LWN.net Weekly Edition for October 23, 2003

Bernstein wins, sort of

October 22, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

Not with a bang, but a whimper. That's how Daniel Bernstein's fight with the federal government over cryptography regulations has wound to a close. It is an unsatisfying end to the eight years of court battles over the constitutionality of export restrictions on cryptography.

Bernstein may be better-known to the community as the author of qmail, djbdns, ezmlm and a number of other popular (if not quite free) packages. Bernstein, now an associate professor in the department of Mathematics, Statistics, and Computer Science at the University of Illinois, first filed suit against the Department of State in 1995.

Before the first suit was filed, Bernstein was a PhD candidate working in the field of cryptography at the University of California at Berkeley. Bernstein had produced "Snuffle," a private-key encryption system, and in June 1992 requested a decision from the Department of State as to whether the source code could be published on the "sci.crypt" newsgroup. The response was that Snuffle was a "defense item" and that Bernstein would need licenses to export it. After additional correspondence over the next three years, Bernstein and the Electronic Frontier Foundation filed suit against the Department of State and a number of individuals. Bernstein argued that the International Traffic In Arms Regulations (ITAR), which required licensing for the export of cryptographic software, were unconstitutional.

The Bernstein case produced a landmark ruling that recognized code as a form of speech. The Department of State asked Judge Marilyn Hall Patel to dismiss the case, arguing (among other things) that export controls on encryption software do not constitute a prior restraint of free speech. Patel, in refusing to dismiss the case, issued an opinion in the case that source code is to be protected as speech under the First Amendment:

This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French...Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it...For the purposes of First Amendment analysis, this court finds that source code is speech.

Patel's ruling was the first that recognized source code as speech with regards to consideration under the First Amendment. Courts had previously recognized code as something that could be protected under copyright law, but not as communication to be protected under the First Amendment. Eventually, Bernstein won his case against the Department of State, with Patel agreeing with Bernstein in 1996 that the regulations were unconstitutional.

The victory, however, was short-lived. Regulation of encryption shifted from the Department of State under ITAR to the Commerce Department and a new set of regulations, the Export Administration Regulations (EAR). Bernstein challenged EAR, and Patel also found that the EAR was unconstitutional and enjoined the Department of State and the Commerce Department from enforcing it.

The government appealed and the Ninth Circuit upheld Patel's decision, finding that "encryption software, in its source code form and as employed by those in the field of cryptography, must be viewed as expressive."

After failed appeals, the government changed the regulations and the case was remanded back to Patel. Instead of requiring Bernstein or other crypto researchers to acquire a license for every viewer of the information, the government now wanted encryption items sent to the Bureau of Industry and Security (BIS) for export approval. However, the changes in EAR were still not satisfactory to Bernstein or the EFF, and the legal battles continued.

Unfortunately, in the U.S. judicial system, it is apparently not enough to merely show that a particular law may be unconstitutional. One must also show that the law in question may be used against you. Patel dismissed Bernstein's case against the Department of Commerce on July 28 of this year for lack of standing. Patel also dismissed Bernstein's case against the Department of State last week, after the Bush administration said it would not attempt to enforce some of the encryption export regulations.

Though Bernstein seems safe from prosecution, at least at the moment, the problem is that the export regulations remain on the books. There is nothing stopping the government from prosecuting others for violation of EAR at this time. Anyone seeking to export "encryption software" to any country other than Canada must seek a license from the Commerce Department, barring encryption software used for "authentication or digital signature" functions alone.

Since this includes any distribution of software online, and even "technical assistance" with the development of encryption software subject to EAR, the EAR restrictions continue to pose at least a potential threat to open source developers working with encryption in the U.S. Violations of EAR could result in fines of up to $250,000 or ten years in prison, so the threat is not one to be taken lightly.

While it would be nice to believe that the regulations will be unenforced, it would have been a much better result if Bernstein could have succeeded in having them thrown out entirely. For now, we will have to settle for a partial victory.

The EU Open Source Migration Guidelines

The European Union Interchange of Data between Administrators project has (with the help of NetProject) published a document on how to migrate over to open source software. This document is available as a 148-page PDF file.

Much of this document will seem like basic common sense to many readers. Remember, however, that the target readership is high-level management, and one should not make too many assumptions with that crowd. Thus, for example, we have suggestions like "have a clear understanding of the reasons to migrate," "start with non-critical systems," and "ensure that there is active support for the change from IT staff and users." All of which is undoubtedly good advice.

The guidelines repeatedly suggest that, even if no changes are foreseen in the near future, it is still a good idea to avoid doing things that would make such a change harder in the future. Thus, web pages should be written to work with all browsers, excessive use of scripts and macros in documents should be avoided, standard file formats should be used, etc. This suggestion, by itself, would make life a lot easier for many people even if they never switch to free software.

The guidelines make specific suggestions for software to migrate to. These include OpenOffice.org (best Office replacement, can run on Windows), Evolution, Galeon (or Mozilla if it has to run on Windows too), MySQL, Exim (Postfix is "an acceptable alternative"), PhpGroupWare, Apache, and Zope. The report recommends GNOME over KDE ("netproject considers that [GNOME] has a better architecture and believes it has a better future").

A great many migration scenarios are provided; here the guidelines begin to resemble a system administration book. If you are looking for instructions on how to export your Access data for ingest into MySQL or how to convert your Word templates, this document has something for you. As a general rule, the information provided will not be sufficient for those who do not already have some expertise in making this sort of transition. It does, however, show that the transition is possible and highlight some of the potential pitfalls.

The document concludes with 50 pages of appendices. There is a lengthy list of available case studies, a detailed description of how mail systems are put together, some fairly useless tables of package versions, a Red Hat kickstart file for installing systems using the French language, and a glossary.

The Open Source Migration Guidelines may well prove to be a useful document for managers trying to plan (or decide on) a change to free software in their organizations. Its real value, however, may be found in a different area. What the Guidelines provide is a convincing demonstration that this transition can be done, and that the required tools exist. And that may be what many people pondering free software need more than anything else.

Catching up with SCO

There have been a few developments in the SCO case over the last week or so; time to check in and see what they are up to.

Much noise was made about the $50 million equity investment that the company received. This money was presented as being from BayStar, a venture capital firm. In fact, BayStar was the minority investor, having put in $20 million. The rest came from the Royal Bank of Canada.

This is not a straightforward equity investment. The investors will be getting "Series A convertible preferred stock," which brings no voting rights. The holders of the stock do, however, get veto power over a number of possible corporate actions, including taking on large debts or sales of assets. The preferred stock can be converted to common stock at $16.93/share whenever the investors wish. The investors can also force SCO to buy back the stock (with cash) under certain conditions, including delisting of the stock or financial problems that suggest bankruptcy is near.

After one year, SCO must pay an 8% dividend on the preferred stock; that dividend goes up 2% per year to a maximum level of 12%. Starting next year, SCO will have to come up with $4 million in cash flow to service this dividend requirement.

In summary, SCO has tied itself to an investment scheme that is rather more expensive than a straightforward stock issue would have been. For those who are interested, the full agreement is online at the SEC.

Meanwhile, in the courtrooms, the story is mostly one of motions going back and forth. The company has submitted a new brief in support of its motion to dismiss the Red Hat suit; this brief has been analyzed in great detail over at Groklaw. Suffice to say that PJ was not particularly impressed. We'll not duplicate the analysis on Groklaw, but there is one paragraph (from the opening page) which is worthy of note:

Red Hat, despite the complete absence of any ownership rights whatsoever in the Linux kernels, seeks a declaration that these Linux kernels do not infringe SCO's intellectual property rights. Similarly, Red Hat seeks redress based upon Lanham Act and state law claims, despite the fact that the Linux kernel is provided to any and all comers for free. This lack of ownership, combined with a careful review of complete quotations and accurate statements of law, makes clear that Red Hat's claims must fail.

A quick grep through the kernel source turns up an awful lot of Red Hat copyright statements. Red Hat indisputably has ownership rights in the Linux kernel. The fact that the relevant code has been placed under a license that allows free redistribution under certain conditions does not change that fact.

What is going on here is that the SCO Group, despite its ongoing bluster about intellectual property rights, is trying to deprive those who have contributed to the Linux kernel of their rights. This denial of Red Hat's rights goes along with SCO's attacks on the GPL. SCO would like nothing better than to invalidate all rights on the kernel - except, of course, those it claims to own itself. As long as others have rights to the kernel and the GPL holds, SCO cannot make a serious go at a general Linux tax.

The court records in Delaware show that SCO has filed to change its legal representation in the Red Hat case. Such a change in the middle of an ongoing case is generally unexpected. According to Groklaw, SCO is using some of its BayStar money to trade up to a higher-class, better-connected law firm.

In Utah, SCO is trying to fight (or at least delay) IBM's "motion to compel" the company to disclose the exact nature of its claims. From IBM's latest filing opposing a request from SCO for a delay:

There is nothing for SCO to say in response to IBM's motion except that it will provide all of the information IBM has requested. As stated in IBM's motion, SCO does not claim the right to withhold responsive information based on any of its boilerplate objections to these interrogatories. By contrast, further delay will compound the prejudice imposed upon IBM by SCO's delay of more than three months. This case has been pending more than seven months, and SCO has still failed to disclose what its claims are about.

Again, see Groklaw (where else?) for the details.

SCO has a new agreement with Boies, Schiller & Flexner, the law firm representing it in the IBM case. The company's recent 8K filing describes the new deal:

As part of this modification, which is subject to a definitive agreement, the law firm would receive a contingent fee of 20 percent of the proceeds from certain events related to its protection of SCO's intellectual property rights, including certain licensing fees, settlements, judgments, equity financings or a sale of SCO during the pendency of litigation or through settlement, subject to certain agreed-upon credits for amounts received as discounted hourly fees or prior contingency payments. In addition, this modification may result in the payment to such law firm of up to $1,000,000 and the issuance of up to 400,000 shares of SCO's common stock.

In other words, Boies et al. are no longer willing to work for a straight contingency deal. The 20% fee could yet be lucrative - it is not clear whether it includes the $50 million from BayStar and RBC - but Boies is now getting $1 million and almost $7 million worth of stock as well regardless of the outcome of any litigation. SCO's lawyers win whether its client does or not.

The 8K filing also notes that Microsoft has pumped another $8 million worth of "licensing fees" into SCO.

SCO has backed down from its threats to "cancel" SGI's Unix license. At the latest conference call, Darl McBride noted that SCO was happy with the roughly 200 lines of code that SGI has removed from the kernel; he seems to have stopped talking about the XFS filesystem. Mr. McBride also, in response to a question, stated that SCO did not have any other Unix vendors in its sights. He did, however, make a rather chilling statement about SCO's several thousand end-user Unix licensees. There is, apparently, something in those contracts which makes those users - if they also use Linux - look like especially tempting targets. SCO remains a good company to avoid signing contracts with.

Time for another Europatent push

As described in this FFII alert, the software patent proposal recently voted in the European Parliament may yet get pushed aside. "If UK ministers cannot be convinced otherwise before 10 November, it is believed they will push for the Council to adopt a November 2002 draft text, which is even worse than the infamous McCarthy report. The European Parliament's rules for second reading make it very difficult for MEPs to fix a bad text from the Council." There will be a meeting of "patent officials from across Europe" held on October 23 to work out the next steps for the establishment of software patents in Europe. FFII is asking everybody who can to contact their (national) Parliament members and help them understand why software patents are a bad idea. This battle is not yet over. (Thanks to James Heald)

Page editor: Jonathan Corbet

Security

Security news

Blocking forgeries and spam with SPF

Anybody who has spent any amount of time dealing with spam (i.e. just about anybody with an email address) knows that a great deal of it comes with forged return addresses. Email worms attacking certain proprietary systems also have a habit of generating mail with fake return addresses. If there were a way to filter out mail with bogus sender addresses, a great deal of spam and other unpleasant mail could be automatically removed from our mailboxes.

A technique called "Sender Permitted From" (SPF) is being readied to attempt to make this sort of filtering possible. Those looking for details can find them in the draft RFC, but the core concept is simple: the DNS database for each domain should be augmented with information on which systems are authorized to originate email for that domain. This information is added as a DNS "text" record, so no changes to the DNS protocol are required.

So, for example, the DNS zone file for a domain which never, ever sends mail could be made SPF-compliant by adding one line:

    example.com  IN  TXT  "v=spf1 default=deny"

The "v=spf1" portion indicates that this is an SPF version 1 entry, and the rest says to deny all mail from that domain.

In most interesting cases, however, people will want to be able to send mail from a domain. So the SPF entry must be modified to tell mail recipients which systems can send mail for the domain. The simplest way of doing that, perhaps, is to simply state that the domain's MX servers can originate mail:

    example.com  IN  TXT  "v=spf1 mx default=deny"

There are, of course, many ways of specifying, in great detail, exactly which systems can legitimately send mail for the domain of interest; see the RFC for details.

None of this will work until receiving systems perform SPF tests, of course. One of the nice features of SPF is that the check can be done before the body of a message is received. If the message will be filtered, this filtering can be done at the SMTP level and a meaningful message returned to the sender - if, indeed, there is a real sender. Patches exist for a number of MTAs now; expect more as the SPF specification solidifies. There are also plans to add SPF support in other places; apparently SpamAssassin 2.70 will support it, for example.
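To show what a receiving MTA actually does with those TXT records, here is a small SPF evaluator in Python. It is an added example, not code from the article or from the SPF project, and it runs entirely offline against a constructed in-memory DNS table in place of real lookups. It handles the "mx" mechanism and "default=deny" shown above; the "a" and "ip4:" mechanisms, the "softdeny" default value, and the result names (pass, fail, softfail, neutral, none) are this example's own assumptions about the draft syntax rather than anything quoted on the page.

```python
import ipaddress

# Constructed stand-in for DNS. Keys are (name, record type); values are
# the answers a resolver would return. These hosts and addresses are
# invented for the example (documentation ranges from RFC 5737).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx default=deny"],
    ("example.com", "MX"): ["mail1.example.com", "mail2.example.com"],
    ("mail1.example.com", "A"): ["192.0.2.10"],
    ("mail2.example.com", "A"): ["192.0.2.11"],
    ("example.org", "TXT"): ["v=spf1 default=deny"],        # a domain that never sends mail
    ("example.net", "TXT"): ["v=spf1 a ip4:198.51.100.0/24 default=softdeny"],
    ("example.net", "A"): ["203.0.113.5"],
}


def lookup(name, rtype):
    """Resolve a record from the constructed table (a real MTA would query DNS)."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def find_spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def _host_has_ip(name, ip):
    return any(ipaddress.ip_address(addr) == ip for addr in lookup(name, "A"))


def check_spf(domain, client_ip):
    """Evaluate the sender domain's SPF record against the connecting client IP.

    Mechanisms are tested left to right; the first match yields "pass".
    If nothing matches, the record's default= setting decides the result.
    A record with no default= is treated as "neutral" here (an assumption).
    """
    record = find_spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    result_if_no_match = "neutral"
    for term in record.split()[1:]:          # skip the "v=spf1" tag
        term = term.lower()
        if term.startswith("default="):
            result_if_no_match = {"deny": "fail",
                                  "softdeny": "softfail",
                                  "allow": "pass"}.get(term[len("default="):], "neutral")
        elif term == "mx":
            # Any address of any MX host for the domain may send its mail.
            if any(_host_has_ip(mx, ip) for mx in lookup(domain, "MX")):
                return "pass"
        elif term == "a":
            if _host_has_ip(domain, ip):
                return "pass"
        elif term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[len("ip4:"):], strict=False):
                return "pass"
        # Unknown mechanisms are ignored in this example.
    return result_if_no_match


def smtp_mail_from_reply(mail_from, client_ip):
    """Decide the reply to MAIL FROM, before any message body is accepted.

    Returns an (SMTP code, text) pair; a hard SPF failure is rejected with
    a meaningful message so that a real sender learns why.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(domain, client_ip)
    if result == "fail":
        return 550, f"SPF: {client_ip} is not authorized to send mail for {domain}"
    return 250, f"OK (SPF result: {result})"


if __name__ == "__main__":
    for sender, ip in [("user@example.com", "192.0.2.10"),
                       ("user@example.com", "203.0.113.99"),
                       ("user@example.org", "192.0.2.10"),
                       ("user@example.net", "192.0.2.1")]:
        print(sender, ip, smtp_mail_from_reply(sender, ip))
```

Because the decision needs only the envelope sender and the client address, it can be made at the MAIL FROM stage, which is why the article notes that filtering can happen before the body is transferred.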

SPF certainly will not solve the spam problem; spammers will just use domains that lack SPF information, open relays, or throwaway domains of their own. But it does place one more obstacle in their way, and will doubtless reduce the flow somewhat. The real value of SPF may be in its ability to make the forgery of email more difficult. In a fully SPF-compliant world, Linux users would no longer be flooded with "virus notifications" every time a new worm starts digging through people's address books. A dedicated attacker would probably still be able to forge email from a specific victim, but the days of easy, casual forgery would, one hopes, be over. And that is worth something.

New vulnerabilities

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
Mandrake MDKSA-2003:101 2003-10-16
Slackware SSA:2003-300-02 2003-10-22
SCO Group CSSA-2004-004.0 2004-02-19
Netwosix NW-2004-0002 2004-02-20
Gentoo 200403-10 2004-03-30
OpenPKG OpenPKG-SA-2004.012 2004-04-08

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
Conectiva CLA-2003:768 2003-10-22
Conectiva CLA-2003:771 2003-10-24
Immunix IMNX-2003-7+-026-01 2003-10-31
Red Hat RHSA-2003:309-01 2003-11-03
Mandrake MDKSA-2003:106 2003-11-12
Trustix 2003-0042 2003-11-15
SCO Group CSSA-2004-006.0 2004-03-01

gdm: local attacker may crash or freeze gdm

Package(s):gdm CVE #(s):CAN-2003-0793 CAN-2003-0794
Created:October 16, 2003 Updated:October 27, 2003
Description: Two vulnerabilities were discovered in gdm by Jarno Gassenbauer that would allow a local attacker to cause gdm to crash or freeze.
Alerts:
Mandrake MDKSA-2003:100 2003-10-16
Conectiva CLA-2003:766 2003-10-17
Slackware SSA:2003-300-01 2003-10-22

ircd: denial of service vulnerability

Package(s):ircd CVE #(s):CAN-2003-0864
Created:October 17, 2003 Updated:October 22, 2003
Description: Piotr Kucharski reported a buffer overflow vulnerability that may allow an attacker to crash the ircd server, thus causing a denial of service condition. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0864 to this issue.
Alerts:
Conectiva CLA-2003:765 2003-10-17
OpenPKG OpenPKG-SA-2003.045 2003-10-19

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:238-01 2003-07-21
EnGarde ESA-20032407-018 2003-07-24
Debian DSA-358-1 2003-07-31
Debian DSA-358-3 2003-08-04
Debian DSA-358-2 2003-08-05
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-4 2003-08-13
Gentoo 200308-01 2003-08-14
Red Hat RHSA-2003:408-00 2003-12-19

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

XFree86 4.3.0 integer overflows in font libraries

Package(s):XFree86 CVE #(s):CAN-2003-0730
Created:September 12, 2003 Updated:November 25, 2003
Description: Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details.
Alerts:
Mandrake MDKSA-2003:089 2003-09-11
Debian DSA-380-1 2003-09-12
Red Hat RHSA-2003:288-01 2003-11-17
Red Hat RHSA-2003:287-01 2003-11-25
Red Hat RHSA-2003:286-01 2003-11-25

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Mandrake MDKSA-2003:096 2003-09-26
Mandrake MDKSA-2003:096-1 2003-10-24
Netwosix NW-2004-0006 2004-03-25
Gentoo 200403-04 2004-03-22

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
Mandrake MDKSA-2003:070 2003-06-23
Conectiva CLA-2003:662 2003-06-25
Gentoo 200306-13 2003-06-25
Red Hat RHSA-2003:203-01 2003-07-03
Yellow Dog YDU-20030718-2 2003-07-18
SCO Group CSSA-2003-030.0 2003-11-07

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Conectiva CLA-2002:554 2002-12-16
Red Hat RHSA-2002:293-09 2002-12-17
Debian DSA-216-1 2002-12-24
SuSE SuSE-SA:2003:001 2003-01-02
SCO Group CSSA-2003-001.0 2003-01-09
EnGarde ESA-20030127-002 2003-01-27
Mandrake MDKSA-2003:011 2003-01-27
Immunix IMNX-2003-7+-023-01 2003-10-17

glibc - buffer overflow

Package(s):glibc CVE #(s):CAN-2003-0689
Created:October 15, 2003 Updated:November 25, 2003
Description: The GNU C library contains a buffer overflow in the getgrouplist() function. If the user belongs to more groups than the calling application expects, the allocated storage will be overrun.
Alerts:
Conectiva CLA-2003:762 2003-10-14
Red Hat RHSA-2003:325-01 2003-11-12
Trustix 2003-0039 2003-11-15
Mandrake MDKSA-2003:107 2003-11-18
Gentoo 200311-05 2003-11-22

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
EnGarde ESA-20030515-016 2003-05-15
OpenPKG OpenPKG-SA-2003.029 2003-05-16
Gentoo 200305-04 2003-05-16
Red Hat RHSA-2003:175-01 2003-05-20
Slackware ssa:2003-141-04 2003-05-22
Mandrake MDKSA-2003:061 2003-05-22
Yellow Dog YDU-20030602-4 2003-06-02
Conectiva CLA-2003:694 2003-07-11
SCO Group CSSA-2003-034.0 2003-11-17

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

KDE: Two issues in KDM

Package(s):kde, xfree86 CVE #(s):CAN-2003-0690 CAN-2003-0692
Created:September 16, 2003 Updated:December 19, 2003
Description: According to this advisory two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Red Hat RHSA-2003:269-01 2003-09-16
Mandrake MDKSA-2003:091 2003-09-16
Conectiva CLA-2003:747 2003-09-19
Debian DSA-388-1 2003-09-19
Gentoo 200311-01 2003-11-15
Mandrake MDKSA-2003:118 2003-12-19

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around for this vulnerability, issue the following command as root to clear the setuid bit:

    chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

mikmod: buffer overflow

Package(s): mikmod  CVE #(s): CAN-2003-0427
Created: June 16, 2003  Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s): mplayer  CVE #(s): CAN-2003-0835
Created: September 29, 2003  Updated: April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Gentoo 200309-15 2003-09-27
Mandrake MDKSA-2003:097 2003-09-30
Conectiva CLA-2003:760 2003-10-06
Gentoo 200403-13 2004-03-31
Mandrake MDKSA-2004:026 2004-04-05

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s): nessus  CVE #(s):
Created: May 27, 2003  Updated: August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s): net-snmp  CVE #(s): CAN-2002-1170
Created: December 17, 2002  Updated: November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Red Hat RHSA-2002:228-11 2002-12-17
Conectiva CLA-2003:778 2003-11-07

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s): nfs-utils  CVE #(s): CAN-2003-0252
Created: July 14, 2003  Updated: March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s): openssh  CVE #(s): CAN-2003-0190
Created: May 2, 2003  Updated: November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

openssl: vulnerabilities in ASN.1 code

Package(s): openssl  CVE #(s): CAN-2003-0543 CAN-2003-0544 CAN-2003-0545
Created: September 30, 2003  Updated: November 4, 2003
Description: Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay.

An attack against other applications that use OpenSSL could result in a Denial of Service. See CAN-2003-0543 and CAN-2003-0544.

It may be possible for an attacker to exploit this issue to execute arbitrary code. See CAN-2003-0545.

CERT has an updated OpenSSL advisory identifying additional OpenSSL vulnerabilities.

Alerts:
Red Hat RHSA-2003:291-01 2003-09-30
Red Hat RHSA-2003:292-01 2003-09-30
OpenPKG OpenPKG-SA-2003.044 2003-09-30
Immunix IMNX-2003-7+-022-01 2003-09-29
EnGarde ESA-20030930-027 2003-09-30
Conectiva CLA-2003:751 2003-09-30
Debian DSA-393-1 2003-10-01
Gentoo 200309-19 2003-10-01
Mandrake MDKSA-2003:098 2003-09-30
Slackware SSA:2003-273-01 2003-09-30
SuSE SuSE-SA:2003:043 2003-10-01
Tawie 2003-0001 2003-10-02
EnGarde ESA-20031003-028 2003-10-03
Conectiva CLA-2003:759 2003-10-03
Debian DSA-394-1 2003-10-11
EnGarde ESA-20031104-029 2003-11-04

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s): postfix  CVE #(s): CAN-2003-0468 CAN-2003-0540
Created: August 5, 2003  Updated: May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Debian DSA-363-1 2003-08-03
Red Hat RHSA-2003:251-01 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Conectiva CLA-2003:717 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
Trustix 2003-0029 2003-08-04
Mandrake MDKA-2004:028 2004-05-26

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s): postgresql  CVE #(s):
Created: February 12, 2003  Updated: November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Mandrake MDKSA-2002:062-1 2003-02-11
Trustix 2003-0004 2003-02-20
Immunix IMNX-2003-7+-005-01 2003-04-08
Debian DSA-397-1 2003-11-07

Comments (1 posted)

proftpd: remote root shell

Package(s): proftpd  CVE #(s): CAN-2003-0831
Created: September 24, 2003  Updated: January 2, 2004
Description: The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:
Slackware SSA:2003-259-02 2003-09-23
OpenPKG OpenPKG-SA-2003.043 2003-09-25
Mandrake MDKSA-2003:095 2003-09-26
Trustix 2003-0037 2003-09-27
Gentoo 200309-16 2003-09-28
Conectiva CLA-2003:750 2003-09-29
Mandrake MDKSA-2003:095-1 2003-12-31

Comments (2 posted)

sane-backends: several vulnerabilities

Package(s): sane-backends  CVE #(s): CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created: September 11, 2003  Updated: February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
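The length-prefixed string handling behind CAN-2003-0774 and CAN-2003-0775 written so that it fails closed, as an added example that is not saned's code. It assumes a 32-bit big-endian length that includes the terminating NUL, a 64 KiB cap, and an in-memory buffer standing in for the socket so that a dropped peer can be simulated; the messages are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_LEN 65536   /* assumed cap; saned had none */

/* Stand-in for a socket. Returns fewer bytes than asked for once the
 * buffer is exhausted, which is what read() does after a peer drops. */
struct wire { const uint8_t *buf; size_t len; size_t pos; };

static size_t wire_read(struct wire *w, void *dst, size_t n)
{
    size_t avail = w->len - w->pos;
    if (n > avail) n = avail;
    memcpy(dst, w->buf + w->pos, n);
    w->pos += n;
    return n;
}

/* Read exactly n bytes or fail. A short read means the peer is gone and
 * nothing read so far may be used: saned skipped this check, so a stale
 * or uninitialised length reached malloc() (CAN-2003-0775). */
static int read_full(struct wire *w, void *dst, size_t n)
{
    uint8_t *p = dst;
    while (n > 0) {
        size_t got = wire_read(w, p, n);
        if (got == 0) return -1;
        p += got;
        n -= got;
    }
    return 0;
}

/* Returns a malloc'd NUL-terminated string, or NULL on any error:
 * connection drop, zero or oversize length, or a payload whose last byte
 * is not NUL (the kind of string that later crashed debug output, CAN-2003-0777). */
char *recv_string(struct wire *w)
{
    uint8_t hdr[4];
    if (read_full(w, hdr, sizeof hdr) != 0) return NULL;
    uint32_t len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                   ((uint32_t)hdr[2] << 8) | hdr[3];
    if (len == 0 || len > MAX_STRING_LEN) return NULL;
    char *s = malloc(len);
    if (s == NULL) return NULL;
    if (read_full(w, s, len) != 0 || s[len - 1] != '\0') {
        free(s);
        return NULL;
    }
    return s;
}

/* Convenience for the demo: one complete receive from a constructed message. */
char *recv_from(const uint8_t *msg, size_t n)
{
    struct wire w = { msg, n, 0 };
    return recv_string(&w);
}

/* Constructed messages, not captured traffic. */
const uint8_t MSG_GOOD[]       = { 0, 0, 0, 6, 'h', 'e', 'l', 'l', 'o', 0 };
const uint8_t MSG_DROPPED[]    = { 0, 0, 0, 6, 'h', 'e' };      /* peer left mid-string */
const uint8_t MSG_HEADER_CUT[] = { 0, 0 };                      /* peer left mid-length */
const uint8_t MSG_HUGE[]       = { 0xff, 0xff, 0xff, 0xff };    /* 4 GiB "string" */
const uint8_t MSG_NO_NUL[]     = { 0, 0, 0, 2, 'h', 'i' };      /* not terminated */

int main(void)
{
    char *s = recv_from(MSG_GOOD, sizeof MSG_GOOD);
    printf("good: %s\n", s ? s : "(rejected)");
    free(s);
    printf("dropped: %s\n", recv_from(MSG_DROPPED, sizeof MSG_DROPPED) ? "accepted" : "rejected");
    printf("huge: %s\n", recv_from(MSG_HUGE, sizeof MSG_HUGE) ? "accepted" : "rejected");
    return 0;
}
```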
Alerts:
Debian DSA-379-1 2003-09-11
Red Hat RHSA-2003:278-01 2003-10-07
Mandrake MDKSA-2003:099 2003-10-09
Conectiva CLA-2003:769 2003-10-22
SuSE SuSE-SA:2003:046 2003-11-18
SCO Group CSSA-2004-005.0 2004-02-19

Comments (none posted)

sendmail: remotely exploitable buffer overflow

Package(s): sendmail  CVE #(s): CAN-2003-0694 CAN-2003-0681
Created: September 17, 2003  Updated: November 18, 2003
Description: Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix.
Alerts:
Gentoo 200309-13 2003-09-17
Slackware SSA:2003-260-02 2003-09-17
Red Hat RHSA-2003:283-01 2003-09-17
Debian DSA-384-1 2003-09-17
Mandrake MDKSA-2003:092 2003-09-17
Immunix IMNX-2003-7+-021-01 2003-09-17
Yellow Dog YDU-20030917-2 2003-09-17
Conectiva CLA-2003:742 2003-09-18
OpenPKG OpenPKG-SA-2003.041 2003-09-19
SuSE SuSE-SA:2003:040 2003-09-20
SCO Group CSSA-2003-036.0 2003-11-17

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s): stunnel  CVE #(s): CAN-2002-1563
Created: July 25, 2003  Updated: November 25, 2003
Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.

When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.

Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.
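The handler pattern that sidesteps this reentrancy problem, as an added example (not stunnel's code): the SIGCHLD handler only writes a byte to a self-pipe, and the daemon's ordinary select() loop does the reaping with waitpid(). The function names and the 5-second demo timeout are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <unistd.h>

/* Self-pipe: the handler's only job is to write one byte here. write() is
 * async-signal-safe; waitpid() bookkeeping, logging and memory management
 * are not, and doing them inside the handler is what a second SIGCHLD could
 * interrupt in stunnel before 4.04. */
static int sigchld_pipe[2] = { -1, -1 };

static void on_sigchld(int sig)
{
    int saved = errno;                      /* a handler must preserve errno */
    (void)sig;
    (void)write(sigchld_pipe[1], "", 1);    /* non-blocking: a full pipe is fine */
    errno = saved;
}

int install_sigchld_handler(void)
{
    if (sigchld_pipe[0] == -1) {
        if (pipe(sigchld_pipe) != 0) return -1;
        for (int i = 0; i < 2; i++)
            fcntl(sigchld_pipe[i], F_SETFL, fcntl(sigchld_pipe[i], F_GETFL) | O_NONBLOCK);
    }
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP; /* restart accept()/read(); exits only */
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Main-loop side: drain the pipe, then reap every exited child. Several
 * SIGCHLDs may have collapsed into one byte, so loop with WNOHANG. */
int reap_children(void)
{
    char drain[64];
    int reaped = 0, status;
    while (read(sigchld_pipe[0], drain, sizeof drain) > 0)
        ;
    while (waitpid(-1, &status, WNOHANG) > 0)
        reaped++;
    return reaped;
}

/* Demo: fork n "connection handlers" that exit at once, then wait in the
 * select() loop a daemon has anyway, reaping whenever the pipe is readable.
 * Returns the number reaped (expect n); gives up after 5 seconds. */
int spawn_and_reap(int n)
{
    if (install_sigchld_handler() != 0) return -1;
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) _exit(0);             /* child: connection finished */
    }
    int total = 0;
    while (total < n) {
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(sigchld_pipe[0], &rfds);     /* listening sockets would join here */
        struct timeval tv = { 5, 0 };
        int r = select(sigchld_pipe[0] + 1, &rfds, NULL, NULL, &tv);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) break;
        total += reap_children();
    }
    return total;
}
```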

Alerts:
Red Hat RHSA-2003:221-01 2003-07-25
EnGarde ESA-20030806-020 2003-08-06
Trustix 2003-0030 2003-08-07
Conectiva CLA-2003:736 2003-09-05
SCO Group CSSA-2003-026.0 2003-10-03
Red Hat RHSA-2003:296-01 2003-11-24

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s): tar unzip  CVE #(s): CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created: October 1, 2002  Updated: April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04

Comments (1 posted)

Multiple vendor telnetd vulnerability

Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5  CVE #(s):
Created: May 21, 2002  Updated: October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
SCO Group CSSA-2001-030.0 2001-08-10
Conectiva CLA-2001:413 2001-08-24
Debian DSA-075-1 2001-08-14
Debian DSA-075-2 2001-08-14
HP HPSBTL0202-023 2002-02-12
Mandrake MDKSA-2001:068 2001-08-13
Mandrake MDKSA-2001:093 2001-12-17
Progeny PROGENY-SA-2001-27 2001-08-14
Red Hat RHSA-2001:099-06 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:100-02 2001-08-09
Slackware sl-997726350 2001-08-09
SuSE SuSE-SA:2001:029 2001-09-03
Yellow Dog YDU-20010810-1 2001-08-10
Yellow Dog YDU-20010810-2 2001-08-10
Gentoo 200410-03 2004-10-05

Comments (none posted)

tomcat4: denial of service vulnerability

Package(s): tomcat  CVE #(s):
Created: October 15, 2003  Updated: October 15, 2003
Description: Aldrin Martoq has discovered a denial of service (DoS) vulnerability in Apache Tomcat 4.0.x. Sending several non-HTTP requests to Tomcat's HTTP connector makes Tomcat reject further requests on this port until it is restarted.
Alerts:
Debian DSA-395-1 2003-10-15

Comments (none posted)

unzip: directory traversal vulnerability

Package(s): unzip  CVE #(s): CAN-2003-0282
Created: July 1, 2003  Updated: November 13, 2003
Description: A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
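A member-name check that covers both the "../" case from the tar entry above and the non-printable-byte case here, as an added example that is neither tar's nor unzip's code; the helper names and the sample member names are constructed. The flawed function reproduces the check-then-filter ordering the unzip advisory describes, beside the hardened check that decides on the exact bytes the filesystem will see.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Flawed ordering, modelled on the unzip bug: test the raw name for "..",
 * and only afterwards strip the bytes that are not printable. Returns 1 if
 * the name was accepted; the name that would actually be created is
 * written to out. */
int check_then_filter(const char *name, char *out, size_t outlen)
{
    if (strncmp(name, "../", 3) == 0 || strstr(name, "/../") != NULL)
        return 0;                        /* raw name looks harmless ... */
    size_t j = 0;
    for (const char *p = name; *p != '\0' && j + 1 < outlen; p++)
        if (isprint((unsigned char)*p))
            out[j++] = *p;               /* ... but ".\x01." collapses to ".." */
    out[j] = '\0';
    return 1;
}

/* Hardened check, applied to exactly the bytes that will reach open():
 * no absolute names, no non-printable bytes (so nothing downstream can
 * reshape the name), and no path component equal to "..". The last rule
 * is the one GNU tar 1.13.19 and earlier lacked for "../" in member names. */
int member_path_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/')
        return 0;
    for (const char *p = name; *p != '\0'; p++)
        if (!isprint((unsigned char)*p))
            return 0;
    const char *comp = name;
    for (;;) {
        const char *slash = strchr(comp, '/');
        size_t len = slash ? (size_t)(slash - comp) : strlen(comp);
        if (len == 2 && comp[0] == '.' && comp[1] == '.')
            return 0;
        if (slash == NULL)
            return 1;
        comp = slash + 1;
    }
}

/* Does the flawed path accept a name that, once filtered, escapes the
 * extraction directory? 1 means yes: the bug is reproduced. */
int flawed_accepts_traversal(const char *name)
{
    char out[256];
    return check_then_filter(name, out, sizeof out) && !member_path_is_safe(out);
}

int main(void)
{
    /* Constructed member names, not taken from any real archive. */
    const char *names[] = { "etc/passwd", "../etc/passwd", "/etc/passwd",
                            "foo/../../bar", "foo/..bar/baz", ".\x01./etc/passwd" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s hardened:%s  flawed-escapes:%d\n", names[i],
               member_path_is_safe(names[i]) ? "ok  " : "DENY",
               flawed_accepts_traversal(names[i]));
    return 0;
}
```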
Alerts:
Red Hat RHSA-2003:199-01 2003-07-01
Immunix IMNX-2003-7+-017-01 2003-07-02
Conectiva CLA-2003:672 2003-07-02
Mandrake MDKSA-2003:073 2003-07-07
Debian DSA-344-1 2003-07-08
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Gentoo 200307-02 2003-07-11
Yellow Dog YDU-20030710-1 2003-07-10
Red Hat RHSA-2003:199-02 2003-08-15
Conectiva CLA-2003:724 2003-08-18
Mandrake MDKSA-2003:073-1 2003-08-19
Slackware SSA:2003-237-01 2003-08-25
Debian DSA-344-2 2003-08-26
SCO Group CSSA-2003-031.0 2003-11-07

Comments (none posted)

vim - modeline vulnerability

Package(s): vim  CVE #(s): CAN-2002-1377
Created: January 16, 2003  Updated: February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Red Hat RHSA-2002:297-17 2003-01-15
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Gentoo 200301-13 2003-01-22
Yellow Dog YDU-20030127-3 2003-01-27
Mandrake MDKSA-2003:012 2003-02-03
Conectiva CLA-2004:812 2004-02-10

Comments (4 posted)

webmin: session ID spoofing

Package(s): webmin  CVE #(s): CAN-2003-0101
Created: June 13, 2003  Updated: November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:
Debian DSA-319-1 2003-06-12
SCO Group CSSA-2003-035.0 2003-11-17

Comments (none posted)

wget: buffer overflow

Package(s): wget  CVE #(s): CAN-2003-1565
Created: August 5, 2003  Updated: December 10, 2003
Description: The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution.
Alerts:
Conectiva CLA-2003:716 2003-08-04
SCO Group CSSA-2003-025.0 2003-10-03
Red Hat RHSA-2003:372-01 2003-12-10

Comments (1 posted)

xinetd: Memory leak in xinetd 2.3.10

Package(s): xinetd  CVE #(s): CAN-2003-0211
Created: May 13, 2003  Updated: November 12, 2003
Description: Xinetd is a 'master server' that is used to accept service connection requests and start the appropriate servers.

Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable.

In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations.

All users of xinetd are advised to update to xinetd-2.3.11 which is not vulnerable to these issues.

Alerts:
Red Hat RHSA-2003:160-01 2003-05-13
Mandrake MDKSA-2003:056 2003-05-14
Gentoo 200305-08 2003-05-19
Yellow Dog YDU-20030602-1 2003-06-02
Conectiva CLA-2003:782 2003-11-12

Comments (none posted)

Resources

Linux Security Week

The October 20 issue of Linux Security Week from LinuxSecurity.com is available.

Full Story (comments: none)

Events

DallasCon Wireless Security Conference 2004

The third annual DallasCon Wireless Security Conference is happening in Dallas, Texas on May 1 and 2, 2004. Papers are being accepted now; see the announcement for details.

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Release status

Kernel release status

The current development kernel is 2.6.0-test8, which was released by Linus on October 17. This patch includes a working NFS direct I/O implementation, a workaround for the Athlon prefetch bug, various architecture updates, working signal handling for kernel threads, an ALSA update, some software suspend work, and numerous other fixes. The long-format changelog has the details.

Linus's BitKeeper repository is full of stability fixes, as is appropriate for his current goal of getting 2.6.0 in shape. It also includes an SGI Altix serial console driver and Jeff Garzik's libata driver (covered here last August).

The current stable kernel is 2.4.22; Marcelo has not released any 2.4.23 prepatches since 2.4.23-pre7 on October 9.

Comments (none posted)

Kernel development news

The unfinished SCSI job

The repository for SCSI patches has just been forked into two separate trees. One of them is a bugfix-only repository, with its contents meant to get past Linus's "stability fixes only" filter and into the 2.6.0-test kernel. The other is for everything else, which will be held for 2.7, or, at least, a post-2.6.0 release.

This change brought out the question: what about expanding the number of SCSI disks (and partitions) that can be supported by the kernel? That was, after all, one of the reasons for expanding the dev_t type in the first place. The larger device numbers are now in place, but there are no patches in the mainline to make more SCSI disks available.

There are, as it turns out, a few remaining issues that must be addressed before the SCSI expansion can be completed. One of those is naming. Currently, the first 26 SCSI drives are called sda through sdz. Then a second letter is added, making sdaa through sdzz available. The default plan seems to be to go to sdaaa thereafter, and sdaaaa if need be.

Is the number of partitions per drive to be expanded? The current limit of fifteen is apparently constraining to some. As a result, there has been persistent talk of raising the limit to 63. That change, however, would create interesting numbering challenges. The current numbering scheme divides the (eight-bit) minor number in half; the upper nibble is the drive number, and the lower nibble is the partition number. To support more partitions, the portion of the (now 20-bit) minor number dedicated to the partition number would have to be expanded. A naive implementation would simply remap the minor number so that bits 0..5 describe the partition, and bits 6..19 the drive number.

The only problem with that approach is that it would break all existing SCSI device nodes. The kernel hackers have a sense that they might get a complaint or two if they did that, so they are fairly strongly committed to ensuring that old device numbers continue to work. As a result, there have been proposals for more complicated schemes, with the two new partition bits being placed, for example, up at the high end of the minor number. This approach would put an end to the manual creation of device nodes for large SCSI devices - who wants to figure out what number to give to mknod? - but there was not likely to be much of that going on anyway.
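The three minor-number layouts side by side, as an added example that is not kernel code: decoding the old /dev/sdb3 node under each shows why the naive remap breaks existing nodes while partition bits placed at the high end keep them working. Using bits 18..19 for the two extra partition bits is an assumption, since the text only says "the high end".

```c
#include <stdio.h>

struct disk_id { unsigned drive; unsigned part; };

/* 2.4 layout: 8-bit minor, drive in bits 4..7, partition in bits 0..3. */
struct disk_id decode_old(unsigned minor)
{
    struct disk_id id = { (minor >> 4) & 0xf, minor & 0xf };
    return id;
}

/* Naive 20-bit layout from the text: partition in bits 0..5, drive in 6..19. */
struct disk_id decode_naive(unsigned minor)
{
    struct disk_id id = { (minor >> 6) & 0x3fff, minor & 0x3f };
    return id;
}

/* Compatible layout: the old nibbles stay put, the drive number grows upward
 * through bits 4..17, and the two extra partition bits sit at the high end
 * (bits 18..19, an assumed placement). Every old minor has those bits clear,
 * so it decodes exactly as it did under 2.4. */
struct disk_id decode_compat(unsigned minor)
{
    struct disk_id id;
    id.drive = (minor >> 4) & 0x3fff;
    id.part  = (minor & 0xf) | (((minor >> 18) & 0x3) << 4);
    return id;
}

unsigned encode_compat(unsigned drive, unsigned part)
{
    return ((drive & 0x3fff) << 4) | (part & 0xf) | (((part >> 4) & 0x3) << 18);
}

static int same(struct disk_id a, struct disk_id b)
{
    return a.drive == b.drive && a.part == b.part;
}

/* How many of the 256 pre-existing device nodes would name a different
 * (drive, partition) under each new layout? */
int naive_broken_count(void)
{
    int n = 0;
    for (unsigned m = 0; m < 256; m++)
        n += !same(decode_old(m), decode_naive(m));
    return n;
}

int compat_broken_count(void)
{
    int n = 0;
    for (unsigned m = 0; m < 256; m++)
        n += !same(decode_old(m), decode_compat(m));
    return n;
}

int main(void)
{
    unsigned sdb3 = (1 << 4) | 3;          /* minor of the old /dev/sdb3 node */
    struct disk_id n = decode_naive(sdb3), c = decode_compat(sdb3);
    printf("naive:  drive %u part %u\n", n.drive, n.part);   /* drive 0 part 19 */
    printf("compat: drive %u part %u\n", c.drive, c.part);   /* drive 1 part 3 */
    printf("old nodes broken: naive %d, compat %d\n",
           naive_broken_count(), compat_broken_count());
    return 0;
}
```

Only the sixteen old minors below 16 survive the naive remap, which is why the count comes out at 240 rather than all 256.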

A better long-term approach might be to go to one or more completely new major numbers for SCSI drives. The block layer could then assign numbers dynamically as the drives are discovered, with a tool like udev creating device nodes on demand. For sites that need old numbers to work, a small compatibility module could map between the old and new numbers at device open time. That is all certainly 2.7 material, however. For 2.6.0, the most likely scenario might be the merging of a simple patch (like Badari Pulavarty's patch found in the -mm tree) which expands the number of disks supported in a relatively unintrusive way. The complete solution can come later.

Comments (2 posted)

The cpuset mechanism

A set of patches has been making the rounds for the last month or so which implements a concept known as a "cpuset." A cpuset is simply an arbitrary collection of processors in an SMP system; cpusets can be used to partition a large system into smaller virtual machines in a flexible sort of way. This patch was originally posted by Simon Derr; more recent versions (found in the "patches" section, below) have been sent out by Stephen Hemminger at OSDL.

Internally, the patch creates a hierarchy of cpusets. At boot time, the root set is created containing all of the system's processors. System calls can then be used to create child sets. The creation of a cpuset is not a privileged task, but no process can expand beyond the set of processors initially assigned to it. Thus, for example, the system administrator can create a cpuset for a particular group of processes which will be confined to the designated processors. Those processes can, however, further partition the set for their own purposes.

In normal use, one would expect cpusets to correspond to the underlying hardware; all processors in a set would normally be part of the same NUMA node, for example. There is nothing in the patch that requires users to do things that way, however; cpusets can be any arbitrary subset of the available processors. Processors can also belong to multiple cpusets, so cpusets can overlap each other in arbitrary ways. There is, however, a "strict" flag which can be set to disallow the sharing of processors in this way.

There are a few new system calls created by this patch:

cpuset_create()
Creates a new cpuset as a child of the process's current cpuset, containing the same processors as the parent.

cpuset_destroy()
Destroys the given cpuset.

cpuset_attach()
Attaches a process to a particular cpuset.

cpuset_alloc()
Changes the set of processors belonging to a cpuset. The name of this call is a little misleading, since it can release processors from a cpuset. In fact, removing CPUs will be the normal usage, since a cpuset cannot contain processors which are not also contained in its parent.

cpuset_getfreecpus()
Returns a list of processors which are not part of the current cpuset, but which could be added.

Processes running within a cpuset have no view of the processors which are not contained within that set. Processors in a cpuset are renumbered to appear to be the only processors on the system; thus, for example, system calls like sched_setaffinity() will only bind processes within their particular cpuset.

This patch has generated a cer