
Report from the SCO front

When SCO launched its SCOsource initiative one year ago, it must have known that it would encounter resistance at some point. Even so, the SCO Group may not have expected Novell to emerge as one of its largest obstacles. But Novell has done exactly that. Novell has disputed SCO's claims to the Unix copyright (and submitted copyright registrations in its own name), initiated audits of SCO's Unix licensing activities (with an eye, perhaps, on a 95% cut of the money from Sun and Microsoft), claimed - and exercised - the right to override SCO's actions against IBM and others, and acquired a Linux distributor of its own.

As a result of Novell's actions, even the most weak-willed corporate officer will have to think twice about buying a "license" from SCO. Said officer may not feel capable of deciding whether SCO's claims have merit, but a disputed copyright is easy to understand. SCO's chances of prevailing on its claims are minimal even in Novell's absence, but Novell's entry into the game makes those claims moot for now. Given that, SCO's lawsuit against Novell is not particularly surprising. It was, instead, inevitable. SCO had to make a show of getting Novell out of its way.

SCO's full complaint is available as an 11-page PDF file. It is, in fact, a relatively straightforward suit, the sort of thing one would expect to see from a company which feels that its copyrights are being stolen in plain sight. It states that Novell has laid claim to the Unix copyrights, that it has made statements with the intent of causing people not to do business with SCO, and has damaged SCO's reputation and business. All of these claims are demonstrably true. Of course, SCO also states that Novell's copyright ownership claims are false, which is not so clear.

SCO is asking the court to find that the copyrights belong to SCO; force Novell to pay actual, special, and punitive damages; issue preliminary and permanent injunctions requiring Novell to assign copyrights and cease claiming to own those copyrights; and to make Novell retract its past claims.

Given that the relevant purchase agreement is available online, one would think that understanding what SCO really bought would not be that hard. In fact, the agreement is written in a sort of obscure legalese that would appear to invite misunderstandings and lawsuits from the beginning. To try to figure out what SCO bought, you have to read through to the very end; the assets to be transferred are listed in Schedule 1.1(a):

All rights and ownership of UNIX and UnixWare, including but not limited to all versions of UNIX and UnixWare and all copies of UNIX and UnixWare (including revisions and updates in process), and all technical, design, development, installation, operation and maintenance information concerning UNIX and UnixWare, including source code, source documentation, source listings and annotation, appropriate engineering, notebooks, test data and test results, as well as all reference manuals and support materials normally distributed by Seller to end-users and potential end-users in connection with the distribution of UNIX and UnixWare...

This paragraph provides a lengthy list of things to be transferred to SCO, but "copyrights" does not appear on that list. So it would be up to a court to decide whether "all rights and ownership" include copyrights or not. SCO claims that the issue was clarified in Amendment 2 to the agreement, which revises Schedule 1.1(b). That section lists the things which were not sold to SCO; the wording was changed to read:

All copyrights and trademarks, except for the copyrights and trademarks owned by Novell as of the date of the Agreement required for SCO to exercise its rights with respect to the acquisition of UNIX and UnixWare technologies. However, in no event shall Novell be liable to SCO for any claim brought by any third party pertaining to said copyrights and trademarks.

This language suggests that some copyrights would be transferred to SCO, but does not actually list those copyrights in any way. In summary, it is a messy agreement that will require a court to sort out.

The interesting thing is that SCO has not actually asked the court to sort it out. Regardless of what the agreement really says, one thing is strikingly clear: Novell has not actually assigned any copyrights to SCO. Novell might have signed a contract obligating it to assign copyrights to SCO, but SCO agrees that said assignment has not happened. Given that, SCO really needed to file a breach of contract suit to force Novell to live up to (what SCO sees as) its obligations. SCO's lawyers certainly know this; one wonders what they are really trying to accomplish.

More to the point, however, one might well wonder whether the end result of this suit matters to Linux users in the first place. In fact, this action is a significant development in the wider SCO affair. If Novell prevails, SCO's days of threatening Linux users will be done, and that would certainly be a good thing. The IBM case, which has nothing to do with copyrights, might continue, but it would be an isolated contract dispute. All Linux users would have to worry about at that point is what Novell intends to do with its newly-defended copyrights. As we have said before, Novell owes the community a statement regarding its intentions.

If SCO prevails - with an amended complaint bringing up the contract issue, presumably - Linux users would find their position unchanged. SCO would still have to prove that Linux contains its copyrighted code, something it has not done in any convincing way so far. It is increasingly apparent that, in fact, Linux contains no significant amount of copyrighted Unix code. So a Novell defeat would not really set back Linux users in any way.

It seems fairly clear, however, that no court will allow an SCO-initiated copyright suit to proceed until the Novell case is resolved. Until then, SCO's threats against users are even emptier than before.

Meanwhile, SCO has completed a new S-3 filing updating its "risk factors" to include a few marginally relevant items, like Novell's copyright claims. The fact that SCO has known about these claims for several months but only now updated its regulatory filings could come back to haunt it later on. Groklaw has put together a nice table of differences between the old and new filings; it paints a grim picture of where things are going with SCO. Worth a read.

The new S-3 also discusses the strange accounting required by the BayStar investment. For each $1 drop in the company's stock price, SCO must record approximately $1 million in income. Don't be surprised if this phantom income somehow pushes the company into a paper profit in future quarters.

Red Hat has made a fair amount of noise about its new Open Source Assurance Program, which is automatically extended to all Enterprise Linux customers. The program, however, does not offer very much: it states that any code in Red Hat Enterprise Linux which is found to infringe upon intellectual property rights will be replaced. For users who fear, say, a patent problem, this warranty will be a comforting thing to have. It does not go far beyond what the community would do anyway, however.

Finally, it would appear that the SCO Group has sent a letter to the U.S. Congress (available in PDF format) describing the evils of free software. Among other things, it will destroy the U.S. economy and provide vital computing capabilities to America's enemies. And create some business discomfort for the SCO Group, of course. The letter is an impressive bit of work, worth a read. If you are an American citizen, you may want to consider writing a letter yourself to counter SCO's claims. The fact of the matter, however, is that SCO is unlikely to be able to out-lobby companies like IBM and HP.


Linux.Conf.Au trip report

Your editor is back and rested - if somewhat jet lagged - from the 2004 production of Linux.Conf.Au in Adelaide. Some 540 people attended this event -- the highest attendance in this conference's five-year history. Here's a quick summary of what happened as seen by LWN.

Greg Ungerer gave an introductory talk on uClinux which will be interesting to those who haven't actually looked at how this kernel (which runs on systems without a memory management unit) works. Modern uClinux supports a vast number of architectures, and will run on systems with as little as 1MB of memory (though "you can't do much" on such a system). There are a few things missing, of course: virtual memory support, the fork() system call (vfork() works), dynamic stacks, sbrk(), etc. And, of course, nothing protects the system and applications from each other. Even so, making applications work on uClinux is usually not a particularly big deal. Future plans for uClinux include supporting more hardware, adding to the list of ported applications, and integration with the RTAI real-time system.

Running device drivers in user mode was discussed by Peter Chubb. This topic will get a more detailed treatment on this week's Kernel Page.

Your editor has come to the conclusion that Jon 'maddog' Hall serves as a mutual exclusion mechanism for Linux conferences. Since he, inevitably, shows up at every Linux event, his scheduling constraints serve to keep multiple conferences from happening at the same time. In Adelaide, he discussed the differing expectations of developers, users, and managers. Among other things, he predicted that 2004 will be the year when the Linux desktop truly begins to take over. Maddog's talks are invariably fun to hear.

Greg Lehey discussed his Vinum volume manager. Vinum runs on FreeBSD and NetBSD, but a Linux port is in the works. It provides many of the usual features: disk concatenation and striping, along with implementations of the various RAID levels. Among other things, Vinum was intended to be easy to configure via a relatively straightforward text file. As Greg noted, however, "pilot errors" remain possible.

Bdale Garbee gave a wide-ranging talk covering a number of topics. The core of the discussion, however, had to do with truly large-scale Linux deployments, such as those which have happened in Extremadura (Spain), and in Brazil. He notes that Linux has become an obvious first choice for publicly-sponsored computing initiatives in many parts of the world - especially the less rich areas. Use of Linux allows greater control, doesn't require sending large amounts of hard currency to the United States, and can help in the creation of local information technology expertise. Bdale also noted, with visible pleasure, that the Debian distribution (or a derivative thereof) tends to be chosen for this sort of project. He sees Debian as embodying many of the free software community's core concepts and being appealing for its essential openness.

Havoc Pennington touched on some similar concepts with his "state of the Linux desktop" keynote. He repeatedly pointed out that, to achieve true success on the desktop, the free software community must focus on what it does best, rather than trying to imitate current proprietary offerings. For example, since any interested party can add to free software and influence its development, the very best translation and accessibility support tend to be found in free systems. Many languages and user communities are too small to be worth supporting for a proprietary software company, but the users themselves don't care about that. Then, there are projects like Dashboard and GNOME Storage (among many others) which show that anybody can pursue interesting ideas; if others like the results, those ideas will be enhanced by others and eventually incorporated. For this reason, it is important that the Linux desktop remains 100% free software; as soon as proprietary components start to appear, the advantages of free software are lost.

His call to go beyond imitation notwithstanding, Havoc is clearly very focused on where Microsoft is headed, especially with the forthcoming "Longhorn" release. He says that the delays in Longhorn give Linux a window of opportunity to step in (especially since moving to Longhorn looks like it will be no easier than switching to Linux), but we have to be aware of the sort of features Longhorn will offer and have something which will be a competitive alternative.

Jeff Waugh gave a high-energy talk on the GNOME project. His focus was on the decentralized nature of the project, the increasing number of developers, and the tightly-run six-month release schedule. He talked of some trends in GNOME development (the new "evolution data server" which will provide contact and calendar information; embracing of standards and code coming out of FreeDesktop.org; the commitment to ABI stability across GNOME 2.x, etc.) but it seems that nobody really knows what future GNOME releases will bring. The one sure thing, according to Jeff, is "we will rock you."

Beyond the talks, this conference included a well-developed "partners program" for the families of attendees, dinner events put on by IBM and Oracle, and the now-famous dunk tank. The break area lacked coffee (by American standards, anyway) but made up for it in free ice cream. The venue was beautiful; Elder Hall with its woodwork and pipe organ is far superior to the typical conference ballroom. And the whole event was suffused by an Australian sense of humor and fun.

Also worthy of note was the "Miniconf" program which ran for two days before the main event (and which, unfortunately, your editor was unable to attend). The Linux and Open Source in Government miniconf, in particular, seems to have brought out many themes which resonated through the rest of the event.

In summary, Linux.Conf.Au was a great success. It was, as intended, a seriously fun gathering with much talk about the technology and no marketing. Let it never be said that volunteers cannot bring off a complex event of this type. Linux.Conf.Au is more volunteer-driven than most; it is run by a different committee in a different city every year. Despite the talk of heroic, last-minute all-nighters put in by the conference staff, the attendee experience was smooth and seamless. Linux.Conf.Au came off better than many events run by "professionals." Great congratulations are due to the dedicated group of people who pulled this off.

LWN would like to thank HP one last time for making our presence at Linux.Conf.Au possible.


The MIT 2004 Spam Conference

January 21, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

You know that spam prevention efforts have reached fever pitch when a spam conference brings together lawyers, developers, economists, Eric Raymond and a representative from Microsoft to discuss the problem and ways to stop it. MIT hosted a conference on this topic on January 16, and we decided to check out the webcast to see what kind of work is being done in this area. The answer is, there's quite a bit of work going on, and the future looks much more encouraging than you might think.

Lawyers Jon Praed and Matthew Prince both spoke about spam from the legal perspective. Praed discussed experiences in suing spammers. Interestingly, Praed wasn't as negative about the recent CAN-SPAM Act as many in the anti-spam community have been. Praed noted that legal solutions can often do something that technical solutions alone have failed to do: significantly drive up the cost of sending spam by requiring spammers to deal with legal bills. He also said that 2003 was a banner year for legal efforts against spam, because it brought the first arrests solely for spamming. According to Praed, the CAN-SPAM Act is effective, in that it makes it clear that spamming in and of itself is a crime.

Prince was less enthused with CAN-SPAM. Prince pointed out that 37 state spam laws had been passed before CAN-SPAM; now all 37 are pre-empted by federal law, which is weaker than most of the state laws. But even the stronger state laws have been largely ineffectual for stopping spam. He also noted that spam laws were not based on the volume of spam, which is the problem we now face, but were written to counter the problem of fraud in spam.

Prince did bring up the McCain amendment to CAN-SPAM for praise, and said it had received almost no coverage. Essentially, the McCain amendment says that when prosecutors are going after a spammer, they don't necessarily have to go after the sender. It allows prosecutors to attach liability to advertisers, which may be much more effective than having to go after the spammer.

Prince also said that we would have to remove anonymity of email to solve the legal problem of spam. Washington has been the most successful because its law includes a registry of email addresses that are located in the state of Washington. He said that it was necessary to establish a national do-not-spam registry which would establish jurisdiction to allow spammers to be sued and prosecuted.

Both Prince and Praed agreed that the important thing about legal solutions is that they impose costs on spammers.

Yahoo's Miles Libbey talked about trends in spam, as seen passing through Yahoo Mail. Like many other speakers, Libbey saw an emerging emphasis on spammers trying to hide their identity, and attempting to make messages more random to avoid filters. On a scary note, Libbey said that Yahoo! had found that spammers had reacted to their anti-spam filters within two hours.

Another presentation focused on finding economic means to deal with spam. Thede Loder, Marshall Van Alstyne, and Rick Wash outlined the Attention Bond Mechanism (ABM) where senders would have to put up a "bond" where users could charge the sender a sum of money for unwanted messages or release the money if the message was wanted.

Assuming a working model could be found and implemented, they say this would be of benefit to users and marketers. According to Loder, Van Alstyne and Wash, it could be cheaper than direct mail, while giving the recipient an incentive not to block the email automatically. Either the message would be of benefit to the user, or the user could reap a small financial gain by accepting the message. Most importantly, this model would return the control of a user's inbox to the user where it belongs and shift the burden to marketers.

Along the same lines, Eric Johansson of CAMRAM talked about a hybrid system that would add a money-free sender-pays type of system incrementally to email. Instead of being a money-based system, the stamp creation would be time-based. That is, each "stamped" email would contain a 22-bit or 23-bit stamp that costs a given amount of time to generate. Adding that generation time to each email would be somewhat prohibitive for spammers, as spammers need to send email in volume to make money.
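To make the "time-based stamp" idea concrete, here is an added example; it is not CAMRAM's code, and the stamp layout (version:bits:date:recipient:counter, hashed with SHA-1) is an assumption modelled on hashcash rather than anything the talk described. The sender must search for a counter until the hash has the required number of leading zero bits, which costs roughly 2^bits hash operations; the receiver verifies with a single hash and rejects stamps that are reused, addressed to someone else, or weaker than its minimum.

```python
"""Added example (not CAMRAM's code): a hashcash-style time-based email stamp.
Minting requires finding a counter so that SHA-1 of the stamp string has at
least `bits` leading zero bits; verifying costs a single hash. The stamp
layout 'version:bits:date:recipient:counter' is an assumption modelled on
hashcash; CAMRAM's actual format is not described in the article."""
import hashlib
import itertools


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def mint_stamp(recipient: str, date: str, bits: int) -> str:
    """Sender side: brute-force a counter. Expected work is about 2**bits hashes,
    which is the 'time cost' the article refers to (22 or 23 bits in CAMRAM)."""
    prefix = f"1:{bits}:{date}:{recipient}:"
    for counter in itertools.count():
        stamp = f"{prefix}{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp


def check_stamp(stamp: str, recipient: str, min_bits: int, seen: set) -> bool:
    """Receiver side: format, recipient binding, declared difficulty, one hash,
    and a double-spend check so one stamp cannot cover a whole mailing run."""
    parts = stamp.split(":")
    if len(parts) != 5 or parts[0] != "1":
        return False
    try:
        claimed_bits = int(parts[1])
    except ValueError:
        return False
    if claimed_bits < min_bits or parts[3] != recipient:
        return False
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed_bits:
        return False
    if stamp in seen:
        return False
    seen.add(stamp)
    return True


if __name__ == "__main__":
    # Constructed recipient and date; 16 bits keeps the demo to a fraction of a second.
    s = mint_stamp("alice@example.org", "040121", 16)
    print(s, check_stamp(s, "alice@example.org", 16, set()))
```

The demo uses 16 bits so that it runs in well under a second; every extra bit doubles the sender's expected work, so the 22-bit stamps mentioned above cost about 64 times as much. A real deployment would also reject stamps whose date field is stale; that check is omitted here.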

Of course, there were also many discussions of technical means to filter and block spam. William Yerazunis spoke about ways to go beyond the accuracy of Bayesian and Markovian spam filtering. One interesting point from Yerazunis' talk: some spammers are getting desperate enough to actually sign up for "well-credentialed" email lists in an effort to penetrate those lists and send spam to the mailing list members. He also noted that the "Habeas Haiku" method of whitelisting mail has actually become an indicator of spam rather than an indicator that the email is clean, as spammers have been brazenly using the Haikus in their spam.

Marty Lamb spoke about Martian Software's TarProxy, or "creating pain for spammers." TarProxy is a method for throttling connections between the spammer and an SMTP server by slowing the rate at which a spammer can send spam, thereby making it more costly. It also would cause headaches for administrators of open relays, with the eventual goal of forcing them to fix the configuration of their server.

Jonathan Zdziarski managed to present two topics in the allotted 20 minute space. Zdziarski spoke about using "chained tokens" to provide more information when filtering spam, rather than using a single word as a token. The "chained token" technique basically works on the concept that it is easier and less risky to identify spam by multiple words or tokens rather than a single word or token. Tokens can include mail headers, HTML fragments and other bits of an e-mail. A white paper discussing the technique can be found on the DSPAM website in PDF.
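An added example of the chained-token idea follows; it is not DSPAM's code and the training corpus and test messages are constructed. A plain naive Bayes filter sees "free" and "money" as separate, individually ambiguous tokens (both words occur in legitimate mail too); chaining adds the pair "free+money" as its own token, which in this corpus occurs only in spam, and the filter's verdict changes accordingly. Header tokens are prefixed with the header name, so a word in a Subject line and the same word in the body count as different evidence.

```python
"""Added example (not DSPAM's code): 'chained tokens' in a naive Bayes spam
filter. Besides each single token (word, price, HTML tag, or header name
prefixed to a header value), every adjacent pair of tokens becomes a token of
its own. The training corpus and test messages are constructed."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"<[^>]+>|[A-Za-z0-9$!%.'-]+")


def tokenize(message: str) -> list:
    """Single tokens. Header tokens carry the header name so that 'free' in a
    Subject line and 'free' in the body are distinct evidence."""
    tokens = []
    headers, _, body = message.partition("\n\n")
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        tokens.extend(f"{name.strip().lower()}:{t.lower()}" for t in TOKEN_RE.findall(value))
    tokens.extend(t.lower() for t in TOKEN_RE.findall(body))
    return tokens


def chained_tokens(message: str) -> list:
    """Single tokens plus each adjacent pair joined into one chained token."""
    single = tokenize(message)
    return single + [f"{a}+{b}" for a, b in zip(single, single[1:])]


class BayesFilter:
    def __init__(self, chain: bool):
        self.extract = chained_tokens if chain else tokenize
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0

    def train(self, message: str, is_spam: bool) -> None:
        present = set(self.extract(message))  # count presence per message, not frequency
        if is_spam:
            self.spam.update(present)
            self.nspam += 1
        else:
            self.ham.update(present)
            self.nham += 1

    def token_prob(self, tok: str) -> float:
        """P(spam | token), shrunk toward 0.5 when a token has few observations."""
        s = self.spam[tok] / max(self.nspam, 1)
        h = self.ham[tok] / max(self.nham, 1)
        if s + h == 0:
            return 0.5
        n = self.spam[tok] + self.ham[tok]
        return (0.5 + n * (s / (s + h))) / (1 + n)

    def score(self, message: str) -> float:
        """Combine token probabilities in log space; returns P(spam) in (0, 1)."""
        toks = set(self.extract(message))
        log_s = sum(math.log(self.token_prob(t)) for t in toks)
        log_h = sum(math.log(1 - self.token_prob(t)) for t in toks)
        return 1 / (1 + math.exp(log_h - log_s))


# Constructed training corpus: 'free' and 'money' occur in both classes, but
# the pair 'free money' occurs only in spam and 'free software' only in ham.
SPAM = [
    "Subject: free money now\n\nclick here for free money now",
    "Subject: you have won\n\nclaim your free money today click here",
    "Subject: cheap loans\n\nget money now no credit check",
]
HAM = [
    "Subject: free software talk\n\nthe free software conference talk is tomorrow",
    "Subject: patch\n\nattached is the patch for the free software project",
    "Subject: lunch money\n\ncan you lend me lunch money tomorrow",
]


def demo() -> dict:
    """Score one spam-like and one ham-like message with and without chaining."""
    results = {}
    for name, chain in (("single", False), ("chained", True)):
        f = BayesFilter(chain)
        for m in SPAM:
            f.train(m, True)
        for m in HAM:
            f.train(m, False)
        results[name] = (f.score("Subject: hi\n\nfree money for you"),
                         f.score("Subject: hi\n\nfree software for you"))
    return results
```

With this corpus, the single-token filter scores "free money for you" at about 0.44 (leaning ham, because "you" only appears in legitimate mail), while the chained filter scores it at about 0.80; for "free software for you" chaining pushes an already-low score lower. The flip side is that chained tokens multiply the size of the token database, which is the usual trade-off with this technique.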

Zdziarski is also working with Bill Yerazunis on an RFC for MIME encoding of message inoculation, creating a message format that allows different spam filters on different servers to share inoculation information.

John Graham-Cumming taped his presentation beforehand. Instead of discussing how to block spam, Graham-Cumming's presentation focused on how spammers could beat spam filters by using filters like POPFile to detect "good" words to get through a spam filter. Graham-Cumming predicts that spammers will continue to react to adaptive filtering, and said that it would be possible for a spammer to insert "web bugs" into spam to help train filters to see which messages are delivered and which are not. Graham-Cumming said that it would be necessary to choke off feedback to spammers, such as bounces and SMTP error messages, to prevent adaptive filtering from working against spam filters.

Eric Raymond was also on hand at the conference, and spoke about several topics. One topic Raymond discussed is a provision in the CAN-SPAM Act that requires the Department of Commerce to consult with the IETF on spam-labeling standards. While the CAN-SPAM Act directs the department to consult with the IETF on this issue, the IETF does not have any labeling standards at the moment. Raymond says he is working on a draft RFC that could "pass constitutional muster" that could be used.

Raymond also discussed Sender Permitted From (SPF). SPF allows a receiving server to check whether the IP address a message arrives from is authorized to send mail for the domain the message claims to come from, and to set policies based on that information. To use SPF, you add information to DNS that informs the world which IP addresses are valid for sending e-mail from your domain. When spammers attempt to spoof "from" headers and so on, a server using SPF can check to see whether or not the IP addresses match the valid IP addresses listed in DNS records.

Raymond admitted that there are compatibility problems with SPF. For example, SPF breaks forwarding and causes problems for roving users who need to send mail from different IP addresses. He noted that no one technology for stopping spam is perfect, but several tactics can work together as a "drug cocktail" to help end the spam problem.
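The two paragraphs above can be made concrete with an added example; it is not code from the talk or from any SPF implementation. The DNS lookup is replaced by a constructed table of records, only the ip4, ip6 and all mechanisms are modelled (a, mx, include and redirect are not), and the result names follow the usual SPF vocabulary. The last check also shows the forwarding problem Raymond mentioned: a legitimate message from example.org that passes through a forwarding host at 203.0.113.7 fails, because that host is not in example.org's record.

```python
"""Added example (not from the talk or any SPF library): evaluate a
constructed SPF record for the domain of the envelope sender against the IP
address the SMTP connection came from. Only the ip4/ip6/all mechanisms are
modelled and DNS is replaced by an in-memory table; 'a', 'mx', 'include'
and 'redirect' are not handled."""
import ipaddress

# Constructed stand-in for the TXT records a real checker would fetch from DNS.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain: str, client_ip: str, records=SPF_RECORDS) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means 'pass'
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = ip.version == network.version and ip in network
        else:
            raise ValueError(f"mechanism not modelled here: {mechanism}")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def check_mail_from(mail_from: str, client_ip: str) -> str:
    """Apply SPF to the envelope sender (MAIL FROM) of an SMTP session."""
    _, _, domain = mail_from.rpartition("@")
    return evaluate_spf(domain, client_ip)


if __name__ == "__main__":
    # Constructed sessions: a direct delivery, a spoof, and a forwarded message.
    print(check_mail_from("alice@example.org", "192.0.2.77"))    # pass
    print(check_mail_from("alice@example.org", "198.51.100.9"))  # fail
    print(check_mail_from("alice@example.org", "203.0.113.7"))   # fail, even if a forwarder
```

Note that the "-all" record gives a hard fail for the forwarded case; a domain that expects its users' mail to be forwarded or sent from roaming addresses will often publish "~all" instead, which is why the example.net record yields a softfail rather than a fail.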

For those interested in attending an anti-spam conference before MIT's 2005 conference, several speakers plugged the First Conference on Email and Anti-Spam (CEAS), which is scheduled for July 30 and 31 in Mountain View, California. For those working on anti-spam technologies or in related areas, there is a call for papers with a deadline of April 16.

The full presentations from the MIT conference are available in RealPlayer format at the Spam Conference website.


Page editor: Jonathan Corbet

Security

Security news

A weak cryptoloop implementation in Linux?

The "cryptoloop" code in the Linux kernel allows "loopback" mounts of filesystems. Essentially, cryptoloop looks like a block driver which encrypts data on its way through. It can thus be used to add encryption to any of the standard Linux filesystems without changing the filesystem code itself.

Recently, in response to a bug report with the 2.6.1-mm3 cryptoloop implementation, Jari Ruusu made a disturbing claim:

If you want your data secure, you need to re-encrypt your data anyway. Mainline loop crypto implementation has exploitable vulnerability that is equivalent to back door. Kerneli.org folks have always shipped back-doored loop crypto, and now mainline folks are shipping back-doored loop crypto. Kerneli.org derivatives such as Debian, SuSE, and others are also back-doored.

It will come as no surprise that this message was followed by requests for more details on the "back-doored" cryptoloop. Jari obliged with a clear, technical explanation of what is going on. If you are using (or considering) cryptoloop, it is worth a look, even if there may be no need for immediate panic.

The problem, it seems, is that cryptoloop is susceptible to a certain kind of known plaintext attack. For any given filesystem type, the contents of certain sectors will be easy to predict. Given some time and an idle processor, an attacker can generate an exhaustive dictionary of likely passwords and the resulting ciphertext that will appear on disk. With access to the actual, encrypted disk, a quick lookup in the dictionary will yield the password and enable decryption of the entire filesystem. This attack is not practical for casual snoopers, but it would not be entirely surprising if government agencies and other, relatively organized groups had this sort of dictionary handy.

There are two ways of getting around this sort of problem. One is to choose a lengthy, non-obvious password. The other is to use salted passwords, where the password is modified by a randomly-chosen value before the data is encrypted. The salt value has to be retrievable, but it has the effect of requiring an attacker to create a separate dictionary for every possible salt value. If the range of salt values is large enough, salting the password will render the dictionary attack impractical.
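As an added illustration (not part of the original article and not the kernel's cryptoloop code), the Python below models the two schemes described above. The predictable sector contents, the candidate passwords and the salt are constructed sample values, and the "cipher" is a stand-in keystream built from HMAC-SHA256 rather than cryptoloop's actual block cipher. What it shows is why one precomputed table of "password -> ciphertext of the known sector" suffices against an unsalted scheme, and why the same table is useless against a salted volume until it is rebuilt for that volume's salt.

```python
"""Added illustration (not from the LWN article or the cryptoloop code):
why an unsalted password-to-key mapping lets an attacker precompute a
password dictionary from one predictable sector, and how a salt breaks it.
The 'cipher' below is a stand-in keystream built from HMAC-SHA256, not the
kernel's actual block cipher; the sector content, passwords and salts are
constructed sample values."""
import hashlib
import hmac
import os

SECTOR_SIZE = 16  # stand-in for a 512-byte sector; keeps the output short

# Constructed: the first sector of a filesystem type is predictable, e.g. a
# fixed magic number and zero padding. An attacker knows it byte for byte.
KNOWN_SECTOR = b"FSMAGIC\x00" + b"\x00" * (SECTOR_SIZE - 8)


def key_unsalted(password: bytes) -> bytes:
    """Weak scheme: the key depends only on the password, so one table serves every disk."""
    return hashlib.sha256(password).digest()


def key_salted(password: bytes, salt: bytes) -> bytes:
    """Salted scheme: the key depends on a per-volume random salt as well."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


def encrypt_sector(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """Stand-in cipher: XOR with a keystream derived from (key, sector number)."""
    stream = hmac.new(key, sector_no.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def build_dictionary(candidates, salt=None) -> dict:
    """Precompute ciphertext-of-known-sector -> password for every candidate.
    With salt=None this models the table against the unsalted scheme; with a
    salt the table is only valid for that one salt value."""
    table = {}
    for pw in candidates:
        key = key_unsalted(pw) if salt is None else key_salted(pw, salt)
        table[encrypt_sector(key, 0, KNOWN_SECTOR)] = pw
    return table


def lookup_password(table: dict, disk_sector0: bytes):
    """One dictionary lookup against sector 0 as read from the encrypted disk."""
    return table.get(disk_sector0)


CANDIDATES = [b"password", b"letmein", b"hunter2", b"correct horse", b"qwerty"]


def demo() -> tuple:
    """Returns (unsalted lookup, salted lookup with the old table, salted lookup after rebuild)."""
    victim_pw = b"hunter2"  # constructed: a weak password that is in the candidate list
    table = build_dictionary(CANDIDATES)
    # Unsalted volume: sector 0 is found directly in the precomputed table.
    disk0 = encrypt_sector(key_unsalted(victim_pw), 0, KNOWN_SECTOR)
    unsalted_hit = lookup_password(table, disk0)
    # Salted volume: the salt is stored retrievably on the disk, but the table
    # was built without it, so the lookup misses.
    salt = os.urandom(16)  # constructed per-volume salt
    disk0_salted = encrypt_sector(key_salted(victim_pw, salt), 0, KNOWN_SECTOR)
    salted_miss = lookup_password(table, disk0_salted)
    # Only a table rebuilt for this exact salt works: one full rebuild per volume.
    rebuilt = build_dictionary(CANDIDATES, salt)
    salted_hit_after_rebuild = lookup_password(rebuilt, disk0_salted)
    return unsalted_hit, salted_miss, salted_hit_after_rebuild
```

The rebuild step is the whole point: with a 128-bit salt the precomputation cannot be shared between volumes, so the attacker's cost becomes "one dictionary per disk" instead of "one dictionary, ever". A slow key derivation (the PBKDF2 iteration count here) raises the per-volume cost further; a long, non-obvious password removes the entry from the dictionary altogether.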

The end result is that most cryptoloop users need not go into an immediate panic, but this weakness is worth being aware of. It would also be a good idea to get a stronger mechanism into the mainline kernel. There is little to be gained and much to be lost by shipping crypto code with known weaknesses.


IBM and SUSE get EAL3+ certification

IBM and SUSE have sent out an announcement stating that SUSE LINUX Enterprise Server 8 ("with service pack 3"), when running on IBM eServer systems, has been awarded Common Criteria EAL3+ certification. This certification is a step beyond the EAL2 level reached last year. SUSE's distribution, once again, becomes the first to achieve this level of security certification.


New vulnerabilities

kdepim: VCF file information reader vulnerability

Package(s): kdepim
CVE #(s): CAN-2003-0988
Created: January 15, 2004
Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Red Hat RHSA-2004:006-01 2004-01-07
Mandrake MDKSA-2004:003 2004-01-14
Slackware SSA:2004-014-01 2004-01-14
Conectiva CLA-2004:810 2004-01-20
Whitebox WBSA-2004:005-01 2004-02-12
Gentoo 200404-02 2004-04-06
Fedora FEDORA-2004-133 2004-05-19


kernel: privilege vulnerability on AMD64

Package(s): kernel
CVE #(s): CAN-2004-0001
Created: January 16, 2004
Updated: February 17, 2004
Description: On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue.
Alerts:
Red Hat RHSA-2004:017-01 2004-01-13
Gentoo 200402-06 2004-02-17


mc: arbitrary code execution

Package(s): mc
CVE #(s): CAN-2003-1023
Created: January 16, 2004
Updated: April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander.
Alerts:
Debian DSA-424-1 2004-01-16
Red Hat RHSA-2004:034-01 2004-01-19
Mandrake MDKSA-2004:007 2004-01-26
Red Hat RHSA-2004:035-01 2004-01-19
Fedora FEDORA-2004-058 2004-02-09
Whitebox WBSA-2004:035-01 2004-02-12
SCO Group CSSA-2004-014.0 2004-03-25
Conectiva CLA-2004:833 2004-03-31
Gentoo 200403-09 2004-03-29
OpenPKG OpenPKG-SA-2004.009 2004-04-05


netpbm: insecure temporary files

Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Debian DSA-426-1 2004-01-18
Red Hat RHSA-2004:031-01 2004-01-22
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:030-01 2004-02-05
Mandrake MDKSA-2004:011 2004-02-11
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011-1 2004-09-27
Gentoo 200410-02 2004-10-04
Conectiva CLA-2004:909 2004-12-29


qmail: integer overflow

Package(s): qmail
CVE #(s):
Created: January 21, 2004
Updated: January 21, 2004
Description: The qmail-smtpd server suffers from an integer overflow which may be exploited to crash (one instance of) the server process. It is not clear, at this point, whether the overflow may be exploited for more useful ends; the claims made in this advisory regarding overwriting of memory have been disputed. A patch has been posted which fixes the problem.
Alerts: (No alerts in the database for this vulnerability)


slocate: buffer overflow

Package(s): slocate
CVE #(s): CAN-2003-0848
Created: January 20, 2004
Updated: February 16, 2004
Description: A vulnerability was discovered in slocate, a program to index and search for files, whereby a specially crafted database could overflow a heap-based buffer. This vulnerability could be exploited by a local attacker to gain the privileges of the "slocate" group, which can access the global database containing a list of pathnames of all files on the system, including those which should only be visible to privileged users. This problem, and a category of potential similar problems, can be fixed by modifying slocate to drop privileges before reading a user-supplied database.
Alerts:
Debian DSA-428-1 2004-01-20
Trustix 2004-0005 2004-01-21
Mandrake MDKSA-2004:004 2004-01-23
Red Hat RHSA-2004:041-01 2004-01-22
Fedora FEDORA-2004-059 2004-01-26
SCO Group CSSA-2004-001.0 2004-02-10
Whitebox WBSA-2004:041-01 2004-02-12
Fedora-Legacy FLSA:1232 2004-02-11


tcpdump: flaws in the ISAKMP decoding routines

Package(s): tcpdump
CVE #(s): CAN-2003-0989 CAN-2004-0057 CAN-2004-0055
Created: January 15, 2004
Updated: April 6, 2004
Description: George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding routines of tcpdump versions up to and including 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

Alerts:
Red Hat RHSA-2004:007-01 2004-01-14
Red Hat RHSA-2004:008-01 2004-01-15
SuSE SuSE-SA:2004:002 2004-01-14
Trustix 2004-0004 2004-01-05
OpenPKG OpenPKG-SA-2004.002 2004-01-16
Debian DSA-425-1 2004-01-16
EnGarde ESA-20040119-002 2004-01-19
Mandrake MDKSA-2004:008 2004-01-26
Fedora-Legacy FLSA:1222 2004-01-31
Whitebox WBSA-2004:008-01 2004-02-12
Fedora FEDORA-2004-092 2004-03-02
SCO Group CSSA-2004-008.0 2004-03-02
Fedora FEDORA-2004-091 2004-03-04
Gentoo 200404-03 2004-03-31

Comments (none posted)

Updated vulnerabilities

CUPS: denial of service

Package(s):CUPS CVE #(s):CAN-2003-0788
Created:November 3, 2003 Updated:March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Red Hat RHSA-2003:275-01 2003-11-03
Mandrake MDKSA-2003:104 2003-11-05
Conectiva CLA-2003:779 2003-11-07
SCO Group CSSA-2004-012.0 2004-03-03

Comments (none posted)

Net-SNMP: security bugs in versions before 5.0.9

Package(s):Net-SNMP CVE #(s):CAN-2003-0935
Created:December 2, 2003 Updated:February 13, 2004
Description: The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.

Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs.

Alerts:
Red Hat RHSA-2003:335-01 2003-12-02
Mandrake MDKSA-2003:115 2003-12-11
Red Hat RHSA-2004:023-01 2004-01-15
Whitebox WBSA-2004:023-01 2004-02-12

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

Comments (none posted)

apache: buffer overflows in mod_alias, mod_rewrite

Package(s):apache CVE #(s):CAN-2003-0542 CAN-2003-0789
Created:October 28, 2003 Updated:February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver. These occurred if a regular expression with more than 9 capturing parentheses was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf). CAN-2003-0542

Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. CAN-2003-0789.

Alerts:
OpenPKG OpenPKG-SA-2003.046 2003-10-28
Immunix IMNX-2003-7+-025-01 2003-10-28
Gentoo 200310-04 2003-10-31
Mandrake MDKSA-2003:103 2003-11-03
EnGarde ESA-20031105-030 2003-11-05
Slackware SSA:2003-308-01 2003-11-03
Conectiva CLA-2003:775 2003-11-05
Trustix 2003-0041 2003-11-15
Gentoo 200310-03 2003-10-28
Red Hat RHSA-2003:360-01 2003-12-10
Red Hat RHSA-2003:320-01 2003-12-16
Red Hat RHSA-2003:405-00 2003-12-18
Fedora FEDORA-2003-004 2004-01-08
Whitebox WBSA-2004:015-01 2004-02-12

Comments (none posted)

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Mandrake MDKSA-2003:096 2003-09-26
Mandrake MDKSA-2003:096-1 2003-10-24
Netwosix NW-2004-0006 2004-03-25
Gentoo 200403-04 2004-03-22

Comments (none posted)

bind: cache poisoning

Package(s):bind CVE #(s):CAN-2003-0914
Created:November 26, 2003 Updated:February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.
Alerts:
EnGarde ESA-20031126-031 2003-11-26
Immunix IMNX-2003-7+-024-01 2003-10-27
Trustix 2003-0044 2003-11-27
SuSE SuSE-SA:2003:047 2003-11-28
Debian DSA-409-1 2004-01-05
SCO Group CSSA-2004-003.0 2004-02-19

Comments (none posted)

cvs: possible root compromise

Package(s):cvs CVE #(s):CAN-2003-0977
Created:December 29, 2003 Updated:February 13, 2004
Description: Stable CVS 1.11.11 has been released, adding code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file.
Alerts:
Gentoo 200312-08 2003-12-28
Red Hat RHSA-2004:003-01 2004-01-09
Debian DSA-422-1 2004-01-13
Conectiva CLA-2004:808 2004-01-20
Fedora-Legacy FLSA:1207 2004-01-28
Whitebox WBSA-2004:004-01 2004-02-12

Comments (none posted)

ethereal: protocol dissector and other vulnerabilities

Package(s):ethereal CVE #(s):CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013
Created:December 18, 2003 Updated:February 13, 2004
Description: Serious issues have been discovered in two ethereal protocol dissectors. Both vulnerabilities will make the Ethereal application crash. The Q.931 vulnerability also affects Tethereal. It is not known if either vulnerability can be used to make Ethereal or Tethereal run arbitrary code. (CAN-2003-1012 and CAN-2003-1013)
Alerts:
Fedora FEDORA-2003-040 2003-12-18
Debian DSA-407-1 2004-01-05
Red Hat RHSA-2004:001-01 2004-01-07
Conectiva CLA-2004:801 2004-01-07
Mandrake MDKSA-2004:002 2004-01-13
Red Hat RHSA-2004:002-01 2004-01-05
Fedora-Legacy FLSA:1193 2004-01-31
Whitebox WBSA-2004:002-01 2004-02-12

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
Mandrake MDKSA-2003:101 2003-10-16
Slackware SSA:2003-300-02 2003-10-22
SCO Group CSSA-2004-004.0 2004-02-19
Netwosix NW-2004-0002 2004-02-20
Gentoo 200403-10 2004-03-30
OpenPKG OpenPKG-SA-2004.012 2004-04-08

Comments (none posted)

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
Conectiva CLA-2003:768 2003-10-22
Conectiva CLA-2003:771 2003-10-24
Immunix IMNX-2003-7+-026-01 2003-10-31
Red Hat RHSA-2003:309-01 2003-11-03
Mandrake MDKSA-2003:106 2003-11-12
Trustix 2003-0042 2003-11-15
SCO Group CSSA-2004-006.0 2004-03-01

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

Comments (none posted)

GnuPG: ElGamal signing keys compromised

Package(s):gnupg CVE #(s):CAN-2003-0971
Created:November 28, 2003 Updated:March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
Mandrake MDKSA-2003:109 2003-11-28
SuSE SuSE-SA:2003:048 2003-12-03
Conectiva CLA-2003:798 2003-12-09
Red Hat RHSA-2003:390-01 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Fedora FEDORA-2003-025 2003-12-10
Gentoo 200312-05 2003-12-12
Debian DSA-429-1 2004-01-26
Debian DSA-429-2 2004-02-13
SCO Group CSSA-2004-009.0 2004-03-02

Comments (3 posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

inn: vulnerability in INN 2.4.0

Package(s):inn CVE #(s):
Created:January 8, 2004 Updated:January 15, 2004
Description: A buffer overflow has been discovered in a portion of the control message handling code introduced in INN 2.4.0. It is fairly likely that this overflow could be remotely exploited to gain access to the user innd runs as. INN 2.3.x and earlier are not affected. The INN CURRENT tree is affected. See this advisory for more details.
Alerts:
OpenPKG OpenPKG-SA-2004.001 2004-01-08
Slackware SSA:2004-014-02 2004-01-14

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Red Hat RHSA-2003:316-01 2003-11-24
Gentoo 200404-10 2004-04-09
Debian DSA-492-1 2004-04-18
Fedora FEDORA-2004-115 2004-05-11
Fedora FEDORA-2004-154 2004-06-03
Mandrake MDKSA-2004:148 2004-12-13

Comments (none posted)

jabber: denial of service

Package(s):jabber CVE #(s):CAN-2004-0013
Created:January 7, 2004 Updated:January 26, 2004
Description: A vulnerability was discovered in jabber, an instant messaging server, whereby a bug in the handling of SSL connections could cause the server process to crash, resulting in a denial of service.
Alerts:
Debian DSA-414-1 2004-01-06
Mandrake MDKSA-2004:005 2004-01-23

Comments (1 posted)

jitterbug: improperly sanitized input

Package(s):jitterbug CVE #(s):CAN-2004-0028
Created:January 12, 2004 Updated:January 13, 2004
Description: Steve Kemp discovered a security related problem in jitterbug, a simple CGI based bug tracking and reporting tool. Program executions may use improperly sanitized input, which allows an attacker to execute arbitrary commands on the server hosting the bug database. As mitigating factors, these attacks are only available to non-guest users, and accounts for these people must be set up by the administrator, making them "trusted".
Alerts:
Debian DSA-420-1 2004-01-12

Comments (none posted)

kernel: two vulnerabilities in 2.4.23

Package(s):kernel CVE #(s):CAN-2003-0984 CAN-2003-0985
Created:January 5, 2004 Updated:January 19, 2004
Description: Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous which may allow a local attacker to gain root privileges. No exploit is currently available; however, it is believed that this issue is exploitable (although not trivially.) The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0985 to this issue. There is also a minor information leak in the real time clock (rtc) routines. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0984 to this issue. See this advisory for more information.
Alerts:
Red Hat RHSA-2003:417-01 2004-01-05
Red Hat RHSA-2003:418-01 2004-01-05
Red Hat RHSA-2003:419-01 2004-01-05
EnGarde ESA-20040105-001 2003-01-05
Conectiva CLA-2004:799 2004-01-05
Trustix 2004-0001 2004-01-05
Debian DSA-413-1 2004-01-06
Fedora FEDORA-2003-046 2004-01-05
SuSE SuSE-SA:2004:001 2004-01-05
Immunix IMNX-2004-73-001-01 2004-01-05
Debian DSA-417-1 2004-01-07
Fedora FEDORA-2003-047 2004-01-07
Red Hat RHSA-2003:416-01 2004-01-07
Slackware SSA:2004-006-01 2004-01-06
Mandrake MDKSA-2004:001 2004-01-07
Gentoo 200401-01 2004-01-08
Slackware SSA:2004-008-01 2004-01-08
Debian DSA-417-2 2004-01-09
SuSE SuSE-SA:2004:003 2004-01-15
Debian DSA-427-1 2004-01-19

Comments (1 posted)

kernel: local root exploit in 2.4.22

Package(s):kernel CVE #(s):CAN-2003-0961
Created:December 1, 2003 Updated:April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-403-1 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Trustix 2003-0046 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Slackware SSA:2003-336-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Red Hat RHSA-2003:389-01 2003-12-01
Yellow Dog YDU-20031203-1 2003-12-03
SuSE SuSE-SA:2003:049 2003-12-04
Gentoo 200312-02 2003-12-04
Conectiva CLA-2003:796 2003-12-05
Red Hat RHSA-2003:368-01 2003-12-19
Debian DSA-423-1 2004-01-15
Debian DSA-433-1 2004-02-04
Debian DSA-442-1 2004-02-19
Debian DSA-470-1 2004-04-01
Debian DSA-475-1 2004-04-05

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lftp buffer overflows

Package(s):lftp CVE #(s):CAN-2003-0963
Created:December 15, 2003 Updated:February 13, 2004
Description: According to this advisory versions of lftp prior to 2.6.10 are vulnerable to two exploitable buffer overflow problems. Both occur when you connect to a web server with lftp using HTTP or HTTPS, and then use lftp's "ls" or "rels" commands on specially prepared directories on the web server.
Alerts:
Slackware SSA:2003-346-01 2003-12-12
Immunix IMNX-2003-73-002-01 2003-12-09
SuSE SuSE-SA:2003:051 2003-12-15
Fedora FEDORA-2003-034 2003-12-15
Mandrake MDKSA-2003:116 2003-12-15
Red Hat RHSA-2003:403-01 2003-12-16
Red Hat RHSA-2003:404-01 2003-12-16
OpenPKG OpenPKG-SA-2003.053 2003-12-17
Gentoo 200312-07 2003-12-16
Debian DSA-406-1 2004-01-05
Conectiva CLA-2004:800 2004-01-06
Whitebox WBSA-2003:404-01 2003-12-17

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mod-auth-shadow: password expiration

Package(s):mod-auth-shadow CVE #(s):CAN-2004-0041
Created:January 12, 2004 Updated:January 13, 2004
Description: David B Harris discovered a problem with mod-auth-shadow, an Apache module which authenticates users against the system shadow password database, where the expiration status of the user's account and password were not enforced. This vulnerability would allow an otherwise authorized user to successfully authenticate, when the attempt should be rejected due to the expiration parameters.
Alerts:
Debian DSA-421-1 2004-01-12

Comments (none posted)

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
Conectiva CLA-2003:781 2003-11-12
Debian DSA-435-1 2004-02-06
SCO Group CSSA-2004-002.0 2004-02-19

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Debian DSA-411-1 2004-01-05
Gentoo 200503-34 2005-03-28

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Gentoo 200309-15 2003-09-27
Mandrake MDKSA-2003:097 2003-09-30
Conectiva CLA-2003:760 2003-10-06
Gentoo 200403-13 2004-03-31
Mandrake MDKSA-2004:026 2004-04-05

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

phpgroupware: missing filename sanitizing, SQL injection

Package(s):phpgroupware CVE #(s):CAN-2004-0016 CAN-2004-0017
Created:January 9, 2004 Updated:January 13, 2004
Description: The authors of phpgroupware, a web based groupware system written in PHP, discovered several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following problems:

CAN-2004-0016: In the "calendar" module, "save extension" was not enforced for holiday files. As a result, server-side php scripts may be placed in directories that then could be accessed remotely and cause the webserver to execute those. This was resolved by enforcing the extension ".txt" for holiday files.

CAN-2004-0017: Some SQL injection problems (non-escaping of values used in SQL strings) in the "calendar" and "infolog" modules.

Alerts:
Debian DSA-419-1 2003-01-09

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Debian DSA-363-1 2003-08-03
Red Hat RHSA-2003:251-01 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Conectiva CLA-2003:717 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
Trustix 2003-0029 2003-08-04
Mandrake MDKA-2004:028 2004-05-26

Comments (none posted)

rsync - remotely exploitable heap overflow

Package(s):rsync CVE #(s):CAN-2003-0962
Created:December 4, 2003 Updated:March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
Slackware SSA:2003-337-01 2003-12-03
Trustix 2003-0048 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
Debian DSA-404-1 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Gentoo 200312-03 2003-12-04
Conectiva