LWN.net Weekly Edition for September 11, 2003

The state of the SCO case

The whole SCO affair started as a breach-of-contract suit against IBM. That suit is based on the language of the Unix contracts signed with AT&T almost two decades ago, which reads:

AT&T grants to Licensee a personal, nontransferable and nonexclusive right to use Software Product solely for Licensee's own internal business purposes and solely on or in conjunction with Designated CPUs for such Software Product. Such right to use includes the right to modify such Software Product and to prepare derivative works based on such Software Product, provided the resulting materials are treated hereunder as part of the original Software Product.

The core of SCO's claim is that anything that IBM has ever allowed to be a part of a Unix system has become a "derived product" of Unix and must be treated as if it were Unix itself. SCO cannot make any ownership claims over this code - a side letter to the contract makes that explicit - but it does claim the right to keep IBM from disclosing its own code.

Through its public statements, SCO has since made claims of massive direct copying of SYSV Unix code into Linux. There is still no court case where SCO has made such claims, however. The company's experience at SCO Forum and subsequent public statements suggest that the evidence for direct copying of code - actual copyright violations - is weak at best. SCO might have a small case against SGI, depending on how a judge might choose to interpret the copyright status of 32V Unix and the true source of the ate_malloc() code. But that is between those two companies; the code in question has already been removed from current Linux kernels.

Increasingly, it seems that SCO is left with its original breach of contract case. The recently issued open letter from Darl McBride does nothing to change that impression; it mentions the ate_malloc() case but does not allege any other direct copying. Instead, the company's claims are expressed as follows:

To date, we claim that more than one million lines of UNIX System V protected code have been contributed to Linux through this model. The flaws inherent in the Linux process must be openly addressed and fixed.

In SCO's view, "Unix System V protected code" is a rather wider set than "SCO-owned code." In fact, at SCO Forum, the company put up a slide discussing the "more than one million lines" that it claims. Here's where they come from:

Subsystem Files Lines
Read-copy-update 46 109,688
NUMA 101 56,587
JFS 44 32,224
XFS 173 119,130
Symmetric multiprocessing 1,185 829,393
TOTAL 1,549 1,147,022

(SCO has posted the slides to its presentations on this page. You'll have to click past the cheery warning that things are optimized for Internet Explorer to view them, though.)

These claims are interesting in a number of ways. Let's look at the RCU claim for a moment. In a modern Linux kernel (RCU does not appear in 2.4), the RCU implementation is contained in two files (include/linux/rcupdate.h and kernel/rcupdate.c), which add up to an amazing 402 lines. That leaves us 44 files and 109,286 lines short of the claim made by SCO. Clearly, SCO must also be making claims on any code that uses RCU in any way. If you look for files that make any use of the RCU subsystem, the results are:

File Lines
arch/i386/oprofile/nmi_timer_int.c 57
drivers/char/ipmi/ipmi_kcs_intf.c 1275
fs/dcache.c 1641
include/asm-x86_64/kdebug.h 44
include/linux/rcupdate.h 135
include/linux/dcache.h 316
include/linux/list.h 565
include/net/dst.h 254
init/main.c 604
ipc/util.c 612
kernel/rcupdate.c 267
kernel/module.c 1949
kernel/sched.c 2594
net/802/psnap.c 160
net/bridge/br_device.c 147
net/bridge/br_forward.c 157
net/bridge/br_if.c 289
net/bridge/br_ioctl.c 309
net/bridge/br_input.c 159
net/core/netfilter.c 761
net/core/dev.c 3092
net/ipv4/af_inet.c 1250
net/ipv4/icmp.c 1120
net/ipv4/ip_input.c 433
net/ipv4/route.c 2797
net/ipv6/af_inet6.c 895
net/ipv6/icmp.c 787
net/ipv6/ip6_input.c 260
net/decnet/dn_route.c 1843
TOTAL (29 files) 24,772

So, even with such an expansive interpretation of SCO's claim, there are 17 files missing. They must be big files as well, since they must account for the remaining 84,916 lines. The "contamination" caused by RCU is evidently a very broad thing. We asked SCO where the missing files were, but were told only "[T]his level of detail is something that we will save for our court case in 2005." So we're going to have to remain in suspense for a while. But one thing is clear: SCO claims that the old AT&T licenses give it amazing powers over code that has ever breathed the same air as SYSV Unix. Anybody who claims that the GPL is overly "viral" or that it threatens intellectual property should take a good look at the powers that SCO claims its license gives it. The GPL can't compete in that league.
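For readers who want to reproduce a tally like the one above, here is an added example (written for this page, not code from the article): it walks a source tree, keeps every .c or .h file that mentions one of a list of RCU identifiers, and sums their line counts with wc -l semantics. The identifier list and the three-file sample tree are constructed assumptions; point tally() at a real kernel checkout to redo the count for yourself.

```python
"""Reproduce the method behind the RCU table: find every source file under a
tree that references the subsystem's API and sum their line counts.  Added
example for this page, not code from the article; the identifier list and
the sample tree are assumptions constructed for illustration."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Names taken as evidence that a file "uses RCU".  An assumption: the article
# does not say which identifiers it searched for.
RCU_PATTERN = re.compile(
    r"rcupdate\.h|\b(?:rcu_read_lock|rcu_read_unlock|call_rcu|synchronize_kernel|list_\w+_rcu)\b"
)
SOURCE_SUFFIXES = (".c", ".h")

# Constructed miniature tree standing in for a kernel checkout.
SAMPLE_TREE: Dict[str, str] = {
    "include/linux/rcupdate.h": "#ifndef _LINUX_RCUPDATE_H\n#define _LINUX_RCUPDATE_H\n"
                                "void call_rcu(void *head);\n#endif\n",
    "kernel/rcupdate.c": "#include <linux/rcupdate.h>\n\nvoid call_rcu(void *head)\n{\n}\n",
    "fs/plain.c": "/* no RCU here */\nint plain(void)\n{\n\treturn 0;\n}\n",
}


def count_lines(path: str) -> int:
    """Line count with wc -l semantics: the number of newline characters."""
    with open(path, "rb") as f:
        return f.read().count(b"\n")


def files_using(root: str, pattern: "re.Pattern[str]" = RCU_PATTERN) -> List[Tuple[str, int]]:
    """(relative path, line count) for each .c/.h file under root whose text matches pattern."""
    hits: List[Tuple[str, int]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                if pattern.search(f.read()):
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits.append((rel, count_lines(path)))
    return sorted(hits)


def tally(root: str) -> Tuple[List[Tuple[str, int]], int, int]:
    """The table plus its two totals: matching files and their summed lines."""
    hits = files_using(root)
    return hits, len(hits), sum(n for _, n in hits)


def shortfall(claimed_files: int, claimed_lines: int,
              found_files: int, found_lines: int) -> Tuple[int, int]:
    """How far a count falls short of a claim, e.g. SCO's 46 files / 109,688 lines."""
    return claimed_files - found_files, claimed_lines - found_lines


def sample_tally() -> Tuple[List[Tuple[str, int]], int, int]:
    """Write the constructed tree to a temporary directory and tally it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(text)
        return tally(root)


if __name__ == "__main__":
    hits, nfiles, nlines = sample_tally()
    for rel, n in hits:
        print(f"{rel:40} {n:>8,}")
    print(f"{'TOTAL (%d files)' % nfiles:40} {nlines:>8,}")
    print("short of SCO's RCU claim by %d files and %d lines"
          % shortfall(46, 109_688, nfiles, nlines))
```

On the sample tree the script finds two of the three files; on a real tree the identifier list is the whole argument, which is exactly the point: the count depends entirely on what one decides "uses RCU" means.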

SCO's legal argument is interesting; the company claims that Linux hackers have, while having never actually seen the SYSV Unix source, nonetheless created a derived product of SYSV Unix. They are accused of copying something they never had access to. This argument seems destined to fail; how can something which contains no SYSV code be a derived product of SYSV? But that is the core of SCO's argument.

An interesting question comes out of this: what if SCO wins its case? SCO will have then convinced a court that IBM released IBM's code in violation of an agreement it had with SCO. The fact that IBM released IBM's code, however, would not change. SCO does not own that code; how can it claim a right to payments from Linux users? If SCO wins, it may get a chunk of money from IBM. But it should still have nothing which entitles it to license payments from Linux users.

Returning to Darl McBride's open letter, we note that there are no demands that Linux users buy SCO "licenses," and no threats of suits against users. Mr. McBride, instead, has taken a bit of a different approach:

A sustainable business model for software development can be built only on an intellectual property foundation. I invite the Open Source community to explore these possibilities for your own benefit within an Open Source model. Further, the SCO Group is open to ideas of working with the Open Source community to monetize software technology and its underlying intellectual property for all contributors, not just SCO.

One might point out that the free software world does, indeed, have an "intellectual property foundation." It is based on copyright law, and free licenses, including the GPL, which SCO has said it wants to break. One might also point out that the community is not in much of a mood for "working with" SCO at this point. But one's time might be better spent pondering what SCO was thinking when it published those words.

SCO clearly wants to be able to put a tax on Linux systems. SCO also clearly sees the GPL as an obstacle; there is no way to make a tax stick to Linux as long as it remains freely redistributable. Could SCO be casting around for a scheme to buy off free software developers should its challenges to the GPL fail? A nice tax for SCO and a few bones tossed to developers willing to relicense their code? It is hard to see how such a scheme could possibly succeed, but it is also hard to find another way to interpret the words quoted above.

In summary, the SCO case remains interesting. SCO has changed its tune several times, but, for the moment, is back where it began: a breach of contract suit against IBM. The company has yet to produce any evidence that Linux users owe it money. It is also now interested in "working with the open source community." But SCO remains unpredictable. We have not yet seen the last strange twist in this case.


An opening for OpenOffice.org

[This article was contributed by Joe 'Zonker' Brockmeier]

For years now, Linux users have had to struggle with the omnipresent Microsoft Office formats. Developers working on OpenOffice.org, Abiword, KOffice, Gnumeric and other applications have had their hands full trying to decipher the proprietary and obfuscated MS Office formats so that users could read and exchange documents with their MS Office-using colleagues. With Microsoft Office 2003, Redmond is taking obfuscation to new levels that may mean legal problems for developers who try to provide compatibility with Office, and huge fees for companies that try to adopt it.

In addition to the usual slew of new features, Office 2003 Professional comes with Information Rights Management (IRM) tools. (Users of Office 2003 Standard can not create IRM documents.) Basically, IRM is just another name for Digital Rights Management (DRM), a term that Microsoft is avoiding because of the negative connotations that DRM has already picked up. IRM allows users to restrict what others can do with a document. Without the proper permissions, recipients of IRM-restricted documents will be unable to read or print them. Recipients of IRM-restricted e-mails will be unable to forward them as well. And users can set documents to expire.

Naturally, these documents will be incompatible with previous versions of Microsoft Office, to say nothing of competing tools like OpenOffice.org, Gnumeric or Ximian's Evolution. In addition to the usual format obfuscation, however, Microsoft also has the Digital Millennium Copyright Act (DMCA) to protect it from competition. Since the format includes encryption, Microsoft will be able to threaten developers with the DMCA if they attempt to include support for IRM-restricted documents.

Microsoft's IRM also depends on its server-based Rights Management Services (RMS). This means that any company wanting to adopt IRM is also forced to adopt Microsoft at the server. It doesn't preclude companies using a mixture of Microsoft and Linux servers, but it does mean that organizations that have only adopted Microsoft at the desktop would be forced to make additional investments in Microsoft software.

Not only is the technology extremely restrictive, the price should be enough to give any CFO or business owner pause. To deploy RMS within an organization requires that you run Windows Server 2003. That brings some hefty licensing fees on its own, but there's more. Every user who connects to that server has to have a Windows Server 2003 Client Access License (CAL) and a RMS User CAL, not to mention the licensing fees for that user's copy of Windows XP and Office 2003 Professional. The RMS CAL alone runs $37 for a single user, or $185 for a pack of five CALs. No doubt, large organizations could get the CALs even cheaper, but it still becomes very expensive. Note that this isn't just for users who create IRM documents, but also for any user who views an IRM-restricted document.

That's to use Microsoft's RMS within an organization. Companies that want to share files with users outside the organization, will need yet another license from Microsoft. According to Microsoft's pricing and licensing overview page, this license alone will run an organization $18,066 for the Windows RMS External Connector License. This fee may not be a major obstacle for large organizations, but it would certainly represent a major burden on small companies that need to share documents with clients.

Believe it or not, Microsoft's new Office suite is potentially good news for the open source community. It creates yet another opening for Linux vendors and proponents to make the case for free and open software in business. Microsoft has laid out its vision for the future of software, and it's filled with licensing fees stacked upon licensing fees -- and technologies that suck the user deeper and deeper into Microsoft's "stack" of solutions. Many organizations have been content to adopt Windows on the desktop, and other technologies at the server level. Redmond's all-or-nothing approach, attempting to force their customers to adopt their toolchain entirely, may end up driving them away completely.

To use IRM/RMS, an organization would have to adopt Microsoft across the board -- and likely will require them to persuade their business partners to do the same. Few organizations can get by without sharing documents externally. Expect major levels of frustration when a company adopts Office 2003 with IRM, and tries to share documents with others using older versions of Office. Even if a company is gung-ho about IRM, their business partners may not be.

If the Office 2003 strategy works, and organizations start jumping on the IRM bandwagon, it's the ultimate lock-in for Microsoft. Game over for Linux users (and vendors) trying to maintain compatibility with Windows users. This would have the potential of breaking compatibility even for reading e-mail, if you work with Outlook users who enable IRM.

But it also has the potential to cause some significant backlash against Redmond when companies start tallying up the costs of switching and being fully compatible with Microsoft's document DRM. Let's not forget that most organizations are being much more stingy with their tech purchases these days. Many companies are still smarting over Microsoft's "new and improved" licensing programs and the recent security snafus. If SoBig.F wasn't enough to send companies over to Linux, Office 2003 might be the straw that broke the camel's back.


On giving back

On September 8, LynuxWorks announced the availability of a beta release of BlueCat Linux 5.0. BlueCat is the company's embedded Linux distribution; 5.0, interestingly, is based on the (still unreleased) 2.6 kernel. LynuxWorks claims to have applied a lengthy series of "ISO 9001:2000" reliability tests to this kernel. The PR also cites some of the features of this kernel which are of interest to the embedded community, including kernel preemption, the O(1) scheduler, and the improved threading support. LynuxWorks, they say, is the first embedded systems company to make these features available in a Linux-based system.

The interesting thing, of course, is that all of those features were developed at other companies. Kernel preemption, in particular, was done by Nigel Gamble and Robert Love at MontaVista - a direct LynuxWorks competitor. The extensive testing done by LynuxWorks must certainly have turned up bugs; the 2.6 kernel is still an unreleased product, beta quality at best. Yet no fixes appear to have been sent back to the community. Over the last year, only one posting appeared on linux-kernel from either lynuxworks.com or lnxw.com - a request for help with a compilation problem. The 2.6 BitKeeper repository, containing all patches merged since February 2002, shows one set of patches from LynuxWorks.com: a USB Pegasus driver by Petko Manolov. The last patch was merged in May, 2002. We asked LynuxWorks if it had a list of recent contributions (which could, after all, have been sent in from a different email address), but got no response.

LynuxWorks, in other words, is taking full advantage of the work of others - including its competitors - to claim to be "first to market" with a set of new features. And it has done so without contributing much of anything back to the community from which it draws the software it is selling. LynuxWorks is far from alone in this behavior, of course. LynuxWorks is also acting entirely within its rights. As long as they abide by the GPL, nobody can complain if they use the software in this way. That is what free software is all about.

It is also true, however, that being within your rights and being right are not always the same thing. A company that is making money selling Linux should feel some obligation to contribute back to Linux. Especially when that company is in the operating systems business and clearly has the technical resources to make that sort of contribution.

Contributing back is not just the right thing to do; it is also good business. Customers feel better when they see that their suppliers have a good relationship with the development community upon which they depend. Customers also like the feeling that a supplier understands the software well enough to make changes and get them accepted; it improves the chances that bugs can be fixed and requested changes implemented. They feel better about the software as a whole if the vendor cares enough to make it better. Software with active support from those selling it has a better chance of being around and still maintained a few years from now.

Many free software companies understand this well; they point to their free software contributions as a source of pride. As users of free software become more sophisticated, they will ask for that information. Customers need to know that their suppliers can provide them with the support they need, and that said suppliers are committed to the future of the software they work with. A history of contributing back to the software in question is one of the best ways to show customers what they want to see. It also has the incidental benefits of making the software better and being the right thing to do.


The Chamberlain v. Skylink DMCA ruling

One of the many DMCA cases circulating in the U.S. court system is Chamberlain v. Skylink. Chamberlain manufactures garage door openers and, of course, the remote units which are used to open and close the garage door. Recent Chamberlain models use a "rolling code" system which is intended to protect homeowners against playback attacks; the code transmitted by the remote is different every time, so a thief with a recorder would capture nothing useful. This system also has the incidental result of preventing other companies from selling remotes that work with Chamberlain openers.

Except that Skylink figured out a way to get around the code, and marketed a working remote. Chamberlain then took Skylink to court, claiming that, among other things, the Skylink remote violates the Digital Millennium Copyright Act. The problem, it seems, is that the Skylink remote circumvents the "technical measures" employed by Chamberlain to restrict access to the copyrighted software in its openers. Chamberlain was sufficiently confident of its position that it asked for a summary judgement on the DMCA argument. At the end of August, the court denied that request; the full text of the ruling is available in PDF format.

One might hope that this case would have been an opportunity for the court to take a serious look at the DMCA. The DMCA, used in this way, is an effective tool to prevent the creation of interoperable products in a wide range of industries. All that's needed is a bit of internal code and a simple "technical measure" to prevent interoperation; the DMCA does the rest. Unfortunately, the ruling in this case does little to help those who would like to see the power of the DMCA reduced.

The court denied the judgement for two reasons. The first is that, in the court's opinion, Chamberlain did not establish that the software inside its garage door opener was actually protected by copyright - a crucial precondition for DMCA applicability. This is a true technicality here; it is difficult to believe that Chamberlain will not have a copyright interest in the software it created.

The second reason is, essentially, that Chamberlain did not tell its customers that they couldn't use competing remotes.

In this case, Plaintiff sells a GDO [garage door opener] to a homeowner who then utilizes the product to access his or her own garage. As pointed out above, there are no limitations placed on the homeowner who buys the Chamberlain rolling code GDO, regarding which type of replacement or additional transmitter he or she purchases to access the GDO.

This second point may be enough to sink Chamberlain's DMCA argument, but it leaves the DMCA itself untouched. A simple statement on the box that only Chamberlain remotes may be used with the opener will close the hole in the future. This ruling is a defeat for a company attempting to wield the DMCA for its commercial benefit, but it will do nothing to stop this use of the DMCA in the future.


Page editor: Jonathan Corbet

Security

Security news

The apache evasive maneuvers module

Jonathan Zdziarski announced the release of mod_dosevasive 1.8 at the beginning of September. mod_dosevasive is an apache module, licensed under the GPL, which enables a web server to detect certain kinds of denial-of-service attack and take appropriate action.

The core of mod_dosevasive is a set of hash tables keeping track of recent page requests. If a particular system (as identified by its IP address) starts requesting too many pages at once, or it requests the same page repeatedly too often, the module decides an attack is underway. The next request from that source will get back a 403 error response, and the source goes onto the blacklist. The default blacklist period is ten seconds; each request received while the offending system is blacklisted extends its time there.

mod_dosevasive can also send notification email when it detects an attack, or execute an arbitrary command. The command capability is intended to make the module work with firewalls; rather than continually failing requests with 403 errors, an administrator can set up the firewall to simply block traffic from the attacking system altogether. That approach, clearly, will be more effective against large-scale distributed attacks where the real purpose is to consume bandwidth.
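The logic just described, as an added example written for this page rather than mod_dosevasive's own code: per-client and per-page request timestamps kept over short windows, a blacklist that answers 403 and has its expiry pushed out by every request made while it is in force, and a hook that fires once when a client is first blacklisted (where the real module would send mail or run the configured command). The class name, the parameter names, the thresholds and the request log are all assumptions constructed for illustration; only the ten-second blacklist default comes from the description above.

```python
"""A model of mod_dosevasive's detection logic: windowed per-page and per-site
hit counters, a self-extending blacklist, and a once-per-blacklisting hook.
Added example for this page, not the module's own code; names and default
thresholds are assumptions."""
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple


class EvasiveTracker:
    def __init__(self, page_count: int = 2, page_interval: float = 1.0,
                 site_count: int = 50, site_interval: float = 1.0,
                 blocking_period: float = 10.0,
                 on_block: Optional[Callable[[str, float], None]] = None) -> None:
        self.page_count = page_count            # hits on one URI from one IP within page_interval
        self.page_interval = page_interval
        self.site_count = site_count            # hits on any URI from one IP within site_interval
        self.site_interval = site_interval
        self.blocking_period = blocking_period  # seconds a client stays blacklisted
        self.on_block = on_block                # notification / firewall hook
        self._page_hits: Dict[Tuple[str, str], List[float]] = defaultdict(list)
        self._site_hits: Dict[str, List[float]] = defaultdict(list)
        self._blocked_until: Dict[str, float] = {}

    @staticmethod
    def _prune(hits: List[float], now: float, interval: float) -> None:
        """Drop timestamps that have fallen out of the window."""
        while hits and now - hits[0] > interval:
            hits.pop(0)

    def request(self, ip: str, uri: str, now: float) -> int:
        """Return the status the server should answer with: 403 while blacklisted, else 200."""
        expires = self._blocked_until.get(ip)
        if expires is not None:
            if now < expires:
                # every request during the period pushes the expiry out again
                self._blocked_until[ip] = now + self.blocking_period
                return 403
            del self._blocked_until[ip]
        page = self._page_hits[(ip, uri)]
        site = self._site_hits[ip]
        self._prune(page, now, self.page_interval)
        self._prune(site, now, self.site_interval)
        page.append(now)
        site.append(now)
        if len(page) > self.page_count or len(site) > self.site_count:
            self._blocked_until[ip] = now + self.blocking_period
            if self.on_block is not None:
                self.on_block(ip, now)  # called once per blacklisting, not per 403
            return 403
        return 200

    def blocked_until(self, ip: str) -> Optional[float]:
        return self._blocked_until.get(ip)


# Constructed request log: (client IP, URI, seconds since start).
DEMO_LOG = [
    ("10.0.0.1", "/index.html", 0.0),
    ("10.0.0.2", "/index.html", 0.0),
    ("10.0.0.2", "/index.html", 0.1),
    ("10.0.0.2", "/index.html", 0.2),   # third hit on one page within a second
    ("10.0.0.1", "/about.html", 0.5),
    ("10.0.0.2", "/about.html", 5.0),   # still blacklisted; expiry moves to 15.0
    ("10.0.0.2", "/about.html", 14.0),  # extended again, to 24.0
    ("10.0.0.2", "/about.html", 30.0),  # period lapsed; counted afresh
]


def run_demo() -> Tuple[List[int], List[Tuple[str, float]]]:
    """Replay DEMO_LOG; return the statuses answered and the blacklisting events."""
    events: List[Tuple[str, float]] = []
    tracker = EvasiveTracker(page_count=2, page_interval=1.0, site_count=5,
                             site_interval=1.0, blocking_period=10.0,
                             on_block=lambda ip, when: events.append((ip, when)))
    statuses = [tracker.request(ip, uri, t) for ip, uri, t in DEMO_LOG]
    return statuses, events


if __name__ == "__main__":
    statuses, events = run_demo()
    for (ip, uri, t), status in zip(DEMO_LOG, statuses):
        print(f"t={t:5.1f} {ip:10} {uri:12} -> {status}")
    print("blacklisted:", events)
```

Note what the model makes visible: the blacklisted client's own retries at 5.0 and 14.0 seconds keep it blacklisted well past the original ten seconds, and because blacklisted requests are never counted, a client that simply waits out the period starts with clean counters. Note also that a 403 still costs the server a request cycle, which is why the firewall hook matters for bandwidth-consuming attacks.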

The mod_dosevasive web page has more information.


September CERT Summary

The September quarterly CERT Summary is out, discussing the security issues which are currently worth noting. Most notable this time around is the fact that Linux and free software do not figure into any of the problems covered. According to this summary, all of the serious security issues of the last three months affect only proprietary software. Enjoy it while it lasts.


New vulnerabilities

exim: buffer overflows

Package(s):exim exim-tls CVE #(s):CAN-2003-0743
Created:September 4, 2003 Updated:September 30, 2003
Description: A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code.

CAN-2003-0743

Alerts:
Gentoo 200309-09 2003-09-15
Debian DSA-376-2 2003-09-07
Conectiva CLA-2003:735 2003-09-05
Debian DSA-376-1 2003-09-04


inetd: DoS attack

Package(s):inetd CVE #(s):
Created:September 8, 2003 Updated:September 10, 2003
Description: inetd has a hard-coded limit of 256 connections per minute, after which the given service is disabled for ten minutes. An attacker could use a quick burst of connections every ten minutes to effectively disable a service.

Once upon a time, this was an intentional feature of inetd, but in today's world it has become a bug. Even having inetd look at the source IP and try to limit only the source of the attack would be problematic, since source addresses are easily faked (trivially so for UDP services) and an attacker can spread the burst across many hosts.

Alerts:
Slackware SSA:2003-251-01 2003-09-08


mah-jong: buffer overflows, denial of service

Package(s):mah-jong CVE #(s):CAN-2003-0705 CAN-2003-0706
Created:September 8, 2003 Updated:September 10, 2003
Description: Nicolas Boullis discovered two vulnerabilities in mah-jong, a network-enabled game.

CAN-2003-0705 (buffer overflow): This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the user running the mah-jong server.

CAN-2003-0706 (denial of service): This vulnerability could be exploited by a remote attacker to cause the mah-jong server to enter a tight loop and stop responding to commands.

Alerts:
Debian DSA-378-1 2003-09-07


wu-ftpd: insecure program execution

Package(s):wu-ftpd CVE #(s):CVE-1999-0997
Created:September 5, 2003 Updated:September 24, 2003
Description: wu-ftpd, an FTP server, implements a feature whereby multiple files can be fetched in the form of a dynamically constructed archive file, such as a tar archive. The names of the files to be included are passed as command line arguments to tar, without protection against them being interpreted as command-line options. GNU tar supports several command line options which can be abused, by means of this vulnerability, to execute arbitrary programs with the privileges of the wu-ftpd process.
Alerts:
Slackware SSA:2003-259-03 2003-09-23
Conectiva CLA-2003:748 2003-09-22
Debian DSA-377-1 2003-09-04
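The flaw described above is ordinary argument injection, and it is worth seeing the shape of both the mistake and the fix. The following is an added example written for this page, not wu-ftpd's code: the function names are invented, nothing here runs tar, and the requested file names are constructed. The unsafe builder appends the requested names bare; the hardened builder validates each name and then terminates option parsing with "--" so that whatever follows is an operand even if validation is somehow bypassed. as_tar_sees_it() classifies the words the way a getopt-style parser would.

```python
"""Argument injection of the kind described for wu-ftpd's on-the-fly tar
archives: a requested name that begins with '-' reaches tar as an option
rather than a file.  Added example for this page, not wu-ftpd's code; it only
builds and classifies argument vectors and never executes anything."""
from typing import List, Sequence, Tuple

TAR_PREFIX = ["/bin/tar", "-cf", "-"]   # stream a new archive to stdout


def tar_argv_unsafe(names: Sequence[str]) -> List[str]:
    """The flawed shape: requested names are appended bare, so tar's option
    parser sees any name starting with '-' as an option."""
    return TAR_PREFIX + list(names)


def is_safe_name(name: str) -> bool:
    """Reject anything that could be read as an option or reach outside the tree."""
    if not name or name.startswith("-"):
        return False
    if name.startswith("/") or ".." in name.split("/"):
        return False
    return "\n" not in name and "\0" not in name


def tar_argv_safe(names: Sequence[str]) -> List[str]:
    """Hardened shape: validate every name, then end option parsing with '--'
    so that everything after it is an operand."""
    bad = [n for n in names if not is_safe_name(n)]
    if bad:
        raise ValueError("rejected file names: %r" % bad)
    return TAR_PREFIX + ["--"] + list(names)


def rejects(names: Sequence[str]) -> bool:
    """True if tar_argv_safe refuses the request."""
    try:
        tar_argv_safe(names)
    except ValueError:
        return True
    return False


def as_tar_sees_it(argv: Sequence[str]) -> Tuple[List[str], List[str]]:
    """Split the words after TAR_PREFIX the way a getopt-style parser does:
    '--' ends option parsing; before it, a word starting with '-' (other than
    '-' alone) is an option and everything else is a file operand."""
    options: List[str] = []
    operands: List[str] = []
    options_done = False
    for word in argv[len(TAR_PREFIX):]:
        if options_done or word == "-" or not word.startswith("-"):
            operands.append(word)
        elif word == "--":
            options_done = True
        else:
            options.append(word)
    return options, operands


# Constructed request: one honest name and one that GNU tar would parse as its
# --use-compress-program option, which makes tar run the named program.
REQUESTED = ["README", "--use-compress-program=/tmp/evil"]

if __name__ == "__main__":
    opts, files = as_tar_sees_it(tar_argv_unsafe(REQUESTED))
    print("unsafe: options=%r files=%r" % (opts, files))
    print("safe rejects the request:", rejects(REQUESTED))
    print("safe argv for ordinary names:", tar_argv_safe(["README", "docs/a-b.txt"]))
```

The two defences are deliberately redundant: "--" alone is enough for GNU tar, and the name check alone would be enough if every caller remembered it, but an FTP server that lets clients name files should do both.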


Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:408-00 2003-12-19
Gentoo 200308-01 2003-08-14
Debian DSA-358-4 2003-08-13
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-2 2003-08-05
Debian DSA-358-3 2003-08-04
Debian DSA-358-1 2003-07-31
EnGarde ESA-20032407-018 2003-07-24
Red Hat RHSA-2003:238-01 2003-07-21


apache: multiple vulnerabilities in Apache HTTP server

Package(s):apache CVE #(s):CAN-2003-0192 CAN-2003-0253 CAN-2003-0254
Created:July 11, 2003 Updated:September 22, 2003
Description: The Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
  • Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [CAN-2003-0192]

  • Certain errors returned by accept() on rarely accessed ports could cause a temporary denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]

  • Denial of service was caused when target host is IPv6 but ftp proxy server can't create IPv6 socket. [CAN-2003-0254]

  • The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests. [VU#379828]
Alerts:
Red Hat RHSA-2003:243-01 2003-09-22
Red Hat RHSA-2003:240-01 2003-09-04
Mandrake MDKSA-2003:075-1 2003-08-28
Mandrake MDKSA-2003:075 2003-07-21
Conectiva CLA-2003:698 2003-07-21
Trustix 2003-0025 2003-07-11


autorespond: buffer overflow

Package(s):autorespond CVE #(s):CAN-2003-0654
Created:August 18, 2003 Updated:September 30, 2003
Description: Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.

CAN-2003-0654

Alerts:
Debian DSA-373-1 2003-08-16


bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:September 30, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04


Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:September 30, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2003-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04


eroaster: insecure temporary file

Package(s):eroaster CVE #(s):CAN-2003-0656
Created:August 19, 2003 Updated:September 30, 2003
Description: A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster.

CAN-2003-0656

Alerts:
Gentoo 200309-04 2003-09-02
Mandrake MDKSA-2003:083 2003-08-19
Debian DSA-366-1 2003-08-05

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
SCO Group CSSA-2003-030.0 2003-11-07
Yellow Dog YDU-20030718-2 2003-07-18
Red Hat RHSA-2003:203-01 2003-07-03
Gentoo 200306-13 2003-06-25
Conectiva CLA-2003:662 2003-06-25
Mandrake MDKSA-2003:070 2003-06-23

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fdclone: insecure temporary directory

Package(s):fdclone CVE #(s):CAN-2003-0596
Created:July 23, 2003 Updated:September 30, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.

CAN-2003-0596

Alerts:
Debian DSA-352-1 2003-07-22

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

gkrellm: buffer overflow

Package(s):gkrellm CVE #(s):
Created:August 29, 2003 Updated:September 3, 2003
Description: A buffer overflow was discovered in gkrellmd, the server component of the gkrellm monitor package, in versions of gkrellm 2.1.x prior to 2.1.14. This buffer overflow occurs while reading data from connected gkrellm clients and can lead to possible arbitrary code execution as the user running the gkrellmd server.
Alerts:
Mandrake MDKSA-2003:087 2003-08-28

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response. This causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

horde: session hijacking

Package(s):horde CVE #(s):
Created:September 1, 2003 Updated:September 3, 2003
Description: According to this advisory, an attacker could send an email to a victim using the HORDE MTA to get the victim to visit a website, which then logs all available information about the victim's system.
Alerts:
Gentoo 200309-02.1 2003-09-01
Gentoo 200309-02 2003-09-01

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains User Mode Linux (UML) utilities.

The uml_net utility in kernel-utils packages shipped with Red Hat Linux 8.0 was incorrectly installed setuid root. This could allow local users to control certain network interfaces, add and remove ARP entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages, which contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpam-smb: exploitable buffer overflow

Package(s):libpam-smb, pam-smb CVE #(s):CAN-2003-0686
Created:August 26, 2003 Updated:September 30, 2003
Description: libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information.

CAN-2003-0686

Alerts:
Conectiva CLA-2003:734 2003-09-05
SuSE SuSE-SA:2003:036 2003-09-03
Gentoo 200309-01 2003-09-01
Red Hat RHSA-2003:261-01 2003-08-26
Debian DSA-374-1 2003-08-26

Comments (1 posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:September 30, 2003
Description: If lynx is given a URL containing certain special characters on the command line, it will include faked headers in the HTTP request. This behaviour can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the use of mailx as the default mailer, which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mindi: insecure file creation

Package(s):mindi CVE #(s):CAN-2003-0617
Created:September 2, 2003 Updated:September 30, 2003
Description: Mindi versions prior to 0.86 create files in /tmp in a way that could allow a local user to overwrite arbitrary files.

CAN-2003-0617

Alerts:
Gentoo 200309-05 2003-09-02
Debian DSA-362-1 2003-08-02

Comments (none posted)

mpg123 - buffer overflow

Package(s):mpg123 CVE #(s):CAN-2003-0577
Created:July 16, 2003 Updated:September 30, 2003
Description: The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Gentoo 200309-17 2003-09-30
Mandrake MDKSA-2003:078 2003-07-23
Conectiva CLA-2003:695 2003-07-15

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netris: buffer overflow

Package(s):netris CVE #(s):CAN-2003-0685
Created:August 18, 2003 Updated:September 30, 2003
Description: Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the privileges of the user running netris in client mode, if they connect to a hostile netris server.

CAN-2003-0685

Alerts:
Debian DSA-372-1 2003-08-16

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux nfs-utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

node: buffer overflow, format string

Package(s):node CVE #(s):
Created:September 1, 2003 Updated:September 3, 2003
Description: Morgan alias SM6TKY discovered and fixed several security related problems in LinuxNode, an Amateur Packet Radio Node program. The buffer overflow he discovered can be used to gain unauthorised root access and can be remotely triggered.
Alerts:
Debian DSA-375-3 2003-08-29

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

pam_ldap: non-functioning host restrictions

Package(s):pam_ldap CVE #(s):
Created:September 3, 2003 Updated:September 3, 2003
Description: pam_ldap 161 contains a bug in the pam_filter module which prevents host-based restrictions from working as advertised; version 1.62 fixes the problem.
Alerts:
Mandrake MDKSA-2003:088 2003-09-02

Comments (none posted)

pam-pgsql: format string vulnerability

Package(s):pam-pgsql CVE #(s):CAN-2003-0672
Created:August 11, 2003 Updated:September 30, 2003
Description: Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication.

CAN-2003-0672

Alerts:
Debian DSA-370-1 2003-08-08

Comments (none posted)

perl: cross site scripting vulnerability in CGI.pm module

Package(s):perl CVE #(s):CAN-2003-0615
Created:July 29, 2003 Updated:September 30, 2003
Description: obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm Perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

CAN-2003-0615

Alerts:
Red Hat RHSA-2003:256-02 2003-10-03
Red Hat RHSA-2003:256-01 2003-09-22
OpenPKG OpenPKG-SA-2003.039 2003-09-15
Mandrake MDKSA-2003:084 2003-08-20
Debian DSA-371-1 2003-08-11
OpenPKG OpenPKG-SA-2003.036 2003-08-06
Conectiva CLA-2003:713 2003-07-29

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:September 30, 2003
Description: Two vulnerabilities exist in the PHP mail() function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may result in an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):phpgroupware CVE #(s):CAN-2003-0504 CAN-2003-0582
Created:July 16, 2003 Updated:September 30, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corporation report for more information.

CAN-2003-0504
CAN-2003-0582

Alerts:
Debian DSA-365-1 2003-08-05
Conectiva CLA-2003:703 2003-07-23
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:697 2003-07-16

Comments (none posted)

phpwebsite: SQL Injection, DoS and XSS Vulnerabilities

Package(s):phpwebsite CVE #(s):
Created:September 2, 2003 Updated:September 3, 2003
Description: phpwebsite contains an SQL injection vulnerability in the calendar module which allows an attacker to execute SQL queries. In addition, phpwebsite is vulnerable to XSS. More information can be found in the full advisory.
Alerts:
Gentoo 200309-03 2003-09-02

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:September 30, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

semi: insecure temporary file

Package(s):semi, wemi CVE #(s):CAN-2003-0440
Created:July 7, 2003 Updated:September 30, 2003
Description: semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker.

wemi is a fork of semi, and contains the same bug.

CAN-2003-0440

Alerts:
Gentoo 200308-02 2003-08-14
Yellow Dog YDU-20030723-2 2003-07-23
Red Hat RHSA-2003:234-01 2003-07-23
Debian DSA-339-1 2003-07-06

Comments (none posted)

sendmail: bad DNS reply causes crash

Package(s):sendmail CVE #(s):CAN-2003-0688
Created:August 26, 2003 Updated:September 30, 2003
Description: There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x versions with respect to DNS maps. The bug did not exist in versions before 8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9, released March 29, 2003. See this advisory for more information.

CAN-2003-0688

Alerts:
Conectiva CLA-2003:727 2003-08-29
Red Hat RHSA-2003:265-01 2003-08-28
OpenPKG OpenPKG-SA-2003.037 2003-08-28
SuSE SuSE-SA:2003:035 2003-08-26
Mandrake MDKSA-2003:086 2003-08-26

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s):stunnel CVE #(s):CAN-2002-1563
Created:July 25, 2003 Updated:November 25, 2003
Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.

When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.

Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.

Alerts:
Red Hat RHSA-2003:296-01 2003-11-24
SCO Group CSSA-2003-026.0 2003-10-03
Conectiva CLA-2003:736 2003-09-05
Trustix 2003-0030 2003-08-07
EnGarde ESA-20030806-020 2003-08-06
Red Hat RHSA-2003:221-01 2003-07-25