LWN.net Weekly Edition for February 6, 2003

The Open-HCI project launches

The announcement went out on the last day of January: members of the GNOME and KDE projects have gotten together to improve cooperation between the two with regard to human interface guidelines. For the (many) users who have wanted to see a higher degree of cooperation between KDE and GNOME, this move can only be seen as a step in the right direction.

At the beginning, of course, it is a pretty small step. Both desktop projects maintain a set of usability guidelines which promote consistency and good human factors in desktop applications. The plan is to merge the two sets into a single document. Initially, each project's guidelines will remain in a separate section. Over time, the plan is to find areas which can be merged into shared sections, common to both desktops. The possibility exists that a single set of guidelines could eventually emerge. That is a distant hope, however; for now, the Open-HCI workers are more concerned with details like what format will be used for the combined document.

It would be hard to overestimate the value of a high-quality, shared usability document. Usability work is hard, tedious, and inglorious; it is also a crucial part of the development of end-user applications that actually work. It is exactly the sort of work that free software projects are not supposed to be good at - though much of the work already done within GNOME and KDE puts the lie to that claim. Making it easier for both projects to benefit from the usability work that is being done can only lead to better desktop applications in the future.

Shared usability guidelines should also lead to more consistent behavior between the two desktops. The competition between KDE and GNOME has been a good thing for both projects, and for the Linux desktop as a whole. But there is no need for the two to be separate islands. More consistent behavior will make it easier for users to pick and choose applications from both projects, allowing them to take advantage of the best of each. And that, too, should be good for the Linux desktop.

(See also: usability guidelines for KDE and GNOME; there is also a mailing list for the Open-HCI project).

Desktop Linux Summits and Consortiums

[This article was contributed by Joe 'Zonker' Brockmeier]

Sometimes two stories in the media become inextricably linked. When one story is covered, the other issue is always mentioned -- creating an impression that there is a connection where the link is sometimes tenuous or non-existent.

Such is the case with the Desktop Linux Summit and the Desktop Linux Consortium (DLC).

The link, however, between the Summit and the DLC is thin at best and seems to be the victim of bad timing. With better timing, the DLC might be seen for what its founders want it to be: a meeting of the minds of companies and organizations who are interested in furthering Linux as a desktop operating system.

Questions still remain as to exactly what happened with the Desktop Linux Summit. The event is promoted as a "multi-vendor" event about Linux on the desktop. However, many vendors have abandoned the summit after Bruce Perens was replaced as the keynote speaker by Michael Robertson -- not coincidentally the CEO and founder of Lindows.com.

The original list of sponsors and exhibitors differs greatly from the current list. In fact, at least one organization listed as an exhibitor has asked to be withdrawn. Sam Hiser, of the OpenOffice.org Project confirmed today that the project has asked to be withdrawn from the list of exhibitors. However, they are still listed on the Summit website. A representative for Sun Microsystems also confirmed that they have asked to be removed as an exhibitor, but explained that it was because Sun's speaker would be unavailable for the conference -- not because Perens was no longer speaking.

We spoke with Jill Ratkevic, who was the original coordinator for the Desktop Linux Summit. According to Ratkevic, Robertson and Lindows.com president Kevin Carmony were aware of the decision to have Perens do the keynote. However, Carmony claims that he "always" thought that Robertson would be the keynote speaker and that it was a "mix-up."

We'll take 100 percent responsibility for the miscommunication early on... We haven't come out and told our side of the story, and we really don't want to. We'd rather have everybody think ill of Lindows and get on with business. Okay we're slimeballs, okay we can take that as long as we get on with business. We don't want to spend time on the debate.

Jeremy White, CEO of CodeWeavers, told us that no one had a problem with Robertson speaking -- only the manner in which the change was made. "I think that a lot of folks that were willing to be flexible on the agenda...what was frustrating was the manner in which it was done."

According to Carmony, the event is still sold out, but it certainly has a different flavor now that many Linux companies have pulled out. Attendees listed for the "sold-out" conference now include such Linux-specific companies as Borders, NovaPCs and the Brobeck law firm.

Shawn Gordon, of The Kompany, says he plans to remain involved:

I did pull out for a few days, for a different reason however, and I'm back in it now... My interest is mostly in getting theKompany as much exposure as possible to the main stream press and potential users that haven't heard about us before, and this looked like the best opportunity to do it, regardless of the speakers or program.

The Linux Professional Institute and SuSE will also remain involved. Holger Dyroff, head of SuSE's U.S. operations, said that he did not want to disappoint people who had already made appointments to speak with SuSE.

However, by all accounts, the fuss over the summit is separate from the decision to form a Desktop Linux Consortium. Perens, who is serving as the interim executive director for the consortium, says that the DLC:

...is not a response to the summit issue, but I think that having the Consortium run the next summit will result in some good things... Lindows won't have to pay for everything, and we'll have a better shot at a more even program.

White says that the discussions for the consortium began "more than a month ago." "A few of us got together and said, 'hey, we should do a Linux Desktop Consortium.' We felt that we could use a more unified voice, and it's time for a Linux desktop." White says that the consortium will focus on business users' needs, but "we definitely don't want to neglect grandma."

The consortium is still in the planning stages right now. White says the group is "in a waiting period while we're gathering information."

Despite the fact that a number of DLC members pulled out of the Summit, Lindows.com was still invited to join the DLC. Carmony says that Lindows.com is taking a wait-and-see attitude about the consortium, but that Lindows is "absolutely" open to the idea of joining the group if it turns out to be something they can get behind.

Though the goals of the consortium are still somewhat vague, Perens said that they definitely plan to put on a vendor-neutral desktop conference. Group marketing initiatives also seem to be part of the plan. White says that the group wants to find a way that companies, projects and end-users can work together -- though the details haven't been ironed out yet. Member companies are being asked to pony up $1,000 for membership, but White says that the group doesn't plan to ask free software and open source projects for money.

Some may wonder how successful the consortium will be, since many members are competing companies. However, Perens says that the consortium "won't have to do much to be successful... there are a number of things that the various players should be talking about. There are events that should be held that can be held fairly. We don't have to save the world."

Dyroff says that SuSE doesn't plan to take the most active role in the organization, but that SuSE is behind the idea of pooling marketing efforts and encouraging companies to integrate their products with Linux.

With any luck, the bad blood over the Summit will fade in time and Linux vendors will be able to make Linux a real success on the desktop. Everyone we spoke to for this story indicated a desire to put the issue behind them and to work on making Linux a success rather than focusing on the negatives.

The MS-SQL worm: lessons for free software

The MS-SQL worm has run its course and been cleared off the net. It is also, of course, another example of a proprietary software failure that did not affect Linux users except in indirect ways. Still, the worm is interesting to look at in a number of ways, and it should give free software users and developers a few things to think about.

Much has been written about how quickly the worm spread across the net. Most of the vulnerable systems had been infected within about ten minutes. With that sort of propagation speed, there really is very little that system and network administrators can do; by the time they know that there is a problem, they have already been infected. There is no time to scramble for patches, or even to pull the plug. Someday networks will have to be able to react automatically to this sort of attack; automated response systems, however, are likely to be a source of outages themselves.

The worm infected something on the order of 100,000 hosts. Given the size of the Internet, that is a relatively small number; there just weren't that many vulnerable systems which were directly reachable on the net. Even with such a small proportion of vulnerable systems, however, the worm was able to create a great deal of disruption. It is not necessary to infect much of the net to create trouble for everybody.

This suggests that the talk of software monocultures that one often encounters (including on this site) may be a bit misguided. The net, certainly, is not a monoculture of vulnerable SQL Server systems. Monocultures still increase the risk of truly devastating, global attacks, but their elimination will not necessarily make the net a whole lot safer.

There are plenty of free programs which run on at least 100,000 network-exposed systems. A widespread vulnerability in any of these programs could, conceivably, be used to similar effect by a future attacker. There is a good chance, perhaps almost a certainty, that a vulnerability in free software will be used someday to trash the net. It is not an occasion to look forward to.

Still, there are aspects of the free software way of doing things that help to make this kind of event less likely. They include:

  • Security updates for free programs tend to be small fixes which address the vulnerability and nothing else. Most distributors put considerable effort into backporting fixes to whatever version of the program they shipped. As a result, the security updates are relatively safe and easy to install. The SQL Server fix was, apparently, part of a huge patch set which changed many things. Applying all security updates as they come out to a Linux system can be tedious and annoying, but it is also a reasonable thing to do. It has been said that companies trying to keep up with Microsoft patch sets will encounter more outages from the patches themselves than from security breaches.

    The result of all this is that Linux systems are more likely to be current with their security updates. Or, at least, they have less of an excuse if they fall behind.

  • Many, if not most of the systems compromised by the MS-SQL worm were running a version of SQL Server that came packaged with a completely different application; some examples include the Cisco E-Mail Manager, ISS System Scanner, JD Edwards ERP, Office 2000/XP, Visio, Unicenter, and many others. Many of the people running vulnerable systems had no idea that SQL Server was even present. Free applications do not tend to drag along major subsystems in quite the same way. Further moves toward complicated applications and component architectures could change that, however.

  • SQL Server, by default, opens a port to the world as a whole. For the most part, free software (and Linux distributors) have learned better than that. PostgreSQL and MySQL will talk to the net, and both have had security issues in the recent past. It is a rare installation, however, which has exposed either database server to the net without deliberate action by the system administrator.

All of the above points, hopefully, indicate that free software offers some relative security advantages, especially with regard to widespread infections. We have a long way to go, however, before we can even begin to think that we are safe. Smugness is the wrong response to this episode; instead, we need to learn from it and redouble our efforts to keep it from happening to us.

Page editor: Jonathan Corbet

Security

Security news

Vulnerabilities and alerts in 2002

One of the advantages to having a site built on a real database is that you can use it to generate nifty tables. When we ran a list of vulnerabilities and alerts one year ago, the whole thing was generated by hand. Life is easier this time around.

...at least, if you're not concerned with keeping your systems secure. The following table, which covers the second half of 2002, contains 119 separate vulnerabilities, and well over 300 alerts. As much as we like to say that free software is more secure, the table below makes it clear that it is not anywhere near secure enough.

On the other hand, it's worth pointing out that almost none of the vulnerabilities listed below have, to our knowledge, been exploited on any kind of scale. Most of these problems have been found (and fixed) by developers proactively auditing the code; in general, the fixes seem to get out to most users in time to avoid widespread problems. Many of these vulnerabilities are, most likely, relatively hard to exploit.

The table reveals some of the limitations of our security database. If a vulnerability has no alerts from a particular distributor, it does not necessarily mean that said distributor never got around to fixing the problem. In many cases, the distributor did not ship a vulnerable version of the affected program, and thus did not need to put out an update.

Vulnerability Conectiva Debian Gentoo Mandrake Red Hat SCO SuSE
acroread X
amavis X
apache
apache X X X X X X X X
bind X X X X X
bind glibc X X X X X X X X
bugzilla X
bugzilla X
bugzilla X
bzip2 X
cacti X
canna X X X X
cups X X X X X X
cvs X
cyrus-imapd X X
cyrus-sasl X X
dhcpcd X X X X
dietlibc X X X
dvips X X X X X X
epic4-script-light X
ethereal X X X
evolution
exim X
fam X
fetchmail X X X X X X
fetchmail X X X X X X X
freeswan X
gaim X X
gaim X X X X
gallery X
glibc X X X X X X X X X
glibc X X
gtetrinet X X
gv X X X X X X X X
heartbeat X X X
heimdal X X
html2ps X X
hylafax X X X
i4l X
im X X
inn X
interchange X
irssi-text X
kde X X
kde X X X X X X X X X X X X X X
kdelibs X X X X
kdelibs X X X
kdenetwork X X X X
kernel X
kernel X X X
kernel X X X
kernel X
kgpg X
krb5 X X X
krb5 X
krb5, heimdal X X X X X X X X
l2tpd X
mod_ssl X X X X X
libpng X X X X
libpng X
libpng X X X X X
linuxconf
linuxconf X
log2mail X
luxman X
lynx X X
mailman X X
mantis X
mantis X X
masqmail X
mhonarc X X X
micq X
mm X X X X X X
mod_php4
mod_ssl X X X X X
mozilla X
mpack X
mysql X X X X X X
net-snmp X
nis, ypserv X X X X X X
nn
nss_ldap X X X
nullmailer X
openafs X
pam X
php X X X
pine X X X X
purity X
pxe X X
python X X X X X X X X
samba X X X X X X
scrollkeeper X X X
sendmail X
sendmail X X X X
smb2www X
squid X
squid X X X X
squirrelmail X X X X X
super X
syslog-ng X X X X
tar unzip X X X X X X
tcltk expect X X
tcpdump X X
tinyproxy X
tkmail X
tomcat X X X X X
traceroute X
util-linux X X X X
wget X X X X X X
windowmaker X X X
wordtrans X
wwwoffle X X X
xf86 xfree86 X X X X
xinetd X X X X X
zope X
zope X
sqwebmail X
Konqueror X
MailTools X X X
OpenLDAP2 X X X X X
OpenSSL X X X X X X X X X X X X
PHP X X X X
PostgreSQL X X X X X X X
Safe.pm X X

New vulnerabilities

bladeenc - improper input verification

Package(s):bladeenc CVE #(s):
Created:February 5, 2003 Updated:February 5, 2003
Description: Versions 0.94.2 (and prior) of the Blade MP3 encoder contain an input validation vulnerability which can lead to arbitrary code execution; see the Gentoo advisory for details.
Alerts:
Gentoo 200302-04 2003-02-05

courier - missing input sanitizing

Package(s):courier CVE #(s):CAN-2003-0040
Created:January 30, 2003 Updated:February 5, 2003
Description: The developers of courier, an integrated user side mail server, discovered a problem in the PostgreSQL auth module. Not all potentially malicious characters were sanitized before the username was passed to the PostgreSQL engine. An attacker could inject arbitrary SQL commands and queries exploiting this vulnerability. The MySQL auth module is not affected.
Alerts:
Debian DSA-247-1 2003-01-30
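The class of bug described above, written out as an added example in C; this is not courier's code, and the attack string is constructed for the example. A quoting routine that doubles only the single quote is bypassed, on a PostgreSQL of that era where a backslash inside a string literal is an escape character, by a username ending in a backslash-escaped quote: the lexer sees the literal close early and the rest of the username runs as SQL. The strict version doubles both characters and refuses control characters. literal_extent is a small model of the lexer, used only to show where a literal ends.

```c
#include <stdlib.h>
#include <string.h>

/* Weak quoting: only the single quote is doubled. This is the shape the bug
 * class typically takes (an illustration, not courier's actual code).
 * Returns a malloc'd literal with surrounding quotes, or NULL. */
char *quote_weak(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(2 * n + 3);
    char *p = out;
    if (out == NULL)
        return NULL;
    *p++ = '\'';
    for (; *s; s++) {
        if (*s == '\'')
            *p++ = '\'';
        *p++ = *s;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Strict quoting for a server where backslash escapes inside literals:
 * both ' and \ are doubled, and control characters are refused (NULL). */
char *quote_strict(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(2 * n + 3);
    char *p = out;
    if (out == NULL)
        return NULL;
    *p++ = '\'';
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f) {
            free(out);
            return NULL;
        }
        if (c == '\'' || c == '\\')
            *p++ = (char)c;
        *p++ = (char)c;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Model of how a backslash-aware SQL lexer consumes a single-quoted literal:
 * returns the number of bytes the literal occupies, or 0 if unterminated. */
size_t literal_extent(const char *lit)
{
    size_t i = 1;
    if (lit[0] != '\'')
        return 0;
    while (lit[i] != '\0') {
        if (lit[i] == '\\' && lit[i + 1] != '\0') {
            i += 2;                 /* backslash escape: next byte is data */
        } else if (lit[i] == '\'') {
            if (lit[i + 1] == '\'')
                i += 2;             /* doubled quote: a literal ' */
            else
                return i + 1;       /* closing quote */
        } else {
            i++;
        }
    }
    return 0;
}

/* 1 if the lexer sees exactly one literal with nothing after it, i.e. no
 * attacker-controlled text escaped from the quotes. */
int literal_is_whole(const char *lit)
{
    size_t n = literal_extent(lit);
    return n != 0 && lit[n] == '\0';
}
```

The durable fix is not to build the query text at all: libpq's PQexecParams passes the username out of band as a bound parameter, and where string building cannot be avoided PQescapeStringConn quotes with the server's actual escaping rules rather than a hand-written list of bad characters.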

kernel - Multiple vulnerabilities in version 2.4.18 of the kernel

Package(s):kernel CVE #(s):CAN-2003-0001 CAN-2003-0018
Created:February 4, 2003 Updated:February 5, 2003
Description: Vulnerabilities have been found in version 2.4.18 of the kernel.

Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0001 to this issue.

A vulnerability exists in O_DIRECT handling in Linux kernels 2.4.10 and later that can create a limited information leak where any user on the system with write privileges to a file system can read information from that file system (from previously deleted files), and can create minor file system corruption (easily repaired by fsck). Red Hat Linux in its default configuration is not affected by this bug, because the ext3 file system (the default file system in Red Hat Linux 7.2 and later) does not support the O_DIRECT feature. Of the kernels Red Hat has released, only the 2.4.18 kernels have this bug. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0018 to this issue.

Alerts:
Red Hat RHSA-2003:025-20 2003-02-03
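A check a responder can run over captured traffic for the first issue (the NIC padding leak), added here as example C code rather than anything from the advisory or the kernel: for an IPv4 frame it locates the bytes after the end of the datagram, as given by the IP total-length field, and counts those that are not zero. A correct driver zero-fills that region. build_sample_frame constructs a 60-byte ICMP echo frame for the example; the pad bytes passed in are constructed stand-ins for whatever a driver left in its transmit buffer (checksums are left zero, the check does not look at them).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN      14
#define ETH_MIN_FRAME 60    /* minimum Ethernet frame length without the 4-byte FCS */

/* Count non-zero bytes in the padding of a captured IPv4 frame: the bytes
 * between the end of the datagram (IP total-length field) and the end of the
 * frame. 0 is the expected result from a driver that pads correctly; a
 * positive count means the pad carries stale memory. Returns -1 for frames
 * that are not plain IPv4 or are malformed. */
int leaked_padding_bytes(const uint8_t *frame, size_t len)
{
    const uint8_t *ip;
    size_t ihl, total, i;
    int nonzero = 0;

    if (len < ETH_HLEN + 20)
        return -1;
    if (frame[12] != 0x08 || frame[13] != 0x00)   /* EtherType IPv4 only */
        return -1;
    ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4)
        return -1;
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    total = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || total < ihl || ETH_HLEN + total > len)
        return -1;
    for (i = ETH_HLEN + total; i < len; i++)
        if (frame[i] != 0)
            nonzero++;
    return nonzero;
}

/* Constructed sample: a 60-byte frame carrying a 28-byte IPv4/ICMP echo
 * request (10.0.0.1 -> 10.0.0.2). The 18 bytes after the datagram are
 * copied from `pad`, standing in for driver buffer contents. Checksums are
 * left zero. Returns the frame length. */
size_t build_sample_frame(uint8_t *out, const uint8_t *pad)
{
    uint8_t *ip = out + ETH_HLEN;
    memset(out, 0, ETH_MIN_FRAME);
    memset(out, 0xff, 6);                               /* dst: broadcast */
    memcpy(out + 6, "\x00\x11\x22\x33\x44\x55", 6);     /* src MAC */
    out[12] = 0x08; out[13] = 0x00;                     /* EtherType IPv4 */
    ip[0] = 0x45;                                       /* v4, IHL 5 */
    ip[2] = 0; ip[3] = 28;                              /* total length 28 */
    ip[8] = 64; ip[9] = 1;                              /* TTL 64, ICMP */
    memcpy(ip + 12, "\x0a\x00\x00\x01", 4);             /* src 10.0.0.1 */
    memcpy(ip + 16, "\x0a\x00\x00\x02", 4);             /* dst 10.0.0.2 */
    ip[20] = 8;                                         /* ICMP echo request */
    memcpy(out + ETH_HLEN + 28, pad, ETH_MIN_FRAME - ETH_HLEN - 28);
    return ETH_MIN_FRAME;
}

/* Build the sample frame with the given 18 pad bytes (NULL = proper zero
 * padding) and run the check on it. */
int sample_leak_count(const char *pad)
{
    uint8_t frame[ETH_MIN_FRAME];
    uint8_t zero[18] = {0};
    size_t n = build_sample_frame(frame, pad ? (const uint8_t *)pad : zero);
    return leaked_padding_bytes(frame, n);
}
```

On a real capture, feed every frame shorter than or equal to 60 bytes (the ones that needed padding) through leaked_padding_bytes; any frame that comes back positive is evidence that the sending host's driver has this bug, and the padding itself is the leaked data.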

krb5 - vulnerability in Kerberos ftp client

Package(s):krb5 ftp netkit CVE #(s):CAN-2003-0041
Created:January 31, 2003 Updated:February 21, 2003
Description: Kerberos is a network authentication system.

A problem has been found in the Kerberos ftp client. When retrieving a file with a filename beginning with a pipe character, the ftp client will pass the filename to the command shell in a system() call. This could allow a malicious ftp server to write to files outside of the current directory or execute commands as the user running the ftp client.

The Kerberos ftp client runs as the default ftp client when the Kerberos package krb5-workstation is installed on a Red Hat Linux distribution.

Alerts:
Red Hat RHSA-2003:020-10 2003-01-31
Mandrake MDKSA-2003:021 2003-02-21
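The decision the ftp client has to make, as an added C example that is not the krb5 or netkit patch: the classic BSD-derived client treats a local name beginning with a pipe character as a command to pipe the data into, which is exactly what a malicious server exploits when mget reuses the names the server listed. remote_name_is_safe is the kind of vetting a server-supplied name should pass before it becomes a local path: it refuses the pipe form, "-" (which some clients map to stdout), any directory component, and control characters. The command strings used in the test are constructed.

```c
#include <string.h>

enum output_kind { OUT_REJECT, OUT_FILE, OUT_PIPE };

/* What the classic ftp client does with a local file name: a leading '|'
 * means "pipe the data into this command". Fine when the user typed the
 * name; dangerous when the name came from the server. */
enum output_kind classic_output_kind(const char *name)
{
    if (name == NULL || *name == '\0')
        return OUT_REJECT;
    if (name[0] == '|')
        return OUT_PIPE;
    return OUT_FILE;
}

/* Check applied to a name the server supplied (e.g. from the listing mget
 * walks) before it is reused as a local path. Example code, not the krb5 or
 * netkit fix itself. Returns 1 if the name can only ever become a plain
 * file in the current directory. */
int remote_name_is_safe(const char *name)
{
    const unsigned char *p;
    if (name == NULL || *name == '\0')
        return 0;
    if (name[0] == '|' || strcmp(name, "-") == 0)
        return 0;                              /* pipe form, stdout form */
    if (strchr(name, '/') != NULL)
        return 0;                              /* directory component */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (p = (const unsigned char *)name; *p != '\0'; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;                          /* control characters */
    return 1;
}

/* The hardened path: a server-supplied name is vetted first, so the classic
 * logic can only ever see a plain file name. */
enum output_kind server_supplied_output_kind(const char *name)
{
    if (!remote_name_is_safe(name))
        return OUT_REJECT;
    return classic_output_kind(name);
}
```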

qt-dcgui: file leaking

Package(s):qt-dcgui CVE #(s):
Created:February 4, 2003 Updated:February 5, 2003
Description: All versions of qt-dcgui prior to 0.2.2 have a major security vulnerability in the directory parser. This bug allows a remote attacker to download files outside the sharelist. It's recommended that you upgrade the packages immediately.

Read the full announcement at: http://dc.ketelhot.de/pipermail/dc/2003-January/000094.html

Alerts:
Gentoo 200302-03 2003-02-04

slocate - buffer overflow

Package(s):slocate CVE #(s):CAN-2003-0056
Created:February 5, 2003 Updated:May 8, 2003
Description: Version 2.6 (at least) of slocate contains a buffer overflow vulnerability which could lead to a local exploit; see the Gentoo advisory for the details.
Alerts:
Gentoo 200302-02 2003-02-02
Mandrake MDKSA-2003:015 2003-02-05
Debian DSA-252-1 2003-02-21
SCO Group CSSA-2003-009.0 2003-03-06
Conectiva CLA-2003:643 2003-05-08

Updated vulnerabilities

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
SuSE SuSE-SA:2002:041 2002-11-05
Gentoo 200211-001 2002-11-06
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200302-01 2003-02-02
Debian DSA-386-1 2003-09-18

OpenLDAP2: remote command execution

Package(s):OpenLDAP2 CVE #(s):CAN-2002-1378 CAN-2002-1379
Created:December 6, 2002 Updated:February 21, 2003
Description: OpenLDAP is the Open Source implementation of the Lightweight Directory Access Protocol (LDAP) and is used in network environments for distributing certain information such as X.509 certificates or login information.

The SuSE Security Team reviewed critical parts of that package and found several buffer overflows and other bugs remote attackers could exploit to gain access on systems running vulnerable LDAP servers. In addition to these bugs, various local exploitable bugs within the OpenLDAP2 libraries (openldap2-devel package) have been fixed.

Since there is no workaround possible except shutting down the LDAP server, an update is strongly recommended.

Alerts:
SuSE SuSE-SA:2002:047 2002-12-06
Conectiva CLA-2002:556 2002-12-19
Gentoo 200212-12 2002-12-28
Debian DSA-227-1 2003-01-13
Mandrake MDKSA-2003:006 2003-01-14
Red Hat RHSA-2003:040-07 2003-02-05
Trustix 2003-0002 2003-02-20

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

Heap corruption vulnerability in at

Package(s):at at, sudo, xchat CVE #(s):CAN-2002-0004
Created:May 21, 2002 Updated:May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th).
Alerts:
Debian DSA-102-1 2002-01-16
Debian DSA-102-2 2002-01-18
Mandrake MDKSA-2002:007 2002-01-18
Red Hat RHSA-2002:015-13 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Slackware sl-1011706104 2002-01-22
SuSE SuSE-SA:2002:003 2002-01-16
Yellow Dog YDU-20020127-9 2002-01-27
EnGarde ESA-20030515-015 2003-05-15

BIND8: Multiple vulnerabilities

Package(s):bind CVE #(s):CAN-2002-1219 CAN-2002-1220 CAN-2002-1221
Created:November 13, 2002 Updated:March 6, 2003
Description: Three new vulnerabilities have been found in version 8 of the Berkeley Internet Domain Server; see this ISS advisory, the CERT Advisory CA-2002-31, or the November 14 LWN Security Page for details.

Red Hat has sent out an alert (not a regular advisory) suggesting that customers apply its previous BIND updates, which upgrade the system to BIND9.

Alerts:
EnGarde ESA-20021114-029 2002-11-14
SuSE SuSE-SA:2002:044 2002-11-13
Mandrake MDKSA-2002:077 2002-11-14
Conectiva CLA-2002:546 2002-11-14
Debian DSA-196-1 2002-11-14
OpenPKG OpenPKG-SA-2002.011 2002-11-15
Trustix 2002-0076 2002-11-15
SCO Group CSSA-2002-059.0 2002-12-19
Sorcerer SORCERER2003-03-06 2003-03-06

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates are available from the Internet Software Consortium (ISC).

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
OpenPKG OpenPKG-SA-2002.006 2002-07-04
SuSE SuSE-SA:2002:026 2002-07-09
Conectiva CLA-2002:507 2002-07-11
Gentoo glibc-20020713 2002-07-13
Trustix 2002-0061 2002-07-15
Mandrake MDKSA-2002:043 2002-07-16
EnGarde ESA-20020724-018 2002-07-24
Red Hat RHSA-2002:139-10 2002-07-22
Eridani ERISA-2002:028 2002-07-25
Yellow Dog YDU-20020801-2 2002-08-01
SCO Group CSSA-2002-034.0 2002-08-05
Red Hat RHSA-2002:133-13 2002-08-08
Eridani ERISA-2002:035 2002-08-09
Yellow Dog YDU-20020810-3 2002-08-10
Mandrake MDKSA-2002:050 2002-08-13

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
Red Hat RHSA-2002:246-18 2002-12-04
Gentoo 200212-8 2002-12-20
Debian DSA-224-1 2003-01-08
SCO Group CSSA-2003-005.0 2003-01-21

cups - multiple vulnerabilities

Package(s):cups CVE #(s):CAN-2002-1366 CAN-2002-1367 CAN-2002-1368 CAN-2002-1369 CAN-2002-1371 CAN-2002-1372 CAN-2002-1383
Created:December 30, 2002 Updated:February 17, 2003
Description: Multiple CUPS vulnerabilities allow local and remote attackers, in the worst case, to gain root privileges. See the iDEFENSE advisory for more information.
Alerts:
Gentoo 200212-13 2002-12-29
SuSE SuSE-SA:2003:002 2003-01-02
Mandrake MDKSA-2003:001 2003-01-09
Red Hat RHSA-2002:295-07 2003-01-09
Yellow Dog YDU-20030114-1 2003-01-14
Debian DSA-232-1 2003-01-20
SCO Group CSSA-2003-004.0 2003-01-20
Debian DSA-232-2 2003-02-20

CVS - exploitable double-free bug in the CVS server

Package(s):cvs CVE #(s):CAN-2003-0015
Created:January 20, 2003 Updated:April 7, 2003
Description: CVS is a version control system frequently used to manage source code repositories. During an audit of the CVS sources, Stefan Esser discovered an exploitable double-free bug in the CVS server.

On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server.

All users of CVS are advised to upgrade to erratum packages which contain patches to correct the double-free bug.

See also this CERT advisory

Alerts:
Red Hat RHSA-2003:012-07 2003-01-20
Mandrake MDKSA-2003:009 2003-01-20
OpenPKG OpenPKG-SA-2003.004 2003-01-21
Gentoo 200301-12 2003-01-21
Debian DSA-233-1 2003-01-21
Conectiva CLA-2003:560 2003-01-21
Slackware sl-1043242333 2003-01-22
SuSE SuSE-SA:2003:0007 2003-01-22
Conectiva CLA-2003:561 2003-01-23
Yellow Dog YDU-20030127-6 2003-01-27
SCO Group CSSA-2003-006.0 2003-01-31
Immunix IMNX-2003-7+-004-01 2003-04-02

dhcp3 - ignored counter boundary

Package(s):dhcp3 CVE #(s):CAN-2003-0039
Created:January 28, 2003 Updated:April 4, 2003
Description: Florian Lohoff discovered a bug in dhcrelay that causes it to send a continuing packet storm towards the configured DHCP server(s) when it receives a malicious BOOTP packet, such as one sent by buggy Cisco switches.

When dhcrelay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff, which causes the network interface to reflect the packet back into the socket. To prevent loops, dhcrelay checks whether the relay address in the packet is its own, in which case the packet is dropped. Combined with the missing upper bound on the hop counter, this lets an attacker force dhcrelay to send a continuing packet storm towards the configured DHCP server(s).

The fix introduces a new command-line switch ``-c maxcount''; people are advised to start dhcrelay with ``dhcrelay -c 10'' or a smaller number, which limits it to that many packets.

The dhcrelay program from the ``dhcp'' package does not seem to be affected since DHCP packets are dropped if they were apparently relayed already.

Alerts:
Debian DSA-245-1 2003-01-28
OpenPKG OpenPKG-SA-2003.012 2003-02-19
Red Hat RHSA-2003:034-01 2003-03-31
Conectiva CLA-2003:616 2003-04-04
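The relay logic the advisory describes, written out as an added C example that is not dhcrelay's code: relay_decide has the existing loop check (drop when the relay address, the BOOTP giaddr field, is already our own) and the hop bound that ``-c maxcount'' adds; reflected_storm_count models the reported condition, in which the attacker's packet already carries a foreign, non-zero giaddr, so the loop check never matches and the reflected copy keeps coming round. The addresses are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define BOOTREQUEST 1

/* Leading fields of a BOOTP/DHCP message (RFC 951 layout); only the ones
 * the relay decision needs are used. */
struct bootp_hdr {
    uint8_t  op;       /* BOOTREQUEST or BOOTREPLY */
    uint8_t  htype;
    uint8_t  hlen;
    uint8_t  hops;     /* incremented by every relay the packet crosses */
    uint32_t xid;
    uint16_t secs;
    uint16_t flags;
    uint32_t ciaddr;
    uint32_t yiaddr;
    uint32_t siaddr;
    uint32_t giaddr;   /* address of the first relay, 0 if none */
};

enum relay_verdict {
    RELAY_FORWARD, RELAY_DROP_NOT_REQUEST, RELAY_DROP_LOOP, RELAY_DROP_HOPS
};

/* Relay decision for one received request. The giaddr comparison is the loop
 * protection the advisory describes; the hop bound (max_hops, 0 = unbounded,
 * i.e. the pre-fix behaviour) is what "-c maxcount" adds. On forward the
 * header is updated in place as a relay would. Example code, not dhcrelay's. */
enum relay_verdict relay_decide(struct bootp_hdr *p, uint32_t my_addr, int max_hops)
{
    if (p->op != BOOTREQUEST)
        return RELAY_DROP_NOT_REQUEST;
    if (p->giaddr == my_addr)
        return RELAY_DROP_LOOP;              /* our own relayed copy came back */
    if (max_hops > 0 && p->hops >= max_hops)
        return RELAY_DROP_HOPS;              /* the fix */
    if (p->giaddr == 0)
        p->giaddr = my_addr;                 /* first relay stamps its address */
    p->hops++;
    return RELAY_FORWARD;
}

/* Model of the reported storm: the request already carries a foreign,
 * non-zero giaddr (constructed; anything but my_addr), so the relay never
 * recognises the reflected broadcast as its own and the same header comes
 * round again. Returns how many copies the relay sends before it stops,
 * capped at `cap` iterations: with max_hops 0 it never stops on its own,
 * because the 8-bit hops field simply wraps. */
int reflected_storm_count(uint32_t my_addr, uint32_t attacker_giaddr, int max_hops, int cap)
{
    struct bootp_hdr pkt;
    int forwarded = 0;
    memset(&pkt, 0, sizeof pkt);
    pkt.op = BOOTREQUEST;
    pkt.htype = 1;
    pkt.hlen = 6;
    pkt.giaddr = attacker_giaddr;
    while (forwarded < cap) {
        if (relay_decide(&pkt, my_addr, max_hops) != RELAY_FORWARD)
            break;
        forwarded++;
    }
    return forwarded;
}
```

RFC 1542 already requires a relay agent to discard any BOOTREQUEST whose hops field exceeds 16, so a bound at or below that, as the advised -c 10 is, costs legitimate traffic nothing; a normal request (giaddr 0) is stamped with the relay's own address on its first pass and caught by the loop check on the reflected one, which is why the bug only shows with a pre-set foreign giaddr.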
