Security

SOPA and PIPA

By Jake Edge
January 18, 2012

As this article is being written on January 18, many high-profile web sites have gone "black" in order to protest proposed legislation in the US that would, ostensibly, combat online "piracy". Lots of different sites are participating, from Wikipedia and Google to sites that cater to more technical audiences like Reddit and Bruce Schneier's security blog. The intent is to raise the profile of the two related pieces of legislation with the hope that users (both technical and less so) will recognize the threat to a "free and open internet" that the laws represent.

As seems to commonly be the case—at least in the US—the proposals have been given names that don't accurately reflect their scope. The "Stop Online Piracy Act" (SOPA) is the House of Representatives' entrant, while the Senate bill is called the "Protect Intellectual Property Act" (PIPA). Both are strongly backed by the content industries who make unsubstantiated claims about the financial and job losses caused by online piracy—and are undoubtedly pouring lots of money into lobbying for their passage. But, many internet sites and luminaries are extremely wary of the bills' contents because they could "break the internet".

The law of "unintended consequences" is often present in internet-targeted legislation, but it's a little hard to see some of the consequences from SOPA/PIPA as being unintended—at least by some of their proponents. The content industry has found it expensive and difficult to combat the copyright infringement of its works under the existing laws, and is always looking for a way to make others responsible for enforcement. SOPA/PIPA are just the latest salvo in that effort.

The biggest technical problem with the legislation is that it tries to fundamentally alter how the domain name system (DNS) works, so that "rogue" sites that carry infringing content—or even links to infringing content—can be "banished" from the internet. As pointed out by Paul Vixie, though, all of the technical measures that SOPA/PIPA want to use to blacklist these supposedly rogue sites won't do so. In addition, implementing these "features" will just increase the load on DNS servers as clients try to route around the censorship.

The argument from proponents is that many of the sites that they would like to shut down are foreign-owned, and thus are impossible to affect via US law. Aside from the irony of using US legislation to somehow do the impossible, mandating that US companies blacklist web sites via DNS or any other method is only likely to result in fragmenting the infrastructure of the internet. As an open letter from 83 internet inventors and engineers to the US Congress in December put it:

The US government has regularly claimed that it supports a free and open Internet, both domestically and abroad. We cannot have a free and open Internet unless its naming and routing systems sit above the political concerns and objectives of any one government or industry. To date, the leading role the US has played in this infrastructure has been fairly uncontroversial because America is seen as a trustworthy arbiter and a neutral bastion of free expression. If the US begins to use its central position in the network for censorship that advances its political and economic agenda, the consequences will be far-reaching and destructive.

The bills would mandate that US companies enforce the blacklist, and provide penalties if a service allows users to circumvent the list. Not only does that put a large burden on ISPs, web application providers, internet startups, and others, it also adds a large uncertainty factor by the terms used. Rather than focusing strictly on sites that infringe copyrights (for which there are plenty of laws already available), these bills would be enforced against sites that are "enabling or facilitating" infringement (at least in SOPA). That kind of ambiguity leaves the door open to all sorts of abuse.

Those penalties can be severe. One of the actions that a copyright holder could take against a site deemed to have violated these acts is to get a court order that requires payment sites and advertising networks to cut the site off. So, a site that "facilitates" infringement (which could easily be applied to almost any site on the internet) could suddenly find itself cut off from its funding sources—or in court to show why it shouldn't be. For larger, well-established sites and service providers, that will be an expensive annoyance, but for smaller fish (including startups and sites like LWN) it could easily put the company out of business.

Proponents of these laws downplay the potential for widespread applicability, explaining that they are targeted at the "worst of the worst" offenders. But, as we have seen with almost any law (internet-focused or not), there is almost always some kind of overreach. Once these (or similar) laws are on the books, the content industries will be pushing the envelope. We've seen this overreach with the DMCA, anti-"hacking" laws, the PATRIOT act, and more. Meanwhile, the rest of the world (along with much of the US) will just find ways to route around the blockades.

Certainly copyright infringement is a problem. Copyright is, after all, the tool that the free software community uses to enforce its licenses. The question is how big of a problem infringement really is, and what the right solution is. The content industries would have us believe that infringement is stealing food from the mouths of babes—while often reporting record profits. It's not at all clear that passing more and more laws will "fix" the problem.

The only real way to completely prevent digital copyright infringement is to curtail general purpose computing (and networking) in ways that would be drastically detrimental to the worldwide economy (not to mention little things like personal freedom). Cory Doctorow recently spoke about the likelihood of an upcoming war against general-purpose computing. One could argue that we have already lost some battles in that war (e.g. DMCA) and SOPA/PIPA are yet another. Hopefully, the efforts of the high-profile sites protesting this legislation will start to wake people up about what kinds of things the content industries and their "pet" legislators are trying to do. If not, we will likely see even more draconian legislation down the road.

For readers wanting to know more, Techdirt's Mike Masnick has two analyses of SOPA/PIPA [1, 2] that are well worth a read.

Brief items

NSA releases security-enhanced Android (The H)

The H looks at SEAndroid, which was recently released by the US National Security Agency. It brings some of SELinux to the Android kernel to limit the damage that malicious apps can do. "In a presentation [PDF] originally given at the 2011 Linux Security Summit, Stephen Smalley of the NSA explained the functionality within SEAndroid. He noted that it brings Mandatory Access Control to Android's Linux kernel and can help sandbox, isolate and prevent privilege escalation by applications with a centralised policy that is amenable to analysis. That said, it cannot protect against kernel vulnerabilities and misconfiguration of the security policy. Smalley also discussed how SEAndroid works to protect against a number of known exploits and how SEAndroid would have stopped them in different ways."

Berrangé: Building application sandboxes with libvirt, LXC & KVM

On his blog, Daniel P. Berrangé writes about a new application sandbox tool that uses libvirt, LXC (Linux Containers), and KVM. It is based on some of the ideas behind the SELinux sandbox but uses KVM or LXC to isolate the application from the rest of the OS. "People also generally assume that running a KVM guest, means having a guest operating system install. This is absolutely something that is not acceptable for application sandboxing, and indeed not actually necessary. In a nutshell, libvirt-sandbox creates a new initrd image containing a custom init binary. This init binary simply loads the virtio-9p kernel module and then mounts the host OS' root filesystem as the guest's root filesystem, readonly of course. It then hands off to a second boot strap process which runs the desired application binary and forwards I/O back to the host OS, until the sandboxed application exits. Finally the init process powers off the virtual machine. To get an idea of the overhead, the /bin/false binary can be executed inside a KVM sandbox with an overall execution time of 4 seconds."

New vulnerabilities

acroread: code execution

Package(s): acroread
CVE #(s): CVE-2011-2462 CVE-2011-4369
Created: January 17, 2012
Updated: January 18, 2012
Description: From the CVE entries:

Unspecified vulnerability in the PRC component in Adobe Reader and Acrobat 9.x before 9.4.7 on Windows, Adobe Reader and Acrobat 9.x through 9.4.6 on Mac OS X, Adobe Reader and Acrobat 10.x through 10.1.1 on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011. (CVE-2011-4369)

Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011. (CVE-2011-2462)

Alerts:
SUSE SUSE-SU-2012:0086-1 2012-01-17
openSUSE openSUSE-SU-2012:0087-1 2012-01-17
Gentoo 201201-19 2012-01-30

kernel: multiple vulnerabilities

Package(s): kernel
CVE #(s): CVE-2011-4611 CVE-2011-4914
Created: January 16, 2012
Updated: January 18, 2012
Description: From the Debian advisory:

CVE-2011-4611: Maynard Johnson reported an issue with the perf support on POWER7 systems that allows local users to cause a denial of service.

CVE-2011-4914: Ben Hutchings reported various bounds checking issues within the ROSE protocol support in the kernel. Remote users could possibly use this to gain access to sensitive memory or cause a denial of service.

Alerts:
Debian DSA-2389-1 2012-01-15
Red Hat RHSA-2012:0350-01 2012-03-06
CentOS CESA-2012:0350 2012-03-07
Scientific Linux SL-kern-20120308 2012-03-08
Oracle ELSA-2012-0350 2012-03-12

kernel: syscall instruction induces guest panic

Package(s): kernel
CVE #(s): CVE-2012-0045
Created: January 16, 2012
Updated: January 18, 2012
Description: From the Red Hat bugzilla:

32bit guests will crash (and 64bit guests may behave in a wrong way) for example by simply executing following nasm-demo-application:

    [bits 32]
    global _start
    SECTION .text
    _start: syscall

The reason seems a missing "invalid opcode"-trap (int6) for the syscall opcode "0f05", which is not available on Intel CPUs within non-longmodes, as also on some AMD CPUs within legacy-mode. (depending on CPU vendor, MSR_EFER and cpuid)

Because previous mentioned OSs may not engage corresponding syscall target-registers (STAR, LSTAR, CSTAR), they remain NULL and (non trapping) syscalls are leading to multiple faults and finally crashes.

Alerts:
Fedora FEDORA-2012-0480 2012-01-14
Fedora FEDORA-2012-0492 2012-01-14
Red Hat RHSA-2012:0350-01 2012-03-06
CentOS CESA-2012:0350 2012-03-07
Scientific Linux SL-kern-20120308 2012-03-08
Oracle ELSA-2012-2003 2012-03-12
Oracle ELSA-2012-2003 2012-03-12
Oracle ELSA-2012-0350 2012-03-12
Ubuntu USN-1407-1 2012-03-27
Ubuntu USN-1406-1 2012-03-27
Ubuntu USN-1405-1 2012-03-27
Debian DSA-2443-1 2012-03-26
Ubuntu USN-1421-1 2012-04-12
Ubuntu USN-1422-1 2012-04-12
Ubuntu USN-1425-1 2012-04-24
Ubuntu USN-1426-1 2012-04-24
Ubuntu USN-1431-1 2012-04-30
Ubuntu USN-1433-1 2012-04-30
Ubuntu USN-1440-1 2012-05-08
SUSE SUSE-SU-2012:0616-1 2012-05-14
Oracle ELSA-2012-0862 2012-07-02

kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2011-4347
Created: January 16, 2012
Updated: March 7, 2012
Description: From the Red Hat bugzilla:

It was found that kvm_vm_ioctl_assign_device function did not check if the user requesting assignment was privileged or not. Together with /dev/kvm being 666, unprivileged user could assign unused pci devices, or even devices that were in use and whose resources were not properly claimed by the respective drivers.

Please note that privileged access was still needed to re-program the device to for example issue DMA requests. This is typically achieved by touching files on sysfs filesystem. These files are usually not accessible to unprivileged users.

As a result, local user could use this flaw to crash the system.

Alerts:
Fedora FEDORA-2012-0363 2012-01-11
Fedora FEDORA-2012-0492 2012-01-14
Red Hat RHSA-2012:0149-03 2012-02-21
Red Hat RHSA-2012:0350-01 2012-03-06
Scientific Linux SL-kvm-20120306 2012-03-06
Ubuntu USN-1389-1 2012-03-06
CentOS CESA-2012:0350 2012-03-07
Oracle ELSA-2012-0149 2012-03-07
Scientific Linux SL-kern-20120308 2012-03-08
Oracle ELSA-2012-2003 2012-03-12
Oracle ELSA-2012-2003 2012-03-12
Oracle ELSA-2012-0350 2012-03-12
Ubuntu USN-1407-1 2012-03-27
Ubuntu USN-1406-1 2012-03-27
Ubuntu USN-1409-1 2012-03-27
Ubuntu USN-1405-1 2012-03-27
Debian DSA-2443-1 2012-03-26
Ubuntu USN-1421-1 2012-04-12
Ubuntu USN-1422-1 2012-04-12
Ubuntu USN-1425-1 2012-04-24
Ubuntu USN-1426-1 2012-04-24
Ubuntu USN-1431-1 2012-04-30
Ubuntu USN-1433-1 2012-04-30
Ubuntu USN-1440-1 2012-05-08
Red Hat RHSA-2012:1042-01 2012-06-26

libxml2: code execution

Package(s): libxml2
CVE #(s): CVE-2011-3919
Created: January 12, 2012
Updated: September 26, 2012
Description:

From the Red Hat advisory:

A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3919)

Alerts:
Red Hat RHSA-2012:0018-01 2012-01-11
Red Hat RHSA-2012:0016-01 2012-01-11
Red Hat RHSA-2012:0017-01 2012-01-11
CentOS CESA-2012:0016 2012-01-11
CentOS CESA-2012:0017 2012-01-11
CentOS CESA-2012:0018 2012-01-11
Oracle ELSA-2012-0016 2012-01-12
Oracle ELSA-2012-0018 2012-01-12
Scientific Linux SL-libx-20120111 2012-01-11
Scientific Linux SL-libx-20120112 2012-01-12
Scientific Linux SL-libx-20120111 2012-01-11
Oracle ELSA-2012-0017 2012-01-12
Mandriva MDVSA-2012:005 2012-01-16
openSUSE openSUSE-SU-2012:0107-1 2012-01-19
Ubuntu USN-1334-1 2012-01-19
SUSE SUSE-SU-2012:0117-1 2012-01-24
Debian DSA-2394-1 2012-01-26
Red Hat RHSA-2012:0104-01 2012-02-08
Gentoo 201202-09 2012-02-29
Oracle ELSA-2012-0324 2012-03-09
Oracle ELSA-2012-1288 2012-09-18
Fedora FEDORA-2012-13820 2012-09-26
Fedora FEDORA-2012-13824 2012-09-27
Red Hat RHSA-2013:0217-01 2013-01-31
CentOS CESA-2013:0217 2013-02-01
Oracle ELSA-2013-0217 2013-02-01
Scientific Linux SL-ming-20130201 2013-02-01

openssl: private key disclosure

Package(s): openssl
CVE #(s): CVE-2011-4354
Created: January 16, 2012
Updated: January 18, 2012
Description: From the Debian advisory:

On 32-bit systems, the operations on NIST elliptic curves P-256 and P-384 are not correctly implemented, potentially leaking the private ECC key of a TLS server. (Regular RSA-based keys are not affected by this vulnerability.)

Alerts:
Debian DSA-2390-1 2012-01-15
Ubuntu USN-1357-1 2012-02-09

plib: arbitrary code execution

Package(s): plib
CVE #(s): CVE-2011-4620
Created: January 16, 2012
Updated: March 5, 2012
Description: From the CVE entry:

Buffer overflow in the ulSetError function in util/ulError.cxx in PLIB 1.8.5, as used in TORCS 1.3.1 and other products, allows user-assisted remote attackers to execute arbitrary code via vectors involving a long error message, as demonstrated by a crafted acc file for TORCS. NOTE: some of these details are obtained from third party information.

Alerts:
Fedora FEDORA-2012-0100 2012-01-05
Fedora FEDORA-2012-0144 2012-01-05
Debian DSA-2425-1 2012-03-04
openSUSE openSUSE-SU-2012:1506-1 2012-11-20
openSUSE openSUSE-SU-2013:0146-1 2013-01-23

rubygem-rack: denial of service

Package(s): rubygem-rack
CVE #(s): CVE-2011-5036
Created: January 17, 2012
Updated: March 6, 2012
Description: From the CVE entry:

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Alerts:
Fedora FEDORA-2012-0166 2012-01-07
Fedora FEDORA-2012-0233 2012-01-07
Gentoo 201203-05 2012-03-05
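
The failure mode in the CVE text above, as an added example (not Rack's code and not part of the advisory): a predictable hash lets every form parameter land in one bucket, while a keyed hash or a cap on the parameter set bounds the work. The names `predictable_hash`, `keyed_hash`, `longest_chain` and `parse_form`, the limits, and the secret-prefixed SHA-256 (standing in for a keyed hash such as SipHash) are assumptions made for illustration.

```ruby
require "digest"
require "securerandom"

class ParamLimitExceeded < StandardError; end

BUCKETS = 64
SEED = SecureRandom.bytes(16) # per-process secret, never sent to clients

# Toy unkeyed hash (sum of bytes): anyone can predict which keys share a bucket.
def predictable_hash(key)
  key.bytes.sum
end

# Stand-in for a keyed hash such as SipHash: bucket choice depends on SEED.
def keyed_hash(key)
  Digest::SHA256.digest(SEED + key.b).unpack1("Q<")
end

# Longest bucket chain after inserting every key into a chained table.
# Each insert walks its chain, so n keys in one bucket cost about n*n/2 steps.
def longest_chain(keys, hash_fn)
  counts = Hash.new(0)
  keys.each { |k| counts[hash_fn.call(k) % BUCKETS] += 1 }
  counts.values.max || 0
end

# Parse an "a=1&b=2" body, rejecting oversized parameter sets before any
# of them is hashed. The limits are hypothetical defaults, not Rack's.
def parse_form(body, max_params: 100, max_key_bytes: 4096)
  pairs = body.split("&", max_params + 1)
  raise ParamLimitExceeded, "too many parameters" if pairs.length > max_params
  key_bytes = 0
  pairs.each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2)
    key_bytes += key.to_s.bytesize
    raise ParamLimitExceeded, "parameter names too large" if key_bytes > max_key_bytes
    params[key.to_s] = value.to_s
  end
end

# Constructed sample: the 720 orderings of "abcdef" all have the same byte sum.
COLLIDING_KEYS = %w[a b c d e f].permutation.map(&:join)

if __FILE__ == $PROGRAM_NAME
  puts "unkeyed longest chain: #{longest_chain(COLLIDING_KEYS, method(:predictable_hash))}"
  puts "keyed longest chain:   #{longest_chain(COLLIDING_KEYS, method(:keyed_hash))}"
  begin
    parse_form(COLLIDING_KEYS.map { |k| "#{k}=1" }.join("&"))
  rescue ParamLimitExceeded => e
    puts "rejected: #{e.message}"
  end
end
```

With the unkeyed hash all 720 sample keys share one chain; with the keyed hash they spread across the buckets, and the parser refuses the oversized body before hashing any of it.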

simplesamlphp: cross-site scripting

Package(s): simplesamlphp
CVE #(s):
Created: January 12, 2012
Updated: January 18, 2012
Description:

From the Debian advisory:

timtai1 discovered that simpleSAMLphp, an authentication and federation platform, is vulnerable to a cross site scripting attack, allowing a remote attacker to access sensitive client data.

Alerts:
Debian DSA-2387-1 2012-01-11

t1lib: multiple vulnerabilities

Package(s): t1lib
CVE #(s): CVE-2011-1552 CVE-2011-1553 CVE-2011-1554
Created: January 12, 2012
Updated: January 30, 2012
Description:

From the Mandriva advisory:

t1lib 5.1.2 and earlier reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than CVE-2011-0764 (CVE-2011-1552).

Use-after-free vulnerability in t1lib 5.1.2 and earlier allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory write, a different vulnerability than CVE-2011-0764 (CVE-2011-1553).

Off-by-one error in t1lib 5.1.2 and earlier allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory read, integer overflow, and invalid pointer dereference, a different vulnerability than CVE-2011-0764 (CVE-2011-1554).

Alerts:
Mandriva MDVSA-2012:004 2012-01-12
Debian DSA-2388-1 2012-01-14
Ubuntu USN-1335-1 2012-01-19
Oracle ELSA-2012-0062 2012-01-25
Red Hat RHSA-2012:0062-01 2012-01-24
Scientific Linux SL-t1li-20120125 2012-01-25
Fedora FEDORA-2012-0289 2012-01-28
Fedora FEDORA-2012-0266 2012-01-28
CentOS CESA-2012:0062 2012-01-30
Red Hat RHSA-2012:0137-01 2012-02-15
Scientific Linux SL-texl-20120215 2012-02-15
CentOS CESA-2012:0137 2012-02-16
Oracle ELSA-2012-0137 2012-02-15
openSUSE openSUSE-SU-2012:0559-1 2012-04-25
Slackware SSA:2012-228-01 2012-08-15
Red Hat RHSA-2012:1201-01 2012-08-23
CentOS CESA-2012:1201 2012-08-23
Oracle ELSA-2012-1201 2012-08-23
Scientific Linux SL-tete-20120823 2012-08-23
Mandriva MDVSA-2012:144 2012-08-28

wordpress: cross-site scripting

Package(s): wordpress
CVE #(s): CVE-2012-0287
Created: January 17, 2012
Updated: January 18, 2012
Description: From the CVE entry:

Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature.

Alerts:
Fedora FEDORA-2012-0248 2012-01-07
Fedora FEDORA-2012-0247 2012-01-07
Mageia MGASA-2012-0168 2012-07-19

Page editor: Jake Edge

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds