LWN.net Logo

LWN.net Weekly Edition for July 17, 2003

RFCs - insufficiently free?

Debian bug 92810 has the distinction of being one of the oldest release-critical bugs in the entire distribution. It was first reported on April 3, 2001, and has been the subject of occasional debate for over two years. Its resolution at the end of June, 2003 has left few people happy. Bug 92810, it seems, embodies an issue which remains unresolved in the free software community: how documentation should be licensed.

The issue at hand is how the Internet Society Request For Comments (RFC) documents are licensed. The RFCs are the core of the design of the Internet; they are the standards the describe the protocols, formats, algorithms, and conventions that make the net work. There are RFCs covering everything from the basic network protocols (i.e. for IP and TCP), email headers (RFC 2822) and HTML (RFC 1866) to netiquette (RFC 1855), avian datagram protocols (RFC 1149), and the Y10K problem (RFC 2550). Without the RFC series, the standards-based, interoperable Internet would not exist.

For anybody implementing or otherwise working with a network protocol, the relevant RFCs are required reading. So it is not surprising that a project like Debian would package up the RFC collection and include it with its distribution. The doc-rfc package is useful for Debian developers and its presence would not be questioned, except for a bit of a licensing problem. RFCs, it turns out, are required to carry a specific copyright notice (as specified in RFC 2223) which includes the following text:

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

This license, of course, does not allow the free creation of derived versions of the RFCs except in certain circumstances. That restriction violates the Debian Free Software Guidelines (DFSG). Most distributors would not be overly concerned about this problem; the license does allow them to distribute the RFC collection, after all. But the Debian Project takes its social contract seriously, and that contract requires that the distribution be "100% free software." Since the RFCs do not meet the DFSG (though there is not a complete consensus on that point), they have been evicted from the Debian distribution. Debian users wanting to install the doc-rfc package will have to look for it in the non-free area.

To many, Debian's uncompromising stance on licensing seems like a pedantic exercise carried out by people with nothing better to do with their time. But Debian is serving an important role in the community by serving as its conscience and early warning system. As recent events have shown, licensing is important. Every set of bits comes with its own copyright and its own restrictions. Failure to pay attention to those restrictions can lead to unwanted contact with lawyers, and is best avoided. Debian's high sensitivity to licensing problems brings those problems out into the open before somebody gets burned, and often leads to licensing changes which make the problems go away. Even when nothing changes, the Debian process points out where the open issues are.

The open issue in this case is that there is still no consensus on what free licensing means when applied to documentation. As a general rule, those who write text tend to want to maintain more control over their works than those to write code. Consider, for example, the Free Software Foundation's Free Documentation License, which includes a vast number of restrictions on modification and redistribution. (Debian, incidentally, is the group that has done the most to point out the non-free aspects of the FDL).

The Internet Society wants to retain enough control so that copies of a particular standard (and that's what the RFCs are) reflect the standard. A modified version of an RFC no longer reflects the standard, so such modifications are not allowed. The motivation is understandable and reasonable, but there is an important question which must be kept in mind. What happens if, sometime in the future, the Internet Society is coopted over to the Dark Side and starts moving the network standards in a proprietary or repressive direction? With the current licensing, there is no right to fork the RFCs and attempt to maintain a free, interoperable net. The RFC collection, thus, is truly not free. This result is almost certainly not what the Internet Society had in mind when it adopted its copyright notice, but that is the way it has turned out.

Five years or so ago, new software releases often were accompanied by new, one-off licenses that, as often as not, turned out to not be free. In more recent times, a relatively small set of well-known licenses has been adopted by most developers. Documentation, however, remains in the "roll your own license" stage. With luck, this area, too, will soon evolve toward a reasonable set of truly free licenses which reflect the needs and interests of writers.

Comments (26 posted)

Graphics programs for Linux

[This article was contributed by Joe 'Zonker' Brockmeier]

With the 1.0 release of Scribus this week, we thought we'd take a look at the state of open source graphics applications. There's a wide variety of these applications, and they are rapidly maturing, though maybe not quite as quickly as some might like. The most popular, and most mature in terms of features and polish, open source graphics application is The GNU Image Manipulation Program, better known as the GIMP. For those who are unfamiliar with the GIMP, it's very similar to Adobe Photoshop in nature, and offers much of the functionality of Photoshop though it still lacks some features that make Photoshop attractive to folks working with high-quality print publications. The GIMP has been around for quite some time, but the open source community has lacked a full-featured desktop publishing (DTP) programs like QuarkXPress, Adobe InDesign or PageMaker, Adobe Illustrator and CorelDraw.

