
LWN.net Weekly Edition for August 28, 2003

Legislative fun in Europe

While the legal situation in the United States has been dominated by the SCO case, many community members in Europe are more concerned by what is happening on the legislative front. A couple of initiatives underway in the European Parliament's Committee on Legal Affairs and the Internal Market are worthy of attention - and activism.

The first of these, of course, is software patents. The Committee now looks set to adopt the directive on software patents on September 1. Opponents of software patents in Europe have been working hard to raise awareness on the issue; protests on the net and in Brussels happened on August 27. There is still time to be heard on this issue and, perhaps, influence the outcome. It is worth the effort; software patents are one American export that Europe can do without.

Patents are just the beginning, however. Starting, seemingly, on September 11, the Committee will begin discussing a directive "on measures and procedures to ensure the enforcement of intellectual property rights." The full (54-page) text of the directive can be downloaded from this EU page. Two parts of this directive are cause for concern:

  • Article 9 requires identification of anybody who, in the view of a copyright holder, is "thought to infringe upon an intellectual property right". This article, it is expected, will lead to the same sort of "subpoena storm" currently being engaged in by the recording industry in the U.S.

  • Article 21 includes a (criminal) prohibition of "illegal technical devices." This is, of course, a DMCA-style anti-circumvention law, which will lead to DMCA-style problems.

For a much more detailed look at the draft directive, see this analysis by the Foundation for Information Policy Research. This analysis also notes that there is, apparently, still time to bring about major changes to this draft. With luck - and suitable pressure on members of the European Parliament - the worst features of this directive can be eliminated before it ever comes to a serious vote.


Who won the latest DeCSS skirmish?

[This article was contributed by Joe 'Zonker' Brockmeier]

The decision handed down by the California Supreme Court on Monday in the DVD Copy Control Association v. Bunner case is being hailed by many as a victory for the entertainment industry. In fact, the ruling is far from a major victory for the DVD Copy Control Association. The California Supreme Court has remanded the case back to the Court of Appeal to "determine whether the evidence in the record supports the factual findings necessary to establish that the preliminary injunction was warranted under California's trade secret law."

For those not familiar with the case, the DVDCCA sued Andrew Bunner for posting the DeCSS code posted by Jon Johansen. Johansen and others reverse-engineered software created by Xing Technology corporation to create the DeCSS package, which can decrypt DVDs for viewing. (Despite the DVDCCA's repeated assertions that DeCSS is used for copying DVDs, the software is not necessary to copy a DVD -- only to view it.) The trial court sided with the DVDCCA and issued a preliminary injunction against Bunner, which was later overturned by the Court of Appeals. Interestingly, Bunner's case is still winding through the American court system while Johansen has already been acquitted in Norway of charges of using DeCSS for illegal purposes.

The California high court's ruling had very little to do with the specifics of the DeCSS code or whether CSS is a legitimate trade secret. The court simply accepted the trial court's findings that CSS is a trade secret, and ruled on the question of whether it is a violation of the First Amendment to issue a preliminary injunction in the interests of protecting a trade secret. The Court of Appeals had ruled that trade secrets were not as important as First Amendment protections and lifted the injunction against Andrew Bunner posting the DeCSS source code. The California Supreme Court, however, disagreed that First Amendment considerations trump the protection of trade secrets:

Our decision today is quite limited. We merely hold that the preliminary injunction does not violate the free speech clauses of the United States and California Constitutions, assuming the trial court properly issued the injunction under California's trade secret law. On remand, the Court of Appeal should determine the validity of this assumption.

So, the fight over DeCSS is far from over, which is good news. The bad news is that the California Supreme Court doesn't see any value in the DeCSS code in the continuing debate over the entertainment industry's use of encryption. From page 22 of the decision:

Disclosure of this highly technical information adds nothing to the public debate over the use of encryption software or the DVD industry's efforts to limit unauthorized copying of movies on DVD's. And the injunction does not hamper Bunner's ability to "discuss and debate" these issues as he has in the past in both an educational, scientific, philosophical and political context. Bunner does not explain, and we do not see, how any speech addressing a matter of public concern is inextricably intertwined with and somehow necessitates disclosure of DVD CCA's trade secrets.

Many in the open source community would disagree that the disclosure of the code "adds nothing to the public debate." Ed Felten writes that access to the code is an important factor in the debate over CSS:

CSS is a controversial technology, and information about how it works is directly relevant to the debate about it. True, many people who are interested in the debate will have to rely on experts to explain the relevant parts of DeCSS to them; but the same is true of Enron's accounting or the Shuttle's engineering.

Certainly the fact that CSS was so easily defeated is of public interest when debating whether CSS qualifies as a "trade secret" or simply a veiled attempt to rob users of their fair use rights over copyrighted materials they've legally purchased. The code should also be of some interest to those who wish to disprove the DVDCCA's continual claims that DeCSS exists primarily for copying DVDs, rather than watching them.

Whether Bunner is legally permitted to post DeCSS or not, the cat is out of the bag. For all practical purposes, anyone who wants to get access to the DeCSS code is able to do so. However, the case will set precedents that will no doubt be revisited as the entertainment industry rolls out new media formats and new encryption schemes.


This week's SCO fun

It may have seemed like a relatively quiet week on the SCO front - to the relief of many - but a number of things have been happening. It's time to get caught up in the latest developments in this case.

People have continued to look at the code samples presented by SCO in Las Vegas. Eric Raymond posted his own analysis which included a comparison of the Linux atealloc() code with the SYSV malloc() implementation - something that Eric evidently has sitting around somewhere. Eric's conclusion was that the Linux code derives from the ancient malloc() implementation found in 32V Unix. LWN, looking at Eric's diff, came to a different conclusion; the Linux code appears to have been taken from (proprietary) SYSV Unix. See this article for a full description of our reasoning. Since then, FreeBSD kernel hacker Greg Lehey has posted his analysis, which also points to a SYSV derivation.

The sad fact is that this particular piece of code is problematic no matter how you look at it. The alternatives are:

  • The code was lifted from SYSV Unix, which makes it a direct infringement of SCO's copyrights.

  • The code actually derives from the ancient 32V Unix release. SCO, back when it was called Caldera, released 32V under an older, four-term BSD license; this license is incompatible with the GPL, due to its advertising requirement. The code in Linux also lacked the requisite copyright headers. In this scenario, the inclusion of this code infringes SCO's copyrights (due to the missing copyright headers) and also those of the other Linux kernel contributors (due to the GPL incompatibility).

  • There are other opinions on how 32V is really licensed. SCO has started making noises to the effect that 32V was really only released for 16-bit, non-commercial use, though the license letter that went around (and, indeed, was sent to us anew by SCO PR person Blake Stowell) says otherwise. Any attempt by SCO to "call back" this release is likely to fail at this point.

    Then, there is the assertion that 32V is actually public domain. This conclusion comes from the March 3, 1993 ruling in the USL case, which reads: "...I find that Plaintiff has failed to demonstrate a likelihood that it can successfully defend its copyright in 32V. Plaintiff's claims of copyright violations are not a basis for injunctive relief." But saying that USL lacks evidence strong enough to justify a preliminary injunction is different from a true finding that the 32V code has gone into the public domain. Given the rather friendly stance the courts have taken toward copyright holders in modern times, relying on this preliminary ruling to hold in a new court case seems risky at best.

It is thus hard to conclude that this code belongs in Linux. And, in fact, it has already been removed from the 2.4 and 2.6-test branches. In any case, it is a tiny piece of ancient code performing a trivial task; it is not the basis of a $3 billion lawsuit. If this is the best that SCO has, its case will not go that far.

SCO's other code sample, of course, was the Linux implementation of the Berkeley Packet Filter (BPF) library. There appears to be no way that SCO can claim ownership of this code; indeed, Greg Lehey's analysis suggests that, perhaps, SCO has stripped the copyright headers from its copy of that code, in violation of its (BSD) license. SCO would seem to have figured out that it is on especially thin ice here; a recent InfoWorld article quotes SCOSource VP Chris Sontag as follows:

But Sontag said the BPF routines were not intended to be an example of stolen code, but rather a demonstration of how SCO was able to detect 'obfuscated' code, or code that had been altered slightly to disguise its origins. The slide displaying the code should have been written differently to reflect that intention, he said.

Given that the slide in question reads "Obfuscated System V code has been copied into Linux kernel releases 2.4x and 2.5x," one might well agree that it should have been "written differently." One might well ask what other parts of the company's recent output should be written differently.

Meanwhile, SCO lawyer Mark Heise is still taking potshots at the GPL; his latest assertion (from this ZDNet interview) is that Section 301 of the U.S. Copyright Act preempts the GPL. Now, one of the advantages of having an Internet around is that one can go and check these things directly; the first part of Chapter 3 of the Copyright Act reads:

§ 301. Preemption with respect to other laws

(a) On and after January 1, 1978, all legal or equitable rights that are equivalent to any of the exclusive rights within the general scope of copyright as specified by section 106 in works of authorship that are fixed in a tangible medium of expression and come within the subject matter of copyright as specified by sections 102 and 103, whether created before or after that date and whether published or unpublished, are governed exclusively by this title. Thereafter, no person is entitled to any such right or equivalent right in any such work under the common law or statutes of any State.

Those of us who are unused to reading legalese will probably have to go over this paragraph two or three times, but, in the end, the title sums it up pretty well: this part of the copyright law states that it preempts other laws at the state level. Since very few states have enacted the GPL into law, the §301 preemption really is not relevant. The GPL is a license in which the copyright holder waives certain rights under certain conditions, as is allowed by the rest of the copyright law. If §301 preempts the GPL, it preempts every other software license as well. So Mr. Heise's reasoning remains unconvincing, to say the least. However, he appears to be in charge of this case at this point; David Boies would seem to have found more pressing engagements elsewhere.

Then, there is SCO CEO Darl McBride's amusing and paranoiac assertion (as reported in InfoWorld) that IBM is behind the attacks on his company. No further comment seems necessary there.

SCO's web site was evidently the target of a denial of service attack over the weekend of August 23. The Linux community should have nothing to do with such attacks. They do not help us in any way, and they go strongly against the principles of openness and freedom upon which the community is based. This sort of attack also gives SCO a great opportunity to portray the community as a bunch of criminals. Taking down SCO's site is wrong; it is a big mistake. Let us hope that it does not happen again.

Finally, Rob Landley and Eric Raymond have put together a response to SCO's amended complaint in the IBM case. Think of it as the "Mystery Science Theater 3000" version of the complaint; SCO's text is presented with Rob and Eric ruthlessly heckling each paragraph as it comes. It is a good resource for those wanting to put SCO's actual allegations in the IBM case into perspective.


The Great Expiration

The September 26, 2002 LWN Weekly Edition was the beginning of a major change for this publication. Therein, we said:

We will now try to transition LWN into a subscription-based publication, supported by the readers that benefit from it. If LWN is valuable enough to its readers to earn that support, we will continue to produce it - and try to make it better. If not, well, then we will search for some other way to use our skills in the free software community.

At the time, we concluded that we needed about 4000 subscribers to begin to see LWN as a stable enterprise. We're still a bit short of that - there are just under 3000 individual subscribers, currently - but we're still here. Things seem to be headed in the right direction.

Much depends on what happens in the next month or so, however. Many of you went for one-year subscriptions when they first became available. That money has sustained us over the last year, and we are more than grateful for that. But those subscriptions are now about to expire. Over the next month or so, almost one third of our subscriptions will come to an end. If the renewal rate is high enough, we should get a cash infusion that will prove most helpful in taking LWN to the next level, and we can continue our march toward 4000 subscribers (and beyond). If it's not, well...

We're optimistic. We came out of the "mini expiration" last spring (when the first set of six-month subscriptions ran out) with as many subscribers as we had going in. With luck, the same will hold true this time.

Please note that, if you signed up for an automatic monthly subscription, you, too, will have to renew it. Some businesses, once they get your credit card, feel entitled to keep charging to it until you show up on the premises with a baseball bat and make them stop. We've never felt we had that right, so automatic subscriptions include a maximum number of authorized charges. That maximum was capped at twelve months (we've since raised it to 24), and will be running out for those of you who subscribed a year ago. Many of you will have already received the "last charge" message we send when the authorized payments run out. Renewing is just a matter of going to the My Account page and enabling more charges.

The rest of you will not get mail from us until your subscription actually ends and the grace period begins.

Many of you, however, will not get mail from us at all. We have never made any attempt to force people to give us a real email address when they set up an account; if you really don't want us to have it, we can live with that. But, if we do not have your email address, we cannot communicate with you regarding subscription expiration. Some of you may also lose our email because your mailboxes are full of SoBig output; we also simply do not have the time to be feeding cookies to challenge/response systems. If any of the above situations apply to you, please keep an eye out for the "renew your subscription" link that will show up in the left column. Or just head over to the "My Account" page and top up your subscription ahead of time.

Finally, please note that we will soon stop offering automatic monthly subscriptions at the "starving hacker" level. When we make credit card charges that small, the processing fees eat up a substantial amount of the money we get. Honestly, we'd rather that subscriber money (your money!) went to us, rather than credit card processing companies. The "starving hacker" level will continue to exist, but subscriptions will need to be prepaid at least three months at a time. Existing monthly subscriptions at that level will not be affected as long as they are maintained.

Once again, please accept our thanks for supporting LWN so strongly over the last year. We will continue to try to show our appreciation by making LWN the best resource that it can be.


Page editor: Jonathan Corbet

Security

Security news

The police tap JAP

The Java Anonymous Proxy project is developing a proxy system which enables users to access web sites in an anonymous manner. The JAP code is distributed under a BSD-like license. The JAP project also runs a set of servers which provide the actual anonymous web access.

It turns out, however, that access is not always anonymous; the JAP system went down for a few days in mid-August for the addition of new "security features." Those features, it seems, include a means by which the German police can determine the real originating IP address for accesses to a destination site of their choice. This access requires the usual formalities - court orders and such - but it does, regardless, violate the spirit of an anonymous proxy system. This is the sort of thing that users of an anonymous proxy are trying to get away from.

Since JAP is free software, people who were paying attention were able to see the new "security features" as they were checked in to the CVS repository. This transparency is, of course, one of the reasons why we like free software in the first place. We should remember, however, that there was nothing forcing the JAP developers to commit their changes to a public repository, and there is still no assurance that the JAP servers are running the same software as that found in the repository or on the download site. Entrusting your privacy to a remote system over which you have no control remains a risky thing to do.

See the JAP project's press release for more information on this incident.


The most over- and under-rated vulnerabilities

ITSecurity.com has published a look at the most over- and under-rated vulnerabilities, as determined by Harris Corporation. The list is worth a look; it is an attempt to clarify where the real risks lie. Besides, a couple of the entries are rather amusing.

So what are the overrated vulnerabilities? A few selections from the list include:

  • PGP vulnerabilities. As the authors assert, there is no known case of somebody having actually broken PGP's encryption.

  • SNMP; "As long as the default community strings have been changed, SNMP should be fairly safe. Actual exploitation using SNMP has been rare."

  • Cross-site scripting. Actual cross-site scripting exploits are rare; there is usually a more direct route to what the crackers want.

