| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for May 13, 2004
The Grumpy Editor's diagram editor followup
Last week's review of several diagram editors attempted to be comprehensive, but, inevitably, a few were missed. Here, your editor will attempt to do penance by looking at a few tools which were passed over last time.![[Kivio]](/images/ns/grumpy/kivio-sm.png)
Kivio had actually
been considered for the previous article. Your editor, however, had seen a
tool which, apparently, could only draw lines and text. Thinking that
kivio must be a little too young for a real review, your editor set it
aside and moved on. Kivio users will understand the problem at this point:
your editor missed the little icon
![[Kivio icon]](/images/ns/grumpy/kivio-stencil.png){kind=small}
(shown at left)
in the toolbar which loads stencils into the system. Kivio, the main
purpose of which is the creation of flowcharts, is all about stencils. A
large set of stencils is provided with the program; they include the full
library of shapes from Dia, national flags, a map of Belgium, UML symbols, and
"people shapes" including a woman in a bikini. Working with kivio is
really a matter of finding the stencils you like, dragging them onto the
screen, and drawing lines between them.
Strangely, there seems to be no mechanism built into kivio for the creation and editing of stencils; they all would appear to come from the outside. Nothing in the menus or online documentation says anything about how to get stencils into the system. Unless, of course, you want to buy the proprietary stencil builder or get some stencils on a per-seat license from theKompany.com.
Kivio has a number of the features your editor was looking for, including layers, attachment points, etc. But the simple fact is that kivio is an awkward and difficult tool to work with. Attributes (colors, line widths, arrowheads, etc.) must be set individually for every object; there appears to be no way to get kivio to apply user-specified attributes to new objects. There is no way to adjust the dimensions of arrowheads (and, interestingly, the "start arrowhead" appears at the second point of the connector). Connectors can only be straight lines. Alignment operations are done via a separate, popup dialog. The "docker" feature, which puts tools like the layer manager on the edge of the diagram, looks cute, but the tools are forever popping in and out when the diagram is being edited. Kivio cannot export to an image file; it is limited to KOffice format or (via the print operation) PostScript or PDF.
Kivio is a reasonable tool for some simple tasks now, and may well develop into a capable, general-purpose diagram editor eventually. But it is not up to your editor's needs at this time.
![[Skencil]](/images/ns/grumpy/skencil-sm.png)
Skencil (formerly
"sketch") was highly recommended by some LWN commenters. Skencil, in its
stable version, is a Tk-based vector drawing package. This tool is
currently being reworked to use GTK instead, but that version is not yet
ready for release. Skencil has many of the typical drawing functions, and
it supports layers. It does not support attachment points, and it cannot
export to image formats.
Once again, your editor found this tool to be awkward and frustrating to work with. The interface is highly modal and confusing at times. Changing the default attributes of objects is hard. The arc-drawing tool is very confusing to use at the outset (though, once you get the hang of it, it turns out to be a powerful tool). The alignment operations require dealing with a separate dialog.
On the other hand, skencil has some slick features, such as the ability to draw text along an arbitrary path. There is a plugin mechanism allowing the addition of new features programmed in Python. Skencil also can import images in a number of formats. It may well be a useful tool for those engaged in more artistic pursuits; it is not, however, the best diagramming tool out there.
![[Inkscape]](/images/ns/grumpy/inkscape-sm.png)
Finally, your editor took a look at inkscape. As a drawing tool, inkscape has
a nice feature set; it has a reasonable set of drawing options, a full set
of path operations, etc. Perhaps the biggest omission is the lack of
support for layers. For the creation of diagrams, however, inkscape is not
the right tool. There are no attachment points, no arrowheads, and no image
export. Inkscape's priorities are simply elsewhere.
Worth a quick mention: if your main interest is the creation of UML diagrams, Umbrello may be worth checking out. It is, however, very much a special-purpose tool, with UML assumptions wired deeply into it; as such, it's not suitable for more general purpose diagramming.
To conclude: your editor will stick with dia for now for his cheesy diagram creation needs. Of all the tools reviewed, dia stands out for its focus on this particular task, the quality of its output, and its ease of use. There is a lot of development happening in this area, however; the situation could well be different next year.
What's in store for GCC
The 2004 GCC & GNU Toolchain Developers' Summit will take place June 2nd through June 4th in Ottawa, Canada. GCC developers from around the world will get together to discuss the "state of the art," and the long term roadmap for GCC.The conference presentations give some insight into the focus of the developers who are working on GCC, and technical direction for the project. For example, last year's GCC Developers' Summit included three talks on support for 64-bit systems, including the IBM's S/390 and x86-64 architecture. If last year's Summit is any example, you can expect GCC to include many of the features that are being talked about this year at the Summit.
One heavy focus that's carried over from last year is testing and benchmarking code produced by GCC. Árpád Beszédes of the University of Szeged will be speaking about the Code-Size Benchmark Environment (CSiBE) for GCC, which is used to measure the size of code produced by GCC. (Beszédes's paper from last year is available for those who are interested.) Paolo Carlini of SUSE is also focusing on performance in his presentation, on approaches being used to improve performance in the GNU Standard C++ Library v3 (libstdc++-v3).
David Edelsohn will present a paper on loop optimizations for GCC using high-level loop transformations. The loop optimizations described by Edelsohn are implemented on top of Tree SSA, which was an up-and-coming project for GCC when described at last year's GCC Developers' Summit. (Slides in PDF are available.) Now it's headed for inclusion in GCC 3.5. (See this week's Development Page for more information on Tree-SSA).
Diego Novillo will be speaking about the design and implementation of Tree SSA this year. According to Novillo, several other GCC optimizations are being implemented on top of Tree SSA as well. Dorit Naishlos will be speaking about another optimization technique, automatic vectorization, that is implemented on top of Tree SSA.
Users of the GNU Compiler for the Java Programming Language (GCJ) may be interested in Andrew Haley and Tom Tromey's paper on the new GCJ binary-compatibility ABI which will "let us upgrade the compiler and runtime library in many useful ways without requiring any application-level recompilation," instead of breaking binary compatibility with each new release. Nathan Sidwell's presentation will make the case for implementing statically typed trees in GCC, with an outline for a full conversion from dynamically typed trees.
In all, there are fifteen scheduled presentations, and two Birds of a Feather session, for the Summit. Abstracts for all of the paper presentations are available on the GCC Developers' Summit website. For those with a little extra time on their hands, registration for the event is open and it promises to be a fun three days for anyone interested in GCC and compiler development.
Quick SCO notes
SCO's suit against Novell had a day in court on May 11, when two motions were heard. SCO is trying to get this case moved back to state court, where it expects a more friendly hearing and where certain awkward issues, such as whether copyrights were actually transferred from Novell, cannot be considered. Novell, meanwhile, is opposing the move and is, instead, trying to get the whole case dismissed. Judge Kimball - the same judge presiding over the IBM case - has not yet ruled on either motion as of this writing. Groklaw has an informal transcript of the proceedings.The $50 million in capital which was pumped into SCO last October is usually termed the "BayStar investment," but, in fact, $30 million of that total came from the Royal Bank of Canada (RBC). RBC made a couple of interesting moves last week:
- $10 million of that investment has been
converted into ordinary SCO shares at $13.50 per share. The value
of SCO's stock on the market was less than half that figure at the time,
and has declined since; RBC, in other words, is taking a big loss on
part of its investment.
- The rest of RBC's investment has been sold to BayStar at an undisclosed price.
From RBC's point of view, the moves are perhaps understandable. The chances of ever getting the original investment back from SCO were small and shrinking; RBC (or whatever investor is hiding behind RBC) decided to cut its losses and get out while it still could.
BayStar's motivation is a little harder to comprehend. After all, BayStar stated last month that it wanted to redeem its investment in SCO and get out; now it has, instead, doubled the number of preferred shares it holds. One assumes that BayStar got the shares for less than their original price, but, given BayStar's public lack of confidence in SCO and its management, why is it increasing its stake in the company?
One possibility which has been raised is that BayStar wants to increase its leverage over the board of directors and thereby improve its chances of forcing management changes on SCO. The RBC shares, if converted, would give BayStar an approximately 20% stake in SCO; enough to be heard, but still nowhere near enough to dictate changes. Alternatively, BayStar may think that, by way of court, it can extract the full $40 million represented by those preferred shares from SCO.
The most ominous possibility, perhaps, is that BayStar may be maneuvering to take possession (or, at least, control) of the IBM suit after SCO collapses. That suit is, after all, the one SCO asset that BayStar sees as being worthwhile. In this scenario, the case could continue long after SCO collapses. BayStar could, conceivably, apply more financial resources to pursuing this case. But no amount of money can make SCO's claims any more legitimate.
Finally, SCO's second fiscal quarter ended on April 30; an earnings report is due within the next few weeks. One assumes that its results will be something other than spectacular. Expect the usual theatrics as SCO's management attempts to distract attention from the fact that the company is losing its traditional customers, is not selling "Linux licenses," and continues to bleed cash.
Page editor: Jonathan Corbet
Security
Compromised systems: $0.10 each
Much attention has been given to the arrest of the Sasser worm author, but, as this Register article notes, the arrest of the author of Phatbot may be more significant. Phatbot, as described by CERT, propagates from one Windows system to the next via a whole set of vulnerabilities. Once established, it connects to an IRC server and awaits orders on what to do next. Systems compromised by Phatbot can be used for spamming, DOS attacks, and more.The interesting thing, perhaps, is the note that there is a market for access to Phatbot zombie systems; the going price for "non-exclusive" use of a compromised box is estimated to be about 10 cents.
The emergence of a market for compromised systems has the potential to change the dynamics of the security landscape somewhat. Many compromises are carried out by "script kiddies" who are breaking into systems for the fun of it. Others are attacked by crackers with specific goals: access to supercomputers or confidential information, for example. People who "have nothing worth stealing" on their systems have often taken a relaxed approach to security; even if they get broken into, they claim, there is very little that can actually happen.
In a world where zombie systems can be sold, everybody has something worth stealing. As this market develops, expect an increase in attacks as crackers race each other to control vulnerable systems and the money-making potential they represent. Sooner or later, a niche market for compromised Linux systems is almost certain to come into being as well. That will not be a welcome development for system administrators who were not looking for additional motivation for attacks on their systems.
New vulnerabilities
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CAN-2003-0993 CAN-2003-0020 CAN-2003-0987 CAN-2004-0174 | ||||||||||||||||||
| Created: | May 12, 2004 | Updated: | May 26, 2004 | ||||||||||||||||||
| Description: | Versions of apache 1 through 1.3.30 include several minor vulnerabilities, including the writing of unescaped data to the error log file, a denial of service vulnerability, and a parsing failure in Allow/Deny rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement for details. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
clamav: improper string checking
| Package(s): | clamav | CVE #(s): | ||||
| Created: | May 12, 2004 | Updated: | May 12, 2004 | |||
| Description: | Versions of clamav prior to 0.70 fail to check filenames when responding to viruses; with certain configurations, this failure can allow an attacker to execute arbitrary commands. | |||||
| Alerts: |
| |||||
exim: stack-based buffer overflows
| Package(s): | exim exim-tls | CVE #(s): | CAN-2004-0399 CAN-2004-0400 | |||||||||
| Created: | May 7, 2004 | Updated: | May 14, 2004 | |||||||||
| Description: | Georgi Guninski discovered two stack-based buffer overflows.
CAN-2004-0399: When "sender_verify = true" is configured in exim.conf a buffer overflow can happen during verification of the sender. This problem is fixed in exim 4. CAN-2004-0400: When headers_check_syntax is configured in exim.conf a buffer overflow can happen during the header check. This problem does also exist in exim 4. | |||||||||||
| Alerts: |
| |||||||||||
SUSE Live CD: no-password root access
| Package(s): | SUSE Live CD | CVE #(s): | ||||
| Created: | May 12, 2004 | Updated: | May 12, 2004 | |||
| Description: | The SUSE 9.1 live CD boots with ssh connections enabled and no root password; as a result, a remote attacker can gain privileged access simply by logging in as root. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
LHA: stack buffer overflows and directory traversal flaws
| Package(s): | LHA | CVE #(s): | CAN-2004-0234 CAN-2004-0235 | ||||||||||||||||||||||||
| Created: | April 30, 2004 | Updated: | June 11, 2004 | ||||||||||||||||||||||||
| Description: | LHA is an archiving and compression utility for LHarc format archives. Ulf
Harnhammar discovered two stack buffer overflows and two directory
traversal flaws in LHA. See this advisory+patch for more details.
CAN-2004-0234: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim. CAN-2004-0235: An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
apache - denial of service in mod_ssl
| Package(s): | apache | CVE #(s): | CAN-2004-0113 | ||||||||||||
| Created: | April 13, 2004 | Updated: | May 25, 2004 | ||||||||||||
| Description: | A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49. | ||||||||||||||
| Alerts: |
| ||||||||||||||
cvs: client-side file overwrite vulnerability
| Package(s): | cvs | CVE #(s): | CAN-2004-0180 | |||||||||||||||||||||||||||||||||
| Created: | April 14, 2004 | Updated: | May 18, 2004 | |||||||||||||||||||||||||||||||||
| Description: | The cvs client is vulnerable to a pathname vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
eterm: command execution
| Package(s): | eterm | CVE #(s): | CAN-2003-0068 | |||
| Created: | April 29, 2004 | Updated: | May 5, 2004 | |||
| Description: | eterm has a vulnerability in which escape codes can be inserted by an attacker to cause the user to execute malicious commands. | |||||
| Alerts: |
| |||||
ethereal - multiple vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2004-0176 CAN-2004-0365 CAN-2004-0367 | ||||||||||||||||||||||||
| Created: | March 29, 2004 | Updated: | June 2, 2004 | ||||||||||||||||||||||||
| Description: | There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
flim: insecure file creation
| Package(s): | flim | CVE #(s): | CAN-2004-0422 | |||||||||
| Created: | May 5, 2004 | Updated: | December 16, 2004 | |||||||||
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. | |||||||||||
| Alerts: |
| |||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
iproute: local denial of service
| Package(s): | iproute net-tools | CVE #(s): | CAN-2003-0856 | ||||||||||||||||||
| Created: | November 25, 2003 | Updated: | December 14, 2004 | ||||||||||||||||||
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon | CVE #(s): | CAN-2004-0155 | |||||||||
| Created: | April 7, 2004 | Updated: | August 19, 2004 | |||||||||
| Description: | Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. | |||||||||||
| Alerts: |
| |||||||||||
racoon: denial of service vulnerability
| Package(s): | ipsec-tools racoon iputils | CVE #(s): | CAN-2004-0403 | |||||||||||||||||||||
| Created: | April 26, 2004 | Updated: | July 29, 2004 | |||||||||||||||||||||
| Description: | racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a Denial of Service. This advisory contains additional details. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kdelibs: cookie disclosure
| Package(s): | kdelibs | CVE #(s): | CAN-2003-0592 | |||||||||||||||
| Created: | March 10, 2004 | Updated: | August 24, 2004 | |||||||||||||||
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdepim: VCF file information reader vulnerability
| Package(s): | kdepim | CVE #(s): | CAN-2003-0988 | |||||||||||||||||||||
| Created: | January 15, 2004 | Updated: | May 26, 2004 | |||||||||||||||||||||
| Description: | KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: symlink overflow in the iso9660 filessytem
| Package(s): | kernel | CVE #(s): | CAN-2004-0109 | |||||||||||||||||||||||||||||||||||||||
| Created: | April 14, 2004 | Updated: | July 15, 2004 | |||||||||||||||||||||||||||||||||||||||
| Description: | The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
kernel - root exploit in MCAST_MSFILTER
| Package(s): | kernel | CVE #(s): | CAN-2004-0424 | |||||||||||||||||||||
| Created: | April 22, 2004 | Updated: | June 11, 2004 | |||||||||||||||||||||
| Description: | A locally exploitable integer overflow has been found the multicast code of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 - 2.6.3. A successful exploit could lead to full superuser privileges. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Linux kernel 2.2.10 failing function and TLB flush vulnerability
| Package(s): | kernel-source-2.2.10 | CVE #(s): | CAN-2004-0077 | ||||||
| Created: | March 18, 2004 | Updated: | June 4, 2004 | ||||||
| Description: | A local root exploit is possible due to early flushing of the TLB. | ||||||||
| Alerts: |
| ||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
kolab: password disclosure
| Package(s): | kolab | CVE #(s): | |||||||
| Created: | May 5, 2004 | Updated: | May 27, 2004 | ||||||
| Description: | Kolab stores passwords in plain text format, and these passwords can read from the underlying LDAP database. See this advisory for more information. | ||||||||
| Alerts: |
| ||||||||
libpng: denial of service vulnerability.
| Package(s): | libpng | CVE #(s): | CAN-2004-0421 | |||||||||||||||||||||||||||||||||
| Created: | April 29, 2004 | Updated: | June 11, 2004 | |||||||||||||||||||||||||||||||||
| Description: | The PNG library can accesses memory that is out of bounds when creating an error message, this can be exploited by a malformed PNG image file. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
libxml2 - arbitrary code execution
| Package(s): | libxml2 | CVE #(s): | CAN-2004-0110 | |||||||||||||||||||||||||||||||||||||||
| Created: | February 26, 2004 | Updated: | July 21, 2004 | |||||||||||||||||||||||||||||||||||||||
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
logcheck: symlink vulnerability
| Package(s): | logcheck | CVE #(s): | CAN-2004-0404 | ||||||
| Created: | April 21, 2004 | Updated: | December 22, 2004 | ||||||
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. | ||||||||
| Alerts: |
| ||||||||
mailman denial of service
| Package(s): | mailman | CVE #(s): | CAN-2003-0991 | ||||||||||||
| Created: | February 9, 2004 | Updated: | May 25, 2004 | ||||||||||||
| Description: | Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mc: multiple vulnerabilities
| Package(s): | mc | CVE #(s): | CAN-2004-0226 CAN-2004-0231 CAN-2004-0232 | |||||||||||||||||||||
| Created: | April 29, 2004 | Updated: | May 26, 2004 | |||||||||||||||||||||
| Description: | Midnight Commander has multiple vulnerabilities including buffer overflows, insecure temp files, and format string problems. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
metamail: integer and buffer overflows
| Package(s): | metamail | CVE #(s): | CAN-2004-0104 CAN-2004-0105 | |||||||||||||||
| Created: | February 18, 2004 | Updated: | May 21, 2004 | |||||||||||||||
| Description: | Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mod_python: denial of service vulnerability
| Package(s): | mod_python | CVE #(s): | CAN-2003-0973 | |||||||||||||||||||||
| Created: | January 27, 2004 | Updated: | October 4, 2004 | |||||||||||||||||||||
| Description: | Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
mozilla: multiple vulnerabilties
| Package(s): | mozilla | CVE #(s): | CAN-2003-0594 CAN-2003-0564 | ||||||||||||
| Created: | March 10, 2004 | Updated: | August 19, 2004 | ||||||||||||
| Description: | Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mpg321: format string vulnerability
| Package(s): | mpg321 | CVE #(s): | CAN-2003-0969 | ||||||
| Created: | January 6, 2004 | Updated: | March 28, 2005 | ||||||
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). | ||||||||
| Alerts: |
| ||||||||
MySQL: temporary file vulnerabilities
| Package(s): | mysql | CVE #(s): | CAN-2004-0381 CAN-2004-0388 | ||||||||||||
| Created: | April 14, 2004 | Updated: | August 18, 2004 | ||||||||||||
| Description: | The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. | ||||||||||||||
| Alerts: |
| ||||||||||||||
neon: format string vulnerabilities
| Package(s): | neon | CVE #(s): | CAN-2004-0179 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | April 14, 2004 | Updated: | May 18, 2004 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | The neon WebDAV library contains format string vulnerabilities which may be exploited by a hostile DAV server. This vulnerability exists in utilities which use neon, including cadaver and OpenOffice.org. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
Nessus NASL scripting engine security issues
| Package(s): | nessus | CVE #(s): | ||||
| Created: | May 27, 2003 | Updated: | August 12, 2004 | |||
| Description: | Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. | |||||
| Alerts: |
| |||||
netpbm: insecure temporary files
| Package(s): | netpbm | CVE #(s): | CAN-2003-0924 | |||||||||||||||||||||||||||
| Created: | January 19, 2004 | Updated: | December 29, 2004 | |||||||||||||||||||||||||||
| Description: | netpbm is graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
postfix: denial of service vulnerabilities
| Package(s): | postfix | CVE #(s): | CAN-2003-0468 CAN-2003-0540 | ||||||||||||||||||||||||
| Created: | August 5, 2003 | Updated: | May 27, 2004 | ||||||||||||||||||||||||
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
proftpd privilege escalation
| Package(s): | proftpd | CVE #(s): | ||||||||||
| Created: | April 30, 2004 | Updated: | May 19, 2004 | |||||||||
| Description: | A portability workaround was applied in version 1.2.9 of the FTP server ProFTPD. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN) ACL entries in "Allow" and "Deny" directives act like an "AllowAll" directive and so FTP clients are granted access to files and directories although the server configuration might explicitly deny this. See this bug report. | |||||||||||
| Alerts: |
| |||||||||||
python: buffer overflow
| Package(s): | python | CVE #(s): | CAN-2004-0150 | |||||||||||||||
| Created: | March 10, 2004 | Updated: | October 11, 2004 | |||||||||||||||
| Description: | Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
rsync remote file write attack
| Package(s): | rsync | CVE #(s): | CAN-2004-0426 | ||||||||||||||||||||||||||||||
| Created: | April 30, 2004 | Updated: | July 12, 2004 | ||||||||||||||||||||||||||||||
| Description: | See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected." | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
samba: local root and symlink vulnerabilities
| Package(s): | samba | CVE #(s): | |||||||
| Created: | April 29, 2004 | Updated: | May 5, 2004 | ||||||
| Description: | Two vulnerabilities in Samba have been found. Smbfs has a setuid root exploit problem, and smbprint has a tempfile symlink vulnerability. | ||||||||
| Alerts: |
| ||||||||
ssmtp format string vulnerability
| Package(s): | ssmtp | CVE #(s): | CAN-2004-0156 | |||||||||
| Created: | April 15, 2004 | Updated: | May 7, 2004 | |||||||||
| Description: | Max Vozeler discovered two format string vulnerabilities in ssmtp, a simple mail transport agent. Untrusted values in the functions die() and log_event() were passed to printf-like functions as format strings. These vulnerabilities could potentially be exploited by a remote mail relay to gain the privileges of the ssmtp process (including potentially root). | |||||||||||
| Alerts: |
| |||||||||||
sysklogd: heap overflow
| Package(s): | sysklogd | CVE #(s): | |||||||
| Created: | April 29, 2004 | Updated: | May 5, 2004 | ||||||
| Description: | Sysklogd has a memory allocation vulnerability that can allow a malicious attacker to write to unallocated memory and crash sysklogd. | ||||||||
| Alerts: |
| ||||||||
sysstat: temporary file vulnerability
| Package(s): | sysstat | CVE #(s): | CAN-2004-0107 CAN-2004-0108 | ||||||||||||||||||||||||
| Created: | March 10, 2004 | Updated: | October 4, 2004 | ||||||||||||||||||||||||
| Description: | The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip | CVE #(s): | CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399 | |||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump | CVE #(s): | CAN-2004-0183 CAN-2004-0184 | |||||||||||||||||||||||||||
| Created: | March 30, 2004 | Updated: | September 30, 2004 | |||||||||||||||||||||||||||
| Description: | TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||
| Alerts: |
| ||||||||||||||