Distribution advisories
Here at LWN, we get a chance to see a fair number of security advisories in the course of a week—sometimes even in just a single day—so we tend to notice the quality, or lack thereof, of these important announcements. There are a few important pieces of information that need to be a part of any security update announcement, but sadly sometimes they aren't included. Overall, the quality of advisories seems to be declining, which is something that we would like to see change. While it clearly would make collecting security advisories easier for us, that is not the primary motivation for this look at security reporting—users are not being well-served by the current state of affairs.
Distributions need to remember that the audience for their security announcements is their users. Those users require some basic information to make an informed choice about whether they need to apply the update as well as how urgently. In order to make those decisions, the following should be present in advisories:
- the package affected
- the problem that is being fixed
- the impact of the vulnerability
- some kind of unique identifier for the alert
- links to relevant additional information (CVE, bugzilla, ...)
- where and how to update the package
- consistent formatting of advisories is a definite plus
The biggest problem seen with alerts of late is a lack of information about the problem they are fixing. As an example, consider the recent Fedora advisory on kvm. It refers to a recent CVE number (CVE-2008-4539) which is "reserved", so the CVE entry itself has no details, and says that it fixes a "cirrus vulnerability". It also references a bugzilla entry that apparently addresses a separate CVE from 2007 (CVE-2007-1320); if you follow the link in that bugzilla entry, you finally end up somewhere with actual information, though the connection between the two problems is not particularly obvious.
Another example of this is CentOS advisories, which suffer from a number of problems, but the most vexing for folks trying to determine whether they need to update is this lack of bug information. It is not all that hard to get the information as a typical alert has a link to the appropriate Red Hat advisory, but why make users take that step? A concise summary of the bug(s), as well as a reference to the—generally very complete—Red Hat errata, would be quite useful. There is certainly nothing wrong with linking to sources of additional information, but the basics of the problem and its impact should be available in the alert.
Unique identifiers for advisories are useful for a number of reasons: keeping track of which have been addressed, having a unique search string to use, or referring to them in conversations, bug reports, etc. When the identifier is not unique, it muddies the waters, making tracking more difficult than it needs to be. Sometimes mistakes are made (like the spate of recent Fedora alerts with the same FEDORA-2008-10000 identifier), but there also appear to be distribution policies that reuse identifiers deliberately. CentOS uses the same identifier on multiple advisories, one per architecture, and the identifier is also shared between CentOS releases. So the same identifier will be applied to an s390 update for CentOS 4 as is applied to x86_64 for CentOS 5.
Another identifier reuse problem comes from Fedora. When mozilla (or more recently xulrunner) library vulnerabilities occur, Fedora pro-actively rebuilds and updates all of the packages that depend on those libraries. This is very much to its credit as the API is not (yet) stable, but all of the resulting alerts refer to the same identifier. For those who try to track vulnerabilities along with alerts, that results in messy listings that don't provide much in the way of helpful information. Other library bugs result in much saner listings where one could relatively easily track down—and keep straight—the advisories for various packages.
There are other problems as well. Alerts that combine unrelated fixes do "avoid flooding mailing lists", but they are painful to tease apart for users who are tracking specific packages. Too much history, in the form of changelogs (example), can also be confusing. If there is only a link to provide vulnerability information, as is the CentOS way, it should go directly to a page about the flaw, not to a page that lists all recent upstream flaws (example). And so on.
Certain distributions have been singled out here, but that is not really the point. These are just recent examples of problems that are regularly seen in distribution security alerts. It should be noted that the commercial distributions (SUSE, Ubuntu, Red Hat, Mandriva) seem to do a much better job overall, which is not surprising, but sometimes they fail as well. The key thing to remember is that security announcements are meant to be read by users and acted upon. If information is lacking, the communication will fail.
This is not the first time we have looked at the problem: way back in 2000, security page editor Liz Coolbaugh took a look at security advisories and had some of the same complaints seen here. Her conclusion is still valid: it is not that distributions are not trying or that they don't care, but at times the contents of their advisories slip below the radar. After her article, things got better with security alerts; hopefully this gentle prodding will have a similar effect.
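As an added illustration (not a tool LWN or any distribution runs), the checklist above and the identifier-reuse complaint can be turned into a small linter for a batch of advisories. The plain-text field format, the field names and the sample advisories are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample advisories in an assumed "Key: value" line format.
# The first two share an identifier, the way rebuild-driven alerts do.
SAMPLE_ADVISORIES = [
    """ID: EXAMPLE-2008-0001
Package: kvm
Summary: NULL pointer dereference in the Cirrus VGA emulation lets a guest crash the host process.
Impact: denial of service
References: https://example.invalid/cve/CVE-2008-0000 https://example.invalid/bug/1
Update: yum update kvm""",
    """ID: EXAMPLE-2008-0001
Package: kvm-tools
Summary: Rebuilt against the fixed kvm library.
References: https://example.invalid/bug/1
Update: yum update kvm-tools""",
    """ID: EXAMPLE-2008-0002
Package: cups
Summary: fixes a cirrus vulnerability
References: https://example.invalid/cve/CVE-2008-0000""",
]

# The items a user needs, in checklist order (links and update instructions included).
REQUIRED = ("ID", "Package", "Summary", "Impact", "References", "Update")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
MIN_SUMMARY_WORDS = 6  # assumed threshold for "says something about the bug"

def parse_advisory(text):
    """Split the advisory into a dict of the checklist fields it carries."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in REQUIRED:
            fields[key.strip()] = value.strip()
    return fields

def check_advisory(text):
    """Return a list of problems, one per missing or weak checklist item."""
    f = parse_advisory(text)
    problems = [f"missing {k}" for k in REQUIRED if not f.get(k)]
    if f.get("References") and not CVE_RE.search(f["References"]):
        problems.append("no CVE reference")
    if len(f.get("Summary", "").split()) < MIN_SUMMARY_WORDS:
        problems.append("summary too vague")
    return problems

def find_reused_ids(texts):
    """Map each identifier used by more than one advisory to the packages it covers."""
    by_id = defaultdict(list)
    for t in texts:
        f = parse_advisory(t)
        by_id[f.get("ID", "<none>")].append(f.get("Package", "?"))
    return {i: pk for i, pk in by_id.items() if len(pk) > 1}
```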
Brief items
A "Grey Hat" guide for security researchers
Jennifer Granick of the Electronic Frontier Foundation (EFF) has created a guide for security researchers who may have run afoul of computer crime laws. It looks at the risks and some possible solutions for revealing information about vulnerabilities so that they can get fixed. Granick is seeking comments to improve the guide. "The researcher is in a quandary when she has potentially broken the law, but never intended to steal information or invade privacy and wants to see the problem fixed. Reporting the information raises a red flag that could result in an investigation and civil claims or even criminal charges. Keeping quiet means that the flaw will go unremedied and potentially could be exploited by someone who does have criminal intent. What is the grey hat hacker to do?"
New vulnerabilities
cups: denial of service
Package(s): cups
CVE #(s): CVE-2008-5183 CVE-2008-5184
Created: November 25, 2008
Updated: March 2, 2011
Description: cupsd in CUPS before 1.3.8 allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184.
The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions.
Alerts:
dovecot: access restriction bypass
Package(s): dovecot
CVE #(s): CVE-2008-4578
Created: November 20, 2008
Updated: December 15, 2008
Description: Dovecot has an access restriction bypass vulnerability. From the National Vulnerability Database entry: The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the "k" right to create unauthorized "parent/child/child" mailboxes.
Alerts:
gvim: multiple vulnerabilities
Package(s): gvim
CVE #(s): CVE-2008-3074 CVE-2008-3075 CVE-2008-3076
Created: November 24, 2008
Updated: March 24, 2009
Description: From the rPath advisory: Previous versions of the vim package contain multiple vulnerabilities, the most serious of which allow user-assisted attackers to execute arbitrary commands via maliciously crafted file and directory names.
Alerts:
hf: arbitrary code execution
Package(s): hf
CVE #(s): CVE-2008-2378
Created: November 24, 2008
Updated: November 25, 2008
Description: From the debian-hams mailing list posting: The hf package, described by Debian as an amateur-radio protocol suite using a soundcard as a modem, is a program that eventually becomes setuid(0), and has a trivial security hole in it. By default the package installs "/usr/bin/hfkernel" as a typical binary, but when first started via the program "hf" the binary is changed to be setuid(root). [...] Unfortunately the hfkernel program contains a trivial root hole:

    int main(int argc, char *argv[])
    {
        // snip
        while ((c = getopt(argc, argv, "a:M:c:klhip:m:nt:s:r:Rf23")) != -1)
            switch (c) {
            // snip
            case 'k':
                /* runs via /bin/sh, which resolves "killall" through the caller's PATH, as root */
                system ("killall hfkernel");
            // }

Creating ~/bin/killall is sufficient to gain root privileges.
Alerts:
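The root of the hf hole is that system() hands the command to /bin/sh, which resolves a bare program name through the caller's PATH while the process is still root. As an added example (not code from the hf package or the posting), here is that pattern next to a hardened replacement that accepts only absolute paths, runs the child with a fixed environment and drops privileges first; the function names, the path and the "killing your own hfkernel does not need root" assumption are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The pattern from the advisory, kept for contrast only: system() runs
 * "/bin/sh -c 'killall hfkernel'", and the shell looks up the bare name
 * "killall" in the *caller's* PATH. In a setuid-root binary a user-writable
 * directory on PATH therefore decides which program runs as root. */
int vulnerable_kill(void)
{
    return system("killall hfkernel");
}

/* Hardened replacement (assumed design, not the hf project's code):
 *  - only absolute paths are accepted, so no PATH search happens at all;
 *  - the child gets a fixed, minimal environment instead of the caller's;
 *  - the child drops setuid privilege to the real uid/gid before exec.
 * Returns the child's exit status, or -1 on refusal or error. */
int hardened_run(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* relative name: refuse, never search */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop privileges permanently; refuse to run anything if that fails. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(abs_path, argv, clean_env);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "killall", "hfkernel", NULL };
    /* Absolute path: whatever is on the caller's PATH is never consulted. */
    return hardened_run("/usr/bin/killall", argv) == 0 ? 0 : 1;
}
```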
imlib2: buffer overflow
Package(s): imlib2
CVE #(s): CVE-2008-5187
Created: November 26, 2008
Updated: January 20, 2009
Description: There is a buffer overflow vulnerability in imlib2; it can be exploited via a specially-crafted XPM file to execute arbitrary code. See this advisory for more information.
Alerts:
imp: cross-site scripting
Package(s): imp
CVE #(s): CVE-2008-4182
Created: November 25, 2008
Updated: July 27, 2010
Description: Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba Contact Manager H3 2.2.1, and possibly other Horde Project products, allows remote attackers to inject arbitrary web script or HTML via the User field in an IMAP session.
Alerts:
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2008-4933 CVE-2008-4934 CVE-2008-5029
Created: November 24, 2008
Updated: November 4, 2009
Description: From the Mandriva advisory: Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function. (CVE-2008-4933) The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image. (CVE-2008-4934) The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. (CVE-2008-5029)
Alerts:
libcdaudio: buffer overflow
Package(s): libcdaudio
CVE #(s): CVE-2005-0706
Created: November 21, 2008
Updated: December 7, 2009
Description: From the CVE entry: Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected.
Alerts:
mozilla: denial of service
Package(s): firefox, thunderbird, seamonkey
CVE #(s): CVE-2008-5052
Created: November 24, 2008
Updated: November 26, 2008
Description: From the CVE entry: The AppendAttributeValue function in the JavaScript engine in Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger memory corruption, as demonstrated by e4x/extensions/regress-410192.js.
Alerts:
nagios: authorization bypass
Package(s): nagios
CVE #(s): CVE-2008-5027
Created: November 26, 2008
Updated: July 20, 2009
Description: Versions of nagios prior to 3.0.5 contain a bug which can allow an authenticated user to circumvent authorization checks and run arbitrary programs.
Alerts:
openoffice.org: insecure temp files
Package(s): openoffice.org, openoffice.org-amd64
CVE #(s): CVE-2008-4937
Created: November 25, 2008
Updated: March 10, 2009
Description: From the Ubuntu advisory: Dmitry E. Oboukhov discovered that senddoc, as included in OpenOffice.org, created temporary files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program. This issue only affected Ubuntu 8.04 LTS.
Alerts:
pidgin: multiple vulnerabilities
Package(s): pidgin
CVE #(s): CVE-2008-2955 CVE-2008-2957 CVE-2008-3532
Created: November 24, 2008
Updated: January 18, 2010
Description: From the Ubuntu advisory: It was discovered that Pidgin did not properly handle file transfers containing a long filename and special characters in the MSN protocol handler. A remote attacker could send a specially crafted filename in a file transfer request and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955) It was discovered that Pidgin did not impose resource limitations in the UPnP service. A remote attacker could cause Pidgin to download arbitrary files and cause a denial of service from memory or disk space exhaustion. (CVE-2008-2957) It was discovered that Pidgin did not validate SSL certificates when using a secure connection. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. This update alters Pidgin behaviour by asking users to confirm the validity of a certificate upon initial login. (CVE-2008-3532)
Alerts:
tog-pegasus: authentication issues
Package(s): tog-pegasus
CVE #(s): CVE-2008-4313 CVE-2008-4315
Created: November 25, 2008
Updated: November 27, 2008
Description: From the Red Hat advisory: After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these additional security enhancements were no longer being applied. As a consequence, access to OpenPegasus WBEM services was not restricted to the dedicated users as described in README.RedHat.Security. An attacker able to authenticate using a valid user account could use this flaw to send requests to WBEM services. Failed authentication attempts against the OpenPegasus CIM server were not logged to the system log as documented in README.RedHat.Security. An attacker could use this flaw to perform password guessing attacks against a user account without leaving traces in the system log.
Alerts:
vim: heap-based overflow
Package(s): vim
CVE #(s): CVE-2008-3432
Created: November 25, 2008
Updated: November 26, 2008
Description: From the Red Hat advisory: A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially-crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code.
Alerts:
vim: sanitization flaws
Package(s): vim
CVE #(s): CVE-2008-4101
Created: November 25, 2008
Updated: March 3, 2009
Description: Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim.
Alerts:
webkit: arbitrary code execution
Package(s): webkit
CVE #(s): CVE-2008-3632
Created: November 24, 2008
Updated: November 25, 2008
Description: From the Ubuntu advisory: It was discovered that WebKit did not properly handle Cascading Style Sheets (CSS) import statements. If a user were tricked into opening a malicious website, an attacker could cause a browser crash and possibly execute arbitrary code with user privileges.
Alerts:
yast2-backup: code injection
Package(s): yast2-backup
CVE #(s): CVE-2008-4636
Created: November 25, 2008
Updated: November 26, 2008
Description: Insufficient shell quoting in yast2-backup allowed local users to craft special file names that inject shell code into the backup process.
Alerts:
Page editor: Jake Edge