
LWN.net Weekly Edition for April 15, 2004

The Grumpy Editor goes 64-bit

Your editor did much of his early programming on a large, 60-bit computer. "Large" as in "you could walk around inside it." Its six-bit character set was challenged by exotic characters - like lower case. But it sure had a fast card reader. Your editor has started a few articles by saying that recent "progress" has made things worse, rather than better, but he won't be saying that this time.

By the early 1980's, 32-bit systems had taken over much of the computing world. And, with certain exceptions, 32 bits has been the way of things for a good two decades. Processor speeds have gone up by three orders of magnitude, as have disk sizes; main memory has grown by even a bit more. But most systems sold today still use 32-bit words and addresses. The fact is, 32 bits suffice for almost every quantity we need to manipulate with computers. The exception, increasingly, is memory. We have hit the point where we are running out of address space. The need to work with ever more memory to run our increasingly bloated applications will eventually push much of the industry over to 64-bit processors.

Your editor decided to be ahead of the curve, for once. So he ordered up a new motherboard and Athlon64 processor. Before the process was done, he also ended up buying a new video card, power supply, and disk drive. In fact, the only original component left in the case (a holdover from when LWN thought it might be a training company) is the diskette drive. But, the new system is now up and running, and your editor has had a chance to get a feel for what the 64-bit world has to offer.

The hardest question, perhaps, was the choice of distribution to run. The new system replaces a Debian unstable box, so Debian was the obvious first choice. The state of the Debian x86_64 port is a little discouraging, however. Installation requires starting with the basic x86 distribution, coming up with 64-bit versions of gcc and glibc, building a new 64-bit kernel, booting that, and piecing together the rest of the system with the other x86_64 packages that have become available. More than ten years ago, your editor converted, by hand, his first Linux box from a.out to ELF binaries; installing Debian x86_64 looks like a similar process. Somehow, what looked like an interesting and instructive adventure in the early 1990's is distinctly less appealing now.

MandrakeSoft and SUSE both offer x86_64 versions of their distributions. The Gentoo port seems to be coming along reasonably well, but some time spent digging through the Gentoo package database shows that much of the software base still lacks x86_64 support. Your editor, in the end, went with the Fedora Core 2 test 2 release, at least for now. FC2t2 gives good visibility into the development process (as do Mandrake and Gentoo), a familiar, Red Hat core, and the ability to play around with some bleeding-edge features like SELinux. It also is designed around the 2.6 kernel, which is an important feature.

When one leaves the x86 mainstream, it does not take long to realize that the well-trodden pathways have been left behind. Mirrors for the x86_64 architecture are relatively scarce and often behind the times. Most applications do not, yet, come prebuilt for this architecture. Documentation on how to get x86_64 systems up and running is minimal. It is all a bit of an adventure.

That said, the FC2t2 distribution works well - as well as could be expected on any architecture for a development release. And the really nice thing about the x86_64 architecture is that most 32-bit x86 binaries work just fine, as long as you have 32-bit versions of the relevant libraries around. That fact alone makes the transition to this architecture relatively easy.

The need for 32-bit libraries complicates system administration, however. An x86_64 Fedora system has many duplicated packages installed, and working with rpm can, occasionally, be a bit confusing. The rpm interface was not, perhaps, designed for dealing with a world where two packages have the same name and version number, but are still distinct. Unless you plan to leave the 32-bit world behind entirely, however, you will need two versions of the libraries. Chances are that most x86_64 systems will want to run 32-bit binaries for some time - in some cases, they perform better, and, in any case, some programs in FC2t2 (e.g. OpenOffice.org) are still built that way.

Building applications can also be a bit of a challenge, at least at first. Quite a few makefiles and configure scripts assume that libraries live in /usr/lib. On a Fedora system, /usr/lib has the 32-bit versions of the libraries; the native versions live in /usr/lib64. A makefile which uses the default gcc (which compiles in 64-bit mode) and tries to explicitly link against things in /usr/lib will fail. Once you learn to recognize this problem, it gets easy to fix.
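Recognizing the problem means telling a 32-bit library from a 64-bit one before the linker complains. The following is an added example, not code from the article or from Fedora: it reads the ELF identification bytes (EI_CLASS at offset 4, EI_DATA at offset 5, and the 16-bit e_machine field at offset 18, which sits at the same place in ELF32 and ELF64 headers) and scans a directory for libraries whose word size does not match the compiler mode you are building in. The sample headers and the directory layout are constructed for the demonstration; on a real system you would point `mismatched_libraries` at /usr/lib or /usr/lib64.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
EM_386 = 3        # e_machine value for 32-bit x86
EM_X86_64 = 62    # e_machine value for x86-64
MACHINE_NAMES = {EM_386: "i386", EM_X86_64: "x86_64"}


def elf_class(header: bytes):
    """Return (bits, machine_name) from the first 20 bytes of an ELF file,
    or None if the bytes are not an ELF header at all.

    e_ident[EI_CLASS] (byte 4) is 1 for ELF32 and 2 for ELF64,
    e_ident[EI_DATA] (byte 5) is 1 for little-endian and 2 for big-endian,
    and e_machine is the 16-bit field at offset 18 in both header layouts.
    """
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(header[4])
    endian = {1: "<", 2: ">"}.get(header[5])
    if bits is None or endian is None:
        return None
    (e_machine,) = struct.unpack(endian + "H", header[18:20])
    return bits, MACHINE_NAMES.get(e_machine, f"machine {e_machine}")


def mismatched_libraries(libdir: str, want_bits: int) -> list:
    """Names of the regular files in libdir that are ELF objects of the wrong
    word size for a build in want_bits mode (non-ELF files are ignored)."""
    bad = []
    for name in sorted(os.listdir(libdir)):
        path = os.path.join(libdir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            info = elf_class(f.read(20))
        if info is not None and info[0] != want_bits:
            bad.append(name)
    return bad


def sample_header(bits: int, machine: int) -> bytes:
    """Constructed 20-byte little-endian ELF header (not a real library):
    16 bytes of e_ident, then e_type 3 (ET_DYN, a shared object), then e_machine."""
    ei_class = 1 if bits == 32 else 2
    return ELF_MAGIC + bytes([ei_class, 1, 1]) + bytes(9) + struct.pack("<HH", 3, machine)


def demo() -> list:
    """Fill a throwaway directory with one library of each class plus a text
    file, and ask which entries a 64-bit link against it would trip over."""
    with tempfile.TemporaryDirectory() as libdir:
        with open(os.path.join(libdir, "libfoo.so"), "wb") as f:
            f.write(sample_header(32, EM_386))
        with open(os.path.join(libdir, "libbar.so"), "wb") as f:
            f.write(sample_header(64, EM_X86_64))
        with open(os.path.join(libdir, "README"), "wb") as f:
            f.write(b"not an ELF file\n")
        return mismatched_libraries(libdir, want_bits=64)


if __name__ == "__main__":
    print(demo())  # ['libfoo.so']
```

Only the first 20 bytes of each file are read, so the scan is cheap even over a full library directory, and the check is the same one the `file` utility performs when it reports "ELF 32-bit LSB shared object".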

Your editor was naturally interested in performance issues. To that end, he built a version of bzip2 in both 64-bit and 32-bit mode and compared the results. Both compression and decompression ran about 10% faster in the 64-bit mode. With the x86_64 processor, better performance is generally expected in the native mode, mainly due to the additional registers which are available. The executable size and memory usage in 64-bit mode were larger, but not by much. A second test, using the SoundTouch library yielded a surprise, however: changing the tempo of a large sound file ran in less than 1/5 the time in 32-bit mode. The Athlon64 processor, it would seem, runs certain operations far more slowly in 64-bit mode; your editor has not, yet, had the time to track this one down.

Despite the paucity of mirrors, the glitches, and the surprises, the x86_64 platform makes for a very nice Linux system. The kernel support for this architecture is outstanding, the performance is good, and the expanded address space renders concepts like "high memory" obsolete. After all, we'll never need more memory than can be addressed with 64 bits... Seriously, however, this architecture has helped to realize one of the great promises of Linux: a freedom of choice in hardware as well as software. 64-bit systems are now available at a price even an LWN editor can afford. This editor, who just shifted his old Pentium 450 box over to sacrificial kernel testing duty, is distinctly less grumpy.

Comments (39 posted)

HTML editors: Nvu and Bluefish

April 14, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

A new version of the much-hyped Nvu "Web Authoring System" is out, as well as an updated version of the popular Bluefish editor. Since Web development is an essential component to the success of Linux on the desktop, we thought we'd take a look at these two releases as a gauge of Web development tools available for Linux users.

The Nvu web site promises "A complete Web Authoring System for Linux Desktop users to rival programs like FrontPage and Dreamweaver." How close does Nvu come to delivering on that promise?

To evaluate Nvu, one must first install the software. At the time of this writing, the Nvu website offers packages for Lindows, Fedora Core 2 test 1 and Windows. Other interested parties must compile the application from source. While this does not usually present a major hurdle for Linux users, Nvu is not available in anything so straightforward as a source tarball. The instructions, such as they are, instruct the user to pull Mozilla from CVS, save a modified .mozconfig into the Mozilla source directory, download a separate patch from Nvu and finally compile the software. One almost gets the impression that the Nvu developers are looking to make life difficult for non-Lindows users.

After jumping through the numerous hoops required to compile Nvu, we set about evaluating the software. Since Nvu is derived from Mozilla's Composer, we decided to open both applications up side-by-side to see what improvements had been made to Composer. Nvu is not drastically different from Composer, but there are a few new features worth noting. Nvu has some obvious cosmetic differences, and offers an improved tabbed interface for multiple document editing. It also includes a "Site Manager" Sidebar, which is not available in Composer.

Another feature touted for Nvu is the ability to create templates that have read-only sections and editable sections. Unfortunately, our attempts to work with templates were less than successful. After creating and saving a template, an attempt to create a new document based on a simple template caused Nvu to promptly crash.

Nvu also includes "CaScadeS," a CSS editor that allows fine-grained control over the styles applied to elements in your documents. The feature is interesting, but slightly counter-intuitive. To invoke the editing menu for a specific element, the user must right-click on an element displayed in a menu displayed at the bottom of the editor. If the user is unaware of the feature, it's quite likely that it will go completely unnoticed. Once one is aware of the feature, it is easy to use. However, it would be much more intuitive if the user was able to right-click on the element itself in the editing pane to bring up the CaScadeS menu.

Nvu shows a great deal of promise, but it's not quite ready for a showdown with Macromedia's Dreamweaver.

The Bluefish Web development tool takes a different approach with its "What You See is What You Need" interface. Users who wish to try out the recent 0.13 release will appreciate that Bluefish is provided in a straightforward source tarball. Unlike Nvu, Bluefish's feature set is more appropriate for the experienced Web developer working on more advanced projects, including dynamic sites that make use of PHP, Perl, Python and other scripting languages. Bluefish includes syntax highlighting for a host of languages; everything from HTML to ColdFusion is represented.

It takes some time to fully explore Bluefish and all its features. Bluefish provides a number of wizards and dialogs that make it much easier to add forms, tables and so forth to a document. This writer particularly likes Bluefish's custom menu, which allows the user to create their own dialogs to generate snippets of code. The "Quickbar," which allows users to add frequently-used buttons from other toolbars, is also a favorite.

Bluefish offers Web developers as much, or as little, assistance as they need. A user can opt to use Bluefish as a souped-up text editor with excellent syntax highlighting, or rely on Bluefish to generate much of their code through wizards and dialogs.

Another nice thing about Bluefish is that it integrates well with other tools that Web developers often use. Users can pipe their files in Bluefish through HTML Tidy, Weblint and other programs to validate their HTML, or easily configure Bluefish to open their work in their browser(s) of choice.

Despite the low version number, Bluefish is fairly mature and very stable. It's well worth a look for users who want a flexible Web development environment.

There are, of course, a number of other open source Web development tools for Linux. The Screem website development package is fairly popular, as is Quanta Plus, which we touched on when KDE 3.2 was released. For many, no IDE or GUI-based tool can replace Emacs or Vim for churning out websites.

None of the tools available for Linux are quite as slick and polished as Dreamweaver, but there are certainly plenty of options for users who are looking for a suitable open source Web development tool.

Comments (3 posted)

Free software and malevolent code

The CEO of Green Hills Software, a proprietary embedded software company, has sent out an amazing press release on how the use of free software in defense systems "violates every principle of security." The PR tells us about how "developers in Russia and China" are contributing to Linux, and the horrible fate that awaits us:

Linux in the defense environment is the classic Trojan horse scenario -- a gift of 'free' software is being brought inside our critical defenses. If we proceed with plans to allow Linux to run these defense systems without demanding proof that it contains no subversive or dangerous code waiting to emerge after we bring it inside, then we invite the fate of Troy.

The strident tone of the release, combined with the focus on threats from Russia and China, makes it look like something from the Reagan administration. It's hard to take this thing seriously.

The press release has been quickly written off as a desperate outburst from a proprietary company that is losing business to Linux. And that is probably exactly what it is. It would be interesting to hear how Green Hills would explain this Cisco security alert which came out on the same day as the anti-Linux press release. Some of Cisco's products, it would seem, were shipped with a back door which gives attackers full access; "there is no workaround." It is also worth noting that the InterBase backdoor existed in the proprietary product for years, but was discovered when the product went open source. The remote shutdown "feature" found in a number of software products is also relevant here. Proprietary software is not immune to backdoors and Trojan horses; indeed, the opaque nature of closed-source programs would seem to encourage that sort of misfeature.

Another point worthy of note: attempts to place back doors in free software have mostly been carried out via the distribution network. Last year's kernel backdoor attempt tried to slip the code in after compromising a CVS server. Trojan horse attacks on tcpdump, sendmail, OpenSSH, and others have worked by corrupting distribution files, again via a compromised server. On the other hand, it is very hard to find any record of an attempt to insert any sort of back door via the free software development process. Such an attack, it would seem, is not that easy to carry out; if it were, why would attackers prefer direct assaults on infrastructure and distribution files - an approach which is certain to lead to quick detection?

The free software development process is, perhaps, more robust than its detractors would have people believe. But, once we're done patting ourselves on the back (and let's not be too long about it) we have to face a fundamental fact: code containing security vulnerabilities is committed to project repositories every day. These vulnerabilities do not result from deliberate attacks; they are, instead, simple bugs. But they get into the code base, despite our heavily promoted review process.

It is also true that, sooner or later, somebody will certainly attempt to get bad code accepted by a free software project. That code may contain a back door, or it may be one of those "intellectual property" violations that some people would so dearly love to find in Linux. Given that we prove on a daily basis that insecure code is able to survive our development process, how confident are we, really, that we'll trap a deliberate, well-hidden hole? There are reasons to believe that our processes are better than the proprietary variety; at least some outsiders are looking at the code, and the chances that a backdoor will lurk for years are small. But we cannot simply write off this threat; sooner or later, it is going to come back to us.

Comments (17 posted)

Page editor: Jonathan Corbet

Security

Security news

Rapid security patches considered harmful?

When a security vulnerability is found, the right thing to do is to prepare a patch and circulate it as quickly as possible. At least, that would appear to be the prevailing wisdom. This ComputerWorld article, however, takes a different approach: in many cases, patch circulation should be slowed down, not sped up.

The author is talking, in particular, about vulnerabilities which are found by "white hat" hackers, as opposed to those which are already being actively exploited. These vulnerabilities are, presumably, unknown to the cracker community at the time the patch is prepared. But a security patch provides an instant road map for anybody looking for vulnerabilities. Rather than put in some honest work digging through and understanding a large program, a cracker need only look at the piece of code which is fixed. The release of a security patch allows administrators to close a hole, but it also tells the world about the existence and location of that hole. At that point, the race begins: administrators try to get the patch deployed before the crackers get their exploits working.

What's needed is a way to give the defenders a larger window of time to obtain patches before information about the vulnerability they fix is distributed. Various approaches have been tried to accomplish that goal. The "vendor-sec" mailing list, for example, helps Linux distributors and other operating system vendors to all have their updates ready by the time a vulnerability is announced. Vendor-sec helps, but it does not solve the problem of actually distributing an update to millions of users. The OpenSSH project once took a different approach and pushed a major update on users in an attempt to deploy a security fix without saying what it was; this move was received poorly, however.

What the ComputerWorld article suggests is that patches should be distributed in encrypted form. For some period of time, the encrypted patch is just a useless pile of bits sitting on the disk. This time would be the window which allows the patch to be distributed without disclosing the problem which is being fixed. After a given period of time, a key is distributed which enables the decryption of the patch; at that time, clear versions of the patch could also be made available. In theory, this approach would enable the security-conscious users on the net to update their systems nearly simultaneously as soon as the nature of the problem is disclosed.

This is a solution which could perhaps work, though steps would have to be taken to fend off denial-of-service attacks aimed at preventing the distribution of the decryption key. The provision of encrypted patches does go somewhat against the spirit of the free software community, and it could, by some readings, be taken as a violation of the GPL. For almost all of the security vulnerabilities which are reported, the encrypted patch mechanism would be far more trouble than it would be worth. The next time an easily-exploitable vulnerability turns up in a utility like bind or ssh, however, it might be a nice option to have.
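The scheme above has two phases: the encrypted patch is pushed out while the key is withheld, then the key (a few dozen bytes, trivially mirrored) is released and everyone decrypts at once. The following is an added example, not code from the ComputerWorld article or from any vendor, that plays both sides of that exchange with the Python standard library only. It assumes an HMAC-SHA256 counter-mode keystream as a stand-in for a real authenticated cipher such as AES-GCM, a plain SHA-256 digest where a vendor would publish a signature over the blob, and a constructed placeholder patch body; the embargo dates are made up for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed placeholder patch body; it fixes nothing and exists only for the demo.
SAMPLE_PATCH = b"placeholder patch text: constructed for this example only\n"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode. A stdlib-only stand-in (assumption) for a
    real authenticated cipher; the construction, not the cipher, is the point."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag_key(key: bytes) -> bytes:
    # Derive a separate MAC key so encryption and authentication never share one.
    return hashlib.sha256(b"patch-tag|" + key).digest()


def blob_digest(blob: dict) -> str:
    """Digest published next to the blob; a vendor would sign this in practice."""
    return hashlib.sha256(blob["nonce"] + blob["ciphertext"] + blob["tag"]).hexdigest()


def encrypt_patch(key: bytes, patch: bytes) -> dict:
    """Vendor side: encrypt-then-MAC the patch under a fresh random nonce."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(patch, _keystream(key, nonce, len(patch))))
    tag = hmac.new(_tag_key(key), nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_patch(key: bytes, blob: dict) -> bytes:
    """Administrator side: verify the tag first, decrypt only if it checks out."""
    expected = hmac.new(_tag_key(key), blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("patch blob does not authenticate under this key")
    stream = _keystream(key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


class Vendor:
    """Publishes the encrypted blob at once and the key only after the embargo."""

    def __init__(self, patch: bytes, embargo_end: datetime):
        self.key = os.urandom(32)
        self.blob = encrypt_patch(self.key, patch)
        self.embargo_end = embargo_end

    def publish_blob(self):
        return self.blob, blob_digest(self.blob)

    def publish_key(self, now: datetime):
        # Until the embargo ends the key is withheld and the blob is useless bits.
        return self.key if now >= self.embargo_end else None


class Admin:
    """Fetches the blob early, checks it, and decrypts as soon as the key appears."""

    def __init__(self):
        self.blob = None
        self.patch = None

    def fetch_blob(self, blob: dict, digest: str) -> None:
        if blob_digest(blob) != digest:
            raise ValueError("downloaded blob does not match the published digest")
        self.blob = blob

    def try_decrypt(self, key) -> bool:
        if key is None or self.blob is None:
            return False
        self.patch = decrypt_patch(key, self.blob)
        return True


def simulate(patch: bytes = SAMPLE_PATCH):
    """Blob on day 0, key refused on day 1, key released and applied on day 2."""
    t0 = datetime(2004, 4, 15, tzinfo=timezone.utc)
    vendor = Vendor(patch, embargo_end=t0 + timedelta(days=2))
    admin = Admin()
    admin.fetch_blob(*vendor.publish_blob())
    during_embargo = admin.try_decrypt(vendor.publish_key(t0 + timedelta(days=1)))
    after_embargo = admin.try_decrypt(vendor.publish_key(t0 + timedelta(days=2)))
    return during_embargo, after_embargo, admin.patch


if __name__ == "__main__":
    print(simulate())
```

Two design points matter for the caveats raised above. The tag is checked before any decryption, so a blob swapped on a mirror is rejected rather than applied; and because the released key is tiny, it can be spread over many channels at once, which is the natural answer to a denial-of-service attack on key distribution.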

Comments (9 posted)

New vulnerabilities

apache - denial of service in mod_ssl

Package(s):apache CVE #(s):CAN-2004-0113
Created:April 13, 2004 Updated:May 25, 2004
Description: A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49.
Alerts:
Fedora FEDORA-2004-117 2004-05-25
Mandrake MDKSA-2004:043 2004-05-10
Red Hat RHSA-2004:182-01 2004-04-30
Conectiva CLA-2004:839 2004-04-13

Comments (none posted)

automake: symbolic link attack

Package(s):automake CVE #(s):
Created:April 8, 2004 Updated:April 14, 2004
Description: Automake may be vulnerable to a symbolic link attack which may allow an attacker to modify data or escalate their privileges. This is due to the insecure way Automake creates directories during compilation. An attacker may be able to create symbolic links in the place of files contained in the affected directories, which may potentially lead to elevated privileges due to modification of data.
Alerts:
Netwosix NW-2004-0009 2004-04-08
Gentoo 200404-08 2004-04-08

Comments (none posted)

cvs: client-side file overwrite vulnerability

Package(s):cvs CVE #(s):CAN-2004-0180
Created:April 14, 2004 Updated:May 18, 2004
Description: The cvs client is vulnerable to a pathname vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem.
Alerts:
Fedora FEDORA-2004-110 2004-04-22
Whitebox WBSA-2004:153-01 2004-04-19
Slackware SSA:2004-108-02 2004-04-17
Netwosix NW-2004-0011 2004-04-18
Debian DSA-486-1 2004-04-16
Gentoo 200404-13 2004-04-14
OpenPKG OpenPKG-SA-2004.013 2004-04-14
Red Hat RHSA-2004:153-01 2004-04-14
Red Hat RHSA-2004:154-01 2004-04-14
SuSE SuSE-SA:2004:008 2004-04-14
Mandrake MDKSA-2004:028 2004-04-14

Comments (none posted)

kernel: symlink overflow in the iso9660 filesystem

Package(s):kernel CVE #(s):CAN-2004-0109
Created:April 14, 2004 Updated:July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.
Alerts:
Conectiva CLA-2004:846 2004-07-15
Red Hat RHSA-2004:106-01 2004-04-21
Red Hat RHSA-2004:105-01 2004-04-21
Debian DSA-489-1 2004-04-17
Debian DSA-491-1 2004-04-17
Debian DSA-479-2 2004-04-14
SuSE SuSE-SA:2004:009 2004-04-14
Mandrake MDKSA-2004:029 2004-04-14
Fedora FEDORA-2004-101 2004-04-14
Debian DSA-482-1 2004-04-14
Debian DSA-481-1 2004-04-14
Debian DSA-480-1 2004-04-14
Debian DSA-479-1 2004-04-14

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

Comments (none posted)

neon: format string vulnerabilities

Package(s):neon CVE #(s):CAN-2004-0179
Created:April 14, 2004 Updated:May 18, 2004
Description: The neon WebDAV library contains format string vulnerabilities which may be exploited by a hostile DAV server. This vulnerability exists in utilities which use neon, including cadaver and OpenOffice.org.
Alerts:
Fedora FEDORA-2004-103 2004-04-14
Gentoo 200405-04 2004-05-11
Gentoo 200405-01 2004-05-09
Red Hat RHSA-2004:163-01 2004-04-30
Whitebox WBSA-2004:160-01 2004-04-19
Mandrake MDKSA-2004:032 2004-04-19
Gentoo 200404-14 2004-04-19
OpenPKG OpenPKG-SA-2004.016 2004-04-16
Netwosix NW-2004-0012 2004-04-18
Debian DSA-487-1 2004-04-16
Red Hat RHSA-2004:159-01 2004-04-15
Red Hat RHSA-2004:160-01 2004-04-14
Red Hat RHSA-2004:157-01 2004-04-14
Red Hat RHSA-2004:158-01 2004-04-14

Comments (none posted)

Scorched3D: format string vulnerability

Package(s):Scorched 3D CVE #(s):
Created:April 9, 2004 Updated:April 14, 2004
Description: The server from the game Scorched 3D is vulnerable to a format string attack that can lead to a denial of service and possibly to the execution of arbitrary code.
Alerts:
Gentoo 200404-12 2004-04-09

Comments (none posted)

Updated vulnerabilities

clamav: denial of service

Package(s):clamav CVE #(s):
Created:April 7, 2004 Updated:April 7, 2004
Description: The Clam AntiVirus utility through version 0.68 is vulnerable to a denial of service attack.
Alerts:
Gentoo 200404-07 2004-04-07

Comments (none posted)

ethereal - multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
Created:March 29, 2004 Updated:June 2, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory.
Alerts:
Debian DSA-511-1 2004-05-30
OpenPKG OpenPKG-SA-2004.015 2004-04-16
Red Hat RHSA-2004:137-01 2004-03-31
Mandrake MDKSA-2004:024 2004-03-30
Conectiva CLA-2004:835 2004-03-31
Red Hat RHSA-2004:136-01 2004-03-30
Netwosix NW-2004-0007 2004-03-29
Gentoo 200403-07 2004-03-28

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16

Comments (none posted)

fte buffer overflows

Package(s):fte CVE #(s):CAN-2003-0648
Created:April 5, 2004 Updated:April 7, 2004
Description: Steve Kemp and Jaguar discovered a number of buffer overflow vulnerabilities in vfte, a version of the fte editor which runs on the Linux console, found in the package fte-console. This program is setuid root in order to perform certain types of low-level operations on the console.
Alerts:
Debian DSA-472-1 2004-04-03

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

heimdal cross-realm vulnerability

Package(s):heimdal CVE #(s):CAN-2004-0371
Created:April 6, 2004 Updated:April 9, 2004
Description: According to a security advisory from the heimdal project: All releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.
Alerts:
Gentoo 200404-09 2004-04-09
Debian DSA-476-1 2004-04-06

Comments (none posted)

interchange missing input sanitizing

Package(s):interchange CVE #(s):CAN-2004-0374
Created:April 2, 2004 Updated:April 7, 2004
Description: A vulnerability was discovered recently in Interchange, an e-commerce and general HTTP database display system. This vulnerability can be exploited by an attacker to expose the content of arbitrary variables. An attacker may learn SQL access information for your Interchange application and use this information to read and manipulate sensitive data.
Alerts:
Debian DSA-471-1 2004-04-02

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

Comments (none posted)

kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

Comments (none posted)

kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07

Comments (none posted)

Linux kernel 2.2.10 failing function and TLB flush vulnerability

Package(s):kernel-source-2.2.10 CVE #(s):CAN-2004-0077
Created:March 18, 2004 Updated:June 4, 2004
Description: A local root exploit is possible due to early flushing of the TLB.
Alerts:
Debian DSA-514-1 2004-06-04
Debian DSA-466-1 2004-03-18

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:July 21, 2004
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09

Comments (1 posted)

metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Gentoo 200405-17 2004-05-21
Debian DSA-449-1 2004-02-24
Mandrake MDKSA-2004:014 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Red Hat RHSA-2004:073-01 2004-02-18

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

monit: buffer overflow and DoS

Package(s):monit CVE #(s):
Created:March 31, 2004 Updated:April 19, 2004
Description: The monit system administration program through version 4.1 suffers from remotely exploitable buffer overflow and denial of service vulnerabilities.

Two additional vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code.

Alerts:
Gentoo 200404-16 2004-04-19
Netwosix NW-2004-0008 2004-04-06
Gentoo 200403-14 2004-03-31

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to somehow trick a user into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

perl information leak

Package(s):perl CVE #(s):CAN-2003-0618
Created:February 2, 2004 Updated:April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-2 2004-04-16
Debian DSA-431-1 2004-02-01

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PWLib: possible Denial of Service

Package(s):PWLib CVE #(s):CAN-2004-0097
Created:February 13, 2004 Updated:April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.

A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.

Alerts:
Gentoo 200404-11 2004-04-09
Mandrake MDKSA-2004:017 2004-03-03
Fedora FEDORA-2004-078 2004-03-02
Debian DSA-448-1 2004-02-22
Whitebox WBSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:048-01 2004-02-13

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

samba privilege escalation

Package(s):samba CVE #(s):CAN-2004-0186
Created:March 15, 2004 Updated:April 20, 2004
Description: Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the "smbmnt" utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could then be executed to gain privileges on the local system.
Alerts:
Mandrake MDKSA-2004:035 2004-04-19
Debian DSA-463-1 2004-03-12

Comments (none posted)

shar: buffer overflow

Package(s):sharutils CVE #(s):
Created:April 7, 2004 Updated:April 7, 2004
Description: The shar utility (as found in the sharutils package through version 4.2.1) suffers from a stack-based buffer overflow vulnerability; see this advisory for details.
Alerts:
OpenPKG OpenPKG-SA-2004.011 2004-04-07

Comments (none posted)

squid - vulnerability in URL decoding

Package(s):squid CVE #(s):CAN-2004-0189
Created:March 29, 2004 Updated:April 20, 2004
Description: A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs.
Alerts:
Whitebox WBSA-2004:133-01 2004-04-19
Fedora FEDORA-2004-104 2004-04-15
Red Hat RHSA-2004:133-01 2004-04-14
Conectiva CLA-2004:838 2004-04-12
Debian DSA-474-1 2004-04-03
OpenPKG OpenPKG-SA-2004.008 2004-04-01
Mandrake MDKSA-2004:025 2004-03-30
Gentoo 200403-11 2004-03-30
Red Hat RHSA-2004:134-01 2004-03-29

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: flaws in the ISAKMP decoding routines

Package(s):tcpdump CVE #(s):CAN-2003-0989 CAN-2004-0057 CAN-2004-0055
Created:January 15, 2004 Updated:April 6, 2004
Description: George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding routines of tcpdump versions up to and including 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

Alerts:
Gentoo 200404-03 2004-03-31
Fedora FEDORA-2004-091 2004-03-04
SCO Group CSSA-2004-008.0 2004-03-02
Fedora FEDORA-2004-092 2004-03-02
Whitebox WBSA-2004:008-01 2004-02-12
Fedora-Legacy FLSA:1222 2004-01-31
Mandrake MDKSA-2004:008 2004-01-26
EnGarde ESA-20040119-002 2004-01-19
Debian DSA-425-1 2004-01-16
OpenPKG OpenPKG-SA-2004.002 2004-01-16
Trustix 2004-0004 2004-01-05
SuSE SuSE-SA:2004:002 2004-01-14
Red Hat RHSA-2004:008-01 2004-01-15
Red Hat RHSA-2004:007-01 2004-01-14

Comments (none posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 20, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

util-linux: information leak in the login program

Package(s):util-linux CVE #(s):CAN-2004-0080
Created:February 3, 2004 Updated:April 8, 2004
Description: The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.

Alerts:
Netwosix NW-2004-0010 2004-04-08
Gentoo 200404-06 2004-04-07
Fedora-Legacy