
LWN.net Weekly Edition for October 2, 2003

LinkSys and the GPL - again

Last June, we published a story about LinkSys and its WRT54G wireless router product. That router runs Linux, but LinkSys was not making the source for its Linux kernel available as the GPL requires. In response to pressure from the community, LinkSys eventually released a kernel tarball, and it appeared that the episode had come to a close. Another apparent victory for the GPL.

In this case, however, it seems that the victory celebrations were a bit premature. A group of programmers has been working with the LinkSys tarball in the hopes of creating a new, more accessible firmware image for the WRT54G. Over time, this group has come to the conclusion that the kernel source released by LinkSys is incomplete. Efforts to resolve the situation with LinkSys have not been conclusive, so, on September 28, this group sent out a letter describing its findings.

Much of the code in the WRT54G kernel gets there by way of loadable modules. In particular, much of the truly interesting stuff - the code that implements the low-level wireless functionality - is packaged in modules. The question of whether loadable modules are a derived product of the kernel - and thus subject to the GPL - is a topic of ongoing debate; not all kernel hackers are happy to see their work used by binary-only modules. A definitive conclusion in that debate may never come about; in the real world, however, binary-only modules are tolerated. Nobody has made any serious public effort to get LinkSys to release the source to its binary kernel modules. (Update: it turns out that claim is not entirely true; see the comments added to this article for details).

The results of the investigation by the WRT54G hackers, however, indicate that the WRT54G kernel contains a substantial amount of built-in code. There is no ambiguity around code which is patched directly into the kernel; it is clearly a derived product. A kernel which is patched in this way can, by the GPL, only be distributed if the source for those patches is released under the same license. LinkSys (or the contractor which did its kernel work) has tried to slip in a kernel source tarball which does not include the code found in its binary image; that is a GPL violation, and the company has been caught. It is not clear how the people involved thought they would get away with this attempt; perhaps they thought nobody was really interested in looking at their source.

What happens now? The WRT54G hackers have released their information in the hope that a wider public awareness of the problem will help push LinkSys into living up to its obligations under the GPL. It turns out, however, that the Free Software Foundation is working on this case, and they are asking for patience.

GPL violations sometimes take time to resolve. We wish that we could force resolution quicker, but we haven't found a way to do that. We have, however, discovered a variant of Brooks's Law: adding more lawyers to a GPL violation usually makes it take longer. Lawyers are reluctant to admit to mistakes, because they fear it could be used against them. Engineers and product managers are typically interested in fixing mistakes, so we try our best to work with them first before escalating to legal teams on both sides. Such escalation has happened on this violation, so it will take additional time to resolve the matter.

The FSF also points out that the kernel is only a part of the GPL-licensed software running on a WRT54G router. The FSF is trying to represent the copyright holders of all the affected software and resolve the whole problem. They will, they say, keep the community informed as things progress.

The FSF's work on GPL enforcement is usually hard to see; it is done in a quiet and diplomatic manner that is invisible behind the rhetoric that comes out of other parts of that organization. The FSF claims to have built the free software community, but it toots its own horn rather less on the subject of GPL compliance. But the FSF's GPL work plays a crucial role in keeping the free software community going; we owe them a debt of gratitude for the work they do to ensure that the terms of our licenses are respected. In the LinkSys case, we also owe them some space and time to do their work. The FSF has been highly successful in resolving GPL violations without the need for long and expensive court cases. With some luck and patience, we can hope to see a similar resolution here.

Comments (35 posted)

This week in SCOland

As much as we might have wished that the SCO case would have gone away over the last week, it's still there. So here's the obligatory update on what has been happening...

IBM has filed a new set of counterclaims against SCO. The full, new filing is available in PDF format. The new material is relatively small, and makes three points.

The first of those points is a promissory estoppel claim. SCO, says IBM, promised that it would distribute Linux only under the terms of the GPL. IBM, acting on those promises, has now been burned, and has suffered an injury as a result. IBM claims damages to compensate for that injury, but the real purpose of the estoppel claim is to shut SCO up:

In addition to an award of damages, IBM is entitled to declaratory and injunctive relief, including but not limited to a declaration that SCO is not entitled to assert proprietary rights with respect to products distributed by SCO under the GPL except upon the terms set out in the GPL.

"Estoppel" says that a company cannot behave in one way, allow others to act based on that behavior, then change the rules afterwards. IBM is claiming that this is exactly what SCO is trying to do in this situation, and is asking the court to put a stop to it.

The second new counterclaim alleges copyright infringement based on violations of the GPL. This claim is different from (and additional to) the GPL violation claim in IBM's first counterfiling. Whereas the previous claim was a breach of contract claim (SCO did not live up to the obligations it took on when it accepted the GPL), the new one is a pure infringement claim. IBM lists several contributions for which it has registered its copyrights (they include EVMS, dynamic probes, PowerPC support, the Omni print driver, JFS, and others), and claims:

SCO has infringed and is infringing IBM's copyrights by copying, modifying, sublicensing and/or distributing Linux products except as expressly provided under the GPL. SCO has taken copyrighted source code made available by IBM under the GPL, included that code in SCO's Linux products, and copied modified, sublicensed and/or distributed those products other than as permitted under the GPL. SCO has no right - and has never had any right - to copy, modify, sublicense and/or distribute the IBM copyrighted code except pursuant to the GPL.

The last new counterclaim is a request for a declaratory judgement along the lines of Red Hat's suit. Essentially, IBM is asking the court to make SCO shut up.

SCO's response came in the form of yet another strange press release. SCO has nothing to say about IBM's description of its behavior; instead, the company has gone for a flat-out attack on the GPL:

IBM, not SCO, has brought the GPL into the legal controversy between the two companies. SCO believes that the GPL -- created by the Free Software Foundation to supplant current U.S. copyright laws -- is a shaky foundation on which to build a legal case. By contrast, SCO continues to base its legal claims on well-settled United States contract laws and United States copyright laws.

The GPL has never faced a full legal test, and SCO believes that it will not stand up in court.

We asked SCO how it is that the GPL serves "to supplant current US copyright laws" while its own software licenses do not, but SCO chose not to answer us. Regardless, what SCO hopes to gain by attacking the GPL is unclear; its legal theories on the subject are bizarre at best. But if the GPL fails, then SCO will never have had a valid license to distribute Linux at all. It would be interesting to hear how SCO justifies its continued distribution of the Linux kernel if it believes it lacks a valid license to do so.

Red Hat, meanwhile, has filed a "memorandum in opposition" to SCO's attempt to get Red Hat's lawsuit summarily dismissed. Groklaw has posted the motion in PDF format. Also on Groklaw is this detailed analysis of Red Hat's motion which covers the relevant points.

SCO also claimed that its speech was protected by the First Amendment. Frankly, that argument is so funny it seems pointless to stay up late to explain it to you... Red Hat had to actually research the point and answer it in detail. I'll bet they were rolling on the floor laughing though. Once they pulled themselves together, they point out to the judge that there are laws specifically written that forbid companies from making 'false or misleading statements' about another's product, and it's called the Lanham Act...

As expected, the SCO Group has also expanded the battle to include SGI. Very little has been said in public (we're waiting for the inevitable conference call), but a couple of alert readers found the following in SGI's annual report as filed with the U.S. Securities and Exchange Commission:

We have received a letter from SCO Group alleging that, as a result of our activities related to the Linux operating system, we are in breach of the fully-paid license under which we distribute our IRIX operating system. The letter purports to terminate our UNIX System V license effective October 14, 2003.

SGI believes, like IBM, that its Unix license cannot be terminated in this manner. SCO arguably has a better case against SGI, since SGI did actually allow a small amount of SYSV code to slip into its Linux kernel contributions. SCO will have a hard time talking a tiny infringement involving code that, by some reckoning, is in the public domain into a major case, however.

Speaking of SGI's actions, the company has posted a letter to the Linux community from software VP Rich Altmaier. The letter admits that the ate_malloc() code shown by SCO could have been taken from SYSV, though SGI also reiterates the claim that the code in question may well have entered the public domain. SGI has sent patches to its customers removing the code in question, but it has not stopped there:

Following this occurrence, we continued our investigation to determine whether any other code in the Linux kernel was even conceivably implicated. As a result of that exhaustive investigation, SGI has discovered a few additional code segments (similar in nature to the segments referred to above and trivial in amount) that may arguably be related to UNIX code. We are in the process of removing and replacing these segments.

In other words, the Linux kernel has now been compared to the Unix code base by somebody other than SCO, and it has been given an (almost) clean bill of health.

SGI's letter also denies that SCO has any claim to the XFS filesystem. XFS is explicitly claimed as SGI's work.

It may be that SCO is taking the position that merely because XFS is also distributed along with IRIX it is somehow subject to the System V license. But if so, this is an absurd position, with no basis either in the license or in common sense. In fact, our UNIX license clearly provides that SGI retains ownership and all rights as to all code that was not part of AT&T's UNIX System V.

The position described is, of course, exactly the claims SCO has made against IBM.

Finally, remember that the SCO City-to-City Tour starts on October 7. Those of you in or near Toronto, Boston, Chicago, Vancouver, Dallas, Orlando, Newark, Minneapolis, St. Louis, Irvine, or Atlanta may want to consider signing up to share your views with the company.

Comments (4 posted)

Distributing 2.6

As the 2.6 kernel slowly approaches release, it is natural that vendors and users are becoming more interested in what this kernel has to offer. But some distributors may be jumping the gun a bit with this kernel. Consider these announcements:

  • LynuxWorks announced that a beta version of BlueCat Linux 5.0, a 2.6-based embedded distribution, was available. Says LynuxWorks: "The embedded developer community has been eagerly anticipating the availability of the Linux 2.6 kernel and we are proud to offer the first embedded operating system ready for beta testing."

  • SuSE has stated that SuSE Linux 9.0 will have a 2.6 kernel option.

  • SnapGear has released SnapGear Embedded Linux 3.0, which is based on the 2.6 kernel. The company claims to have the "world's first production Linux system powered by the 2.6 kernel."

The only problem, of course, is that there is no 2.6 kernel. The 2.6.0-test series is not the 2.6 kernel. It remains in active development, and many parts of it are still volatile. The most recent release (2.6.0-test6) included a fundamental change in the dev_t device number type, a bunch of scheduler work, numerous power management patches, and a lot of other changes. A number of important kernel interfaces are still in flux. Auditing for security problems still needs to be done.

One should also bear in mind that most stable kernels do not truly stabilize until several releases after "dot-zero."

The 2.5 kernel development series looks to be one of the most successful in quite some time. Many important objectives have been attained, and the 2.6.0-test kernels appear to be quite stable for most users. It is certainly an appropriate time for distributors to consider offering a 2.6 preview kernel, as SuSE will do with its 9.0 release. But it is too soon to present a 2.6-based distribution as being "production ready." Any distributor which is offering the 2.6 kernel as anything other than an early preview for testing purposes is not being entirely honest. We'll have our stable, 2.6-based distributions sometime in 2004; some things cannot be rushed.

Comments (13 posted)

Page editor: Jonathan Corbet

Security

Security news

Vulnerabilities in OpenSSL

The National Infrastructure Security Co-ordination Centre (NISCC) is an organization within the UK Government, set up to defend against electronic attack. As part of that mandate, the NISCC recently prepared a test suite to check the operation of SSL/TLS software when presented with a wide range of malformed client certificates. Dr Stephen Henson of the OpenSSL core team identified and prepared fixes for a number of vulnerabilities in the OpenSSL ASN1 code when running the test suite. Since these vulnerabilities were found during code review, there are no known exploits, and there won't be any as long as everyone updates their systems in a timely fashion. Many distributions have already provided updates for these problems, shown in the new vulnerability report listed below.

All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay are affected, as well as any application that makes use of OpenSSL's ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines.

From the advisory:

  1. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. This issue does not affect OpenSSL 0.9.6. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0545 for this issue.

  2. Unusual ASN.1 tag values can cause an out of bounds read under certain circumstances, resulting in a denial of service vulnerability. The Common Vulnerabilities and Exposures project has assigned the names CAN-2003-0543 and CAN-2003-0544 for this issue.

  3. A malformed public key in a certificate will crash the verify code if it is set to ignore public key decoding errors. Public key decode errors are not normally ignored, except for debugging purposes, so this is unlikely to affect production code. Exploitation of an affected application would result in a denial of service vulnerability.

  4. Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This by itself is not strictly speaking a vulnerability but it does mean that *all* SSL/TLS servers that use OpenSSL can be attacked using vulnerabilities 1, 2 and 3 even if they don't enable client authentication.

All OpenSSL users should upgrade to OpenSSL 0.9.7c or 0.9.6k and recompile any OpenSSL applications statically linked to OpenSSL libraries.

Comments (3 posted)

New vulnerabilities

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
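
The hang described here is the classic pipe deadlock: the server reads the script's stdout to completion while nobody drains stderr, so once the child has filled the stderr pipe buffer its write() blocks and neither side makes progress. As an added illustration (not Apache code; the helper name and the 4 KiB figure in the comment are my own), this C program forks a child that writes far more than a pipe buffer to stderr before producing its stdout body, and the parent drains both descriptors with poll() so the child can never wedge:

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a child that behaves like a chatty CGI script (err_bytes to stderr,
 * then a short HTTP body to stdout) and drain both pipes concurrently.
 * Returns the total bytes read, or -1 on error. A parent that read stdout
 * to EOF before looking at stderr would deadlock as soon as the stderr
 * pipe buffer filled (the page reports this at around 4k for Apache2). */
long run_cgi_and_drain(size_t err_bytes, size_t *out_stdout, size_t *out_stderr)
{
    static const char body[] = "Content-Type: text/plain\n\nhello from cgi\n";
    int outp[2], errp[2];
    if (pipe(outp) < 0 || pipe(errp) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* child: hook stdout/stderr to the pipes, then write stderr first */
        dup2(outp[1], STDOUT_FILENO);
        dup2(errp[1], STDERR_FILENO);
        close(outp[0]); close(outp[1]); close(errp[0]); close(errp[1]);
        char chunk[4096];
        memset(chunk, 'e', sizeof chunk);
        size_t left = err_bytes;
        while (left > 0) {
            size_t n = left < sizeof chunk ? left : sizeof chunk;
            ssize_t w = write(STDERR_FILENO, chunk, n);
            if (w <= 0) _exit(1);
            left -= (size_t)w;
        }
        if (write(STDOUT_FILENO, body, sizeof body - 1) < 0) _exit(1);
        _exit(0);
    }

    /* parent: watch both read ends; whichever has data gets drained */
    close(outp[1]); close(errp[1]);
    struct pollfd fds[2] = {
        { .fd = outp[0], .events = POLLIN },
        { .fd = errp[0], .events = POLLIN },
    };
    size_t counts[2] = {0, 0};
    int open_fds = 2;
    char buf[8192];
    while (open_fds > 0) {
        if (poll(fds, 2, -1) < 0) return -1;
        for (int i = 0; i < 2; i++) {
            if (fds[i].fd < 0 || !(fds[i].revents & (POLLIN | POLLHUP | POLLERR)))
                continue;
            ssize_t n = read(fds[i].fd, buf, sizeof buf);
            if (n > 0) { counts[i] += (size_t)n; continue; }
            close(fds[i].fd); fds[i].fd = -1; open_fds--;   /* EOF on this pipe */
        }
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    if (out_stdout) *out_stdout = counts[0];
    if (out_stderr) *out_stderr = counts[1];
    return (long)(counts[0] + counts[1]);
}

int main(void)
{
    size_t o = 0, e = 0;
    long total = run_cgi_and_drain(256 * 1024, &o, &e);
    printf("total=%ld stdout=%zu stderr=%zu\n", total, o, e);
    return total < 0;
}
```

The same structure applies to any server that spawns a helper and captures more than one of its streams: the reader must be ready for either pipe at any time, or must redirect stderr somewhere that never blocks, such as a log file.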
Alerts:
Gentoo 200403-04 2004-03-22
Netwosix NW-2004-0006 2004-03-25
Mandrake MDKSA-2003:096-1 2003-10-24
Mandrake MDKSA-2003:096 2003-09-26

Comments (none posted)

freesweep: buffer overflow

Package(s):freesweep CVE #(s):CAN-2003-0828
Created:October 1, 2003 Updated:October 1, 2003
Description: freesweep contains a buffer overflow vulnerability which may be exploited by a local user to obtain access to the "games" group.
Alerts:
Debian DSA-391-1 2003-09-28

Comments (none posted)

lsh: remotely exploitable buffer overflow

Package(s):lsh CVE #(s):CAN-2003-0831
Created:October 1, 2003 Updated:October 1, 2003
Description: lsh (an ssh implementation) 1.5.2 and prior has a remotely exploitable buffer overflow vulnerability; see this advisory for details.
Alerts:
SuSE SuSE-SA:2003:041 2003-10-01

Comments (none posted)

marbles: buffer overflow

Package(s):marbles CVE #(s):CAN-2003-0830
Created:October 1, 2003 Updated:October 1, 2003
Description: The 'marbles' game contains a buffer overflow in its processing of the HOME environment variable. A local user can exploit this vulnerability to obtain access to the "games" group.
Alerts:
Debian DSA-390-1 2003-09-26

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Comments (none posted)

openssl: vulnerabilities in ASN.1 code

Package(s):openssl CVE #(s):CAN-2003-0543 CAN-2003-0544 CAN-2003-0545
Created:September 30, 2003 Updated:November 4, 2003
Description: Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay.

An attack against other applications that use OpenSSL could result in a Denial of Service. See CAN-2003-0543 and CAN-2003-0544.

It may be possible for an attacker to exploit this issue to execute arbitrary code. See CAN-2003-0545.

CERT has an updated OpenSSL advisory identifying additional OpenSSL vulnerabilities.
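
Problems 1 and 2 of this advisory, and of the "Vulnerabilities in OpenSSL" article above, come down to an ASN.1 decoder acting on tag and length octets before checking them against the buffer it was handed. As an added example (my own code, not OpenSSL's; the struct and function names are invented for this illustration), here is a minimal DER tag/length parser in C in which every read is preceded by a bounds check, so unusual tag encodings, truncated headers and lengths that claim more content than exists are all rejected before anything is read or allocated:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER header: identifier octet(s) plus length octet(s). */
struct der_tlv {
    uint32_t tag;        /* tag number, high-tag-number form already decoded */
    unsigned char cls;   /* class bits (bits 7-6 of the identifier octet) */
    int constructed;     /* bit 5 of the identifier octet */
    size_t hdr_len;      /* bytes consumed by tag + length */
    size_t len;          /* length of the content octets that follow */
};

/* Parse a DER identifier and length from buf[0..buflen). Returns 0 on
 * success, -1 if the encoding is truncated, non-minimal (DER requires the
 * shortest form), or claims more content than the buffer holds. */
int der_parse_tlv(const unsigned char *buf, size_t buflen, struct der_tlv *out)
{
    size_t pos = 0;
    if (buflen == 0) return -1;

    unsigned char id = buf[pos++];
    out->cls = id >> 6;
    out->constructed = (id >> 5) & 1;
    uint32_t tag = id & 0x1f;

    if (tag == 0x1f) {                 /* high-tag-number form: base-128 octets */
        tag = 0;
        int octets = 0;
        for (;;) {
            if (pos >= buflen) return -1;                    /* truncated tag */
            unsigned char b = buf[pos++];
            if (octets == 0 && (b & 0x7f) == 0) return -1;   /* leading zero */
            if (++octets > 4) return -1;                     /* cap at 28 bits */
            tag = (tag << 7) | (b & 0x7f);
            if (!(b & 0x80)) break;
        }
        if (tag < 0x1f) return -1;     /* must have used the short form */
    }
    out->tag = tag;

    if (pos >= buflen) return -1;      /* truncated length */
    unsigned char l = buf[pos++];
    size_t len;
    if (l < 0x80) {
        len = l;
    } else {
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t)) return -1;   /* indefinite or too wide */
        if (n > buflen - pos) return -1;               /* truncated length octets */
        if (buf[pos] == 0) return -1;                  /* non-minimal length */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        if (len < 0x80) return -1;                     /* must have used short form */
    }
    if (len > buflen - pos) return -1;                 /* content overruns buffer */

    out->hdr_len = pos;
    out->len = len;
    return 0;
}

/* Walk the content of a constructed value and return how many children it
 * holds, or -1 if any child header is malformed or overruns the parent. */
int der_count_children(const unsigned char *content, size_t len)
{
    int count = 0;
    size_t pos = 0;
    while (pos < len) {
        struct der_tlv c;
        if (der_parse_tlv(content + pos, len - pos, &c) != 0) return -1;
        pos += c.hdr_len + c.len;      /* cannot exceed len: checked above */
        count++;
    }
    return count;
}

int main(void)
{
    /* constructed sample input: SEQUENCE { INTEGER 5, OCTET STRING "ab" } */
    static const unsigned char seq[] = {0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 0x61, 0x62};
    struct der_tlv t;
    if (der_parse_tlv(seq, sizeof seq, &t) == 0)
        printf("tag=%u constructed=%d len=%zu children=%d\n", t.tag, t.constructed,
               t.len, der_count_children(seq + t.hdr_len, t.len));
    return 0;
}
```

The point of the example is the ordering: the parser decides whether the header is complete and the claimed length fits before it hands anything to the caller, so there is never a partially built structure to free on the error path, which is where the advisory's first problem lived.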

Alerts:
EnGarde ESA-20031104-029 2003-11-04
Debian DSA-394-1 2003-10-11
Conectiva CLA-2003:759 2003-10-03
EnGarde ESA-20031003-028 2003-10-03
Tawie 2003-0001 2003-10-02
SuSE SuSE-SA:2003:043 2003-10-01
Slackware SSA:2003-273-01 2003-09-30
Mandrake MDKSA-2003:098 2003-09-30
Gentoo 200309-19 2003-10-01
Debian DSA-393-1 2003-10-01
Conectiva CLA-2003:751 2003-09-30
EnGarde ESA-20030930-027 2003-09-30
Immunix IMNX-2003-7+-022-01 2003-09-29
OpenPKG OpenPKG-SA-2003.044 2003-09-30
Red Hat RHSA-2003:292-01 2003-09-30
Red Hat RHSA-2003:291-01 2003-09-30

Comments (none posted)

webfs: buffer overflows, file and directory exposure

Package(s):webfs CVE #(s):CAN-2003-0832 CAN-2003-0833
Created:September 29, 2003 Updated:October 1, 2003
Description: Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP server for static content.

CAN-2003-0832 - When virtual hosting is enabled, a remote client could specify ".." as the hostname in a request, allowing retrieval of directory listings or files above the document root.

CAN-2003-0833 - A long pathname could overflow a buffer allocated on the stack, allowing execution of arbitrary code. In order to exploit this vulnerability, it would be necessary to be able to create directories on the server in a location which could be accessed by the web server. In conjunction with CAN-2003-0832, this could be a world-writable directory such as /var/tmp.
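
Both webfs problems are input-handling ones: a Host header used as a path component without checking that it is a hostname, and a path copied into a fixed stack buffer without checking its length. As an added example (not webfs code; the layout "<docroot>/<host>" and the function names are assumptions for this illustration), here is a C validator that accepts only conservative hostname syntax, so ".." or anything containing a separator is refused before a path is built, and that builds the resulting path with an explicit size limit instead of an unbounded copy:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept only letters, digits, '-' and '.', with non-empty labels of at
 * most 63 characters and at most 253 characters overall. This rejects
 * ".", "..", "a..b", leading/trailing dots and every path separator.
 * Returns 1 if acceptable, 0 otherwise. */
int vhost_name_ok(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253) return 0;
    size_t label = 0;
    for (size_t i = 0; i < n; i++) {
        char c = host[i];
        if (c == '.') {
            if (label == 0) return 0;      /* empty label */
            label = 0;
            continue;
        }
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-';
        if (!ok) return 0;                 /* '/', '\\', spaces, controls... */
        if (++label > 63) return 0;
    }
    return label > 0;                      /* no trailing dot */
}

/* Build "<docroot>/<host>" from a raw Host header: lower-case it, strip
 * an optional ":port", validate, and write into out (size outlen) with an
 * explicit bound. Returns 0 on success, -1 if the name is rejected or the
 * result would not fit. */
int vhost_docroot(const char *docroot, const char *host_header,
                  char *out, size_t outlen)
{
    char host[256];
    size_t i = 0;
    for (; host_header[i] && host_header[i] != ':' && i < sizeof host - 1; i++)
        host[i] = (char)tolower((unsigned char)host_header[i]);
    host[i] = '\0';
    if (host_header[i] && host_header[i] != ':') return -1;   /* too long */
    if (!vhost_name_ok(host)) return -1;
    int w = snprintf(out, outlen, "%s/%s", docroot, host);
    if (w < 0 || (size_t)w >= outlen) return -1;   /* would have overflowed */
    return 0;
}

int main(void)
{
    /* constructed sample headers: one legitimate, one a traversal attempt */
    const char *samples[] = {"Example.COM:8080", "..", "../private"};
    char path[128];
    for (int i = 0; i < 3; i++) {
        int rc = vhost_docroot("/var/www", samples[i], path, sizeof path);
        printf("%-18s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Whitelisting the hostname alphabet is simpler and easier to audit than trying to strip out the bad sequences one by one, and the size check on the final path is what the second CVE was missing.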

Alerts:
Debian DSA-392-1 2003-09-29

Comments (none posted)

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:408-00 2003-12-19
Gentoo 200308-01 2003-08-14
Debian DSA-358-4 2003-08-13
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-2 2003-08-05
Debian DSA-358-3 2003-08-04
Debian DSA-358-1 2003-07-31
EnGarde ESA-20032407-018 2003-07-24
Red Hat RHSA-2003:238-01 2003-07-21

Comments (none posted)

autorespond: buffer overflow

Package(s):autorespond CVE #(s):CAN-2003-0654
Created:August 18, 2003 Updated:September 30, 2003
Description: Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.

Alerts:
Debian DSA-373-1 2003-08-16

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:September 30, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:September 30, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2002-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04

Comments (none posted)

eroaster: insecure temporary file

Package(s):eroaster CVE #(s):CAN-2003-0656
Created:August 19, 2003 Updated:September 30, 2003
Description: A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster.

Alerts:
Gentoo 200309-04 2003-09-02
Mandrake MDKSA-2003:083 2003-08-19
Debian DSA-366-1 2003-08-05

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
SCO Group CSSA-2003-030.0 2003-11-07
Yellow Dog YDU-20030718-2 2003-07-18
Red Hat RHSA-2003:203-01 2003-07-03
Gentoo 200306-13 2003-06-25
Conectiva CLA-2003:662 2003-06-25
Mandrake MDKSA-2003:070 2003-06-23

Comments (none posted)

exim: buffer overflows

Package(s):exim exim-tls CVE #(s):CAN-2003-0743
Created:September 4, 2003 Updated:September 30, 2003
Description: A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code.

Alerts:
Gentoo 200309-09 2003-09-15
Debian DSA-376-2 2003-09-07
Conectiva CLA-2003:735 2003-09-05
Debian DSA-376-1 2003-09-04

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fdclone: insecure temporary directory

Package(s):fdclone CVE #(s):CAN-2003-0596
Created:July 23, 2003 Updated:September 30, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.
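
The fdclone entry and the eroaster entry above describe the two halves of the same mistake in a shared /tmp: reusing a directory that was already there regardless of who owns it, and creating a lock file by a path that something else may already have placed a symlink at. As an added example (my own code, not fdclone's or eroaster's; the function names and the scratch location used by the self-check are assumptions), here are the two C helpers a program should use instead: a directory creator that treats "already exists" as failure and verifies ownership and mode, and a lock-file creator that uses O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted file or symlink is never followed or clobbered:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create 'path' as a private work directory. An existing directory is NOT
 * reused: mkdir() failing with EEXIST is an error. The result is then
 * re-checked (without following symlinks) to be a directory owned by the
 * caller with no group/other permission bits. Returns 0 or -1. */
int create_private_workdir(const char *path)
{
    if (mkdir(path, 0700) != 0)
        return -1;                                    /* includes EEXIST */
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != getuid()) return -1;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) return -1;
    return 0;
}

/* Create a lock file atomically. O_EXCL makes open() fail if anything is
 * already at 'path' (a regular file or a symlink, dangling or not), and
 * O_NOFOLLOW refuses to traverse a final symlink. Returns the fd or -1. */
int create_lockfile(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Exercise both helpers in a fresh scratch directory under /tmp (assumed
 * writable). Returns 0 if every check behaved as intended, otherwise a
 * small code naming the first check that did not. */
int selfcheck(void)
{
    char scratch[] = "/tmp/lwn-tmpcheck-XXXXXX";
    if (mkdtemp(scratch) == NULL) return 1;
    char work[256], lock[256], planted[256];
    snprintf(work, sizeof work, "%s/work", scratch);
    snprintf(lock, sizeof lock, "%s/app.lock", scratch);
    snprintf(planted, sizeof planted, "%s/planted.lock", scratch);

    int rc = 0;
    if (create_private_workdir(work) != 0) rc = 2;
    else if (create_private_workdir(work) != -1) rc = 3;      /* must not reuse */

    int fd = create_lockfile(lock);
    if (rc == 0 && fd < 0) rc = 4;
    if (fd >= 0) close(fd);
    if (rc == 0 && create_lockfile(lock) != -1) rc = 5;        /* must not clobber */

    /* a symlink left at the lock path beforehand must also be refused */
    if (rc == 0 && symlink("/nonexistent/target", planted) == 0 &&
        create_lockfile(planted) != -1) rc = 6;

    unlink(planted); unlink(lock); rmdir(work); rmdir(scratch);
    return rc;
}

int main(void)
{
    int rc = selfcheck();
    printf("selfcheck: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

If the program genuinely wants a fresh directory every run rather than a fixed name, mkdtemp() as used in the self-check is the right primitive: it picks an unpredictable name and creates it with mode 0700 in one step, which removes the "already exists" case entirely.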

Alerts:
Debian DSA-352-1 2003-07-22

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gopherd: buffer overflow

Package(s):gopher CVE #(s):CAN-2003-0805
Created:September 24, 2003 Updated:September 24, 2003
Description: The University of Minnesota gopherd daemon has a set of remotely exploitable buffer overflows which can allow an attacker to execute code as the "gopher" user. Both remaining gopher servers are advised to upgrade in the near future.
Alerts:
Debian DSA-387-1 2003-09-18

Comments (3 posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

hztty: buffer overflow vulnerability

Package(s):hztty CVE #(s):CAN-2003-0783
Created:September 24, 2003 Updated:September 24, 2003
Description: hztty (a program for translating Chinese character encodings) has a pair of buffer overflow vulnerabilities which can be exploited by a local attacker. This problem is compounded on Debian systems by the fact that hztty is (unnecessarily) installed setuid root. Version 2.0-6 has the fix.
Alerts:
Debian DSA-385-1 2003-09-18

Comments (none posted)

ipmasq: insecure packet filtering rules

Package(s):ipmasq CVE #(s):CAN-2003-0785
Created:September 22, 2003 Updated:September 24, 2003
Description: ipmasq is a package which simplifies configuration of Linux IP masquerading, a form of network address translation which allows a number of hosts to share a single public IP address. Due to use of certain improper filtering rules, traffic arriving on the external interface addressed for an internal host would be forwarded, regardless of whether it was associated with an established connection. This vulnerability could be exploited by an attacker capable of forwarding IP traffic with an arbitrary destination address to the external interface of a system with ipmasq installed.
Alerts:
Debian DSA-389-1 2003-09-20

Comments (none posted)

KDE: Two issues in KDM

Package(s):kde, xfree86 CVE #(s):CAN-2003-0690 CAN-2003-0692
Created:September 16, 2003 Updated:December 19, 2003
Description: According to this advisory, two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Mandrake MDKSA-2003:118 2003-12-19
Gentoo 200311-01 2003-11-15
Debian DSA-388-1 2003-09-19
Conectiva CLA-2003:747 2003-09-19
Mandrake MDKSA-2003:091 2003-09-16
Red Hat RHSA-2003:269-01 2003-09-16

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains User Mode Linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpam-smb: exploitable buffer overflow

Package(s):libpam-smb, pam-smb CVE #(s):CAN-2003-0686
Created:August 26, 2003 Updated:September 30, 2003
Description: libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information.
Alerts:
Conectiva CLA-2003:734 2003-09-05
SuSE SuSE-SA:2003:036 2003-09-03
Gentoo 200309-01 2003-09-01
Red Hat RHSA-2003:261-01 2003-08-26
Debian DSA-374-1 2003-08-26

Comments (1 posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:September 30, 2003
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.
Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mindi: insecure file creations

Package(s):mindi CVE #(s):CAN-2003-0617
Created:September 2, 2003 Updated:September 30, 2003
Description: Mindi versions prior to 0.86 create files in /tmp insecurely, which could allow a local user to overwrite arbitrary files.
Alerts:
Gentoo 200309-05 2003-09-02
Debian DSA-362-1 2003-08-02

Comments (none posted)

mpg123 - buffer overflow

Package(s):mpg123 CVE #(s):CAN-2003-0577
Created:July 16, 2003 Updated:September 30, 2003
Description: The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Gentoo 200309-17 2003-09-30
Mandrake MDKSA-2003:078 2003-07-23
Conectiva CLA-2003:695 2003-07-15

Comments (none posted)

mysql: arbitrary code execution

Package(s):mysql CVE #(s):CAN-2003-0780
Created:September 15, 2003 Updated:October 9, 2003
Description: Frank Denis reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users are stored in the "Password" field of the "User" table, part of the "mysql" database. The passwords are hashed and stored as a 16-character hexadecimal value. Unfortunately, a function involved in password checking lacks correct bounds checking. By filling a "Password" field with a value wider than 16 characters, a buffer overflow will occur. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0780 to the problem.
Alerts:
Red Hat RHSA-2003:281-01 2003-10-09
SuSE SuSE-SA:2003:042 2003-10-01
Mandrake MDKSA-2003:094 2003-09-18
Conectiva CLA-2003:743 2003-09-18
EnGarde ESA-20030918-025 2003-09-18
Trustix 2003-0034 2003-09-17
Gentoo 200309-08 2003-09-15
OpenPKG OpenPKG-SA-2003.038 2003-09-15
Debian DSA-381-1 2003-09-13

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netris: buffer overflow

Package(s):netris CVE #(s):CAN-2003-0685
Created:August 18, 2003 Updated:September 30, 2003
Description: Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the privileges of the user running netris in client mode, if they connect to a hostile netris server.
Alerts:
Debian DSA-372-1 2003-08-16

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux nfs-utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: multiple PAM vulnerabilities in Portable OpenSSH versions 3.7p1 and 3.7.1p1

Package(s):openssh CVE #(s):
Created:September 23, 2003 Updated:October 1, 2003
Description: Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). See this advisory for details.
Alerts:
Trustix 2003-0036 2003-09-27
Slackware SSA:2003-266-01 2003-09-24
OpenPKG OpenPKG-SA-2003.042 2003-09-24
Gentoo 200309-14 2003-09-23

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSH: buffer management error

Package(s):OpenSSH CVE #(s):CAN-2003-0693
Created:September 16, 2003 Updated:September 30, 2003
Description: All versions of OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete. See the second advisory for details.
Alerts:
SCO Group CSSA-2003-027.0 2003-10-02
Debian DSA-383-2 2003-09-21
Debian DSA-382-3 2003-09-21
SuSE SuSE-SA:2003:039 2003-09-18
EnGarde ESA-20030918-024 2003-09-18
Yellow Dog YDU-20030917-1 2003-09-17
Conectiva CLA-2003:741 2003-09-17
Debian DSA-383-1 2003-09-17
Sorcerer SORCERER2003-09-17 2003-09-17
Slackware SSA:2003-260-01 2003-09-17
Red Hat RHSA-2003:279-02 2003-09-17
Mandrake MDKSA-2003:090-1 2003-09-17
Trustix 2003-0033 2003-09-17
OpenPKG OpenPKG-SA-2003.040 2003-09-17
Immunix IMNX-2003-7+-020-02 2003-09-16
Gentoo 200309-12 2003-09-16
Debian DSA-382-2 2003-09-17
SuSE SuSE-SA:2003:038 2003-09-16
Slackware SSA:2003-259-01 2003-09-16
Mandrake MDKSA-2003:090 2003-09-16
Immunix IMNX-2003-7+-020-01 2003-09-16
Debian DSA-382-1 2003-09-16
Red Hat RHSA-2003:279-01 2003-09-16
EnGarde ESA-20030916-023 2003-09-16
Conectiva CLA-2003:739 2003-09-16

Comments (none posted)

pam-pgsql: format string vulnerability

Package(s):pam-pgsql CVE #(s):CAN-2003-0672
Created:August 11, 2003 Updated:September 30, 2003
Description: Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication.
Alerts:
Debian DSA-370-1 2003-08-08

Comments (none posted)

perl: cross site scripting vulnerability in CGI.pm module

Package(s):perl CVE #(s):CAN-2003-0615
Created:July 29, 2003 Updated:September 30, 2003
Description: obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.
Alerts:
Red Hat RHSA-2003:256-02 2003-10-03
Red Hat RHSA-2003:256-01 2003-09-22
OpenPKG OpenPKG-SA-2003.039 2003-09-15
Mandrake MDKSA-2003:084 2003-08-20
Debian DSA-371-1 2003-08-11
OpenPKG OpenPKG-SA-2003.036 2003-08-06
Conectiva CLA-2003:713 2003-07-29

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:September 30, 2003
Description: Two vulnerabilities exist in the PHP mail() function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may turn a script into an open relay if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):phpgroupware CVE #(s):CAN-2003-0504 CAN-2003-0582
Created:July 16, 2003 Updated:September 30, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corporation report for more information.

Alerts:
Debian DSA-365-1 2003-08-05
Conectiva CLA-2003:703 2003-07-23
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:697 2003-07-16

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

proftpd: remote root shell

Package(s):proftpd CVE #(s):CAN-2003-0831
Created:September 24, 2003 Updated:January 2, 2004
Description: The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:
Mandrake MDKSA-2003:095-1 2003-12-31
Conectiva CLA-2003:750 2003-09-29
Gentoo 200309-16 2003-09-28
Trustix 2003-0037 2003-09-27
Mandrake MDKSA-2003:095 2003-09-26
OpenPKG OpenPKG-SA-2003.043 2003-09-25
Slackware SSA:2003-259-02 2003-09-23

Comments (2 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:September 30, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.
Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-2