LWN.net Logo

LWN.net Weekly Edition for August 21, 2003

The Xouvert project

[This article was contributed by Joe 'Zonker' Brockmeier]

After the much-publicized controversy earlier this year [Xouvert] about the XFree86 Project's development process, it seemed inevitable that there would eventually be a fork of the project. Though it's not exactly a fork, an experimental branch of XFree86 is now in the works. Called "Xouvert," the project wasn't officially announced so much as outed on Slashdot.

The Xouvert project (pronounced "Zoo-vaire") is looking to allow developers to add driver support and new features to XFree86 in a modular fashion that should be easy to track and re-apply to the official XFree86 tree. One complaint raised by Keith Packard, and others, is that it has been difficult for developers outside the core team to contribute to XFree86. Xouvert project coordinator Jonathan Walther says that a main goal of the Xouvert project is to make it easier:

We want to lower the barrier to entry to contribute to X. That means not only being completely open in our source, but also doing other things. For instance, we use the arch revision control system instead of CVS, because this significantly lowers the barrier to participating. Anyone can come along, download our sources, then start committing their changes locally, keeping the sources under revision control, then at some later point knock on our door and say "hey, I've got this great new feature, please merge it back upstream" and it will be a snap, no history will get lost.

Xouvert is being hosted on Savannah, though it's not an official GNU project. The project is not officially connected to XFree86 either. Walther says that the only communication between the XFree86 team and the Xouvert team, thus far, was when David Dawes "asked us to capitalize XFree86 correctly" and indicate that XFree86 is a trademark. Walther says he'd like to work with the XFree86 team in the long run, however.

Over time as we prove ourselves, we hope to have more communication with the XFree86 team, and hope to be able to work closely with them...Xouvert is interested in accepting code from any of the XFree86 developers, whether current or former.

The project is designed so that it is both easier to contribute to, and easier to download and install. Walther mentioned that compiling XFree86 has "often been a source of frustration," so Xouvert's Cameron Berkenpas is working on a HOWTO to make it easier on users looking to compile their X server from source. Walther also says that the Xouvert lead developer, William Lahti, is working on a developer's handbook that will cover Xouvert's overall architecture and API's, though it may not be ready until the second stable release.

Right now, there's no real difference between the XFree86 codebase and Xouvert's. Users eager to see the first release of Xouvert don't have too long to wait -- the first release is slated for October 1, and stable releases are expected every six months after that. According to Walther, the first release will only contain "small additions and changes" but the second release next April should contain more comprehensive changes like the DRI/DRM and Utah-glx projects.

New projects often fizzle before they reach maturity, so it's too soon to say whether the Xouvert project will become a mainstay of the Linux and open source community. However, given the importance of a free X Server to the long-term (and short-term, for that matter) health and success of Linux, one hopes that the project will be successful.

Comments (10 posted)

No escape from SCO

Here at LWN, we start each week in the hope that we'll be able to keep SCO off the front page. Each week, the company finds some way to make that impossible. This time around, there are two separate episodes which require attention, and thus two articles to look at them.

First, we look at the interesting claim from SCO's lawyers that the GPL is not enforceable, since it is preempted by federal copyright law. This would appear to be a very difficult argument to back up, as has been established by a number of people. But a sinister agenda may yet lurk behind this goofy attack on the GPL; it bears watching.

Then, of course, there is our article on SCO's disastrous (for them) demonstration of "stolen" code. This article is responsible for the busiest day LWN's server has ever experienced. As this Weekly Edition goes to "press," this situation is still developing. SCO has not, yet, managed a response beyond the one they sent to us:

Attendees at SCO's annual conference, SCOForum, were shown samples of Linux code that were illegally copied from SCO intellectual property. Some Linux proponents are suggesting that SCO has no claim to this code.

Chris Sontag, GM and SVP of SCOsource, said that not only are their assertions incorrect, but the code is absolutely owned by SCO. In fact SCO knows exactly which version of UNIX System V the code came from and which licensee was responsible for illegally contributing it to Linux.

Look for the inevitable "Chris and Darl" teleconference in the near future.

It is worth noting that the inclusion of BSD-licensed code into the Linux kernel without the accompanying copyright notice is, indeed, a copyright violation. It is something that absolutely should not be done; in cases where it has happened, it needs to be fixed. We need to take greater care with the licensing of code that we use.

But this has never been SCO's point. You don't hire brand-name lawyers over a missing attribution; a simple "please restore my copyright" email will do. A missing attribution does not justify billions of dollars in damages, or even a $699 license fee. There may well have been a copyright violation when BSD-licensed code was used without attribution. But SCO has managed to undermine its own case anyway.

(For more information on SCO's Las Vegas slide show, see this article by Bruce Perens, who gained access to the full set of slides presented there).

Comments (2 posted)

Aiming at the GPL?

It is time to have a look at some statements by Mark Heise of Boies, Schiller, & Flexner - SCO's outside law firm - which were initially reported in the Wall Street Journal and extensively repeated thereafter. According to Mr. Heise, the General Public License (GPL), under which the Linux kernel (and much other code) is licensed, is invalid because it is preempted by federal copyright law. The problem, it is said, is that the GPL allows unlimited copying of the software it covers (as long as its other terms are met) while federal law only allows the creation of a single copy for backup purposes.

This is a breathtaking bit of legal reasoning. In one quick blow, Mr. Heise has blown away every free software license, every proprietary site license, and many other end user agreements that have been made over the years. We tried to discuss Mr. Heise's pathbreaking legal work with him, but he didn't feel the need to return our phone calls. So let's just have a quick look at the law he is talking about.

The relevant bit of law is section 117 of the U.S. copyright law. It reads (in part):

§ 117. Limitations on exclusive rights: Computer Programs

(a) Making of Additional Copy or Adaptation by Owner of Copy. -- Notwithstanding the provisions of section 106, it is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided:

  1. that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it is used in no other manner, or

  2. that such new copy or adaptation is for archival purposes only and that all archival copies are destroyed in the event that continued possession of the computer program should cease to be rightful.

In other words, the "backup copy" language is an additional right granted to users of copyrighted material. Nothing in the GPL attempts to restrict this right. The biggest danger posed by Mr. Heise's argument would seem to be the potential for contempt of court findings against those who are unable to control their laughter. (See this article by Eben Moglen for a more complete demolition of the preemption argument).

Bizarre statements out of the SCO camp are nothing new. But we should not let the clownish aspect of the SCO Group take attention away from what, increasingly, appears to be part of their real agenda: an attack on the GPL. Consider the latest from CEO Darl McBride, as reported in eWeek:

"In a nutshell, this litigation is essentially about the GNU General Public License and all it stands for. That license has not yet been challenged or tested in court, but it is now going to be. We are also firmly and aggressively challenging the notion that Linux is a free operating system," McBride said.

The "GPL and all it stands for" has made life difficult for SCO, and they want to take it out. The GPL stands for software which is free, software which is under the control of no company - not even SCO. It stands for a world where nobody can collect large taxes for the concept of "Unix-like systems on commodity hardware." The SCO Group evidently sees such taxes as its birthright. No wonder it wants to destroy "the GPL and all it stands for."

This campaign is off to an amateurish start, but it may not stay that way. It bears watching. The GPL is strong, and so are its defenders; it is telling that, over the better part of twenty years, nobody has thought it worthwhile to challenge the GPL in court. The GPL will almost certainly prove far stronger than SCO. But every trip to court has its dangers, and the community cannot affort to be complacent with this one. If SCO follows through on its rhetoric, we have a big and important fight ahead of us.

Comments (21 posted)

Why SCO won't show the code

At SCO's annual reseller show, the company's executives put up a couple of slides as a way of demonstrating how Unix code had been "stolen" and put into Linux. The two slides were photographed and have since appeared on Heise Online; see them here and here. The escape of these slides has allowed the Linux community to do something it has been craving since the beginning of the SCO case: track down the real origins of the code that SCO claims as its own. The results, in this case, came quick and clear. They do not bode well for SCO.

The code in question is found in arch/ia64/sn/io/ate_utils.c in the 2.4 tree. It carries an SGI copyright. It seems that SGI was not entirely forthcoming in documenting the source of its source; some of the code in question was, indisputably, not written at SGI. So where does it really come from?

This code is from sys/sys/malloc.c in V7 Unix. It has been widely published; among other things, it can be found in Lion's Commentary on Unix (if you can get a copy). It was featured in this 1984 Usenet posting. And, crucially, it has been circulated with the V7 Unix source, which was released by Caldera (now the SCO Group) under the BSD license. SCO would like the world to forget about that release now, but the Wayback Machine remembers.

So...SCO's code demonstration, the one that it put up to convince its resellers of its case, comes from a version of Unix which first came out in 1979. The code was publicly circulated in the 1980's, and explicitly released under the BSD license by [the company now known as] SCO at the beginning of 2002. SCO might well have a complaint that SGI did not properly give credit for the code it used. But there is no possible way the company can argue that this code's presence in Linux is an infringement of its copyrights.

And this, of course, is why SCO refuses to show the code that, it claims, is copied. These claims do not stand up to even a few hours' scrutiny on the net. SCO may yet have an interesting contract dispute with IBM, but, from what we have seen so far, its claims of direct copying of code are hollow.

(Many thanks to those who commented on an earlier LWN posting on this subject - those comments are the source for just about everything that appears in this article. Many thanks are due to LWN's readers; you have shown the best of what the community can do. Update: see also: this analysis of SCO's code by Bruce Perens.)

Comments (71 posted)

Page editor: Jonathan Corbet

Security

Security news

On the value of virus notifications

Many readers will, by now, be familiar with the results of "SoBig," this week's worm afflicting Microsoft systems. This worm, by some estimates, is accounting for some 70% of all email traffic on the net as this article is being written. Even those of us smugly running Linux, and who are thus not directly susceptible to this worm, have been affected by the flood of incoming email.

Interestingly, here at LWN we might have remained almost unaware of this worm. SpamAssassin does a perfectly fine job of filtering out SoBig mail; it never made it to our mailbox. The same cannot be said for the steady stream of "your email contained a virus" mail which continues to pour in. Finding our real mail among all of the virus notifications has become a bit of a challenge.

The thing is, of course, that we have not sent infected mail to anybody. Honest. Neither have many of the other people who have gotten these notifications. The software sending these notifications is working on the assumption that email containing virulent malware will also be so polite as to contain a correct return address. SoBig is far from the first infestation which forges return addresses, and it will certainly not be the last.

If virus notification email ever served a purpose, it has long since outlived it. Virus/worm scanning software has its place in organizations which are running vulnerable software, but as soon as it starts sending mail to addresses found in hostile mail, it becomes part of the problem. If you have anything to do with the development, deployment, or administration of such software, please consider turning the notification feature off.

Comments (21 posted)

New vulnerabilities

autorespond: buffer overflow

Package(s):autorespond CVE #(s):CAN-2003-0654
Created:August 18, 2003 Updated:October 1, 2003
Description: Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.

CAN-2003-0654

Alerts:
Debian DSA-373-1 2003-08-16

Comments (none posted)

eroaster: insecure temporary file

Package(s):eroaster CVE #(s):CAN-2003-0656
Created:August 19, 2003 Updated:October 1, 2003
Description: A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster.

CAN-2003-0656

Alerts:
Debian DSA-366-1 2003-08-05
Mandrake MDKSA-2003:083 2003-08-19
Gentoo 200309-04 2003-09-02

Comments (none posted)

netris: buffer overflow

Package(s):netris CVE #(s):CAN-2003-0685
Created:August 18, 2003 Updated:October 1, 2003
Description: Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the priviliges of the user running netris in client mode, if they connect to a hostile netris server.

CAN-2003-0685

Alerts:
Debian DSA-372-1 2003-08-16

Comments (none posted)

openslp: temporary file creation vulnerability

Package(s):openslp CVE #(s):
Created:August 18, 2003 Updated:August 20, 2003
Description: According to this advisory there's a symbolic link vulnerability in one of the initscripts provided with openslp. The slpd.all_init file uses '/tmp/route.check' as a temporarily file in an unsafe manner.
Alerts:
Conectiva CLA-2003:723 2003-08-18

Comments (none posted)

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that his could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:238-01 2003-07-21
EnGarde ESA-20032407-018 2003-07-24
Debian DSA-358-1 2003-07-31
Debian DSA-358-3 2003-08-04
Debian DSA-358-2 2003-08-05
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-4 2003-08-13
Gentoo 200308-01 2003-08-14
Red Hat RHSA-2003:408-00 2003-12-19

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
SuSE SuSE-SA:2002:041 2002-11-05
Gentoo 200211-001 2002-11-06
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200302-01 2003-02-02
Debian DSA-386-1 2003-09-18

Comments (none posted)

PHP: Cross site scripting vulnerability

Package(s):PHP CVE #(s):CAN-2003-0442
Created:July 2, 2003 Updated:August 13, 2003
Description: In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack.
Alerts:
Red Hat RHSA-2003:204-01 2003-07-02
OpenPKG OpenPKG-SA-2003.032 2003-07-07
Conectiva CLA-2003:691 2003-07-08
Debian DSA-351-1 2003-07-16
Yellow Dog YDU-20030710-2 2003-07-10
Mandrake MDKSA-2003:082 2003-08-04
Mandrake MDKSA-2003:082-1 2003-08-12

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

Comments (none posted)

apache: multiple vulnerabilities in Apache HTTP server

Package(s):apache CVE #(s):CAN-2003-0192 CAN-2003-0253 CAN-2003-0254
Created:July 11, 2003 Updated:September 22, 2003
Description: The Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
  • Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [CAN-2003-0192]

  • Certain errors returned by accept() on rarely accessed ports could cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]

  • Denial of service was caused when target host is IPv6 but ftp proxy server can't create IPv6 socket. [CAN-2003-0254]

  • The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests. [VU#379828]
Alerts:
Trustix 2003-0025 2003-07-11
Conectiva CLA-2003:698 2003-07-21
Mandrake MDKSA-2003:075 2003-07-21
Mandrake MDKSA-2003:075-1 2003-08-28
Red Hat RHSA-2003:240-01 2003-09-04
Red Hat RHSA-2003:243-01 2003-09-22

Comments (none posted)

atari800: buffer overflows

Package(s):atari800 CVE #(s):CAN-2003-0630
Created:August 1, 2003 Updated:September 2, 2003
Description: Steve Kemp discovered multiple buffer overflows in atari800, an Atari emulator. In order to directly access graphics hardware, one of the affected programs is setuid root. A local attacker could exploit this vulnerability to gain root privileges.
Alerts:
Debian DSA-359-1 2003-07-31
Gentoo 200309-07 2003-09-02

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
OpenPKG OpenPKG-SA-2002.006 2002-07-04
SuSE SuSE-SA:2002:026 2002-07-09
Conectiva CLA-2002:507 2002-07-11
Gentoo glibc-20020713 2002-07-13
Trustix 2002-0061 2002-07-15
Mandrake MDKSA-2002:043 2002-07-16
EnGarde ESA-20020724-018 2002-07-24
Red Hat RHSA-2002:139-10 2002-07-22
Eridani ERISA-2002:028 2002-07-25
Yellow Dog YDU-20020801-2 2002-08-01
SCO Group CSSA-2002-034.0 2002-08-05
Red Hat RHSA-2002:133-13 2002-08-08
Eridani ERISA-2002:035 2002-08-09
Yellow Dog YDU-20020810-3 2002-08-10
Mandrake MDKSA-2002:050 2002-08-13

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
Red Hat RHSA-2002:246-18 2002-12-04
Gentoo 200212-8 2002-12-20
Debian DSA-224-1 2002-01-08
SCO Group CSSA-2003-005.0 2003-01-21

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
Mandrake MDKSA-2003:070 2003-06-23
Conectiva CLA-2003:662 2003-06-25
Gentoo 200306-13 2003-06-25
Red Hat RHSA-2003:203-01 2003-07-03
Yellow Dog YDU-20030718-2 2003-07-18
SCO Group CSSA-2003-030.0 2003-11-07

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

fdclone: insecure temporary directory

Package(s):fdclone CVE #(s):CAN-2003-0596
Created:July 23, 2003 Updated:October 1, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.

CAN-2003-0596

Alerts:
Debian DSA-352-1 2003-07-22

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Conectiva CLA-2002:554 2002-12-16
Red Hat RHSA-2002:293-09 2002-12-17
Debian DSA-216-1 2002-12-24
SuSE SuSE-SA:2003:001 2003-01-02
SCO Group CSSA-2003-001.0 2003-01-09
EnGarde ESA-20030127-002 2003-01-27
Mandrake MDKSA-2003:011 2003-01-27
Immunix IMNX-2003-7+-023-01 2003-10-17

Comments (3 posted)

gallery: cross-site scripting

Package(s):gallery CVE #(s):CAN-2003-0614
Created:July 31, 2003 Updated:September 2, 2003
Description: Larry Nguyen discovered a cross site scripting vulnerability in gallery, a web-based photo album written in php. This security flaw can allow a malicious user to craft a URL that executes Javascript code on your website.
Alerts:
Debian DSA-355-1 2003-07-30
Gentoo 200309-06 2003-09-02

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID.
Alerts:
EnGarde ESA-20030515-016 2003-05-15
OpenPKG OpenPKG-SA-2003.029 2003-05-16
Gentoo 200305-04 2003-05-16
Red Hat RHSA-2003:175-01 2003-05-20
Slackware ssa:2003-141-04 2003-05-22
Mandrake MDKSA-2003:061 2003-05-22
Yellow Dog YDU-20030602-4 2003-06-02
Conectiva CLA-2003:694 2003-07-11
SCO Group CSSA-2003-034.0 2003-11-17

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
SCO Group CSSA-2002-049.0 2002-11-18
Debian DSA-210-1 2002-12-13
Trustix 2002-0085 2002-12-19
Red Hat RHSA-2003:029-06 2003-02-12
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Mandrake MDKSA-2003:023 2003-02-24
Conectiva CLA-2003:720 2003-08-11

Comments (none posted)

man-db: buffer overflow, command execution

Package(s):man-db CVE #(s):CAN-2003-0620 CAN-2003-0645
Created:August 5, 2003 Updated:August 18, 2003
Description: man-db 2.4.1 and earlier contains two separate vulnerabilities. There are several buffer overflows which could perhaps be locally exploited, and some directives in ~/.manpath are executed when they should not be. These vulnerabilities only matter if the package has been installed in the setuid mode.
Alerts:
Debian DSA-364-1 2003-08-04
Debian DSA-364-2 2003-08-08
Debian DSA-364-3 2003-08-18

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mpg123 - buffer overflow

Package(s):mpg123 CVE #(s):CAN-2003-0577
Created:July 16, 2003 Updated:September 30, 2003
Description: The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Conectiva CLA-2003:695 2003-07-15
Mandrake MDKSA-2003:078 2003-07-23
Gentoo 200309-17 2003-09-30

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Red Hat RHSA-2002:228-11 2002-12-17
Conectiva CLA-2003:778 2003-11-07

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

pam-pgsql: format string vulnerability

Package(s):pam-pgsql CVE #(s):CAN-2003-0672
Created:August 11, 2003 Updated:October 1, 2003
Description: Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication.

CAN-2003-0672

Alerts:
Debian DSA-370-1 2003-08-08

Comments (none posted)

perl: cross site scripting vulnerability in CGI.pm module

Package(s):perl CVE #(s):CAN-2003-0615
Created:July 29, 2003 Updated:October 1, 2003
Description: obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

CAN-2003-0615

Alerts:
Conectiva CLA-2003:713 2003-07-29
OpenPKG OpenPKG-SA-2003.036 2003-08-06
Debian DSA-371-1 2003-08-11
Mandrake MDKSA-2003:084 2003-08-20
OpenPKG OpenPKG-SA-2003.039 2003-09-15
Red Hat RHSA-2003:256-01 2003-09-22
Red Hat RHSA-2003:256-02 2003-10-03

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
Red Hat RHSA-2002:213-06 2002-11-11
Conectiva CLA-2002:545 2002-11-13
EnGarde ESA-20021122-031 2002-11-22
Gentoo 200211-005 2002-11-20
SCO Group CSSA-2003-008.0 2003-03-04

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):phpgroupware CVE #(s):CAN-2003-0504 CAN-2003-0582
Created:July 16, 2003 Updated:October 1, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corportation report for more information.

CAN-2003-0504
CAN-2003-0582

Alerts:
Conectiva CLA-2003:697 2003-07-16
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:703 2003-07-23
Debian DSA-365-1 2003-08-05

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Debian DSA-363-1 2003-08-03
Red Hat RHSA-2003:251-01 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Conectiva CLA-2003:717 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
Trustix 2003-0029 2003-08-04
Mandrake MDKA-2004:028 2004-05-26

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Mandrake MDKSA-2002:062-1 2003-02-11
Trustix 2003-0004 2003-02-20
Immunix IMNX-2003-7+-005-01 2003-04-08
Debian DSA-397-1 2003-11-07

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Debian DSA-159-1 2002-08-28
Debian DSA-159-2 2002-09-09
Conectiva CLA-2002:527 2002-10-01
Gentoo python-20021003 2002-10-03
Trustix 2002-0073 2002-10-17
SCO Group CSSA-2002-045.0 2002-11-14
Mandrake MDKSA-2002:082 2002-11-25
Mandrake MDKSA-2002:082-1 2002-12-09
Red Hat RHSA-2002:202-25 2003-01-21
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-33 2003-02-12

Comments (none posted)

semi: insecure temporary file

Package(s):semi, wemi CVE #(s):CAN-2003-0440
Created:July 7, 2003 Updated:October 1, 2003
Description: semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker.

wemi is a fork of semi, and contains the same bug.

CAN-2003-0440

Alerts:
Debian DSA-339-1 2003-07-06
Red Hat RHSA-2003:234-01 2003-07-23
Yellow Dog YDU-20030723-2 2003-07-23
Gentoo 200308-02 2003-08-14

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s):stunnel CVE #(s):CAN-2002-1563
Created:July 25, 2003 Updated:November 25, 2003
Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.

When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.

Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.

Alerts:
Red Hat RHSA-2003:221-01 2003-07-25
EnGarde ESA-20030806-020 2003-08-06
Trustix 2003-0030 2003-08-07
Conectiva CLA-2003:736 2003-09-05
SCO Group CSSA-2003-026.0 2003-10-03
Red Hat RHSA-2003:296-01 2003-11-24

Comments (none posted)

sup: insecure temporary file

Package(s):sup CVE #(s):CAN-2003-0606
Created:July 29, 2003 Updated:October 1, 2003
Description: sup, a package used to maintain collections of files in identical versions across machines, fails to take appropriate security precautions when creating temporary files. A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the user running sup.

CAN-2003-0606

Alerts:
Debian DSA-353-1 2003-07-29

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04

Comments (1 posted)

teapop: SQL injection

Package(s):teapop CVE #(s):CAN-2003-0515
Created:July 9, 2003 Updated:October 1, 2003
Description: teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated.

CAN-2003-0515

Alerts:
Debian DSA-347-1 2003-07-08
Gentoo 200309-18 2003-09-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
SCO Group CSSA-2001-030.0 2001-08-10
Conectiva CLA-2001:413 2001-08-24
Debian DSA-075-1 2001-08-14
Debian DSA-075-2 2001-08-14
HP HPSBTL0202-023 2002-02-12
Mandrake MDKSA-2001:068 2001-08-13
Mandrake MDKSA-2001:093 2001-12-17
Progeny PROGENY-SA-2001-27 2001-08-14
Red Hat RHSA-2001:099-06 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:100-02 2001-08-09
Slackware sl-997726350 2001-08-09
SuSE SuSE-SA:2001:029 2001-09-03
Yellow Dog YDU-20010810-1 2001-08-10
Yellow Dog YDU-20010810-2 2001-08-10
Gentoo 200410-03 2004-10-05

Comments (none posted)

unzip: directory traversal vulnerability

Package(s):unzip CVE #(s):CAN-2003-0282
Created:July 1, 2003 Updated:November 13, 2003
Description: A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:
Red Hat RHSA-2003:199-01 2003-07-01
Immunix IMNX-2003-7+-017-01 2003-07-02
Conectiva CLA-2003:672 2003-07-02
Mandrake MDKSA-2003:073 2003-07-07
Debian DSA-344-1 2003-07-08
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Gentoo 200307-02 2003-07-11
Yellow Dog YDU-20030710-1 2003-07-10
Red Hat RHSA-2003:199-02 2003-08-15
Conectiva CLA-2003:724 2003-08-18
Mandrake MDKSA-2003:073-1 2003-08-19
Slackware SSA:2003-237-01 2003-08-25
Debian DSA-344-2 2003-08-26
SCO Group CSSA-2003-031.0 2003-11-07

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Red Hat RHSA-2002:297-17 2003-01-15
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Gentoo 200301-13 2003-01-22
Yellow Dog YDU-20030127-3 2003-01-27
Mandrake MDKSA-2003:012 2003-02-03
Conectiva CLA-2004:812 2004-02-10

Comments (4 posted)

vixie-cron: Local vulnerability

Package(s):vixie-cron CVE #(s):CVE-2001-0559
Created:April 17, 2003 Updated:October 3, 2003
Description: From the ISS advisory: "Vixie Cron is a scheduling daemon that ships with several Linux distributions. Vixie Cron version 3.0pl1 could allow a local attacker to gain root privileges. Crontab fails to properly drop privileges in certain cases after a crontab modification operation. A local attacker could exploit this vulnerability to gain root privileges on the system since crontab is installed setuid root."

Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page.

Alerts:
Conectiva CLA-2003:628 2003-04-17
Conectiva CLA-2003:757 2003-10-03
Conectiva CLA-2003:758 2003-10-03

Comments (none posted)

webmin: session ID spoofing

Package(s):webmin CVE #(s):CAN-2003-0101
Created:June 13, 2003 Updated:November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:
Debian DSA-319-1 2003-06-12
SCO Group CSSA-2003-035.0 2003-11-17

Comments (none posted)

wget:directory traversal bug

Package(s):wget CVE #(s):CAN-2002-1344
Created:December 10, 2002 Updated:October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3). <