
LWN.net Weekly Edition for January 15, 2004

Open Source in Politics

January 12, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Two of the Democratic candidates for president have announced open source efforts to help their campaigns. Howard Dean's campaign has launched DeanSpace, a software package for running websites for Dean supporters. Wesley Clark's campaign recently announced the creation of Clark's TechCorps, which is supposed to provide "a framework for involving open source software developers in the Clark campaign."

Since both campaigns are boasting their use of open source, we decided we should get in touch with the Clark and Dean campaigns to see where they stand on open source and related issues. The high-profile usage of open source by the Dean and Clark campaigns may have given the open source community the impression that 2004 might be "the year" that open source and tech issues will become a high profile issue in election-year debates. It might also cause people to get the impression that both candidates are staunch supporters of open source usage.

Unfortunately, that doesn't seem to be the case. We managed to get in touch with representatives from both campaigns, to find out if their use of open source would translate into advocating open source in government, and saner policies regarding technology. We also wanted to get a lead on their positions on other issues, such as software patents and the Digital Millennium Copyright Act (DMCA). Due to the rigors of the campaign trail, neither candidate was personally available for questions.

We first spoke with Josh Lerner, who is the director of technology for the Clark campaign. Lerner said that they have "no bias in favor of, for or against any particular model, we can't afford to be religious about it." Lerner said that the Clark campaign had decided to use open source out of "expedience."

We didn't have the time to do a lot of evaluation of software, you go with what works. The OS and tools and all that stuff just works for the most part... we are [also] using proprietary software where it makes sense.

According to Lerner, Clark is "putting together a bunch of heavy-weight technology people" to form a policy on technology use in government. At this time, however, Clark has not yet put forth an official policy on tech issues and it may be some time before any policies are forthcoming. We also asked Lerner if he thought that these issues would play a big part in the upcoming election. He said that he thought it might be an issue, and that "people in the campaign are talking about it. Not everything makes it out the door."

Unfortunately, we were unable to schedule a phone interview with anyone from the Dean campaign. However, we did manage to track down Zephyr Teachout, the director of Internet Organizing & Outreach for the Dean campaign via e-mail. We asked why the campaign had chosen open source software for DeanSpace, whether cost was a factor or if proprietary software wasn't up to the task.

Cost is only one of the factors in our use of open-source software. We also greatly value the reliability and security that is inherent in mature open-source software. Additionally, using open-source allows us to focus our resources more effectively. Recently, we launched an official Dean web site for every state. Rather than building all of the site functionality from scratch, we chose to build on top of DeanSpace (an open-source tool developed by our grassroots supporters for creating Dean-related community websites). DeanSpace itself was built on top of the open-source Drupal community system. This is just one example of how open-source software has allowed us to focus our energy on getting Howard Dean elected.

Not everyone is a fan of the use of open source by the campaigns. Dave Winer had some harsh words for both campaigns, which elicited a response from Jim Moore -- the Director of Internet and Information Services for the Dean campaign:

At Dean for America, it is our policy to purchase software rather than to make it, and to work with vendors large and small to help them be successful while also pursuing our own success as a grassroots-powered presidential campaign. We strongly support small businesses for a variety of reasons, including that they are the major contributors to employment growth in our nation.

...Like most enterprises we prefer to buy software and services, but sometimes must make our own. The make/buy decision can be tough. In many cases, vendors do not provide solutions that integrate the features that campaigns need, and companies may not see campaigns as a particularly attractive market. In such cases we sometimes need to make internal changes to existing software and services or develop our own. This is particularly the case in a campaign like ours that is innovating in grassroots philosophy and the use of information and communication technology.

We asked the Dean campaign about Moore's response, and asked if they had a position on the use of open source in government.

We do not have a position on open-source in government.

Within our campaign, we use a mix of open-source and commercial software. Often, we work with commercial vendors when deploying open-source tools. We recently put our main website into the open-source Bricolage content management system, but did so with the assistance of Kineticode, a vendor that supports this open-source product. Our primary goal is to focus our human and financial resources on winning the Democratic nomination and the election next November. Sometimes this goal is best accomplished by buying a commercial product, often it means deploying open-source, and other times it means developing tools in-house.

We also asked if the Dean campaign had a position on the DMCA or digital rights, and got this response:

Issues of intellectual property are very important to a knowledge-based society. Ultimately we are going to need to find a solution that both encourages innovation and protects consumers from out-of-control corporate tactics.

Finally, since open source development is based on collaboration, we asked both campaigns if there was any cross-pollination between DeanSpace and TechCorps. At the moment, it would appear not. Neither campaign was aware of any collaboration between the two efforts. Lerner did say that his group is "hoping we can get some of these other independent efforts to join up, and we'll announce it as it happens." He also said that he wants to see TechCorps continue, even past Clark's campaign. "Our stuff is out there and it's going to stay out there... as a separate issue, we want the TechCorps site to live on and be self-sustaining."

Comments (34 posted)

G'Day from Linux.Conf.AU

Linux.Conf.AU (LCA) is the down-under implementation of the classic Linux developers' conference pattern. This conference takes an interesting approach in that it is organized by a different group of people, in a different city, every year. Linux Australia helps to ensure the continuity of the operation, and Rusty Russell, organizer of the first Linux.Conf.AU, maintains an influential presence. But the real work falls to a new set of volunteers each year. That organization ensures a steady supply of organizers with fresh energy, and gives each event a distinct feel.

The 2004 Linux.Conf.AU landed in Adelaide (2005 will be in Canberra; the rumor mill says that New Zealand is being considered for 2006). The conference facility, provided by the University of Adelaide, is beautiful, even if they won't let the attendees play with the gorgeous pipe organ in Elder Hall. Attendance, at just over 500 people, is the highest yet for this event. Just as significantly from the organizers' point of view, it seems, a dozen journalists have signed up to attend this year. Much of the media interest was due to the "open source in government" mini-conference held before LCA proper. But the simple fact is that Australia is a country with a large and increasing interest in Linux and free software.

As conference organizer Michael Davies stated in his opening remarks, the real purpose of LCA is to have fun. Sure, there is a whole series of technical talks, hacking sessions, etc. But the events that attendees are really looking forward to include the "dunk the speakers" tank (with non-speaker Linus as the guest of honor), the water gun wars, and the IBM-sponsored "penguin dinner." What other conference would hand out a ticket for four free ice creams? LCA does, indeed, look like fun.

LWN editor Jonathan Corbet is privileged to be here at LCA, thanks to some generous support from HP. The conference is just getting started as the LWN Weekly Edition deadline hits, so there is not (yet) much opportunity for substantial reporting. That will come later; stay tuned.

Comments (2 posted)

Novell News

January 14, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Novell has been fairly busy on the Linux front the last few days. The company wrapped up its acquisition of SUSE Linux and announced an indemnification program for its enterprise Linux customers on Tuesday. The company has also released its correspondence with the SCO group from May 12, 2003 to January 7, 2004 concerning SCO's suit against IBM and other issues related to the suit.

For the most part, it would seem to be business as usual for SUSE. Novell spokesperson Bruce Lowry said that there are no changes afoot, at this time, for SUSE's product line as a result of the acquisition. Though some have expressed concern about SUSE's commitment to KDE now that Novell owns both SUSE and Ximian, Lowry said that there are no plans to cease the inclusion of KDE in SUSE's Linux distribution or SUSE's work on KDE.

We're about empowering choice, not eliminating it...it's something that we will be looking at, but our DNA would say that we want to continue to support choice. Both are great desktop solutions. We'll just have to evaluate how we want to proceed in the coming months.

Apparently, Novell has decided it needs to go ahead with an indemnification plan to reassure its customers. The plan does not apply to all SUSE Linux customers. Instead, the plan covers customers who are using SUSE Enterprise Linux Server 8 and obtain "upgrade protection" from Novell and a technical support contract from Novell or a SUSE channel partner. According to this article, the indemnification is capped at 1.25 times the purchase price, or $1.5 million. It is interesting to note that Novell's indemnification plan announced this week covers claims of copyright infringement only, not patent suits. Since many have speculated that patent suits will be the next legal hurdle for Linux, Novell customers may not receive quite as much joy from the indemnification program as they might have hoped.

Naturally, SCO CEO Darl McBride couldn't resist commenting on Novell's indemnification plan:

We believe Novell's indemnification announcement is significant for a couple of reasons. By announcing the program they are acknowledging the problems with Linux. Through the restrictions and the limitations on the program, they are showing their unwillingness to bet very much on their position.

Lowry said that Novell's indemnification is not "to protect people from SCO, it's to give software buyers the same level of comfort" that they receive when purchasing proprietary software. Lowry said that Novell has no plans to contribute to the Open Source Development Labs' (OSDL) legal fund, though they are a member of OSDL, since they are offering their own indemnification plan.

Novell also released 31 pieces of correspondence between Novell and the SCO Group concerning Novell's contractual and ownership rights over UNIX. The filings are, to say the least, interesting reading. (LWN readers can find many of the letters in plain text format in this Groklaw posting.) Much of the correspondence is one-way, with no response from SCO on several issues raised by Novell.

After it was made public that Novell was planning to acquire SUSE, McBride said in a conference call that they would "take measures to enforce the noncompete agreement with Novell. I don't know that it will turn into a lawsuit. That depends upon how they respond, and if they put a competitive product in the marketplace."

One of the pieces of correspondence to SCO from Novell is a letter dated November 19, 2003, taking issue with McBride's claims that the acquisition would violate any non-compete provisions, and noting that SCO has not raised the issue directly with Novell. There is no response from SCO regarding that letter in the correspondence released by Novell. Despite a number of public threats of legal action made by SCO, and threats contained in SCO's correspondence with Novell, Lowry said that no legal filings had taken place in either direction at this time.

One concern that Linux users and companies might have is that, if Novell does have claim to the UNIX copyrights and other intellectual property, Novell could someday cause the same kinds of legal troubles that SCO has. Lowry said that he acknowledges that is a theoretical possibility, but notes that Novell has done nothing to indicate that it would want to harm Linux. "Novell has shown with its words and actions that it is 100 percent committed to promote Linux, not impede it."

At the moment, Novell's acquisition of SUSE appears to be a good thing for SUSE and the Linux community as a whole. Novell appears to have taken a mostly "hands-off" approach with Ximian, and may be prepared to do the same with SUSE. Novell's position in the industry is also likely to open doors for Linux that might not have been open otherwise.

Comments (3 posted)

The Secret Novell-SCO Correspondence

January 14, 2004

By Pamela Jones, Editor of Groklaw

[Editor's note: This article may seem similar to the previous article, however we believe it adds further clarification to the SCO/Novell dispute.]

There is a new front in the SCO wars, or more accurately a newly revealed front. The new player, stage front and center, is Novell. Some of SCO's otherwise puzzling decisions in the last nine months have become more comprehensible, now that Novell's behind-the-scenes role has come to light.

It turns out that Novell strongly challenged SCO each step of the way, based on contractual rights Novell says it retained in its 1995 deal with the Santa Cruz Operation (now Tarantella), which subsequently sold certain Unix assets to Caldera, which is now the SCO Group. SCO denies Novell retained those rights. Nevertheless, its decision not to go forward with mailing invoices in the fall, and not to sue SGI or file copyright infringement claims against IBM, may be at least in part influenced by Novell's claims.

Some now expect legal action between the two companies, if only because Novell's asserted rights, if they prove solid, could pull the rug out from under SCO's lawsuit against IBM and prevent any copyright infringement action against Linux end users.

Everything came to light this week when Novell announced it had completed its SuSE acquisition and said that it will offer enterprise SuSE customers indemnification, covering legal fees and damage awards up to $1.5 million or 125% of a customer's contract with Novell. It also put up on its web site its increasingly cold correspondence with SCO, going back to May of 2003, when SCO sent it a Letter to Linux Customers. There is a connection between the correspondence and the indemnification. The foundation of Novell's confidence in offering indemnification is found in the legal analysis it sets forth in the correspondence.

Jack Messman, CEO of Novell, says the company is in a unique position and is able to indemnify customers because it retained the copyright to Unix in that 1995 deal and also has a contractual right to license Unix to its customers. In October, when SCO said it was about to send invoices to Linux users, Novell reminded them of the "Technology License Agreement", which it says gives Novell the license to not only use the "licensed technology" but also to "authorize its customers to use, reproduce and modify" it and to sublicense and distribute same "in source and binary form". Further, Novell points to a section II.B., where restrictions on Novell cease to exist in the event of a change of control of SCO, which Novell says the agreements define as such an event as Santa Cruz selling the assets it got from Novell to Caldera.

If you were wondering why SCO didn't sue SGI, an October 7 letter and another letter, dated October 10, shed some light. Novell first directed SCO "to waive any purported right SCO may claim to terminate SGI's SVRX license" and to "waive any purported right SCO may claim to require SGI to treat SGI Code itself as subject to the confidentiality obligations or use restrictions of SGI's SVRX license", saying that Section 2.01 of the license specifically states that 'ATT-IS claims no ownership interest in any portion of such a modification or derivative work that is not part of a SOFTWARE PRODUCT.' SCO failed to waive as directed, so on October 10, Novell waived all SCO's purported rights to terminate SGI's license.

Novell flexed its muscles, based on its interpretation of the 1995 Asset Purchase Agreement, the Technology License Agreement, and Amendment 2 to the APA. On that basis, Novell in its June 9, 2003 letter says SCO has no right to unilaterally terminate IBM's SVRX Licenses and that it is inappropriate for SCO to make such threats. Amendment No. X granted IBM the "irrevocable, fully paid-up, perpetual rights". Novell eventually waived SCO's "termination" of IBM's license.

Additionally, as the annoyance level rose on both sides, each claiming the other was harming its business, hints of legal action began to appear. Aspects to their contract that Novell had apparently let slide for years, such as their right to audit SCO's collection of royalties for Novell, are now scrupulously being required by Novell. They began an audit of SCO in August, something that had not happened since 1998, for example. Novell also demanded SCO supply copies of the source and binary code for all versions of UNIX and UnixWare under SCO's control.

More significantly, Novell demanded copies of the Microsoft and Sun licenses with SCO and asked SCO to explain why it thinks the Asset Purchase Agreement allows it to do this. Novell demanded that SCO cease "all such negotiations and other communications with licensees concerning any such transaction without Novell's prior written consent and continued participation". After they address any "violation of the Asset Purchase Agreement", there will be the matter of "royalties and other amounts owed to Novell based on the above-mentioned license agreements" to discuss. Insofar as the deals are with SVRX licensees, Novell believes SCO has no right to proceed without Novell's approval, and it reminds SCO of Novell's 95% interest in revenues from preexisting SVRX licenses.

In turn, SCO has put up some documents on its web site. In the letter of June 11, SCO writes that it "acquired all of Novell's right, title and interest: (a) to the AT&T Software and Sublicensing Agreements, including the AT&T/IBM Software Agreement, and (b) to all claims against any parties. SCO therefore acquired all right, title and interest to enforce the Software and Sublicensing Agreements against IBM, without answering to Novell."

Not so, Novell replies. Novell retained certain rights "critical to protecting the interests that Novell retained as part of the Asset Purchase Agreement (including its interests in royalty payments and the contractual commitments Novell made in return for royalty payments)." SCO acquired certain assets from Novell but acquired those assets subject to certain rights of Novell. "You can't have one without the other," Novell asserts. "We don't agree with your interpretation of our contracts," SCO writes back. It appears to them, it says, that Novell "is acting in concert with IBM to destroy the value of SCO UNIX and UnixWare intellectual property acquired from Novell in the Asset Purchase Agreement."

SCO's copyrights in Unix are now in dispute. Novell lists all of its registered copyrights on its web site. What we now learn is that they have been in dispute consistently from day one. In a letter dated August 4, Novell writes to Darl McBride, SCO CEO, that according to their agreements, copyrights were not to be transferred to Santa Cruz Operation unless SCO could demonstrate that such a right was required. They never did that and they don't need copyrights, Novell says, "in order to exercise the limited rights granted SCO" and so unless or until SCO demonstrates such a need, all copyrights remain with Novell. Of course, SCO disagrees with Novell on this utterly.

Finally, Novell on SCO's behalf "waives any purported right SCO may claim to require IBM to treat IBM Code, that is code developed by IBM, or licensed by IBM from a third party, which IBM incorporated in AIX but which itself does not contain proprietary UNIX code supplied by AT&T under the license agreements between AT&T and IBM, itself as subject to the confidentiality obligations or use restrictions of the Agreements."

SCO's position regarding Novell's waivers on behalf of SGI and IBM? In an October 13 letter: "Novell is without authority to make such a waiver and thus it is of no force and effect."

So now you know the rest of the Novell-SCO story.

Comments (8 posted)

Page editor: Rebecca Sobol

Security

Security news

Vulnerabilities and updates in 2003

Sometimes it is worthwhile to step back and look at a condensed picture of the Linux and free software security situation. To that end, we have thrashed up our security database and produced a big table listing the vulnerabilities exposed in 2003 and the alerts issued by several major distributors in response. We turned up over 300 vulnerabilities which resulted in over 1200 security alerts. In other words, 2003 was a busy year.

Glancing through the table, one sees that certain packages are responsible for relatively large numbers of vulnerabilities; these include apache (6 vulnerabilities), ethereal (6), glibc (5), KDE (6), the kernel (6), and sendmail (5). The kernel wins the prize for the most security alerts, having been responsible for 47 of them - almost 4% of the total. The full picture, however, shows a vast number of security problems afflicting a wide range of packages. The security of our free operating system has some ground to cover yet before it will be something we can be truly proud of.

Here's the first part of the table:

Vulnerability Conectiva Debian Fedora Gentoo Mandrake Red Hat SuSE
apache X X X X
apache X X X X X
apache X X X X X
apache X
apache X X
apache X X X X X X X
apcupsd X X X X
at X X X X X X
atari800 X X
atftp X X
autorespond X

Those are all of the packages beginning with "A". The full table, in all its browser-straining glory, can be found on this page.

Comments (3 posted)

New vulnerabilities

inn: vulnerability in INN 2.4.0

Package(s):inn CVE #(s):
Created:January 8, 2004 Updated:January 15, 2004
Description: A buffer overflow has been discovered in a portion of the control message handling code introduced in INN 2.4.0. It is fairly likely that this overflow could be remotely exploited to gain access to the user innd runs as. INN 2.3.x and earlier are not affected. The INN CURRENT tree is affected. See this advisory for more details.
Alerts:
Slackware SSA:2004-014-02 2004-01-14
OpenPKG OpenPKG-SA-2004.001 2004-01-08

Comments (none posted)

mod-auth-shadow: password expiration

Package(s):mod-auth-shadow CVE #(s):CAN-2004-0041
Created:January 12, 2004 Updated:January 13, 2004
Description: David B Harris discovered a problem with mod-auth-shadow, an Apache module which authenticates users against the system shadow password database, where the expiration status of the user's account and password were not enforced. This vulnerability would allow an otherwise authorized user to successfully authenticate, when the attempt should be rejected due to the expiration parameters.
Alerts:
Debian DSA-421-1 2004-01-12

Comments (none posted)
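The mod-auth-shadow flaw above is a missing check, not a parsing bug: the password hash matched, so the user was let in even when shadow(5)'s aging fields said the account or password had expired. The following is an added illustration, not mod-auth-shadow's own code, of the expiry logic that has to sit beside the hash comparison. It assumes the standard nine-field shadow line format and day numbers counted from the epoch; the shadow lines it uses are constructed.

```python
"""Shadow-style account/password expiry enforcement (added example, not mod-auth-shadow code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ShadowEntry:
    name: str
    lastchg: Optional[int]   # day of last password change; 0 = must change at next login
    min_days: Optional[int]
    max_days: Optional[int]  # password valid for this many days after lastchg; <0 = no aging
    warn: Optional[int]
    inact: Optional[int]     # grace days after max_days before the account is locked
    expire: Optional[int]    # absolute day number on which the account expires


def _field(s: str) -> Optional[int]:
    """Empty shadow fields mean 'unset'; anything else is an integer day count."""
    return int(s) if s.strip() != "" else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one name:hash:lastchg:min:max:warn:inact:expire:flag line."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 9:
        raise ValueError("malformed shadow line: expected 9 colon-separated fields")
    return ShadowEntry(parts[0], _field(parts[2]), _field(parts[3]), _field(parts[4]),
                       _field(parts[5]), _field(parts[6]), _field(parts[7]))


def expiration_status(e: ShadowEntry, today: int) -> str:
    """Return 'ok' or the reason login must be refused, mirroring shadow's isexpired() ordering."""
    # 1. Account-level expiry: an absolute day number after which no login is allowed.
    if e.expire is not None and e.expire > 0 and today >= e.expire:
        return "account-expired"
    # 2. lastchg == 0 forces a password change before any other use of the account.
    if e.lastchg == 0:
        return "password-must-change"
    # 3. No aging configured: nothing more to enforce.
    if e.lastchg is None or e.max_days is None or e.max_days < 0:
        return "ok"
    # 4. A change date in the future (clock skew) is treated as valid, as shadow does.
    if e.lastchg > today:
        return "ok"
    # 5. Past the inactivity grace period: the account is locked, not just the password.
    if e.inact is not None and e.inact >= 0 and today >= e.lastchg + e.max_days + e.inact:
        return "account-inactive"
    # 6. Past max_days: the password has expired and must be changed.
    if today >= e.lastchg + e.max_days:
        return "password-expired"
    return "ok"


def authorize_unfixed(e: ShadowEntry, password_ok: bool) -> bool:
    """The flawed decision: a matching hash is treated as sufficient."""
    return password_ok


def authorize_fixed(e: ShadowEntry, password_ok: bool, today: int) -> bool:
    """The corrected decision: the hash must match AND the aging fields must permit login."""
    return password_ok and expiration_status(e, today) == "ok"


# Constructed sample entries (hashes abbreviated; day numbers are arbitrary but consistent).
SAMPLE_SHADOW = [
    "alice:$6$x:12000:0:90:7:::",        # 90-day password aging
    "bob:$6$x:12000:0:90:7:10::",        # same, plus 10 days of inactivity grace
    "carol:$6$x:12000:0:99999:7::12400:",  # hard account expiry on day 12400
    "dave:$6$x:0:0:99999:7:::",          # must change password at next login
]


if __name__ == "__main__":
    today = 12095
    for line in SAMPLE_SHADOW:
        e = parse_shadow_line(line)
        print(f"{e.name:6s} unfixed={authorize_unfixed(e, True)!s:5s} "
              f"fixed={authorize_fixed(e, True, today)!s:5s} ({expiration_status(e, today)})")
```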

phpgroupware: missing filename sanitizing, SQL injection

Package(s):phpgroupware CVE #(s):CAN-2004-0016 CAN-2004-0017
Created:January 9, 2004 Updated:January 13, 2004
Description: The authors of phpgroupware, a web based groupware system written in PHP, discovered several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2004-0016: In the "calendar" module, "save extension" was not enforced for holiday files. As a result, server-side PHP scripts could be placed in directories that were then accessible remotely, causing the web server to execute them. This was resolved by enforcing the extension ".txt" for holiday files.

CAN-2004-0017: Some SQL injection problems (non-escaping of values used in SQL strings) in the "calendar" and "infolog" modules.

Alerts:
Debian DSA-419-1 2003-01-09

Comments (none posted)

vbox3: privilege leak

Package(s):vbox3 CVE #(s):CAN-2004-0015
Created:January 8, 2004 Updated:January 13, 2004
Description: A bug was discovered in vbox3, a voice response system for isdn4linux, whereby root privileges were not properly relinquished before executing a user-supplied tcl script. By exploiting this vulnerability, a local user could gain root privileges.
Alerts:
Debian DSA-418-1 2004-01-07

Comments (none posted)

Updated vulnerabilities

jitterbug: improperly sanitized input

Package(s):jitterbug CVE #(s):CAN-2004-0028
Created:January 12, 2004 Updated:January 13, 2004
Description: Steve Kemp discovered a security related problem in jitterbug, a simple CGI based bug tracking and reporting tool. Program executions may use improperly sanitized input which allows an attacker to execute arbitrary commands on the server hosting the bug database. As mitigating factors these attacks are only available to non-guest users, and accounts for these people must be setup by the administrator making them "trusted".
Alerts:
Debian DSA-420-1 2004-01-12

Comments (none posted)

apache: buffer overflows in mod_alias, mod_rewrite

Package(s):apache CVE #(s):CAN-2003-0542 CAN-2003-0789
Created:October 28, 2003 Updated:February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver. These occurred if a regular expression with more than 9 capturing parentheses was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf). (CAN-2003-0542)

Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. (CAN-2003-0789)

Alerts:
Whitebox WBSA-2004:015-01 2004-02-12
Fedora FEDORA-2003-004 2004-01-08
Red Hat RHSA-2003:405-00 2003-12-18
Red Hat RHSA-2003:320-01 2003-12-16
Red Hat RHSA-2003:360-01 2003-12-10
Gentoo 200310-03 2003-10-28
Trustix 2003-0041 2003-11-15
Conectiva CLA-2003:775 2003-11-05
Slackware SSA:2003-308-01 2003-11-03
EnGarde ESA-20031105-030 2003-11-05
Mandrake MDKSA-2003:103 2003-11-03
Gentoo 200310-04 2003-10-31
Immunix IMNX-2003-7+-025-01 2003-10-28
OpenPKG OpenPKG-SA-2003.046 2003-10-28

Comments (none posted)

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Gentoo 200403-04 2004-03-22
Netwosix NW-2004-0006 2004-03-25
Mandrake MDKSA-2003:096-1 2003-10-24
Mandrake MDKSA-2003:096 2003-09-26

Comments (none posted)

bind: cache poisoning

Package(s):bind CVE #(s):CAN-2003-0914
Created:November 26, 2003 Updated:February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.
Alerts:
SCO Group CSSA-2004-003.0 2004-02-19
Debian DSA-409-1 2004-01-05
SuSE SuSE-SA:2003:047 2003-11-28
Trustix 2003-0044 2003-11-27
Immunix IMNX-2003-7+-024-01 2003-10-27
EnGarde ESA-20031126-031 2003-11-26

Comments (none posted)

CUPS: denial of service

Package(s):CUPS CVE #(s):CAN-2003-0788
Created:November 3, 2003 Updated:March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
SCO Group CSSA-2004-012.0 2004-03-03
Conectiva CLA-2003:779 2003-11-07
Mandrake MDKSA-2003:104 2003-11-05
Red Hat RHSA-2003:275-01 2003-11-03

Comments (none posted)

cvs: possible root compromise

Package(s):cvs CVE #(s):CAN-2003-0977
Created:December 29, 2003 Updated:February 13, 2004
Description: Stable CVS 1.11.11 has been released, adding code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file.
Alerts:
Whitebox WBSA-2004:004-01 2004-02-12
Fedora-Legacy FLSA:1207 2004-01-28
Conectiva CLA-2004:808 2004-01-20
Debian DSA-422-1 2004-01-13
Red Hat RHSA-2004:003-01 2004-01-09
Gentoo 200312-08 2003-12-28

Comments (none posted)

ethereal: protocol dissector and other vulnerabilities

Package(s):ethereal CVE #(s):CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013
Created:December 18, 2003 Updated:February 13, 2004
Description: Serious issues have been discovered in two ethereal protocol dissectors. Both vulnerabilities will make the Ethereal application crash. The Q.931 vulnerability also affects Tethereal. It is not known if either vulnerability can be used to make Ethereal or Tethereal run arbitrary code. (CAN-2003-1012 and CAN-2003-1013)
Alerts:
Whitebox WBSA-2004:002-01 2004-02-12
Fedora-Legacy FLSA:1193 2004-01-31
Red Hat RHSA-2004:002-01 2004-01-05
Mandrake MDKSA-2004:002 2004-01-13
Conectiva CLA-2004:801 2004-01-07
Red Hat RHSA-2004:001-01 2004-01-07
Debian DSA-407-1 2004-01-05
Fedora FEDORA-2003-040 2003-12-18

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16

Comments (none posted)

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
SCO Group CSSA-2004-006.0 2004-03-01
Trustix 2003-0042 2003-11-15
Mandrake MDKSA-2003:106 2003-11-12
Red Hat RHSA-2003:309-01 2003-11-03
Immunix IMNX-2003-7+-026-01 2003-10-31
Conectiva CLA-2003:771 2003-10-24
Conectiva CLA-2003:768 2003-10-22

Comments (none posted)

fsp: buffer overflow and directory traversal

Package(s):fsp CVE #(s):CAN-2003-1022 CAN-2004-0011
Created:January 7, 2004 Updated:January 7, 2004
Description: fsp suffers from both a buffer overflow vulnerability (which can be exploited to run arbitrary code) and a directory traversal problem.
Alerts:
Debian DSA-416-1 2004-01-06

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

GnuPG: ElGamal signing keys compromised

Package(s):gnupg CVE #(s):CAN-2003-0971
Created:November 28, 2003 Updated:March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
SCO Group CSSA-2004-009.0 2004-03-02
Debian DSA-429-2 2004-02-13
Debian DSA-429-1 2004-01-26
Gentoo 200312-05 2003-12-12
Fedora FEDORA-2003-025 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Red Hat RHSA-2003:390-01 2003-12-10
Conectiva CLA-2003:798 2003-12-09
SuSE SuSE-SA:2003:048 2003-12-03
Mandrake MDKSA-2003:109 2003-11-28

Comments (3 posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

jabber: denial of service

Package(s):jabber CVE #(s):CAN-2004-0013
Created:January 7, 2004 Updated:January 26, 2004
Description: A vulnerability was discovered in jabber, an instant messaging server, whereby a bug in the handling of SSL connections could cause the server process to crash, resulting in a denial of service.
Alerts:
Mandrake MDKSA-2004:005 2004-01-23
Debian DSA-414-1 2004-01-06

Comments (1 posted)

kernel: two vulnerabilities in 2.4.23

Package(s):kernel CVE #(s):CAN-2003-0984 CAN-2003-0985
Created:January 5, 2004 Updated:January 19, 2004
Description: Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous which may allow a local attacker to gain root privileges. No exploit is currently available; however, it is believed that this issue is exploitable (although not trivially). The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0985 to this issue. There is also a minor information leak in the real time clock (rtc) routines. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0984 to this issue. See this advisory for more information.
Alerts:
Debian DSA-427-1 2004-01-19
SuSE SuSE-SA:2004:003 2004-01-15
Debian DSA-417-2 2004-01-09
Slackware SSA:2004-008-01 2004-01-08
Gentoo 200401-01 2004-01-08
Mandrake MDKSA-2004:001 2004-01-07
Slackware SSA:2004-006-01 2004-01-06
Red Hat RHSA-2003:416-01 2004-01-07
Fedora FEDORA-2003-047 2004-01-07
Debian DSA-417-1 2004-01-07
Immunix IMNX-2004-73-001-01 2004-01-05
SuSE SuSE-SA:2004:001 2004-01-05
Fedora FEDORA-2003-046 2004-01-05
Debian DSA-413-1 2004-01-06
Trustix 2004-0001 2004-01-05
Conectiva CLA-2004:799 2004-01-05
EnGarde ESA-20040105-001 2003-01-05
Red Hat RHSA-2003:419-01 2004-01-05
Red Hat RHSA-2003:418-01 2004-01-05
Red Hat RHSA-2003:417-01 2004-01-05

Comments (1 posted)

kernel: local root exploit in 2.4.22

Package(s):kernel CVE #(s):CAN-2003-0961
Created:December 1, 2003 Updated:April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-475-1 2004-04-05
Debian DSA-470-1 2004-04-01
Debian DSA-442-1 2004-02-19
Debian DSA-433-1 2004-02-04
Debian DSA-423-1 2004-01-15
Red Hat RHSA-2003:368-01 2003-12-19
Conectiva CLA-2003:796 2003-12-05
Gentoo 200312-02 2003-12-04
SuSE SuSE-SA:2003:049 2003-12-04
Yellow Dog YDU-20031203-1 2003-12-03
Red Hat RHSA-2003:389-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Slackware SSA:2003-336-01 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Trustix 2003-0046 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Debian DSA-403-1 2003-12-01

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lftp buffer overflows

Package(s):lftp CVE #(s):CAN-2003-0963
Created:December 15, 2003 Updated:February 13, 2004
Description: According to this advisory versions of lftp prior to 2.6.10 are vulnerable to two exploitable buffer overflow problems. Both occur when you connect to a web server with lftp using HTTP or HTTPS, and then use lftp's "ls" or "rels" commands on specially prepared directories on the web server.
Alerts:
Whitebox WBSA-2003:404-01 2003-12-17
Conectiva CLA-2004:800 2004-01-06
Debian DSA-406-1 2004-01-05
Gentoo 200312-07 2003-12-16
OpenPKG OpenPKG-SA-2003.053 2003-12-17
Red Hat RHSA-2003:404-01 2003-12-16
Red Hat RHSA-2003:403-01 2003-12-16
Mandrake MDKSA-2003:116 2003-12-15
Fedora FEDORA-2003-034 2003-12-15
SuSE SuSE-SA:2003:051 2003-12-15
Immunix IMNX-2003-73-002-01 2003-12-09
Slackware SSA:2003-346-01 2003-12-12

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
SCO Group CSSA-2004-002.0 2004-02-19
Debian DSA-435-1 2004-02-06
Conectiva CLA-2003:781 2003-11-12

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Comments (none posted)

nd: buffer overflows

Package(s):nd CVE #(s):CAN-2004-0014
Created:January 6, 2004 Updated:January 7, 2004
Description: Multiple vulnerabilities were discovered in nd, a command-line WebDAV interface, whereby long strings received from the remote server could overflow fixed-length buffers. This vulnerability could be exploited by a remote attacker in control of a malicious WebDAV server to execute arbitrary code if the server was accessed by a vulnerable version of nd.
Alerts:
Debian DSA-412-1 2004-01-05

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

Net-SNMP: security bugs in versions before 5.0.9

Package(s):Net-SNMP CVE #(s):CAN-2003-0935
Created:December 2, 2003 Updated:February 13, 2004
Description: The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.

Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs.

Alerts:
Whitebox WBSA-2004:023-01 2004-02-12
Red Hat RHSA-2004:023-01 2004-01-15
Mandrake MDKSA-2003:115 2003-12-11
Red Hat RHSA-2003:335-01 2003-12-02

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

rsync - remotely exploitable heap overflow

Package(s):rsync CVE #(s):CAN-2003-0962
Created:December 4, 2003 Updated:March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
SCO Group CSSA-2004-010.0 2004-03-02
Immunix IMNX-2003-73-001-01 2003-12-05
Mandrake MDKSA-2003:111 2003-12-04
Red Hat RHSA-2003:399-01 2003-12-04
Red Hat RHSA-2003:398-01 2003-12-04
Fedora FEDORA-2003-030 2003-12-04
Conectiva CLA-2003:794 2003-12-04
Gentoo 200312-03 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Debian DSA-404-1 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
Trustix 2003-0048 2003-12-04
Slackware SSA:2003-337-01 2003-12-03

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned, e.g. from xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code, so connection drops are detected very late. If the drop of the connection isn't detected, accesses to the internal wire buffer go beyond the limits of the allocated memory. Random memory "after" the wire buffer is read, which is followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:
SCO Group CSSA-2004-005.0 2004-02-19
SuSE SuSE-SA:2003:046 2003-11-18
Conectiva CLA-2003:769 2003-10-22
Mandrake MDKSA-2003:099 2003-10-09
Red Hat RHSA-2003:278-01 2003-10-07
Debian DSA-379-1 2003-09-11

Comments (none posted)

screen: privilege escalation

Package(s):screen CVE #(s):CAN-2003-0972
Created:November 28, 2003 Updated:March 3, 2004
Description: According to this advisory a buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or getting control of another user's screen. The problem is that you have to transfer around 2-3 gigabytes of data to the user's screen to exploit this vulnerability. Versions 4.0.1, 3.9.15 and older are vulnerable.

Alerts:
SCO Group CSSA-2004-011.0 2004-03-02
Fedora-Legacy FLSA:1187 2004-01-26
Conectiva CLA-2004:809 2004-01-20
Debian DSA-408-1 2004-01-05
Mandrake