LinkSys and the GPL - again
Last June, we published
a story about
LinkSys and its WRT54G wireless router product. That router runs Linux,
but LinkSys was not making the source for its Linux kernel available as the
GPL requires. In response to pressure from the community, LinkSys
eventually released a kernel tarball, and it
appeared that the episode had come to a close. Another apparent victory
for the GPL.
In this case, however, it seems that the victory celebrations were a bit
premature. A group of programmers has been working with the LinkSys
tarball in the hopes of creating a new, more accessible firmware image for
the WRT54G. Over time, this group has come to the conclusion that the
kernel source released by LinkSys is incomplete. Efforts to resolve the
situation with LinkSys have not been conclusive, so, on September 28,
this group sent out a letter describing its
findings.
Much of the code in the WRT54G kernel gets there by way of loadable
modules. In particular, much of the truly interesting stuff - the code
that implements the low-level wireless functionality - is packaged in
modules. The question of whether loadable modules are a derived product of
the kernel - and thus subject to the GPL - is a topic of ongoing debate;
not all kernel hackers are happy to see their work used by binary-only
modules. A definitive conclusion in that debate may never come about; in
the real world, however, binary-only modules are tolerated. Nobody has
made any serious public effort to get LinkSys to release the source to its
binary kernel modules. (Update: it turns out that claim is not
entirely true; see the comments added to this article for details).
The results of the investigation by the WRT54G hackers, however, indicate
that the WRT54G kernel contains a substantial amount of built-in code.
There is no ambiguity around code which is patched directly into the
kernel; it is clearly a derived product. A kernel which is patched in this
way can, by the GPL, only be distributed if the source for those patches is
released under the same license. LinkSys (or the contractor which did its
kernel work) has tried to slip in a kernel source tarball which does not
include the code found in its binary image; that is a GPL violation, and
the company has been caught. It is not clear how the people involved
thought they would get away with this attempt; perhaps they thought nobody
was really interested in looking at their source.
What happens now? The WRT54G hackers have released their information in
the hope that a wider public awareness of the problem will help push
LinkSys into living up to its obligations under the GPL. It turns out,
however, that the Free Software Foundation is
working on this case, and they are asking for patience.
GPL violations sometimes take time to resolve. We wish that we
could force resolution quicker, but we haven't found a way to do
that. We have, however, discovered a variant of Brooks's Law:
adding more lawyers to a GPL violation usually makes it take
longer. Lawyers are reluctant to admit to mistakes, because they
fear it could be used against them. Engineers and product managers
are typically interested in fixing mistakes, so we try our best to
work with them first before escalating to legal teams on both
sides. Such escalation has happened on this violation, so it will
take additional time to resolve the matter.
The FSF also points out that the kernel is only a part of the GPL-licensed
software running on a WRT54G router. The FSF is trying to represent the
copyright holders of all the affected software and resolve the whole
problem. They will, they say, keep the community informed as things
progress.
The FSF's work on GPL enforcement is usually hard to see; it is done in a
quiet and diplomatic manner that is invisible behind the rhetoric that
comes out of other parts of that organization. The FSF claims to have built the free software
community, but it toots its own horn rather less on the subject of GPL
compliance. But the FSF's GPL work plays a crucial role in keeping the
free software community going; we owe them a debt of gratitude for the work
they do to ensure that the terms of our licenses are respected. In the
LinkSys case, we also owe them some space and time to do their work. The
FSF has been highly successful in resolving GPL violations without the need
for long and expensive court cases. With some luck and patience, we can
hope to see a similar resolution here.
This week in SCOland
As much as we might have wished that the SCO case would have gone away over
the last week, it's still there. So here's the obligatory update on what
has been happening...
IBM has filed a new set of counterclaims against SCO. The full, new filing
is available in PDF
format. The new material is relatively small, and makes three points.
The first of those points is a promissory estoppel claim. SCO, says IBM,
promised that it would distribute Linux only under the terms of the GPL.
IBM, acting on those promises, has now been burned, and has suffered an
injury as a result. IBM claims damages to compensate for that injury, but
the real purpose of the estoppel claim is to shut SCO up:
In addition to an award of damages, IBM is entitled to declaratory
and injunctive relief, including but not limited to a declaration
that SCO is not entitled to assert proprietary rights with respect
to products distributed by SCO under the GPL except upon the terms
set out in the GPL.
"Estoppel" says that a company cannot behave in one way, allow others to act
based on that behavior, then change the rules afterwards. IBM is claiming
that this is exactly what SCO is trying to do in this situation, and is
asking the court to put a stop to it.
The second new counterclaim alleges copyright infringement based on
violations of the GPL. This claim is different from (and additional to)
the GPL violation claim in IBM's first counterfiling. Whereas the previous
claim was a breach of contract claim (SCO did not live up to the
obligations it took on when it accepted the GPL), the new one is a pure
infringement claim. IBM lists several contributions for which it has
registered its copyrights (they include EVMS, dynamic probes, PowerPC
support, the Omni print driver, JFS, and others), and claims:
SCO has infringed and is infringing IBM's copyrights by copying,
modifying, sublicensing and/or distributing Linux products except
as expressly provided under the GPL. SCO has taken copyrighted
source code made available by IBM under the GPL, included that code
in SCO's Linux products, and copied, modified, sublicensed and/or
distributed those products other than as permitted under the
GPL. SCO has no right - and has never had any right - to copy,
modify, sublicense and/or distribute the IBM copyrighted code
except pursuant to the GPL.
The last new counterclaim is a request for a declaratory judgment along the
lines of Red Hat's suit. Essentially, IBM is asking the court to make SCO
shut up.
SCO's response came in the form of yet
another
strange press release. SCO has nothing to say about IBM's description
of its behavior; instead, the company has gone for a flat-out attack on the
GPL:
IBM, not SCO, has brought the GPL into the legal controversy
between the two companies. SCO believes that the GPL -- created by
the Free Software Foundation to supplant current U.S. copyright
laws -- is a shaky foundation on which to build a legal case. By
contrast, SCO continues to base its legal claims on well-settled
United States contract laws and United States copyright laws.
The GPL has never faced a full legal test, and SCO believes that it will
not stand up in court.
We asked SCO how it is that the GPL serves "to supplant current US
copyright laws" while its own software licenses do not, but SCO chose not
to answer us. Regardless,
what SCO hopes to gain by attacking the GPL is unclear; its
legal theories on the subject are bizarre at best. But if the GPL fails,
then SCO will never have had a valid license to distribute Linux at all.
It would be interesting to hear how SCO justifies its continued
distribution of the Linux kernel if it believes it lacks a valid license
to do so.
Red Hat, meanwhile, has filed a "memorandum in opposition" to SCO's
attempt to get Red Hat's lawsuit summarily dismissed. Groklaw has posted
the motion in
PDF format. Also on Groklaw is this
detailed analysis of Red Hat's motion which covers the relevant points.
SCO also claimed that its speech was protected by the First
Amendment. Frankly, that argument is so funny it seems pointless to
stay up late to explain it to you... Red Hat had to actually
research the point and answer it in detail. I'll bet they were
rolling on the floor laughing though. Once they pulled themselves
together, they point out to the judge that there are laws
specifically written that forbid companies from making 'false or
misleading statements' about another's product, and it's called the
Lanham Act...
As expected, the SCO Group has also expanded the battle to include SGI.
Very little has been said in public (we're waiting for the inevitable
conference call), but a couple of alert readers found the following in SGI's
annual report as filed with the U.S. Securities and Exchange
Commission:
We have received a letter from SCO Group alleging that, as a result
of our activities related to the Linux operating system, we are in
breach of the fully-paid license under which we distribute our IRIX
operating system. The letter purports to terminate our UNIX System
V license effective October 14, 2003.
SGI believes, like IBM, that its Unix license cannot be terminated in this
manner. SCO arguably has a better case against SGI, since SGI did actually
allow a small amount of SYSV code to slip into its Linux kernel
contributions. SCO will have a hard time talking a tiny infringement
involving code that, by some reckoning, is in the public domain into a
major case, however.
Speaking of SGI's actions, the company has posted a letter to the Linux
community from software VP Rich Altmaier. The letter admits that the
ate_malloc() code shown by SCO could have been taken from SYSV,
though SGI also reiterates the claim that the code in question may well
have entered the public domain. SGI has sent patches to its customers
removing the code in question, but it has not stopped there:
Following this occurrence, we continued our investigation to
determine whether any other code in the Linux kernel was even
conceivably implicated. As a result of that exhaustive
investigation, SGI has discovered a few additional code segments
(similar in nature to the segments referred to above and trivial in
amount) that may arguably be related to UNIX code. We are in the
process of removing and replacing these segments.
In other words, the Linux kernel has now been compared to the Unix code
base by somebody other than SCO, and it has been given an (almost) clean
bill of health.
SGI's letter also denies that SCO has any claim to the XFS filesystem. XFS
is explicitly claimed as SGI's work.
It may be that SCO is taking the position that merely because XFS
is also distributed along with IRIX it is somehow subject to the
System V license. But if so, this is an absurd position, with no
basis either in the license or in common sense. In fact, our UNIX
license clearly provides that SGI retains ownership and all rights
as to all code that was not part of AT&Ts UNIX System V.
The position described is, of course, exactly the claims SCO has made
against IBM.
Finally, remember that the SCO City-to-City
Tour starts on October 7. Those of you in or near Toronto,
Boston, Chicago, Vancouver, Dallas, Orlando, Newark, Minneapolis,
St. Louis, Irvine, or Atlanta may want to consider signing up to share your
views with the company.
Distributing 2.6
As the 2.6 kernel slowly approaches release, it is natural that vendors and
users are becoming more interested in what this kernel has to offer. But
some distributors may be jumping the gun a bit with this kernel. Consider
these announcements:
- LynuxWorks announced
that a beta version of BlueCat Linux 5.0, a 2.6-based embedded
distribution, was available. Says LynuxWorks: "The embedded
developer community has been eagerly anticipating the availability of
the Linux 2.6 kernel and we are proud to offer the first embedded
operating system ready for beta testing."
- SuSE has stated that SuSE
Linux 9.0 will have a 2.6 kernel option.
- SnapGear has released
SnapGear Embedded Linux 3.0, which is based on the 2.6 kernel.
The company claims to have the "world's first production Linux system
powered by the 2.6 kernel."
The only problem, of course, is that there is no 2.6 kernel. The
2.6.0-test series is not the 2.6 kernel. It remains in active
development, and many parts of it are still volatile. The most recent
release (2.6.0-test6) included a fundamental change in the dev_t
device number type, a bunch of scheduler work, numerous power management
patches, and a lot of other changes. A number of important kernel
interfaces are still in flux. Auditing for security problems still needs
to be done.
One should also bear in mind that most stable kernels do not truly
stabilize until several releases after "dot-zero."
The 2.5 kernel development series looks to be one of the most successful in
quite some time. Many important objectives have been attained, and the
2.6.0-test kernels appear to be quite stable for most users. It is
certainly an appropriate time for distributors to consider offering a 2.6
preview kernel, as SuSE will do with its 9.0 release. But it is too soon
to present a 2.6-based distribution as being "production ready." Any
distributor which is offering the 2.6 kernel as anything other than an
early preview for testing purposes is not being entirely honest. We'll
have stable 2.6-based distributions sometime in 2004; some things cannot
be rushed.
Page editor: Jonathan Corbet
Security
Security news
Vulnerabilities in OpenSSL
The National Infrastructure Security Co-ordination Centre (NISCC) is an
organization within the UK Government, set up to defend against electronic
attack. As part of that mandate, the NISCC recently prepared a test suite
to check the operation of SSL/TLS software when presented with a wide range
of malformed client certificates. Dr Stephen Henson of the OpenSSL core
team identified and prepared fixes for a number of vulnerabilities in the
OpenSSL ASN.1 code when running the test suite. Since these vulnerabilities
were found by the test suite rather than in the wild, there are no known
exploits; whether any appear depends on how quickly everyone updates their
systems. Many distributions have already provided updates for these
problems, as shown in the new vulnerability report listed below.
All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
versions of SSLeay are affected, as well as any application that makes use
of OpenSSL's ASN1 library to parse untrusted data. This includes all SSL or
TLS applications, those using S/MIME (PKCS#7) or certificate generation
routines.
From the advisory:
- Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6. The Common
Vulnerabilities and Exposures project has assigned the name
CAN-2003-0545 for this issue.
- Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.
The Common Vulnerabilities and Exposures project has assigned the names
CAN-2003-0543 and
CAN-2003-0544 for this issue.
- A malformed public key in a certificate will crash the verify code
if it is set to ignore public key decoding errors. Public key decode
errors are not normally ignored, except for debugging purposes, so this
is unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.
- Due to an error in the SSL/TLS protocol handling, a server will
parse a client certificate when one is not specifically requested. This
by itself is not strictly speaking a vulnerability but it does mean that
*all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client
authentication.
All OpenSSL users should upgrade to OpenSSL 0.9.7c or 0.9.6k and recompile
any OpenSSL applications statically linked to OpenSSL libraries.
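The second item in the advisory, unusual tag values causing an out-of-bounds read, comes down to how the identifier and length octets at the front of every DER element are decoded. What follows is an added example, not OpenSSL code and not the NISCC test suite: a minimal bounds-checked DER header parser in C that accepts well-formed headers and rejects the malformed shapes such a test suite throws at a parser (truncated multi-byte tags, tag numbers that would overflow the accumulator, indefinite or non-minimal lengths, lengths that run past the buffer) without ever reading beyond the supplied length. The der_hdr type, the function names and the sample encodings are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed DER identifier + length octets.  Hypothetical type for this
 * example, not an OpenSSL structure. */
typedef struct {
    int      ok;          /* 1 if well-formed and the content fits in the buffer */
    uint8_t  cls;         /* 0 universal, 1 application, 2 context-specific, 3 private */
    int      constructed; /* 1 if the constructed bit is set */
    uint32_t tag;         /* tag number (low form or high-tag-number form) */
    size_t   hdr_len;     /* bytes consumed by identifier and length octets */
    size_t   len;         /* content length */
} der_hdr;

/* Decode the header at buf[0..n).  Every read is checked against n and
 * every failure returns ok == 0, so a hostile certificate cannot drive the
 * parser off the end of its input. */
der_hdr der_parse_header(const uint8_t *buf, size_t n)
{
    der_hdr h;
    size_t i = 0;
    uint8_t b;

    memset(&h, 0, sizeof h);
    if (n == 0) return h;                          /* no identifier octet */
    b = buf[i++];
    h.cls = b >> 6;
    h.constructed = (b & 0x20) != 0;
    h.tag = b & 0x1f;

    if (h.tag == 0x1f) {                           /* high-tag-number form */
        int first = 1;
        h.tag = 0;
        for (;;) {
            if (i >= n) return h;                  /* truncated tag */
            b = buf[i++];
            if (first && (b & 0x7f) == 0) return h;   /* leading zero octet is not minimal */
            first = 0;
            if (h.tag > (UINT32_MAX >> 7)) return h;  /* next shift would overflow */
            h.tag = (h.tag << 7) | (b & 0x7f);
            if (!(b & 0x80)) break;
        }
        if (h.tag < 0x1f) return h;                /* must have used the low form */
    }

    if (i >= n) return h;                          /* no length octet */
    b = buf[i++];
    if (b < 0x80) {
        h.len = b;                                 /* short form */
    } else if (b == 0x80) {
        return h;                                  /* indefinite length: BER, not DER */
    } else {
        size_t nbytes = b & 0x7f, len = 0, k;
        if (nbytes > sizeof(size_t)) return h;     /* cannot be represented, certainly bogus */
        if (nbytes > n - i) return h;              /* truncated length octets */
        if (buf[i] == 0) return h;                 /* leading zero length octet is not minimal */
        for (k = 0; k < nbytes; k++) len = (len << 8) | buf[i++];
        if (len < 0x80) return h;                  /* should have used the short form */
        h.len = len;
    }

    if (h.len > n - i) return h;                   /* content would run past the buffer */
    h.hdr_len = i;
    h.ok = 1;
    return h;
}

/* Runs the parser over constructed inputs; returns 1 when every case
 * behaves as expected. */
int der_selftest(void)
{
    static const uint8_t seq[]     = { 0x30, 0x03, 0x02, 0x01, 0x05 };   /* SEQUENCE { INTEGER 5 } */
    static const uint8_t ctx128[]  = { 0xbf, 0x81, 0x00, 0x00 };         /* [128] constructed, empty */
    static const uint8_t indef[]   = { 0x04, 0x80 };                     /* indefinite length */
    static const uint8_t nonmin[]  = { 0x04, 0x81, 0x05 };               /* long form for length 5 */
    static const uint8_t bigtag[]  = { 0x1f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00 }; /* tag overflows */
    static const uint8_t toolong[] = { 0x30, 0x82, 0x01, 0x00, 0x00 };   /* claims 256 bytes, has 1 */
    uint8_t big[4 + 256];
    der_hdr h;

    h = der_parse_header(seq, sizeof seq);
    if (!h.ok || h.tag != 16 || !h.constructed || h.hdr_len != 2 || h.len != 3) return 0;
    h = der_parse_header(ctx128, sizeof ctx128);
    if (!h.ok || h.cls != 2 || h.tag != 128 || h.hdr_len != 4 || h.len != 0) return 0;

    memset(big, 0, sizeof big);                    /* valid long-form length 0x82 0x01 0x00 = 256 */
    big[0] = 0x30; big[1] = 0x82; big[2] = 0x01; big[3] = 0x00;
    h = der_parse_header(big, sizeof big);
    if (!h.ok || h.hdr_len != 4 || h.len != 256) return 0;

    if (der_parse_header(indef, sizeof indef).ok) return 0;
    if (der_parse_header(nonmin, sizeof nonmin).ok) return 0;
    if (der_parse_header(bigtag, sizeof bigtag).ok) return 0;
    if (der_parse_header(toolong, sizeof toolong).ok) return 0;
    if (der_parse_header(seq, 1).ok) return 0;     /* truncated right after the identifier */
    return 1;
}

int main(void)
{
    int pass = der_selftest();
    printf("der_selftest: %s\n", pass ? "pass" : "FAIL");
    return pass ? 0 : 1;
}
```

The design point is that every branch that consumes an octet first asks whether that octet exists, and length arithmetic is always done as "remaining minus consumed" so it cannot wrap; a parser that instead trusts the length field and checks afterwards has exactly the read-past-the-end problem described above.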
New vulnerabilities
apache2: Denial of Service vulnerability
Package(s): apache2
CVE #(s): none listed
Created: September 29, 2003
Updated: March 25, 2004
Description:
A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution. This
problem can lead to a denial of service situation. See this bug report for
additional details.
freesweep: buffer overflow
Package(s): freesweep
CVE #(s): CAN-2003-0828
Created: October 1, 2003
Updated: October 1, 2003
Description:
freesweep contains a buffer overflow vulnerability which may be exploited by a local user to obtain access to the "games" group.
lsh: remotely exploitable buffer overflow
Package(s): lsh
CVE #(s): CAN-2003-0831
Created: October 1, 2003
Updated: October 1, 2003
Description:
lsh (an ssh implementation) 1.5.2 and prior has a remotely exploitable buffer overflow vulnerability; see this advisory for details.
marbles: buffer overflow
Package(s): marbles
CVE #(s): CAN-2003-0830
Created: October 1, 2003
Updated: October 1, 2003
Description:
The 'marbles' game contains a buffer overflow in its processing of the HOME environment variable. A local user can exploit this vulnerability to obtain access to the "games" group.
mplayer: remotely exploitable buffer overflow vulnerability
Package(s): mplayer
CVE #(s): CAN-2003-0835
Created: September 29, 2003
Updated: April 6, 2004
Description:
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details.
openssl: vulnerabilities in ASN.1 code
Package(s): openssl
CVE #(s): CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
Created: September 30, 2003
Updated: November 4, 2003
Description:
Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate
problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and
all versions of SSLeay.
An attack against applications that use OpenSSL could result in a
denial of service. See CAN-2003-0543 and CAN-2003-0544.
It may be possible for an attacker to exploit this issue to execute
arbitrary code. See CAN-2003-0545.
CERT has an updated OpenSSL advisory identifying additional OpenSSL
vulnerabilities.
webfs: buffer overflows, file and directory exposure
Package(s): webfs
CVE #(s): CAN-2003-0832, CAN-2003-0833
Created: September 29, 2003
Updated: October 1, 2003
Description:
Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP
server for static content.
CAN-2003-0832 - When virtual hosting is enabled, a remote client could
specify ".." as the hostname in a request, allowing retrieval of directory
listings or files above the document root.
CAN-2003-0833 - A long pathname could overflow a buffer allocated on
the stack, allowing execution of arbitrary code. In order to exploit this
vulnerability, it would be necessary to be able to create directories on
the server in a location which could be accessed by the web server. In
conjunction with CAN-2003-0832, this could be a world-writable directory
such as /var/tmp.
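CAN-2003-0832 is the generic virtual-hosting mistake of building a filesystem path out of the Host header without validating it. As an added illustration, not webfs's own code, here is that pattern in C beside a hardened version: the naive function splices the header straight into the path, so a Host of ".." maps to the parent of the document root, while the hardened one accepts only hostname characters, drops any :port suffix, rejects empty and dot-edged names, and refuses any name that would not fit its output buffer, which is also the check a stack-allocated pathname buffer (CAN-2003-0833) was missing. DOCROOT, the function names and the 512-byte buffers are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Document-root selection of the kind CAN-2003-0832 describes: the Host
 * header is spliced into a filesystem path unchecked.  Kept deliberately
 * vulnerable for comparison; this is not webfs's actual code. */
int vhost_root_naive(const char *docroot, const char *host,
                     char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s/%s", docroot, host);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened version.  Accepts only characters legal in a DNS hostname,
 * drops an optional :port, lower-cases the name, rejects empty, dot-only
 * and dot-edged names (".", "..", ".hidden", "foo.") and refuses anything
 * that would not fit the caller's buffer, so a long name cannot overrun it
 * (cf. CAN-2003-0833).  Returns 0 on success, -1 on rejection. */
int vhost_root_safe(const char *docroot, const char *host,
                    char *out, size_t outsz)
{
    char name[254];            /* a DNS name is at most 253 characters */
    size_t len = 0;
    const char *p;
    int n;

    if (host == NULL) return -1;
    for (p = host; *p != '\0' && *p != ':'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '-' || c == '.')) return -1;  /* excludes '/', '\\', spaces, controls */
        if (len + 1 >= sizeof name) return -1;                 /* longer than any valid hostname */
        name[len++] = (char)tolower(c);
    }
    name[len] = '\0';
    if (len == 0) return -1;                                   /* empty Host header */
    if (name[0] == '.' || name[len - 1] == '.') return -1;     /* ".", "..", ".foo", "foo." */
    if (strstr(name, "..") != NULL) return -1;                 /* empty label: not a valid hostname */

    n = snprintf(out, outsz, "%s/%s", docroot, name);
    if (n < 0 || (size_t)n >= outsz) return -1;                /* would truncate: refuse, never guess */
    return 0;
}

/* DOCROOT is an assumed example path. */
#define DOCROOT "/var/www"

/* Path the naive code would serve for this Host, or "" if it rejected it. */
const char *vhost_naive_path(const char *host)
{
    static char buf[512];
    if (vhost_root_naive(DOCROOT, host, buf, sizeof buf) != 0) buf[0] = '\0';
    return buf;
}

/* Path the hardened code would serve for this Host, or "" if it rejected it. */
const char *vhost_safe_path(const char *host)
{
    static char buf[512];
    if (vhost_root_safe(DOCROOT, host, buf, sizeof buf) != 0) buf[0] = '\0';
    return buf;
}

/* Feeds a hostname of `len` letters through the hardened builder and
 * returns 1 if it was accepted; names longer than 253 characters must not be. */
int vhost_safe_accepts_length(size_t len)
{
    char host[1024], out[512];
    if (len >= sizeof host) return 0;
    memset(host, 'a', len);
    host[len] = '\0';
    return vhost_root_safe(DOCROOT, host, out, sizeof out) == 0;
}

int main(void)
{
    static const char *const probes[] = { "example.com", "Example.COM:8080", "..", "../../etc", "" };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-18s naive=%-24s safe=%s\n", probes[i],
               vhost_naive_path(probes[i]), vhost_safe_path(probes[i]));
    return 0;
}
```

Allow-listing the hostname alphabet, rather than searching for ".." and "/", is what makes the check hold up: it also removes NUL-truncation tricks, encoded separators and anything else the server's filesystem might interpret, and the explicit length bound keeps the later path buffer from being the place where a long name is first noticed.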
Updated vulnerabilities
2.4 kernel - several vulnerabilities
Package(s): 2.4 kernel
CVE #(s): CAN-2003-0461, CAN-2003-0462, CAN-2003-0464, CAN-2003-0476,
CAN-2003-0501, CAN-2003-0550, CAN-2003-0551, CAN-2003-0552
Created: July 21, 2003
Updated: December 23, 2003
Description:
Several security issues have been discovered affecting the Linux kernel:
- CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
- CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
- CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that this could allow normal
users to bind to UDP ports used for services such as nfsd.
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
- CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
- CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
- CAN-2003-0552: Jerry Kreuscher discovered that the forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
autorespond: buffer overflow
Package(s): autorespond
CVE #(s): CAN-2003-0654
Created: August 18, 2003
Updated: September 30, 2003
Description:
Christian Jaeger discovered a buffer overflow in autorespond, an email
autoresponder used with qmail. This vulnerability could potentially
be exploited by a remote attacker to gain the privileges of a user who
has configured qmail to forward messages to autorespond. This
vulnerability is currently not believed to be exploitable due to
incidental limits on the length of the problematic input, but there
may be situations in which these limits do not apply.
bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind glibc
CVE #(s): CAN-2002-0651, CAN-2002-0684
Created: July 8, 2002
Updated: September 30, 2003
Description:
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc-related vulnerability which, in that form, does
not affect Linux. Updates from the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
Canna server: exploitable buffer overrun
Package(s): canna
CVE #(s): CAN-2002-1158, CAN-2002-1159
Created: December 10, 2002
Updated: September 30, 2003
Description:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt
eroaster: insecure temporary file
Package(s): eroaster
CVE #(s): CAN-2003-0656
Created: August 19, 2003
Updated: September 30, 2003
Description:
A vulnerability was discovered in eroaster where it does not take any
security precautions when creating a temporary file for the lockfile. This
vulnerability could be exploited to overwrite arbitrary files with the
privileges of the user running eroaster.
ethereal: security problems in Ethereal 0.9.12
Package(s): ethereal
CVE #(s): CAN-2003-0428, CAN-2003-0429, CAN-2003-0431, CAN-2003-0432
Created: June 23, 2003
Updated: November 10, 2003
Description:
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file."
exim: buffer overflows
Package(s): exim exim-tls
CVE #(s): CAN-2003-0743
Created: September 4, 2003
Updated: September 30, 2003
Description:
A buffer overflow exists in exim, which is the standard mail transport
agent in Debian. By supplying a specially crafted HELO or EHLO
command, an attacker could cause a constant string to be written past
the end of a buffer allocated on the heap. This vulnerability is not
believed at this time to be exploitable to execute arbitrary code.
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
fdclone: insecure temporary directory
Package(s): fdclone
CVE #(s): CAN-2003-0596
Created: July 23, 2003
Updated: September 30, 2003
Description:
fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions. This would
allow an attacker to gain access to fdclone's temporary files and
their contents, or replace them with other files under the attacker's
control.
fetchmail: buffer overflow
Package(s): fetchmail
CVE #(s): CAN-2002-1365
Created: December 17, 2002
Updated: October 20, 2003
Description:
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description:
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
gnupg: key validation
Package(s): gnupg
CVE #(s): CAN-2003-0255
Created: May 15, 2003
Updated: November 17, 2003
Description:
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more than one user ID to trust all user IDs with the
amount of trust given to the most-valid user ID.
gopherd: buffer overflow
Package(s): gopher
CVE #(s): CAN-2003-0805
Created: September 24, 2003
Updated: September 24, 2003
Description:
The University of Minnesota gopherd daemon has a set of remotely exploitable buffer overflows which can allow an attacker to execute code as the "gopher" user. Both remaining gopher servers are advised to upgrade in the near future.
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
hztty: buffer overflow vulnerability
Package(s): hztty
CVE #(s): CAN-2003-0783
Created: September 24, 2003
Updated: September 24, 2003
Description:
hztty (a program for translating Chinese character encodings) has a pair of buffer overflow vulnerabilities which can be exploited by a local attacker. This problem is compounded on Debian systems by the fact that hztty is (unnecessarily) installed setuid root. Version 2.0-6 has the fix.
ipmasq: insecure packet filtering rules
Package(s): ipmasq
CVE #(s): CAN-2003-0785
Created: September 22, 2003
Updated: September 24, 2003
Description:
ipmasq is a package which simplifies configuration of Linux IP
masquerading, a form of network address translation which allows a
number of hosts to share a single public IP address. Due to use of
certain improper filtering rules, traffic arriving on the external
interface addressed for an internal host would be forwarded,
regardless of whether it was associated with an established
connection. This vulnerability could be exploited by an attacker
capable of forwarding IP traffic with an arbitrary destination address
to the external interface of a system with ipmasq installed.
KDE: Two issues in KDM
Package(s): kde, xfree86
CVE #(s): CAN-2003-0690, CAN-2003-0692
Created: September 16, 2003
Updated: December 19, 2003
Description:
According to this advisory two issues have
been discovered in KDM:
- CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
- CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3
are affected.
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around for this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net
libpam-smb: exploitable buffer overflow
| Package(s): | libpam-smb, pam-smb |
| CVE #(s): | CAN-2003-0686 |
| Created: | August 26, 2003 |
| Updated: | September 30, 2003 |
| Description: | libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information. CAN-2003-0686 |
| Alerts: | |
Comments (1 posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer. |
| Alerts: | |
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
| CVE #(s): | CAN-2002-1405 |
| Created: | November 19, 2002 |
| Updated: | September 30, 2003 |
| Description: | If lynx is given a URL with certain special characters on the command line, it will include faked headers in the HTTP request. This behaviour can be used to force scripts (that use lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. CAN-2002-1405 |
| Alerts: | |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
| Alerts: | |
Comments (none posted)
mindi: insecure file creation
| Package(s): | mindi |
| CVE #(s): | CAN-2003-0617 |
| Created: | September 2, 2003 |
| Updated: | September 30, 2003 |
| Description: | Mindi versions prior to 0.86 create files in /tmp in a way that could allow a local user to overwrite arbitrary files. CAN-2003-0617 |
| Alerts: | |
Comments (none posted)
mpg123 - buffer overflow
| Package(s): | mpg123 |
| CVE #(s): | CAN-2003-0577 |
| Created: | July 16, 2003 |
| Updated: | September 30, 2003 |
| Description: | The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file. |
| Alerts: | |
Comments (none posted)
mysql: arbitrary code execution
| Package(s): | mysql |
| CVE #(s): | CAN-2003-0780 |
| Created: | September 15, 2003 |
| Updated: | October 9, 2003 |
| Description: | Frank Denis reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users are stored in the "Password" field of the "User" table, part of the "mysql" database. The passwords are hashed and stored as a 16-character hexadecimal value. Unfortunately, a function involved in password checking lacks correct bounds checking. By filling the "Password" field with a value wider than 16 characters, a buffer overflow will occur. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0780 to the problem. |
| Alerts: | |
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: | Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information. |
| Alerts: | |
Comments (none posted)
netris: buffer overflow
| Package(s): | netris |
| CVE #(s): | CAN-2003-0685 |
| Created: | August 18, 2003 |
| Updated: | September 30, 2003 |
| Description: | Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the privileges of the user running netris in client mode, if they connect to a hostile netris server. CAN-2003-0685 |
| Alerts: | |
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
| CVE #(s): | CAN-2002-1170 |
| Created: | December 17, 2002 |
| Updated: | November 7, 2003 |
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: | |
Comments (none posted)
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2003-0252 |
| Created: | July 14, 2003 |
| Updated: | March 8, 2004 |
| Description: | The Linux nfs-utils package contains a remotely exploitable off-by-one bug in xlog(). A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details. |
| Alerts: | |
Comments (none posted)
openssh: multiple PAM vulnerabilities in Portable OpenSSH versions 3.7p1 and 3.7.1p1
| Package(s): | openssh |
| CVE #(s): | |
| Created: | September 23, 2003 |
| Updated: | October 1, 2003 |
| Description: | Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). See this advisory for details. |
| Alerts: | |
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
| Alerts: | |
Comments (1 posted)
OpenSSH: buffer management error
| Package(s): | OpenSSH |
| CVE #(s): | CAN-2003-0693 |
| Created: | September 16, 2003 |
| Updated: | September 30, 2003 |
| Description: | All versions of OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete. See the second advisory for details. CAN-2003-0693 |
| Alerts: | |
Comments (none posted)
pam-pgsql: format string vulnerability
| Package(s): | pam-pgsql |
| CVE #(s): | CAN-2003-0672 |
| Created: | August 11, 2003 |
| Updated: | September 30, 2003 |
| Description: | Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication. CAN-2003-0672 |
| Alerts: | |
Comments (none posted)
perl: cross site scripting vulnerability in CGI.pm module
| Package(s): | perl |
| CVE #(s): | CAN-2003-0615 |
| Created: | July 29, 2003 |
| Updated: | September 30, 2003 |
| Description: | obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package. CAN-2003-0615 |
| Alerts: | |
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
| CVE #(s): | CAN-2002-0985, CAN-2002-0986 |
| Created: | November 13, 2002 |
| Updated: | September 30, 2003 |
| Description: | Two vulnerabilities exist in the PHP mail() function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may turn a script into an open relay if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability from the previous PHP mail() problem, which affected versions through 4.1.0. CAN-2002-0985 CAN-2002-0986 |
| Alerts: | |
Comments (none posted)
phpgroupware - cross-site scripting and other exploits
| Package(s): | phpgroupware |
| CVE #(s): | CAN-2003-0504, CAN-2003-0582 |
| Created: | July 16, 2003 |
| Updated: | September 30, 2003 |
| Description: | Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited. Version 0.9.14.005 fixed several other vulnerabilities, including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies. See this Security Corporation report for more information. CAN-2003-0504 CAN-2003-0582 |
| Alerts: | |
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
| CVE #(s): | CAN-2003-0468, CAN-2003-0540 |
| Created: | August 5, 2003 |
| Updated: | May 27, 2004 |
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: | |
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
| CVE #(s): | |
| Created: | February 12, 2003 |
| Updated: | November 7, 2003 |
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: | |
Comments (1 posted)
proftpd: remote root shell
| Package(s): | proftpd |
| CVE #(s): | CAN-2003-0831 |
| Created: | September 24, 2003 |
| Updated: | January 2, 2004 |
| Description: | The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell, if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. |
| Alerts: | |
Comments (2 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
| CVE #(s): | CAN-2002-1119 |
| Created: | August 28, 2002 |
| Updated: | September 30, 2003 |
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. CAN-2002-1119 |
| Alerts: | |