By Jake Edge
November 26, 2008
Here at LWN, we get a chance to see a fair number of security advisories in
the course of a week—sometimes even in just a single day—so we tend to
notice the quality, or lack thereof, of these important announcements.
There are a few important pieces of information that need to be a
part of any security update announcement, but sadly sometimes they aren't
included. Overall, the quality of advisories seems to be declining, which
is something that we would like to see change. While it clearly would make
collecting security advisories easier for us, that is not the primary
motivation for this look at security reporting—users are not being
well-served by the current state of affairs.
Distributions need to remember that the audience for their security
announcements is their users. Those users require some basic information
to make an informed choice about whether they need to apply the update as
well as how urgently. In order to make those decisions, the following
should be present in advisories:
- the package affected
- the problem that is being fixed
- the impact of the vulnerability
- some kind of unique identifier for the alert
- links to relevant additional information (CVE, bugzilla, ...)
- where and how to update the package
- consistent formatting of advisories is a definite plus
Users are not as familiar with either the package or the distribution as
the person writing the alert is, so it should be written with that in
mind. The most important thing is to concisely communicate the severity
and urgency of the problem in a way that the reader can
understand—and figure out what to do about it.
The biggest problem seen with alerts of late is a lack of information about
the problem they are fixing. As an example, consider the recent Fedora
advisory on kvm. It refers to a recent CVE number (CVE-2008-4539) which is
still "reserved", so no details are available there, and says only that it
fixes a "cirrus vulnerability". It also references a bugzilla entry that
apparently addresses a separate CVE from 2007 (CVE-2007-1320); if you
follow the link in that bugzilla entry, you finally end up somewhere with
actual information, though the connection between the two problems is not
particularly obvious.
Another example of this is CentOS advisories, which suffer from a number of
problems, but the most vexing for folks trying to determine whether they
need to update is this lack of bug information. It is not all that hard to
get the information as a typical
alert has a link to the appropriate Red Hat advisory, but why make
users take that step? A concise summary of the bug(s), as well as a
reference to the—generally very complete—Red Hat errata, would
be quite useful. There is certainly nothing wrong with linking to sources
of additional information, but the basics of the problem and its impact
should be available in the alert.
Unique identifiers for advisories are useful for a number of reasons:
keeping track of which have been addressed, having a unique search string to
use, or referring to them in conversations, bug reports, etc. When the
identifier is not unique, it muddies the waters a bit, making it more
difficult than it needs to be. Sometimes mistakes are made (like the spate
of recent Fedora alerts with the same FEDORA-2008-10000 identifier), but
there appear to be distribution policies about using identifiers multiple times.
CentOS uses the same identifier on multiple advisories, one per
architecture, but also shared between CentOS releases. So the same
identifier will be applied to an s390 update for CentOS 4 as is applied to
x86_64 for CentOS 5.
Another identifier reuse problem comes from Fedora. When mozilla (or more
recently xulrunner) library vulnerabilities occur, Fedora pro-actively
rebuilds and updates all of the packages that depend on those libraries.
This is very much to its credit as the API is not (yet) stable, but all of
the resulting alerts refer to the same identifier. For those who try to
track vulnerabilities along with alerts, that results in messy listings that don't
provide much in the way of helpful information. Other library bugs result
in much saner listings where
one could relatively easily track down—and keep straight—the
advisories for various packages.
There are other problems as well. Alerts that combine unrelated
fixes do "avoid flooding mailing lists", but they are a bit painful to
tease apart for users who are tracking specific packages. Too much
history, in the form of changelogs (example), can also be confusing.
If there is only a link to provide vulnerability information, as is the
CentOS way, it should go directly to a page about the flaw, not to a page
that lists all recent upstream flaws (example). And on and on.
Certain distributions have been singled out here, but that is not really
the point. These are just recent examples of problems that are regularly
seen in distribution security alerts. It should be noted that the
commercial distributions (SUSE, Ubuntu, Red Hat, Mandriva) seem to do a
much better job overall, which is not surprising, but sometimes they fail
as well. The key thing to remember is that security announcements are
meant to be read by users and acted upon. If information is lacking, the
communication will fail.
This is not the first time we have looked at the problem: way back in 2000,
security page editor Liz Coolbaugh took a look at security advisories and
had some of the same complaints seen here. Her conclusion is still valid:
it is not that distributions are not trying or that they don't care, but
at times the contents of their advisories slip below the radar. After her
article, security alerts got better; hopefully this gentle prodding will
have a similar effect.
Comments (3 posted)
Brief items
Jennifer Granick of the Electronic Frontier Foundation (EFF) has created a
guide for security researchers who may have run afoul of computer crime
laws. It looks at the risks and some possible solutions for revealing
information about vulnerabilities so that they can get fixed. Granick is
seeking comments to improve the guide. "The researcher is in a quandary
when she has potentially broken the law, but never intended to steal
information or invade privacy and wants to see the problem fixed. Reporting
the information raises a red flag that could result in an investigation
and civil claims or even criminal charges. Keeping quiet means that the
flaw will go unremedied and potentially could be exploited by someone who
does have criminal intent. What is the grey hat hacker to do?"
Comments (21 posted)
New vulnerabilities
cups: denial of service
Package(s): cups
CVE #(s): CVE-2008-5183, CVE-2008-5184
Created: November 25, 2008
Updated: March 2, 2011
Description:
cupsd in CUPS before 1.3.8 allows local users, and possibly remote
attackers, to cause a denial of service (daemon crash) by adding a large
number of RSS Subscriptions, which triggers a NULL pointer
dereference. NOTE: this issue can be triggered remotely by leveraging
CVE-2008-5184.
The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest
username when a user is not logged on to the web server, which makes it
easier for remote attackers to bypass intended policy and conduct CSRF
attacks via the (1) add and (2) cancel RSS subscription functions.
dovecot: access restriction bypass
Package(s): dovecot
CVE #(s): CVE-2008-4578
Created: November 20, 2008
Updated: December 15, 2008
Description:
Dovecot has an access restriction bypass vulnerability.
From the National Vulnerability Database entry:
The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended
access restrictions by using the "k" right to create unauthorized
"parent/child/child" mailboxes.
gvim: multiple vulnerabilities
Package(s): gvim
CVE #(s): CVE-2008-3074, CVE-2008-3075, CVE-2008-3076
Created: November 24, 2008
Updated: March 24, 2009
Description:
From the rPath advisory:
Previous versions of the vim package contain multiple vulnerabilities,
the most serious of which allow user-assisted attackers to execute
arbitrary commands via maliciously crafted file and directory names.
hf: arbitrary code execution
Package(s): hf
CVE #(s): CVE-2008-2378
Created: November 24, 2008
Updated: November 25, 2008
Description:
From the debian-hams mailing list posting:
The hf package, described by Debian as an amateur-radio protocol suite
using a soundcard as a modem, is a program that eventually becomes
setuid(0), and has a trivial security hole in it.
By default the package installs "/usr/bin/hfkernel" as a typical binary,
but when first started via the program "hf" the binary is changed to
be setuid(root).
[...]
Unfortunately the hfkernel program contains a trivial root hole:
    #include <stdlib.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        int c;
        // snip
        while ((c = getopt(argc, argv, "a:M:c:klhip:m:nt:s:r:Rf23")) != -1)
            switch (c) {
            // snip
            case 'k':
                /* runs "/bin/sh -c 'killall hfkernel'" as root; "killall"
                 * is resolved through the caller's PATH */
                system ("killall hfkernel");
                break;
            //
            }
        // snip
        return 0;
    }
Creating ~/bin/killall is sufficient to gain root privileges.
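The hole above is a PATH hijack, and the fix is a different way of launching the helper, not better quoting. The following C program is an added example, not code from the hf package or from the Debian posting: it shows where `/bin/sh -c "killall hfkernel"` would find a planted `killall` for a constructed PATH, and a replacement that forks, gives up the root identity in the child (assuming, as for signalling the caller's own processes, that the task does not need root), and runs `/usr/bin/killall` by absolute path with a fixed environment. The helper names, the PATH value and the `/bin/sh` calls used to exercise the helper are this example's own.

```c
/* Added example, not part of the hf package or the Debian posting: why
 * system("killall hfkernel") in a setuid-root program is a PATH hijack,
 * and a replacement that uses no shell, no PATH lookup and no root. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* system() runs "/bin/sh -c CMD", and the shell resolves a bare command
 * name by walking PATH, which the caller of the setuid binary controls.
 * Returns the directory the shell would try first for such a name, i.e.
 * where ~/bin/killall gets picked ahead of /usr/bin/killall. */
static const char *hijack_dir(const char *path, char *buf, size_t n)
{
    const char *colon = strchr(path, ':');
    size_t len = colon ? (size_t)(colon - path) : strlen(path);
    if (len == 0 || len >= n)
        return NULL;
    memcpy(buf, path, len);
    buf[len] = '\0';
    return buf;
}

static int hijack_dir_is(const char *path, const char *expect)
{
    char buf[64];
    const char *got = hijack_dir(path, buf, sizeof buf);
    return got != NULL && strcmp(got, expect) == 0;
}

/* Hardened form: fork, give up the root identity in the child (assumed
 * sufficient here: signalling the caller's own hfkernel needs no root),
 * then execve() by absolute path with a fixed environment, so neither
 * PATH nor IFS nor a shell is involved. Returns the child's exit status,
 * 126 if the privilege drop failed, 127 if exec failed, -1 on fork/wait
 * failure. */
static int run_unprivileged(const char *path, char *const argv[])
{
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Group first, then user: once the uid is dropped, setgid() on a
         * privileged gid would fail. Both are no-ops when not setuid. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(path, argv, envp);
        _exit(127);   /* exec failed: never fall back to a PATH search */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Helpers that exercise run_unprivileged() on binaries every system has.
 * /bin/sh is used only because it is guaranteed to exist; the point is
 * the absolute path and the fixed environment, not the shell. */
static int exit_code_via_absolute_path(int code)
{
    char script[32];
    snprintf(script, sizeof script, "exit %d", code);
    char *const argv[] = { "sh", "-c", script, NULL };
    return run_unprivileged("/bin/sh", argv);
}

static int exec_of_missing_program(void)
{
    char *const argv[] = { "killall", "hfkernel", NULL };
    return run_unprivileged("/nonexistent/killall", argv);
}

int main(void)
{
    char dir[256];
    /* Constructed PATH such as an unprivileged user can export before
     * running "hf -k". */
    printf("sh -c \"killall hfkernel\" would look in %s first\n",
           hijack_dir("/home/alice/bin:/usr/bin:/bin", dir, sizeof dir));
    char *const argv[] = { "killall", "hfkernel", NULL };
    printf("/usr/bin/killall hfkernel -> exit status %d\n",
           run_unprivileged("/usr/bin/killall", argv));
    return 0;
}
```

Compile with `cc -o hf-demo hf-demo.c` and run as an ordinary user; the privilege-drop calls are no-ops then, and if killall is not installed the status is 127, which is the intended behaviour: an exec failure must never degrade into a PATH search.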
imlib2: buffer overflow
Package(s): imlib2
CVE #(s): CVE-2008-5187
Created: November 26, 2008
Updated: January 20, 2009
Description:
There is a buffer overflow vulnerability in imlib2; it can be exploited via
a specially-crafted XPM file to execute arbitrary code. See this advisory
for more information.
imp: cross-site scripting
Package(s): imp
CVE #(s): CVE-2008-4182
Created: November 25, 2008
Updated: July 27, 2010
Description:
Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba
Contact Manager H3 2.2.1, and possibly other Horde Project products, allows
remote attackers to inject arbitrary web script or HTML via the User field
in an IMAP session.
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2008-4933, CVE-2008-4934, CVE-2008-5029
Created: November 24, 2008
Updated: November 4, 2009
Description:
From the Mandriva advisory:
Buffer overflow in the hfsplus_find_cat function in
fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows
attackers to cause a denial of service (memory corruption or
system crash) via an hfsplus filesystem image with an invalid
catalog namelength field, related to the hfsplus_cat_build_key_uni
function. (CVE-2008-4933)
The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the
Linux kernel before 2.6.28-rc1 does not check a certain return value
from the read_mapping_page function before calling kmap, which allows
attackers to cause a denial of service (system crash) via a crafted
hfsplus filesystem image. (CVE-2008-4934)
The __scm_destroy function in net/core/scm.c in the Linux kernel
2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to
itself through calls to the fput function, which allows local users
to cause a denial of service (panic) via vectors related to sending
an SCM_RIGHTS message through a UNIX domain socket and closing file
descriptors. (CVE-2008-5029)
libcdaudio: buffer overflow
Package(s): libcdaudio
CVE #(s): CVE-2005-0706
Created: November 21, 2008
Updated: December 7, 2009
Description:
From the CVE entry: Buffer overflow in discdb.c for grip 3.1.2 allows
attackers to cause a denial of service (crash) and possibly execute
arbitrary code by causing the cddb lookup to return more matches than
expected.
mozilla: denial of service
Package(s): firefox, thunderbird, seamonkey
CVE #(s): CVE-2008-5052
Created: November 24, 2008
Updated: November 26, 2008
Description:
From the CVE entry:
The AppendAttributeValue function in the JavaScript engine in Mozilla
Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey
1.x before 1.1.13 allows remote attackers to cause a denial of service
(crash) via unknown vectors that trigger memory corruption, as demonstrated
by e4x/extensions/regress-410192.js.
nagios: authorization bypass
Package(s): nagios
CVE #(s): CVE-2008-5027
Created: November 26, 2008
Updated: July 20, 2009
Description:
Versions of nagios prior to 3.0.5 contain a bug which can allow an
authenticated user to circumvent authorization checks and run arbitrary
programs.
openoffice.org: insecure temp files
Package(s): openoffice.org, openoffice.org-amd64
CVE #(s): CVE-2008-4937
Created: November 25, 2008
Updated: March 10, 2009
Description:
From the Ubuntu advisory: Dmitry E. Oboukhov discovered that senddoc, as
included in OpenOffice.org, created temporary files in an insecure way.
Local users could exploit a race condition to create or overwrite files
with the privileges of the user invoking the program. This issue only
affected Ubuntu 8.04 LTS.
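The senddoc bug is the classic predictable-name temporary file race. As an added example in C (not OpenOffice.org's own senddoc code; the `senddoc.` name prefix and the helper names are this example's own), here is the guessable-name pattern next to the `mkstemp()` form that creates the file atomically with `O_EXCL` and mode 0600, together with a check that a second exclusive create of the same name fails, which is the property the race-free version relies on.

```c
/* Added example, not OpenOffice.org's senddoc code: a predictable-name
 * temporary file next to the mkstemp() form that closes the race. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Insecure pattern: the name is derived from the pid, so a local attacker
 * can pre-create it (or a symlink at it) before the victim runs; an open()
 * without O_EXCL then follows the link and the victim's writes land on
 * whatever it points at. Only the name construction is shown here. */
static void predictable_tmp_name(pid_t pid, char *buf, size_t n)
{
    snprintf(buf, n, "/tmp/senddoc.%ld", (long)pid);
}

static int guessable_name_matches(long pid, const char *expect)
{
    char buf[64];
    predictable_tmp_name((pid_t)pid, buf, sizeof buf);
    return strcmp(buf, expect) == 0;
}

/* Hardened form: mkstemp() picks a random suffix and opens the file with
 * O_CREAT|O_EXCL and mode 0600 in one step, so anything pre-planted at
 * that name makes it fail instead of being followed. template_buf must be
 * writable and end in "XXXXXX"; the chosen name is written back into it.
 * Returns the open descriptor, or -1. */
static int open_private_tmpfile(char *template_buf)
{
    int fd = mkstemp(template_buf);
    if (fd < 0)
        return -1;
    /* Belt and braces: confirm we hold a regular file we own, mode 0600. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || (st.st_mode & 0777) != 0600 || st.st_uid != geteuid()) {
        close(fd);
        unlink(template_buf);
        return -1;
    }
    return fd;
}

/* Exercises the safe path and cleans up; returns 1 when every property
 * the race-free version depends on holds. */
static int private_tmpfile_check(void)
{
    char name[] = "/tmp/senddoc.XXXXXX";
    int fd = open_private_tmpfile(name);
    if (fd < 0)
        return 0;
    int ok = strncmp(name, "/tmp/senddoc.", 13) == 0
          && strcmp(name, "/tmp/senddoc.XXXXXX") != 0;  /* suffix replaced */
    /* A second exclusive create of the same name must fail: that is what
     * defeats an attacker who races to plant the name first. */
    int again = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    ok = ok && again < 0;
    close(fd);
    unlink(name);
    return ok;
}

int main(void)
{
    char guess[64];
    predictable_tmp_name(getpid(), guess, sizeof guess);
    printf("attacker-guessable name: %s\n", guess);
    printf("mkstemp path holds its guarantees: %s\n",
           private_tmpfile_check() ? "yes" : "no");
    return 0;
}
```

The same reasoning applies to a shell script: `mktemp` (which wraps `mkstemp`) replaces `/tmp/name.$$`, and the result should still be opened only through the descriptor or name it returned, never recomputed.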
pidgin: multiple vulnerabilities
Package(s): pidgin
CVE #(s): CVE-2008-2955, CVE-2008-2957, CVE-2008-3532
Created: November 24, 2008
Updated: January 18, 2010
Description:
From the Ubuntu advisory:
It was discovered that Pidgin did not properly handle file transfers
containing a long filename and special characters in the MSN protocol
handler. A remote attacker could send a specially crafted filename in a
file transfer request and cause Pidgin to crash, leading to a denial of
service. (CVE-2008-2955)
It was discovered that Pidgin did not impose resource limitations in the
UPnP service. A remote attacker could cause Pidgin to download arbitrary
files and cause a denial of service from memory or disk space exhaustion.
(CVE-2008-2957)
It was discovered that Pidgin did not validate SSL certificates when using
a secure connection. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information. This update alters Pidgin behaviour by asking users to confirm
the validity of a certificate upon initial login. (CVE-2008-3532)
tog-pegasus: authentication issues
Package(s): tog-pegasus
CVE #(s): CVE-2008-4313, CVE-2008-4315
Created: November 25, 2008
Updated: November 27, 2008
Description:
From the Red Hat advisory:
After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these
additional security enhancements were no longer being applied. As a
consequence, access to OpenPegasus WBEM services was not restricted to the
dedicated users as described in README.RedHat.Security. An attacker able to
authenticate using a valid user account could use this flaw to send
requests to WBEM services.
Failed authentication attempts against the OpenPegasus CIM server were not
logged to the system log as documented in README.RedHat.Security. An
attacker could use this flaw to perform password guessing attacks against a
user account without leaving traces in the system log.
vim: heap-based overflow
Package(s): vim
CVE #(s): CVE-2008-3432
Created: November 25, 2008
Updated: November 26, 2008
Description:
From the Red Hat advisory: A heap-based overflow flaw was discovered in
Vim's expansion of file name patterns with shell wildcards. An attacker
could create a specially-crafted file or directory name that, when opened
by Vim, caused the application to crash or, possibly, execute arbitrary
code.
vim: sanitization flaws
Package(s): vim
CVE #(s): CVE-2008-4101
Created: November 25, 2008
Updated: March 3, 2009
Description:
Several input sanitization flaws were found in Vim's keyword and tag
handling. If Vim looked up a document's maliciously crafted tag or keyword,
it was possible to execute arbitrary code as the user running Vim.
webkit: arbitrary code execution
Package(s): webkit
CVE #(s): CVE-2008-3632
Created: November 24, 2008
Updated: November 25, 2008
Description:
From the Ubuntu advisory:
It was discovered that WebKit did not properly handle Cascading Style Sheets
(CSS) import statements. If a user were tricked into opening a malicious
website, an attacker could cause a browser crash and possibly execute
arbitrary code with user privileges.
yast2-backup: code injection
Package(s): yast2-backup
CVE #(s): CVE-2008-4636
Created: November 25, 2008
Updated: November 26, 2008
Description:
Insufficient shell quoting in yast2-backup allowed local users to craft
special file names that inject shell code into the backup process.
Page editor: Jake Edge