Security
Enabling DRM in the kernel?
Back in April, we looked at the Linux kernel patches for Intel's Trusted Execution Technology (TXT), a mechanism to verify the integrity of the kernel before booting it. Since that time, another version of the patchset has surfaced. The relatively few comments on the feature were largely concerned that there might be opposition to its inclusion—not because of technical considerations, but instead because of ethical concerns about what TXT could enable.
Ted Ts'o had the most to say about what TXT (also known as LaGrande)
enables, not necessarily in
opposition to adding the feature, but outlining the concerns of those who
might. He warned: "So we should
expect a certain amount of controversy and people
lobbying to resist the acceptance of this patch.
" The basic problem
is that TXT can enable Digital Rights Management (DRM) systems that are
largely uncrackable.
Pointing to a "Trusted Computing"
FAQ from 2003, Ts'o noted that five years ago, FAQ author Ross Anderson
"was able to predict the emergence of the LaGrande Technology
(see question 15 in the above FAQ).
" But, Joseph Cihula, author
of the TXT patch noted that some of the FAQ (and other Trusted Computing
complaints) had been rebutted
[PDF] in an IBM whitepaper by David Safford. But, as Ts'o pointed out, much of Safford's response was
specific to the Trusted Computing Platform Alliance (TCPA) technology,
which is essentially broken as a DRM lockdown solution:
With TXT, however, all of these problems go away. What you end up booting is completely under "[Circuit] City's DIVX's" control, and may include a miniature Windows environment running in the trusted environment; it could then take over a portion of the screen for the video output, and the hardware would have special features set up to prevent the host OS from having any access to the video output of the movie player running in the TXT environment.
Ts'o's message is worth reading in its entirety, but the basic point is that TXT enables Hollywood (or another DRM-happy entity) to take away some of the basic functionality of the hardware in order to preserve their "rights". Essentially, this takes away users' rights to protect companies' perceived or actual rights. The truly nightmarish scenario is one where one cannot do anything on a computer that isn't contained in a signed (presumably proprietary and closed source) application, running on a signed operating system. TXT could enable just that kind of functionality.
But, there are some scenarios (Ts'o mentions medical record access) under which TXT could be beneficial to the user. Other devices (voting machines and ATMs are the standard example) could benefit from TXT as well. Should kernel hackers stand in the way of adding this code to the kernel simply because it can be used for ill? The consensus, from the extremely limited subset of the kernel development community participating in the discussion, seems to be "no".
James Morris notes Linus Torvalds's famous "Flame Linus to a crisp!" message wherein he
says: "I want to make it clear that DRM is perfectly ok with
Linux!
". Morris more-or-less agrees with that view:
That sentiment is also shared by Ts'o: "That being said, it's not
clear to me that stopping the technology from going into Linux really isn't
going to help matters; realistically, the Linux desktop is miniscule[1],
and whether or not we add support for TXT in the mainline Linux kernel
isn't going to stop Hollywood's plans.
" His footnote refers to the
potential risk of TXT being used in Moblin to lock down those devices, but
"realistically, even if we don't let it into mainline kernel, it
won't stop Moblin hardware vendors from shipping it
".
This is a social, not a technical problem, as Ts'o says. There are powerful interests that certainly want to have that kind of power over the actions of their customers. It will be up to those who value their hardware and software freedoms (and, very likely, the courts) to ensure that those freedoms are still available. Avoiding DRM is not something that has gotten onto the radar of most consumers, but the content providers are doing their best to raise its visibility. One wonders how many revoked features for Kindle books or how much music that expires because it is crippled with DRM it will take before consumers start to rebel.
In the meantime, though, it seems likely that Linux will end up with TXT support somewhere down the road. The objections have been few—technical or ethical—at least so far, and the code obviously exists. There is no barrier to a hardware manufacturer (or distribution) incorporating it and enforcing whatever restrictions it wishes. Given that there are benign uses as well, the code is likely to improve from its inclusion in the mainline. When (almost certainly not "if") those uses turn towards total lockdown, it will be a social battle, on multiple fronts, to preserve the hardware and software freedoms we enjoy today.
New vulnerabilities
cyrus-sasl: buffer overflow
| Package(s): | cyrus-sasl | CVE #(s): | CVE-2009-0688 | ||||||||||||||||||||||||||||||||||||||||
| Created: | May 15, 2009 | Updated: | December 3, 2009 | ||||||||||||||||||||||||||||||||||||||||
| Description: | From the Slackware advisory: A buffer overflow in the sasl_encode64() function could lead to a denial of service or possible execution of arbitrary code. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
drupal: cross-site scripting
| Package(s): | drupal | CVE #(s): | CVE-2008-3661 | ||||||||
| Created: | May 18, 2009 | Updated: | May 20, 2009 | ||||||||
| Description: | From the Drupal advisory: Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting contained an incomplete fix for the issue. HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in outlines is able to insert arbitrary HTML and script code in these exports. | ||||||||||
| Alerts: |
| ||||||||||
giflib: several vulnerabilities
| Package(s): | giflib | CVE #(s): | CVE-2005-2974 CVE-2005-3350 | ||||||||||||
| Created: | May 19, 2009 | Updated: | June 18, 2009 | ||||||||||||
| Description: | From the Fedora advisory: CVE-2005-2974: NULL pointer dereference crash. CVE-2005-3350: Memory corruption via a crafted GIF | ||||||||||||||
| Alerts: |
| ||||||||||||||
gnutls: incorrect certificate validation
| Package(s): | gnutls | CVE #(s): | CVE-2009-1417 | ||||||||||||
| Created: | May 18, 2009 | Updated: | December 4, 2009 | ||||||||||||
| Description: | From the Mandriva advisory: gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup (CVE-2009-1417). | ||||||||||||||
| Alerts: |
| ||||||||||||||
ipsec-tools: denial of service
| Package(s): | ipsec-tools | CVE #(s): | CVE-2009-1574 | ||||||||||||||||||||||||||||||||
| Created: | May 14, 2009 | Updated: | December 3, 2009 | ||||||||||||||||||||||||||||||||
| Description: | From the Mandriva alert: racoon/isakmp_frag.c in ipsec-tools before 0.7.2 allows remote attackers to cause a denial of service (crash) via crafted fragmented packets without a payload, which triggers a NULL pointer dereference. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
ipsec-tools: denial of service
| Package(s): | ipsec-tools | CVE #(s): | CVE-2009-1632 | ||||||||||||||||||||||||||||||||||||||||
| Created: | May 18, 2009 | Updated: | July 3, 2009 | ||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory: Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) signature verification during user authentication with X.509 certificates, related to the eay_check_x509sign function in src/racoon/crypto_openssl.c; and (2) the NAT-Traversal (aka NAT-T) keepalive implementation, related to src/racoon/nattraversal.c (CVE-2009-1632). | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2009-1527 | ||||
| Created: | May 18, 2009 | Updated: | May 20, 2009 | ||||
| Description: | From the CVE entry: Race condition in the ptrace_attach function in kernel/ptrace.c in the Linux kernel before 2.6.30-rc4 allows local users to gain privileges via a PTRACE_ATTACH ptrace call during an exec system call that is launching a setuid application, related to locking an incorrect cred_exec_mutex object. | ||||||
| Alerts: |
| ||||||
kernel: SELinux check bypass
| Package(s): | kernel | CVE #(s): | CVE-2009-1184 | ||||||||||||||||||||||||
| Created: | May 20, 2009 | Updated: | July 2, 2009 | ||||||||||||||||||||||||
| Description: | There is a bug in the SELinux code which can cause a number of networking-related checks to be bypassed when running with compat_net=1. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
nsd: buffer overflow
| Package(s): | nsd | CVE #(s): | |||||||||||||
| Created: | May 20, 2009 | Updated: | May 20, 2009 | ||||||||||||
| Description: | Versions of the nsd name server daemon prior to 3.2.2 contain a single-byte buffer overflow which can be exploited to crash the daemon. Code-execution exploits are considered to be unlikely. See this advisory for more information. | ||||||||||||||
| Alerts: |
| ||||||||||||||
ntp: buffer overflow
| Package(s): | ntp | CVE #(s): | CVE-2009-1252 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 19, 2009 | Updated: | December 4, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory: A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially-crafted request packet that could crash ntpd. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
phpmyadmin: multiple vulnerabilities
| Package(s): | phpMyAdmin | CVE #(s): | CVE-2009-1150 CVE-2009-1151 | ||||||||||||
| Created: | May 18, 2009 | Updated: | June 30, 2009 | ||||||||||||
| Description: | From the Mandriva advisory: Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie (CVE-2009-1150). Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action (CVE-2009-1151). | ||||||||||||||
| Alerts: |
| ||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>