| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for December 4, 2003
The brk() vulnerability
It has been disclosed that the compromise of the Debian Project's servers was made possible, in part, by a previously unpatched vulnerability in the kernel's memory management code. For the curious, this article describes how that vulnerability works, and what is required to exploit it. We'll also look at how it could have remained unfixed for months.
| Process memory |
|---|
| 0x00000000-0x08047FFF
Unmapped area |
| 0x08048000-0x08??????
Program text |
| 0x08??????-
Named memory and heap |
| 0x40000000-0x4???????
Shared libraries, shared memory segments |
| 0x4???????-0xbfffcfff
Unmapped area |
| 0xbfffd000-0xc0000000
Stack |
The bulk of the memory used by a program for its variables and heap storage is found in the section marked "named memory and heap" in the diagram. This memory area is initially made large enough to hold the static variables created by the program, but, as soon as more memory is required (to satisfy malloc() calls, perhaps) that region of memory must be expanded. Since the beginning, Unix-like systems have provided a system call (named brk()) which can be used to change the size of the heap area. The caller simply passes in the virtual address indicating where the new "break point" should be set, and the area is expanded or contracted as need be.
Back in September, Andrew Morton noticed that no sort of bounds checking was being applied to the address passed to brk(). In theory, this omission means that a process could request an arbitrarily large heap area. In practice, most programs would not get that far. The kernel does not allow virtual memory areas to overlap each other, so any expansion of the heap area that caused it to impinge upon the shared library areas starting at 0x40000000 would be rejected with an error. So it would appear that the lack of bounds checking was never that serious of a problem; all it could do is allow a user to set up some huge page tables.
Obviously, the situation is worse than that. The memory layout diagram is missing one important area; on ia-32 systems, the kernel itself is mapped in starting at 0xc0000000 - right above the process stack area. Processes normally do not have any access to that part of memory, of course. But, as it turns out, if you can convince brk() to expand your heap area up into the kernel's address range, you have direct access to the kernel code and data areas. At that point, the integrity of the system is lost.
The key to cracking the system is changing the process memory layout so that the heap area can be expanded into the kernel's space. You cannot easily do that with a normal C program, but, with a bit of assembly trickery things become easier. A proof of concept exploit has already been posted to Bugtraq, so one can see how it is done. It is really a matter of (1) moving the program origin up into the highest part of virtual memory, where the stack usually lives, and (2) shorting out the C library's startup code which sets up the address space in the first part. Once you do that, an unpatched system will happily expand your heap area into kernel space.
So, as the Debian Project learned at great cost, this little omission in the implementation of the brk() system call is fully usable for a complete local root exploit.
There have been a lot of questions about how such a vulnerability could remain unfixed for so long. In fact, it was patched in the 2.6.0-test series almost as soon as it was found. The fix also went to Marcelo Tosatti, the 2.4 maintainer, but it was too late for the 2.4.22 release, which happened on August 25. So the fix was merged into 2.4.23-pre7, which came out on October 9. The current 2.4.23 kernel is not vulnerable - but that was too late to help Debian.
The real problem, of course, is that nobody realized the severity of this bug. Had the kernel developers understood that current kernels were vulnerable to this sort of attack, the alert would have gone out and the various distributors would have sent out the usual set of updates. But this patch was just one of over 2000 patches merged by Linus in September. It would seem that it simply became part of the stream of fixes, and nobody looked at it particularly closely.
Except, of course, somebody did. Chances are, the posting of this fix drew an attacker's attention to the brk() code. With a bit of effort, the exploit got written, and now thousands or millions of systems are at risk.
What the kernel (along with most other projects) needs is more friendly eyes looking for this sort of problem. We do reasonably well, in that most vulnerabilities are found and fixed by the good guys before they can be exploited. There are cases where that doesn't happen, however, and the brk() bug was one of them. Security auditing is hard work, and usually unrewarding. But it would have been nice if somebody had looked hard enough at this problem to raise the alarm.
Wind River's change of heart
You win some, you lose some. While the free software community has lost an ally (by some peoples' reckoning, anyway) with the defection of SCO, Wind River seems to be coming around, at least to some degree. Until recently, the company had been fairly critical of the GPL and Linux as an embedded solution. The company surprised many in October when the announcement went out that Wind River would be providing tools for Linux development.This week, Wind River upped the ante with the announcements that it would be joining two open source industry groups, the Eclipse Consortium and the Open Source Development Labs (OSDL). Wind River is joining OSDL to participate in OSDL's Carrier Grade Linux (CGL) Working Group, and focusing on embedded tools that are compatible with the Eclipse framework.
We spoke with Michel Genard, general manager of Wind River's Hardware Assisted and Stand-alone Tools product division about the company's change of heart. Why has Wind River changed its tune with regards to Linux? Genard first explained that Wind River's previous stance towards Linux and the GPL was based in part on fear.
Dave Fraser, Wind River's group vice president of products acknowledged in an interview with eWeek that Wind River had backed the wrong horse in trying to supplant Linux with a BSD-derived solution:
Being the Betamax of embedded OSes can be painful. According to the company's SEC filings, its revenue peaked in its 2001 fiscal year at almost $438 million, dropping to $351 million in 2002 and $249 million in 2003. (Wind River's fiscal year begins in April of the previous year.) Wind River seems to be headed for a disappointing 2004 fiscal year as well, with revenue for the six months ending July 31, 2003 falling off by almost $31 million compared to the previous year. Wind River also notes in recent SEC filings that open source may be more popular "where our customer's budget constraints may make such software more appealing than Wind River products for their initial project development."
Recent changes in management also help to ease Wind River's transition to a Linux-friendly company. Kenneth Klein has taken the CEO job after Tom St. Dennis resigned in late June. St. Dennis had been critical of Linux and the GPL, while Klein seems open to working with Linux and the free software community.
As Wind River tries to overcome its past missteps, it will likely face some skepticism. The company's past statements regarding the GPL aren't likely to be forgotten easily, nor the firing of Slackware's development team shortly after the BSDi acquisition.
More recently, Darl McBride has cited Wind River as one of the companies "on this side of the table as SCO is on." Though McBride seemed to be merely citing Wind River since the company had previously criticized the GPL, we asked Genard where Wind River stood on SCO's claims. Genard said Wind River has no position on SCO's claims that the GPL is invalid, but said that the suit was "a wake-up call for the customer."
There is also some concern that embedded companies are disregarding the GPL, so we asked Genard if Wind River would be working to educate their customers about their obligations when using GPL-licensed code in embedded devices. Genard said that, at the moment, they are only offering tools to develop Linux-based solutions and that the company isn't planning to "do any recommendation to the customer what to do with Linux."
One need not look too deeply to understand why Wind River has changed its attitude towards Linux. Its past strategy of dismissing embedded Linux simply wasn't working, and an ever-shrinking market share was probably not very appealing to Wind River's customers. Wind River is being squeezed on two sides in the embedded space. On one side is Linux, a robust solution that is royalty-free and extremely flexible. On the other side is Microsoft, which outguns Wind River by several orders of magnitude when it comes to dollars spent on marketing and R&D.
Whatever the reasons, it's good to see that a company can change its tune for the better. We hope that Wind River continues this process and becomes an active contributor to the free software community.
Jon Johansen returns to court
Things have been quiet enough on the DeCSS front that one might be forgiven for thinking that the issue had run its course. The software remains freely available on the net, and there are no high-profile DeCSS cases left in the U.S. We are now being treated to a reminder that the U.S. is far from alone when it comes to repressive legislation, however.Jon Johansen is one of the original authors of the DeCSS code, which may be employed to play a DVD on a Linux system. The Motion Picture Association of America (MPAA), not content with its efforts to suppress any mention of the code in the U.S., went to the Norwegian economic crime authorities and asked that charges be pressed against Mr. Johansen in Norway. The agency (Řkokrim) obliged, and Jon went to trial in 2002 for violations of Norway's anti-circumvention law. The court, however, decided that, if you buy a DVD with a film on it, you have bought the right to access that film. Jon Johansen was acquitted on all counts.
The Norwegian government appealed the ruling, and the new trial started on December 2. It is expected to last for eight days. Jon and his lawyers have expressed confidence that the appeal will come to the same conclusion as the original trial, but there is never any certainty when an issue goes to court. One can only hope that the appeals court will see reason and realize that it makes no sense to convict somebody for breaking into their own property.
Regardless of the outcome, however, the MPAA will have achieved an important goal. It has been made clear that, if you write the wrong sort of code, you can be arrested and threatened with jail. Even if the ultimate outcome is a complete acquittal, few people will want to avail themselves of the opportunity to learn how the justice system works in such a close way. The prosecution of hackers like Jon Johansen can only have a chilling effect on other developers, whether or not that prosecution is successful.
(See also: this IP Justice press release).
The GPL Is a License, not a Contract
[Editor's note: last week's article on GPL attacks drew some questions on just why the GPL cannot be enforced like a contract. We're pleased to announce that we have convinced Pamela Jones to expand on that issue for us.]There has been considerable FUD of late asserting that, if a company inadvertently incorporates GPL code into its proprietary code, it can be forced to release its proprietary code under the GPL. This isn't new FUD. It's old FUD, but it is coming from some new sources. Even some attorneys have been saying this in the media and at various conferences. While it's not a crime to misunderstand the GPL, and it certainly isn't rare, it does arouse unnecessary fears about whether the GPL is safe to use or work with. Is it true? Can you lose your code this way? No, and the reason why hinges on the GPL being a license and not a contract.
A lot of the confusion about the GPL stems from this central issue: Is the GPL a license or a contract? The reason this issue matters is that contracts are enforced under contract law, which is done state by state, and there are certain necessary elements to qualify as a valid contract. Licenses, instead, are enforced under copyright law at the federal level. The penalties available are not the same.
Let's analyze and see how this all relates to the recent FUD. First of all, what is a license? A license is just a permission to do something you otherwise wouldn't be allowed to do. When I want to go fishing, for example, I have to get a fishing license from the local municipality. That's a license, as its name implies. But why? Why isn't it a contract? Because there are no further agreed-upon promises, no reciprocal obligations. It would be a contract if I said to the owner of a pond: if you give me a license to fish in this pond, I'll give you half of all the fish I catch. In that scenario, each of us has voluntarily entered into a kind of promise. We each give the other something of value, so if I get the license and then I don't give over half of all my catch of the day, the pond owner can sue me for not living up to the terms of the contract.
Eben Moglen, the Free Software Foundation's attorney, who is primarily responsible for enforcing the GPL, explains the difference between contracts and licenses like this:
A contract, on the other hand, is an exchange of obligations, either of promises for promises or of promises of future performance for present performance or payment. The idea that 'licenses' to use patents or copyrights must be contracts is an artifact of twentieth-century practice, in which licensors offered an exchange of promises with users: 'We will give you a copy of our copyrighted work,' in essence, 'if you pay us and promise to enter into certain obligations concerning the work.' With respect to software, those obligations by users include promises not to decompile or reverse-engineer the software, and not to transfer the software.
Very clear, but what about the GPL? First, the name tells you what the authors intended: General Public License. It doesn't say "General Public Contract" or even "General Public License Contract". So they intended it to be a license, not a contract. Does it fit the definition? Professor Moglen:
Suppose a company really did mingle GPL code into a program with its own proprietary code and then distributed the merged product under a proprietary license or without living up to the terms of the GPL? Now what happens? What will the judge do now? Order the code released under the GPL over the wishes of the owner?
Stop and think. What happens if you violate the terms of a fishing license? For example, the license may restrict how much fish you can catch on a particular day or what kinds of fish you can keep, what sizes, etc. Suppose you violate the terms of the license. What happens? You lose your license to fish. There may be a fine to pay. That's essentially the same thing that happens under the GPL, except it's nicer, because the company gets to choose what it wishes to do under the terms of the GPL. If it still isn't resolved, and it goes to a judge, however, it's enforced as a violation of copyright law, not contract law. Here is Professor Moglen's explanation of what happens:
The claim that a GPL violation could lead to the forcing open of proprietary code that has wrongfully included GPL'd components is simply wrong. There is no provision in the Copyright Act to require distribution of infringing work on altered terms. What copyright plaintiffs are entitled to, under the Act, are damages, injunctions to prevent infringing distribution, and--where appropriate--attorneys' fees. A defendant found to have wrongfully included GPL'd code in its own proprietary work can be mulcted in damages for the distribution that has already occurred, and prevented from distributing its product further. That's a sufficient disincentive to make wrongful use of GPL'd program code. And it is all that the Copyright Act permits.
So when you read claims that the GPL is perhaps not enforceable because you don't sign it or click on a form, or because of a lack of privity, or because there is a lack of consideration, or some such, you'll know that the person misunderstood the GPL and thought in terms of contract law. It's a common error. They don't shoot you at dawn for not fully understanding the GPL. But at the same time, it's good to know that the problems people think they see in the GPL generally are the result of not understanding it, not from any weakness in the GPL itself.
Similarly, when you hear that the GPL is viral and can force proprietary code to become GPL, which a couple of lawyers have been saying, you'll know that isn't true. If you steal GPL code, you can expect an enforcement action. But this action can only be enforcement of a license, not a contract, and a forced release under the GPL can't be imposed on you under copyright law. It's not one of the choices, as Professor Moglen has explained. You do have a choice under the GPL: you can stop using the stolen code and write your own, or you can decide you'd rather release under the GPL. But the choice is yours. If you say "I choose neither," the court can impose an injunction to stop you from further distribution, but it won't order your code released under the GPL. Your code remains yours, as you can see, even in a worst case scenario.
Of course, you could avoid all such troubles in the first place by not stealing GPL code to begin with. But if something happens inadvertently and some rogue employee sneaks some GPL code into your proprietary product, the sky isn't falling. It's a manageable risk and a solvable problem. No one wants to steal your code in retaliation or force it to be something you don't want it to be. The GPL is unequivocally a license, and that's the truth.
Page editor: Jonathan Corbet
Security
Security news
Peer to Peer Freedom of Speech
One necessary precondition for true freedom of speech is a way to communicate that does not identify the speaker or the listener. Several projects are working to provide that ability through peer-to-peer networking protocols that use cryptography to enable this kind of communication: Freenet, Entropy, and GNUnet. The goals of these projects are quite similar, to provide for the free exchange of ideas while thwarting any attempts to censor the information or punish the participants.The basic framework for each of these networks is a decentralized, peer-to-peer communications model where a node in the network talks to some number of other nodes, sending requests to these peer nodes and handling requests that come from them. The messages sent between nodes are encrypted using a session key that has been negotiated between the nodes using public key encryption. This encryption should be sufficient to deny a 'man in the middle' from determining anything useful about the traffic (other than its existence).
When a node sends a request to one of its peers, there is no reason to assume that the request actually originated on that node as nodes will forward requests that they receive, but cannot satisfy. Any response that is generated to a node is likewise not necessarily ultimately bound for that node and could be the response to a request that was forwarded by the node. With a sufficient number of nodes and amount of traffic, no analysis of the traffic to or from nodes will reveal the true source and destinations of the requests. This stands in stark contrast to the more common peer-to-peer networks where, once the content is found, a direct connection is made from the destination to the source to retrieve the content.
Each node that fully participates in the network provides some local storage for information in the network and can immediately satisfy requests for any data that it has stored locally. In order to provide deniability for the operators of these nodes, this data is encrypted and the operators are unable to determine what content actually resides on their node at any given time. Cryptographic hash functions on the file contents are typically used to identify particular files that have been inserted into the network. These identifiers are not particularly user friendly - for instance a copy of Kevin Mitnick's book The Art of Deception can be found in the Entropy network using the identifier:
SSK@zpxOK~ounTzoDwJKguoUHib8G7sBCMA/ArtOfDeception//
To make the system easier to use, various
network users have put together directories of content to help navigation.
The popularity of a file governs how long it stays in the network and how often it is replicated. Each of the networks has limits on the amount of storage available to it (based on the number of active nodes and the amount of storage allocated to the nodes by each operator) and must sometimes prune content when new content is added. GNUnet tries to overcome the problem of 'freeloaders' (nodes that request content but do not serve any) by adding an 'economic' layer to its network. Each node keeps track of its 'opinion' of the other nodes that it has talked to; nodes that satisfy requests have a better reputation and will be treated preferentially under higher network loads.
Both Freenet and Entropy provide an HTTP proxy that allows the use of standard web browsers as clients to view some of the content on the network. Entropy also adopted the Freenet Client Protocol so that all of the client applications originally written for Freenet will work with Entropy as well. Frost is one of the most widely used clients and provides file sharing and message board functionality. GNUnet appears to mainly use command line tools, though gnunet-gtk provides a graphical front-end.
Security is clearly taking precedence over performance, as it should, but this causes the user experience browsing Freenet or Entropy (at least) to be fairly frustrating. Sites can take tens of minutes to load or fail to load altogether, presumably because the information has either dropped out of the network or any sites that contain the information are currently offline or too far away (in network, not geographic, terms).
Critics of these projects complain that they could be used by criminals for nefarious purposes and, obviously, that is true. There is no way to provide for anonymous communication that cannot be abused and these projects have decided that freedom of communication is more important than stopping illegal uses. In the end, these networks are tools like computers or phones and they can be used for good or for ill. It would be impossible and a serious affront to liberty to outlaw all tools that could be used to commit a crime.
Security reports
Savanna.gnu.org compromised too
If you go to Savannah, the GNU project's development server, you'll find a note stating that it, too, has been broken into. "The compromise seems to be of the same nature as the recent attacks on Debian project servers; the attacker seemed to operate identically." Savannah will be down until (at least) December 5. (Thanks to "sdoyon", who posted the news in an LWN comment).
New vulnerabilities
bind: cache poisoning
| Package(s): | bind | CVE #(s): | CAN-2003-0914 | ||||||||||||||||||
| Created: | November 26, 2003 | Updated: | February 19, 2004 | ||||||||||||||||||
| Description: | A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
GnuPG: ElGamal signing keys compromised
| Package(s): | gnupg | CVE #(s): | CAN-2003-0971 | ||||||||||||||||||||||||||||||
| Created: | November 28, 2003 | Updated: | March 3, 2004 | ||||||||||||||||||||||||||||||
| Description: | A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds." | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
kernel: local root exploit in 2.4.22
| Package(s): | kernel | CVE #(s): | CAN-2003-0961 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 1, 2003 | Updated: | April 5, 2004 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A vulnerability was discovered in the Linux kernel versions 2.4.22 and
previous. A flaw in bounds checking in the do_brk() function can allow a
local attacker to gain root privileges. This vulnerability is known to be
exploitable.
The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
Net-SNMP: security bugs in versions before 5.0.9
| Package(s): | Net-SNMP | CVE #(s): | CAN-2003-0935 | ||||||||||||
| Created: | December 2, 2003 | Updated: | February 13, 2004 | ||||||||||||
| Description: | The Net-SNMP project includes various Simple Network Management Protocol
(SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could
allow an existing user/community to gain access to data in MIB objects that
were explicitly excluded from their view.
Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs. | ||||||||||||||
| Alerts: |
| ||||||||||||||
screen: privilege escalation
| Package(s): | screen | CVE #(s): | CAN-2003-0972 | ||||||||||||||||||
| Created: | November 28, 2003 | Updated: | March 3, 2004 | ||||||||||||||||||
| Description: | According to
this advisory a buffer overflow in GNU screen allows privilege
escalation for local users. Usually screen is installed either setgid-utmp
or setuid-root.
It also has some potential for remote attacks or getting control of another user's screen. The problem is that you have to transfer around 2-3 gigabytes of data to user's screen to exploit this vulnerability. 4.0.1, 3.9.15 and older versions are vulnerable. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
stunnel: file descriptor leak
| Package(s): | stunnel | CVE #(s): | CAN-2003-0740 | ||||||
| Created: | November 26, 2003 | Updated: | December 3, 2003 | ||||||
| Description: | A vulnerability was discovered in stunnel versions 3.24 and earlier, as well as 4.00, by Steve Grubb. It was found that stunnel leaks a critical file descriptor that can be used to hijack stunnel's services. See this advisory for more information. | ||||||||
| Alerts: |
| ||||||||
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel | CVE #(s): | CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 | |||||||||||||||||||||||||||
| Created: | July 21, 2003 | Updated: | December 23, 2003 | |||||||||||||||||||||||||||
| Description: | Several security issues have been discovered affecting the Linux kernel:
| |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
CUPS: denial of service
| Package(s): | CUPS | CVE #(s): | CAN-2003-0788 | ||||||||||||
| Created: | November 3, 2003 | Updated: | March 4, 2004 | ||||||||||||
| Description: | Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631). | ||||||||||||||
| Alerts: |
| ||||||||||||||
Pan: denial of service
| Package(s): | Pan | CVE #(s): | CAN-2003-0855 | ||||||
| Created: | November 25, 2003 | Updated: | December 10, 2003 | ||||||
| Description: | Pan is a Gnome/GTK+ newsreader. A bug in Pan versions prior to 0.13.4 can cause Pan to crash when parsing an article header containing a very long author email address. This bug causes a crash (denial of service) but is not further exploitable. | ||||||||
| Alerts: |
| ||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apache: buffer overflows in mod_alias, mod_rewrite
| Package(s): | apache | CVE #(s): | CAN-2003-0542 CAN-2003-0789 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | October 28, 2003 | Updated: | February 13, 2004 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | André Malo discovered
buffer overflows in the mod_alias and mod_rewrite modules of the Apache
webserver. These occurred if a regular expression with more than 9
capturing parenthesis was configured. To exploit this, an attacker would
need to be able to locally create a carefully crafted configuration file
(.htaccess or httpd.conf).
CAN-2003-0542
Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. CAN-2003-0789. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
apache2: Denial of Service vulnerability
| Package(s): | apache2 | CVE #(s): | |||||||||||||
| Created: | September 29, 2003 | Updated: | March 25, 2004 | ||||||||||||
| Description: | A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details. | ||||||||||||||
| Alerts: |
| ||||||||||||||
ethereal: multiple remote and local vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 | |||||||||||||||
| Created: | November 10, 2003 | Updated: | December 17, 2003 | |||||||||||||||
| Description: | Multiple vulnerabilities have been found in ethereal versions below 0.9.16. Remote attackers can craft packets, and local users can build corrupt trace files, resulting denial of service and remote code execution. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fetchmail may crash on specially crafted message
| Package(s): | fetchmail | CVE #(s): | CAN-2003-0792 | ||||||||||||||||||
| Created: | October 16, 2003 | Updated: | April 8, 2004 | ||||||||||||||||||
| Description: | A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
fileutils/wu-ftpd: denial of service
| Package(s): | fileutils | CVE #(s): | CAN-2003-0854 | |||||||||||||||||||||
| Created: | October 22, 2003 | Updated: | March 2, 2004 | |||||||||||||||||||||
| Description: | There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 | |||||||||
| Created: | November 7, 2002 | Updated: | February 5, 2004 | |||||||||
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | |||||||||||
| Alerts: |
| |||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
iproute: local denial of service
| Package(s): | iproute net-tools | CVE #(s): | CAN-2003-0856 | ||||||||||||||||||
| Created: | November 25, 2003 | Updated: | December 14, 2004 | ||||||||||||||||||
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
KDE: Two issues in KDM
| Package(s): | kde, xfree86 | CVE #(s): | CAN-2003-0690 CAN-2003-0692 | ||||||||||||||||||
| Created: | September 16, 2003 | Updated: | December 19, 2003 | ||||||||||||||||||
| Description: | According to this advisory two issues have
been discovered in KDM:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
libnids: remotely exploitable buffer overflow
| Package(s): | libnids | CVE #(s): | CAN-2003-0850 | |||||||||
| Created: | October 29, 2003 | Updated: | January 6, 2004 | |||||||||
| Description: | libnids (a NIDS plugin which emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem. | |||||||||||
| Alerts: |
| |||||||||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mpg123: heap overflow
| Package(s): | mpg123 | CVE #(s): | CAN-2003-0865 | |||||||||
| Created: | November 12, 2003 | Updated: | February 19, 2004 | |||||||||
| Description: | Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details. | |||||||||||
| Alerts: |
| |||||||||||
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer | CVE #(s): | CAN-2003-0835 | |||||||||||||||
| Created: | September 29, 2003 | Updated: | April 6, 2004 | |||||||||||||||
| Description: | A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Nessus NASL scripting engine security issues
| Package(s): | nessus | CVE #(s): | ||||
| Created: | May 27, 2003 | Updated: | August 12, 2004 | |||
| Description: | Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. | |||||
| Alerts: |
| |||||
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils | CVE #(s): | CAN-2003-0252 | ||||||||||||||||||||||||||||||||||||
| Created: | July 14, 2003 | Updated: | March 8, 2004 | ||||||||||||||||||||||||||||||||||||
| Description: | Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
postfix: denial of service vulnerabilities
| Package(s): | postfix | CVE #(s): | CAN-2003-0468 CAN-2003-0540 | ||||||||||||||||||||||||
| Created: | August 5, 2003 | Updated: | May 27, 2004 | ||||||||||||||||||||||||
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
proftpd: remote root shell
| Package(s): | proftpd | CVE #(s): | CAN-2003-0831 | |||||||||||||||||||||
| Created: | September 24, 2003 | Updated: | January 2, 2004 | |||||||||||||||||||||
| Description: | The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
sane-backends: several vulnerabilities
| Package(s): | sane-backends | CVE #(s): | CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778 | ||||||||||||||||||
| Created: | September 11, 2003 | Updated: | February 20, 2004 | ||||||||||||||||||
| Description: | Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory. The attack is successful, even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe. Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe. The Common Vulnerabilities and Exposures project identifies the following problems:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip | CVE #(s): | CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399 | |||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
vim - modeline vulnerability
| Package(s): | vim | CVE #(s): | CAN-2002-1377 | ||||||||||||||||||
| Created: | January 16, 2003 | Updated: | February 10, 2004 | ||||||||||||||||||
| Description: | VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
wget: buffer overflow
| Package(s): | wget | CVE #(s): | CAN-2003-1565 | |||||||||
| Created: | August 5, 2003 | Updated: | December 10, 2003 | |||||||||
| Description: | The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution. | |||||||||||
| Alerts: |
| |||||||||||
zebra: denial of service vulnerability
| Package(s): | zebra | CVE #(s): | CAN-2003-0795 CAN-2003-0858 | ||||||||||||
| Created: | November 13, 2003 | Updated: | January 7, 2004 | ||||||||||||
| Description: | Zebra an open source implementation of TCP/IP routing software.
Jonny Robertson reported that Zebra can be remotely crashed if a Zebra password has been enabled and a remote attacker can connect to the Zebra telnet management port. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0795 to this issue. Herbert Xu reported that Zebra can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to this issue. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Resources
A mailing list for secure application development
A new mailing list (called "SC-L") has been set up for the discussion of secure application development. It is a moderated list. Click below for the full announcement, and instructions for signing up.
Page editor: Jonathan Corbet
Kernel development
Release status
Kernel release status
The current development kernel is 2.6.0-test11, otherwise known as "Beaver in Detox," which was released by Linus on November 26. This release contains a very small number of important fixes; the long-format changelog has the details.The -test11 announcements says "And after that it will be up to Andrew to say how to go on from here." Even so, Linus's BitKeeper tree contains a handful of other patches which, presumably, will find their way into a release at some point.
The current stable kernel is 2.4.23, which was released by Marcelo on November 28. No changes were made between -rc5 and the final release.
Kernel development news
RTAI 3.0-test1 released
The first test release for RTAI 3.0 is now available. RTAI is an extensive set of real-time extensions for the Linux kernel; this release includes a great many improvements, which are described in the announcement.
The first ALSA 1.0 release candidate
The Advanced Linux Sound Architecture (ALSA) project has been working at the creation of a new audio subsystem for the Linux kernel (along with user-space support) since early 1998. Now, almost six years later, the project has announced its first 1.0 release candidate. This release is not that far removed from what is in the 2.6.0-test11 kernel; still, it might be a good time for audio enthusiasts to test things out one last time.
What future for 2.4?
After the 2.4.23 release, maintainer Marcelo Tosatti let it be known that the development period for the 2.4 series is coming to an end. His plans are to accept relatively intrusive patches for 2.4.24 - especially driver patches. But, starting with 2.4.25, only serious bug fixes will be accepted. People will be running 2.4 kernels for some time yet, but the 2.4 series will not be acquiring new features.The result of this sort of announcement is always predictable: people start coming forward with the the patches that they feel, for whatever reason, absolutely have to be merged before the gate closes. One of those is Jeff Garzik's "libata" driver, which provides much improved serial ATA support. Marcelo initially said that he would incorporate libata, but has since changed his mind, saying that people who want libata should use 2.6.
The big discussion, however, concerned the inclusion of the XFS filesystem. XFS is relatively controversial because it requires some significant core VFS changes, and not everybody is happy with the quality of the code. There was enough clamor, however, that Marcelo has relented to the extent that, if some of the core filesystem maintainers can be made to agree, he will let XFS in.
The reasoning behind the policy change for 2.4 is that the 2.6 kernel is on the horizon. 2.6.0 may well be released before a 2.4.24 kernel could be prepared. At that point, attention is expected to shift to 2.6, and there won't be much interest in 2.4 anymore. This a