
LWN.net Weekly Edition for December 21, 2006

A 2006 retrospective

This is the last LWN.net Weekly Edition for 2006; following our longstanding tradition we will take the last week of the year off and dedicate it to cleaning all of this year's unanswered mail out of our inboxes. We wish you all a pleasant holiday season; LWN will be back on its regular schedule on January 4.

Another LWN tradition is to review our predictions made at the beginning of the year to see just how badly wrong your editor was this time around. Those predictions were published in the January 4, 2006 edition, for those who wish to follow along from the source. Some of the comments posted to the article can also be interesting to read with a year's perspective. We'll not review every prediction made in that article. Some of them are sufficiently obvious ("Perl 6 will not be released," "the SCO case will drag on") or general ("the pace of kernel development will not slow") that little review is called for. Some of the others, however, offer some insights into how perspectives have changed over the last year (or, perhaps, how blind your editor was back then).

The very first prediction made was that the GPLv3 process would dominate the news. Your editor was not able to foresee, however, that the FSF would take the license revision as an opportunity to attack DRM head-on. What has happened over the last year, as evidenced by GPLv3 and in other places, is that many in the community now think that we have enough weight to throw around in support of goals beyond the simple creation of free software. Whether the exercise of this weight will lead to a more free society, or whether it will just make us more like the entertainment industry (which also thinks it has plenty of weight to use in pursuing power under copyright law) remains to be seen.

Some commenters doubted your editor's prediction that the non-free kernel module issue would come to a head this year. But, over the course of this year, a number of distributors swore off shipping such modules, those which continue to embrace proprietary modules have taken a fair amount of criticism, and the kernel developers seriously considered banning them outright. Whether all that constitutes "coming to a head" can be debated, but the fact remains: there is a great deal of resentment over proprietary kernel modules and this issue will not go away anytime soon.

Your editor predicted the return of European software patents. There were some stirrings over the year, but software patents have, for the most part, laid low. It would be foolish to believe that they will do so forever, though.

With regard to desktop Linux, your editor's advice was to not expect amazing advances, but that there would be steady progress. The movement of 3D technologies onto the Linux desktop may not qualify as an "amazing advance," but it is a big step regardless; Linux need defer to no other system in the eye candy department. A prediction that alternatives to OpenOffice.org would gain prominence did not really come through - but it is worth noting that the OLPC project has gone with a lightweight version of AbiWord.

One of the more controversial predictions said that the Fedora Project would have to make changes to maintain its position. Over the course of the year, Fedora abandoned the "Fedora Foundation" idea, gave up (belatedly) on Fedora Legacy, decided to lengthen its support period, and merged the Core and Extras distributions. The project has picked up a new energy, renewed its longstanding dedication to free software, and looks well poised to move forward with a stronger community focus.

Predicting that a Debian release would happen on schedule is always a daring thing to do. Things clearly did not work out that way, but substantial progress has been made. Debian Etch might not be that late, in the end. Predicting Emacs releases is equally risky, and Emacs 22 did not come out this year - but a couple of pretest releases did.

Your editor thought that Novell would "get its act together and become a truly successful Linux-based company." Oh well. That could yet happen, but, after the events of 2006, few people would see it as a foregone conclusion.

So what did your editor miss entirely? Big company moves were at the top of the list. The idea that Novell would make a deal with Microsoft - paying patent royalties in the process - was beyond your editor's imagination at the time. Similarly, the notion that Oracle would try to muscle into Linux support by repackaging Red Hat Enterprise Linux was a surprise. Free software has reached such a level of importance that the largest companies out there are paying attention.

Also missed was the open-sourcing of Java, though one could certainly quibble that we have not actually seen the code yet. Perhaps your editor should simply predict this event for 2007 and be dead-on. Seriously, however, this event has been delayed for so long that many of us had despaired of it ever happening. It does appear, however, that Jonathan Schwartz has brought a new emphasis on free software to Sun's top position; the planned release of Java under the GNU General Public License suggests that he is serious.

In the end, the easiest prediction to make was that our community would remain healthy, and that our software would continue to get better. Despite our disagreements and our mistakes we are going from one strength to the next. That helps make 2006 another pleasant year to look back on.

Comments (16 posted)

The 2006 Linux and free software timeline

For the ninth year in a row, the editors at LWN.net have put together a timeline highlighting the most important events of the last twelve months.

It has been an active and interesting year - just like the ones before. The GPLv3 process was launched - and threatened to split our community over differing views of freedom. Software patent issues came and went. The Linux desktop went 3D. Large companies became more involved with Linux and free software - and not everybody is pleased with the result. Distributors reevaluated and reworked their dealings with the community. And, while all this was happening, the community continued to produce great code which made all of our systems better.

This is version 1.0 of the 2006 timeline. If you find any errors or remaining major omissions, please send them to us at timeline@lwn.net; please do not post errors or omissions as comments until after we have had a chance to address them.

The development of the LWN.net Linux Timeline was supported by LWN subscribers; if you like what you see, please consider subscribing to LWN.

This year, we are pleased to announce the return of the one big page version as well.

For the historically minded, the timelines for the previous eight years remain available:

1998 1999 2000 2001 2002 2003 2004 2005

Comments (none posted)

Second Life and Open Source

December 15, 2006

This article was contributed by Glyn Moody

When Larry Lessig proclaimed that "code is law" he was talking metaphorically. But for a virtual world, constructed entirely out of bits, it is literally true: the laws regarding what you can and cannot do there, both legally and even physically, are inscribed in the lines of code that implement it. In this space, then, open source has an added significance in that it not only lays bare the engines of creation, but it potentially allows them to be hacked.

What some of the consequences of this openness might be was shown recently in Second Life, when the open source project libsecondlife released a program called CopyBot. As its name suggests, this tool allowed copies to be made of in-world objects - including the "avatars" that are used to represent the residents of Second Life. This was deeply problematic, since one of the attractions of Second Life is that creators of digital content retain ownership, unlike in most other virtual worlds. Many now make a good living from this in-world activity selling virtual items, with some earning tens of thousands of dollars per year. However, CopyBot raised the spectre of people replicating content for free, rendering digital objects valueless, and undermining the entire Second Life economy.

The person leading the libsecondlife project is Jonathan Freedman. He took over recently after John Hurliman, the previous lead, and still the main contributor of code to the project, decided he didn't want to deal with the public relations issues that CopyBot threw up. Freedman recalls: "he said to me: 'I just want to code, I don't want to deal with this.'"

The libsecondlife project began six months ago, and was started by a group of coders who "were interested in seeing a little more flexibility in what they could do with Second Life," as Freedman explains. The idea was to create an open source library that third parties could employ to create new Second Life applications. To do that, the libsecondlife group started reverse-engineering the Second Life protocols.

One by-product of this work was that they turned up security issues - "and believe you me, they found quite a few," Freedman says - which they reported to Linden Lab, the company behind Second Life. Partly as a result, "the way the project had been run impressed Linden Lab, who were very happy with it," Freedman explains. "Back in the Second Life Community Convention in August, they gave their unofficial endorsement of the libsecondlife project."

And then along came the CopyBot incident.

"It was a debugging tool," Freedman says of CopyBot. "The developer was working on the part of the Second Life protocol that was responsible for drawing avatars. He needed a way to verify that the data was coming correctly: what better way to verify that than just mirroring it back" down the connection to the system and observing the result?

Freedman emphasizes that there were safeguards built in to ensure that this "mirroring" - copying of virtual objects - was kept within the terms of service at the time. "You'd actually have to ask it before it would copy you, and it would then give you a lengthy disclaimer explaining what was going on so people could make sure that that was what they wanted. And generally people were agreeing with that, and they'd be there for five or ten minutes dancing with themselves."

There the story might have ended, were it not for the fact that CopyBot was free software. "Anybody could get a copy and make use of it, and that's what we saw happening: other people were modifying it to take out the disclaimer, and generally shout stuff like 'I'm stealing your textures'" - the surface elements of virtual objects.

As well as taunting victims in this way, a few of these "griefers" started selling the modified, no-holds-barred version of CopyBot within Second Life. Panic spread in some quarters of Second Life. Shop owners closed hundreds of virtual stores, afraid that their inventory would be copied endlessly and rendered worthless. But in practice, the damage was minor, and the economy of Second Life continues to grow - not least because CopyBot itself had important limitations that were consequences of the way Second Life operates.

Each "sim" or simulator of a portion of the virtual world in Second Life is created on a server running Debian GNU/Linux, Apache, Squid and MySQL; currently there are several thousand of these PC boxes. To allow for fast response times, the virtual world is sent not as pixels or even as a mesh, but as a series of 3D primitives - "prims". The Second Life client creates the world by converting the stream of information about prims and their position into a visual representation.

This means that the client has all the structural information about any object visible to it; CopyBot works by taking that information, and replicating it. However, in addition to the prims and the textures applied to them, more complex objects add scripting to provide interactive behaviour that endows Second Life with much of its richness. These scripts are run server-side, and are not passed to the client, so CopyBot is unable to intercept them.

Nonetheless, the residents of Second Life who made money from their virtual creations were understandably perturbed by the appearance of a piece of software with the provocative name of CopyBot - "in retrospect it probably could have been named something else," Freedman concedes.

At a November meeting held in-world, Second Life's creator and CEO, Philip Rosedale, explained that nothing could be done about CopyBot using technical means: Second Life's client-server architecture implied that CopyBot was not just possible but in some sense inevitable. But he did promise other measures, including more metadata, such as attribution and creation time-stamps, for virtual objects. Since these would be stored server-side, and hence immutable, they would provide clear proof of whether an object had been copied. To give this approach some teeth, Linden Lab made clear that anyone who used CopyBot or something similar in a malicious manner faced the prospect of expulsion from Second Life.

Some remain unhappy with Rosedale's response, and also see the CopyBot incident as part of a deeper malaise involving cynical hackers exploiting loopholes in the Second Life code to grief other residents. They accuse Linden Lab of a certain complicity because of its encouragement of the external libsecondlife project.

Perhaps that encouragement is not so surprising given Linden Lab's stated intention [PDF - look at final slides] to make elements of Second Life open source. "Without speaking to specific timing or plans - and we've thought and are thinking lots and lots where there might be exceptions to this - it seems like the best way to allow [Second Life] to become reliable and scalable and grow," Rosedale said recently on the subject of opening up the code. "We've got a lot of smart people here thinking about that." It's obviously useful to have smart people thinking about it on the outside too - provided things don't get out of hand.

Freedman has instituted one important change in the libsecondlife project to try to ensure that another CopyBot does not happen. "Previously, the way the libsecondlife source tree was done was basically anybody who wants an account can have one. That's the first thing I changed: just the core developers can have the accounts."

Freedman also has some clear-cut goals for the project, which will be releasing all its code under the BSD license. "Short-term, the aim is to have a workable third-party library that other people can make use of to interface with Second Life. I believe that by the middle to end of December we'll have a fairly decent third-party viewer that's comparable to the Second Life [client] application. Longer term, ideally we'd like to see a completely open implementation of Second Life, from the client, to the sims, to the assets - everything."

Freedman believes "the use of open standards, if not open source, will go a long way in the propagation of Second Life as an actual platform." This seems to explain Linden Lab's enthusiasm for libsecondlife and patience with things like CopyBot. At stake is the chance to help create the next online platform - the 3D Web, sometimes known as Web 3.D.

Opening up the platform will also take some of the strain off Linden Lab: currently, Second Life is growing at an unsustainable rate, with over a million new members joining in the last couple of months. If users could host their own virtual land, then Second Life could scale more gracefully. Beyond that, open protocols would allow distinct but interconnected virtual worlds to be created. The technical aspects of this are the easy part; more difficult are working out social and economic issues like making reputation and money portable between those worlds, and legal ones - as the CopyBot episode made all too clear.

Glyn Moody writes about open source and virtual worlds at opendotdotdot.

Comments (47 posted)

Page editor: Jonathan Corbet

Security

The state of PHP security

December 20, 2006

This article was contributed by Jake Edge.

PHP security has been much in the news lately, mostly centered around the resignation of Stefan Esser from the PHP Security Response Team. His stated reasons for leaving are rather alarming, and he indicates a pattern of slow responses to security holes within the language itself. Others, including Zend co-CTO Zeev Suraski, disagree and chalk it up to a personality conflict between Esser and the rest of the team. A recent look at the National Vulnerability Database (NVD) specifically for PHP related security issues also highlights some of the problems with PHP. It is time, it seems, to take a look at the state of PHP security.

PHP is touted as an easy language to use to write web applications, particularly those that use a database for storage. There is no end of PHP tutorials available on the web that will help readers get a web application up and running in short order. Unfortunately, many of these tutorials completely ignore security and invite their readers to create applications that suffer from SQL injection and other security flaws. This example (from the top ten results of a Google search for 'php tutorial') explains how to update a record in a MySQL database using single quotes around the values that come in from a web form. It also describes how to display data in ways that allow for cross-site scripting.

As described in another security page article, the proper way to handle database queries with user supplied data is by using placeholders. PHP does provide ways to do that, using the PEAR database API, but finding information about it is non-trivial. It certainly is not promoted by the PHP homepage, which tends to push the included, easily abused, MySQL interface.
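The two patterns contrasted above, as an added example that is not part of the article and not code from any of the tutorials it mentions: the quoted-value UPDATE the tutorials teach, beside the placeholder form, plus output escaping for the cross-site scripting case. It uses PHP's standard PDO extension with an in-memory SQLite database so that it runs stand-alone (the PEAR DB API the article refers to takes `?` placeholders in the same way); the table, rows and the `$form` array are constructed for the demonstration.

```php
<?php
// Added example (not from the LWN article): tutorial-style quoting of form
// values beside the placeholder form the article recommends. PDO with SQLite
// in memory is assumed to be available; the data below is constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (id, name, email) VALUES (1, 'alice', 'alice@example.org')");
$db->exec("INSERT INTO users (id, name, email) VALUES (2, 'bob', 'bob@example.org')");

// Constructed "form input": an ordinary value that happens to contain a quote.
$form = array('id' => '1', 'name' => "O'Brien");

// Tutorial style: interpolate the raw form value inside single quotes.
// The quote inside the value ends the string literal early, so this query is
// malformed; a value chosen on purpose can instead change what the UPDATE does.
function update_name_unsafe(PDO $db, array $form) {
    $sql = "UPDATE users SET name = '" . $form['name'] . "' WHERE id = '" . $form['id'] . "'";
    try {
        return $db->exec($sql);
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// Placeholder style: the SQL text is fixed; the values are bound separately
// and are never parsed as SQL, so no quoting or escaping is involved at all.
function update_name_safe(PDO $db, array $form) {
    $stmt = $db->prepare('UPDATE users SET name = ? WHERE id = ?');
    $stmt->execute(array($form['name'], $form['id']));
    return $stmt->rowCount();
}

// Output side: escape a stored value before echoing it into HTML so that it
// cannot inject markup or script into the page (the cross-site scripting case).
function render_name(PDO $db, $id) {
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute(array($id));
    $name = $stmt->fetchColumn();
    return '<td>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</td>';
}

var_dump(update_name_unsafe($db, $form));   // the stray quote breaks the statement
var_dump(update_name_safe($db, $form));     // number of rows the bound UPDATE touched
echo render_name($db, 1), "\n";             // escaped table cell
```

Run it with `php example.php`. The unsafe function fails on a legitimate name, which is the same mechanism that lets hostile input rewrite the query; the placeholder version handles the quote as data and needs no escaping code of its own.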

Because PHP strives to be easy to use, its developers have added features that have caused all manner of security problems. The worst offender is the register_globals 'feature' which automatically instantiates PHP variables from the CGI variables that are passed in a GET or POST. While it does make it easier for programmers to access these values, it also allows attackers to set the value for any uninitialized variable in the PHP program. Because PHP is a dynamic language, variables do not necessarily need to be initialized before they are used and many programs relied on that feature. When combined with register_globals, this practice leads to easy exploits.

register_globals has long been turned off by default in PHP, but there are a huge number of applications that still rely on it. Many PHP web hosting companies have it turned on because their customers demand it, but it is very difficult to use the feature correctly. There are PHP modes that warn of using uninitialized variables, but those warnings typically end up in a log file somewhere which may not be examined frequently. It is an extremely dubious feature, but one that PHP creator Rasmus Lerdorf seems to think should have been left on by default.
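The uninitialized-variable pattern that register_globals turns into an exploit, as an added example (not from the article): a vulnerable handler beside a hardened one, and a start-up check that refuses to run under an interpreter that still has the setting on. Since register_globals is off on any sane interpreter, the script simulates it with `extract()` on a constructed request array; `check_login()` is a stand-in for a real credential check.

```php
<?php
// Added example (not from the LWN article) of the register_globals hazard.
// With register_globals=On every request parameter becomes a PHP variable
// before the script runs, so a request carrying "authorized=1" pre-sets
// $authorized in the vulnerable handler. The request array is constructed,
// and extract() stands in for what register_globals does implicitly.

$request = array('user' => 'guest', 'authorized' => '1');   // constructed request

function check_login($user) {
    // Stand-in for a real credential check; only "admin" is accepted here.
    return $user === 'admin';
}

// Vulnerable: $authorized is assigned only on the success path and is read
// uninitialized otherwise, so whatever seeded the variable scope decides.
function vulnerable_handler(array $globals) {
    extract($globals);            // simulate register_globals
    if (check_login($user)) {
        $authorized = true;
    }
    return !empty($authorized);   // true for the guest request above
}

// Hardened: initialize every variable, read request data explicitly from the
// superglobals (or an array passed in), and never let input name variables.
function hardened_handler(array $request) {
    $authorized = false;
    $user = isset($request['user']) ? (string) $request['user'] : '';
    if (check_login($user)) {
        $authorized = true;
    }
    return $authorized;
}

// Deployment check: fail closed if the interpreter still has the misfeature
// enabled, instead of trusting every script in the application to be careful.
// ini_get() returns "" or "0" when the setting is off and false on versions
// that no longer have it; all of those are falsy.
function assert_register_globals_off() {
    if (ini_get('register_globals')) {
        throw new RuntimeException('register_globals is enabled; disable it in php.ini');
    }
}

assert_register_globals_off();
var_dump(vulnerable_handler($request));   // guest is treated as authorized
var_dump(hardened_handler($request));     // guest is rejected
```

The warning-mode point in the article applies to the vulnerable handler: with `error_reporting(E_ALL)` the read of `$authorized` produces an "undefined variable" notice, which is only useful if somebody reads the log; initializing the variable removes both the notice and the hole.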

Other poor design choices include the 'magic quotes' feature that gives the illusion of removing SQL injection issues without actually providing that protection. Another is the ability of the PHP include directive to take URL arguments; this has been abused by attackers to pick up their scripts and have them run on the victim's server. Unfortunately, these features get into the language and are used, making it difficult to remove them later.
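Defensive handling of the two misfeatures just described, as an added example that is not part of the article: an allow-list lookup in place of passing a request parameter to `include`, a single entry-point routine that undoes magic quotes before values go to a placeholder query, and a report of the php.ini settings a reviewer should check. The request array, the page map and the URL in it are constructed placeholders; PDO with SQLite is assumed present, as in the earlier example.

```php
<?php
// Added example (not from the LWN article) for magic quotes and include()
// with a URL argument. The request array is constructed; the URL and the
// page names are placeholders.

$request = array(
    'page' => 'http://example.invalid/remote.txt',   // placeholder URL
    'q'    => "O'Brien",
);

// --- include() with a request-controlled argument ---
// Vulnerable pattern: the parameter reaches include() untouched. Before PHP 5.2
// allow_url_fopen, and from 5.2 the separate allow_url_include setting, lets a
// URL here be fetched and executed; without URLs, "../" still reaches local files.
function resolve_page_unsafe($page) {
    return $page;                      // would go straight into include()
}

// Hardened pattern: the parameter is only a key into a fixed map of files under
// the application's own directory; anything else is rejected before include().
function resolve_page_safe($page) {
    $pages = array('home' => 'home.php', 'about' => 'about.php');
    if (!is_string($page) || !isset($pages[$page])) {
        return null;
    }
    return __DIR__ . '/pages/' . $pages[$page];
}

// --- magic quotes ---
// magic_quotes_gpc backslash-escapes quotes in GET/POST/COOKIE data before the
// script sees them, which is not SQL escaping and breaks double-escaped code.
// Undo it once at the entry point (only on interpreters that still have it),
// then hand values to the database as bound parameters, which need no escaping.
function normalize_input($value) {
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic) {
        return $value;
    }
    return is_array($value) ? array_map('normalize_input', $value) : stripslashes($value);
}

function count_users(PDO $db, $name) {
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return (int) $stmt->fetchColumn();
}

// Interpreter settings worth checking in a review; returns the ones that are on.
// allow_url_fopen is legitimate if the application opens URLs itself, but it
// governed include() on PHP before 5.2.
function risky_ini_settings() {
    $keys = array('register_globals', 'magic_quotes_gpc', 'allow_url_include', 'allow_url_fopen');
    $on = array();
    foreach ($keys as $k) {
        if (ini_get($k)) {
            $on[] = $k;
        }
    }
    return $on;
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien')");   // constructed row

$input = normalize_input($request);
var_dump(resolve_page_unsafe($input['page']));   // the raw URL, as a vulnerable app would use it
var_dump(resolve_page_safe($input['page']));     // rejected
var_dump(resolve_page_safe('about'));            // a path under the application directory
var_dump(count_users($db, $input['q']));         // the quoted name matches as plain data
var_dump(risky_ini_settings());                  // settings still enabled on this interpreter
```

The allow-list is the important part of the include fix: validating that a string "looks like a filename" is fragile, whereas mapping a small set of known keys to known files means request data never becomes a path at all.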

There are various projects to improve upon PHP security, including Esser's Hardened-PHP, as well as efforts, such as the PHP Security Consortium, that seek to educate people about writing secure PHP code. Unfortunately, many of the open source PHP projects do not provide good examples for budding PHP programmers to emulate; they either rely upon various PHP misfeatures and/or they were written by programmers without the requisite secure coding skills.

The existence of these projects (and other similar ones) certainly provides an indication that the security problem with PHP is acknowledged by some. PHP proponents tend to take a 'blame the user' approach that is reasonable in some ways, but fails to recognize some of the inherent issues with PHP itself. If you target inexperienced web application programmers, you can hardly be surprised that they do not have fundamental security skills.

Security seems to fall somewhere below simplicity in the minds of the PHP language developers; that makes it more difficult to have secure PHP applications. Security is a hard problem and any attempt to 'dumb down' a language is likely to run into security issues. Encouraging amateur programmers to write web applications is unlikely to produce secure code in any language, but by providing tutorials and examples that have glaring security issues and by not concentrating on teaching secure coding, PHP makes it that much worse. A great deal of useful code has been written on the PHP platform; it would be nice to find a way to keep that code coming while simultaneously making it more secure.

Comments (21 posted)

New vulnerabilities

clamav: stack overflow

Package(s):clamav CVE #(s):CVE-2006-6481
Created:December 15, 2006 Updated:December 20, 2006
Description: Hendrik Weimer has reported a vulnerability in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by a stack overflow when scanning messages with deeply nested multipart content. This can be exploited to crash the service by sending specially crafted emails to a vulnerable system.
Alerts:
Gentoo 200612-18 2006-12-18
SuSE SUSE-SA:2006:078 2006-12-18
Debian DSA-1238-1 2006-12-17
Trustix TSLSA-2006-0072 2006-12-15

Comments (none posted)

dbus: denial of service

Package(s):dbus CVE #(s):CVE-2006-6107
Created:December 15, 2006 Updated:February 12, 2007
Description: Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages).
Alerts:
rPath rPSA-2006-0233-1 2007-02-09
Red Hat RHSA-2007:0008-01 2007-02-08
Ubuntu USN-401-1 2007-01-04
OpenPKG OpenPKG-SA-2006.041 2006-12-21
Fedora FEDORA-2006-1475 2006-12-19
Mandriva MDKSA-2006:233 2006-12-18
Fedora FEDORA-2006-1464 2006-12-14

Comments (none posted)

flash-player: CRLF injection vulnerability

Package(s):flash-player CVE #(s):CVE-2006-5330
Created:December 14, 2006 Updated:December 20, 2006
Description: Adobe Flash Player versions below 7.0.69 are vulnerable to a CRLF injection. Remote attackers can modify HTTP headers in client requests in order to conduct HTTP Request Splitting attacks via CRLF sequences in arguments to the ActionScript functions XML.addRequestHeader and XML.contentType.
Alerts:
SuSE SUSE-SA:2006:077 2006-12-14

Comments (none posted)

gdm: format string vulnerability

Package(s):gdm CVE #(s):CVE-2006-6105
Created:December 15, 2006 Updated:December 20, 2006
Description: The gdmchooser program provides XDMCP (X Display Manager Control Protocol) functionality to the GNOME Display Manager. This protocol allows a user to interact with remote systems via the local X11 display. See this iDefense advisory for additional information.
Alerts:
SuSE SUSE-SR:2006:029 2006-12-19
Fedora FEDORA-2006-1468 2006-12-15
Fedora FEDORA-2006-1467 2006-12-15
Mandriva MDKSA-2006:231 2006-12-14
Ubuntu USN-396-1 2006-12-14

Comments (1 posted)

gnuradius: format string vulnerability

Package(s):gnuradius CVE #(s):CVE-2006-4181
Created:December 14, 2006 Updated:December 20, 2006
Description: GNU Radius has a format string vulnerability in the sqllog function that may be used by an attacker for the remote execution of arbitrary code.
Alerts:
Gentoo 200612-17 2006-12-14

Comments (none posted)

Mozilla stuff: multiple vulnerabilities

Package(s):firefox thunderbird seamonkey CVE #(s):CVE-2006-6497 CVE-2006-6498 CVE-2006-6501 CVE-2006-6502 CVE-2006-6503 CVE-2006-6504 CVE-2006-6505
Created:December 20, 2006 Updated:March 12, 2007
Description: The Mozilla Project has released new versions of firefox, thunderbird, and seamonkey to address the usual pile of security issues; see this announcement or this CERT advisory for details.
Alerts:
Debian DSA-1265-1 2007-03-10
Debian DSA-1258-1 2007-02-07
Debian DSA-1253-1 2006-01-27
Ubuntu USN-398-4 2007-01-27
SuSE SUSE-SA:2007:006 2007-01-12
Mandriva MDKSA-2007:011 2007-01-11
Mandriva MDKSA-2007:010 2007-01-11
Gentoo 200701-04 2007-01-10
Ubuntu USN-400-1 2007-01-04
Gentoo 200701-03 2007-01-04
Gentoo 200701-02 2007-01-04
Ubuntu USN-398-2 2007-01-03
Ubuntu USN-398-3 2007-01-04
Ubuntu USN-398-1 2007-01-02
Fedora FEDORA-2006-004 2007-01-02
rPath rPSA-2006-0234-2 2006-12-22
SuSE SUSE-SA:2006:080 2006-12-29
Slackware SSA:2006-357-03 2006-12-25
Slackware SSA:2006-357-01 2006-12-25
Slackware SSA:2006-357-02 2006-12-25
rPath rPSA-2006-0234-1 2006-12-22
Fedora FEDORA-2006-1499 2006-12-21
Fedora FEDORA-2006-1491 2006-12-20
Fedora FEDORA-2006-1492 2006-12-20
Red Hat RHSA-2006:0759-01 2006-12-19
Red Hat RHSA-2006:0760-01 2006-12-19
Red Hat RHSA-2006:0758-01 2006-12-19

Comments (none posted)

proftpd: stack-based buffer overflow

Package(s):proftpd CVE #(s):CVE-2006-6563
Created:December 18, 2006 Updated:February 14, 2007
Description: A vulnerability exists in the FTP server ProFTPD, versions up to and including 1.3.0a. The vulnerability is caused by a stack-based buffer overflow in the "pr_ctrls_recv_request" function of the "Controls" feature. This is an optional feature of ProFTPD server which is by default disabled in OpenPKG and probably other distributions.
Alerts:
Gentoo 200702-02 2007-02-13
Trustix TSLSA-2006-0074 2006-12-22
Mandriva MDKSA-2006:232 2006-12-18
OpenPKG OpenPKG-SA-2006.039 2006-12-18

Comments (1 posted)

sql-ledger: several remote vulnerabilities

Package(s):sql-ledger CVE #(s):CVE-2006-4244 CVE-2006-4731 CVE-2006-5872
Created:December 18, 2006 Updated:December 20, 2006
Description: Several remote vulnerabilities have been discovered in SQL Ledger, a web based double-entry accounting program, which may lead to the execution of arbitrary code.
Alerts:
Debian DSA-1239-1 2006-12-17

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

apache-mod_auth_kerb: off-by-one error

Package(s):apache-mod_auth_kerb CVE #(s):CVE-2006-5989
Created:November 24, 2006 Updated:January 23, 2007
Description: An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows remote attackers to cause a denial of service (crash) via a crafted Kerberos message that triggers a heap-based buffer overflow in the component array.
Alerts:
Gentoo 200701-14 2007-01-22
Debian DSA-1247-1 2007-01-08
Red Hat RHSA-2006:0746-01 2006-12-06
Fedora FEDORA-2006-1341 2006-11-29
Mandriva MDKSA-2006:218 2006-11-23

Comments (none posted)

avahi: sender id check

Package(s):avahi CVE #(s):CVE-2006-5461
Created:November 13, 2006 Updated:December 20, 2006
Description: Steve Grubb discovered that netlink messages were not being checked for their sender identity. This could lead to local users manipulating the Avahi service.
Alerts:
Ubuntu USN-380-2 2006-12-14
Fedora FEDORA-2006-1340 2006-12-11
Fedora FEDORA-2006-1339 2006-11-28
Gentoo 200611-13 2006-11-20
Mandriva MDKSA-2006:215 2006-11-20
Ubuntu USN-380-1 2006-11-11

Comments (1 posted)

bind: denial of service

Package(s):bind CVE #(s):CVE-2006-4095 CVE-2006-4096
Created:September 7, 2006 Updated:February 1, 2007
Description: Bind has two denial of service vulnerabilities.

Recursive server queries for SIG records will trigger an assertion failure if more than one RR set is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
Fedora FEDORA-2007-164 2007-01-31
Gentoo 200609-11 2006-09-15
Slackware SSA:2006-257-01 2006-09-15
Fedora FEDORA-2006-966 2006-09-11
Debian DSA-1172-1 2006-09-09
Mandriva MDKSA-2006:163 2006-09-08
rPath rPSA-2006-0166-1 2006-09-08
Ubuntu USN-343-1 2006-09-07
OpenPKG OpenPKG-SA-2006.019 2006-09-07

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

clamav: missing sanity checks

Package(s):clamav CVE #(s):CVE-2006-5874
Created:December 11, 2006 Updated:December 14, 2006
Description: Stephen Gran discovered that malformed base64-encoded MIME attachments can lead to denial of service through a null pointer dereference.
Alerts:
Mandriva MDKSA-2006:230 2006-12-13
Debian DSA-1232-1 2006-12-09

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, causing a denial of service even without being able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dovecot: index cache file handling error

Package(s):dovecot CVE #(s):CVE-2006-5973
Created:November 29, 2006 Updated:May 8, 2007
Description: The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable.
Alerts:
Fedora FEDORA-2006-1504 2006-12-27
Fedora FEDORA-2006-1396 2006-12-18
rPath rPSA-2006-0220-1 2006-11-30
Ubuntu USN-387-1 2006-11-28

Comments (none posted)

elinks: arbitrary file access

Package(s):elinks CVE #(s):CVE-2006-5925
Created:November 16, 2006 Updated:February 1, 2007
Description: The ELinks text-mode browser has an arbitrary file access vulnerability in its SMB protocol handler. If a user can be tricked into visiting a specially crafted web page, arbitrary files may be read or written with the user's permissions.
Alerts:
Gentoo 200701-27 2007-01-30
OpenPKG OpenPKG-SA-2006.043 2006-12-26
Debian DSA-1240-1 2006-12-21
Gentoo 200612-16 2006-12-14
Debian DSA-1228-1 2006-12-05
Debian DSA-1226-1 2006-12-03
Fedora FEDORA-2006-1278 2006-11-21
Fedora FEDORA-2006-1277 2006-11-21
Mandriva MDKSA-2006:216 2006-11-20
Red Hat RHSA-2006:0742-01 2006-11-15

Comments (none posted)

enemies-of-carlotta: input sanitizing

Package(s):enemies-of-carlotta CVE #(s):CVE-2006-5875
Created:December 13, 2006 Updated:December 13, 2006
Description: enemies-of-carlotta, a mailing list manager, does not sanitize email addresses before passing them to a shell, so shell metacharacters in an address can lead to command execution.
Alerts:
Debian DSA-1236-1 2006-12-13

Comments (none posted)

ffmpeg: buffer overflows

Package(s):ffmpeg CVE #(s):CVE-2006-4799 CVE-2006-4800
Created:September 14, 2006 Updated:May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI file, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200609-09 2006-09-13

Comments (2 posted)

freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privileges of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

ftpd: privilege escalation

Package(s):ftpd CVE #(s):CVE-2006-5778
Created:November 10, 2006 Updated:February 14, 2007
Description: ftpd is vulnerable to privilege escalation: an incorrect seteuid() call can be used by an FTP user to gain unauthorized access to files or directories.
Alerts:
Debian DSA-1217-1 2006-11-20
Gentoo 200611-05:02 2006-11-10
Gentoo 200611-05 2006-11-10

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking on archive entry names (directory traversal via "../" sequences), allowing the creation or overwriting of files outside of the current directory tree when an archive is extracted.
Alerts:
Mandriva MDVSA-2008:066 2008-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)
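The check fastjar lacked, as an added example (not fastjar's or GCC's own code): before creating any file from an archive, reject entry names that would resolve outside the extraction root. It refuses absolute paths and any ".." component, while accepting "." components and doubled slashes, which cannot escape. Treating backslash as a separator as well is a defensive assumption, since zip entry names are supposed to use forward slashes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Decide whether an archive entry name may be created below the
 * extraction root. Returns true only if the name is relative and no
 * path component is "..". Unix-oriented: it does not know about drive
 * letters, and it does not inspect what the entry *is* (see note below). */
bool entry_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\')      /* absolute path */
        return false;

    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')   /* one path component */
            p++;
        size_t len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;                       /* ".." escapes the root */
        if (*p)
            p++;                                /* skip the separator */
    }
    return true;
}

int main(void)
{
    const char *samples[] = {
        "META-INF/MANIFEST.MF", "a/./b.class", "a//b",
        "../etc/passwd", "a/../../b", "/etc/passwd", "..\\x", ".."
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i],
               entry_name_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

Note that a name check alone is not the whole story for extractors that honour symbolic links: an archive can first create a symlink pointing outside the root and then an entry whose name passes through it. Such extractors also need to refuse (or extract without following) symlinks in the path, or open each component with O_NOFOLLOW.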

gdb: buffer overflow

Package(s):gdb CVE #(s):CVE-2006-4146
Created:September 15, 2006 Updated:June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Red Hat RHSA-2007:0469-01 2007-06-11
Red Hat RHSA-2007:0229-02 2007-05-01
Ubuntu USN-356-1 2006-10-02
Fedora FEDORA-2006-975 2006-09-14

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gnupg: stack overwrite

Package(s):gnupg CVE #(s):CVE-2006-6235
Created:December 12, 2006 Updated:March 13, 2007
Description: A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory.
Alerts:
Fedora FEDORA-2007-316 2007-03-12
Fedora FEDORA-2007-315 2007-03-12
SuSE SUSE-SA:2006:075 2006-12-13
Mandriva MDKSA-2006:228 2006-12-11

Comments (3 posted)

gv: stack-based buffer overflow

Package(s):gv CVE #(s):CVE-2006-5864
Created:November 20, 2006 Updated:April 9, 2007
Description: Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header.
Alerts:
Gentoo 200704-06 2007-04-06
Gentoo 200703-24 2007-03-26
Debian DSA-1243-1 2006-12-28
Debian DSA-1214-2 2006-12-27
Mandriva MDKSA-2006:229 2006-12-13
rPath rPSA-2006-0230-1 2006-12-12
Fedora FEDORA-2006-1438 2006-12-11
Fedora FEDORA-2006-1437 2006-12-11
Ubuntu USN-390-3 2006-12-06
Ubuntu USN-390-2 2006-12-06
Mandriva MDKSA-2006:214-1 2006-12-04
Ubuntu USN-390-1 2006-11-30
Gentoo 200611-20 2006-11-24
Debian DSA-1214-1 2006-11-20
Mandriva MDKSA-2006:214 2006-11-17

Comments (none posted)

gzip: multiple vulnerabilities

Package(s):gzip CVE #(s):CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created:September 19, 2006 Updated:June 1, 2007
Description: Tavis Ormandy of the Google Security Team discovered several flaws in the way gzip expands archive files. If a victim expands a specially crafted archive, some of them cause the gzip executable to hang or crash (denial of service), while others can cause it to execute arbitrary code.

Alerts:
Fedora FEDORA-2007-557 2007-05-31
Gentoo 200611-24 2006-11-28
Fedora-Legacy FLSA:211760 2006-11-13
Fedora FEDORA-2006-989 2006-10-10
SuSE SUSE-SA:2006:056 2006-09-26
Gentoo 200609-13 2006-09-23
Trustix TSLSA-2006-0052 2006-09-22
Mandriva MDKSA-2006:167 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Debian DSA-1181-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Ubuntu USN-349-1 2006-09-19
Red Hat RHSA-2006:0667-01 2006-09-19

Comments (1 posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters such as '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with the user's privileges if zgrep is run in an untrusted directory containing specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

imagemagick: buffer overflows

Package(s):imagemagick CVE #(s):CVE-2006-5868
Created:November 28, 2006 Updated:February 16, 2007
Description: Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Red Hat RHSA-2007:0015-01 2007-02-15
Mandriva MDKSA-2006:223 2006-12-01
Ubuntu USN-386-1 2006-11-28

Comments (1 posted)

ImageMagick: buffer overflows

Package(s):ImageMagick CVE #(s):CVE-2006-5456
Created:October 31, 2006 Updated:March 8, 2007
Description: Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
Alerts:
Slackware SSA:2007-066-06 2007-03-08
rPath rPSA-2007-0029-1 2007-02-08
rPath rPSA-2006-0218-1 2006-11-27
Gentoo 200611-19 2006-11-24
Fedora FEDORA-2006-1285 2006-11-22
Fedora FEDORA-2006-1286 2006-11-22
Debian DSA-1213-1 2006-11-19
SuSE SUSE-SA:2006:066 2006-11-14
Gentoo 200611-07 2006-11-13
Ubuntu USN-372-1 2006-11-01
Mandriva MDKSA-2006:193 2006-10-30

Comments (2 posted)

imlib2: arbitrary code execution

Package(s):imlib2 CVE #(s):CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created:November 6, 2006 Updated:August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03

Comments (none posted)

kdegraphics: stack overflow

Package(s):kdegraphics CVE #(s):CVE-2006-6297
Created:December 12, 2006 Updated:January 13, 2007
Description: A stack overflow in the KFILE JPEG (kfile_jpeg) plugin in kdegraphics3, as used by konqueror, digikam, and other KDE image browsers, allows remote attackers to cause a denial of service (stack consumption) via a crafted EXIF section in a JPEG file, which results in an infinite recursion.
Alerts:
Gentoo 200701-05 2007-01-12
Mandriva MDKSA-2006:227 2006-12-11

Comments (none posted)

kdelibs: integer overflow

Package(s):kdelibs CVE #(s):CVE-2006-4811
Created:October 18, 2006 Updated:March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
Alerts:
Gentoo 200703-06 2007-03-04
Gentoo 200611-02 2006-11-06
Red Hat RHSA-2006:0725-01 2006-11-01
Debian DSA-1200-1 2006-10-30
Slackware SSA:2006-298-01 2006-10-26
Mandriva MDKSA-2006:186 2006-10-19
rPath rPSA-2006-0195-2 2006-10-18
rPath rPSA-2006-0195-1 2006-10-18
Red Hat RHSA-2006:0720-01 2006-10-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

Comments (none posted)

kernel: bridging code buffer overflow

Package(s):kernel CVE #(s):CVE-2006-5751
Created:December 6, 2006 Updated:January 3, 2007
Description: A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix.
Alerts:
Mandriva MDKSA-2007:002 2007-01-02
SuSE SUSE-SA:2006:079 2006-12-21
Fedora FEDORA-2006-1471 2006-12-18
Fedora FEDORA-2006-1470 2006-12-18
Ubuntu USN-395-1 2006-12-13
Debian DSA-1233-1 2006-12-10
rPath rPSA-2006-0226-1 2006-12-06

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:December 3, 2007
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4572 CVE-2006-4997
Created:November 6, 2006 Updated:January 17, 2007
Description: Some vulnerabilities were discovered in the Linux 2.6 kernel:

There are possibly exploitable bugs in the IPv6 netfilter code. (CVE-2006-4572)

The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed. (CVE-2006-4997)

Alerts:
Red Hat RHSA-2007:0013-01 2007-01-17
Red Hat RHSA-2007:0012-01 2007-01-17
Debian DSA-1237-1 2006-12-17
rPath rPSA-2006-0204-1 2006-11-09
Mandriva MDKSA-2006:197 2006-11-03

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-5757
Created:November 13, 2006 Updated:November 14, 2007
Description: From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")."
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Fedora FEDORA-2006-1223 2006-11-12
Fedora FEDORA-2006-1221 2006-11-10

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service) (CVE-2006-4145). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service) and, if intentionally malformed, could cause arbitrary code to run with elevated privileges (CVE-2006-2935). In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack (CVE-2006-3745).
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

koffice: integer overflow

Package(s):koffice CVE #(s):CVE-2006-6120
Created:November 30, 2006 Updated:February 20, 2007
Description: The KOffice office suite has an integer overflow vuln