The 1.0 release of Scribus may help fill that gap. While it still needs some work, Scribus is similar to Adobe InDesign and QuarkXPress. Unlike Quark or InDesign, though, Scribus is available under the GNU GPL and runs on Linux. I've tried Scribus on and off for some time now, and it definitely shows promise. After downloading the 1.0 release, I was impressed by how far Scribus has come in a fairly short time. It offers [Scribus screenshot] all the features you'd need to produce a decent company newsletter or flyer, allows you to prepare a document for printing or convert to PDF for electronic publishing. Scribus saves documents in an XML-type format, and can export projects to PDF, Encapsulated PostScript (EPS) and/or Scalable Vector Graphics (SVG) format.

There are a few glitches; some of the tools don't act quite as you might expect, and there are a few features that you'd definitely want in desktop publishing application that aren't in Scribus just yet. For example, the "text chain" feature doesn't seem to work predictably, and it doesn't seem possible to create a text box with multiple columns for text. But, a few shortcomings aside, Scribus is definitely a boon for folks who want to see Linux succeed on the desktop. While it may not be perfect, it should be good enough to attract a strong audience that will help to see it move forward in much the same way the GIMP has over the years.

Sodipodi is vector-based drawing application that looks very promising. Sodipodi is similar to Adobe Illustrator or CorelDraw, though it's not quite in the same league as those applications just yet. Judging by the images in the Sodipodi gallery, however, it has plenty to offer. Right now, Sodipodi is at the 0.32 release. It has quite a few features, and it's very usable, but it still needs to mature a bit before it's ready for "prime time." For example, Sodipodi only saves in the SVG format, and exports to PNG. It doesn't handle EPS or PDF right now, though EPS is on the tasks list. However, it has a full enough feature set, and is stable enough, that it can be used to create some really nice graphics.

Another GPL'ed Illustrator-like application that's been coming along nicely is Sketch. Sketch is also at a very usable stage, though it, too, has a ways to go before it will give Illustrator a run for its money. Like Sodipodi and Scribus, Sketch seems to be maturing at a fairly steady pace. Sketch is implemented mostly in Python, and is very stable. Sketch does write to EPS and Adobe Illustrator format, and reads XFig files, Adobe Illustrator files, Corel CMX, SVG and its own format, though it lacks support for TrueType fonts which may be a drawback for some users.

If you're interested in older graphics apps for Linux, there's Xfig. Xfig has quite a few features, though it doesn't seem to be under active development and it isn't the most user-friendly application.

OpenOffice.org's Draw is a suitable replacement for applications like Microsoft Publisher. It doesn't do all the fancy text-wrangling and so-forth that you'll find in Sodipodi or Scribus, but it's a nice and simple application for folks who want to create a office flyer, flowcharts and similar projects. Dia is another good application for producing diagrams for print or electronic publishing.

If your tastes are a little more simple, there are a few apps that are aimed at less complex projects. KPaint is a straightforward application that can be used to create very simple graphics, much like the Microsoft Windows Paint program. For those looking for programs for small kids, Tux Paint is a kid-oriented drawing program with a simple interface, sound effects and a restricted file interface that prevents users from accessing the host filesystem. As much as professional-quality graphics apps are necessary for Linux to succeed on the desktop, the low-end graphics apps need to be there as well. After all, who would want to deny their five-year-old the ability to mouse around and create pictures to e-mail to grandma?

The good news is that Linux graphics applications are starting to mature to the point that they're suitable for a fair range of uses. They're certainly good enough for home use, creating Web graphics and low-end DTP. The bad news is that open source graphics apps still need some work before they'll be ready to replace programs like QuarkXPress or Adobe Illustrator. Given enough attention, though, open source graphics applications could start finding their way into professional publishing houses within a few years.

Comments (20 posted)

SCO insider trading watch

Things have been relatively quiet on the SCO front recently; one gets the sense that, perhaps, the company's lawyers were finally able to convince management that a bit of discretion might be helpful. Silence does not mean that nothing is going on, however. Among other things, SCO's executives continue to slowly cash in their stock to take advantage of its current, inflated price. Here's the latest insider trading roundup:

WhoRoleSharesIncomeFilings
Opinder Bawa VP Global Services 22,916 $142,200 1
Robert Bench CFO 25,100 $174,100 1, 2, 3
Reginald Charles Broughton VP International Sales 15,000 $161,600 1, 2, 3
Jeff Hunsaker VP Worldwide Marketing 10,000 $103,500 1, 2
Michael Olson VP Finance 14,000 $135,900 1, 2
Michael Sean Wilson VP Corporate Development 6000 $64,800 1

That's a total of 93,000 shares sold since the suit was filed, for a net of $782,000. This sum is a small down payment on the bonanza that SCO hopes to eventually enjoy as a result of its actions. The big payoff may remain in the future, but one could understand if even the most confident SCO executive feels the need to collect a little now, on the off chance that things fail to go as planned.

It's worth noting that Opinder Bawa has quietly left the company, shortly after selling all shares in his possession.

Finally, it has emerged that - as many had speculated - the "mystery licensee" is none other than Sun Microsystems. The Unix license purchased by Sun came with a nice bonus: an option to buy 210,000 shares of SCO stock for $1.83 per share. Neither company has yet made any statements about why things were done this way. Most software license agreements do not include stock options, after all. A high level of paranoia is not yet called for, but it is natural to wonder just what Sun is up to here.

Comments (5 posted)

Conference season

The Ottawa Linux Symposium will be held July 23 to 26 in the Ottawa Conference Center. As always, OLS looks to be a strong, technical conference with a special emphasis on kernel development. Once again, LWN editor Jonathan Corbet will be there; be sure to get up early (10:00 AM) on Wednesday to catch his talk on driver porting.

OLS will be preceeded by a two-day kernel developers' summit, same as last year. The draft agenda includes a number of VM topics, "killing off devfs," power management, SCSI, asynchronous I/O, and numerous other topics. Once again, stay tuned to LWN for information from the meeting.

The LinuxWorld Conference and Expo takes place August 4 to 7 in San Francisco. LWN hasn't made it to LinuxWorld for a little bit, so we are pleased to note that Rebecca Sobol will be there this time around. It will be nice to be back.

Comments (none posted)

Page editor: Jonathan Corbet

Security

Security news

Decreased security through monitoring

Worth a read: this Cringely column on electronic eavesdropping. The "Communications Assistance to Law Enforcement Act" (CALEA), passed in the mid 1990's, requires telecommunications providers to make life easy for law enforcement agencies wanting to listen to phone conversations. Apparently, the implementation of CALEA is not all that one might wish for:

The typical CALEA installation on a Siemens ESWD or a Lucent 5E or a Nortel DMS 500 runs on a Sun workstation sitting in the machine room down at the phone company. The workstation is password protected, but it typically doesn't run Secure Solaris. It often does not lie behind a firewall. Heck, it usually doesn't even lie behind a door. It has a direct connection to the Internet because, believe it or not, that is how the wiretap data is collected and transmitted.

CALEA systems have, according to Cringely, been hacked into by numerous bad guys, both domestic and foreign.

CALEA can be seen as a classic example of a bad governmental project gone worse, and as a dark omen of what the "total information awareness" system could bring. But there is a wider lesson here as well. Many organizations put monitoring capabilities into their networks as part of their security and policy enforcement operations. This monitoring can be performed by web proxies, mailers, intrusion detection systems, outsourced security services, and so on. Knowing what is happening on a network can be most helpful in keeping that network secure, but it is always worth remembering that these monitoring capabilities can be turned against you. Before putting in a facility that watches what you and your users are doing, it's worth putting some thought into how that facility will be secured and what could happen if it is compromised. Sometimes it might be better to watch a bit less.

Comments (1 posted)

New vulnerabilities

apache: multiple vulnerabilities in Apache HTTP server

Package(s):apache CVE #(s):CAN-2003-0192 CAN-2003-0253 CAN-2003-0254
Created:July 11, 2003 Updated:September 22, 2003
Description: The Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
  • Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [CAN-2003-0192]

  • Certain errors returned by accept() on rarely accessed ports could cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]

  • Denial of service was caused when target host is IPv6 but ftp proxy server can't create IPv6 socket. [CAN-2003-0254]

  • The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests. [VU#379828]
Alerts:
Trustix 2003-0025 2003-07-11
Conectiva CLA-2003:698 2003-07-21
Mandrake MDKSA-2003:075 2003-07-21
Mandrake MDKSA-2003:075-1 2003-08-28
Red Hat RHSA-2003:240-01 2003-09-04
Red Hat RHSA-2003:243-01 2003-09-22

Comments (none posted)

Mozilla: heap-based buffer overflow in Mozilla-based browsers

Package(s):Mozilla CVE #(s):CAN-2002-1308
Created:July 15, 2003 Updated:July 21, 2003
Description: A heap-based buffer overflow in Netscape and Mozilla allows remote attackers to execute arbitrary code via a jar: URL referencing a malformed .jar file, which overflows a buffer during decompression.

This has been fixed in Mozilla 1.0.2.

Alerts:
Red Hat RHSA-2003:162-01 2003-07-15
Red Hat RHSA-2003:162-02 2003-07-21

Comments (none posted)

mpg123 - buffer overflow

Package(s):mpg123 CVE #(s):CAN-2003-0577
Created:July 16, 2003 Updated:September 30, 2003
Description: The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Conectiva CLA-2003:695 2003-07-15
Mandrake MDKSA-2003:078 2003-07-23
Gentoo 200309-17 2003-09-30

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):phpgroupware CVE #(s):CAN-2003-0504 CAN-2003-0582
Created:July 16, 2003 Updated:October 1, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corportation report for more information.

CAN-2003-0504
CAN-2003-0582

Alerts:
Conectiva CLA-2003:697 2003-07-16
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:703 2003-07-23
Debian DSA-365-1 2003-08-05

Comments (none posted)

traceroute-nanog: integer overflow

Package(s):traceroute-nanog CVE #(s):CAN-2003-0453
Created:July 16, 2003 Updated:July 16, 2003
Description: There is an integer overflow vulnerability in traceroute-nanog (an enhanced version of traceroute) which may be exploited to execute arbitrary code.
Alerts:
Debian DSA-348-1 2003-07-11

Comments (none posted)

ucd-snmp - heap overflow

Package(s):ucd-snmp CVE #(s):
Created:July 16, 2003 Updated:July 16, 2003
Description: The snmpnetstat tool (part of the ucd-snmp package) contains a heap overflow vulnerability which, when confronted with a hostile server, can be exploited to run arbitrary code.
Alerts:
Conectiva CLA-2003:696 2003-07-15

Comments (none posted)

Updated vulnerabilities

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
SuSE SuSE-SA:2002:041 2002-11-05
Gentoo 200211-001 2002-11-06
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200302-01 2003-02-02
Debian DSA-386-1 2003-09-18

Comments (none posted)

PHP: Cross site scripting vulnerability

Package(s):PHP CVE #(s):CAN-2003-0442
Created:July 2, 2003 Updated:August 13, 2003
Description: In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack.
Alerts:
Red Hat RHSA-2003:204-01 2003-07-02
OpenPKG OpenPKG-SA-2003.032 2003-07-07
Conectiva CLA-2003:691 2003-07-08
Debian DSA-351-1 2003-07-16
Yellow Dog YDU-20030710-2 2003-07-10
Mandrake MDKSA-2003:082 2003-08-04
Mandrake MDKSA-2003:082-1 2003-08-12

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

Comments (none posted)

Xpdf - command execution vulnerability

Package(s):Xpdf CVE #(s):CAN-2003-0434
Created:June 18, 2003 Updated:July 24, 2003
Description: Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters.
Alerts:
Red Hat RHSA-2003:196-01 2003-06-18
Yellow Dog YDU-20030620-1 2003-06-20
Gentoo 200306-11 2003-06-25
Mandrake MDKSA-2003:071 2003-06-27
Conectiva CLA-2003:674 2003-07-04
Red Hat RHSA-2003:196-02 2003-07-17
Yellow Dog YDU-20030723-1 2003-07-23
Mandrake MDKSA-2003:071-1 2003-07-23

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
OpenPKG OpenPKG-SA-2002.006 2002-07-04
SuSE SuSE-SA:2002:026 2002-07-09
Conectiva CLA-2002:507 2002-07-11
Gentoo glibc-20020713 2002-07-13
Trustix 2002-0061 2002-07-15
Mandrake MDKSA-2002:043 2002-07-16
EnGarde ESA-20020724-018 2002-07-24
Red Hat RHSA-2002:139-10 2002-07-22
Eridani ERISA-2002:028 2002-07-25
Yellow Dog YDU-20020801-2 2002-08-01
SCO Group CSSA-2002-034.0 2002-08-05
Red Hat RHSA-2002:133-13 2002-08-08
Eridani ERISA-2002:035 2002-08-09
Yellow Dog YDU-20020810-3 2002-08-10
Mandrake MDKSA-2002:050 2002-08-13

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
Red Hat RHSA-2002:246-18 2002-12-04
Gentoo 200212-8 2002-12-20
Debian DSA-224-1 2002-01-08
SCO Group CSSA-2003-005.0 2003-01-21

Comments (none posted)

CUPS: vulnerability in the CUPS IPP implementation

Package(s):cups CVE #(s):CAN-2003-0195
Created:May 27, 2003 Updated:July 22, 2003
Description: Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Red Hat RHSA-2003:171-01 2003-05-27
Slackware ssa:2003-149-01 2003-05-29
Mandrake MDKSA-2003:062 2003-05-29
Yellow Dog YDU-20030602-3 2003-06-02
SuSE SuSE-SA:2003:028 2003-06-06
Debian DSA-317-1 2003-06-11
Gentoo 200306-09 2003-06-14
Conectiva CLA-2003:702 2003-07-22

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
Mandrake MDKSA-2003:070 2003-06-23
Conectiva CLA-2003:662 2003-06-25
Gentoo 200306-13 2003-06-25
Red Hat RHSA-2003:203-01 2003-07-03
Yellow Dog YDU-20030718-2 2003-07-18
SCO Group CSSA-2003-030.0 2003-11-07

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Conectiva CLA-2002:554 2002-12-16
Red Hat RHSA-2002:293-09 2002-12-17
Debian DSA-216-1 2002-12-24
SuSE SuSE-SA:2003:001 2003-01-02
SCO Group CSSA-2003-001.0 2003-01-09
EnGarde ESA-20030127-002 2003-01-27
Mandrake MDKSA-2003:011 2003-01-27
Immunix IMNX-2003-7+-023-01 2003-10-17

Comments (3 posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID.
Alerts:
EnGarde ESA-20030515-016 2003-05-15
OpenPKG OpenPKG-SA-2003.029 2003-05-16
Gentoo 200305-04 2003-05-16
Red Hat RHSA-2003:175-01 2003-05-20
Slackware ssa:2003-141-04 2003-05-22
Mandrake MDKSA-2003:061 2003-05-22
Yellow Dog YDU-20030602-4 2003-06-02
Conectiva CLA-2003:694 2003-07-11
SCO Group CSSA-2003-034.0 2003-11-17

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

gtksee: buffer overflow

Package(s):gtksee CVE #(s):CAN-2003-0444
Created:June 29, 2003 Updated:July 11, 2003
Description: Viliam Holub discovered a bug in gtksee whereby, when loading PNG images of certain color depths, gtksee would overflow a heap-allocated buffer. This vulnerability could be exploited by an attacker using a carefully constructed PNG image to execute arbitrary code when the victim loads the file in gtksee.
Alerts:
Debian DSA-337-1 2003-06-29
Gentoo 200307-05 2003-07-11

Comments (none posted)

imagemagick: insecure temporary file

Package(s):imagemagick CVE #(s):CAN-2003-0455
Created:June 29, 2003 Updated:July 10, 2003
Description: There are circumstances in which imagemagick's libmagick library creates temporary files without taking appropriate security precautions. This vulnerability could be exploited by a local user to create or overwrite files with the privileges of another user who is invoking a program using this library.
Alerts:
Debian DSA-331-1 2003-06-27
OpenPKG OpenPKG-SA-2003.034 2003-07-10

Comments (none posted)

kernel 2.4 - two new vulnerabilities

Package(s):kernel CVE #(s):CAN-2003-0244 CAN-2003-0246
Created:May 14, 2003 Updated:July 25, 2003
Description: The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
  • The ioperm() system call doesn't perform proper checking, allowing a local user to manipulate arbitrary I/O ports.

  • The networking code contains a remotely exploitable denial of service condition; see the May 24 Security Page for details.

Alerts:
Red Hat RHSA-2003:172-00 2003-05-14
EnGarde ESA-20030515-017 2003-05-15
Red Hat RHSA-2003:145-01 2003-05-27
Red Hat RHSA-2003:187-01 2003-06-03
Debian DSA-311-1 2003-06-08
Debian DSA-312-1 2003-06-09
Mandrake MDKSA-2003:066 2003-06-11
Slackware SSA:2003-168-01 2003-06-17
Mandrake MDKSA-2003:074 2003-07-15
Mandrake MDKSA-2003:066-1 2003-07-21
Conectiva CLA-2003:701 2003-07-22
Mandrake MDKSA-2003:066-2 2003-07-25

Comments (2 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
SCO Group CSSA-2002-049.0 2002-11-18
Debian DSA-210-1 2002-12-13
Trustix 2002-0085 2002-12-19
Red Hat RHSA-2003:029-06 2003-02-12
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Mandrake MDKSA-2003:023 2003-02-24
Conectiva CLA-2003:720 2003-08-11

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Red Hat RHSA-2002:228-11 2002-12-17
Conectiva CLA-2003:778 2003-11-07

Comments (none posted)

nethack: buffer overflow

Package(s):nethack, slashem, falconseye CVE #(s):CAN-2003-0358 CAN-2003-0359
Created:February 18, 2003 Updated:July 15, 2003
Description: Overflowing a buffer in nethack may lead to privilege escalation to games uid.

Read the the full advisory for the details.

Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages.

Alerts:
Gentoo 200302-08 2003-02-18
Debian DSA-316-1 2003-06-11
Debian DSA-316-2 2003-06-11
Debian DSA-316-3 2003-06-17
Debian DSA-350-1 2003-07-15

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

pam_xauth: root exploit

Package(s):pam_xauth CVE #(s):CAN-2002-1160
Created:February 13, 2003 Updated:July 10, 2003
Description: The pam_xauth module is used to forward xauth information from user to user in applications such as 'su'.

Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker.

Alerts:
Red Hat RHSA-2003:035-10 2003-02-12
Mandrake MDKSA-2003:017-1 2003-04-28
Conectiva CLA-2003:693 2003-07-10

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
Red Hat RHSA-2002:213-06 2002-11-11
Conectiva CLA-2002:545 2002-11-13
EnGarde ESA-20021122-031 2002-11-22
Gentoo 200211-005 2002-11-20
SCO Group CSSA-2003-008.0 2003-03-04

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Mandrake MDKSA-2002:062-1 2003-02-11
Trustix 2003-0004 2003-02-20
Immunix IMNX-2003-7+-005-01 2003-04-08
Debian DSA-397-1 2003-11-07

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Debian DSA-159-1 2002-08-28
Debian DSA-159-2 2002-09-09
Conectiva CLA-2002:527 2002-10-01
Gentoo python-20021003 2002-10-03
Trustix 2002-0073 2002-10-17
SCO Group CSSA-2002-045.0 2002-11-14
Mandrake MDKSA-2002:082 2002-11-25
Mandrake MDKSA-2002:082-1 2002-12-09
Red Hat RHSA-2002:202-25 2003-01-21
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-33 2003-02-12

Comments (none posted)

radiusd-cistron: possible remote system compromise

Package(s):radiusd-cistron CVE #(s):CAN-2003-0450
Created:June 13, 2003 Updated:July 11, 2003
Description: The package radiusd-cistron is an implementation of the RADIUS protocol. Unfortunately the RADIUS server handles large NAS numbers incorrectly. This leads to overwriting internal memory of the server process and may be abused to gain remote access to the system the RADIUS server is running on.
Alerts:
SuSE SuSE-SA:2003:030 2003-06-13
Debian DSA-321-1 2003-06-13
Conectiva CLA-2003:664 2003-06-27
Gentoo 200307-03 2003-07-11

Comments (none posted)

semi: insecure temporary file

Package(s):semi, wemi CVE #(s):CAN-2003-0440
Created:July 7, 2003 Updated:October 1, 2003
Description: semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker.

wemi is a fork of semi, and contains the same bug.

CAN-2003-0440

Alerts:
Debian DSA-339-1 2003-07-06
Red Hat RHSA-2003:234-01 2003-07-23
Yellow Dog YDU-20030723-2 2003-07-23
Gentoo 200308-02 2003-08-14

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04

Comments (1 posted)

tcptraceroute: problems dropping root privileges

Package(s):tcptraceroute CVE #(s):CAN-2003-0489
Created:June 28, 2003 Updated:July 10, 2003
Description: tcptraceroute 1.4 and earlier does not fully drop privileges after obtaining a file descriptor for capturing packets. This may allow local users to gain access to the descriptor via a separate vulnerability in tcptraceroute.
Alerts:
Debian DSA-330-1 2003-06-23
Gentoo 200306-14 2003-06-28

Comments (none posted)

teapop: SQL injection

Package(s):teapop CVE #(s):CAN-2003-0515
Created:July 9, 2003 Updated:October 1, 2003
Description: teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated.

CAN-2003-0515

Alerts:
Debian DSA-347-1 2003-07-08
Gentoo 200309-18 2003-09-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
SCO Group CSSA-2001-030.0 2001-08-10
Conectiva CLA-2001:413 2001-08-24
Debian DSA-075-1 2001-08-14
Debian DSA-075-2 2001-08-14
HP HPSBTL0202-023 2002-02-12
Mandrake MDKSA-2001:068 2001-08-13
Mandrake MDKSA-2001:093 2001-12-17
Progeny PROGENY-SA-2001-27 2001-08-14
Red Hat RHSA-2001:099-06 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:100-02 2001-08-09
Slackware sl-997726350 2001-08-09
SuSE SuSE-SA:2001:029 2001-09-03
Yellow Dog YDU-20010810-1 2001-08-10
Yellow Dog YDU-20010810-2 2001-08-10
Gentoo 200410-03 2004-10-05

Comments (none posted)

unzip: directory traversal vulnerability

Package(s):unzip CVE #(s):CAN-2003-0282
Created:July 1, 2003 Updated:November 13, 2003
Description: A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:
Red Hat RHSA-2003:199-01 2003-07-01
Immunix IMNX-2003-7+-017-01 2003-07-02
Conectiva CLA-2003:672 2003-07-02
Mandrake MDKSA-2003:073 2003-07-07
Debian DSA-344-1 2003-07-08
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Gentoo 200307-02 2003-07-11
Yellow Dog YDU-20030710-1 2003-07-10
Red Hat RHSA-2003:199-02 2003-08-15
Conectiva CLA-2003:724 2003-08-18
Mandrake MDKSA-2003:073-1 2003-08-19
Slackware SSA:2003-237-01 2003-08-25
Debian DSA-344-2 2003-08-26
SCO Group CSSA-2003-031.0 2003-11-07

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Red Hat RHSA-2002:297-17 2003-01-15
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Gentoo 200301-13 2003-01-22
Yellow Dog YDU-20030127-3 2003-01-27
Mandrake MDKSA-2003:012 2003-02-03
Conectiva CLA-2004:812 2004-02-10

Comments (4 posted)

vixie-cron: Local vulnerability

Package(s):vixie-cron CVE #(s):CVE-2001-0559
Created:April 17, 2003 Updated:October 3, 2003
Description: From the ISS advisory: "Vixie Cron is a scheduling daemon that ships with several Linux distributions. Vixie Cron version 3.0pl1 could allow a local attacker to gain root privileges. Crontab fails to properly drop privileges in certain cases after a crontab modification operation. A local attacker could exploit this vulnerability to gain root privileges on the system since crontab is installed setuid root."

Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page.

Alerts:
Conectiva CLA-2003:628 2003-04-17
Conectiva CLA-2003:757 2003-10-03
Conectiva CLA-2003:758 2003-10-03

Comments (none posted)

webmin: session ID spoofing

Package(s):webmin CVE #(s):CAN-2003-0101
Created:June 13, 2003 Updated:November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:
Debian DSA-319-1 2003-06-12
SCO Group CSSA-2003-035.0 2003-11-17

Comments (none posted)

wget:directory traversal bug

Package(s):wget CVE #(s):CAN-2002-1344
Created:December 10, 2002 Updated:October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).

If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine.

See also this Bugtraq article from 1997.

CAN-2002-1344

Alerts:
Red Hat RHSA-2002:229-10 2002-12-04
Mandrake MDKSA-2002:086 2002-12-11
Debian DSA-209-1 2002-12-12
Conectiva CLA-2002:552 2002-12-13