
LWN.net Weekly Edition for September 11, 2008

Waiting for Rockbox 3.0 - again

By Jonathan Corbet
September 10, 2008
Rockbox is a GPL-licensed replacement firmware for a number of digital audio players. LWN published an article on the imminent Rockbox 3.0 release in May, 2006. Well over two years later, it is clear that some projects use a larger value of "imminent" than others. In this case, the Rockbox developers concluded that certain problems simply were not going to be resolved in any reasonable 3.0 time frame; rather than make a major release with known problems, they simply gave up on 3.0 at that time. As a result, the current stable Rockbox release is Rockbox 2.5, from September, 2005.

It is probably safe to bet that few Rockbox users are running 2.5, which only had support for a handful of Archos players. Grabbing a daily build is a fact of life in the Rockbox community. Meanwhile, Rockbox has performed a valuable service for Debian developers who would otherwise have to struggle to find a project with longer release cycles than their own.

Perhaps that state of affairs is about to change. Back in July, the project announced that, once again, an attempt was to be made for a 3.0 release. On August 15, Rockbox went into feature freeze, with the 3.0 release planned for "within a couple (as in two) weeks." That, of course, was a few (as in three) weeks ago, but this release is clearly getting closer.

Now would seem like the time for the project to begin its hype campaign with lots of screenshot-heavy articles on all of the features this major release will bring. Evidently the Rockbox developers have some strange ideas about actually working on the code, though; they haven't gotten around to the promotional side of things yet. So, while the Rockbox manual is reasonably comprehensive and current, it's hard to come up with a list of changes for the 3.0 release.

At the top of any list would have to be the list of supported players, which has expanded considerably since the 2.5 release. The Rockbox buyer's guide gives a good summary of the currently-supported players. Alas, none of these players are currently in production, though some can still be found on auction sites and elsewhere. There is progress toward support for some more contemporary players; early successes have been announced for the Cowon iAudio D2 and iAudio i7 devices. Those players will not be supported in the 3.0 release, of course, and the Rockbox developers have reserved the right to withhold support for other players as well if it is not stable enough.

Beyond that, changes to Rockbox in recent times include the ever-growing list of codecs (including some video formats on suitable players), a five-band parametric equalizer, an increasingly powerful theme capability with many user-contributed themes, album art display, a highly capable tag database, Speex codec support for the voice-based interface, and a whole host of new plugins including the much-anticipated Lamp plugin which displays a blank screen at full intensity, turning your player into an expensive, short-lived flashlight. Rockbox 3.0, it seems, will have something for almost everybody.

It also appears that 3.0 may include the hard-to-find RBUtil program - a Qt-based tool which automates the process of installing Rockbox. Given that installation can be a bit of a sweaty-palms experience overshadowed by the fear of turning that nice, new player into a brick, any help which can be given is more than welcome. Bricks, after all, are not known for high-fidelity sound.

Another recent event in the Rockbox community is the creation of the Rockbox Steering Board, currently consisting of Daniel Stenberg, Linus Nielsen Feltzing, Dave Chapman, Paul Louden, and Jens Arnold. The mandate for this board is not particularly clear; it seems to be intended to help break deadlocks in technical discussions. There have been some concerns raised that the creation of this board is a sign that Rockbox is moving into a more bureaucratic, slow-moving mode, but those worries are probably premature.

Rockbox developers also recently decided that all of the project's code would be licensed as "GPLv2 or later." While there is no plan for Rockbox to switch to GPLv3, the developers wanted their code to be available to other projects which are using that license. Since Rockbox does not require copyright assignments, this change will require an audit to find any GPLv2-only code and either relicense it or remove it. There have been no public announcements on how that process is going.

The Rockbox project faces a number of challenges. Cooperation from vendors is essentially zero, so all ports require a reverse engineering effort. Target platforms go through their market lifecycle quickly, making it difficult to get a port stable before the target device disappears. Its programming environment is highly specialized and resource-constrained, limiting the pool of developers who can work on the project. And, someday, the whole effort may lose its relevance as platforms become more capable and it gets easier to just run Linux on them. For now, though, there is nothing better for those who want a dynamic and user-oriented operating system for their digital audio player, and it continues to improve.


Fedora distributes new keys

By Jake Edge
September 10, 2008

The Fedora project is back on track after its recent "infrastructure issues" with new package signing keys as well as packages and updates signed with the new keys. Fedora users should be able to pick up the new key and update their systems now, with a minimum of hassle—just verifying and accepting the new key. But, no further information has been released about exactly what went wrong, leading to more speculation and some worry in the Fedora community.

When a user gets a package from their distribution—or, more likely, a mirror of their distribution repository—they need to have some way to determine that it is a valid package. Distributors sign packages using a private key; that signature can then be verified by using the distribution's public key. If the private key gets compromised somehow, malicious packages could be created that would be indistinguishable from the real versions. This is why private signing keys must be well guarded, usually by isolating them on separate machines and encrypting them with a password.

According to one of the announcements about the problem, there is no evidence that the passphrase used to guard the Fedora private signing key has been compromised, though the clear implication is that the encrypted key file may have been captured. Out of an abundance of caution—and perhaps the concern that the passphrase might be guessed or brute-forced—the project decided to generate new keys. Along with new keys come various headaches: re-signing all of the packages as well as getting the keys installed on users' machines.

Getting the keys to users is largely a matter of getting the new fedora-release package—along with PackageKit and friends for GUI-enabled updates—installed. That package contains the new key and repository name (updates-newkey). Of necessity, those updates are the last that will be signed with the old key, so they will install on existing Fedora systems. Once that package makes its way out to the mirrors, users can install it so that they can proceed with any needed updates using the new key.

Running "yum clean metadata" was helpful at the time of this writing to accelerate the process; depending on which mirror is being used and when it gets updated, that may not be needed. After fedora-release is installed, "yum list updates" gives a long list of available updates, all signed with the new key. All a user needs to do is verify the key and add it to the RPM key database. Verifying the key is a manual step, as a user must check its fingerprint against the one published on the web site. The method described requires importing the key into gpg, then running "gpg --fingerprint fedora@fedoraproject.org" to see the key fingerprint; this is clearly something that could be made easier.
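The manual fingerprint comparison described above can be scripted. The following is an added example, not code from the article or from the Fedora project: it reads gpg's machine-readable (--with-colons) listing and compares the primary key's fingerprint with the published one. The function names, the sample listing and the sample fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the primary-key fingerprint in a gpg colon listing
# with the fingerprint published by the project. Real use (listing on stdin):
#   gpg --with-colons --fingerprint fedora@fedoraproject.org | \
#       verify_key "<fingerprint copied from the project's web site>"

# Constructed sample listing (not a real key): one primary key, one subkey.
SAMPLE_LISTING='pub:-:1024:17:0123456789ABCDEF:2008-09-01:::-:Example Signing Key <keys@example.invalid>::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
sub:-:2048:16:8888999900001111:2008-09-01::::::e:
fpr:::::::::1111222233334444555566667777888899990000:'

# Constructed "published" fingerprint, in the spaced form web pages use.
PUBLISHED_EXAMPLE='AAAA BBBB CCCC DDDD EEEE  FFFF 0123 4567 89AB CDEF'

# Strip spaces, tabs, newlines and colons; upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr '[:lower:]' '[:upper:]'
}

# Print the fingerprint of every primary key in a colon listing on stdin.
# An "fpr" record belongs to the "pub" or "sub" record just before it;
# only fingerprints that follow a "pub" record are printed.
primary_fprs() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "sub"         { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# verify_key PUBLISHED   (colon listing on stdin)
# Returns 0 on a match, 1 on a mismatch, and 2 when the comparison cannot be
# trusted: the published value is not a full fingerprint (a short key ID is
# not enough), or the listing does not contain exactly one primary key. A
# user-ID search can match several keys, so that case is treated as ambiguous.
verify_key() {
    published=$(normalize_fpr "$1")
    case "$published" in
        ""|*[!0-9A-F]*) return 2 ;;
    esac
    # 40 hex digits for a v4 key, 64 for a v5 key.
    [ "${#published}" -eq 40 ] || [ "${#published}" -eq 64 ] || return 2

    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 2

    [ "$(normalize_fpr "$found")" = "$published" ] && return 0
    return 1
}

# Demo on the constructed listing.
if printf '%s\n' "$SAMPLE_LISTING" | verify_key "$PUBLISHED_EXAMPLE"; then
    echo "fingerprint matches"
else
    echo "fingerprint does NOT match, or the check was ambiguous"
fi
```

The published fingerprint has to come from a channel other than the one that delivered the key, otherwise the comparison proves nothing.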

As part of phase one of the re-signing, Fedora has re-signed all Fedora 8 and 9 package updates. Phase two is ongoing, re-signing each package that is distributed as part of the original release of Fedora 8 and 9. Fedora 10 already has a new signing key as well. From the perspective of a possible compromise of the signing keys, things are well on their way back to normal. But there is still the nagging issue of how this all came about to begin with.

Several different questions about the intrusion were directed at the Fedora board from community members in their IRC meeting on September 9. Unfortunately, there was no new information forthcoming, nor was there any indication of when that information might be available. According to the board member Tom "spot" Callaway, information will be released "when we're told that we can by the parties running the investigation, not a second before, and not a second later."

Red Hat is clearly holding all information about the intrusion as a closely guarded secret—whether that is at the behest of law enforcement or just lawyers is unclear. While there was no timeline given, the clear sense that one got from the meeting is that it might be weeks or months before clearance will be granted to even confirm that they know how the intrusion occurred. In addition, the Fedora board has not been officially briefed on the incident; some members have knowledge because of their Red Hat responsibilities, but the rest are in the dark. If one needed a reminder that Fedora is not an independent distribution, but instead is subject to the whims of Red Hat, this is a clear demonstration.

The justification for secrecy is that Red Hat is a publicly traded company so intrusions into its systems need to be treated differently. Some board members believe that had there not been an intrusion into the servers that handle packages for Red Hat Enterprise Linux—that is if it had only been Fedora servers that were affected—the incident would have been handled much more transparently. Overall, the board is clearly unhappy about the situation but, perhaps because they are almost all Red Hat employees, don't see that there is much that can be done about it. That too should serve as a reminder.

It should be noted that Debian has had several server compromises over the years (for example, 1 and 2), which is, perhaps, a poor record of server security, but it is an excellent example of transparency. Debian is rather well known for its independence, which is part of what allows it to be so open. Those incidents do serve as examples; perhaps they are not an exact fit for the current Fedora/RHEL intrusion but that remains to be seen.

It may very well be that Red Hat is between a rock and a hard place here. As a friend to free software, Red Hat is unparalleled, but once in a while it shows that it is foremost a corporation with responsibilities to its shareholders. When those responsibilities conflict with the transparency we have come to expect from free software projects—especially with regard to security issues—that transparency must be set aside. One can argue that Red Hat is being overly protective of the details—confirmation that they either know or do not know how the intrusion occurred for example—but that argument really can't be made until all the facts are known. For that we must wait for the process to run its course.


Kernel security, year to date

By Jonathan Corbet
September 9, 2008
Earlier this year, your editor asked a high-profile kernel developer, in a public discussion at a conference, about the seemingly large number of kernel-related security bugs. Was the number of these vulnerabilities of concern, and what was being done about it? The answer that came back was that security issues aren't a huge concern, that most of the reported issues were obscure local exploits requiring the presence of specific hardware. Serious issues, like the vmsplice() vulnerability, are rare.

More recently, as part of the panic associated with getting a talk together for the Linux Plumbers Conference, your editor decided to take a closer look at kernel vulnerabilities. It turns out that there are, in fact, quite a few of them. The vulnerabilities which have been given CVE numbers in 2008 (so far) are:

CVE            Subsystem    Vuln type         Notes
CVE-2008-0001  VFS          privilege         File access mode bypass
CVE-2008-0007  drivers      privilege         Missing fault() boundary checks
CVE-2008-0009  core         info disclosure   vmsplice() #1
CVE-2008-0010  core         info disclosure   vmsplice() #2
CVE-2008-0352  net          remote DOS        IPv6 packet handling crash
CVE-2008-0598  x86          info disclosure   32-bit emulation exposes memory
CVE-2008-0600  net          privilege         The big vmsplice() hole
CVE-2008-0731  AppArmor     privilege         SUSE AppArmor vulnerability
CVE-2008-1294  core         resource          RLIMIT_CPU limit bypass
CVE-2008-1367  x86          privilege?        GCC 4.3.0 and DF
CVE-2008-1375  VFS          privilege         dnotify race
CVE-2008-1514  s390         DOS               ptrace() crash
CVE-2008-1615  x86          DOS               ptrace() crash
CVE-2008-1619  Xen          DOS               Xen crash (Red Hat kernels)
CVE-2008-1669  VFS          privilege         fcntl() race
CVE-2008-1673  net          remote privilege  ASN.1 buffer overflow
CVE-2008-1675  net          privilege         Tehuti driver overflow
CVE-2008-2136  net          remote DOS        IPv6 SIT tunnel memory leak
CVE-2008-2137  sparc        DOS               mmap() panic
CVE-2008-2148  VFS          DOS               utimensat() missed permission check
CVE-2008-2358  net          remote DOS        DCCP integer overflow
CVE-2008-2365  core         DOS               Red Hat utrace race
CVE-2008-2372  net          DOS               mmap() resource use
CVE-2008-2729  x86          info disclosure   x86_64 copy_*_user() error
CVE-2008-2750  net          remote privilege  PPPOL2TP overflow
CVE-2008-2812  TTY drivers  privilege         NULL pointer dereference
CVE-2008-2826  net          DOS               SCTP memory use
CVE-2008-2931  VFS          privilege         unprivileged mount point changes
CVE-2008-2944  core         DOS               Red Hat utrace double free
CVE-2008-3077  x86          privilege         x86_64 ptrace() crash and use-after-free
CVE-2008-3247  x86          privilege         x86_64 LDT setup error
CVE-2008-3272  sound        info disclosure   OSS unverified device number
CVE-2008-3275  VFS          DOS               Dentry cache memory use (needs UBIFS for exploit)
CVE-2008-3276  net          remote DOS        DCCP integer overflow
CVE-2008-3496  UVC drivers  privilege         UVC driver buffer overflow
CVE-2008-3525  net          privilege         Missing checks in sbni WAN driver
CVE-2008-3526  net          remote privilege  SCTP integer overflow
CVE-2008-3534  VFS          DOS               tmpfs crash
CVE-2008-3535  VFS          DOS               readv()/writev() off-by-one
CVE-2008-3686  net          DOS               IPv6 null pointer dereference
CVE-2008-3792  net          remote DOS        SCTP-AUTH crashes

That is 41 CVE numbers (so far) for 2008 - not a small number. Fully 1/3 of these vulnerabilities were in the networking subsystem, which is scary: this is the most likely place to find remotely-exploitable problems in the kernel. It is true that sites not running SCTP or DCCP can forget about many of those, and IPv6 is responsible for a few of the rest, so most of those vulnerabilities were not a concern for most sites.

Many of the remaining vulnerabilities were in the core kernel or in architecture-specific code. The number of vulnerabilities found in drivers - the part of the kernel which has long been sneered at as containing the worst code - is actually quite small. On the other hand, four of the CVE-listed vulnerabilities (the Xen, AppArmor, and utrace problems) were caused by out-of-tree code added by distributors. There is no way to know how many vulnerabilities were fixed without obtaining a CVE number - or without even realizing that a vulnerability existed in the first place.

When a single program is responsible for this many vulnerabilities, it makes sense to ask why. The kernel, of course, is a very large program; more code means more bugs, some of which will have security implications. Beyond that, though, the kernel runs in a special, privileged environment. Flaws which would simply be fixed as just-another-crash in a normal application are denial-of-service vulnerabilities in the kernel - or worse. So a larger number of vulnerabilities in the kernel does not, by itself, imply that the kernel's code is worse than that of other programs; it only reflects the fact that the consequences of kernel bugs tend to be more severe.

The discovery (and repair) of vulnerabilities does not necessarily imply that our current process is creating a lot of vulnerabilities; it could be that we are mostly fixing older problems. If the developers are fixing vulnerabilities more quickly than they are adding more, life should be good in the long run. The vulnerabilities in the list above vary from those which are very old (affecting 2.4 kernels too) to some which are very new (the UVC driver was added in 2.6.26). Some of them are in code which, while being intended for the mainline, has not yet been merged. It is probably impossible to say whether security problems are being fixed more quickly than they are being created, but one thing is clear: all of that code flowing into the mainline is bringing a certain number of security problems with it.

For that reason, it is a little discouraging that there is little work being done in the kernel community with the explicit goal of improving the security of the kernel. Few patches are reviewed with security issues in mind; the vmsplice() vulnerability, as one example, was a clear failure of the review process. There are undoubtedly many people who are doing fuzz testing and such - some of them are even the good guys - but much of the formal testing going on seems aimed more at API conformance than at security verification. There must be more work going on behind the scenes, but it is still hard to avoid a sense of a certain amount of complacency with regard to security issues.

As a community, we take pride in the security of our system. But one vulnerability per week is not the most inspiring security record. It would be good to find a way to do better than that. Better tools must be a part of the solution, but more thorough code review is also needed. There still is no substitute for a pair of eyeballs looking for ways in which new code might be subverted. Asking for more security-oriented review seems ambitious when code review is already one of the biggest bottlenecks in the development process. But the alternative would appear to be to continue to add to our collection of CVE numbers.


Page editor: Jonathan Corbet

Security

DR rootkit released under the GPL

By Jake Edge
September 10, 2008

A free software Linux rootkit has been announced with a number of interesting features. Its availability may, unfortunately, help lower the bar for "script kiddies" and others, but it also provides a nice look into what makes up a rootkit. The rootkit, called DR for Debug Register, uses some new techniques to evade detection, such that even a change recently proposed for inclusion in the kernel would have missed it.

A rootkit is malware that typically hooks into the kernel to hide its presence from administrators. Usually, rootkits can hide their processes from /proc, which in turn means ps won't see them, but sophisticated rootkits do much more than that. DR can also hide network sockets and files in the filesystem that are associated with rootkit processes. There are some benefits to this approach as the announcement describes:

The major benefit of the DR rootkit is that all this happens transparently to the end user. The children of a hidden process are also automatically hidden. The sockets a hidden process creates are also hidden. But if you are a hidden process, you can see hidden resources. This makes the DR rootkit nicely manageable.

Unlike many rootkits, DR does not alter the system call table directly. Instead it sets a hardware breakpoint for the syscall_call() function which gets called whenever a system call is made. When that breakpoint is reached, a handler is set up to watch for an access to the memory location where the specific system call's function pointer lives (i.e. syscall_table[__NR_syscall]). When the address is retrieved from that location, the breakpoint substitutes the address of the code the rootkit wants to run—the system call hook.

The system call hooks are where the work is done to evade detection. By hooking less than a dozen different calls, DR can hide its processes, files, and sockets. By creating a program that does an exec() of a special filename—one that starts with "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"—one can set the "hidden" bit on the process; spawning a shell or running some malware after the exec() fails will cause those processes to no longer be visible to the rest of the system.

There are some limitations outlined in the announcement, the biggest of which is that DR is implemented as a kernel module without any attempt to hide its presence. Doing an lsmod will show it clearly, but there are other ways to detect it as well. Fixing those is on the "to do" list and won't take a very large effort to complete.

DR was created by Immunity, Inc. as part of their penetration testing efforts and has been released under the GPLv2. It contains roughly 1200 lines of well-documented code that should be of interest to anyone curious about rootkits. It is not the first rootkit available with source code (Adore predates it by several years, and there are probably others), but it is an interesting—if a bit scary—release.


New vulnerabilities

adminutil: multiple vulnerabilities

Package(s):adminutil CVE #(s):CVE-2008-2928 CVE-2008-2929 CVE-2008-2932
Created:September 10, 2008 Updated:September 10, 2008
Description: adminutil suffers from several vulnerabilities, including a buffer overflow in its accept-language parsing code and a heap overflow in input parsing.
Alerts:
Fedora FEDORA-2008-7339 2008-09-05
Fedora FEDORA-2008-7642 2008-09-05


awstats: cross-site scripting

Package(s):awstats CVE #(s):CVE-2008-3714
Created:September 10, 2008 Updated:December 1, 2009
Description: awstats through version 6.8 suffers from a cross-site scripting vulnerability; see this page for details.
Alerts:
Mandriva MDVSA-2009:266 2009-08-09
Fedora FEDORA-2008-10950 2008-12-08
Fedora FEDORA-2008-10962 2008-12-08
Fedora FEDORA-2008-10938 2008-12-08
Ubuntu USN-686-1 2008-12-04
Debian DSA-1679-1 2008-12-03
Mandriva MDVSA-2008:203 2008-09-23
Fedora FEDORA-2008-7663 2008-09-05
Fedora FEDORA-2008-7684 2008-09-05


bitlbee: account hijack

Package(s):bitlbee CVE #(s):CVE-2008-3920 CVE-2008-3969
Created:September 5, 2008 Updated:September 24, 2008
Description: Upstream released Bitlbee 1.2.2 with the following changes to the former release: - Security bugfix: It was possible to hijack accounts (without gaining access to the old account, it's simply an overwrite) - Some more stability improvements. The 1.2.3 release "completes" the fix for these problems.
Alerts:
Gentoo 200809-14 2008-09-23
Fedora FEDORA-2008-7830 2008-09-11
Fedora FEDORA-2008-7761 2008-09-11
Fedora FEDORA-2008-7712 2008-09-05
Fedora FEDORA-2008-7274 2008-09-05


clamav: multiple vulnerabilities

Package(s):clamav CVE #(s):CVE-2008-1389 CVE-2008-3912 CVE-2008-3913 CVE-2008-3914
Created:September 10, 2008 Updated:November 14, 2008
Description: Version 0.94 of clamav fixes a number of problems, including a number of denial of service vulnerabilities and "a number of unspecified vulnerabilities".
Alerts:
Fedora FEDORA-2008-9651 2008-11-14
Fedora FEDORA-2008-9644 2008-11-14
Debian DSA-1660-1 2008-10-26
Gentoo 200809-18 2008-09-25
SuSE SUSE-SR:2008:018 2008-09-19
Mandriva MDVSA-2008:189-1 2007-09-17
Mandriva MDVSA-2008:189 2007-09-09


courier-authlib: SQL injection

Package(s):courier-authlib CVE #(s):CVE-2008-2667
Created:September 8, 2008 Updated:December 26, 2008
Description:

From the Gentoo advisory:

It has been discovered that some input (e.g. the username) passed to the library are not properly sanitised before being used in SQL queries.

A remote attacker could provide specially crafted input to the library, possibly resulting in the remote execution of arbitrary SQL commands. NOTE: Exploitation of this vulnerability requires that a MySQL database is used for authentication and that a Non-Latin character set is selected.

Alerts:
Debian DSA-1688-2 2008-12-22
Debian DSA-1688 2008-12-20
Gentoo 200809-05 2008-09-05


django: cross-site request forgery

Package(s):django CVE #(s):
Created:September 4, 2008 Updated:September 10, 2008
Description: From the Mandriva alert: A cross-site request forgery vulnerability was discovered in Django that, if exploited, could be used to perform unrequested deletion or modification of data. Updated versions of Django will now discard posts from users whose sessions have expired, so data will need to be re-entered in these cases.
Alerts:
Fedora FEDORA-2008-7672 2008-09-05
Fedora FEDORA-2008-7288 2008-09-05
Mandriva MDVSA-2008:185 2007-09-03


drupal: multiple vulnerabilities

Package(s):drupal CVE #(s):CVE-2008-3740 CVE-2008-3741 CVE-2008-3742 CVE-2008-3744
Created:September 10, 2008 Updated:September 10, 2008
Description: Versions of drupal through 5.9 have several vulnerabilities, including multiple cross-site scripting issues, an unrestricted upload problem, and multiple cross-site request forgery problems.
Alerts:
Fedora FEDORA-2008-7626 2008-09-05
Fedora FEDORA-2008-7467 2008-09-05


php: multiple vulnerabilities

Package(s):php CVE #(s):
Created:September 4, 2008 Updated:September 10, 2008
Description: PHP 4 has four vulnerabilities. From the Slackware change log for PHP 4.4.9: Fixed overflow in memnstr(). Fixed crash in imageloadfont when an invalid font is given. Fixed open_basedir handling issue in the curl extension. Fixed bug #27421 (mbstring.func_overload set in .htaccess becomes global). This is the final Slackware release for PHP 4.
Alerts:
Slackware SSA:2008-247-01 2008-09-04


R: temporary file vulnerability

Package(s):R CVE #(s):
Created:September 10, 2008 Updated:September 10, 2008
Description: The R programming language suffers from a temporary file vulnerability in its "javareconf" script.
Alerts:
Fedora FEDORA-2008-7670 2008-09-05
Fedora FEDORA-2008-7619 2008-09-05

samba: wrong permissions of group_mapping.ldb

Package(s):samba CVE #(s):CVE-2008-3789
Created:September 5, 2008 Updated:January 8, 2009
Description: From the samba advisory: The file group_mapping.ldb is created with the permissions 0666. That means everyone is able to edit this file and gain additional access rights while connecting remotely to the Samba server. By manipulating the SID mappings contained in this file, it is also possible to establish a connection that runs in the privileged root context.
Alerts:
Fedora FEDORA-2008-10518 2008-12-02
Fedora FEDORA-2009-0268 2009-01-07
Fedora FEDORA-2008-7243 2008-09-05


vlc: multiple vulnerabilities

Package(s):vlc CVE #(s):CVE-2008-3732 CVE-2008-3794
Created:September 8, 2008 Updated:June 18, 2009
Description:

From the Gentoo advisory:

g_ reported the following vulnerabilities:

* An integer overflow leading to a heap-based buffer overflow in the Open() function in modules/demux/tta.c (CVE-2008-3732).

* A signedness error leading to a stack-based buffer overflow in the mms_ReceiveCommand() function in modules/access/mms/mmstu.c (CVE-2008-3794).

A remote attacker could entice a user to open a specially crafted file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.

Alerts:
Debian DSA-1819-1 2009-06-18
Gentoo 200809-06 2008-09-07


wordpress: privilege escalation

Package(s):wordpress CVE #(s):CVE-2008-3747
Created:September 5, 2008 Updated:September 12, 2008
Description: The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie.
Alerts:
Fedora FEDORA-2008-7463 2008-09-05
Fedora FEDORA-2008-7279 2008-09-05


xastir: insecure temporary files

Package(s):xastir CVE #(s):
Created:September 5, 2008 Updated:September 10, 2008
Description: Multiple insecure temporary file usage flaws were identified in the get-maptools.sh and get_shapelib.sh scripts shipped in xastir packages.

As those scripts are not needed with Fedora-distributed xastir packages (they automate installation of libraries used by xastir, which are provided in the Fedora archive in the pre-packaged RPM format), they were removed.

Alerts:
Fedora FEDORA-2008-7541 2008-09-05
Fedora FEDORA-2008-7269 2008-09-05


xine-lib: denial of service

Package(s):xine-lib CVE #(s):CVE-2008-3231
Created:September 10, 2008 Updated:June 1, 2010
Description: xine-lib up to version 1.1.15 suffers from a denial-of-service vulnerability exploitable via a corrupted Ogg file. There are also "multiple possible buffer overflows." See this advisory for more information.
Alerts:
Gentoo 201006-04 2010-06-01
Mandriva MDVSA-2009:319 2009-12-05
Fedora FEDORA-2009-3428 2009-04-09
SuSE SUSE-SR:2009:004 2009-02-17
Ubuntu USN-710-1 2009-01-26
Mandriva MDVSA-2009:020 2009-01-21
Fedora FEDORA-2009-0542 2009-01-14
Fedora FEDORA-2008-7512 2008-09-05


Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 development kernel is 2.6.27-rc6, released on September 9. "Same old deal - except it's been almost two weeks since -rc5. That said, the diff is actually about the same size, so I guess that means things are calming down." Full details may be found in the long-format changelog.

As of this writing, no patches have been merged into the mainline repository since the 2.6.27-rc6 release.

The current stable 2.6 kernel is 2.6.26.5, released on September 7. It contains a single fix for a build error introduced by 2.6.26.4, released earlier the same day. 2.6.26.4 contains a fairly long list of bug fixes.

Also released on the 7th was 2.6.25.17, also containing a fair number of fixes.

For older kernels: the 2.4 process has restarted with the release of 2.4.36.7, fixing "several minor security issues" and a few other problems. 2.4.37-rc1 is also out; this one includes a number of enhancements; see the announcement for details.


Kernel development news

Quotes of the week

There's patronage. This is where the Crown Prince of Bavaria, say, gives Linus Torvalds a castle and a moat, and bids him to write code for the pleasure of the court, or else be thrown in the dungeon with those BSD mongrels. Linus goes on to create great works, often prefaced with a large set of logon messages in praise of his honoured patron, only to die later in poverty following some dismissive comments he includes in a kernel driver about the CEO of OSDN's mistresses' pet lioness.

Critics of patronage point out to live on the whims of a distant, self-involved elite is a demeaning life for Linux programmers, reminiscent as it is of both medieval serfdom and being a mere Linux user, both of which being horrid epochs that as a civilisation we imagine we have transcended.

-- Danny O'Brien (a recycled column but still fun).

In Ubuntu we have in general considered upstream to be "our ROCK", by which we mean that we want upstream to be happy with the way we express their ideas and their work. More than happy - we want upstream to be delighted! We focus most of our effort on integration. Our competitors turn that into "Canonical doesn't contribute" but it's more accurate to say we measure our contribution in the effectiveness with which we get the latest stable work of upstream, with security maintenance, to the widest possible audience for testing and love. To my mind, that's a huge contribution.
-- Mark Shuttleworth

Grr. I'd love to say "I told you so", and write another rant about -rc series patches. But I'm too lazy, so people - please mentally insert my standard rant here.
-- Linus Torvalds

I didn't know that sending a test patch which is admittedly not pretty is a capital crime nowadays.

In future I'll restrict myself to look at such stuff only on Monday to Friday between 9AM and 5PM and send test/RFC patches only when they got approved by the nonshitapproval committee, which holds a meeting once a month.

-- Thomas Gleixner

Tightening the merge window rules

By Jonathan Corbet
September 9, 2008
The 2005 kernel summit included a discussion on a recurring topic: how can the community produce kernels with fewer bugs? One of the problems which was identified in that session was that significant changes were often being merged late in the development cycle with the result that there was not enough time for testing and bug fixing. In response, the summit attendees proposed the concept of the "merge window," a two-week period in which all major changes for a given development cycle would be merged into the mainline. Once the merge window closed, only fixes would be welcome.

Three years later, the merge window is a well established mechanism. Over that time, the discipline associated with the merge window has gotten stronger; it is now quite rare that significant changes go into the mainline outside of the merge window. The one notable exception is that new drivers can be accepted later in the cycle, based on the reasoning that a driver, being completely new and self-contained functionality, cannot cause regressions. Even then, there are hazards: the UVC webcam driver, merged quite late in the 2.6.26 cycle (in 2.6.26-rc9), brought a security hole with it.

The merge window rule is often expressed as "only fixes can go in after the -rc1 release." Recent discussions have made it clear, though, that Linus is starting to develop a rather more restrictive view of how development should go outside of the merge window. The imminent 2008 kernel summit may well find itself taking on this topic and making some changes to the rules.

In short, Linus has concluded that "fixes only" is not disciplined enough; a lot of work characterized as a "fix" can, itself, be a source of new regressions. So here's how Linus would like developers to operate now:

Here's a simple rule of thumb:
  • if it's not on the regression list
  • if it's not a reported security hole
  • if it's not on the reported oopses list
then why are people sending it to me?

There can be no doubt that the tighter rules have come as a surprise to a number of developers - if nothing else, the frequency with which Linus has found himself getting grumpy with patch submitters makes that clear.

And, the truth of the matter is that Linus has not enforced anything like the above rule in the past. Beyond new drivers, post-merge-window changes have typically included things like coding style and white space fixups, minor feature enhancements, defconfig updates, documentation updates, annotations for the sparse tool, and so on. Relatively few of these changes come equipped with an entry on the regression list.

To look at this another way, here's a table which appeared in the 2.6.26 development statistics article, updated with 2.6.27 (to date) information:

Changesets merged

Release    For -rc1    After -rc1
2.6.23     4505        2570
2.6.24     7132        3221
2.6.25     9629        3078
2.6.26     7555        2577
2.6.27*    7733        2451

* (Through September 9).

2.6.27 appears to be following the trend set by previous kernels: on the order of 25% of the total changesets will be merged outside of the nominal merge window. The most recent 2.6.27 regression summary shows a total of 150 regressions during this development cycle, of which 33 were unresolved. That suggests that at least 2300 patches merged since 2.6.27-rc1 were not fixes for listed regressions.

So the "regression fixes only" policy is truly new - and not really effective yet. Should this policy hold, it could have a number of interesting implications including, perhaps, an increase in the number of non-regression fixes shipped in distributor kernels. It might make developers become more diligent about reporting regressions so that the associated fix can be merged. With fewer changes going in later in the cycle, development cycles might just get a little shorter, perhaps even to the eight weeks that was, once, the nominal target. And, of course, we might just get kernel releases with fewer bugs, which would be a hard thing to complain about. In the short term, though, expect more grumpy emails to developers who are still trying to work by the older rules.

LIRC delurks

By Jonathan Corbet
September 10, 2008
The Linux Infrared Remote Control project (LIRC) provides drivers for a number of infrared receivers and transmitters. It is, perhaps, most heavily used by people running MythTV and similar packages; it would, after all, completely ruin the experience to have to get up from the couch to change channels. Despite their established user base, and despite the fact that a number of distributors ship the code, the LIRC drivers have never found their way into the mainline kernel. In more recent times, little effort has gone into their development and maintenance; the link to "Caldera OpenLinux" on the project's web site would seem to make that clear.

But LIRC is useful code, and, as is the case with most out-of-tree drivers, most people would really rather see LIRC in the mainline kernel. Merging into the mainline got a step closer on September 9, when Jarod Wilson posted a version of the LIRC drivers for consideration. Jarod, it seems, has been working (with Janne Grunau) on these drivers for some months; in the process, they have eliminated "tens of thousands" of complaints from the checkpatch.pl script and cleaned up a number of things.

Even after that work, though, the LIRC drivers are clearly not yet up to normal kernel standards. Some very strange coding conventions are used in places. Many of the drivers have broken (or completely absent) locking. Duplicated code abounds. One driver has implemented a command parser in its write() function. Another driver is for hardware which already has a different driver in the mainline. And, importantly, these drivers do not work with the input subsystem.

In the past, Linus Torvalds (and others) have argued for merging drivers as soon as possible. If the code is poor, its chances of being improved get much higher once it's in the mainline and others can fix it. The LIRC drivers would appear to strongly support the notion that out-of-tree code is, almost by necessity, worse code. These drivers have been around for almost a decade, have been packaged by distributors, and have been used by large numbers of people. Despite all of that, they contain a large number of serious problems which have never been addressed.

Now that the drivers have been posted to the linux-kernel list, quite a few of these problems are being pointed out; Jarod and Janne have been responding to reviews and fixing the issues. The "merge drivers early" philosophy would argue for pushing LIRC into 2.6.28, even if serious problems remain. Presence in the mainline will raise the visibility of the code, inspiring (one hopes) more developers to work on fixing it up. Merging LIRC will also free distributors from the need to create separate packages for those drivers.

One important question will have to be addressed before merging LIRC can be seriously considered, though: its user-space API. Once LIRC is merged, its user-space API will be set in stone, so any problems with that API need to be resolved first. LIRC, being out of the mainline, did not follow the development of the input subsystem, so it does not behave like other input drivers - even in-tree drivers for infrared remotes. The use of an in-kernel command-line parser in at least one driver is sure to raise eyebrows; that sort of interaction should really be handled via ioctl() or sysfs. All told, it is hard to imagine this code being merged until the API problems have been resolved.

Changing the LIRC API will, of course, lead to problems of its own. There is user-space code which depends on the current API; any changes will break that code. The kernel community will certainly understand this problem, but is unlikely to be swayed by it. There are a number of risks associated with maintaining production kernel code out of the mainline tree; one of those risks is that your established APIs will not be accepted by the kernel development community. So an API change may simply be part of the cost of getting LIRC into the mainline at this late date.

It should be a cost worth paying. Once LIRC is in the mainline, interested developers will work to continue to bring the code up to kernel standards. The community will maintain it going forward. All Linux users will get the LIRC drivers with their kernel, with no need to deal with external packages. Getting there may be a bit frustrating for users of remotes and (especially) for the developers who have taken on the task of getting this code into the mainline. But, once it's done, remotes will just be more normal hardware, supported by the kernel like everything else.

System calls and rootkits

By Jake Edge
September 10, 2008

A patch to add some security checks before making system calls would seem like a reasonable addition to the kernel, but because it is, at best, a half-measure, it received a less than enthusiastic response. Preventing rootkits—malware that alters the kernel to hide its presence and function—from altering the system call table was the rationale behind the patch, but it would only work for the current crop of rootkits. Once that change was made, rootkit authors would just change their modus operandi in response.

There are many possible ways that a root user—or malware running as root—can modify a Linux system to run rootkit code. Some currently "popular" rootkits modify the system call table, though it is ostensibly read-only. Some commercial malware scanners that run on Linux have also been known to use this technique. In both cases, certain system calls are re-routed from the standard kernel code to code that lives elsewhere. That code, running in kernel mode, can then do just about anything it wants with the system.

Arjan van de Ven proposed a patch that hooked into the system call entry code to check the address of the call to ensure that it was within the addresses occupied by kernel code. He describes the change and its impact this way:

The patch below, while obviously not perfect protection against malware, adds some cheap sanity checks to the syscall path to verify the system call is actually still in the kernel code region and not some external-to-this region such as a rootkit.

The overhead is very minimal; measured at 2 cycles or less. (this is because the branches get predicted right and the rest of the code is almost perfectly parallelizable... and an indirect function call is a branch issue anyway)

Various kernel hackers pointed out the flaws inherent in that scheme. As Andi Kleen succinctly puts it:

This just means that the root kits will switch to patch the first instruction of the entry points instead. [...] So the protection will be zero to minimal, but the overhead will be there forever.

One of the more interesting ideas to come out of the discussion was Alan Cox's thoughts on using a hypervisor to enforce protections:

The only place you can expect to make a difference here is in virtualised environments by teaching KVM how to provide 'irrevocably read only' pages to guests where the guest OS isn't permitted to change the rights back or the virtual mapping of that page.

Ingo Molnar described a rather complicated scheme that might increase the likelihood of a rootkit being detected, but with a fairly high cost—in build complexity as well as the ability to debug the resulting kernel. The compiler would be changed to insert calls to rootkit checks randomly throughout the kernel binary in ways that would be difficult or impossible for a rootkit to detect and evade. In the end, though, a rootkit could simply install a new kernel that does exactly what it wants, then cause, or wait for, a reboot.

Without some kind of hardware enforcement (e.g. Trusted Platform Module) or locked-down virtualization, Linux is defenseless against attacks that run as root. The kernel could change to thwart a particular kind of attack, such as van de Ven's patch, but other kinds of attacks will still succeed. It is clearly a situation where "the only way to win is not to play this game", as Pavel Machek—amongst others—noted in the thread.

In the end, van de Ven wrote off the patch as an exercise in measuring the cost of this kind of runtime checking. It was a fairly low-cost solution, but without any major upside. The real upside was getting kernel hackers thinking about the problem, which could lead to some better solutions down the road.
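
The range check that van de Ven's patch describes, and the gap Andi Kleen points out, modelled in user space as an added example (this is not the patch or any kernel code). Every address, size and function name is constructed, and the entry-byte comparison against a known-good copy is an assumption that was not proposed in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_CALLS   4        /* constructed: slots in the toy call table */
#define TEXT_BASE  0x1000u  /* constructed: start of the toy "kernel text" */
#define TEXT_SIZE  0x400u   /* constructed: its length in bytes */
#define ENTRY_LEN  8u       /* bytes compared at each handler entry */

/* Toy system: a text image, a known-good copy of it, and a call table
 * holding handler addresses. Nothing here touches a real kernel. */
struct toy_system {
    uint8_t   text[TEXT_SIZE];
    uint8_t   baseline[TEXT_SIZE];
    uintptr_t table[NR_CALLS];
};

/* The range check: is addr inside [TEXT_BASE, TEXT_BASE + TEXT_SIZE)?
 * Unsigned subtraction folds both bounds into a single comparison. */
static int in_text(uintptr_t addr)
{
    return (addr - TEXT_BASE) < TEXT_SIZE;
}

/* Fill the text with constructed bytes, snapshot it as the baseline, and
 * point each table slot at a handler entry 0x100 bytes apart. */
static void toy_init(struct toy_system *s)
{
    for (size_t i = 0; i < TEXT_SIZE; i++)
        s->text[i] = (uint8_t)(i * 7u + 3u);
    memcpy(s->baseline, s->text, TEXT_SIZE);
    for (size_t n = 0; n < NR_CALLS; n++)
        s->table[n] = TEXT_BASE + n * 0x100u;
}

/* Check 1: count table slots whose target lies outside the text region. */
static int count_out_of_text(const struct toy_system *s)
{
    int bad = 0;
    for (size_t n = 0; n < NR_CALLS; n++)
        if (!in_text(s->table[n]))
            bad++;
    return bad;
}

/* Check 2 (assumption, not from the thread): compare the first ENTRY_LEN
 * bytes of each in-range handler against the known-good copy. */
static int count_modified_entries(const struct toy_system *s)
{
    int bad = 0;
    for (size_t n = 0; n < NR_CALLS; n++) {
        uintptr_t a = s->table[n];
        if (!in_text(a))
            continue;                       /* already counted by check 1 */
        size_t off = (size_t)(a - TEXT_BASE);
        size_t len = TEXT_SIZE - off < ENTRY_LEN ? TEXT_SIZE - off : ENTRY_LEN;
        if (memcmp(s->text + off, s->baseline + off, len) != 0)
            bad++;
    }
    return bad;
}

/* Scenario A: a table slot now holds an arbitrary target address. */
static void redirect_slot(struct toy_system *s, size_t n, uintptr_t target)
{
    s->table[n] = target;
}

/* Scenario B: the table is untouched, but the bytes at a handler's entry
 * no longer match the baseline (the case Andi Kleen describes). */
static void alter_entry_bytes(struct toy_system *s, size_t n)
{
    if (in_text(s->table[n]))
        s->text[s->table[n] - TEXT_BASE] ^= 0xff;
}

static void report(const char *label, const struct toy_system *s)
{
    printf("%-22s out-of-text=%d modified-entries=%d\n",
           label, count_out_of_text(s), count_modified_entries(s));
}

int main(void)
{
    struct toy_system s;

    toy_init(&s);
    report("clean", &s);

    redirect_slot(&s, 2, 0x9000u);   /* constructed address outside text */
    report("slot redirected", &s);   /* the range check catches this */

    toy_init(&s);
    alter_entry_bytes(&s, 1);
    report("entry bytes changed", &s); /* the range check sees nothing */
    return 0;
}
```

The third scenario is the reason the thread judged the check a half-measure: the pointer still lands inside the text region, so only a comparison against something the attacker cannot rewrite would notice the change.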

Page editor: Jonathan Corbet

Distributions

News and Editorials

What's up with the Intrepid Ibex

By Rebecca Sobol
September 10, 2008
Ubuntu's current development release is called the Intrepid Ibex, which is soon to become v8.10. The Alpha5 release was announced this week, which is pretty close to on schedule. One more alpha release is planned, followed by a single beta, and the final release should be available by October 30, 2008.

Looking at the blueprints for Intrepid we see a number of high priority items such as 3G networking, which will be integrated into NetworkManager. Another high priority item is an improved flash experience, which is aimed at improving the plugin finder wizard, better interaction with sites that use the flash detection kit, and an improved user-experience for selecting available alternatives. Internally there are the Package Status Pages, which are meant to provide a web page for each of the top 20-30 packages in Ubuntu showing bug counts and other vital signs and statistics.

What else is new in Intrepid? GNOME 2.23.91, X.Org server 7.4, Linux kernel 2.6.27, and Network Manager 0.7 are all being included. An encrypted private directory will also be added to each home directory. In addition, there's a Guest session available from the User Switcher panel applet to give temporary access with restricted privileges.

Dynamic Kernel Module Support (DKMS) is also available in Intrepid. It allows kernel drivers to be automatically rebuilt when new kernels are released. This makes it possible for kernel package updates to be made available immediately without waiting for rebuilds of driver packages, and without third-party driver packages becoming out of date. Finally, the "Last successful boot" recovery entry retains a copy of your running kernel and makes it available from the boot loader. This makes it possible for old kernel packages to be safely auto-removed by the package manager, instead of being kept indefinitely.

Kubuntu will be using KDE4, with no plans to support KDE3. The Kubuntu wiki for Intrepid says, "KDE 3 is obsolete and largely unmaintained. Keeping with KDE 3 would offer no advantage over giving users Hardy."

Bug squashing has been ongoing, with a number of focused Hug Days. The latest of these will be held September 11 to focus on bugs that don't have a package assigned to them.

There are still a few known issues in the Alpha5 release, but overall the development is progressing nicely. Of course, if wild mountain goats are not your thing (however intrepid they might be), you can always wait for the more mythological Jaunty Jackalope, which will be in the planning stages at an Ubuntu Developer Summit (UDS) in Mountain View, California next December.

New Releases

Intrepid Alpha 5 released

Ubuntu's Intrepid Ibex (v8.10) has reached the fifth alpha release. Intrepid Alpha 5 is also available in Ubuntu Education Edition, Kubuntu and Xubuntu flavors.

Distribution News

Debian GNU/Linux

Debian/m68k meeting in Kiel

The Debian m68k porters met recently at the Christian Albrechts University in Kiel, Germany. The m68k port will not be officially supported in Debian Lenny. "The most pressing matter we discussed, however, has been what we thought the best way to go forward was. Contrary to what some people may think, the end of Debian/m68k on debian.org to us does not mean the end of the Debian/m68k port as a whole; and while we may be having problems currently, most of these problems are on their way to being solved medium to long term."

Fedora

Fedora status update

There's a new update on the status of updates for the Fedora 8 and 9 distributions. "We're in the final stages of testing a few corner cases, and preparing the official builds of fedora-release, PackageKit, gnome-packagekit, and unique (needed as a new dep for gnome-packagekit). All existing updates in the old update locations will be purged, and just these updates will be put in their place, signed with our old key. Once you've updated to these packages, the next update attempt will point you to our new locations with our new keys and you should be able to process any further pending updates." Things should be getting back to normal before too long.

Fedora 8 and 9 updates re-enabled

Newly signed packages, along with a rather large backlog of updates, for Fedora 8 and 9 are making their way out to the mirrors and should be available to users soon. The process of getting the new keys and repository locations is meant to be fairly straightforward—nearly transparent. A FAQ is available as well. "In a few hours, updates for Fedora 8 and Fedora 9 will start hitting mirrors. These updates are designed to transition users from our old repo locations to new locations that have all our updates re-signed with a new set of keys." Click below for the full announcement.

FESCo Issue tracking

The Fedora Engineering Steering Committee (FESCo) has a new way for users to bring issues to their attention. New issues for FESCo can now be filed at https://fedorahosted.org/fesco/. "Note that FESCo (Fedora Engineering Steering Committee) handles the process of accepting new features, the acceptance of new packaging sponsors, Special Interest Groups (SIGs) and SIG Oversight, the packaging process, handling and enforcement of maintainer issues and other technical matters related to the distribution and its construction"

SUSE Linux and openSUSE

KDE in openSUSE 11.1 and beyond

Joe Brockmeier looks at the status of KDE in openSUSE 11.1. KDE 3.5 will be available, although the package selection may be slimmed down on the DVD, and will not be included on the main desktop selection page. Click below for more on the availability of KDE 3.5 in 11.1 and in 11.2.

Ubuntu family

Introducing the Jaunty Jackalope

Ubuntu has announced the follow-up to the Intrepid Ibex, this time with a mythical creature, the Jaunty Jackalope. "The Warrior Rabbit is our talisman as we move into a year where we can reasonably expect Ubuntu to ship on several million devices, to consumers who can reasonably expect the software experience to be comparable to those of the traditional big OSV's - Microsoft and Apple. The bar is set very high, and we have been given the opportunity to leap over it. It's a once-in-a-lifetime chance to shine, and we want to make sure that the very best thinking across the whole open source ecosystem is reflected in Ubuntu, because many people will judge free software as a whole by what we do." Click below for the full announcement.

New Distributions

Ojuba Linux

Ojuba Linux is an Arabic Fedora-based distribution with packages translated to Arabic/Islamic languages such as hijra and minbar. Many packages have been patched to have better Arabic support. Ojuba Linux comes with some third party packages to have multimedia support for proprietary formats and proprietary drivers. Thanks to Muayyad AlSadi.

Distribution Newsletters

DistroWatch Weekly, Issue 269

The DistroWatch Weekly for September 8, 2008 is out. "This week's feature story is a review of Debian GNU/Linux 5.0 "Lenny" on the ASUS Eee PC. With Debian being the first Linux distribution to have an open communication channel with the Taiwan-based hardware manufacturer, our expectations were high, but is Lenny really a good choice for the popular ultra-portable? Read on to find out. In the news section, Google restarts the browser war with Chrome, Dell unveils the long-awaited Inspiron Mini 9, Mandriva Linux 2009 enters the release candidate stage, and Fedora calls on beta testers to help with testing the promising ext4 file system. Also worth a mention, a new community edition of openSUSE 11.0 with Enlightenment as its principal window manager is now available for download. Finally, a lot of interesting news for the fans of Linux Mint as Clement Lefebvre announces a range of upcoming community editions before giving an excellent interview on a Linux news blog."

Fedora Weekly News, Issue 142

The Fedora Weekly News for September 7, 2008 is out. "This week in Announcements we alert you to the "Fedora 10 Beta Freeze Coming Soon" and the new "FESCo Issue Tracking". In PlanetFedora "Tech Tidbits" contains some juicy morsels on evaluating package sizes and Haskell. In Developments we examine the process of "Getting Back On Our Feet" after the intrusions. SecurityAnnouncements finally has some content. Artwork covers "Working on a Sound Theme" and the acceptance of the "Echo Icon Theme as a Fedora 10 Feature""

OpenSUSE Weekly News/37

This edition of the openSUSE Weekly News looks at Hack Week III Judging, Novell OpenPR Blog: Zonker Blogs, Board election, Hackweek review, Jigish Gohil: Spin openSUSE Live CD or USB stick image "easily", Stephan Binner: New KDE Four Live-CDs, and much more.

PCLinuxOS Magazine September 2008

The September edition of PCLinuxOS Magazine is available in the HTML version or the PDF version. Some highlights from this edition include: Linux Media Players - Round up, Gnome User Guide, Connect an XBox and PCLinuxOS, Chapter 6- Kde User Guide, and more.

Ubuntu Weekly Newsletter #107

The Ubuntu Weekly Newsletter for September 6, 2008 covers: Intrepid Alpha 5 released, KDE Community Stabilizes Desktop with KDE 4.1.1, KDE 4.1.1 available for Kubuntu 8.04, Wanted: Moderators for Ubuntu Brainstorm, Ubuntu Developer Week Summary, PackageKit: Call for testing, New MOTU, Ubuntu Package Status Pages, New Proposed WikiGuide page, Call for feedback on new wiki theme, Ubuntu-UK podcast #13, Say Ubuntu, KDE Usability project video, Atlanta Linux Fest, and much more.

Interviews

Interview with Joe Brockmeier - openSUSE Community Manager at Novell (How Software is Built)

How Software is Built has an interview with Joe Brockmeier. "Sean: Tell us a bit about where you feel openSUSE sits in the landscape of desktop distributions. What do you think it's exceedingly good at, and maybe some of the places where you see challenges or opportunities? Joe: Generally, my metric for success on the desktop is how well it fits what people need. I don't really spend a lot of time comparing it to other Linux distros, because I really think we all have the same mission, which is to get people using Linux. So I don't view them as competition, so much as inspiration, if anything. The audience we're trying to address includes home office users and others who want a good, solid desktop operating system that's as easy to use as possible. I think openSUSE is exceedingly good at package management, being easy to use, offering a top-notch desktop experience in GNOME or KDE, and providing a wide range of the best free and open source software available. Our challenge is reaching new users and encouraging more users to become contributors."

Minty Chat with Mr. Clement Lefebvre (Help for Linux)

The BlogSpot site Help For Linux has an interview with Clement Lefebvre, the creator of Linux Mint. "Linux Mint is a project which is among the most innovative and prolific in regards to developing GTK applications. Of course we like to make the distribution look nice, we do include the codecs and we do sit on top of a great package base (credit for this goes to Ubuntu but also to Debian by the way). What we do though, where we spend a lot of time and where we really add value to the Linux desktop has to do with development. We implemented our own software and upgrade managers, we have a unique Gnome menu, we designed a file-sharing system which doesn't exist anywhere else and these are some of the things we like to be appreciated for."

Page editor: Rebecca Sobol

Development

The OpenBTS project creates a stand-alone cell phone network

By Forrest Cook
September 10, 2008

On September 3, 2008, Harvind Samra announced the new OpenBTS project:

The Open BTS Project is an effort to construct an open-source Unix application that uses the Universal Software Radio Peripheral (USRP) to present a GSM air interface ("Um") to standard GSM handset and uses the Asterisk software PBX to connect calls. The combination of the ubiquitous GSM air interface with VoIP backhaul could form the basis of a new type of cellular network that could be deployed and operated at substantially lower cost than existing technologies in greenfields in the developing world.

OpenBTS is currently a work in progress. Released components (and the associated pile of telecom acronyms) include a Gaussian minimum-shift keying (GMSK) radio modem and interface code for the USRP hardware, GSM forward error correction (FEC) coders and decoders, GSM L3 message serializers/deserializers, a hybrid GSM/SIP control layer, and a partial short message service (SMS) stack implementation. There are plans for expanding the functionality of the various components of the code.

The fairly short project FAQ notes a potential legal issue with a proposed workaround solution: "Although the project founders have built a more complete GSM BTS (base transceiver station), some of that code may be the subject of a legal dispute. While the authors deny any wrongdoing in this matter, it would still not be prudent to release all of the code in these circumstances... Hopefully, the incomplete parts can be replaced quickly."

The OpenBTS developers ran a recent alpha-level system field test at the 2008 Burning Man art/technology festival in the Nevada desert. They applied for and received a temporary FCC license, memorialized by this poster, in order to keep everything legal with the licensing authorities. Around $7000 worth of radio equipment was assembled. To top it off, everything was powered by a small wind generator and a 12V battery.

A WiFi backhaul connection was made to a nearby satellite ground station to provide VoIP connectivity to the external world. Some interesting technical problems were encountered, including being flooded by connections from active cell phones that were looking for connection points when the system was first activated. Another issue discovered was a "security hole" involving unlimited external long distance dialing. After sorting through the various issues, the system was declared operational. Many in-system and external voice and text connections were made, and the alpha test was declared a success.

The live field test resulted in exposing a lot of real-world problems that led to numerous code improvements. There's no doubt that sitting in a tent in a hot and windy desert is a fairly difficult environment to develop code in, but progress was made nonetheless. The OpenBTS project illustrates the kind of technical advances that can be made by a small, but dedicated group of people using open-source software and open hardware.

System Applications

Audio Projects

PulseAudio 0.9.12 released

Version 0.9.12 of the PulseAudio sound server has been announced. See the change log for more details.

Database Software

PostgreSQL Weekly News

The September 7, 2008 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

pysqlite 2.5.0 released

Version 2.5.0 of pysqlite, a DB-API 2.0-compliant database interface for SQLite, has been announced. "This is a release with major new features."

Networking Tools

Net-SNMP: 5.4.2 released (SourceForge)

Version 5.4.2 of Net-SNMP has been announced. "net-snmp provides tools and libraries relating to the Simple Network Management Protocol including: An extensible agent, An SNMP library, tools to request or set information from SNMP agents, tools to generate and handle SNMP traps, etc. I'm happy to announce the release of version 5.4.2 of Net-SNMP, which is the newest version in the development of the project and contains many bug fixes over the 5.4.1 release."

SkipoleMonitor 0.8 released

Version 0.8 of SkipoleMonitor has been announced. "SkipoleMonitor is a free network monitor for Windows and Linux. On running the program, a GUI window appears, and hosts can be added, which Skipole Monitor will regularly ping, showing the results via a built-in Web server. Hosts can be grouped, so the Web server will show group symbols which the viewer can open to inspect the hosts, or further sub-groups, within. As hosts (and groups of hosts) change status, SkipoleMonitor can be set to send email and syslog alerts."

Web Site Development

Django 1.0 released

Version 1.0 of the Django web development platform has been announced. "No, you’re not hallucinating, it’s really here. Around three years ago, Adrian, Simon, Wilson and I released some code to the world. Our plan was to hack quietly on it for a bit, release a solid 1.0 release, and then really get the ball rolling. Well. What happened, of course, was that an amazing community sprung up literally overnight — our IRC channel had over a hundred people in it the day after release, and it’s never been that “empty” since." See the release notes for more information.

Midgard 8.09.0beta2 released

Version 8.09.0beta2 of Midgard, a web content management system, has been announced. "When finalized, the 8.09 "Ragnaroek LTS" will be a Long Term Support version of Midgard for which bug fixes and minor feature improvements will be supplied by the Midgard community for several years. It is recommended that all Midgard users upgrade their installations to the Midgard 8.09 series for stability, performance and maintenance reasons."

Rails 2.1.1: Lots of bug fixes

Version 2.1.1 of the Rails web development platform has been announced. "Rails 2.1.1 is another maintenance release that includes a bunch of bug fixes and a fix for the REXML vulnerability. I’ve extracted all the changes from the CHANGELOGs into a single Gist. Enjoy!"

web2py 1.40 is out

Version 1.40 of web2py, a Python-based web development platform, has been announced. "version 1.40 includes: - Database Abstraction Layer for SQLite, MySQL, PostgreSQL, MSSQL, FireBird, Oracle, and the Google App Engine. - More handlers for wsgi, fastcgi, mod_python and cgi (for the google app engine). - Setup scripts for production deployment."

Full Story (comments: none)

Miscellaneous

Andutteye: 3.0 is released (SourceForge)

Version 3.0 of Andutteye has been announced. "Andutteye is an open source systems management platform that automates enterprise data centers and keeps them running. Andutteye provides a full featured and central monitoring and management solution."

Comments (none posted)

Desktop Applications

Business Applications

PostBooks: 3.1 beta 2 (SourceForge)

Version 3.1 beta 2 of PostBooks has been announced; it includes several new capabilities. PostBooks is: "Fully integrated ERP, CRM, and accounting for small to midsized businesses. Graphical client runs on Linux, Mac, and Windows (built with open source Qt framework). Business logic resides in PostgreSQL database server. Fully international-ready."

Comments (1 posted)

Data Visualization

python-graph 1.2.0 released

Version 1.2.0 of python-graph has been announced. "python-graph is a library for working with graphs in Python. This software provides a suitable data structure for representing graphs and a whole set of important algorithms."

Full Story (comments: none)

Desktop Environments

GNOME 2.24.0 Beta 2 (2.23.91) Released

Version 2.24.0 Beta 2 of GNOME has been announced. "You all know what you have to do now. Go download it. Go compile it. Go test it. And go hack on it, document it, translate it, fix it."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Encryption Software

GPA 0.8.0 released

Version 0.8.0 of GPA has been announced. "GPA is a graphical frontend for the GNU Privacy Guard. GPA can be used to encrypt, decrypt, and sign files, to verify signatures and to manage the private and public keys. This is a development release. Please be careful when using it on production keys."

Full Story (comments: none)

Libgcrypt 1.4.2 released

Version 1.4.2 of Libgcrypt has been announced; some new capabilities have been added. "The GNU project is pleased to announce the availability of Libgcrypt version 1.4.2. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt."

Full Story (comments: none)

Financial Applications

LedgerSMB 1.2.16 released

Version 1.2.16 of LedgerSMB, a web-based financial system, has been announced. "This version corrects one issue introduced in 1.2.15 and a variable scoping issue which prevents Perl 5.10.0 from working as expected in some cases. Users are advised to upgrade, but those who are using pricematrix logic and who are using versions prior to 1.2.15 should put the release through some light testing before putting it into production."

Full Story (comments: none)

Games

cocos2d 0.3.0 released

Version 0.3.0 of cocos2d has been announced; it includes new features and bug fixes. "cocos2d is a framework for building 2D games, demos, and other graphical/interactive applications."

Full Story (comments: none)

Interoperability

Wine 1.1.4 announced

Version 1.1.4 of Wine has been announced. Changes include: "Substantial chunks of WinHTTP are implemented. More JavaScript support. Beginnings of shell AppBar implementation. Several fixes for Google Chrome support. Chinese translations. Various bug fixes."

Comments (none posted)

Multimedia

Elisa Media Center 0.5.9 released

Version 0.5.9 of Elisa Media Center has been announced. "This release introduces a number of important new features, among which: - Login to restricted services (therefore allowing more functionalities for said services inside Elisa for logged in users); currently supported: Yes.fm; next on the list: Flickr. - A search engine: currently allows you to search for music in your local collection and on Yes.fm if logged in. - A tight integration of the brand new Yes.fm, an online music service (currently limited to Spain), in the UI, allowing local collection completion among other cool features. - Photo browsing by date."

Full Story (comments: none)

Office Applications

Chandler Desktop 1.0.1 released

Version 1.0.1 of Chandler Desktop has been announced. "The Chandler Project is an open source, standards-based information manager designed for personal use and small group collaboration. Chandler Desktop 1.0.1 is a bug fix update to the previous full release, 1.0. For more information, see the following blog post: http://blog.chandlerproject.org/2008/09/10/chandler-deskt..."

Full Story (comments: none)

Science

libquantum 1.0.0 and 1.1.0 released

Versions 1.0.0 and 1.1.0 of libquantum have been announced. "libquantum is a highly optimized C library for the simulation of quantum systems, especially of quantum computers. Prominent features include simulation of decoherence effects, quantum error correction."

Full Story (comments: none)

Speech Software

eSpeak 1.39 released

Version 1.39 of eSpeak, a text to speech converter, has been announced. "Fix for crash with some SSML tags. From the ChangeLog file: Minor language improvements: French, English/US Fix missing phoneme translations for mbrola French voice."

Comments (none posted)

Web Browsers

Firefox 3.1 Alpha 2 now available for download

Version 3.1 Alpha 2 of Firefox has been announced. "The second developer milestone of the next release of Firefox - code named Shiretoko Alpha 2 - is now available for download. Shiretoko is built on pre-release version of the Gecko 1.9.1 platform, which forms the core of rich internet applications such as Firefox. Please note that this release is intended for developers and testers only. This Alpha of Shiretoko / Gecko 1.9.1 introduces several new features."

Full Story (comments: none)

Google Launches New Browser (MozillaZine)

MozillaZine discusses the new Google Chrome browser. "Google has launched a new open source browser, Chrome. The new browser boasts a minimalistic UI, a new Javascript engine dubbed V8, and sandboxed tabs to prevent one tab from crashing the browser. Chrome uses components from Apple's webkit and Mozilla Firefox."

Comments (none posted)

Miscellaneous

aria2: 0.15.3 released (SourceForge)

Version 0.15.3 of aria2 has been announced. "aria2 is a utility for downloading files. The supported protocols are HTTP(S),FTP,BitTorrent,Metalink. It can download a file from multiple sources/protocols and tries to utilize your maximum download bandwidth. This release fixes the bug in chunk checksum validation and infinite loop in FTP downloads and segmentation fault when downloading gzipped file from Metalink. Turkish translation was added and German and Russian translations were updated."

Comments (none posted)

Languages and Tools

C

GCC 4.4.0 Status Report

The September 9, 2008 edition of the GCC 4.4.0 Status Report has been published. "Trunk is in Stage 3, so only bug fixes, documentation changes and new ports are generally allowed, subject to the discretion of individual maintainers. I discussed the nature of that discretion and how some maintainers need to be more conservative than others..."

Full Story (comments: none)

Caml

Caml Weekly News

The September 9, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)

Python

ftputil 2.3 released

Version 2.3 of ftputil, a high-level FTP client library for Python, has been announced. "ftputil has got support for the ``with`` statement which was introduced by Python 2.5. You can now construct host and remote file objects in ``with`` statements and have them closed automatically (contributed by Roger Demetrescu)."

Full Story (comments: none)

Jython 2.5 Alpha 2 released

Version 2.5 Alpha 2 of Jython, a Java-based Python implementation, has been announced. "Django runs pretty well on this release. I am attending Djangocon where Jim Baker and Leo Soto will be presenting on Django on Jython, and I wanted them to be able to tell people to grab a release instead of telling them to grab Jython from svn. There are many bug fixes, but also many bugs that have not yet been fixed."

Full Story (comments: none)

Python-URL! - weekly Python news and links

The September 9, 2008 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Tcl/Tk

Tcl-URL! - weekly Tcl news and links

The September 4, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Tcl-URL! - weekly Tcl news and links

The September 10, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Editors

Emacs 22.3 released

Version 22.3 of Emacs has been announced. "Emacs 22.3 is a bugfix release."

Full Story (comments: none)

IDEs

DrJava: Stable Update 20080904 (SourceForge)

Stable Update 20080904 of DrJava has been announced. "DrJava is a lightweight programming environment for Java designed to foster test-driven software development. It includes an intelligent program editor, an interactions pane for evaluating program text, a source level debugger, and a unit testing tool. Available for download at http://drjava.org. This is a minor update to the recent stable release, fixing a bug in the execution of unit tests."

Comments (none posted)

Version Control

monotone 0.41 released

Version 0.41 of the monotone distributed version control system has been announced. "This version mainly fixes some annoying bugs and adds few new features, mainly in the automation area."

Full Story (comments: none)

yap: Yet Another (Git) Porcelain

An early release of yap has been announced. "After starting yap several weeks ago, I feel it has reached a level of maturity that makes it suitable for public consumption. yap is three things, in increasing order of relevance: 1) A git porcelain implemented in python 2) A git porcelain with a friendlier, more orthogonal interface 3) An extensible git porcelain"

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Putting A 'Korset' On The Spread Of Computer Viruses: Invention Stays One Step Ahead Of Anti-virus Software (Science Daily)

Science Daily takes a look at Korset, a program that fights malware. "Prof. Wool and Ben-Cohen have built an open-source software solution for servers that run on Linux. "We modified the kernel in the system's operating system so that it monitors and tracks the behavior of the programs installed on it," says Prof. Wool. Essentially, he says, they have built a model that predicts how software running on a server should work. If the kernel senses abnormal activity, it stops the program from working before malicious actions occur. "When we see a deviation, we know for sure there's something bad going on," Prof. Wool explains."

Comments (21 posted)

The Fedora-Red Hat Crisis (Datamation)

Here's a Datamation article raising concerns about the relationship between Fedora and Red Hat resulting from the handling of the recent security problems. "The damage to Fedora's credibility is potentially immense. In a matter of days, Red Hat has quashed Fedora's claim to independence. It has also threatened the credibility of the Red Hat employees who manage Fedora -- people whose devotion to FOSS has always been clear in their actions and dedication." (Thanks to LWN reader dowdle).

Comments (48 posted)

Trade Shows and Conferences

Akademy 2008 was Amazing (KDE.News)

KDE.News reports from Akademy 2008. "We played. We worked hard. We drank beer and we ate food. We even discussed eating food. We listened to talks. We brainstormed. We discussed. We designed. And we wrote code. But after a long and busy week, it was time to go home. Most of us have regained our strength after this exhausting, yet energising week, and we are looking back at one of the best meetings we ever had."

Comments (none posted)

OSCON 2008 presentations, videos posted (Linux-Watch)

Linux-Watch wraps up OSCON, the O'Reilly Open Source Convention held last July. "This year, OSCON introduced the Open Mobile Exchange, a one-day event addressing business, technology, web, and open source topics related to the mobile technology industry. Other events included a "hallway track" held to "debate and discuss important issues," as well as an OSCamp, a freewheeling user-directed "unconference" that was open to all comers. The event was further enlivened by the colocation of the second annual Ubuntu Live developers conference held during the first two days of OSCON at the same Oregon Convention Center location."

Comments (none posted)

Companies

A Question About the Novell-Microsoft Deal (Groklaw)

Groklaw questions the recent Novell-Microsoft deal. "I've been thinking about something for a few days now. It's about the latest Novell-Microsoft deal that was announced on August 20, where Microsoft agreed to buy another $100 million worth of vouchers from Novell. I was wondering: how come two public companies can make a deal that seems to me to be material and yet keep pieces of the deal secret?"

Comments (7 posted)

Linux Adoption

Linux in U.S. Schools: Why the Resistance? (IT Management)

Matt Hartley questions the slow adoption of Linux by US schools. "“Software alternatives are just not available for Linux.” I hear the statement above almost everyday. What makes the statement so ridiculous is that it is completely inaccurate 99 percent of the time. Normally I would dismiss this as the loss of the person or the business that has opted to limit their horizons with their platform decisions, but when I hear this coming from schools...I find myself shaking my head in complete disbelief."

Comments (32 posted)

Switching From Windows To Linux In 3 Easy Steps (Linux Journal)

Shawn Powers advocates switching friends to Linux one application at a time. "It's painless for a person to try open source applications in Windows. The beauty is that open source apps speak for themselves, and tend to work amazingly well, "selling" themselves without much convincing required." Some cross-platform, open source applications to get people started are Firefox, OpenOffice.org, Abiword, VLC, Pidgin, Stellarium and Songbird.

Comments (4 posted)

Interviews

Interview: JOLIE and Service-Oriented Computing Explained (KDE.News)

KDE.news has an interview with Fabrizio Montesi, one of the developers of the JOLIE language for "service-oriented computing". "Which is what JOLIE is all about - a generic programming language for programming any kind of service or service-oriented architecture, independent of the underlying protocols (JOLIE abstracts the communication away, e.g. D-Bus apps can communicate with a SOAP-based service through JOLIE). And of course, this is incredibly easy to use. In most other languages you'd find it is very hard to write service-oriented code, but JOLIE is all about services."

Comments (3 posted)

Reviews

Lego-like Linux modules to ship in October (LinuxDevices)

LinuxDevices looks at the BugBase. "Bug Labs will ship its tiny, open-source ARM11-powered BugBase and three add-on modules in October, and will switch to Poky Linux. Meanwhile, a recent review finds the hackable Linux-based platform to be intriguing, but currently too "flaky" for typical consumers."

Comments (10 posted)

Hacker-friendly karaoke PMP runs Linux (LinuxDevices)

LinuxDevices takes a look at a personal media player, with a karaoke focus, that runs Linux. The device is specifically geared towards folks that want to tinker with the free software onboard. "The Cool-Karaoke stands apart from most personal media players (PMPs) that offer karaoke features due to its inclusion of 'lots of hardware audio mixers,' says the company. Unlike software mixers, hardware mixers let users mix their voices with the background music in real-time, receiving feedback through the earphone. The device is said to offer pitch shifting, high-sensitivity microphone reception, and vocal reduction, and to support multiple lyrics formats including LRC and simple text files."

Comments (2 posted)

It's Official: Dell Enters the Netbook Fray (Internet News)

Internet News looks at Dell's new Inspiron Mini 9 sub-notebook. "Except for a keyboard that omits the usual row of function keys above the number row, the Mini's specs match several of its competitors'. A glossy 8.9-inch display with 1,024x600 resolution shows most Web pages with no need for horizontal scrolling. Under the hood are Intel's Atom N270, a 1.6GHz one-core processor with 2MB of Level 2 cache, and GMA 950 integrated-graphics chipset. The $349 configuration will feature a custom Dell interface atop Ubuntu Linux 8.04, much as Asus and Acer offer customized versions of Xandros and Linpus Linux, respectively."

Comments (44 posted)

Java Sound & Music Software for Linux, Part 1 (Linux Journal)

Dave Phillips takes a look at Java-based music and sound applications. "I've wanted to write this article for quite a while. Over the years I've noted that Java-based music and sound applications have increased in number and quality, yet no comprehensive list or summaries have covered these advances. And so at long last I present this survey of music and sound applications that require Java. The presentation follows no particular order, but in this first part I'll begin by questioning the use of Java in sound and music applications development, followed by a brief look at Java's internal audio and MIDI capabilities."

Comments (none posted)

Open source release takes Linux rootkits mainstream (The Register)

The Register covers the release of an open-source rootkit. "When implemented, Immunity's DR, or Debug Register, makes backdoors and other types of malware extremely difficult to detect or eradicate. It's notable because it cloaks itself by burrowing deep inside a server's processor and availing itself of debugging mechanisms available in Intel's chip architecture. The rootkit, in other words, mimics a kernel debugger."

Comments (3 posted)

Miscellaneous

NC State Computer Science Embraces FOSS Into Its Curriculum (Red Hat News)

A college course in open source software is the subject of an article at Red Hat News. A graduate level course at North Carolina State focused on actually working with the community on an open source project. "You can’t learn FOSS exclusively in books — collaboration with the community is a critical element to success. While lectures covered the basic concepts of FOSS, the true innovation and learning occurred through student work with FOSS projects. A measure of success for this class and other collegiate-level open source classes is to have students continue working on FOSS projects beyond their required work in the classroom."

Comments (7 posted)

Page editor: Forrest Cook

Announcements

Commercial announcements

Red Hat acquires Qumranet

Red Hat announced that it has acquired Qumranet, Inc., developers of the KVM virtualization tool. "Qumranet is the inventor and key maintainer of KVM, the only virtualization technology that is fully incorporated into the Linux kernel. Red Hat views KVM as the next generation of virtualization technology -- it combines support for the latest hardware virtualization capabilities and the rapid feature development of the Linux kernel into a complete, highly functional, virtualization platform. Red Hat believes that a strong coupling between the hypervisor and the kernel is a major advantage." (thanks to Matt Domsch).

Comments (22 posted)

Transverse brings first Open Source OSS to the enterprise

Transverse has announced its existence. "Transverse, a pioneer of open source business solutions, is officially announcing its company launch today. Transverse is the first company to extend the true promise of open source computing to telecom operational support systems (OSS) -- better quality, higher reliability, more flexibility, lower cost, and an end to vendor lock-in."

Full Story (comments: none)

New Books

The Art of Debugging with GDB, DDD, and Eclipse--New from No Starch Press

No Starch Press has published the book The Art of Debugging with GDB, DDD, and Eclipse by Norman Matloff and Peter Jay Salzman.

Full Story (comments: none)

Python for Unix and Linux System Administration - New from O'Reilly

O'Reilly has published the book Python for Unix and Linux System Administration by Noah Gift and Jeremy M. Jones.

Full Story (comments: none)

Resources

ODBMS.ORG publishes new user reports

ODBMS.ORG has announced the publication of a new series of user reports. "ODBMS.ORG, a vendor-independent non-profit group of high-profile software experts led by Prof. Roberto Zicari, today announced the exclusive publication of a second series of new user reports on using technologies for storing and handling persistent objects."

Full Story (comments: none)

Education and Certification

Python training in Colorado, October 15-17

Mark Lutz will teach a Python class in Longmont, CO on October 15-17, 2008. "This is a public training session open to individual enrollments, and covers the same topics as the 3-day onsite sessions that Mark teaches, with hands-on lab work. The class provides an in-depth introduction to Python and its common applications, and parallels the instructor's popular Python books."

Full Story (comments: none)

Meeting Minutes

Perl 6 Design Minutes (use Perl)

use Perl has published the meeting minutes from the July 30, 2008 Perl 6 design team meeting. "Allison, Jerry, Will, Jesse, and chromatic attended."

Comments (none posted)

Upcoming Events

Engine Yard to Sponsor First Ever MerbCamp

Engine Yard has announced the first MerbCamp. "Engine Yard, provider of the leading Ruby and Rails deployment platform, today announced its sponsorship of MerbCamp, the first official gathering of the Merb community, which takes place October 11-12 on the University of California at San Diego (UCSD) campus. Registration opens today at http://www.merbcamp.com."

Comments (none posted)

Events: September 18, 2008 to November 17, 2008

The following event listing is taken from the LWN.net Calendar.

| Date(s) | Event | Location |
|---|---|---|
| September 15 - September 18 | ZendCon PHP 2008 | Santa Clara, CA, USA |
| September 16 - September 19 | Web 2.0 Expo | New York, NY, USA |
| September 17 - September 19 | The Linux Plumbers Conference | Portland, OR, USA |
| September 18 - September 19 | Italian Perl Workshop | Pisa, Italy |
| September 19 - September 20 | Maemo Summit 2008 | Berlin, Germany |
| September 20 | Celebrating Software Freedom Day in Riga, Latvia | Riga, Latvia |
| September 22 - September 25 | Storage Developer Conference 2008 | Santa Clara, CA, USA |
| September 23 - September 25 | 4th International Conference on IT Incident Management and IT Forensics | Mannheim, Germany |
| September 24 - September 25 | OpenExpo 2008 Zürich | Winterthur, Switzerland |
| September 25 - September 27 | Firebird Conference 2008 | Bergamo, Italy |
| September 26 - September 27 | PGCon Brazil 2008 | Sao Paulo, Brazil |
| September 26 | Far East Perl Workshop 2008 | Vladivostok, Russia |
| September 26 - September 28 | ToorCon Information Security Conference | San Diego, CA, USA |
| September 27 - September 28 | WineConf 2008 | Bloomington, MN, USA |
| September 29 - October 3 | Netfilter Workshop 2008 | Paris, France |
| September 29 - September 30 | Conference on Software Language Engineering | Toulouse, France |
| September 30 - October 1 | BA-Con 2008 | Buenos Aires, Argentina |
| October 1 - October 3 | Vision 2008 Embedded Linux Developers Conference | San Francisco, USA |
| October 2 - October 3 | ekoparty Security Conference | Buenos Aires, Argentina |
| October 3 - October 4 | Open Source Days 2008 | Copenhagen, Denmark |
| October 4 | PyArkansas 2008 | Central Arkansas, USA |
| October 4 - October 5 | Texas Regional Python Unconference 2008 | Austin, TX, USA |
| October 7 - October 10 | OWASP NYC AppSec 2008 Conference | New York, NY, USA |
| October 7 | Openmind 2008 | Tampere, Finland |
| October 7 - October 10 | Linux-Kongress 2008 | Hamburg, Germany |
| October 7 | Red Hat Government Users and Developers Conference | Washington, DC, United States |
| October 10 - October 12 | Ohio LinuxFest 2008 | Columbus, Ohio, USA |
| October 10 - October 12 | PostgreSQL Conference West 08 | Portland, OR, USA |
| October 10 - October 12 | Skolelinux Developer Gathering | Oslo, Norway |
| October 11 - October 12 | Pittsburgh Perl Workshop | Pittsburgh, PA, USA |
| October 11 - October 12 | MerbCamp | San Diego, CA, USA |
| October 13 - October 14 | Linux Foundation End User Collaboration Summit | New York, USA |
| October 13 | Skolelinux User Conference | Oslo, Norway |
| October 15 - October 16 | OpenSAF Developer Days | Munich, Germany |
| October 17 - October 18 | European PGDay 2008 | Prato, Italy |
| October 18 - October 19 | Maker Faire Austin | Austin, TX, USA |
| October 19 - October 24 | Colorado Software Summit 2008 | Keystone, CO, USA |
| October 20 - October 24 | 15th Annual Tcl/Tk Conference | Manassas, VA, USA |
| October 21 - October 23 | Web 2.0 Expo Europe | Berlin, Germany |
| October 21 - October 24 | Systems | Munich, Germany |
| October 22 - October 24 | Hack.lu 2008 | Parc Hotel Alvisse, Luxembourg |
| October 22 - October 24 | Encuentro Linux | Concepción, Chile |
| October 24 - October 26 | Free Society Conference and Nordic Summit | Gothenburg, Sweden |
| October 25 - October 26 | T-DOSE 2008 | Eindhoven, the Netherlands |
| October 25 | Ontario Linux Fest 2008 | Toronto, Canada |
| October 26 - October 31 | IBM Information On Demand 2008 | Mandalay Bay - Las Vegas, Nevada, USA |
| October 27 - October 30 | Embedded Systems Conference - Boston | Boston, USA |
| October 29 - November 1 | 10th Real-Time Linux Workshop | Colotlán, Jalisco, Mexico |
| November 3 - November 7 | ApacheCon US 2008 | New Orleans, LA, USA |
| November 5 - November 7 | OpenOffice.org Conference 2008 | Beijing, China |
| November 6 | NLUUG autumn conference: Mobile Applications | Ede, Netherlands |
| November 6 - November 7 | Embedded Linux Conference Europe 2008 | Ede, Netherlands |
| November 7 - November 8 | TwinCity Perl Workshop 2008 | Vienna, Austria |
| November 7 - November 9 | UKUUG linux conference | Manchester, UK |
| November 8 - November 9 | Hackers to Hackers Conference 05' | Sao Paulo, Brazil |
| November 8 - November 9 | FOSS.my | Kuala Lumpur, Malaysia |
| November 10 - November 14 | Python Bootcamp with Dave Beazley | Atlanta, GA, USA |
| November 11 - November 14 | DeepSec IDSC 2008 | Vienna, Austria |
| November 12 - November 14 | php\|works 2008 | Atlanta, GA, USA |
| November 12 - November 13 | PacSec Applied Security Conference | Tokyo, Japan |
| November 13 - November 14 | International Hacking and Security Conference | Seoul, Korea |
| November 14 - November 16 | OpenSQL Camp 2008 | Charlottesville, VA, USA |
| November 16 - November 20 | Middle East IT Security Conference | Dubai, UAE |

If your event does not appear here, please tell us about it.

Audio and Video programs

osbootcamp.org releases short python talk on video

Open Source Bootcamp has released a video on Python. "Open Source Bootcamp (osbootcamp) teaches skills with open source. We recently had a python talk which we've recorded and made freely available from the osbootcamp.org videos section. Enjoy!"

Full Story (comments: none)

Page editor: Forrest Cook

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds