
LWN.net Weekly Edition for May 13, 2004

The Grumpy Editor's diagram editor followup

Last week's review of several diagram editors attempted to be comprehensive, but, inevitably, a few were missed. Here, your editor will attempt to do penance by looking at a few tools which were passed over last time.

Kivio had actually been considered for the previous article. Your editor, however, had seen a tool which, apparently, could only draw lines and text. Thinking that kivio must be a little too young for a real review, your editor set it aside and moved on. Kivio users will understand the problem at this point: your editor missed the little icon [Kivio icon] (shown at left) in the toolbar which loads stencils into the system. Kivio, the main purpose of which is the creation of flowcharts, is all about stencils. A large set of stencils is provided with the program; they include the full library of shapes from Dia, national flags, a map of Belgium, UML symbols, and "people shapes" including a woman in a bikini. Working with kivio is really a matter of finding the stencils you like, dragging them onto the screen, and drawing lines between them.

Strangely, there seems to be no mechanism built into kivio for the creation and editing of stencils; they all would appear to come from the outside. Nothing in the menus or online documentation says anything about how to get stencils into the system. Unless, of course, you want to buy the proprietary stencil builder or get some stencils on a per-seat license from theKompany.com.

Kivio has a number of the features your editor was looking for, including layers, attachment points, etc. But the simple fact is that kivio is an awkward and difficult tool to work with. Attributes (colors, line widths, arrowheads, etc.) must be set individually for every object; there appears to be no way to get kivio to apply user-specified attributes to new objects. There is no way to adjust the dimensions of arrowheads (and, interestingly, the "start arrowhead" appears at the second point of the connector). Connectors can only be straight lines. Alignment operations are done via a separate, popup dialog. The "docker" feature, which puts tools like the layer manager on the edge of the diagram, looks cute, but the tools are forever popping in and out when the diagram is being edited. Kivio cannot export to an image file; it is limited to KOffice format or (via the print operation) PostScript or PDF.

Kivio is a reasonable tool for some simple tasks now, and may well develop into a capable, general-purpose diagram editor eventually. But it is not up to your editor's needs at this time.

Skencil (formerly "sketch") was highly recommended by some LWN commenters. Skencil, in its stable version, is a Tk-based vector drawing package. This tool is currently being reworked to use GTK instead, but that version is not yet ready for release. Skencil has many of the typical drawing functions, and it supports layers. It does not support attachment points, and it cannot export to image formats.

Once again, your editor found this tool to be awkward and frustrating to work with. The interface is highly modal and confusing at times. Changing the default attributes of objects is hard. The arc-drawing tool is very confusing to use at the outset (though, once you get the hang of it, it turns out to be a powerful tool). The alignment operations require dealing with a separate dialog.

On the other hand, skencil has some slick features, such as the ability to draw text along an arbitrary path. There is a plugin mechanism allowing the addition of new features programmed in Python. Skencil also can import images in a number of formats. It may well be a useful tool for those engaged in more artistic pursuits; it is not, however, the best diagramming tool out there.

Finally, your editor took a look at inkscape. As a drawing tool, inkscape has a nice feature set; it has a reasonable set of drawing options, a full set of path operations, etc. Perhaps the biggest omission is the lack of support for layers. For the creation of diagrams, however, inkscape is not the right tool. There are no attachment points, no arrowheads, and no image export. Inkscape's priorities are simply elsewhere.

Worth a quick mention: if your main interest is the creation of UML diagrams, Umbrello may be worth checking out. It is, however, very much a special-purpose tool, with UML assumptions wired deeply into it; as such, it's not suitable for more general purpose diagramming.

To conclude: your editor will stick with dia for now for his cheesy diagram creation needs. Of all the tools reviewed, dia stands out for its focus on this particular task, the quality of its output, and its ease of use. There is a lot of development happening in this area, however; the situation could well be different next year.


What's in store for GCC

May 12, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

The 2004 GCC & GNU Toolchain Developers' Summit will take place June 2nd through June 4th in Ottawa, Canada. GCC developers from around the world will get together to discuss the "state of the art," and the long term roadmap for GCC.

The conference presentations give some insight into the focus of the developers who are working on GCC, and technical direction for the project. For example, last year's GCC Developers' Summit included three talks on support for 64-bit systems, including IBM's S/390 and the x86-64 architecture. If last year's Summit is any example, you can expect GCC to include many of the features that are being talked about this year at the Summit.

One heavy focus that's carried over from last year is testing and benchmarking code produced by GCC. Árpád Beszédes of the University of Szeged will be speaking about the Code-Size Benchmark Environment (CSiBE) for GCC, which is used to measure the size of code produced by GCC. (Beszédes's paper from last year is available for those who are interested.) Paolo Carlini of SUSE is also focusing on performance in his presentation, on approaches being used to improve performance in the GNU Standard C++ Library v3 (libstdc++-v3).

David Edelsohn will present a paper on loop optimizations for GCC using high-level loop transformations. The loop optimizations described by Edelsohn are implemented on top of Tree SSA, which was an up-and-coming project for GCC when described at last year's GCC Developers' Summit. (Slides in PDF are available.) Now it's headed for inclusion in GCC 3.5. (See this week's Development Page for more information on Tree-SSA).

Diego Novillo will be speaking about the design and implementation of Tree SSA this year. According to Novillo, several other GCC optimizations are being implemented on top of Tree SSA as well. Dorit Naishlos will be speaking about another optimization technique, automatic vectorization, that is implemented on top of Tree SSA.

Users of the GNU Compiler for the Java Programming Language (GCJ) may be interested in Andrew Haley and Tom Tromey's paper on the new GCJ binary-compatibility ABI which will "let us upgrade the compiler and runtime library in many useful ways without requiring any application-level recompilation," instead of breaking binary compatibility with each new release. Nathan Sidwell's presentation will make the case for implementing statically typed trees in GCC, with an outline for a full conversion from dynamically typed trees.

In all, there are fifteen scheduled presentations, and two Birds of a Feather sessions, for the Summit. Abstracts for all of the paper presentations are available on the GCC Developers' Summit website. For those with a little extra time on their hands, registration for the event is open and it promises to be a fun three days for anyone interested in GCC and compiler development.


Quick SCO notes

SCO's suit against Novell had a day in court on May 11, when two motions were heard. SCO is trying to get this case moved back to state court, where it expects a more friendly hearing and where certain awkward issues, such as whether copyrights were actually transferred from Novell, cannot be considered. Novell, meanwhile, is opposing the move and is, instead, trying to get the whole case dismissed. Judge Kimball - the same judge presiding over the IBM case - has not yet ruled on either motion as of this writing. Groklaw has an informal transcript of the proceedings.

The $50 million in capital which was pumped into SCO last October is usually termed the "BayStar investment," but, in fact, $30 million of that total came from the Royal Bank of Canada (RBC). RBC made a couple of interesting moves last week:

  • $10 million of that investment has been converted into ordinary SCO shares at $13.50 per share. The value of SCO's stock on the market was less than half that figure at the time, and has declined since; RBC, in other words, is taking a big loss on part of its investment.

  • The rest of RBC's investment has been sold to BayStar at an undisclosed price.

From RBC's point of view, the moves are perhaps understandable. The chances of ever getting the original investment back from SCO were small and shrinking; RBC (or whatever investor is hiding behind RBC) decided to cut its losses and get out while it still could.

BayStar's motivation is a little harder to comprehend. After all, BayStar stated last month that it wanted to redeem its investment in SCO and get out; now it has, instead, doubled the number of preferred shares it holds. One assumes that BayStar got the shares for less than their original price, but, given BayStar's public lack of confidence in SCO and its management, why is it increasing its stake in the company?

One possibility which has been raised is that BayStar wants to increase its leverage over the board of directors and thereby improve its chances of forcing management changes on SCO. The RBC shares, if converted, would give BayStar an approximately 20% stake in SCO; enough to be heard, but still nowhere near enough to dictate changes. Alternatively, BayStar may think that, by way of court, it can extract the full $40 million represented by those preferred shares from SCO.

The most ominous possibility, perhaps, is that BayStar may be maneuvering to take possession (or, at least, control) of the IBM suit after SCO collapses. That suit is, after all, the one SCO asset that BayStar sees as being worthwhile. In this scenario, the case could continue long after SCO collapses. BayStar could, conceivably, apply more financial resources to pursuing this case. But no amount of money can make SCO's claims any more legitimate.

Finally, SCO's second fiscal quarter ended on April 30; an earnings report is due within the next few weeks. One assumes that its results will be something other than spectacular. Expect the usual theatrics as SCO's management attempts to distract attention from the fact that the company is losing its traditional customers, is not selling "Linux licenses," and continues to bleed cash.


Page editor: Jonathan Corbet

Security

Compromised systems: $0.10 each

Much attention has been given to the arrest of the Sasser worm author, but, as this Register article notes, the arrest of the author of Phatbot may be more significant. Phatbot, as described by CERT, propagates from one Windows system to the next via a whole set of vulnerabilities. Once established, it connects to an IRC server and awaits orders on what to do next. Systems compromised by Phatbot can be used for spamming, DOS attacks, and more.

The interesting thing, perhaps, is the note that there is a market for access to Phatbot zombie systems; the going price for "non-exclusive" use of a compromised box is estimated to be about 10 cents.

The emergence of a market for compromised systems has the potential to change the dynamics of the security landscape somewhat. Many compromises are carried out by "script kiddies" who are breaking into systems for the fun of it. Others are attacked by crackers with specific goals: access to supercomputers or confidential information, for example. People who "have nothing worth stealing" on their systems have often taken a relaxed approach to security; even if they get broken into, they claim, there is very little that can actually happen.

In a world where zombie systems can be sold, everybody has something worth stealing. As this market develops, expect an increase in attacks as crackers race each other to control vulnerable systems and the money-making potential they represent. Sooner or later, a niche market for compromised Linux systems is almost certain to come into being as well. That will not be a welcome development for system administrators who were not looking for additional motivation for attacks on their systems.


New vulnerabilities

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CAN-2003-0993 CAN-2003-0020 CAN-2003-0987 CAN-2004-0174
Created:May 12, 2004 Updated:May 26, 2004
Description: Versions of apache 1 through 1.3.30 include several minor vulnerabilities, including the writing of unescaped data to the error log file, a denial of service vulnerability, and a parsing failure in Allow/Deny rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement for details.
Alerts:
Gentoo 200405-22 2004-05-26
Mandrake MDKSA-2004:046-1 2004-05-20
Mandrake MDKSA-2004:046 2004-05-17
Trustix TSLSA-2004-0027 2004-05-13
Slackware SSA:2004-133-01 2004-05-12
OpenPKG OpenPKG-SA-2004.021 2004-05-12


clamav: improper string checking

Package(s):clamav CVE #(s):
Created:May 12, 2004 Updated:May 12, 2004
Description: Versions of clamav prior to 0.70 fail to check filenames when responding to viruses; with certain configurations, this failure can allow an attacker to execute arbitrary commands.
Alerts:
Gentoo 200405-03 2004-05-11


exim: stack-based buffer overflows

Package(s):exim exim-tls CVE #(s):CAN-2004-0399 CAN-2004-0400
Created:May 7, 2004 Updated:May 14, 2004
Description: Georgi Guninski discovered two stack-based buffer overflows.

CAN-2004-0399: When "sender_verify = true" is configured in exim.conf a buffer overflow can happen during verification of the sender. This problem is fixed in exim 4.

CAN-2004-0400: When headers_check_syntax is configured in exim.conf a buffer overflow can happen during the header check. This problem also exists in exim 4.

Alerts:
Gentoo 200405-07 2004-05-14
Debian DSA-502-1 2004-05-11
Debian DSA-501-1 2004-05-07


SUSE Live CD: no-password root access

Package(s):SUSE Live CD CVE #(s):
Created:May 12, 2004 Updated:May 12, 2004
Description: The SUSE 9.1 live CD boots with ssh connections enabled and no root password; as a result, a remote attacker can gain privileged access simply by logging in as root.
Alerts:
SuSE SuSE-SA:2004:011 2004-05-06


Updated vulnerabilities

apache - denial of service in mod_ssl

Package(s):apache CVE #(s):CAN-2004-0113
Created:April 13, 2004 Updated:May 25, 2004
Description: A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49.
Alerts:
Fedora FEDORA-2004-117 2004-05-25
Mandrake MDKSA-2004:043 2004-05-10
Red Hat RHSA-2004:182-01 2004-04-30
Conectiva CLA-2004:839 2004-04-13


cvs: client-side file overwrite vulnerability

Package(s):cvs CVE #(s):CAN-2004-0180
Created:April 14, 2004 Updated:May 18, 2004
Description: The cvs client is vulnerable to a pathname vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem.
Alerts:
Fedora FEDORA-2004-110 2004-04-22
Whitebox WBSA-2004:153-01 2004-04-19
Slackware SSA:2004-108-02 2004-04-17
Netwosix NW-2004-0011 2004-04-18
Debian DSA-486-1 2004-04-16
Gentoo 200404-13 2004-04-14
OpenPKG OpenPKG-SA-2004.013 2004-04-14
Red Hat RHSA-2004:153-01 2004-04-14
Red Hat RHSA-2004:154-01 2004-04-14
SuSE SuSE-SA:2004:008 2004-04-14
Mandrake MDKSA-2004:028 2004-04-14


eterm: command execution

Package(s):eterm CVE #(s):CAN-2003-0068
Created:April 29, 2004 Updated:May 5, 2004
Description: eterm has a vulnerability in which escape codes can be inserted by an attacker to cause the user to execute malicious commands.
Alerts:
Debian DSA-496-1 2004-04-29


ethereal - multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
Created:March 29, 2004 Updated:June 2, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory.
Alerts:
Debian DSA-511-1 2004-05-30
OpenPKG OpenPKG-SA-2004.015 2004-04-16
Red Hat RHSA-2004:137-01 2004-03-31
Mandrake MDKSA-2004:024 2004-03-30
Conectiva CLA-2004:835 2004-03-31
Red Hat RHSA-2004:136-01 2004-03-30
Netwosix NW-2004-0007 2004-03-29
Gentoo 200403-07 2004-03-28


Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15


flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01


gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14


iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24


racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07


racoon: denial of service vulnerability

Package(s):ipsec-tools racoon iputils CVE #(s):CAN-2004-0403
Created:April 26, 2004 Updated:July 29, 2004
Description: racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a Denial of Service. This advisory contains additional details.
Alerts:
Red Hat RHSA-2004:308-01 2004-07-29
Mandrake MDKSA-2004:069 2004-07-14
Fedora FEDORA-2004-197 2004-06-28
Whitebox WBSA-2004:165-01 2004-06-10
Fedora FEDORA-2004-132 2004-05-19
Red Hat RHSA-2004:165-01 2004-05-11
Gentoo 200404-17 2004-04-24


kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10


kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07


kernel: symlink overflow in the iso9660 filesystem

Package(s):kernel CVE #(s):CAN-2004-0109
Created:April 14, 2004 Updated:July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.
Alerts:
Conectiva CLA-2004:846 2004-07-15
Red Hat RHSA-2004:106-01 2004-04-21
Red Hat RHSA-2004:105-01 2004-04-21
Debian DSA-489-1 2004-04-17
Debian DSA-491-1 2004-04-17
Debian DSA-479-2 2004-04-14
SuSE SuSE-SA:2004:009 2004-04-14
Mandrake MDKSA-2004:029 2004-04-14
Fedora FEDORA-2004-101 2004-04-14
Debian DSA-482-1 2004-04-14
Debian DSA-481-1 2004-04-14
Debian DSA-480-1 2004-04-14
Debian DSA-479-1 2004-04-14


kernel - root exploit in MCAST_MSFILTER

Package(s):kernel CVE #(s):CAN-2004-0424
Created:April 22, 2004 Updated:June 11, 2004
Description: A locally exploitable integer overflow has been found in the multicast code of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 - 2.6.3. A successful exploit could lead to full superuser privileges.
Alerts:
Whitebox WBSA-2004:183-01 2004-06-10
SuSE SuSE-SA:2004:010 2004-05-05
Slackware SSA:2004-119-01 2004-04-28
Mandrake MDKSA-2004:037 2004-04-27
Red Hat RHSA-2004:183-01 2004-04-22
Fedora FEDORA-2004-111 2004-04-22
Trustix TSLSA-2004-0022 2004-04-21


Linux kernel 2.2.10 failing function and TLB flush vulnerability

Package(s):kernel-source-2.2.10 CVE #(s):CAN-2004-0077
Created:March 18, 2004 Updated:June 4, 2004
Description: A local root exploit is possible due to early flushing of the TLB.
Alerts:
Debian DSA-514-1 2004-06-04
Debian DSA-466-1 2004-03-18


kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07


kolab: password disclosure

Package(s):kolab CVE #(s):
Created:May 5, 2004 Updated:May 27, 2004
Description: Kolab stores passwords in plain text format, and these passwords can be read from the underlying LDAP database. See this advisory for more information.
Alerts:
Mandrake MDKSA-2004:052 2004-05-26
OpenPKG OpenPKG-SA-2004.019 2004-05-05


LHA: stack buffer overflows and directory traversal flaws

Package(s):LHA CVE #(s):CAN-2004-0234 CAN-2004-0235
Created:April 30, 2004 Updated:June 11, 2004
Description: LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. See this advisory+patch for more details.

CAN-2004-0234: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim.

CAN-2004-0235: An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory.

Alerts:
Whitebox WBSA-2004:178-01 2004-06-10
Debian DSA-515-1 2004-06-05
Red Hat RHSA-2004:178-01 2004-05-26
Fedora FEDORA-2004-119 2004-05-11
Gentoo 200405-02 2004-05-09
Conectiva CLA-2004:840 2004-05-06
Slackware SSA:2004-125-01 2004-05-04
Red Hat RHSA-2004:179-01 2004-04-30


libpng: denial of service vulnerability

Package(s):libpng CVE #(s):CAN-2004-0421
Created:April 29, 2004 Updated:June 11, 2004
Description: The PNG library can access memory that is out of bounds when creating an error message; this can be exploited by a malformed PNG image file.
Alerts:
Whitebox WBSA-2004:180-01 2004-06-10
Red Hat RHSA-2004:180-01 2004-05-19
Gentoo 200405-06 2004-05-14
Fedora FEDORA-2004-106 2004-05-05
Fedora FEDORA-2004-105 2004-05-05
Slackware SSA:2004-124-04 2004-05-02
Red Hat RHSA-2004:181-01 2004-04-30
Trustix TSLSA-2004-0025 2004-04-30
Debian DSA-498-1 2004-04-30
Mandrake MDKSA-2004:040 2004-04-29
OpenPKG OpenPKG-SA-2004.017 2004-04-29


libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19


libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26


logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16


mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09


mc: multiple vulnerabilities

Package(s):mc CVE #(s):CAN-2004-0226 CAN-2004-0231 CAN-2004-0232
Created:April 29, 2004 Updated:May 26, 2004
Description: Midnight Commander has multiple vulnerabilities including buffer overflows, insecure temp files, and format string problems.
Alerts:
Gentoo 200405-21 2004-05-26
Red Hat RHSA-2004:172-01 2004-05-19
Slackware SSA:2004-136-01 2004-05-14
SuSE SuSE-SA:2004:012 2004-05-14
Red Hat RHSA-2004:173-01 2004-04-30
Mandrake MDKSA-2004:039 2004-04-29
Debian DSA-497-1 2004-04-29


metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Gentoo 200405-17 2004-05-21
Debian DSA-449-1 2004-02-24
Mandrake MDKSA-2004:014 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Red Hat RHSA-2004:073-01 2004-02-18


mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13


mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

Comments (none posted)

neon: format string vulnerabilities

Package(s):neon CVE #(s):CAN-2004-0179
Created:April 14, 2004 Updated:May 18, 2004
Description: The neon WebDAV library contains format string vulnerabilities which may be exploited by a hostile DAV server. This vulnerability exists in utilities which use neon, including cadaver and OpenOffice.org.
Alerts:
Fedora FEDORA-2004-103 2004-04-14
Gentoo 200405-04 2004-05-11
Gentoo 200405-01 2004-05-09
Red Hat RHSA-2004:163-01 2004-04-30
Whitebox WBSA-2004:160-01 2004-04-19
Mandrake MDKSA-2004:032 2004-04-19
Gentoo 200404-14 2004-04-19
OpenPKG OpenPKG-SA-2004.016 2004-04-16
Netwosix NW-2004-0012 2004-04-18
Debian DSA-487-1 2004-04-16
Red Hat RHSA-2004:159-01 2004-04-15
Red Hat RHSA-2004:160-01 2004-04-14
Red Hat RHSA-2004:157-01 2004-04-14
Red Hat RHSA-2004:158-01 2004-04-14

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

proftpd privilege escalation

Package(s):proftpd CVE #(s):
Created:April 30, 2004 Updated:May 19, 2004
Description: A portability workaround was applied in version 1.2.9 of the FTP server ProFTPD. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN) ACL entries in "Allow" and "Deny" directives act like an "AllowAll" directive and so FTP clients are granted access to files and directories although the server configuration might explicitly deny this. See this bug report.
Alerts:
Gentoo 200405-09 2004-05-19
Mandrake MDKSA-2004:041 2004-04-30
OpenPKG OpenPKG-SA-2004.018 2004-04-30

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

rsync remote file write attack

Package(s):rsync CVE #(s):CAN-2004-0426
Created:April 30, 2004 Updated:July 12, 2004
Description: See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected."
Alerts:
Gentoo 200407-10 2004-07-12
Fedora FEDORA-2004-116 2004-07-01
Whitebox WBSA-2004:192-01 2004-06-10
Debian DSA-499-2 2004-06-02
OpenPKG OpenPKG-SA-2004.025 2004-05-21
Red Hat RHSA-2004:192-01 2004-05-19
Mandrake MDKSA-2004:042 2004-05-10
Slackware SSA:2004-124-01 2004-05-02
Debian DSA-499-1 2004-05-01
Trustix TSLSA-2004-0024 2004-04-29

Comments (none posted)

samba: local root and symlink vulnerabilities

Package(s):samba CVE #(s):
Created:April 29, 2004 Updated:May 5, 2004
Description: Two vulnerabilities in Samba have been found. Smbfs has a setuid root exploit problem, and smbprint has a tempfile symlink vulnerability.
Alerts:
Netwosix NW-2004-0013 2004-05-01
Gentoo 200404-21 2004-04-29

Comments (none posted)

ssmtp format string vulnerability

Package(s):ssmtp CVE #(s):CAN-2004-0156
Created:April 15, 2004 Updated:May 7, 2004
Description: Max Vozeler discovered two format string vulnerabilities in ssmtp, a simple mail transport agent. Untrusted values in the functions die() and log_event() were passed to printf-like functions as format strings. These vulnerabilities could potentially be exploited by a remote mail relay to gain the privileges of the ssmtp process (including potentially root).
Alerts:
OpenPKG OpenPKG-SA-2004.020 2004-05-07
Gentoo 200404-18 2004-04-26
Debian DSA-485-1 2004-04-14

Comments (none posted)

sysklogd: heap overflow

Package(s):sysklogd CVE #(s):
Created:April 29, 2004 Updated:May 5, 2004
Description: Sysklogd has a memory allocation vulnerability that can allow a malicious attacker to write to unallocated memory and crash sysklogd.
Alerts:
Slackware SSA:2004-124-02 2004-05-02
Mandrake MDKSA-2004:038 2004-04-28

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

utempter problems with symlink and strncpy

Package(s):utempter CVE #(s):CAN-2004-0233
Created:April 19, 2004 Updated:June 11, 2004
Description: Steve Grubb discovered two potential issues in the utempter program:
  1. If the path to the device contained /../ or /./ or //, the program was not exiting as it should. It would be possible to use something like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another important file, programs that have root privileges that do no further validation can then overwrite whatever the symlink pointed to.

  2. Several calls to strncpy without a manual termination of the string. This would most likely crash utempter.
Alerts:
Whitebox WBSA-2004:174-01 2004-06-10
Red Hat RHSA-2004:174-01 2004-05-26
Fedora-Legacy FLSA:1546 2004-05-18
Gentoo 200405-05 2004-05-13
Red Hat RHSA-2004:175-01 2004-04-30
Mandrake MDKSA-2004:031-1 2004-04-21
Fedora FEDORA-2004-108 2004-04-21
Slackware SSA:2004-110-01 2004-04-19
Mandrake MDKSA-2004:031 2004-04-19

Comments (none posted)
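
The two utempter issues above, and the "../" filtering that the tar and unzip entry describes, both come down to checking path components and terminating bounded copies. The following C sketch is an added example, not code from utempter, tar or unzip; the function names are hypothetical, the sample paths are constructed, and the rejection of absolute archive member names goes beyond what the entry states.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Walk the '/'-separated components of p and report whether any of them is
 * unacceptable. ".." is always rejected; empty components ("//" or a
 * trailing "/") and "." are rejected only when strict is non-zero.
 */
static int has_bad_component(const char *p, int strict)
{
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (strict && (len == 0 || (len == 1 && p[0] == '.')))
            return 1;
        if (slash == NULL)
            return 0;
        p = slash + 1;
    }
}

/* Device path check: must live under /dev/ and contain no "..", "." or
 * empty component, so "/dev/../tmp/tty0" cannot name a file outside /dev. */
int device_path_ok(const char *path)
{
    static const char prefix[] = "/dev/";
    size_t plen = sizeof(prefix) - 1;

    if (path == NULL || strncmp(path, prefix, plen) != 0)
        return 0;
    return !has_bad_component(path + plen, 1);
}

/* Archive member check: a relative name with no ".." component.
 * Rejecting absolute names is an assumption added for this example. */
int member_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    return !has_bad_component(name, 0);
}

/* Bounded copy that always terminates the destination, which a bare
 * strncpy() does not do when src fills the buffer.
 * Returns 1 if src fit completely, 0 if it was truncated. */
int copy_terminated(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return 0;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) < dstsize;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *devs[] = { "/dev/pts/3", "/dev/../tmp/tty0",
                           "/dev/./tty0", "/dev//tty0" };
    const char *members[] = { "docs/readme.txt", "../../etc/passwd" };
    char line[8];
    size_t i;

    for (i = 0; i < sizeof(devs) / sizeof(devs[0]); i++)
        printf("%-20s device ok: %d\n", devs[i], device_path_ok(devs[i]));
    for (i = 0; i < sizeof(members) / sizeof(members[0]); i++)
        printf("%-20s member ok: %d\n", members[i], member_name_ok(members[i]));
    printf("fit: %d, stored \"%s\"\n",
           copy_terminated(line, sizeof(line), "/dev/pts/1234567"), line);
    return 0;
}
```

A component check like this only validates the string; it does not by itself stop a later symlink swap of a file that passed the check.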

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, have enabled SOCKS 5 traversal (which is disabled by default), and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: malicious code execution

Package(s):xine-lib CVE #(s):CAN-2004-0433
Created:May 3, 2004 Updated:May 28, 2004
Description: A vulnerability exists in xine-lib where playing a specially crafted Real RTSP stream could run malicious code as the user playing the stream. More details can be found in this advisory. The problem has been fixed in xine-lib 1-rc4.
Alerts:
Gentoo 200405-24 2004-05-28
Slackware SSA:2004-124-03 2004-05-02

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

Resources

The Hackademy Journal

The Hackademy Journal is a new subscription publication aimed at coverage of security issues at a high technical level. Click below for more information.

Full Story (comments: 2)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 kernel is 2.6.6, which was announced by Linus on May 9. Changes since the last prepatch include an NTFS update, an XFS update, some small virtual memory patches, an ACPI update, various architecture updates, and lots of fixes. The list of changes since 2.6.5 is much more extensive, including POSIX message queues, significant ext2 and ext3 filesystem performance improvements, the "laptop mode" patch, 4KB stacks for the i386 architecture, non-executable stack support for several architectures, a big reiserfs update, the lightweight auditing framework, the "completely fair queueing" I/O scheduler, TCP "Vegas" congestion avoidance, and much more. The long-format changelog has the details.

As of this writing, no 2.6.7 prepatches have been released. Patches are accumulating in Linus's BitKeeper repository, however; they include a libata update, some architecture updates, the scheduling domains patch set (covered here last month), the removal of the Intermezzo filesystem due to lack of use and support, a sysctl variable giving "huge page" access to an administrator-specified group (see below), the ability to re-enable interrupts while waiting in spin_lock_irqsave() (for all architectures now), support in reiserfs for quotas and external attributes (added over Hans Reiser's objections), and lots of fixes.

The current prepatch from Andrew Morton is 2.6.6-mm1. Recent additions to -mm include backing store for sysfs (covered here last February), a number of patches for shrinking the heavily-used dentry structure, another set of (relatively small) virtual memory patches, ia64 hotplug CPU support, a generic qsort() function for the kernel, and the usual pile of fixes.

The current 2.4 kernel is 2.4.26; no 2.4.27 prepatches have been released since 2.4.27-pre2 came out on May 3.

Comments (4 posted)

Kernel development news

Magic groups in 2.6

The 2.6.6-mm1 tree includes, among many other things, patches which add two new /proc/sys variables. They are:

/proc/sys/vm/hugetlb_shm_group
If this value is non-zero, it is interpreted as a group ID which gives access to the "huge pages" feature of the 2.6 VM.

/proc/sys/vm/mlock_group
This variable behaves similarly, but it controls access to the mlock() system call (which locks memory into physical RAM) instead.

The current Linux kernel will not allow a process to perform either of the above actions unless that process has the CAP_IPC_LOCK capability; in practice, this means that the process needs to run as root. The main user of huge pages would appear to be a small program called "Oracle," which is something that many users would rather not run with root privileges. The new sysctl variables allow an administrator to give the ability to use huge pages (and mlock()) to a specific group; if Oracle runs within that group, it will be able to do what it needs without higher privileges.

These patches are not universally popular; the addition of "magic groups" with special meaning inside the kernel strikes many developers as an inelegant, un-Unix-like solution to the problem. So these developers were not happy when the hugetlb_shm_group patch was merged for 2.6.7 shortly after appearing in the -mm tree. Rather than rush an ugly hack into the kernel (which will then have to be supported indefinitely into the future), they argue, it would have been better to come up with a proper solution.

The problem, it seems, is that there are no better solutions on the horizon. Says Andrew Morton:

Capabilities are broken and don't work. Nobody has a clue how to provide the required services with SELinux and nobody has any code and we need the feature *now* before vendors go shipping even more ghastly stuff.

The problems with capabilities were covered here back in April, when this issue last came up. SELinux can, in principle, solve this problem, but there is the little disadvantage that nobody has been able to put together a production-ready, working distribution with SELinux yet. The distributors have been creating their own patches to enable Oracle to use the huge pages feature, and many of those are seen as being worse than the "magic groups" approach. Rather than see each distribution take the kernel in a different direction, Andrew merged the magic groups patch as the least evil alternative:

Nasty workarounds will be shipped to end users by vendors. That's a certainty. We cannot change this now. What I wish to do is to ensure that all users receive the *same* nasty workaround. Call it damage control.

To some, however, the control appears worse than the damage. If vendors add their own hacks, they take responsibility for maintaining those hacks, or for weaning users off of them at some future time. Pulling features out of the mainline kernel is harder. Be that as it may, for lack of a better short-term solution the "magic groups" patch is now part of 2.6.

Comments (13 posted)

4K Stacks in 2.6

Traditionally, the Linux kernel has used 8KB kernel stacks on most architectures. That stack must suffice for any sequence of calls that may result from a system call - plus the needs of any (hard or soft) interrupt handlers that may be invoked at the same time. In practice, stack overflows are pretty much unheard of in stable kernels; the kernel developers have long since learned to avoid large automatic variables, recursive functions, and other things which can use large amounts of stack space.

There have been patches circulating for some time now which reduce the kernel stack to 4KB. It is generally understood that the switch to smaller stacks will happen at some point; as a result, much work has recently gone into finding code paths in the kernel which are overly stack-hungry. Part of that effort is simply lots of testing; for that reason, recent -mm kernels no longer even offer an 8KB stack option. The hope is that, if enough people try out the smaller stacks and shake out the bugs, 4KB stacks can be merged into 2.6 in the near future.

The smaller stacks are scary to some people; it is hard to be certain that all of the possible paths through the kernel have actually been tested. 4KB stacks also break binary modules, and the nVidia drivers in particular. So there is a certain amount of pressure to defer this change into 2.7.

One might well wonder why the kernel hackers are trying to put this sort of change into a stable kernel series. The problem with 8KB stacks is that they require an "order 1" memory allocation: two pages which are contiguous in physical memory. Order 1 allocations can be very hard to satisfy once the system has been running for a while; physical memory can become so fragmented that two adjacent free pages simply do not exist. The kernel will try hard to free up pages to satisfy larger allocations; the result can be a slow, painful, thrashing system.

Each process on the system has its own kernel stack, which is used whenever the system goes into kernel mode while that process is running. Since each process requires a kernel stack, the creation of a new process requires an order 1 allocation. So the two-page kernel stacks can limit the creation of new processes, even though the system as a whole is not particularly short of resources. Shrinking kernel stacks to a single page eliminates this problem and makes it easy for Linux systems to handle far more processes at any given time.

Arjan van de Ven also made the interesting claim that the 4KB stacks are actually safer. His reasoning has to do with one other aspect of the 4KB stack patch: it moves interrupt handling onto a separate, dedicated stack. Software interrupts also get their own stack. Since interrupt handling has been moved away from the per-process kernel stack, the amount of space for system call handling remains about the same, and the stack space for interrupts has been increased.

The final decision on the integration of 4KB stacks has not yet been made; there are, seemingly, a few problems which still need to be tracked down. If things settle out, however, this fairly significant change could yet be merged into 2.6.

Comments (2 posted)

Deleting timers quickly

Kernel timers are a mechanism which allows kernel code to request that a function be called, in software interrupt context, after a given period of time has passed. They are heavily used for all sorts of delays and deferred actions within the kernel. The timer interface has been relatively stable for some time; it has not changed greatly in 2.6. Linux Device Drivers, Chapter 6 covers the timer interface in some detail.

Often, kernel code which has queued a timer finds that it needs to delete that timer. There are two functions which perform this task:

    int del_timer(struct timer_list *timer);
    int del_timer_sync(struct timer_list *timer);

del_timer() ensures that the given timer is not queued to run anywhere in the system; it returns a non-zero value if the timer actually had to be dequeued. del_timer_sync() performs the same function, but it also guarantees that the timer is not actually running on any processor in the system; it will block the current process if necessary while it waits for a running timer to complete. The stronger guarantee is often needed; an unexpected timer running in the corner can create no end of unpleasant race conditions.

Geoff Gustafson recently discovered that del_timer_sync() was one of the biggest kernel CPU hogs on a 32-processor NUMA system running "an enterprise database application." The problem is that del_timer_sync() must query each processor to ensure that the given timer is not currently running there. As the number of processors grows, this query loop takes longer to run. The situation is even worse on NUMA systems, since the loop must look at non-local (read "slow") memory for each processor.

Geoff posted a patch which solved the problem by remembering where each timer last ran. Since the kernel does not move timers across processors, the query loop in del_timer_sync() could then be reduced to looking at the single processor where the timer would have to be. It was observed, however, that a simpler solution is possible:

    if (! del_timer(timer))
        /* Do the full CPU query loop */

The idea here is that, if the timer was successfully deleted from the queue before it ran, there is no need to check to see if it is running anywhere. The only problem with this idea is that it is wrong. Timer functions can - and often do - resubmit themselves. If the timer to be deleted has resubmitted itself, but is still running, the above code will fail. If kernel code is deleting a timer, it really should first ensure that said timer will not resubmit itself, but the timer code cannot count on that behavior.

That said, some of the top callers of del_timer_sync() within the kernel are using timers which do not resubmit themselves. There is no reason why that code should pay the overhead of a full system search when, if a timer has been deleted off the queue before running, it is already guaranteed that the timer will not be running on any processor. For cases like this, a new function has been created:

    int del_singleshot_timer_sync(struct timer_list *timer);

Callers of this function must guarantee that the timer does not resubmit itself; in its current form, del_singleshot_timer_sync() will generate an oops if it detects a resubmitted timer. This function has not yet found its way into the mainline, but, given that it can yield a performance improvement of 2-3 orders of magnitude on large NUMA systems, its addition seems likely.
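
The argument above can be replayed in a small user-space model. This is an added illustration, not kernel code and not the patch discussed in the article; the `model_*` names, the per-CPU `running_timer` array and the verdict enum are assumptions of the model, and waiting for a running handler is reduced to a `MUST_WAIT` answer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_CPUS 32                      /* size of the machine in the article */

struct model_timer { bool pending; };   /* is the timer queued to fire? */

enum verdict { SAFE_TO_FREE, MUST_WAIT };

/* Model state: the timer whose handler each CPU is executing (NULL = none). */
static const struct model_timer *running_timer[NR_CPUS];
static int cpus_scanned;                /* cost of the per-CPU query loop */

/* Put the model into a known state; running_cpu < 0 means "not running". */
void model_setup(struct model_timer *t, bool pending, int running_cpu)
{
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        running_timer[cpu] = NULL;
    if (running_cpu >= 0)
        running_timer[running_cpu] = t;
    t->pending = pending;
    cpus_scanned = 0;
}

/* Modelled after del_timer(): dequeue, non-zero if the timer was queued. */
static int model_del_timer(struct model_timer *t)
{
    int was_pending = t->pending;

    t->pending = false;
    return was_pending;
}

/* The query loop: ask every CPU whether it is running this timer. */
static bool model_running_anywhere(const struct model_timer *t)
{
    bool found = false;

    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        cpus_scanned++;
        if (running_timer[cpu] == t)
            found = true;
    }
    return found;
}

/* del_timer_sync() behaviour: always dequeue, always query every CPU. */
enum verdict full_sync(struct model_timer *t)
{
    model_del_timer(t);
    return model_running_anywhere(t) ? MUST_WAIT : SAFE_TO_FREE;
}

/* The proposed shortcut: skip the query loop if the dequeue succeeded. */
enum verdict shortcut_sync(struct model_timer *t)
{
    if (model_del_timer(t))
        return SAFE_TO_FREE;            /* no CPU was asked */
    return model_running_anywhere(t) ? MUST_WAIT : SAFE_TO_FREE;
}

int scanned(void) { return cpus_scanned; }

int main(void)
{
    struct model_timer t;

    /* One-shot timer, still queued: the shortcut is right and free. */
    model_setup(&t, true, -1);
    printf("queued one-shot:   shortcut=%d scanned=%d\n",
           shortcut_sync(&t), scanned());

    /* One-shot timer already running on CPU 7: shortcut falls back to scan. */
    model_setup(&t, false, 7);
    printf("running one-shot:  shortcut=%d scanned=%d\n",
           shortcut_sync(&t), scanned());

    /* Handler on CPU 7 has resubmitted itself and is still running: the
     * dequeue succeeds, so the shortcut reports SAFE_TO_FREE too early. */
    model_setup(&t, true, 7);
    printf("re-armed, running: shortcut=%d", shortcut_sync(&t));
    model_setup(&t, true, 7);
    printf(" full=%d\n", full_sync(&t));
    return 0;
}
```

In the third scenario a caller trusting the shortcut could free the timer's data while the handler is still executing, which is the race the stronger guarantee exists to prevent.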

Comments (none posted)

Page editor: Jonathan Corbet

Distributions

News and Editorials

Knoppix 3.4 Has Landed

May 12, 2004

This article was contributed by Ladislav Bodnar

The Knoppix live CD has justly earned a reputation for staging a mini-revolution in our Linux world. By delivering an instant and portable Linux operating system that anybody could use without having to go through a sharp learning curve, the Knoppix developers have not only provided a superb rescue tool for Linux power users, they have also created the best possible advocacy tool to entice computer users not yet familiar with Linux. And although more than a hundred Knoppix clones have sprouted all over the Internet in the last year alone, none of them has surpassed the popularity of the original king of the Linux live CDs. The much-awaited Knoppix 3.4 was released last week, inclusive of all the latest software packages, and for the first time, kernel 2.6.

What's new in Knoppix 3.4? The lion's share of the development work is done by Klaus Knopper (the founder of Knoppix), Christian Perle and Fabian Franz, and much of their effort goes into one of the following four areas: software updates, hardware auto-detection, the "cloop" compressed file system, and the "knoppix-installer".

  • Software package updates. Although Knoppix releases are essentially snapshots of the Debian Sid (unstable) branch at the time of the release, it is still a pleasure to see so much up-to-date software on the CD. As an example, the latest release of Knoppix comes with some of the best desktop applications, including OpenOffice.org 1.1.1, GIMP 2.0.1, Gaim 0.77, xine-lib 1-rc4 and XMMS 1.2.10, all of which are the latest available versions at the time of writing. As for server-specific packages, their versions are just slightly behind, in line with Debian's policy of using only well-tested packages for important tasks. There is a choice of two kernels now; the default kernel remains at 2.4.26, but unless you have a problem with a particular piece of hardware, there is no reason not to boot into the shiny new 2.6.5 (by specifying "kernel26" at the boot prompt). The default desktop is KDE (version 3.2.2). Back in the days of Knoppix 3.1, it was possible to fit both of the two most popular desktop environments onto the CD, but with the rapid growth of KDE and GNOME, plus the inclusion of two kernels, the choice of desktops is now limited to KDE and a handful of low-resource ones, such as Fluxbox, IceWM, WindowMaker, and XFce (version 3.8.18). Unfortunately, some applications that were present in Knoppix 3.3 had to go; the most noticeable victims of the "downsizing" process were KOffice and TeTeX.

  • Hardware autodetection. The hardware autodetection modules were the main reason for the instant popularity of Knoppix, and it is nice to see that the scripts are being continuously updated to include some of the latest devices from hardware manufacturers. While the Knoppix changelog tends to be dry and skimpy on details about support for newly added hardware, you can rest assured that this is one aspect of Knoppix that won't get neglected. In those cases where a particular piece of hardware is not detected correctly, it is best to get in touch with the developers on the debian-knoppix mailing list and provide information about the specific hardware - in most cases it will be added to the hardware database rather quickly.

  • Cloop compressed file system. Cloop is a kernel module that adds support for a compressed, read-only block device. Thanks to cloop, the Knoppix CD normally holds almost 3 times as much software as the CD's physical capacity. This not only enables the developers to place more software on the disk; the compression also speeds up data transfer between the CD-reading device and RAM. Cloop was originally developed by the LNX-BBC project, but has now become an integral part of the development of Knoppix. And despite the existence of other compressed file systems (e.g. SquashFS, CramFS, JFFS2...), cloop has become a de facto standard among many Linux developers thanks to the popularity of Knoppix and Knoppix-based live CDs.

  • Hard disk installer. Although the experimental hard disk installer is not officially endorsed by the Knoppix project (after all, the primary purpose of Knoppix is to serve as a bootable live CD), many users find it hard to resist the desire to give Knoppix a permanent home on their hard disks. The curses-based menu-driven installer has undergone substantial changes since the early days and, unless one chooses the expert route, installing Knoppix on the hard disk is a very simple and straightforward procedure. The installation is largely automated; the installer even sets up lilo with the choice of either of the two available kernels, as well as Windows, if present on the hard disk. Bear in mind, though, that once you boot Knoppix from a partition on a hard disk, it effectively becomes Debian Sid, so any future requests for help should be directed to Debian mailing lists, rather than to Knoppix forums.
Knoppix 3.4 comes with several new features. One of them is newly added support for writing to NTFS partitions, made possible with the help of the Microsoft Captive NTFS driver. Also new in this release is the "Knoppix-Live Installer", a set of scripts capable of downloading extra packages from the Internet and "installing" them into RAM (or the swap partition) so that they can be used as if the applications were present on the Knoppix CD. The current list of available software includes the NVIDIA driver, Macromedia Flash plugin, Microsoft True Type fonts, F-Prot virus scanner, Quanta Plus, Tuxracer, and a handful of other applications.

Knoppix 3.4 continues in the tradition of excellence by providing many of the latest open source packages on the Knoppix CD, by continuously adding new hardware to its extensive hardware database, and by developing interesting new features. As the undisputed leader among Linux live CDs, Knoppix is an indispensable rescue disk, a demonstration tool, and a quick Debian installer all-in-one. An already remarkable product has just gotten better.

Comments (8 posted)

Distribution News

Astaro Security Linux

Astaro Corp. has announced the availability of Version 5 of its Astaro Security Linux, which now includes Intrusion Protection and added Virus Protection for HTTP and FTP. Click below for more information.

Full Story (comments: none)

SUSE LINUX 9.1 is available

SuSE has announced the general availability of SUSE LINUX 9.1. Click below for details.

Full Story (comments: none)

Debian GNU/Linux

The Debian Weekly News for May 11, 2004 covers the New York version of PacMan (PacManhattan), EU patents, Debian OASIS membership, documentation, the Debian-Installer release process, a draft proposal for modification of the Debian Free Software Guidelines, Debian trademarks, Debian Day at LinuxTag, and several other topics.

The upcoming stable Debian release (sarge) will feature fully integrated XML support. Multiple toolchains for XSL(T) processing, a fully standards-compliant XML catalog system, and a Debian XML policy document for both Debian developers and users provide the backbone of a complete, out-of-the-box system for XML developers and authors.

Here's some information about the DebConf key signing party.

Comments (1 posted)

Fedora News Updates

Fedora News Updates #11 is available; it features a message from project leader Cristian Gafton, notes on the Fedora Core 2 Test 3 release, an update on Fedora Legacy, and more.

Comments (none posted)

Gentoo Weekly Newsletter

The May 10 Gentoo Weekly Newsletter is out; this issue looks at the status of the Gentoo Documentation Project, proposed changes in how kernels are handled in Portage, and various other topics.

Full Story (comments: none)

Xandros Desktop OS

Xandros has announced that the Xandros Desktop OS serves as the core framework for the new line of ION laptops from Element Computer. Element customized the Xandros Desktop OS with their ION Parchment icon theme, the new Mozilla Firefox browser, and "Unbreakable Upgrade" support. Click below for press release.

Full Story (comments: none)

DistroWatch Weekly, Issue 48

The DistroWatch Weekly for May 10, 2004 looks at source based distributions and other topics.

Comments (none posted)

Mandrakelinux

Mandrakelinux updates:
  • A number of bugs have been fixed in evolution for ML 9.2.
  • A kdepim update fixes an endless loop in kaddressbook for ML 10.0.

Comments (none posted)

Slackware Linux

This week the slackware-current changelog shows upgrades to lots of GNOME packages, with a few old ones removed; KOffice has been upgraded; Linux kernel 2.6.6 is in testing; and there are bug fixes and upgrades to several other packages.

Comments (none posted)

Trustix Secure Linux

Trustix has fixed a bug in rsync 2.6.1 dealing with the sorting of the filenames.

Full Story (comments: none)

New Distributions

OpenLab GNU/Linux

OpenLab GNU/Linux is a product of South Africa's DireqLearn, an organization that seeks to make a significant positive impact on education in Africa. It is a thin client-enabled Linux distribution based on Slackware Linux, and is designed with an educational focus. It features unique desktop themes for maximum user friendliness without sacrificing compatibility, integrated thin client support that requires no complex setup, the 2.6 series kernel for maximum desktop performance, many DireqLearn enhancements, a unique system administration interface, KDE, and Dropline GNOME. OpenLab joins the list at version 3.0.5, released May 11, 2004. (Thanks to Joe Klemmer)

Comments (none posted)

Minor distribution updates

KnoppiXMAME

KnoppiXMAME has released v1.3 beta 19 with major bugfixes. "Changes: This is a preview of what 1.3 will be like, minus the features of NTFS write access and arcade monitor support. VIA AC97 sound is fixed, and the NVidia binary driver is now supplied."

Comments (none posted)

Lineox Enterprise Linux Desktop

Lineox has released v3.0 of the Lineox Enterprise Linux Desktop. Click below for more information.

Full Story (comments: none)

Onebase Linux

Onebase Linux has released 2004-r3. "This release features a number of package updates including improved kernel driver support and hardware detection. The installer itself has been given more polish and some issues were resolved. The most noted item of this release is OLM version 2.2.1, which comes with a significant amount of improvements."

Comments (none posted)

PLD Live CD

PLD Live CD has released v0.95 with major bugfixes. "Changes: [0.94] is mainly a bugfix release, in which some packages and a few script mistakes were fixed. New features include new packages (KDE 3.2.2, GNOME 2.6.1, and many more) and improved autodetection (more PCI IDs for network, IDE, and SCSI controllers and better PCMCIA controller detection). Some unusual screen resolutions for laptops are now supported. [In 0.95] The kernel has been upgraded to 2.6.6. It works on nforce2 and i865 chips now."

Comments (none posted)

ThinStation

ThinStation has released v2.0 with major feature enhancements. "Changes: The Dillo and Mozilla Firefox Web browsers were added to the contribs section. The Samba options were improved, and a USB keyring can be mounted as a Samba share. VT220 and TN5250 terminal emulators were added. rdesktop was upgraded to version 1.3.1, which features 24-bit color and sound. XFree86 was upgraded to 4.3.99.rc2. A bootable CD that works everywhere (like Knoppix) can be created. Lots of new keymaps were added. A boot splash screen with a progress bar was added. A Web Management package was added. Most software was updated to the latest versions."

Comments (none posted)

XoL - Diskless X office Linux

XoL has released v18.00 with major feature enhancements. "Changes: This version features a full desktop and OpenOffice environment in both English and German. The unique USB-TO-GO feature offers you the freedom to continue your work on any other system using XoL and a USB storage device. KDE and GNOME are included. The entire distribution fits on one standard 700MB CD. Multimedia software includes voice and video-over-IP applications, DVD-players, MP3 players, and many more. XoL can also be installed onto a hard disk."

Comments (none posted)

Distribution reviews

SuSE Linux 9.1 Personal Edition Review (JemReport)

The Jem Report reviews SuSE Linux 9.1 Personal Edition. "Personal Edition includes all of the basics: CD playing, ripping and writing software and other multimedia tools; office software in the form of the much-acclaimed OpenOffice.org suite; the KDE desktop environment; photo and graphics editing software; and the Konqueror web browser with built-in plugins for Macromedia Flash and the Sun Java Runtime Environment. In other words, you have everything you need for a standard home computer."

Comments (none posted)

Review: The Sun Java Desktop System (UnixReview.com)

Unix Review looks at the Sun Java Desktop System. "I've had JDS installed for more than two months, and I've used it off and on since then. Overall, it's a solid distribution but I can't say I was "wowed" by it. I had seen screenshots of Sun's JDS prior to actually installing it, and I was pleasantly surprised when I sat down and started using it. The screenshots I had seen certainly didn't do it justice."

Comments (none posted)

Page editor: Rebecca Sobol

Development

GCC gets a new Optimizer Framework

May 12, 2004

This article was contributed by Steven Bosscher and Diego Novillo.

Earlier this week, the first bits of a major compiler internals overhaul were merged into the development mainline of the GNU Compiler Collection (GCC) for inclusion in the next release.

GCC is used as the system compiler for GNU/Linux and many other operating systems. The system compiler is one of the components of an operating system that has a massive impact on the performance of the system as a whole. From the kernel to productivity applications, from the C library to even the compiler itself, almost all executable binaries are compiled with the system compiler, so it has to be stable and produce good code. It is therefore not surprising that major changes to the internals of a stable compiler almost never happen. But computer architectures change, so at some point an aging compiler will have to undergo big surgery or risk becoming irrelevant. And GCC is aging.

While GCC produces reasonably good code for a large number of architectures, even its most recent version essentially builds on the compiler framework started by Richard Stallman in the early 1980s. In this framework, code-improving transformations are performed on an intermediate representation called Register Transfer Language (RTL), an architecture-independent, Lisp-like assembly language. Older versions of GCC used this framework mostly for local optimizations, but such limited optimizations are insufficient for modern architectures with RISC-like properties and a significant difference between the speed of the chip and of memory access.

So, with the release of GCC 3.0, a number of global optimizations acting on RTL were introduced. Unfortunately, for many code transformations, RTL is not a suitable and effective representation because it is too close to the actual machine language. This hinders several of the high-level analyses performed by modern compilers. It has become more and more obvious that a new, high-level intermediate representation needs to be added to GCC. The Tree SSA project has been started to address this need.

The goal of the Tree SSA project is to build a completely machine-independent optimization framework based on the Static Single Assignment (SSA) form. SSA is an intermediate representation (IR) that is becoming increasingly popular because it allows efficient implementations of data flow analysis and optimizing transformations.

In SSA form, every temporary variable is only assigned a value once. Actual programs are seldom in SSA form initially, because variables tend to be assigned multiple times, not just once. An SSA-based compiler modifies the program representation so that every time a variable is assigned in the original program, a new version of the variable is created. Different versions of the same variable are distinguished by subscripting the variable name with its version number.

Variables used in the right-hand side of expressions are renamed so that their version number matches that of the most recent assignment. It is not always possible to statically determine what the most recent assignment for a given use is. These ambiguities are the result of branches and loops in the program's flow of control. To solve them, the SSA form introduces a new type of operation called PHI functions. These merge multiple incoming assignments to generate a new definition; they are placed at points in the program where the flow of control causes more than one assignment to be available.

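[Figure 1: code fragment with two switch statements and the USE-DEF chains for 'x'] [Figure 2: the same fragment after SSA conversion, with a PHI function for 'x']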

For example, consider the code fragment in Figure 1, where it may not be known at compile time which of the branches will execute. The USE-DEF chains for 'x' are drawn in the figure. In the second 'switch', the compiler has to assume that any of the assignments to 'x' in the first switch may have been executed. In this case, the SSA conversion process will introduce a PHI function for 'x' to create the needed unique definition, as shown in Figure 2.

Notice that PHI functions are an artifact used internally by the SSA form and are never emitted in the final code. The PHI function that defines 'x_4' in the previous example simply means that 'x_4' can take the value of 'x_1', 'x_2', or 'x_3' at run time.

Once the program is in SSA form, flow of control and USE-DEF chains are explicitly represented in the intermediate representation, giving almost instantaneous information to passes like constant propagation and folding. The properties of the SSA form greatly simplify data flow analysis, and indeed many traditional compiler optimizations, such as constant and copy propagation and also some forms of common subexpression elimination, are relatively straightforward and fast on functions and even whole programs represented in SSA form.
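The renaming and PHI placement described above, as an added example (not code from GCC or from the article's authors): an SSA builder restricted to acyclic control flow graphs, run on a constructed three-way switch like the one Figure 1 describes, followed by a walk of the resulting USE-DEF chains. The block names, the statement tuples and the merge-point rule are assumptions made for this illustration; loops are not handled.

```python
from collections import defaultdict
from itertools import product

# Constructed input modelled on the article's description of Figure 1: three
# switch cases each assign 'x', control merges, and 'x' is then used.
# A statement is (target, op, operands); an operand is a variable name or an int.
BLOCKS = {  # listed in topological order (the CFG is acyclic)
    "entry":  [],
    "case_a": [("x", "const", [1])],
    "case_b": [("x", "const", [2])],
    "case_c": [("x", "const", [3])],
    "join":   [("y", "add", ["x", 1])],
}
PREDS = {
    "entry": [],
    "case_a": ["entry"], "case_b": ["entry"], "case_c": ["entry"],
    "join": ["case_a", "case_b", "case_c"],
}


def to_ssa(blocks, preds):
    """Give every assignment a fresh version and insert PHIs at merge points."""
    counter = defaultdict(int)  # highest version handed out per variable
    exit_env = {}               # block -> {variable: SSA name at block exit}
    ssa = {}

    def fresh(var):
        counter[var] += 1
        return f"{var}_{counter[var]}"

    for name, stmts in blocks.items():
        incoming = [exit_env[p] for p in preds[name]]
        env, out = {}, []
        for var in sorted({v for e in incoming for v in e}):
            # Version 0 is this example's marker for "not assigned on that path".
            versions = [e.get(var, f"{var}_0") for e in incoming]
            if len(set(versions)) == 1:
                env[var] = versions[0]      # same definition on every path
            else:
                env[var] = fresh(var)       # paths disagree: merge with a PHI
                out.append((env[var], "phi", versions))
        for target, op, operands in stmts:
            # Uses are renamed first so 'x = x + 1' reads the old version.
            renamed = [env.get(o, f"{o}_0") if isinstance(o, str) else o
                       for o in operands]
            env[target] = fresh(target)
            out.append((env[target], op, renamed))
        exit_env[name] = env
        ssa[name] = out
    return ssa


def use_def(ssa):
    """Map each SSA name to its single defining statement (the USE-DEF chain)."""
    return {target: (op, operands)
            for stmts in ssa.values() for target, op, operands in stmts}


def possible_values(name, defs):
    """Follow USE-DEF chains to the set of constants a name can hold at run time."""
    if isinstance(name, int):
        return {name}
    if name not in defs:
        raise ValueError(f"{name} is used without a reaching assignment")
    op, operands = defs[name]
    sets = [possible_values(o, defs) for o in operands]
    if op == "const":
        return sets[0]
    if op == "phi":                     # a PHI may yield any incoming value
        return set().union(*sets)
    if op == "add":
        return {a + b for a, b in product(*sets)}
    raise ValueError(f"unknown operator {op!r}")


def render(ssa):
    """Format the SSA program as text, one statement per line."""
    lines = []
    for name, stmts in ssa.items():
        lines.append(f"{name}:")
        for target, op, operands in stmts:
            args = ", ".join(map(str, operands))
            lines.append(f"  {target} = {args}" if op == "const"
                         else f"  {target} = {op.upper()}({args})")
    return "\n".join(lines)


if __name__ == "__main__":
    ssa = to_ssa(BLOCKS, PREDS)
    print(render(ssa))
    print(sorted(possible_values("y_1", use_def(ssa))))
```

Because every SSA name has exactly one definition, `use_def` is a plain dictionary lookup, which is why analyses such as constant propagation become cheap once the program is in this form.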

Before work on these optimizations could start, a whole new optimization framework had to be implemented:

  • A new intermediate representation.

    GCC already constructed each function as an abstract syntax tree (AST), but there was no single AST representation in GCC. Instead, each language defined its own trees which were translated piecewise to RTL and then optimized in the old framework. With Tree SSA, two new language independent representations have been added to resolve this issue.

    All the language front-ends now emit a very high-level IR called GENERIC. Each function is handed over to the language independent parts of the compiler as a tree in GENERIC form. Next, this tree is lowered to GIMPLE form, another new IR derived from the SIMPLE representation proposed by the McCAT project out of McGill University.

    The GIMPLE representation looks like three-address code. All side effects are explicit so that a function in GIMPLE form is ready for analysis. Most of the existing front-ends have been modified to emit GENERIC so that they can be optimized using Tree SSA. The next release will also include a Fortran 95 front-end, which is the first front-end built directly to emit GENERIC.

  • Analyses for rewriting the GIMPLE representation in SSA form.

    In the old framework, no optimizations were performed on the AST. This meant that there was no need for a control flow graph, or for data flow analysis to be performed. All of this is now necessary before a representation can be rewritten into SSA form.

    To avoid unnecessary code duplication, a lot of effort was spent on rewriting the old framework so that it was possible to share many of the basic control flow graph manipulations between the old and the new framework. Data flow analyses had to be implemented from scratch.

    One particularly interesting analysis is alias analysis. GCC now implements several types of alias analysis: type-based flow-insensitive analysis, flow-insensitive points-to analysis, and flow-sensitive points-to analysis. Most analyses are currently intra-procedural, although some inter-procedural analyses are partially implemented or planned.

  • Passes for performing the actual code optimizations.

    Passes that have already been implemented include sparse conditional constant propagation, partial redundancy elimination, dead code and dead store elimination, and scalar replacement of aggregates. Also, a lot of dominator tree based optimizations and some conditional execution conversions have been implemented. Many of these passes replace equivalent passes that work on RTL.

All the new parts together account for about 100,000 lines of new code, not including the many changes to existing parts of the compiler. The framework implemented as part of the Tree SSA project adds a whole new path to the compilation process, while no RTL passes have been disabled yet.

Still, a compiler with the Tree SSA passes enabled is not significantly slower than the recently released GCC 3.4.0, and a number of very expensive passes in the RTL framework have already been subsumed by Tree SSA passes. Once these RTL passes have been disabled and removed, the resulting compiler will be a lot faster than GCC 3.4.0, while the generated code is at least as good, and often better.

Comments (25 posted)

System Applications

Audio Projects

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include new versions of Ecasound, Seq24, Libfishsound, and Aeolus.

Comments (none posted)

Database Software

SQL Database Access with DBTags (O'ReillyNet)

Deepak Vohra explains the use of Jakarta DBTags on O'Reilly. "Jakarta DBTags is a custom tag library that consists of tags to access and modify a database. This tutorial explains the procedure to incorporate Apache Jakarta DBTags custom tag library tags in an example JSP."

Comments (none posted)

PostgreSQL Weekly News

The May 11, 2004 edition of the PostgreSQL Weekly News is out with several new PostgreSQL database articles.

Full Story (comments: none)

Interoperability

New stable Samba releases

The Samba project has announced the release of Samba 3.0.4. This is the version that production Samba servers should be running. Samba 2.2.9 is also out.

Comments (none posted)

Libraries

libxml++ 2.6.1 (stable) released

Version 2.6.1 of libxml++, a C++ wrapper for the libxml XML parser library, is out. "This release fixes 2 annoying bugs found in libxml++ 2.6.0."

Full Story (comments: none)

libxml++ 1.0.3 (stable) released

Version 1.0.3 of libxml++, a C++ wrapper for the libxml XML parser library, is available and features bug fixes.

Full Story (comments: none)

Mail Software

Milter.org announcements

The milter.org mail filtering site lists new versions of SPF Milter and milter-spamc.

Comments (none posted)

Medical Software

FreeMED 0.7.0 Beta 4 Released (LinuxMedNews)

Version 0.7.0 Beta 4 of FreeMED, an open source medical practice management and electronic and computer records system, has been announced. "This release consists mostly of packaging fixes and user contributed bugfixes, as well as more specialized reports. All users who are currently testing the 0.7.0 beta series should upgrade to this release."

Comments (none posted)

Printing

LinuxPrinting.org changes

The LinuxPrinting.org site mentions the availability of new PPD files from Kyocera.

Comments (none posted)

LPRng-3.8.27 released

Version 3.8.27 of the LPRng printing system is available. Change information is in the source code.

Comments (none posted)

Web Site Development

Bricolage 1.8.0 Arrives (use Perl)

Version 1.8.0 of Bricolage, a Perl-based content management and publishing system, has been announced. "Version 1.8.0 represents a significant new pinnacle for the much-lauded open source content management and publishing system. This release offers more new features, improvements, and performance gains than any previous release."

Comments (none posted)

CPS 3.1.0 (development branch) has been released today.

Development version 3.1.0 of CPS, a collaborative Web content management system, is out. "CPS 3.1.0 (development branch) is an intermediate release that takes place in the development process of the future stable release of CPS3, which will be CPS 3.2.0 (stable branch). It is fairly stable, and most of the products are currently used in production, but, except for unit tests which are usually written along the code, it has not received yet a thorough QA process. Some API may also change until CPS 3.2."

Full Story (comments: none)

mnoGoSearch-php-3.2.5 is out

Version 3.2.5 of mnoGoSearch-php, the PHP front-end to the mnoGoSearch-php web site search engine, is available. See the ChangeLog for more information.

Also, version 1.88 of mnoGoSearch-php-extension has been released.

Comments (none posted)

OpenPSA 1.9.0 Released

Version 1.9.0 of OpenPSA is available. "Nemein has released the first Open Source licensed version of the OpenPSA suite. OpenPSA is a management software package for consultancies including project tracking, CRM, help desk, group calendaring and document management functionalities."

Full Story (comments: none)

SC-Track Roundup 0.7 available

Version 0.7 of the Roundup, an Issue-Tracking System for Knowledge Workers with command-line, web, and e-mail interfaces, is available. This version adds a lot of new features.

Full Story (comments: none)

TBNL toolkit announced

The TBNL toolkit project has been announced. "TBNL is a new "toolkit for building dynamic websites with Common Lisp" by Edi Weitz. It is based on Apache for HTTP communication between the server and the browser, and mod_lisp for communication between the server and Lisp."

Full Story (comments: none)

UnCommon Web 0.2.1 released

Version 0.2.1 of UnCommon Web, a Common Lisp-based web application development framework, is out. "The new features in this version are component threads, improved error handling and application administration, improved TAL environments."

Full Story (comments: none)

ZopeMag Weekly News

Issue #30 of the ZopeMag Weekly News is available with another collection of Zope related articles.

Comments (none posted)

Miscellaneous

Ganymede 1.0.12 archive fixed

The recently released version 1.0.12 of the Ganymede metadirectory system had installation problems. The version has been re-released.

Full Story (comments: none)

Desktop Applications

Audio Applications

Audacity 1.2.1 released

Version 1.2.1 of Audacity is available. "Audacity 1.2.1 is a new stable version of the free Audacity sound editor. This release fixes several minor bugs that were found in Audacity 1.2.0. It also includes several new and updated translations."

Comments (none posted)

Ecasound 2.3.3 released

Version 2.3.3 of Ecasound, an audio processing utility, is out. This is the first stable release for 2004; numerous bugs have been fixed.

Full Story (comments: none)

Muine 0.6.1 released

Version 0.6.1 of Muine, a GUI-based music player, is out. "This release mainly includes a workaround for a Mono bug that caused compilation problems with 0.6.0 for many people. Upgrade to 0.6.1 if 0.6.0 didn't compile for you." Version 0.6.0 featured some performance improvements.

Full Story (comments: none)

WaveSurfer 1.6.4 released

Version 1.6.4 of WaveSurfer, a sound visualization and manipulation tool, is out. The changes include a new chooser dialog, file splitting by transcriptions, updated demos, bug fixes, and more.

Comments (none posted)

Desktop Environments

GDM 2.6.0.2 stable is out

Version 2.6.0.2 stable of GDM, the GNOME Display Manager, is out. "This release has some major bugfixes especially some long pending PAM fixes and basically I integrated a bunch of patches from bugzilla. Also the IPv6 support is now off by default since it's still not as reliable as the IPv4 code, and really, if you need IPv6 for your private lab of X terminals, there is something wrong with your head."

Full Story (comments: none)

Metacity 2.8.1 released

Version 2.8.1 of Metacity, a window manager for GNOME 2, is out with bug fixes and improved translations.

Full Story (comments: none)

Bag of Software (GnomeDesktop)

GnomeDesktop.org mentions the release of new versions of three GNOME applications. "New releases of Passpartout, the GNOME CPUFreq Applet and Notify are now available."

Comments (none posted)

KDE 3.3 Release to Coincide with KDE Community World Summit (KDE.News)

A new release of KDE is being planned. "Developers should make sure to get the stuff listed they plan to have ready for 3.3 in the planned-features document as soon as possible. KDE 3.3 Alpha is prepared around May 23rd and June 1st will see the first freeze (excluding outstanding listed features and i18n strings) kicking in."

Comments (none posted)

KDE-CVS-Digest (KDE.News)

The May 7, 2004 KDE-CVS-Digest is out; here's the content summary: "KMail adds filter for attachments and Evolution import. KDE has a new configuration creator and editor. Work continues on Quanta PHP debugger, KJSEmbed with more examples, KDevelop documentation browser, Kexi query designer and much more."

Comments (none posted)

Tutorial: Write your own KFile Plugins (KDE.News)

KDE.News points to a tutorial on KFile plugins. "For those not familiar, a KFile plugin is the meta-data magic that powers the "MetaInfo" tab when you display the properties of a file, and the Info List View in Konqueror. It's easy to write one, and there are a lot of file formats we don't have support for yet. This is a fun way to get into KDE development!"

Comments (none posted)

Electronics

XCircuit 3.2.16 released

Version 3.2.16 of XCircuit, an electronic schematic drawing program, is out. Here are the changes for this version: "Autoconf fix for Solaris, to handle the gcc compiler with the non-gcc linker. Created local version of strdup() to do its allocation through Tcl_Alloc(). Modified the library manager "library import" routine to load any library instances of an object in addition to the object itself. Added the ability to ignore a specific element when selecting."

Comments (none posted)

Financial Applications

SQL-Ledger 2.2.7 released

Version 2.2.7 of SQL-Ledger, a web-based accounting system, is out. The changes include a revised reconciliation screen, a new reconciliation report capability, a new backup routine, and more.

Comments (none posted)

Games

WorldForge Weekly News

The May 7, 2004 edition of the WorldForge Weekly News is out with the latest WorldForge game project developments.

Comments (none posted)

Graphics

An Introduction to GraphViz and dot (O'Reilly)

Michele Simionato explores dot and GraphViz on O'Reilly. "First of all, let me make clear that dot is not just another paint program, nor a vector graphics program. dot is a scriptable, batch-oriented graphing tool; it is to vector drawing programs as LaTeX is to word processors. If you want to control every single pixel in your diagram, or if you are an artistic person who likes to draw free hand, then dot is not for you. dot is a tool for the lazy developer, the one who wants the job done with the minimum effort and without caring too much about the details."

Comments (none posted)

GIMP Animation Package version 2.0.2 Released

Version 2.0.2 of gimp-gap is out. "gimp-gap 2.0.2 is a bug-fix release of the GIMP Animation Package. If you had problems to use GAP with GIMP 2.0.1, please upgrade to this version."

Comments (none posted)

GUI Packages

vtkFLTK 0.4.5 released

Version 0.4.5 of vtkFLTK, a C++ class library for interfacing with VTK, has been announced. "The 0.4.5 release of vtkFLTK eliminates annoying improper redrawing of sibling widgets upon parent resize. This was the last of the known runtime bugs experienced with vtkFLTK and represents a major milestone for the quality of the library."

Comments (none posted)

Interoperability

Wine 20040505 released

Version 20040505 of Wine has been announced. Changes include filesystem improvements, drive autodetection, Direct3D improvements, sound driver fixes, and other bug fixes.

Comments (none posted)

Music Applications

galan 0.3.0-beta6 released

Version 0.3.0-beta6 of galan, The Graphical Audio Language, has been released. "This release has vst(i) support through libfst. So if you ever wanted to wire up networks of vst plugins and instruments, you can do this now."

Full Story (comments: none)

jMax 4.1.0 released (SourceForge)

Version 4.1.0 of jMax is available. "jMax is a visual programming environment for building interactive real-time musical and multimedia applications. This release is the first release with ASIO support for Windows. There is also a lot of bug fixes."

Comments (none posted)

Office Suites

OpenOffice.org build 1.1.55 is out

Build 1.1.55 of OpenOffice.org is available. "This package contains the desktop integration work for OpenOffice.org, and a much simplified build wrapper, making an OO.o build / install possible for the common man. It is a staging ground for up-streaming patches to OO.o."

Full Story (comments: none)

PDA Software

Guikachu 1.4.0 released

Version 1.4.0 of Guikachu, the premier solution for creating PalmOS resource files on UNIX operating systems, is out. This release has many new features and improvements.

Full Story (comments: none)

Web Browsers

Mozilla 1.4.2 Released (MozillaZine)

Stable version 1.4.2 of the Mozilla browser has been announced. "This latest release from the 1.4 branch features only bug fixes (no new features) and will be mainly of interest to developers building products from the stable branch. Most end-users will want Mozilla 1.6 or the upcoming Mozilla 1.7."

Comments (none posted)

mozilla.org Status Update (MozillaZine)

The May 3, 2004 edition of the Mozilla.org Status Update has been announced. "It includes news on Mozilla 1.7 Release Candidate 1, Mozilla Thunderbird 0.6, Camino, the default build configuration, Mozilla Firefox and Mozilla Thunderbird extensions, the Mozilla newsgroups, the RDF module, newsgroup filters, Find in This Page…, FTP upload, the UIEvent interface, junk mail controls, phishing, XPI software installation, cookies and more."

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The minutes of the April 26, 2004 Mozilla.org staff meeting are available. "Issues discussed include Mozilla 1.7 final and Mozilla Thunderbird 0.6."

Comments (none posted)

Miscellaneous

gi8k 1.2.2 released

Version 1.2.2 of gi8k is out with minor bug fixes. "gi8k is a small Gnome applet that reads the CPU temperature and fan speeds on Dell laptops. It also allows direct control over the fans by simply clicking on the applet."

Full Story (comments: 1)

HylaFAX/libtiff incompatibility

Users of the HylaFAX fax modem software who have libtiff 3.6.1 should be sure to apply this patch, which fixes an incompatibility problem.

Comments (none posted)

Quanta 3.3 BE 2 Released (KDE.News)

Version 3.3 BE (Bleeding Edge) 2 of Quanta, a web development tool for the K Desktop Environment, has been announced. "The Quanta team has just released the first Bleeding Edge technology preview of Quanta from the new kdewebdev module. This includes KMDI, CSS enhancements, a new link checker, imagemap editor and a new embedded PHP debugging interface."

Comments (none posted)

Languages and Tools

Assembly Language

Why Learning Assembly Language Is Still a Good Idea (O'Reilly)

Randall Hyde talks about code efficiency and assembly language skills on O'Reilly. "Because greatness is a multifaceted attribute, a short article such as this one cannot begin to describe all the possible components of a great piece of software. Instead, this article will describe one component of writing great code that has been neglected in recent years as computer systems have increased in capacity and power: efficiency."

Comments (none posted)

C++

Use shared objects on Linux

Sachin O. Agrawal explains shared objects on IBM's developerWorks. "Making the most of shared memory isn't always easy. In this article, IBM's Sachin Agrawal shares his expertise in C++, showing how the object-oriented among us can take key advantage of a uniquely useful interprocess communications channel."

Comments (none posted)

Java

XDoclet v1.2.1 released (SourceForge)

Version 1.2.1 of XDoclet, a Java code generator, is available. "v1.2.1 is mainly a bug fix release, plus a couple of new modules have been added to support the Spring framework and OpenEJB application server."

Comments (none posted)

Perl

This Week on perl5-porters (use Perl)

The May 3-9, 2004 edition of This Week on perl5-porters is available. "On the menu of the P5P summary this week, you will find language constructions, segmentation faults, proposals for new tied methods, pronunciation issues, and (in fine) a few bugs."

Comments (none posted)

This Week on Perl 6

The May 07, 2004 edition of This Week on Perl 6 is available with the latest Perl 6 discussion topics.

Comments (none posted)

Building Testing Libraries (O'Reilly)

Casey West covers Perl testing issues on O'Reilly. "Testing is an important step in developing any important body of work. In today's pragmatic culture, we're taught to test first, test often, and design with tests. The expectation is that chanting "test test test" forgives all sins. To a large extent, this is true. Testing helps us produce quality software at all scales. The extreme code produced by this extreme lifestyle hides in the test suite itself. Often the ugliest code we write resides in files with a .t extension. Riddled with redundant, ghastly expressions, the test suite is the collateral damage on our road to beautiful production code. Let's review some common pitfalls made when testing."

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The May 10, 2004 edition of Dr. Dobb's Python-URL! is out with this week's Python language article links.

Full Story (comments: none)

Dive Into Python

Version 5.3 of Dive Into Python, a free online Python book, is out. See the revision history for details on what's new.

Comments (none posted)

PyAlsa 0.0.1 is available

Version 0.0.1 of PyAlsa is available. PyAlsa is a Python language wrapper for the ALSA audio driver's mixer.

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The May 10, 2004 edition of Dr. Dobb's Tcl-URL! is available with more Tcl/Tk article links.

Full Story (comments: none)

XML

UML, XMI, and code generation, Part 2 (IBM developerWorks)

Benoît Marchal continues his IBM developerWorks series on UML with part two. "In the second part of this series on UML and XML, Benoît introduces the UML metamodel. He proceeds to XMI, the XML-based specification for the exchange of models. He then shows how to map from the metamodel to XML schema. As an illustration, he includes two stylesheets that provide simple round-trip engineering between UML and XML."

Comments (none posted)

Utility Stylesheets, Part Two (O'Reilly)

Bob DuCharme continues his series on XML Stylesheets with part two. "Last month we looked at some short utility stylesheets, each dedicated to a specific task that may be necessary with a wide variety of XML documents: stripping empty paragraphs, converting mixed content to element content, and adding ID values to elements. Stylesheets like these can serve as building blocks in the creation of a large, complex workflow composed of pipelined modular processes. This week, we'll look at several more such stylesheets."

Comments (none posted)

Editors

MlView 0.6.3 released

Version 0.6.3 of MlView, an XML editor for GNOME, is out. "This release adds tons of bug fixes, a lot of polishing and also some internal architecture enhancements to prepare the future. It's also the first version of MlView that is 100% gtk+2 based."

Full Story (comments: none)

IDEs

Build GUIs with the Eclipse Visual Editor project (IBM developerWorks)

David Gallardo introduces the Eclipse Visual Editor project on IBM's developerWorks. "Like many Eclipse.org projects, the goal of the Visual Editor project is to build a tool for building tools -- in this case, tools for building graphical user interfaces. The most interesting thing about the Visual Editor Project is that it has already released a reference implementation. The Visual Editor release 0.5 is a GUI builder for AWT/Swing applications, an Eclipse feature that has long been awaited. Coming soon in release 1.0, slated for delivery in mid-2004, is added support for SWT. In this article, you'll get an overview of Visual Editor and the technology behind it, along with a short demonstration of Visual Editor 0.5's features for building AWT/Swing applications and a preview of the SWT support in Visual Editor 1.0."

Comments (none posted)

Profilers

OProfile 0.8 released

Version 0.8 of OProfile, a code profiler, has been released. "New in this release is experimental call-graph profiling support, new hardware support, support for separate debug files, and some important bug fixes."

Comments (none posted)

Test Suites

Use Jython to build JUnit test suites

Michael Nadel works with JUnit TestSuite classes on IBM's developerWorks. "Developers decide to automate unit tests for a number of reasons. Many take it even a step further and automate the location and execution of those tests. But what if you need your test harness to act as if it were statically defined? Follow along with developer Michael Nadel and see how to use Python to feign statically defined JUnit TestSuite classes."

Comments (none posted)

Version Control

cvsdelta 1.7.0 Released

Version 1.7.0 of cvsdelta, a utility that lists what has changed in a CVS repository, is out. The news file says: "Fixed handling of newly added files. Fixed so that files pending removal are not attempted to be re-removed. Made banner (header and footer) optional. Fixed errors in --no-changes mode. Fixed to handle different output for files not found for a revision or date."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Bad laws, bad code, bad behavior (ZDNet)

News.com looks at bad laws in the U.S. including a new bill which would require parental consent before installing "peer to peer" software. "Software distribution sites like those of SourceForge and the Comprehensive Perl Archive Network would be outlawed, if they did not follow these byzantine legal rules, which include obtaining 'verifiable parental consent,' if the downloader is a minor, ensuring that the software can be readily uninstalled, keeping 'records of its compliance' and so on. Anyone running such a Web site outside the United States would be required to hire a "resident agent" and file reports with the FTC--hardly a boon to the burgeoning global open-source movement."

Comments (7 posted)

Living Down to a Low Standard (ComputerWorld)

Nicholas Petreley trashes GNOME 2.6 in a ComputerWorld column. "Of all the criticisms one might lodge against GNOME, it's the hypocrisy of its design philosophy that looms largest. GNOME grew out of the desire to free people from Microsoft's ability to dictate what users can or can't do. Yet GNOME is built on the premise that its developers are so much wiser than users when it comes to navigating folders and setting colors that GNOME users shouldn't have a choice in the matter."

Comments (110 posted)

Benchmarking Filesystems (LinuxGazette)

LinuxGazette compares journaling filesystems. "I recently purchased a Western Digital 250GB/8M/7200RPM drive and wondered which journaling file system I should use. I currently use ext2 on my other, smaller hard drives. Upon reboot or unclean shutdown, e2fsck takes a while on drives only 40 and 60 gigabytes. Therefore I knew using a journaling file system would be my best bet. The question is: which is the best? In order to determine this I used common operations that Linux users may perform on a regular basis instead of using benchmark tools such as Bonnie or Iozone. I wanted a "real life" benchmark analysis."

Comments (20 posted)

Trade Shows and Conferences

The Linux Audio Conference 2004 (Linux Journal)

Dave Phillips reports from the Linux Audio Software Conference in the Linux Journal. "Developer Bob Ham revealed plans for his Linux Audio Session Handler (LASH), a system for saving and restoring the states of and connections between any number of LASH-aware audio applications. LASH is a much-needed system. As Linux audio applications continue to subscribe to the JACK bus, a means for saving and restoring their states becomes most valuable."

Comments (4 posted)

Open Source in Africa (O'ReillyNet)

Here's an O'ReillyNet report from the Africa Source conference. "This meeting, called Africa Source, was the first event of its kind, bringing together developers from roughly 25 countries on the continent, as well as visitors from a dozen countries outside Africa. Africa Source had several organizers, including SchoolNet Namibia, The Tactical Technology Collective, and The AllAfrica Foundation, with support from The Open Society Institute, and USAID."

Comments (none posted)

The SCO Problem

Canadian bank backs away from SCO (News.com)

News.com reports that the Royal Bank of Canada has sold the bulk of its investment in SCO to BayStar, which is currently trying to redeem its stake. "'The timing and price of our purchase of RBC's holdings in SCO presented a strategic and financial opportunity for BayStar and its investors,' a BayStar representative said, declining to discuss the motivation or terms of the sale."

Update: Interestingly, RBC has converted the remainder of its holdings into common stock at a rate of $13.50/share - over twice the current market price. One might conclude that RBC has had enough of this particular game.

Comments (7 posted)

Darl Secretly Attended Novell's Brainshare (Groklaw)

Groklaw looks at a pair of interviews with Darl McBride and comes to some conclusions about SCO's strategy in its suit against Novell. "Both interviews indicate that the SCO plan in the Novell lawsuit was to have some ex-Novell executives on the stand to testify that they were at Novell at the time when the negotiations were going on and the contract was written up, both when Novell bought UNIX and when it sold whatever portion of UNIX they sold (SCO claims all of it, naturally), whereas the current Novell executives were not participants. They presumed that testimony would carry the day. Darl is one of the ex-Novell executives. Of course, if Novell succeeds in turning it instead into a federal copyright question, that plan goes down the drain."

Comments (none posted)

Now It's Novell v. Canopy (Groklaw)

Groklaw delves into a strange, obscure legal battle between Novell and Canopy (SCO's parent company and largest owner) over DR-DOS and the associated Microsoft lawsuit. "According to the Daily Herald article, Canopy says it all happened like this: Novell was really the one that wanted to sue Microsoft but was afraid of retaliation. So they negotiated with Canopy to do it for them, then sold them rights to the DR-DOS source code on condition that Canopy sue Microsoft. Novell retained rights to royalties and license fees, but they kept out of the written agreements the part about Canopy suing on their behalf. That, according to Canopy, was agreed upon orally, their little secret. Now Canopy is trying to compel them to live up to the alleged oral contract. Those Canopy folks seem to have altogether too much time on their hands."

Comments (4 posted)

Companies

HP brings OpenVMS to the SuperDome (ZDNet)

ZDNet covers the release of OpenVMS. "The porting of the operating system to Itanium 2-based systems will give OpenVMS users an upgrade path when HP discontinues the Alpha processor line, which it picked up with the acquisition of Compaq."

Comments (5 posted)

Red Hat Desktop strategy: Semantics have been part of the messaging problem (NewsForge)

NewsForge has an article by Jeremy Hogan, Red Hat's Community Relations Manager, about the company's desktop strategy. "And here we are. We've just launched the first Red Hat product with "desktop" in its name (albeit with the silent "corporate" in front of it). This move is alleged to be in response to Sun's Java Desktop System. In actuality, it is in line with our market's demand, and the strategy we articulate in our Open Source Architecture. It is also just the first phase, because we aren't ready to give (or exceed) the single system consumer desktop experience currently available."

Comments (9 posted)

Linux Adoption

A public library's success story (GnomeDesktop)

GnomeDesktop.org covers a library's conversion to Linux. "Over the past year, the Howard County (Md.) Public Library has migrated more than 200 public PCs from Windows 98 and Windows NT to Linux. These PCs are used both to surf the Internet and to access the library's catalogues."

Comments (none posted)

Penguin power may rule in Vic classrooms (LinuxWorld)

LinuxWorld looks at Novell's plans for Linux expansion in Victoria, Australia. "Swinburne senior systems administrator for IT services, Brian Habel, said the IT staff are “very excited” by Novell’s Linux strategy as it “opens up a lot of opportunities”. “If you can run NetWare on Linux you can leverage other [Linux] applications,” he said. “We may already have Linux boxes installed so we could re-use that hardware. Novell’s SuSE Linux will give us more flexibility to get the job done.”"

Comments (4 posted)

Interviews

Bitkeeper after the storm - Part 1 (NewsForge)

NewsForge interviews Larry McVoy, author of Bitkeeper. "We are strongly committed to helping the Linux kernel community and other open source projects. Not everyone may believe this, but we'd be doing it even if there was no benefit to us. It is our way of giving back some value for all the great free software we use every day. We run our business on free software, we develop our product with free software, the free software community has been great for our business. All companies who benefit from free software ought to find a way to help the people who are producing that software."

Comments (13 posted)

de Icaza: Rest of World Will Force US Into Linux (OS News)

OSNews talks with Miguel de Icaza about all things Linux and Novell. "Regarding Mono and the Microsoft .NET patents, Ximian is now splitting the "non-free" parts of .NET in Mono, and so OS providers can decide if they want to include in their products the "non-free non-ECMA" portions or not. Apparently, even without the non-free portions, Mono is fully usable, complete with the GTK# bindings, database and other free parts. Miguel knows that a completely "clean" Mono will still find resistance from some OS/distro makers for political reasons, rather than legal or technical ones, and he is prepared for it." (Found on Footnotes)

Comments (none posted)

JBoss CEO Opposes Open-Source Java (CRN)

CRN has posted an interview with Marc Fleury, CEO of JBoss. "JBoss CEO and founder Marc Fleury recently spoke with CRN Senior Editor Elizabeth Montalbano about why he's committed to open source as a lucrative business model and how things have changed between his company and Java steward Sun Microsystems since JBoss Inc. became an official J2EE licensee. Fleury also took a firm stand on why, despite objections from IBM and open-source proponents, Sun should continue to oversee Java licensing and compatibility."

Thanks to Phillip Warner.

Comments (11 posted)

The People Behind KDE: Helio Chissini de Castro (KDE.News)

This week the People Behind KDE travels to Brazil to talk with Helio Chissini de Castro. "The first time I took on KDE, I got Ark maintainership. After that I started packaging Conectiva Linux independent packages. Today I work on Kmix, solve a bug, or another time I try to see whats happening with Ark (since I plan to pass maintainership to the other new guys :-). On a non developer basis, I got the task to be the primary contact on South America and the personal task to annoy some guys of core kde from time to time... :-) And of course, I work hard on PR to show KDE to the Brazilian masses." (Found on KDE.News)

Comments (none posted)

MandrakeSoft: An inside look (NewsForge)

NewsForge interviews the Mandrakesoft management team. With regard to getting Mandrakelinux back on store shelves: "I can't divulge any specifics, but I can tell you that we are striking a deal with a major partner and we will be making that announcement in the next few weeks.... I will say that users know them and will be very pleased."

Comments (none posted)

OpenBSD PF Developer Interview (O'ReillyNet)

Federico Biancuzzi interviewed six leading OpenBSD developers responsible for PF, the packet filter. Daniel Hartmeier, Henning Brauer, Mike Frantzen, Cedric Berger, Ryan McBride and Can Erkin Acar talk about their work on OpenBSD and on new features and goals. The interviews are carried on O'ReillyNet in two parts. Here's part 1 and here's part 2.

Comments (none posted)

Interview: Xandros and KDE (KDE.News)

KDE.News interviews Rick Berenstein, Xandros Chairman and CTO, and Ming Poon, Vice President for Software Development. "Ming Poon: When we first started our Linux desktop effort back in 1997, we actually implemented a 100% pure Java solution called Cabot which was running on the StrongARM processor on a little NC (Network Computer) called the NetWinder. It had pretty well all the key functionalities of KDE or any other desktop environment including toys like an Internet news ticker in the task bar. It is probably something more close to a true Java desktop than what Sun's Java Desktop is today. It was really 100% Java."

Comments (none posted)

Mozelle Thompson, FTC Commissioner (InternetNews.com)

Internet News talks with FTC commissioner Mozelle Thompson about spam, patents and other topics. "There should be a means to have the Patent Office re-examine patent they've granted. One thing we've talked about is to provide the Patent Office with better tools that would give them more granularity to understand and consider the difference between an idea and a technical standard, so they can understand that granting a patent might be overbroad or have unintended consequences." (Thanks to Doug Jensen)

Comments (2 posted)

Resources

ULB 2004 Preview: Ultimate Linux Box Boots (Linux Journal)

Linux Journal is building the 2004 edition of the Ultimate Linux Box. "Previous Ultimate Linux Boxes have had two processors, which generally has been the maximum in the market for parts for roll-your-own machines. Vendors will sell you a bigger system, but when you're building it yourself, the choice has been one processor or two. This year, we're moving up to a four-way. What better way to celebrate the 2.6 kernel?"

Comments (none posted)

XSLT: Taming a functional language (DevChannel)

The OSDN DevChannel has an excerpt from XSLT 2.0 Web Development, published by Prentice Hall PTR. "Everything is possible by asking the right questions. XSLT was designed as a functional programming language. The functional programming paradigm dates from the 1980s and has proved very useful, even if in a limited way. Other established functional languages include Haskell and Scheme."

Comments (8 posted)

Reviews

Linux For Everyone: From Servers To Desktops (CXOtoday.com)

CXOtoday reports that ELX, Everyone's Linux, is about to launch in India. "To flag its entry into the Linux segment, ELX plans to launch its low fee desktop operating system, known as Biz Desk 4.0, which will cater to both business and home users, and also its high end server called PowerISP, which is positioned as the primary Internet edge server for organizations, business houses, service providers and educational institutes."

Comments (none posted)

Red Hat launches new desktop Linux (LinuxWorld)

LinuxWorld takes a look at Red Hat's new desktop offering and an upcoming carrier grade Linux product. "[Unlike] the WS distribution, which is sold on a per-system basis, Red Hat Desktop will be available in packages of 10 or 50 units when it begins shipping, said Mike Ferris, Red Hat's product marketing manager for Enterprise Linux. "What we are doing now is extending the Enterprise Linux product family by adding a Red Hat product that is specifically targeted at the front office," Ferris said."

Comments (4 posted)

Giving XFce4 a Spin (OS News)

OS News reviews XFce. "[If] you've got GNOME and KDE as fantastic, complete desktop environments, why use XFce? The simple answer to this is - it's lightweight, and very fast. For users like me, who're stuck with 6-year-old Pentium IIs, KDE and GNOME seem more or less sluggish (depending upon how much RAM you have). But XFce is blazing fast." (Found on Footnotes)

Comments (1 posted)

Miscellaneous

Luminary joins open-source protection firm (News.com)

News.com reports that Bruce Perens has joined the board of directors of Open Source Risk Management, a company that sells insurance-like protection for Linux use. "Perens endorsed the company's mission. "Collective legal defense is the next necessary step for open source to be ready for business," Perens said in a statement. "Through a concentration of legal resources and expertise, OSRM will be a formidable power against the legal opponents to Open Source.""

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Linux in Defense: Free Software is Just Too Expensive

Here's another FUD missile (white paper) from Green Hills Software. This time the focus is on free software's high development costs and lack of support. "No one has ever established a profitable open source business model, because no company can sustain an exploitable proprietary advantage. The nature of open source is that every proprietary advantage must be returned to the public domain. The talents of individual engineers can't be retained because the engineers can just quit and take all of their knowledge with them to apply in their next job. The open source process drives the profit out of Linux businesses leading to their eventual demise."

Comments (23 posted)

Software Patents: EU Council Plans to Scrap Parliamentary Vote

The Foundation for a Free Information Infrastructure reports that a counter proposal to the software patents directive is expected to be confirmed without discussion at a meeting of ministers on May 17-18, 2004. The new proposal allows the direct patentability of computer programs, data structures and process descriptions.

Full Story (comments: 2)

The Edinburgh Fund

The Edinburgh Fund has been announced by the people at the wxWidgets project. "This is a fancy name for the small amount of money left over from the name change settlement with Microsoft, after legal fees, tax, and labour fees have been deducted. Julian Smart is administering this as a separate fund from SPI donations to avoid 'contaminating' other funds with money that a small number of people consider offensive, due to its source. It also makes for quick decisions about allocation and rapid transfer of funds to people who need it." People who are contributing to wxWidgets may apply.

Comments (none posted)

The Midgard Project Celebrates 5th Anniversary

The Midgard project is celebrating its 5-year anniversary. "Midgard is an Open Source Content Management System integrating world's most popular Open Source web development tools — MySQL, Apache and PHP — providing an environment for deploying powerful Internet based content management solutions. The Midgard environment includes a component framework and several web-based authoring and administration tools."

Full Story (comments: none)

The Xiph.org Foundation joins Linuxaudio.org

Linuxaudio.org has announced a new member: "The Xiph.org Foundation has joined the Linuxaudio.org consortium, becoming the newest member and bringing the total number of members to nineteen."

Full Story (comments: none)

Commercial announcements

Announcing CrossOver Office, Version 3.0

Version 3.0 of CrossOver Office is available from CodeWeavers. "We've added new, official, support for Outlook XP, Microsoft Project, and Notes 6.5.1. Unofficially, we're excited by users comments that far more applications are working now. These include programs like Framemaker and Microsoft Money."

Full Story (comments: 1)

BRU Server for Linux enterprise data protection

TOLIS Group has announced enhancements to BRU Server for Linux.

Full Story (comments: none)

CPUBuilders High Performance Linux PCs

CPUBuilders by Stratitec announced the availability of two new higher end Linux PCs with a street price of less than $600.

Full Story (comments: none)

Eclipse Use Grows

Evans Data Corp. has announced that according to its latest survey the Eclipse open source Java IDE is growing in popularity.

Comments (2 posted)

Novell announces Evolution 2.0, free Connector

Novell has sent out a press release pre-announcing Evolution 2.0 (which will be available in the third quarter). Perhaps more interesting is the announcement that the proprietary Connector product, which interfaces Evolution with Microsoft Exchange servers, will be integrated with Evolution and released under the GPL.

Comments (32 posted)

Novell announces tech support offerings

Novell has announced a new set of support offerings for Linux, and is now claiming to be "the only software company to provide comprehensive enterprise-level support for a customer's entire Linux environment, from servers to desktops to laptops." See the press release for details.

Comments (1 posted)

Single-kernel real-time Linux supports dual-PPC VMEbus board (LinuxDevices.com)

LinuxDevices covers the TimeSys release of a single-kernel real-time Linux board support package as well as a complete development tool set for a dual-PowerPC processor VMEbus single board computer targeting military and aerospace applications.

Comments (none posted)

VA Linux in Collaborative Development Project with NTT Data

VA Linux Systems Japan K.K. has announced the undertaking of a collaborative development project with NTT Data Corporation designed to develop a crash analysis tool for the Linux operating system. The project aims to have the tool in circulation by the first quarter of 2005.

Full Story (comments: 2)

New Books

"Eclipse" Released by O'Reilly

O'Reilly has published the book Eclipse by Steve Holzner. "Eclipse, the popular Java integrated development environment (IDE), provides an elegant, powerful, and (best of all) free remedy for Java's exacting programming requirements."

Full Story (comments: none)

"Hackers and Painters" Released by O'Reilly

O'Reilly has published the book Hackers and Painters by Paul Graham.

Full Story (comments: none)

Resources

The LDP Weekly News

The May 5, 2004 edition of the Linux Documentation Project Weekly News has been published. Take a look to see the latest new documentation.

Full Story (comments: none)

LDP Weekly News

The May 12, 2004 edition of the LDP Weekly News is out; take a look for the newest Linux documentation releases.

Full Story (comments: none)

PyZine Issue 6

Issue #6 of PyZine, the Python magazine, has been announced.

Full Story (comments: none)

Upcoming Events

GUADEC 2004 Press Release (GnomeDesktop)

GUADEC 2004 has announced an international slate of speakers at the Fifth Annual GNOME User and Developer Europe Conference (GUADEC 2004). GUADEC will be held at Agder University College in Kristiansand, Norway, from June 28-30, 2004.

Comments (none posted)

Hosts wanted for GUADEC 2005! (GnomeDesktop)

GnomeDesktop.org has posted a request for a GUADEC 2005 host location. "The GNOME Foundation is looking for a host city for GUADEC 2005. Yes, we haven't even had this years GUADEC in Norway and we're already looking to next year!"

Comments (none posted)

The Desktop Developers' Conference

It's official: the Desktop Developers' Conference will be happening in Ottawa on July 19 and 20 - immediately prior to the Ottawa Linux Symposium. Registration is now open.

Comments (none posted)

Linux Audio Miniconf Canberra Australia

An early announcement has gone out for the Australian Linux Audio Mini-Conf. "The Linux Audio Mini-Conf @ LCA2005 will be held before linux.conf.au, Australia's national Linux conference, in April 2005 at the Australian National University in Canberra, Australia."

Full Story (comments: none)

Austrian Perl Workshop schedule (use Perl)

Use Perl has an announcement that details the schedule of the Austrian Perl Workshop. The event will take place in Vienna, Austria on May 20-22, 2004.

Comments (none posted)

php|works 2004 Call For Papers

A call for papers has gone out for the php|works 2004 conference. The event will take place in Toronto, Canada on September 22-24, 2004. "The deadline for submitting talk proposals is May 21st, 2004. Due to organizational constraints, this is a firm date that cannot be postponed."

Comments (none posted)

SciPy 2004 Conference Announced

The 2004 SciPy Conference has been announced. The event will take place at Caltech on September 2 and 3, 2004.

Full Story (comments: none)

KDE Community World Summit: Call for Papers (KDE.News)

KDE.News announces the call for papers for the KDE Community World Summit. The deadline for proposals is May 30, 2004. The conference is in August.

Comments (none posted)

Events: May 13 - July 8, 2004

| Date | Event | Location |
|---|---|---|
| May 16 - 18, 2004 | European Firebird Conference 2004 | Fulda, Germany |
| May 17 - 20, 2004 | Fifth LCI International Conference on Linux Clusters (University of Texas) | Austin, TX |
| May 17 - 19, 2004 | Enterprise Software Summit (The Palace Hotel) | San Francisco, CA |
| May 17 - 20, 2004 | Black Hat Briefings Europe 2004 (Grand Hotel Krasnapolsky) | Amsterdam, the Netherlands |
| May 17 - 21, 2004 | Apache Boot Camp | Atlanta, GA |
| May 20 - 22, 2004 | Austrian Perl Workshop | Vienna, Austria |
| May 24 - 26, 2004 | GridToday 2004 (Philadelphia Convention Center) | Philadelphia, PA |
| May 25 - 26, 2004 | LinuxWorld Conference & Expo (Suntec) | Singapore |
| May 26 - June 6, 2004 | DebConf4 | Porto Alegre, Brazil |
| May 26 - 29, 2004 | 2nd International Symposium on Computer Music Modeling and Retrieval | Esbjerg, Denmark |
| June 2 - 4, 2004 | 2004 GCC and GNU Toolchain Developer's Summit (Ottawa Congress Centre) | Ottawa, Canada |
| June 2 - 4, 2004 | inbox, the email event (San Jose Marriott) | San Jose, CA |
| June 3 - 4, 2004 | Web.It 2004 | Milano, Italy |
| June 6 - 7, 2004 | French Perl Workshop | Paris, France |
| June 7 - 9, 2004 | EuroPython (Chalmers University of Technology) | Göteborg, Sweden |
| June 13, 2004 | 1st European Lisp and Scheme Workshop | Oslo, Norway |
| June 14 - 18, 2004 | 18th European Conference on Object-Oriented Programming (ECOOP-2004) (The University of Oslo) | Oslo, Norway |
| June 16 - 18, 2004 | Yet Another Perl Conference (YAPC::NA::2004) (University at Buffalo) | Buffalo, NY |
| June 28 - 30, 2004 | GNOME User and Developer European Conference (GUADEC) | Kristiansand, Norway |
| June 29 - July 1, 2004 | Perl Workshop 6.0 (Barbara-Künkelin-Halle) | Schorndorf, Germany |

Comments (none posted)

Web sites

pgFoundry Open For Business

A new PostgreSQL database site is online. "PostgreSQL's new collaboration site for associated projects, pgFoundry, also known as projects.postgresql.org, is up and running at http://www.pgfoundry.org/. This is the beginning of our transition from our own GBorg to a framework which is maintained and improved by a broad external community -- GForge. And of course it runs on PostgreSQL."

A new Wiki for PyQt and PyKDE (KDE.News)

KDE.News has an announcement for the new PyQt and PyKDE community Wiki site. "In order to create a community platform, we have set up a wiki entirely devoted to Python GUI development with PyQt and PyKDE. So if you don't know anything about it, the time might be great, because a new version of PyKDE supporting the KDE APIs up to 3.2.2 is currently in Beta stage - and a release is coming soon! In the wiki, you will find links to tutorials on how convenient Qt or KDE programming can be without C++, no matter if you use it for rapid prototyping or for the actual applications."

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Page editor: Forrest Cook

Letters to the editor

A separate Political Based newsletter for Linux

From:  roger <roger-AT-eskimo.com>
To:  lwn-AT-lwn.net, letters-AT-lwn.net
Subject:  A separate Political Based newsletter for Linux
Date:  Mon, 10 May 2004 15:43:34 -0400

I don't know about you guys, but I certainly hate mixing Politics with
the top stories of Linux.
 
Stuff like, "Is Linux ready for the Desktop", "de Icaza: Rest of World
Will Force US Into Linux (OS News)", "Linux in Defense: Free Software is
Just Too Expensive" is just all a waste of text/ascii in my brief and
explicit opinion.
 
Can you please post this crap (bluntly stating the term -- some call it
FUD ;-) someplace else, such as a different section. One great idea
would be to use a separate RSS feed for politics, (titled ie. "Linux in
Politics", etc)
 
I personally use the RSS feed available within Evolution mail client.
And seeing this political junk just kills my good mood at times. It's
sort of like the press trying to pick a fight (ie MS vs Linux, etc).
Press reports such as this only add some good amounts of high octane
fuel to the fire. It's something that would even make good corp executives get
sick of hearing about, enough to push them over the edge as well.
 
A newspaper or magazine has different sections as well. So just a
thought here.
 
 
--
 
Roger
http://www.eskimo.com/~roger/index.html

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds