Linux and flash
As part of your editor's moral duty to be a torment to his children, he
requires them to use Linux whenever possible. They have come to realize
that Linux works well for almost anything required by their school, but
that it is not up to their requirements for fun. The lack of a World of
Warcraft client is a big problem, but the lack of solid Flash support seems
to be an even bigger one. The YouTube/MySpace lifestyle remains hard to
support on Linux; children are unimpressed by our high-quality Theora
implementation.
One of the things your editor heard Lawrence Lessig say at Wizards of OS 4 was that
video is the communication medium of our time. The free software world
needs to better support this channel. In support of this argument,
consider that those of us interested in the next U.S. presidential election
(a mere year and a half away) may have to resort increasingly to anonymously-posted
videos to get our full share of attack advertisements. The best
mudslinging will be unavailable to those of us stuck in the text world.
While there are a number of video formats out there, what all of this
really comes down to is that we need decent support for Flash. For better
or for worse, Flash dominates in a number of areas, including
network video and a number of interactive site features. It's not just for
really obnoxious advertisements anymore. We do not have decent support for
Flash now; that proprietary plugin just does not cut it in the free
software world.
The good news is that we're getting closer to the level of support we
need. In particular, Benjamin Otte has recently announced
that the swfdec Flash
player is now able to work with video from YouTube. In general, swfdec has
some ground to cover yet; to answer the question of whether swfdec can
replace proprietary Flash Benjamin writes:
That really depends on your definition of close. For the definition
"implements all of Flash's features" it'll probably not hit 5%. For
the definition of "plays all the Flash files on the Web" I think
it's 80/20 right now. Swfdec plays 80% of the ads and 20% of the
real content.
What's important here is that swfdec has hit a point where it will start to
be truly useful; that, in turn, may help to attract more developers to the
project. A program which almost works is often more attractive to hack on
than something which is just a promise for the future.
Swfdec is not the only Flash-related project out there; Gnash is also working toward
a solution to this problem. Gnash would also appear to be at a similar
point in development; the project is not quite ready to proclaim YouTube
support, but, according to Gnash hacker Rob
Savoye, that's a result of different objectives:
I don't want to sound like I'm insulting swfdec, I think it's good
there are multiple open source flash players. But swfdec is tweaked
to handle primarily YouTube, Gnash handles many more Flash movies
correctly. It's a difference in focus.
Given that what we need is one truly good Flash player, one might well
wonder what the point of two competing projects is. That is the same
question people asked about desktops in the past; at this point it seems
clear (to your editor, at least) that the competition between GNOME and KDE
has helped to increase the pace of free desktop development and to explore
different approaches to the graphical Linux experience. The important
thing is to focus on
the development and stay away from silly flame wars. To that end, Rob's
message contains some good news:
We all spend a lot of time talking about Flash
internals. [Benjamin's] very happy. We're happy too, because of the
discussions of how swfdec and Gnash are implemented, we're learning
things from each other's experiences.
If the projects can continue to cooperate and learn from each other, Linux
should have a high-quality Flash implementation in short order. If some of
the more desktop-oriented distributions were to realize that supporting
these projects is very much in their own interest, it could happen even
sooner. There are few limits to what a free software project can do once
it gets rolling.
A good Flash player is just the beginning, however. If we want free
software to have a significant role in the creation of all this content, we
need good authoring tools - and those are rather further behind. Another
thing Lawrence Lessig urged was the creation of a free software culture for
Flash developers, almost all of whom are, for all practical purposes,
shipping binaries at this point. Some good free Flash tools, along with
increased support for sharing source, could transform the Flash development
world - for video and more. We could help to bring freedom to an important
communication medium; that would be even better than creating the ability
to watch silly videos with free software tools.
Comments (32 posted)
Playing with the N800
Your editor recently decided to pick up a
Nokia N800 tablet device. This
acquisition wasn't just another case of yielding to the lure of a new
gadget - your editor would
never do that. Instead, the hope was
that the N800 would be useful as a way of getting onto the net and dealing
with simple situations without having to haul the laptop everywhere.
Besides, such a device is always good for an article or two, at a cost that
isn't that much above buying an article from an outside author.
Besides, it's a cool new gadget.
The N800 is, naturally, a Linux-powered device. It has an 800x480 screen,
two speakers, and a pop-out camera. There's a headphone jack, a USB port,
and two SD memory slots. The device can communicate wirelessly via 802.11
or Bluetooth. Also provided is a stylus which is used for most interaction
with the device; there is a built-in storage slot for the stylus which
should help to prevent loss, but it's still nice that Nokia thought to
provide a spare as well.
On the connectivity side, the N800 developers have done some nice work. On
the first boot, the tablet offers to pair with a Bluetooth-capable
phone and set up a GPRS connection automatically. Anybody who has been
through the process of setting up a Bluetooth/GPRS link on a Linux system
knows that there can be a certain amount of pain involved - and that's
before trying to get any real work done over such a painfully slow
connection. Having GPRS Just Work is a nice bonus. The tablet also
handles WiFi connections easily.
After that, however, a new N800 user might well feel at a bit of a loss. The
startup screen includes a Google search bar (the usage of which is entirely
straightforward), an RSS reader window with no subscribed feeds, a contact
manager window (with no contacts, obviously), and a "Discover Tableteer"
window which, when "tapped," opens a web browser on a remarkably static and
unhelpful Nokia page. Digging through the menus yields a simple email
client. Anybody expecting something that feels like a normal
Linux system will be disappointed; there's not a whole lot else there.
That can be changed, of course; we'll get to application installation
shortly.
The tablet comes packaged with a user's manual, in PDF format, in a large
number of languages. The user will not encounter this manual until he or
she happens to fire up the file manager and look in the right place,
however. The "Discover Tableteer" window does not do much to help a
beginning user find this useful document.
Text entry is done through a keyboard which appears at the bottom of the
screen; individual letters are approximately 2mm square. In practice, the
letters are not hard to hit, and, with a bit of practice, one gets good at
entering text quickly. Learning the simple gestures to minimize trips to the shift
keys helps a lot. There is another mode where the keyboard expands to fill
most of the screen; in this mode, the stylus can be put aside and text can
be typed directly with the fingers. It works, and can be nice for extended
text input, but your fat-fingered editor had a hard time using it as a real
QWERTY keyboard. Finally, the tablet does support handwriting recognition,
but your editor has not really had a chance to play with that mode yet.
The web browser is the proprietary Opera application. It works reasonably
well for the most part, making good use of the limited display space. Your
editor has found it to be not entirely stable; it occasionally hangs and
must be restarted. Dragging Google maps
around does not work. Pages generally render well, though; the browser is
good enough for the sort of work one would want to do on a small tablet
device.
Your editor tried the Minimo
browser as well. It does not seem to render pages as nicely as Opera,
based on some quick tests. It is also far less stable; your editor managed
to crash it almost immediately. Still, Minimo will stay on the system in
the hope that it gets better; your editor would much prefer to run free
software on this system.
There is an application manager which can be used to install more software
onto the tablet. The bad news is that it has little to offer out of the
box. The good news is that one can go to maemo.org to look for a rather wider variety
of software goodies for the device. The bad news is that the majority of
those applications, as of this writing, say "missing install" and cannot
actually be installed onto a tablet. The good news is that there's still
quite a few useful tools available. In short order, your editor was able
to equip his tablet with essential utilities like xterm and an ssh client.
The really bad news showed up with some of the other interesting
packages, such as vim and gnumeric. The application manager will happily
download the packages before popping up a window which says:
Unable to install: some application packages required for the installation are missing.
Such a message would perhaps have been acceptable ten years ago on some
distributions. One would not expect to see it on a Debian-based system in
2007. There is no excuse for an "application manager" which is unable to
handle dependencies anymore.
The N800 includes a (proprietary) Flash player and a media player as well.
As many others have noted, the tablet comes well equipped to handle
patent-encumbered formats like MP3 but it cannot play an Ogg file. One can
make an argument for minimizing the size of the base system on a
resource-limited tablet, but there's no easy way to fill in that gap
afterward either. It would appear that installing an Ogg player, at this
point in time, would involve downloading the development kit and building
the application from source.
In general, the N800 feels a little like an unfinished product. Nokia has
created a nice piece of hardware, based (mostly) on free software, and
appears to be hoping that the development community will help turn it into
a fully capable device. The company's practice of selling tablets to
developers at a sharply-reduced price is clearly intended to help make this
happen. One can only hope that Nokia succeeds here; the company has done
what we really need it to do: it has made an open, Linux-based device. We
certainly have the ability to make it do interesting things from here.
Comments (9 posted)
The road to freedom in the embedded world
March 16, 2007
This article was contributed by Georg Greve
If I had to choose the single moment that defines when the Free
Software movement became self-aware, it would be the 1983 publication
of the GNU manifesto by
Richard Stallman. Despite its age it is
amazingly up to date. Free Software has come a long way since that
time; creating an alternative by inspiring people to put together the
GNU Project piece by piece on a proprietary platform.
Only with the publication of the Linux kernel were people able to see
pure Free Software operating systems running on their computers in the
90s. But they were still booting off a proprietary BIOS, and we also
saw an increasing tendency to put hardware functionality into
proprietary firmware. Only recently have projects such as LinuxBIOS
managed to bring more freedom to the BIOS, although notebooks
still are problematic. The issue of proprietary firmware is still
being worked on, including by
the FSF.
Compared to the situation in the personal computer area, embedded
devices are still several years behind, but there are people who are
working hard to catch up. I recently had the pleasure to learn a
little more about this exciting field.
One device that a lot of people have in their homes or offices are
routers to connect to the internet. Until not so long ago, these used
to be entirely proprietary. That is no longer true. Not only do
several vendors provide routers with more or less free firmware based
on the Linux kernel, but the OpenWRT
project and its younger
offspring the FreeWRT project have
also made some amazing advances
in this area.
However even though FreeWRT has a web
interface to build custom
firmware online, both are still catching up with the freedom,
ubiquity and sophistication of modern GNU/Linux desktop distributions.
There are still problems with hardware compatibility and drivers, as
both distributions are still confined to a certain chipset, and locked
into the 2.4 Linux kernel series because of proprietary drivers for
the wireless card built by Broadcom, a manufacturer that has proven
itself to be very uncooperative towards the Free Software community.
Getting rid of these restrictions to freedom is a collaborative effort
with many different players, including FSFE's Freedom Task Force,
which helped the OpenWRT team to avoid making mistakes in the reverse
engineering of the Broadcom wireless driver, such that the result will
then be fully usable by all Free Software.
The situation with mobile phones and PDAs is even worse than that of
routers. Until very recently it was close to impossible to find mobile
phones that were running Free Software and gave the user control over
what they were doing.
One of the first companies that tried to answer requests for Free
Software mobile phones was Trolltech with their Qtopia
Greenphone.
Maybe because this was the first time this was tried, and maybe
because they didn't consult enough community voices before launching
the phone, they made some mistakes. One of them was the overly
restrictive EULA terms, which Trolltech quickly corrected after
being
confronted
with the problem.
This was not the only problem. The Greenphone's package management is still
proprietary, although that problem can be mitigated by using the ipkg
package manager instead. Ultimately it seems that everything but
the communication stack can be replaced by Free Software in this
way. So the Greenphone was a step in the right direction, but it is
not yet good enough.
The interest it raised probably also helped bringing about the
OpenMoko phone, which will ship very
soon and which is taking
another big step toward freedom. Like the Greenphone, the GSM stack
remains proprietary, though. Reasons for this appear to be a thicket
of cross-licensed patents and regulatory concerns about frequency
usage and transmission strength.
Many politicians are concerned that tinkering with these could impair
the ability of other people to communicate, including the ability to
access emergency services. Their argument is that the potential damage
done by tinkering is greater than the damage of not having the freedom
to change the code. This is a reincarnation of the old "your freedom
to swing your fist ends at my nose" argument, and it is not easily
discarded. We need to convince society with good answers to this and
because of that, the GSM stack is likely to remain a difficult area
for some time.
Depending on when you start to count, it took our community at least
10 years to address the issue of the proprietary BIOS on our PCs, but
we did not let this stop us from improving our GNU/Linux Desktops. In
the same way I believe we should work to create maximum freedom on
mobile phones.
Other possible candidates have been launched by Nokia, namely the 770
and N800 internet tablets. Both
devices are running a Linux
kernel with a very small GNU/Busybox system using Debian package
management.
Because they do not need the GSM stack, these devices might be made
entirely free, though unfortunately they are not being shipped that
way. They come with the proprietary Opera browser and a Flash player,
which are easily uninstalled and can be replaced by a Mozilla port
called Minimo;
maybe Gnash can be
compiled for them as well.
But there is more work waiting to be done: In a sad kind of irony
Nokia seems to have chosen the Gtk+ library over Qt because that would
allow them to keep part of their helper library for the embedded small
screen proprietary. There are also other parts that are still kept
proprietary, like the boot loader and battery charging
application. They also seem to share the proprietary firmware problem
with the personal computer platform. Even the flashing utility is
proprietary software at the current point in time.
This has made some people very
sceptical. It may even turn out
that we will not be able to free these specific devices entirely
without Nokia's help on the hardware interfaces, which may never
come. But working to free them will inevitably end up providing more
freedom, although maybe not on these specific devices. Experience
gained can be used in many ways, and Free Software written can be
transferred to other platforms.
Like the Greenphone, these Nokia devices provide a substantial step
towards freedom, but are not yet good enough. So they have to be seen
as an intermediate step towards freedom in the embedded world. Both
Trolltech and Nokia deserve praise for making a step into the right
direction, as well as constructive criticism on the remaining
proprietary parts, which should also be set free.
There are projects that have already gotten very far in this effort
for other devices, like the Familiar Project for the iPAQ
which, I was told, is now running fully Free Software except for the
wireless driver. And there are other devices that seem capable of
running Familiar, like the Siemens Simpad, which also spawned its own
community project to set it free. So maybe a FreeMaemo.org
project is what we need for the Nokia internet tablets.
An essential element in truly achieving freedom in the embedded world
will be to further strengthen the Free Software community in this area
and enable more Free Software developers to tinker with these devices.
One person who has done extraordinary work in this area is Harald
Welte. His signature is also visible all over the OpenMoko project and the
way it actively reaches out to build a strong developer community. We need
more people like him and the other OpenMoko developers, and I hope you will
take a look at their
call for GPL'ed wireless drivers and application developers.
We also need to get more of the devices into the hands of capable
developers. This is what Armijn Hemel of gpl-violations.org did
during FOSDEM 2007 when he gave a bunch of routers to the OpenWRT
project so they would have more devices to work with and set free.
Ultimately freedom is not static. It is a process that involves a lot
of work. It is also a differential question: There are steps towards
more freedom, which are good, and steps towards less freedom, which
cause problems -- if not immediately, then in the future. The choices
of which direction to take were recently described by FSFLA as "The
fifth freedom."
As a community, we have set the personal computer free to a very large
extent. We are not yet as far with embedded devices, but there are
first signs of the Free Software community growing into this area.
With the possible exception of the GSM stack, I believe we have good
reason to expect 100% Free Software devices in the near future by
starting from the most free, although imperfect, options available and
setting them free entirely.
Through this effort we'll not only see the Free Software community
flourish in this area and we are also likely to see more hardware
vendors willing to supply the community and people who value their
freedom with such devices.
Eventually it will be possible to enter the store and buy such a
device running only Free Software out of the box, which is what I
really want. And with projects such as the GPE Palmtop Environment
we will be able to use the same software environment on different
hardware devices; something that is common on personal computers, and
a great advantage.
Working for this goal can serve to strengthen Free Software on the
desktop, because integration of the mobile devices with desktop
computers is an important issue. With Free Software it could be
possible to use the same software on both, possibly in different
versions and from different vendors. The result would be seamless
integration that proprietary software might not be able to achieve
across vendor boundaries.
It seems only a question of time until someone picks up on this and
offers the combination of freedom and convenience to people. In the
end, by walking forward on the road to embedded freedom, we might end
up strengthening Free Software overall.
(The author is initiator and president of the Free Software Foundation Europe (FSFE)
and his personal
blog is available at the Fellowship
of FSFE)
Comments (123 posted)
Page editor: Jonathan Corbet
Security
SQL-Ledger and LedgerSMB: a study in security reporting
March 21, 2007
This article was contributed by Jake Edge.
Accounting information is the kind of data that most organizations would
want to keep private; it is also information that attackers
might be most interested in. Because of that, security vulnerabilities
in accounting packages require high visibility and prominent announcements
so that users can take the appropriate steps to safeguard their data. Two
related accounting systems,
SQL-Ledger and
LedgerSMB provide an interesting
contrast in approaches to security reporting.
SQL-Ledger is a GPL-licensed accounting system first released in 1999; it has a
large feature set and a sizable number of happy and loyal users. It is a
web-based program, written in Perl, that uses an SQL database to store the
information. The original intent seems to have been a system that lived behind
a firewall and was not exposed to the Internet; most of the vulnerabilities
reported recently have a much reduced impact behind the firewall. In fact,
buried at the end of the FAQ, SQL-Ledger recommends using the web server's
authentication mechanisms (presumably HTTP Basic Auth for Apache)
on top of those provided by SQL-Ledger itself.
SQL-Ledger is tightly controlled by its creator, Dieter Simader, and he has
not encouraged a developer community to spring up around the system.
This has caused some users to become frustrated with the pace of
development;
it doesn't help that the suggested way to get features added more quickly is to pay
Simader's company to develop them. In addition, the documentation, user
forums and wiki are only available to those who pay for them. There is
nothing inherently wrong with doing things
this way, but it is quite different than the way most GPL projects operate.
The project continued in this manner for quite some time until a reported session
hijacking issue was not handled quickly by Simader. Another
user mentioned that the issue had been known for a lot longer as
they had reported it nearly a year earlier
and, though there had been several releases in the interim, no fix had
been made. This incident led directly to the September 2006 fork of the
SQL-Ledger code as the LedgerSMB (SMB for 'small-medium business') project.
The LedgerSMB developers have created a project that operates the
way open source developers expect, with open documentation, a public
source code repository and a willingness to accept patches from anyone
interested. They have also been doing an informal security audit of the
shared codebase and coordinating security releases with SQL-Ledger. They
have released a number of detailed vulnerability reports on the Bugtraq
mailing list that cover security updates for both projects.
Visiting each project's homepage is very instructive with regards to the
security updates. The SQL-Ledger page makes no mention of updates; one
must follow the "What's New" link to see the updates and the descriptions
make no mention of the security implications of the release. A user could
easily be lulled into thinking that "added %00 check for login to trigger
an error" is just a run-of-the-mill bug fix rather than a fix for an
arbitrary code execution and authentication bypass bug as described in the
report.
The LedgerSMB site, on the other hand, has its news listed on the front page
and calls the most recent security release (1.1.10) a fix for "a serious
security hole." The users and announce mailing lists both have detailed
reports about the problem whereas the SQL-Ledger public user mailing list
makes no mention of the new release. One presumes and hopes that the users
who have purchased support get some kind of notification from DWS Systems
(Simader's company), but the non-paying users need to pay close attention
to Bugtraq (or the LedgerSMB site).
In many ways, the contrast between the two mirrors
the contrast between how open source and proprietary software projects handle
security issues. One disseminates the information far and wide while the
other treats it as a public relations black eye and obscures it.
DWS Systems is presumably trying to protect its income
stream but, by doing it in the way it has, it appears to have alienated
a segment of its user base which is now directly competing with the company. Had Simader
been more responsive to those issues, there very well might not be a
competing project. It will be interesting to see which approach works better
in the long term or if both thrive equally.
Comments (5 posted)
Security news
Felten: Too much innovation in the OLPC?
Ed Felten
questions the
OLPC security model. His problem is not with specifics of the model
itself, but rather with an overall sense of second system syndrome.
"OLPC needs to be innovative in some areas, but I don't think
security is one of them. Sure, it would be nice to have a better security
model, but until we know that model is workable in practice, it seems risky
to try it out on millions of kids." (LWN covered the OLPC security model
in February.)
Comments (15 posted)
New vulnerabilities
asterisk: SIP denial of service
| Package(s): | asterisk |
| CVE #(s): | CVE-2007-1306 |
| Created: | March 19, 2007 |
| Updated: | March 21, 2007 |
| Description: | The MU Security Research Team discovered that Asterisk contains a NULL-pointer dereferencing error in the SIP channel when handling request messages. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP request message. |
| Alerts: | |
Comments (2 posted)
inkscape: format string vulnerabilities
| Package(s): | inkscape |
| CVE #(s): | CVE-2007-1463, CVE-2007-1464 |
| Created: | March 21, 2007 |
| Updated: | April 16, 2007 |
| Description: | Inkscape has a format string vulnerability in its URI handling, possibly allowing an attacker to execute code with user privileges via a specially crafted file. A second format string vulnerability, in the whiteboard Jabber protocol in Inkscape before 0.45.1, allows user-assisted remote attackers to execute arbitrary code via unspecified vectors. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2007-0005, CVE-2007-1000 |
| Created: | March 15, 2007 |
| Updated: | November 14, 2007 |
| Description: | The Linux kernel has a boundary error problem in the Omnikey CardMan 4040 driver's read and write functions. This can be used to cause a buffer overflow and possible execution of arbitrary code with kernel privileges. The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference; local users can use this to crash the kernel or to disclose kernel memory. |
| Alerts: | |
Comments (none posted)
libwpd: buffer overflows
| Package(s): | libwpd |
| CVE #(s): | CVE-2007-0002 |
| Created: | March 16, 2007 |
| Updated: | April 9, 2007 |
| Description: | iDefense reported several overflow bugs in libwpd. An attacker could create a carefully crafted WordPerfect file that could cause an application linked with libwpd, such as OpenOffice, to crash or possibly execute arbitrary code if the file was opened by a victim. |
| Alerts: | |
Comments (none posted)
lookup-el: insecure temporary file
| Package(s): | lookup-el |
| CVE #(s): | CVE-2007-0237 |
| Created: | March 19, 2007 |
| Updated: | December 10, 2007 |
| Description: | Tatsuya Kinoshita discovered that Lookup, a search interface to electronic dictionaries on emacsen, creates a temporary file in an insecure fashion when the ndeb-binary feature is used, which allows a local attacker to craft a symlink attack to overwrite arbitrary files. |
| Alerts: | |
Comments (none posted)
LSAT: insecure temporary file creation
| Package(s): | lsat |
| CVE #(s): | |
| Created: | March 19, 2007 |
| Updated: | March 21, 2007 |
| Description: | LSAT insecurely writes in /tmp with a predictable filename. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When the LSAT script is executed, this would result in the file being overwritten with the rights of the user running the software, which could be the root user. |
| Alerts: | |
Comments (none posted)
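The lookup-el and LSAT entries above describe the same bug class: a fixed, guessable name under a shared temporary directory, opened with a plain truncating open() that follows whatever symlink a local user has planted there. The following is an added example, not code from LWN or from either project, showing the defect and two fixes side by side in a sandbox directory the script creates itself; the file name `lsat.out` and the victim file are constructed for the demonstration.

```python
"""Added example (not from the LWN page or the advisories' projects): why a
predictable temp-file name is overwritable through a planted symlink, and how
O_CREAT|O_EXCL (or mkstemp) prevents it. Everything runs inside a throwaway
directory created with mkdtemp; no real /tmp is touched."""
import os
import tempfile

PREDICTABLE_NAME = "lsat.out"   # constructed stand-in for a fixed /tmp file name


def unsafe_tmp_write(tmpdir, payload):
    """The pattern in the advisories: fixed name, plain open() with truncation.
    open() follows a symlink already sitting at the name and truncates its
    target. Returns the real path that ended up being written."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    with open(path, "w") as f:
        f.write(payload)
    return os.path.realpath(path)


def safe_tmp_write(tmpdir, payload):
    """Hardened version of the same fixed-name write: O_CREAT|O_EXCL fails if
    anything (symlink included) already exists at the path, O_NOFOLLOW refuses
    symlinks on platforms that have it, and mode 0o600 keeps other users out.
    Raises OSError instead of writing through a planted link."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(payload)
    return os.path.realpath(path)


def mkstemp_write(tmpdir, payload):
    """Preferred fix: mkstemp picks an unpredictable name and opens it with
    O_EXCL atomically, so there is no name for anyone to plant in advance."""
    fd, path = tempfile.mkstemp(prefix="lsat-", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(payload)
    return path


def demo():
    """Plant a symlink at the predictable name and compare the three writers.
    Returns (unsafe_write_clobbered_victim, safe_write_refused, mkstemp_name_differs)."""
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    tmpdir = os.path.join(base, "tmp")          # stands in for the shared /tmp
    os.mkdir(tmpdir)
    victim = os.path.join(base, "victim.txt")   # a file the attacker wants clobbered
    with open(victim, "w") as f:
        f.write("original contents\n")
    os.symlink(victim, os.path.join(tmpdir, PREDICTABLE_NAME))

    target = unsafe_tmp_write(tmpdir, "overwritten\n")
    with open(victim) as f:
        clobbered = target == os.path.realpath(victim) and f.read() == "overwritten\n"

    try:
        safe_tmp_write(tmpdir, "should not land\n")
        refused = False
    except OSError:                 # EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW
        refused = True

    name = mkstemp_write(tmpdir, "fine\n")
    unpredictable = (os.path.dirname(name) == tmpdir
                     and os.path.basename(name) != PREDICTABLE_NAME)
    return clobbered, refused, unpredictable


if __name__ == "__main__":
    print(demo())
```

Running the script prints a tuple of three booleans: the plain open() did overwrite the victim through the symlink, the O_EXCL open refused, and mkstemp produced a name nobody could have planted ahead of time. The O_EXCL variant still has a fixed name, so a planted link turns into a denial of service rather than an overwrite; mkstemp avoids even that.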
nas: code execution
Comments (none posted)
openafs: privilege escalation
| Package(s): | openafs |
| CVE #(s): | CVE-2007-1507 |
| Created: | March 21, 2007 |
| Updated: | April 3, 2007 |
| Description: | The handling of setuid files in the OpenAFS filesystem is flawed in such a way that a sufficiently clever attacker could make an arbitrary executable file appear to be setuid. |
| Alerts: | |
Comments (none posted)
OpenOffice.org: buffer overflow and command execution
| Package(s): | openoffice.org |
| CVE #(s): | CVE-2007-0238, CVE-2007-0239 |
| Created: | March 21, 2007 |
| Updated: | April 17, 2007 |
| Description: | The StarCalc parser in OpenOffice.org suffers from an "easily exploitable" stack overflow which could be exploited (via a malicious document) to execute arbitrary code. Additionally, there is a failure to escape shell metacharacters in URLs, exposing users to command execution by way of hostile links. |
| Alerts: | |
Comments (none posted)
ssh: privilege escalation
| Package(s): | ssh |
| CVE #(s): | CVE-2006-0705 |
| Created: | March 15, 2007 |
| Updated: | March 21, 2007 |
| Description: | The SSH server has a format string vulnerability in the SFTP code for scp2 and sftp2. The accessed filename can be passed to the system log; an unspecified error could then allow uncontrolled stack access. Authenticated users may be able to use this to bypass command restrictions or run commands as another user. |
| Alerts: | |
Comments (none posted)
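The ssh entry above (a filename reaching the system log as the format string) and the Inkscape entry earlier are both the same defect: a printf-style function whose format argument is data rather than a literal. The simplest way to keep that out of a code base is to flag every such call mechanically. The following is an added example, not code from LWN or from either project: a small checker that scans C source for printf-family and syslog calls and reports any whose format argument is not a string literal. The C snippet it runs over is constructed for the demonstration and is not the scp2/sftp2 code.

```python
"""Added example (not from the LWN page): flag printf-style calls whose format
argument is not a string literal, the bug class behind the ssh and Inkscape
advisories. Function table, regex and the sample C code are all constructed."""
import re

# 0-based index of the format argument for common printf-style functions.
FORMAT_ARG_INDEX = {
    "printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1,
}

CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def split_args(text):
    """Split the text after an opening '(' on top-level commas, honouring
    nested parentheses and double-quoted string literals (with escapes).
    Returns (args, remainder_after_the_closing_paren)."""
    args, cur, depth, in_str, i = [], "", 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            cur += c
            if c == "\\" and i + 1 < len(text):     # keep escaped char verbatim
                cur += text[i + 1]
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur += c
        elif c == "(":
            depth += 1
            cur += c
        elif c == ")":
            if depth == 0:
                args.append(cur.strip())
                return args, text[i + 1:]
            depth -= 1
            cur += c
        elif c == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    args.append(cur.strip())
    return args, ""


def find_nonliteral_formats(source):
    """Return (line_number, function, format_expression) for every call whose
    format argument is anything other than a plain "..." literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            args, _ = split_args(line[m.end():])
            idx = FORMAT_ARG_INDEX[func]
            if idx >= len(args):
                continue
            fmt = args[idx]
            if not (fmt.startswith('"') and fmt.endswith('"')):
                findings.append((lineno, func, fmt))
    return findings


# Constructed C sample in the spirit of the scp2/sftp2 bug: a user-supplied
# filename is formatted into msg, and msg is then passed as the format itself.
SAMPLE = '''\
static void log_access(const char *user, const char *filename)
{
    char msg[256];
    snprintf(msg, sizeof(msg), "%s opened %s", user, filename);
    syslog(LOG_INFO, msg);            /* BUG: msg is attacker-influenced */
    syslog(LOG_INFO, "%s", msg);      /* fixed form */
    fprintf(stderr, filename);        /* BUG */
    fprintf(stderr, "%s\\n", filename);
    printf("done\\n");
}
'''

if __name__ == "__main__":
    for lineno, func, fmt in find_nonliteral_formats(SAMPLE):
        print(f"line {lineno}: {func}() called with non-literal format {fmt!r}")
```

On the sample it reports lines 5 and 7 (the two calls that pass data as the format) and stays quiet about the corrected `"%s"` forms next to them. The same check is what `-Wformat-security` in GCC does at compile time; a script like this is useful for code that must build with older or foreign compilers.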
webcalendar: missing input sanitizing
| Package(s): | webcalendar |
| CVE #(s): | CVE-2007-1343 |
| Created: | March 16, 2007 |
| Updated: | March 21, 2007 |
| Description: | It was discovered that WebCalendar, a PHP-based calendar application, insufficiently protects an internal variable, which allows remote file inclusion. |
| Alerts: | |
Comments (none posted)
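Remote file inclusion of the kind described in the WebCalendar entry above happens when a request can influence the path handed to an include: either directly, or by overwriting an internal variable (the register_globals pattern). The following is an added example, not code from LWN or from WebCalendar, of the two checks that close that hole: resolve the include name against a fixed root and an allowlist, and never let request parameters set anything but the parameters the page actually expects. The root directory, allowlist and query strings are constructed.

```python
"""Added example (not from the LWN page or WebCalendar): confine an include
path that is influenced by request data. INCLUDE_ROOT and ALLOWED_INCLUDES
are constructed stand-ins for an application's include directory."""
import posixpath
from urllib.parse import urlsplit

INCLUDE_ROOT = "/srv/app/includes"                                   # constructed
ALLOWED_INCLUDES = {"settings.php", "lang/en.php", "lang/de.php"}    # constructed


def resolve_include(requested):
    """Return the absolute path that may be included, or None to refuse.
    Refuses NUL bytes, anything with a URL scheme or host (remote inclusion
    via http://, php://, //host/...), absolute paths, traversal that escapes
    INCLUDE_ROOT, and names that are not on the allowlist."""
    if not requested or "\x00" in requested:
        return None
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc:
        return None
    if posixpath.isabs(requested):
        return None
    full = posixpath.normpath(posixpath.join(INCLUDE_ROOT, requested))
    if posixpath.commonpath([INCLUDE_ROOT, full]) != INCLUDE_ROOT:
        return None                     # ".." escaped the include directory
    if posixpath.relpath(full, INCLUDE_ROOT) not in ALLOWED_INCLUDES:
        return None
    return full


def includes_for_request(query):
    """Decide which files a page include for one request. Only the expected
    parameter 'lang' is read from the query; internal settings such as the
    include directory are never taken from request data, so a stray
    'includedir=http://...' parameter has no effect."""
    lang = query.get("lang", "en")
    candidates = [resolve_include("settings.php"),
                  resolve_include(f"lang/{lang}.php")]
    return [path for path in candidates if path is not None]


if __name__ == "__main__":
    print(includes_for_request({"lang": "de", "includedir": "http://example.invalid/"}))
    print(resolve_include("../../etc/passwd"), resolve_include("http://example.invalid/x.php"))
```

A language value like `../../etc/passwd` is normalised to a path outside the include root and dropped, so the page still loads its settings file and simply falls back to no language file; a URL in any parameter is rejected before any path arithmetic happens.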
Updated vulnerabilities
amarok: remote code injection
| Package(s): | amarok |
| CVE #(s): | |
| Created: | March 14, 2007 |
| Updated: | March 14, 2007 |
| Description: | Amarok's Magnatune component suffers from a shell code injection vulnerability exploitable by a hostile remote server. |
| Alerts: | |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
| Alerts: | |
Comments (none posted)
bind: denial of service
Package(s): bind
CVE #(s): CVE-2007-0493, CVE-2007-0494
Created: January 26, 2007
Updated: March 14, 2007
Description: The bind package is vulnerable to two remote denial of service attacks in which attackers can cause the bind daemon to crash or exit unexpectedly by providing malformed data to the daemon in a DNS request.
bluez-utils: hidd vulnerability
Package(s): bluez-utils
CVE #(s): CVE-2006-6899
Created: January 16, 2007
Updated: May 14, 2007
Description: hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the Mouse and Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack.
bugzilla: multiple vulnerabilities
Package(s): bugzilla
CVE #(s): CVE-2006-5453, CVE-2006-5454, CVE-2006-5455
Created: November 10, 2006
Updated: August 28, 2007
Description: Bugzilla has the following vulnerabilities:
- Input data passed to various fields is not properly sanitized before being passed back to users.
- Users can gain unauthorized access to read attachment descriptions while using diff mode.
- HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.
- Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.
busybox: insecure password hashing
Package(s): busybox
CVE #(s): CVE-2006-1058
Created: May 5, 2006
Updated: May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when hashing passwords, so a brute-force attack against the resulting hashes (one precomputed table serves every account) can take very little time.
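As an added illustration (not BusyBox code) of what the missing salt buys an attacker, the following compares cracking a hash file with and without per-user salts. SHA-256 stands in for the crypt() routine the advisory concerns; the point is the salt, not the hash function. The wordlist and the accounts are made up.

```python
# Added example, not BusyBox code: what a missing (or constant) salt costs.
# SHA-256 stands in for the crypt() routine the advisory concerns; the
# wordlist and users are constructed.
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

WORDLIST: List[str] = ["password", "letmein", "hunter2", "qwerty", "123456"]
USERS = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "correct horse")]


def hash_unsalted(password: str) -> str:
    """No salt (a constant salt is equivalent): the same password gives the
    same digest for every user on every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Fresh random salt per user, stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precomputed once, reusable against every unsalted hash file."""
    return {hash_unsalted(w): w for w in words}


def crack_unsalted(shadow: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Pure table lookup: zero hash computations at crack time."""
    return {user: table[d] for user, d in shadow.items() if d in table}


def crack_salted(shadow: Dict[str, Tuple[str, str]], words: List[str]) -> Tuple[Dict[str, str], int]:
    """The table is useless; every user costs a separate pass over the
    wordlist. Returns the cracked users and the number of hashes computed."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, (salt_hex, digest) in shadow.items():
        salt = bytes.fromhex(salt_hex)
        for w in words:
            work += 1
            if hash_salted(w, salt)[1] == digest:
                cracked[user] = w
                break
    return cracked, work


def demo() -> Tuple[int, int, int, bool, bool]:
    """Returns (users cracked unsalted, users cracked salted, hashes computed
    for the salted file, alice/bob unsalted digests equal, salted equal)."""
    table = build_lookup_table(WORDLIST)
    unsalted = {u: hash_unsalted(p) for u, p in USERS}
    salted = {u: hash_salted(p) for u, p in USERS}
    got_plain = crack_unsalted(unsalted, table)
    got_salted, work = crack_salted(salted, WORDLIST)
    return (len(got_plain), len(got_salted), work,
            unsalted["alice"] == unsalted["bob"],
            salted["alice"][1] == salted["bob"][1])
```

With a five-word list the salted file still falls, but only after eleven fresh hash computations that cannot be amortized across users or machines; the unsalted file falls to a lookup, and on top of that reveals that alice and bob share a password.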
cpio: arbitrary code execution
Package(s): cpio
CVE #(s): CVE-2005-4268
Created: January 2, 2006
Updated: May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives; files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
Package(s): cyrus-sasl
CVE #(s): CVE-2006-1721
Created: April 21, 2006
Updated: September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate.
dovecot: index cache file handling error
Package(s): dovecot
CVE #(s): CVE-2006-5973
Created: November 29, 2006
Updated: May 8, 2007
Description: The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable.
ekiga: format string vulnerability
Package(s): ekiga
CVE #(s): CVE-2007-1006, CVE-2007-0999
Created: February 21, 2007
Updated: March 30, 2007
Description: Ekiga contains a format string vulnerability in the code which processes control messages from remote peers. If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user's privileges.
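The ssh entry above and this Ekiga one are the same bug class: text supplied by the peer reaches a printf-style function as its format argument instead of as data. The checker below is an added example, not taken from either code base; it flags printf-family and syslog calls whose format argument is not a string literal and runs over a constructed C fragment (SAMPLE_C). A non-literal format is not always a bug, but each one needs a look, and the fix is always the same shape: syslog(LOG_INFO, "%s", name) rather than syslog(LOG_INFO, name).

```python
# Added example, not from the ssh or Ekiga code bases: a small source checker
# for printf-family and syslog calls whose format argument is not a string
# literal. SAMPLE_C is a constructed fragment, not real project code.
import re
from typing import List, Tuple

# 0-based position of the format argument in each call.
FORMAT_ARG_INDEX = {
    "printf": 0, "sprintf": 1, "fprintf": 1, "snprintf": 2, "vsnprintf": 2,
    "syslog": 1, "vsyslog": 1,
}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def call_body(line: str, open_paren: int) -> str:
    """Text between the call's balanced parentheses (single line only)."""
    depth = 0
    for i in range(open_paren, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[open_paren + 1:i]
    return line[open_paren + 1:]


def split_args(body: str) -> List[str]:
    """Split on top-level commas, respecting nested parens and string
    literals. A heuristic, not a C parser: no macro or comment handling."""
    args: List[str] = []
    cur, depth, in_str, i = "", 0, False, 0
    while i < len(body):
        c = body[i]
        if in_str:
            cur += c
            if c == "\\" and i + 1 < len(body):
                i += 1
                cur += body[i]
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur += c
        elif c == "(":
            depth += 1
            cur += c
        elif c == ")":
            depth -= 1
            cur += c
        elif c == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    if cur.strip():
        args.append(cur.strip())
    return args


def find_nonliteral_formats(source: str) -> List[Tuple[int, str, str]]:
    """(line number, function, format expression) for every call whose
    format argument does not start with a string literal. Translated
    strings such as _("...") are reported too: they are literals only until
    someone edits the message catalog."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            args = split_args(call_body(line, m.end() - 1))
            idx = FORMAT_ARG_INDEX[func]
            if len(args) > idx and not args[idx].startswith('"'):
                findings.append((lineno, func, args[idx]))
    return findings


SAMPLE_C = '''\
syslog(LOG_INFO, "sftp: open %s", filename);      /* fine */
syslog(LOG_INFO, filename);                       /* bug */
snprintf(buf, sizeof buf, "%s", remote_name);     /* fine */
snprintf(buf, sizeof(buf), remote_name);          /* bug */
printf("%d bytes\\n", n);                         /* fine */
fprintf(stderr, _("Call from %s"), msg);          /* gettext: review */
fprintf(stderr, msg);                             /* bug */
'''
```

Run over SAMPLE_C it reports lines 2, 4, 6 and 7. Compilers will do the same job more reliably (gcc's -Wformat-security), but a script like this is handy for a quick sweep of a tree you cannot build, and it shows exactly which argument position matters for each function.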
fail2ban: denial of service
Package(s): fail2ban
CVE #(s): CVE-2006-6302
Created: February 16, 2007
Updated: July 30, 2007
Description: fail2ban 0.7.4 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address.
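The mistake is worth seeing concretely, because every log-driven blocker is exposed to it: sshd writes the login name the client sent verbatim into the failure line, so a regex that picks the first "from <host>" it meets is reading text the attacker chose. The following is an added example, not fail2ban's own code, with constructed log lines; 203.0.113.9 is the attacker and 10.0.0.5 is the address it wants the server to ban.

```python
# Added example, not fail2ban's own code: a loose sshd failure regex that
# trusts attacker-chosen text versus one anchored on the part sshd wrote.
# Log lines are constructed.
import ipaddress
import re
from typing import Callable, List, Optional

PREFIX = "Mar 15 10:01:0{} host sshd[1234]: "
LOG = [
    PREFIX.format(1) + "Failed password for root from 203.0.113.9 port 4022 ssh2",
    PREFIX.format(2) + "Failed password for invalid user admin from 203.0.113.9 port 4023 ssh2",
    # The attacker logs in with the login name "from 10.0.0.5 port 1 ssh2";
    # sshd echoes it, so the line carries a forged "from <host>" clause
    # before the real one.
    PREFIX.format(3) + "Failed password for invalid user from 10.0.0.5 port 1 ssh2 "
                       "from 203.0.113.9 port 4024 ssh2",
]

# Loose: a lazy wildcard stops at the first "from", which is the attacker's.
LOOSE_RE = re.compile(r"Failed password for .*? from (?P<host>\S+)")
# Anchored: the host is the one immediately before "port N ssh2" at the very
# end of the line, the one position the remote side cannot write into.
ANCHORED_RE = re.compile(
    r"Failed password for .* from (?P<host>[0-9a-fA-F.:]+) port \d+ ssh2$")


def extract_host_loose(line: str) -> Optional[str]:
    m = LOOSE_RE.search(line)
    return m.group("host") if m else None


def extract_host_anchored(line: str) -> Optional[str]:
    m = ANCHORED_RE.search(line)
    if not m:
        return None
    host = m.group("host")
    try:
        ipaddress.ip_address(host)   # a real address, not a username fragment
    except ValueError:
        return None
    return host


def looks_injected(line: str) -> bool:
    """Detection hint: one failure line should carry exactly one ' from '."""
    return line.count(" from ") > 1


def ban_list(lines: List[str], extract: Callable[[str], Optional[str]]) -> List[str]:
    """Hosts the ban action would receive, in order, for the given parser."""
    return [h for h in (extract(line) for line in lines) if h]
```

With the loose parser the third line produces a ban for 10.0.0.5; with the anchored one all three lines correctly point at 203.0.113.9. Validating the captured host as an IP address and alerting on lines with more than one "from" are cheap extra checks, but neither substitutes for anchoring on the fixed tail of the message.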
fetchmail: password disclosure and DoS
Package(s): fetchmail
CVE #(s): CVE-2006-5867, CVE-2006-5974
Created: January 9, 2007
Updated: March 16, 2007
Description: Fetchmail suffers from a password disclosure vulnerability due to a failure to use secure protocols, and from a denial of service vulnerability.
ffmpeg: buffer overflows
Package(s): ffmpeg
CVE #(s): CVE-2006-4799, CVE-2006-4800
Created: September 14, 2006
Updated: May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI, arbitrary code can be executed with the user's privileges.
freeradius: several vulnerabilities
Package(s): freeradius
CVE #(s): CVE-2005-4745, CVE-2005-4746
Created: August 8, 2006
Updated: April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
freetype: integer overflows
Package(s): freetype
CVE #(s): CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467
Created: June 8, 2006
Updated: October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
gcc: file overwrite vulnerability
Package(s): gcc
CVE #(s): CVE-2006-3619
Created: September 6, 2006
Updated: March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
gd: buffer overflow
Package(s): gd
CVE #(s): CVE-2007-0455
Created: February 7, 2007
Updated: February 28, 2008
Description: The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
gdb: buffer overflow
Package(s): gdb
CVE #(s): CVE-2006-4146
Created: September 15, 2006
Updated: June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
gdm: improper file permissions
Package(s): gdm
CVE #(s): CVE-2006-1057
Created: April 19, 2006
Updated: May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
GnuPG: unsigned data injection vulnerability
Package(s): gnupg
CVE #(s): CVE-2007-1263
Created: March 6, 2007
Updated: March 30, 2007
Description: Core Security Technologies has reported that GnuPG and GnuPG clients are vulnerable to an unsigned data injection vulnerability.
gv: stack-based buffer overflow
Package(s): gv
CVE #(s): CVE-2006-5864
Created: November 20, 2006
Updated: April 9, 2007
Description: Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header.
gzip: multiple vulnerabilities
Package(s): gzip
CVE #(s): CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338
Created: September 19, 2006
Updated: June 1, 2007
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws and several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, the gzip executable could hang, crash, or execute arbitrary code.
horde-kronolith: local file inclusion
Package(s): horde-kronolith
CVE #(s): CVE-2006-6175
Created: January 17, 2007
Updated: March 7, 2008
Description: Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user).
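This Kronolith bug and the fastjar one above (gcc entry) are two faces of the same missing check: a name the attacker controls (an archive member name there, a request parameter here) is joined to a base directory without verifying that the result stays inside it. The following is an added example of one confinement check applied to both cases; it is not code from either project, and the paths and names are constructed.

```python
# Added example, not Kronolith's or fastjar's code: confine an untrusted name
# to a base directory, applied to an archive entry and to a web view name.
# All paths are constructed.
import posixpath
import re
from typing import List


class PathEscape(ValueError):
    pass


def confine(base: str, untrusted: str) -> str:
    """Return base/untrusted normalized, or raise if it would land outside
    base. Purely lexical: call it on a base you have already resolved, and
    for archives re-check after any symlink the archive itself created."""
    if "\x00" in untrusted:
        raise PathEscape("NUL byte in name")
    if posixpath.isabs(untrusted) or untrusted.startswith("\\"):
        raise PathEscape(f"absolute name: {untrusted!r}")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, untrusted))
    # The trailing slash matters: "/srv/app2" must not pass for "/srv/app".
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise PathEscape(f"escapes {base_norm}: {untrusted!r}")
    return candidate


def is_rejected(base: str, untrusted: str) -> bool:
    """True if confine() would refuse the name (for logging and tests)."""
    try:
        confine(base, untrusted)
    except PathEscape:
        return True
    return False


def extraction_targets(base: str, entries: List[str]) -> List[str]:
    """Archive extraction (the fastjar case): decide every target path
    before writing a byte, rejecting the whole archive on the first escape."""
    return [confine(base, e) for e in entries]


VIEW_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def include_path(view_dir: str, view: str) -> str:
    """Web application (the Kronolith case): the include name must be a plain
    identifier and the joined path must still lie under view_dir. The
    allowlist alone blocks traversal; confine() is defence in depth."""
    if not VIEW_NAME.fullmatch(view):
        raise PathEscape(f"bad view name: {view!r}")
    return confine(view_dir, view + ".php")
```

For archive extraction the lexical check is necessary but not sufficient: an archive can first drop a symlink inside the tree and then write through it, so a careful extractor either refuses symlink entries or re-resolves each target on the real filesystem before opening it.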
imlib2: arbitrary code execution
Package(s): imlib2
CVE #(s): CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809
Created: November 6, 2006
Updated: August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
java: multiple vulnerabilities
Package(s): java
CVE #(s): CVE-2006-4339, CVE-2006-4790, CVE-2006-6731, CVE-2006-6736, CVE-2006-6737, CVE-2006-6745
Created: January 18, 2007
Updated: June 8, 2007
Description: Java has multiple vulnerabilities, including: an RSA exponent padding attack vulnerability; two vulnerabilities which allow untrusted applets to access data in other applets; vulnerabilities that involve applets gaining privileges due to serialization bugs in the JRE; and buffer overflows in the Java image handling routines that can give attackers read/write/execute capabilities for local files.
kdelibs: denial of service
Package(s): kdelibs
CVE #(s): CVE-2007-1308
Created: March 8, 2007
Updated: March 29, 2007
Description: Kdelibs has a denial of service vulnerability that can be triggered through Konqueror's use of KDE JavaScript. A null pointer dereference, caused by accessing the content of an iframe whose src attribute is an ftp:// URI, can be used to trigger the DoS.
kdelibs: cross-site scripting
Package(s): kdelibs, konqueror
CVE #(s): CVE-2007-0537
Created: February 5, 2007
Updated: August 13, 2007
Description: Konqueror 3.5.5 does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment, a related issue to CVE-2007-0478.
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2006-5749, CVE-2006-4814, CVE-2006-6106
Created: January 5, 2007
Updated: May 7, 2008
Description: A security issue has been reported in the Linux kernel due to an error in drivers/isdn/i4l/isdn_ppp.c: the "isdn_ppp_ccp_reset_alloc_state()" function never initializes an event timer before scheduling it with the "add_timer()" function (CVE-2006-5749).
The mincore function in the kernel does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock (CVE-2006-4814).
Another vulnerability has been reported in the Linux kernel caused by a boundary error within the handling of incoming CAPI messages in net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain kernel data structures (CVE-2006-6106).
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-4623
Created: October 18, 2006
Updated: November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-0007, CVE-2007-0006
Created: February 15, 2007
Updated: November 14, 2007
Description: Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service vulnerability: a local user can cause the key_alloc_serial function's key serial number collision avoidance code to dereference a null pointer, resulting in a crash.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2006-4535, CVE-2006-4538
Created: September 18, 2006
Updated: December 3, 2007
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)
kernel: denial of service by memory consumption
Package(s): kernel
CVE #(s): CVE-2006-2936
Created: July 17, 2006
Updated: November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.