321 Studios and the free software community
In the Bunner DVD case, the DVD Copy Control Association attempted to
suppress the distribution of (or even linking to) the DeCSS code (which
decrypts content from DVDs) with the claim that the code contained trade
secrets. The court's rulings suggested that the trade secret claim was not
going to hold up, and the Bunner case was dropped last year. The trade
secret weapon had proved ineffective in this case.
The DVDCCA has responded with a change of direction: the group is now suing
321 Studios, which makes a proprietary DVD copying program, for patent
infringement. 321 and its DVD Copy program have been in and out of the
courts for a while; the company started the litigation with a suit which
attempted to obtain a ruling stating that its products do not violate the
DMCA. The bringing of a patent suit changes the nature of this battle,
however. It is a living demonstration of one of the free software
community's deepest fears: that software patents will be used to prevent us
from programming our computers to work the way we want them to.
It is interesting to note that a patent and a trade secret cannot cover the
same technology. Patent applications require full disclosure of the technology for
which protection is sought; any technology which has been publicly
disclosed in this manner cannot, by definition, be a trade secret. Thus
far, we have been unable to turn up a reference for the exact patent which
is being claimed by the DVDCCA; if anybody has a pointer, we would
appreciate hearing about it. Given the timing, however, the patent application must
have been in the works while the trade secret case was pending. Filing
trade secret suits while having already disclosed the relevant technology
would be, at the least, an act of bad faith.
321 Studios is also being sued by Macrovision, which is also claiming
patent infringement along with DMCA violations. 321 has just filed a
response pointing out that, among other things, Macrovision's patents
cover an analog copy-protection mechanism which is not relevant to a
digital copying program.
This company has been fighting many of the same digital rights battles as
the free software community. But there has been no big outpouring of
support for 321 Studios; for the most part, its battles have been ignored.
321 Studios has not been able to obtain the same level of interest and
support as, say, Elcomsoft has.
One might point out that 321 Studios is a proprietary software company;
that is true, but so is Elcomsoft. The real answer, perhaps, is that the
community has sensed that 321 Studios does not really share its values; 321
appears to have little interest in any issues beyond immediate sales of DVD
copying software.
The difference in values has just become rather more apparent, however; see
this triumphant
press release from February 5. Therein, 321 notes that one of its
customers was said to be using DVDXCopy for "piracy." The company
responded by shutting down the software remotely. This program, it seems,
puts a watermark into every disc it creates, allowing the company to
identify who performed the copy and, should it feel so inclined, to shut
down the software altogether.
This feature highlights one of the largest differences between free
software and (at least some of) its proprietary relatives. The DeCSS code
does not come with watermarking and remote shutdown capabilities. The Gimp
will not attempt to prevent its users from creating an image that might
look like some nations' currencies, and Ghostscript will not try to prevent
that user from printing such images. Neither Freevo nor MythTV will phone
home with details of just how often the user replayed the latest banal
Super Bowl publicity stunt. Nothing prevents anybody from coding any such
features, but, equally, nothing prevents the rest of the world from taking
them back out. Free software evolves toward one specific end: meeting the
needs of its users. There is no room for conflicts of interest, no space
for the agendas of industry consortia, advertisers, or governments.
321 Studios is not fighting for that view of the software universe; the
company simply wants to be able to sell its product. We can certainly
sympathize with the company as it deals with familiar problems like the
DMCA and software patents. But, while 321 is fighting many of the same
battles as the free software community, it is fighting them as part of a
different war.
Comments (5 posted)
SCO Weekly News
Let us start off this week's SCO update with some quotes:
SCO has since backed off the billing plan, but the company is
still serious about enforcing its copyrights, said Chris Sontag,
senior vice president in charge of SCO's legal efforts. He said
lawsuits targeting Linux users will be filed within 90 days, with
initial suits targeting 1,500 companies that have significant
Linux systems.
-- ZDNet, November 18, 2003.
If someone says they want to see a court ruling before they pay,
we'll say, "Fine, you're the lucky winner. We'll take you
first." I'd be surprised if we make it to the end of the year
without filing a lawsuit.
-- Darl McBride, November 24, 2003
So we have basically said within the next few weeks, by February
18th we are going to be in the courtroom with an end user to go
through the copyright-related problems that we are having from an
infringement standpoint.
-- Darl McBride, February 2, 2004
There are many more quotes available on this theme, but certainly the idea
is clear by now. Like so many other bits of SCO bluster, the threats of
suits against end users have not been followed up by any sort of action.
Yet.
Whether such a suit will eventually come remains an open question,
however. SCO is currently fighting IBM, Red Hat, and Novell in three
separate cases, and none of the three appear to be going particularly
well. At some point SCO's management should be forced to conclude that the
company simply does not have the resources to open any more legal fronts.
Dividing SCO's scarce cash and (possibly not so scarce) lawyers among even
more courtrooms would not appear to be a wise strategy.
On the other hand, few people have accused SCO of acting wisely in recent
times. The company is due to post a quarterly earnings report that, by all
estimates, will be dismal. SCO stock is well below the peak values it
hit in September and October. The mainstream media is beginning to wake
up, and its coverage is increasingly hostile. SCO's only hope for
continued existence would appear to be to somehow shake money out of
some easily-cowed Linux users, but those users are proving to have rather
more backbone than SCO may have anticipated. The SCO Group may yet decide
that its best interests lie in even more litigation.
One view into how the shakedown effort is proceeding can be found in Red Hat's
motion to supplement its filings in its suit against SCO. That case is
(still!) waiting for the judge to come to a conclusion on SCO's motion to
dismiss the case, which was filed in September. Since then, a few things
have happened which have made it increasingly clear that SCO does, indeed,
intend to go after Red Hat and its customers. Red Hat's motion is an
attempt to bring SCO's more recent actions to the judge's attention.
One of the things Red Hat is pointing out is a
letter sent by SCO to Lehman Brothers Holdings. It is a variant on the
standard SCO shakedown letter; the point here is that Lehman Brothers is a
Red Hat customer. Happily, Lehman Brothers saw no point in giving in to
SCO; its
response is short and clear, and is best paraphrased as "go bug Red
Hat."
Part of the problem for SCO is that Novell's claims on the Unix copyrights
make it easy for prospective SCO victims to ignore the letters. If SCO
can't put forward a clear claim to the Unix copyrights, it will have a hard
time collecting from anybody regardless of the validity of its statements
about the provenance of Linux. For that reason, the company was compelled
to file suit against Novell, in hopes of clearing that obstruction.
Unfortunately for SCO, Novell has filed a compelling motion to dismiss the
suit. Essentially, says Novell, the SCO suit is missing two things that
are required in "slander of title" suits: proof that the defendant's
statements are false, and a demonstration that actual damages have been
suffered. As Novell points out, SCO's demand that the court force Novell
to transfer the copyrights proves that Novell's claims are true; SCO's suit
contradicts itself. See Groklaw
for a far more detailed discussion of Novell's motion.
Meanwhile, as of this writing, the Utah court still has not issued any
rulings regarding the motions to compel in the IBM case. There is no way
to know what this delay means until the court speaks. Chances are it will
be something interesting, however.
Comments (6 posted)
The Grumpy Editor's browser review - a followup
The
review of Gecko-based browsers we ran
last week generated a great deal of feedback; this is evidently an area of
great interest to many users. We have just a few things to add to that
review this time around.
Thanks primarily to reader comments, your editor was able to resolve almost
all of his complaints with the Firefox browser. Image animation can be
controlled via the user-hostile about:config screen, the
prefs.js file found in a randomly-named directory under
~/.phoenix, or via plugin extensions. Antialiased fonts are to be
had by downloading the correct version of the browser. And so on. The
situation has improved to the point where your editor is now using Firefox
as his preferred browser.
The real key to the success of Firefox may well prove to be its extension
architecture. History has shown many times that, if an application
provides an easy mechanism for users to graft in additional or different
functionality, those users will run with it. The lengthy list of extensions
available for Firefox shows that this browser has reached a critical mass
in this regard. Extensions are available to provide all kinds of
navigation tools, to help with weblogging, to assist in web page authoring,
and many other tasks including, inevitably, playing Tetris. It would be
nice not to have to go find an extension to replace the missing "up"
navigation button, but it's nice that you can. One can only hope
that the security implications of encouraging users to download and install
browser extensions have been thought through: an extension runs with the
full privileges of the browser itself, so installing one from an untrusted
source is no safer than installing any other program.
If last week's review were to be written today, the conclusion
might have been written a little differently. Firefox has a level of
performance, reliability, and features that well exceeds the other
Gecko-based browsers available. One might well wonder why Galeon and
Epiphany continue to exist; they appear to be trying to do the same thing
as Firefox but - at this moment in time, anyway - they do it less reliably
and with fewer features. (Do see, however, this posting on why Red Hat is shipping
Epiphany for a different view).
As we noted last week, there could well be a
place for multiple browser projects, but each should be looking for a
unique way to extend the state of the art.
Meanwhile, your editor also found the time to get Konqueror 3.2 working. Konqueror is
everything its proponents claim it is: a fast, powerful and robust tool for
navigating through information, be it on the local system or on the net.
Your editor has never had much use for file managers, and so does not place
much value on Konqueror's implementation. He can see, however, that
Konqueror does look like a very nice file manager. The web browser is
capable and fast, and highly configurable. Some features, such as the
ability to change the browser identification (User-Agent) string to get past
certain difficult web site programmers, are unique.
What Konqueror still seems to be lacking, however, is a password manager.
Security-conscious users may feel better off without this feature (a
password manager is only as trustworthy as the store it keeps credentials
in, and one that encrypts that store under a master password is a very
different proposition from one that merely obfuscates it), but the
simple fact is that it has gotten hard to keep track of the long list of
usernames and passwords needed to access many useful sites on the web. A
password manager can be most useful when trying to remember which login
information was used to get into some obscure site with its own strange
rules. It is surprising, really, that Konqueror has not picked up this
capability yet.
That notwithstanding, if Konqueror were the only browser available for
Linux systems, we would be in good shape. Linux is second to no other
system now in the quality of its web browsing support. It will be more
than interesting to see where things go from here as the various projects
look for new ways to extend the state of the art.
Comments (20 posted)
FOSDEM 2004
The 2004 edition of the
Free and Open Source
Developers Meeting will be happening on February 21 and 22 in
Brussels.
LWN editor Jonathan Corbet will be there. In a moment of weakness last
month (he blames Australian wine), he agreed to give two different talks at
the event. Happily, FOSDEM has three tracks this year, so it should be
possible to avoid those talks and see something interesting.
The schedule has the
details. Keynote speakers include Tim O'Reilly, Richard Stallman, and, of
course, Jon 'maddog' Hall. FOSDEM looks to be an interesting event.
For the first time, LWN is happy to be sponsoring this event. With luck,
this sponsorship will allow us to help a community event while
simultaneously bringing in more subscribers. If things work out, we'll be
sponsoring more events in the future.
Meanwhile, we're looking forward to meeting some of our European readers;
see you there.
Comments (2 posted)
Page editor: Jonathan Corbet
Security
Security news
A new mremap() vulnerability
The
mremap() system call allows a process to change its virtual
memory layout by adjusting the size and location of a virtual memory area.
One of the things
mremap() can do is move one virtual memory area
(VMA) into the middle of another one. In that case, the target VMA will be
split in two so that the space in the middle can be freed and reused for
the VMA being moved. As long as the calling process knows what it is doing
(it doesn't need the pages being replaced by the moved area, for example),
all of this is fine.
This bug is present in kernels through 2.4.24 and 2.6.2. The kernel
enforces a limit on the maximum number of VMAs that any one process can
have (65536 by default; in 2.6 it is tunable as the vm.max_map_count
sysctl). If the kernel attempts to split a VMA in response to the sort of
mremap() call described above, it checks the process's VMA count against
that limit, since the split adds a new VMA. If the limit has been reached,
the internal call which unmaps the target range and performs the split
(do_munmap()) returns -ENOMEM before touching anything. So far, so good.
The problem is that mremap() did not check whether do_munmap() had
succeeded; if the split failed, mremap() carried on regardless. The end
result is that the old target VMA remains, with its existing permissions,
but some of its associated page table entries are overwritten by entries
from the VMA being moved: the kernel's list of VMAs no longer describes
what is actually in the page tables. An attacker can exploit that
inconsistency to obtain access to pages which the kernel would not
otherwise have allowed, and the bug can be used by a local user to obtain
root access on any Linux system running a vulnerable kernel.
The solution is to upgrade to 2.4.25 or 2.6.3 (where mremap() checks the
result of do_munmap() and fails the call if the unmap did not happen), or
to apply the appropriate distributor security update. The LWN
vulnerability entry tracks the available updates. For more information
on the vulnerability, see this advisory from
Paul Starzetz.
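The unchecked-return failure described above, as an added example that is not part of the original article and is not kernel code: a small user-space model of a process's VMA list, with a do_munmap() that refuses to split a VMA once the map-count limit has been reached, and an mremap() move that either ignores that refusal (the 2.4.24/2.6.2 behaviour) or honours it (the 2.4.25/2.6.3 fix). MAX_VMAS, PAGE, the addresses and all of the function names here are hypothetical stand-ins for the kernel's own structures; the property of interest is whether the VMA list ends up with two overlapping areas, which is the inconsistent state the real kernel was left in.

```c
/* User-space model of the 2.4.24/2.6.2 mremap() bug: an added illustration,
 * not kernel code.  VMAs are a small array, MAX_VMAS stands in for the
 * per-process map-count limit, and a "move" just rewrites VMA bounds. */
#include <errno.h>
#include <stdio.h>

#define MAX_VMAS 8          /* hypothetical small limit; the kernel's is 65536 */
#define PAGE     4096UL

struct vma { unsigned long start, end; int prot; };   /* covers [start, end) */
struct mm  { struct vma v[MAX_VMAS]; int count; };

/* Add a VMA, applying the map-count check the kernel makes on every insert. */
static int vma_insert(struct mm *mm, unsigned long start, unsigned long end, int prot)
{
    if (mm->count >= MAX_VMAS)
        return -ENOMEM;
    mm->v[mm->count++] = (struct vma){ start, end, prot };
    return 0;
}

/* Unmap [start, start+len).  Each VMA keeps whatever lies left and right of
 * the hole, so a hole strictly inside a VMA splits it and costs one more VMA.
 * The result is committed only if everything fits; at the limit the call
 * fails with -ENOMEM and the mm is left exactly as it was. */
static int do_munmap(struct mm *mm, unsigned long start, unsigned long len)
{
    unsigned long end = start + len;
    struct mm out = { .count = 0 };
    int i;
    for (i = 0; i < mm->count; i++) {
        struct vma v = mm->v[i];
        if (v.start < start &&
            vma_insert(&out, v.start, v.end < start ? v.end : start, v.prot))
            return -ENOMEM;
        if (v.end > end &&
            vma_insert(&out, v.start > end ? v.start : end, v.end, v.prot))
            return -ENOMEM;
    }
    *mm = out;
    return 0;
}

/* The MREMAP_FIXED|MREMAP_MAYMOVE path: punch a hole at new_start, then move
 * the VMA at old_start into it.  check_munmap == 0 reproduces the bug. */
static int mremap_move(struct mm *mm, unsigned long old_start, unsigned long len,
                       unsigned long new_start, int check_munmap)
{
    int i, ret = do_munmap(mm, new_start, len);

    if (check_munmap && ret)
        return ret;                  /* the 2.4.25/2.6.3 fix stops here */
    for (i = 0; i < mm->count; i++)  /* vulnerable kernels move the VMA anyway */
        if (mm->v[i].start == old_start) {
            mm->v[i].start = new_start;
            mm->v[i].end = new_start + len;
            return 0;
        }
    return -EINVAL;
}

/* Overlapping VMAs mean the VMA list and the page tables no longer agree. */
static int mm_has_overlap(const struct mm *mm)
{
    int i, j;
    for (i = 0; i < mm->count; i++)
        for (j = i + 1; j < mm->count; j++)
            if (mm->v[i].start < mm->v[j].end && mm->v[j].start < mm->v[i].end)
                return 1;
    return 0;
}

/* Attack shape: a 16-page target, a one-page source, fillers up to the limit,
 * then move the source into the middle of the target so the split must fail. */
static int run_scenario(int check_munmap, int *overlap)
{
    struct mm mm = { .count = 0 };
    unsigned long a;
    int ret;
    vma_insert(&mm, 0x10000, 0x10000 + 16 * PAGE, 3);   /* target, rw */
    vma_insert(&mm, 0x200000, 0x200000 + PAGE, 1);      /* source, r */
    for (a = 0x400000; mm.count < MAX_VMAS; a += 2 * PAGE)
        vma_insert(&mm, a, a + PAGE, 1);                 /* non-adjacent fillers */
    ret = mremap_move(&mm, 0x200000, PAGE, 0x10000 + 8 * PAGE, check_munmap);
    *overlap = mm_has_overlap(&mm);
    return ret;
}

int vulnerable_overlaps(void) { int o; run_scenario(0, &o); return o; }  /* 1 */
int fixed_result(void)        { int o; return run_scenario(1, &o); }     /* -ENOMEM */
int fixed_overlaps(void)      { int o; run_scenario(1, &o); return o; }  /* 0 */

int main(void)
{
    printf("unchecked: overlap=%d   checked: ret=%d overlap=%d\n",
           vulnerable_overlaps(), fixed_result(), fixed_overlaps());
    return 0;
}
```

Build it with any C99 compiler and run it: the unchecked variant reports an overlap, while the checked one returns -ENOMEM and leaves the mapping as it was. On a real system the equivalent check is simply to be running 2.4.25, 2.6.3 or a distributor kernel carrying the fix, where the mremap() call itself fails instead of silently leaving the address space inconsistent.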
Comments (6 posted)
New vulnerabilities
cgiemail vulnerability allows unauthorized mail relaying
Package(s): cgiemail
CVE #(s): CAN-2002-1575
Created: February 12, 2004
Updated: February 18, 2004
Description: A vulnerability in cgiemail, a CGI program, allows mail to be sent
to arbitrary addresses, making the host capable of generating spam.
New cgiemail packages fix open mail relaying.
Comments (none posted)
elm: vulnerability in frm command
Package(s): elm
CVE #(s): CAN-2003-0966
Created: February 13, 2004
Updated: February 18, 2004
Description: Elm is a terminal mode email user agent. The frm command is provided as
part of the Elm packages and gives a summary list of the sender and subject
of selected messages in a mailbox or folder.
A buffer overflow vulnerability was found in the frm command. An attacker
could create a message with an overly long Subject line such that when the
frm command is run by a victim arbitrary code is executed. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0966 to this issue.
Comments (1 posted)
kernel: local root exploit
Comments (none posted)
metamail: integer and buffer overflows
Package(s): metamail
CVE #(s): CAN-2004-0104, CAN-2004-0105
Created: February 18, 2004
Updated: May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer
overflows which are remotely exploitable via a properly crafted message.
Comments (none posted)
phpMyAdmin: directory traversal
Package(s): phpMyAdmin
CVE #(s): (none)
Created: February 17, 2004
Updated: February 18, 2004
Description: A component of the phpMyAdmin software package (export.php) does not
properly verify input that is passed to it from a remote user. Since the
input is used to include other files, it is possible to launch a directory
traversal attack.
Comments (none posted)
PWLib: possible Denial of Service
Package(s): PWLib
CVE #(s): CAN-2004-0097
Created: February 13, 2004
Updated: April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323
project. OpenH323 provides an implementation of the ITU H.323
teleconferencing protocol, used by packages such as GnomeMeeting.
A test suite for the H.225 protocol (part of the H.323 family) provided by
the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker
could trigger these bugs by sending carefully crafted messages to an
application. The effects of such an attack can vary depending on the
application, but would usually result in a Denial of Service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0097 to this issue.
Comments (none posted)
samba: access to disabled accounts
Package(s): samba
CVE #(s): CAN-2004-0082
Created: February 18, 2004
Updated: February 19, 2004
Description: Samba 3.0.0 and 3.0.1 contain a difficult-to-exploit vulnerability which
could give an attacker access to a disabled account.
Comments (none posted)
Updated vulnerabilities
CUPS: denial of service
Package(s): CUPS
CVE #(s): CAN-2003-0788
Created: November 3, 2003
Updated: March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing
Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get
into a busy loop. This could result in a denial of service. In order to
exploit this bug an attacker would need to have the ability to make a TCP
connection to the IPP port (by default 631).
Comments (none posted)
Net-SNMP: security bugs in versions before 5.0.9
Package(s): Net-SNMP
CVE #(s): CAN-2003-0935
Created: December 2, 2003
Updated: February 13, 2004
Description: The Net-SNMP project includes various Simple Network Management Protocol
(SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could
allow an existing user/community to gain access to data in MIB objects that
were explicitly excluded from their view.
Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition,
Net-SNMP 5.0.9 fixes a number of other minor bugs.
Comments (none posted)
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description: use Perl has a description of a vulnerability in the Safe.pm Perl
module. It seems that if a Safe compartment is used more than once, it
ceases to be safe. The problem is fixed in Safe 2.08.
Comments (none posted)
XFree86: buffer overflow
Package(s): XFree86
CVE #(s): CAN-2004-0083, CAN-2004-0084, CAN-2004-0106
Created: February 11, 2004
Updated: February 23, 2004
Description: The XFree86 code which reads "fonts.alias" files suffers from a buffer
overflow which may be turned into a local root exploit; see this advisory
for details.
Comments (none posted)
apache: buffer overflows in mod_alias, mod_rewrite
Package(s): apache
CVE #(s): CAN-2003-0542, CAN-2003-0789
Created: October 28, 2003
Updated: February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite
modules of the Apache webserver. These occurred if a regular expression
with more than 9 capturing parentheses was configured. To exploit this, an
attacker would need to be able to locally create a carefully crafted
configuration file (.htaccess or httpd.conf). (CAN-2003-0542)
Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's
mishandling of CGI redirect paths could result in CGI output going to the
wrong client when a threaded MPM is used. (CAN-2003-0789)
Comments (none posted)
apache2: Denial of Service vulnerability
Package(s): apache2
CVE #(s): (none)
Created: September 29, 2003
Updated: March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution. This
problem can lead to a denial of service situation. See this bug report for
additional details.
Comments (none posted)
bind: cache poisoning
Package(s): bind
CVE #(s): CAN-2003-0914
Created: November 26, 2003
Updated: February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a
temporary denial of service until the bad record expires from the cache.
Comments (none posted)
cvs: possible root compromise
Package(s): cvs
CVE #(s): CAN-2003-0977
Created: December 29, 2003
Updated: February 13, 2004
Description: Stable CVS 1.11.11 has been released, adding code to the CVS server to
prevent it from continuing as root after a user login, as an extra failsafe
against a compromise of the CVSROOT/passwd file.
Comments (none posted)
ethereal: protocol dissector and other vulnerabilities
Package(s): ethereal
CVE #(s): CAN-2003-0925, CAN-2003-0926, CAN-2003-0927, CAN-2003-1012, CAN-2003-1013
Created: December 18, 2003
Updated: February 13, 2004
Description: Serious issues have been discovered in two ethereal protocol dissectors.
Both vulnerabilities will make the Ethereal application crash. The Q.931
vulnerability also affects Tethereal. It is not known if either
vulnerability can be used to make Ethereal or Tethereal run arbitrary
code. (CAN-2003-1012 and CAN-2003-1013)
Comments (none posted)
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible.
Comments (none posted)
fetchmail may crash on specially crafted message
Package(s): fetchmail
CVE #(s): CAN-2003-0792
Created: October 16, 2003
Updated: April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email
message can cause fetchmail to crash.
Comments (none posted)
fileutils/wu-ftpd: denial of service
Package(s): fileutils
CVE #(s): CAN-2003-0854
Created: October 22, 2003
Updated: March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can
be exploited via wu-ftpd to create a denial of service situation. See this
advisory from Georgi Guninski for details.
Comments (none posted)
gaim: remote overflows
Package(s): gaim
CVE #(s): CAN-2004-0006, CAN-2004-0007, CAN-2004-0008
Created: January 26, 2004
Updated: February 16, 2004
Description: Stefan Esser has discovered several vulnerabilities in Gaim 0.75. This
advisory has details of 12 separate vulnerabilities.
Comments (none posted)
gallery: code injection
Package(s): gallery
CVE #(s): (none)
Created: February 11, 2004
Updated: February 11, 2004
Description: Gallery (through version 1.4.1) suffers from a PHP code injection
vulnerability which can provide a remote attacker with access to the web
server process.
Comments (none posted)
GnuPG: ElGamal signing keys compromised
Package(s): gnupg
CVE #(s): CAN-2003-0971
Created: November 28, 2003
Updated: March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to
ElGamal sign+encrypt keys. This email message from Werner Koch contains
more information. "Phong Nguyen identified a severe bug in the way GnuPG
creates and uses ElGamal keys for signing. This is a significant security
failure which can lead to a compromise of almost all ElGamal keys used for
signing. Note that this is a real world vulnerability which will reveal
your private key within a few seconds."
Comments (3 posted)
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Comments (none posted)
iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by
local users, with the result that denial of service attacks are possible.
Comments (none posted)
kdepim: VCF file information reader vulnerability
Package(s): kdepim
CVE #(s): CAN-2003-0988
Created: January 15, 2004
Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as
distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully
crafted .VCF file potentially enables local attackers to compromise the
privacy of a victim's data or execute arbitrary commands with the victim's
privileges. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Comments (none posted)
kernel: privilege vulnerability on AMD64
Package(s): kernel
CVE #(s): CAN-2004-0001
Created: January 16, 2004
Updated: February 17, 2004
Description: On AMD64 systems, a fix was made to the eflags checking in 32-bit ptrace
emulation that could have allowed local users to elevate their privileges.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0001 to this issue.
Comments (none posted)
kernel: local root exploit in 2.4.22
Package(s): kernel
CVE #(s): CAN-2003-0961
Created: December 1, 2003
Updated: April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and
earlier. A flaw in bounds checking in the do_brk() function can allow a
local attacker to gain root privileges. This vulnerability is known to be
exploitable.
The 2.4.23 kernel contains the fix. For more details on how this
vulnerability works, see this LWN article.
Comments (1 posted)
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net
Comments (none posted)
lftp buffer overflows
Package(s): lftp
CVE #(s): CAN-2003-0963
Created: December 15, 2003
Updated: February 13, 2004
Description: According to this advisory versions of lftp prior to 2.6.10 are vulnerable
to two exploitable buffer overflow problems. Both occur when you connect to
a web server with lftp using HTTP or HTTPS, and then use lftp's "ls" or
"rels" commands on specially prepared directories on the web server.
Comments (none posted)
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
Comments (none posted)
libtool - Insecure handling of temporary files
Package(s): libtool
CVE #(s): (none)
Created: February 5, 2004
Updated: March 8, 2004
Description: GNU libtool consists of a set of shell scripts used to build shared
libraries.
Joseph S. Myers and Stefan Nordhausen independently found a vulnerability
in the way the ltmain.sh script (which is part of the libtool package)
creates temporary directories for its use.
A local attacker could exploit this vulnerability to change/delete
arbitrary files in the system on behalf of the user who is calling the
script. The vulnerability has been fixed in the 1.5.2 version of libtool.
Comments (none posted)
mailman: cross-site scripting vulnerabilities
Package(s): mailman
CVE #(s): CAN-2003-0965, CAN-2003-0992
Created: February 6, 2004
Updated: March 5, 2004
Description: Dirk Mueller discovered a cross-site scripting bug in the admin interface
in versions of Mailman 2.1 before 2.1.4. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0965 to
this issue.
A cross-site scripting bug in the 'create' CGI script affects versions of
Mailman 2.1 before 2.1.3. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0992 to this issue.
Comments (none posted)
mailman denial of service
Package(s): mailman
CVE #(s): CAN-2003-0991
Created: February 9, 2004
Updated: May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS)
vulnerability in versions of Mailman prior to 2.1. An attacker could send
a carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue.
Comments (1 posted)
mc: arbitrary code execution
| Package(s): | mc |
| CVE #(s): | CAN-2003-1023 |
| Created: | January 16, 2004 |
| Updated: | April 5, 2004 |
| Description: |
A vulnerability was discovered in Midnight Commander, a file manager,
whereby a malicious archive (such as a .tar file) could cause arbitrary
code to be executed when it is opened in Midnight Commander. |
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside an
archive file can overflow a buffer when mikmod reads the archive. |
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: |
Apache's mod_python module could crash the httpd process when sent a
specific, malformed query string.
The Apache Software Foundation has reported that mod_python may be prone to
denial of service attacks when handling a malformed query. mod_python 2.7.9
was released to fix the vulnerability; because that fix was incomplete,
version 2.7.10 has since been released. Users of mod_python 3.0.4 are not
affected by this vulnerability. |
monkeyd: denial of service
| Package(s): | monkeyd |
| CVE #(s): | |
| Created: | February 11, 2004 |
| Updated: | February 11, 2004 |
| Description: |
The monkeyd HTTP server suffers from a parsing bug which can be exploited
to crash the server process. Upgrading to version 0.8.2 fixes the problem. |
mpg123: heap overflow
| Package(s): | mpg123 |
| CVE #(s): | CAN-2003-0865 |
| Created: | November 12, 2003 |
| Updated: | February 19, 2004 |
| Description: |
Versions of mpg123 through 0.59s contain a heap overflow which may be
exploited remotely (by a hostile server). See the advisory for details. |
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) as the format
string. A remote attacker could exploit this to overwrite memory and
possibly execute arbitrary code. For the vulnerability to be exploited,
mpg321 would need to play a malicious mp3 file (including via HTTP
streaming). |
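The mpg321 entry describes a format string vulnerability without showing one. The C program below is an added illustration, not mpg321's code and not taken from its advisory, of how such a bug arises in a player that displays tag metadata: a title copied out of an ID3v1 tag is handed to a printf-family function as the format argument. The tag bytes are constructed inline; the ID3v1 layout used ("TAG" at offset 0, a 30-byte title at offset 3, 128 bytes total) is the real one, while the function names and the hostile title are assumptions for the demo. The vulnerable routine is shown for comparison but deliberately never called with the hostile title.

```c
/* Added example of a format-string bug in tag display (not mpg321 code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID3V1_TAG_SIZE  128
#define ID3V1_TITLE_OFF 3
#define ID3V1_TITLE_LEN 30

/* Builds a 128-byte ID3v1 trailer carrying the given title (constructed test
 * data, no real mp3 involved). Returns 0, or -1 if the title does not fit. */
int build_id3v1_tag(uint8_t tag[ID3V1_TAG_SIZE], const char *title)
{
    size_t n = strlen(title);
    if (n > ID3V1_TITLE_LEN) return -1;
    memset(tag, 0, ID3V1_TAG_SIZE);
    memcpy(tag, "TAG", 3);
    memcpy(tag + ID3V1_TITLE_OFF, title, n);
    return 0;
}

/* Copies the title field into a NUL-terminated buffer of at least
 * ID3V1_TITLE_LEN + 1 bytes and strips the space/NUL padding. ID3v1 fields
 * are not guaranteed to be terminated, hence the explicit terminator.
 * Returns 0 on success, -1 if the trailer is not an ID3v1 tag. */
int id3v1_title(const uint8_t *tag, size_t tag_len, char *out, size_t out_len)
{
    if (tag_len < ID3V1_TAG_SIZE || out_len < ID3V1_TITLE_LEN + 1) return -1;
    if (memcmp(tag, "TAG", 3) != 0) return -1;
    memcpy(out, tag + ID3V1_TITLE_OFF, ID3V1_TITLE_LEN);
    out[ID3V1_TITLE_LEN] = '\0';
    for (size_t i = ID3V1_TITLE_LEN;
         i > 0 && (out[i - 1] == ' ' || out[i - 1] == '\0'); i--)
        out[i - 1] = '\0';
    return 0;
}

/* VULNERABLE: attacker-controlled bytes become the format string, so %x reads
 * the stack and %n writes to memory. Never call this with untrusted data. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void show_title_vulnerable(const char *title)
{
    fprintf(stdout, title);
    fputc('\n', stdout);
}
#pragma GCC diagnostic pop

/* HARDENED: the title is an argument, the format is a literal.
 * Returns what snprintf returns (the length the full line would have). */
int show_title_hardened(char *line, size_t n, const char *title)
{
    return snprintf(line, n, "Title: %s", title);
}

/* Audit helper: counts conversion directives an attacker would control in a
 * string and reports whether any of them is %n. "%%" is a literal percent. */
int count_format_directives(const char *s, int *has_write)
{
    int count = 0;
    *has_write = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
        const char *q = p + 1;                 /* skip flags/width/length */
        while (*q && strchr("-+ #0123456789.$*hlLqjzt", *q)) q++;
        if (*q == 'n') *has_write = 1;
        if (*q) p = q;
    }
    return count;
}

int main(void)
{
    uint8_t tag[ID3V1_TAG_SIZE];
    char title[ID3V1_TITLE_LEN + 1], line[64];
    int writes;

    build_id3v1_tag(tag, "%x%x%x%n");          /* hostile title, constructed */
    id3v1_title(tag, sizeof tag, title, sizeof title);
    show_title_hardened(line, sizeof line, title);
    puts(line);                                 /* directives printed literally */
    printf("%d directive(s), %%n present: %s\n",
           count_format_directives(title, &writes), writes ? "yes" : "no");
    /* show_title_vulnerable(title) is intentionally not called here. */
    return 0;
}
```

The audit helper is the check a reviewer would run over any string that reaches a printf-family call as its first argument; the hardened routine is the two-character fix ("%s") that the page's description implies.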
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer |
| CVE #(s): | CAN-2003-0835 |
| Created: | September 29, 2003 |
| Updated: | April 6, 2004 |
| Description: |
A remotely exploitable buffer overflow vulnerability was found in MPlayer.
A malicious host can craft a harmful ASX header and trick MPlayer into
executing arbitrary code when it parses that header. Read the full advisory
for details. |
mutt: buffer overflow
| Package(s): | mutt |
| CVE #(s): | CAN-2004-0078 |
| Created: | February 11, 2004 |
| Updated: | March 26, 2004 |
| Description: |
mutt suffers from a buffer overflow in its "index menu" code. This overflow
can be exploited via a hostile message to crash mutt and, perhaps, execute
arbitrary code. Version 1.4.2 fixes the problem; see the advisory for
details. |
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: |
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need a valid Nessus account together
with the ability to upload arbitrary Nessus plugins to the Nessus server
(an option that is disabled by default), or would need to trick a user into
running a specially crafted NASL script. Read the full advisory for
additional information. |
netpbm: insecure temporary files
| Package(s): | netpbm |
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: |
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local attacker
to overwrite files with the privileges of the user invoking a vulnerable
netpbm tool. |
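The libtool and netpbm entries describe the same class of bug: a temporary file or directory created under a predictable name in a shared directory, which a local attacker can pre-create (typically as a symlink) so that the victim program's open() lands on a file the attacker chose. The C program below is an added illustration for both entries, not code from libtool, netpbm or their advisories. The file names, the fixed numeric suffix standing in for a pid read from ps, and the sandbox directory are all constructed for the demo, which runs entirely inside a private mkdtemp() directory and never touches the real /tmp.

```c
/* Added demonstration of a temp-file symlink race (not libtool/netpbm code).
 * Runs inside a private mkdtemp() sandbox so nothing outside it is touched. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE pattern: a guessable name, opened with flags that follow a
 * symlink planted there and truncate whatever it points at. */
int open_temp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* HARDENED pattern: fail if anything already exists at the path and never
 * follow a symlink. mkstemp(3)/mkdtemp(3) do this internally on a randomised
 * name, which is the idiomatic fix for shell scripts and tools alike. */
int open_temp_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Stages the race: a "victim" file the attacker wants clobbered and a symlink
 * at the predictable temp name pointing at it, then runs both open() variants.
 * Returns 1 if the insecure open emptied the victim, 0 if not, -1 on setup
 * failure. *secure_err receives the errno from the hardened open (EEXIST or
 * ELOOP expected), or 0 if it wrongly succeeded. */
int demo_symlink_race(int *secure_err)
{
    char sandbox[] = "/tmp/tmprace-XXXXXX";   /* mkdtemp template (constructed) */
    char victim[64], planted[64];
    int fd = -1, result = -1;

    *secure_err = 0;
    if (!mkdtemp(sandbox)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", sandbox);
    /* 4242 stands in for a pid the attacker read from ps: guessable */
    snprintf(planted, sizeof planted, "%s/tool.%d", sandbox, 4242);

    if (write_text(victim, "important data\n") != 0) goto cleanup;
    if (symlink(victim, planted) != 0) goto cleanup;  /* attacker moves first */

    fd = open_temp_insecure(planted);                 /* victim program runs */
    if (fd >= 0) close(fd);
    result = (file_size(victim) == 0);                /* truncated via the link? */

    fd = open_temp_secure(planted);                   /* hardened variant */
    *secure_err = (fd >= 0) ? 0 : errno;
    if (fd >= 0) close(fd);

cleanup:
    unlink(planted);
    unlink(victim);
    rmdir(sandbox);
    return result;
}

int main(void)
{
    int err = 0;
    int clobbered = demo_symlink_race(&err);
    printf("insecure open truncated the victim file: %s\n",
           clobbered == 1 ? "yes" : "no");
    printf("hardened open refused with: %s\n",
           err ? strerror(err) : "(it did not refuse)");
    return 0;
}
```

The same reasoning applies to directories: mkdir() on a predictable name fails if the attacker created it first, but a script that ignores that failure and proceeds to write into the attacker's directory is exactly what the libtool entry describes; mkdtemp(3) (or `mktemp -d` in shell) avoids the guessable name altogether.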
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2003-0252 |
| Created: | July 14, 2003 |
| Updated: | March 8, 2004 |
| Description: |
The Linux nfs-utils package contains a remotely exploitable off-by-one bug
in its xlog() logging routine. A local or remote attacker could exploit
this vulnerability by sending a specially crafted request to the rpc.mountd
daemon. See the BugTraq post for more details. |
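The nfs-utils entry names the routine but gives no code, so the program below is an added illustration, not nfs-utils' xlog.c, of one very common shape of a logging off-by-one: a message is formatted into a fixed buffer with vsnprintf(), and a newline plus terminator are appended afterwards without re-checking the bound. When the message fills or overfills the buffer, the terminator lands one byte past the end. Whether this is the precise mechanism of CAN-2003-0252 is not stated on the page. To observe the stray write without undefined behaviour, the harness hands each variant a backing array that is deliberately two bytes larger than the size it is told, with canary bytes after the logical end; the buffer size, function names and messages are all assumptions for the demo.

```c
/* Added illustration of a newline-append off-by-one (not nfs-utils code). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* BUGGY: after vsnprintf() fills the buffer, two more bytes are stored
 * unconditionally. With strlen == size-1 the '\n' lands on the last byte and
 * the '\0' one byte past the end. Returns bytes stored including terminator;
 * anything larger than size is an overrun. */
size_t log_line_buggy(char *buff, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t n;

    va_start(ap, fmt);
    vsnprintf(buff, size, fmt, ap);
    va_end(ap);

    n = strlen(buff);
    if (n > 0 && buff[n - 1] != '\n') {
        buff[n++] = '\n';       /* index size-1: still inside the buffer */
        buff[n++] = '\0';       /* index size:   one past the end */
    }
    return n;
}

/* FIXED: make room for the newline before storing it, sacrificing the last
 * character of an over-long message. Never stores beyond buff[size-1]. */
size_t log_line_fixed(char *buff, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t n;

    if (size == 0) return 0;
    va_start(ap, fmt);
    vsnprintf(buff, size, fmt, ap);
    va_end(ap);

    n = strlen(buff);
    if (n > 0 && buff[n - 1] != '\n') {
        if (n + 2 > size)       /* need room for '\n' and '\0' */
            n = size - 2;       /* drop the last character instead */
        buff[n++] = '\n';
        buff[n++] = '\0';
    }
    return n;
}

#define LOG_SIZE 16             /* logical buffer size told to the routines */

/* Runs one variant against a backing array two bytes larger than LOG_SIZE,
 * pre-filled with 0xAA canaries. Returns 1 if a canary past the logical end
 * was overwritten (an overrun), 0 if both are intact. If out is non-NULL the
 * resulting line is copied there. */
int overruns(size_t (*logfn)(char *, size_t, const char *, ...),
             const char *msg, char *out, size_t outlen)
{
    unsigned char backing[LOG_SIZE + 2];
    memset(backing, 0xAA, sizeof backing);
    logfn((char *)backing, LOG_SIZE, "%s", msg);
    if (out && outlen > 0)
        snprintf(out, outlen, "%s", (char *)backing);
    return backing[LOG_SIZE] != 0xAA || backing[LOG_SIZE + 1] != 0xAA;
}

int main(void)
{
    char line[32];
    printf("buggy, short message   -> overrun: %d\n",
           overruns(log_line_buggy, "short", NULL, 0));
    printf("buggy, 15-char message -> overrun: %d\n",
           overruns(log_line_buggy, "exactly fifteen", NULL, 0));
    printf("fixed, 15-char message -> overrun: %d, line: %s",
           overruns(log_line_fixed, "exactly fifteen", line, sizeof line), line);
    return 0;
}
```

Note that the buggy routine is harmless for every message shorter than size-1 bytes, which is why such bugs survive testing: only an attacker who can control the length of what gets logged, as a crafted mount request can, reaches the one boundary case.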
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
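The advisory quoted above says only that response timing reveals whether a user exists. The C program below is an added illustration of the pattern behind such oracles and of the usual fix; it is not OpenSSH or PAM code and does not reproduce the actual sshd bug. A toy iterated hash stands in for the expensive password check (it is not a real password hash), the account table is constructed, and instead of measuring wall-clock time, which is noisy, the program counts how many times the slow step ran for a known versus an unknown user. All names in it are assumptions for the demo.

```c
/* Added illustration of a user-enumeration timing oracle (not OpenSSH code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct account {
    const char *name;
    uint64_t    pw_hash;
};

/* Instrumentation: how many times the slow step ran. In a real system the
 * attacker observes this as response latency. */
static unsigned long g_slow_steps;

/* TOY stand-in for an expensive password hash (FNV-1a iterated 20000 times).
 * Not a real KDF; present only so the two code paths have a countable step. */
static uint64_t slow_hash(const char *pw)
{
    uint64_t h = 1469598103934665603ULL;
    g_slow_steps++;
    for (int round = 0; round < 20000; round++) {
        for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
            h ^= *p;
            h *= 1099511628211ULL;
        }
        h ^= (uint64_t)round;
    }
    return h;
}

/* Constant-time 64-bit equality: no data-dependent branch or early exit. */
static int ct_equal64(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (int)(1 ^ (d & 1));
}

/* Constructed account table with a single user. */
static struct account g_db[1] = { { "alice", 0 } };
static int g_db_ready;

static void db_init(void)
{
    if (!g_db_ready) {
        g_db[0].pw_hash = slow_hash("correct horse");
        g_db_ready = 1;
    }
}

static const struct account *lookup(const char *user)
{
    db_init();
    for (size_t i = 0; i < sizeof g_db / sizeof g_db[0]; i++)
        if (strcmp(g_db[i].name, user) == 0) return &g_db[i];
    return NULL;
}

/* LEAKY: an unknown user returns before the slow step, so a rejection for a
 * nonexistent account comes back measurably faster than a rejection for a
 * real account with a wrong password. */
int login_leaky(const char *user, const char *pw)
{
    const struct account *a = lookup(user);
    if (!a) return 0;
    return ct_equal64(slow_hash(pw), a->pw_hash);
}

/* UNIFORM: always run the slow step, against a dummy record when the user is
 * unknown, and fold the "user exists" bit in at the end. */
int login_uniform(const char *user, const char *pw)
{
    static const struct account dummy = { "", 0 };
    const struct account *a = lookup(user);
    const struct account *target = a ? a : &dummy;
    int match = ct_equal64(slow_hash(pw), target->pw_hash);
    return match & (a != NULL);
}

/* Runs one login attempt and reports how many slow steps it cost. */
unsigned long slow_steps_for(int (*login)(const char *, const char *),
                             const char *user, const char *pw)
{
    db_init();                  /* table setup is not part of the measurement */
    g_slow_steps = 0;
    (void)login(user, pw);
    return g_slow_steps;
}

int main(void)
{
    printf("leaky:   known user -> %lu slow step(s), unknown user -> %lu\n",
           slow_steps_for(login_leaky, "alice", "wrong"),
           slow_steps_for(login_leaky, "mallory", "wrong"));
    printf("uniform: known user -> %lu slow step(s), unknown user -> %lu\n",
           slow_steps_for(login_uniform, "alice", "wrong"),
           slow_steps_for(login_uniform, "mallory", "wrong"));
    return 0;
}
```

The step count is a proxy: a zero-versus-one difference in the expensive operation is what an attacker turns into a latency histogram over a few hundred probes. The uniform variant is the shape of the fix generally adopted for this class of bug, doing identical work whether or not the account exists and only then deciding the outcome.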
perl information leak
| Package(s): | perl |
| CVE #(s): | CAN-2003-0618 |
| Created: | February 2, 2004 |
| Updated: | April 21, 2004 |
| Description: |
Paul Szabo discovered a number of bugs in suidperl, a helper program for
running perl scripts with setuid privileges. By exploiting these bugs, an
attacker could abuse suidperl to learn information about files (such as
whether they exist and some of their permissions) that should not be
accessible to unprivileged users. |
PHP setting leaks from .htaccess files on virtual hosts
| Package(s): | php |
| CVE #(s): | |
| Created: | February 9, 2004 |
| Updated: | February 11, 2004 |
| Description: |
If the server-wide "php.ini" has "register_globals = on", a request is made
to one virtual host which overrides that with "php_admin_flag
register_globals off", and the next request handled by the same Apache
child goes to another virtual host which does not set the flag, the setting
from the first request persists into the second: per-host settings leak
between virtual hosts.
Depending on the server and site, an attacker may be able to exploit
global variables to gain access to reserved areas, such as MySQL passwords,
or the leaked setting may simply break functionality. Users are urged to
upgrade their PHP installations. |
postfix: denial of service vulnerabilities
| Package(s): | postfix |
| CVE #(s): | CAN-2003-0468, CAN-2003-0540 |
| Created: | August 5, 2003 |
| Updated: | May 27, 2004 |
| Description: |
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two
remotely exploitable denial of service vulnerabilities; see the advisory
from Michal Zalewski for details. |