Not just IBM's problem
The
Ottawa Kernel Summit managed
to get through its agenda with almost no discussion of SCO, despite the
fact that SCO had just told those developers that they need to purchase a
binary license in order to be able to run their own code. The IBM
employees present were, without exception, entirely quiet on the whole
situation - but they also radiated a sort of calm confidence that was
impossible to miss. In general, at both the Summit and OLS, it was
difficult to find anybody who was genuinely worried about SCO and its
actions.
There are exceptions, of course, but it appears that much of the Linux
community has come to the conclusion that IBM's lawyers will make the whole
SCO problem go away. There are certainly reasons to feel that way. IBM's
legal team inspires fear in many, especially when intellectual property
issues are at stake. And IBM's interests align reasonably well with the
wider community's interests in this case. IBM wants a commodity operating
system platform which is free of external proprietary interests; with such
a platform, IBM is well positioned to sell its hardware, services, and
proprietary add-ons. So it would suit IBM to see SCO defeated in a manner
that would strongly discourage any other enterprising bandits from
attempting the same sort of heist.
Still, IBM is not the Linux community, and its interests are not
exactly the same. It is conceivable (though unlikely) that IBM could
eventually reach a settlement with SCO that ends the case, but leaves a
number of users and developers in an uncertain legal position. And IBM has no
particular incentive to defend Linux users against any future copyrights
suits filed by SCO - especially if the victims are not IBM customers.
We all have high hopes for IBM's defense in this case. But the Linux
community has a problem with SCO that is different from IBM's problem, and
expecting IBM to fix it for us could prove to be a big mistake. We need to
find ways of ending SCO's constant attacks on Linux developers and users.
SCO's attempt to hijack and put a tax on Linux cannot be allowed to
succeed.
The challenges which have quieted SCO in Germany (and, with luck, will have
the same effect in Australia) show one way forward. SCO's attacks on Linux
are slanderous, and its attacks on Linux developers head toward libel. The
company needs to be made to put up its evidence or back down from its
claims. This especially needs to happen in the U.S.
SCO also continues to distribute the 2.4 kernel - get
your copy here. LWN downloaded a copy of this kernel on July 30,
2003; the date on SCO's server is May 9. This kernel lacks some of
the disputed developments (e.g. RCU), but SCO has made it clear that it
objects to code in all of the 2.4 kernels. So what we have here is SCO
distributing code over which it claims proprietary rights as a derived
product containing a great deal of uncontested, GPL-licensed code. That
is, of course, a clear violation of the GPL. One can only hope that SCO's
attitude toward copyright and licensing will come up at the IBM trial. But
the situation would certainly be helped if one or more developers with
copyrighted code in the kernel would bring an infringement case against
SCO. That would be a counteroffensive which would attract some
attention.
SCO is not just IBM's problem; the company has made it clear that it plans
to cast its legal net far more widely than that. So it is important that
IBM not be SCO's only problem. If we sit back and wait for IBM to clean up
this mess, we may not get the thorough and complete job that we truly
need.
Kroupware Kompleted
[This article was contributed by Joe 'Zonker' Brockmeier]
The Kroupware Project, announced last
October, has been finished and released as Kolab. The project began last
September when three companies, Erfrakon, Intevation GmbH and Klarälvdalens
Datakonsult won a bid to create a free software groupware solution
for Germany's federal agency for IT security, the Bundesamt für
Sicherheit in der Informationstechnik (BSI). The goal was to create an
end-to-end groupware solution, both client-side and server-side
software, entirely from free software.
Instead of starting from scratch, which is where many free software
projects fail, Kroupware was based on existing projects. The Kolab
Server is made up of existing projects like Apache, Postfix, OpenLDAP and the Simple Authentication and Security
Layer (SASL). The KDE Kolab client is made up of several existing
KDE PIM programs, including KMail. Another project
is underway to create an all-in-one groupware client for KDE called Kontact, and work is being done on a
webmail client as well.
The suite supports e-mail (POP3 and IMAP4), calendaring, global and
private addressbooks, vacation notices, notes, synchronization with Palm
OS devices, task lists and a number of other features that companies and
organizations are looking for in a groupware suite. The server is
managed using a Web-based interface. Almost all of the protocols used,
with the notable exception of Palm's HotSync Protocol, are Internet Engineering Task Force (IETF)
standards.
The project isn't aimed solely at any Linux distribution, or Linux alone
for that matter. The Kolab server should run on just about any Unix-like
system that runs Apache, Postfix, OpenLDAP and the other components that
make up the server. On the client side, Windows users can fully access
the Kolab Server groupware functions using Outlook and the Bynari
Insight Connector Plugin. Note that the Bynari software is proprietary,
but there is work being done by a third-party to create a free software connector.
Other Windows groupware clients may work as well if an organization
prefers to run Windows, or a mix of Windows and Linux, on the desktop.
It's good to see a fully open source, end-to-end, groupware solution
being made available. Particularly one that allows Windows users and
Linux users to share the same groupware server and allow companies to
deploy Linux in some parts of their business without having to make an
all-or-nothing commitment.
It will be interesting to see whether vendors are quick to embrace Kolab
after developing their own groupware solutions. A single, standard, open
source groupware solution could do a lot to boost Linux though it might
hinder sales of products like Openexchange Server or Ximian Connector.
This is yet another piece of the puzzle that could allow Linux to gain
significant share of the desktop market. At the moment, installation and
configuration of the suite is still a bit rough for companies who are
used to buying pre-packaged solutions. However, it should not be
difficult for Linux distributors or other vendors to smooth over the
installation process a bit and create a value-added product based on
Kolab. And, of course, work continues on Kolab even though the Kroupware
Project has been declared "complete." It seems as if legal challenges
and perception are now the greatest obstacles to adoption of Linux on
the desktop.
Trip report: the Ottawa Linux Symposium
The 2003 Ottawa Linux Symposium has run its course. Once again, OLS has
established itself as the premier North American Linux developers'
conference. A solid roster of speakers delivered four days' worth of
intensely technical talks on where Linux development (and kernel
development in particular) is headed. It is always nice to attend an event
where the talk is technical and nobody is trying to sell you anything.
Your editor was not able to attend all of the presentations, of course, and
did not write up every one he attended. Below, however, you'll find quick
summaries of several of the more interesting talks given at OLS this year.
Those looking for all the details can find them in the OLS 2003
Proceedings.
In response to popular demand (i.e. somebody actually asked), I
have also put up the slides for my talk on
porting drivers to the new kernel. Giving this sort of talk at OLS is a
unique challenge, given that, for any topic, there's certain to be at least
one person in the audience who knows way more than the speaker. Happily,
the hecklers were kind...
Thanks are due to the OLS organizers for putting together another
high-quality event, for the event's sponsors for helping making it
possible, and to all the speakers for presenting their work.
Ugly ducklings - resurrecting unmaintained code
Dave Jones's talk covered the work he has done in 2.5 to fix up the MTRR and
AGPGART drivers. Dave has observed a common sort of lifecycle for
drivers. A driver is initially written for a specific vendor's widget.
Over time, it is extended to support compatible widgets from other vendors,
then slightly different widgets from yet other vendors. The number of
special cases increases. Meanwhile, the maintainer gets bored and moves
on. Eventually you end up with thousands of lines of spaghetti which is
unmaintainable.
Dave's approach to such drivers includes splitting code into separate files
by vendor (usually) and separating code which should never have been run
together in the first place. "Useless abstractions" can be cleaned out.
Eventually you end up with a code body which is sufficiently clean and
understandable that it can be updated for modern hardware, new features,
etc. But one should not underestimate the amount of work it can take to
get there.
Large projects and bugzilla
Luis Villa discussed his experience working as GNOME's quality
assurance person. He has, he estimates, read some 30,000 bug reports over
the last few years. The experience appears to not have warped him
too badly, though such things can take years to show.
He is, as one might expect, a strong proponent of organized bug tracking.
A good QA system, he says, makes writing software easier (through
reductions in mailing list traffic, among other things), eases the release
process, makes the software better, and, importantly, makes writing software
more fun.
The key point of the talk, perhaps, was that QA people have less power in
free software projects than they do in the proprietary world. That makes
it even more imperative that they not forget that they are providing a
service to the developers, and that they have to understand what the
developers need from them. Filtering ("triage") is especially important;
developers should not have to deal directly with the full flow of bug
reports. If the bug trackers are providing the sort of bug filtering and
categorization that the hackers need, all will be well. Otherwise the bug
tracking system will degenerate into an unused pile of old information.
Interactive kernel performance
Robert Love's talk covered work done in the 2.5 kernel to improve
interactive performance. What's interactive? Robert takes a wide view;
interactive applications are "everything except Oracle." The topics
covered will be familiar to LWN Kernel Page readers; they include the
anticipatory disk scheduler, the O(1) process scheduler, the preemptible
kernel and other low-latency work, etc. In his opinion, the single most
important bit of work to go in this time around (with regard to interactive
performance) is the anticipatory scheduler.
udev - devfs done right
Greg Kroah-Hartman described udev, his user-space devfs replacement
(covered here
last April) in a
standing room only session. Progress on udev has been slow since April
(Greg has been busy with other stuff), but some things have happened.
There is now a set of configuration files to allow the user to specify how
device naming and permissions should be handled; it uses various attributes
of a device (its serial number, label, position in the bus topology,
etc.) to figure out what the system administrator would like it to be
called. Future versions will use the "tdb" database to track devices and
handle persistent naming.
Future work includes changing udev to run as a daemon process; this change
is required to properly handle out-of-order hotplug events. For those
wanting to experiment with it, the udev code
can be found on kernel.org in /pub/linux/utils/kernel/hotplug/.
Why doesn't my laptop suspend?
Pat Mochel's talk was on power management, or "why doesn't my laptop
suspend?" He asked for a show of hands: how many in the audience have
laptops? Well, this is OLS, so most of the attendees raised their hands.
How many of those suspend correctly? Most hands went down.
Older, APM-based machines would handle suspend operations entirely in the
firmware; it "just worked" for most people. Newer ACPI systems, however,
push the suspend task into software; that is arguably an improvement, but
Linux has not yet caught up with it. ACPI support is pretty much in place, but that is the easy
part. The harder part is working power management support into all the
drivers, coming up with a reliable way of suspending the system, and
implementing a reasonable user-level interface to it all.
Much of this work has been done for 2.5; it still languishes in Pat's tree,
however, and has not been merged into the mainline. The changes include a
new set of driver power management methods; there is also a cleaned up software
suspend subsystem with a safer snapshot mechanism and the ability to write
the system image to any persistent media.
Pat has said that he will finish this work, though it was clear that he
would appreciate some help from other developers as well. His hope is to
get the work merged by August 20. Should he be successful,
appreciative users should send him a birthday present ("small, unmarked
bills") on that day.
Toward an O(1) VM
Rik van Riel discussed recent work with virtual memory management; the talk
covered page replacement strategies, the reverse mapping VM, etc. The key
point of his talk, however, was this: by many metrics relevant to VM, our
newer, "faster" machines are actually slower. Over the years, the time
required to perform tasks like reading an entire disk, or writing a system's
entire RAM to disk, has gone up by a couple of orders of magnitude or more.
Much of the previous century's research into VM is losing its relevance as
memory and disk sizes increase faster than the transfer speeds between
them. VM hackers increasingly find themselves having to make things up as
they go.
Integrating DMA into the device model
James Bottomley discussed the new generic DMA layer; these functions have
been documented in
this article, which is
part of the LWN driver porting series. What was new in this talk is
James's discussion of where the DMA API needs to go in the future. The
current version has no way of returning a failure code from the DMA mapping
routines. But failure can happen: a system can run out of I/O memory
management unit space, a problem which will be exacerbated in the future as
GART hardware is used as a poor man's IOMMU. At some point, that sort of
failure must be communicated back to the caller.
Device drivers can provide a DMA mask describing the range of addresses
that their devices can handle. But there is no way for the system to pass
back a mask saying which addresses the device needs to handle.
Better performance can often be maintained when devices are operated in
their smaller-memory modes; the system should provide the information that
allows those modes to be used when they are applicable. Finally, the
current approach to cache coherency needs some work; drivers should be able
to find out just how coherency works on the host system. The means by
which the CPU and peripherals share DMA buffers needs to be reorganized
into a straightforward ownership model; in the current system, it is not
always clear who has the right to change a buffer, and that can lead to
data corruption.
The party
Your reporter was going to write up the legendary OLS closing party at the
Black Thorn, but the whole event has become somewhat fuzzy and difficult to
recall. Suffice to say that a lot of fun was had.
Page editor: Jonathan Corbet
Security
Security news
On quietly fixing security holes
A recent Bugtraq posting came with the
following statement:
I have discovered a signed/unsigned issue in a routine responsible
for demarshalling XDR data for NFSv3 procedure calls. As far as I
can tell, this bug has existed since NFSv3 support was
integrated. It has been silently fixed in 2.4.21.
This bug allows a remote attacker who can send packets to an NFSv3 server
to overwrite memory and bring the system down. It would appear to be a
hard vulnerability to exploit for anything beyond a denial of service,
however.
The problem was not fixed entirely silently in 2.4.21; the relevant
changelog entry reads "Avoid oops when NFSD decodes enormous filehandle."
Still, the fix has not been all that widely advertised either; there have
been no alerts reading "systems running 2.4.20 and prior kernels may be
subject to a denial of service vulnerability." In that sense, this was a
classic "quiet fix."
There are advantages to quiet fixes when nobody is known to be exploiting
the problem. With luck, the fix will be widely deployed before anybody
notices the problem. If all goes well, many vulnerable installations can
be protected before anybody begins to exploit the problem, and without the
need for a panic update.
These advantages need to be weighed against a couple of problems with quiet
fixes, however. One is that crackers do watch changelogs and patch
releases, hoping to find just this sort of fix. And the other is that many
sites may continue to run vulnerable code because nobody has told them that
there is a problem.
If you run any NFS servers with kernels older than 2.4.21, this is your
notice that you may want to look into an upgrade. So far, nobody has been
hurt by the quiet nature of this particular fix. Even so, it would have
been better to treat it as the true security hole that it is.
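To make the bug class concrete: the following is an added example written for this page, not the kernel's nfsd XDR decoder. FH_MAX, the function names and the sample messages are invented for the illustration. It puts the vulnerable comparison (an attacker-supplied XDR length held in a signed int) beside a decoder that keeps the length unsigned and also checks it against the bytes actually received:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical maximum filehandle size for this example; the real
 * NFSv3 limit lives in the kernel's NFS headers, not here. */
#define FH_MAX 64

struct fh {
    size_t  len;
    uint8_t data[FH_MAX];
};

/* Decode one big-endian XDR 32-bit word. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable length check: the wire value is stored in a signed int.
 * On a two's-complement machine 0xfffffff0 becomes -16, "-16 <= FH_MAX"
 * holds, and the copy that follows would be handed a size_t of about
 * 4 GB.  Returns 1 if the check would accept the length; this variant
 * deliberately never copies anything. */
int fh_len_ok_signed(uint32_t wire_len)
{
    int len = (int)wire_len;        /* sign is lost here */
    return len <= FH_MAX;
}

/* Hardened length check: compare unsigned against the same bound. */
int fh_len_ok_unsigned(uint32_t wire_len)
{
    return wire_len <= FH_MAX;
}

/* Hardened decoder for an XDR opaque<FH_MAX> filehandle.  Returns the
 * number of message bytes consumed, or 0 on any error.  Both the
 * declared length and the message length are attacker-controlled, so
 * the length is checked against the buffer *and* against the bytes
 * actually received, including XDR's padding to a 4-byte boundary. */
size_t decode_fh(const uint8_t *msg, size_t msglen, struct fh *out)
{
    if (msglen < 4)
        return 0;
    uint32_t len = xdr_u32(msg);
    if (!fh_len_ok_unsigned(len))
        return 0;
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (msglen - 4 < padded)            /* truncated or lying message */
        return 0;
    out->len = len;
    memcpy(out->data, msg + 4, len);
    return 4 + padded;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    static const uint8_t good[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
    static const uint8_t evil[] = { 0xff, 0xff, 0xff, 0xf0, 'h', 'e', 'l', 'l' };
    struct fh fh;

    printf("good: consumed %zu bytes\n", decode_fh(good, sizeof good, &fh));
    printf("evil: signed check accepts=%d, unsigned check accepts=%d, decoder consumed %zu\n",
           fh_len_ok_signed(0xfffffff0u), fh_len_ok_unsigned(0xfffffff0u),
           decode_fh(evil, sizeof evil, &fh));
    return 0;
}
```

Keeping the XDR count unsigned removes the sign problem, but a decoder must also refuse counts that run past the received message; otherwise a large but "legal" count turns into an over-read of whatever follows the packet in memory.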
New vulnerabilities
Apache: denial of service vulnerabilities
Package(s): apache
CVE #(s): CAN-2003-0460
Created: July 24, 2003
Updated: July 30, 2003
Description:
The Apache Software Foundation and The Apache Server Project released a new
version of the Apache webserver which addresses the following security
vulnerabilities:

Denial of service (VU#379828): Ryan O'Neill reported that it is possible to
make the httpd server enter infinite loops and crash under certain
circumstances. A new configuration directive (LimitInternalRecursion) has
been created to avoid these infinite loops and abort the request which
caused them once the configured limit has been reached.

File descriptor leak: leaks of several file descriptors to child processes,
such as CGI scripts, were fixed.
konqueror: information disclosure vulnerability
Package(s): kde konqueror
CVE #(s): CAN-2003-0459
Created: July 30, 2003
Updated: August 11, 2003
Description:
All versions of Konqueror through KDE 3.1.2 contain a vulnerability wherein
the browser could (in rare situations) send authentication information on
an unrelated web site. See this advisory
for details.
mnogosearch: Remote buffer overflow vulnerabilities
Package(s): mnogosearch
CVE #(s): CAN-2003-0436, CVE-2002-0789
Created: July 28, 2003
Updated: July 30, 2003
Description:
Buffer overflow in the "ul" variable (CAN-2003-0436): pokleyzz
<pokleyzz -at- scan-associates.net> reported a buffer overflow vulnerability
in mnoGoSearch which can be exploited remotely to execute arbitrary commands
with the privileges of the webserver.

Buffer overflow in the query variable ("q") (CVE-2002-0789): qitest1
<qitest1 -at- bespin.org> reported a buffer overflow vulnerability in the
query variable ("q") which can be exploited remotely to execute arbitrary
commands with the privileges of the webserver.
perl: cross site scripting vulnerability in CGI.pm module
Package(s): perl
CVE #(s): CAN-2003-0615
Created: July 29, 2003
Updated: October 1, 2003
Description:
obscure@eyeonsecurity.org reported a
cross site scripting vulnerability in the CGI.pm perl module. This module
is used to facilitate the creation of web forms and is part of the
perl-modules RPM package.
stunnel: signal handler reentrancy DoS
Package(s): stunnel
CVE #(s): CAN-2002-1563
Created: July 25, 2003
Updated: November 25, 2003
Description:
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being
invoked by xinetd), stunnel can be configured to either start a thread or a
child process to handle each new connection. If Stunnel is configured to
start a new child process to handle each connection, it will receive a
SIGCHLD signal when that child exits.
Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal
handler which, if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service.
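The safe structure for a forking server's SIGCHLD handling looks like this. The code is an added illustration written for this page, not stunnel's; the function names are invented, and the three immediately-exiting children in main() stand in for stunnel's per-connection child processes. The point is that the handler itself does nothing but set a flag, so there is nothing in it for a second SIGCHLD to re-enter:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The anti-pattern behind the advisory, kept here as a comment only:
 * doing real work inside the SIGCHLD handler, for instance
 *
 *     static void sigchld_unsafe(int sig) {
 *         waitpid(-1, &status, 0);   // blocks if two SIGCHLDs were merged ...
 *         log_message(...);          // ... and stdio/malloc are not async-signal-safe
 *     }
 *
 * If a second SIGCHLD arrives while the handler is already running, the
 * handler re-enters the non-reentrant code it was using. */

/* Safe handler: touch nothing but a sig_atomic_t flag, and preserve errno
 * so the interrupted code does not see a changed value. */
static volatile sig_atomic_t child_exited;

static void sigchld_handler(int sig)
{
    int saved_errno = errno;
    (void)sig;
    child_exited = 1;
    errno = saved_errno;
}

/* Install the handler; SA_NOCLDSTOP avoids waking up for stopped children. */
int install_sigchld_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigchld_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Called from the main loop, never from the handler.  Clears the flag
 * first so that a signal arriving while we reap sets it again, then
 * drains every exited child without blocking.  Because it loops until
 * waitpid() finds nothing, it does not matter if the kernel merged two
 * SIGCHLDs into one.  Returns the number of children reaped. */
int reap_exited_children(void)
{
    int status, reaped = 0;
    child_exited = 0;
    while (waitpid(-1, &status, WNOHANG) > 0)
        reaped++;
    return reaped;
}

int main(void)
{
    if (install_sigchld_handler() != 0)
        return 1;
    for (int i = 0; i < 3; i++) {      /* stand-ins for per-connection children */
        pid_t pid = fork();
        if (pid < 0)
            return 1;
        if (pid == 0)
            _exit(0);                  /* child: exit immediately */
    }
    int total = 0;
    while (total < 3) {                /* server loop: poll the flag, reap in process context */
        if (child_exited)
            total += reap_exited_children();
        else
            usleep(1000);
    }
    printf("reaped %d children\n", total);
    return 0;
}
```

A real server would check the flag from its accept()/select() loop rather than sleeping, but the division of labour is the same: the handler records that something happened, and the reaping, logging and bookkeeping run in normal process context.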
sup: insecure temporary file
Package(s): sup
CVE #(s): CAN-2003-0606
Created: July 29, 2003
Updated: October 1, 2003
Description:
sup, a package used to maintain collections of files in identical
versions across machines, fails to take appropriate security
precautions when creating temporary files. A local attacker could
exploit this vulnerability to overwrite arbitrary files with the
privileges of the user running sup.
Updated vulnerabilities
2.4 kernel - several vulnerabilities
Package(s): 2.4 kernel
CVE #(s): CAN-2003-0461, CAN-2003-0462, CAN-2003-0464, CAN-2003-0476, CAN-2003-0501, CAN-2003-0550, CAN-2003-0551, CAN-2003-0552
Created: July 21, 2003
Updated: December 23, 2003
Description:
Several security issues have been discovered affecting the Linux kernel:

- CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts
  for serial links. This could be used by a local attacker to infer password
  lengths and inter-keystroke timings during password entry.
- CAN-2003-0462: Paul Starzetz discovered a file read race condition in the
  execve() system call, which could cause a local crash.
- CAN-2003-0464: A recent change in the RPC code set the reuse flag on
  newly-created sockets. Olaf Kirch noticed that this could allow normal
  users to bind to UDP ports used for services such as nfsd.
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file
  descriptor of the executable process in the file table of the calling
  process, allowing local users to gain read access to restricted file
  descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain
  sensitive information by opening various entries in /proc/self before
  executing a setuid program. This causes the program to fail to change the
  ownership and permissions of already opened entries.
- CAN-2003-0550: The STP protocol is known to have no security, which could
  allow attackers to alter the bridge topology. STP is now turned off by
  default.
- CAN-2003-0551: STP input processing was lax in its length checking, which
  could lead to a denial of service.
- CAN-2003-0552: Jerry Kreuscher discovered that the forwarding table could
  be spoofed by sending forged packets with bogus source addresses the same
  as the local host.
perl-MailTools: remote command execution
Package(s): MailTools
CVE #(s): CAN-2002-1271
Created: November 5, 2002
Updated: September 19, 2003
Description:
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
PHP: Cross site scripting vulnerability
Package(s): PHP
CVE #(s): CAN-2003-0442
Created: July 2, 2003
Updated: August 13, 2003
Description:
In PHP version 4.3.1 and earlier, when transparent session ID support is
enabled using the "session.use_trans_sid" option, the session ID is not
escaped before use. This allows a Cross Site Scripting attack.
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
use Perl; has a description of a vulnerability in the Safe.pm Perl module.
It seems that if a Safe compartment is used more than once, it ceases to be
safe. The problem is fixed in Safe 2.08.
Xpdf - command execution vulnerability
Package(s): Xpdf
CVE #(s): CAN-2003-0434
Created: June 18, 2003
Updated: July 24, 2003
Description:
Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters.
apache: multiple vulnerabilities in Apache HTTP server
Package(s): apache
CVE #(s): CAN-2003-0192, CAN-2003-0253, CAN-2003-0254
Created: July 11, 2003
Updated: September 22, 2003
Description:
The Apache Software Foundation and
the Apache HTTP Server Project have announced
the release of the Apache HTTP Server 2.0.47. This release fixes four
security vulnerabilities:
- Certain sequences of per-directory renegotiations and the
SSLCipherSuite directive being used to upgrade from a weak ciphersuite to
a strong one could result in the weak ciphersuite being used in place of
the strong one. [CAN-2003-0192]
- Certain errors returned by accept() on rarely accessed ports could
cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]
- Denial of service was caused when target host is IPv6 but ftp proxy
server can't create IPv6 socket. [CAN-2003-0254]
- The server would crash when going into an infinite loop due to too
many subsequent internal redirects and nested subrequests. [VU#379828]
bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind glibc
CVE #(s): CAN-2002-0651, CAN-2002-0684
Created: July 8, 2002
Updated: October 1, 2003
Description:
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
Canna server: exploitable buffer overrun
Package(s): canna
CVE #(s): CAN-2002-1158, CAN-2002-1159
Created: December 10, 2002
Updated: October 1, 2003
Description:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CUPS: vulnerability in the CUPS IPP implementation
Package(s): cups
CVE #(s): CAN-2003-0195
Created: May 27, 2003
Updated: July 22, 2003
Description:
Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP
(Internet Printing Protocol) implementation. The IPP implementation is
single-threaded, which means only one request can be serviced at a time.
An attacker could make a partial request that does not time out and
therefore creates a denial of service. In order to exploit this bug, an
attacker must have the ability to make a TCP connection to the IPP port (by
default 631).
ethereal: security problems in Ethereal 0.9.12
Package(s): ethereal
CVE #(s): CAN-2003-0428, CAN-2003-0429, CAN-2003-0431, CAN-2003-0432
Created: June 23, 2003
Updated: November 10, 2003
Description:
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file."
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
fdclone: insecure temporary directory
Package(s): fdclone
CVE #(s): CAN-2003-0596
Created: July 23, 2003
Updated: October 1, 2003
Description:
fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions. This would
allow an attacker to gain access to fdclone's temporary files and
their contents, or replace them with other files under the attacker's
control.
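The fdclone bug above and the sup temporary-file bug earlier in this list are two halves of the same mistake: trusting whatever is already present at a predictable path under /tmp. The following is an added example written for this page, not code from either project; the function names and the path template are invented. It shows the blind-reuse pattern, a check that rejects a planted symlink, and the atomic alternatives (mkdtemp for a workspace, and open with O_CREAT|O_EXCL|O_NOFOLLOW for files):

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, as the fdclone entry describes it: if something
 * already exists at the fixed path, use it as-is.  stat() follows
 * symlinks, so an attacker's symlink pointing at a directory they
 * control is accepted as "our" workspace.  Returns 0 on success. */
int workdir_insecure(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0 && S_ISDIR(st.st_mode))
        return 0;                       /* bug: reused without any check */
    return mkdir(path, 0700);
}

/* Hardened version of the same interface: create fresh, and if the
 * path already exists, require a real directory (lstat, so a symlink
 * does not pass) owned by us with no group/other access. */
int workdir_secure(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) == 0)
        return 0;
    if (errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Better still: do not use a predictable name at all.  mkdtemp()
 * creates a uniquely named 0700 directory atomically. */
int workdir_unique(char *buf, size_t buflen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(buf, buflen, "%s/example.XXXXXX", base) >= (int)buflen)
        return -1;
    return mkdtemp(buf) != NULL ? 0 : -1;
}

/* Temporary file creation the way sup should have done it: O_CREAT|O_EXCL
 * fails with EEXIST if anything (file or symlink) is already there, and
 * O_NOFOLLOW is belt and braces against a planted link. */
int tmpfile_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    char base[256], planted[320], file[320];
    if (workdir_unique(base, sizeof base) != 0)
        return 1;
    snprintf(planted, sizeof planted, "%s/planted", base);
    symlink(".", planted);              /* the "attacker" plants a symlink */
    printf("insecure reuse: %d, secure reuse: %d\n",
           workdir_insecure(planted), workdir_secure(planted));
    snprintf(file, sizeof file, "%s/data", base);
    int fd = tmpfile_secure(file);
    printf("first create fd=%d, second create fd=%d (EEXIST=%d)\n",
           fd, tmpfile_secure(file), errno == EEXIST);
    close(fd);
    unlink(file);
    unlink(planted);
    rmdir(base);
    return 0;
}
```

Run as an ordinary user: the insecure function reports success on the planted symlink, the hardened one refuses it, and the second O_EXCL open fails with EEXIST. The ownership and mode test only helps when the program insists on a fixed path; the mkdtemp route removes the race entirely.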
fetchmail: buffer overflow
Package(s): fetchmail
CVE #(s): CAN-2002-1365
Created: December 17, 2002
Updated: October 20, 2003
Description:
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description:
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
gnupg: key validation
Package(s): gnupg
CVE #(s): CAN-2003-0255
Created: May 15, 2003
Updated: November 17, 2003
Description:
A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
gnupg: gpg setgid
Package(s): gnupg
CVE #(s): (none)
Created: July 21, 2003
Updated: July 23, 2003
Description:
gpg needs to be setuid to make use of protected memory space; however, the setgid bit allowed the gpg user to overwrite files owned by the group root.
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.
kernel 2.4 - two new vulnerabilities
Package(s): kernel
CVE #(s): CAN-2003-0244, CAN-2003-0246
Created: May 14, 2003
Updated: July 25, 2003
Description:
The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
- The ioperm() system call doesn't perform proper checking, allowing a local user to manipulate arbitrary I/O ports.
- The networking code contains a remotely exploitable denial of service condition; see the May 24 Security Page for details.
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.
Alternatively, as a workaround for this vulnerability, issue the following command as root:
chmod -s /usr/bin/uml_net
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer.
lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: October 1, 2003
Description:
If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
mpg123 - buffer overflow
Package(s): mpg123
CVE #(s): CAN-2003-0577
Created: July 16, 2003
Updated: September 30, 2003
Description:
The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s): (none)
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
net-snmp: denial of service vulnerability
Package(s): net-snmp
CVE #(s): CAN-2002-1170
Created: December 17, 2002
Updated: November 7, 2003
Description:
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
nfs-utils xlog() off-by-one bug
Package(s): nfs-utils
CVE #(s): CAN-2003-0252
Created: July 14, 2003
Updated: March 8, 2004
Description:
The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
PHP: vulnerability in mail function
Package(s): php
CVE #(s): CAN-2002-0985, CAN-2002-0986
Created: November 13, 2002
Updated: October 1, 2003
Description:
Two vulnerabilities exist in the PHP mail() function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may turn a script into an open relay if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
phpgroupware - cross-site scripting and other exploits
Package(s): phpgroupware
CVE #(s): CAN-2003-0504, CAN-2003-0582
Created: July 16, 2003
Updated: October 1, 2003
Description:
Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.
Version 0.9.14.005 fixed several other vulnerabilities, including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.
See this Security Corporation report for more information.
PostgreSQL - more buffer overflows
Package(s): postgresql
CVE #(s): (none)
Created: February 12, 2003
Updated: November 7, 2003
Description:
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Local arbitrary code execution vulnerability in Python
Package(s): python
CVE #(s): CAN-2002-1119
Created: August 28, 2002
Updated: October 1, 2003
Description:
Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.
semi: insecure temporary file
Package(s): semi, wemi
CVE #(s): CAN-2003-0440
Created: July 7, 2003
Updated: October 1, 2003
Description:
semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker.
wemi is a fork of semi, and contains the same bug.
File overwrite vulnerability in tar and unzip
Package(s): tar, unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 9, 2006
Description:
The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
teapop: SQL injection
Package(s): teapop
CVE #(s): CAN-2003-0515
Created: July 9, 2003
Updated: October 1, 2003
Description:
teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated.
Multiple vendor telnetd vulnerability
Package(s): telnet, Telnet, netkit-telnet-ssl, kerberos, telnetd, netkit-telnet, nkitb/nkitserv/telnetd, krb5
CVE #(s): (none)
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
unzip: directory traversal vulnerability
Package(s): unzip
CVE #(s): CAN-2003-0282
Created: July 1, 2003
Updated: November 13, 2003
Description:
A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered out, resulting in a ".." sequence. See the full advisory for further information.
vim - modeline vulnerability
Package(s): vim
CVE #(s): CAN-2002-1377
Created: January 16, 2003
Updated: February 10, 2004
Description:
VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that, when it is opened, arbitrary commands are executed.