Parallel forks
The free software world generally sees a fork in a development project as a
bad thing. The
ability to fork is a crucial freedom, but the
exercise of that ability is seen much like initiating a divorce. Sometimes
it is necessary, but it is rarely an event which brings joy.
Little attention, however, has been paid to the idea of a parallel
fork, which we will define as a fork which continues to follow the
changes in the original project. The Linux kernel has been the subject of
large numbers of parallel forks over the years; distributor kernels,
architecture-specific trees, and development trees have diverged widely
from the mainline kernel and each other, but they also track the updates to
the mainline. Projects which are patched by distributors (such as
cdrecord) can also be seen as parallel forks. Yet another example might be
Sylpheed-claws, which
functions as a testing ground for bleeding-edge Sylpheed features.
Parallel forks can be the best of both worlds: they retain a tie to the
original project, but also are responsive to whatever forces created the
fork in the first place.
A parallel fork worthy of some attention is ooo-build, a version of
OpenOffice.org maintained by the folks at Ximian. Version 1.3.0 of
ooo-build was announced on August 18.
This fork was motivated by several issues, which are explained in depth at
the project web site. What it comes down to, however, is that the
OpenOffice.org process is slow, bureaucratic, and difficult for outsiders
to contribute to. As the web site says, "this is no way to create
excitement and provide fast problem fixes." So ooo-build was set up
as a place where would-be contributors can get their changes in quickly
and, with luck, see those changes used and possibly propagated back into
OpenOffice.org.
What does the 1.3.0 release offer?
This package contains Desktop integration work for OpenOffice.org,
several back-ported features & speedups, and a much simplified
build wrapper, making an OO.o build / install possible for the
common man.
There is a detailed list, which includes a number of bug fixes, GTK+ and
KDE file selector support, Lotus 123 importing, improved icons, and much
more. Oh, and the obnoxious business where OOo calls your file "modified"
every time you print it has been fixed.
The ooo-build parallel fork is a good thing: it brings the notoriously
unapproachable OpenOffice.org development process closer to what the rest
of the community expects to deal with. It can be a useful staging ground
which gets new features to users quickly, and enables stability testing
which can help smooth the eventual merging of those features into OpenOffice.org. It is
not the sort of acrimonious separation which normally comes to mind when
the word "fork" is mentioned; it is, instead, more of an impedance matching
mechanism. ooo-build should result in a better OpenOffice.org experience
for everybody involved.
Comments (8 posted)
Alternatives to cdrecord
After last week's
discussion of cdrecord,
and concerns that recent releases of cdrecord may not be free software, we
decided to take a look and see what alternatives exist for Linux users. The
answer, unfortunately, is "not many."
While there are quite a few front-ends for recording CDs under Linux, there
are very few actual CD and DVD-burning applications available to Linux
users. Applications like K3b, MP3Roaster, BashBurn and others all use
cdrecord to burn CDs.
In all, we were only able to find three suitable candidates for users
looking to find a replacement for cdrecord. Projects that were obviously
abandoned or with no new releases in more than one year were not
considered.
Cdrdao
For users with no interest in recording DVDs, Cdrdao is available under the GPL
and is a good alternative to cdrecord. This utility will perform
disk-at-once recording for audio and data CD-R/CD-RWs. The primary focus of
the Cdrdao project seems to be audio or mixed-mode CDs. In fact,
documentation on burning ISO images with cdrdao seems to be non-existent.
However, it is possible to burn ISOs with cdrdao with a little extra
effort. Burning CDs with cdrdao requires a description file (either a
native toc-file or a cue file from a Windows burning utility) in addition
to the actual data to be burned to CD. In the case of ISO images, users
must create the toc-file by hand to provide cdrdao with the necessary
information to burn a disk from an ISO. The cdrdao utility is also used to
make an image of a disk, and to create a toc-file to burn the image back to
disk.
Aside from the extra bit of effort required to create a toc-file, cdrdao
works well and is probably preferable to cdrecord for users who primarily
burn audio CDs. One note of caution: users should specify an appropriate
writing speed for their device. This writer neglected to specify a writing
speed the first time out of the gate, and cdrdao elected to shoot for a
rather optimistic 40x writing speed -- which produced a coaster rather than
a bootable KNOPPIX disk on the Sony DRU-530A DVD+RW/-RW, CD-RW
drive. Theoretically, this drive is rated for 40x burns with CD-R media,
but much better success has been had with lower burn rates.
The supported
drives page gives a list of drives that are known to work with cdrdao,
though it is not exhaustive. Version 1.1.9 of cdrdao was released on June 7,
2004.
OSS DVD Extensions
Though not a standalone program, the OSS DVD extensions are
worth mentioning. This project provides extensions to cdrecord for users
who would like to be able to burn DVDs as well as CDs. There is little
difference between using cdrecord and cdrecord with the OSS DVD extensions,
with the exception that the OSS DVD extensions enable DVD burning from
DVD-R(W) drives.
The OSS DVD website includes patches for several releases of cdrecord, as
well as RPMs for several versions of Fedora Core, Mandrake, Red Hat, and
SUSE Linux. The last patch for cdrtools was released in May. The OSS DVD
Extensions should work with any drive supported by cdrecord.
DVD+RW-Tools
Another project for DVD-burning is the DVD+RW-Tools
project. Despite the name, the DVD+RW-Tools project actually supports
DVD+RW and DVD-RW drives.
This writer has been happily using DVD+RW-Tools since investing in a DVD
burner back in February. The DVD+RW-Tools project includes a utility called
growisofs, which is used to master images and burn them to disk. Growisofs
can also be used "on the fly" to burn directly to DVD without the
intermediate step of creating an image file. The project also includes a
utility called dvd+rw-format to, not surprisingly, format DVD+RW media
before use.
The DVD+RW-Tools are used only for burning DVDs. Users who want to burn CDs
and DVDs must depend on cdrecord or cdrdao for CD burning. The project
seems to be a fairly healthy one, with the latest
release being a little more than a month old at the time of this
writing. According to the DVD+RW-Tools website, any MMC-compliant drive
should be supported.
Conclusions
While it's not unusual for people to complain that there are too many
programs that handle a given task (e-mail clients, for example), the Linux
community could do with a choice of CD and DVD recording programs. The
existing programs are suitable enough, but users are left with a
disappointing number of options when they need to utilize CD and DVD
burners.
Comments (22 posted)
IBM's summary judgment motion
The core of the suit filed by the SCO Group against IBM is a set of
breach-of-contract allegations. SCO is saying that IBM, through its
contributions to Linux, has violated the Unix licensing contracts signed
with ATT years ago. SCO's rather broader public claims have tended to
overshadow the much more restricted nature of the actual case at hand, but
that is what the real issue is. IBM has concluded that the time has come
to put an end to those charges, however, and has filed for a partial
summary judgment which would dispose of the contract case. The
supporting memorandum is
available as a 100-page PDF file. Your editor, who has not had a chance to
rip into this sort of meaty legal document for a while, has been through
the whole thing; the following is a summary of what IBM is saying.
IBM goes on at great length on why it believes the judgment should be
entered. The core of the argument reads this way:
- There is very little of the original Unix code in either AIX or
Dynix.
- Of that code which remains, IBM has contributed none of it to Linux.
- SCO's interpretation of the license, which would give SCO rights over
any code which ever went near AIX or Dynix, is nonsensical. SCO has
no rights over IBM's code which it developed itself.
- Even if the license agreement did, somehow, give SCO those rights,
Novell has the right to waive licensing enforcements, and has done so
in this case.
- SCO, by virtue of continuing to publish the contested code itself, has
forfeited any rights it may have had to keep others from doing so.
- SCO's right to terminate IBM's AIX and Dynix license (the basis of two
of SCO's charges) does not exist, and, if it did, it would be
overridden by Novell's waiver.
As followers of the flotilla of SCO cases have been reminded many
times by now: a motion for a summary judgment must show that there are no disputed
facts at issue. For IBM to prevail here (and avoid a longer trial on these
charges), it must show that all the facts are on the table and are not
contested. The standards are high for this sort of motion; if you want to
short out a real trial and dump a set of charges against you, you must have
a truly convincing argument.
Direct copying of code
The first two points above (direct copying of code) are argued early on, in ¶7:
SCO alleges that it has found approximately 74,000 lines of UNIX
System V code in AIX and approximately 78,000 lines of UNIX System
V code in Dynix... SCO does not contend (and in any case has no
evidence) that IBM has misused any of these lines of code.
One of the best ways of establishing an "undisputed" fact, obviously, is to
use the opposite side's statements against them. IBM does not stop there,
however; the company brought in its own MIT scientist (and a high-profile
one at that: Randall Davis) to compare IBM's Linux contributions against
the SYSV code base. Mr. Davis concluded that, as one might expect, there
is no SYSV code (or even similarities to SYSV code) in IBM's work, which
is, thus, not a derived work of SYSV. The memorandum does not state
whether Mr. Davis developed a deep semantic theory to that effect,
however.
Finally, IBM repeatedly points out that SCO was never able to provide any
examples of SYSV-derived code contributed to Linux, and that SCO is not
arguing that such a contribution has occurred:
Moreover, SCO's responses to IBM's interrogatories do not identify
any UNIX System V source code from which any of the code IBM
contributed to Linux is allegedly derived. Indeed, SCO refused to
provide such information because it "is not part of SCO's
claims". (¶59).
Thus, says IBM, the lack of any direct use of SYSV-derived code in violation of the
license agreement is undisputed.
What the license says
SCO still seems to believe that it has a case, however. That case depends
on a very broad reading of the Unix license contract signed between ATT and
IBM almost 20 years ago. From ¶62:
SCO's contract claims instead rest entirely on the proposition that
"[t]he AIX work as a whole and the Dynix/ptx work as a whole are
modifications of, or are derived from [UNIX] System V". Under
SCO's theory of the case, all of the tens of millions of
lines of code ever associated with any technology found in AIX or
Dynix, even if that code does not contain any UNIX System V code,
is subject to the restrictions of the IBM and Sequent Software
Agreements.
SCO, in other words, claims to own anything which ever might have breathed
the same air as SYSV Unix. This interpretation has been clear for some
time, and IBM has gone to great lengths to get SCO to commit itself (in
court) to that
position. IBM now hopes to demonstrate that, beyond any possibility of
dispute, the license contracts do not give SCO the rights it thinks it has.
The first step in that process was to hold depositions with all of the
people involved in the writing and signing of those contracts. So they
tracked down all of the IBM, Sequent, and (crucially) ATT people who were
involved in the process and queried them about the intent of the license
language. Everybody involved, on both sides of the table, agreed that the
contract was never intended to give ATT (or any of its successors) power
over code which it did not
develop. There are many pages of quotes to this effect. Here is one
example, from Michael DeFazio, who ran ATT's Unix product management,
marketing, and licensing group, and who said:
The [software] agreements did not (and do not) give AT&T, USL,
Novell, or any of their successors or assigns the right to assert
ownership or control over modifications and derivative works
prepared by its licensees, except to the extent of the original
Unix System V source code included in such modifications and
derivative works.... I do not believe that our licensees would
have been willing to enter into the software agreement if they
understood Section 2.01 to grant AT&T, USL, Novell, or their
successors or assigns the right to own or control source code
developed by or for the licensee. (¶90).
Several of the ATT people involved are also quoted as stating, flat out,
that SCO's claims are wrong.
IBM notes that, under New York law (which is the law governing its
agreement with ATT), sworn statements from both parties to a contract are
the most compelling evidence with regard to the intent of the contract.
So, if there were any ambiguity in what the contract means (which, says
IBM, there is not), the testimony from the relevant IBM, Sequent, and ATT
people would be more than sufficient to straighten things out.
Not content with that, however, IBM argues this issue from several other
points. It brings up the old issue of $ echo describing ATT's
intent, and the "side letter" signed with IBM and various other licensees.
ATT also redrafted the paragraph in question at some point; the people
involved stated that the change was only to make the intent clearer, and
did not actually change the license terms. IBM states that SCO's
interpretation of the contract is simply absurd and unreasonable, and thus
not enforceable. And
finally, IBM cites federal copyright law and its provisions regarding
rights over derivative works.
Waivers
IBM believes that it has shown that there is no possible interpretation of
the ATT license contract which favors SCO's position. But, says IBM, even
if that argument were to fall apart entirely, it doesn't matter: Novell has
waived any alleged breaches by IBM. The agreement between Novell and the
Santa Cruz Operation ("old SCO") is murky in several ways, but it seems
clear that Novell retained the right to shut down enforcement of Unix
license agreements at its will. Says IBM:
Novell's letters to SCO establish as a matter of law that even if
SCO had the right under the IBM and Sequent Software Agreements to
prevent IBM from disclosing its or Sequent's original code, Novell
explicitly waived that right.
If that isn't enough, IBM also claims that SCO, itself, has waived any
enforcement rights through its own distribution of Linux.
In this case, SCO's acts and conduct are plainly inconsistent with
an intention to assert a breach of contract against IBM based on
the code allegedly at issue. Both before and even after SCO sued
IBM, SCO sold to customers and made publicly available on the
Internet the code that it claims IBM improperly contributed to
Linux. Indeed, this code was still available on SCO's website as
recently as August 4, 2004. SCO cannot on the one hand market
and sell the source code IBM contributed to the Linux operating
system, and on the other hand claim that IBM was prohibited by its
licensing agreements from contributing that code to Linux.
In support of this position, IBM has dug up old SCO press releases and such
proclaiming features like journaling filesystems, SMP scalability,
asynchronous I/O, etc. As many people have pointed out over the last year,
SCO has dug itself into a deep hole with its own Linux distribution
activities.
License termination
Two of SCO's charges against IBM have to do with SCO's "termination" of
IBM's Unix licenses. This termination, says SCO, deprives IBM of the right
to distribute AIX or Dynix. It also, incidentally, is said to deprive all
users of those operating systems of the right to keep running them - a risk of
proprietary code that, one assumes, most users were not expecting to have
to deal with.
IBM's motion deals with these actions almost as an afterthought. If IBM
has truly not breached the Unix agreements, then SCO's "termination" is
clearly beyond its powers. IBM states that SCO has no right to terminate
the license in this way in any case, however; quoting Novell:
Pursuant to Amendment No. X, however, Novell and SCO granted IBM
the 'irrevocable, fully paid-up, perpetual right' to exercise all of
the rights under the IBM SVRX Licenses that IBM then held. IBM
paid $10,125,000 for the rights under Amendment No. X. Novell
believes, therefore, that SCO has no right to terminate IBM's SVRX
Licenses, and that it is inappropriate, at best, for SCO to be
threatening to do so.
Even without this argument, however, Novell's waiver of enforcement rights
should be adequate to counteract this "termination."
Conclusion
IBM's motion for a partial summary judgment is thoroughly and
comprehensively argued; the company would appear to have covered all of the
bases. If IBM's argument holds water with the judge, the core of SCO's
case will have been demolished, and the collapse of the entire house of
cards will not be far away. This motion is an ambitious attempt to put an
end to this whole affair.
It is interesting to see which arguments do not appear in this
memorandum. In particular, there is no reference to the whole issue of who
really owns the Unix copyrights other than little digs like saying that SCO
"purports" to have acquired them. The copyright ownership issue could, by
itself, torpedo everything SCO is trying to accomplish. But the ownership
of the copyrights is very much a disputed fact, and, as such, it is not a
useful argument in support of a summary judgment.
If IBM succeeds with this motion, the SCO case is done. It would be far
too soon to conclude that this will come to pass, however. The next step
will be a response from SCO, followed by arguments in front of the judge.
SCO will do its best to drag up facts which, it will claim, remain in
dispute. We may see expert witnesses claiming that, testimony from the
principals involved notwithstanding, the ATT license agreements have a
broader meaning than IBM is claiming. SCO may try to claim that it hasn't
been able to come up with the facts because IBM has been "stalling
discovery." And so on. If SCO can create enough fog around IBM's
arguments, it might just succeed in defeating this motion and forcing the
whole thing to go to a full trial. In that case, we would have to wait
until next year for the outcome.
Comments (22 posted)
Page editor: Jonathan Corbet
Security
The Mosquitos trojan
Many people interested in security issues fear the first big security
breach which
affects mobile wireless devices. A large, destructive cell phone worm would
make for a bad day in many quarters. The "Mosquitos" trojan does not quite
live up to those fears, but there are lessons to be learned from it anyway.
Mosquitos is a game for Symbian-based wireless handsets. According to
early reports, a version of the game had been "cracked" and circulated
through the usual channels. Users who picked it up and ran it found out,
sooner or later, that it had a bad habit of sending text messages to
expensive, premium phone numbers. That was almost certainly not the
experience the users had in mind when they loaded the game.
While many outlets reported the existence of a Symbian trojan, rather fewer
followed up when the truth of the matter became clear: the "trojan"
functionality was an intentional feature added by the manufacturer of the
game. It is, in essence, an attempt at a copy protection mechanism; if the
game finds itself running outside of its intended geographical area, it
sends a bunch of expensive messages in retaliation. This behavior is a
feature, not a trojan.
Then again, that might depend on your definition of "trojan." It is an
undocumented behavior hidden within a program; certainly nobody who bought
this game intended to purchase a function which sends unwanted messages if
it decides things are not right. Most users might be forgiven for feeling
that they had, indeed, been trojaned after all.
It would be out of character for us to fail to point out that this sort of
behavior is almost exclusively associated with closed-source, proprietary
software. The author of a free software program is certainly capable of
inserting trojan-like behavior; consider the
mICQ incident from February, 2003. But it would be surprising indeed
for any such code to last for long. Free software means that hostile code
can be found and ripped out in a hurry. Now if we only had mobile phones built with
free software...
Comments (9 posted)
Security news
Crypto researchers abuzz over flaws (News.com)
News.com reports from Crypto 2004, where researchers are presenting findings on weaknesses in secure hash algorithms.
"Biham's presentation was very preliminary, but it could call into question the long-term future of the wildly popular SHA-1 algorithm and spur researchers to identify alternatives.
Currently considered the gold standard of its class of algorithms, SHA-1 is embedded in popular programs like PGP and SSL. It is certified by the National Institute of Standards and Technology and is the only signing algorithm approved for use in the U.S. government's Digital Signature Standard."
Comments (26 posted)
New vulnerabilities
acroread: UUDecode filename buffer overflow
| Package(s): | acroread |
| CVE #(s): | |
| Created: | August 16, 2004 |
| Updated: | August 17, 2004 |
| Description: |
acroread contains two errors in the handling of UUEncoded filenames.
First, it fails to check the length of a filename before copying it
into a fixed size buffer and, secondly, it fails to check for the
backtick shell metacharacter in the filename before executing a command
with a shell. By enticing a user to open a PDF with a specially crafted
filename, an attacker could execute arbitrary code or programs with the
permissions of the user running acroread. |
| Alerts: |
|
Comments (none posted)
Gaim: remote code execution vulnerability
| Package(s): | gaim |
| CVE #(s): | CAN-2004-0500 |
| Created: | August 12, 2004 |
| Updated: | October 18, 2004 |
| Description: |
The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability
in the MSN-protocol parsing functions. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
| CVE #(s): | CAN-2004-1453 |
| Created: | August 17, 2004 |
| Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
gv: unsafe sscanf() buffer overflow vulnerability
| Package(s): | gv |
| CVE #(s): | CAN-2002-0838 |
| Created: | August 12, 2004 |
| Updated: | August 19, 2004 |
| Description: |
gv (prior to version 3.5.8-r4) has a buffer overflow vulnerability involving the sscanf()
function. An attacker can execute arbitrary code with the
permission of the user running gv. |
| Alerts: |
|
Comments (1 posted)
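The acroread and gv entries above describe the same two coding errors in different programs: a string of attacker-chosen length copied into a fixed-size buffer (by an unbounded copy in one case, by sscanf() without a field width in the other), and a filename handed to a shell without any check for metacharacters. The C below is an added illustration written for this page, not code from either project; the buffer size, the header-line format, the sample strings and the function names are all invented for the example.

```c
/* Added example (not acroread's or gv's code): the mistakes described in
 * the acroread and gv entries, each beside a bounded alternative. All
 * sizes, formats and sample inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* keyword buffer size; "%63s" below must match */

/* 1. Copying a name of unknown length into a fixed buffer.
 *    Returns 0 on success, -1 (leaving dst untouched) if it would not fit,
 *    counting the terminating NUL. The unsafe form is strcpy(dst, src). */
int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* 2. sscanf("%s") has no upper bound; a field width ties the conversion
 *    to the buffer size. Parses "<keyword> <number>" and returns the
 *    number of fields converted (0, 1 or 2). An over-long keyword is
 *    truncated to 63 characters instead of spilling past the buffer. */
int parse_header_line(const char *line, char keyword[NAME_MAX_LEN], int *value)
{
    /* the unsafe form would be: sscanf(line, "%s %d", keyword, value); */
    return sscanf(line, "%63s %d", keyword, value);
}

/* 3. A filename that would reach a shell via system() or popen().
 *    Rejecting metacharacters is a stop-gap check; the real fix is
 *    fork()+execve() with an argv array so no shell ever parses the name.
 *    Returns 1 if the name contains none of the listed characters. */
int name_is_shell_safe(const char *name)
{
    static const char bad[] = "`$|;&<>()\"'\\\n";
    return strpbrk(name, bad) == NULL;
}

int main(void)
{
    char dst[NAME_MAX_LEN];
    char keyword[NAME_MAX_LEN];
    int value = 0;

    /* constructed inputs */
    printf("copy: %d\n", copy_name_checked(dst, sizeof dst, "report.pdf"));
    printf("parse: %d fields\n", parse_header_line("Pages 12", keyword, &value));
    printf("shell-safe: %d\n", name_is_shell_safe("x`id`.pdf"));
    return 0;
}
```

The width in the sscanf() format is one less than the buffer size because sscanf() appends the NUL itself; keeping the two numbers next to each other in one #define is what stops them drifting apart in later edits.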
kdebase: multiple vulnerabilities
| Package(s): | kdebase |
| CVE #(s): | CAN-2004-0689, CAN-2004-0690, CAN-2004-0721, CAN-2004-0746 |
| Created: | August 12, 2004 |
| Updated: | October 4, 2004 |
| Description: |
Three separate vulnerabilities have been identified in the KDE 3.2
"kdebase" package; see this advisory for
details. These problems include two temporary file vulnerabilities and a
"frame injection" problem in konqueror which could help with phishing
attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies
for certain country specific secondary top level domains. |
| Alerts: |
|
Comments (none posted)
MySQL: temporary file vulnerability
| Package(s): | mysql |
| CVE #(s): | CAN-2004-0457 |
| Created: | August 18, 2004 |
| Updated: | September 1, 2004 |
| Description: |
The MySQL "mysqlhotcopy" script contains a temporary file vulnerability
which could be used by an attacker to overwrite files. |
| Alerts: |
|
Comments (none posted)
nessus: adduser race condition vulnerability
| Package(s): | nessus |
| CVE #(s): | |
| Created: | August 12, 2004 |
| Updated: | August 17, 2004 |
| Description: |
The nessus security scanner has a temporary file vulnerability that allows a
user to perform a privilege escalation attack by way of an adduser
race condition. |
| Alerts: |
|
Comments (none posted)
rsync: path-sanitizing bug
| Package(s): | rsync |
| CVE #(s): | CAN-2004-0792 |
| Created: | August 16, 2004 |
| Updated: | November 1, 2004 |
| Description: |
This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxiliary files to be read or
written. |
| Alerts: |
|
Comments (none posted)
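As an added illustration of the class of bug the rsync advisory describes (this is not rsync's code), here is a daemon-side path sanitizer that strips every leading slash in a single pass and drops "." and ".." components, so that a second call would have nothing left to do. The function name and the sample strings are invented for the example. Lexical sanitizing cannot see symlinks, which is why the advisory's own condition, running the daemon with chroot enabled, remains the stronger control.

```c
/* Added example (not rsync's code): a one-pass path sanitizer. The
 * advisory's bug was a single pass that could leave a leading slash
 * behind; this loop skips every run of slashes, including leading ones,
 * and discards "." and ".." components, so one call suffices. */
#include <stdio.h>
#include <string.h>

/* Rewrites `path` in place into a relative path with no leading '/',
 * no "." or ".." components and no empty components ("a//b" -> "a/b").
 * Returns the new length. The write cursor never passes the read cursor,
 * so the in-place memmove() is safe. */
size_t sanitize_path(char *path)
{
    char *out = path;
    const char *p = path;

    while (*p) {
        while (*p == '/')           /* skip every run of slashes */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')     /* find the end of this component */
            p++;
        size_t len = (size_t)(p - start);
        if ((len == 1 && start[0] == '.') ||
            (len == 2 && start[0] == '.' && start[1] == '.'))
            continue;               /* drop "." and ".." */
        if (out != path)
            *out++ = '/';           /* separator between kept components */
        memmove(out, start, len);
        out += len;
    }
    *out = '\0';
    return (size_t)(out - path);
}

int main(void)
{
    char sample[] = "//../etc/./passwd";   /* constructed input */
    sanitize_path(sample);
    printf("%s\n", sample);                 /* etc/passwd */
    return 0;
}
```

Because the sanitizer is idempotent, calling it twice on the same string (as the advisory notes happened by accident for the transfer names) changes nothing; the option paths it mentions were only ever sanitized once, which is where a one-pass implementation that left a slash behind mattered.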
ruby: insecure file permissions
| Package(s): | ruby |
| CVE #(s): | CAN-2004-0755 |
| Created: | August 16, 2004 |
| Updated: | October 14, 2004 |
| Description: |
Andres Salomon noticed a problem in the CGI session management of Ruby, an
object-oriented scripting language. CGI::Session's FileStore (and
presumably PStore, but not in Debian woody) implementations store session
information insecurely. They simply create files, ignoring permission
issues. This can lead an attacker who has also shell access to the
webserver to take over a session. |
| Alerts: |
|
Comments (none posted)
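The MySQL, nessus and ruby entries above are variations on one theme: a file created under a predictable name without O_EXCL (so another local user can plant a symlink at that name first) or with a permissive mode (so another local user can read it afterwards). The C below is an added example, not code from any of those projects; it shows the insecure pattern in a comment beside two safe creation routines. The directory, the session id and the function names are constructed for the example.

```c
/* Added example (not MySQL's, nessus's or Ruby's code): creating temporary
 * and session files so that neither the planted-symlink race nor the
 * permissive-mode leak applies. Paths live inside a fresh mkdtemp()
 * directory so the example runs anywhere. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern the advisories describe (shown only, never called):
 *   snprintf(path, sizeof path, "/tmp/sess.%d", getpid());  predictable name
 *   fd = open(path, O_WRONLY|O_CREAT|O_TRUNC, 0666);         follows a planted
 *                                                            symlink; readable
 *                                                            by everyone after */

/* Temporary file: mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so the
 * name cannot be pre-created or symlinked and the contents cannot be read
 * by other users. `template_inout` must end in "XXXXXX" and is rewritten. */
int open_private_tempfile(char *template_inout)
{
    int fd = mkstemp(template_inout);
    if (fd < 0)
        return -1;
    /* pin the mode explicitly; libc defaults have varied historically */
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Session file with a known name: O_EXCL refuses to clobber an existing
 * file, O_NOFOLLOW refuses a symlink, and 0600 keeps other users out.
 * Returns the descriptor or -1 (the caller may inspect errno). */
int create_session_file(const char *dir, const char *session_id)
{
    char path[4096];
    if (strchr(session_id, '/') != NULL)      /* an id is not a path */
        return -1;
    if (snprintf(path, sizeof path, "%s/sess_%s", dir, session_id)
            >= (int)sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Permission bits of an open descriptor, or -1 on error. */
int fd_mode_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    char dir[] = "/tmp/sessdemoXXXXXX";       /* constructed location */
    char path[4200];
    if (mkdtemp(dir) == NULL)
        return 1;
    int fd = create_session_file(dir, "deadbeef");
    printf("session fd %d, mode %04o\n", fd, fd_mode_bits(fd));
    if (fd >= 0)
        close(fd);
    snprintf(path, sizeof path, "%s/sess_deadbeef", dir);
    unlink(path);
    rmdir(dir);
    return 0;
}
```

The O_EXCL failure on a second create_session_file() call for the same id is the desired outcome: a server that finds the file already present should treat it as a collision (or an attack) and pick a new id rather than truncate whatever is there.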
xine-lib: VCD MRL buffer overflow
| Package(s): | xine-lib |
| CVE #(s): | |
| Created: | August 17, 2004 |
| Updated: | August 18, 2004 |
| Description: |
xine-lib contains a bug where it is possible to overflow the vcd:// input
source identifier management buffer through carefully crafted playlists.
An attacker may construct a carefully-crafted playlist file which will
cause xine-lib to execute arbitrary code with the permissions of the
user. In order to conform with the generic naming standards of most
Unix-like systems, playlists can have extensions other than .asx (the
standard xine playlist format), and made to look like another file
(MP3, AVI, or MPEG for example). If an attacker crafts a playlist with
a valid header, they can insert a VCD playlist line that can cause a
buffer overflow and possible shellcode execution. |
| Alerts: |
|
Comments (1 posted)
Updated vulnerabilities
Apache mod_proxy: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2004-0492 |
| Created: | June 11, 2004 |
| Updated: | October 14, 2004 |
| Description: |
A buffer overflow vulnerability in the apache mod_proxy module
can be exploited to create a denial of service. |
| Alerts: |
|
Comments (none posted)
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
| CVE #(s): | CAN-2004-0488 |
| Created: | June 1, 2004 |
| Updated: | October 14, 2004 |
| Description: |
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN. |
| Alerts: |
|
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
| CVE #(s): | CAN-2004-0548 |
| Created: | June 17, 2004 |
| Updated: | December 20, 2004 |
| Description: |
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker. |
| Alerts: |
|
Comments (none posted)
Cfengine: RSA Authentication Heap Corruption
| Package(s): | Cfengine |
| CVE #(s): | |
| Created: | August 10, 2004 |
| Updated: | August 11, 2004 |
| Description: |
Two vulnerabilities have been found in cfservd. One is a buffer overflow in
the AuthenticationDialogue function and the other is a failure to check the
proper return value of the ReceiveTransaction function. An attacker could
use the buffer overflow to execute arbitrary code with the permissions of
the user running cfservd, which is usually the root user. However, before
such an attack could be mounted, the IP-based ACL would have to be
bypassed. With the second vulnerability, an attacker could cause a denial
of service attack. |
| Alerts: |
|
Comments (none posted)
cvstrac: arbitrary code execution
| Package(s): | cvstrac |
| CVE #(s): | |
| Created: | August 6, 2004 |
| Updated: | August 11, 2004 |
| Description: |
Richard Ngo
reported on BugTraq that a vulnerability has been discovered in the CVS
repository web browsing tool CVSTrac. If properly exploited an
attacker can execute arbitrary code on the CVSTrac host with the privileges
of the associated web server. |
| Alerts: |
|
Comments (none posted)
Ethereal: Multiple security problems
| Package(s): | ethereal |
| CVE #(s): | CAN-2004-0633, CAN-2004-0634, CAN-2004-0635 |
| Created: | July 9, 2004 |
| Updated: | August 19, 2004 |
| Description: |
There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.5, including:
* In some cases the iSNS dissector could cause Ethereal to abort.
* If there was no policy name for a handle for SMB SID snooping it
could cause a crash.
* A malformed or missing community string could cause the SNMP
dissector to crash.
See this
advisory for more information. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: |
The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: |
|
Comments (none posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
| CVE #(s): | CAN-2004-0494 |
| Created: | August 4, 2004 |
| Updated: | February 21, 2005 |
| Description: |
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
| CVE #(s): | CAN-2004-0155 |
| Created: | April 7, 2004 |
| Updated: | August 19, 2004 |
| Description: | Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
kdelibs: cookie disclosure
| Package(s): | kdelibs |
| CVE #(s): | CAN-2003-0592 |
| Created: | March 10, 2004 |
| Updated: | August 24, 2004 |
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0497 |
| Created: | July 2, 2004 |
| Updated: | September 27, 2004 |
| Description: | During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances, such as when the files are exported via NFS. |
kernel information leak
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0415 |
| Created: | August 3, 2004 |
| Updated: | October 26, 2004 |
| Description: | Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64- to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7. A fix for this problem was added to the fifth 2.4.27 release candidate. |
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages shipped with Red Hat Linux 8.0 was incorrectly installed setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages, which contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
libpng: multiple vulnerabilities
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: | Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix the vulnerability, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. |
MoinMoin Group ACL Bypass
| Package(s): | moinmoin |
| CVE #(s): | |
| Created: | July 12, 2004 |
| Updated: | August 26, 2004 |
| Description: | MoinMoin contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when an attacker creates a user with the same name as an administrative group. This flaw may lead to a loss of integrity. See this OSVDB entry for additional information. |
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CAN-2003-0594, CAN-2003-0564 |
| Created: | March 10, 2004 |
| Updated: | August 19, 2004 |
| Description: | Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
MySQL: temporary file vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CAN-2004-0381, CAN-2004-0388 |
| Created: | April 14, 2004 |
| Updated: | August 18, 2004 |
| Description: | The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. |
neon: buffer overflow
| Package(s): | neon |
| CVE #(s): | CAN-2004-0398 |
| Created: | May 19, 2004 |
| Updated: | September 30, 2004 |
| Description: | The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: | Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. |
netpbm: insecure temporary files
| Package(s): | netpbm |
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: | netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. |
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
OpenSSL: denial of service vulnerabilities
opera: remote filesystem read access vulnerability
| Package(s): | opera |
| CVE #(s): | |
| Created: | August 5, 2004 |
| Updated: | August 11, 2004 |
| Description: | The Opera browser has a vulnerability that may allow a remote attacker to read a local filesystem. |
pavuk: buffer overflow
| Package(s): | pavuk |
| CVE #(s): | CAN-2004-0456 |
| Created: | June 30, 2004 |
| Updated: | November 11, 2004 |
| Description: | Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
php: remotely exploitable memory errors
| Package(s): | php |
| CVE #(s): | CAN-2004-0594 |
| Created: | July 14, 2004 |
| Updated: | February 7, 2005 |
| Description: | Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not). |
PuTTY: pre-authentication arbitrary code execution problem
| Package(s): | putty |
| CVE #(s): | |
| Created: | August 5, 2004 |
| Updated: | October 28, 2004 |
| Description: | PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client. |
python: buffer overflow
| Package(s): | python |
| CVE #(s): | CAN-2004-0150 |
| Created: | March 10, 2004 |
| Updated: | October 11, 2004 |
| Description: | Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
samba: potential buffer overruns
| Package(s): | samba |
| CVE #(s): | CAN-2004-0600, CAN-2004-0686 |
| Created: | July 22, 2004 |
| Updated: | September 2, 2004 |
| Description: | According to this Samba advisory, Evgeny Demidov discovered that the Samba SMB/CIFS server has a buffer overflow bug in the Samba Web Administration Tool (SWAT) when decoding Base64 data during HTTP Basic Authentication. Samba versions 3.0.2 through 3.0.4 are affected. (CAN-2004-0600) Another buffer overflow bug has been located in the Samba code used to support the "mangling method = hash" functionality. The default setting for this parameter is "mangling method = hash2", and therefore Samba is not vulnerable by default. Samba versions 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. (CAN-2004-0686) |
shorewall: temporary file exploit
| Package(s): | shorewall |
| CVE #(s): | |
| Created: | August 10, 2004 |
| Updated: | August 11, 2004 |
| Description: | Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in the way that Shorewall handles temporary files and directories. The vulnerability can allow a non-root user to cause arbitrary files on the system to be overwritten. LEAF Bering and Bering uClibc users are generally not at risk because LEAF boxes do not typically allow logins by non-root users. The complete advisory is here. |
sox: buffer overflow
| Package(s): | sox |
| CVE #(s): | CAN-2004-0557 |
| Created: | July 28, 2004 |
| Updated: | February 21, 2005 |
| Description: | Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |