News from the SCO front
The SCO Group, a little while back, filed a motion asking for a delay in
the trial of its suit against IBM. According to SCO, IBM's foot-dragging
had slowed things to the point that SCO could not get its act together in
time. IBM has now responded; the full filing can be read
in PDF format. It is not particularly
surprising that IBM opposes this delay.
In fact, IBM has taken this filing as an opportunity to stiffen its
language against SCO in general:
Since this suit began in March, 2003, SCO has publicly touted its
evidence of IBM's alleged misconduct, but has resisted disclosing
the supposed evidence to IBM. In fact, SCO's Chief Executive Darl
McBride commented in an interview that SCO was 'fine to go to court
just on what we have before discovery.' ... In contrast to its
public assertions, SCO's conduct during discovery reflects a
remarkable pattern of delay and obfuscation.
It's not clear when the judge will rule on this motion.
A hearing will be held on June 9 on SCO's suit against
DaimlerChrysler, with a focus on Daimler's motion for a summary dismissal
of the case. As reported
in Groklaw, this case appears to have drawn a no-nonsense judge who
will try to see things through to a resolution in relatively short order.
The Free Software Foundation received a subpoena from SCO last year; they
have now posted
the subpoena on their site with some related discussion. It will
surprise few to see that the subpoena is impossibly broad; the FSF has no
intention of fulfilling it in its entirety. Being the FSF, they cannot
stop with just the subpoena, however:
In addition to answering and/or disputing the subpoena, we must
also educate the community about why it is that Linux was attacked
and GNU was not. For more than a decade, FSF has urged projects to
build a process whereby the legal assembly of the software is as
sound as the software development itself. Many Free Software
developers saw the copyright assignment process used for most GNU
components as a nuisance, but we arduously designed and redesigned
the process to remove the onerousness. Now the SCO fiasco has shown
the community the resilience and complete certainty that a good
legal assembly process can create.
The FSF is right to emphasize the importance of ensuring that stolen code
is not merged into free software projects; there is no doubt that more care
is called for in that regard. Claiming that the FSF's
copyright assignment policies headed off a legal attack from the SCO Group
seems a little strong, however. It seems just as likely that SCO was
repelled by the FSF's small bank balance. IBM, too, has strong rules
covering its code contributions; armies of lawyers are involved. Those
rules did not keep SCO from suing IBM, however.
Expect some fun around June 2, when SCO will announce its second
quarter results. One can only assume that said results will not be of
a kind that will revive the company's stock price, which fell below its
one-year low this last week. It will be interesting to see what the
company comes up with as a way of distracting attention from these matters.
Australia considers a free trade agreement
The United States and Australia recently negotiated a trade agreement
which, like many US-driven agreements these days, requires Australia to
follow America's lead on numerous intellectual property issues. In
particular, the agreement forces the adoption of software patents and DMCA-like copyright
laws. Needless to say, free software advocates have been concerned about
this agreement; they have also been doing something about it.
On May 17, the Australian Senate Select Committee on the Free Trade
Agreement between Australia and the US heard testimony on the effects that
the agreement would have. The transcript is available as a 700KB PDF
file. Included therein are several pages of testimony from kernel
hacker Rusty Russell, representing Linux Australia.
Open source is particularly important to Australia because we are
good at it. We develop it, we distribute it, and our expertise
gives Australian business a competitive advantage over
international competitors--not just IT business but all businesses
that use IT. The Boston Consulting Group in a survey a few years
ago found that eight per cent of open source developers are in
Australia--hugely disproportionate to our population. We are in a
prime position to take advantage of the growth opportunities
provided by these projects, especially the benefits of better, more
open infrastructure that open source provides. On the other hand,
the cost of chilling competition in this area will affect us
greatly now and we will lament the loss of our lead in years to
come.
Unfortunately, there is no picture of Rusty in his suit and tie.
Many other witnesses appeared, including representatives of Electronic
Frontiers Australia and the Australian Digital Alliance. Whether this
testimony will have an effect on the eventual ratification of this treaty
remains to be seen; the fact that these issues were heard in this forum is a
good start, however. (Thanks to Michael Neuling for the transcript
pointer.)
European software patents get closer
Toward the end, it appeared that the European Council might not approve
software patents after all. Representatives of the German and Italian
governments had expressed reservations, and an objection from Luxembourg
forced a discussion on what was supposed to be a fast-track vote. But, on
May 18, the Council voted in favor of a patent directive which strips
out the European Parliament's changes, and which thus legitimizes software
patents in Europe.
Believe it or not, this lengthy process is still not complete, however.
The directive must return to the Parliament one last time for final
approval; this vote is likely to happen sometime in the (northern
hemisphere) autumn. If the Parliament rejects the Council's draft, then some
sort of compromise will be hammered out. Thus, it is not time for
anti-patent activists to rest, even though they are likely to be tired and
discouraged. Software patents in Europe are not yet a done deal, but
heading them off will require efforts to educate members of Parliament in
all EU member countries.
It is also worth remembering that elections to the Parliament are happening
in June. Voter turnout in European Parliament elections tends to be low,
so those who do vote have a relatively strong voice.
If you are able to vote in these elections, you may want to consider learning the
candidates' positions on software patents and voting accordingly. There is
yet time to make a difference on this issue.
Stupid patent tricks
May 19, 2004
By Pamela Jones, Editor of Groklaw
If you read about Microsoft's
patent number 6,727,830, "Time based
hardware button for application launch," issued on April 27, 2004,
you're probably thinking that now you've heard everything. A patent on
double-clicking and on holding down an application button? How can the
Patent Office issue such a patent, since you can probably think of
several instances of prior art off the top of your head?
Here is
the abstract, explaining the patent:
A method and system are provided for extending the functionality of
application buttons on a limited resource computing device. Alternative
application functions are launched based on the length of time an
application button is pressed. A default function for an application is
launched if the button is pressed for a short, i.e., normal, period of
time. An alternative function of the application is launched if the
button is pressed for a long, (e.g., at least one second), period of
time. Still another function can be launched if the application button
is pressed multiple times within a short period of time, e.g., double
click.
It drones on a while longer, but although they expend a great many
words, what they have patented is simply this:
- You have a device with a button. If you press the button quickly, you
get different behavior than if you hold the button down. Electric
typewriters have worked that way for decades, and portable CD players for
many years.
- Press the button twice in a short period, and you get different
behavior. This, of course, is the "double click."
Linux systems are full of software which implements the claimed
behavior.
Double-clicking is found everywhere. The "hold the button for different
behavior" can be found in places like the CD player.
The patent specifies a "limited resource" computing device, so they are
talking about PDA-type systems. The simple fact is that all computing
devices are "limited resource," however.
I asked my right-hand man on Groklaw, Dr Stupid, if he could think of
any prior art and he had no trouble in about 10 minutes coming up with
these possibilities:
The general concept of short press and long press doing different
things is not new at all - many embedded devices use it. What the
patent is about is a particular use of this concept for launching
programs on a device. That is, clicking once on the icon launches the
program with one command line parameter, and a double-click a different
command line parameter. Or a hold down is yet another.
The very old FVWM window manager for Linux has a 'maximize' button
which works like this:
- Click-and-hold: stretches the window vertically.
- Single Click: stretches the window but does not cover the taskbar or
button bar.
- Double Click: stretches the window to cover the entire screen.
So you have normal action, hold-it-down action, and double-click
action. It's still shipped with SuSE and most distributions to this day, I
believe...
To me, it fails the 'not obvious' test. Another one that I wonder if
it might be relevant is here:
'If you wish, you can distinguish single, double, and triple clicks.
A double click means clicking a mouse button twice in approximately the
same place. The first click generates an ordinary click event. The
second click, if it comes soon enough, generates a double-click event
instead....'
Microsoft listed 8 prior art documents, each slightly different from
theirs, followed by a long list of what they asserted was unique
to this patent. Without analyzing this one in great depth, we can
certainly agree that there are patents issued which should not be
issued, and the real question is: why does the Patent Office issue
them? And why do companies want them?
The answer to the first question is simple: they are understaffed and
there is a general policy that you do your best and later the courts
can determine if the patent was valid or not.
Why do companies want them? I asked that question of patent attorney
Dan Ravicher, head of PubPat, the
organization that is dedicated to going after patents that were wrongly
issued, and also asked about this specific patent, and here is what he
told me:
When I read those claims, I was like, sure, nice try. I doubt
Microsoft would ever assert this patent. But, there is still value in
building up a portfolio because many valuations are based purely on the
objective factor of how many patents or how many claims one has, despite
the fact that a wide swath of them are useless. The valuation experts
aren't that sophisticated, yet.
A patent, in other words, is an
intangible, and you look good to valuation experts if you have a big
pile of them.
Does that mean there is no danger? Should something be done? He told
me that until Microsoft begins to assert the patent, which so far it
seems not to have done, the best thing is just to monitor it. "If
Microsoft begins to assert this patent specifically, then we'll review
the situation and make a decision about how best to protect the public,"
he says.
Page editor: Jonathan Corbet
Security
Hardened PHP
The
Hardened PHP project has
recently announced its existence; naturally, a
Gentoo
package is already available. The PHP language is highly popular for
the creation of web applications, but it has long suffered from a
reputation for poor security. This reputation is perhaps not entirely
fair; the number of sites which have actually been compromised as a result
of PHP vulnerabilities is small. Nonetheless, PHP has tended to have more
holes than it really should, given its wide deployment.
Hardened PHP is attempting to address that
problem by adding patches to the language implementation which close off a
number of potential security problems.
Those interested in the actual changes being made can learn more on
this page. These changes include:
- The addition of "canaries" to the internal memory manager. PHP uses a
variant of malloc() which tracks all allocated memory, making
it easy to reclaim everything after the completion of a web request. The
Hardened PHP patch adds special, random values at the beginning and
end of each allocated block and checks to see whether those values
have been overwritten when the memory is freed. These checks should
help defend against bugs in the PHP system which allow heap overflow
attacks.
- Canaries are also added to PHP's internal linked list structures.
- The "%n" format specifier has been removed from (some of)
PHP's internal string printing functions in an attempt to head off
certain types of format string attacks.
- The PHP include directive has some additional restrictions
which prevent the inclusion of program text from remote sources.
- Checks are made for strings with embedded NULL characters.
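The canary mechanism in the first bullet is easy to see in miniature. The following is an added example, not code from PHP or Hardened PHP: a small allocation wrapper that puts a per-process random value in front of and behind every block and compares both copies when the block is freed. All names (guarded_malloc, guarded_free, the demo functions) are invented for the illustration, and rand() stands in for the better entropy source a real allocator would use.

```c
/* Added example (not Hardened PHP or PHP code): a canary-guarded
 * allocation wrapper that detects writes past either end of a block
 * at free time. All names here are made up for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CANARY_LEN sizeof(uint64_t)

/* Bookkeeping stored in front of every guarded block. */
struct guard_hdr {
    size_t   size;    /* bytes the caller asked for */
    uint64_t canary;  /* value expected at both ends of the block */
};

/* Per-process canary, chosen once. Assumption: rand() is adequate for a
 * demonstration; a production allocator would read from a CSPRNG. The
 * value is forced odd so it is never zero (and never a run of even bytes). */
static uint64_t process_canary(void)
{
    static uint64_t value;
    if (value == 0) {
        srand((unsigned)time(NULL));
        value = (((uint64_t)rand() << 33) ^ ((uint64_t)rand() << 11)
                 ^ (uint64_t)rand()) | 1u;
    }
    return value;
}

/* Layout: [guard_hdr][front canary][user bytes ... size][tail canary] */
void *guarded_malloc(size_t size)
{
    uint64_t canary = process_canary();
    unsigned char *raw = malloc(sizeof(struct guard_hdr) + CANARY_LEN
                                + size + CANARY_LEN);
    if (raw == NULL)
        return NULL;
    struct guard_hdr *hdr = (struct guard_hdr *)raw;
    hdr->size = size;
    hdr->canary = canary;
    unsigned char *user = raw + sizeof(struct guard_hdr) + CANARY_LEN;
    memcpy(user - CANARY_LEN, &canary, CANARY_LEN);  /* front canary */
    memcpy(user + size, &canary, CANARY_LEN);        /* tail canary; may be unaligned */
    return user;
}

/* Frees a guarded block. Returns 0 if both canaries are intact and -1 if
 * the block was written past either end. The memory is released in both
 * cases; a hardened interpreter would abort the request instead. */
int guarded_free(void *ptr)
{
    if (ptr == NULL)
        return 0;
    unsigned char *user = ptr;
    struct guard_hdr *hdr =
        (struct guard_hdr *)(user - CANARY_LEN - sizeof(struct guard_hdr));
    uint64_t expected = hdr->canary;
    int intact = memcmp(user - CANARY_LEN, &expected, CANARY_LEN) == 0 &&
                 memcmp(user + hdr->size, &expected, CANARY_LEN) == 0;
    if (!intact)
        fprintf(stderr, "guarded_free: canary clobbered on %zu-byte block\n",
                hdr->size);
    free(hdr);
    return intact ? 0 : -1;
}

/* Well-behaved use: fill the block exactly, then free it. Returns 0. */
int demo_clean_free(void)
{
    char *buf = guarded_malloc(16);
    if (buf == NULL) return -2;
    memset(buf, 'B', 16);
    return guarded_free(buf);
}

/* Heap overflow: a 16-byte block written with 24 bytes, as a careless
 * copy would do. The surplus lands on the tail canary (still inside our
 * own allocation), so guarded_free() reports -1. Returns -1. */
int demo_overflow_detected(void)
{
    char *buf = guarded_malloc(16);
    if (buf == NULL) return -2;
    memset(buf, 'B', 24);   /* 8 bytes too many: overwrites the tail canary */
    return guarded_free(buf);
}

int main(void)
{
    printf("clean free:      %d\n", demo_clean_free());
    printf("overflowed free: %d\n", demo_overflow_detected());
    return 0;
}
```

The check only fires when the block is freed, which is exactly the limitation the patch description implies: PHP's request-scoped allocator frees everything at the end of a request, so a corrupted block is caught before the next request rather than at the moment of the write.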
This effort is worthy and worthwhile, but it is also inadequate for a
couple of reasons. Exploitable buffer overflows in PHP are relatively
rare; instead, PHP programs tend to suffer from different classes of
vulnerabilities, such as cross-site scripting, SQL injection, and command
injection. A truly hardened PHP would attempt to address these problems
through tighter restrictions on what scripts can do and enforced checking
of input strings.
The fact that there needs to be a "hardened PHP" project in the first place
is also a bad sign, unless this project is simply a staging area for
patches on their way into the mainline. PHP is used to implement an
unbelievable number of web sites; any vulnerabilities in PHP put vast
numbers of systems at risk. Security should be at the top of the PHP
project's goals; every PHP installation should be hardened. The
Hardened PHP project is a good thing; let's hope its work is quickly picked
up by the main PHP distribution.
New vulnerabilities
cvs: heap overflow
| Package(s): | cvs |
| CVE #(s): | CAN-2004-0396 |
| Created: | May 19, 2004 |
| Updated: | June 11, 2004 |
| Description: | CVS (through version 1.11.15 or 1.12.7) contains a remotely exploitable heap overflow vulnerability; see this advisory from Stefan Esser for details. If you are running cvs with the "pserver" protocol, a quick upgrade is recommended (dropping pserver is also a very good idea for security-conscious sites). |
heimdal: missing input sanitizing
| Package(s): | heimdal |
| CVE #(s): | CAN-2004-0472 |
| Created: | May 18, 2004 |
| Updated: | May 27, 2004 |
| Description: | Evgeny Demidov discovered a potential buffer overflow in a Kerberos 4 component of heimdal, a free implementation of Kerberos 5. The problem is present in kadmind, a server for administrative access to the Kerberos database. This problem could perhaps be exploited to cause the daemon to read a negative amount of data, which could lead to unexpected behavior. |
icecast: denial of service
| Package(s): | icecast |
| CVE #(s): | |
| Created: | May 19, 2004 |
| Updated: | May 19, 2004 |
| Description: | The icecast server has a read error in its authorization code which can enable a denial of service attack; upgrading to version 2.0.1 fixes the problem. |
kde: URI handler vulnerabilities
| Package(s): | kde Opera |
| CVE #(s): | CAN-2004-0411 |
| Created: | May 17, 2004 |
| Updated: | June 15, 2004 |
| Description: | iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that similar vulnerabilities exist in all versions of KDE up to and including KDE 3.2.2. See this advisory for more information. |
kernel: integer overflow in the SCTP code
| Package(s): | kernel |
| CVE #(s): | |
| Created: | May 17, 2004 |
| Updated: | May 18, 2004 |
| Description: | There is an integer overflow in the SCTP code in the Linux kernel starting with 2.4.23-pre5 and up to and including 2.4.25. This could allow for a local root exploit. See this advisory for more details. |
libuser: problems in libuser library
| Package(s): | libuser |
| CVE #(s): | |
| Created: | May 17, 2004 |
| Updated: | May 18, 2004 |
| Description: | Steve Grubb discovered a number of problems in the libuser library that can lead to a crash in applications linked to it, or possibly write 4GB of garbage to the disk. |
mah-jong: missing argument check
| Package(s): | mah-jong |
| CVE #(s): | CAN-2004-0458 |
| Created: | May 13, 2004 |
| Updated: | May 18, 2004 |
| Description: | A problem has been discovered in mah-jong, a variant of the original Mah-Jong game, that can be utilized to crash the game server through a NULL pointer dereference. This bug can be exploited by any client that connects to the mah-jong server. |
neon: buffer overflow
| Package(s): | neon |
| CVE #(s): | CAN-2004-0398 |
| Created: | May 19, 2004 |
| Updated: | September 30, 2004 |
| Description: | The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
pound: format string vulnerability
| Package(s): | pound |
| CVE #(s): | |
| Created: | May 18, 2004 |
| Updated: | May 19, 2004 |
| Description: | There is a format string flaw in Pound, allowing remote execution of arbitrary code with the rights of the Pound process. |
subversion: buffer overflow
| Package(s): | subversion |
| CVE #(s): | CAN-2004-0397 |
| Created: | May 19, 2004 |
| Updated: | May 20, 2004 |
| Description: | Versions of the subversion source management package up to and including 1.0.2 suffer from a remotely exploitable buffer overflow vulnerability in their date parsing code; see this advisory for details. "Exploiting this vulnerability on not heavily protected servers is trivial even for beginners, therefore it is strongly recommended to update immediately." |
Updated vulnerabilities
apache: denial of service in mod_ssl
| Package(s): | apache |
| CVE #(s): | CAN-2004-0113 |
| Created: | April 13, 2004 |
| Updated: | May 25, 2004 |
| Description: | A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49. |
apache: multiple vulnerabilities
| Package(s): | apache |
| CVE #(s): | CAN-2003-0993, CAN-2003-0020, CAN-2003-0987, CAN-2004-0174 |
| Created: | May 12, 2004 |
| Updated: | May 26, 2004 |
| Description: | Versions of apache 1 through 1.3.30 include several minor vulnerabilities, including the writing of unescaped data to the error log file, a denial of service vulnerability, and a parsing failure in Allow/Deny rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement for details. |
clamav: improper string checking
| Package(s): | clamav |
| CVE #(s): | |
| Created: | May 12, 2004 |
| Updated: | May 12, 2004 |
| Description: | Versions of clamav prior to 0.70 fail to check filenames when responding to viruses; with certain configurations, this failure can allow an attacker to execute arbitrary commands. |
cvs: client-side file overwrite vulnerability
| Package(s): | cvs |
| CVE #(s): | CAN-2004-0180 |
| Created: | April 14, 2004 |
| Updated: | May 18, 2004 |
| Description: | The cvs client is vulnerable to a pathname vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem. |
ethereal: multiple vulnerabilities
exim: stack-based buffer overflows
| Package(s): | exim exim-tls |
| CVE #(s): | CAN-2004-0399, CAN-2004-0400 |
| Created: | May 7, 2004 |
| Updated: | May 14, 2004 |
| Description: | Georgi Guninski discovered two stack-based buffer overflows. CAN-2004-0399: When "sender_verify = true" is configured in exim.conf, a buffer overflow can happen during verification of the sender. This problem is fixed in exim 4. CAN-2004-0400: When headers_check_syntax is configured in exim.conf, a buffer overflow can happen during the header check. This problem also exists in exim 4. |
fam: filename disclosure vulnerability
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug in its handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
| CVE #(s): | CAN-2004-0155 |
| Created: | April 7, 2004 |
| Updated: | August 19, 2004 |
| Description: | Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
racoon: denial of service vulnerability
| Package(s): | ipsec-tools racoon iputils |
| CVE #(s): | CAN-2004-0403 |
| Created: | April 26, 2004 |
| Updated: | July 29, 2004 |
| Description: | racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a denial of service. This advisory contains additional details. |
kdelibs: cookie disclosure
| Package(s): | kdelibs |
| CVE #(s): | CAN-2003-0592 |
| Created: | March 10, 2004 |
| Updated: | August 24, 2004 |
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
kdepim: VCF file information reader vulnerability
| Package(s): | kdepim |
| CVE #(s): | CAN-2003-0988 |
| Created: | January 15, 2004 |
| Updated: | May 26, 2004 |
| Description: | KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. |
kernel: symlink overflow in the iso9660 filesystem
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0109 |
| Created: | April 14, 2004 |
| Updated: | July 15, 2004 |
| Description: | The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release. |
kernel: root exploit in MCAST_MSFILTER
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0424 |
| Created: | April 22, 2004 |
| Updated: | June 11, 2004 |
| Description: | A locally exploitable integer overflow has been found in the multicast code of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 to 2.6.3. A successful exploit could lead to full superuser privileges. |
kernel: failing function and TLB flush vulnerability in Linux 2.2.10
| Package(s): | kernel-source-2.2.10 |
| CVE #(s): | CAN-2004-0077 |
| Created: | March 18, 2004 |
| Updated: | June 4, 2004 |
| Description: | A local root exploit is possible due to early flushing of the TLB. |
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages, which contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
kolab: password disclosure
| Package(s): | kolab |
| CVE #(s): | |
| Created: | May 5, 2004 |
| Updated: | May 27, 2004 |
| Description: | Kolab stores passwords in plain text format, and these passwords can be read from the underlying LDAP database. See this advisory for more information. |
LHA: stack buffer overflows and directory traversal flaws
| Package(s): | LHA |
| CVE #(s): | CAN-2004-0234, CAN-2004-0235 |
| Created: | April 30, 2004 |
| Updated: | June 11, 2004 |
| Description: | LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. See this advisory+patch for more details. CAN-2004-0234: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim. CAN-2004-0235: An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory. |
libpng: denial of service vulnerability
| Package(s): | libpng |
| CVE #(s): | CAN-2004-0421 |
| Created: | April 29, 2004 |
| Updated: | June 11, 2004 |
| Description: | The PNG library can access out-of-bounds memory when creating an error message; this can be triggered by a malformed PNG image file. |
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer. |
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | July 21, 2004 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
mailman: denial of service
| Package(s): | mailman |
| CVE #(s): | CAN-2003-0991 |
| Created: | February 9, 2004 |
| Updated: | May 25, 2004 |
| Description: | Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue. |
mc: multiple vulnerabilities
| Package(s): | mc |
| CVE #(s): | CAN-2004-0226, CAN-2004-0231, CAN-2004-0232 |
| Created: | April 29, 2004 |
| Updated: | May 26, 2004 |
| Description: | Midnight Commander has multiple vulnerabilities including buffer overflows, insecure temp files, and format string problems. |
metamail: integer and buffer overflows
| Package(s): | metamail |
| CVE #(s): | CAN-2004-0104, CAN-2004-0105 |
| Created: | February 18, 2004 |
| Updated: | May 21, 2004 |
| Description: | Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message. |
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: | Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. |
mozilla: multiple vulnerabilities
Package(s): mozilla
CVE #(s): CAN-2003-0594, CAN-2003-0564
Created: March 10, 2004
Updated: August 19, 2004
Description:
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies
to the wrong server, a scripting vulnerability which can allow an attacker
to run arbitrary code, and an S/MIME vulnerability which can lead to remote
denial of service or code execution attacks.
Alerts:
Comments (none posted)
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description:
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Alerts:
Comments (none posted)
MySQL: temporary file vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0381, CAN-2004-0388
Created: April 14, 2004
Updated: August 18, 2004
Description:
The mysqlbug and mysqld_multi scripts contain temporary file
vulnerabilities which could be used by a local attacker to overwrite files
on the system.
Alerts:
Comments (none posted)
neon: format string vulnerabilities
Package(s): neon
CVE #(s): CAN-2004-0179
Created: April 14, 2004
Updated: May 18, 2004
Description:
The neon WebDAV client library contains format string vulnerabilities
which a hostile DAV server can exploit. The flaw affects every program that
uses neon, including cadaver and OpenOffice.org.
Alerts:
Comments (none posted)
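The mpg321 entry (tag text passed to printf(3)) and the neon entry (data from a hostile DAV server) are both instances of one bug: attacker-controlled text used as the format argument. As an added illustration, not code from mpg321, neon or any other project on this page, the block below puts the vulnerable call next to the one-character fix and adds a small directive counter of the kind one might run over incoming tags or responses for detection. The output sink, the sample "100%% pure" title and the function names are constructed for the example; the only directive actually exercised is the harmless `%%`, because `%x` and `%n` on a non-literal format are undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char line[128];   /* where the rendered text ends up */

/* Output sink: whatever arrives as fmt is parsed by vsnprintf(3). */
static void show(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);
}

/* Vulnerable: attacker data (an ID3 title, a WebDAV server's reply) is
 * handed over as the format string, so printf(3) obeys every %-directive
 * the attacker wrote: "%%" collapses to "%", "%x" reads the next argument
 * slot (uninitialised stack here) and "%n" writes the number of bytes
 * emitted so far to an address pulled from that stack. Only the harmless
 * "%%" case is exercised; the others are the route to code execution. */
const char *render_unsafe(const char *untrusted)
{
    show(untrusted);
    return line;
}

/* Hardened: the format is a literal under the program's control and the
 * untrusted text is consumed as an ordinary %s argument. */
const char *render_safe(const char *untrusted)
{
    show("%s", untrusted);
    return line;
}

/* Counts conversion directives in a string ("%%" is an escaped percent,
 * not a conversion). A cheap detection heuristic over tags or server
 * responses: legitimate titles rarely contain "%x" or "%n". */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *title = "100%% pure";           /* constructed sample tag */
    printf("unsafe: %s\n", render_unsafe(title));
    printf("safe:   %s\n", render_safe(title));
    printf("directives in \"%%x%%x%%n\": %d\n", count_directives("%x%x%n"));
    return 0;
}
```

The visible symptom, `100%% pure` printed as `100% pure`, is the same interpretation step that turns `%x` into a stack read and `%n` into a write; a build with `-Wformat-security` flags the `show(untrusted)` call only when the sink carries a format attribute, so the counter is a useful second line of defence where the format path cannot be audited.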
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s):
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit them, an attacker would need either a valid Nessus account together
with the ability to upload arbitrary Nessus plugins to the Nessus server
(an option that is disabled by default), or to trick a user into running a
specially crafted NASL script. Read the full advisory for additional
information.
Alerts:
Comments (none posted)
netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description:
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files insecurely, which could allow a local attacker to
overwrite files with the privileges of the user invoking a vulnerable
netpbm tool.
Alerts:
Comments (1 posted)
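Four entries on this page (logcheck, mc, MySQL's mysqlbug and mysqld_multi, and netpbm) are the same local attack: a tool opens a temporary file under a name an attacker can predict, the attacker has already placed a symlink there, and the tool's write lands on the link target. The following added example, which is not code from any of those packages, stages that attack in a scratch directory and runs the predictable opener, an `O_EXCL|O_NOFOLLOW` variant and `mkstemp(3)` against the planted link. The `/tmp` location, the `tool.<pid>` naming scheme and the victim file are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: a name anyone can predict, opened with O_CREAT but
 * without O_EXCL. If a local attacker has already placed a symlink at
 * dir/tool.<pid>, open() silently follows it and the tool's output lands
 * on the link target, with the tool's privileges. */
int open_tmp_predictable(const char *dir, const char *tool)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s.%ld", dir, tool, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Minimal fix for a fixed name: O_EXCL makes open() fail with EEXIST when
 * anything, a symlink included, already exists at the path, and O_NOFOLLOW
 * refuses to traverse a symlink in the final component. */
int open_tmp_exclusive(const char *dir, const char *tool)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s.%ld", dir, tool, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred fix: mkstemp(3) picks an unguessable name and creates it with
 * O_CREAT|O_EXCL atomically. Use the returned fd; never reopen by name. */
int open_tmp_mkstemp(const char *dir, const char *tool, char *name, size_t len)
{
    snprintf(name, len, "%s/%s.XXXXXX", dir, tool);
    return mkstemp(name);
}

static int read_file(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Stages the attack in a fresh directory under /tmp: creates a victim file,
 * plants dir/tool.<pid> as a symlink to it, then tries each opener.
 * Returns 1 when the predictable opener overwrote the victim and both
 * hardened openers refused or avoided the planted link, 0 otherwise. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    if (!mkdtemp(dir)) return 0;

    char victim[4200], link[4200], name[4200], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/tool.%ld", dir, (long)getpid());

    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "original\n", 9) != 9) return 0;
    close(fd);
    if (symlink(victim, link) < 0) return 0;       /* the attacker's move */

    fd = open_tmp_predictable(dir, "tool");        /* follows the link */
    if (fd < 0 || write(fd, "clobbered\n", 10) != 10) return 0;
    close(fd);
    read_file(victim, buf, sizeof buf);
    int clobbered = strcmp(buf, "clobbered\n") == 0;

    fd = open_tmp_exclusive(dir, "tool");          /* must fail */
    int refused = fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0) close(fd);

    fd = open_tmp_mkstemp(dir, "tool", name, sizeof name);   /* fresh name */
    int fresh = fd >= 0 && strcmp(name, link) != 0;
    if (fd >= 0) { close(fd); unlink(name); }

    unlink(link); unlink(victim); rmdir(dir);
    return clobbered && refused && fresh;
}

int main(void)
{
    printf("symlink attack demo: %s\n",
           demo_symlink_attack() ? "unsafe opener followed the link, "
                                   "hardened openers did not"
                                 : "unexpected result");
    return 0;
}
```

Shell scripts such as logcheck and the MySQL helper scripts have the same choices available: `mktemp` for an unguessable name, or `set -o noclobber` plus a redirect, which fails on an existing path the way `O_EXCL` does. Either way the directory must also be sticky or private, or an attacker can still race the name between creation and use.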
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Alerts:
Comments (1 posted)
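The advisory quoted above does not explain how a timing attack identifies users, and the mechanism is worth seeing. As an added example that is not OpenSSH's or PAM's code, the block below models an authenticator with a deliberately slow hashing step: the leaky version rejects unknown accounts before paying for the hash, so their replies come back faster, while the hardened version always does the work. Instead of wall-clock time it counts calls to the expensive step, which is deterministic; the two accounts, their passwords, the iterated-FNV "hash" (a stand-in, not a real password hash) and the round count are all constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Toy password "hash": iterated FNV-1a. A stand-in for the expensive
 * crypt(3)/PAM step, NOT a real password hash. */
#define ROUNDS 20000u
static uint64_t toy_hash(const char *pw)
{
    uint64_t h = 1469598103934665603ull;
    for (uint32_t r = 0; r < ROUNDS; r++)
        for (const char *p = pw; *p; p++) {
            h ^= (unsigned char)*p ^ (r & 0xff);
            h *= 1099511628211ull;
        }
    return h;
}

/* Counts calls to the expensive step: a deterministic stand-in for timing
 * replies with clock_gettime(2) or a packet capture. */
static unsigned long hash_calls;
static uint64_t hash_password(const char *pw) { hash_calls++; return toy_hash(pw); }
unsigned long get_hash_calls(void) { return hash_calls; }
void reset_hash_calls(void) { hash_calls = 0; }

/* Constructed user database: two accounts with toy-hashed passwords, plus
 * a dummy record used when the account does not exist. */
struct user { const char *name; uint64_t hash; };
static struct user users[2];
static uint64_t dummy_hash;
static void init_users(void)
{
    static int done;
    if (done) return;
    users[0].name = "alice"; users[0].hash = toy_hash("correct horse");
    users[1].name = "bob";   users[1].hash = toy_hash("battery staple");
    dummy_hash = toy_hash("no such account");
    done = 1;
}
static const struct user *find_user(const char *name)
{
    init_users();
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0) return &users[i];
    return 0;
}

/* Leaky: an unknown user fails before the expensive step, so the reply
 * comes back measurably faster than for a real account. A remote attacker
 * needs nothing but a stopwatch and a word list to enumerate logins. */
int auth_leaky(const char *name, const char *pw)
{
    const struct user *u = find_user(name);
    if (!u) return 0;                       /* fast path: leaks existence */
    return hash_password(pw) == u->hash;
}

/* Constant-work: always pay for the hash, comparing against the dummy
 * record when the account is unknown, and only then reject. (For real
 * digests, compare with a constant-time memcmp as well; a 64-bit integer
 * compare is used here only because the toy hash is an integer.) */
int auth_constant_work(const char *name, const char *pw)
{
    const struct user *u = find_user(name);
    uint64_t expected = u ? u->hash : dummy_hash;
    int match = hash_password(pw) == expected;
    return u != 0 && match;
}
```

Run `auth_leaky("nobody", "x")` and the hash counter stays at zero; run it for `alice` and it goes to one. `auth_constant_work()` costs one hash either way, so the response time no longer depends on whether the account exists. The same shape applies to the OpenSSH case: the fix is to make the unknown-user path as slow as the known-user path, not to make the known path faster.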
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
passwd: various problems
Package(s): passwd
CVE #(s):
Created: May 17, 2004
Updated: June 2, 2004
Description:
Steve Grubb found some problems in the passwd program. Passwords given to
passwd via stdin are one character shorter than they are supposed to be.
He also discovered that pam may not have been sufficiently initialized to
ensure safe and proper operation. A few small memory leaks have been fixed
as well.
Alerts:
Comments (none posted)
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description:
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two
remotely exploitable denial of service vulnerabilities; see this advisory
from Michal Zalewski for details.
Alerts:
Comments (none posted)
proftpd privilege escalation
Package(s): proftpd
CVE #(s):
Created: April 30, 2004
Updated: May 19, 2004
Description:
A portability workaround was applied in version 1.2.9 of the FTP server
ProFTPD. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN) ACL entries in
"Allow" and "Deny" directives act like an "AllowAll" directive, and so FTP
clients are granted access to files and directories although the server
configuration might explicitly deny this. See this bug report.
Alerts:
Comments (none posted)
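The ProFTPD entry describes an access-control regression: CIDR entries that should scope an Allow or Deny to one network instead matched every client. The page does not show the faulty code, so the following added example (not ProFTPD's) shows only what a correct matcher looks like and the regression check a packager could run against an ftpd build. The Allow/Deny evaluation is a deliberate simplification (match some Allow entry and no Deny entry), not ProFTPD's own Order semantics, and the address lists are constructed for the test.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parses dotted-quad IPv4 text into a host-order 32-bit value.
 * Returns 1 on success, 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (strpbrk(s, "+- \t"))            /* %u would accept signs and spaces */
        return 0;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = a << 24 | b << 16 | c << 8 | d;
    return 1;
}

/* Parses "a.b.c.d/NN" (a bare address is taken as /32) into network and
 * mask. Returns 1 on success, 0 on malformed input or a prefix over 32. */
int parse_cidr(const char *entry, uint32_t *net, uint32_t *mask)
{
    char addr[32];
    const char *slash = strchr(entry, '/');
    unsigned prefix = 32;
    size_t n = slash ? (size_t)(slash - entry) : strlen(entry);
    if (n >= sizeof addr) return 0;
    memcpy(addr, entry, n);
    addr[n] = '\0';
    if (slash) {
        char tail;
        if (sscanf(slash + 1, "%u%c", &prefix, &tail) != 1 || prefix > 32)
            return 0;
    }
    if (!parse_ipv4(addr, net)) return 0;
    *mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    *net &= *mask;                      /* normalise 10.1.2.3/16 to 10.1.0.0/16 */
    return 1;
}

/* 1 if client lies inside entry, 0 if not, -1 if either is malformed.
 * Only "0.0.0.0/0" legitimately matches everyone. */
int cidr_match(const char *client, const char *entry)
{
    uint32_t ip, net, mask;
    if (!parse_ipv4(client, &ip) || !parse_cidr(entry, &net, &mask))
        return -1;
    return (ip & mask) == net;
}

/* Simplified Allow/Deny evaluation (not ProFTPD's Order semantics): a
 * client is admitted only if it matches some Allow entry and no Deny
 * entry. A matcher that treated every CIDR entry as a wildcard would make
 * the first loop succeed for every client, which is the reported effect. */
int acl_allows(const char *client, const char *const *allow, size_t n_allow,
               const char *const *deny, size_t n_deny)
{
    int allowed = 0;
    for (size_t i = 0; i < n_allow; i++)
        if (cidr_match(client, allow[i]) == 1) { allowed = 1; break; }
    if (!allowed) return 0;
    for (size_t i = 0; i < n_deny; i++)
        if (cidr_match(client, deny[i]) == 1) return 0;
    return 1;
}

/* Regression check with constructed lists. Returns 1 if CIDR entries scope
 * access as written rather than behaving like AllowAll. */
int acl_self_check(void)
{
    const char *const allow[] = { "192.0.2.0/24", "10.0.0.5" };
    const char *const deny[]  = { "192.0.2.128/25" };
    if (!acl_allows("192.0.2.10", allow, 2, deny, 1)) return 0;   /* in /24, outside /25 */
    if ( acl_allows("192.0.2.200", allow, 2, deny, 1)) return 0;  /* the denied half */
    if ( acl_allows("198.51.100.1", allow, 2, deny, 1)) return 0; /* outside both */
    if (!acl_allows("10.0.0.5", allow, 2, deny, 1)) return 0;     /* bare host entry */
    if ( acl_allows("10.0.0.6", allow, 2, deny, 1)) return 0;
    return 1;
}
```

The third assertion in `acl_self_check()` is the one that catches the ProFTPD-style regression: a client outside every Allow network must be refused, and any "portability" change to the address parser that turns a `/24` into a match-all will fail it.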
python: buffer overflow