
LWN.net Weekly Edition for February 19, 2004

321 Studios and the free software community

In the Bunner DVD case, the DVD Copy Control Association attempted to suppress the distribution of (or even linking to) the DeCSS code (which decrypts content from DVDs), claiming that the code contained trade secrets. The court's rulings suggested that the trade secret claim was not going to hold up, and the Bunner case was dropped last year. The trade secret weapon had proved ineffective in this case.

The DVDCCA has responded with a change of direction: the group is now suing 321 Studios, which makes a proprietary DVD copying program, for patent infringement. 321 and its DVD Copy program have been in and out of the courts for a while; the company started the litigation with a suit which attempted to obtain a ruling stating that its products do not violate the DMCA. The bringing of a patent suit changes the nature of this battle, however. It is a living demonstration of one of the free software community's deepest fears: that software patents will be used to prevent us from programming our computers to work the way we want them to.

It is interesting to note that patents are incompatible with trade secrets. Patent applications require full disclosure of the technology for which protection is sought; any technology which has been publicly disclosed in this manner cannot, by definition, be a trade secret. Thus far, we have been unable to turn up a reference for the exact patent which is being claimed by the DVDCCA; if anybody has a pointer, we would appreciate hearing about it. Given the timing, however, the patent application must have been in the works while the trade secret case was pending. Filing trade secret suits while having already disclosed the relevant technology would be, at the least, an act of bad faith.

321 Studios is also being sued by Macrovision, which is also claiming patent infringement along with DMCA violations. 321 has just filed a response pointing out that, among other things, Macrovision's patents cover an analog copy-protection mechanism which is not relevant to a digital copying program.

This company has been fighting many of the same digital rights battles as the free software community. But there has been no big outpouring of support for 321 Studios; for the most part, its battles have been ignored. 321 Studios has not been able to obtain the same level of interest and support as, say, Elcomsoft has. One might point out that 321 Studios is a proprietary software company; that is true, but so is Elcomsoft. The real answer, perhaps, is that the community has sensed that 321 Studios does not really share its values; 321 appears to have little interest in any issues beyond immediate sales of DVD copying software.

The difference in values has just become rather more apparent, however; see this triumphant press release from February 5. Therein, 321 notes that one of its customers was said to be using DVDXCopy for "piracy." The company responded by shutting down the software remotely. This program, it seems, puts a watermark into every disk it creates allowing the company to identify who performed the copy and, should it feel so inclined, to shut down the software altogether.

This feature highlights one of the largest differences between free software and (at least some of) its proprietary relatives. The DeCSS code does not come with watermarking and remote shutdown capabilities. The Gimp will not attempt to prevent its users from creating an image that might look like some nations' currencies, and Ghostscript will not try to prevent that user from printing such images. Neither Freevo nor MythTV will phone home with details of just how often the user replayed the latest banal Superbowl publicity stunt. Nothing prevents anybody from coding any such features, but, equally, nothing prevents the rest of the world from taking them back out. Free software evolves toward one specific end: meeting the needs of its users. There is no room for conflicts of interest, no space for the agendas of industry consortia, advertisers, or governments.

321 Studios is not fighting for that view of the software universe; the company simply wants to be able to sell its product. We can certainly sympathize with the company as it deals with familiar problems like the DMCA and software patents. But, while 321 is fighting many of the same battles as the free software community, it is fighting them as part of a different war.

Comments (5 posted)

SCO Weekly News

Let us start off this week's SCO update with some quotes:

SCO has since backed off the billing plan, but the company is still serious about enforcing its copyrights, said Chris Sontag, senior vice president in charge of SCO's legal efforts. He said lawsuits targeting Linux users will be filed within 90 days, with initial suits targeting 1,500 companies that have significant Linux systems.

-- ZDNet, November 18, 2003.

If someone says they want to see a court ruling before they pay, we'll say, "Fine, you're the lucky winner. We'll take you first." I'd be surprised if we make it to the end of the year without filing a lawsuit.

-- Darl McBride, November 24, 2003

So we have basically said within the next few weeks, by February 18th we are going to be in the courtroom with an end user to go through the copyright-related problems that we are having from an infringement standpoint.

-- Darl McBride, February 2, 2004

There are many more quotes available on this theme, but certainly the idea is clear by now. Like so many other bits of SCO bluster, the threats of suits against end users have not been followed up by any sort of action. Yet.

Whether such a suit will eventually come remains an open question, however. SCO is currently fighting IBM, Red Hat, and Novell in three separate cases, and none of the three appear to be going particularly well. At some point SCO's management should be forced to conclude that the company simply does not have the resources to open any more legal fronts. Dividing SCO's scarce cash and (possibly not so scarce) lawyers among even more courtrooms would not appear to be a wise strategy.

On the other hand, few people have accused SCO of acting wisely in recent times. The company is due to post a quarterly earnings report that, by all estimates, will be dismal. SCO stock is well below the peak values it hit in September and October. The mainstream media is beginning to wake up, and its coverage is increasingly hostile. SCO's only hope for continued existence would appear to be to somehow shake money out of some easily-cowed Linux users, but those users are proving to have rather more backbone than SCO may have anticipated. The SCO Group may yet decide that its best interests lie in even more litigation.

One view into how the shakedown effort is proceeding can be found in Red Hat's motion to supplement its filings in its suit against SCO. That case is (still!) waiting for the judge to come to a conclusion on SCO's motion to dismiss the case, which was filed in September. Since then, a few things have happened which have made it increasingly clear that SCO does, indeed, intend to go after Red Hat and its customers. Red Hat's motion is an attempt to bring SCO's more recent actions to the judge's attention.

One of the things Red Hat is pointing out is a letter sent by SCO to Lehman Brothers Holdings. It is a variant on the standard SCO shakedown letter; the point here is that Lehman Brothers is a Red Hat customer. Happily, Lehman Brothers saw no point in giving in to SCO; its response is short and clear, and is best paraphrased as "go bug Red Hat."

Part of the problem for SCO is that Novell's claims on the Unix copyrights make it easy for prospective SCO victims to ignore the letters. If SCO can't put forward a clear claim to the Unix copyrights, it will have a hard time collecting from anybody regardless of the validity of its statements about the provenance of Linux. For that reason, the company was compelled to file suit against Novell, in hopes of clearing that obstruction.

Unfortunately for SCO, Novell has filed a compelling motion to dismiss the suit. Essentially, says Novell, the SCO suit is missing two things that are required in "slander of title" suits: proof that the defendant's statements are false, and a demonstration that actual damages have been suffered. As Novell points out, SCO's demand that the court force Novell to transfer the copyrights proves that Novell's claims are true; SCO's suit contradicts itself. See Groklaw for a far more detailed discussion of Novell's motion.

Meanwhile, as of this writing, the Utah court still has not issued any rulings regarding the motions to compel in the IBM case. There is no way to know what this delay means until the court speaks. Chances are it will be something interesting, however.

Comments (6 posted)

The Grumpy Editor's browser review - a followup

The review of Gecko-based browsers we ran last week generated a great deal of feedback; this is evidently an area of great interest to many users. We have just a few things to add to that review this time around.

Thanks primarily to reader comments, your editor was able to resolve almost all of his complaints with the Firefox browser. Image animation can be controlled via the user-hostile about:config screen, the prefs.js file found in a randomly-named directory under ~/.phoenix, or via plugin extensions. Antialiased fonts are to be had by downloading the correct version of the browser. And so on. The situation has improved to the point where your editor is now using Firefox as his preferred browser.

The real key to the success of Firefox may well prove to be its extension architecture. History has shown many times that, if an application provides an easy mechanism for users to graft in additional or different functionality, those users will run with it. The lengthy list of extensions available for Firefox shows that this browser has reached a critical mass in this regard. Extensions are available to provide all kinds of navigation tools, to help with weblogging, to assist in web page authoring, and many other tasks including, inevitably, playing Tetris. It would be nice not to have to go find an extension to replace the missing "up" navigation button, but it's nice that you can. One can only hope that the security implications of encouraging users to download and install browser plugins have been thought through.

If last week's review were to be written today, the conclusion might have been written a little differently. Firefox has a level of performance, reliability, and features that well exceeds the other Gecko-based browsers available. One might well wonder why Galeon and Epiphany continue to exist; they appear to be trying to do the same thing as Firefox but - at this moment in time, anyway - they do it less reliably and with fewer features. (Do see, however, this posting on why Red Hat is shipping Epiphany for a different view). As we noted last week, there could well be a place for multiple browser projects, but each should be looking for a unique way to extend the state of the art.

Meanwhile, your editor also found the time to get Konqueror 3.2 working. Konqueror is everything its proponents claim it is: a fast, powerful and robust tool for navigating through information, be it on the local system or on the net. Your editor has never had much use for file managers, and so does not place much value on Konqueror's implementation. He can see, however, that Konqueror does look like a very nice file manager. The web browser is capable and fast, and highly configurable. Some features, such as the ability to change the identification string to get past certain difficult web site programmers, are unique.

What Konqueror still seems to be lacking, however, is a password manager. Security-conscious users may feel better off without this feature, but the simple fact is that it has gotten hard to keep track of the long list of usernames and passwords needed to access many useful sites on the web. A password manager can be most useful when trying to remember which login information was used to get into some obscure site with its own strange rules. It is surprising, really, that Konqueror has not picked up this capability yet.

That notwithstanding, if Konqueror were the only browser available for Linux systems, we would be in good shape. Linux is second to no other system now in the quality of its web browsing support. It will be more than interesting to see where things go from here as the various projects look for new ways to extend the state of the art.

Comments (20 posted)

FOSDEM 2004

The 2004 edition of the Free and Open Source Developers Meeting will be happening on February 21 and 22 in Brussels. LWN editor Jonathan Corbet will be there. In a moment of weakness last month (he blames Australian wine), he agreed to give two different talks at the event. Happily, FOSDEM has three tracks this year, so it should be possible to avoid those talks and see something interesting. The schedule has the details. Keynote speakers include Tim O'Reilly, Richard Stallman, and, of course, Jon 'maddog' Hall. FOSDEM looks to be an interesting event.

For the first time, LWN is happy to be sponsoring this event. With luck, this sponsorship will allow us to help a community event while simultaneously bringing in more subscribers. If things work out, we'll be sponsoring more events in the future.

Meanwhile, we're looking forward to meeting some of our European readers; see you there.

Comments (2 posted)

Page editor: Jonathan Corbet

Security

Security news

A new mremap() vulnerability

The mremap() system call allows a process to change its virtual memory layout by adjusting the size and location of a virtual memory area. One of the things mremap() can do is move one virtual memory area (VMA) into the middle of another one. In that case, the target VMA will be split in two so that the space in the middle can be freed and reused for the VMA being moved. As long as the calling process knows what it is doing (it doesn't need the pages being replaced by the moved area, for example), all of this is fine.

An interesting thing can happen in the 2.4.24 and 2.6.2 kernels, however. The kernel enforces a limit on the maximum number of VMAs that any one process can have. If the kernel attempts to split a VMA in response to the sort of mremap() call described above, it will check the process's VMA usage against the limit. Splitting requires the addition of a new VMA, so this check is necessary. If the limit has been reached, the internal call which splits the VMA (do_munmap()) will return a failure status. So far, so good.

The problem is that mremap() did not check whether do_munmap() succeeded. If the split failed, mremap() continued anyway. The end result is that the old target VMA would remain, with its existing permissions, but some of its associated page table entries would be overwritten by entries from the VMA being moved; the kernel's record of what the process may access (the VMA) and the translations actually in effect (the page tables) no longer agree. An attacker can exploit that inconsistency to obtain access to a set of pages which the kernel would not otherwise have allowed, and a local user can turn it into root access on any Linux system running a vulnerable kernel.
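As an added example (not code from the advisory, the kernel or LWN), the following userspace probe sets up the situation described above on a current Linux system and checks that the kernel refuses the move rather than leaving the VMA and its page tables out of step. The layout, the probe_mremap_at_vma_limit() name, the result codes and the thresholds are the example's own assumptions: it reads vm.max_map_count from /proc, fills the process up to that limit with single-page mappings that cannot merge, then asks mremap() to drop a page into the middle of a three-page mapping, which would require one VMA more than the limit allows.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Outcome of the probe (names and values are this example's own). */
enum probe_result {
    PROBE_REFUSED = 0, /* kernel returned ENOMEM: the split was refused, nothing moved */
    PROBE_SKIPPED = 1, /* could not reach the VMA limit (no /proc, RLIMIT_AS, not Linux) */
    PROBE_MOVED   = 2  /* move reported as successful at the limit, or the target page changed */
};

/* Linux ABI flag values for mremap(); defined here so the probe does not depend
 * on _GNU_SOURCE being seen before the first system header. */
#ifndef MREMAP_MAYMOVE
#define MREMAP_MAYMOVE 1
#endif
#ifndef MREMAP_FIXED
#define MREMAP_FIXED 2
#endif

/* Largest vm.max_map_count the probe is willing to exhaust (assumption: keeps
 * the kernel-side cost of one VMA per filler modest). */
#define MAX_FILLERS 300000L

static long read_max_map_count(void)
{
    FILE *f = fopen("/proc/sys/vm/max_map_count", "r");
    long v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int probe_mremap_at_vma_limit(void)
{
#ifndef __linux__
    return PROBE_SKIPPED;
#else
    long page = sysconf(_SC_PAGESIZE);
    long limit = read_max_map_count();
    if (page <= 0 || limit <= 0 || limit > MAX_FILLERS)
        return PROBE_SKIPPED;

    /* One five-page RW region with a PROT_NONE page punched into it gives a
     * deterministic layout of three VMAs: target [0,3), guard [3,4), source [4,5). */
    char *base = mmap(NULL, 5 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return PROBE_SKIPPED;
    char *target = base, *source = base + 4 * page;
    if (mprotect(base + 3 * page, page, PROT_NONE) != 0) {
        munmap(base, 5 * page);
        return PROBE_SKIPPED;
    }
    target[0] = 'T'; target[page] = 'T'; target[2 * page] = 'T';
    source[0] = 'S';

    /* Fill the process up to the VMA limit.  Alternating protections keep
     * adjacent fillers from being merged into a single VMA. */
    void **fillers = calloc((size_t)limit, sizeof *fillers);
    if (fillers == NULL) {
        munmap(base, 5 * page);
        return PROBE_SKIPPED;
    }
    long n = 0;
    while (n < limit) {
        int prot = (n & 1) ? PROT_READ : PROT_NONE;
        void *p = mmap(NULL, page, prot, MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
        if (p == MAP_FAILED)
            break;
        fillers[n++] = p;
    }
    /* A process starts with a few dozen VMAs (stack, libc, vdso, heap).  If mmap()
     * stopped far short of the limit, something else (e.g. RLIMIT_AS) got in the way. */
    int at_limit = (n >= limit - 1024);

    /* The move from the article: drop source into the middle of target.  That forces
     * target to be split, i.e. needs one more VMA than the limit allows.  Raw syscall
     * for the same feature-macro reason as the #defines above. */
    errno = 0;
    long moved = syscall(SYS_mremap, source, (size_t)page, (size_t)page,
                         MREMAP_MAYMOVE | MREMAP_FIXED, target + page);
    int saved_errno = errno;

    int result;
    if (!at_limit)
        result = PROBE_SKIPPED;
    else if (moved != -1)
        result = PROBE_MOVED;   /* reported success despite the limit */
    else if (saved_errno == ENOMEM && target[page] == 'T' && source[0] == 'S')
        result = PROBE_REFUSED; /* refused cleanly: VMA and page table still agree */
    else if (saved_errno == ENOMEM)
        result = PROBE_MOVED;   /* refused, yet the page under target changed: the bug's signature */
    else
        result = PROBE_SKIPPED; /* refused for an unrelated reason */

    for (long i = 0; i < n; i++)
        munmap(fillers[i], page);
    free(fillers);
    munmap(base, 5 * page); /* also covers the moved page if the move went through */
    return result;
#endif
}

int main(void)
{
    static const char *names[] = { "refused with ENOMEM", "skipped", "MOVED" };
    int r = probe_mremap_at_vma_limit();
    printf("mremap() into a split VMA at the map_count limit: %s\n", names[r]);
    return r == PROBE_MOVED;
}
```

On a fixed kernel the call fails with ENOMEM and the bytes in both mappings are untouched. The probe reports "skipped" when it cannot reach the limit (a small RLIMIT_AS or an unreadable /proc will do that), so a skip is not a clean bill of health; the only outcome to treat as a finding is a move the kernel reports as successful, or a target page whose contents change under a VMA that was never altered. Exhausting a process's VMA limit is not something to do casually on a shared machine.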

The solution is to upgrade to 2.4.25 or 2.6.3, or to apply the appropriate distributor security update. The LWN vulnerability entry tracks the available updates. For more information on the vulnerability, see this advisory from Paul Starzetz.

Comments (6 posted)

New vulnerabilities

cgiemail vulnerability allows unauthorized mail relaying

Package(s):cgiemail CVE #(s):CAN-2002-1575
Created:February 12, 2004 Updated:February 18, 2004
Description: A vulnerability in cgiemail, a CGI program, allows mail to be sent to arbitrary addresses, making the host capable of generating spam. New cgiemail packages fix open mail relaying.
Alerts:
Debian DSA-437-1 2004-02-11

Comments (none posted)

elm: vulnerability in frm command

Package(s):elm CVE #(s):CAN-2003-0966
Created:February 13, 2004 Updated:February 18, 2004
Description: Elm is a terminal mode email user agent. The frm command is provided as part of the Elm packages and gives a summary list of the sender and subject of selected messages in a mailbox or folder.

A buffer overflow vulnerability was found in the frm command. An attacker could create a message with an overly long Subject line such that when the frm command is run by a victim arbitrary code is executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0966 to this issue.

Alerts:
Whitebox WBSA-2004:009-01 2004-02-12

Comments (1 posted)

kernel: local root exploit

Package(s):kernel CVE #(s):CAN-2003-0961 CAN-2003-0985 CAN-2004-0077
Created:February 18, 2004 Updated:March 8, 2004
Description: Another vulnerability has been found in the 2.4.24 and 2.6.2 mremap() system call; once again, this hole can be exploited by a local user to obtain root access. See this advisory from Paul Starzetz for details.
Alerts:
Debian DSA-440-1 2004-02-18
Debian DSA-439-1 2004-02-18
Red Hat RHSA-2004:065-01 2004-02-18
Debian DSA-438-1 2004-02-18
Slackware SSA:2004-049-01 2004-02-18
Trustix 2004-0007 2004-02-18
Debian DSA-441-1 2004-02-18
Fedora FEDORA-2004-079 2004-02-18
Red Hat RHSA-2004:069-01 2004-02-18
SuSE SuSE-SA:2004:005 2004-02-18
Fedora FEDORA-2004-080 2004-02-18
Red Hat RHSA-2004:066-01 2004-02-19
Conectiva CLA-2004:820 2004-02-20
Debian DSA-444-1 2004-02-20
Whitebox WBSA-2004:066-01 2004-02-19
Netwosix NW-2004-0003 2004-02-20
Trustix 2004-0008 2004-02-23
Mandrake MDKSA-2004:015 2004-02-24
Mandrake MDKSA-2004:015-1 2004-02-25
Immunix IMNX-2004-7+-001-01 2004-02-26
Debian DSA-450-1 2004-02-27
Debian DSA-453-1 2004-03-02
Debian DSA-454-1 2004-03-02
Fedora-Legacy FLSA:1284 2004-03-02
Debian DSA-456-1 2004-03-06
Gentoo 200403-02 2004-03-06

Comments (none posted)

metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Red Hat RHSA-2004:073-01 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Mandrake MDKSA-2004:014 2004-02-18
Debian DSA-449-1 2004-02-24
Gentoo 200405-17 2004-05-21

Comments (none posted)

phpMyAdmin: directory traversal

Package(s):phpMyAdmin CVE #(s):
Created:February 17, 2004 Updated:February 18, 2004
Description: A component of the phpMyAdmin software package (export.php) does not properly verify input that is passed to it from a remote user. Since the input is used to include other files, it is possible to launch a directory traversal attack.
Alerts:
Gentoo 200402-05 2004-02-17

Comments (none posted)

PWLib: possible Denial of Service

Package(s):PWLib CVE #(s):CAN-2004-0097
Created:February 13, 2004 Updated:April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.

A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.

Alerts:
Red Hat RHSA-2004:048-01 2004-02-13
Red Hat RHSA-2004:047-01 2004-02-18
Whitebox WBSA-2004:047-01 2004-02-18
Debian DSA-448-1 2004-02-22
Fedora FEDORA-2004-078 2004-03-02
Mandrake MDKSA-2004:017 2004-03-03
Gentoo 200404-11 2004-04-09

Comments (none posted)

samba: access to disabled accounts

Package(s):samba CVE #(s):CAN-2004-0082
Created:February 18, 2004 Updated:February 19, 2004
Description: Samba 3.0.0 and 3.0.1 contain a difficult-to-exploit vulnerability which could give an attacker access to a disabled account.
Alerts:
Red Hat RHSA-2004:064-01 2004-02-18
Whitebox WBSA-2004:064-01 2004-02-18

Comments (none posted)

Updated vulnerabilities

CUPS: denial of service

Package(s):CUPS CVE #(s):CAN-2003-0788
Created:November 3, 2003 Updated:March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Red Hat RHSA-2003:275-01 2003-11-03
Mandrake MDKSA-2003:104 2003-11-05
Conectiva CLA-2003:779 2003-11-07
SCO Group CSSA-2004-012.0 2004-03-03

Comments (none posted)

Net-SNMP: security bugs in versions before 5.0.9

Package(s):Net-SNMP CVE #(s):CAN-2003-0935
Created:December 2, 2003 Updated:February 13, 2004
Description: The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.

Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs.

Alerts:
Red Hat RHSA-2003:335-01 2003-12-02
Mandrake MDKSA-2003:115 2003-12-11
Red Hat RHSA-2004:023-01 2004-01-15
Whitebox WBSA-2004:023-01 2004-02-12

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: use.perl.org has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

Comments (none posted)

XFree86: buffer overflow

Package(s):XFree86 CVE #(s):CAN-2004-0083 CAN-2004-0084 CAN-2004-0106
Created:February 11, 2004 Updated:February 23, 2004
Description: The XFree86 code which reads "fonts.alias" files suffers from a buffer overflow which may be turned into a local root exploit; see this advisory for details.
Alerts:
Gentoo 200402-02 2004-02-11
Slackware SSA:2004-043-02 2004-02-12
Immunix IMNX-2004-73-002-01 2004-02-12
Red Hat RHSA-2004:059-01 2004-02-13
Red Hat RHSA-2004:060-01 2004-02-13
Mandrake MDKSA-2004:012 2004-02-14
Fedora FEDORA-2004-069 2004-02-13
Red Hat RHSA-2004:061-01 2004-02-13
Whitebox WBSA-2004:061-01 2004-02-17
Conectiva CLA-2004:821 2004-02-20
Debian DSA-443-1 2004-02-19
SuSE SuSE-SA:2004:006 2004-02-23

Comments (none posted)

apache: buffer overflows in mod_alias, mod_rewrite

Package(s):apache CVE #(s):CAN-2003-0542 CAN-2003-0789
Created:October 28, 2003 Updated:February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver. These occurred if a regular expression with more than 9 capturing parentheses was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf). (CAN-2003-0542)

Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. (CAN-2003-0789)

Alerts:
OpenPKG OpenPKG-SA-2003.046 2003-10-28
Immunix IMNX-2003-7+-025-01 2003-10-28
Gentoo 200310-04 2003-10-31
Mandrake MDKSA-2003:103 2003-11-03
EnGarde ESA-20031105-030 2003-11-05
Slackware SSA:2003-308-01 2003-11-03
Conectiva CLA-2003:775 2003-11-05
Trustix 2003-0041 2003-11-15
Gentoo 200310-03 2003-10-28
Red Hat RHSA-2003:360-01 2003-12-10
Red Hat RHSA-2003:320-01 2003-12-16
Red Hat RHSA-2003:405-00 2003-12-18
Fedora FEDORA-2003-004 2004-01-08
Whitebox WBSA-2004:015-01 2004-02-12

Comments (none posted)

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Mandrake MDKSA-2003:096 2003-09-26
Mandrake MDKSA-2003:096-1 2003-10-24
Netwosix NW-2004-0006 2004-03-25
Gentoo 200403-04 2004-03-22

Comments (none posted)

bind: cache poisoning

Package(s):bind CVE #(s):CAN-2003-0914
Created:November 26, 2003 Updated:February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.
Alerts:
EnGarde ESA-20031126-031 2003-11-26
Immunix IMNX-2003-7+-024-01 2003-10-27
Trustix 2003-0044 2003-11-27
SuSE SuSE-SA:2003:047 2003-11-28
Debian DSA-409-1 2004-01-05
SCO Group CSSA-2004-003.0 2004-02-19

Comments (none posted)

cvs: possible root compromise

Package(s):cvs CVE #(s):CAN-2003-0977
Created:December 29, 2003 Updated:February 13, 2004
Description: Stable CVS 1.11.11 has been released, adding code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file.
Alerts:
Gentoo 200312-08 2003-12-28
Red Hat RHSA-2004:003-01 2004-01-09
Debian DSA-422-1 2004-01-13
Conectiva CLA-2004:808 2004-01-20
Fedora-Legacy FLSA:1207 2004-01-28
Whitebox WBSA-2004:004-01 2004-02-12

Comments (none posted)

ethereal: protocol dissector and other vulnerabilities

Package(s):ethereal CVE #(s):CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013
Created:December 18, 2003 Updated:February 13, 2004
Description: Serious issues have been discovered in two ethereal protocol dissectors. Both vulnerabilities will make the Ethereal application crash. The Q.931 vulnerability also affects Tethereal. It is not known if either vulnerability can be used to make Ethereal or Tethereal run arbitrary code. (CAN-2003-1012 and CAN-2003-1013)
Alerts:
Fedora FEDORA-2003-040 2003-12-18
Debian DSA-407-1 2004-01-05
Red Hat RHSA-2004:001-01 2004-01-07
Conectiva CLA-2004:801 2004-01-07
Mandrake MDKSA-2004:002 2004-01-13
Red Hat RHSA-2004:002-01 2004-01-05
Fedora-Legacy FLSA:1193 2004-01-31
Whitebox WBSA-2004:002-01 2004-02-12

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
Mandrake MDKSA-2003:101 2003-10-16
Slackware SSA:2003-300-02 2003-10-22
SCO Group CSSA-2004-004.0 2004-02-19
Netwosix NW-2004-0002 2004-02-20
Gentoo 200403-10 2004-03-30
OpenPKG OpenPKG-SA-2004.012 2004-04-08

Comments (none posted)

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
Conectiva CLA-2003:768 2003-10-22
Conectiva CLA-2003:771 2003-10-24
Immunix IMNX-2003-7+-026-01 2003-10-31
Red Hat RHSA-2003:309-01 2003-11-03
Mandrake MDKSA-2003:106 2003-11-12
Trustix 2003-0042 2003-11-15
SCO Group CSSA-2004-006.0 2004-03-01

Comments (none posted)

gaim: remote overflows

Package(s):gaim CVE #(s):CAN-2004-0006 CAN-2004-0007 CAN-2004-0008
Created:January 26, 2004 Updated:February 16, 2004
Description: Stefan Esser has discovered several vulnerabilities in Gaim 0.75. This advisory has details of 12 separate vulnerabilities.
Alerts:
Red Hat RHSA-2004:032-01 2004-01-23
Red Hat RHSA-2004:033-01 2004-01-23
Slackware SSA:2004-026-01 2004-01-26
Mandrake MDKSA-2004:006 2004-01-26
Gentoo 200401-04 2004-01-27
SuSE SuSE-SA:2004:004 2004-01-29
Mandrake MDKSA-2004:006-1 2004-01-30
Debian DSA-434-1 2004-02-05
Red Hat RHSA-2004:045-01 2004-02-09
Conectiva CLA-2004:813 2004-02-10
Whitebox WBSA-2004:033-01 2004-02-12
Fedora FEDORA-2004-070 2004-02-16

Comments (none posted)

gallery: code injection

Package(s):gallery CVE #(s):
Created:February 11, 2004 Updated:February 11, 2004
Description: Gallery (through version 1.4.1) suffers from a PHP code injection vulnerability which can provide a remote attacker with access to the web server process.
Alerts:
Gentoo 200402-04 2004-02-11

Comments (none posted)

GnuPG: ElGamal signing keys compromised

Package(s):gnupg CVE #(s):CAN-2003-0971
Created:November 28, 2003 Updated:March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
Mandrake MDKSA-2003:109 2003-11-28
SuSE SuSE-SA:2003:048 2003-12-03
Conectiva CLA-2003:798 2003-12-09
Red Hat RHSA-2003:390-01 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Fedora FEDORA-2003-025 2003-12-10
Gentoo 200312-05 2003-12-12
Debian DSA-429-1 2004-01-26
Debian DSA-429-2 2004-02-13
SCO Group CSSA-2004-009.0 2004-03-02

Comments (3 posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Red Hat RHSA-2003:316-01 2003-11-24
Gentoo 200404-10 2004-04-09
Debian DSA-492-1 2004-04-18
Fedora FEDORA-2004-115 2004-05-11
Fedora FEDORA-2004-154 2004-06-03
Mandrake MDKSA-2004:148 2004-12-13

Comments (none posted)

kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Red Hat RHSA-2004:006-01 2004-01-07
Mandrake MDKSA-2004:003 2004-01-14
Slackware SSA:2004-014-01 2004-01-14
Conectiva CLA-2004:810 2004-01-20
Whitebox WBSA-2004:005-01 2004-02-12
Gentoo 200404-02 2004-04-06
Fedora FEDORA-2004-133 2004-05-19

Comments (none posted)

kernel: privilege vulnerability on AMD64

Package(s):kernel CVE #(s):CAN-2004-0001
Created:January 16, 2004 Updated:February 17, 2004
Description: On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace emulation that could have allowed local users to elevate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0001 to this issue.
Alerts:
Red Hat RHSA-2004:017-01 2004-01-13
Gentoo 200402-06 2004-02-17

Comments (none posted)

kernel: local root exploit in 2.4.22

Package(s):kernel CVE #(s):CAN-2003-0961
Created:December 1, 2003 Updated:April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-403-1 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Trustix 2003-0046 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Slackware SSA:2003-336-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Red Hat RHSA-2003:389-01 2003-12-01
Yellow Dog YDU-20031203-1 2003-12-03
SuSE SuSE-SA:2003:049 2003-12-04
Gentoo 200312-02 2003-12-04
Conectiva CLA-2003:796 2003-12-05
Red Hat RHSA-2003:368-01 2003-12-19
Debian DSA-423-1 2004-01-15
Debian DSA-433-1 2004-02-04
Debian DSA-442-1 2004-02-19
Debian DSA-470-1 2004-04-01
Debian DSA-475-1 2004-04-05

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lftp buffer overflows

Package(s):lftp CVE #(s):CAN-2003-0963
Created:December 15, 2003 Updated:February 13, 2004
Description: According to this advisory, versions of lftp prior to 2.6.10 are vulnerable to two exploitable buffer overflow problems. Both occur when you connect to a web server with lftp using HTTP or HTTPS, and then use lftp's "ls" or "rels" commands on specially prepared directories on the web server.
Alerts:
Slackware SSA:2003-346-01 2003-12-12
Immunix IMNX-2003-73-002-01 2003-12-09
SuSE SuSE-SA:2003:051 2003-12-15
Fedora FEDORA-2003-034 2003-12-15
Mandrake MDKSA-2003:116 2003-12-15
Red Hat RHSA-2003:403-01 2003-12-16
Red Hat RHSA-2003:404-01 2003-12-16
OpenPKG OpenPKG-SA-2003.053 2003-12-17
Gentoo 200312-07 2003-12-16
Debian DSA-406-1 2004-01-05
Conectiva CLA-2004:800 2004-01-06
Whitebox WBSA-2003:404-01 2003-12-17

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

libtool - Insecure handling of temporary files

Package(s):libtool CVE #(s):
Created:February 5, 2004 Updated:March 8, 2004
Description: GNU libtool consists of a set of shell scripts used to build shared libraries.

Joseph S. Myers and Stefan Nordhausen independently found a vulnerability in the way the ltmain.sh script (which is part of the libtool package) creates temporary directories for its use.

A local attacker could exploit this vulnerability to change/delete arbitrary files in the system on behalf of the user who is calling the script. The vulnerability has been fixed in the 1.5.2 version of libtool.

Alerts:
Conectiva CLA-2004:811 2004-02-05
OpenPKG OpenPKG-SA-2004.004 2004-03-08

Comments (none posted)

mailman: cross-site scripting vulnerabilities

Package(s):mailman CVE #(s):CAN-2003-0965 CAN-2003-0992
Created:February 6, 2004 Updated:March 5, 2004
Description: Dirk Mueller discovered a cross-site scripting bug in the admin interface in versions of Mailman 2.1 before 2.1.4. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0965 to this issue.

A cross-site scripting bug in the 'create' CGI script affects versions of Mailman 2.1 before 2.1.3. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0992 to this issue.

Alerts:
Red Hat RHSA-2004:020-01 2004-02-05
Debian DSA-436-1 2004-02-08
Debian DSA-436-2 2004-02-21
Fedora FEDORA-2004-060 2004-03-04

Comments (none posted)

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Red Hat RHSA-2004:019-01 2004-02-09
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:156-01 2004-04-14
Conectiva CLA-2004:842 2004-05-25

Comments (1 posted)

mc: arbitrary code execution

Package(s):mc CVE #(s):CAN-2003-1023
Created:January 16, 2004 Updated:April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander.
Alerts:
Debian DSA-424-1 2004-01-16
Red Hat RHSA-2004:034-01 2004-01-19
Mandrake MDKSA-2004:007 2004-01-26
Red Hat RHSA-2004:035-01 2004-01-19
Fedora FEDORA-2004-058 2004-02-09
Whitebox WBSA-2004:035-01 2004-02-12
SCO Group CSSA-2004-014.0 2004-03-25
Conectiva CLA-2004:833 2004-03-31
Gentoo 200403-09 2004-03-29
OpenPKG OpenPKG-SA-2004.009 2004-04-05

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Gentoo 200401-03 2004-01-27
Red Hat RHSA-2004:063-01 2004-02-26
Red Hat RHSA-2004:058-01 2004-02-26
Debian DSA-452-1 2004-02-29
Whitebox WBSA-2004:058-01 2004-03-01
Conectiva CLA-2004:837 2004-04-12
Fedora-Legacy FLSA:1325 2004-10-03

Comments (none posted)

monkeyd: denial of service

Package(s):monkeyd CVE #(s):
Created:February 11, 2004 Updated:February 11, 2004
Description: The monkeyd HTTP server suffers from a parsing bug which can be exploited to crash the server process. Upgrading to version 0.8.2 fixes the problem.
Alerts:
Gentoo 200402-03 2004-02-11

Comments (none posted)

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
Conectiva CLA-2003:781 2003-11-12
Debian DSA-435-1 2004-02-06
SCO Group CSSA-2004-002.0 2004-02-19

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Debian DSA-411-1 2004-01-05
Gentoo 200503-34 2005-03-28

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Gentoo 200309-15 2003-09-27
Mandrake MDKSA-2003:097 2003-09-30
Conectiva CLA-2003:760 2003-10-06
Gentoo 200403-13 2004-03-31
Mandrake MDKSA-2004:026 2004-04-05

Comments (none posted)

mutt: buffer overflow

Package(s):mutt CVE #(s):CAN-2004-0078
Created:February 11, 2004 Updated:March 26, 2004
Description: mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details.
Alerts:
Fedora FEDORA-2004-061 2004-02-11
Red Hat RHSA-2004:050-01 2004-02-11
Red Hat RHSA-2004:051-01 2004-02-11
Slackware SSA:2004-043-01 2004-02-12
Mandrake MDKSA-2004:010 2004-02-11
Whitebox WBSA-2004:050-01 2004-02-12
Trustix 2004-0006 2004-02-13
Netwosix NW-2004-0001 2004-02-16
OpenPKG OpenPKG-SA-2004.005 2004-03-09
SCO Group CSSA-2004-013.0 2004-03-25

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Debian DSA-426-1 2004-01-18
Red Hat RHSA-2004:031-01 2004-01-22
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:030-01 2004-02-05
Mandrake MDKSA-2004:011 2004-02-11
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011-1 2004-09-27
Gentoo 200410-02 2004-10-04
Conectiva CLA-2004:909 2004-12-29

Comments (1 posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

perl information leak

Package(s):perl CVE #(s):CAN-2003-0618
Created:February 2, 2004 Updated:April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-1 2004-02-01
Debian DSA-431-2 2004-04-16

Comments (none posted)

PHP setting leaks from .htaccess files on virtual hosts

Package(s):php CVE #(s):
Created:February 9, 2004 Updated:February 11, 2004
Description: If the server configuration "php.ini" file has "register_globals = on", a request is made to one virtual host (which has "php_admin_flag register_globals off"), and the next request is sent to another virtual host (which does not have the setting) through the same Apache child, the setting will persist.

Depending on the server and site, an attacker may be able to exploit global variables to gain access to reserved areas, such as MySQL passwords, or this vulnerability may simply cause a lack of functionality. As a result, users are urged to upgrade their PHP installations.

Alerts:
Gentoo 200402-01 2004-02-07

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts: