HR 3261 and the ownership of facts
The U.S. House Judiciary Committee approved HR 3261 (the "Database and
Collections of Information Misappropriation Act") on January 21. As
this bill represents yet another discouraging expansion of American copyright law, it
merits a look. For those who want to read the full text, it is available
in PDF format.
Unlike many bad intellectual property ideas, database protection is an idea
being imported into the U.S. from Europe. Efforts to prevent the
"misappropriation" of databases have been ongoing for some time; the first
version of the current proposal - based on the 1996 EU database directive -
was considered in 1996. It did not pass, but anybody who has
watched the legislative system in operation has learned that these things
keep coming back until the interests behind them finally get what they
want. That would appear to be happening here.
The core of the proposed law can be found in Section 3:
Any person who makes available in commerce to others a
quantitatively substantial part of the information in a database
generated, gathered, or maintained by another person, knowing that
such making available in commerce is without the authorization of
that person (including a successor in interest) or that person's
licensee, when acting within the scope of its license, shall be
liable for the remedies set forth in Section 7...
In plain English, what this law is saying is that copyright protections
will be extended to databases, regardless of whether the information
contained within those databases is, itself, copyrightable. Collections of
information which is, itself, unprotected (pricing information, sports
scores, weather data, etc.) will become protected. In a sense, this law
allows somebody who compiles a database to own the facts found therein.
The definition of a "database" is reasonably broad; it is:
...a collection of a large number of discrete items of information produced
for the purpose of bringing such discrete items of information together in
one place or through one source so that persons may access them...
There are some interesting exceptions: network routing information, for
example, is explicitly declared not to be a "database." The domain
name registration database is also excluded. Beyond that,
however, just about any collection of information counts.
Given the way other copyright laws have been stretched to the maximum, it
is worth considering what sorts of information could be considered a
database for the purposes of this law. Scientific, economic, and
geographic data is the obvious application. Less obvious, but clearly
covered, is a Linux distribution CD, or any collection of freely-available
software. Certain professional sports organizations have long fought for
ownership of game scores. Lists of audio CDs and the names of the tracks
on them could be included. Network routing tables may be excluded, but the
geographical location of IP addresses is a different story. The EU
directive has been held to outlaw "deep linking" into web sites.
If you go
about reproducing Linus Torvalds quotes, you better be prepared to prove
that they did not come from our definitive collection. And so on.
Hopefully many of these scenarios will not come to pass. But, even so, we
do not really need another expansion of copyright law at this time.
U.S. law has long held that expression is copyrightable, but ideas and
facts are not. HR 3261 overrides that tradition by giving database
creators a degree of control over the facts they have collected from
elsewhere. This bill, while improved over previous versions, is still not
something we want to see passed into law.
What's in KDE 3.2?
With a new release of KDE right around the corner, we thought we'd take the
first release candidate for a spin to see what KDE 3.2 has to offer.
I used Konstruct to build 3.2rc1, which took several hours on an Athlon XP
2600+ with 1GB of
RAM running SUSE 9. Though Konstruct is not new to 3.2, it still deserves a
mention. Konstruct allows the user to build and use a given KDE release (as
well as many KDE apps) without disturbing their current KDE installation,
and doesn't require root access. Users who are hesitant to try new KDE
releases for fear of breaking their current install need not worry.
The first things I noticed about 3.2 were some of the small changes. KDE
3.2 seems faster than the 3.1.4 release that comes with SUSE 9. The
KDE Kicker panel is finally Xinerama friendly again, allowing the user to
span multiple desktops with the Kicker panel if they wish to do so. The KDE
3.1 release forced a user to choose between desktops, and did not allow the
Kicker to span both desktops. The KDE start menu has also changed
slightly; it now includes built-in separators between applications, "most
used" applications (as determined by apps launched using the menu), and
"actions." The KDE Menu Editor is largely unchanged from the 3.1.x release,
however.
In previous releases of KDE, users could switch between virtual desktops by
hovering the mouse cursor over the pager on the Kicker panel and scrolling
with the mouse wheel. With the 3.2 release, users can enable the feature
for the entire desktop -- so all a user needs to do is place the mouse
cursor over an empty space on the desktop and use the scroll wheel to move
between virtual desktops, which is an enormously useful feature for users
with several applications spread over multiple desktops.
There are a few accessibility-related applications in 3.2 that might be of
interest to users who have physical limitations. KMouseTool allows the user
to set the mouse to left-click after a set period of time. This is useful
for users with carpal tunnel syndrome, and may also be of interest to
users with touchpads or other non-traditional pointing devices. KMouseTool
also has a "smart drag" feature that takes a bit of getting used to. It
allows the user to hover over a title bar or other window element for a set
period of time and then drag the mouse as if the user were holding down the
left button without actually requiring the user to use the button.
KDE 3.2 includes an improved KHotKeys, which now has support for mouse
gestures. As a safety measure, the user must replicate a mouse gesture
three times before they can assign an action to a mouse gesture. Users can
also assign actions to hotkey combinations and other KDE events. I was able
to use KHotKeys to assign hotkey combinations to launch applications, but
wasn't successful in assigning a mouse gesture to an application. I may
have been doing something incorrectly, but it was hard to tell, as the
KHotKeys documentation was missing from the KDE Help Center.
Konqueror has a number of enhancements in 3.2 as well. First off, the
rendering speed for Konqueror 3.2 is noticeably faster than for Konqueror
3.1.4. Konqueror also has built-in spell checking, which is a nice touch
for anyone who uses a Web-based e-mail client, weblog client or any other
situation where you might be entering text in a form on the Web. Folks
using KDE 3.2 no longer have an excuse for poor spelling -- a quick spell
check is just one right-click away. After using Konqueror about five
minutes, I also discovered another new feature in KDE 3.2: integration with
KWallet. KWallet is an application that stores passwords for websites,
messaging applications like Kopete and other apps. One difference between
KWallet and the Mozilla password feature is that KWallet requires the user
to enter a separate password to obtain the username/password combination
for any given web page.
Web developers may find the Quanta 3.2 release interesting. It has a number
of improvements, including "Visual Page Layout," which allows users to edit
web pages in a WYSIWYG mode or a joint editing mode combining WYSIWYG and
traditional text-editing. For users who prefer to edit HTML source
directly, the joint mode offers the ability to immediately see changes
rendered without removing the direct control over the HTML that many
prefer. Quanta has quite a bit to offer, but it is still somewhat
buggy. Quanta locked up a few times during testing, and the application
consumed far more than its share of system resources during use.
With 3.2 KDE now has its own unified groupware suite, Kontact. Kontact
bundles KMail, KOrganizer, KNotes, KNode and the KAddressBook
applications. Right now, Kontact is a little rough around the edges, and
definitely not quite as polished as its GNOME counterpart,
Evolution. KNotes caused Kontact to lock up on more than one
occasion. Kontact also lacks a unified configuration menu -- meaning that
users still have to configure each application separately. However, KNotes
aside, it seems to be a very usable and full-featured groupware
suite. Unlike Evolution, Kontact does allow the user to de-integrate the
suite as well. For example, if a user prefers to use a different e-mail
client, they can disable KMail's integration and use Kontact without the
KMail component.
Though it was released separately, I also looked at some of the KOffice 1.3
components. KOffice 1.3 includes all the usual office suite suspects, a
word processor (KWord), spreadsheet (KSpread) and a presentation program
(KPresenter). It also includes five other productivity applications, including
Kivio for creating flowcharts and a vector drawing application called
Karbon14. I didn't have time to test all of the office applications
extensively, but I did test out KWord and KSpread using a few Microsoft Office
docs. KSpread's import features have definitely improved, as have
KWord's. However, KWord still had problems with some Microsoft Word
documents that open fine in OpenOffice.org. KOffice 1.3 has been officially
released and is available now.
Ever wonder what's taking up so much disk space? 3.2 includes an
application called Filelight that generates an interactive graphical
representation of your file system, or just part of the filesystem. For
users with a large number of files, it may take some time. It took
Filelight about three minutes to generate a map of all 305,184 files in my
home directory. When a user drills down into the
file map generated by Filelight, it's possible to open files that KDE has
associations for. I stumbled on this feature by accident by clicking on an
HTML file in the Filelight map. Unfortunately, Filelight doesn't offer the
ability to delete files.
With a few notable exceptions, the 3.2rc1 release has proved to be very
stable overall. It isn't a huge leap in functionality from the 3.1.x
releases, but 3.2 includes enough refinements and new features to make the
move from 3.1 to 3.2 well worth it. There are far too many improvements in
3.2 to go into here, but suffice it to say that KDE users are in for a
treat when the final 3.2 release goes "gold." According to the release
schedule, 3.2 final is slated to be released on Monday, February 2nd.
Just another Microsoft worm
Certainly the "MyDoom" worm has gotten our attention. By some accounts it
is the fastest-spreading email-based worm ever; there is no doubt that it
has filled our mailboxes with garbage - both the worm itself and the
inevitable piles of "virus notification" spam that this sort of worm
generates. Interestingly, claims have appeared in the media that this worm
does not actually exploit any
Windows security holes. We know better, of course; the fact that a worm
like MyDoom can exist at all is a clear vulnerability.
So far, this episode just looks like yet another in the interminable series
of worms hosted by the Microsoft computing environment. The story gets
more interesting, however, with the fact that this worm seemingly contains
code to execute a denial-of-service attack against the SCO Group's web
site on February 1, thus ruining Darl McBride's Super Bowl
experience. This attack has, of course, been widely reported in the
mainstream media as an act carried out by the Linux community in
retaliation for SCO's attempts to steal or destroy our work. (SCO itself,
in its press release offering a bounty for the worm writer's head, took a
relatively neutral tone: "We do not know the
origins or reasons for this attack, although we have our
suspicions.")
You knew this paragraph was coming: the free software community does not and cannot
go for attacks of this sort. This worm is an act of vandalism which does
not help our cause in any way. It will not affect SCO's legal campaign,
and can only help the company's PR campaign. Rather than try to silence
the company's web site, we need to let SCO's words be distributed as widely
as possible. The more they talk, the deeper they dig themselves in. It is
not for nothing that this picture was recently circulated with the caption
"SCO's legal team in action." Trying to shut down SCO's web site via DoS
attacks is morally wrong and simply counterproductive.
The fact is that this worm almost certainly has nothing to do with SCO or
Linux. The SCO attack does a good job of covering over a few other
little details about this worm: it does, after all, install a keystroke
logger, a spam relay, and an open port which can be used to feed arbitrary
code into the compromised system. MyDoom turns the system into a general
attack platform; the DoS attack looks thrown in as an afterthought. This
worm is not primarily a machine for attacking SCO; it is constructing a
large-scale distributed network of compromised systems.
The media likes the "SCO attack" story, however, and thus the damage is
done. The community has been portrayed as a set of outlaw crackers trying
to settle a grudge. In fact, we, too, are victims of this worm. Our
networks are flooded and our mailboxes are clogged, even though our Linux
systems are, as usual, immune to the worm itself. And our reputation has
taken a hit because it suits some people to portray this worm as furthering
our agenda. There is nothing about MyDoom which has been good for the
community.
There is little we can do to respond to this worm that we have not been
doing for some time. We can and will deplore this sort of attack,
regardless of who the victim is. We can try to raise awareness of the fact
that these worms are very much the product of one set of proprietary
operating systems with designed-in security problems, and we can let the
world know that we have an alternative which is not a worm-breeding
platform. This message may just be heard: companies dealing with the
consequences of MyDoom and its countless predecessors have suffered far
more than SCO will; they cannot help but be increasingly receptive to
alternative systems. And, most of all, we can continue to work to improve
our own security so that we have a chance of actually living up to our
promise of being a worm-free alternative.
LWN gets a new server
The folks at Rackspace Managed Hosting have been hosting the LWN.net
front-line server for almost two years now - ever since
our un-acquisition from Tucows. We have never had anything but great
support and service from Rackspace during this time, despite the fact that
they have been donating this service to LWN in exchange for a few banner
ads. As LWN's traffic has
grown, however, we have overrun the capabilities of both our two-year-old
server and the bandwidth that was allotted to it. So we've had to put some
real thought into how to continue to provide a responsive site with all the
new features that readers have been requesting.
We are now happy to acknowledge that Rackspace has not only given us a
newer, faster server, but it has also upped our monthly bandwidth limit
donation to a level that should be sufficient for a while. Rackspace has
done a lot over the last two years to help keep LWN on the net. We would
like to say "Thanks, Rackspace!" for continuing to come forward and help
keep the site alive.
Page editor: Jonathan Corbet
Security
Security news
The OWASP top ten web application vulnerabilities
The Open Web Application Security Project has issued a new version of its
top-ten list of web application security vulnerabilities; the full version is
available from the SourceForge download network in PDF format. The list is
little changed from last year - web sites are still being attacked using the
same sorts of vulnerabilities. This year's list is:
- Unvalidated input, usually in the form of playing with HTTP
requests. Many of the other problems on this list come down to input
validation problems in the end.
- Broken access control mechanisms. Access control is often an
oversight, and often implemented poorly.
- Broken authentication and session management. Among other
things, the study points out that identifiers like session cookies
must be protected by SSL or session hijacking is possible.
- Cross-site scripting. ("The likelihood that a site
contains XSS vulnerabilities is extremely high").
- Buffer overflows. Web applications are certainly not unique in
suffering from this class of vulnerabilities, of course. The paper
singles out Java-based web applications as being immune to buffer
overflow attacks.
- Injection flaws with SQL injection topping the list.
- Improper error handling which discloses internal information.
- Insecure storage, meaning the failure to use (good) encryption when
storing important information.
- Denial of service, in all the usual ways.
- Bad configuration management, such as the failure to apply
security updates and poor system administration in general.
This is a daunting list for anybody trying to deploy any sort of web
application in a secure manner. There are so many things which can go
wrong. The risks of running a web application can be managed, however.
The first step toward that end is developing an awareness of where the
pitfalls lie; OWASP, in compiling its list, has helped us to take a step in
that direction.
New vulnerabilities
gaim: remote overflows
Package(s): gaim
CVE #(s): CAN-2004-0006, CAN-2004-0007, CAN-2004-0008
Created: January 26, 2004
Updated: February 16, 2004
Description: Stefan Esser has discovered several vulnerabilities in Gaim
0.75. This advisory has details of 12 separate vulnerabilities.
mod_python: denial of service vulnerability
Package(s): mod_python
CVE #(s): CAN-2003-0973
Created: January 27, 2004
Updated: October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a
specific, malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to denial of
service attacks when handling a malformed query. Mod_python 2.7.9 was released
to fix the vulnerability; however, because that release did not fully fix it,
version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by
this vulnerability.
trr19 - privilege leakage
Package(s): trr19
CVE #(s): CAN-2004-0047
Created: January 28, 2004
Updated: January 28, 2004
Description: The trr19 utility fails to drop group privileges, thus giving
group access to a local attacker.
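As an added example (not code from trr19 or from any advisory on this page), the C below shows the privilege-drop order that avoids the class of bug described above, with a check that the drop actually took rather than trusting it. The function names are this example's own, and it drops to the caller's own ids so it runs unprivileged.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up elevated privileges permanently, in the order that works.
 * The mistake behind "fails to drop group privileges" is dropping the
 * user id and then forgetting the group, or calling setgid() after
 * setuid() when the process is no longer allowed to change its group,
 * so it keeps group access it should have lost.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* 1. Supplementary groups: setgid() does not touch them, and only
     *    a privileged process may call setgroups(). */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* 2. Group id, while still privileged enough to change it. */
    if (setgid(gid) != 0)
        return -1;
    /* 3. User id last: after this the process cannot change its group. */
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: real and effective ids must equal the targets, and an
 * unprivileged process must be unable to climb back to root (which also
 * catches a saved set-user-id or set-group-id that was left behind).
 * Returns 1 if fully dropped, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && (setuid(0) == 0 || setgid(0) == 0))
        return 0;
    return 1;
}

int main(void)
{
    /* A setuid/setgid helper would do this before touching any untrusted
     * input; here the targets are simply the invoking user's real ids. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    int ok = privileges_dropped(uid, gid);
    printf("privileges dropped: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```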
Updated vulnerabilities
apache: buffer overflows in mod_alias, mod_rewrite
Package(s): apache
CVE #(s): CAN-2003-0542, CAN-2003-0789
Created: October 28, 2003
Updated: February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and
mod_rewrite modules of the Apache webserver. These occurred if a regular
expression with more than 9 capturing parentheses was configured. To exploit
this, an attacker would need to be able to locally create a carefully crafted
configuration file (.htaccess or httpd.conf). (CAN-2003-0542)
Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling
of CGI redirect paths could result in CGI output going to the wrong client when
a threaded MPM is used. (CAN-2003-0789)
apache2: Denial of Service vulnerability
Package(s): apache2
CVE #(s): (none listed)
Created: September 29, 2003
Updated: March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write
more than 4k to the standard error stream will hang the script's execution.
This problem can lead to a denial of service situation. See this bug report for
additional details.
bind: cache poisoning
Package(s): bind
CVE #(s): CAN-2003-0914
Created: November 26, 2003
Updated: February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited to cause
a temporary denial of service until the bad record expires from the cache.
CUPS: denial of service
Package(s): CUPS
CVE #(s): CAN-2003-0788
Created: November 3, 2003
Updated: March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet
Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would
get into a busy loop. This could result in a denial of service. In order to
exploit this bug an attacker would need to have the ability to make a TCP
connection to the IPP port (by default 631).
cvs: possible root compromise
Package(s): cvs
CVE #(s): CAN-2003-0977
Created: December 29, 2003
Updated: February 13, 2004
Description: Stable CVS 1.11.11 has been released, adding code to the CVS
server to prevent it from continuing as root after a user login, as an extra
failsafe against a compromise of the CVSROOT/passwd file.
ethereal: protocol dissector and other vulnerabilities
Package(s): ethereal
CVE #(s): CAN-2003-0925, CAN-2003-0926, CAN-2003-0927, CAN-2003-1012, CAN-2003-1013
Created: December 18, 2003
Updated: February 13, 2004
Description: Serious issues have been discovered in two ethereal protocol
dissectors. Both vulnerabilities will make the Ethereal application crash. The
Q.931 vulnerability also affects Tethereal. It is not known if either
vulnerability can be used to make Ethereal or Tethereal run arbitrary code.
(CAN-2003-1012 and CAN-2003-1013)
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for
changes and lets interested applications know when something happens. This
package has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise be
invisible.
fetchmail may crash on specially crafted message
Package(s): fetchmail
CVE #(s): CAN-2003-0792
Created: October 16, 2003
Updated: April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted
email message can cause fetchmail to crash.
fileutils/wu-ftpd: denial of service
Package(s): fileutils
CVE #(s): CAN-2003-0854
Created: October 22, 2003
Updated: March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls"
which can be exploited via wu-ftpd to create a denial of service situation. See
this advisory from Georgi Guninski for details.
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to denial
of service. (See CERT Vulnerability Note VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as
glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size
instead of the actual size when processing a DNS response, which causes the
stub resolvers to read past the actual boundary ("read buffer overflow"),
allowing remote attackers to cause a denial of service (crash).
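As an added example (not code from glibc, BIND or any resolver named above), this C parser walks a DNS response while bounding every read by the number of bytes actually received, then reproduces the bug class from the description: the same truncated message is rejected when bounded by the received count and wrongly accepted when bounded by the buffer's capacity. The sample response and all function names are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12

/* Constructed sample (not captured from a real resolver): a 45-byte response
 * to an A query for example.com with one answer, 192.0.2.1 (a documentation
 * address); the answer's NAME is a compression pointer to the question. */
static const uint8_t SAMPLE_RESPONSE[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, /* header */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,           /* QNAME */
    0x00, 0x01, 0x00, 0x01,                                              /* A, IN */
    0xC0, 0x0C,                                                          /* NAME -> offset 12 */
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C,                      /* A, IN, TTL 60 */
    0x00, 0x04, 192, 0, 2, 1                                             /* RDLENGTH, RDATA */
};

/* Skip one (possibly compressed) name starting at *off.  Every index is
 * checked against len, the number of bytes actually received, never against
 * the capacity of the buffer.  Returns 0 on success, -1 if the name is
 * malformed or would run past len. */
static int skip_name(const uint8_t *msg, size_t len, size_t *off)
{
    size_t i = *off;
    for (;;) {
        if (i >= len)
            return -1;
        uint8_t label = msg[i];
        if (label == 0) {                 /* root label: end of name */
            i += 1;
            break;
        }
        if ((label & 0xC0) == 0xC0) {     /* compression pointer: 2 bytes, ends the name */
            if (i + 1 >= len)
                return -1;
            i += 2;
            break;
        }
        if (label > 63)                   /* 0x40 and 0x80 prefixes are reserved */
            return -1;
        i += 1 + label;                   /* length octet plus the label bytes */
    }
    *off = i;
    return 0;
}

/* Walk the question and answer sections.  Returns the number of answer RRs
 * that lie entirely inside len, or -1 if any field would extend past it. */
int count_answers(const uint8_t *msg, size_t len)
{
    if (len < DNS_HDR_LEN)
        return -1;
    unsigned qdcount = (unsigned)(msg[4] << 8 | msg[5]);
    unsigned ancount = (unsigned)(msg[6] << 8 | msg[7]);
    size_t off = DNS_HDR_LEN;

    for (unsigned i = 0; i < qdcount; i++) {
        if (skip_name(msg, len, &off) != 0 || len - off < 4)   /* QTYPE, QCLASS */
            return -1;
        off += 4;
    }
    int answers = 0;
    for (unsigned i = 0; i < ancount; i++) {
        if (skip_name(msg, len, &off) != 0 || len - off < 10)  /* TYPE .. RDLENGTH */
            return -1;
        size_t rdlength = (size_t)(msg[off + 8] << 8 | msg[off + 9]);
        off += 10;
        if (rdlength > len - off)                              /* RDATA must have arrived */
            return -1;
        off += rdlength;
        answers++;
    }
    return answers;
}

/* The bug class from the advisory: a 512-byte receive buffer gets only the
 * first 40 bytes of the sample, so the answer's RDLENGTH and RDATA never
 * arrive.  Bounded by the received count the parser rejects the message;
 * bounded by the buffer capacity it "parses" bytes that were never received
 * (zeros here, stale memory in a real resolver). */
int parse_truncated(int bound_by_capacity)
{
    uint8_t buf[512];
    const size_t received = 40;
    memset(buf, 0, sizeof buf);
    memcpy(buf, SAMPLE_RESPONSE, received);
    return count_answers(buf, bound_by_capacity ? sizeof buf : received);
}

int main(void)
{
    printf("full response: %d answer(s)\n",
           count_answers(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE));
    printf("truncated, bounded by received bytes: %d\n", parse_truncated(0));
    printf("truncated, bounded by buffer capacity: %d\n", parse_truncated(1));
    return 0;
}
```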
GnuPG: ElGamal signing keys compromised
Package(s): gnupg
CVE #(s): CAN-2003-0971
Created: November 28, 2003
Updated: March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen
relating to ElGamal sign+encrypt keys. This email message from Werner Koch
contains more information. "Phong Nguyen identified a severe bug in the way
GnuPG creates and uses ElGamal keys for signing. This is a significant security
failure which can lead to a compromise of almost all ElGamal keys used for
signing. Note that this is a real world vulnerability which will reveal your
private key within a few seconds."
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail
reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains
a bug when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages
sent by local users, with the result that denial of service attacks are
possible.
jabber: denial of service
Package(s): jabber
CVE #(s): CAN-2004-0013
Created: January 7, 2004
Updated: January 26, 2004
Description: A vulnerability was discovered in jabber, an instant messaging
server, whereby a bug in the handling of SSL connections could cause the server
process to crash, resulting in a denial of service.
kdepim: VCF file information reader vulnerability
Package(s): kdepim
CVE #(s): CAN-2003-0988
Created: January 15, 2004
Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as
distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully
crafted .VCF file potentially enables local attackers to compromise the privacy
of a victim's data or execute arbitrary commands with the victim's privileges.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0988 to this issue.
kernel: privilege vulnerability on AMD64
Package(s): kernel
CVE #(s): CAN-2004-0001
Created: January 16, 2004
Updated: February 17, 2004
Description: On AMD64 systems, a fix was made to the eflags checking in 32-bit
ptrace emulation that could have allowed local users to elevate their
privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0001 to this issue.
kernel: local root exploit in 2.4.22
Package(s): kernel
CVE #(s): CAN-2003-0961
Created: December 1, 2003
Updated: April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22
and earlier. A flaw in bounds checking in the do_brk() function can allow a
local attacker to gain root privileges. This vulnerability is known to be
exploitable.
The 2.4.23 kernel contains the fix. For more details on how this vulnerability
works, see this LWN article.
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be
used to control the kernel or machine hardware. In Red Hat Linux 8.0 this
package contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root. Alternatively, as a
work-around to this vulnerability issue the following command as root:
    chmod -s /usr/bin/uml_net
lftp buffer overflows
Package(s): lftp
CVE #(s): CAN-2003-0963
Created: December 15, 2003
Updated: February 13, 2004
Description: According to this advisory versions of lftp prior to 2.6.10 are
vulnerable to two exploitable buffer overflow problems. Both occur when you
connect to a web server with lftp using HTTP or HTTPS, and then use lftp's "ls"
or "rels" commands on specially prepared directories on the web server.
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with
16-bit samples from libpng, an interface for reading and writing PNG (Portable
Network Graphics) format files. The starting offsets for the loops are
calculated incorrectly which causes a buffer overrun beyond the beginning of
the row buffer.
mc: arbitrary code execution
Package(s): mc
CVE #(s): CAN-2003-1023
Created: January 16, 2004
Updated: April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file
manager, whereby a malicious archive (such as a .tar file) could cause
arbitrary code to be executed if opened by Midnight Commander.
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename
inside an archive file can overflow a buffer when the archive is being read by
mikmod.
mpg123: heap overflow
Package(s): mpg123
CVE #(s): CAN-2003-0865
Created: November 12, 2003
Updated: February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may
be exploited remotely (by a hostile server). See this advisory for details.
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3
player, whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite memory, and
possibly execute arbitrary code. In order for this vulnerability to be
exploited, mpg321 would need to play a malicious mp3 file (including via HTTP
streaming).
mplayer: remotely exploitable buffer overflow vulnerability
Package(s): mplayer
CVE #(s): CAN-2003-0835
Created: September 29, 2003
Updated: April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details.
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s): (none assigned)
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or would need to trick a
user into running a specially crafted NASL script. Read the full
advisory for additional information.
Alerts:
Comments (none posted)
netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description:
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
Alerts:
Comments (1 posted)
Net-SNMP: security bugs in versions before 5.0.9
Package(s): Net-SNMP
CVE #(s): CAN-2003-0935
Created: December 2, 2003
Updated: February 13, 2004
Description:
The Net-SNMP project includes various Simple Network Management Protocol
(SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could
allow an existing user/community to gain access to data in MIB objects that
were explicitly excluded from their view.
Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition,
Net-SNMP 5.0.9 fixes a number of other minor bugs.
Alerts:
Comments (none posted)
nfs-utils xlog() off-by-one bug
Package(s): nfs-utils
CVE #(s): CAN-2003-0252
Created: July 14, 2003
Updated: March 8, 2004
Description:
The Linux nfs-utils package contains a remotely exploitable off-by-one bug
in xlog(). A local or remote attacker could exploit this vulnerability by
sending a specially crafted request to the rpc.mountd daemon. See this
BugTraq post for more details.
Alerts:
Comments (none posted)
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Alerts:
Comments (1 posted)
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description:
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two
remotely exploitable denial of service vulnerabilities; see this advisory
from Michal Zalewski for details.
Alerts:
Comments (none posted)
qmail: integer overflow
Package(s): qmail
CVE #(s): (none assigned)
Created: January 21, 2004
Updated: January 21, 2004
Description:
The qmail-smtpd server suffers from an integer overflow which may be
exploited to crash (one instance of) the server process. It is not clear,
at this point, whether the overflow may be exploited for more useful ends;
the claims made in this advisory regarding overwriting of memory have been
disputed. A patch has been posted which fixes the problem.
Alerts:
(No alerts in the database for this vulnerability)
Comments (none posted)
rsync: remotely exploitable heap overflow
Package(s): rsync
CVE #(s): CAN-2003-0962
Created: December 4, 2003
Updated: March 3, 2004
Description:
An advisory has gone out warning of a remotely exploitable heap overflow
vulnerability in rsync versions 2.5.6 and prior. If you are running an
rsync server, you will want to apply a distributor patch or upgrade to
2.5.7 in the near future.
Alerts:
Comments (none posted)
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
usePerl has a description of a vulnerability in the Safe.pm Perl module.
It seems that if a Safe compartment is used more than once, it ceases to
be safe. The problem is fixed in Safe 2.08.
Alerts:
Comments (none posted)
sane-backends: several vulnerabilities
Package(s): sane-backends
CVE #(s): CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776,
CAN-2003-0777, CAN-2003-0778
Created: September 11, 2003
Updated: February 20, 2004
Description:
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segmentation fault and/or consume arbitrary
amounts of memory. The attack is successful even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned, e.g. from xinetd or
inetd. If the corresponding entries in the xinetd or inetd configuration
file are commented out or do not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused", saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the
following problems:
- CAN-2003-0773: saned checks the identity (IP address) of the remote
host only after the first communication (SANE_NET_INIT) has taken place.
So everyone can send that RPC, even if the remote host is not allowed to
scan (not listed in saned.conf).
- CAN-2003-0774: saned lacks error checking nearly everywhere in the
code, so connection drops are detected very late. If the drop of the
connection isn't detected, accesses to the internal wire buffer run past
the limits of the allocated memory. Random memory "after" the wire
buffer is read, which is followed by a segmentation fault.
- CAN-2003-0775: If saned expects a string, it mallocs the memory
necessary to store the complete string after it receives the size of the
string. If the connection was dropped before the size was transmitted,
malloc will reserve an arbitrary amount of memory. Depending on that size
and the amount of memory available, either malloc fails (and saned quits
cleanly) or a huge amount of memory is allocated. Swapping and OOM
measures may occur depending on the kernel.
- CAN-2003-0776: saned doesn't check the validity of the RPC numbers
it receives before reading the parameters.
- CAN-2003-0777: If debug messages are enabled and a connection is
dropped, non-null-terminated strings may be printed and segmentation
faults may occur.
- CAN-2003-0778: It's possible to allocate an arbitrary amount of
memory on the server running saned even if the connection isn't dropped.
According to the author this cannot easily be fixed at the moment; the
mitigation is to limit the total amount of memory saned may use (ulimit).
Alerts:
Comments (none posted)
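The two bug classes in the saned entry above, reading past the wire buffer after an undetected connection drop (CAN-2003-0774) and sizing an allocation from an unchecked length field (CAN-2003-0775), are what a bounded reader for length-prefixed strings is meant to prevent. The following is an added example, not saned's code: it assumes a simple framing (a 4-byte big-endian length followed by that many NUL-terminated bytes) and invented caps MAX_STRING_LEN and MAX_TOTAL_ALLOC, the latter playing the role of the ulimit mitigation the entry recommends.

```python
"""Bounded parsing of length-prefixed strings from an untrusted peer.

Added example, not code from saned or the sane-backends project.  The
framing (4-byte big-endian length, then that many bytes, NUL-terminated)
and both limits are assumptions made for this illustration.
"""
import struct
from typing import List, Optional, Tuple

MAX_STRING_LEN = 4096           # assumed per-field cap
MAX_TOTAL_ALLOC = 64 * 1024     # assumed per-connection memory budget


class WireError(ValueError):
    """Raised instead of reading past the buffer or over-allocating."""


class WireReader:
    def __init__(self, data: bytes):
        self.data = data        # everything received from the peer so far
        self.pos = 0
        self.allocated = 0      # bytes this connection has made us allocate

    def read_exact(self, n: int) -> bytes:
        # CAN-2003-0774 class: a short read means the peer went away (or
        # lied about a length).  Refuse to read beyond what was received.
        available = len(self.data) - self.pos
        if n > available:
            raise WireError("short read: peer sent %d of %d bytes" % (available, n))
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def read_string(self) -> str:
        (length,) = struct.unpack(">I", self.read_exact(4))
        # CAN-2003-0775 class: never size an allocation from an unchecked
        # field; cap the field and the running total for the connection.
        if length > MAX_STRING_LEN:
            raise WireError("string length %d exceeds cap %d" % (length, MAX_STRING_LEN))
        if self.allocated + length > MAX_TOTAL_ALLOC:
            raise WireError("connection exceeded its memory budget")
        self.allocated += length
        raw = self.read_exact(length)
        # Drop everything from the first NUL so a missing terminator cannot
        # make later code (e.g. debug logging, CAN-2003-0777) run off the end.
        return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def encode_string(s: str) -> bytes:
    """Produce one string in the assumed framing (used to build test input)."""
    body = s.encode("utf-8") + b"\x00"
    return struct.pack(">I", len(body)) + body


def parse_strings(data: bytes, count: int) -> Tuple[List[str], Optional[str]]:
    """Parse up to `count` strings; return (strings_parsed, error_or_None).

    On any framing problem the partial result is returned together with the
    reason, so a server can log it and close the connection cleanly.
    """
    reader = WireReader(data)
    out: List[str] = []
    try:
        for _ in range(count):
            out.append(reader.read_string())
    except WireError as err:
        return out, str(err)
    return out, None


if __name__ == "__main__":
    # Constructed sample: a well-formed message, then the same message with
    # the connection "dropped" three bytes early.
    good = encode_string("pixma") + encode_string("user@host")
    print(parse_strings(good, 2))
    print(parse_strings(good[:-3], 2))
```

The budget check is deliberately per connection rather than per string: CAN-2003-0778 shows that many individually legal requests can exhaust memory just as well as one absurd length, which is why the entry points at ulimit as the fallback.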
screen: privilege escalation
Package(s): screen
CVE #(s): CAN-2003-0972
Created: November 28, 2003
Updated: March 3, 2004
Description:
According to this advisory, a buffer overflow in GNU screen allows
privilege escalation for local users. Usually screen is installed either
setgid-utmp or setuid-root.
It also has some potential for remote attacks or for getting control of
another user's screen. The obstacle is that around 2-3 gigabytes of data
have to be transferred to the user's screen to exploit this vulnerability.
Versions 4.0.1, 3.9.15 and older are vulnerable.
Alerts:
Comments (none posted)
slocate: buffer overflow
Package(s): slocate
CVE #(s): CAN-2003-0848
Created: January 20, 2004
Updated: February 16, 2004
Description:
A vulnerability was discovered in slocate, a program to index and
search for files, whereby a specially crafted database could overflow
a heap-based buffer. This vulnerability could be exploited by a local
attacker to gain the privileges of the "slocate" group, which can
access the global database containing a list of pathnames of all files
on the system, including those which should only be visible to
privileged users. This problem, and a category of potential similar
problems, can be fixed by modifying slocate to drop privileges before
reading a user-supplied database.
Alerts:
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 9, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Alerts:
Comments (1 posted)
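The missing filter in the tar/unzip entry above is a check on each member name before anything is written to disk. The following added example (not code from GNU tar, Info-ZIP or the page) shows such a check and runs it over constructed tar and zip archives built in memory; it goes slightly beyond the entry by also catching "../" buried mid-path, absolute names, and backslash separators. The function and sample-archive names are this example's own.

```python
"""Reject archive members that would escape the extraction directory.

Added example, not code from GNU tar or unzip.  The sample archives are
constructed in memory so the check can be exercised offline.
"""
import io
import posixpath
import tarfile
import zipfile
from typing import List


def member_escapes(name: str) -> bool:
    """Return True if extracting `name` relative to the current directory
    would write outside it.

    Catches leading "../", "../" that survives normalisation of a longer
    path ("docs/../../etc/passwd"), absolute names, and backslash separators.
    """
    norm = name.replace("\\", "/")          # treat "..\\x" like "../x"
    if norm.startswith("/"):                # absolute name replaces the target dir
        return True
    # Collapse "./", "a/../b" and repeated slashes; a leading ".." survives
    # only if the path really climbs above the extraction directory.
    collapsed = posixpath.normpath(norm)
    return collapsed.split("/")[0] == ".."


def unsafe_members(archive: bytes) -> List[str]:
    """Return the member names of a tar or zip archive (given as bytes)
    that would escape the extraction directory, in archive order."""
    buf = io.BytesIO(archive)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            names = tf.getnames()
    return [n for n in names if member_escapes(n)]


def build_sample_tar() -> bytes:
    """Constructed hostile tar: one benign member, two that escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [
            ("docs/README", b"hello\n"),
            ("../../etc/passwd", b"constructed sample, not a real passwd\n"),
            ("/etc/shadow", b""),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed hostile zip using backslash separators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/README", b"hello\n")
        zf.writestr("..\\..\\windows\\win.ini", b"")
    return buf.getvalue()


if __name__ == "__main__":
    print("tar:", unsafe_members(build_sample_tar()))
    print("zip:", unsafe_members(build_sample_zip()))
```

Running the check over the whole member list before extracting anything matters: rejecting the archive outright avoids the half-unpacked state a per-member skip would leave behind. Symlink members pointing outside the tree are a separate problem the entry does not cover and this check does not address.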
tcpdump: flaws in the ISAKMP decoding routines
Package(s): tcpdump
CVE #(s): CAN-2003-0989, CAN-2004-0057, CAN-2004-0055
Created: January 15, 2004
Updated: April 6, 2004
Description:
George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
routines of tcpdump versions up to and including 3.8.1. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0057 to this issue.
Jonathan Heusser discovered a flaw in the print_attr_string function in the
RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0055 to this issue.
Remote attackers could potentially exploit these issues by sending
carefully-crafted packets to a victim. If the victim uses tcpdump, these
packets could result in a denial of service, or possibly execute arbitrary
code as the 'pcap' user.
Alerts:
Comments (none posted)
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): (none assigned)
Created: May 20, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Alerts: