cistron: possible remote system compromise

Package(s): radiusd-cistron
CVE #(s): CAN-2003-0450
Created: June 13, 2003
Updated: July 11, 2003
Description: The package radiusd-cistron is an implementation of the RADIUS protocol. Unfortunately the RADIUS server handles large NAS numbers incorrectly. This leads to overwriting internal memory of the server process and may be abused to gain remote access to the system the RADIUS server is running on.
Alerts:
Gentoo 200307-03 2003-07-11
Conectiva CLA-2003:664 2003-06-27
Debian DSA-321-1 2003-06-13
SuSE SuSE-SA:2003:030 2003-06-13

webmin: session ID spoofing

Package(s): webmin
CVE #(s): CAN-2003-0101
Created: June 13, 2003
Updated: November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:
SCO Group CSSA-2003-035.0 2003-11-17
Debian DSA-319-1 2003-06-12

Xpdf - command execution vulnerability

Package(s): Xpdf
CVE #(s): CAN-2003-0434
Created: June 18, 2003
Updated: July 24, 2003
Description: Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters.
Alerts:
Mandrake MDKSA-2003:071-1 2003-07-23
Yellow Dog YDU-20030723-1 2003-07-23
Red Hat RHSA-2003:196-02 2003-07-17
Conectiva CLA-2003:674 2003-07-04
Mandrake MDKSA-2003:071 2003-06-27
Gentoo 200306-11 2003-06-25
Yellow Dog YDU-20030620-1 2003-06-20
Red Hat RHSA-2003:196-01 2003-06-18

Updated vulnerabilities

Apache 2 - denial of service

Package(s): apache
CVE #(s): CAN-2003-0189 CAN-2003-0245
Created: May 28, 2003
Updated: June 16, 2003
Description: A new set of denial of service vulnerabilities has been found in Apache versions 2.0 through 2.0.45. The potential for a remote code exploit apparently exists as well. See the Apache 2.0.46 announcement for more information.
Alerts:
Conectiva CLA-2003:661 2003-06-16
Yellow Dog YDU-20030603-1 2003-06-03
Mandrake MDKSA-2003:063-1 2003-06-02
Gentoo 200305-13 2003-06-01
Mandrake MDKSA-2003:063 2003-05-30
Red Hat RHSA-2003:186-01 2003-05-28

atftp: buffer overflow

Package(s): atftp
CVE #(s): CAN-2003-0380
Created: June 9, 2003
Updated: June 12, 2003
Description: Rick Patel discovered that atftpd is vulnerable to a buffer overflow when a long filename is sent to the server. An attacker could exploit this bug remotely to execute arbitrary code on the server. Read the full advisory for more information.
Alerts:
Debian DSA-314-1 2003-06-11
Gentoo 200306-03 2003-06-08

bind buffer overflow vulnerability in DNS resolver libraries

Package(s): bind glibc
CVE #(s): CAN-2002-0651 CAN-2002-0684
Created: July 8, 2002
Updated: September 30, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Canna server: exploitable buffer overrun

Package(s): canna
CVE #(s): CAN-2002-1158 CAN-2002-1159
Created: December 10, 2002
Updated: September 30, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information or to cause a denial of service. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2002-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04

CUPS: vulnerability in the CUPS IPP implementation

Package(s): cups
CVE #(s): CAN-2003-0195
Created: May 27, 2003
Updated: July 22, 2003
Description: Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Conectiva CLA-2003:702 2003-07-22
Gentoo 200306-09 2003-06-14
Debian DSA-317-1 2003-06-11
SuSE SuSE-SA:2003:028 2003-06-06
Yellow Dog YDU-20030602-3 2003-06-02
Mandrake MDKSA-2003:062 2003-05-29
Slackware ssa:2003-149-01 2003-05-29
Red Hat RHSA-2003:171-01 2003-05-27

eterm: buffer overflow

Package(s): eterm
CVE #(s):
Created: June 9, 2003
Updated: June 12, 2003
Description: "bazarr" discovered that eterm is vulnerable to a buffer overflow of the ETERMPATH environment variable. This bug can be exploited to gain the privileges of the group "utmp" on a system where eterm is installed.
Alerts:
Debian DSA-309-2 2003-06-06
Debian DSA-309-1 2003-06-06

ethereal - format string vulnerability

Package(s): ethereal
CVE #(s): CAN-2003-0081
Created: March 10, 2003
Updated: June 12, 2003
Description: The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. See the full advisory for additional information.
Alerts:
Mandrake MDKSA-2003:051 2003-03-24
Red Hat RHSA-2003:076-01 2003-04-23
Conectiva CLA-2003:627 2003-04-16
SuSE SuSE-SA:2003:019 2003-03-21
Debian DSA-258-1 2003-03-10
Gentoo 200303-10 2003-03-09

Filename disclosure vulnerability in fam

Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

fetchmail: buffer overflow

Package(s): fetchmail
CVE #(s): CAN-2002-1365
Created: December 17, 2002
Updated: October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

ghostscript: command execution vulnerability

Package(s): ghostscript
CVE #(s): CAN-2003-0354
Created: June 2, 2003
Updated: June 16, 2003
Description: A flaw in unpatched versions of Ghostscript before 7.07 allows malicious PostScript files to execute arbitrary commands even with -dSAFER enabled.
Alerts:
Gentoo 200306-08 2003-06-14
Yellow Dog YDU-20030607-1 2003-06-07
Mandrake MDKSA-2003:065 2003-06-10
OpenPKG OpenPKG-SA-2003.030 2003-06-03
Red Hat RHSA-2003:181-01 2003-05-30

Potential remote root exploit in glibc

Package(s): glibc
CVE #(s): CAN-2002-0391
Created: August 14, 2002
Updated: June 29, 2003
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library, which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-333-1 2003-06-27
Conectiva CLA-2002:535 2002-10-29
Trustix 2002-0070 2002-10-17
EnGarde ESA-20021003-021 2002-10-03
Gentoo glibc-20020927 2002-09-27
Gentoo dietlibc-20020927 2002-09-27
Debian DSA-149-2 2002-09-26
Mandrake MDKSA-2002:061 2002-09-23
Gentoo glibc-20020905 2002-09-05
SuSE SuSE-SA:2002:031 2002-08-30
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

gzip: insecure temporary files

Package(s):gzip CVE #(s):CVE-1999-1332 CAN-2003-0367
Created:June 9, 2003 Updated:June 16, 2003
Description: Paul Szabo discovered that znew, a script included in the gzip package, creates its temporary files without taking precautions to avoid a symlink attack (CAN-2003-0367).

The gzexe script has a similar vulnerability which was patched in an earlier release but inadvertently reverted.

Alerts:
Mandrake MDKSA-2003:068 2003-06-16
Gentoo 200306-05 2003-06-14
OpenPKG OpenPKG-SA-2003.031 2003-06-11
Debian DSA-308-1 2003-06-06

Comments (none posted)

hanterm: two vulnerabilities in Hangul Terminal

Package(s):hanterm CVE #(s):CAN-2003-0077 CAN-2003-0079
Created:June 6, 2003 Updated:June 11, 2003
Description: Hangul Terminal is a terminal emulator for the X Window System, based on Xterm.

Hangul Terminal provides an escape sequence for reporting the current window title, which essentially takes the current title and places it directly on the command line. An attacker can craft an escape sequence that sets the window title of a victim using Hangul Terminal to an arbitrary command and then report it to the command line. Since it is not possible to embed a carriage return into the window title the attacker would then have to convince the victim to press Enter for it to process the title as a command, although the attacker could craft other escape sequences that might convince the victim to do so.

In addition, it is possible to lock up Hangul Terminal before version 2.0.5 by sending an invalid DEC UDK escape sequence.

Alerts:
Yellow Dog YDU-20030607-2 2003-06-07
Red Hat RHSA-2003:070-01 2003-06-06

Comments (none posted)

IMP - SQL injection vulnerability

Package(s):imp CVE #(s):CAN-2003-0025
Created:January 15, 2003 Updated:July 8, 2003
Description: The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem.
Alerts:
Conectiva CLA-2003:690 2003-07-08
SuSE SuSE-SA:2003:0008 2003-02-18
Debian DSA-229-2 2003-01-15

Comments (1 posted)

kde: arbitrary code execution

Package(s):kde CVE #(s):CAN-2003-0204
Created:April 10, 2003 Updated:June 30, 2003
Description: The KDE Security team has issued an advisory on a vulnerability present in all versions of KDE that allows a remote attacker to execute arbitrary commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2, patches to the KDE 2.2.2 sources have been made available.

KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files.

An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such malicious file and has file previews enabled.

An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possible other means.

Alerts:
Conectiva CLA-2003:668 2003-06-30
Red Hat RHSA-2003:002-01 2003-05-12
Debian DSA-296-1 2003-04-30
Mandrake MDKSA-2003:049-1 2003-04-24
SuSE SuSE-SA:2003:0026 2003-04-24
Debian DSA-293-1 2003-04-23
Slackware sl-1050682024 2003-04-18
Mandrake MDKSA-2003:049 2003-04-17
Sorcerer SORCERER2003-04-12 2003-04-12
Debian DSA-284-1 2003-04-12
Gentoo 200304-05 2003-04-11
Gentoo 200304-04 2003-04-10

Comments (none posted)

KDE: vulnerability in SSL implementation

Package(s):KDE CVE #(s):CAN-2003-0370
Created:June 6, 2003 Updated:June 11, 2003
Description: KDE versions 2.2.2 and earlier have a vulnerability in their SSL implementation that makes it possible for users of Konqueror and other SSL enabled KDE software to fall victim to a man-in-the-middle attack.
Alerts:
Red Hat RHSA-2003:192-01 2003-06-05

Comments (none posted)

kernel - ptrace-related vulnerability

Package(s):kernel CVE #(s):CAN-2003-0127
Created:March 17, 2003 Updated:June 30, 2003
Description: Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in ptrace() which may be exploited by a local user to obtain root access. This announcement contains the details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released which contains the fix.
Alerts:
Debian DSA-336-2 2003-06-29
Debian DSA-336-1 2003-06-29
Debian DSA-332-1 2003-06-27
Red Hat RHSA-2003:098-03 2003-06-02
SCO Group CSSA-2003-020.0 2003-05-09
Mandrake MDKSA-2003:038-1 2003-04-09
Red Hat RHSA-2003:135-00 2003-04-08
Conectiva CLA-2003:618 2003-04-07
Debian DSA-276-1 2003-04-03
Mandrake MDKSA-2003:039 2003-03-27
Mandrake MDKSA-2003:038 2003-03-27
Debian DSA-270-1 2003-03-27
SuSE SuSE-SA:2003:021 2003-03-25
Gentoo 200303-17 2003-03-21
Sorcerer SORCERER2003-03-19 2003-03-20
Red Hat RHSA-2003:088-01 2003-03-20
EnGarde ESA-20030318-009 2003-03-18
Trustix 2003-0007 2003-03-18
Red Hat RHSA-2003:098-00 2003-03-17

Comments (none posted)

kernel 2.4 - two new vulnerabilities

Package(s):kernel CVE #(s):CAN-2003-0244 CAN-2003-0246
Created:May 14, 2003 Updated:July 25, 2003
Description: The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
  • The ioperm() system call doesn't perform proper checking, allowing a local user to manipulate arbitrary I/O ports.

  • The networking code contains a remotely exploitable denial of service condition; see the May 24 Security Page for details.

Alerts:
Mandrake MDKSA-2003:066-2 2003-07-25
Conectiva CLA-2003:701 2003-07-22
Mandrake MDKSA-2003:066-1 2003-07-21
Mandrake MDKSA-2003:074 2003-07-15
Slackware SSA:2003-168-01 2003-06-17
Mandrake MDKSA-2003:066 2003-06-11
Debian DSA-312-1 2003-06-09
Debian DSA-311-1 2003-06-08
Red Hat RHSA-2003:187-01 2003-06-03
Red Hat RHSA-2003:145-01 2003-05-27
EnGarde ESA-20030515-017 2003-05-15
Red Hat RHSA-2003:172-00 2003-05-14

Comments (2 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains User Mode Linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

kon2: buffer overflow allows local users to obtain root privileges

Package(s):kon2 CVE #(s):CAN-2002-1155
Created:June 3, 2003 Updated:June 16, 2003
Description: KON is a Kanji emulator for the console. There is a buffer overflow vulnerability in the command line parsing code portion of the kon program up to and including version 0.3.9b. This vulnerability, if appropriately exploited, can lead to local users being able to gain elevated (root) privileges.
Alerts:
Gentoo 200306-07 2003-06-14
Mandrake MDKSA-2003:064 2003-06-05
Red Hat RHSA-2003:047-01 2003-06-03

Comments (none posted)

kopete: vulnerability in GnuPG plugin

Package(s):kopete CVE #(s):CAN-2003-0256
Created:May 8, 2003 Updated:June 27, 2003
Description: A vulnerability was discovered in versions of kopete prior to 0.6.2. Kopete is a KDE instant messenger client. This vulnerability is in the GnuPG plugin that allows users to send each other GPG-encrypted instant messages. The plugin passes encrypted messages to gpg, but does no checking to sanitize the command line passed to gpg. This can allow remote users to execute arbitrary code, with the permissions of the user running kopete, on the local system.
Alerts:
Conectiva CLA-2003:665 2003-06-27
Gentoo 200305-03 2003-05-14
Mandrake MDKSA-2003:055 2003-05-08

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

LPRng: insecure temporary file

Package(s):LPRng CVE #(s):CAN-2003-0136
Created:April 14, 2003 Updated:June 16, 2003
Description: Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purposes when it is configured as a filter. The program does not check whether this file already exists or is linked to another place, and writes its current environment and called arguments to the file unconditionally with the user id daemon.
Alerts:
Gentoo 200306-04 2003-06-14
Immunix IMNX-2003-7+-013-01 2003-06-04
Yellow Dog YDU-20030602-5 2003-06-02
Mandrake MDKSA-2003:060 2003-05-21
Red Hat RHSA-2003:142-01 2003-04-24
Debian DSA-285-1 2003-04-14

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:September 30, 2003
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.
Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as the default mailer, which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

mod_php: integer overflow

Package(s):mod_php php CVE #(s):
Created:June 9, 2003 Updated:June 12, 2003
Description: The PHP emalloc() function implements the error-safe wrapper around malloc(). Unfortunately this function suffers from an integer overflow and, considering the fact that emalloc() is used in many places around the PHP source code, it may lead to many serious security issues. Read the full advisory.

The function str_repeat(string input, int multiplier) returns input repeated multiplier times. The implementation of this function suffers from a simple integer overflow caused by a very long second argument and could allow a local/remote attacker in the worst case to gain control over the web server. Read the full advisory.

The function array_pad(array input, int pad_size, mixed pad_value) returns a copy of the input padded to size specified by pad_size with pad_value. Unfortunately the implementation of this function suffers from an integer overflow caused by a very long second argument and could allow a local/remote attacker in the worst case to gain control over the web server. Read the full advisory.

Alerts:
Gentoo 200306-02 2003-06-08

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

nethack: buffer overflow

Package(s):nethack, slashem, falconseye CVE #(s):CAN-2003-0358 CAN-2003-0359
Created:February 18, 2003 Updated:July 15, 2003
Description: Overflowing a buffer in nethack may lead to privilege escalation to the games uid.

Read the full advisory for the details.

Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages.

Alerts:
Debian DSA-350-1 2003-07-15
Debian DSA-316-3 2003-06-17
Debian DSA-316-2 2003-06-11
Debian DSA-316-1 2003-06-11
Gentoo 200302-08 2003-02-18

Comments (none posted)

netscape-flash: buffer overflow

Package(s):netscape-flash CVE #(s):
Created:March 10, 2003 Updated:June 20, 2003
Description: Potentially exploitable buffer overflows exist in the Macromedia Flash Player. The full advisory is here. "The cumulative security patch is available today and addresses the potential for exploits surrounding buffer overflows (read/write) and sandbox integrity within the player, which might allow malicious users to gain access to a user's computer. The possibility of running native code on a user's machine is a theoretical exploit, and extremely difficult to execute in practice. There are no known examples of running such native code from Macromedia Flash movies; however, even though this issue is difficult and theoretical in nature only, we are encouraging users to upgrade."
Alerts:
Red Hat RHSA-2003:026-01 2003-06-20
Gentoo 200303-9 2003-03-09

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

pam_xauth: root exploit

Package(s):pam_xauth CVE #(s):CAN-2002-1160
Created:February 13, 2003 Updated:July 10, 2003
Description: The pam_xauth module is used to forward xauth information from user to user in applications such as 'su'.

Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker.

Alerts:
Conectiva CLA-2003:693 2003-07-10
Mandrake MDKSA-2003:017-1 2003-04-28
Red Hat RHSA-2003:035-10 2003-02-12

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:September 30, 2003
Description: Two vulnerabilities exist in the mail() PHP function. The first one allows the execution of any program/script, bypassing safe_mode restrictions; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:September 30, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.
Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082