
Security


News and Editorials

modutils issues remain. Back in our November 16th edition, we discussed security problems with modutils on both our Security and Kernel weekly pages. Modutils 2.3.20 was quickly released to try to resolve the problem, but the issues involved are not so simple.

This week, as part of the ongoing effort to resolve the issue properly, modutils 2.3.21 was released. It specifically fixes some side effects from the fixes applied in 2.3.20. Meanwhile, Adam Richter pointed out that even 2.3.21 only fixes half the problem.

Currently, querying a nonexistent network interface named, say, "eth0" results in a request_module call for "eth0". I want to change that to "if-eth0". This will make it impossible for users to pass things like "-C/my/bogus/modules.config", or to cause the loading of a legitimate but buggy module to crash the system. The changes to modutils that Keith Owens posted address the former problem, but not the latter, which is a pretty real possibility given that our current builds install 786 modules.
Adam has requested feedback on his idea, so take a look and pass your comments back to him. While Adam's idea makes a lot of sense, it will also require every existing system to modify its modules.conf file. There are ways around that, but the potential for problems is very high.
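The defensive idea in Adam's proposal is that a string a user can influence (an interface name) should never reach the module loader verbatim; it should be namespaced ("if-eth0") and validated so that option-looking strings or paths are rejected outright. The C below is an added illustration of that check, not code from modutils or from Adam's patch; the name build_if_module_name and the accepted character set are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16  /* Linux limit on interface name length, including NUL */

/* Hypothetical helper: turns a user-supplied interface name into the
 * namespaced module name proposed above ("eth0" -> "if-eth0").
 * Anything that is not a plain interface name is rejected, so strings such
 * as "-C/my/bogus/modules.config" or "../something" can never be handed to
 * the module loader. Returns 0 on success, -1 on rejection. */
int build_if_module_name(const char *ifname, char *out, size_t outlen)
{
    size_t n = ifname ? strlen(ifname) : 0;

    if (n == 0 || n >= IFNAMSIZ)
        return -1;                      /* empty or longer than the kernel allows */
    if (ifname[0] == '-' || ifname[0] == '.')
        return -1;                      /* looks like an option or a relative path */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)ifname[i];
        /* conservative allow-list: letters, digits, '_', '-', '.' */
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return -1;                  /* '/', whitespace, shell metacharacters */
    }
    if (snprintf(out, outlen, "if-%s", ifname) >= (int)outlen)
        return -1;                      /* caller's buffer too small */
    return 0;
}

/* Convenience wrapper: NULL on rejection. Uses a static buffer, so it is
 * not reentrant; fine for a demonstration. */
const char *if_module_name(const char *ifname)
{
    static char buf[IFNAMSIZ + 4];
    return build_if_module_name(ifname, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "eth0", "ppp0", "-C/my/bogus/modules.config",
                              "../etc/passwd", "eth0 -f", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *m = if_module_name(samples[i]);
        printf("%-30s -> %s\n", samples[i], m ? m : "REJECTED");
    }
    return 0;
}
```

The point of the prefix is that a modules.conf entry can only be reached through the "if-" namespace, so even a rejected-by-nobody but buggy driver module cannot be loaded by simply naming it as an interface; the allow-list handles the option-injection half that Keith Owens' changes already address.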

BSD coverage feedback. We received twenty notes from readers regarding last week's editorial, Why Cover BSD?. The responses were uniformly positive, so you can rest assured our BSD coverage will continue. Four of those notes asked for more BSD coverage, including coverage outside the LWN Security page. We are taking those suggestions under consideration, but for now we'll move slowly. We've got friends over at Daemon News that are already doing a good job of global BSD coverage. As always, we prefer not to duplicate the work of others, but instead step in only when we think we can provide some unique perspective, value or service.

Still, in places like the Security page where a contrast of BSD information and Linux information provides a special value, you may indeed see increased coverage in the future.

Improved Security Advisories. We'd like to say that our November editorial, Credit Your Source, had a similar impressive response. However, we didn't see any unilateral change in advisories as a result.

So, since complaining apparently works poorly, we thought we'd take a different approach and use praise. Two distributions have improved their security advisories noticeably over the past two weeks, Debian and Immunix, and we pass them our grateful thanks.

Debian has standardized their header for security advisories, started numbering them and does a good job of crediting the person who originally reported the vulnerability. Many thanks! The addition of a URL for the forum in which that vulnerability was reported would also be useful, but let's not get picky. Their header also contains a new entry indicating whether or not the vulnerability is "Debian-specific". This is quite useful, something we've only previously enjoyed in FreeBSD advisories.

Immunix has also straightened up the look of their advisories, adding their own header, complete with numbering scheme and author. This week, they also included URLs to the relevant BugTraq postings. This is a noticeable improvement over the casual announcements they made previously.

Note we aren't holding the Debian and Immunix advisories up as examples of perfection, but their efforts to improve are much appreciated.

Signed code: Security or censorship? (ZDNet). ZDNet takes a look at Microsoft's plans for code signing. "Known as code signing, the technique links a software developer's name with a program or Internet applet using digital signatures. The code cannot be changed without destroying the signature, giving users a way to link a company with a program. If something goes wrong, the user will know whom to blame."

The article discusses concerns for possible misuse of code signatures (to punish a commercial rival, for example), its limitations in terms of providing real security and its impact on small developers. "Virus writers could still sign their code and cause it to execute as soon as someone installs another piece of software, he said. To the user, it would seem that the software he or she just installed caused the problem".

Security Reports

ghostscript vulnerabilities. Two vulnerabilities were reported in ghostscript this week, a symlink vulnerability and a shared library usage vulnerability. Both could potentially lead to elevated privileges. We don't know exactly who to credit for finding these problems; the distribution advisories were the first notice of them we saw and none of them either claim credit or offer it elsewhere.

This week's updates:

koules buffer overflow. Guido Bakker reported a buffer overflow in koules, an arcade-style game authored by Jan Hubicka, which could be exploited locally to gain root privileges.

This week's updates:

bash tmpfile vulnerability. Reports of ways in which the Unix /bin/sh could be exploited, via its use of temporary files, led to an examination of Linux's bash. That turned up very similar problems. The vulnerability can be used to overwrite arbitrary files, particularly a problem when root runs bash. This week's updates:

pine remote code execution. In October, FreeBSD released a report of a pine buffer overflow that can be exploited remotely to execute arbitrary code via a specially-crafted mail message. Unfortunately, we mixed up that report with an earlier pine problem reported in September, which was not as serious. Since then, we've been listing updates for both problems together, with an inaccurate description. Please accept our apologies for the confusion. The following packages prevent the remote exploit as well as fix the earlier pine problem.

This week's updates:

Previous updates:

syslog-ng remote denial-of-service. Balazs Scheidler posted an advisory this week for a remote denial-of-service vulnerability in syslog-ng. Check the syslog-ng home page for syslog-ng news. All versions prior to and including syslog-ng 1.4.8 are vulnerable. syslog-ng 1.4.9 and higher are no longer vulnerable.

twig remote execution of arbitrary code. João Gouveia posted an advisory on BugTraq this week pointing out twig, a GPL'd "Web Information Gateway", can be used to execute arbitrary code on a server under the uid of the httpd server. Shaun Clowes followed up with a suggested workaround to use until a new version of twig has been released.

ed symlink vulnerability. Alan Cox noticed that GNU ed, a basic line editor, creates temporary files unsafely. The problem has subsequently been fixed in ed 0.2-18.1.

This week's updates:

fsh temporary directory vulnerability. fsh, a "fast" rsh/ssh/lsh tool, uses a directory under /tmp to hold its sockets. Colin Phipps examined the program and reported how this could be exploited via a symlink. Patched versions of fsh have been made available for Debian.

This week's updates:

identd. A buffer overflow in identd was reported by Niels Heinen. He used the SuSE platform to demonstrate the vulnerability. The SuSE Security Team followed up the report and confirmed multiple problems in the code. Updates from SuSE, and other impacted distributions, should show up over the next week.

cons.saver file overwrite vulnerability. Maurycy Prodeus reported a problem in cons.saver which can be used to write a NUL character to the file given as its parameter. The problem has been fixed in version 4.5.42-11. New versions of mc are being distributed with this fix.

This week's updates:

elvis-tiny /tmp file vulnerability. Debian reported a problem in elvis-tiny caused by the creation of files in /tmp in an insecure manner, which was discovered by Topi Miettinen during an audit of the code. They have issued updated packages with a fix for the problem. Any distribution using elvis-tiny will also require an update.
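Five of this week's reports (ghostscript, bash, ed, fsh and elvis-tiny) are the same class of bug: a privileged program creates a file under a predictable name in /tmp with open(O_CREAT) but without O_EXCL, so a symlink planted at that name by any local user is followed and whatever it points at is truncated and overwritten with the program's privileges. The C program below is an added demonstration of that failure mode and of the two standard fixes (O_EXCL|O_NOFOLLOW, and mkstemp); it is not code from any of the packages named above. It builds its own scratch directory under /tmp with constructed files, and the function name demo_tmpfile_symlink and the bitmask it returns are this example's own conventions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The unsafe pattern behind the reports above: O_CREAT without O_EXCL.
 * If a symlink already sits at 'path', open() follows it and O_TRUNC empties
 * the target, so the caller's privileges are used to clobber someone else's file. */
static int unsafe_open_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open: O_EXCL fails if anything already exists at the name, and
 * O_NOFOLLOW refuses to traverse a symlink in the final path component. */
static int safe_open_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static int write_all(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

static int read_first_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) buf[0] = '\0';
    fclose(f);
    return 0;
}

/* Constructed scenario: a private directory, a "victim" file holding a
 * marker line, and a symlink named "scratch" pointing at it (what an attacker
 * would have planted). Returns a bitmask:
 *   bit 0: the naive open followed the link and the victim's content changed
 *   bit 1: the hardened open refused (EEXIST from O_EXCL, or ELOOP)
 *   bit 2: mkstemp created a fresh regular file, not a link
 * A result of 7 reproduces the vulnerability and shows both fixes working. */
int demo_tmpfile_symlink(void)
{
    char dir[] = "/tmp/lwn-tmpfile-demo-XXXXXX";   /* constructed, unique per run */
    char victim[256], planted[256], tmpl[256], got[64];
    struct stat st;
    int mask = 0, fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim,  sizeof victim,  "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/scratch", dir);
    snprintf(tmpl,    sizeof tmpl,    "%s/safe-XXXXXX", dir);
    if (write_all(victim, "secret\n") != 0 || symlink(victim, planted) != 0)
        return -1;

    /* 1. Naive open: follows the planted link, truncates and overwrites the victim. */
    fd = unsafe_open_tmp(planted);
    if (fd >= 0) { ssize_t w = write(fd, "clobbered\n", 10); (void)w; close(fd); }
    if (read_first_line(victim, got, sizeof got) == 0 && strcmp(got, "secret\n") != 0)
        mask |= 1;

    /* 2. Hardened open: refuses the existing symlink instead of following it. */
    errno = 0;
    fd = safe_open_tmp(planted);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) mask |= 2;
    else if (fd >= 0) close(fd);

    /* 3. mkstemp: unpredictable name, created atomically with O_EXCL. */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        if (lstat(tmpl, &st) == 0 && S_ISREG(st.st_mode)) mask |= 4;
        close(fd);
        unlink(tmpl);
    }

    unlink(planted); unlink(victim); rmdir(dir);
    return mask;
}

int main(void)
{
    printf("result mask = %d (7 = naive open clobbered, hardened open refused, mkstemp ok)\n",
           demo_tmpfile_symlink());
    return 0;
}
```

When auditing a package for this class of bug, the thing to grep for is any open()/fopen()/creat() on a name derived from /tmp, $TMPDIR or a fixed basename without O_EXCL, and any mktemp()/tmpnam() whose result is then opened in a second step; the window between name generation and open is what the planted link exploits, and mkstemp() closes it.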

Secure Locate buffer overflow. Michel Kaempf reported a buffer overflow in Secure Locate (slocate) this week. Secure Locate 2.3 should fix the problem. However, Olaf Kirch pointed out other potential problems that still remain.

xmcd untrustworthy privileged binaries. A Debian-specific vulnerability in xmcd was reported this week. The xmcd package installs helpers for accessing cddb databases and SCSI CD-ROM drives. Two of the helper binaries were installed setuid. The previously reported ncurses buffer overflow allowed these two binaries to be exploited. Check the ncurses update below for a link to Debian's just-released fix for ncurses as well.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • Watchguard Firebox II, denial of service vulnerability reported last week. Watchguard has released a fix, as promised.
  • Nokia IP440 Firewall-1/IDS, multiple vulnerabilities that can be used to cause the appliance to crash. The vendor has been notified, but no response has been posted.
  • WebMail attachment theft. The vendor is reported to have a fix for the problem.
  • Cisco 675 DSL router, a denial-of-service vulnerability was reported to Cisco eleven months ago. No fix is yet available.
  • Sonicwall SOHO firewall is vulnerable to a denial-of-service attack via its built-in webserver. The vendor has been notified and promises a fix in the next firmware release. In the meantime, disabling external access to the webserver is recommended.

Updates

ethereal buffer overflow. Check last week's Security Summary for the initial report of this problem. An update to ethereal 0.8.14 should fix this problem.

This week's updates:

Previous updates:

joe symlink vulnerability. Check last week's Security Summary for the original report.

This week's updates:

  • Red Hat, Alpha packages added for RH7

Previous updates:

Local root exploit problem in modutils. Check the November 16th Security Summary and Kernel Page for the original report and details. Note, however, that the updates listed below include either modutils 2.3.19 or modutils 2.3.20. As mentioned above, modutils 2.3.21 has been released with still more fixes.

This week's updates:

Previous updates:

Hostile server vulnerability in OpenSSH. Check the November 16th LWN Security Summary for details. Upgrading to 2.3.0 is recommended.

This week's updates:

Previous updates:

fetchmail AUTHENTICATE GSSAPI bug. Check the November 16th Security Summary for the original report.

This week's updates:

  • Red Hat, Alpha packages added for RH7

Previous updates:

Netscape 4.75 buffer overflow. First spotted via this FreeBSD advisory and reported on November 9th, a buffer overflow in Netscape 4.75 enables a client-side exploit. Check the November 9th LWN Security Summary for our original report. Netscape 4.76, which was released on October 24th, fixes the problem.

This week's updates:

Previous updates:

nss_ldap race condition. Check the November 2nd LWN Security Summary for the original report and the November 9th LWN Security Summary for a correction to our original report.

This week's updates:

  • Red Hat, Alpha packages added for RH7

Previous updates:

tcsh symlink vulnerability. A /tmp symbolic link vulnerability was reported in tcsh on October 29th. Check BugTraq ID 1926 for more details.

This week's updates:

Previous updates:

Red Hat cyrus-sasl authentication problem. Check the November 2nd Security Summary for the original report. Only Red Hat 7 is impacted.

This week's updates:

Previous updates:

curl buffer overflow. A buffer overflow in curl, a command-line tool for getting data from a URL, was reported in October.

This week's updates:

  • Red Hat, Alpha packages added for RH7

Previous updates:

Format string vulnerabilities in PHP. Check the October 19th LWN Security Summary for the original report. PHP 3.0.17 and 4.0.3 contain the fixes for these problems.

This week's updates:

  • Red Hat, Alpha packages added for RH7

Previous updates:

ncurses buffer overflow. Check the October 12th LWN Security Summary for the initial report of this problem. Updates for this vulnerability continue to trickle in more slowly than usual.

This week's updates:

Previous updates:

usermode inherited environment variable vulnerability. Check the October 12th LWN Security Summary for details.

This week's updates:

  • Red Hat, Alpha packages added for RH7

Previous updates:
  • Red Hat (October 12th)
  • SuSE (not vulnerable) (October 12th)
  • Immunix (October 12th)
  • Linux-Mandrake (not vulnerable) (October 12th)
  • Kondara (October 19th)
  • Red Hat, updated advisory with fixes for an incorrect specification in the /usr/bin/shutdown wrapper and an additional security vulnerability in the userhelper binary. (November 16th)

gnorpm tmpfile link vulnerability. Check last week's LWN Security Summary for more details.

This week's updates:

  • Red Hat, Alpha packages added for RH7

Previous updates:

Resources

ICMP error message use in fingerprinting. Ofir Arkin posted a description of using ICMP error messages in fingerprinting.

Events

Upcoming security events.
Date                             | Event                                                                      | Location
November 26 - December 1, 2000   | Computer Security 2000 and International Computer Security Day (DISC 2000) | Mexico City, Mexico
December 3-7, 2000               | Asiacrypt 2000                                                             | Kyoto, Japan
December 3-8, 2000               | LISA 2000                                                                  | New Orleans, LA, USA
December 10-13, 2000             | INDOCRYPT 2000                                                             | Calcutta, India
December 11-15, 2000             | 16th Annual Computer Security Applications Conference                      | New Orleans, LA, USA
December 20-21, 2000             | The Third International Workshop on Information Security                   | University of Wollongong, NSW, Australia
December 27-29, 2000             | Chaos Communication Congress                                               | Berlin, Germany

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


November 30, 2000

Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds