The Xouvert project
[This article was contributed by Joe 'Zonker' Brockmeier]
After the much-publicized controversy earlier this year
about the XFree86 Project's development process, it seemed inevitable
that there would eventually be a fork of the project. Though it's not
exactly a fork, an experimental branch of XFree86 is now in the works.
Called "Xouvert," the project wasn't officially announced so much as outed on Slashdot.
The Xouvert project (pronounced "Zoo-vaire") is looking to allow
developers to add driver support and new features to XFree86 in a
modular fashion that should be easy to track and re-apply to the
official XFree86 tree. One complaint raised by Keith Packard, and
others, is that it has been difficult for developers outside the core
team to contribute to XFree86. Xouvert project coordinator Jonathan
Walther says that a main goal of the Xouvert project is to make it
easier:
We want to lower the barrier to entry to contribute to X. That means not
only being completely open in our source, but also doing other things.
For instance, we use the arch revision control system instead of CVS,
because this significantly lowers the barrier to participating. Anyone
can come along, download our sources, then start committing their
changes locally, keeping the sources under revision control, then at
some later point knock on our door and say "hey, I've got this great new
feature, please merge it back upstream" and it will be a snap, no
history will get lost.
Xouvert is being hosted on Savannah, though it's not an
official GNU project. The project is not officially connected to
XFree86 either. Walther says that the only communication between the XFree86
team and the Xouvert team, thus far, was when David Dawes "asked us to
capitalize XFree86 correctly" and indicate that XFree86 is a trademark.
Walther says he'd like to work with the XFree86 team in the long run,
however.
Over time as we prove ourselves, we hope to have more communication with
the XFree86 team, and hope to be able to work closely with
them...Xouvert is interested in accepting code from any of the XFree86
developers, whether current or former.
The project is designed so that it is both easier to contribute to, and
easier to download and install. Walther mentioned that compiling XFree86
has "often been a source of frustration," so Xouvert's Cameron Berkenpas
is working on a HOWTO to
make it easier on users looking to compile their X server from source.
Walther also says that the Xouvert lead developer, William Lahti, is
working on a developer's handbook that will cover Xouvert's overall
architecture and API's, though it may not be ready until the second
stable release.
Right now, there's no real difference between the XFree86 codebase and
Xouvert's. Users eager to see the first release of Xouvert don't have
too long to wait -- the first release is slated for October 1, and
stable releases are expected every six months after that. According to
Walther, the first release will only contain "small additions and
changes" but the second release next April should contain more
comprehensive changes like the DRI/DRM and Utah-glx projects.
New projects often fizzle before they reach maturity, so it's too soon
to say whether the Xouvert project will become a mainstay of the Linux
and open source community. However, given the importance of a free X
Server to the long-term (and short-term, for that matter) health and
success of Linux, one hopes that the project will be successful.
No escape from SCO
Here at LWN, we start each week in the hope that we'll be able to keep SCO
off the front page. Each week, the company finds some way to make that
impossible. This time around, there are two separate episodes which
require attention, and thus two articles to look at them.
First, we look at the interesting claim from SCO's lawyers that the GPL is
not enforceable, since it is preempted by federal copyright law. This
would appear to be a very difficult argument to back up, as has been
established by a number of people. But a sinister agenda may yet lurk
behind this goofy attack on the GPL; it bears watching.
Then, of course, there is our article on SCO's disastrous (for them)
demonstration of "stolen" code. This article is responsible for the
busiest day LWN's server has ever experienced. As this Weekly Edition goes
to "press," this situation is still developing. SCO has not, yet, managed
a response beyond the one they sent to us:
Attendees at SCO's annual conference, SCOForum, were shown samples
of Linux code that were illegally copied from SCO intellectual
property. Some Linux proponents are suggesting that SCO has no
claim to this code.
Chris Sontag, GM and SVP of SCOsource, said that not only are their
assertions incorrect, but the code is absolutely owned by SCO. In
fact SCO knows exactly which version of UNIX System V the code came
from and which licensee was responsible for illegally contributing
it to Linux.
Look for the inevitable "Chris and Darl" teleconference in the near future.
It is worth noting that the inclusion of BSD-licensed code into the Linux
kernel without the accompanying copyright notice is, indeed, a copyright
violation. It is something that absolutely should not be done; in cases
where it has happened, it needs to be fixed. We need to take greater care
with the licensing of code that we use.
But this has never been SCO's point. You don't hire brand-name lawyers
over a missing attribution; a simple "please restore my copyright" email
will do. A missing attribution does not justify billions of dollars in
damages, or even a $699 license fee. There may well have been a copyright
violation when BSD-licensed code was used without attribution. But SCO has
managed to undermine its own case anyway.
(For more information on SCO's Las Vegas slide show, see this article by Bruce
Perens, who gained access to the full set of slides presented there).
Aiming at the GPL?
It is time to have a look at some statements
by Mark Heise of Boies, Schiller, & Flexner - SCO's outside law firm -
which were initially reported in the Wall Street Journal and extensively
repeated thereafter. According to Mr. Heise, the General Public License
(GPL), under which the Linux kernel (and much other code) is licensed, is
invalid because it is preempted by federal copyright law. The problem, it
is said, is that the GPL allows unlimited copying of the software it covers
(as long as its other terms are met) while federal law only allows the
creation of a single copy for backup purposes.
This is a breathtaking bit of legal reasoning. In one quick blow,
Mr. Heise has blown away every free software license, every proprietary
site license, and many other end user agreements that have been made over
the years. We tried to discuss Mr. Heise's pathbreaking legal work with
him, but he didn't feel the need to return our phone calls. So let's just
have a quick look at the law he is talking about.
The relevant bit of law is section 117 of
the U.S. copyright law. It reads (in part):
§ 117. Limitations on exclusive rights: Computer Programs
(a) Making of Additional Copy or Adaptation by Owner of
Copy. -- Notwithstanding the provisions of section 106, it is
not an infringement for the owner of a copy of a computer program
to make or authorize the making of another copy or adaptation of
that computer program provided:
- that such a new copy or adaptation is created as an essential
step in the utilization of the computer program in conjunction with
a machine and that it is used in no other manner, or
- that such new copy or adaptation is for archival purposes only
and that all archival copies are destroyed in the event that
continued possession of the computer program should cease to be
rightful.
In other words, the "backup copy" language is an additional right granted
to users of copyrighted material. Nothing in the GPL attempts to restrict
this right. The biggest danger posed by Mr. Heise's argument would seem to
be the potential for contempt of court findings against those who are
unable to control their laughter. (See this article
by Eben Moglen for a more complete demolition of the preemption
argument).
Bizarre statements out of the SCO camp are nothing new. But we should not
let the clownish aspect of the SCO Group take attention away from what,
increasingly, appears to be part of their real agenda: an attack on the
GPL. Consider the latest from CEO Darl McBride, as reported in
eWeek:
"In a nutshell, this litigation is essentially about the GNU
General Public License and all it stands for. That license has not
yet been challenged or tested in court, but it is now going to
be. We are also firmly and aggressively challenging the notion that
Linux is a free operating system," McBride said.
The "GPL and all it stands for" has made life difficult for SCO, and they
want to take it out. The GPL stands for software which is free, software
which is under the control of no company - not even SCO. It stands for a
world where nobody can collect large taxes for the concept of "Unix-like
systems on commodity hardware." The SCO Group evidently sees such taxes as
its birthright. No wonder it wants to destroy "the GPL and all it stands
for."
This campaign is off to an amateurish start, but it may not stay that way.
It bears watching. The GPL is strong, and so are its defenders; it is
telling that, over the better part of twenty years, nobody has thought it
worthwhile to challenge the GPL in court. The GPL will almost certainly
prove far stronger than SCO. But every trip to court has its dangers, and
the community cannot afford to be complacent with this one. If SCO follows
through on its rhetoric, we have a big and important fight ahead of us.
Why SCO won't show the code
At SCO's annual reseller show, the company's executives put up a couple of
slides as a way of demonstrating how Unix code had been "stolen" and put
into Linux. The two slides were photographed and have since appeared on
Heise Online.
The escape of these slides has allowed the Linux community to do something
it has been craving since the beginning of the SCO case: track down the
real origins of the code that SCO claims as its own. The results, in this
case, came quick and clear. They do not bode well for SCO.
The code in question is found in arch/ia64/sn/io/ate_utils.c in the 2.4 tree.
It carries an SGI copyright. It seems that SGI was not entirely
forthcoming in documenting the source of its source; some of the code in
question was, indisputably, not written at SGI. So where does it really
come from?
This code is from sys/sys/malloc.c
in V7 Unix. It has been widely published; among other things, it can be
found in Lions' Commentary on UNIX (if you can get a copy). It was
featured in this
1984 Usenet posting. And, crucially, it has been circulated with the
V7 Unix source, which was released by Caldera (now
the SCO Group) under the BSD license. SCO would like the world to forget
about that release now, but the
Wayback Machine remembers.
So...SCO's code demonstration, the one that it put up to convince its
resellers of its case, comes from a version of Unix which first came out in
1979. The code was publicly circulated in the 1980's, and explicitly
released under the BSD license by [the company now known as] SCO at the
beginning of 2002. SCO might well have a complaint that SGI did not
properly give credit for the code it used. But there is no possible way
the company can argue that this code's presence in Linux is an infringement
of its copyrights.
And this, of course, is why SCO refuses to show the code that, it claims,
is copied. These claims do not stand up to even a few hours' scrutiny on
the net. SCO may yet have an interesting contract dispute with IBM, but,
from what we have seen so far, its claims of direct copying of code are
hollow.
(Many thanks to those who commented on an
earlier LWN posting on this subject - those comments are the source for
just about everything that appears in this article. Many thanks are due to
LWN's readers; you have shown the best of what the community can do.
Update: see also: this analysis of SCO's
code by Bruce Perens.)
Page editor: Jonathan Corbet
Security
Security news
On the value of virus notifications
Many readers will, by now, be familiar with the results of "SoBig," this
week's worm afflicting Microsoft systems. This worm,
by some
estimates, is accounting for some 70% of all email traffic on the net
as this article is being written. Even those of us smugly running Linux,
and who are thus not directly susceptible to this worm, have been affected
by the flood of incoming email.
Interestingly, here at LWN we might have remained almost unaware of this
worm. SpamAssassin does a perfectly
fine job of filtering out SoBig mail; it never made it to our mailbox. The
same cannot be said for the steady stream of "your email contained a virus"
mail which continues to pour in. Finding our real mail among all of the
virus notifications has become a bit of a challenge.
The thing is, of course, that we have not sent infected mail to anybody.
Honest. Neither have many of the other people who have gotten these
notifications. The software sending these notifications is working on the
assumption that email containing virulent malware will also be so polite as
to contain a
correct return address. SoBig is far from the first infestation which
forges return addresses, and it will certainly not be the last.
If virus notification email ever served a purpose, it has long since
outlived it. Virus/worm scanning software has its place in organizations
which are running vulnerable software, but as soon as it starts sending
mail to addresses found in hostile mail, it becomes part of the problem.
If you have anything to do with the development, deployment, or
administration of such software, please consider turning the notification
feature off.
New vulnerabilities
autorespond: buffer overflow
Package(s): autorespond
CVE #(s): CAN-2003-0654
Created: August 18, 2003
Updated: October 1, 2003
Description:
Christian Jaeger discovered a buffer overflow in autorespond, an email
autoresponder used with qmail. This vulnerability could potentially
be exploited by a remote attacker to gain the privileges of a user who
has configured qmail to forward messages to autorespond. This
vulnerability is currently not believed to be exploitable due to
incidental limits on the length of the problematic input, but there
may be situations in which these limits do not apply.
eroaster: insecure temporary file
Package(s): eroaster
CVE #(s): CAN-2003-0656
Created: August 19, 2003
Updated: October 1, 2003
Description:
A vulnerability was discovered in eroaster where it does not take any
security precautions when creating a temporary file for the lockfile. This
vulnerability could be exploited to overwrite arbitrary files with the
privileges of the user running eroaster.
netris: buffer overflow
Package(s): netris
CVE #(s): CAN-2003-0685
Created: August 18, 2003
Updated: October 1, 2003
Description:
Shaun Colley discovered a buffer overflow vulnerability in netris, a
network version of a popular puzzle game. A netris client connecting
to an untrusted netris server could be sent an unusually long data
packet, which would be copied into a fixed-length buffer without
bounds checking. This vulnerability could be exploited to gain the
privileges of the user running netris in client mode, if they connect
to a hostile netris server.
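The netris description above is the textbook shape of this bug: a length the peer controls, a buffer whose size the peer does not know, and no comparison between the two. What follows is an added example written for this page, not netris code or its fix. It shows the unchecked copy beside a bounded replacement, plus a small line reader that uses the bounded copy on a constructed byte stream; the line format, the 100-byte sample line and the buffer sizes are all assumptions. The same pattern applies to the other fixed-buffer overflows listed further down this page, such as the long archive filename in mikmod.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the length of the server-supplied line is never compared
 * with the client's buffer, so a line longer than the buffer overruns it.
 * Never call this on untrusted input; kept only for contrast. */
void store_line_unsafe(char *dst, const char *wire) {
    strcpy(dst, wire);
}

/* Hardened: measure first, reject what does not fit (leaving room for the
 * terminating NUL), then copy.  Returns the stored length or -1. */
int store_line_safe(char *dst, size_t dst_size, const char *wire, size_t wire_len) {
    if (dst_size == 0 || wire_len >= dst_size) return -1;
    memcpy(dst, wire, wire_len);
    dst[wire_len] = '\0';
    return (int)wire_len;
}

/* Pull the next newline-terminated line out of a received byte stream into a
 * fixed-size client buffer.  Returns 1 and advances *pos when a line was
 * stored, 0 at end of stream, -1 when the line would not fit (nothing is
 * consumed; the right reaction is to drop the connection, not to read more). */
int next_line(const char *stream, size_t stream_len, size_t *pos,
              char *out, size_t out_size, size_t *out_len) {
    if (*pos >= stream_len) return 0;
    const char *start = stream + *pos;
    const char *nl = memchr(start, '\n', stream_len - *pos);
    size_t len = nl ? (size_t)(nl - start) : stream_len - *pos;
    int n = store_line_safe(out, out_size, start, len);
    if (n < 0) return -1;
    *out_len = (size_t)n;
    *pos += len + (nl ? 1 : 0);
    return 1;
}

/* Constructed sample stream (not real netris traffic): an ordinary line, a
 * 100-byte line such as a hostile server might send, and a final line with no
 * trailing newline.  Returns its length; buf must hold at least 128 bytes. */
size_t build_sample(char *buf) {
    size_t n = 0;
    memcpy(buf + n, "score 1\n", 8); n += 8;
    memset(buf + n, 'A', 100);       n += 100;
    memcpy(buf + n, "\nbye", 4);     n += 4;
    return n;
}

/* Parse the sample with a client buffer of the given size and return how many
 * lines were accepted before end of stream or the first oversize line. */
int demo_parse(size_t bufsize) {
    char stream[128], line[256];
    size_t stream_len = build_sample(stream), pos = 0, len;
    int accepted = 0;
    if (bufsize > sizeof line) return -1;
    while (next_line(stream, stream_len, &pos, line, bufsize, &len) == 1)
        accepted++;
    return accepted;
}

int main(void) {
    printf("16-byte buffer: %d lines accepted\n", demo_parse(16));   /* 1 */
    printf("128-byte buffer: %d lines accepted\n", demo_parse(128)); /* 3 */
    return 0;
}
```

Note what next_line does on an oversize line: it stores nothing and consumes nothing, so the caller sees -1 once and can close the connection. Silently truncating would leave the rest of the overlong line in the stream, where it would be parsed as the next command.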
openslp: temporary file creation vulnerability
Package(s): openslp
CVE #(s): none
Created: August 18, 2003
Updated: August 20, 2003
Description:
According to the advisory, there is a symbolic link vulnerability in one of
the initscripts provided with openslp. The slpd.all_init file uses
'/tmp/route.check' as a temporary file in an unsafe manner.
Updated vulnerabilities
2.4 kernel: several vulnerabilities
Package(s): 2.4 kernel
CVE #(s): CAN-2003-0461, CAN-2003-0462, CAN-2003-0464, CAN-2003-0476, CAN-2003-0501, CAN-2003-0550, CAN-2003-0551, CAN-2003-0552
Created: July 21, 2003
Updated: December 23, 2003
Description:
Several security issues have been discovered affecting the Linux kernel:
- CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
- CAN-2003-0462: Paul Starzetz discovered a file read race condition
in the execve() system call, which could cause a local crash.
- CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that this could allow normal
users to bind to UDP ports used for services such as nfsd.
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
- CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
- CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
- CAN-2003-0552: Jerry Kreuscher discovered that the forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
perl-MailTools: remote command execution
Package(s): MailTools
CVE #(s): CAN-2002-1271
Created: November 5, 2002
Updated: September 19, 2003
Description:
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by
this vulnerability; in particular, SpamAssassin is vulnerable if you use the
-r or -w flags.
PHP: Cross site scripting vulnerability
Package(s): PHP
CVE #(s): CAN-2003-0442
Created: July 2, 2003
Updated: August 13, 2003
Description:
In PHP version 4.3.1 and earlier, when transparent session ID support is
enabled using the "session.use_trans_sid" option, the session ID is not
escaped before use. This allows a Cross Site Scripting attack.
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
usePerl has a description of a vulnerability in the Safe.pm Perl module. It
seems that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08.
apache: multiple vulnerabilities in Apache HTTP server
Package(s): apache
CVE #(s): CAN-2003-0192, CAN-2003-0253, CAN-2003-0254
Created: July 11, 2003
Updated: September 22, 2003
Description:
The Apache Software Foundation and the Apache HTTP Server Project have
announced the release of the Apache HTTP Server 2.0.47. This release fixes
four security vulnerabilities:
- Certain sequences of per-directory renegotiations and the
SSLCipherSuite directive being used to upgrade from a weak ciphersuite to
a strong one could result in the weak ciphersuite being used in place of
the strong one. [CAN-2003-0192]
- Certain errors returned by accept() on rarely accessed ports could
cause a temporary denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]
- Denial of service was caused when the target host is IPv6 but the ftp
proxy server can't create an IPv6 socket. [CAN-2003-0254]
- The server would crash when going into an infinite loop due to too
many subsequent internal redirects and nested subrequests. [VU#379828]
atari800: buffer overflows
Package(s): atari800
CVE #(s): CAN-2003-0630
Created: August 1, 2003
Updated: September 2, 2003
Description:
Steve Kemp discovered multiple buffer overflows in atari800, an Atari
emulator. In order to directly access graphics hardware, one of the
affected programs is setuid root. A local attacker could exploit this
vulnerability to gain root privileges.
bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind glibc
CVE #(s): CAN-2002-0651, CAN-2002-0684
Created: July 8, 2002
Updated: October 1, 2003
Description:
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc-related vulnerability which does not
affect Linux. Updates from the Internet Software Consortium (ISC)
are available.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory CA-2002-19: Buffer Overflow in Multiple DNS Resolver Libraries
Canna server: exploitable buffer overrun
Package(s): canna
CVE #(s): CAN-2002-1158, CAN-2002-1159
Created: December 10, 2002
Updated: October 1, 2003
Description:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt
ethereal: security problems in Ethereal 0.9.12
Package(s): ethereal
CVE #(s): CAN-2003-0428, CAN-2003-0429, CAN-2003-0431, CAN-2003-0432
Created: June 23, 2003
Updated: November 10, 2003
Description:
Several security problems have been found in Ethereal 0.9.12. "It may be
possible to make Ethereal crash or run arbitrary code by injecting a
purposefully malformed packet onto the wire, or by convincing someone to read
a malformed packet trace file."
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes and
lets interested applications know when something happens. This package has a
flaw in its group handling that blocks some legitimate operations while, at
the same time, exposing the names of files that should otherwise be invisible.
fdclone: insecure temporary directory
Package(s): fdclone
CVE #(s): CAN-2003-0596
Created: July 23, 2003
Updated: October 1, 2003
Description:
fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions. This would
allow an attacker to gain access to fdclone's temporary files and
their contents, or replace them with other files under the attacker's
control.
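The eroaster and openslp entries above and this fdclone entry are three instances of one mistake: trusting a name under /tmp that another local user may have created first. As an added example, not code from any of those packages or from their fixes, here is the unsafe open beside the checks that close each hole: O_EXCL with O_NOFOLLOW for a lock file, an ownership-and-mode check for a workspace directory that may already exist, and mkdtemp(3) for creating one. The demo function plants a symlink inside a private directory and shows the unsafe open truncating the link's target; the path names and mode values are the example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape (the eroaster/openslp pattern): a fixed, predictable name,
 * created without O_EXCL and without O_NOFOLLOW.  If an attacker has already
 * placed a symlink at that path, open() follows it and O_TRUNC empties the
 * link target with the caller's privileges.  Kept only for contrast. */
int open_lockfile_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: fail if anything already exists there (O_EXCL), never follow a
 * symlink (O_NOFOLLOW) and create the file private to us.  Returns fd or -1. */
int open_lockfile_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The fdclone pattern: a workspace directory that may already exist.  Reusing
 * it blindly is the bug; it must be a real directory (lstat, so a symlink does
 * not pass), owned by us, and not writable by group or others. */
int dir_is_trustworthy(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Preferred: mkdtemp(3) picks an unpredictable name, creates it 0700 and
 * fails instead of reusing an existing path.  tmpl must end in XXXXXX. */
int make_workspace(char *tmpl) {
    return mkdtemp(tmpl) != NULL;
}

/* Walk through the attack and the defences inside a private workspace.
 * Returns 0 when every check behaved as expected, else the failing step. */
int demo_temp_handling(void) {
    char dir[] = "/tmp/lwn-tmp-XXXXXX";          /* assumed template */
    char lock[64], victim[64], evil[64];
    struct stat st;
    int fd, rc = 0;

    if (!make_workspace(dir)) return 1;
    if (!dir_is_trustworthy(dir)) rc = 2;          /* fresh 0700 dir, ours */
    snprintf(lock, sizeof lock, "%s/lock", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(evil, sizeof evil, "%s/evil", dir);

    /* "victim" stands in for a file the attacker wants clobbered */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) rc = 3;
    if (fd >= 0) close(fd);
    if (symlink(victim, evil) != 0) rc = 4;         /* attacker plants link */

    fd = open_lockfile_unsafe(evil);                /* follows it: victim truncated */
    if (fd >= 0) close(fd);
    if (stat(victim, &st) != 0 || st.st_size != 0) rc = 5;

    if (open_lockfile_safe(evil) >= 0) rc = 6;      /* refused: EEXIST */
    fd = open_lockfile_safe(lock);
    if (fd < 0) rc = 7; else close(fd);             /* fresh name: created */
    if (open_lockfile_safe(lock) >= 0) rc = 8;      /* second time: refused */

    chmod(dir, 0777);                               /* now anyone can plant files */
    if (dir_is_trustworthy(dir)) rc = 9;

    unlink(evil); unlink(victim); unlink(lock); rmdir(dir);
    return rc;
}

int main(void) {
    printf("temp file checks: %s\n", demo_temp_handling() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The order of the checks in dir_is_trustworthy matters: lstat rather than stat, so that a symlink planted at the expected name is rejected as "not a directory" instead of being resolved to wherever the attacker pointed it.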
fetchmail: buffer overflow
Package(s): fetchmail
CVE #(s): CAN-2002-1365
Created: December 17, 2002
Updated: October 20, 2003
Description:
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow
vulnerability which can be exploited remotely via a suitably crafted message.
See the advisory for details.
gallery: cross-site scripting
Package(s): gallery
CVE #(s): CAN-2003-0614
Created: July 31, 2003
Updated: September 2, 2003
Description:
Larry Nguyen discovered a cross site scripting vulnerability in gallery,
a web-based photo album written in PHP. This security flaw can allow a
malicious user to craft a URL that executes JavaScript code on your
website.
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description:
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note VU#738331.)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
gnupg: key validation
Package(s): gnupg
CVE #(s): CAN-2003-0255
Created: May 15, 2003
Updated: November 17, 2003
Description:
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more than one user ID to trust all user IDs with the
amount of trust given to the most-valid user ID.
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
in its handling of HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains User Mode Linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability, issue the following
command as root:
    chmod -s /usr/bin/uml_net
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: October 1, 2003
Description:
If lynx is given a URL with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
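The lynx entry above describes header injection: characters in the URL that lynx does not strip become line breaks in the request it sends. As an added example, written for this page and not lynx code or its fix, here is a request builder in its unchecked and validated forms, run on a constructed path carrying a CR/LF-separated second Host header, together with a check that counts Host headers in what would have gone on the wire. The host name and the exact request format are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed hostile "path" of the kind a caller might pass on the command
 * line: it closes the request line, adds its own Host header and blank line,
 * then starts a second request. */
#define HOSTILE_PATH "/index.html HTTP/1.0\r\nHost: other.example\r\n\r\nGET /"

/* Vulnerable shape: the path is interpolated unchecked, so the CR/LF inside
 * it become real line breaks in the request that is sent. */
int build_request_unsafe(char *out, size_t out_size, const char *host, const char *path) {
    int n = snprintf(out, out_size, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* Any byte that can terminate a line or a token in HTTP syntax: CR, LF, the
 * other C0 controls, space (which must be percent-encoded in a path) and DEL. */
int has_header_breaking_byte(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c <= 0x20 || c == 0x7f) return 1;
    }
    return 0;
}

/* Hardened: validate both interpolated values before building anything. */
int build_request_safe(char *out, size_t out_size, const char *host, const char *path) {
    if (has_header_breaking_byte(host) || has_header_breaking_byte(path)) return -1;
    return build_request_unsafe(out, out_size, host, path);
}

/* Count Host header lines in a built request; more than one means injection. */
int count_host_headers(const char *req) {
    int count = 0;
    const char *p = req;
    while ((p = strstr(p, "\r\nHost:")) != NULL) { count++; p += 7; }
    return count;
}

/* Build a request for the given path with either builder and report how many
 * Host headers it carries, or -1 if the builder refused the input. */
int demo_host_count(int use_safe, const char *path) {
    char req[256];
    const char *host = "www.example.org";       /* assumed target vhost */
    int n = use_safe ? build_request_safe(req, sizeof req, host, path)
                     : build_request_unsafe(req, sizeof req, host, path);
    return n < 0 ? -1 : count_host_headers(req);
}

int main(void) {
    printf("unsafe builder, hostile path: %d Host headers\n", demo_host_count(0, HOSTILE_PATH));
    printf("safe builder, hostile path:   %d (refused)\n", demo_host_count(1, HOSTILE_PATH));
    printf("safe builder, clean path:     %d Host header\n", demo_host_count(1, "/index.html"));
    return 0;
}
```

Rejecting rather than stripping is deliberate: a script that feeds lynx a URL it did not expect to be attacker-shaped is better served by a hard failure than by a silently rewritten request.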
man-db: buffer overflow, command execution
Package(s): man-db
CVE #(s): CAN-2003-0620, CAN-2003-0645
Created: August 5, 2003
Updated: August 18, 2003
Description:
man-db 2.4.1 and earlier contains two separate vulnerabilities. There are
several buffer overflows which could perhaps be locally exploited, and some
directives in ~/.manpath are executed when they should not be. These
vulnerabilities only matter if the package has been installed in the setuid
mode.
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
mpg123: buffer overflow
Package(s): mpg123
CVE #(s): CAN-2003-0577
Created: July 16, 2003
Updated: September 30, 2003
Description:
The mpg123 utility contains a buffer overflow vulnerability which can allow an
attacker to execute arbitrary code by way of a malicious MP3 file.
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s): none
Created: May 27, 2003
Updated: August 12, 2004
Description:
Some vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or he/she would need to trick a
user somehow into running a specially crafted NASL script. Read the full
advisory for additional information.
net-snmp: denial of service vulnerability
Package(s): net-snmp
CVE #(s): CAN-2002-1170
Created: December 17, 2002
Updated: November 7, 2003
Description:
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet.
nfs-utils xlog() off-by-one bug
Package(s): nfs-utils
CVE #(s): CAN-2003-0252
Created: July 14, 2003
Updated: March 8, 2004
Description:
The Linux NFS utils package contains a remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending a
specially crafted request to the rpc.mountd daemon. See the BugTraq post for
more details.
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
pam-pgsql: format string vulnerability
| Package(s): | pam-pgsql |
| CVE #(s): | CAN-2003-0672 |
| Created: | August 11, 2003 |
| Updated: | October 1, 2003 |
| Description: | Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication. CAN-2003-0672 |
| Alerts: | |
Comments (none posted)
perl: cross site scripting vulnerability in CGI.pm module
| Package(s): | perl |
| CVE #(s): | CAN-2003-0615 |
| Created: | July 29, 2003 |
| Updated: | October 1, 2003 |
| Description: | obscure@eyeonsecurity.org reported a cross-site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package. CAN-2003-0615 |
| Alerts: | |
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
| CVE #(s): | CAN-2002-0985, CAN-2002-0986 |
| Created: | November 13, 2002 |
| Updated: | October 1, 2003 |
| Description: | Two vulnerabilities exist in the PHP mail() function. The first allows the execution of any program/script, bypassing the safe_mode restriction; the second may turn a script into an open relay if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. CAN-2002-0985 CAN-2002-0986 |
| Alerts: | |
Comments (none posted)
phpgroupware - cross-site scripting and other exploits
| Package(s): | phpgroupware |
| CVE #(s): | CAN-2003-0504, CAN-2003-0582 |
| Created: | July 16, 2003 |
| Updated: | October 1, 2003 |
| Description: | Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited. Version 0.9.14.005 fixed several other vulnerabilities, including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies. See this Security Corporation report for more information. CAN-2003-0504 CAN-2003-0582 |
| Alerts: | |
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
| CVE #(s): | CAN-2003-0468, CAN-2003-0540 |
| Created: | August 5, 2003 |
| Updated: | May 27, 2004 |
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: | |
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
| CVE #(s): | |
| Created: | February 12, 2003 |
| Updated: | November 7, 2003 |
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: | |
Comments (1 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
| CVE #(s): | CAN-2002-1119 |
| Created: | August 28, 2002 |
| Updated: | October 1, 2003 |
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. CAN-2002-1119 |
| Alerts: | |
Comments (none posted)
semi: insecure temporary file
| Package(s): | semi, wemi |
| CVE #(s): | CAN-2003-0440 |
| Created: | July 7, 2003 |
| Updated: | October 1, 2003 |
| Description: | semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker. wemi is a fork of semi, and contains the same bug. CAN-2003-0440 |
| Alerts: | |
Comments (none posted)
stunnel: signal handler reentrancy DoS
| Package(s): | stunnel |
| CVE #(s): | CAN-2002-1563 |
| Created: | July 25, 2003 |
| Updated: | November 25, 2003 |
| Description: | Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption. When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits. Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service. |
| Alerts: | |
Comments (none posted)
sup: insecure temporary file
| Package(s): | sup |
| CVE #(s): | CAN-2003-0606 |
| Created: | July 29, 2003 |
| Updated: | October 1, 2003 |
| Description: | sup, a package used to maintain collections of files in identical versions across machines, fails to take appropriate security precautions when creating temporary files. A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the user running sup. CAN-2003-0606 |
| Alerts: | |
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar, unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 9, 2006 |
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. |
| Alerts: | |
Comments (1 posted)
teapop: SQL injection
| Package(s): | teapop |
| CVE #(s): | CAN-2003-0515 |
| Created: | July 9, 2003 |
| Updated: | October 1, 2003 |
| Description: | teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated. CAN-2003-0515 |
| Alerts: | |
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | October 5, 2004 |
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. |
| Alerts: | |
Comments (none posted)
unzip: directory traversal vulnerability
| Package(s): | unzip |
| CVE #(s): | CAN-2003-0282 |
| Created: | July 1, 2003 |
| Updated: | November 13, 2003 |
| Description: | A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information. |
| Alerts: | |
Comments (none posted)
vim - modeline vulnerability
| Package(s): | vim |
| CVE #(s): | CAN-2002-1377 |
| Created: | January 16, 2003 |
| Updated: | February 10, 2004 |
| Description: | VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. |
| Alerts: | |
Comments (4 posted)
vixie-cron: Local vulnerability
| Package(s): | vixie-cron |
| CVE #(s): | CVE-2001-0559 |
| Created: | April 17, 2003 |
| Updated: | October 3, 2003 |
| Description: | From the ISS advisory: "Vixie Cron is a scheduling daemon that ships with several Linux distributions. Vixie Cron version 3.0pl1 could allow a local attacker to gain root privileges. Crontab fails to properly drop privileges in certain cases after a crontab modification operation. A local attacker could exploit this vulnerability to gain root privileges on the system since crontab is installed setuid root." Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page. |
| Alerts: | |
Comments (none posted)
webmin: session ID spoofing
| Package(s): | webmin |
| CVE #(s): | CAN-2003-0101 |
| Created: | June 13, 2003 |
| Updated: | November 18, 2003 |
| Description: | miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges. |
| Alerts: | |
Comments (none posted)
wget: directory traversal bug
| Package(s): | wget |
| CVE #(s): | CAN-2002-1344 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |
| Description: | Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system. FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3). |