This week's SCO fun

It has been a busy week for people watching the rapidly growing set of SCO cases. Here we will try to summarize the current state of affairs.
The company announced its first-quarter results, which were just as bad as had been expected. SCO's revenues are down almost 20% from one year ago, and the reported loss is $2.3 million. The actual loss, however, was $5.2 million; some residual accounting weirdness in the BayStar deal allowed SCO to paper over the difference. SCO will not be able to use that trick in the future, however; instead, the restructuring of the BayStar deal will likely force the reporting of a significant loss in the second quarter.

The end result is that SCO is not making any money. The Unix business is dying, helped along by SCO's "sue your customers" business model. The company has only managed to sell "a handful" (Darl McBride's word) of "Linux licenses" - $20,000 worth in the first quarter. The company's stock has fallen to about half of its peak value ($22.29, last October). Things are not looking good for the SCO group. In such a situation, the quarterly conference call did not look like it would be much fun for SCO's management. So it was time to set up a diversion.

That diversion came in the form of two new lawsuits - the long-promised end-user suits, sort of. The first is against AutoZone, a former SCO customer which switched to Linux. SCO claims "AutoZone violated SCO's UNIX copyrights by running versions of the Linux operating system that contain code, structure, sequence and/or organization from SCO's proprietary UNIX System V code in violation of SCO's copyrights." The actual complaint (available as an 8-page PDF file) is surprisingly vague; the core of the suit can be found in two paragraphs:

On information and belief, parts or all of the Copyrighted Material [Unix] has been copied or otherwise improperly used as the basis for creation of derivative work software code, included one or more Linux implementations, including Linux versions 2.4 and 2.6, without the permission of SCO.

Defendant has infringed and will continue to infringe SCO's copyrights in and relating to Copyrighted Materials by using, copying, modifying, and/or distributing parts of the Copyrighted Materials, or derivative works based on the Copyrighted Materials in connection with its implementations of one or more versions of the Linux operating system, inconsistent with SCO's exclusive rights under the Copyright Act.

In the IBM case, SCO has alleged that IBM helped AutoZone misuse SCO's Unix shared libraries on Linux. When dealing directly with AutoZone, however, that claim has gone away. The complaint as a whole looks like a desultory effort, not something that was months in the making.

The second suit is against DaimlerChrysler. In this case, SCO is picking on a Unix licensee which has refused to answer SCO's "compliance certification" demand from last December. This suit is not directly related to Linux, yet; SCO is just trying to force compliance with a Unix license clause (allegedly) giving SCO the right to demand this sort of certification. Darl McBride admitted in the conference call that less than half of the recipients of the demand letter have responded to it. Conceivably, SCO might actually have a case here - but it has little to do with Linux users.

SCO did announce one new SCOsource customer: EV1Servers.Net. This company (formerly RackShack) bought a license to cover its 20,000-some Linux servers. EV1Servers claims that it is just trying to protect its customers, but quite a few of those customers have been rather vocal in their discontent. Surely EV1Servers.Net's appearance in this Microsoft case study last September is purely coincidental.

The Novell case is currently waiting for SCO's response to Novell's motion to dismiss the case. SCO has asked for more time (until March 5) to put together this response; Novell has indicated that it will not oppose that request - but only as long as SCO files no other motions during that time. In this way, perhaps, Novell will be able to get quick consideration of its motion without being slowed down by the usual SCO delaying tactics.

In the IBM case, the long-awaited ruling on the various motions to compel discovery has finally been issued; we have it in PDF format. Both sides are ordered to come up with a lot of stuff. SCO is told to be very specific about what lines of code it's complaining about, and also "the lines of code that SCO distributed to other parties." IBM has to come up with a lot of AIX and Dynix code, and to talk more about its Linux contributions. The ruling does not appear to be a clear victory for either side.

The Utah court also allowed SCO to amend its complaint against IBM, deleting its trade secret claims and adding copyright violation claims. IBM had not contested this change, so there was no real reason for the court to turn it down.

The Red Hat case is still waiting for the judge to rule on SCO's motion to dismiss. This ruling should be easy; SCO, remember, claimed that it was not threatening Red Hat or its customers. Red Hat had plenty of evidence to the contrary already, but the fact that AutoZone was a Red Hat customer has clarified the situation even further.

In Australia, CyberKnights has taken the next step and filed a formal complaint with the Australian Competition and Consumer Commission. The ACCC has already been sitting on one complaint; time will tell if the second complaint results in action. In Germany, SCO reached an out-of-court settlement with Univention stating that SCO will refrain from making claims against Linux without evidence. It is a minimal agreement which does little to truly shut the company up, however.

Increasingly, the SCO story looks as if it is entering the final chapters. Regardless of how many more suits the company files, it appears unable to halt the decline of its stock price and of how the company and its claims are perceived (the questions at the latest conference call were rather less friendly than in the past). SCO, by all appearances, is going down; unfortunately, the company may well be able to make quite a bit more trouble before its story ends.

The Committee for Economic Development on digital copyright

The Committee for Economic Development is a 60-year-old pro-business think tank. This group has recently dedicated some of its resources to the problems associated with intellectual property rights in a digital setting. The resulting report could easily have become another rabid missive on the evils of "piracy" and the need for heavy governmental involvement. But the CED took a different approach. The report (available as a 100-page PDF file) takes a surprisingly broad view of the situation. It contains little that is truly new for people who have been following the situation, but it does show that the business community is beginning to figure out that there is more to think about than the entertainment industry's immediate complaints.

The introduction talks about the challenges posed to publishers by ubiquitous computers and high-speed networking. It notes that sales of audio CDs have dropped significantly, but also discusses a number of (non-piracy) reasons for why that is happening. Movie sales, in contrast, are better than ever; bandwidth limitations have something to do with that, but the fact that movie customers feel they are getting their money's worth also is relevant.

Potential responses to unwanted copying of copyrighted materials are discussed. The report notes, however:

New business arrangements have consistently emerged in response to new technologies. Over the long term, the creators of advances in science and the arts have profited from advances in new production and distribution technologies. And attempts to protect existing production and distribution arrangements by law have failed.

The report then goes into a detailed history of copyright law. The authors are clear on the fact that the real purpose of modern copyright law is to promote artistic and scientific advancement; the provision of certain monopoly rights to copyright holders is simply a means to that end. It is often repeated that creators of copyrighted materials rely heavily on work that was done before; there is little that is truly and completely original. The importance of fair use rights and the public domain is discussed several times.

There is a discussion of responses to piracy which covers most of the usual topics: the DMCA, various other legislative efforts (broadcast flag, the CBDTPA), enforcement actions, digital rights management schemes, etc. The authors are not enthusiastic about legislative "solutions" to the problem; they see laws like the DMCA and state "super DMCA" proposals as anti-competitive, inimical to fair use rights and the public domain, and ineffective. Among other things, they point out that legally-required copy protection schemes can enshrine weak technology and inhibit the development of stronger alternatives.

The report has little good to say about digital rights management (DRM) systems. For starters, DRM systems usually fail in the long term; once a DRM system has been broken, the exploit code can be spread far and wide over the net. DeCSS is used as an example - and the authors even note that DeCSS was created to play DVDs on Linux systems rather than as a piracy tool. Privacy issues with DRM systems are mentioned. The report talks about the innovation which has resulted from the widespread dissemination of general-purpose computers, and how legally-mandated DRM threatens to put an end to that.

There are a few paragraphs dedicated to the effect on free software:

The role of open source software is being systematically ignored in many of the proposals under discussion in this report, and particularly in the broadcast flag context. Open source software is increasingly important as a source of innovation; it can be far more reliable and secure than proprietary software because talented programmers around the world can examine the code and try to break its security, without having to worry about hidden backdoors or holes. Yet such examination and the resulting improvement appears incompatible with a prohibition on tampering.

There are also societal costs to be paid. Widespread use of DRM systems threatens the public domain and fair use rights, and will thus inhibit further development.

We grant limited privileges to creators because we want them to create and to share their works for the benefit of society as a whole, not in order to give them total control over how their works are used. The central problem with broad use of DRM is not that software code will be regulating users, but that content creators will be unilaterally regulating private uses of content and controlling the course of subsequent innovation.

Almost every innovation is "subsequent" to many others, and, as the authors point out, this subsequent innovation is usually done by new, unrelated creators. Allowing creators to choke off subsequent works will thus result in fewer works being created, which is contradictory to the original purpose of copyright protection.

The biggest complaint that the authors have with DRM, however, would appear to be the fact that such systems shift copy protection costs from copyright holders to consumer electronics manufacturers and users.

Finally, the report points out that oppressive DRM (and rights enforcement in general) is bad for the social contract which holds the whole system together:

The existence of private license agreements containing "unreasonable" terms -- terms inconsistent with shared values -- undermines the societal interest in self-enforcing contracts. The self-enforcement aspect of private agreements is essential; after all, voluntary compliance with private agreements is what makes a society livable. If we create a world where license terms do not appear to represent a fair bargain, and are contrary to shared values, we are likely to have built a world where there is little inclination for voluntary compliance and much delight taken in rule-breaking. Such a world will be filled with obtuse letters threatening dire legal consequences, or (more likely) widespread remote disabling of the machines upon which we rely.

One might well argue that we have already proceeded far down that path.

The report concludes with a set of recommendations:

  1. No quick legislative schemes. The report proposes a two-year moratorium in legal "fixes" while a broader consensus on digital copyright protection is worked out.

  2. A high priority should be placed on the development of new business models around creative content. There should be no legal protection for any particular business model.

  3. Existing enforcement and education efforts should continue. In particular, the industry should use the legal tools it has against commercial pirates.

  4. Despite the report's criticism of DRM systems, it recommends that DRM efforts should continue, but that such systems must respect the fair use and first sale rights of users. The report suggests that the DMCA anti-circumvention clause should be reconsidered.

  5. There should be "economic incentives" for copyright holders to facilitate further use of their works. Compulsory licensing is one idea mentioned in the report. It should also be easier for works to enter the public domain; the report mentions the idea of requiring periodic, low-cost renewals to keep copyrights in force.

For those of us who are concerned about ever-increasing copyright terms, criminal charges against software developers, and the lack of ability to use and control our computers as we see fit, this report will fall short of what we would like to see. It is, however, a clear sign that the wider business community is starting to become aware of the costs of unrestricted copyright rights. We are seeing the beginning of a real debate where, before, there was only the illusion of consensus. That can only be a step in the right direction.

FreeS/wansong

March 3, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

The FreeS/WAN project is winding down after five years. For those unfamiliar with the project, FreeS/WAN was created by John Gilmore, who has contributed more than his share to the Internet era. He helped create the "alt" newsgroups, co-founded the Electronic Frontier Foundation and Cygnus Solutions (now part of Red Hat), and has contributed to a number of other important projects.

FreeS/WAN was designed to provide a Secure Wide Area Network (S/WAN), and has been widely used to deploy IPSec Virtual Private Networks (VPNs). But Gilmore was looking to go beyond VPNs with FreeS/WAN and to push the concept of Opportunistic Encryption (OE). The idea behind OE was to provide software that would encrypt packets, without intervention from the user, when communicating with machines that support encryption. Using OE, a FreeS/WAN machine would automatically create an ad hoc Virtual Private Network (VPN) when encryption was available at both ends, and send data in the clear when encryption was not available. Either way, the operation would be transparent to the user. Gilmore was optimistic that OE would offer the "fax effect" for encryption:

As each person installs one for their own use, it becomes more valuable for their neighbors to install one too, because there's one more person to use it with. The software automatically notices each newly installed box, and doesn't require a network administrator to reconfigure it. Instead of "virtual private networks" we have a "REAL private network"; we add privacy to the real network instead of layering a manually-maintained virtual network on top of an insecure Internet.

Gilmore wanted to secure 5% of Internet traffic against passive wiretapping by 1999, and eventually all communications on the net. Perhaps someday FreeS/WAN, or similar software, will drive widespread adoption of encrypted communications. But users have been slow to utilize FreeS/WAN for OE, even within the Linux community. FreeS/WAN has been popular for setting up VPNs, but OE just hasn't caught on in a big way. This is one of the FreeS/WAN project's stated reasons for quitting:

Nine months after the release of FreeS/WAN 2.00, OE has not caught on as we'd hoped. The Linux user community demands feature-rich VPNs for corporate clients, and while folks genuinely enjoy FreeS/WAN and its derivatives, the ways they use FreeS/WAN don't seem to be getting us any closer to the project's goal: widespread deployment of OE. For its part, OE requires more testing and community feedback before it is ready to be used without second thought. The project's funders have therefore chosen to withdraw their funding.

Gilmore also wanted to challenge U.S. crypto export regulations with FreeS/WAN, and barred U.S.-based developers from contributing code to the project. While there have been some small victories, including the U.S. government's retreat in the Bernstein case (which Gilmore was heavily involved in), the ability to export strong cryptography from the U.S. is far from guaranteed:

After the watershed Bernstein case, US export regulations were relaxed. Since then, many US companies have exported strong cryptography, without seeming restriction other than having to notify the Bureau of Export Administration for tracking purposes.

This comfortable situation has perhaps created a false sense of security. The catch? Export regulations are not laws. The US government still reserves the right to change its export regulations on short notice, and there is no facility to challenge them directly in a court of law. This leaves the US crypto community and US Linux distributions in a position which seems safe, but is not legally protected -- where the US government might at any time *retroactively* regulate previously released code, by prohibiting its future export. This is why FreeS/WAN has always been developed outside the US (in Canada and in Greece), and why it has never (to the best of our knowledge) accepted US patches.

It probably shouldn't be surprising, then, that FreeS/WAN suffered from lack of community support. The decision to exclude U.S.-based developers from working on FreeS/WAN meant that many kernel developers, including Linus himself, would be unable to contribute to the project. But while U.S.-based developers were barred from contributing to FreeS/WAN, they were not barred from working on other implementations of IPSec. The 2.6 kernel now includes an IPSec implementation of its own, negating the need for an add-in implementation like FreeS/WAN.

Though the FreeS/WAN project is ending, the situation is not as dramatic as it sounds. No open source application is dead if the community does not wish it so, and FreeS/WAN will live on for some time after the last official release. The FreeS/WAN team plans to push out at least one more release, including changes to allow its use with the 2.6 kernel series. Openswan, a fork of the FreeS/WAN project, seems poised to continue development where FreeS/WAN leaves off.

Linux users are not being left out in the unencrypted cold. The code remains, and development of IPSec VPNs for Linux continues without a hitch. At some point, we may even realize Gilmore's goals of a fully-encrypted Internet.

Page editor: Jonathan Corbet

Security

Security news

Keeping spamassassin current

Longtime users of SpamAssassin know that it can do an outstanding job of identifying spam. They also know, however, that the effectiveness of any particular SpamAssassin release tends to decline over time as spammers figure out how to craft messages which get past the rules. The Bayesian filter buried inside SpamAssassin can help a lot; it catches a fair amount of spam which evades the rules, and it evolves over time to keep up with what the spammers are doing - especially if you make a point of training the filter with its mistakes. Even so, frustrating amounts of spam can get through.

The situation is not helped much by the fact that the SpamAssassin rule base seems to be evolving slowly in recent times. The SpamAssassin developers have too many other things to do, perhaps, or maybe they would rather see the work done by the Bayesian filter. In any case, some users would certainly like to see the rules updated more frequently.

The maintenance of an up-to-the-second set of SpamAssassin rules could well be a business opportunity for somebody, if the licensing issues could be worked out. But SpamAssassin users should also be aware of the custom rulesets page hosted on the SpamAssassin Wiki. This is a place where additional rules can be found to deal with specific problems; some of them might cut your spam load considerably.

Currently available rulesets include:

  • One aimed at "pill spam." Those of us not looking to fill our prescriptions over the net may welcome this one.

  • "Bigevil" simply contains URLs found in spam; it's a sort of content-based blacklist.

  • There is a set of rules for filtering out virus warnings.

  • "Tripwire" looks for combinations of letters which do not normally appear in English text.

Several others exist as well; there is also a "RulesDuJour" script which can be used to automatically keep up to date with the rulesets as they are maintained. The custom rulesets won't solve the spam problem, but they can help to keep a mailbox a bit cleaner.
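To make the mechanism concrete, here is an added Python example (not code from SpamAssassin, from RulesDuJour, or from the rulesets above) that parses a small ruleset written in SpamAssassin's body/uri/score/describe syntax and scores two messages against it, using SpamAssassin's default 5.0 spam threshold. The rule names, patterns, scores and both messages are constructed stand-ins for illustration; the real pill, Bigevil and Tripwire rulesets are far larger and more carefully tuned.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed mini-ruleset in SpamAssassin's body/uri/score/describe syntax.
# These are illustrative stand-ins, not the real rulesets from the SpamAssassin Wiki.
SAMPLE_RULES = r"""
# pill-spam style rule: drug names that rarely appear in legitimate mail
body     PILL_SPAM_EXAMPLE  /\b(?:viagra|cialis)\b/i
describe PILL_SPAM_EXAMPLE  Mentions prescription drugs pushed by spam
score    PILL_SPAM_EXAMPLE  2.5

# Bigevil style rule: a content-based blacklist of spamvertised domains
uri      BIGEVIL_EXAMPLE    /example-pills\.invalid/i
score    BIGEVIL_EXAMPLE    3.0

# Tripwire style rule: letter pairs that do not occur in English words
body     TRIPWIRE_EXAMPLE   /(?:qz|zx|xq|vq)/i
score    TRIPWIRE_EXAMPLE   1.0
"""

_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


@dataclass
class Rule:
    kind: str            # "body" (message body text) or "uri" (URLs found in the body)
    name: str
    pattern: re.Pattern
    score: float = 1.0   # SpamAssassin's default when a rule has no score line
    describe: str = ""


def parse_rules(text: str) -> Dict[str, Rule]:
    """Parse body/uri/score/describe lines; score and describe may precede the rule."""
    kinds: Dict[str, Tuple[str, re.Pattern]] = {}
    scores: Dict[str, float] = {}
    descs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed rule line: {raw!r}")
        keyword, name, rest = parts
        if keyword in ("body", "uri"):
            m = re.fullmatch(r"/(.*)/([imsx]*)", rest)
            if not m:
                raise ValueError(f"expected /regex/flags in: {raw!r}")
            flags = 0
            for ch in m.group(2):
                flags |= _FLAGS[ch]
            kinds[name] = (keyword, re.compile(m.group(1), flags))
        elif keyword == "score":
            scores[name] = float(rest)
        elif keyword == "describe":
            descs[name] = rest
        else:
            raise ValueError(f"unsupported keyword {keyword!r} in: {raw!r}")
    return {name: Rule(kind, name, pat, scores.get(name, 1.0), descs.get(name, ""))
            for name, (kind, pat) in kinds.items()}


@dataclass
class Verdict:
    total: float
    hits: List[str]
    is_spam: bool


URI_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def score_message(raw: str, rules: Dict[str, Rule], required_score: float = 5.0) -> Verdict:
    """Score one message (headers, blank line, body): spam when the summed
    scores of all matching rules reach required_score (SpamAssassin's default 5.0)."""
    _headers, _, body = raw.partition("\n\n")
    uris = URI_RE.findall(body)
    total, hits = 0.0, []
    for rule in rules.values():
        if rule.kind == "body":
            matched = rule.pattern.search(body) is not None
        else:  # "uri" rules only see the URLs extracted from the body
            matched = any(rule.pattern.search(u) for u in uris)
        if matched:
            hits.append(rule.name)
            total += rule.score
    return Verdict(total=round(total, 2), hits=sorted(hits), is_spam=total >= required_score)


# Constructed sample messages, not real mail.
SAMPLE_SPAM = "From: deals@example-pills.invalid\nSubject: cheap meds\n\n" \
              "Order VIAGRA today: http://www.example-pills.invalid/order\n"
SAMPLE_HAM = "From: colleague@example.org\nSubject: meeting notes\n\n" \
             "Slides for the 10am meeting are at http://intranet.example.org/notes.html\n"


def demo() -> Dict[str, Verdict]:
    rules = parse_rules(SAMPLE_RULES)
    return {"spam": score_message(SAMPLE_SPAM, rules), "ham": score_message(SAMPLE_HAM, rules)}


if __name__ == "__main__":
    for label, v in demo().items():
        print(f"{label}: score={v.total} spam={v.is_spam} hits={v.hits}")
```

The constructed spam message trips both the pill rule and the URL blacklist for a total of 5.5, just over the threshold; the ham message matches nothing. The point worth noticing is that a single custom rule rarely decides anything on its own: scores accumulate, which is why a low-scoring "tripwire" rule can tip a borderline message without, by itself, misclassifying legitimate mail.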

New vulnerabilities

libxml2 - arbitrary code execution

Package(s): libxml2    CVE #(s): CAN-2004-0110
Created: February 26, 2004    Updated: July 21, 2004
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Red Hat RHSA-2004:091-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:090-01 2004-02-26
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:091-02 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Debian DSA-455-1 2004-03-03
Netwosix NW-2004-0004 2004-03-04
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Trustix TSLSA-2004-0010 2004-03-05
Gentoo 200403-01 2004-03-06
Conectiva CLA-2004:836 2004-03-31
Fedora-Legacy FLSA:1324 2004-07-19

xboing - buffer overflows

Package(s): xboing    CVE #(s): CAN-2004-0149
Created: February 27, 2004    Updated: March 3, 2004
Description: Steve Kemp discovered a number of buffer overflow vulnerabilities in xboing, a game, which could be exploited by a local attacker to gain gid "games".
Alerts:
Debian DSA-451-1 2004-02-27

Updated vulnerabilities

CUPS: denial of service

Package(s): CUPS    CVE #(s): CAN-2003-0788
Created: November 3, 2003    Updated: March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Red Hat RHSA-2003:275-01 2003-11-03
Mandrake MDKSA-2003:104 2003-11-05
Conectiva CLA-2003:779 2003-11-07
SCO Group CSSA-2004-012.0 2004-03-03

PWLib: possible Denial of Service

Package(s): PWLib    CVE #(s): CAN-2004-0097
Created: February 13, 2004    Updated: April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.

A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.

Alerts:
Red Hat RHSA-2004:048-01 2004-02-13
Red Hat RHSA-2004:047-01 2004-02-18
Whitebox WBSA-2004:047-01 2004-02-18
Debian DSA-448-1 2004-02-22
Fedora FEDORA-2004-078 2004-03-02
Mandrake MDKSA-2004:017 2004-03-03
Gentoo 200404-11 2004-04-09

apache2: Denial of Service vulnerability

Package(s): apache2    CVE #(s):
Created: September 29, 2003    Updated: March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Mandrake MDKSA-2003:096 2003-09-26
Mandrake MDKSA-2003:096-1 2003-10-24
Netwosix NW-2004-0006 2004-03-25
Gentoo 200403-04 2004-03-22

Filename disclosure vulnerability in fam

Package(s): fam    CVE #(s): CAN-2002-0875
Created: August 19, 2002    Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

fetchmail may crash on specially crafted message

Package(s): fetchmail    CVE #(s): CAN-2003-0792
Created: October 16, 2003    Updated: April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
Mandrake MDKSA-2003:101 2003-10-16
Slackware SSA:2003-300-02 2003-10-22
SCO Group CSSA-2004-004.0 2004-02-19
Netwosix NW-2004-0002 2004-02-20
Gentoo 200403-10 2004-03-30
OpenPKG OpenPKG-SA-2004.012 2004-04-08

fileutils/wu-ftpd: denial of service

Package(s): fileutils    CVE #(s): CAN-2003-0854
Created: October 22, 2003    Updated: March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
Conectiva CLA-2003:768 2003-10-22
Conectiva CLA-2003:771 2003-10-24
Immunix IMNX-2003-7+-026-01 2003-10-31
Red Hat RHSA-2003:309-01 2003-11-03
Mandrake MDKSA-2003:106 2003-11-12
Trustix 2003-0042 2003-11-15
SCO Group CSSA-2004-006.0 2004-03-01

GnuPG: ElGamal signing keys compromised

Package(s): gnupg    CVE #(s): CAN-2003-0971
Created: November 28, 2003    Updated: March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
Mandrake MDKSA-2003:109 2003-11-28
SuSE SuSE-SA:2003:048 2003-12-03
Conectiva CLA-2003:798 2003-12-09
Red Hat RHSA-2003:390-01 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Fedora FEDORA-2003-025 2003-12-10
Gentoo 200312-05 2003-12-12
Debian DSA-429-1 2004-01-26
Debian DSA-429-2 2004-02-13
SCO Group CSSA-2004-009.0 2004-03-02

gtkhtml: malformed messages cause crash

Package(s): gtkhtml    CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003    Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug in its handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

hsftp - format string vulnerability

Package(s): hsftp    CVE #(s): CAN-2004-0159
Created: February 23, 2004    Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a format string vulnerability in hsftp. This vulnerability could be exploited by an attacker able to create files on a remote server with carefully crafted names, to which a user would connect using hsftp. When the user requests a directory listing, particular bytes in memory could be overwritten, potentially allowing arbitrary code to be executed with the privileges of the user invoking hsftp. Note that while hsftp is installed setuid root, it only uses these privileges to acquire locked memory, and then relinquishes them.
Alerts:
Debian DSA-447-1 2004-02-22

iproute: local denial of service

Package(s): iproute net-tools    CVE #(s): CAN-2003-0856
Created: November 25, 2003    Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Red Hat RHSA-2003:316-01 2003-11-24
Gentoo 200404-10 2004-04-09
Debian DSA-492-1 2004-04-18
Fedora FEDORA-2004-115 2004-05-11
Fedora FEDORA-2004-154 2004-06-03
Mandrake MDKSA-2004:148 2004-12-13

kdepim: VCF file information reader vulnerability

Package(s): kdepim    CVE #(s): CAN-2003-0988
Created: January 15, 2004    Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Red Hat RHSA-2004:006-01 2004-01-07
Mandrake MDKSA-2004:003 2004-01-14
Slackware SSA:2004-014-01 2004-01-14
Conectiva CLA-2004:810 2004-01-20
Whitebox WBSA-2004:005-01 2004-02-12
Gentoo 200404-02 2004-04-06
Fedora FEDORA-2004-133 2004-05-19

kernel: local root exploit

Package(s): kernel    CVE #(s): CAN-2003-0961 CAN-2003-0985 CAN-2004-0077
Created: February 18, 2004    Updated: March 8, 2004
Description: Another vulnerability has been found in the 2.4.24 and 2.6.2 mremap() system call; once again, this hole can be exploited by a local user to obtain root access. See this advisory from Paul Starzetz for details.
Alerts:
Debian DSA-440-1 2004-02-18
Debian DSA-439-1 2004-02-18
Red Hat RHSA-2004:065-01 2004-02-18
Debian DSA-438-1 2004-02-18
Slackware SSA:2004-049-01 2004-02-18
Trustix 2004-0007 2004-02-18
Debian DSA-441-1 2004-02-18
Fedora FEDORA-2004-079 2004-02-18
Red Hat RHSA-2004:069-01 2004-02-18
SuSE SuSE-SA:2004:005 2004-02-18
Fedora FEDORA-2004-080 2004-02-18
Red Hat RHSA-2004:066-01 2004-02-19
Conectiva CLA-2004:820 2004-02-20
Debian DSA-444-1 2004-02-20
Whitebox WBSA-2004:066-01 2004-02-19
Netwosix NW-2004-0003 2004-02-20
Trustix 2004-0008 2004-02-23
Mandrake MDKSA-2004:015 2004-02-24
Mandrake MDKSA-2004:015-1 2004-02-25
Immunix IMNX-2004-7+-001-01 2004-02-26
Debian DSA-450-1 2004-02-27
Debian DSA-453-1 2004-03-02
Debian DSA-454-1 2004-03-02
Fedora-Legacy FLSA:1284 2004-03-02
Debian DSA-456-1 2004-03-06
Gentoo 200403-02 2004-03-06

Comments (none posted)

kernel: local root exploit in 2.4.22

Package(s): kernel  CVE #(s): CAN-2003-0961
Created: December 1, 2003  Updated: April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-403-1 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Trustix 2003-0046 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Slackware SSA:2003-336-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Red Hat RHSA-2003:389-01 2003-12-01
Yellow Dog YDU-20031203-1 2003-12-03
SuSE SuSE-SA:2003:049 2003-12-04
Gentoo 200312-02 2003-12-04
Conectiva CLA-2003:796 2003-12-05
Red Hat RHSA-2003:368-01 2003-12-19
Debian DSA-423-1 2004-01-15
Debian DSA-433-1 2004-02-04
Debian DSA-442-1 2004-02-19
Debian DSA-470-1 2004-04-01
Debian DSA-475-1 2004-04-05

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s): kernel-utils  CVE #(s): CAN-2003-0019
Created: February 7, 2003  Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lbreakout2 buffer overflow

Package(s): lbreakout2  CVE #(s): CAN-2004-0158
Created: February 23, 2004  Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a vulnerability in lbreakout2, a game, where proper bounds checking was not performed on environment variables. This bug could be exploited by a local attacker to gain the privileges of group "games".
Alerts:
Debian DSA-445-1 2004-02-21

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s): libpng, libpng3  CVE #(s): CAN-2002-1363
Created: December 19, 2002  Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

libtool - Insecure handling of temporary files

Package(s): libtool  CVE #(s):
Created: February 5, 2004  Updated: March 8, 2004
Description: GNU libtool consists of a set of shell scripts used to build shared libraries.

Joseph S. Myers and Stefan Nordhausen independently found a vulnerability in the way the ltmain.sh script (which is part of the libtool package) creates temporary directories for its use.

A local attacker could exploit this vulnerability to change/delete arbitrary files in the system on behalf of the user who is calling the script. The vulnerability has been fixed in the 1.5.2 version of libtool.

Alerts:
Conectiva CLA-2004:811 2004-02-05
OpenPKG OpenPKG-SA-2004.004 2004-03-08

Comments (none posted)

mailman: cross-site scripting vulnerabilities

Package(s): mailman  CVE #(s): CAN-2003-0965 CAN-2003-0992
Created: February 6, 2004  Updated: March 5, 2004
Description: Dirk Mueller discovered a cross-site scripting bug in the admin interface in versions of Mailman 2.1 before 2.1.4. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0965 to this issue.

A cross-site scripting bug in the 'create' CGI script affects versions of Mailman 2.1 before 2.1.3. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0992 to this issue.

Alerts:
Red Hat RHSA-2004:020-01 2004-02-05
Debian DSA-436-1 2004-02-08
Debian DSA-436-2 2004-02-21
Fedora FEDORA-2004-060 2004-03-04

Comments (none posted)

mailman denial of service

Package(s): mailman  CVE #(s): CAN-2003-0991
Created: February 9, 2004  Updated: May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Red Hat RHSA-2004:019-01 2004-02-09
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:156-01 2004-04-14
Conectiva CLA-2004:842 2004-05-25

Comments (1 posted)

mc: arbitrary code execution

Package(s): mc  CVE #(s): CAN-2003-1023
Created: January 16, 2004  Updated: April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander.
Alerts:
Debian DSA-424-1 2004-01-16
Red Hat RHSA-2004:034-01 2004-01-19
Mandrake MDKSA-2004:007 2004-01-26
Red Hat RHSA-2004:035-01 2004-01-19
Fedora FEDORA-2004-058 2004-02-09
Whitebox WBSA-2004:035-01 2004-02-12
SCO Group CSSA-2004-014.0 2004-03-25
Conectiva CLA-2004:833 2004-03-31
Gentoo 200403-09 2004-03-29
OpenPKG OpenPKG-SA-2004.009 2004-04-05

Comments (none posted)

metamail: integer and buffer overflows

Package(s): metamail  CVE #(s): CAN-2004-0104 CAN-2004-0105
Created: February 18, 2004  Updated: May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Red Hat RHSA-2004:073-01 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Mandrake MDKSA-2004:014 2004-02-18
Debian DSA-449-1 2004-02-24
Gentoo 200405-17 2004-05-21

Comments (none posted)

mikmod: buffer overflow

Package(s): mikmod  CVE #(s): CAN-2003-0427
Created: June 16, 2003  Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mod_python: denial of service vulnerability

Package(s): mod_python  CVE #(s): CAN-2003-0973
Created: January 27, 2004  Updated: October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Gentoo 200401-03 2004-01-27
Red Hat RHSA-2004:063-01 2004-02-26
Red Hat RHSA-2004:058-01 2004-02-26
Debian DSA-452-1 2004-02-29
Whitebox WBSA-2004:058-01 2004-03-01
Conectiva CLA-2004:837 2004-04-12
Fedora-Legacy FLSA:1325 2004-10-03

Comments (none posted)

mpg321: format string vulnerability

Package(s): mpg321  CVE #(s): CAN-2003-0969
Created: January 6, 2004  Updated: March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Debian DSA-411-1 2004-01-05
Gentoo 200503-34 2005-03-28

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s): mplayer  CVE #(s): CAN-2003-0835
Created: September 29, 2003  Updated: April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Gentoo 200309-15 2003-09-27
Mandrake MDKSA-2003:097 2003-09-30
Conectiva CLA-2003:760 2003-10-06
Gentoo 200403-13 2004-03-31
Mandrake MDKSA-2004:026 2004-04-05

Comments (none posted)

mutt: buffer overflow

Package(s): mutt  CVE #(s): CAN-2004-0078
Created: February 11, 2004  Updated: March 26, 2004
Description: mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details.
Alerts:
Fedora FEDORA-2004-061 2004-02-11
Red Hat RHSA-2004:050-01 2004-02-11
Red Hat RHSA-2004:051-01 2004-02-11
Slackware SSA:2004-043-01 2004-02-12
Mandrake MDKSA-2004:010 2004-02-11
Whitebox WBSA-2004:050-01 2004-02-12
Trustix 2004-0006 2004-02-13
Netwosix NW-2004-0001 2004-02-16
OpenPKG OpenPKG-SA-2004.005 2004-03-09
SCO Group CSSA-2004-013.0 2004-03-25

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s): nessus  CVE #(s):
Created: May 27, 2003  Updated: August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s): netpbm  CVE #(s): CAN-2003-0924
Created: January 19, 2004  Updated: December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Debian DSA-426-1 2004-01-18
Red Hat RHSA-2004:031-01 2004-01-22
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:030-01 2004-02-05
Mandrake MDKSA-2004:011 2004-02-11
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011-1 2004-09-27
Gentoo 200410-02 2004-10-04
Conectiva CLA-2004:909 2004-12-29

Comments (1 posted)

nfs-utils xlog() off-by-one bug

Package(s): nfs-utils  CVE #(s): CAN-2003-0252
Created: July 14, 2003  Updated: March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s): openssh  CVE #(s): CAN-2003-0190
Created: May 2, 2003  Updated: November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

perl information leak

Package(s): perl  CVE #(s): CAN-2003-0618
Created: February 2, 2004  Updated: April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-1 2004-02-01
Debian DSA-431-2 2004-04-16

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s): postfix  CVE #(s): CAN-2003-0468 CAN-2003-0540
Created: August 5, 2003  Updated: May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Debian DSA-363-1 2003-08-03
Red Hat RHSA-2003:251-01 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Conectiva CLA-2003:717 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
Trustix 2003-0029 2003-08-04
Mandrake MDKA-2004:028 2004-05-26

Comments (none posted)

rsync - remotely exploitable heap overflow

Package(s): rsync  CVE #(s): CAN-2003-0962
Created: December 4, 2003  Updated: March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
Slackware SSA:2003-337-01 2003-12-03
Trustix 2003-0048 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
Debian DSA-404-1 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Gentoo 200312-03 2003-12-04
Conectiva CLA-2003:794 2003-12-04
Fedora FEDORA-2003-030 2003-12-04
Red Hat RHSA-2003:398-01 2003-12-04
Red Hat RHSA-2003:399-01 2003-12-04
Mandrake MDKSA-2003:111 2003-12-04
Immunix IMNX-2003-73-001-01 2003-12-05
SCO Group CSSA-2004-010.0 2004-03-02

Comments (none posted)

screen: privilege escalation

Package(s): screen  CVE #(s): CAN-2003-0972
Created: November 28, 2003  Updated: March 3, 2004
Description: According to this advisory, a buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or for getting control of another user's screen. The problem is that you have to transfer around 2-3 gigabytes of data to the user's screen to exploit this vulnerability. Versions 4.0.1, 3.9.15 and older are vulnerable.

Alerts:
OpenPKG OpenPKG-SA-2003.050 2003-11-28
Mandrake MDKSA-2003:113 2003-12-08
Debian DSA-408-1 2004-01-05
Conectiva CLA-2004:809 2004-01-20
Fedora-Legacy FLSA:1187 2004-01-26
SCO Group CSSA-2004-011.0 2004-03-02

Comments (none posted)

synaesthesia - insecure file creation

Package(s): synaesthesia  CVE #(s): CAN-2004-0160
Created: February 23, 2004  Updated: February 25, 2004
Description: During an audit, Ulf Harnhammar discovered a vulnerability in synaesthesia, a program which represents sounds visually. synaesthesia created its configuration file while holding root privileges, allowing a local user to create files owned by root and writable by the user's primary group. This type of vulnerability can usually be easily exploited to execute arbitrary code with root privileges by various means.
Alerts:
Debian DSA-446-1 2004-02-21

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s): tar unzip  CVE #(s): CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created: October 1, 2002  Updated: April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
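The description above is the classic archive path-traversal problem: an entry name such as "../../x" or an absolute path resolves outside the directory the user is unpacking into. The following added example (not code from the page, from GNU tar, or from unzip) shows the pre-extraction inspection a defender can run on an untrusted archive: it builds a small constructed tarball in memory and lists every member whose resolved target, or whose link target, escapes the destination directory. The destination path "/srv/extract" is an assumed placeholder.

```python
import io
import os
import tarfile

# Constructed sample archive (not a real-world artifact): one benign entry,
# two entries whose names escape the destination, and a symlink pointing out.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("docs/readme.txt", b"hello\n"),
                              ("../../tmp/escaped.txt", b"outside\n"),
                              ("/abs/path.txt", b"absolute\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside.txt"   # symlink target escapes dest
        tar.addfile(link)
    return buf.getvalue()


def _escapes(base: str, candidate: str) -> bool:
    """True if candidate (already absolute and normalized) is not under base."""
    return os.path.commonpath([base, candidate]) != base


def unsafe_members(archive: bytes, dest: str) -> list:
    """Return the names of archive entries that would land outside dest.

    Checks both the entry name (the '../' and absolute-path cases the
    advisory describes) and, for links, where the link would point.
    """
    base = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for member in tar.getmembers():
            # os.path.join discards base when member.name is absolute, so an
            # absolute name is caught by the same containment check.
            target = os.path.realpath(os.path.join(base, member.name))
            if _escapes(base, target):
                bad.append(member.name)
                continue
            if member.issym() or member.islnk():
                # Symlink targets are relative to the entry's own directory;
                # hard-link targets are relative to the archive root (dest).
                anchor = os.path.dirname(target) if member.issym() else base
                link_target = os.path.realpath(os.path.join(anchor, member.linkname))
                if _escapes(base, link_target):
                    bad.append(member.name)
    return bad


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive(), "/srv/extract"):
        print("refusing to extract:", name)
```

Refusing the whole archive when this list is non-empty is simpler and safer than skipping individual entries, since a later entry can depend on an earlier link. Python 3.12 and later offer the same protection at extraction time through the `filter="data"` argument to `TarFile.extractall`; the check above is the portable pre-flight for older interpreters and for unzip-style tooling that has no such filter.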
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04

Comments (1 posted)

tcpdump: flaws in the ISAKMP decoding routines

Package(s): tcpdump  CVE #(s): CAN-2003-0989 CAN-2004-0057 CAN-2004-0055
Created: January 15, 2004  Updated: April 6, 2004
Description: George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding routines of tcpdump versions up to and including 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

Alerts:
Red Hat RHSA-2004:007-01 2004-01-14
Red Hat RHSA-2004:008-01 2004-01-15
SuSE SuSE-SA:2004:002 2004-01-14
Trustix 2004-0004 2004-01-05
OpenPKG OpenPKG-SA-2004.002 2004-01-16
Debian DSA-425-1 2004-01-16
EnGarde ESA-20040119-002 2004-01-19
Mandrake MDKSA-2004:008 2004-01-26
Fedora-Legacy FLSA:1222 2004-01-31
Whitebox WBSA-2004:008-01 2004-02-12
Fedora FEDORA-2004-092 2004-03-02
SCO Group CSSA-2004-008.0 2004-03-02
Fedora FEDORA-2004-091 2004-03-04
Gentoo 200404-03 2004-03-31

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5  CVE #(s):
Created: May 21, 2002  Updated: October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
SCO Group CSSA-2001-030.0 2001-08-10
Conectiva CLA-2001:413 2001-08-24
Debian DSA-075-1 2001-08-14
Debian DSA-075-2 2001-08-14
HP HPSBTL0202-023 2002-02-12
Mandrake MDKSA-2001:068 2001-08-13
Mandrake MDKSA-2001:093 2001-12-17
Progeny PROGENY-SA-2001-27 2001-08-14
Red Hat RHSA-2001:099-06 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:100-02 2001-08-09
Slackware sl-997726350 2001-08-09
SuSE SuSE-SA:2001:029 2001-09-03
Yellow Dog YDU-20010810-1 2001-08-10
Yellow Dog YDU-20010810-2 2001-08-10
Gentoo 200410-03 2004-10-05

Comments (none posted)

util-linux: information leak in the login program

Package(s): util-linux  CVE #(s): CAN-2004-0080
Created: February 3, 2004  Updated: April 8, 2004
Description: The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.

Alerts:
Red Hat RHSA-2004:056-01 2004-02-02
Whitebox WBSA-2004:056-01 2004-02-12
Fedora-Legacy FLSA:1256 2004-03-04
Gentoo 200404-06 2004-04-07
Netwosix NW-2004-0010 2004-04-08

Comments (1 posted)

Page editor: Jonathan Corbet

Kernel development

Release status

Kernel release status

The current 2.6 release is 2.6.4-rc1, which was announced by Linus on February 27. This large patch contains support for Intel's "ia32e" architecture, a new syscalls.h include file with prototypes for the various sys_* functions, various network driver fixes, a UTF-8 tty mode, dynamic PTY allocation (allowing up to a million PTY devices), sysfs support for SCSI tapes and bluetooth devices, the "large number of groups" patch (covered in the October 2 Kernel Page), the generic kernel thread code (January 7 Kernel Page), an HFS filesystem rewrite, and a massive number of other fixes. See the long-format changelog for the details.

Linus's BitKeeper tree contains a number of parallel port fixes, various architecture updates, the reversion of a patch which had removed threads from /proc (and broke gdb), an XFS update, a FireWire update (including one which notes that IEEE1394 support is no longer experimental), and numerous fixes.

The current kernel tree from Andrew Morton is 2.