Security
A desktop "secrets" API
There is often a fair amount of secret information that a Linux user might store on their computer—things like passwords for sensitive sites, private ssh keys, and Swiss bank account numbers. If multiple applications, typically desktop applications, need to access that information, there are solutions in the form of GNOME Keyring and KDE Wallet, but those solutions are only available to applications written for those specific desktop environments. A new freedesktop.org initiative, started by the developers of those two solutions, aims to create a "Secrets API" that can be used across desktop environments so that users can have access to their secrets from any application, regardless of which desktop it comes from.
The project was announced by KDE Wallet developer Michael Leupold on the XDG mailing list (as well as on his blog). The basic idea is fairly straightforward: users will still run Keyring or Wallet as part of their login session—which will depend on the desktop they use—but there will be an API that allows applications to extract these secrets without caring which secret storage program is providing them.
Not surprisingly, given that it is a cross-desktop API, D-Bus will be used to implement a protocol for extracting the needed secrets. Applications will then use the new API so that they are insulated from the underlying secret storage service. In his blog posting, Leupold notes that he will be trying to provide backward compatibility: "While I expect a new client-side API (which I imagine to be more OO style than KWallet::Wallet), I'll keep an eye on providing something the current class can wrap so even applications using the old API will be able to use the new system." It seems likely that Stef Walter, the Keyring developer, will do something similar for GNOME applications.
In the Secrets API, secrets are just arrays of bytes that get transferred, possibly encrypted, between the application and the storage facility. Each secret is associated with a simple dictionary (i.e., a set of name/value pairs) called "lookup attributes", which are used to find the secret; the attributes themselves are searchable, so they must not contain anything sensitive. In addition, secrets have a label and properties associated with them. Secrets can then be grouped into "collections", which more or less correspond to today's keyrings or wallets.
Items and collections can be locked, in which case they must be unlocked before their secrets can be read. In practice, that generally means the user is prompted for a password before the item or collection can be retrieved by the application.
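To make the data model above concrete, here is an added in-memory model written for this article; it is not code from the freedesktop.org specification, GNOME Keyring or KDE Wallet. It keeps secrets as opaque byte strings, finds them through lookup attributes, groups them into collections, and refuses to hand out a secret until the collection has been unlocked through a prompt. The attribute names ("protocol", "server", "user") and the prompt callback are assumptions standing in for whatever applications eventually agree on; the sample password is constructed.

```python
# Added illustration of the Secrets API data model: byte-string secrets,
# attribute-based lookup, collections, and lock/unlock gating. Stand-alone
# model for this article, not the freedesktop.org spec or any real daemon.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class Locked(Exception):
    """Raised when a secret is requested from a locked item or collection."""


@dataclass
class Item:
    label: str
    attributes: Dict[str, str]   # lookup attributes: the only thing search matches on
    secret: bytes                # the secret itself is an opaque byte string
    locked: bool = True


@dataclass
class Collection:
    label: str
    items: List[Item] = field(default_factory=list)
    locked: bool = True


class SecretService:
    """Minimal storage service: create, search, lock/unlock, retrieve."""

    def __init__(self) -> None:
        self.collections: Dict[str, Collection] = {}

    def create_collection(self, label: str) -> Collection:
        coll = Collection(label=label, locked=False)  # freshly created, so unlocked
        self.collections[label] = coll
        return coll

    def create_item(self, collection: str, label: str, secret: bytes,
                    attributes: Dict[str, str]) -> Item:
        coll = self.collections[collection]
        if coll.locked:
            raise Locked(f"collection {collection!r} is locked")
        item = Item(label=label, attributes=dict(attributes),
                    secret=bytes(secret), locked=False)
        coll.items.append(item)
        return item

    def search_items(self, attributes: Dict[str, str]) -> List[Item]:
        """Items whose lookup attributes contain every requested (name, value) pair.

        Search works on locked collections too: it reveals labels and attributes,
        never the secret bytes, which is why attributes must not be secret.
        """
        wanted = attributes.items()
        return [item for coll in self.collections.values() for item in coll.items
                if wanted <= item.attributes.items()]

    def lock(self, collection: str) -> None:
        coll = self.collections[collection]
        coll.locked = True
        for item in coll.items:
            item.locked = True

    def unlock(self, collection: str, prompt: Callable[[str], bool]) -> bool:
        """Unlock after the user confirms via `prompt` (stands in for the password dialog)."""
        coll = self.collections[collection]
        if coll.locked and not prompt(collection):
            return False            # user cancelled: everything stays locked
        coll.locked = False
        for item in coll.items:
            item.locked = False
        return True

    def get_secret(self, item: Item) -> bytes:
        owner = next((c for c in self.collections.values() if item in c.items), None)
        if owner is None:
            raise KeyError(f"unknown item {item.label!r}")
        if owner.locked or item.locked:
            raise Locked(f"{item.label!r} is locked; unlock {owner.label!r} first")
        return item.secret


def browser_hop_demo() -> Dict[str, object]:
    """Two applications share one password via agreed attribute names (constructed data)."""
    svc = SecretService()
    svc.create_collection("login")
    svc.create_item("login", "example.com (alice)", b"correct horse battery staple",
                    {"protocol": "https", "server": "example.com", "user": "alice"})
    svc.lock("login")  # a session starts with the wallet/keyring locked

    # A second browser only needs the same attribute names to find the item...
    found = svc.search_items({"server": "example.com", "user": "alice"})
    try:                                    # ...but cannot read it while locked
        svc.get_secret(found[0])
        leaked_while_locked = True
    except Locked:
        leaked_while_locked = False

    declined = not svc.unlock("login", prompt=lambda name: False)  # user cancels
    unlocked = svc.unlock("login", prompt=lambda name: True)       # user accepts
    return {"matches": len(found), "leaked_while_locked": leaked_while_locked,
            "declined": declined, "unlocked": unlocked, "secret": svc.get_secret(found[0])}
```

The point of separating search from retrieval is visible in browser_hop_demo(): an application can discover that a matching item exists without the user's consent, but the bytes only flow after the unlock prompt succeeds.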
Clients can negotiate encryption of the secret information as it is transferred to or from the storage service. While that may seem like a good idea overall, the API documentation comes with some fairly strong caveats:
Many client applications may choose not to make use of the provisions to encrypt secrets in transit. In fact for applications unable to prevent their own memory from being paged to disk (eg: Java, C# or Python apps), [transferring] encrypted secrets would be an [exercise] of questionable value.
There are more details, of course, and the API specification is being discussed and revised on the freedesktop.org Authentication mailing list. In addition, there is discussion of higher-level topics on the list, such as how browsers will identify their secrets so that users can move between browsers while still using the password information stored for them. As Leupold notes, that is one of the most likely scenarios for users needing the Secrets API.
With this API in place, GNOME users could use Konqueror and still have access to their passwords, and the same goes for KDE users and Epiphany. As Leupold points out in his blog posting, though, Mozilla has not shown any interest, at least yet. Integrating with the Linux desktop has not really ever been a priority for Mozilla, so one might expect Firefox, et al. to lag in this area.
Even for those not running one of the "big two" desktop environments, a suitably configured system—with D-Bus and one of the secret storage services enabled—could take advantage of the Secrets API. Interoperability between desktop environments is a good thing, and not having to store passwords somewhere external in order to "browser hop" can only be a good thing as well. As it matures, other applications needing to store secrets will presumably use it too. Having a single, hopefully well-vetted, location for storing this kind of information—encrypted and password-protected—may also lead to better security for users.
Brief items
BIND 9 denial of service being actively exploited
Internet Systems Consortium, the developers of the BIND DNS server, is reporting a denial of service vulnerability that is being actively exploited. "Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert. [...] This vulnerability affects all servers that are masters for one or more zones; it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround." ISC is urgently suggesting that everyone upgrade BIND to 9.4.3-P3, 9.5.1-P3, or 9.6.1-P1.
Finding Linux Bugs Before they Become Exploits (internetnews.com)
Over at internetnews.com, there is a look at the role the Coverity scanner played in finding the bad code that allowed the recent kernel NULL pointer exploit. "The issue of patching aside, the public exploit could easily have been a zero day exploit on the Linux kernel itself, were it not for the fact that the bug that enables the exploit was caught by a scan from code scanning vendor Coverity. The Linux kernel has been actively scanned by Coverity since at least 2004 in an effort to find bugs and improve code quality."
New vulnerabilities
bind: denial of service
Package(s): bind9 bind
CVE #(s): CVE-2009-0696
Created: July 29, 2009
Updated: January 21, 2010
Description: Bind 9 fails to validate certain dynamic DNS update packets, causing the server to crash. This vulnerability is being actively exploited.
bugzilla: privilege escalation
Package(s): bugzilla
CVE #(s): (none listed)
Created: July 28, 2009
Updated: July 29, 2009
Description: From the bugzilla security advisory: Bug reporters could confirm their bugs and change their bugs' statuses, even if they didn't have the appropriate permissions.
compface: buffer overflow
Package(s): compface
CVE #(s): CVE-2009-2286
Created: July 29, 2009
Updated: July 29, 2009
Description: Compface 1.5.2 contains a buffer overflow which can be exploited to (at least) crash the process. It's worth noting that, while this is a 2009 CVE, Fedora fixed the bug in 2006.
firefox: denial of service
Package(s): firefox
CVE #(s): CVE-2009-2478
Created: July 23, 2009
Updated: July 29, 2009
Description: From the National Vulnerability Database entry: "Mozilla Firefox 3.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors, related to a "flash bug.""
firefox: denial of service
Package(s): firefox
CVE #(s): CVE-2009-2479
Created: July 23, 2009
Updated: July 29, 2009
Description: From the National Vulnerability Database entry: "Mozilla Firefox 3.0.x, 3.5, and 3.5.1 on Windows allows remote attackers to cause a denial of service (uncaught exception and application crash) via a long Unicode string argument to the write method. NOTE: this was originally reported as a stack-based buffer overflow. NOTE: on Linux and Mac OS X, a crash resulting from this long string reportedly occurs in an operating-system library, not in Firefox."
firefox: arbitrary code execution
Package(s): firefox
CVE #(s): CVE-2009-2477
Created: July 23, 2009
Updated: July 29, 2009
Description: From the National Vulnerability Database entry: "js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements."
kdelibs: denial of service
Package(s): kdelibs
CVE #(s): CVE-2009-1725 CVE-2009-2537
Created: July 28, 2009
Updated: January 25, 2011
Description: From the CVE entries:
WebKit in Apple Safari before 4.0.2 does not properly handle numeric character references, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document. (CVE-2009-1725)
KDE Konqueror allows remote attackers to cause a denial of service (memory consumption) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692. (CVE-2009-2537)
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2009-1897
Created: July 27, 2009
Updated: October 5, 2009
Description: From the CVE entry: The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2009-1895
Created: July 27, 2009
Updated: March 21, 2011
Description: From the CVE entry: The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).
kernel: multiple vulnerabilities
Package(s): kernel, linux, linux-source-2.6.15
CVE #(s): CVE-2009-2287 CVE-2009-2406 CVE-2009-2407
Created: July 28, 2009
Updated: February 18, 2011
Description: From the Ubuntu advisory:
Matt T. Yourst discovered that KVM did not correctly validate the page table root. A local attacker could exploit this to crash the system, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-2287)
Ramon de Carvalho Valle discovered that eCryptfs did not correctly validate certain buffer sizes. A local attacker could create specially crafted eCryptfs files to crash the system or gain elevated privileges. Ubuntu 6.06 was not affected. (CVE-2009-2406, CVE-2009-2407)
mysql: denial of service and "unspecified other impact"
Package(s): mysql
CVE #(s): CVE-2009-2446
Created: July 27, 2009
Updated: March 8, 2010
Description: From the Mandriva advisory: Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information (CVE-2009-2446).
openexr: several vulnerabilities
Package(s): openexr
CVE #(s): CVE-2009-1720 CVE-2009-1721 CVE-2009-1722
Created: July 28, 2009
Updated: December 9, 2013
Description: From the Debian advisory: Several vulnerabilities have been discovered in the OpenEXR image library, which can lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:
Drew Yao discovered integer overflows in the preview and compression code. (CVE-2009-1720)
Drew Yao discovered that an uninitialised pointer could be freed in the decompression code. (CVE-2009-1721)
A buffer overflow was discovered in the compression code. (CVE-2009-1722)
php: missing input validation
Package(s): php
CVE #(s): (none listed)
Created: July 28, 2009
Updated: July 29, 2009
Description: From the php bug report: There seems to be a problem in exif_read_data(), where some fields representing offsets(?) are taken directly from the file without being validated, resulting in a segmentation fault.
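The bug report above describes a classic parser failure: offsets copied from the file and used before being checked against the buffer. As an added illustration written for this page (not PHP's exif code), here is a minimal reader for the TIFF structure that EXIF data uses, which bounds-checks every file-supplied offset and length before touching memory and refuses IFD chains that loop. The sample blobs are constructed: one well-formed, one with a value offset pointing far past the end of the file, and one whose "next IFD" pointer loops back on itself.

```python
# Added illustration of offset validation in an EXIF/TIFF reader. Written
# for this page, not PHP's exif_read_data(); sample blobs are constructed.
import struct

# Byte size of each TIFF field type (1=BYTE, 2=ASCII, 3=SHORT, 4=LONG, 5=RATIONAL, ...).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


class MalformedExif(ValueError):
    """Any offset, length or count from the file that does not fit the buffer."""


def _check_range(data: bytes, offset: int, length: int, what: str) -> None:
    """Reject a file-supplied (offset, length) pair that leaves the buffer.

    In C, skipping this check turns a crafted offset into an out-of-bounds read,
    which is the segmentation fault the bug report describes.
    """
    if offset < 0 or length < 0 or offset + length > len(data):
        raise MalformedExif(f"{what}: offset {offset} + length {length} "
                            f"exceeds {len(data)}-byte buffer")


def parse_tiff(data: bytes, max_ifds: int = 8) -> list:
    """Return a list of IFDs, each a dict {tag: raw_value_bytes}, or raise MalformedExif."""
    _check_range(data, 0, 8, "TIFF header")
    if data[:2] == b"II":
        e = "<"                      # little-endian ("Intel")
    elif data[:2] == b"MM":
        e = ">"                      # big-endian ("Motorola")
    else:
        raise MalformedExif("bad byte-order mark")
    if struct.unpack(e + "H", data[2:4])[0] != 42:
        raise MalformedExif("bad TIFF magic")
    ifd_offset = struct.unpack(e + "I", data[4:8])[0]

    ifds, seen = [], set()
    while ifd_offset != 0:
        # A next-IFD pointer that revisits an offset would loop forever.
        if ifd_offset in seen or len(ifds) >= max_ifds:
            raise MalformedExif("IFD chain loops or is too long")
        seen.add(ifd_offset)
        _check_range(data, ifd_offset, 2, "IFD entry count")
        count = struct.unpack(e + "H", data[ifd_offset:ifd_offset + 2])[0]
        # Entries are 12 bytes each, followed by the 4-byte next-IFD pointer.
        _check_range(data, ifd_offset + 2, 12 * count + 4, "IFD entries")
        entries = {}
        for i in range(count):
            pos = ifd_offset + 2 + 12 * i
            tag, ftype, n = struct.unpack(e + "HHI", data[pos:pos + 8])
            if ftype not in TYPE_SIZES:
                raise MalformedExif(f"tag 0x{tag:04x}: unknown field type {ftype}")
            size = TYPE_SIZES[ftype] * n   # in C this product can overflow 32 bits
            if size <= 4:
                value = data[pos + 8:pos + 8 + size]          # value stored inline
            else:
                off = struct.unpack(e + "I", data[pos + 8:pos + 12])[0]
                _check_range(data, off, size, f"tag 0x{tag:04x} value")
                value = data[off:off + size]                  # value stored at offset
            entries[tag] = value
        ifds.append(entries)
        next_pos = ifd_offset + 2 + 12 * count
        ifd_offset = struct.unpack(e + "I", data[next_pos:next_pos + 4])[0]
    return ifds


def safe_parse(data: bytes):
    """What an application would call: (True, ifds) or (False, reason), never an exception."""
    try:
        return True, parse_tiff(data)
    except MalformedExif as exc:
        return False, str(exc)


def build_sample(value_offset: int = 26, next_ifd: int = 0) -> bytes:
    """Constructed 34-byte little-endian TIFF: one ASCII 'Make' tag (0x010F) of 8 bytes."""
    header = b"II" + struct.pack("<HI", 42, 8)                 # IFD0 at byte 8
    entry = struct.pack("<HHII", 0x010F, 2, 8, value_offset)   # tag, ASCII, count, offset
    ifd = struct.pack("<H", 1) + entry + struct.pack("<I", next_ifd)
    return header + ifd + b"Example\x00"                       # value really lives at 26


GOOD = build_sample()                      # offset 26 is inside the buffer
BAD_OFFSET = build_sample(0x7FFFFFF0)      # crafted: offset far outside the file
LOOPING = build_sample(next_ifd=8)         # crafted: IFD0 points back to itself
```

Every number the parser reads from the file flows through _check_range() before it is used as an index, and the chain walker keeps a set of visited offsets; those two habits cover the whole class of bug the report describes, regardless of which field happened to crash PHP.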
squid: several vulnerabilities
Package(s): squid
CVE #(s): (none listed)
Created: July 28, 2009
Updated: July 29, 2009
Description: From the Mandriva advisory: Multiple vulnerabilities have been found and corrected in squid:
Due to incorrect buffer limits and related bound checks Squid is vulnerable to a denial of service attack when processing specially crafted requests or responses. Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted responses. See this Squid advisory for more details.
znc: directory traversal
Package(s): znc
CVE #(s): (none listed)
Created: July 29, 2009
Updated: August 3, 2009
Description: A directory traversal vulnerability in znc can enable a remote IRC user, with inadvertent local cooperation, to overwrite local files.
Page editor: Jake Edge