
Looking back at 2003

This is the last LWN.net Weekly Edition for 2003, so this is an appropriate time to look back at the last year and ponder what has happened. As a way of maximizing our own embarrassment, we'll start with the predictions we posted at the beginning of the year and see how we did.

We predicted:

  • Governmental use of Linux would increase. Nobody can say that we missed on that one. Legislation requiring (at a minimum) proper consideration of free software in public purchasing has been introduced, and often passed, in many countries. Nations like Brazil and South Korea have committed to increasing their use of free software. Cities like Munich and Key Largo have made big jumps into free software. All this goes to show: it's easier to make correct predictions if you stick to obvious developments.

  • There would be high-profile desktop deployments. Opinions remain mixed on whether Linux is ready for serious desktop use now, but few dispute that it is getting there. Desktop Linux provides all the functionality that many users need, and it gets better every day. Big deployments have happened in many places, perhaps topped by Sun's large Linux sale in China, which could eventually add up to millions of desktop systems.

  • We predicted a major patent challenge for Linux. A big legal challenge did come in the form of the SCO suit, but patents were not involved. The stage remains set for serious patent problems in the future, perhaps coming from Microsoft's increasing interest in its patent portfolio. But 2003 wasn't the year for that.

  • We also predicted "a watershed year" in intellectual property law driven by a number of high-profile cases. Certainly a lot has happened; the Grokster and Skylink rulings went against oppressive copyright enforcement, UCITA died a well-deserved death, and, perhaps most significantly, an attempt to impose software patents on Europe was defeated - for now. On the other hand, the U.S. Supreme Court refused to limit copyright terms in the Eldred case. All told, it was not a watershed year, however; one year later, the situation is almost the same as it was before. All of the problems we had a year ago are still there.

  • The 2.6 kernel would be released. That happened, of course, though it wasn't that far from slipping into 2004. We did say it would happen late in the year.

  • We predicted a "SourceForge crisis." Some projects have moved away from SourceForge, and the site now has a donation box out to help cover its running expenses. But certainly there has been no "crisis."

  • UnitedLinux would not save all four participants; at least one of them would exit the distribution business by the end of the year. That happened, though not quite as we had envisioned: UnitedLinux member SCO is certainly out of the distribution business, and UnitedLinux itself has passed into irrelevance. We also said that MandrakeSoft would find a way to pull through and become a viable company. That appears to be happening, albeit via a period in bankruptcy proceedings.

We also missed a few things. The small resurgence in acquisitions of Linux companies (Scyld, Ximian, SUSE, Sistina) was a pleasant surprise, for the people involved if nobody else. The importance and commercial success of "enterprise Linux" distributions, along with the resulting backlash, was and is an important story for 2003. The increasing level of attacks on the community's infrastructure was an ominous development. And the SCO Group's rampage took us by surprise, along with just about everybody else.

What we didn't even bother to predict was that development would continue, the code would get better, and that Linux would continue to grow. That was too obvious even for LWN. But it happened, and will continue to happen. It is still true that the free software story is just beginning.

(Tune in during next week's break, when we will publish our predictions for 2004. We're still trying to get the crystal ball booted up properly as of this writing; contrary to some rumors, the crystal ball has not been taken down by a security compromise. Trust us).


Johansen wins round two

December 23, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

Jon Johansen received an early Christmas present from the Norwegian appeals court in Oslo. Judge Wenche Skjeggestad handed down the unanimous decision of the seven-judge panel Monday, which upheld the lower court's ruling. According to the appeals court, Johansen had done nothing wrong in the creation and distribution of the DeCSS DVD descrambling code, and Norwegian citizens are free to access content and make personal copies of legally-purchased DVDs. While many have been watching the case with interest, it still came as a surprise that the verdict, which was not expected until January, was rendered so quickly.

Johansen was charged with criminal violation of Norwegian law in 2000 for writing and publishing DeCSS. The case was set in motion after the DVD Copy Control Association (DVD CCA) and Motion Picture Association of America (MPAA) complained to the Norwegian Economic Crime Unit (Økokrim) about the distribution of DeCSS. According to the letter sent to Økokrim by the DVD CCA's lawyer, Simonsen Musæus:

DeCSS makes it possible with simple means to decrypt the encrypted audio/video-vob files on the DVD discs, and stores them on the PC's hard disk unencrypted. DeCSS also makes it possible to transmit audio/video-files over the Internet in unencrypted and unprotected form. This facilitates duplication of an unlimited number of unauthorized copies. Consequently, Jon Johansen has contributed to illegal distribution of movie files stored on DVD discs, or attempted to contribute to such illegal distribution.

However, the court noted that prosecutors had failed to prove that DeCSS had been used for copyright infringement, and that it was reasonable to make copies of DVDs for personal use. As the Electronic Frontier Foundation's Cindy Cohn noted when Johansen was first acquitted by the lower court, "It really feels like there is some sanity creeping in."

Sanity has, apparently, failed to make a stop at the MPAA. The association has rushed to condemn the Norwegian court's decision, releasing a statement that dubbed Johansen a "serial hacker" and called on the Norwegian parliament to "move quickly" to "correct this apparent weakness in Norwegian law." It is, unfortunately, also possible that Johansen's legal travails are not quite over yet. Norwegian prosecutors have two weeks to appeal the appellate court decision to Norway's supreme court.

If found guilty, Johansen could have been sentenced to two years in prison. Prosecutors, however, had asked the court for a lesser suspended sentence in the Johansen case, apparently aiming to set precedent rather than seeking to jail Johansen.

The Johansen case makes it quite clear that the entertainment industry is seeking more than a way to curtail illegal copying. While the prosecutors and the MPAA have claimed that DeCSS opens the door to copyright infringement, there is no need to decrypt DVD content to make copies of DVDs -- and no evidence that DeCSS is being used to "pirate" movies.

It is, however, necessary to use DeCSS or a similar tool to decrypt content to make use of the content legitimately on Linux or other systems that lack DVD playback software. The choices available to movie enthusiasts on Linux are somewhat unpalatable: Risk legal prosecution for creating or using tools such as DeCSS, use other operating systems to play movies on laptops and home PCs, or remain unable to watch legitimately-purchased movies on a computer at all.

The Johansen verdict is a welcome victory, but it is hardly a major one. While those in Norway may breathe easier (at least for the moment), those of us in other countries with more repressive laws still lack the legal ability to make copies of legitimately-purchased media.


Holiday cheer from the SCO Group

The SCO Group has kicked off the holiday season with a couple of new press releases, some interesting disclosures of which code it is claiming, its fourth quarter results, and, of course, the inevitable conference call. This article will look at all of the above, with an emphasis on the company's new copyright claims. Those claims look to be on shaky ground, to say the least.

We'll start with the quarterly results, as described in this press release. The company lost $1.6 million on revenue of $24.3 million. Of that, $10.3 million came from licensing agreements - all from Microsoft and Sun. It would appear that there are still no other paying licensees. In the conference call, SCO management stated that license revenue in the next quarter would be "minimal." Some direct questions were asked about just what sort of revenue was being received by other licensees, but the answers were, to put it charitably, evasive.

The more interesting part of today's activity is a view into the claims SCO plans to make in the coming months. To that end, there has been another press release, and a new letter being sent to Linux users. What the letter makes clear is that SCO now considers part of the Unix application binary interface (ABI) to be its property. Linux implements the Unix ABI, so SCO has picked out several dozen files which, it claims, violate its copyright. The full list is in the letter, but what it comes down to is each architecture's version of errno.h, signal.h, ioctl.h, plus a few others.

These include files all have the same form: they are really just long lists of #define statements assigning values to symbols. They define the various error codes returned by the kernel, the numbers associated with signals, and the numbers for ioctl() commands. Many of these numbers have nothing in common with any version of Unix, but many others do. So, if you compare the first part of the definitions in the 32V version of user.h with a 2.4 errno.h, you see:

32V version:

#define EPERM   1
#define ENOENT  2
#define ESRCH   3
#define EINTR   4
#define EIO     5
#define ENXIO   6
#define E2BIG   7
#define ENOEXEC 8
#define EBADF   9
#define ECHILD  10
#define EAGAIN  11
#define ENOMEM  12
#define EACCES  13
#define EFAULT  14
#define ENOTBLK 15
#define EBUSY   16
#define EEXIST  17
#define EXDEV   18
#define ENODEV  19
#define ENOTDIR 20
...

2.4.x version:

#define EPERM            1
#define ENOENT           2
#define ESRCH            3
#define EINTR            4
#define EIO              5
#define ENXIO            6
#define E2BIG            7
#define ENOEXEC          8
#define EBADF            9
#define ECHILD          10
#define EAGAIN          11
#define ENOMEM          12
#define EACCES          13
#define EFAULT          14
#define ENOTBLK         15
#define EBUSY           16
#define EEXIST          17
#define EXDEV           18
#define ENODEV          19
#define ENOTDIR         20
...

The 2.4 version has comments on each line which have been removed in the above listing, but, even taking those into account, there is clearly a high degree of similarity between the two. The definitions in Linux are obviously taken from older Unix systems. That is not surprising; Linux was intended to implement the same interface. Linux is not alone in having reproduced the Unix error numbers; if you look at the Minix version of errno.h, you see the same interface used. Microsoft uses the same numbers. Modern BSD systems also use the same definitions, of course. The basic Unix numbers for errors and signals have been widely reproduced, to say the least.
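The comparison above was done by eye. The following script, an added example that is not LWN's code nor anything from the kernel tree, automates it: it parses the numeric #define lines out of two header texts (stripping the per-line comments that the 2.4 file carries), reports which name/number pairs are reproduced exactly, and goes a little further than the article by also flagging the two cases that matter for binary compatibility, a symbol that kept its name but changed number, and a number that now means a different symbol. Both header excerpts are constructed for the example: the first lines follow the listing above, while EWOULDBLOCK, EDEADLK, ENOTSUP and their numbers were chosen only to exercise each comparison case and should not be read as the values in any real header.

```python
"""Compare the numeric #define constants of two C headers.

Added example, not LWN's or the kernel's code.  OLD_HEADER and NEW_HEADER are
constructed excerpts: the first five lines follow the article's 32V / 2.4
listing; the EWOULDBLOCK, EDEADLK and ENOTSUP lines are invented to exercise
the renumbered / reused / only-on-one-side cases.
"""
import re

# "#define NAME VALUE" where VALUE is a decimal, octal (leading 0) or hex literal.
DEFINE_RE = re.compile(
    r"^\s*#\s*define\s+([A-Za-z_]\w*)\s+(0[xX][0-9A-Fa-f]+|\d+)\s*$")

OLD_HEADER = """\
#define EPERM   1
#define ENOENT  2
#define ESRCH   3
#define EINTR   4
#define EIO     5
#define EWOULDBLOCK 35
#define ENOTSUP 48
"""

NEW_HEADER = """\
#define EPERM            1      /* Operation not permitted */
#define ENOENT           2      /* No such file or directory */
#define ESRCH            3      /* No such process */
#define EINTR            4      /* Interrupted system call */
#define EIO              5      /* I/O error */
#define EDEADLK         35      /* Resource deadlock would occur */
#define EWOULDBLOCK     EAGAIN  /* alias, not a literal number */
#define ENOTSUP         95      /* Operation not supported */
"""


def parse_defines(text: str) -> dict:
    """Return {NAME: int} for every #define whose value is an integer literal.

    Comments are removed first.  Macros that expand to another symbol or an
    expression ("#define EWOULDBLOCK EAGAIN") are skipped: only the literal
    numbers form part of the binary interface; aliases are resolved at
    compile time.
    """
    result = {}
    for line in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", line)   # drop /* ... */
        line = line.split("//", 1)[0]           # drop // ...
        m = DEFINE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if value.lower().startswith("0x"):
            result[name] = int(value, 16)
        elif len(value) > 1 and value[0] == "0":
            result[name] = int(value, 8)        # C octal literal
        else:
            result[name] = int(value, 10)
    return result


def compare_abi(old: dict, new: dict) -> dict:
    """Classify the constants of two headers from an ABI point of view.

    identical  -- same name and number on both sides (the bulk of errno.h)
    renumbered -- same name, different number: a binary built against one
                  header misreads results from a kernel using the other
    reused     -- same number, different name on each side
    only_old / only_new -- symbols defined on one side only
    If a header maps several names to one number, the last one listed wins
    in the reverse lookup used for "reused".
    """
    identical = {n: v for n, v in old.items() if new.get(n) == v}
    renumbered = {n: (old[n], new[n])
                  for n in old if n in new and old[n] != new[n]}
    name_for_value = {v: n for n, v in new.items()}
    reused = {v: (n, name_for_value[v]) for n, v in old.items()
              if v in name_for_value and name_for_value[v] != n}
    return {
        "identical": identical,
        "renumbered": renumbered,
        "reused": reused,
        "only_old": sorted(set(old) - set(new)),
        "only_new": sorted(set(new) - set(old)),
    }


def similarity(old: dict, new: dict) -> float:
    """Fraction of the old header's constants reproduced exactly in the new one."""
    if not old:
        return 0.0
    return len(compare_abi(old, new)["identical"]) / len(old)


if __name__ == "__main__":
    old, new = parse_defines(OLD_HEADER), parse_defines(NEW_HEADER)
    for category, entries in compare_abi(old, new).items():
        print(f"{category}: {entries}")
    print(f"identical fraction: {similarity(old, new):.2f}")
```

Pointed at two real headers (read the files instead of the embedded strings), the "identical" bucket is what the article's eyeball comparison shows; the "renumbered" and "reused" buckets are empty between Unix and Linux errno lists precisely because, as the article notes further on, those numbers cannot change without breaking existing binaries.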

If the files in question were, indeed, copied from an ancient Unix distribution, then the Linux developers have arguably violated the associated BSD license by leaving out the copyright headers. This is a copyright violation, but it is also easy to fix by simply restoring those headers. There are enough other sources for these numbers, however, that proving that they came into Linux via any particular path could be hard.

There are a couple of things that one should keep in mind, however, when evaluating SCO's new claims. One is that the copyright status of ancient Unix is uncertain at best, as has been reported many times. The judge in the BSDI case came to the conclusion that USL's chances of enforcing its copyrights were poor. SCO will not have improved those chances. Novell's recent reassertion of its claim to still own the Unix copyrights could also complicate matters for SCO.

The truly important issue, however, is that the old Unix ABI is exactly that: a well established ABI. Copyright law allows for the protection of expressions of an idea, but not the idea itself. Concepts used in an ABI, like "the number 12 means no memory is available," can be very difficult to copyright. If there is only one way to express an idea, you cannot get copyright protection for that expression. In this case, there are truly few alternatives to:

    #define ENOMEM 12

SCO will have a hard time convincing a judge anywhere that copyrights can protect this sort of code - especially given that the error names (but not the associated numbers) are part of the POSIX standard.

SCO seemingly intends to try, however - at least for as long as it takes to shake down some nervous users. To that end, the company is taking two approaches. One is to threaten anybody who distributes Linux with the offending files; that is what the letter was sent out for. From statements made in the conference call, one could conclude that SCO thinks it has users in a bind; constants like error and signal numbers cannot be changed without breaking binary applications. By claiming something that cannot be easily removed, SCO apparently hopes to inspire companies to pay up instead.

The other approach is described in the second press release: SCO is sending notices to its Unix licensees requiring them to "certify" that they are in compliance with the Unix agreement. The letter requires a long list of promises from Unix licensees, including:

The company is not running Linux binary code that was compiled from any version of Linux that contains SCO's copyrighted application binary interface code ("ABI Code") specifically identified in the attached notification letter.

It has long been clear that signing a contract with the SCO Group is a Bad Idea. The SCO Group is using its contracts to go after its customers - something which does not generally inspire those customers to buy anything else. The Unix contract is being used as a lever to force those customers to "certify" that they are not running Linux. Needless to say, at this point, few of these customers will be in a position to do that. They are now in a bit of a difficult situation; they can refuse to certify, pay SCO, or claim that Linux does not actually contain any copyrighted ABI code.

As a short-term strategy for SCO, this move must look pretty good. The use of the existing contracts in this way may well succeed in applying enough pressure to make some customers give in. None of those customers are going to appreciate this behavior, however; one would assume that many of them will decide (if they have not already) that entering into any other agreements with the SCO Group is not in their best interests. SCO is destroying whatever future business it may have still had to expedite a short-term shakedown.

A couple of other notes from the conference call are in order. It began with a statement that the call is copyrighted by SCO, and any reproduction ("in whole or in part") is prohibited. Transcripts will certainly be posted; it will be interesting to see if SCO tries to get them taken down. Analyst Dion Cornett (Decatur Jones Equity) appears to be getting a clue: he asked SCO whether it really believed it had a valid license to distribute Samba. Strangely enough, SCO's answer did not address that question at all. Finally, Darl McBride presented the SCO litigation scheme as "a model many companies will adopt" in the near future. If SCO succeeds in its attempts, that statement could well come true. The foundation of SCO's new claims appears weak at best, however. SCO is more likely to become a very different sort of example.


More SCO cheer

Since the above article was published, a few more things have happened on the SCO front...

Linus has posted a response to SCO's claims of ownership of various include files in the Linux kernel. In particular, he examines the "ctype" macros, which he wrote personally, tracing their development from very early kernels. Needless to say, he does not concur with SCO's claims in this regard.

Since then, a significant effort has been underway to find the true origins of the errno.h include file. This file, it turns out, was added in version 0.97 of the kernel; Linus has concluded that it was automatically generated from libc-2.2.2 (note that's "libc", not "glibc", which came much later). Tracking down the source for that version of the library was a challenge, but, once it turned up on an FTP site, Linus was able to verify that it was the source for errno.h. The next question would be how the error numbers and descriptions got into libc, but, as Linus says:

But it shouldn't much matter, since I don't think SCO really is going to try to claim copyright ownership of the result of standard C library interactions like using "sys_errlist[]". (I take that back - _of_course_ they are going to try to claim ownership. After all, they already claimed ownership of code I provably wrote).

In any case, errno.h was not copied from anything owned by SCO.

It is also worth looking into ancient history (October, 2003) to review a quote by SCO's spokesperson Blake Stowell:

End users have a choice. They can go back to using Linux based on the 2.2 kernel which includes no infringing code, or they can continue using SCO's UNIX code as it is being found in Linux and properly compensate the company for using it.

Files like errno.h have been in the kernel since well before 2.2, which, apparently, "includes no infringing code." Either SCO has changed its mind in the last couple of months, or it knows that this code does not actually infringe upon any copyrights owned by the SCO Group. We requested clarification from Mr. Stowell, but, predictably, got no response.

Meanwhile, SCO has announced the abrupt departure of Steve Cakebread from its board of directors, ostensibly due to "personal time constraints." We note (thanks to a pointer from Don Marti) that Mr. Cakebread's day job is Chief Financial Officer at Salesforce.com, which is a heavily Linux-based application service provider. Could it be that Salesforce.com got a shakedown letter from SCO, and has given its response?

SCO's offices are, apparently, shutting down for the holidays. Expect more interesting developments in January after they return to work and, according to the Monday conference call, set a significantly larger staff on the task of shaking money out of Linux users.


Interview: Public Patent Foundation's Dan Ravicher

December 23, 2003

By Pamela Jones, Editor of Groklaw

While the SCO saga is absorbing our attention in the short term, many are concerned about software patents and they worry that the real test for GNU/Linux will be in the future, from patent lawsuits. There have been numerous patents granted that to programmers seem to have been wrongly issued. The Amazon One Click patent springs to mind. Now Microsoft has announced it will be charging for use of the FAT filesystem, and that too makes some worry.

The Public Patent Foundation has recently been established for the purpose, as its web site puts it, of protecting "civil liberties and free markets from wrongly issued patents and unsound patent policy by providing those persons and businesses otherwise economically, politically, and socially deprived of access to the system governing patents with representation, advocacy and education."

Dan Ravicher is the patent attorney -- and programmer, incidentally -- who started PubPat, and he is its Executive Director. He says he is looking into the Microsoft FAT patents situation, and that PubPat is currently reviewing about a hundred pieces of prior art which were not reviewed by the examiner. Dan was kind enough to answer the following questions about patents and the work his organization is doing to educate the public and counter patent abuses.

What made you decide to start your foundation and can you tell us what it does?

The patent system is being abused by private actors to the detriment of the mostly unaware public. Our health, our freedom, and our economic prosperity are all under assault from bogus rights meted out to the few with the power and expertise to game a system originally established hundreds of years ago to promote progress within society as a whole. The government, through primarily a captured patent office utterly failing to achieve its mission and skewed policies implemented into patent law by Congress and the courts, is not just failing to defend the public interest from abuse of the patent system, but is complicit in and supportive of such efforts.

In information technology industries, abuse of the patent system means illicit restraint of civil liberties and unjustified disproportionate burdening of small businesses. In life science industries, abuse of the patent system has even more devastating results, including the exacerbation of pain and suffering by those who cannot afford medical technologies covered by undeserved patents. This situation is abhorrent and the Public Patent Foundation is beginning a campaign against such abuses.

PubPat's four core activities are (1) challenging patents that threaten the public's health, freedom, or other interests, (2) helping small businesses defend themselves from patents being asserted against them, (3) establishing patent commons within markets crippled by patent thickets, and (4) educating the public regarding these issues and advocating for reform of the patent system.

If you plan on contesting any patents, can you tell us what patents you have in mind currently? And what would the process involve, from your standpoint?

At the moment we have under consideration several patents, including Microsoft's FAT patents, the Optima patent on CD burning, and a patent on co-transformation and protein production. Upon completing our review, there are many ways to neutralize the harmful effects of a patent, including asking the Patent Office to revoke it and publicizing ways to avoid infringing it.

To expand on one of the examples above, the Microsoft FAT patents are part of Microsoft's first attempt at building a licensing line of business akin to the one rolled out by IBM several decades ago. This causes concern for us because Microsoft is an admitted monopolist with a proven track record of driving competition from various markets through any mechanism available to it. They may now be focussing on patents as yet another avenue to foreclose competition, including specifically that from free software.

Beyond these atmospheric concerns, our analysis of the FAT patents has produced a substantial amount of prior art that was not before the patent office when it issued those patents to Microsoft. For a company with a nefarious past to be seeking revenue for patents that very likely did not deserve to be issued is a malign scenario indeed. PubPat intends to ensure that the public's interest in being protected from such behavior is properly represented.

Should there be software patents at all?

Many feel passionately about this issue. As an empiricist, I infrequently speak in categorical broad-brush terms unless presented with sound data and analysis to support a particular conclusion. With respect to software patents, everyone can agree that none which fail to meet the requirements of novelty and unobviousness should be granted or maintained. Beyond that, I have grave concerns about the lengthy term of patents being applied to technologies with short life cycles, especially those with life cycles shorter than the term of the patent. Such patented technologies never provide a public benefit, because by the time the patent expires, the technology is no longer useful.

One thing the Public Patent Foundation is doing is compiling the data and performing the analysis I mentioned above, so that all reasonable persons can be presented with evidence supporting or condemning the policy decision made by the courts that "anything under the sun made by man" is patent eligible.

What is a "wrongly issued patent"? Should patents only be issued for a demonstrable, produced invention?

A patent can be "wrongly issued" for several reasons, including that the patent office was not aware of significant prior art during the examination process or that the patent office simply made the wrong conclusion regarding whether or not the patented technology was new and unobvious. I'm unsure what you mean by "demonstrable, produced invention", but the current standards of novelty, non-obviousness, and reduction to practice are good standards. The problem arises from either a lack of evidence on which to base a judgment as to whether something is new, unobvious, and reduced to practice, or a lack of competency in making those judgments.

Should the inventor state/swear that they intend to use the patent?

Many countries have patent laws that force a patentee to exploit her invention, else it becomes subject to a compulsory license at a minimum royalty rate. Such a rule is better than what we have in the United States, which does not require exploitation of patented technology. At the same time, however, such a shift may penalize small businesses who may not have access to the resources necessary to exploit a certain technology. Such small player patentees would have their leverage in negotiating a license with a larger competitor undercut by the statutory compulsory license.

It seems like many patents these days involve "good ideas" which are never implemented by the patent holder. Should "inventors" of software and/or business methods be required to provide evidence that they've made the system work before a patent is granted?

Patent law requires a patent applicant to reduce the patented technology to practice prior to applying for the patent; else any patent resulting from the application is invalid. To reduce a technology to practice, the patent applicant must either actually create the technology or describe it in such detail that one of ordinary skill in the art with the requisite resources could create the technology without undue experimentation. For instance, if you invent a time machine, but can't afford to make it, you can still get a patent so long as you tell others how to make it with sufficient detail such that they can successfully make the time machine at least 70-75% of the time. If, however, your instructions are insufficient for one of ordinary skill in the art with requisite resources to create the patented technology at least about 2/3rds of the time, then your patent is invalid for what is called "lack of enablement."

What about patents granted for obvious methods and technology? Should a patent be more than a unique design of a commonplace item such as a document or file?

The law requires a patented technology to be both new and unobvious. The crux of your question resides in defining the term "unique." If something is "unique" enough that those of ordinary skill in the relevant art recognize it as being a new and unobvious technology, then current patent policy suggests rewarding the publication of that technology with a patent. Otherwise, the developer will keep the technology secret and other members of society will not be able to learn from and improve upon it.

What is the international impact of American patent law on world business?

First, half of the world's economy takes place in the U.S. That fact alone means that U.S. patent law directly regulates half of all the world's business. Second, through international treaties, many of the policies of U.S. patent law have been adopted and implemented by other countries. This results in regulation of business wholly outside the U.S. closely mimicking the regulation of business within the U.S.

Computers are extensions of the human brain; computer storage is an extension of human reading and writing; electronic communication is an extension of the human voice. How do you feel about patents which use computers to do things that humans have been doing for millennia?

A patent cannot cover pure functionality; else it is invalid for indefiniteness. Rather, a patent can only cover specific structure used to accomplish a particular function. As such, it is only the structure that is patented, not the resulting function. Many people misunderstand this very important facet of patent law because sometimes, especially for the most publicized patents, the structure covered by the patent is the only known structure for accomplishing the particular function. This leads people to assume that the function itself is patented, which is not the case. Designing around patents is highly encouraged in patent law, and someone else is free to learn from the patent and come up with different structure for accomplishing the same, or a substitutable, function.

If a patented technology accomplishes a very old function, but with structure that is new and unobvious, then that satisfies the requirements for patentability. Further, one may need to recognize that functions are not necessarily the same simply because their result is the same. For instance, few humans can do in a day (week, year) the complex calculations machines do today in mere nanoseconds. The function, in that case, is not getting the answer; it is getting the answer in virtual real time, which is something that humans have never done.

Do you feel that public discussion should be allowed before a patent is granted?

Public comment on patent applications prior to issue is an idea with some merit. Such is the law in many foreign countries, and recently the patent office abolished its prohibition on receiving third party correspondence regarding patent applications. However, if the process of pre-issuance public discussion includes a mechanism for third parties to delay the patent application from issuing, that mechanism might become unjustifiably abused and manipulated, particularly by larger corporations who can afford to "hold up" a smaller company's "crown jewel patent."


Page editor: Jonathan Corbet

Security

Security news

Linux security in 2003

Here in the free software world, we had no shortage of security problems in 2003. Vulnerabilities were announced in many packages, including (but not limited to) apache (several), balsa, bind, bugzilla, cdrecord, cfengine, cron, cups, cvs, ethereal (many), evolution, exim, fetchmail (many), fileutils, gdm, ghostscript, glibc, gnupg, gzip, hylafax, inetd, iproute, KDE, kerberos, kernel (several), lprng, lsh, lynx, mailman, man, mozilla, mpg123, mplayer, mutt, MySQL, openssh, openssl (several), perl, pine, PHP, postfix, PostgreSQL, proftpd, python, rsync, samba, screen, sendmail, snort, stunnel, sudo, tcpdump, vim, webmin, wget, wu-ftpd, xchat, XFree86, xinetd, xpdf, and zlib. All told, 304 entries were added to LWN's vulnerability database in 2003. Needless to say, that is far too many - and it does not count all of the problems which were silently fixed without going through a security alert process. As a community, we have to strive to do better in 2004. For all that we believe Linux and free software are more secure, there is no doubt that they are not, yet, secure enough.

The truly worrisome security trend in 2003, however, is the increasing level of attacks on the community's infrastructure. Servers were compromised at the GNU Project (twice) and the Debian Project (multiple servers in one incident). A mirror server for the Gentoo distribution was also broken into. There was also a compromise of the kernel's CVS server and an attempt to insert a trojan horse into the kernel itself. None of these attacks ended up with compromised code being made available to users, but most of them could have been exploited in that way.

Maybe these are all just random attacks (though an attempt to trojan the kernel can only be so random), or maybe somebody is making an attempt to mess with the server structure which holds this community together. Either way, chances are that, eventually, one of these attacks will succeed in causing serious damage, far beyond the service disruptions and lost time we have seen so far. The real lesson from 2003 is that there really are people out there with evil intent, and they are looking our way.

New vulnerabilities

ethereal: protocol dissector and other vulnerabilities

Package(s):ethereal CVE #(s):CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013
Created:December 18, 2003 Updated:February 13, 2004
Description: Serious issues have been discovered in two ethereal protocol dissectors. Both vulnerabilities will make the Ethereal application crash. The Q.931 vulnerability also affects Tethereal. It is not known if either vulnerability can be used to make Ethereal or Tethereal run arbitrary code. (CAN-2003-1012 and CAN-2003-1013)
Alerts:
Fedora FEDORA-2003-040 2003-12-18
Debian DSA-407-1 2004-01-05
Red Hat RHSA-2004:001-01 2004-01-07
Conectiva CLA-2004:801 2004-01-07
Mandrake MDKSA-2004:002 2004-01-13
Red Hat RHSA-2004:002-01 2004-01-05
Fedora-Legacy FLSA:1193 2004-01-31
Whitebox WBSA-2004:002-01 2004-02-12

irssi: remote denial of service

Package(s):irssi CVE #(s):
Created:December 23, 2003 Updated:December 23, 2003
Description: Versions of irssi prior to 0.8.9 have a remotely exploitable denial of service vulnerability - but only on non-x86 systems.
Alerts:
Mandrake MDKSA-2003:117 2003-12-18

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:238-01 2003-07-21
EnGarde ESA-20032407-018 2003-07-24
Debian DSA-358-1 2003-07-31
Debian DSA-358-3 2003-08-04
Debian DSA-358-2 2003-08-05
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-4 2003-08-13
Gentoo 200308-01 2003-08-14
Red Hat RHSA-2003:408-00 2003-12-19

CUPS: denial of service

Package(s):CUPS CVE #(s):CAN-2003-0788
Created:November 3, 2003 Updated:March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Red Hat RHSA-2003:275-01 2003-11-03
Mandrake MDKSA-2003:104 2003-11-05
Conectiva CLA-2003:779 2003-11-07
SCO Group CSSA-2004-012.0 2004-03-03

Net-SNMP: security bugs in versions before 5.0.9

Package(s):Net-SNMP CVE #(s):CAN-2003-0935
Created:December 2, 2003 Updated:February 13, 2004
Description: The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.

Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs.

Alerts:
Red Hat RHSA-2003:335-01 2003-12-02
Mandrake MDKSA-2003:115 2003-12-11
Red Hat RHSA-2004:023-01 2004-01-15
Whitebox WBSA-2004:023-01 2004-02-12

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

apache: buffer overflows in mod_alias, mod_rewrite

Package(s):apache CVE #(s):CAN-2003-0542 CAN-2003-0789
Created:October 28, 2003 Updated:February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver. These occurred if a regular expression with more than 9 capturing parentheses was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf). (CAN-2003-0542)

Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. CAN-2003-0789.
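The mechanism behind the mod_alias/mod_rewrite overflow above (CAN-2003-0542), as an added illustration in C that is not Apache's code: a fixed ten-slot match table ($0 to $9) filled from a regex whose group count the configuration controls, with the flawed call shown beside two defensive fixes (reject at configuration time, or clamp at match time). The AP_MAX_REG_MATCH name and the sample patterns are constructed for this example.

```c
#include <regex.h>
#include <stddef.h>

/* Fixed back-reference table: slot 0 is the whole match, slots 1..9 the groups. */
#define AP_MAX_REG_MATCH 10

/* Shape of the flaw (reconstructed for illustration, never called here): the
 * table is a fixed array, but regexec() is asked to fill re_nsub + 1 slots.
 * A configured regex with more than nine groups makes it write past 'm'. */
int backrefs_unsafe(const char *pattern, const char *subject) {
    regex_t re;
    regmatch_t m[AP_MAX_REG_MATCH];
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return -1;
    size_t nmatch = re.re_nsub + 1;               /* may exceed the table */
    int rc = regexec(&re, subject, nmatch, m, 0); /* writes past m[] if so */
    regfree(&re);
    return rc == 0 ? (int)nmatch : 0;
}

/* Fix 1: refuse the regex when the configuration file is read.
 * Returns 1 if the pattern compiles and fits the table, 0 otherwise. */
int regex_config_ok(const char *pattern) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return 0;
    int ok = re.re_nsub + 1 <= AP_MAX_REG_MATCH;
    regfree(&re);
    return ok;
}

/* Fix 2: never request more slots than the table holds. Returns the number of
 * slots filled ($0 plus groups, at most AP_MAX_REG_MATCH), 0 on no match,
 * -1 if the pattern does not compile. */
int backrefs_safe(const char *pattern, const char *subject) {
    regex_t re;
    regmatch_t m[AP_MAX_REG_MATCH];
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return -1;
    size_t nmatch = re.re_nsub + 1;
    if (nmatch > AP_MAX_REG_MATCH) nmatch = AP_MAX_REG_MATCH;   /* clamp */
    int rc = regexec(&re, subject, nmatch, m, 0);
    regfree(&re);
    return rc == 0 ? (int)nmatch : 0;
}

/* Constructed inputs: a RewriteRule-style regex with twelve groups (more than
 * the table holds) and a legitimate one with three. */
static const char *PAT_12 = "^(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)(l)$";
static const char *PAT_3  = "^/([^/]+)/([^/]+)/([^/]+)$";
```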

Alerts:
OpenPKG OpenPKG-SA-2003.046 2003-10-28
Immunix IMNX-2003-7+-025-01 2003-10-28
Gentoo 200310-04 2003-10-31
Mandrake MDKSA-2003:103 2003-11-03
EnGarde ESA-20031105-030 2003-11-05
Slackware SSA:2003-308-01 2003-11-03
Conectiva CLA-2003:775 2003-11-05
Trustix 2003-0041 2003-11-15
Gentoo 200310-03 2003-10-28
Red Hat RHSA-2003:360-01 2003-12-10
Red Hat RHSA-2003:320-01 2003-12-16
Red Hat RHSA-2003:405-00 2003-12-18
Fedora FEDORA-2003-004 2004-01-08
Whitebox WBSA-2004:015-01 2004-02-12

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Mandrake MDKSA-2003:096 2003-09-26
Mandrake MDKSA-2003:096-1 2003-10-24
Netwosix NW-2004-0006 2004-03-25
Gentoo 200403-04 2004-03-22

bind: cache poisoning

Package(s):bind CVE #(s):CAN-2003-0914
Created:November 26, 2003 Updated:February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.
Alerts:
EnGarde ESA-20031126-031 2003-11-26
Immunix IMNX-2003-7+-024-01 2003-10-27
Trustix 2003-0044 2003-11-27
SuSE SuSE-SA:2003:047 2003-11-28
Debian DSA-409-1 2004-01-05
SCO Group CSSA-2004-003.0 2004-02-19

cvs: unauthorized file creation

Package(s):cvs CVE #(s):
Created:December 9, 2003 Updated:December 17, 2003
Description: Stable CVS 1.11.10 has been released, fixing a security issue with no known exploits (as of this writing) that could cause previous versions of CVS to attempt to create files and directories in the filesystem root. This release also fixes several issues relevant to case insensitive filesystems and some other bugs.
Alerts:
Mandrake MDKSA-2003:112 2003-12-08
Mandrake MDKSA-2003:112-1 2003-12-10
Gentoo 200312-04 2003-12-08
Slackware SSA:2003-345-01 2003-12-11
OpenPKG OpenPKG-SA-2003.052 2003-12-17

ethereal: multiple remote and local vulnerabilities

Package(s):ethereal CVE #(s):CAN-2003-0925 CAN-2003-0926 CAN-2003-0927
Created:November 10, 2003 Updated:December 17, 2003
Description: Multiple vulnerabilities have been found in ethereal versions below 0.9.16. Remote attackers can craft packets, and local users can build corrupt trace files, resulting in denial of service and remote code execution.
Alerts:
Conectiva CLA-2003:780 2003-11-07
Red Hat RHSA-2003:323-01 2003-11-10
Gentoo 200311-04 2003-11-22
Fedora FEDORA-2003-022 2003-11-25
Mandrake MDKSA-2003:114 2003-12-10

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
Mandrake MDKSA-2003:101 2003-10-16
Slackware SSA:2003-300-02 2003-10-22
SCO Group CSSA-2004-004.0 2004-02-19
Netwosix NW-2004-0002 2004-02-20
Gentoo 200403-10 2004-03-30
OpenPKG OpenPKG-SA-2004.012 2004-04-08

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
Conectiva CLA-2003:768 2003-10-22
Conectiva CLA-2003:771 2003-10-24
Immunix IMNX-2003-7+-026-01 2003-10-31
Red Hat RHSA-2003:309-01 2003-11-03
Mandrake MDKSA-2003:106 2003-11-12
Trustix 2003-0042 2003-11-15
SCO Group CSSA-2004-006.0 2004-03-01

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).
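An added example in C (not glibc's or BIND's code) of the distinction the advisory draws: a bounds-checked walk over a DNS response whose limit is the byte count actually received, run over a constructed, truncated response first with the received length and then with the buffer size a flawed resolver would have used. The NS_MAXPACKET name and the sample response bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NS_MAXPACKET 512   /* classic UDP DNS payload size: the wrong limit to parse with */

/* Read a big-endian 16-bit field at *pos, refusing to cross 'end'. */
static int get16(const uint8_t *m, size_t end, size_t *pos, uint16_t *v) {
    if (*pos + 2 > end) return -1;
    *v = (uint16_t)((m[*pos] << 8) | m[*pos + 1]);
    *pos += 2;
    return 0;
}

/* Skip a possibly compressed domain name without reading past 'end'. */
static int skip_name(const uint8_t *m, size_t end, size_t *pos) {
    size_t p = *pos;
    for (;;) {
        if (p >= end) return -1;
        uint8_t l = m[p];
        if (l == 0) { p += 1; break; }                          /* root label ends the name */
        if ((l & 0xC0) == 0xC0) { if (p + 2 > end) return -1; p += 2; break; } /* pointer */
        if (l & 0xC0) return -1;                                /* reserved label type */
        p += 1 + l;
    }
    *pos = p;
    return 0;
}

/* Walk the question and answer sections. 'len' must be the byte count the
 * socket actually returned; every field is checked against it before it is
 * read. Returns 0 if all announced answers are complete, -1 if the message is
 * truncated or malformed; *answers receives the count of complete answer RRs. */
int dns_walk_answers(const uint8_t *m, size_t len, int *answers) {
    size_t pos = 0;
    uint16_t hdr[6];   /* ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */
    *answers = 0;
    for (int i = 0; i < 6; i++)
        if (get16(m, len, &pos, &hdr[i])) return -1;
    for (int i = 0; i < hdr[2]; i++) {                          /* questions */
        uint16_t t, c;
        if (skip_name(m, len, &pos) || get16(m, len, &pos, &t) || get16(m, len, &pos, &c)) return -1;
    }
    for (int i = 0; i < hdr[3]; i++) {                          /* answers */
        uint16_t t, c, rdlen;
        if (skip_name(m, len, &pos) || get16(m, len, &pos, &t) || get16(m, len, &pos, &c)) return -1;
        if (len - pos < 4) return -1;                           /* TTL */
        pos += 4;
        if (get16(m, len, &pos, &rdlen) || rdlen > len - pos) return -1; /* RDATA all present? */
        pos += rdlen;
        (*answers)++;
    }
    return 0;
}

/* Constructed response for example.com: ANCOUNT announces two A records, but
 * the second RDATA is cut off after two bytes (59 bytes arrived, 61 expected). */
static const uint8_t SAMPLE[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0,                      /* header */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,     /* question: A IN */
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 93,184,216,34,             /* answer 1 */
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 93,184                     /* answer 2, truncated */
};

/* The fix: parse with the received length. Returns -1: truncation detected. */
int answers_using_actual_length(void) {
    int n;
    return dns_walk_answers(SAMPLE, sizeof SAMPLE, &n) == 0 ? n : -1;
}

/* The flaw: the same bytes sit in a NS_MAXPACKET buffer and the parser is told
 * the buffer size. It takes the padding as the missing RDATA and reports two
 * complete answers, the second one bogus. Here the padding is zeroed; in the
 * affected resolvers it was whatever lay past the message, which is how the
 * read past the boundary and the crash the advisory describes come about. */
int answers_using_buffer_size(void) {
    uint8_t buf[NS_MAXPACKET];
    int n;
    memset(buf, 0, sizeof buf);
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    return dns_walk_answers(buf, sizeof buf, &n) == 0 ? n : -1;   /* returns 2 */
}
```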

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

GnuPG: ElGamal signing keys compromised

Package(s):gnupg CVE #(s):CAN-2003-0971
Created:November 28, 2003 Updated:March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
Mandrake MDKSA-2003:109 2003-11-28
SuSE SuSE-SA:2003:048 2003-12-03
Conectiva CLA-2003:798 2003-12-09
Red Hat RHSA-2003:390-01 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Fedora FEDORA-2003-025 2003-12-10
Gentoo 200312-05 2003-12-12
Debian DSA-429-1 2004-01-26
Debian DSA-429-2 2004-02-13
SCO Group CSSA-2004-009.0 2004-03-02

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Red Hat RHSA-2003:316-01 2003-11-24
Gentoo 200404-10 2004-04-09
Debian DSA-492-1 2004-04-18
Fedora FEDORA-2004-115 2004-05-11
Fedora FEDORA-2004-154 2004-06-03
Mandrake MDKSA-2004:148 2004-12-13

KDE: Two issues in KDM

Package(s):kde, xfree86 CVE #(s):CAN-2003-0690 CAN-2003-0692
Created:September 16, 2003 Updated:December 19, 2003
Description: According to this advisory two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Red Hat RHSA-2003:269-01 2003-09-16
Mandrake MDKSA-2003:091 2003-09-16
Conectiva CLA-2003:747 2003-09-19
Debian DSA-388-1 2003-09-19
Gentoo 200311-01 2003-11-15
Mandrake MDKSA-2003:118 2003-12-19

kernel: local root exploit in 2.4.22

Package(s):kernel CVE #(s):CAN-2003-0961
Created:December 1, 2003 Updated:April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-403-1 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Trustix 2003-0046 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Slackware SSA:2003-336-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Red Hat RHSA-2003:389-01 2003-12-01
Yellow Dog YDU-20031203-1 2003-12-03
SuSE SuSE-SA:2003:049 2003-12-04
Gentoo 200312-02 2003-12-04
Conectiva CLA-2003:796 2003-12-05
Red Hat RHSA-2003:368-01 2003-12-19
Debian DSA-423-1 2004-01-15
Debian DSA-433-1 2004-02-04
Debian DSA-442-1 2004-02-19
Debian DSA-470-1 2004-04-01
Debian DSA-475-1 2004-04-05

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

lftp buffer overflows

Package(s):lftp CVE #(s):CAN-2003-0963
Created:December 15, 2003 Updated:February 13, 2004
Description: According to this advisory versions of lftp prior to 2.6.10 are vulnerable to two exploitable buffer overflow problems. Both occur when you connect to a web server with lftp using HTTP or HTTPS, and then use lftp's "ls" or "rels" commands on specially prepared directories on the web server.
Alerts:
Slackware SSA:2003-346-01 2003-12-12
Immunix IMNX-2003-73-002-01 2003-12-09
SuSE SuSE-SA:2003:051 2003-12-15
Fedora FEDORA-2003-034 2003-12-15
Mandrake MDKSA-2003:116 2003-12-15
Red Hat RHSA-2003:403-01 2003-12-16
Red Hat RHSA-2003:404-01 2003-12-16
OpenPKG OpenPKG-SA-2003.053 2003-12-17
Gentoo 200312-07 2003-12-16
Debian DSA-406-1 2004-01-05
Conectiva CLA-2004:800 2004-01-06
Whitebox WBSA-2003:404-01 2003-12-17

libnids: remotely exploitable buffer overflow

Package(s):libnids CVE #(s):CAN-2003-0850
Created:October 29, 2003 Updated:January 6, 2004
Description: libnids (a NIDS plugin which emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem.
Alerts:
Conectiva CLA-2003:773 2003-10-29
Gentoo 200311-07 2003-11-22
Debian DSA-410-1 2004-01-05

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
Conectiva CLA-2003:781 2003-11-12
Debian DSA-435-1 2004-02-06
SCO Group CSSA-2004-002.0 2004-02-19

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Gentoo 200309-15 2003-09-27
Mandrake MDKSA-2003:097 2003-09-30
Conectiva CLA-2003:760 2003-10-06
Gentoo 200403-13 2004-03-31
Mandrake MDKSA-2004:026 2004-04-05

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Debian DSA-363-1 2003-08-03
Red Hat RHSA-2003:251-01 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Conectiva CLA-2003:717 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
Trustix 2003-0029 2003-08-04
Mandrake MDKA-2004:028 2004-05-26

proftpd: remote root shell

Package(s):proftpd CVE #(s):CAN-2003-0831
Created:September 24, 2003 Updated:January 2, 2004
Description: The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:
Slackware SSA:2003-259-02 2003-09-23
OpenPKG OpenPKG-SA-2003.043 2003-09-25
Mandrake MDKSA-2003:095 2003-09-26
Trustix 2003-0037 2003-09-27
Gentoo 200309-16 2003-09-28
Conectiva CLA-2003:750 2003-09-29
Mandrake MDKSA-2003:095-1 2003-12-31

rsync - remotely exploitable heap overflow

Package(s):rsync CVE #(s):CAN-2003-0962
Created:December 4, 2003 Updated:March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
Slackware SSA:2003-337-01 2003-12-03
Trustix 2003-0048 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
Debian DSA-404-1 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Gentoo 200312-03 2003-12-04
Conectiva CLA-2003:794 2003-12-04
Fedora FEDORA-2003-030 2003-12-04
Red Hat RHSA-2003:398-01 2003-12-04
Red Hat RHSA-2003:399-01 2003-12-04
Mandrake MDKSA-2003:111 2003-12-04
Immunix IMNX-2003-73-001-01 2003-12-05
SCO Group CSSA-2004-010.0 2004-03-02

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
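Added example, not saned's code: a length-prefixed string reader over a simulated connection that handles the saned failure modes listed above (a dropped connection detected late, a malloc driven by a size that never arrived or is absurd, unterminated strings, unchecked RPC numbers). The 4-byte big-endian length prefix, the MAX_STRING_LEN cap and the NUM_RPC_CODES table size are assumptions for the example, not saned's actual wire format or limits.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_LEN 4096u   /* cap on any string a client may send (assumed) */
#define NUM_RPC_CODES  14      /* size of the RPC dispatch table (assumed) */

/* Simulated connection: the bytes received so far and a read cursor. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } wire_t;

/* Read exactly n bytes. A dropped connection (not enough bytes) is reported at
 * once instead of letting callers walk past the wire buffer (CAN-2003-0774). */
static int wire_read(wire_t *w, void *dst, size_t n) {
    if (n > w->len - w->pos) return -1;
    memcpy(dst, w->data + w->pos, n);
    w->pos += n;
    return 0;
}

static int wire_read_u32(wire_t *w, uint32_t *v) {
    uint8_t b[4];
    if (wire_read(w, b, 4) != 0) return -1;
    *v = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    return 0;
}

/* Validate the RPC number before reading its parameters (CAN-2003-0776).
 * Returns 0 ok, -1 connection dropped, -2 unknown RPC number. */
int wire_read_rpc_code(wire_t *w, uint32_t *code) {
    if (wire_read_u32(w, code) != 0) return -1;
    return *code < NUM_RPC_CODES ? 0 : -2;
}

/* Read a length-prefixed string. Returns 0 ok, -1 connection dropped,
 * -2 length rejected, -3 out of memory. On success *out is NUL-terminated
 * and owned by the caller; on failure *out is NULL. */
int wire_read_string(wire_t *w, char **out) {
    uint32_t len;
    *out = NULL;
    /* If the size never arrives, stop here rather than calling malloc() with
     * whatever the length variable happened to hold (CAN-2003-0775). */
    if (wire_read_u32(w, &len) != 0) return -1;
    /* Refuse sizes no legitimate client would send (CAN-2003-0778). */
    if (len == 0 || len > MAX_STRING_LEN) return -2;
    char *buf = malloc((size_t)len + 1);
    if (buf == NULL) return -3;
    if (wire_read(w, buf, len) != 0) { free(buf); return -1; }  /* dropped mid-string */
    buf[len] = '\0';   /* terminate before anything logs or prints it (CAN-2003-0777) */
    *out = buf;
    return 0;
}

/* Demonstrations over constructed wire captures; each returns the status code
 * (demo_good_string returns 1 when the string round-trips). */
int demo_good_string(void) {
    static const uint8_t cap[] = { 0,0,0,5, 'h','e','l','l','o' };
    wire_t w = { cap, sizeof cap, 0 };
    char *s;
    int ok = wire_read_string(&w, &s) == 0 && strcmp(s, "hello") == 0;
    free(s);
    return ok;
}
int demo_dropped_before_size(void) {            /* only 2 of the 4 size bytes arrived */
    static const uint8_t cap[] = { 0,0 };
    wire_t w = { cap, sizeof cap, 0 }; char *s;
    return wire_read_string(&w, &s);            /* -1 */
}
int demo_absurd_size(void) {                    /* a 4 GiB string is announced */
    static const uint8_t cap[] = { 0xFF,0xFF,0xFF,0xFF };
    wire_t w = { cap, sizeof cap, 0 }; char *s;
    return wire_read_string(&w, &s);            /* -2 */
}
int demo_dropped_mid_string(void) {             /* 10 bytes announced, 2 delivered */
    static const uint8_t cap[] = { 0,0,0,10, 'a','b' };
    wire_t w = { cap, sizeof cap, 0 }; char *s;
    return wire_read_string(&w, &s);            /* -1 */
}
int demo_unknown_rpc(void) {                    /* RPC number 99, outside the table */
    static const uint8_t cap[] = { 0,0,0,99 };
    wire_t w = { cap, sizeof cap, 0 }; uint32_t code;
    return wire_read_rpc_code(&w, &code);       /* -2 */
}
```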
Alerts:
Debian DSA-379-1 2003-09-11
Red Hat RHSA-2003:278-01 2003-10-07
Mandrake MDKSA-2003:099 2003-10-09
Conectiva CLA-2003:769 2003-10-22
SuSE SuSE-SA:2003:046 2003-11-18
SCO Group CSSA-2004-005.0 2004-02-19

screen: privilege escalation

Package(s):screen CVE #(s):CAN-2003-0972
Created:November 28, 2003 Updated:March 3, 2004
Description: According to this advisory a buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or getting control of another user's screen. The problem is that you have to transfer around 2-3 gigabytes of data to the user's screen to exploit this vulnerability. 4.0.1, 3.9.15 and older versions are vulnerable.

Alerts:
OpenPKG OpenPKG-SA-2003.050 2003-11-28
Mandrake MDKSA-2003:113 2003-12-08
Debian DSA-408-1 2004-01-05
Conectiva CLA-2004:809 2004-01-20
Fedora-Legacy FLSA:1187 2004-01-26
SCO Group CSSA-2004-011.0 2004-03-02

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April