Reasoning's Apache study
[This article was contributed by Joe 'Zonker' Brockmeier]
Back in February, Reasoning, Inc. released a study that surprised few in the Linux and open source community. Specifically, Reasoning found that the Linux kernel's TCP/IP stack had fewer defects than implementations from vendors with proprietary versions.
This time around, Reasoning has focused on Apache. Reasoning looked at
Apache 2.1-dev, released at the end of January this year, and found that
release to be about the same quality as commercial software. Reasoning's
study was not sponsored by a vendor, nor does the company have any real
motivation to find that open source is better or worse than proprietary
software. Instead, the company is using studies of open source projects
to help promote its testing services. Open source makes an ideal
promotional device because Reasoning can actually release the full
results of the study, including the source code where errors are found.
The company uses a method of automated testing that tests for memory
leaks, NULL pointer dereferences, bad deallocations, out of bounds array
access and/or uninitialized variables. These are classified as defects.
In 58,944 lines of code (LOC) spread out in 360 files, there were a
total of 31 defects, or a defect density of 0.53 per thousand lines of
code. According to Reasoning, the average defect density for commercial
applications is 0.51 per thousand lines of code.
Of 31 defects, 29 of the defects were NULL pointer dereferences and 2
were uninitialized variables -- no memory leaks, bad deallocations or
out of bounds defects were found in Apache 2.1-dev. The detailed version
of Reasoning's report lists each of the 31 defects, giving the location
of the defect, a description and the actual defect in a code fragment
taken from the file with the defect.
One might wonder why Reasoning chose to look at a development version of
Apache rather than a more mature version that had been out for a while.
Certainly, very few people are likely to be deploying a development
version of Apache on production sites -- making it less comparable to a
release of a proprietary product. Apparently, they decided to review a
less mature version of an open source project to point out how the open
source development model benefits a project in the long run.
It would be interesting for Reasoning to track Apache's development and
compare its quality against proprietary code once a release has been out
and in use for some time. One suspects that a formally released and
widely deployed Apache would fare better than proprietary projects.
Obviously, the study doesn't provide the full picture. It only measures
certain types of defects, and doesn't take into account the software's
features, performance or other qualities. But, at least in the area of
software defects, Reasoning's study reflects well on the open source
model by demonstrating what many users of open source already know --
that open source produces code of a quality that is at least comparable
to proprietary software.
Comments (5 posted)
HP gives desktop Linux a shot
[This article was contributed by Joe 'Zonker' Brockmeier]
Hewlett-Packard has quietly released a desktop PC featuring Mandrake Linux for small and medium-sized businesses. Last Wednesday the company issued a press release for the Compaq Business Desktop d220, which is available with Windows XP or Linux Mandrake 9.1. MandrakeSoft has also issued a release, which indicates that Mandrake will be on a range of HP's Compaq-branded desktop PCs.
It's encouraging to see one of the major players in desktop PCs getting
behind Linux on the desktop. However, it'd be nicer if they were a
little more aggressive about the play. HP's release for the d220
desktops doesn't mention that the new line is available with Linux until
the sixth paragraph, when one would think that the release of a business
desktop machine featuring Linux would be more noteworthy. However, the
fact that HP is offering Linux on a desktop machine to SMBs at
all is a significant step forward.
A d220 system with an Intel Celeron processor can be had for a mere $327
through HP's site right now, and it's worth noting that a machine with
the same specs, but with Windows XP Home Edition, will set SMBs back an
additional $50 per machine -- presumably due to the additional cost of
adding the Windows license.
It's not exactly world domination: HP is only taking a tentative step by
offering Linux to SMB customers on a small slice of its Compaq line.
HP's home users, or those looking for a HP or Compaq laptop with Linux
pre-loaded, are still out in the cold. (Though there's nothing to stop
home users from ordering from HP's small and medium business online
store...) But, this small step is necessary to help Linux gain a
foothold in the desktop market.
Naysayers and analysts who have continually dismissed Linux as a desktop
operating system may have to rethink their position: it seems unlikely
that HP would offer a desktop machine with Linux unless there were
sufficient demand for Linux from its business customers, and unless HP
had decided that Linux is ready for prime time on the desktop. If HP
is successful with Linux as a desktop offering for SMBs, we can expect
to see Dell and others follow suit very shortly.
Comments (4 posted)
Page editor: Rebecca Sobol
Security
Security news
Apache HTTP Server 2.0.47 released
Today the Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
- Certain sequences of per-directory renegotiations and the
SSLCipherSuite directive being used to upgrade from a weak ciphersuite to
a strong one could result in the weak ciphersuite being used in place of
the strong one. [CAN-2003-0192]
- Certain errors returned by accept() on rarely accessed ports could
cause a temporary denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]
- A denial of service could occur when the target host is IPv6 but the ftp proxy
server cannot create an IPv6 socket. [CAN-2003-0254]
- The server would crash when going into an infinite loop due to too
many subsequent internal redirects and nested subrequests. [VU#379828]
The release is available for download now. We'll pass along vendor updates as we see them.
Comments (1 posted)
New vulnerabilities
teapop: SQL injection
| Package(s): | teapop |
| CVE #(s): | CAN-2003-0515 |
| Created: | July 9, 2003 |
| Updated: | October 1, 2003 |
| Description: | teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated. |
| Alerts: | |
Comments (none posted)
semi: insecure temporary file
| Package(s): | semi, wemi |
| CVE #(s): | CAN-2003-0440 |
| Created: | July 7, 2003 |
| Updated: | October 1, 2003 |
| Description: | semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker. wemi is a fork of semi, and contains the same bug. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
perl-MailTools: remote command execution
| Package(s): | MailTools |
| CVE #(s): | CAN-2002-1271 |
| Created: | November 5, 2002 |
| Updated: | September 19, 2003 |
| Description: | The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer, which allows commands to be embedded in the mail body. Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. |
| Alerts: | |
Comments (none posted)
PHP: Cross site scripting vulnerability
| Package(s): | PHP |
| CVE #(s): | CAN-2003-0442 |
| Created: | July 2, 2003 |
| Updated: | August 13, 2003 |
| Description: | In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack. |
| Alerts: | |
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
| CVE #(s): | CAN-2002-1323 |
| Created: | October 9, 2002 |
| Updated: | February 20, 2004 |
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. |
| Alerts: | |
Comments (none posted)
xterm: command execution and denial of service
| Package(s): | XFree86 xterm |
| CVE #(s): | CAN-2001-1409, CAN-2002-1472, CAN-2002-0164, CAN-2003-0063, CAN-2003-0071 |
| Created: | June 25, 2003 |
| Updated: | July 2, 2003 |
| Description: | A couple of new vulnerabilities have been found in the xterm application shipped with XFree86. There is yet another "execute arbitrary commands by setting the window title" vulnerability, along with a bug which can allow an attacker to lock up an xterm window. |
| Alerts: | |
Comments (none posted)
Xpdf - command execution vulnerability
| Package(s): | Xpdf |
| CVE #(s): | CAN-2003-0434 |
| Created: | June 18, 2003 |
| Updated: | July 24, 2003 |
| Description: | Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters. |
| Alerts: | |
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here. No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago. Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19, Buffer Overflow in Multiple DNS Resolver Libraries. |
| Alerts: | |
Comments (1 posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese language character input. A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt |
| Alerts: | |
Comments (none posted)
CUPS: vulnerability in the CUPS IPP implementation
| Package(s): | cups |
| CVE #(s): | CAN-2003-0195 |
| Created: | May 27, 2003 |
| Updated: | July 22, 2003 |
| Description: | Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631). |
| Alerts: | |
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0428, CAN-2003-0429, CAN-2003-0431, CAN-2003-0432 |
| Created: | June 23, 2003 |
| Updated: | November 10, 2003 |
| Description: | Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file." |
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: | |
Comments (3 posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331.) The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). |
| Alerts: | |
Comments (none posted)
gnupg: key validation
| Package(s): | gnupg |
| CVE #(s): | CAN-2003-0255 |
| Created: | May 15, 2003 |
| Updated: | November 17, 2003 |
| Description: | A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID. |
| Alerts: | |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
gtksee: buffer overflow
| Package(s): | gtksee |
| CVE #(s): | CAN-2003-0444 |
| Created: | June 29, 2003 |
| Updated: | July 11, 2003 |
| Description: | Viliam Holub discovered a bug in gtksee whereby, when loading PNG images of certain color depths, gtksee would overflow a heap-allocated buffer. This vulnerability could be exploited by an attacker using a carefully constructed PNG image to execute arbitrary code when the victim loads the file in gtksee. |
| Alerts: | |
Comments (none posted)
imagemagick: insecure temporary file
| Package(s): | imagemagick |
| CVE #(s): | CAN-2003-0455 |
| Created: | June 29, 2003 |
| Updated: | July 10, 2003 |
| Description: | There are circumstances in which imagemagick's libmagick library creates temporary files without taking appropriate security precautions. This vulnerability could be exploited by a local user to create or overwrite files with the privileges of another user who is invoking a program using this library. |
| Alerts: | |
Comments (none posted)
IMP - SQL injection vulnerability
| Package(s): | imp |
| CVE #(s): | CAN-2003-0025 |
| Created: | January 15, 2003 |
| Updated: | July 8, 2003 |
| Description: | The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem. |
| Alerts: | |
Comments (1 posted)
kernel 2.4 - two new vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CAN-2003-0244, CAN-2003-0246 |
| Created: | May 14, 2003 |
| Updated: | July 25, 2003 |
| Description: | The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing. (1) The ioperm() system call doesn't perform proper checking, allowing a local user to manipulate arbitrary I/O ports. (2) The networking code contains a remotely exploitable denial of service condition; see the May 24 Security Page for details. |
| Alerts: | |
Comments (2 posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
| Alerts: | |
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer. |
| Alerts: | |
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
| CVE #(s): | CAN-2002-1405 |
| Created: | November 19, 2002 |
| Updated: | October 1, 2003 |
| Description: | If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. |
| Alerts: | |
Comments (none posted)
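As an added illustration of the lynx entry above (not lynx's own code; the URL and the request builder are constructed for this example), the following contrasts a builder that splices a decoded URL path straight into the HTTP request with one that rejects control characters and sends the path still percent-encoded.

```python
from urllib.parse import urlsplit, unquote, quote

# Constructed URL of the kind a script might hand to a command-line fetcher.
# Its path decodes to a fake request line followed by an extra Host header,
# which is what a server with several virtual hosts would act on.
SAMPLE_URL = ("http://www.example.com/index.html%20HTTP/1.0"
              "%0d%0aHost:%20other.example.com%0d%0aX-Junk:%20")


def build_request_unsafe(url):
    """Vulnerable pattern: the decoded path is spliced into the request verbatim."""
    parts = urlsplit(url)
    path = unquote(parts.path) or "/"
    return "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, parts.hostname)


def build_request_safe(url):
    """Hardened pattern: refuse control characters; never decode the path into the request."""
    parts = urlsplit(url)
    raw_path = parts.path or "/"
    # Decode only to inspect: CR, LF or any other control byte in the decoded
    # path has no legitimate use and would terminate the request line early.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in unquote(raw_path)):
        raise ValueError("control character in URL path")
    # Re-encode anything unsafe while leaving existing %XX escapes untouched.
    encoded = quote(raw_path, safe="/%")
    return "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (encoded, parts.hostname)


def accepts(url):
    """True if the hardened builder accepts the URL, False if it rejects it."""
    try:
        build_request_safe(url)
        return True
    except ValueError:
        return False


def host_headers(request):
    """Helper: every Host header value a server would see in the raw request."""
    head = request.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")[1:]
            if line.lower().startswith("host:")]


if __name__ == "__main__":
    print("unsafe builder sends Host headers:",
          host_headers(build_request_unsafe(SAMPLE_URL)))
    print("hardened builder accepts the same URL:", accepts(SAMPLE_URL))
```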
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
| Alerts: | |
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: | Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. |
| Alerts: | |
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
| CVE #(s): | CAN-2002-1170 |
| Created: | December 17, 2002 |
| Updated: | November 7, 2003 |
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: | |
Comments (none posted)
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye |
| CVE #(s): | CAN-2003-0358, CAN-2003-0359 |
| Created: | February 18, 2003 |
| Updated: | July 15, 2003 |
| Description: | Overflowing a buffer in nethack may lead to privilege escalation to the games uid. Read the full advisory for the details. Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages. |
| Alerts: | |
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
| Alerts: | |
Comments (1 posted)
pam_xauth: root exploit
| Package(s): | pam_xauth |
| CVE #(s): | CAN-2002-1160 |
| Created: | February 13, 2003 |
| Updated: | July 10, 2003 |
| Description: | The pam_xauth module is used to forward xauth information from user to user in applications such as 'su'. Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker. |
| Alerts: | |
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
| CVE #(s): | CAN-2002-0985, CAN-2002-0986 |
| Created: | November 13, 2002 |
| Updated: | October 1, 2003 |
| Description: | Two vulnerabilities exist in the mail() PHP function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. |
| Alerts: | |
Comments (none posted)
phpbb: sql injection
| Package(s): | phpbb |
| CVE #(s): | CAN-2003-0486 |
| Created: | June 28, 2003 |
| Updated: | July 2, 2003 |
| Description: | An SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter. |
| Alerts: | |
Comments (none posted)
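The teapop entry above and this phpBB entry describe the same root cause: user-supplied input concatenated into SQL text, once as a string and once as a numeric parameter. The following added example (not code from either project; the tables and rows are constructed, and SQLite stands in for the PostgreSQL/MySQL backends) contrasts the concatenating form of each lookup with a parameterized one.

```python
import sqlite3

# Constructed sample data standing in for a POP3 server's user table and a
# forum's topic table; the schema is assumed, not teapop's or phpBB's.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]
SAMPLE_TOPICS = [(1, "Welcome"), (2, "Staff only")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE topics (topic_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO topics VALUES (?, ?)", SAMPLE_TOPICS)
    return conn


def auth_concat(conn, user, password):
    """Vulnerable pattern: client-supplied strings become part of the SQL text."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (user, password))
    return conn.execute(sql).fetchone() is not None


def auth_param(conn, user, password):
    """Hardened pattern: the driver binds the values, so quotes stay data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def topic_concat(conn, topic_id):
    """Vulnerable pattern: a numeric parameter is interpolated without a type check."""
    sql = "SELECT title FROM topics WHERE topic_id = %s" % topic_id
    return [row[0] for row in conn.execute(sql)]


def topic_param(conn, topic_id):
    """Hardened pattern: enforce the integer type first, then bind it."""
    try:
        tid = int(topic_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT title FROM topics WHERE topic_id = ?"
    return [row[0] for row in conn.execute(sql, (tid,))]


def demo():
    """Run both patterns against the same inputs and report what each returns."""
    conn = make_db()
    # A username that closes the string literal and comments out the rest of
    # the WHERE clause; with binding it is simply a name that does not exist.
    hostile_user = "alice' --"
    # A topic_id that widens the WHERE clause to every row when interpolated;
    # with the type check it is simply not an integer.
    hostile_topic = "1 OR 1=1"
    results = {
        "concat_auth_bypassed": auth_concat(conn, hostile_user, "wrong"),
        "param_auth_bypassed": auth_param(conn, hostile_user, "wrong"),
        "param_auth_valid": auth_param(conn, "alice", "s3cret"),
        "concat_topics": topic_concat(conn, hostile_topic),
        "param_topics": topic_param(conn, hostile_topic),
        "param_topics_valid": topic_param(conn, "2"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```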
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
| CVE #(s): | |
| Created: | February 12, 2003 |
| Updated: | November 7, 2003 |
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: | |
Comments (1 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
| CVE #(s): | CAN-2002-1119 |
| Created: | August 28, 2002 |
| Updated: | October 1, 2003 |
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. |
| Alerts: | |
Comments (none posted)
radiusd-cistron: possible remote system compromise
| Package(s): | radiusd-cistron |
| CVE #(s): | CAN-2003-0450 |
| Created: | June 13, 2003 |
| Updated: | July 11, 2003 |
| Description: | The package radiusd-cistron is an implementation of the RADIUS protocol. Unfortunately the RADIUS server handles large NAS numbers incorrectly. This leads to overwriting internal memory of the server process and may be abused to gain remote access to the system the RADIUS server is running on. |
| Alerts: | |
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 9, 2006 |
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. |
| Alerts: | |
Comments (1 posted)
tcptraceroute: problems dropping root privileges
| Package(s): | tcptraceroute |
| CVE #(s): | CAN-2003-0489 |
| Created: | June 28, 2003 |
| Updated: | July 10, 2003 |
| Description: | tcptraceroute 1.4 and earlier does not fully drop privileges after obtaining a file descriptor for capturing packets. This may allow local users to gain access to the descriptor via a separate vulnerability in tcptraceroute. |
| Alerts: | |
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | October 5, 2004 |
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. |
| Alerts: | |
Comments (none posted)
unzip: directory traversal vulnerability
| Package(s): | unzip |
| CVE #(s): | CAN-2003-0282 |
| Created: | July 1, 2003 |
| Updated: | November 13, 2003 |
| Description: | A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information. |
| Alerts: | |
Comments (none posted)
vim - modeline vulnerability
| Package(s): | vim |
| CVE #(s): | CAN-2002-1377 |
| Created: | January 16, 2003 |
| Updated: | February 10, 2004 |
| Description: | VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. |
| Alerts: | |
Comments (4 posted)
vixie-cron: Local vulnerability
| Package(s): | vixie-cron |
| CVE #(s): | CVE-2001-0559 |
| Created: | April 17, 2003 |
| Updated: | October 3, 2003 |
| Description: | From the ISS advisory: "Vixie Cron is a scheduling daemon that ships with several Linux distributions. Vixie Cron version 3.0pl1 could allow a local attacker to gain root privileges. Crontab fails to properly drop privileges in certain cases after a crontab modification operation. A local attacker could exploit this vulnerability to gain root privileges on the system since crontab is installed setuid root." Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page. |
| Alerts: | |
Comments (none posted)
webmin: session ID spoofing
| Package(s): | webmin |
| CVE #(s): | CAN-2003-0101 |
| Created: | June 13, 2003 |
| Updated: | November 18, 2003 |
| Description: | miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges. |
| Alerts: | |
Comments (none posted)
wget: directory traversal bug
| Package(s): | wget |
| CVE #(s): | CAN-2002-1344 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |
| Description: | Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system. FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3). If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine. See also this Bugtraq article from 1997. |
| Alerts: | |
Comments (none posted)
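The tar/unzip, unzip and wget entries above describe three routes to one outcome: a name from an untrusted source that escapes the extraction or download directory. The following added example (not code from any of those projects; the sample names are constructed) shows why the check-then-filter order in the unzip entry fails, and a sanitize, normalize, then validate order that handles all three cases.

```python
import posixpath

# Constructed entry names of the kinds the advisories describe: a tar/unzip
# member containing "..", an unzip member with a control byte between the
# dots, and FTP NLST lines that start with "/" or contain "/../".
SAMPLE_NAMES = [
    "docs/readme.txt",
    "../.rhosts",
    ".\x01./.forward",
    "/etc/passwd",
    "pub/../../.shosts",
    "a/b/../c.txt",
]


def strip_unprintable(name):
    """The sanitizing step the unzip advisory refers to: drop control characters."""
    return "".join(c for c in name if 32 <= ord(c) < 127)


def target_check_then_filter(name):
    """Buggy order: validate the raw name, then sanitize it for writing.

    Returns the relative path that would be written, or None if rejected.
    """
    if name.startswith("/") or ".." in name.split("/"):
        return None
    # The sanitized name is never re-checked, so ".\x01." turns into "..".
    return strip_unprintable(name)


def target_hardened(name):
    """Hardened order: sanitize, normalize, and only then validate the result."""
    cleaned = strip_unprintable(name)
    norm = posixpath.normpath(cleaned)
    # After normpath the only ways out of the extraction root are an absolute
    # path or a leading ".." component; "a/b/../c" has already become "a/c".
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None
    return norm


def compare(names=SAMPLE_NAMES):
    """Map each name to (buggy_target, hardened_target) for side-by-side review."""
    return {n: (target_check_then_filter(n), target_hardened(n)) for n in names}


if __name__ == "__main__":
    for name, (buggy, hardened) in compare().items():
        print("%-22r buggy=%-16r hardened=%r" % (name, buggy, hardened))
```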
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle |
| CVE #(s): | CAN-2002-0818 |
| Created: | August 14, 2002 |
| Updated: | October 1, 2003 |
| Description: | The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on." |
| Alerts: | |
Comments (none posted)
xbl: buffer overflows
| Package(s): | xbl |
| CVE #(s): | CAN-2003-0451, CAN-2003-0535 |
| Created: | June 20, 2003 |
| Updated: | July 9, 2003 |
| Description: | Steve Kemp discovered several buffer overflows in xbl, a game, which can be triggered by long command line arguments. This vulnerability could be exploited by a local attacker to gain gid 'games'. This has been assigned CAN-2003-0451. Another buffer overflow was discovered in xbl which could also be exploited by a local attacker to gain gid 'games'. This has been assigned CAN-2003-0535. |
| Alerts: | |
Comments (none posted)
xgalaga: buffer overflows
| Package(s): | xgalaga |
| CVE #(s): | CAN-2003-0454 |
| Created: | June 29, 2003 |
| Updated: | July 2, 2003 |
| Description: | Steve Kemp discovered several buffer overflows in the game xgalaga, which can be triggered by a long HOME environment variable. This vulnerability could be exploited by a local attacker to gain gid 'games'. |
| Alerts: | |
Comments (none posted)
xinetd: Memory leak in xinetd 2.3.10
| Package(s): | xinetd |
| CVE #(s): | CAN-2003-0211 |
| Created: | May 13, 2003 |
| Updated: | November 12, 2003 |
| Description: | Xinetd is a 'master server' that is used to accept service connection requests and start the appropriate servers. Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable. In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations. All users of xinetd are advised to update to xinetd-2.3.11, which is not vulnerable to these issues. |
| Alerts: | |
Comments (none posted)
ypserv: denial of service
| Package(s): | ypserv |
| CVE #(s): | CAN-2003-0251 |
| Created: | June 25, 2003 |
| Updated: | July 11, 2003 |
| Description: | From the Red Hat advisory: "A vulnerability has been discovered in the ypserv NIS server prior to version 2.7. If a malicious client queries ypserv via TCP and subsequently ignores the server's response, ypserv will block attempting to send the reply. This results in ypserv failing to respond to other client requests." The fix is to upgrade to version 2.8.0. |
| Alerts: | |
Comments (none posted)
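The ypserv entry is a blocking-send stall: a single-threaded server writes its reply with a plain send(), and a client that never reads keeps the server stuck there. The following added example (constructed; not ypserv's code) reproduces the condition with a socket pair whose client end is never read, and shows the general mitigation of bounding the wait with a send timeout so the server can give up on that client and serve the others.

```c
/* Added example (constructed, not ypserv's code): a reply sent with a plain
 * blocking send() stalls for as long as the client declines to read, which is
 * the stall the advisory describes; a send timeout (or a non-blocking socket)
 * bounds that wait so the server can move on to other clients. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Queue data until the socket's send buffer is full, which is exactly the
 * state an unreading peer leaves the server in.  Returns bytes queued or -1. */
static long fill_send_buffer(int fd)
{
    char chunk[4096];
    long total = 0;
    memset(chunk, 'x', sizeof chunk);
    while (total < (64L << 20)) {   /* safety cap */
        ssize_t n = send(fd, chunk, sizeof chunk, MSG_DONTWAIT);
        if (n < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK)
                return total;       /* buffer full: the peer has read nothing */
            return -1;
        }
        total += n;
    }
    return total;
}

/* Send a reply with a bounded wait.  Returns 0 if the reply went out, 1 if
 * the timeout fired (the server gives up on this client), -1 on other error. */
int send_reply_with_timeout(int fd, const void *reply, size_t len, int timeout_ms)
{
    struct timeval tv = { .tv_sec = timeout_ms / 1000,
                          .tv_usec = (timeout_ms % 1000) * 1000 };
    if (setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv) != 0)
        return -1;
    ssize_t n = send(fd, reply, len, 0);
    if (n == (ssize_t)len)
        return 0;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return 1;
    return -1;
}

/* Constructed scenario: a socket pair stands in for server and client; the
 * client side is never read from.  Returns 1 when the server's send returned
 * by timeout instead of blocking indefinitely. */
int demo_unreading_client(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int server = sv[0];
    int result = -1;
    if (fill_send_buffer(server) >= 0) {
        const char reply[] = "constructed NIS reply";
        result = send_reply_with_timeout(server, reply, sizeof reply, 200);
    }
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    printf("server returned by timeout: %d\n", demo_unreading_client());
    return 0;
}
```

Without the SO_SNDTIMEO call the final send() in demo_unreading_client() never returns, which is the advisory's failure mode in miniature; the same bounded-wait rule applies to any request/response daemon that serves clients from one thread.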
Resources
Linux Advisory Watch
The July 4 issue of the Linux Advisory Watch newsletter from
LinuxSecurity.com is available.
Linux Security Week
The July 7 issue of the Linux Security Week newsletter from
LinuxSecurity.com is available.
Events
HiverCon 2003 Announcements
Early-bird registration has opened for this year's HiverCon show, which
will be held in Dublin on November 6th and 7th. Register for your
ticket now and save 200 Euro!
Page editor: Rebecca Sobol
Kernel development
Release status
Kernel release status
The current development kernel is 2.5.74, which was
released by Linus on July 2.
The summary says:
"Updates all over, the patch itself is big largely because of a MIPS/MIPS64 merge (and SH, for that matter). Network driver updates, USB updates, PnP, SCTP, s390, you name it. See the changelog for more details."
The current stable kernel is 2.4.21; Marcelo has released
Linux 2.4.22-pre4.
"Here goes -pre4. It contains a lot of updates and fixes.
We decided to include this new code quota code which allows usage of
quotas with 32bit UID/GIDs.
Most Toshibas should work now due to an important ACPI fix.
Please help and test."
Linux 2.4.22-pre3-ac1
Alan Cox has released 2.4.22-pre3-ac1.
"Lots of small fixes and compiler clean up. S/390 qeth is finally GPL'd
and included, and the Wolfson written AC97 touchscreen driver is present and
would benefit from a once over by the input folks.
We now have a working framework for plugging add on modules into audio
codecs with funny features - be that modules for flipping connections
around or stuff like the touchscreen interface."
Kernel development news
Changes to the USB driver API for the 2.5 series kernel
[This article was contributed by Greg Kroah-Hartman]
Over the 2.5 kernel development series, the USB driver API has changed a
lot. As LWN has graciously allowed me to write a kernel article this
week, and I know a bit about the USB kernel code, I thought I would
give a short summary of the major changes that have happened to it,
for anyone wanting to port a 2.4 USB driver to 2.5.
The main struct usb_driver structure has shrunk. The
fops and minor variables have been removed, as the
majority of USB drivers do not need to use the USB major number. If a
USB driver does need to use the USB major, it should call the
usb_register_dev() function when a USB device has been found and a
minor number needs to be assigned to it. This function takes the
struct usb_interface that the minor number should be assigned to, and
a pointer to a struct usb_class_driver structure. The
usb_class_driver structure is defined as:
    struct usb_class_driver {
        char *name;
        struct file_operations *fops;
        mode_t mode;
        int minor_base;
    };
The name variable is the devfs name for this driver. The
fops variable is a pointer to the
struct file_operations that
should be called when this device is accessed. The mode
variable defines the file permissions that devfs will use when creating
the device node. Finally, the minor_base variable is the start
of the minor range that this driver has assigned to it.
When usb_register_dev() is called, the devfs node will be created if
devfs is enabled, and a usb class device is created in sysfs at
/sys/class/usb/. After the device is removed from the system, the
usb_unregister_dev() function should be called. This function will
return the minor number to the USB core (to be used again later for a
new device), delete the devfs node if devfs is enabled in the
kernel, and remove the usb class device from sysfs.
Because of these two functions, USB drivers no longer need to manage
their devfs entries on their own, as is necessary in the
2.4 kernel.
Also, USB drivers can use the usb_set_intfdata() function to save a
pointer to a USB driver specific structure. This can be used instead of
having to keep a static array of device pointers for every driver.
usb_set_intfdata() should be called at the end of the USB
driver probe function. Then in the open() function,
usb_get_intfdata() should be called to retrieve the stored
pointer.
For a good example of how to make these changes, look at how the
usb-skeleton.c driver has changed between the 2.4 and 2.5
kernels. This driver is a framework driver that can be used to base any
new USB drivers on.
There are also a number of USB API functions that have had their
parameters modified from 2.4 to 2.5. Two of the most visible examples
of this are the usb_submit_urb() function and the USB
probe() callback function.
In the usb_submit_urb() function, the USB core and host
controller drivers may need to allocate memory from the kernel to
complete the USB transfer. In 2.4, the core and host controller drivers
assumed that it was safe to sleep when requesting memory, and would call
kmalloc with the GFP_KERNEL flag. The USB developers quickly
realized that this is not always the right thing to do. So the
usb_submit_urb() function now requires that the memory flags be
passed to it:
    int usb_submit_urb(struct urb *urb, int mem_flags);
In the 2.5 kernel the probe callback is now:
    int (*probe) (struct usb_interface *intf,
                  const struct usb_device_id *id);
This was done to emphasize that USB drivers bind to a USB interface, and
not to an entire USB device. If the struct usb_device structure is
needed, the interface_to_usbdev() macro should be used to find it.
The biggest change in the USB API between the 2.4 and 2.5 kernels is
much improved documentation. To build the kernel USB documentation, run:
    make psdocs
This creates the Documentation/DocBook/usb.ps file, which
contains a lot of detail about how the USB subsystem works and what
all of the options to the USB functions are.
The primary author of all of this documentation is David Brownell, who
also wrote the USB gadget and USB 2.0 EHCI host controller driver.
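The calls the article walks through (usb_register_dev() and usb_unregister_dev() with a struct usb_class_driver, usb_set_intfdata() and usb_get_intfdata(), interface_to_usbdev(), and the interface-based probe signature) fit together into one probe/open/disconnect lifecycle. The following is an added example, not code from the kernel or from usb-skeleton.c: it keeps the kernel's names and the signatures shown above on the driver side, but the USB core underneath is a small user-space model (the minor table, usb_find_interface() and the devfs/sysfs side effects are stand-ins) so the flow can be compiled and run without kernel headers. The minor_base, mode, devfs name and device ids are constructed values.

```c
/* Added example: user-space model of the 2.5 USB driver calls the article
 * describes.  Struct and function names follow the kernel's; bodies marked
 * "model" stand in for the USB core.  Not kernel or usb-skeleton.c code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define USB_MAX_MINORS 256                  /* model: size of the core's minor table */

struct file_operations { int (*open)(int minor); };   /* model: reduced to open() */

struct usb_class_driver {                   /* as shown in the article */
    char *name;
    struct file_operations *fops;
    mode_t mode;
    int minor_base;
};

struct usb_device { const char *product; };                       /* model */
struct usb_device_id { unsigned short idVendor, idProduct; };     /* model */
struct usb_interface {                      /* model: only the fields this flow needs */
    struct usb_device *dev;
    void *driver_data;                      /* set by usb_set_intfdata() */
    int minor;                              /* -1 until usb_register_dev() */
};

static struct usb_interface *minor_table[USB_MAX_MINORS];   /* model of the core's table */

static struct usb_device *interface_to_usbdev(struct usb_interface *intf) { return intf->dev; }
static void usb_set_intfdata(struct usb_interface *intf, void *data) { intf->driver_data = data; }
static void *usb_get_intfdata(struct usb_interface *intf) { return intf->driver_data; }

/* model of usb_register_dev(): hand out the first free minor at or above
 * minor_base.  The real one also creates the devfs node and the sysfs entry. */
int usb_register_dev(struct usb_interface *intf, struct usb_class_driver *cd)
{
    for (int m = cd->minor_base; m < USB_MAX_MINORS; m++)
        if (!minor_table[m]) {
            minor_table[m] = intf;
            intf->minor = m;
            return 0;
        }
    return -EBUSY;
}

/* model of usb_unregister_dev(): the minor goes back to the core for reuse. */
void usb_unregister_dev(struct usb_interface *intf, struct usb_class_driver *cd)
{
    (void)cd;
    if (intf->minor >= 0) {
        minor_table[intf->minor] = NULL;
        intf->minor = -1;
    }
}

/* ---- driver side, written the way a 2.5 driver would be ---- */

struct skel_dev {                           /* per-device state, reached through intfdata */
    struct usb_device *udev;
    struct usb_interface *intf;
    int opens;
};

static int skel_open(int minor)
{
    struct usb_interface *intf = minor_table[minor];      /* model of usb_find_interface() */
    struct skel_dev *dev = intf ? usb_get_intfdata(intf) : NULL;
    if (!dev)
        return -ENODEV;                     /* node already gone, or not ours */
    dev->opens++;
    return 0;
}

static struct file_operations skel_fops = { .open = skel_open };
static struct usb_class_driver skel_class = {
    .name = "usb/skel%d", .fops = &skel_fops, .mode = 0666, .minor_base = 192, /* constructed */
};

/* 2.5 probe: the driver binds to one interface, not the whole device */
static int skel_probe(struct usb_interface *intf, const struct usb_device_id *id)
{
    (void)id;
    struct skel_dev *dev = calloc(1, sizeof *dev);
    if (!dev)
        return -ENOMEM;
    dev->udev = interface_to_usbdev(intf);  /* the macro the article names */
    dev->intf = intf;
    usb_set_intfdata(intf, dev);            /* replaces a static array of device pointers */
    int ret = usb_register_dev(intf, &skel_class);
    if (ret) {
        usb_set_intfdata(intf, NULL);
        free(dev);
    }
    return ret;
}

static void skel_disconnect(struct usb_interface *intf)
{
    struct skel_dev *dev = usb_get_intfdata(intf);
    usb_set_intfdata(intf, NULL);
    usb_unregister_dev(intf, &skel_class);  /* minor returns to the core */
    free(dev);
}

/* Plug in two devices, open the second, unplug the first, plug in a third:
 * returns the minor the third device received (the first one's, reused). */
int skel_lifecycle_demo(void)
{
    struct usb_device d1 = { "A" }, d2 = { "B" }, d3 = { "C" };
    struct usb_interface i1 = { &d1, NULL, -1 }, i2 = { &d2, NULL, -1 }, i3 = { &d3, NULL, -1 };
    struct usb_device_id id = { 0x1234, 0x5678 };           /* constructed ids */

    if (skel_probe(&i1, &id) || skel_probe(&i2, &id) || skel_open(i2.minor))
        return -1;
    skel_disconnect(&i1);
    if (skel_open(192) != -ENODEV)          /* the first node no longer exists */
        return -1;
    if (skel_probe(&i3, &id))
        return -1;
    int reused = i3.minor;
    skel_disconnect(&i2);
    skel_disconnect(&i3);
    return reused;
}
```

The ordering inside skel_probe() matters in the real driver too: usb_set_intfdata() must precede usb_register_dev(), because an open() can race in as soon as the node exists, and skel_disconnect() clears the pointer before giving back the minor so a late open() sees no device rather than freed memory. The usb_submit_urb() mem_flags change is not modelled here, since it affects only how the core allocates, not the driver's structure.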
libsysfs v0.1.0 announced
Daniel Stekloff has announced libsysfs, a library built over sysfs.
Patches and updates
Core kernel code
Device drivers