Debian: too free?
The Debian Project's social contract is that project's guiding philosophy. When the project
considers a decision or an action, consistency with the social contract is
one of the first requirements. Debian developers are also concerned with
freedom, as witnessed by the endless battles over what should be done with
the "non-free" repository.
These two issues came together this month when the
project's developers approved the first change to the contract since 1997.
Where
Version 1.0 read
"Debian will remain 100% free software," the new version says, instead,
"Debian will remain 100% free." The new wording requires that the Debian
system
and all its components conform to the Debian Free Software
Guidelines. This change was clearly aimed at bits and pieces of non-free
materials that have been present in Debian since the beginning: firmware in
device
drivers, GFDL-licensed manuals, etc.
Whether intended or not, the new wording has already claimed a big victim:
the upcoming "sarge" release. The next major release of Debian is already
far later than had been hoped - but that is not particularly surprising for
a Debian release. What is surprising is that release manager Anthony Towns has let it be known that the new social contract
will delay things further. The sarge release, as it stands now,
does not conform to the newly-reworded social contract. Given the overt
nature of the changes to the contract, Anthony does not believe he can just
look the other way and release regardless. Most Debian developers would
appear to agree with his interpretation of the contract.
In practical terms, this means that a lot of changes will have to be made
to sarge before it can go out. The GFDL-licensed documentation (for small
packages, like the C library) will have to be removed. Support for
hardware requiring binary-only firmware downloads will be removed. The
installer will have to be rewritten so that people who happen to have the
firmware for their (otherwise unsupported) hardware can install the
system. It has also been noted that a lot
of fonts may have to be removed from Debian as well. All in all, Anthony
figures that, with these changes, there is no chance that sarge will be
released this year.
The Debian Project, in other words, is in a bit of a bind. The current
Debian stable release is approaching a truly geriatric state; few users are
much interested in GNOME 1.4, KDE 2.2, XFree86 4.1,
Mozilla 1.0, Netscape 4.77 (!), gcc 3.0, or the 2.2
kernel at this point (though, in fairness, there are 2.4 kernels available
for woody as well). This release has done its time; it should not be
expected to last into 2005. Somehow, if Debian is to remain relevant
to anybody beyond those using the (occasionally scary but always highly useful) unstable
version, it is going to have to find a way around this problem and get a new
release out.
One possibility is this new general
resolution which is tentatively set for a vote in the second half of
May. This resolution would create a "sarge exception" by revoking the
social contract change - but only until the beginning of September, when
the new language would, once again, take effect. This resolution would
enable the project to get a release out (and, incidentally, impose a deadline
on that release) under the old rules. Subsequent distributions could then be purged
of offending materials at relative leisure.
In the longer term, Debian is going to have to come to a conclusion about
where its priorities truly lie. Despite the incredible progress made over
the last 20 years, creating a 100% free system is still a very hard thing
to do. Most of us will never have the source to the firmware running in
our network controllers. Maybe someday we will have 100% free fonts, but
that is not this day. There will always be disagreements over which
licenses are truly free - as witnessed by the fact that Debian is fighting over
documentation licenses that have passed muster with Richard Stallman. Any distribution
which insists on 100% purity is going to have a hard time producing a
system that is actually useful in the near future.
As Ted Ts'o puts it, this episode may be a
fortunate thing in that it will force a debate over the project's goals. If Debian
is really about making the best possible system, the developers will
eventually get back to that task.
If instead, it turns out there are significant numbers of people
who believe their participation in Debian is really more about
proving that they are Holier Than Stallman, those that *are*
interested in making something useful for their users have their
choice of either (a) trying to see if they have the votes to
shut-out the fanatics, (b) try to build something useful that uses
Debian as a base, and leaves the insanity behind, or (c) join the
Fedora project, or some other distribution.
Others see things differently, however:
The goal of Debian is to have an excellent free operating system.
All three adjectives: excellent, free, and operating, are
non-negotiable. We will not sell out the second because you want
us to think it's a disaster if one or two fonts don't meet it.
In other words, the social contract change, its aftermath, and the
philosophical differences behind it
risk creating a fork in the Debian distribution. One might argue that
this fork has already happened; look at UserLinux, for example. Such a
fork would be an unfortunate thing; the Debian Project has been a
technological and philosophical leader of the community for many years.
One can only hope that Debian will figure out how to reconcile its goals
and continue in that role well into the future.
The 2004 Desktop Linux Summit
The 2nd annual
Desktop Linux Summit was held at the Del Mar
fairgrounds, north of San Diego, California, on April 22 and 23, 2004.
The event was sponsored by
Lindows and
several other companies.
Attendance at the event was busy, but not overwhelming;
the folks at Lindows said that there were over 1000 attendees, about
twice the draw of the previous event.
There were relatively few Linux-specific companies and organizations in the
vendor booths; Lindows occupied many of them, and several
vendor-neutral hardware companies were present.
As the conference's name implied, the focus was on the placement
of Linux on the desktop, both in corporations and at home.
During the event, there were several recurring
ideas
coming from the panel members and the audience.
While many individuals and companies have been attempting to displace
Microsoft from its position of dominance on the desktop, there was a
growing feeling that doing so is an incredibly difficult task,
especially in the US market.
It is, nonetheless, a task that many are still working hard to accomplish.
A large percentage of individual and corporate computer users
have been tied to the Microsoft way of doing things for a long time,
and they are very resistant to change, even if it means saving a lot
of money. Never underestimate user inertia, as a former
co-worker of mine is fond of saying.
It's hard to compete with the big guys on their own turf.
Also, the perpetual inability to purchase both desktop and laptop
computers with Linux pre-loaded was brought up frequently. This is a major
factor that is slowing Linux adoption by the public sector.
[Photo: Clay Christensen]
A common theme in the event was that Linux has become a
Disruptive Technology:
it may achieve world domination through a process other than
replacing the Microsoft-based PC.
The majority of the world's population has never had access to a computer
(or a phone line, or a power grid).
For people in this group who are just getting access to power and telecom
resources, the choice between a secure, free (as in beer and as in freedom) operating system with tons of free applications,
versus a virus-vulnerable, expensive, or pirated operating system is
fairly easy to make. For third-world and emerging countries with little
pre-existing technological infrastructure, Linux-based systems are a
fairly appealing solution. Linux is also acting in a disruptive manner
by entering at the low end, on equipment such as PDAs and
cell phones. Over time, these devices have begun to perform an
ever-increasing share of the tasks formerly done by desktop computers.
Another observation is that Linux on the desktop has become fairly
mature, reliable, and repeatable. Most of the basic components are
already in place. The operating system is reliable, the basic desktop
components such as browsers, mail clients, and office suites are
available and reliable. There is, on the other hand, a notable lack of financial
applications for Linux; none of the major commercial software vendors
have ported their applications to Linux.
Open file exchange formats were seen as both a strength and a weakness
for Linux. For those dealing with Linux, the ability to use
open file formats is a big plus, mainly because access to their own
information will be possible for the foreseeable future. Lock-out due
to changing proprietary file formats is not likely under Linux.
The inability to reliably
exchange files with the ever-changing proprietary formats from
Microsoft was seen as a big obstacle in the adoption of Linux.
That is also an obstacle to Microsoft's own customers,
locking them in to a never-ending path of buying upgrades and
having to convert older information forward.
There is a notable shift in the browser arena; desktop browsers are
rapidly losing ground to cell phone and PDA-based browsers.
This is causing
people who create web pages that are only viewable in Microsoft's
Internet Explorer to lose viewers.
On the amusing side, one of the popular T-shirts at the conference
referred to recent SCO actions with "So, Sue Me" in big
letters. The gun show that was being held in the adjacent building
was mentioned a few times.
Lastly, the current generation of PCs is increasingly being seen
as too fat for the desktop, both in hardware and software.
Current PCs are power hungry devices that are loaded with
multimedia equipment, giant hard drives, big memory, etc.
Individual PCs now have hardware and software that
is as complicated as the servers of just a few years ago, along
with the associated systems administration requirements.
There is a push toward making corporate desktop machines into
simple, replaceable appliances. Of course, this may just be another
swing of the pendulum in the oft-repeated cycle
between centralized servers with dumb (X)terminals, and loaded desktops.
The fully loaded multi-media boxes are increasingly headed for use as
home entertainment centers.
A number of different platforms were discussed as lightweight
desktop appliances. Linux-based thin clients, diskless clients,
Sun's Java desktop system, and laptops were all contenders for this
space.
The Desktop Linux Summit
presentations and panel sessions
are covered in more detail. Take a look for coverage of
the international expansion of desktop Linux,
Ian Murdock's talk on Componentized Linux, Doc Searls on
making Linux the Chevy Cavalier of operating systems,
an analyst's view of the current state of Linux on the desktop,
mainstreaming the Linux desktop, Nat Friedman on the evolution
of the Linux desktop, and what Lindows is up to.
The JPEG patent
Just in case anyone needed further proof of the dangers of software patents,
along comes
Forgent
trying to wring money out of users of the JPEG standard long after it has
become entrenched. After two years of trying to wheedle licensing fees for
JPEG, the company announced last week that it was suing 31 companies,
including IBM, Apple, Xerox, Panasonic and Macromedia to name just a few,
for infringement of U.S. Patent 4,698,672, entitled "Coding System for
Reducing Redundancy."
The company has been trying to monetize the '672 patent since 2002, and has
managed to extract licensing fees from more than 30 companies, including
Sony, to the tune of $90
million for use of the JPEG format. Forgent isn't exactly modest in its claims. In
its press release, Forgent claims to have:
...the sole and exclusive right to use and license all the claims under the
'672 patent that implement JPEG in all "fields of use" except in the
satellite broadcast business. Forgent's "fields of use" for licensing
opportunities include digital cameras, digital still image devices,
personal digital assistants (PDAs), cellular telephones that download
images, browsers, digital camcorders with a still image function, scanners
and other devices used to compress, store, manipulate, print or transmit
digital images.
While Forgent presses on with its claims, others have expressed doubt as to
whether the patent claims would stand up. The JPEG committee has issued a statement saying that the
committee "believes that prior art exists in areas in which the
patent might claim application to ISO/IEC 10918-1 [the JPEG standard] in
its baseline form." The statement was issued back in 2002, when
Forgent initially began asserting patent claims.
There seems to be some confusion over the actual expiration date of
Forgent's patent as well. According to Forgent, the patent expires in
October 2006. Others are saying that the patent is set to expire this
October, seventeen years from the date the patent was granted. The
U.S. Patent and Trademark Office's (USPTO) website seems to support
Forgent's position. According to the USPTO FAQ, patents granted prior to
June 8, 1995 "automatically have a term that is the greater of the
twenty year term discussed above [from the application date] or seventeen
years from the patent grant." The patent application was submitted
October 27, 1986, and granted October 6, 1987, which gives Forgent a little
more than two years to harass software companies making use of JPEG.
The Independent JPEG Group (IJG),
responsible for the widely-used JPEG library (libjpeg), makes no mention of the
Forgent claims on its website. In fact, the IJG makes little mention of
anything on its website, including valid contact information. The README
that comes with the JPEG library says that the software avoids the
arithmetic coding of the JPEG specification due to patents owned by IBM,
AT&T and Mitsubishi. No mention is made of the '672 patent. However,
IJG organizer Tom Lane was quoted
two years ago as saying that Forgent's patent does not apply:
The patent describes an encoding method that is clearly not like what JPEG
does. The patent describes a three-way symbol classification; the closest
analog in JPEG is a two-way classification. If the jury can count higher
than two, the case will fail.
At the moment, open source developers do not seem to be in a rush to remove
JPEG capability from their projects, but are instead taking a
"wait-and-see" attitude. The topic has come up on Debian-legal,
the Gimp-developer
mailing list and other project lists. So far, no project has come out to
say that they would be pulling JPEG support, much to this writer's
relief. A quick count shows that more than 150 packages installed on my
system depend on libjpeg.
Even if Forgent's claims amount to nothing more than a nuisance for a
handful of proprietary software companies, they still highlight a problem
for open source software. Companies will continue to press software patent
claims so long as the legal system permits, and there's money to be
made. It's only a matter of time before one of the suits has a serious
impact on open source.
SCO Weekly News
Last week, we discussed BayStar's wish to reclaim its investment in the SCO
Group. Some observers may have thought that this move was a sign that
BayStar had figured out the true nature of the company it had invested in.
That may, in fact, be true, but not quite in the way some people had
imagined. BayStar's real problem, it would seem, is that SCO continues to
maintain the pretense of having a Unix business; BayStar sees that as a
distraction from the real "value" of the company: its lawsuits. To regain
BayStar's good favor, SCO would need to dump the Unix business and replace
its top management with people who know more about intellectual property
litigation and, while they're at it, have better control over what they say
in public. SCO seems unwilling to give in to those demands, but if BayStar
looks like it will go to court, SCO's board may find itself in a more
accommodating mood.
Groklaw has done some
research into the background of Bert Young, SCO's new chief financial
officer. Mr. Young, it seems, is not new to dishonest companies and legal
action. He should, indeed, be a good fit for SCO.
In the IBM case, SCO has filed a new
motion
asking that IBM's copyright-oriented counterclaims be dismissed or, failing
that, split into a separate trial. SCO claims that the copyright issue is
"pending in litigation in Nevada" and need not be considered separately in
Utah. The Nevada case is the AutoZone suit. Given that copyrights are an
issue in the IBM case, the chances of it being put aside for the
newly-filed AutoZone case seem pretty small.
...especially since AutoZone has filed a motion
of its own stating that SCO's suit should be put on hold pending the
outcomes of the IBM, Novell, and Red Hat cases. Since those cases touch on
issues like the validity of SCO's claimed copyrights and whether Linux
violates those copyrights, AutoZone seems to think that their outcome might
have some relevance to the charges it is facing. It will also, no doubt,
surprise readers to find out that AutoZone is having a little trouble
figuring out exactly which copyrights it is being accused of violating:
There is no reason for SCO to have been so obtuse in its pleading,
unless SCO is intentionally trying to avoid identifying the nature
and basis of its purported claims. The Linux code is freely
available to anyone to examine, and SCO has been in possession of
the code for years. Indeed, SCO was a distributor and developer of
Linux code until after it filed its lawsuit against IBM last
year. SCO therefore has substantial familiarity with, and can
readily identify, the lines, files, or organization of Linux code
that it claims infringes UNIX, and SCO can likewise readily
identify the corresponding lines, files, or organization of UNIX
that SCO claims to be infringed....
In other circumstances, AutoZone might elect to respond to SCO's
Complaint as best AutoZone could without clarification of SCO's
claims in confidence that it could later ascertain this information
from SCO in discovery. However, SCO's "hide-the-eight-ball" tactics
in the IBM case leave AutoZone with little realistic belief that
SCO will voluntarily identify the basis for its claims without this
Court's intervention. SCO filed its Complaint against IBM more than
a year ago; yet, at least as of April 18, 2004, SCO still had not
provided IBM with any reasonable identification of its claims.
One might conclude, from all of this, that AutoZone has been paying
attention to what has transpired thus far and is not in a mood to settle.
DaimlerChrysler has filed a
response to SCO's complaint (which, remember, is all about
DaimlerChrysler's failure to provide the "certification" demanded by SCO).
The text of that response is not yet available, though Groklaw may well
have it by the time you read this. DaimlerChrysler has, evidently, raised
a long list of affirmative defenses, and is asking for a summary dismissal
of the case with prejudice.
Worth a quick note: according
to the NASDAQ, there were almost 4 million shares of SCO stock
sold short as of the middle of April - an all-time high. Despite the fact
that the company's stock is pushing toward its lowest levels in almost a
year, many people seem to expect it to go lower. LWN is not in the
business of giving investment advice, and you would be well advised to
ignore us if we were. But it is worth noting that, at current volume
levels, it would take almost three weeks of trading to cover all of those
short positions. That is a recipe for a "short squeeze" and a stock price
spike. Be careful out there.
Page editor: Jonathan Corbet
Security
Review: Exploiting Software
![[Cover]](/images/ns/exploiting-software.png)
The world is full of books on how to secure systems, how to write secure
code, and how to deal with breakins. There are rather fewer books that go
into details of how to compromise software and carry out breakins. That
gap has now been filled by
Exploiting Software: How To Break Code by
Greg Hoglund and Gary McGraw. This book's purpose is not to help the
crackers; those people, according to the authors, already know about the
techniques described here. Instead, the authors wish to help programmers
and system administrators achieve better security through an understanding
of how security failures happen.
To that end, this book covers a number of ways of attacking software.
Direct reverse engineering gets a full chapter, much of which is dedicated
to things you can do with the Windows debugger. There is a chapter on
server attacks; it looks at carefully crafted input, configuration attacks,
filesystem browsing, poor authentication schemes, etc. The chapter on
client-side attacks covers cross-site scripting, embedded control
characters, and more. The creation of malicious input gets a chapter of
its own, where issues of how to track what a server does with input, tricks
with character encodings, and more are discussed; this chapter also looks
at how to get malicious input past intrusion detection systems. Buffer
overflows and format string vulnerabilities are discussed in detail;
interestingly, the authors claim that format string vulnerabilities were
known to the "black hats" for years before being more widely "discovered"
and, mostly, fixed. The book finishes with a discussion of root kits.
If you are a cracker wannabe looking to learn the trade, this book might
provide a good start - though you will still have to fill in a lot of the
details yourself. This book is not a simple cookbook for crackers, though
some of its advice ("Also, remember that a Web server will create log
files of all injection activity, which tends to stick out like a sore
thumb. If this pattern is used, clean the log files as soon as
possible.") is not necessarily useful for anybody else. The
coverage of the book is not entirely complete either; it has little space
for kernel attacks, SQL injection, or exploit generation tools, for
example. While Linux is often mentioned, the bulk of the discussion uses
Windows for its examples (though almost all of the concepts discussed apply
equally to either system). Even so, Exploiting Software is a
worthwhile addition to the bookshelf of anybody interested in security
issues - as most of us should be.
Quick review: Secure Architectures with OpenBSD
One other book that recently showed up in our mailbox is
Secure
Architectures With OpenBSD by Brandon Palmer and Jose Nazario. This
book is, primarily, a system administration manual, but, since it's for
OpenBSD, it is strongly oriented toward running secure systems. It covers
all of the usual topics, though often a bit more superficially than one
might like. The range of topics is wide, however, extending into
firewalling, Kerberos, S/Key, IPSec, IPv6, intrusion detection, etc. If
you're looking for a pure BSD administration manual, you may want to
supplement this one with the
Unix Administration Handbook or
something similar. This book, however, is a good, thorough overview of how
the OpenBSD variant of BSD is put together and how to keep it secure.
New vulnerabilities
ident2 buffer overflow
| Package(s): | ident2 |
| CVE #(s): | CAN-2004-0408 |
| Created: | April 22, 2004 |
| Updated: | April 28, 2004 |
| Description: | Jack <jack -AT- rapturesecurity.org> discovered a buffer overflow in ident2, an implementation of the ident protocol (RFC1413), where a buffer in the child_service function was slightly too small to hold all of the data which could be written into it. This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the ident2 daemon (by default, the "identd" user). |
| Alerts: | |
kernel - root exploit in MCAST_MSFILTER
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0424 |
| Created: | April 22, 2004 |
| Updated: | June 11, 2004 |
| Description: | A locally exploitable integer overflow has been found in the multicast code of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 - 2.6.3. A successful exploit could lead to full superuser privileges. |
| Alerts: | |
LCDproc: Buffer overflows and format string vulnerabilities
| Package(s): | LCDproc |
| CVE #(s): | |
| Created: | April 27, 2004 |
| Updated: | April 28, 2004 |
| Description: | Due to insufficient checking of client-supplied data, the LCDd server is susceptible to two buffer overflows and one string buffer vulnerability. If the server is configured to listen on all network interfaces (see the Bind parameter in LCDproc configuration), these vulnerabilities can be triggered remotely. |
| Alerts: | |
racoon: denial of service vulnerability
| Package(s): | ipsec-tools racoon iputils |
| CVE #(s): | CAN-2004-0403 |
| Created: | April 26, 2004 |
| Updated: | July 29, 2004 |
| Description: | racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a Denial of Service. This advisory contains additional details. |
| Alerts: | |
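The defensive check this entry is about, written here as an added example in C rather than taken from racoon or ipsec-tools: the fixed ISAKMP header layout follows RFC 2408, the 65536-byte ISAKMP_MAX_MSG cap is an assumed policy limit, and the sample datagrams are constructed. The point is that the wire length field is validated against the header size, the cap, and the bytes actually received before any caller is allowed to size a buffer from it.

```c
/*
 * Added example, not code from racoon/ipsec-tools: validate an ISAKMP
 * header's length field before trusting it for allocation or copying.
 * Header layout follows RFC 2408 section 3.1; ISAKMP_MAX_MSG is an
 * assumed policy cap, and the sample datagrams below are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28u      /* fixed header size from RFC 2408 */
#define ISAKMP_MAX_MSG 65536u   /* assumed upper bound for one message */

struct isakmp_hdr {
    uint8_t  i_cookie[8];       /* initiator cookie */
    uint8_t  r_cookie[8];       /* responder cookie */
    uint8_t  next_payload;
    uint8_t  version;           /* major/minor nibbles */
    uint8_t  exch_type;
    uint8_t  flags;
    uint32_t msg_id;
    uint32_t length;            /* total message length, host order after parsing */
};

enum isakmp_check {
    ISAKMP_OK = 0,
    ISAKMP_TRUNCATED,       /* fewer bytes received than a header */
    ISAKMP_LEN_TOO_SMALL,   /* length field smaller than the header itself */
    ISAKMP_LEN_TOO_LARGE,   /* length field above the policy cap */
    ISAKMP_LEN_MISMATCH     /* length field exceeds the bytes actually received */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Decode the fixed header from a datagram of datalen bytes.  Every check
 * runs before the caller may size a buffer from hdr->length; using that
 * field unchecked is what lets a single packet exhaust memory.
 */
enum isakmp_check isakmp_parse_hdr(const uint8_t *data, size_t datalen,
                                   struct isakmp_hdr *hdr)
{
    if (datalen < ISAKMP_HDR_LEN)
        return ISAKMP_TRUNCATED;

    memcpy(hdr->i_cookie, data, 8);
    memcpy(hdr->r_cookie, data + 8, 8);
    hdr->next_payload = data[16];
    hdr->version      = data[17];
    hdr->exch_type    = data[18];
    hdr->flags        = data[19];
    hdr->msg_id       = be32(data + 20);
    hdr->length       = be32(data + 24);

    if (hdr->length < ISAKMP_HDR_LEN)
        return ISAKMP_LEN_TOO_SMALL;
    if (hdr->length > ISAKMP_MAX_MSG)
        return ISAKMP_LEN_TOO_LARGE;
    if (hdr->length > datalen)
        return ISAKMP_LEN_MISMATCH;
    return ISAKMP_OK;
}

/* Constructed header-only datagram whose length field is len_field. */
static void make_hdr(uint8_t buf[ISAKMP_HDR_LEN], uint32_t len_field)
{
    memset(buf, 0, ISAKMP_HDR_LEN);
    memset(buf, 0xAB, 8);               /* constructed initiator cookie */
    buf[17] = 0x10;                     /* ISAKMP version 1.0 */
    buf[18] = 2;                        /* exchange type: identity protection */
    buf[24] = (uint8_t)(len_field >> 24);
    buf[25] = (uint8_t)(len_field >> 16);
    buf[26] = (uint8_t)(len_field >> 8);
    buf[27] = (uint8_t)(len_field);
}

/* Build a constructed header with the given length field and parse it as if
 * only datalen bytes (at most the 28 built) had arrived on the wire. */
enum isakmp_check check_constructed(uint32_t len_field, size_t datalen)
{
    uint8_t buf[ISAKMP_HDR_LEN];
    struct isakmp_hdr hdr;

    make_hdr(buf, len_field);
    if (datalen > ISAKMP_HDR_LEN)
        datalen = ISAKMP_HDR_LEN;
    return isakmp_parse_hdr(buf, datalen, &hdr);
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "length too small",
                                   "length too large", "length mismatch" };
    printf("honest header:      %s\n", names[check_constructed(28, 28)]);
    printf("length 0xffffffff:  %s\n", names[check_constructed(0xFFFFFFFFu, 28)]);
    printf("length 1000, 28 rx: %s\n", names[check_constructed(1000, 28)]);
    printf("length 10:          %s\n", names[check_constructed(10, 28)]);
    printf("12-byte datagram:   %s\n", names[check_constructed(28, 12)]);
    return 0;
}
```

The same three comparisons apply to every payload length that follows the header, since each payload carries its own length field that must also fit inside the bytes received.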
XFree86 minor DoS vulnerability
| Package(s): | XFree86 |
| CVE #(s): | CAN-2004-0093, CAN-2004-0094 |
| Created: | April 22, 2004 |
| Updated: | April 28, 2004 |
| Description: | XFree86 is an implementation of the X Window System, providing the core graphical user interface and video drivers. Flaws in XFree86 4.1.0 allow local or remote attackers who are able to connect to the X server to cause a denial of service via an out-of-bounds array index or integer signedness error when using the GLX extension and Direct Rendering Infrastructure (DRI). |
| Alerts: | |
Updated vulnerabilities
apache - denial of service in mod_ssl
| Package(s): | apache |
| CVE #(s): | CAN-2004-0113 |
| Created: | April 13, 2004 |
| Updated: | May 25, 2004 |
| Description: | A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49. |
| Alerts: | |
cvs: client-side file overwrite vulnerability
| Package(s): | cvs |
| CVE #(s): | CAN-2004-0180 |
| Created: | April 14, 2004 |
| Updated: | May 18, 2004 |
| Description: | The cvs client is vulnerable to a pathname vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem. |
| Alerts: | |
ethereal - multiple vulnerabilities
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: | |
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
| CVE #(s): | CAN-2004-0155 |
| Created: | April 7, 2004 |
| Updated: | August 19, 2004 |
| Description: | Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
| Alerts: | |
kdelibs: cookie disclosure
| Package(s): | kdelibs |
| CVE #(s): | CAN-2003-0592 |
| Created: | March 10, 2004 |
| Updated: | August 24, 2004 |
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
| Alerts: | |
kdepim: VCF file information reader vulnerability
| Package(s): | kdepim |
| CVE #(s): | CAN-2003-0988 |
| Created: | January 15, 2004 |
| Updated: | May 26, 2004 |
| Description: | KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. |
| Alerts: | |
kernel: symlink overflow in the iso9660 filesystem
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0109 |
| Created: | April 14, 2004 |
| Updated: | July 15, 2004 |
| Description: | The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release. |
| Alerts: | |
kernel: ext3 information leak
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0177 |
| Created: | April 21, 2004 |
| Updated: | April 26, 2004 |
| Description: | Solar Designer turned up a bug in the ext3 filesystem where blocks allocated to the journal file are not properly cleaned prior to use. This failure could expose some (random) kernel memory to an attacker, but only if that attacker can perform raw I/O to the device. |
| Alerts: | |
Linux kernel 2.2.10 failing function and TLB flush vulnerability
| Package(s): | kernel-source-2.2.10 |
| CVE #(s): | CAN-2004-0077 |
| Created: | March 18, 2004 |
| Updated: | June 4, 2004 |
| Description: | A local root exploit is possible due to early flushing of the TLB. |
| Alerts: | |
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability, issue the following command as root: `chmod -s /usr/bin/uml_net` |
| Alerts: | |
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples in libpng, a library for reading and writing PNG (Portable Network
Graphics) format files. The starting offsets for the loops are calculated
incorrectly, which causes a buffer overrun beyond the beginning of the row
buffer. |
| Alerts: |
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | July 21, 2004 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: |
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: |
Comments (none posted)
mailman denial of service
| Package(s): | mailman |
| CVE #(s): | CAN-2003-0991 |
| Created: | February 9, 2004 |
| Updated: | May 25, 2004 |
| Description: |
Matthew Galgoci of Red Hat discovered a Denial of Service (DoS)
vulnerability in versions of Mailman prior to 2.1. An attacker could send
a carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue. |
| Alerts: |
Comments (1 posted)
metamail: integer and buffer overflows
| Package(s): | metamail |
| CVE #(s): | CAN-2004-0104, CAN-2004-0105 |
| Created: | February 18, 2004 |
| Updated: | May 21, 2004 |
| Description: |
Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message. |
| Alerts: |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: |
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
denial of service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability; because that fix turned out to
be incomplete, version 2.7.10 has since been released. Users of mod_python
3.0.4 are not affected by this vulnerability. |
| Alerts: |
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CAN-2003-0594, CAN-2003-0564 |
| Created: | March 10, 2004 |
| Updated: | August 19, 2004 |
| Description: |
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
| Alerts: |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
Comments (none posted)
MySQL: temporary file vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CAN-2004-0381, CAN-2004-0388 |
| Created: | April 14, 2004 |
| Updated: | August 18, 2004 |
| Description: |
The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. |
| Alerts: |
Comments (none posted)
neon: format string vulnerabilities
| Package(s): | neon |
| CVE #(s): | CAN-2004-0179 |
| Created: | April 14, 2004 |
| Updated: | May 18, 2004 |
| Description: |
The neon WebDAV library contains format string vulnerabilities which may be exploited by a hostile DAV server. The vulnerability affects programs which use neon, including cadaver and OpenOffice.org. |
| Alerts: |
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: |
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or would need to trick a
user somehow into running a specially crafted NASL script. Read the full
advisory for additional information. |
| Alerts: |
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: |
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool. |
| Alerts: |
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
perl information leak
| Package(s): | perl |
| CVE #(s): | CAN-2003-0618 |
| Created: | February 2, 2004 |
| Updated: | April 21, 2004 |
| Description: |
Paul Szabo discovered a number of bugs in suidperl, a helper
program to run perl scripts with setuid privileges. By exploiting
these bugs, an attacker could abuse suidperl to discover information
about files (such as testing for their existence and some of their
permissions) that should not be accessible to unprivileged users. |
| Alerts: |
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
| CVE #(s): | CAN-2003-0468, CAN-2003-0540 |
| Created: | August 5, 2003 |
| Updated: | May 27, 2004 |
| Description: |
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: |
Comments (none posted)
python: buffer overflow
| Package(s): | python |
| CVE #(s): | CAN-2004-0150 |
| Created: | March 10, 2004 |
| Updated: | October 11, 2004 |
| Description: |
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
| Alerts: |
Comments (none posted)
ssmtp format string vulnerability
| Package(s): | ssmtp |
| CVE #(s): | CAN-2004-0156 |
| Created: | April 15, 2004 |
| Updated: | May 7, 2004 |
| Description: |
Max Vozeler discovered two format string vulnerabilities in ssmtp, a
simple mail transport agent. Untrusted values in the functions die()
and log_event() were passed to printf-like functions as format
strings. These vulnerabilities could potentially be exploited by a
remote mail relay to gain the privileges of the ssmtp process
(including potentially root). |
| Alerts: |
Comments (none posted)
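The mpg321, neon and ssmtp entries above all describe the same defect: text controlled by a peer or an input file reaches a printf-like function as its format argument. The following C is an added illustration of the vulnerable shape and its fix; it is not code from ssmtp, mpg321 or neon, and the "250 ok ..." input is constructed for the demo, not taken from any real exploit. A helper counts the conversion directives the attacker would have controlled, and the safe logging path shows that a literal format with a `%s` argument leaves them inert.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; none of this is ssmtp's, mpg321's or neon's code.
 * "Untrusted" text is whatever a peer or input file supplied: an SMTP
 * relay's reply line, an ID3 tag, a DAV server's response. */

/* Constructed hostile input, not from any real exploit. */
const char hostile_sample[] = "250 ok %s%s%n%x";

/* Count printf-style conversion directives in a string ("%%" is a literal
 * percent sign and is not counted). Any non-zero result means that using
 * the string as a format would let its supplier choose conversions,
 * including %n, which writes to memory. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Vulnerable shape, shown only in this comment and never compiled: the
 * untrusted string *is* the format argument.
 *
 *     void log_event_bad(const char *msg) { fprintf(stderr, msg); }
 *
 * Safe shape: the format is a string literal and untrusted text is only
 * ever consumed by a %s conversion. */
void log_event(const char *untrusted)
{
    fprintf(stderr, "%s\n", untrusted);
}

/* The same discipline for formatting into a buffer; returns what
 * snprintf() returns (the length the full message would have had). */
int format_event(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "event: %s", untrusted);
}

/* Demo: the hostile sample reaches the buffer character for character,
 * percent signs included, instead of being interpreted. */
bool safe_path_keeps_percent_literal(void)
{
    char out[64];
    format_event(out, sizeof out, hostile_sample);
    return strcmp(out, "event: 250 ok %s%s%n%x") == 0;
}
```

Compiling with `-Wformat-security` (gcc and clang) flags the `log_event_bad` shape wherever a non-literal format has no arguments, which is the quickest way to audit a code base for this class of bug.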
sysstat: temporary file vulnerability
| Package(s): | sysstat |
| CVE #(s): | CAN-2004-0107, CAN-2004-0108 |
| Created: | March 10, 2004 |
| Updated: | October 4, 2004 |
| Description: |
The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. |
| Alerts: |
Comments (none posted)
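The logcheck, MySQL, netpbm and sysstat entries all turn on the same mechanism: a program creates a temporary file under a predictable name, and a local attacker who plants a symlink at that name first gets the program to truncate and overwrite whatever the symlink points to. The C below is an added demonstration of that mechanism and of the fix, not code from any of those packages. It stages both halves inside a private scratch directory created with mkdtemp() under /tmp, so nothing outside that directory is touched; the "predicted" name app.4242 is an assumption standing in for a guessable /tmp/program.pid style name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added demonstration of the temporary-file symlink attack behind these
 * advisories; it is not logcheck's, MySQL's, netpbm's or sysstat's code.
 * Everything happens inside a private scratch directory under /tmp, so
 * nothing outside it is touched. The "predicted" name app.4242 stands in
 * for a guessable /tmp/<program>.<pid> style name (an assumption). */

/* The vulnerable pattern: a predictable name opened with O_TRUNC (or via
 * fopen(..., "w")). If an attacker has already placed a symlink there,
 * the open follows it and the victim truncates and writes the target. */
static int open_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* The hardened pattern: O_EXCL makes the open fail if anything, symlink
 * included, already exists at the name. mkstemp() combines this with an
 * unguessable name and is the usual fix in such tools. */
static int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static int read_small(const char *path, char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t r = read(fd, buf, bufsz - 1);
    close(fd);
    if (r < 0)
        return -1;
    buf[r] = '\0';
    return 0;
}

/* Returns 0 when both expectations hold: the predictable open clobbers
 * the symlink's target, and the exclusive open fails with EEXIST.
 * Any other value identifies the step that did not behave as expected. */
int symlink_attack_demo(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;

    char target[64], link[64], content[32];
    snprintf(target, sizeof target, "%s/victim-file", dir);
    snprintf(link, sizeof link, "%s/app.4242", dir);

    /* The file the attacker wants overwritten. */
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "important", 9) != 9)
        return 2;
    close(fd);

    /* The attacker plants a symlink at the name the victim will use. */
    if (symlink(target, link) != 0)
        return 3;

    int rc = 0;
    fd = open_predictable(link);
    if (fd < 0) {
        rc = 4;                         /* expected to succeed */
    } else {
        if (write(fd, "clobbered", 9) != 9)
            rc = 4;
        close(fd);
    }
    if (rc == 0 &&
        (read_small(target, content, sizeof content) != 0 ||
         strcmp(content, "clobbered") != 0))
        rc = 5;                         /* target should now be overwritten */

    fd = open_exclusive(link);
    if (fd >= 0) {
        close(fd);
        if (rc == 0) rc = 6;            /* should have been refused */
    } else if (errno != EEXIST && rc == 0) {
        rc = 7;
    }

    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}
```

The same failure mode applies to shell scripts such as mysqlbug and mysqld_multi: `> /tmp/foo.$$` follows a pre-planted symlink exactly as `open_predictable()` does, and the fix there is `mktemp` (or `mktemp -d`) rather than a name built from the process ID.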
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 9, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
Comments (1 posted)
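The check that the vulnerable tar and unzip versions were missing is a component-wise inspection of each member name before it is used as a destination path. The C below is an added illustration of that check, not code from GNU tar or Info-ZIP; the sample member list is constructed for the demo. It rejects absolute names and any name with a ".." component, while still allowing names that merely contain two dots inside a component.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not tar's or unzip's own code: decide whether an
 * archive member name may be extracted relative to the current
 * directory. Rejects empty names, absolute paths and any ".." path
 * component, since each of those lets the archive write outside the
 * extraction directory. */
bool member_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (name[0] == '/')                     /* absolute path escapes cwd */
        return false;

    const char *p = name;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                   /* ".." component */
        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

/* Walk a listing and count the members an extractor should refuse, so
 * the caller can abort before touching the filesystem. */
int count_unsafe_members(const char *const *names, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!member_name_is_safe(names[i]))
            bad++;
    return bad;
}

/* Constructed sample listing (not from a real archive). */
const char *const sample_members[] = {
    "etc/motd",                 /* ordinary relative name: allowed */
    "../../etc/passwd",         /* classic traversal: refused */
    "/etc/passwd",              /* absolute path: refused */
    "docs/..hidden/readme",     /* ".." inside a component: allowed */
    "a/b/../c",                 /* traversal in the middle: refused */
};
const size_t sample_members_len = sizeof sample_members / sizeof sample_members[0];
```

A name check alone does not cover every archive trick: an archive can also ship a symlink member pointing outside the tree and then a later member whose path goes through it, so an extractor must additionally refuse to follow symlinks it has just created, or extract into a fresh empty directory.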
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump |
| CVE #(s): | CAN-2004-0183, CAN-2004-0184 |
| Created: | March 30, 2004 |
| Updated: | September 30, 2004 |
| Description: |
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory. |
| Alerts: |
Comments (none posted)
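The property the vulnerable ISAKMP printers lacked is that every read be checked against the captured length before it happens. The C below is an added, bounded walk over the ISAKMP payload chain, not tcpdump's code; it uses only the RFC 2408 layout (a 28-byte message header whose byte 16 names the first payload type, then 4-byte generic payload headers carrying next-payload, reserved and a big-endian length that includes the header). Both sample messages are constructed for the demo; the second declares a payload length of 200 bytes while only 12 remain, which is the shape of input the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration of a bounds-checked ISAKMP payload walk; this is not
 * tcpdump's own code. Layout per RFC 2408: 28-byte header (cookies at
 * 0-15, next-payload at 16, version at 17, exchange type at 18, flags at
 * 19, message id at 20-23, length at 24-27), then a chain of payloads
 * each starting with next-payload (1), reserved (1), length (2, BE,
 * including these 4 bytes). */

#define ISAKMP_HDR_LEN 28
#define ISAKMP_NP_NONE 0

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns the number of payloads walked, or -1 if the capture is too
 * short for the message header, too short for a payload header, or a
 * payload's declared length does not fit inside the captured bytes
 * (including the degenerate length < 4 that would loop forever). */
int isakmp_count_payloads(const uint8_t *buf, size_t caplen)
{
    if (caplen < ISAKMP_HDR_LEN)
        return -1;

    uint8_t np = buf[16];                   /* type of the first payload */
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;

    while (np != ISAKMP_NP_NONE) {
        if (caplen - off < 4)               /* generic header must fit */
            return -1;
        uint16_t len = be16(buf + off + 2);
        if (len < 4 || len > caplen - off)  /* body must fit the capture */
            return -1;
        np = buf[off];                      /* next payload type */
        off += len;
        count++;
    }
    return count;
}

/* Constructed sample: header announcing an SA payload (type 1), then an
 * 8-byte SA payload followed by a 12-byte Nonce payload (type 10). */
const uint8_t sample_ok[] = {
    1,2,3,4,5,6,7,8, 9,10,11,12,13,14,15,16,   /* initiator, responder cookies */
    1,          /* next payload: SA */
    0x10,       /* version 1.0 */
    2,          /* exchange type */
    0,          /* flags */
    0,0,0,0,    /* message id */
    0,0,0,48,   /* total length 28 + 8 + 12 */
    10, 0, 0,8,  0xaa,0xbb,0xcc,0xdd,          /* SA payload, next = Nonce */
    0,  0, 0,12, 1,2,3,4,5,6,7,8,              /* Nonce payload, next = none */
};
const size_t sample_ok_len = sizeof sample_ok;

/* Same message, but the final payload claims 200 bytes while only 12 are
 * present: the "length runs past the capture" case. */
const uint8_t sample_bad[] = {
    1,2,3,4,5,6,7,8, 9,10,11,12,13,14,15,16,
    1, 0x10, 2, 0, 0,0,0,0, 0,0,0,48,
    10, 0, 0,8,   0xaa,0xbb,0xcc,0xdd,
    0,  0, 0,200, 1,2,3,4,5,6,7,8,
};
const size_t sample_bad_len = sizeof sample_bad;
```

Passing a deliberately short caplen (for instance 30, cutting the first payload header in half) exercises the other branch: the walk stops with -1 instead of reading the two missing bytes.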
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 20, 2002 |
| Updated: | October 5, 2004 |
| Description: |
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well. |
| Alerts: |
Comments (none posted)
utempter problems with symlink and strncpy
| Package(s): | utempter |
| CVE #(s): | CAN-2004-0233 |
| Created: | April 19, 2004 |
| Updated: | June 11, 2004 |
| Description: |
Steve Grubb discovered two potential issues in the utempter program:
- If the path to the device contained /../ or /./ or //, the program
did not exit as it should. It would be possible to use something like
/dev/../tmp/tty0; if /tmp/tty0 were then deleted and replaced with a
symlink to another important file, programs running with root privileges
that do no further validation could overwrite whatever the symlink pointed
to.
- Several calls to strncpy without manual termination of the string.
This would most likely crash utempter. |
| Alerts: |
Comments (none posted)
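Both utempter findings have short, mechanical fixes: refuse any device path that is not plainly under /dev (no "/../", "/./" or "//" in it), and never rely on strncpy() to terminate a string it has filled. The C below is an added illustration of those two fixes and is not utempter's code; the paths in the demo are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added illustration of the two fixes the advisory describes; this is
 * not utempter's own code. */

/* Accept only a path directly under /dev/ that contains none of the
 * "/../", "/./" or "//" sequences and does not end in "/.." or "/.".
 * A path such as /dev/../tmp/tty0 resolves outside /dev, where an
 * unprivileged user can plant a symlink. */
bool tty_path_is_sane(const char *path)
{
    static const char prefix[] = "/dev/";
    const size_t plen = sizeof prefix - 1;

    if (path == NULL || strncmp(path, prefix, plen) != 0)
        return false;
    if (strstr(path, "/../") || strstr(path, "/./") || strstr(path, "//"))
        return false;

    size_t n = strlen(path);
    if ((n >= 3 && strcmp(path + n - 3, "/..") == 0) ||
        (n >= 2 && strcmp(path + n - 2, "/.") == 0))
        return false;

    return n > plen;            /* something must follow "/dev/" */
}

/* strncpy() leaves dst unterminated when src has dstsz or more bytes.
 * This wrapper always terminates; it returns false when it had to
 * truncate, so the caller can reject the input rather than carry on
 * with a silently shortened path. */
bool copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return false;
    size_t n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);    /* includes the terminator */
    return true;
}

/* Demo: a 9-character path into an 8-byte buffer leaves a 7-character,
 * properly terminated string instead of an unterminated one. */
size_t truncated_copy_len(void)
{
    char buf[8];
    copy_bounded(buf, sizeof buf, "/dev/tty0");
    return strlen(buf);
}
```

Prefix and substring checks like these are deliberately conservative: they reject some harmless spellings (a doubled slash, for instance) so that the only paths reaching the privileged code are ones a human can see live under /dev. Rejecting truncated copies, rather than quietly using the shortened name, follows the same principle.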
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
| CVE #(s): | CAN-2004-0409 |
| Created: | April 19, 2004 |
| Updated: | November 14, 2005 |
| Description: |
The SOCKS 5 proxy code in XChat contains a stack overflow that may allow
a remote attacker to run arbitrary code. Users would have to be using XChat
through a SOCKS 5 proxy, with SOCKS 5 traversal enabled (it is disabled by
default), and be connected to an attacker-controlled proxy server. This
vulnerability may allow an attacker to run arbitrary code within the
context of the user ID of the XChat client. |
| Alerts: |