Security
Brief items
Bitten by old bugs
Michal Zalewski recently publicized a couple of denial of service problems with the Postfix mailer. Distributors responded quickly; here's a quick look at who released updates and when:
| Distributor | Updated versions | Response time (days) |
|---|---|---|
| Conectiva | 7.0, 8 | 1 |
| Debian | 3.0 (woody) | 0 |
| EnGarde | Community 1.0.1, 2; Professional 1.1, 1.2, 1.5 | 1 |
| MandrakeSoft | 8.2, 9.0, Corp. Svr. 2.1; Firewall 8.2 | 1 |
| Red Hat | 7.3, 8.0, 9 | 1 |
| SuSE | 7.2, 7.3, 8.0, 8.1... | 1 |
| Trustix | 1.2, 1.5 | 3 |
(See the LWN vulnerability entry for current information on distributor updates). Here, "response time" is calculated as the number of days between the posting of Michal's advisory and the distributor update. Distributors clearly had a bit of advance notice with which to produce their updates, which is a good thing. There was very little delay before updates were made available to users.
The only problem is that, as Postfix creator Wietse Venema pointed out, both of the vulnerabilities had been fixed a long time ago. One of the problems was fixed in version 1.1.12, released in November, 2002. The other (fixed in 1.1.13) does not exist in Postfix 2.x, which has been available since February. But even relatively modern distributions (such as Red Hat Linux 9) are built with version 1.1.11, which dates back to May, 2002. It is laudable that the distributors were so quick to make updates available. But if they had stayed a little closer to the current release of Postfix, much of this scramble might have been unnecessary, at least for more recent distribution releases.
One can always come up with possible reasons for the shipping of such old software. For most distributions, only a small minority of users run Postfix, so it is probably relatively low on the prioritized list of packages to update. Switching to a new major release (2.0) is always a bit of a scary move; distributors tend not to rush into that sort of change. And, then, there is the little fact that neither fix was marked by the Postfix developers as a security fix. As we have seen in this case, distributors move quickly when a security issue is outstanding, but slowly otherwise.
The fixes were not advertised as being security related for a simple reason: the developers did not know - in either case - that a security bug was being fixed. One fix just sort of happened during a big (2.0) code reorganization, and the other fix looked like just another bug fix at the time. The end result is that, through inaction on the part of both developers and distributors, users have been running vulnerable code for months while a fix was available.
GNU project FTP server compromised
As described in this statement from the FSF, the GNU FTP server was compromised, and a trojan horse was found there. Interestingly, the compromise appears to have happened last March (via an exploit of the 2.4 ptrace() vulnerability), but it has only come to light now. The project has been going through a detailed effort to compare files against known checksums, and is cautiously concluding that no source code was modified by the crackers.
New vulnerabilities
ddskk: insecure temporary file
| Package(s): | ddskk | CVE #(s): | CAN-2003-0539 |
|---|---|---|---|
| Created: | August 11, 2003 | Updated: | August 12, 2003 |
| Description: | Daredevil SKK is a simple Kana to Kanji conversion program, an input method of Japanese for Emacs and XEmacs. ddskk does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and skk. The Common Vulnerabilities and Exposures project (cve.mitre.org) has allocated the name CAN-2003-0539 to this issue. | | |
| Alerts: | | | |
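The weakness above is the classic predictable-name temporary file: a program computes a name in a shared directory and opens it without checking whether something is already there. The following C program is an added example, not code from ddskk or from the advisory; it shows the insecure open next to two hardened forms (O_EXCL, then mkstemp()) and runs a self-contained check in a private directory it creates under /tmp. The directory, file and variable names are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: a predictable name in a shared directory, opened with
 * O_CREAT but without O_EXCL.  If that name already exists, for instance as
 * a symlink another local user left there, open() follows it and every
 * write lands in whatever the link points at. */
int open_temp_insecure(const char *dir, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/skk-%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened: O_EXCL makes open() fail with EEXIST when anything is already at
 * the path, symlinks included, so a planted entry is refused, not followed. */
int open_temp_exclusive(const char *dir, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/skk-%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Better still: mkstemp() combines O_EXCL and mode 0600 with an
 * unpredictable suffix, so there is no fixed name to plant anything at. */
int open_temp_mkstemp(const char *dir, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/skk-XXXXXX", dir);
    return mkstemp(path);
}

/* Sandbox check in a private directory: create a "victim" file and a
 * symlink at the predictable name pointing at it, then see which opener
 * follows the link.  Returns 1 when the insecure opener landed on the
 * victim's inode, the exclusive opener failed with EEXIST and mkstemp()
 * still produced a usable file; 0 otherwise; -1 if setup failed. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";   /* constructed sandbox path */
    char victim[256], path[256], safe[256];
    struct stat vst, fst;
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0) { rmdir(dir); return -1; }
    close(vfd);

    /* Place a link at the exact name the insecure opener will compute. */
    snprintf(path, sizeof path, "%s/skk-%ld", dir, (long)getpid());
    if (symlink(victim, path) != 0) { unlink(victim); rmdir(dir); return -1; }

    int bad = open_temp_insecure(dir, path, sizeof path);
    int good = open_temp_exclusive(dir, path, sizeof path);
    int good_errno = errno;
    int mfd = open_temp_mkstemp(dir, safe, sizeof safe);

    if (bad >= 0 && fstat(bad, &fst) == 0 && stat(victim, &vst) == 0
        && fst.st_dev == vst.st_dev && fst.st_ino == vst.st_ino
        && good < 0 && good_errno == EEXIST && mfd >= 0)
        result = 1;

    if (bad >= 0) close(bad);
    if (mfd >= 0) { close(mfd); unlink(safe); }
    unlink(path);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("planted entry refused by O_EXCL and mkstemp(): %s\n",
           demo_planted_symlink() == 1 ? "yes" : "no");
    return 0;
}
```

The check compares device and inode numbers rather than writing anything: the insecure descriptor turns out to refer to the victim file, while the exclusive open fails and mkstemp() succeeds on a fresh name. In real code the mkstemp() form is the one to use; O_EXCL alone still leaves a predictable name that can be occupied ahead of time.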
pam-pgsql: format string vulnerability
| Package(s): | pam-pgsql | CVE #(s): | CAN-2003-0672 |
|---|---|---|---|
| Created: | August 11, 2003 | Updated: | October 1, 2003 |
| Description: | Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication. | | |
| Alerts: | | | |
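The bug class here is a user-controlled format string. The C program below is an added example, not pam-pgsql's code: it models the shape the advisory describes (a message built from the username and then passed to a printf-family logger as the format) beside the fixed shape (literal format, username as a %s argument), with a small review helper that counts the conversions a string would trigger. The logging sink, message text and sample usernames are constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Small logging sink standing in for syslog(): takes a format and varargs. */
static int write_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape, modelled on the advisory's description: the username is
 * spliced into a message first, and the finished string is then handed to
 * the logger as its FORMAT argument.  Any '%' conversions in the name are
 * interpreted against arguments that were never passed, reading or (with
 * %n) writing memory the caller never intended.  Only ever called with a
 * plain name below. */
int log_auth_vulnerable(char *out, size_t outlen, const char *user)
{
    char msg[128];
    snprintf(msg, sizeof msg, "authentication attempt for user %s", user);
    return write_log(out, outlen, msg);            /* BUG: msg is the format */
}

/* Fixed shape: the format is a literal and the username is a %s argument,
 * so its bytes are copied verbatim and never interpreted. */
int log_auth_fixed(char *out, size_t outlen, const char *user)
{
    return write_log(out, outlen, "authentication attempt for user %s", user);
}

/* Returns 1 when the fixed logger reproduces the username byte-for-byte. */
int fixed_logs_verbatim(const char *user)
{
    char got[256], want[256];
    snprintf(want, sizeof want, "authentication attempt for user %s", user);
    log_auth_fixed(got, sizeof got, user);
    return strcmp(got, want) == 0;
}

/* Review aid: counts '%' sequences that would act as conversions if this
 * string were ever used as a format ("%%" is a literal percent sign).
 * Useful in a test harness that feeds captured usernames through the log
 * path: a non-zero count reaching an old-style logger is the bug. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[256];
    log_auth_fixed(buf, sizeof buf, "%x%x%n");      /* constructed hostile name */
    printf("fixed logger: %s\n", buf);              /* conversions stay literal */
    log_auth_vulnerable(buf, sizeof buf, "alice");  /* benign name only */
    printf("old logger with a plain name: %s\n", buf);
    printf("conversions in \"%%x%%x%%n\": %d\n", count_format_directives("%x%x%n"));
    return 0;
}
```

The vulnerable function is kept only for contrast and is never fed a name containing conversions; the assertion worth making is on the fixed path, which must emit the username unchanged whatever it contains. Compilers flag the vulnerable call when the logger is a real printf-family function (gcc's -Wformat-security); a wrapper like write_log() hides it from that warning, which is one reason such bugs survived in PAM modules.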
xpcd: buffer overflow
| Package(s): | xpcd | CVE #(s): | CAN-2003-0649 |
|---|---|---|---|
| Created: | August 13, 2003 | Updated: | August 13, 2003 |
| Description: | The xpcd utility contains a buffer overflow which can be exploited via over-long environment variables. | | |
| Alerts: | | | |
zblast: buffer overflow
| Package(s): | zblast | CVE #(s): | CAN-2003-0613 |
|---|---|---|---|
| Created: | August 11, 2003 | Updated: | October 1, 2003 |
| Description: | Steve Kemp discovered a buffer overflow in zblast-svgalib, when saving the high score file. This vulnerability could be exploited by a local user to gain gid 'games', if they can achieve a high score. | | |
| Alerts: | | | |
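Both the xpcd and the zblast entries are fixed-buffer overflows fed by local input: an environment variable in one case, a player name written into a high-score record in the other. The C program below is an added example, not code from either package; it shows the unbounded-copy shape beside bounded replacements that measure first and refuse input that does not fit, and includes helpers that exercise them on constructed input of chosen lengths. The variable name, record limit and sample values are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* constructed record limit for the high-score demo */

/* Vulnerable shape (environment variable, as in the xpcd entry): any local
 * user can set a variable to thousands of bytes before running a setuid or
 * setgid program, and an unbounded copy into a fixed buffer overflows it.
 * Shown for contrast only; it is never called with a long value here. */
void load_display_vulnerable(char display[64])
{
    const char *v = getenv("DISPLAY");
    if (v != NULL)
        strcpy(display, v);                        /* BUG: no length check */
}

/* Hardened: measure first and refuse over-long values outright.
 * Returns 0 on success, -1 when the variable is unset, -2 when it does not
 * fit.  Refusing beats silent truncation, which can leave a valid-looking
 * but wrong path or display name behind. */
int load_env_bounded(const char *name, char *dst, size_t dstlen)
{
    const char *v = getenv(name);
    if (v == NULL)
        return -1;
    size_t len = strlen(v);
    if (len >= dstlen)
        return -2;
    memcpy(dst, v, len + 1);
    return 0;
}

/* High-score record (as in the zblast entry): a player name stored next to
 * a score.  The vulnerable shape is sprintf() of the name into a fixed line
 * with no bound. */
struct score_entry { char name[NAME_MAX_LEN]; long score; };

/* Hardened: bound the name when it enters the record and treat a truncating
 * snprintf() return value as an error rather than writing a partial line.
 * Returns the line length on success, -1 on failure. */
int format_score_line(char *line, size_t linelen, const char *name, long score)
{
    struct score_entry e;
    size_t len = strlen(name);
    if (len >= sizeof e.name)
        return -1;                                 /* refuse, do not overflow */
    memcpy(e.name, name, len + 1);
    e.score = score;
    int n = snprintf(line, linelen, "%s %ld\n", e.name, e.score);
    if (n < 0 || (size_t)n >= linelen)
        return -1;                                 /* would not fit */
    return n;
}

/* Helpers: run the bounded routines on constructed input of a chosen length
 * and return their result codes (dstlen/linelen capped at 64 here). */
int env_result_for_length(size_t len, size_t dstlen)
{
    char dst[64];
    if (dstlen > sizeof dst)
        return -99;
    char *v = malloc(len + 1);
    if (v == NULL)
        return -99;
    memset(v, 'A', len);
    v[len] = '\0';
    setenv("XPCD_DEMO_VAR", v, 1);                 /* constructed variable */
    int r = load_env_bounded("XPCD_DEMO_VAR", dst, dstlen);
    unsetenv("XPCD_DEMO_VAR");
    free(v);
    return r;
}

int score_result_for_name_length(size_t len, size_t linelen)
{
    char line[64], name[128];
    if (linelen > sizeof line || len >= sizeof name)
        return -99;
    memset(name, 'p', len);
    name[len] = '\0';
    return format_score_line(line, linelen, name, 12345);
}

int main(void)
{
    printf("4000-byte env value into 64 bytes: %d\n", env_result_for_length(4000, 64));
    printf("10-byte env value into 64 bytes:   %d\n", env_result_for_length(10, 64));
    printf("7-char player name:  %d\n", score_result_for_name_length(7, 64));
    printf("40-char player name: %d\n", score_result_for_name_length(40, 64));
    return 0;
}
```

The two checks are deliberately different: the environment loader refuses when the value would not fit the destination, and the score writer refuses both when the name exceeds the record field and when the formatted line would not fit the output buffer (snprintf() reports the length it wanted, so a return value at or above the buffer size means truncation occurred).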
Resources
Phrack #61
Phrack issue 61 has been announced; it includes articles with titles like "Hijacking the Linux page fault handler," "Infecting loadable kernel modules," and "Hacking da Linux kernel network stack." Have fun...
LinuxSecurity.com newsletters
The latest Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.
Page editor: Jonathan Corbet