LWN.net Weekly Edition for February 19, 2004 [LWN.net]

321 Studios and the free software community

In the Bunner DVD case, the DVD Copy Control Association attempted to suppress the distribution (or even linking to) of the DeCSS code (which decrypts content from DVDs) with the claim that the code contained trade secrets. The court's rulings suggested that the trade secret claim was not going to hold up, and the Bunner case was dropped last year. The trade secret weapon had proved ineffective in this case.

The DVDCCA has responded with a change of direction: the group is now suing 321 Studios, which makes a proprietary DVD copying program, for patent infringement. 321 and its DVD Copy program have been in and out of the courts for a while; the company started the litigation with a suit which attempted to obtain a ruling stating that its products do not violate the DMCA. The bringing of a patent suit changes the nature of this battle, however. It is a living demonstration of one of the free software community's deepest fears: that software patents will be used to prevent us from programming our computers to work the way we want them to.

It is interesting to note that patents are incompatible with trade secrets. Patent applications require full disclosure of the technology for which protection is sought; any technology which has been publicly disclosed in this manner cannot, by definition, be a trade secret. Thus far, we have been unable to turn up a reference for the exact patent which is being claimed by the DVDCCA; if anybody has a pointer, we would appreciate hearing about it. Given the timing, however, the patent application must have been in the works while the trade secret case was pending. Filing trade secret suits while having already disclosed the relevant technology would be, at the least, an act of bad faith.

321 Studios is also being sued by Macrovision, which is also claiming patent infringement along with DMCA violations. 321 has just filed a response pointing out that, among other things, Macrovision's patents cover an analog copy-protection mechanism which is not relevant to a digital copying program.

This company has been fighting many of the same digital rights battles as the free software community. But there has been no big outpouring of support for 321 studios; for the most part, its battles have been ignored. 321 Studios has not been able to obtain the same level of interest and support as, say, Elcomsoft has. One might point out that 321 Studios is a proprietary software company; that is true, but so is Elcomsoft. The real answer, perhaps, is that the community has sensed that 321 Studios does not really share its values; 321 appears to have little interest in any issues beyond immediate sales of DVD copying software.

The difference in values has just become rather more apparent, however; see this triumphant press release from February 5. Therein, 321 notes that one of its customers was said to be using DVDXCopy for "piracy." The company responded by shutting down the software remotely. This program, it seems, puts a watermark into every disk it creates allowing the company to identify who performed the copy and, should it feel so inclined, to shut down the software altogether.

This feature highlights one of the largest differences between free software and (at least some of) its proprietary relatives. The DeCSS code does not come with watermarking and remote shutdown capabilities. The Gimp will not attempt to prevent its users from creating an image that might look like some nations' currencies, and Ghostscript will not try to prevent that user from printing such images. Neither Freevo nor MythTV will phone home with details of just how often the user replayed the latest banal Superbowl publicity stunt. Nothing prevents anybody from coding any such features, but, equally, nothing prevents the rest of the world from taking them back out. Free software evolves toward one specific end: meeting the needs of its users. There is no room for conflicts of interest, no space for the agendas of industry consortia, advertisers, or governments.

321 Studios is not fighting for that view of the software universe; the company simply wants to be able to sell its product. We can certainly sympathize with the company as it deals with familiar problems like the DMCA and software patents. But, while 321 is fighting many of the same battles as the free software community, it is fighting them as part of a different war.

Comments (5 posted)

SCO Weekly News

Let us start off this week's SCO update with some quotes:

SCO has since backed off the billing plan, but the company is still serious about enforcing its copyrights, said Chris Sontag, senior vice president in charge of SCO's legal efforts. He said lawsuits targeting Linux users will be filed within 90 days, with initial suits targeting 1,500 companies that have significant Linux systems.

-- ZDNet, November 18, 2003.

If someone says they want to see a court ruling before they pay, we'll say, "Fine, you're the lucky winner. We'll take you first.' I'd be surprised if we make it to the end of the year without filing a lawsuit.

-- Darl McBride, November 24, 2003

So we have basically said within the next few weeks, by February 18th we are going to be in the courtroom with an end user to go through the copyright-related problems that we are having from an infringement standpoint.

-- Darl McBride, February 2, 2004

There are many more quotes available on this theme, but certainly the idea is clear by now. Like so many other bits of SCO bluster, the threats of suits against end users have not been followed up by any sort of action. Yet.

Whether such a suit will eventually come remains an open question, however. SCO is currently fighting IBM, Red Hat, and Novell in three separate cases, and none of the three appear to be going particularly well. At some point SCO's management should be forced to conclude that the company simply does not have the resources to open any more legal fronts. Dividing SCO's scarce cash and (possibly not so scarce) lawyers among even more courtrooms would not appear to be a wise strategy.

On the other hand, few people have accused SCO of acting wisely in recent times. The company is due to post a quarterly earnings report that, by all estimates, will be dismal. SCO stock is well below the peak values it hit in September and October. The mainstream media is beginning to wake up, and its coverage is increasingly hostile. SCO's only hope for continued existence would appear to be to somehow shake money out of some easily-cowed Linux users, but those users are proving to have rather more backbone than SCO may have anticipated. The SCO Group may yet decide that its best interests lie in even more litigation.

One view into how the shakedown effort is proceeding can be found in Red Hat's motion to supplement its filings in its suit against SCO. That case is (still!) waiting for the judge to come to a conclusion on SCO's motion to dismiss the case, which was filed in September. Since then, a few things have happened which have made it increasingly clear that SCO does, indeed, intend to go after Red Hat and its customers. Red Hat's motion is an attempt to bring SCO's more recent actions to the judge's attention.

One of the things Red Hat is pointing out is a letter sent by SCO to Lehman Brothers Holdings. It is a variant on the standard SCO shakedown letter; the point here is that Lehman Brothers is a Red Hat customer. Happily, Lehman Brothers saw no point in giving in to SCO; its response is short and clear, and is best paraphrased as "go bug Red Hat."

Part of the problem for SCO is that Novell's claims on the Unix copyrights make it easy for prospective SCO victims to ignore the letters. If SCO can't put forward a clear claim to the Unix copyrights, it will have a hard time collecting from anybody regardless of the validity of its statements about the provenance of Linux. For that reason, the company was compelled to file suit against Novell, in hopes of clearing that obstruction.

Unfortunately for SCO, Novell has filed a compelling motion to dismiss the suit. Essentially, says Novell, the SCO suit is missing two things that are required in "slander of title" suits: proof that the defendant's statements are false, and a demonstration that actual damages have been suffered. As Novell points out, SCO's demand that the court force Novell to transfer the copyrights proves that Novell's claims are true; SCO's suit contradicts itself. See Groklaw for a far more detailed discussion of Novell's motion.

Meanwhile, as of this writing, the Utah court still has not issued any rulings regarding the motions to compel in the IBM case. There is no way to know what this delay means until the court speaks. Chances are it will be something interesting, however.

Comments (6 posted)

The Grumpy Editor's browser review - a followup

The review of Gecko-based browsers we ran last week generated a great deal of feedback; this is evidently an area of great interest to many users. We have just a few things to add to that review this time around.

Thanks primarily to reader comments, your editor was able to resolve almost all of his complaints with the Firefox browser. Image animation can be controlled via the user-hostile about:config screen, the prefs.js file found in a randomly-named directory under ~/.phoenix, or via plugin extensions. Antialiased fonts are to be had by downloading the correct version of the browser. And so on. The situation has improved to the point where your editor is now using Firefox as his preferred browser.

The real key to the success of Firefox may well prove to be its extension architecture. History has shown many times that, if an application provides an easy mechanism for users to graft in additional or different functionality, those users will run with it. The lengthy list of extensions available for Firefox shows that this browser has reached a critical mass in this regard. Extensions are available to provide all kinds of navigation tools, to help with weblogging, to assist in web page authoring, and many other tasks including, inevitably, playing Tetris. It would be nice not to have to go find an extension to replace the missing "up" navigation button, but it's nice that you can. One can only hope that the security implications of encouraging users to download and install browser plugins have been thought through.

If last week's review were to be written today, the conclusion might have been written a little differently. Firefox has a level of performance, reliability, and features that well exceeds the other Gecko-based browsers available. One might well wonder why Galeon and Epiphany continue to exist; they appear to be trying to do the same thing as Firefox but - at this moment in time, anyway - they do it less reliably and with fewer features. (Do see, however, this posting on why Red Hat is shipping Epiphany for a different view). As we noted last week, there could well be a place for multiple browser projects, but each should be looking for a unique way to extend the state of the art.

Meanwhile, your editor also found the time to get Konqueror 3.2 working. Konqueror is everything its proponents claim it is: a fast, powerful and robust tool for navigating through information, be it on the local system or on the net. Your editor has never had much use for file managers, and so does not place much value on Konqueror's implementation. He can see, however, that Konqueror does look like a very nice file manager. The web browser is capable and fast, and highly configurable. Some features, such as the ability to change the identification string to get past certain difficult web site programmers, are unique.

What Konqueror still seems to be lacking, however is a password manager. Security-conscious users may feel better off without this feature, but the simple fact is that it has gotten hard to keep track of the long list of usernames and passwords needed to access many useful sites on the web. A password manager can be most useful when trying to remember which login information was used to get into some obscure site with its own strange rules. It is surprising, really, that Konqueror has not picked up this capability yet.

That notwithstanding, if Konqueror were the only browser available for Linux systems, we would be in good shape. Linux is second to no other system now in the quality of its web browsing support. It will be more than interesting to see where things go from here as the various projects look for new ways to extend the state of the art.

Comments (20 posted)

FOSDEM 2004

The 2004 edition of the Free and Open Source Developers Meeting will be happening on February 21 and 22 in Brussels.

LWN editor Jonathan Corbet will be there. In a moment of weakness last month (he blames Australian wine), he agreed to give two different talks at the event. Happily, FOSDEM has three tracks this year, so it should be possible to avoid those talks and see something interesting. The schedule has the details. Keynote speakers include Tim O'Reilly, Richard Stallman, and, of course, Jon 'maddog' Hall. FOSDEM looks to be an interesting event.

For the first time, LWN is happy to be sponsoring this event. With luck, this sponsorship will allow us to help a community event while simultaneously bringing in more subscribers. If things work out, we'll be sponsoring more events in the future.

Meanwhile, we're looking forward to meeting some of our European readers; see you there.

Comments (2 posted)

Page editor: Jonathan Corbet

Security

Brief items

A new mremap() vulnerability

The mremap() system call allows a process to change its virtual memory layout by adjusting the size and location of a virtual memory area. One of the things mremap() can do is move one virtual memory area (VMA) into the middle of another one. In that case, the target VMA will be split in two so that the space in the middle can be freed and reused for the VMA being moved. As long as the calling process knows what it is doing (it doesn't need the pages being replaced by the moved area, for example), all of this is fine.

An interesting thing can happen in the 2.4.24 and 2.6.2 kernels, however. The kernel enforces a limit on the maximum number of VMAs that any one process can have. If the kernel attempts to split a VMA in response to the sort of mremap() call described above, it will check the process's VMA usage against the limit. Splitting requires the addition of a new VMA, so this check is necessary. If the limit has been reached, the internal call which splits the VMA (do_munmap()) will return a failure status. So far, so good.

The problem is that mremap() did not check to see if do_munmap() succeeded or not. If the split failed, mremap() would continue anyway. The end result is that the old target VMA would remain, with its existing permissions, but some of its associated page table entries would be overwritten by entries from the VMA being moved. In other words, an attacker can exploit this bug to obtain access to a set of pages which the kernel would not otherwise have allowed. This vulnerability can be exploited by a local hacker to obtain root access on any Linux system running a vulnerable kernel.

The solution is to upgrade to 2.4.25 or 2.6.3, or to apply the appropriate distributor security update. The LWN vulnerability entry tracks the available updates. For more information on the vulnerability, see this advisory from Paul Starzetz.

Comments (6 posted)

New vulnerabilities

cgiemail vulnerability allows unauthorized mail relaying

Package(s):

cgiemail

CVE #(s):

CAN-2002-1575

Created:

February 13, 2004

Updated:

February 18, 2004

Description:

A vulnerability in cgiemail, a cgi program, allows mail to be sent to arbitrary addresses, making the host capable of generating spam. New cgiemail packages fix open mail relaying.

Alerts:

Debian

DSA-437-1

2004-02-11

LWN.net Weekly Edition for February 19, 2004

cgiemail vulnerability allows unauthorized mail relaying

elm: vulnerability in frm command

kernel: local root exploit

metamail: integer and buffer overflows

phpMyAdmin: directory traversal

PWLib: possible Denial of Service

samba: access to disabled accounts

apache: buffer overflows in mod_alias, mod_rewrite

apache2: Denial of Service vulnerability

bind: cache poisoning

CUPS: denial of service

cvs: possible root compromise

ethereal: protocol dissector and other vulnerabilities

Filename disclosure vulnerability in fam

fetchmail may crash on specially crafted message

fileutils/wu-ftpd: denial of service

gaim: remote overflows

gallery: code injection

GnuPG: ElGamal signing keys compromised

gtkhtml: malformed messages cause crash

iproute: local denial of service

kdepim: VCF file information reader vulnerability

kernel: privilege vulnerability on AMD64

kernel: local root exploit in 2.4.22

kernel-utils: setuid vulnerability

lftp buffer overflows

libpng, libpng3: buffer overflow

libtool - Insecure handling of temporary files

mailman: cross-site scripting vulnerabilities

mailman denial of service

mc: arbitrary code execution

mikmod: buffer overflow

mod_python: denial of service vulnerability

monkeyd: denial of service

mpg123: heap overflow

mpg321: format string vulnerability

mplayer: remotely exploitable buffer overflow vulnerability

mutt: buffer overflow

Nessus NASL scripting engine security issues

netpbm: insecure temporary files

Net-SNMP: security bugs in versions before 5.0.9

nfs-utils xlog() off-by-one bug

openssh: timing attack leads to information disclosure

perl information leak

PHP setting leaks from .htaccess files on virtual hosts

postfix: denial of service vulnerabilities

rsync - remotely exploitable heap overflow

Multiple-use vulnerability in Safe.pm

sane-backends: several vulnerabilities

screen: privilege escalation

slocate: buffer overflow

File overwrite vulnerability in tar and unzip

tcpdump: flaws in the ISAKMP decoding routines

Multiple vendor telnetd vulnerability

util-linux: information leak in the login program

XFree86: buffer overflow