LWN.net Weekly Edition for October 3, 2002

A crucial U.S. copyright case

October 9 is the day the U.S. Supreme Court has set aside to hear arguments in the case known as "Eldred vs. Ashcroft." The subject of the case - a 20 year extension to copyright protection - may seem obscure, but the outcome of this case may well change the shape of copyright law (and intellectual property law in general) in the U.S. for a long time.

The specific details of this case are as follows. Eric Eldred operates the Eldritch Press, a collection of books which are in the public domain. Mr. Eldred's plans to add a number of new works, including poems by Robert Frost, were thwarted by the "Sonny Bono Copyright Term Extension Act," which added twenty years to copyright terms. Works that were in the public domain were suddenly brought back under copyright protection, and thus could no longer be posted publicly. And works that were about to enter the public domain - the famous example (and seeming motivation for the copyright extension) being Mickey Mouse - now will not for another two decades.

The U.S. Constitution describes the congressional power to regulate intellectual property in typical, terse fashion:

The Congress shall have Power ... To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries;

The key points here are (1) the statement that promoting the progress of science and the arts is the purpose of granting a monopoly right to intellectual property, and (2) the phrase "limited times." The plaintiffs in Eldred vs. Ashcroft (the case is being argued by none other than Lawrence Lessig) are making the claim that the new, longer copyright terms go beyond any reasonable "limited time," and that they no longer promote the creation of new works. After all, the authors whose works benefit from the extra 20 years of protection are dead; even the strongest economic incentives are unlikely to motivate them to produce anything of any interesting quality. The plaintiffs in this case are asking the court to rule that the Congress has exceeded its constitutional authority in making this law, and that the law should thus be void.

The Supreme Court is an unpredictable institution; it could do almost anything in response to this case. It is also a slow institution. The case will be argued on the 9th, but the eventual ruling will not be heard until sometime next year.

How is all of this relevant to free software? There is an ongoing push in the U.S. to establish absolute control over ideas in many forms. As Mr. Lessig has argued many times, the concept of an intellectual commons, with ideas available to all, is being pushed aside. But that commons is the source of much that intellectual property owners want to protect. Disney took "The Little Mermaid" from the commons, but wants to hold on to its rather less gory version forever.

Free software benefits from a deep commons of shared ideas and code. Those who feel threatened by free software would like to fight it by withholding ideas from that commons. Whether the issue is file formats, network protocols, or patented algorithms, the problem is the same: monopolies on ideas reduce the commons from which free software developers can draw. The expansion of intellectual property monopolies in the U.S. has gone unchallenged for years, with results like copyright extension, the DMCA, and future delights like the CBDTPA.

Eldred vs. Ashcroft has the potential to put limits on the expansion of intellectual property law and the fencing off of the intellectual commons. It could be the turning point in this battle - but it could turn in either direction. We can only wish the best of luck to the plaintiffs in this fight, and thank them for making the effort.

(See also: the Eldred vs. Ashcroft page).

The status of the subscription experiment

As of Wednesday morning (October 2), there are almost 1200 individual subscribers to LWN. We also have all of three confirmed (small) corporate subscriptions, with discussions happening with others. With luck, we will be able to announce our first large corporate subscription in the near future. Many thanks to all of you who have shown your support for LWN.

So where does that leave us? It takes on the order of 1000 subscribers to support one full-time LWN editor with a minimal salary (i.e. less than they can make elsewhere) once taxes, health insurance, connectivity, and, perhaps, an occasional trade show are thrown in. So, in other words, we have made some real progress, but we are still some distance from being able to operate LWN at its current level of staffing (and, thus, content).

It is, of course, early to say what the steady state subscription level will be. Corporate subscribers, in particular, move slowly. But, it seems reasonably clear that, unless we get a new surge in interest, LWN will likely go forward as a smaller operation than it is now. The good news is that (1) it looks like LWN will continue, in some form, and (2) we have been surprised before; the situation may yet improve.

The best way to make things improve remains corporate subscriptions. We'll ask our readers one more time to encourage their employers and universities to look into our group subscription offerings. These subscriptions make LWN available to large groups of people while doing a lot to help keep LWN on the air.

The subscription system itself seems to be working reasonably well - not bad for a big body of completely new code that had its first real stress test when deployed on the site. A few glitches remain, and we are working on it. In particular, there seems to be a cookie problem with Internet Explorer that is proving hard to track down - especially since we have very few Windows systems around here. It is not our desire to exclude IE users - they are responsible for about 20% of our traffic. We will work this one out somehow.

Thanks yet again for your support of LWN. We will continue to do our best to produce a site that is worthy of that support.

Page editor: Jonathan Corbet

Security

Security news

Here we go again

vnunet has posted another one of its Linux security articles with the same sort of theme:

X-Force, the US-based monitoring group of security software firm Internet Security Systems, has been tracking the number of security holes in software. Last year the centre found 149 bugs in Microsoft software compared to 309 for Linux. This year the situation was worse, with 485 Linux bugs this year compared to Microsoft's 202.

Nobody would try to argue that Linux is free of security holes - anybody who thinks so need only read the rest of this page to learn otherwise. But the above comparison is absolutely meaningless for a number of reasons:

  • Each distribution is counted independently. The same vulnerability in five distributions will count as five separate vulnerabilities. This practice, of course, inflates the number of reported Linux problems.

  • Linux vulnerabilities include those in applications (e.g. PostgreSQL) which are not part of a standard Windows system.

  • Most Linux vulnerabilities are found through code audits and similar efforts; they are patched and reported before any exploits happen. Any Windows bugs found through similar audits are fixed silently and do not appear in these counts.

Articles like this one try to make it appear that Linux has worse security problems than other operating systems. If you look, however, at the amount of actual security pain suffered by Linux administrators, the story is different. Linux security is nowhere near as good as it really should be, but it's not as bad as some people would like to make it out to be.

Red Hat and Dell host open source security summit

Red Hat and Dell have announced that an "open source security summit" will be held on October 29 in Washington, DC. "The Security Summit will provide an open forum to discuss and explore how open source technologies, methodologies, tools, and support processes meet the challenges of securing networks and computer systems."

New vulnerabilities

Apache 2.0 cross-site scripting vulnerability

Package(s): apache   CVE #(s): CAN-2002-0840
Created: October 2, 2002   Updated: October 2, 2002
Description: Versions of Apache 2.0 prior to 2.0.43 have a cross-site scripting vulnerability in the error page handling code. If you are running Apache 2.0, this one is worth fixing.
Alerts: (No alerts in the database for this vulnerability)

Multiple vulnerabilities in bugzilla

Package(s): bugzilla   CVE #(s):
Created: October 2, 2002   Updated: October 9, 2002
Description: The Bugzilla bug tracking system (versions prior to 2.14.4 or 2.16.1) suffers from a number of vulnerabilities, including one which could result in remote command and SQL injection. An upgrade to 2.16.1 is recommended, since the 2.14 branch will be unmaintained after the end of the year. See the Bugzilla advisory for details.
Alerts:
Debian DSA-173-1 2002-10-09

Another set of fetchmail buffer overflows

Package(s): fetchmail fetchmail-ssl   CVE #(s):
Created: October 1, 2002   Updated: December 17, 2002
Description: e-matters GmbH has issued an advisory warning of a new set of buffer overflows in the fetchmail header parsing code. The vulnerabilities have been fixed in fetchmail 6.1.0.
Alerts:
Gentoo fetchmail-20021001 2002-10-01
Mandrake MDKSA-2002:063 2002-10-01
EnGarde ESA-20021003-023 2002-10-03
Red Hat RHSA-2002:215-09 2002-10-07
Debian DSA-171-1 2002-10-07
Conectiva CLA-2002:531 2002-10-16
SCO Group CSSA-2002-051.0 2002-11-21
Gentoo 200212-3 2002-12-15
OpenPKG OpenPKG-SA-2002.016 2002-12-17

Buffer overflow in gv

Package(s): gv   CVE #(s): CAN-2002-0838
Created: October 1, 2002   Updated: November 25, 2002
Description: gv, a graphical front end to ghostscript, has a buffer overflow vulnerability which can be exploited by a properly crafted PostScript or PDF file. If a user can be tricked into viewing such a file, arbitrary code can be executed with that user's privileges. See this iDEFENSE advisory for the details.
Alerts:
Red Hat RHSA-2002:212-06 2002-09-30
Debian DSA-176-1 2002-10-16
Gentoo ggv-20021017 2002-10-17
Debian DSA-179-1 2002-10-18
Mandrake MDKSA-2002:069 2002-10-21
Debian DSA-182-1 2002-10-28
Conectiva CLA-2002:542 2002-10-31
SCO Group CSSA-2002-053.0 2002-11-22

Buffer overflows in heimdal

Package(s): heimdal   CVE #(s):
Created: October 1, 2002   Updated: October 17, 2002
Description: A SuSE security team audit of the heimdal Kerberos implementation turned up several buffer overflow vulnerabilities. No exploits are known as of this writing, but these vulnerabilities are almost certainly possible for a remote attacker to exploit; if you are running heimdal, you should upgrade at the first opportunity.
Alerts:
SuSE SuSE-SA:2002:034 2002-09-30
Debian DSA-178-1 2002-10-17

sendmail smrsh bypass vulnerability

Package(s): sendmail   CVE #(s): CAN-2002-1165
Created: October 2, 2002   Updated: November 29, 2002
Description: iDEFENSE has posted an advisory warning of a couple of ways of bypassing the restrictions imposed by the sendmail "smrsh" utility. smrsh puts limits on which programs a user may run out of a .forward file; this vulnerability could give a local user undesired access to the mail server system. A patch has been made available from sendmail.org which closes the vulnerability.
Alerts:
Gentoo sendmail-20021013 2002-10-13
Conectiva CLA-2002:532 2002-10-16
SCO Group CSSA-2002-052.0 2002-11-21
Mandrake MDKSA-2002:083 2002-11-28

File overwrite vulnerability in tar and unzip

Package(s): tar unzip   CVE #(s): CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created: October 1, 2002   Updated: April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04
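The "../" filtering the tar and unzip entry above describes, as an added example (not code from LWN, GNU tar or Info-ZIP): a pre-extraction scan over constructed tar and zip archives that refuses "../" components, absolute paths, and link entries whose targets leave the extraction directory. All function names and archive contents are made up for the illustration.

```python
"""Pre-extraction scan for archive members that would escape the target directory.

Hypothetical helper (not from GNU tar or unzip): refuses an archive before
anything is written to disk, catching "../" components, absolute paths, and
tar link entries that point outside the extraction tree.
"""
import io
import posixpath
import tarfile
import zipfile

BAD_PATH = "path escapes extraction directory"
BAD_SYMLINK = "symlink target escapes extraction directory"
BAD_HARDLINK = "hard link target escapes extraction directory"


def is_unsafe_path(name: str) -> bool:
    """True if extracting `name` under some directory could land outside it.

    Archive member names are '/'-separated, so POSIX rules apply regardless of
    host platform. Normalising first catches "a/../../x" as well as a literal
    leading "../", while leaving "a/../b" (which stays inside) alone.
    """
    if name.startswith("/"):
        return True
    return posixpath.normpath(name).split("/")[0] == ".."


def unsafe_tar_members(tf: tarfile.TarFile) -> list:
    """Return (member name, reason) for every tar member that must block extraction."""
    bad = []
    for m in tf.getmembers():
        if is_unsafe_path(m.name):
            bad.append((m.name, BAD_PATH))
        elif m.issym():
            # Symlink targets are relative to the link's own directory. A link
            # inside the tree that points outside it lets a later member of the
            # same archive write through it, so resolve and check the target too.
            target = posixpath.join(posixpath.dirname(m.name), m.linkname)
            if is_unsafe_path(target):
                bad.append((m.name, BAD_SYMLINK))
        elif m.islnk() and is_unsafe_path(m.linkname):
            bad.append((m.name, BAD_HARDLINK))
    return bad


def unsafe_zip_members(zf: zipfile.ZipFile) -> list:
    """Same check for zip archives, which carry no link entries."""
    return [(i.filename, BAD_PATH) for i in zf.infolist() if is_unsafe_path(i.filename)]


def check_tar(data: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        return unsafe_tar_members(tf)


def check_zip(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return unsafe_zip_members(zf)


def build_sample_tar() -> bytes:
    """Constructed hostile tar: a benign file, a "../" member and an escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("docs/README", b"harmless\n"),
                           ("../.profile", b"# would overwrite a dotfile\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed hostile zip with one "../" member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/README", "harmless\n")
        zf.writestr("../evil.txt", "would overwrite\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, found in (("tar", check_tar(build_sample_tar())),
                         ("zip", check_zip(build_sample_zip()))):
        print(f"{label}: {'REFUSE' if found else 'ok'}", found)
```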

Updated vulnerabilities

LPRng accepts jobs from any host.

Package(s): LPRng   CVE #(s): CAN-2002-0378
Created: June 12, 2002   Updated: October 31, 2002
Description: Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.

This could be an especially annoying vulnerability for administrators with systems exposed to the general public.

Alerts:
Red Hat RHSA-2002:089-07 2002-06-09
Mandrake MDKSA-2002:042 2002-07-04
SuSE SuSE-SA:2002:040 2002-10-31

Safemode vulnerability in PHP

Package(s): PHP   CVE #(s): CAN-2001-1246
Created: August 20, 2002   Updated: October 9, 2002
Description: PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers.
Alerts:
Red Hat RHSA-2002:102-26 2002-08-19
Mandrake MDKSA-2002:059 2002-09-10
Debian DSA-168-1 2002-09-18
SuSE SuSE-SA:2002:036 2002-10-04

Buffer overflow vulnerabilities in PostgreSQL

Package(s): PostgreSQL   CVE #(s):
Created: August 21, 2002   Updated: January 27, 2003
Description: PostgreSQL 7.2.2 has been released in response to a number of buffer overrun vulnerabilities which have been identified recently. "...it should be noted that these vulnerabilities are only critical on 'open' or 'shared' systems, as they require the ability to be able to connect to the database before they can be exploited."

Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, and lpad and rpad functions.

Alerts:
Gentoo postgresql-20020826 2002-08-26
Debian DSA-165-1 2002-09-12
Conectiva CLA-2002:524 2002-09-19
Mandrake MDKSA-2002:062 2002-10-01
Trustix 2002-0071 2002-10-17
SuSE SuSE-SA:2002:038 2002-10-21
Red Hat RHSA-2003:010-10 2003-01-14
Red Hat RHSA-2003:001-16 2003-01-14
Yellow Dog YDU-20030127-5 2003-01-27

Heap corruption vulnerability in at

Package(s): at at, sudo, xchat   CVE #(s): CAN-2002-0004
Created: May 21, 2002   Updated: May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report:  January 17th).
Alerts:
Debian DSA-102-1 2002-01-16
Debian DSA-102-2 2002-01-18
Mandrake MDKSA-2002:007 2002-01-18
Red Hat RHSA-2002:015-13 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Slackware sl-1011706104 2002-01-22
SuSE SuSE-SA:2002:003 2001-01-16
Yellow Dog YDU-20020127-9 2002-01-27
EnGarde ESA-20030515-015 2003-05-15

bind buffer overflow vulnerability in DNS resolver libraries

Package(s): bind glibc   CVE #(s): CAN-2002-0651 CAN-2002-0684
Created: July 8, 2002   Updated: October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

Alerts:
OpenPKG OpenPKG-SA-2002.006 2002-07-04
SuSE SuSE-SA:2002:026 2002-07-09
Conectiva CLA-2002:507 2002-07-11
Gentoo glibc-20020713 2002-07-13
Trustix 2002-0061 2002-07-15
Mandrake MDKSA-2002:043 2002-07-16
EnGarde ESA-20020724-018 2002-07-24
Red Hat RHSA-2002:139-10 2002-07-22
Eridani ERISA-2002:028 2002-07-25
Yellow Dog YDU-20020801-2 2002-08-01
SCO Group CSSA-2002-034.0 2002-08-05
Red Hat RHSA-2002:133-13 2002-08-08
Eridani ERISA-2002:035 2002-08-09
Yellow Dog YDU-20020810-3 2002-08-10
Mandrake MDKSA-2002:050 2002-08-13

Potential unauthorized root access vulnerability in dietlibc

Package(s): dietlibc   CVE #(s): CAN-2002-0391
Created: August 14, 2002   Updated: December 5, 2002
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in dietlibc, a libc optimized for small size. The bug could be exploited to gain unauthorized root access to software linking to dietlibc.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-146-1 2002-08-08
Debian DSA-146-2 2002-08-08
SCO Group CSSA-2002-055.0 2002-12-04

Ethereal buffer overflow, infinite loop and memory management vulnerabilities

Package(s): ethereal   CVE #(s): CAN-2002-0012 CAN-2002-0013 CAN-2002-0353 CAN-2002-0401 CAN-2002-0402 CAN-2002-0403 CAN-2002-0404
Created: June 12, 2002   Updated: October 27, 2002
Description: Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
  • The SMB dissector could potentially dereference a NULL pointer in two cases.
  • The X11 dissector could potentially overflow a buffer while parsing keysyms.
  • The DNS dissector could go into an infinite loop while reading a malformed packet.
  • The GIOP dissector could potentially allocate large amounts of memory.

No known exploits exist "in the wild" at the present time for any of these issues.

Ethereal 0.9.2 has several packet handling vulnerabilities that are best avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in the SNMP and LDAP protocol support. Malformed packets could also crash ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors.
Alerts:
Eridani ERISA-2002:023 2002-06-06
Red Hat RHSA-2002:088-06 2002-06-04
Yellow Dog YDU-20020606-7 2002-06-06
Conectiva CLA-2002:505 2002-07-04
SCO Group CSSA-2002-037.0 2002-10-24

Filename disclosure vulnerability in fam

Package(s): fam   CVE #(s): CAN-2002-0875
Created: August 19, 2002   Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

GNU fileutils race condition

Package(s): fileutils ucdsnmp   CVE #(s): CAN-2002-0435
Created: May 21, 2002   Updated: May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
SCO Group CSSA-2002-018.1 2002-05-13
Mandrake MDKSA-2002:031 2002-05-16
SuSE SuSE-SA:2002:012 2002-04-08
Trustix 2002-0052 2002-06-06
Red Hat RHSA-2003:015-05 2003-02-12
Immunix IMNX-2003-7+-010-01 2003-05-16

Potential remote root exploit in glibc

Package(s): glibc   CVE #(s): CAN-2002-0391
Created: August 14, 2002   Updated: June 29, 2003
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-149-1 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Eridani ERISA-2002:036 2002-08-13
Trustix 2002-0067 2002-08-13
SuSE SuSE-SA:2002:031 2002-08-30
Gentoo glibc-20020905 2002-09-05
Mandrake MDKSA-2002:061 2002-09-23
Debian DSA-149-2 2002-09-26
Gentoo dietlibc-20020927 2002-09-27
Gentoo glibc-20020927 2002-09-27
EnGarde ESA-20021003-021 2002-10-03
Trustix 2002-0070 2002-10-17
Conectiva CLA-2002:535 2002-10-29
Debian DSA-333-1 2003-06-27

Buffer overflow in groff

Package(s): groff   CVE #(s): CAN-2002-0003
Created: May 21, 2002   Updated: December 9, 2002
Description: The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely.
Alerts:
Mandrake MDKSA-2002:012 2002-02-07
Red Hat RHSA-2002:004-06 2002-01-14
Trustix 2002-0020 2002-01-18
Yellow Dog YDU-20020127-11 2002-01-27
Gentoo groff-20021019 2002-10-19
SCO Group CSSA-2002-057.0 2002-12-06

HylaFAX 4.1.3 fixes multiple vulnerabilities

Package(s): hylafax   CVE #(s): CAN-2001-1034
Created: July 30, 2002   Updated: October 9, 2002
Description: The HylaFAX team has released version 4.1.3 fixing denial of service, elevated system privilege and possible remote code execution vulnerabilities.

HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX.
Alerts:
Debian DSA-148-1 2002-08-12
Mandrake MDKSA-2002:055 2002-08-28
SuSE SuSE-SA:2002:035 2002-10-04

UW imapd remotely exploitable buffer overflow

Package(s): imap   CVE #(s): CAN-2002-0379
Created: June 5, 2002   Updated: December 20, 2002
Description: UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23).
Alerts:
SCO Group CSSA-2002-021.0 2002-05-15
Conectiva CLA-2002:487 2002-05-24
Eridani ERISA-2002:018 2002-05-25
Mandrake MDKSA-2002:034 2002-05-27
Red Hat RHSA-2002:092-11 2002-05-22
Yellow Dog YDU-20020606-1 2002-06-06
EnGarde ESA-20020607-013 2002-06-07
Trustix 2002-0054 2002-06-06
SuSE SuSE-SA:2002:048 2002-12-20

Cross-site scripting vulnerability in Konqueror for KDE 3.0.3

Package(s): kdelibs   CVE #(s):
Created: September 17, 2002   Updated: November 18, 2002
Description: Konqueror for KDE 3.0.3, and earlier versions, is subject to this cross-site scripting vulnerability. Since the problem is in kdelibs, any other application which uses the KHTML renderer is also vulnerable. Javascript code running in one frame can access other frames which should be inaccessible. The problem is fixed in kdelibs 3.0.3a.
Alerts:
Debian DSA-167-1 2002-09-16
Conectiva CLA-2002:525 2002-09-20
Mandrake MDKSA-2002:064 2002-10-09
SCO Group CSSA-2002-047.0 2002-11-15

Kerberos 5 unauthorized root access to KDC host vulnerability

Package(s): krb5   CVE #(s):
Created: August 14, 2002   Updated: October 29, 2002
Description: A bug in the Kerberos 5 remote administration service, "kadmind", could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful.

Felix von Leitner discovered this potential division by zero bug in code derived from the SunRPC library which is used in many places, including the Kerberos 5 administration system.

Updating now is recommended.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-143-1 2002-08-05
Conectiva CLA-2002:515 2002-08-07
Gentoo 200210-011 2002-10-28

Cross-site scripting vulnerability in mhonarc

Package(s): mhonarc   CVE #(s): CAN-2002-0738 CAN-2002-1307 CAN-2002-1388
Created: September 11, 2002   Updated: January 3, 2003
Description: Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution.
Alerts:
Debian DSA-163-1 2002-09-09
Debian DSA-199-1 2002-11-19
Debian DSA-221-1 2003-01-03

PHP Remote Compromise/DOS Vulnerability

Package(s): mod_php4   CVE #(s):
Created: July 22, 2002   Updated: February 18, 2003
Description: PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.

According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.

Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2.

For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the PHP team.

CERT Advisory: CA-2002-21 Vulnerability in PHP

Alerts:
SuSE SuSE-SA:2003:0009 2003-02-18

Mozilla XMLHttpRequest file disclosure vulnerability

Package(s): mozilla   CVE #(s): CAN-2002-0354
Created: May 21, 2002   Updated: October 18, 2002
Description: This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2).
Alerts:
Conectiva CLA-2002:490 2002-05-29
Red Hat RHSA-2002:079-13 2002-05-13
Red Hat RHSA-2002:192-13 2002-10-09

String format bug in pam_ldap logging

Package(s): nss_ldap   CVE #(s): CAN-2002-0374
Created: June 5, 2002   Updated: October 29, 2002
Description: The nss_ldap package includes the pam_ldap module for authenticating a user with an LDAP database. Pam_ldap versions prior to 144 have a string format bug in the logging mechanism.
Alerts:
Eridani ERISA-2002:019 2002-05-28
Red Hat RHSA-2002:084-17 2002-05-26
Yellow Dog YDU-20020606-2 2002-06-06
SCO Group CSSA-2002-041.0 2002-10-28

Remotely exploitable vulnerability in pine

Package(s): pine   CVE #(s): CAN-2002-0014
Created: May 21, 2002   Updated: November 27, 2002
Description: Pine has an unpleasant vulnerability in its URL handling which can lead to command execution by remote attackers. (First LWN report: January 17th).

This vulnerability is remotely exploitable; updating is a good idea.

Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein).

Alerts:
Conectiva CLA-2002:460 2002-01-31
EnGarde ESA-20020114-002 2002-01-14
Red Hat RHSA-2002:009-06 2002-01-14
Slackware sl-1010936849 2002-01-13
Yellow Dog YDU-20020127-8 2002-01-27
SuSE SuSE-SA:2002:046 2002-11-25

Buffer overflow vulnerabilities in purity

Package(s): purity   CVE #(s):
Created: September 17, 2002   Updated: September 25, 2002
Description: It seems that the "purity" game isn't entirely pure itself - a couple of buffer overflows have been found which could be exploited to gain access to the "games" group on Debian systems. Rather than face the prospect of people tampering with their nethack scores, the Debian Project released the first upgrade closing the vulnerability.
Alerts:
Debian DSA-166-1 2002-09-13

PXE server denial of service vulnerability

Package(s): pxe   CVE #(s): CAN-2002-0835
Created: September 4, 2002   Updated: November 11, 2002
Description: The PXE server can be crashed using DHCP packets from some Voice Over IP (VOIP) phones. Maliciously formed DHCP packets could be used by a remote attacker to effect a denial of service attack.

The PXE package contains the PXE (Preboot eXecution Environment) server and code needed for Linux to boot from a boot disk image on a Linux PXE server.
Alerts:
Red Hat RHSA-2002:162-12 2002-08-30
Eridani ERISA-2002:041 2002-09-03
SCO Group CSSA-2002-044.0 2002-11-11

Local arbitrary code execution vulnerability in Python

Package(s): python   CVE #(s): CAN-2002-1119
Created: August 28, 2002   Updated: October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

Alerts:
Debian DSA-159-1 2002-08-28
Debian DSA-159-2 2002-09-09
Conectiva CLA-2002:527 2002-10-01
Gentoo python-20021003 2002-10-03
Trustix 2002-0073 2002-10-17
SCO Group CSSA-2002-045.0 2002-11-14
Mandrake MDKSA-2002:082 2002-11-25
Mandrake MDKSA-2002:082-1 2002-12-09
Red Hat RHSA-2002:202-25 2003-01-21
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-33 2003-02-12

Sharutils potential privilege escalation using uudecode

Package(s): sharutils   CVE #(s): CAN-2002-0178
Created: May 21, 2002   Updated: October 30, 2002
Description: According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16).
Alerts:
Eridani ERISA-2002:014 2002-05-16
Red Hat RHSA-2002:065-13 2002-05-14
Yellow Dog YDU-20020522-4 2002-05-22
Mandrake MDKSA-2002:052 2002-08-14
SCO Group CSSA-2002-040.0 2002-10-28
Gentoo 200210-012 2002-10-30

Multiple vulnerabilities fixed in Squid-2.4.STABLE7

Package(s): squid   CVE #(s):
Created: July 8, 2002   Updated: November 15, 2002
Description: Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7. Several of the bugs are believed to allow remote code execution.

The security advisory lists the following changes:

  • Several bugfixes and cleanup of the Gopher client, both to correct some security issues and to make Squid properly render certain Gopher menus.
  • Security fixes in how Squid parses FTP directory listings into HTML
  • FTP data channels are now sanity checked to match the address of the requested FTP server. This is to prevent theft or injection of data. See the new ftp_sanitycheck directive if this sanity check is not desired.
  • The MSNT auth helper has been updated to v2.0.3+fixes for buffer overflow security issues found in this helper.
  • A security issue in how Squid forwards proxy authentication credentials has been fixed
Alerts:
Conectiva CLA-2002:506 2002-07-05
SuSE SuSE-SA:2002:025 2002-07-09
Trustix 2002-0062 2002-07-15
Mandrake MDKSA-2002:044 2002-07-17
Eridani ERISA-2002:031 2002-07-26
SCO Group CSSA-2002-046.0 2002-11-14

Comments (none posted)

Malformed NFS packet buffer overflow vulnerability in tcpdump

Package(s):tcpdump CVE #(s):CAN-2002-0380
Created:June 5, 2002 Updated:October 9, 2002
Description: A buffer overflow in tcpdump can be triggered by a bad NFS packet when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
Alerts:
Eridani ERISA-2002:020 2002-05-30
Red Hat RHSA-2002:094-08 2002-05-29
Conectiva CLA-2002:491 2002-06-05
SCO Group CSSA-2002-025.0 2002-06-04
Trustix 2002-0055 2002-06-05
Yellow Dog YDU-20020606-3 2002-06-06
Red Hat RHSA-2002:094-16 2002-10-04

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
SCO Group CSSA-2001-030.0 2001-08-10
Conectiva CLA-2001:413 2001-08-24
Debian DSA-075-1 2001-08-14
Debian DSA-075-2 2001-08-14
HP HPSBTL0202-023 2002-02-12
Mandrake MDKSA-2001:068 2001-08-13
Mandrake MDKSA-2001:093 2001-12-17
Progeny PROGENY-SA-2001-27 2001-08-14
Red Hat RHSA-2001:099-06 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:100-02 2001-08-09
Slackware sl-997726350 2001-08-09
SuSE SuSE-SA:2001:029 2001-09-03
Yellow Dog YDU-20010810-1 2001-08-10
Yellow Dog YDU-20010810-2 2001-08-10
Gentoo 200410-03 2004-10-05

Comments (none posted)

Tomcat 4.x JSP source code exposure vulnerability

Package(s):tomcat CVE #(s):
Created:September 25, 2002 Updated:January 29, 2003
Description: Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also)". The current version of Tomcat is available here.

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.
Alerts:
Gentoo tomcat-20020925 2002-09-25
Debian DSA-169-1 2002-10-04
Gentoo tomcat-20021015 2002-10-15
Debian DSA-225-1 2003-01-09
Debian DSA-246-1 2003-01-29

Comments (none posted)

Local root vulnerability in chfn

Package(s):util-linux CVE #(s):CAN-2002-0638
Created:July 29, 2002 Updated:October 30, 2002
Description: chfn (change finger information) is one of the utilities in the util-linux package. The BindView RAZOR Team has discovered a local root vulnerability in chfn which is described in the Bindview Advisory.

Under certain conditions, "a carefully crafted attack sequence can be performed to exploit a complex file locking and modification race present in this utility, and, as a result, alter /etc/passwd to escalate privileges in the system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any but the last 4 kB chunk of the file.

CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility

Alerts:
Eridani ERISA-2002:032 2002-07-29
Red Hat RHSA-2002:132-14 2002-07-29
Trustix 2002-0064 2002-07-30
Yellow Dog YDU-20020801-4 2002-08-01
Mandrake MDKSA-2002:047 2002-08-08
Conectiva CLA-2002:523 2002-09-12
SCO Group CSSA-2002-043.0 2002-10-29

Comments (none posted)

webalizer: reverse DNS buffer overflow vulnerability

Package(s):webalizer CVE #(s):
Created:May 21, 2002 Updated:January 27, 2003
Description: The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victim's DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002).
Alerts:
Conectiva CLA-2002:476 2002-04-26
EnGarde ESA-20020423-009 2002-04-23
SCO Group CSSA-2002-036.0 2002-10-22
Red Hat RHSA-2002:254-05 2002-12-04
Yellow Dog YDU-20030127-4 2003-01-27

Comments (none posted)

Webmin/Usermin vulnerabilities

Package(s):webmin CVE #(s):
Created:May 21, 2002 Updated:January 10, 2003
Description: Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

Alerts:
Mandrake MDKSA-2002:033 2002-05-21
Yellow Dog YDU-20020522-7 2002-05-22
SCO Group CSSA-2003-002.0 2003-01-09

Comments (1 posted)

Multiple vulnerabilities in wordtrans

Package(s):wordtrans CVE #(s):CAN-2002-0837
Created:September 11, 2002 Updated:February 4, 2003
Description: The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details.
Alerts:
Red Hat RHSA-2002:188-08 2002-09-05

Comments (none posted)

Problems with libgtop_daemon

Package(s):wuftpd libgtop CVE #(s):
Created:May 21, 2002 Updated:May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. On November 28th LWN recommended disabling libgtop_daemon on systems where it is running until an update is available.

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

Alerts:
Conectiva CLA-2002:448 2002-01-03
Debian DSA-098-1 2002-01-09
Mandrake MDKSA-2001:094 2001-12-19
Debian DSA-301-1 2003-05-07

Comments (1 posted)

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."
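
An added example (not wwwoffle code) of the bug class behind this entry: a Content-Length read with atoi() can be negative, and the moment that value reaches a size_t parameter it becomes SIZE_MAX. The strict parser below accepts only unsigned decimal digits, checks for overflow, and applies a caller-chosen cap. The 16 MiB limit, find_header() and the sample request lines are assumptions of the example.

```c
/* Added example, not wwwoffle code: how a negative Content-Length
 * turns into a huge size, and a parser that refuses it. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* The pattern behind this bug class: atoi() returns a negative number
 * and the first size_t parameter it reaches (malloc, read, memcpy)
 * turns it into SIZE_MAX. */
size_t naive_body_len(const char *value)
{
    int len = atoi(value);      /* "-1" -> -1 */
    return (size_t)len;         /* -1 -> SIZE_MAX */
}

/* Strict parse: optional leading blanks, digits only, no sign, no
 * overflow, nothing but blanks/CRLF after the number, and a caller-
 * chosen upper bound. Returns 0 and stores the value, or -1 to reject. */
int parse_content_length(const char *value, size_t max_len, size_t *out)
{
    const char *p = value;
    uint64_t n = 0;

    if (value == NULL)
        return -1;
    while (*p == ' ' || *p == '\t')
        p++;
    if (!isdigit((unsigned char)*p))
        return -1;              /* rejects "", "-1", "+5", "0x10" */
    for (; isdigit((unsigned char)*p); p++) {
        unsigned d = (unsigned)(*p - '0');
        if (n > (UINT64_MAX - d) / 10)
            return -1;          /* would overflow uint64_t */
        n = n * 10 + d;
    }
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '\0' && *p != '\r' && *p != '\n')
        return -1;              /* trailing garbage such as "12abc" */
    if (n > max_len)
        return -1;              /* larger than this server will buffer */
    *out = (size_t)n;
    return 0;
}

/* Assumed policy for this example: bodies above 16 MiB are refused.
 * Returns the length, or -1 for "reject the request". */
long long checked_content_length(const char *value)
{
    size_t n;
    if (parse_content_length(value, 16u * 1024 * 1024, &n) != 0)
        return -1;
    return (long long)n;
}

/* Locate a header's value in a raw CRLF-separated header block.
 * Returns a pointer just past the colon, or NULL if absent. */
const char *find_header(const char *req, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = req;

    while (line != NULL && *line != '\0') {
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':')
            return line + nlen + 1;
        line = strstr(line, "\r\n");
        if (line != NULL)
            line += 2;
    }
    return NULL;
}

int main(void)
{
    /* Constructed request headers, not captured traffic. */
    const char *bad = "POST /cgi-bin/upload HTTP/1.0\r\nHost: cache\r\n"
                      "Content-Length: -1\r\n\r\n";
    const char *good = "POST /cgi-bin/upload HTTP/1.0\r\n"
                       "Content-Length: 42\r\n\r\n";

    printf("naive length for \"-1\": %zu\n", naive_body_len("-1"));
    printf("checked length, bad request:  %lld\n",
           checked_content_length(find_header(bad, "Content-Length")));
    printf("checked length, good request: %lld\n",
           checked_content_length(find_header(good, "Content-Length")));
    return 0;
}
```

The upper bound matters as much as the sign check: a well-formed but enormous length still has to be refused before anything is allocated for it.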

Alerts:
SuSE SuSE-SA:2002:029 2002-08-01
Debian DSA-144-1 2002-08-06
SCO Group CSSA-2002-048.0 2002-11-18

Comments (none posted)

Local privilege escalation vulnerability in XFree86

Package(s):xf86 xfree86 CVE #(s):
Created:September 18, 2002 Updated:October 27, 2002
Description: XFree86 version 4.2.1 fixes a problem in Xlib that made it possible to execute arbitrary code in privileged clients. libX11.so dynamically loads other libraries as needed; when it is linked into a setuid program, arbitrary code could be loaded and executed from a pathname controlled by the user.
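
An added example (not XFree86 code) of the check a library should make before loading a module from a path the user can influence, when the calling program may be setuid: compare real and effective ids, and when they differ accept only paths below a compiled-in directory with no ".." component. TRUSTED_DIR and the module names are assumptions of the example; on Linux, getauxval(AT_SECURE) is the stronger test for the privileged case.

```c
/* Added example, not XFree86 code: a policy check to run before a
 * library loads a helper module from a user-influenced path inside a
 * program that may be setuid. TRUSTED_DIR is an assumed location. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define TRUSTED_DIR "/usr/X11R6/lib/X11/locale"   /* assumed */

/* Is this process carrying privilege its invoker does not have? The
 * portable approximation is "effective ids differ from real ids"; on
 * Linux getauxval(AT_SECURE) is the authoritative answer. */
int running_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Accept `path` unconditionally when unprivileged (the user can only
 * hurt themselves). When privileged, accept only a path strictly below
 * `trusted_dir` with no ".." component, so the prefix cannot be escaped. */
int module_path_allowed(const char *path, int privileged, const char *trusted_dir)
{
    size_t tl = strlen(trusted_dir);
    const char *p;

    if (!privileged)
        return 1;
    if (path == NULL || strncmp(path, trusted_dir, tl) != 0 || path[tl] != '/')
        return 0;               /* outside, or a sibling like "locale-x" */
    for (p = path + tl; *p != '\0'; p++) {
        if (p[0] == '/' && p[1] == '.' && p[2] == '.' &&
            (p[3] == '/' || p[3] == '\0'))
            return 0;           /* "/../" would climb out again */
    }
    return 1;
}

int main(void)
{
    int priv = running_privileged(getuid(), geteuid(), getgid(), getegid());
    const char *candidates[] = {
        "/tmp/evil_module.so",                    /* user-chosen, outside */
        TRUSTED_DIR "/../../../../tmp/evil.so",   /* prefix matches, climbs out */
        TRUSTED_DIR "/common/ximcp.so",           /* assumed legitimate module */
    };
    size_t i;

    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-50s privileged: %-6s unprivileged: %s\n", candidates[i],
               module_path_allowed(candidates[i], 1, TRUSTED_DIR) ? "load" : "refuse",
               module_path_allowed(candidates[i], 0, TRUSTED_DIR) ? "load" : "refuse");
    printf("this process is %s\n", priv ? "privileged" : "unprivileged");
    return 0;
}
```

The prefix test deliberately requires a '/' right after the trusted directory, so a sibling directory whose name merely starts with the same string is not accepted.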
Alerts:
SuSE SuSE-SA:2002:032 2002-09-18
Conectiva CLA-2002:529 2002-10-03
Conectiva CLA-2002:533 2002-10-16
Gentoo xfree-20021024 2002-10-24

Comments (none posted)

Denial of service vulnerability in xinetd

Package(s):xinetd CVE #(s):
Created:August 14, 2002 Updated:December 3, 2002
Description: A file descriptor leak into services started from xinetd may be used, by the programs it starts, to crash xinetd. Xinetd is a replacement for the BSD-derived inetd.
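
For the descriptor leak, an added example (not xinetd code) that shows the fix and demonstrates the leak itself: a pipe the parent keeps for its own use is visible to a child it fork()s and exec()s unless the descriptor carries FD_CLOEXEC. The child is /bin/sh checking for /dev/fd/<n> in its own process, which assumes a Linux-style /dev/fd (with a fallback to a redirection onto that fd); the function names are this example's own.

```c
/* Added example, not xinetd code: mark internal descriptors
 * close-on-exec and demonstrate what happens without it. Assumes a
 * Linux-style /dev/fd and /bin/sh. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC so fd is closed in any child that exec()s a service. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

/* Does fd survive fork()+exec()? The child runs /bin/sh and asks it
 * whether /dev/fd/<n> exists in the shell's own process (falling back
 * to a redirection onto that fd). Returns 1 if the descriptor leaked,
 * 0 if it was closed, -1 if the check itself failed. */
int fd_leaks_across_exec(int fd)
{
    char cmd[80];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, "test -e /dev/fd/%d || : 2>/dev/null >&%d", fd, fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Demo (constructed): a pipe the "superserver" keeps for itself, like
 * the ones a daemon uses to talk to its own helpers. Returns 2 when the
 * fd leaked before FD_CLOEXEC was set and stayed closed afterwards,
 * -1 when the check could not run. */
int demo_fd_leak(void)
{
    int p[2], before, after, flagged;

    if (pipe(p) != 0)
        return -1;
    before = fd_leaks_across_exec(p[1]);            /* expect 1 */
    flagged = fd_is_cloexec(p[1]);                  /* expect 0 */
    if (set_cloexec(p[0]) != 0 || set_cloexec(p[1]) != 0)
        return -1;
    flagged = !flagged && fd_is_cloexec(p[1]);      /* expect 1 */
    after = fd_leaks_across_exec(p[1]);             /* expect 0 */
    close(p[0]);
    close(p[1]);
    if (before < 0 || after < 0 || !flagged)
        return -1;
    return before * 2 + after;
}

int main(void)
{
    int r = demo_fd_leak();
    if (r < 0) {
        printf("demo could not run (fork, exec or /dev/fd unavailable)\n");
        return 1;
    }
    printf("pipe fd visible to the exec'd service before FD_CLOEXEC: %s\n", (r & 2) ? "yes" : "no");
    printf("pipe fd visible to the exec'd service after FD_CLOEXEC:  %s\n", (r & 1) ? "yes" : "no");
    return r == 2 ? 0 : 1;
}
```

The flag has to be set on every internal descriptor a superserver holds (listening sockets, signal pipes, log files), and note that dup2() clears it on the new descriptor, so anything deliberately handed to the child as stdin/stdout loses it.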
Alerts:
Debian DSA-151-1 2002-08-13
Gentoo xinetd-20020814 2002-08-14
Mandrake MDKSA-2002:053 2002-08-26
Red Hat RHSA-2002:196-09 2002-10-14
Red Hat RHSA-2002:196-19 2002-12-02

Comments (none posted)

Multiple vulnerabilities in Zope 2.5.1

Package(s):zope CVE #(s):CAN-2002-0170 CAN-2002-0687 CAN-2002-0688
Created:September 25, 2002 Updated:September 25, 2002
Description: Three security hotfixes are available to fix vulnerabilities in Zope 2.5.1:
  • (Hotfix 2002-03-01) Users defined in subfolders of a site may have unintended access to objects at higher levels.
  • (Hotfix 2002-04-15) Untrusted users can use the "through the web code" capability to shut down the Zope server.
  • (Hotfix 2002-06-14) Anonymous users and untrusted code can call arbitrary methods of catalog indexes.
Alerts:
Red Hat RHSA-2002:060-17 2002-09-24

Comments (2 posted)

Resources

Linux Security Week - September 30th 2002

Linux Security Week for September 30 from LinuxSecurity.com is available.

Full Story (comments: none)

Slapper Worm brought to heel (Register)

The Register covers two recent variants of the Slapper worm, Slapper.B (Cinik) and Slapper.C (Unlock). "Two fresh variants of the Slapper worm, which spreads through Linux machines by exploiting a well-known flaw in OpenSSL libraries, have been sighted this week."

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Release status

Kernel release status

The current development kernel is 2.5.40, released by Linus on October 1. Among the usual fixes and updates, it includes high memory support for User-mode Linux, the CPU frequency (power management) patches, more disk management thrashups from Al Viro, the in-kernel NUMA topology API, the removal of the task queue subsystem, an ISDN update, and an ARM update. Here's the long-format changelog with the details.

Linus announced 2.5.39 on September 27. The biggest change, perhaps, was the inclusion of the deadline I/O scheduler (covered in last week's LWN Kernel Page); this kernel also contained a bunch of XFS fixes, an SCTP update, a bunch of memory management work by Andrew Morton, Ingo Molnar's in-kernel symbolic oops dumper, some driver model work, and numerous other fixes and updates. The long-format changelog is available.

Linus's pre-2.5.41 BitKeeper tree contains a big ALSA update (the source of some grumbling from Linus), Ingo Molnar's "workqueue" implementation (see below), and a relatively small number (as of this writing) of other fixes and updates.

Dave Jones jumped back into the prepatch business with 2.5.39-dj1, which contained a number of fixes from his tree. Dave evidently still has a substantial pile of fixes to push on to Linus, but has been busy.

After a long absence, Alan Cox has also started putting out development kernel prepatches again. 2.5.40-ac1 includes support for the Voyager architecture, a merge of the uClinux distribution, and a number of fixes.

The latest 2.5 status summary from Guillaume Boissiere is dated October 2.

The current stable kernel is 2.4.19. Marcelo released 2.4.20-pre8 seconds after last week's Kernel Page was posted; it included an IBM hotplug driver update, a couple of security fixes, an x86-64 update, and a number of other fixes.

The current prepatch from Alan Cox is 2.4.20-pre8-ac3. Alan's recent releases have contained quite a few fixes, but no major new work.

Comments (none posted)

Kernel development news

The feature freeze is coming

As part of the 2.5.40 announcement, Linus reminded the world that the feature freeze is coming soon:

And a small reminder that we're now officially in the last month of features, and since I'm going to be away basically the last week of October, so I actually personally consider Oct 20th to be the drop-date, unless you've got a really good and scary costume.. So don't try to leave it to the last day.

Linus also let it be known that he's "perfectly happy with the kernel" and feels no need to deal with last-minute code submissions.

In fact, the list of outstanding features is getting smaller. A couple of big changes that are pending, and which could be disruptive, are:

  • Changing the sector_t type to 64 bits, allowing block devices to be larger than 2TB. One would think that 2TB would last for a while, even by the standards of modern disks, but large RAID arrays are already pushing that boundary. A patch (by Peter Chubb) is being prepared, but it's taking him a while; among other things, he points out that testing is a slow process because it takes a full day just to write 4TB to a device.

  • Turning dev_t into a 32-bit value. Increasing the number of devices has been on the list since long before the 2.5 series began, but the change has not yet been made. This is not a trivial change, since the major device number is still used to index into static arrays within the kernel. Drastically increasing the number of devices requires dealing with those arrays. Alexander Viro has a plan to that end, but a lot of work remains to be done.

Beyond that, quite a few other developments are pending, and they won't all get in. Some outstanding items include the completion of the Linux Security Module and asynchronous I/O merges, ext3 indexed directory support, Rusty Russell's new module loader, a new kernel configuration and build system, a whole pile of memory management work, etc.

What also remains to be seen is how serious Linus is about the feature freeze. Past kernel freezes have tended to be slushy at best. Some substantial work will have to be integrated after the freeze; it will be interesting to see what gets in as "stabilization" or "feature completion."

Then, there is the much-publicized debate over whether the next stable series should be 2.6 or 3.0. Linus started by saying that there was nothing all that revolutionary in this kernel, and that it should be called 2.6. Numerous other developers disagreed, however, and Linus appears to have relented. It seems likely that the next major stable kernel will be called Linux 3.0.

Comments (9 posted)

The end of task queues

Kernel code often needs to set aside a task to be performed "a little later." The classic example is that of an interrupt handler, which must perform its task quickly, without blocking. Typically interrupt handlers simply acknowledge the interrupt, then arrange for the real work to be done outside of interrupt context. That work, which can include starting new I/O operations, delivering data to user space, or cleanup actions, gets done when the kernel gets around to it - and, usually, when it's safe to sleep.

In the good old days, the "bottom half" mechanism was used to set aside tasks in this manner. Linux bottom halves were quite inflexible, being identified by globally-unique, compile-time numbers. There could be no more than 32 of them - the number that could be tracked in a single-word bitmask. And bottom halves were not safe places for extended processing or tasks that needed to sleep.

More recent kernels moved much of the bottom half work to "task queues." A task queue is a simple linked list of functions to call (and data to pass to them). Certain predefined task queues were run at well-defined times; one was executed whenever the scheduler was called, and another was run out of the timer interrupt handler. Task queues cleaned things up significantly, but they were not particularly transparent and, fundamentally, they were still bottom halves. Their removal has been on numerous peoples' "todo" lists for some time.

One replacement for task queues is the "tasklet" interface, which was introduced in the 2.3 development series. Tasklets provide a high-performance interface for quick tasks that do not sleep; they are thus suitable for certain sorts of operations, but they do not replace task queues in all situations.

More recently, an attempt was made to address other deferred processing needs by wrapping a new interface (schedule_task()) around (what was) the scheduler task queue, and creating a special kernel thread (keventd) to run that queue. keventd provided a well-defined process context for tasks that need it (in particular, those which can sleep). But keventd still suffered the limitations of task queues, plus one other: all tasks were executed by a single thread. One very slow task could thus hold up everything else in the queue, creating unpredictable latencies.

A couple of patches recently posted by Ingo Molnar address these problems and clean up deferred processing substantially. The first patch removes the task queue interface and converts its remaining users over to schedule_task(); this patch was included in 2.5.40. The more interesting work is contained in the workqueue patch (since updated), which has not yet (as of this writing) been merged by Linus. This patch replaces the task queue mechanism (and schedule_task()) entirely with a mechanism which is simpler to use and which yields better-defined results.

With the workqueue patch, task queues are replaced with the new "workqueue" concept. The basic idea is the same: a workqueue is a linked list of structures containing functions to call and data to pass to them. But the internals of workqueues are better hidden so that users need not worry about what is really going on. Workqueues are executed in process context, so tasks executed from those queues may sleep. Each workqueue, however, has its own worker threads (one per CPU), so one subsystem's workqueue entries will not block others from running. There is a default workqueue (analogous to the old schedule_task() functionality) for relatively simple tasks that do not justify their own queue.

For those who are interested, we have written up a separate article with reasonably complete documentation of the workqueue interface.

There has been a bit of discussion over the details of this interface. It has been through one set of modifications already, and will likely evolve more in the near future. The basic idea, however, appears to have been well received; some version of this patch will probably go in before too long.

Comments (none posted)

Some security hooks get the hook

The Linux Security Module code works by allowing security-related code to hook into almost every access decision the kernel makes. Security modules can only tighten restrictions by vetoing access that would otherwise have been allowed. A number of security regimes - most notably the NSA's SELinux - have been built on the LSM structure. The LSM patch has been partially merged into the kernel; many of the LSM hooks are not yet there, however.

Recently some developers have been questioning some of the specific hooks. In response, LSM maintainer Greg Kroah-Hartman has posted a patch removing a few LSM hooks: those for creating, initializing, and deleting modules. Nobody seems to have an issue with the ability to control those operations - it's just that no code is currently using those hooks.

That is, in fact, Greg's stated policy with LSM: any hooks that are not actually being used by an available, open source security module will be removed.

I am not happy with the idea that there would be hooks in the kernel that are not being used. That's not the Linux way. If the code isn't being used, it's removed.

The idea, of course, is that there is no point in trying to maintain code that is not in use. By the time somebody actually tries to make use of it, chances are it will be broken anyway. And, it is said, it is easy to reintroduce a hook should the need develop.

Of course, given the LSM design, it's not that easy to put in a new hook. LSM requires security modules to provide an explicit implementation for every available hook, with the result that security modules accumulate a lot of stub "no-op" hooks. Adding a hook will break every security module out there until they implement a stub for that hook. Given that, security module authors who see a use for some of the more obscure hooks might want to document that use before too long.

Comments (3 posted)

Catching code which sleeps on the job

The kernel is full of code which is not allowed to sleep. Anything which is handling an interrupt or otherwise running out of process context, for example, should not try to go to sleep. This particular case is easy to catch in the scheduler, but others are not. For example, any code which is holding a spinlock can not sleep either. Sleeping in this situation can lead to deadlocks (some other process spinning on the lock can prevent the holder from running again and releasing the lock), mutual exclusion failures (on uniprocessor systems where spinlocks are optimized out), or, at a minimum, excessive lock hold time and lock contention.

The problem is that it can be easy to sleep in the wrong places. Sleeps are often not done directly; instead, a piece of atomic code calls a function which calls some other function which sleeps. The "sleep tendency" of functions is not always documented, and, in any case, kernel hackers, being human, can make mistakes. Even if it seems, at times, that they don't sleep.

Until recently, these mistakes have been hard to catch. There was no "I'm running in an atomic section" flag, and thus no way for the kernel to know that it is sleeping in a bad place - until something went badly wrong. The preemptible kernel patch changed all that, however. Any place where the code can not sleep is also certainly a bad place for that code to be preempted. So the functions which mark atomic sections (such as spinlock operations) now set a "don't preempt me" flag.

But once you have that flag, why not use it to detect sleeps in the wrong place? Andrew Morton posted a patch which does exactly that, and Linus merged it on the spot. The patch was titled "increase traffic on linux-kernel," and it has done exactly that. There are, it turns out, quite a few places where sleeping functions are called within code that is supposed to be atomic. These mistakes are being fixed almost as quickly as they are found. A small patch has done a lot to eliminate a whole class of kernel programming errors.
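A user-space model of the detector (added here; not kernel code) shows how little is needed once the flag exists: the lock primitives count atomic sections, and any path that may sleep asks might_sleep() first, which complains when the count is non-zero. The deep call chain mirrors the situation described above, where a function several levels down is the one that sleeps. Names echo the kernel's, but everything here is a toy: single-threaded, no real locks.

```c
/* Added example, not kernel code: a user-space model of the "sleeping
 * in atomic context" detector. Names echo the kernel's but this is a
 * toy, single-threaded and with no real locks. */
#include <stdio.h>

static int preempt_count;         /* > 0 while inside an atomic section */
static int sleep_in_atomic_hits;  /* bad sleeps caught so far */

/* The preemptible-kernel work made the spinlock helpers bump this
 * counter; that is the flag the detector reuses. */
void model_spin_lock(void)   { preempt_count++; }
void model_spin_unlock(void) { preempt_count--; }

/* Every path that may sleep calls this first. The real check prints a
 * backtrace; here it counts and names the offending function.
 * Returns -1 when called from atomic context, 0 otherwise. */
int might_sleep_at(const char *where)
{
    if (preempt_count > 0) {
        sleep_in_atomic_hits++;
        fprintf(stderr, "BUG: sleeping function called from invalid context "
                "at %s (preempt_count=%d)\n", where, preempt_count);
        return -1;
    }
    return 0;
}
#define might_sleep() might_sleep_at(__func__)

/* A helper several calls down that sleeps (say, a blocking allocation);
 * its callers may not know that. */
int allocate_buffer_may_sleep(void) { return might_sleep(); }
int fill_record(void)               { return allocate_buffer_may_sleep(); }

/* Buggy: the sleeping helper is reached while the lock is held. */
int update_table_buggy(void)
{
    int rc;
    model_spin_lock();
    rc = fill_record();         /* caught here */
    model_spin_unlock();
    return rc;
}

/* Fixed: do the work that may sleep first, then take the lock only for
 * the non-sleeping part. */
int update_table_fixed(void)
{
    int rc = fill_record();
    model_spin_lock();
    /* publish the record: pointer swap, list insert, nothing blocking */
    model_spin_unlock();
    return rc;
}

/* Run both variants and return how many bad sleeps were detected. */
int demo_sleep_detector(void)
{
    sleep_in_atomic_hits = 0;
    update_table_buggy();
    update_table_fixed();
    return sleep_in_atomic_hits;
}

int preempt_count_now(void) { return preempt_count; }

int main(void)
{
    int hits = demo_sleep_detector();
    printf("bad sleeps detected: %d (preempt_count back to %d)\n",
           hits, preempt_count_now());
    return hits == 1 ? 0 : 1;
}
```

The point of the model is where the check sits: not in the caller that took the lock, which has no idea what its callees do, but in the function that actually sleeps, which is the only place that knows.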

Comments (none posted)

The new CPU frequency code

A new CPU frequency subsystem, written by Dominik Brodowski and others, was integrated by Linus into the 2.5.40 release. This code provides user-space control over the clock frequency of the CPU(s) in the system - at least, for processors which provide that capability.

One might wonder why it would be desirable to run a processor at anything below its rated speed. The reasons, of course, are power consumption and thermal control. A faster CPU requires more power to run. If you're using your laptop on an airplane, and you're not trying to crack any encryption keys or set kernel build time records before you land, you might just want to slow down the processor a little to avoid draining your battery. Meanwhile, the processor may decide to slow down on its own if it's getting too warm.

In fact, some modern processors can take a fairly smart approach to frequency control. If the processor notices that it is spending a lot of time idle, it can slow itself down. If it's constantly busy, it can turn up the speed a bit. If a particular processor supports setting its frequency in a "dumb" mode only, it might be nice for the operating system to provide the automatic adjustment in software.

For this reason, a simple "set the frequency" interface was deemed to be insufficient. The CPU frequency code merged into 2.5.40 reflects the new understanding of the problem: it allows the user to set a range of acceptable frequencies and the desired policy. If the user selects "performance" as the policy, the processor will be instructed to run at the upper end of its range; if it slows down, it does so gradually. With the "powersave" policy, speeds will be kept lower even in the face of sustained work to do. Overall, the new interface gives the user a great deal of control over how the system operates. Of course, this interface is just a cryptic /proc file (see Documentation/cpufreq in the 2.5.40 tree for details); look for the KDE and GNOME applications to show up in the near