Security
Complete coverage in Linux security modules
The Linux Security Module (LSM) framework is intended to allow security modules to lock down a system by inserting checks whenever the kernel is about to do something interesting. A security module hooks into those check points and, for each operation, convinces itself that the operation is allowed by the security policy currently in force. This approach can work well if checks have been placed in all of the relevant locations. A missing check could open a door allowing a user-space process to do something which the site's policy would disallow.
Kostik Belousov recently noticed this sort of problem in the 2.6 kernel: it seems that the readv() and writev() system calls ran without calling the associated LSM hook. The missing check means that a process which uses these calls (rather than read() or write()) could perform file I/O which was not subject to oversight by any security modules currently loaded in the system. The practical effect of this vulnerability is minimal: any security module worth its bits will have done its access checks when the file is opened, so the ability to do unchecked reads and writes should not open any gaping holes in the system.
The more important point is how easily this sort of opening can come about. When the security modules patch was originally merged into the kernel, it included checks on readv() and writev(). But those system calls were later rewritten, and the LSM hooks fell by the wayside. This change apparently happened around 2.5.47, but it only came to light now.
Most kernel developers are only peripherally aware of the LSM system. Very few of them know how to code an LSM call, and the rules for the insertion of LSM checks are not particularly well documented. Code which is missing an LSM call still appears to work just fine in normal testing and use. The end result of all this is that it is trivially easy to omit an important check, or to delete one by accident. Such mistakes can then go unnoticed for years.
Anybody who depends on a Linux security module (such as SELinux) is depending on comprehensive checking within the kernel. But, as has been demonstrated here, it is hard to feel sure that the LSM checks are, indeed, comprehensive. There are many code paths through the kernel. When a relatively simple system call can go unprotected for so long, how secure do we feel about the more complex paths? It would seem that a thorough audit is called for. An automated audit might even be better; it may well be possible to adapt a tool like sparse to detect unchecked paths through the kernel. Some work in this area could do a lot to increase the level of trust which can be placed in LSM-based modules.
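As an added illustration of the kind of automated audit the article suggests (this is neither LWN's nor the kernel's code), the following script builds a crude call graph over C source with regular expressions and reports every sys_* entry point from which no security_* hook is reachable. The source it scans is a constructed sample that only mirrors the 2.6-era shape of fs/read_write.c: sys_read() reaches security_file_permission() through vfs_read(), while the readv() path has no hook at all. The helper names in the sample (fget_light, do_readv_writev, fn) are stand-ins, and the parser is deliberately heuristic: a real audit would use a proper C front end such as sparse and would have to follow function pointers and indirect calls.

```python
import re

# Constructed sample in the shape of 2.6-era fs/read_write.c. It is NOT kernel
# source: it only reproduces the situation the article describes, where
# sys_read() reaches security_file_permission() through vfs_read() but the
# readv() path does not.
SAMPLE_SOURCE = r"""
ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
{
	ssize_t ret = security_file_permission(file, MAY_READ);
	if (ret)
		return ret;
	return file->f_op->read(file, buf, count, pos);
}

asmlinkage ssize_t sys_read(unsigned int fd, char __user *buf, size_t count)
{
	struct file *file = fget_light(fd, &fput_needed);
	return vfs_read(file, buf, count, &file->f_pos);
}

static ssize_t do_readv_writev(int type, struct file *file, const struct iovec __user *uvector, unsigned long nr_segs)
{
	/* the hook that the article says fell by the wayside is simply absent */
	return fn(file, iov, nr_segs, &file->f_pos);
}

asmlinkage ssize_t sys_readv(unsigned long fd, const struct iovec __user *vec, unsigned long vlen)
{
	struct file *file = fget(fd);
	return do_readv_writev(READ, file, vec, vlen);
}
"""

HOOK_PREFIX = "security_"   # the LSM wrapper functions of the 2.6 tree share this prefix
ENTRY_PREFIX = "sys_"       # system call entry points of the era
# A top-level definition: name, parameter list without ; { }, then an opening brace.
FUNC_DEF = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^;{}]*)\)\s*\{")
# Anything that looks like a call: an identifier followed by an opening parenthesis.
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def parse_functions(src: str) -> dict:
    """Map each top-level function name to its brace-balanced body text."""
    funcs = {}
    pos = 0
    while True:
        m = FUNC_DEF.search(src, pos)
        if not m:
            return funcs
        start = m.end() - 1          # index of the opening brace
        depth = 0
        for i in range(start, len(src)):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    funcs[m.group(1)] = src[start:i + 1]
                    pos = i + 1      # resume after this body, so nested
                    break            # 'if (...) {' never looks like a definition
        else:
            return funcs             # unbalanced input: stop scanning


def reaches_hook(name: str, funcs: dict, seen=None) -> bool:
    """True if `name`, or anything it calls transitively, invokes a security_* hook."""
    seen = set() if seen is None else seen
    if name in seen:                 # recursion guard for cyclic call graphs
        return False
    seen.add(name)
    callees = CALL.findall(funcs.get(name, ""))
    if any(c.startswith(HOOK_PREFIX) for c in callees):
        return True
    return any(reaches_hook(c, funcs, seen) for c in callees if c in funcs)


def find_unchecked_syscalls(src: str) -> list:
    """Entry points from which no security_* hook is reachable on any direct-call path."""
    funcs = parse_functions(src)
    return sorted(n for n in funcs
                  if n.startswith(ENTRY_PREFIX) and not reaches_hook(n, funcs))


if __name__ == "__main__":
    for name in find_unchecked_syscalls(SAMPLE_SOURCE):
        print(f"{name}: no LSM hook reachable")
```

Run against the sample, the checker names sys_readv and nothing else. The value of even this crude version is as a diff tool: run it over two kernel versions and a hook that "fell by the wayside" in a rewrite shows up as an entry point that moved from the checked to the unchecked list. Calls made through function pointers (file->f_op->read above) are invisible to it, so it errs on the side of false positives rather than silently passing an unchecked path.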
New vulnerabilities
abiword: buffer overflow
| Package(s): | abiword | CVE #(s): | CAN-2005-2964 |
| Created: | September 29, 2005 | Updated: | November 14, 2005 |
| Description: | The RTF import module of the AbiWord word processor has a buffer overflow vulnerability. A user can be tricked into opening a maliciously crafted RTF file, giving the attacker the ability to execute code with the permissions of the user. |
apachetop: insecure temporary file
| Package(s): | apachetop | CVE #(s): | CAN-2005-2660 |
| Created: | October 4, 2005 | Updated: | October 5, 2005 |
| Description: | Eric Romang discovered an insecurely created temporary file in apachetop, a realtime monitoring tool for the Apache web server. It could be exploited with a symlink attack to overwrite arbitrary files with the user id that runs apachetop. |
arc: temporary file vulnerabilities
| Package(s): | arc | CVE #(s): | CAN-2005-2945 CAN-2005-2992 |
| Created: | October 5, 2005 | Updated: | October 5, 2005 |
| Description: | The arc archiver program suffers from two independent temporary file vulnerabilities. |
backupninja: insecure temporary file
| Package(s): | backupninja | CVE #(s): | |
| Created: | September 30, 2005 | Updated: | October 5, 2005 |
| Description: | Moritz Muehlenhoff discovered that the handler code for backupninja creates a temporary file with a predictable filename, leaving it vulnerable to a symlink attack. |
Berkeley MPEG Tools: multiple insecure temporary files
| Package(s): | mpeg-tools | CVE #(s): | CAN-2005-3115 |
| Created: | October 3, 2005 | Updated: | October 5, 2005 |
| Description: | Mike Frysinger of the Gentoo Security Team discovered that mpeg_encode and the conversion utilities were creating temporary files with predictable or fixed filenames. The 'test' make target of the MPEG Tools also relied on several temporary files created insecurely. |
cfengine: insecure temporary files
| Package(s): | cfengine | CVE #(s): | CAN-2005-2960 |
| Created: | October 3, 2005 | Updated: | October 14, 2005 |
| Description: | Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine, which is probably root. |
dia: missing input sanitizing
| Package(s): | dia | CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 | Updated: | April 6, 2006 |
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. |
gopher: buffer overflows
| Package(s): | gopher | CVE #(s): | CAN-2005-2772 |
| Created: | September 30, 2005 | Updated: | October 5, 2005 |
| Description: | Several buffer overflows have been discovered in gopher, a text-oriented client for the Gopher Distributed Hypertext protocol, that can be exploited by a malicious Gopher server. |
gtkdiskfree: insecure temp file
| Package(s): | gtkdiskfree | CVE #(s): | CAN-2005-2918 |
| Created: | September 29, 2005 | Updated: | October 5, 2005 |
| Description: | The gtkdiskfree utility creates temporary files in an insecure manner. |
Hylafax: insecure temporary file creation in xferfaxstats
| Package(s): | hylafax | CVE #(s): | CAN-2005-3069 |
| Created: | September 30, 2005 | Updated: | October 13, 2005 |
| Description: | Javier Fernandez-Sanguino has discovered that the xferfaxstats cron script supplied by Hylafax versions before 4.2.2 insecurely creates temporary files with predictable filenames. |
mod-auth-shadow: authorization bypass
| Package(s): | mod-auth-shadow | CVE #(s): | CAN-2005-2963 |
| Created: | October 5, 2005 | Updated: | October 27, 2005 |
| Description: | The apache mod-auth-shadow module can, incorrectly, override other authorization mechanisms, allowing access which would otherwise be denied. |
ntlmaps: wrong permissions
| Package(s): | ntlmaps | CVE #(s): | CAN-2005-2962 |
| Created: | September 30, 2005 | Updated: | October 5, 2005 |
| Description: | Drew Parsons noticed that the post-installation script of ntlmaps, an NTLM authorization proxy server, changes the permissions of the configuration file to be world-readable. It contains the user name and password of the Windows NT system that ntlmaps connects to and, hence, leaks them to local users. |
prozilla: arbitrary code execution
| Package(s): | prozilla | CVE #(s): | CAN-2005-2961 |
| Created: | October 3, 2005 | Updated: | October 5, 2005 |
| Description: | Tavis Ormandy discovered a buffer overflow in prozilla, a multi-threaded download accelerator, which may be exploited to execute arbitrary code. |
squid: authentication handling
| Package(s): | squid | CVE #(s): | CAN-2005-2917 |
| Created: | September 30, 2005 | Updated: | March 15, 2006 |
| Description: | Upstream developers of squid, the popular WWW proxy cache, have discovered that changes in the authentication scheme are not handled properly when given certain request sequences while NTLM authentication is in place, which may cause the daemon to restart. |
texinfo: temporary file vulnerability
| Package(s): | texinfo | CVE #(s): | CAN-2005-3011 |
| Created: | October 5, 2005 | Updated: | November 9, 2006 |
| Description: | Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability. |
uim: privilege escalation
| Package(s): | uim | CVE #(s): | CVE-2005-3149 |
| Created: | October 4, 2005 | Updated: | December 7, 2005 |
| Description: | Masanari Yamamoto discovered that Uim uses environment variables incorrectly. This bug causes a privilege escalation if setuid/setgid applications are linked to libuim. This bug only affects immodule-enabled Qt (if you build Qt 3.3.2 or later versions with USE="immqt" or USE="immqt-bc"). |
unzip: race condition
| Package(s): | unzip | CVE #(s): | CAN-2005-2475 |
| Created: | September 29, 2005 | Updated: | January 12, 2006 |
| Description: | Unzip has a race condition vulnerability in the handling of output files. During file unpacking, a local attacker can modify the permissions of arbitrary files in the victim's directory. |
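Eight of the entries above (apachetop, arc, backupninja, mpeg-tools, cfengine, gtkdiskfree, hylafax and texinfo) are the same bug: a tool writes to a fixed or predictable temporary name, and a pre-placed symlink at that name redirects the write to a file of the attacker's choosing. The script below is an added example, not code from any of those packages or from LWN; it reproduces the condition inside a private scratch directory (a constructed sandbox, so nothing under the real /tmp is touched) and shows the vulnerable open() beside two hardened forms: os.open with O_CREAT|O_EXCL|O_NOFOLLOW, and tempfile.mkstemp, which picks an unpredictable name and applies the same flags and a 0600 mode in one call. The names victim.conf and tool.tmp are invented for the demonstration.

```python
import os
import stat
import tempfile


def naive_write(path: str, data: bytes) -> None:
    """The pattern the advisories describe: open a fixed, predictable path
    for writing. open() follows symlinks, so whatever already sits at `path`
    decides where the bytes actually go."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened form: O_CREAT|O_EXCL fails with EEXIST if anything (a symlink
    included) already exists at `path`, O_NOFOLLOW additionally refuses a
    trailing symlink, and the file is created mode 0600."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Runs both patterns inside a private scratch directory (constructed
    sandbox) and reports what happened to the file the link pointed at."""
    original = b"original contents\n"
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")
        with open(victim, "wb") as f:
            f.write(original)
        # A fixed name standing in for the /tmp/<tool>.tmp style of the
        # advisories; the link is already in place when the tool runs.
        predictable = os.path.join(scratch, "tool.tmp")
        os.symlink(victim, predictable)

        naive_write(predictable, b"overwritten by the tool\n")
        with open(victim, "rb") as f:
            after_naive = f.read()

        with open(victim, "wb") as f:        # restore for the second run
            f.write(original)
        try:
            safe_write(predictable, b"overwritten by the tool\n")
            refused = False
        except OSError:                      # EEXIST from O_EXCL
            refused = True
        with open(victim, "rb") as f:
            after_safe = f.read()

        # mkstemp: unpredictable name, O_EXCL and mode 0600 in one call.
        fd, unique = tempfile.mkstemp(prefix="tool.", dir=scratch)
        os.close(fd)
        mode = stat.S_IMODE(os.stat(unique).st_mode)

    return {
        "naive_followed_link": after_naive != original,
        "safe_refused": refused,
        "victim_intact_after_safe": after_safe == original,
        "mkstemp_mode": mode,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first result is the advisories' scenario: the naive write lands on victim.conf. The second is the fix that every one of those packages ended up applying in one form or another: exclusive creation means a pre-placed name of any kind, link or regular file, makes the tool fail loudly instead of writing through it. For shell scripts (the cron and make-target cases above) the equivalent is mktemp(1) rather than a hand-built name.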
Page editor: Jonathan Corbet