News and Editorials
Kaladix Linux - Paranoid Security Linux Distribution. Kaladix Linux showed up on Freshmeat on June 1st, describing itself as a "Paranoid Security Linux Distribution". It is based on LinuxFromScratch (LFS) with mandatory access controls and access control lists enabled (RSBAC). Also to be included are Openwall, FormatGuard and other similar patches.
They have just barely gotten started, with a 0.3 release expected out soon. Note that the license for Kaladix is listed as "Free for non-commercial use". "I am aware that it is not possible to relicense GPL licensed software. Taking into respect that I do not like companies that make money from my work, I thought of licensing Kaladix Linux free for non-commercial use according to the following assumption: Every single piece of software that is included in Kaladix Linux is still licensed under GPL and may be used by whomsoever for whatsoever. However, the creation of configuration files, the compilation of software packages, my worktime and other various aspects of Kaladix Linux is my service (work) so that I can choose whatever license I wish and can thus assume to be able to distribute Kaladix Linux under a free for non-commercial use license".
Interview with Wietse Venema about his tcp_wrappers license (BSD Today). Fun with licensing continued this week with a look at the license for tcp_wrappers. BSD Today interviewed Wietse Venema, tcp_wrappers author, about its license, which originally read, "If someone wants to redistribute the TCP Wrapper code in a manner that is not covered by the Copyright notice, then they are expected to contact me. I am a nice person and I haven't refused permission to anyone yet."
After discussion with many different people, Wietse has updated the license to read, "Redistribution and use in source and binary forms, with or without modification, are permitted provided that this entire copyright notice is duplicated in all such copies".
A nice, simple answer to a licensing problem. Would that all of them could be resolved so quickly and cleanly!
Happy Birthday, PGP. PGP author Phil Zimmerman marked the 10 year anniversary of the release of PGP 1.0 on Tuesday, June 5th. "It was on this day in 1991 that I sent the first release of PGP to a couple of my friends for uploading to the Internet". It quickly grew faster than he had ever dreamed possible. "Volunteers from around the world were clamoring to help me port it to other platforms, add enhancements, and generally promote it".
The anniversary is also covered in this Wired article by Declan McCullagh.
OpenSSH tmplink vulnerability. A tmplink vulnerability has been reported in OpenSSH when X forwarding is enabled on both the client and the server. It has been reported fixed in the OpenSSH CVS development tree, but is not yet mentioned in the OpenBSD 2.9 errata page. Until an updated version of OpenSSH is made available, disabling X forwarding for both the client and server might be a good idea. This is also covered in BugTraq ID 2825.
Sendmail multiple race condition vulnerabilities. Michal Zalewski issued a paper describing race conditions in sendmail's signal handlers. As a result, sendmail 8.11.4 and 8.12.0.Beta10 have been released with fixes for these problems. Check 2794 for additional details. No distribution updates for this problem have been reported so far.
man malicious cache file creation vulnerability. Yet more trouble for the beleaguered man command. This week, a new vulnerability was reported in which files are cached in the system cache directory from outside of the system manual page hierarchy search path. It is believed that this can be used together with man, mandb or any other utility which trusts cached filenames in order to gain elevated privileges. A workaround is to eliminate the setuid bit from the 'mandb' binary (not the wrapper).
xinetd default umask vulnerability. Red Hat issued an advisory this week reporting that the default umask for xinetd in Red Hat 7.0 and 7.1 was set to zero. As a result, some daemons started from xinetd that did not set their own permissions were creating world-writable files. The default umask has been set instead to 022. No information has been posted yet on whether this problem is specific to Red Hat or shows up in other distributions (though Red Hat-based distributions are likely vulnerable).
ispell symbolic link vulnerabilities. OpenBSD released patches to fix problems in ispell where the use of mktemp() (instead of mkstemp()) left it vulnerable to symlink attacks. The patches also modify the use of gets() to use fgets() instead. This is also covered under BugTraq ID 2827.
Qualcomm qpopper username buffer overflow. A buffer overflow was introduced into Qualcomm qpopper 4.0, 4.0.2 and 4.0.2 as a result of the way in which the client-supplied username is handled. As a result, a remote root attack is possible. An upgrade to 4.0.3 is strongly recommended.
Horde IMP Message Attachment symbolic link vulnerability. A symbolic link vulnerability has been reported in Horde IMP versions prior to 2.2.5. The vulnerability comes from the use of the PHP tempnam function for creating temporary files. Prior to PHP 4.0.5, tempnam used mktemp for creating temporary files instead of mkstemp. Upgrading to IMP 2.2.5 and PHP 4.0.5 is recommended.
fvwm initialization script vulnerability. If no $HOME environment variable is set, fvwm may read the .fvwm2rc from the current directory instead of from the home directory, making it possible for a local attacker to execute commands as another user. fvwm-2.2.5 fixes this issue.
OpenBSD dup2 VFS race condition denial of service vulnerability. It has been reported that a local user can cause a kernel panic on OpenBSD if a file descriptor shared by two processes is set to null by one process while the other process is asleep. This can be used to facilitate a local denial-of-service attack. All versions of OpenBSD are reportedly vulnerable. No confirmation or advisory for the problem has been posted on the OpenBSD site as of yet.
Acme.Serve 1.7 arbitrary file access vulnerability. Acme.Serve is a Java class that contains a small, embeddable HTML browser. By default, Acme.Serve 1.7 allows all connections to browse the entire filesystem. No fix for the problem has been reported so far. Check BugTraq ID 2809 for more details.
Proprietary products. The following proprietary products were reported to contain vulnerabilities:
gnupg format string vulnerability. Check the May 31st LWN Security Summary for the initial report. gnupg 1.0.5 and earlier are vulnerable; gnupg 1.0.6 contains a fix for this problem and an upgrade is recommended. Werner Koch also sent out a note warning of minor build problems with gnupg 1.0.6 when compiled without gcc.
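As an added illustration (not code from the Red Hat advisory or from xinetd itself), the following C program shows what an inherited umask of zero does to a file that a daemon creates with the usual 0666 request, next to the result under the corrected 022, and includes the check an administrator would use when hunting for world-writable files such daemons left behind. The /tmp directory template and the file name are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file with a requested mode of 0666 while the process umask is
 * `mask`, and return the permission bits the kernel actually granted.
 * The file lives in a private mkdtemp() directory and is removed before
 * returning, so nothing is left behind. Returns -1 on failure. */
int mode_after_umask(mode_t mask)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";   /* constructed path template */
    char path[sizeof dir + 16];
    struct stat st;
    mode_t old;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/daemon.out", dir);

    old = umask(mask);       /* the value a daemon inherits from xinetd */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);              /* restore the caller's umask */

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* Detection helper: does this permission word allow writes by "other"?
 * This is the predicate behind `find / -perm -o+w -type f` style sweeps. */
int is_world_writable(int mode)
{
    return (mode & S_IWOTH) != 0;
}

int main(void)
{
    int zero = mode_after_umask(0);
    int safe = mode_after_umask(022);
    printf("umask 000 -> %04o (world-writable: %s)\n",
           zero, is_world_writable(zero) ? "yes" : "no");
    printf("umask 022 -> %04o (world-writable: %s)\n",
           safe, is_world_writable(safe) ? "yes" : "no");
    return 0;
}
```

The point the numbers make is that a umask is the only thing standing between a daemon's lazy `open(..., 0666)` and a world-writable file; a daemon that does not set its own umask is entirely at the mercy of whatever its parent (here xinetd) passes down.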
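The ispell and IMP items above share a root cause: mktemp()/tempnam() hand back a file name, and the file is created in a later, separate step, so anything placed at that name in between gets opened instead. As an added example that is not code from ispell, OpenBSD, PHP or Horde, the C below shows the fix the OpenBSD patch applies: mkstemp() creates the file atomically with O_CREAT|O_EXCL and mode 0600, so a second exclusive create on the same name is refused, and a bounded fgets() reader replaces gets() and reports, rather than silently truncates, a line that does not fit. The temporary-file template and the sample input lines are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return the permission bits of an open descriptor, or -1 on error. */
int fd_mode(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Create a private temporary file the safe way and show the property that
 * mktemp()+open() lacks: once mkstemp() has returned, the name exists, and
 * any further O_CREAT|O_EXCL open of it fails with EEXIST instead of following
 * whatever sits there. Returns the file's mode (expected 0600) on success,
 * -1 if creation failed or the exclusive-create guarantee did not hold. */
int demo_tempfile(void)
{
    char name[] = "/tmp/ispell-demo-XXXXXX";   /* constructed template */
    int fd = mkstemp(name);
    if (fd < 0)
        return -1;
    int mode = fd_mode(fd);

    int again = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = (again < 0 && errno == EEXIST);
    if (again >= 0)
        close(again);

    close(fd);
    unlink(name);
    return refused ? mode : -1;
}

/* Replacement for gets(): read one line into buf (at most size-1 bytes) and
 * strip the newline. Returns the line length, -1 on EOF or error, and -2 if
 * the line did not fit, after draining the remainder so the next call starts
 * at a clean line boundary. The caller can then reject oversized input. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (int)len;
    }
    if (feof(in))   /* final line without a trailing newline: complete */
        return (int)len;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;           /* discard the overflow instead of writing past buf */
    return -2;
}

/* Run the bounded reader over constructed input with a 16-byte buffer:
 * the first line is far too long, the second fits. Returns 0 when both
 * outcomes are as expected, 1 otherwise, -1 if no scratch file could be made. */
int demo_long_line(void)
{
    char buf[16];
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fputs("this line is much longer than sixteen bytes\nshort\n", in);
    rewind(in);
    int first = read_line_bounded(in, buf, sizeof buf);   /* -2: too long */
    int second = read_line_bounded(in, buf, sizeof buf);  /* 5: "short" */
    fclose(in);
    return (first == -2 && second == 5 && strcmp(buf, "short") == 0) ? 0 : 1;
}

int main(void)
{
    printf("mkstemp file mode: %04o\n", demo_tempfile());
    printf("bounded read demo: %s\n", demo_long_line() == 0 ? "ok" : "failed");
    return 0;
}
```

The same reasoning applies to PHP's tempnam prior to 4.0.5: the function returned a name rather than an open handle, which is exactly the window the mkstemp() design closes.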
This week's updates:
Webmin environment variable inheritance vulnerability. Check the May 31st LWN Security Summary for the original report.
This week's updates:
MIT Kerberos FTP daemon buffer overflows. Check the May 24th LWN Security Summary for the initial report. MIT Kerberos 5, all versions, is affected. If anonymous ftp is enabled, a remote root exploit is possible. Otherwise, a local root exploit or a remote root exploit via an authorized login is still possible.
This week's updates:
Red Hat update to mktemp. Check the May 24th LWN Security Summary for the initial report. This problem is specific to Red Hat Linux prior to version 7 (and other distributions based on Red Hat).
This week's updates:
man -S heap overflow. Check the May 17th LWN Security Summary for the initial report. Exploitability depends on whether or not the man command is installed setgid group man.
This week's updates:
Linux Intrusion Detection System (LIDS) 1.0.9 for 2.4.5. LIDS 1.0.9 has been ported over to the 2.4.5 kernel and includes a few other minor bugfixes.
oftpd - a secure anonymous FTP server. oftpd is an anonymous FTP server specifically designed for security. Author Shane Kerr sent us a note describing some of its features and explaining why he chose to implement only anonymous ftp access. "Non-anonymous FTP is a security risk, despite certain FTP extensions that support encryption via SSL or other mechanisms. As used most commonly FTP is a fundamentally flawed protocol, in that it sends passwords in the clear. Because of this I suggest that no matter how secure you make your server software, FTP should be avoided for data transfer, especially since excellent alternatives such as SSH are available".
Research Paper - ICMP Usage In Scanning v3.0. Ofir Arkin has released version 3 (PDF) of his paper entitled "ICMP Usage In Scanning".
Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to firstname.lastname@example.org.
Section Editor: Liz Coolbaugh
June 7, 2001