  • Gopher vulnerabilities. Evidently some people are still concerned about Gopher holes.

So, rather than running out to patch that Gopher server, what should you really be worried about? The list includes:

  • Remote procedure call vulnerabilities. RPC remains dangerous, and certainly should not be exposed to the internet.

  • Wireless networks which are easy to find and penetrate, and which often live inside firewalls.

  • Keystroke loggers and spyware.

  • WebDAV servers. This one makes the list mostly due to the potential of compromising the web server, and (on Windows, at least) thus the whole machine.

Interestingly, virus-susceptible email systems do not make the list, despite the fact that this type of vulnerability has probably created more in the way of security costs - especially recently - than any other. Clearly this vulnerability is underrated, given that it remains unclosed after all these years. Risk, evidently, is still in the eye of the beholder.


New vulnerabilities

GDM allows local user to read any file

Package(s): GDM, XDMCP
CVE #(s): CAN-2003-0547 CAN-2003-0548 CAN-2003-0549
Created: August 21, 2003
Updated: August 29, 2003
Description: GDM is the GNOME Display Manager for X.

Versions of GDM prior to 2.4.1.6 contain a bug where GDM will run as root when examining the ~/.xsession-errors file when using the "examine session errors" feature, allowing local users the ability to read any text file on the system by creating a symlink. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0547 to this issue.

Additional problems may be found in the X Display Manager Control Protocol (XDMCP) which allow a denial of service attack (DoS) by crashing the gdm daemon. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2003-0548 and CAN-2003-0549 to these issues.

Alerts:
Conectiva CLA-2003:729 2003-08-29
Slackware SSA:2003-236-01 2003-08-24
Mandrake MDKSA-2003:085 2003-08-21
Red Hat RHSA-2003:258-01 2003-08-21


libpam-smb: exploitable buffer overflow

Package(s): libpam-smb, pam-smb
CVE #(s): CAN-2003-0686
Created: August 26, 2003
Updated: September 30, 2003
Description: libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information.

CAN-2003-0686

Alerts:
Conectiva CLA-2003:734 2003-09-05
SuSE SuSE-SA:2003:036 2003-09-03
Gentoo 200309-01 2003-09-01
Red Hat RHSA-2003:261-01 2003-08-26
Debian DSA-374-1 2003-08-26


sendmail: bad DNS reply causes crash

Package(s): sendmail
CVE #(s): CAN-2003-0688
Created: August 26, 2003
Updated: September 30, 2003
Description: There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x versions with respect to DNS maps. The bug did not exist in versions before 8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9, released March 29, 2003. See this advisory for more information.

CAN-2003-0688

Alerts:
Conectiva CLA-2003:727 2003-08-29
Red Hat RHSA-2003:265-01 2003-08-28
OpenPKG OpenPKG-SA-2003.037 2003-08-28
SuSE SuSE-SA:2003:035 2003-08-26
Mandrake MDKSA-2003:086 2003-08-26


vmware-workstation: vulnerability allows full host access

Package(s): vmware-workstation
CVE #(s): CAN-2003-0480 CAN-2003-0631
Created: August 25, 2003
Updated: September 2, 2003
Description: According to this advisory vulnerabilities exist in VMware GSX Server 2.5.1 and earlier, and in VMware Workstation 4.0 and earlier releases. "By manipulating the VMware GSX Server and VMware Workstation environment variables, a program such as a shell session with root privileges could be started when a virtual machine is launched. The user would then have full access to the host."

See also CAN-2003-0480 and CAN-2003-0631

Alerts:
Gentoo 200308-03.1 2003-09-01
Gentoo 200308-03 2003-08-25


Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s): 2.4 kernel
CVE #(s): CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created: July 21, 2003
Updated: December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.

Alerts:
Red Hat RHSA-2003:408-00 2003-12-19
Gentoo 200308-01 2003-08-14
Debian DSA-358-4 2003-08-13
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-2 2003-08-05
Debian DSA-358-3 2003-08-04
Debian DSA-358-1 2003-07-31
EnGarde ESA-20032407-018 2003-07-24
Red Hat RHSA-2003:238-01 2003-07-21


apache: multiple vulnerabilities in Apache HTTP server

Package(s): apache
CVE #(s): CAN-2003-0192 CAN-2003-0253 CAN-2003-0254
Created: July 11, 2003
Updated: September 22, 2003
Description: The Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
  • Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [CAN-2003-0192]

  • Certain errors returned by accept() on rarely accessed ports could cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]

  • Denial of service was caused when the target host is IPv6 but the ftp proxy server can't create an IPv6 socket. [CAN-2003-0254]

  • The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests. [VU#379828]

Alerts:
Red Hat RHSA-2003:243-01 2003-09-22
Red Hat RHSA-2003:240-01 2003-09-04
Mandrake MDKSA-2003:075-1 2003-08-28
Mandrake MDKSA-2003:075 2003-07-21
Conectiva CLA-2003:698 2003-07-21
Trustix 2003-0025 2003-07-11


atari800: buffer overflows

Package(s): atari800
CVE #(s): CAN-2003-0630
Created: August 1, 2003
Updated: September 2, 2003
Description: Steve Kemp discovered multiple buffer overflows in atari800, an Atari emulator. In order to directly access graphics hardware, one of the affected programs is setuid root. A local attacker could exploit this vulnerability to gain root privileges.

Alerts:
Gentoo 200309-07 2003-09-02
Debian DSA-359-1 2003-07-31


autorespond: buffer overflow

Package(s): autorespond
CVE #(s): CAN-2003-0654
Created: August 18, 2003
Updated: September 30, 2003
Description: Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.

CAN-2003-0654

Alerts:
Debian DSA-373-1 2003-08-16


bind buffer overflow vulnerability in DNS resolver libraries

Package(s): bind, glibc
CVE #(s): CAN-2002-0651 CAN-2002-0684
Created: July 8, 2002
Updated: September 30, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04


Canna server: exploitable buffer overrun

Package(s): canna
CVE #(s): CAN-2002-1158 CAN-2002-1159
Created: December 10, 2002
Updated: September 30, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2002-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04


eroaster: insecure temporary file

Package(s): eroaster
CVE #(s): CAN-2003-0656
Created: August 19, 2003
Updated: September 30, 2003
Description: A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster.

CAN-2003-0656

Alerts:
Gentoo 200309-04 2003-09-02
Mandrake MDKSA-2003:083 2003-08-19
Debian DSA-366-1 2003-08-05


ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
SCO Group CSSA-2003-030.0 2003-11-07
Yellow Dog YDU-20030718-2 2003-07-18
Red Hat RHSA-2003:203-01 2003-07-03
Gentoo 200306-13 2003-06-25
Conectiva CLA-2003:662 2003-06-25
Mandrake MDKSA-2003:070 2003-06-23

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fdclone: insecure temporary directory

Package(s):fdclone CVE #(s):CAN-2003-0596
Created:July 23, 2003 Updated:September 30, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.

CAN-2003-0596

Alerts:
Debian DSA-352-1 2003-07-22

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

gallery: cross-site scripting

Package(s):gallery CVE #(s):CAN-2003-0614
Created:July 31, 2003 Updated:September 2, 2003
Description: Larry Nguyen discovered a cross site scripting vulnerability in gallery, a web-based photo album written in php. This security flaw can allow a malicious user to craft a URL that executes Javascript code on your website.
Alerts:
Gentoo 200309-06 2003-09-02
Debian DSA-355-1 2003-07-30

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains User Mode Linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:September 30, 2003
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mpg123 - buffer overflow

Package(s):mpg123 CVE #(s):CAN-2003-0577
Created:July 16, 2003 Updated:September 30, 2003
Description: The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Gentoo 200309-17 2003-09-30
Mandrake MDKSA-2003:078 2003-07-23
Conectiva CLA-2003:695 2003-07-15

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netris: buffer overflow

Package(s):netris CVE #(s):CAN-2003-0685
Created:August 18, 2003 Updated:September 30, 2003
Description: Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the privileges of the user running netris in client mode, if they connect to a hostile netris server.

CAN-2003-0685

Alerts:
Debian DSA-372-1 2003-08-16

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openslp: temporary file creation vulnerability

Package(s):openslp CVE #(s):
Created:August 18, 2003 Updated:August 20, 2003
Description: According to this advisory there's a symbolic link vulnerability in one of the initscripts provided with openslp. The slpd.all_init file uses '/tmp/route.check' as a temporary file in an unsafe manner.
Alerts:
Conectiva CLA-2003:723 2003-08-18

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

pam-pgsql: format string vulnerability

Package(s):pam-pgsql CVE #(s):CAN-2003-0672
Created:August 11, 2003 Updated:September 30, 2003
Description: Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication.

CAN-2003-0672

Alerts:
Debian DSA-370-1 2003-08-08

Comments (none posted)

perl: cross site scripting vulnerability in CGI.pm module

Package(s):perl CVE #(s):CAN-2003-0615
Created:July 29, 2003 Updated:September 30, 2003
Description: obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

CAN-2003-0615

Alerts:
Red Hat RHSA-2003:256-02 2003-10-03
Red Hat RHSA-2003:256-01 2003-09-22
OpenPKG OpenPKG-SA-2003.039 2003-09-15
Mandrake MDKSA-2003:084 2003-08-20
Debian DSA-371-1 2003-08-11
OpenPKG OpenPKG-SA-2003.036 2003-08-06
Conectiva CLA-2003:713 2003-07-29

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:September 30, 2003
Description: Two vulnerabilities exist in the mail() PHP function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):phpgroupware CVE #(s):CAN-2003-0504 CAN-2003-0582
Created:July 16, 2003 Updated:September 30, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corporation report for more information.

CAN-2003-0504
CAN-2003-0582

Alerts:
Debian DSA-365-1 2003-08-05
Conectiva CLA-2003:703 2003-07-23
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:697 2003-07-16

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:September 30, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

semi: insecure temporary file

Package(s):semi, wemi CVE #(s):CAN-2003-0440
Created:July 7, 2003 Updated:September 30, 2003
Description: semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker.

wemi is a fork of semi, and contains the same bug.

CAN-2003-0440

Alerts:
Gentoo 200308-02 2003-08-14
Yellow Dog YDU-20030723-2 2003-07-23
Red Hat RHSA-2003:234-01 2003-07-23
Debian DSA-339-1 2003-07-06

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s):stunnel CVE #(s):CAN-2002-1563
Created:July 25, 2003 Updated:November 25, 2003
Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.

When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.

Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.

Alerts:
Red Hat RHSA-2003:296-01 2003-11-24
SCO Group CSSA-2003-026.0 2003-10-03
Conectiva CLA-2003:736 2003-09-05
Trustix 2003-0030 2003-08-07
EnGarde ESA-20030806-020 2003-08-06
Red Hat RHSA-2003:221-01 2003-07-25

Comments (none posted)

sup: insecure temporary file

Package(s):sup CVE #(s):CAN-2003-0606
Created:July 29, 2003 Updated:September 30, 2003
Description: sup, a package used to maintain collections of files in identical versions across machines, fails to take appropriate security precautions when creating temporary files. A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the user running sup.

CAN-2003-0606

Alerts:
Debian DSA-353-1 2003-07-29

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

teapop: SQL injection

Package(s):teapop CVE #(s):CAN-2003-0515
Created:July 9, 2003 Updated:September 30, 2003
Description: teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated.

CAN-2003-0515

Alerts:
Gentoo 200309-18 2003-09-30
Debian DSA-347-1 2003-07-08

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 20, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE