Security
Voting machine integrity through transparency
It is hard to believe that governments would spend money on voting equipment that they are not allowed to test, but that is exactly what multiple counties in New Jersey appear to have done. They are certainly not alone; many other places are likely to have the same restrictions on "their" voting machines. This raises the question: where are the free software voting systems?
Union County wanted to ask Ed Felten to look at the voting machines it purchased from Sequoia Voting Systems because of several anomalies—less charitably known as miscounts—observed when using them in the primary elections. Once Sequoia got wind of the plan, they emailed Felten a nastygram because he might engage in "non-compliant analysis" of the machines in violation of the Sequoia license. It seems quite likely that is exactly what Felten and the county clerk had in mind, as a third-party analysis is the only sensible way to evaluate voting machines.
Other jurisdictions have done better of late, with Felten's Freedom to Tinker weblog noting that California has denied certification for two voting machines from Election Systems & Software (ES&S). California Secretary of State Debra Bowen has been at the forefront of trying to ensure that voting machines work correctly. LWN's home state of Colorado also decertified a number of voting machines, but, like the earlier California study, it was done after those machines were purchased. As in California, it seems likely that Colorado will be using those machines in November.
Things are getting a little better, perhaps, but no one has, as yet, tried to take on the four major voting machine makers with a system that is built with security in mind. There is no reason that the source code for a voting machine could not be made available for study. The voting machine vendors claim all sorts of proprietary secret sauce in their code, but that isn't the real reason they hide it. Covering up their shoddy code is much more likely.
Every independent review of voting machines has found numerous, fundamental security flaws that should make anyone with an interest in the integrity of the election process cringe. Many of those analyses were done without the source code, so there is little doubt that even uglier problems would have been found in the code itself. It just cannot be that difficult to produce something vastly more secure than what is made available today.
One could speculate about the motives of these companies, but it is more fruitful to look at what could be built, mostly with off-the-shelf software. The place to start is by hiring a few good security-minded developers, while lining up an independent review team. One might guess that Felten and his associates would be a good place to start.
A stripped down Linux system could very easily be the basis for a voting machine, but other free software choices would serve just as well. Some user interface code for touchscreens and alternative input methods for those with disabilities would need to be written. Some kind of printing output device would need to be made a part of the system so that voter-verifiable audit trails—better yet, ballots that can be put into a locked box—can be created.
Source code availability does not, in and of itself, ensure vote security. That code needs to be reviewed by as many experts as can be found. In addition, there needs to be some mechanism to show that the source code being reviewed is the same as that being run.
For that reason, the system itself might be built around some kind of Trusted Platform Module (TPM) chip so that interested parties can verify that the published code is the same as that running on the system. If the system runs Linux, it might use the integrity management patches for that. Most importantly, the outside interfaces (network, USB, PCMCIA, etc.) to the device would either not be present or be very tightly controlled. Any kind of removable vote recording memory would need adequate cryptographic safeguards to eliminate tampering between vote taking and vote tabulating machines.
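As an added illustration of the two checks just described (not code from LWN or from any voting-machine vendor), the Python below does the comparison that a TPM-backed measured boot ultimately reduces to: hash the reviewed source tree and require the deployed tree to match, reporting any file that is missing, unexpected or modified. It then seals each vote record written to removable media with an HMAC-SHA256 tag covering the machine id and a sequence number, so the tabulating side detects altered, replayed or reordered records. The per-election key shared by both machines, the file names and every record are assumptions constructed for the example.

```python
"""Added example, not LWN's or any vendor's code: a hash manifest for a
deployed tree and HMAC-sealed vote records for removable media. The shared
per-election key and all files/records below are constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256, in a
    fixed order so independent reviewers produce byte-identical manifests."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_manifest(root, published):
    """Return a list of (path, reason) mismatches between the deployed tree
    and the published manifest; an empty list means they match."""
    deployed = build_manifest(root)
    problems = []
    for path in sorted(set(published) | set(deployed)):
        if path not in deployed:
            problems.append((path, "missing"))
        elif path not in published:
            problems.append((path, "unexpected"))
        elif deployed[path] != published[path]:
            problems.append((path, "modified"))
    return problems


def seal_record(key, machine_id, sequence, choices):
    """Serialize one vote record and append an HMAC-SHA256 tag. The machine
    id and sequence number are under the tag, so a record cannot be moved to
    another machine's media, duplicated or reordered without detection."""
    body = json.dumps({"machine": machine_id, "seq": sequence, "choices": choices},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_record(key, blob):
    """Authenticate and parse a sealed record; raise ValueError on tampering."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record failed authentication")
    return json.loads(body)


def tabulate(key, blobs, machine_id):
    """Count the choices on one machine's media, rejecting any record with a
    bad tag, from the wrong machine, or out of sequence."""
    totals = {}
    for expected_seq, blob in enumerate(blobs):
        rec = open_record(key, blob)
        if rec["machine"] != machine_id or rec["seq"] != expected_seq:
            raise ValueError("record out of sequence or from another machine")
        for contest, candidate in rec["choices"].items():
            contest_totals = totals.setdefault(contest, {})
            contest_totals[candidate] = contest_totals.get(candidate, 0) + 1
    return totals


def demo():
    """Constructed run: a reviewed tree, a deployed copy that drifts, and a
    media file with one altered record. Returns (tree problems, totals,
    whether the altered record was caught)."""
    key = b"per-election-key-provisioned-out-of-band"  # constructed for the demo
    with tempfile.TemporaryDirectory() as reviewed, tempfile.TemporaryDirectory() as deployed:
        for tree in (reviewed, deployed):
            with open(os.path.join(tree, "ballot_ui.py"), "w") as fh:
                fh.write("print('ballot')\n")
        published = build_manifest(reviewed)
        with open(os.path.join(deployed, "ballot_ui.py"), "a") as fh:
            fh.write("# unreviewed change\n")
        tree_problems = verify_manifest(deployed, published)
    blobs = [seal_record(key, "M-01", i, {"mayor": c}) for i, c in enumerate(["A", "B", "A"])]
    totals = tabulate(key, blobs, "M-01")
    tampered = blobs[1].replace(b'"B"', b'"A"')  # flip one vote on the media
    try:
        tabulate(key, [blobs[0], tampered, blobs[2]], "M-01")
        caught = False
    except ValueError:
        caught = True
    return tree_problems, totals, caught


if __name__ == "__main__":
    print(demo())
```

The manifest is only as good as the link between it and what the hardware actually measured; in a real system the published hashes would be compared against TPM-quoted measurements rather than against a tree read back by the same software under review. The HMAC construction assumes both machines hold the key and that the key never leaves them, which is exactly the kind of property a TPM-sealed key store is meant to provide.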
Instead of an emphasis on PR, schmoozing, and bamboozling non-technical folks, the focus of a free software voting system would be on transparency. The number one goal would be to give everyone, from the least technical voter to the Bruce Schneiers of the world, confidence in the machines and the process. It is hard to fathom how anyone could want anything less.
The last updated vulnerabilities section
It would seem that the majority of the readers of this page are willing to part with the updated vulnerabilities section. Based on the comments we got over the last two weeks, we decided to remove it in future editions. So, this is the last week you will find one on the security page. You can always visit http://lwn.net/Vulnerabilities/ to get a look at the most recent vulnerabilities in our database.
New vulnerabilities
asterisk: multiple vulnerabilities
| Package(s): | asterisk |
| CVE #(s): | CVE-2007-6430 CVE-2008-1332 CVE-2008-1333 |
| Created: | March 20, 2008 |
| Updated: | April 25, 2008 |
| Description: | From the Debian alert: CVE-2007-6430: Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups which are configured to run without a password and only host-based authentication. CVE-2008-1332: Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls. |
| Alerts: | |
asterisk: multiple vulnerabilities
| Package(s): | asterisk |
| CVE #(s): | CVE-2008-1289 CVE-2008-1390 |
| Created: | March 24, 2008 |
| Updated: | March 26, 2008 |
| Description: | From the Red Hat bugzilla: CVE-2008-1289: Two buffer overflows exist in the RTP payload handling code of Asterisk. Both overflows can be caused by an INVITE or any other SIP packet with SDP. The request may need to be authenticated depending on configuration of the Asterisk installation. The first overflow is caused by sending a payload number that surpasses the programmed maximum payload number of 256. This causes an invalid memory write outside of the buffer. While this does not allow the attacker to write arbitrary data it does allow the attacker to write a 0 to other memory locations. The second overflow is caused by sending more than 32 RTP payloads. This causes a buffer on the stack to overflow allowing the attacker to write values between 0 and 256 (the maximum payload number) to memory locations after the buffer. CVE-2008-1390: Due to the way that manager IDs are calculated, this 32-bit integer is likely to have a much larger than average number of 1s, which greatly reduces the number of guesses an attacker would have to make to successfully predict the manager ID, which is used across multiple HTTP queries to hold manager state. |
| Alerts: | |
bzip2: denial of service
| Package(s): | bzip2 |
| CVE #(s): | CVE-2008-1372 |
| Created: | March 24, 2008 |
| Updated: | March 30, 2009 |
| Description: | From the CVE entry: bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite. |
| Alerts: | |
Firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 |
| Created: | March 26, 2008 |
| Updated: | July 28, 2008 |
| Description: | The Firefox 2.0.0.13 release contains fixes for several vulnerabilities; see this list for details. |
| Alerts: | |
JBoss: inject and execute arbitrary commands
| Package(s): | JBoss |
| CVE #(s): | CVE-2007-6306 CVE-2007-6433 |
| Created: | March 25, 2008 |
| Updated: | March 26, 2008 |
| Description: | The JFreeChart component was vulnerable to multiple cross-site scripting (XSS) vulnerabilities. An attacker could misuse the image map feature to inject arbitrary web script or HTML via several attributes of the chart area. The setOrder method in the org.jboss.seam.framework.Query class did not properly validate user-supplied parameters. This vulnerability allowed remote attackers to inject and execute arbitrary EJBQL commands via the order parameter. |
| Alerts: | |
krb5: memory use after free
| Package(s): | krb5 |
| CVE #(s): | CVE-2007-5901 |
| Created: | March 24, 2008 |
| Updated: | April 7, 2010 |
| Description: | From the CVE entry: Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code. |
| Alerts: | |
libsilc: buffer overflow
| Package(s): | libsilc |
| CVE #(s): | |
| Created: | March 24, 2008 |
| Updated: | March 26, 2008 |
| Description: | From the Red Hat bugzilla: SILC Toolkit contains a possible buffer overflow from PKCS#1 message decoding in versions earlier than 1.1.7. A specially crafted digital signature can be used to crash the program. |
| Alerts: | |
namazu: cross-site scripting
| Package(s): | namazu |
| CVE #(s): | CVE-2008-1468 |
| Created: | March 26, 2008 |
| Updated: | August 29, 2008 |
| Description: | The sanitizing of input to namazu does not work properly with certain encodings, allowing HTML directives and script code to be injected into content. |
| Alerts: | |
openssh: hijacking of forwarded X connections
| Package(s): | openssh |
| CVE #(s): | CVE-2008-1483 |
| Created: | March 25, 2008 |
| Updated: | May 14, 2008 |
| Description: | OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. |
| Alerts: | |
ruby: directory traversal
| Package(s): | ruby |
| CVE #(s): | CVE-2008-1145 |
| Created: | March 25, 2008 |
| Updated: | August 29, 2008 |
| Description: | Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. |
| Alerts: | |
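The two failure modes in the WEBrick entry above (an encoded backslash that only becomes a separator once the filesystem sees it, and a non-disclosure pattern that is matched case-sensitively on a case-insensitive filesystem) are easy to reproduce in any static-file handler. The Python below is an added example, not Ruby's or WEBrick's code: a request-path check that decodes the URL path, refuses backslashes and `..` segments outright, matches the non-disclosure patterns case-insensitively per path segment, and confirms the joined result still lies under the document root. The patterns, document root and request paths are constructed for the example.

```python
"""Added example, not Ruby's or WEBrick's code: a request-path check of the
kind that closes the CVE-2008-1145 class of traversal. Patterns, document
root and request paths below are constructed for the example."""
import fnmatch
import os
import urllib.parse

# Example patterns in the style of WEBrick's :NondisclosureName option
# (assumed for this demo, not a statement of WEBrick's defaults).
NONDISCLOSURE = (".ht*", "*~")


def safe_resolve(doc_root, request_path, patterns=NONDISCLOSURE):
    """Return the filesystem path to serve for request_path, or None if the
    request must be refused. doc_root is an absolute, normalized path and
    request_path is the raw (still percent-encoded) URL path."""
    decoded = urllib.parse.unquote(request_path)
    # A backslash is never a legitimate separator in a URL path; on platforms
    # where the filesystem treats it as one, "..%5c" would climb out of the
    # root after our checks ran. Refuse it (and NUL) instead of normalizing.
    if "\\" in decoded or "\x00" in decoded:
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    for segment in segments:
        # Refuse any parent reference rather than trying to collapse it.
        if segment == "..":
            return None
        # Case-insensitive match so ".HTACCESS" is hidden just like ".htaccess"
        # on a filesystem that would open either name.
        if any(fnmatch.fnmatchcase(segment.lower(), p.lower()) for p in patterns):
            return None
    candidate = os.path.join(doc_root, *segments)
    # Final defence: the joined path must still lie under the document root.
    if os.path.commonpath([doc_root, os.path.abspath(candidate)]) != doc_root:
        return None
    return candidate


def demo():
    """Constructed requests against a constructed root; returns a dict of
    request path -> resolved path or None."""
    root = "/srv/www"
    requests = [
        "/index.html",
        "/docs/guide.html",
        "/..%5c..%5cetc/passwd",   # encoded backslash traversal
        "/../../etc/passwd",       # plain traversal
        "/.HTACCESS",              # case variant of a hidden name
        "/docs/notes.txt~",        # editor backup matching "*~"
    ]
    return {r: safe_resolve(root, r) for r in requests}


if __name__ == "__main__":
    for req, path in demo().items():
        print(f"{req!r:28} -> {path}")
```

Refusing `..` segments outright is stricter than WEBrick's behaviour (a request like `/docs/../index.html` is rejected rather than collapsed), which is the usual trade-off in a hardened handler: there is no legitimate reason for a client to send parent references, so rejecting them removes a whole class of normalization differences between the URL parser and the filesystem.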
serendipity: insufficient input sanitizing
| Package(s): | serendipity |
| CVE #(s): | CVE-2007-6205 CVE-2008-0124 |
| Created: | March 25, 2008 |
| Updated: | March 26, 2008 |
| Description: | Serendipity, a weblog manager, did not properly sanitize input to several scripts, which allowed for cross-site scripting. |
| Alerts: | |
ssl-cert: certificate disclosure
| Package(s): | ssl-cert |
| CVE #(s): | CVE-2008-1383 |
| Created: | March 20, 2008 |
| Updated: | March 26, 2008 |
| Description: | From the Gentoo alert: Robin Johnson reported that the docert() function provided by ssl-cert.eclass can be called by source building stages of an ebuild, such as src_compile() or src_install(), which will result in the generated SSL keys being included inside binary packages (binpkgs). A local attacker could recover the SSL keys from publicly readable binary packages when "emerge" is called with the "--buildpkg (-b)" or "--buildpkgonly (-B)" option. Remote attackers can recover these keys if the packages are served to a network. |
| Alerts: | |
viewvc: multiple vulnerabilities
| Package(s): | viewvc |
| CVE #(s): | CVE-2008-1290 CVE-2008-1291 CVE-2008-1292 |
| Created: | March 20, 2008 |
| Updated: | March 26, 2008 |
| Description: | From the Gentoo alert: Multiple unspecified errors were reportedly fixed by the ViewVC development team. A remote attacker could send a specially crafted URL to the server to list CVS or SVN commits on "all-forbidden" files, access hidden CVSROOT folders, and view restricted content via the revision view, the log history, or the diff view. |
| Alerts: | |
xine-lib: arbitrary code execution
| Package(s): | xine-lib |
| CVE #(s): | CVE-2008-0073 |
| Created: | March 24, 2008 |
| Updated: | October 30, 2008 |
| Description: | From the Red Hat bugzilla: Secunia Research has discovered a vulnerability in xine-lib, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "sdpplin_parse()" function in input/libreal/sdpplin.c. This can be exploited to overwrite arbitrary memory regions via an overly large "streamid" SDP parameter included in a malicious RTSP stream. Successful exploitation allows execution of arbitrary code. |
| Alerts: | |
xwine: several vulnerabilities
| Package(s): | xwine |
| CVE #(s): | CVE-2008-0930 CVE-2008-0931 |
| Created: | March 21, 2008 |
| Updated: | March 26, 2008 |
| Description: | The xwine command makes unsafe use of local temporary files when printing. This could allow the removal of arbitrary files belonging to users who invoke the program. The xwine command changes the permissions of the global WINE configuration file such that it is world-writable. This could allow local users to edit it such that arbitrary commands could be executed whenever any local user executed a program under WINE. |
| Alerts: | |
Page editor: Jake Edge