LWN.net Weekly Edition for February 26, 2004

FOSDEM 2004 trip report

Your editor was once told by a free software conference organizer that charging a registration fee was mandatory; without the fee, potential attendees would not take the event seriously and would not show up. The Free and Open Source Developers' European Meeting (FOSDEM) shows that this view does not always match up to reality. Perhaps uniquely among major Linux events, FOSDEM charges no registration fee, and, indeed, dispenses with the registration process altogether. That did not stop some 2000 people from showing up last weekend and packing the lecture halls to a level that would have sent a U.S. fire marshal into a complete panic. FOSDEM, clearly, is a successful event.

FOSDEM is organized in a way which is well described by its name: it is a meeting of developers. As such, it features a series of talks which are likely to be of interest to the development community and a distinct lack of presentations on how to configure the print system or on how Linux will leverage your business paradigm shifts into the next generation. Additionally, a set of "developer rooms" was occupied by various projects and interest groups (Debian, KDE, embedded Linux, Tcl, etc.). Each of those rooms was a place to gather, and most put up their own schedules of talks as well. Throw in a (problematic) wireless network, a beautiful city with no shortage of good food and beer, and support from a set of sponsors, and you have all the makings of a free software conference with a distinctly European flavor.

Keynote speaker Tim O'Reilly told the gathering that, while it is clear that free software is changing the computing industry, nobody, least of all the free software community, knows how. He pointed out that there are already user-friendly Linux-based desktop applications which are used by millions of people; they go by names like Google, Amazon, and Yahoo. These companies are building massive proprietary applications with free software, and, in many cases, giving little back. Tim would like to see free software developers think more about the use of their code in web application settings. He is also concerned about the implications of the large databases being created by these companies; those databases, too, are proprietary, and they can pose serious privacy threats. Do we, asks Tim, need a "web services bill of rights" which is analogous to the licenses which accompany free software?

Tim was immediately followed by Richard Stallman, who gave a fairly predictable talk about the importance of freedom, "Linux" and "GNU/Linux," etc. The freedom issues are important, but will be familiar to most readers of LWN. More amusing, perhaps, was the final part of the talk, where Richard addressed charges that he adopts a "holier than thou" attitude. Says Richard: "It's my job to be holy, I'm a saint." He then donned his disk platter halo and proclaimed himself to be Saint Ignucius of the Church of Emacs. Anybody can be a saint in this church, it seems; all that is required is (1) to free your computers of all proprietary software, and (2) make the profession of faith: "There is no operating system but GNU, and Linux is one of its kernels." (In the same humorous vein, Richard proclaimed that use of vi is not a sin according to the Church of Emacs; it is, instead, a penance).

Richard did also address the web services issue. He is not concerned about companies like Google failing to share their own code; what Google runs on its servers is its own business, and has nothing to do with anybody else's freedom. He is concerned about data stored on other people's servers; his response is to not keep his data there. Richard allowed as to how there could be freedom issues with web services, but he does not see those as free software issues in particular. One gets the impression he thinks he has taken on a big enough fight as it is; web services will be somebody else's problem.

There have been persistent rumors that a third revision of the General Public License would require that changes to code which are deployed in public web services be released. When questioned about this idea, Richard did not have much to say; there has been little time to work on such ideas, apparently, though that could change soon. He did mention the possibility of a "download source" clause. With this clause, the author of web-oriented software could include a "download source" link which would do exactly that. An optional license feature would require those deploying that code to retain the source download capability - and to ensure that it provides the source for the actual, deployed application. It is hard to see such an intrusive license winning a lot of followers.

The final keynote speaker was, inevitably, Jon 'maddog' Hall. Maddog talks resemble sitting in front of the fire with Grandpa and hearing his stories from before you were born. The stories are interesting, well told, and fun, but after a while you realize you've heard most of them before. You're always there when Grandpa tells another set of stories, however.

Keith Packard gave a heavily-attended talk on the future of the X server. In order to support many of the visually pleasing features envisioned for the future Linux desktop, some fundamental server changes will be required. In the new scheme, X clients no longer draw directly into the frame buffer; instead, they draw into off-screen memory which is then combined, under the control of a new "composition manager" process, into the screen seen by the users. Keith demonstrated some of his "eye candy" work which showed (1) how slick the Linux desktop can be, and (2) how slow it can be when all of this work is done in software.

In the future, Keith sees the X server moving into a fundamentally three-dimensional mode and speaking GL directly to the low-level graphics drivers. Many 3D applications will also be able to send GL directly to the hardware, and bypass the X server altogether. The current crop of two-dimensional applications will be handled in a compatibility mode. This change would pave the way for a new generation of 3D Linux applications, improve performance greatly, and would make vendor support easier; most video card vendors stopped wanting to deal with 2D modes years ago.

Keith also addressed the political issues currently being faced by the X community; see Zonker's article (below) for more information on that side of things.

LWN editor Jonathan Corbet presented two talks at FOSDEM; the slides from those talks are now available. The first was a variant on the "2.6 kernel changes from the inside" talk which has been presented at other events. Making its debut at FOSDEM was "kobjects, ksets, and ktypes: the device model from the bottom up," a low-level technical tutorial on the glue which holds the 2.6 device model together.

Other presentations seen by your editor include Robert Love on providing better support for the Linux desktop in the kernel (it is a good thing some developers are finally seeing this support as an important priority), Bill Haneman showing the features of the GNOME Onscreen Keyboard, Hans Reiser on the underpinnings of the Reiser4 filesystem, and an interesting developer room session on hacking into embedded Linux systems. There was far more going on than any one person could possibly see; FOSDEM is an event which truly showcases the vitality of the free software development community. It is not surprising that attendance has been growing strongly every year; this is one event which may have to find a larger venue for 2005.

X11: Where do we go from here?

February 25, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

The XFree86 license change announced by the XFree86 project has caused a great deal of fuss in the development community. One month later, the new shape of things is beginning to come into focus. Unless something happens in the near future, the XFree86 Project's time as the custodian of the X Window System has come to an end, but X development will continue in a new home.

Ostensibly, the new license was to be applied as of the third XFree86 4.4.0 release candidate, but, according to longtime X developer Keith Packard, project leader David Dawes first checked in code under the license last September and updated the list of XFree86 licenses to include the license without any prior notice. Then the announcement that the new license was to be the "official" license for code copyrighted by the XFree86 Project was made by David Dawes at the end of January. The new license does not affect all code distributed by XFree86, but it touches enough code to create a major backlash among vendors and projects that are using and distributing XFree86.

The new license is a valid open source license, but it is a BSD-style license with an "advertising clause" that many find objectionable. The license is not GPL-compatible, which some say is a sure way to make a project irrelevant. Criticism of the new license is not limited to advocates of the GPL, however. It also seems to offend some ardent supporters of the BSD license, including Theo de Raadt:

Like other projects, we will not be incorporating new code from David Dawes into the XFree86 codebase used in OpenBSD. All such changes have to be skipped, rewritten, or you can contact the XFree86 group and place your own efforts to repair this damage.

This leaves the community at an impasse. With XFree86 sticking to the new license, and a large number of projects rejecting said license, other solutions must be sought. In the short term, many projects and vendors are planning on shipping XFree86 4.3 rather than using 4.4. Frederic Lepied, CTO of MandrakeSoft, says that Mandrake has reverted to XFree86 4.3 for the short term. Joseph Eckert, VP of corporate communications for SUSE, also confirms that SUSE will not be utilizing code licensed under the XFree86 1.1 license.

However, utilizing an older version of XFree86 is not a long-term solution. Daniel Stone, a Debian Developer, is one of many predicting a fork of the project to solve the long-term issues:

More than ever before, XFree86 has backed itself into a hole. The challenge now lies with the community to dig X out of the hole it's now in. Unfortunately, as kdrive and other solutions are not yet mature enough, it is my firm belief that this will only come about through a fork of XFree86. Sad, especially when you consider that that's how XFree86 came about; X.Org relicensed X, XFree86 got upset, and forked. We may be about to watch just a little bit of history repeating.

Keith Packard made it clear at FOSDEM that he believes this fork has already taken place; it was done by David Dawes when he changed the license. So now the "trunk" development effort is moving to freedesktop.org. According to Packard:

X.org and various Linux vendors are busy putting together a copy of the XFree86 sources from before the license change and are planning on making that available for developers to work on in producing X releases in the traditional fashion -- a monolithic release of the entire tree. The goal of this process is to ensure continuity of the window system implementation and allow people to get an X server capable of supporting more recent hardware.

Packard also says that the freedesktop.org folks are working on improvements to the X architecture:

A related project that we're also working on is to take the monolithic X build architecture and split it into pieces. Libraries, fonts, servers and applications will be released separately. Periodically, released versions of the individual packages will be collected together and bundled as a unified release. The goal is to promote rapid development of some portions of the system (like video drivers) without requiring a rapid release schedule for the entire project.

As Stone said, we may be watching history repeat itself. Barring a change of heart on the part of the XFree86 Project, it seems that projects and vendors making use of XFree86 will be looking elsewhere. The question is whether or not vendors will unify behind an X Window System produced by freedesktop.org, or another group -- or if the fork ends up creating several splinter projects. With X.org and several of the key developers behind it, freedesktop.org looks well placed to become the new home of X development.

On Orkut

Some weeks ago, your editor was invited to join the Orkut service. Having never played with a "friend of a friend" service before, your editor found the experience to be naturally gratifying. After all, a system which inspires others to make public declarations of friendship cannot fail to delight such a stereotypical, socially challenged, geekish sort of person. It's nice to know that somebody likes you after all, even if you can never aspire to the triple-digit circles of friends that the truly cool people have.

That said, the free software community may want to think before committing too much to services like Orkut. A good look at the Orkut terms of service would be a place to start. It includes some relatively interesting things, such as prohibitions on reverse engineering and even (surprising, for a Google-affiliated site) indexing the site. The truly fun language, however, is:

By submitting, posting or displaying any Materials on or through the orkut.com service, you automatically grant to us a worldwide, non-exclusive, sublicenseable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, publicly perform and display such Materials.

So this site which, among other things, is supposed to facilitate business networking claims the right to make use of any idea which any user might post there. These terms may seem familiar: Microsoft attempted to get Passport users to agree to something similar three years ago. The company backed down after a public outcry; so far, however, Orkut users have been rather more accommodating.

There is a more fundamental question to be asked, however: if we, as a community, really want to document our associations, interests, sexual orientation, editor preferences, etc., do we really want to do so in somebody else's proprietary database? Social networks seem like a field in need of a great deal of experimentation; few people would claim that the best ways to aggregate, represent, and work with such data have already been worked out. If we're going to create a social network database, we should be doing so in a public manner that will allow free software hackers to play around with interesting new applications. We would almost certainly be surprised at what they would come up with.

One effort worth looking at is the FOAF Project. Rather than create a central, proprietary, indexing-prohibited database, this project is pushing for a distributed database built on individual RDF files. Such a scheme puts each participant in charge of their own data while making the whole network available for those who would create interesting interfaces to it. This project shows one approach to the creation of social network databases which avoids the problems of proprietary databases and restrictive terms of use. Doubtless there are others out there as well. We, as a community, do not need to put our time into the creation of somebody else's proprietary database; we can do better than that.

Page editor: Jonathan Corbet

Security

Security news

The trouble with backporting fixes

Most Linux distributors, as a matter of standard procedure, do not fix security problems by upgrading their users to the latest version of the affected program. Instead, the specific fix is painstakingly backported to whatever version was originally shipped, and a minimally disruptive (one hopes) update is released. This approach does help protect users from dealing with new issues caused by unplanned software upgrades, but it poses some risks as well.

Consider, for example, this notice sent out to users of Solar Designer's Openwall Linux. On the topic of the recently discovered mremap() vulnerability (the second such), it states:

Luckily, Linux 2.4.23-ow2 and 2.4.24-ow1 are not affected as these patches already included a kernel bug fix which was later determined to be security-critical and needed to avoid this second mremap(2) system call vulnerability. In fact, it's the exact same fix which went into Linux 2.4.25.

We asked Solar how it was that his patch, which fixed the problem long before it was reported, was not more widely distributed. His response was that he had sent a patch around, but most distributors did not see at the time that the bug had security implications, so they left it out in order to distribute a minimal fix for the first mremap() problem. By insisting on a minimal patch, the distributors left their users open to another vulnerability, and forced them to deal with yet another security update shortly thereafter.

The free software community, in fact, has a long history of bug fixes which, at some later point, turn out to close a security hole. Certain members of the black hat community spend a lot of time digging through changelogs looking for just this sort of problem. Some of them have a true gift for seeing vulnerabilities where the original developers see only bugs. For these people, software changelogs are a roadmap of potentially exploitable bugs known to exist on most deployed Linux systems.

Few system administrators enjoy being forced to upgrade a package in a hurry. They have learned through hard experience that such upgrades can introduce no end of problems and make a serious dent in their weekend beer-drinking time. In the end, however, we may be forced to face a simple fact: any bug may potentially have security implications. It may be that the Fedora Project has the right idea: when a security hole must be closed, that should be done by upgrading the whole package to the current version. Relatively young software and the new and unknown bugs it is certain to have may turn out to be safer than staying with an older version, which has old and well-documented bugs.

New vulnerabilities

hsftp - format string vulnerability

Package(s): hsftp    CVE #(s): CAN-2004-0159
Created: February 23, 2004    Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a format string vulnerability in hsftp. This vulnerability could be exploited by an attacker able to create files on a remote server with carefully crafted names, to which a user would connect using hsftp. When the user requests a directory listing, particular bytes in memory could be overwritten, potentially allowing arbitrary code to be executed with the privileges of the user invoking hsftp. Note that while hsftp is installed setuid root, it only uses these privileges to acquire locked memory, and then relinquishes them.
Alerts:
Debian DSA-447-1 2004-02-22

lbreakout2 buffer overflow

Package(s): lbreakout2    CVE #(s): CAN-2004-0158
Created: February 23, 2004    Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a vulnerability in lbreakout2, a game, where proper bounds checking was not performed on environment variables. This bug could be exploited by a local attacker to gain the privileges of group "games".
Alerts:
Debian DSA-445-1 2004-02-21

synaesthesia - insecure file creation

Package(s): synaesthesia    CVE #(s): CAN-2004-0160
Created: February 23, 2004    Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a vulnerability in synaesthesia, a program which represents sounds visually. synaesthesia created its configuration file while holding root privileges, allowing a local user to create files owned by root and writable by the user's primary group. This type of vulnerability can usually be easily exploited to execute arbitrary code with root privileges by various means.
Alerts:
Debian DSA-446-1 2004-02-21
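
The synaesthesia bug above is the classic setuid mistake of creating a user's file while still holding root's credentials. The following C program is an added example, not synaesthesia's code: it shows the defensive pattern of switching to the invoking user's real uid/gid before creating the per-user file, creating it exclusively without following symlinks, and then verifying what was created; the helper names and the temporary-directory demo are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a per-user config file as the invoking user, not as the setuid-root
 * effective user.  Returns an fd, or -1 with errno set.
 * Hypothetical helper written for this example. */
int open_user_config(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    int fd, saved_errno;

    /* Drop the group id first: once the effective uid is no longer root,
     * changing the effective gid would be refused. */
    if (setegid(rgid) != 0 || seteuid(ruid) != 0)
        return -1;

    /* O_EXCL refuses to reuse a pre-existing file and O_NOFOLLOW refuses a
     * symlink, so a link planted by another local user cannot redirect the
     * creation elsewhere.  Mode 0600 keeps the file private to its owner. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    saved_errno = errno;

    /* Regain the saved privileges only if the program genuinely still needs
     * them; dropping them for good (as the hsftp entry above describes) is
     * the safer choice where possible. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        saved_errno = errno;
        if (fd >= 0)
            close(fd);
        errno = saved_errno;
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Check that an open config file is a regular file owned by the caller's
 * real uid with no group or other permission bits.  Returns 1 if so. */
int config_owned_by_caller(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid()
        && (st.st_mode & 077) == 0;
}

/* End-to-end demonstration in a private temporary directory (constructed for
 * this example): create the file, verify it, and confirm that a second
 * creation attempt is refused with EEXIST.  Returns 1 on success, else 0. */
int demo_create_config(void)
{
    char dir[] = "/tmp/synaesthesia-demo-XXXXXX";
    char path[sizeof dir + 16];
    int fd, again, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/config", dir);

    fd = open_user_config(path);
    if (fd >= 0) {
        ok = config_owned_by_caller(fd);
        close(fd);
        /* O_EXCL must reject the existing file rather than reopen it. */
        again = open_user_config(path);
        if (again != -1) {
            close(again);
            ok = 0;
        } else if (errno != EEXIST) {
            ok = 0;
        }
    }
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    int ok = demo_create_config();
    printf("per-user config creation %s\n", ok ? "OK" : "FAILED");
    return ok ? 0 : 1;
}
```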

Updated vulnerabilities

CUPS: denial of service

Package(s): CUPS    CVE #(s): CAN-2003-0788
Created: November 3, 2003    Updated: March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Red Hat RHSA-2003:275-01 2003-11-03
Mandrake MDKSA-2003:104 2003-11-05
Conectiva CLA-2003:779 2003-11-07
SCO Group CSSA-2004-012.0 2004-03-03

PWLib: possible Denial of Service

Package(s): PWLib    CVE #(s): CAN-2004-0097
Created: February 13, 2004    Updated: April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.

A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.

Alerts:
Red Hat RHSA-2004:048-01 2004-02-13
Red Hat RHSA-2004:047-01 2004-02-18
Whitebox WBSA-2004:047-01 2004-02-18
Debian DSA-448-1 2004-02-22
Fedora FEDORA-2004-078 2004-03-02
Mandrake MDKSA-2004:017 2004-03-03
Gentoo 200404-11 2004-04-09

Multiple-use vulnerability in Safe.pm

Package(s): Safe.pm    CVE #(s): CAN-2002-1323
Created: October 9, 2002    Updated: February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

XFree86: buffer overflow

Package(s): XFree86    CVE #(s): CAN-2004-0083 CAN-2004-0084 CAN-2004-0106
Created: February 11, 2004    Updated: February 23, 2004
Description: The XFree86 code which reads "fonts.alias" files suffers from a buffer overflow which may be turned into a local root exploit; see this advisory for details.
Alerts:
Gentoo 200402-02 2004-02-11
Slackware SSA:2004-043-02 2004-02-12
Immunix IMNX-2004-73-002-01 2004-02-12
Red Hat RHSA-2004:059-01 2004-02-13
Red Hat RHSA-2004:060-01 2004-02-13
Mandrake MDKSA-2004:012 2004-02-14
Fedora FEDORA-2004-069 2004-02-13
Red Hat RHSA-2004:061-01 2004-02-13
Whitebox WBSA-2004:061-01 2004-02-17
Conectiva CLA-2004:821 2004-02-20
Debian DSA-443-1 2004-02-19
SuSE SuSE-SA:2004:006 2004-02-23

apache2: Denial of Service vulnerability

Package(s): apache2    CVE #(s):
Created: September 29, 2003    Updated: March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Mandrake MDKSA-2003:096 2003-09-26
Mandrake MDKSA-2003:096-1 2003-10-24
Netwosix NW-2004-0006 2004-03-25
Gentoo 200403-04 2004-03-22

bind: cache poisoning

Package(s): bind    CVE #(s): CAN-2003-0914
Created: November 26, 2003    Updated: February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.
Alerts:
EnGarde ESA-20031126-031 2003-11-26
Immunix IMNX-2003-7+-024-01 2003-10-27
Trustix 2003-0044 2003-11-27
SuSE SuSE-SA:2003:047 2003-11-28
Debian DSA-409-1 2004-01-05
SCO Group CSSA-2004-003.0 2004-02-19

cgiemail vulnerability allows unauthorized mail relaying

Package(s): cgiemail    CVE #(s): CAN-2002-1575
Created: February 12, 2004    Updated: February 18, 2004
Description: A vulnerability in cgiemail, a CGI program, allows mail to be sent to arbitrary addresses, making the host capable of generating spam. New cgiemail packages fix open mail relaying.
Alerts:
Debian DSA-437-1 2004-02-11

elm: vulnerability in frm command

Package(s): elm    CVE #(s): CAN-2003-0966
Created: February 13, 2004    Updated: February 18, 2004
Description: Elm is a terminal mode email user agent. The frm command is provided as part of the Elm packages and gives a summary list of the sender and subject of selected messages in a mailbox or folder.

A buffer overflow vulnerability was found in the frm command. An attacker could create a message with an overly long Subject line such that, when the frm command is run by a victim, arbitrary code is executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0966 to this issue.

Alerts:
Whitebox WBSA-2004:009-01 2004-02-12

Filename disclosure vulnerability in fam

Package(s): fam    CVE #(s): CAN-2002-0875
Created: August 19, 2002    Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

fetchmail may crash on specially crafted message

Package(s): fetchmail    CVE #(s): CAN-2003-0792
Created: October 16, 2003    Updated: April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
Mandrake MDKSA-2003:101 2003-10-16
Slackware SSA:2003-300-02 2003-10-22
SCO Group CSSA-2004-004.0 2004-02-19
Netwosix NW-2004-0002 2004-02-20
Gentoo 200403-10 2004-03-30
OpenPKG OpenPKG-SA-2004.012 2004-04-08

fileutils/wu-ftpd: denial of service

Package(s): fileutils    CVE #(s): CAN-2003-0854
Created: October 22, 2003    Updated: March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
Conectiva CLA-2003:768 2003-10-22
Conectiva CLA-2003:771 2003-10-24
Immunix IMNX-2003-7+-026-01 2003-10-31
Red Hat RHSA-2003:309-01 2003-11-03
Mandrake MDKSA-2003:106 2003-11-12
Trustix 2003-0042 2003-11-15
SCO Group CSSA-2004-006.0 2004-03-01

GnuPG: ElGamal signing keys compromised

Package(s): gnupg    CVE #(s): CAN-2003-0971
Created: November 28, 2003    Updated: March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
Mandrake MDKSA-2003:109 2003-11-28
SuSE SuSE-SA:2003:048 2003-12-03
Conectiva CLA-2003:798 2003-12-09
Red Hat RHSA-2003:390-01 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Fedora FEDORA-2003-025 2003-12-10
Gentoo 200312-05 2003-12-12
Debian DSA-429-1 2004-01-26
Debian DSA-429-2 2004-02-13
SCO Group CSSA-2004-009.0 2004-03-02

gtkhtml: malformed messages cause crash

Package(s): gtkhtml    CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003    Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug in its handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

iproute: local denial of service

Package(s): iproute net-tools    CVE #(s): CAN-2003-0856
Created: November 25, 2003    Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Red Hat RHSA-2003:316-01 2003-11-24
Gentoo 200404-10 2004-04-09
Debian DSA-492-1 2004-04-18
Fedora FEDORA-2004-115 2004-05-11
Fedora FEDORA-2004-154 2004-06-03
Mandrake MDKSA-2004:148 2004-12-13

kdepim: VCF file information reader vulnerability

Package(s): kdepim    CVE #(s): CAN-2003-0988
Created: January 15, 2004    Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Red Hat RHSA-2004:006-01 2004-01-07
Mandrake MDKSA-2004:003 2004-01-14
Slackware SSA:2004-014-01 2004-01-14
Conectiva CLA-2004:810 2004-01-20
Whitebox WBSA-2004:005-01 2004-02-12
Gentoo 200404-02 2004-04-06
Fedora FEDORA-2004-133 2004-05-19

kernel: local root exploit

Package(s): kernel    CVE #(s): CAN-2003-0961 CAN-2003-0985 CAN-2004-0077
Created: February 18, 2004    Updated: March 8, 2004
Description: Another vulnerability has been found in the 2.4.24 and 2.6.2 mremap() system call; once again, this hole can be exploited by a local user to obtain root access. See this advisory from Paul Starzetz for details.
Alerts:
Debian DSA-440-1 2004-02-18
Debian DSA-439-1 2004-02-18
Red Hat RHSA-2004:065-01 2004-02-18
Debian DSA-438-1 2004-02-18
Slackware SSA:2004-049-01 2004-02-18
Trustix 2004-0007 2004-02-18
Debian DSA-441-1 2004-02-18
Fedora FEDORA-2004-079 2004-02-18
Red Hat RHSA-2004:069-01 2004-02-18
SuSE SuSE-SA:2004:005 2004-02-18
Fedora FEDORA-2004-080 2004-02-18
Red Hat RHSA-2004:066-01 2004-02-19
Conectiva CLA-2004:820 2004-02-20
Debian DSA-444-1 2004-02-20
Whitebox WBSA-2004:066-01 2004-02-19
Netwosix NW-2004-0003 2004-02-20
Trustix 2004-0008 2004-02-23
Mandrake MDKSA-2004:015 2004-02-24
Mandrake MDKSA-2004:015-1 2004-02-25
Immunix IMNX-2004-7+-001-01 2004-02-26
Debian DSA-450-1 2004-02-27
Debian DSA-453-1 2004-03-02
Debian DSA-454-1 2004-03-02
Fedora-Legacy FLSA:1284 2004-03-02
Debian DSA-456-1 2004-03-06
Gentoo 200403-02 2004-03-06

kernel: local root exploit in 2.4.22

Package(s): kernel    CVE #(s): CAN-2003-0961
Created: December 1, 2003    Updated: April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and earlier. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-403-1 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Trustix 2003-0046 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Slackware SSA:2003-336-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Red Hat RHSA-2003:389-01 2003-12-01
Yellow Dog YDU-20031203-1 2003-12-03
SuSE SuSE-SA:2003:049 2003-12-04
Gentoo 200312-02 2003-12-04
Conectiva CLA-2003:796 2003-12-05
Red Hat RHSA-2003:368-01 2003-12-19
Debian DSA-423-1 2004-01-15
Debian DSA-433-1 2004-02-04
Debian DSA-442-1 2004-02-19
Debian DSA-470-1 2004-04-01
Debian DSA-475-1 2004-04-05

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net
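The advisory's workaround is a one-off chmod; the check a practitioner wants is a way to find every setuid or setgid file and spot the ones that should not be privileged. The script below is an added example, not code from Red Hat or the kernel-utils package: it audits a directory tree against an allowlist of expected privileged binaries and applies the same `chmod -s` fix. The allowlist, the constructed /usr/bin tree in `demo`, and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory): audit setuid/setgid files
# against an allowlist so an unexpectedly privileged helper such as uml_net
# stands out. The allowlist and the demo tree are constructed for illustration.

# has_setuid FILE: succeed (exit 0) if FILE carries the setuid bit.
has_setuid() {
    [ -u "$1" ]
}

# has_setgid FILE: succeed if FILE carries the setgid bit.
has_setgid() {
    [ -g "$1" ]
}

# list_privileged DIR: print every regular file under DIR that is setuid or setgid.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_privileged DIR ALLOWLIST: print privileged files under DIR whose
# basename is not listed (one name per line) in ALLOWLIST.
unexpected_privileged() {
    dir=$1
    allow=$2
    list_privileged "$dir" | while IFS= read -r f; do
        name=${f##*/}
        if ! grep -qxF -- "$name" "$allow"; then
            printf '%s\n' "$f"
        fi
    done
}

# drop_setuid FILE: the advisory's workaround (chmod -s), then verify it took.
drop_setuid() {
    chmod u-s,g-s "$1" && ! has_setuid "$1" && ! has_setgid "$1"
}

# Demonstration on a constructed tree; no real system binaries are touched.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin"
    printf '#!/bin/sh\n' > "$root/usr/bin/uml_net"
    printf '#!/bin/sh\n' > "$root/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$root/usr/bin/ls"
    chmod 4755 "$root/usr/bin/uml_net" "$root/usr/bin/passwd"   # both setuid
    chmod 755 "$root/usr/bin/ls"
    printf 'passwd\n' > "$root/allow.txt"                         # only passwd is expected
    unexpected_privileged "$root/usr/bin" "$root/allow.txt"       # reports uml_net
    drop_setuid "$root/usr/bin/uml_net"
    unexpected_privileged "$root/usr/bin" "$root/allow.txt"       # reports nothing
    rm -rf "$root"
}

demo
```

On a real host, run `unexpected_privileged /usr/bin /etc/setuid-allowlist` (the allowlist path is whatever you maintain) and treat every line it prints the way the advisory treats uml_net: either the package update removes the bit, or `drop_setuid` does.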

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2003-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

libtool - Insecure handling of temporary files

Package(s):libtool CVE #(s):
Created:February 5, 2004 Updated:March 8, 2004
Description: GNU libtool consists of a set of shell scripts used to build shared libraries.

Joseph S. Myers and Stefan Nordhausen independently found a vulnerability in the way the ltmain.sh script (which is part of the libtool package) creates temporary directories for its use.

A local attacker could exploit this vulnerability to change/delete arbitrary files in the system on behalf of the user who is calling the script. The vulnerability has been fixed in the 1.5.2 version of libtool.

Alerts:
Conectiva CLA-2004:811 2004-02-05
OpenPKG OpenPKG-SA-2004.004 2004-03-08

Comments (none posted)

mailman: cross-site scripting vulnerabilities

Package(s):mailman CVE #(s):CAN-2003-0965 CAN-2003-0992
Created:February 6, 2004 Updated:March 5, 2004
Description: Dirk Mueller discovered a cross-site scripting bug in the admin interface in versions of Mailman 2.1 before 2.1.4. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0965 to this issue.

A cross-site scripting bug in the 'create' CGI script affects versions of Mailman 2.1 before 2.1.3. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0992 to this issue.

Alerts:
Red Hat RHSA-2004:020-01 2004-02-05
Debian DSA-436-1 2004-02-08
Debian DSA-436-2 2004-02-21
Fedora FEDORA-2004-060 2004-03-04

Comments (none posted)

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Red Hat RHSA-2004:019-01 2004-02-09
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:156-01 2004-04-14
Conectiva CLA-2004:842 2004-05-25

Comments (1 posted)

mc: arbitrary code execution

Package(s):mc CVE #(s):CAN-2003-1023
Created:January 16, 2004 Updated:April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander.
Alerts:
Debian DSA-424-1 2004-01-16
Red Hat RHSA-2004:034-01 2004-01-19
Mandrake MDKSA-2004:007 2004-01-26
Red Hat RHSA-2004:035-01 2004-01-19
Fedora FEDORA-2004-058 2004-02-09
Whitebox WBSA-2004:035-01 2004-02-12
SCO Group CSSA-2004-014.0 2004-03-25
Conectiva CLA-2004:833 2004-03-31
Gentoo 200403-09 2004-03-29
OpenPKG OpenPKG-SA-2004.009 2004-04-05

Comments (none posted)

metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Red Hat RHSA-2004:073-01 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Mandrake MDKSA-2004:014 2004-02-18
Debian DSA-449-1 2004-02-24
Gentoo 200405-17 2004-05-21

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Software Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query string. Mod_python 2.7.9 was released to fix the vulnerability; because that fix turned out to be incomplete, version 2.7.10 has since been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Gentoo 200401-03 2004-01-27
Red Hat RHSA-2004:063-01 2004-02-26
Red Hat RHSA-2004:058-01 2004-02-26
Debian DSA-452-1 2004-02-29
Whitebox WBSA-2004:058-01 2004-03-01
Conectiva CLA-2004:837 2004-04-12
Fedora-Legacy FLSA:1325 2004-10-03

Comments (none posted)

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
Conectiva CLA-2003:781 2003-11-12
Debian DSA-435-1 2004-02-06
SCO Group CSSA-2004-002.0 2004-02-19

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Debian DSA-411-1 2004-01-05
Gentoo 200503-34 2005-03-28

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Gentoo 200309-15 2003-09-27
Mandrake MDKSA-2003:097 2003-09-30
Conectiva CLA-2003:760 2003-10-06
Gentoo 200403-13 2004-03-31
Mandrake MDKSA-2004:026 2004-04-05

Comments (none posted)

mutt: buffer overflow

Package(s):mutt CVE #(s):CAN-2004-0078
Created:February 11, 2004 Updated:March 26, 2004
Description: mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details.
Alerts:
Fedora FEDORA-2004-061 2004-02-11
Red Hat RHSA-2004:050-01 2004-02-11
Red Hat RHSA-2004:051-01 2004-02-11
Slackware SSA:2004-043-01 2004-02-12
Mandrake MDKSA-2004:010 2004-02-11
Whitebox WBSA-2004:050-01 2004-02-12
Trustix 2004-0006 2004-02-13
Netwosix NW-2004-0001 2004-02-16
OpenPKG OpenPKG-SA-2004.005 2004-03-09
SCO Group CSSA-2004-013.0 2004-03-25

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
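The libtool entry above and this netpbm entry describe the same class of bug: a temporary path that a local attacker can predict and pre-create, so that the victim's writes land wherever the attacker chose. The script below is an added example, not code from libtool's ltmain.sh or from netpbm: it shows the predictable-name pattern with its failure ignored, the `mktemp -d` replacement, and a post-condition check a script can run before trusting a directory. The tool name, the `BASE/TOOL-$PID` naming scheme and the attacker setup in `demo` are assumptions for illustration, not the exact paths either package used.

```shell
#!/bin/sh
# Added example (not from libtool or netpbm): predictable temporary directory
# creation beside a safe version. Names and layout are constructed for the demo.

# insecure_tmpdir BASE TOOL: the classic mistake. The name is predictable (tool
# name plus PID) and the mkdir failure is ignored, so whatever already sits at
# that path, an attacker-owned directory or a symlink, is used as if it were ours.
insecure_tmpdir() {
    d="$1/$2-$$"
    mkdir "$d" 2>/dev/null || :      # failure ignored: this is the bug
    printf '%s\n' "$d"
}

# secure_tmpdir BASE TOOL: mktemp -d atomically creates a fresh directory with
# an unpredictable name and mode 0700, and fails instead of reusing an existing one.
secure_tmpdir() {
    d=$(mktemp -d "$1/$2.XXXXXX") || return 1
    printf '%s\n' "$d"
}

# tmpdir_is_safe DIR: the post-condition to verify before writing into DIR:
# a real directory (not a symlink), owned by the caller, not group/world writable.
tmpdir_is_safe() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    # Positional parameters become: dir, mode string, link count, owner, ...
    set -- "$1" $(ls -ld "$1")
    [ "$4" = "$(id -un)" ] || return 1
    case $2 in
        ?????w*|????????w*) return 1 ;;   # group write (col 6) or other write (col 9)
    esac
    return 0
}

# Demonstration: the attacker guesses the victim's PID and plants a symlink at
# the predictable name; the insecure helper follows it, the secure one does not.
demo() {
    base=$(mktemp -d) || return 1
    attacker="$base/attacker"
    mkdir "$attacker"
    ln -s "$attacker" "$base/tool-$$"
    d=$(insecure_tmpdir "$base" tool)
    echo secret > "$d/out"
    [ -f "$attacker/out" ] && echo "insecure: output landed in $attacker/out"
    tmpdir_is_safe "$d" || echo "insecure: $d fails the safety check"
    s=$(secure_tmpdir "$base" tool)
    tmpdir_is_safe "$s" && echo "secure: $s is a fresh private directory"
    rm -rf "$base"
}

demo
```

The fix the advisories describe amounts to replacing the first function with the second; `tmpdir_is_safe` is the belt-and-braces check for scripts that must keep supporting a user-supplied TMPDIR.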
Alerts:
Debian DSA-426-1 2004-01-18
Red Hat RHSA-2004:031-01 2004-01-22
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:030-01 2004-02-05
Mandrake MDKSA-2004:011 2004-02-11
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011-1 2004-09-27
Gentoo 200410-02 2004-10-04
Conectiva CLA-2004:909 2004-12-29

Comments (1 posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux nfs-utils package contains a remotely exploitable off-by-one bug in its xlog() logging function. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2003-05-02
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

perl information leak

Package(s):perl CVE #(s):CAN-2003-0618
Created:February 2, 2004 Updated:April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-1 2004-02-01
Debian DSA-431-2 2004-04-16

Comments (none posted)

phpMyAdmin: directory traversal

Package(s):phpMyAdmin CVE #(s):
Created:February 17, 2004 Updated:February 18, 2004
Description: A component of the phpMyAdmin software package (export.php) does not properly verify input that is passed to it from a remote user. Since the input is used to include other files, it is possible to launch a directory traversal attack.
Alerts:
Gentoo 200402-05 2004-02-17

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Debian DSA-363-1 2003-08-03
Red Hat RHSA-2003:251-01 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Conectiva CLA-2003:717 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
Trustix 2003-0029 2003-08-04
Mandrake MDKA-2004:028 2004-05-26

Comments (none posted)

rsync - remotely exploitable heap overflow

Package(s):rsync CVE #(s):CAN-2003-0962
Created:December 4, 2003 Updated:March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
Slackware SSA:2003-337-01 2003-12-03
Trustix 2003-0048 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
Debian DSA-404-1 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Gentoo 200312-03 2003-12-04
Conectiva CLA-2003:794 2003-12-04
Fedora FEDORA-2003-030 2003-12-04
Red Hat RHSA-2003:398-01 2003-12-04
Red Hat RHSA-2003:399-01 2003-12-04
Mandrake MDKSA-2003:111 2003-12-04
Immunix IMNX-2003-73-001-01 2003-12-05
SCO Group CSSA-2004-010.0 2004-03-02

Comments (none posted)

samba: access to disabled accounts

Package(s):samba CVE #(s):CAN-2004-0082
Created:February 18, 2004 Updated:February 19, 2004
Description: Samba 3.0.0 and 3.0.1 contain a difficult-to-exploit vulnerability which could give an attacker access to a disabled account.
Alerts:
Red Hat RHSA-2004:064-01 2004-02-18
Whitebox WBSA-2004:064-01 2004-02-18

Comments (none posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack succeeds even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
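The advisory's exposure test is "is saned actually started by inetd or xinetd?", plus a telnet probe. The script below is an added example, not code from the sane-backends project or the Debian advisory: it answers that question from the configuration files themselves, which also catches a saned that is enabled but not running at the moment you probe. The file paths are passed in as arguments, and the inetd.conf and xinetd.d entries in `demo` are constructed samples, not copied from any distribution.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether saned is enabled by
# inetd or xinetd configuration. Paths are arguments; sample configs below are
# constructed for the demo.

# inetd_enables_saned INETD_CONF: succeed if an uncommented line starts the
# sane service (service field sane-port/sane/saned, or a server path ending in /saned).
inetd_enables_saned() {
    [ -f "$1" ] || return 1
    grep -E -q '^[[:space:]]*(sane-port|sane|saned)[[:space:]]|^[^#]*/saned([[:space:]]|$)' "$1"
}

# xinetd_enables_saned XINETD_DIR: succeed if some file in XINETD_DIR declares
# the sane-port/saned service (or a server of .../saned) without "disable = yes".
xinetd_enables_saned() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[[:space:]]*#/ { next }                                  # comment line
            /^[[:space:]]*service[[:space:]]+(sane-port|saned)/ { svc = 1 }
            /^[[:space:]]*server[[:space:]]*=.*\/saned/         { svc = 1 }
            /^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes/   { off = 1 }
            END { exit (svc && !off) ? 0 : 1 }
        ' "$f" && return 0
    done
    return 1
}

# saned_enabled INETD_CONF XINETD_DIR: the combined answer.
saned_enabled() {
    inetd_enables_saned "$1" || xinetd_enables_saned "$2"
}

# Demonstration on constructed configuration: saned present in both places but
# commented out in inetd.conf and disabled in xinetd, so the host is not exposed.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/xinetd.d"
    cat > "$root/inetd.conf" <<'EOF'
#sane-port stream tcp nowait saned:saned /usr/sbin/saned saned
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
EOF
    cat > "$root/xinetd.d/saned" <<'EOF'
service sane-port
{
    socket_type = stream
    server      = /usr/sbin/saned
    user        = saned
    disable     = yes
}
EOF
    if saned_enabled "$root/inetd.conf" "$root/xinetd.d"; then
        echo "saned is enabled: upgrade sane-backends or disable the service"
    else
        echo "saned is not enabled by inetd or xinetd"
    fi
    rm -rf "$root"
}

demo
```

On a real host, `saned_enabled /etc/inetd.conf /etc/xinetd.d` complements the advisory's `telnet localhost 6566` probe: the probe tells you whether something answers right now, the config check tells you whether it will be started on the next connection. Where saned has to stay enabled, the advisory's own mitigation for CAN-2003-0778 is a memory limit (ulimit) on the daemon.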
Alerts:
Debian DSA-379-1 2003-09-11
Red Hat RHSA-2003:278-01 2003-10-07
Mandrake MDKSA-2003:099 2003-10-09
Conectiva CLA-2003:769 2003-10-22
SuSE SuSE-SA:2003:046 2003-11-18
SCO Group CSSA-2004-005.0 2004-02-19

Comments (none posted)

screen: privilege escalation

Package(s):screen CVE #(s):CAN-2003-0972
Created:November 28, 2003 Updated:March 3, 2004
Description: According to this advisory, a buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or for getting control of another user's screen. The limiting factor is that around 2-3 gigabytes of data have to be transferred to the user's screen to exploit this vulnerability. Versions 4.0.1, 3.9.15 and older are vulnerable.

Alerts:
OpenPKG OpenPKG-SA-2003.050 2003-11-28
Mandrake MDKSA-2003:113 2003-12-08
Debian DSA-408-1 2004-01-05
Conectiva CLA-2004:809 2004-01-20
Fedora-Legacy FLSA:1187 2004-01-26
SCO Group CSSA-2004-011.0 2004-03-02

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
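The defence against this class of archive is to look at the member names before extracting. The script below is an added example, not code from GNU tar or Info-ZIP: it reads member names (as `tar -tf` or `unzip -Z1` print them) and refuses the archive if any name is absolute or contains a `..` path component anywhere. The member names in `demo` are constructed to stand in for a hostile archive's listing.

```shell
#!/bin/sh
# Added example (not from the tar or unzip advisories): screen an archive's
# member list for names that escape the extraction directory. Reads names from
# stdin so it works on `tar -tf` and `unzip -Z1` output alike; the demo list is
# constructed.

# unsafe_member NAME: succeed if NAME could write outside the current directory:
# an absolute path, or a ".." component at the start, in the middle, or at the end.
unsafe_member() {
    case $1 in
        /*|..|../*|*/..|*/../*) return 0 ;;
        *) return 1 ;;
    esac
}

# unsafe_members: read one member name per line from stdin, print the unsafe
# ones, and succeed only if none were found.
unsafe_members() {
    found=0
    while IFS= read -r name; do
        if unsafe_member "$name"; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Demonstration on a constructed member list standing in for `tar -tf hostile.tar`.
demo() {
    printf '%s\n' 'etc/motd' './README' '../../.bashrc' '/etc/passwd' 'a/../../b' \
        | unsafe_members || echo "refusing to extract"
}

demo
```

Typical use is `tar -tf archive.tar | unsafe_members && tar -xf archive.tar` (or `unzip -Z1 archive.zip | unsafe_members && unzip archive.zip`). The name check is exactly what the fixed tar and unzip versions do for you; it does not cover an archive that first creates a symlink member and then writes through it, which needs the `tar -tvf` listing inspected for symlinks as well.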
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04

Comments (1 posted)

tcpdump: flaws in the ISAKMP decoding routines

Package(s):tcpdump CVE #(s):CAN-2003-0989