Anonymous Reader writes “Embedded Linux vendor LynuxWorks joined the growing chorus of responses to Microsoft’s recent efforts to portray Embedded Linux as inferior to Windows XP Embedded from both technical and business perspectives. Embedded Linux vendors have countered that Microsoft’s document contains numerous inaccuracies and is based on distorted characterizations of the Embedded Linux operating system as well as of the vendors of Embedded Linux. Read the LynuxWorks response at LinuxDevices.com.”

NewsFactor Network writes “The desktop metaphor is under attack these days. Usability experts and computer scientists like Don Norman, David Gelernter and George Robertson have declared the metaphor “dead.” The complexities blamed on the desktop metaphor are not the fault of the metaphor itself, but of its implementation in mainstream systems. The default hard disk icon is part of the desktop metaphor. And the icon is the cause of the complexity created by the desktop”

From CNet: “Intel provided PC buyers with some new options on Monday, as
double data rate memory quietly made its debut alongside the Pentium
4.”

Dre writes “See http://dot.kde.org/1008632158/. Thanks, Andreas Pour.” and Timothy R. Butler writes “”The KDE Project has announced the release
of KOffice 1.1.1, the official KDE office suite. The new release
promises better stability, which could help make KOffice the suite of
choice for light productivity needs.” More…”

LinuxPlanet: “During the course of writing this week’s column, I found myself looking at the font presentation in KDE 2.2.1 and thinking: ‘yes, these are anti-aliased, but by golly is the kerning completely screwed on this thing.’ I checked the KDE site, and sure enough, there was at least one bug report about the problem… I plucked down the relevant RPM files from the KDE site and upgraded the environment. Unfortunately, things are pretty much the same with the on-screen display.” Read more here.

BBC: “The heart of a new light-emitting diode (LED) developed in Cambridge, UK, can be controlled so precisely that it emits just one single photon of light each time it is switched on. The device could be a key component in quantum cryptography, a code-making technology which, it is hoped, will be uncrackable.” Read more here.

ComputerUser.com: “On August 7, the Court of Appeal in the Sixth Appellate District of California said a lower-court judge was correct in finding the state has jurisdiction over Matthew Pavlovich, and ordered him to stand trial in California. Pavlovich, an open-source developer who played a role in the creation of DVD-playing software for Linux known as LiViD, is one of a number of defendants targeted in a lawsuit filed by the DVD Copy Control Association (DVD CCA). Pavlovich, who was a student at Purdue University in Indiana at the time of the filing of the complaint and now resides in Texas, claimed to have no contacts in California and argued that the state has no jurisdiction over him.” Read more here.

PC World: “Immunity is impossible, but the open-source operating system may be protected… Why? Is Linux totally impervious to an e-mail virus? In theory, no. But in practice, it comes close.” Read more here.

ZDNet: “At the end of November Microsoft posted a document on its Web site comparing the Windows XP Embedded and embedded Linux operating systems, with the emphasis on the technical and business inferiority of Linux. Embedded Linux distributors argue that the document not only distorts the value of Linux, but contains inaccuracies. The following is a point-by-point response to Microsoft’s attack from Lineo, one of the companies of which Microsoft is most critical.”

EnGarde: “While researching the recent globbing bugs in wu-ftpd, Flavio Veloso
flaviovs@magnux.com> discovered (with the assistance of Jakub Jelinek
jakub@redhat.com>) a buffer overflow in glibc’s glob(3)
implementation. This vulnerability can only be triggered by programs
that use glibc’s globbing functions.”

+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory               December 17, 2001 |
|  http://www.engardelinux.org/ ESA-20011217-01 |
|                                                                        |
| Package:  glibc                                                        |
| Summary:  'glibc' globbing buffer overflow                             |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
--------
  There is a buffer overflow in glibc's globbing functions.


DETAIL
------
  While researching the recent globbing bugs in wu-ftpd, Flavio Veloso
  flaviovs@magnux.com> discovered (with the assistance of Jakub Jelinek
  jakub@redhat.com>) a buffer overflow in glibc's glob(3)
  implementation.  This vulnerability can only be triggered by programs
  that use glibc's globbing functions.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2001-0886 to this issue.

SOLUTION
--------
  All users should upgrade to the most recent version as outlined in
  this advisory.

  Guardian Digital recently made available the Guardian Digital Secure
  Update, a means to proactively keep systems secure and manage
  system software. EnGarde users can automatically update their system
  using the Guardian Digital WebTool secure interface.

  If choosing to manually upgrade this package, updates can be
  obtained from:

     ftp://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.engardelinux.org/pub/engarde/stable/updates/

Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh filename

  You must now update the LIDS configuration by executing the command:

    # /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signatures of the updated packages, execute the command:

    # rpm -Kv filename


UPDATED PACKAGES
----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).           

  Source Packages:

    SRPMS/glibc-2.1.3-1.0.4.src.rpm
      MD5 Sum:  94ad720b0450dc659e2d5ed05d2350dc

  Binary Packages:

    i386/glibc-2.1.3-1.0.4.i386.rpm
      MD5 Sum:  6a59be712e55c3da6e027ba44599ab9e

    i686/glibc-2.1.3-1.0.4.i386.rpm
      MD5 Sum:  6a59be712e55c3da6e027ba44599ab9e


REFERENCES
----------
  Guardian Digital's public key:
     http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

Credit for the discovery of this bug goes to:
    Flavio Veloso flaviovs@magnux.com>

glibc's Official Web Site:
     http://www.gnu.org/software/glibc/

CAN-2001-0886 (Buffer overflow in glob function of glibc)
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0886

Security Contact:    security@guardiandigital.com
EnGarde Advisories:   http://www.engardelinux.org/advisories.html

--------------------------------------------------------------------------
$Id: ESA-20011217-glibc,v 1.3 2001/12/17 19:48:17 rwm Exp $
--------------------------------------------------------------------------
Author: Ryan W. Maple, ryan@guardiandigital.com>
Copyright 2001, Guardian Digital, Inc.