Security
Cascading security updates
When following the distributions' security updates on a daily basis, as we do at LWN, certain days are more work than others. Two weeks ago we had a rather full update with no fewer than 28 packages updated for Fedora (most of those for both F7 and F8), along with a handful of updates from other distributions. It turns out that the majority of the Fedora updates had a single cause: a set of serious vulnerabilities in Mozilla Firefox.
How does a single update to an application ripple so far that more than a dozen packages have to be rebuilt? One would expect shared libraries to get updated, with applications picking up the fix the next time they are run. That is, in theory, how things are supposed to work, but in this case the underlying libraries have no fixed application binary interface (ABI). So changes to those libraries require every application that uses them to be rebuilt and retested.
Gecko is the rendering engine used by Mozilla in their products to display HTML. Various other packages have started using it as well because of its speed and standards compliance. Because Mozilla sometimes breaks the ABI between releases, even minor releases, distributions may be stuck rebuilding those applications when a new version of the library is released. Normally, that only happens when packaging a new version of the distribution—or when serious security flaws are found.
Mozilla's solution for this problem is XULRunner, which will provide a stable ABI for applications. As XULRunner and its companion libxul become more widely available, the applications that currently link to the Gecko libraries will presumably switch, to avoid these kinds of problems in the future. It is highly unlikely that we have seen the last security problem in the Gecko engine, so reducing the cascade that results from finding one would be welcome.
Because of problems with the ABI changing in the past, Fedora makes each dependent application's requirement on the library exactly track the Mozilla release number, so every Gecko update forces a rebuild. Some other distributions do not do that, so unless the ABI actually changes, they do not need to update each package that uses the libraries. This has some advantages, but could lead to broken applications if an ABI change goes unnoticed.
We have also seen similar cascades of updates, most notably from the xpdf PDF viewer. Unlike Gecko, xpdf provides no library at all, so multiple applications have copied its source into their own trees. When a flaw is found, several different applications (cups, gpdf, etc.) across all distributions need to be updated immediately, with much the same effect as was seen with the Gecko vulnerabilities. Hopefully, over time, the development of the poppler library will mitigate this problem somewhat.
There are lots of good reasons to separate code into components where possible, but security is an important one. Creating and maintaining an ABI is sometimes difficult, but generally worth the trouble. Imagine the chaos that could result from a security vulnerability requiring an ABI change in glibc.
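To make the cascade concrete, here is an added example (not code from the article or from any distribution's build tooling) that models the three coupling styles discussed above: source copied into the application (xpdf style), an exact-version pin (Fedora's Gecko policy), and a soname-based dependency that only triggers a rebuild when the ABI break is declared. All package and library names, including "libgecko.so.0", are constructed for illustration.

```python
"""Added example (not from the article): how one library security fix cascades
into package rebuilds under three dependency policies. Names are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Library:
    name: str
    version: str
    soname: str  # only meaningful if the project keeps a stable ABI


@dataclass
class Package:
    name: str
    vendored: set = field(default_factory=set)  # source copied in (xpdf style)
    exact: set = field(default_factory=set)     # "Requires: lib = version" (Fedora Gecko policy)
    soname: set = field(default_factory=set)    # "Requires: libfoo.so.N" (stable-ABI policy)


@dataclass(frozen=True)
class Impact:
    rebuild: frozenset          # must be rebuilt and retested with the update
    silently_broken: frozenset  # not rebuilt, but now loaded against a changed ABI


def cascade(packages, old: Library, new: Library, abi_broke: bool) -> Impact:
    """Which packages does the security update old -> new drag along?"""
    rebuild, broken = set(), set()
    for p in packages:
        if old.name in p.vendored:
            rebuild.add(p.name)  # the flawed code lives in p's own tree
        elif old.name in p.exact and new.version != old.version:
            rebuild.add(p.name)  # version pin forces a rebuild whether or not the ABI held
        elif old.soname in p.soname:
            if new.soname != old.soname:
                rebuild.add(p.name)  # soname bump: the ABI break was noticed and declared
            elif abi_broke:
                broken.add(p.name)  # soname kept but ABI changed: nobody rebuilds p
    return Impact(frozenset(rebuild), frozenset(broken))


PACKAGES = [  # constructed set, loosely after the article's examples
    Package("cups", vendored={"xpdf"}),
    Package("gpdf", vendored={"xpdf"}),
    Package("firefox", exact={"gecko"}),
    Package("epiphany", exact={"gecko"}),
    Package("yelp", soname={"libgecko.so.0"}),
]
```

Running `cascade` with `abi_broke=True` and an unchanged soname shows the failure mode the article warns about: the exact-pinned packages are rebuilt, while the soname-pinned one is left installed against an incompatible library.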
Brief items
Cold Reboot Attacks on Disk Encryption
Ed Felten's Freedom to Tinker weblog has a report on research he and his colleagues have done on subverting whole-disk encryption by reading the keys from RAM after the machine has been power-cycled. "The root of the problem lies in an unexpected property of today's DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn't so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system."
Security reports
Risk report: Three years of Red Hat Enterprise Linux 4
Red Hat has published an updated version of its risk report for RHEL4, summarizing the security vulnerabilities in that distribution for the last three years and how Red Hat responded to them. "Fixes for 81% of critical flaws were available from Red Hat Network at latest one calendar day after public disclosure of the flaw. 63% of the critical flaws were fixed on the very same day. This fast response time is a deliberate goal of the Red Hat Security Response Team and forms an essential part of reducing customer risk from critical flaws." It would be nice if all distributors would produce an occasional report like this.
New vulnerabilities
acroread: multiple vulnerabilities
Package(s): acroread
CVE #(s): CVE-2007-5659 CVE-2007-5663 CVE-2007-5666 CVE-2007-0044
Created: February 22, 2008
Updated: March 3, 2008
Description: Several flaws were found in the way Adobe Reader processed malformed PDF files. An attacker could create a malicious PDF file which could execute arbitrary code if opened by a victim. A flaw was found in the way the Adobe Reader browser plug-in honored certain requests. A malicious PDF file could cause the browser to request an unauthorized URL, allowing for a cross-site request forgery attack.
asterisk: multiple vulnerabilities
Package(s): asterisk
CVE #(s): CVE-2007-3762 CVE-2007-3763 CVE-2007-3764 CVE-2007-4103
Created: February 27, 2008
Updated: February 27, 2008
Description: Asterisk suffers from a protocol handling error, a buffer overflow, and a NULL pointer dereferencing bug in the IAX2 channel driver, and a memory overflow in the Skinny channel driver.
clamav: heap corruption
Package(s): clamav
CVE #(s): CVE-2008-0728
Created: February 22, 2008
Updated: April 18, 2008
Description: From the CVE entry: libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption."
cups: denial of service
Package(s): cups
CVE #(s): CVE-2008-0886
Created: February 27, 2008
Updated: February 27, 2008
Description: From the Mandriva advisory: A flaw was found in how CUPS handled the addition and removal of remote printers via IPP that could allow a remote attacker to send a malicious IPP packet to the UDP port causing CUPS to crash.
cups: denial of service
Package(s): cups
CVE #(s): CVE-2008-0882
Created: February 22, 2008
Updated: April 3, 2008
Description: From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash.
cups: multiple vulnerabilities
Package(s): cups
CVE #(s): CVE-2008-0596 CVE-2008-0597
Created: February 25, 2008
Updated: March 6, 2008
Description: From the Red Hat advisory: A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597) A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When a shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing a CUPS daemon crash after exhausting available memory. (CVE-2008-0596) These issues were found during the investigation of CVE-2008-0882.
diatheke: insufficient input sanitizing
Package(s): diatheke
CVE #(s): CVE-2008-0932
Created: February 26, 2008
Updated: March 4, 2008
Description: From the Debian advisory: Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitizing of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user.
dnssec-tools: insufficient validation
Package(s): dnssec-tools
CVE #(s): (none assigned)
Created: February 26, 2008
Updated: February 27, 2008
Description: DNSSEC-Tools 1.3.2 contains several fixes, including a patch to the libval DNSSEC validation library to ensure that the signature that validates it is a signature of the trust anchor itself.
dspam: insecure password
Package(s): dspam
CVE #(s): CVE-2007-6418
Created: February 22, 2008
Updated: February 27, 2008
Description: From the Debian advisory: Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line when using the MySQL backend. This allowed a local attacker to read the contents of the dspam database, such as emails.
ghostscript: buffer overflow
Package(s): ghostscript gs
CVE #(s): CVE-2008-0411
Created: February 27, 2008
Updated: April 10, 2008
Description: The Ghostscript color-space handling code suffers from a buffer overflow which may be exploitable by way of a specially-crafted PostScript file.
kernel: arbitrary code execution
Package(s): kernel-source-2.4.27
CVE #(s): CVE-2004-2731
Created: February 25, 2008
Updated: March 6, 2008
Description: From the Debian advisory: CVE-2004-2731: infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code.
kernel: memory corruption
Package(s): kernel-source-2.4.27
CVE #(s): CVE-2006-5753
Created: February 25, 2008
Updated: March 6, 2008
Description: From the Debian advisory: CVE-2006-5753: Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad.
kernel: denial of service
Package(s): kernel-source-2.4.27
CVE #(s): CVE-2006-6053
Created: February 25, 2008
Updated: March 6, 2008
Description: From the Debian advisory: CVE-2006-6053: LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem.
kernel: denial of service
Package(s): kernel-source-2.4.27
CVE #(s): CVE-2007-2525
Created: February 25, 2008
Updated: March 6, 2008
Description: From the Debian advisory: CVE-2007-2525: Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory.
kernel: reduction in random entropy
Package(s): kernel-source-2.4.27
CVE #(s): CVE-2007-4311
Created: February 25, 2008
Updated: March 6, 2008
Description: From the Debian advisory: CVE-2007-4311: The PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy.
kernel: denial of service
Package(s): kernel-source-2.6.8
CVE #(s): CVE-2006-7203
Created: February 25, 2008
Updated: February 27, 2008
Description: From the Debian advisory: CVE-2006-7203: The OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount.
moin: multiple XSS vulnerabilities
Package(s): moin
CVE #(s): CVE-2008-0780 CVE-2008-0781
Created: February 21, 2008
Updated: June 18, 2009
Description: moin has cross-site scripting vulnerabilities in the login action and the AttachFile action.
qemu: unchecked block read/write
Package(s): qemu kvm
CVE #(s): (none assigned)
Created: February 26, 2008
Updated: February 27, 2008
Description: From this post to the Debian security list: "I think I have discovered a vulnerability in qemu. It is related to the block device drivers: that is, the backends which implement the functionality offered to a guest via emulated block devices such as the emulated IDE controller."
splitvt: privilege escalation
Package(s): splitvt
CVE #(s): CVE-2008-0162
Created: February 22, 2008
Updated: March 4, 2008
Description: From the Debian advisory: Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing 'xprop'. This could allow any local user to gain the privileges of group utmp.
turba2: access violation
Package(s): turba2
CVE #(s): CVE-2008-0807
Created: February 25, 2008
Updated: February 29, 2008
Description: From the Debian advisory: Peter Paul Elfferich discovered that turba2, a contact management component for the Horde framework, did not correctly check access rights before allowing users to edit addresses. This could result in valid users being able to alter private address records.
wordpress: multiple vulnerabilities
Package(s): wordpress
CVE #(s): CVE-2007-3238 CVE-2007-2821 CVE-2008-0193 CVE-2008-0194
Created: February 22, 2008
Updated: February 27, 2008
Description: From the Debian advisory: Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. (CVE-2007-3238) SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. (CVE-2007-2821) Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. (CVE-2008-0193) Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. (CVE-2008-0194)
wyrd: insecure temporary file
Package(s): wyrd
CVE #(s): CVE-2008-0806
Created: February 26, 2008
Updated: February 27, 2008
Description: wyrd 1.4.3b allows local users to overwrite arbitrary files via a symlink attack on the wyrd-tmp.[USERID] temporary file.
Page editor: Jake Edge