[LWN.net]


Security


News and editorials

Reputations Won and Lost. This week, an issue that drew less media hype than the Windows backdoor also surfaced. A commercial, Perl-based shopping cart, the Dansie Shopping Cart, was reported to contain a backdoor, one that automatically sent mail to the author of the software and also allowed the author to execute commands on the machine on which the software is installed. The Bugtraq discussion seems to indicate that the backdoor was created by the author in an attempt to allow him to check for unauthorized usage and/or automatically disable the software if he found it to be installed illegally. Unfortunately, acquiring the "key" from the code is reasonably easy to do, and it allows an unauthorized person to take far more illicit actions.

Whatever the original author's intentions, the revelation of his particular programming choices has both broken the faith of people who might use the product (it is very apparent in the code that the existence of the backdoor was meant to be hidden from a quick source code scan) and laid open his knowledge of security and programming techniques to severe criticism. In actions intended to better secure his revenue from the software, he has created a publicity roadblock to its adoption. Do note, however, that an updated version of the software without the backdoor is claimed to now be available.

QNX password encryption broken. Here's a brief article on Advogato on the breaking of the password encryption scheme for QNX - which is used in the Netpliance iOpener and a lot of other systems. Evidently the QNX folks decided to roll their own, closed-source, unreviewed encryption, with the usual results.

Encryption Matters, part 2. Inoshiro has posted part 2 of his series of articles on the importance of encryption.

Security Reports

Three security problems with GNU Emacs 20. RUS-CERT has issued an advisory outlining three security problems with all versions of GNU Emacs 20, up to and including emacs 20.6. The severity of the problems varies, but is high on multi-user systems. A patch is provided against emacs 20.6, though it requires glibc 2.1.

XFree86 server overflow. Michal Zalewski posted a report of a buffer overflow in XFree86 which he is confident can be exploited. The followup messages to this posting, however, did not confirm the problem, whether with vanilla XFree86 3.3.6 or 4.0.0, or with the XFree86 package as shipped with Red Hat 6.2. We'll post additional information as it becomes available.

imapd. Debates are nothing new in the security arena. This week, an overflow in imapd 4.7 was reported. This can be used to gain access to the mail account of an imapd user, which is a problem if a mail client is not supposed to have interactive access to the server. The usual discussions and workarounds were posted, followed later by a debate on whether or not the problem really needed to be fixed, since it did not allow unprivileged access. On that question, we would have to weigh in that it is a problem: any time a program has unexpected side effects or unintended capabilities, it should be either documented to warn people or fixed. In this case, it is to be hoped that the problem will be repaired, not just documented.

xfs. A denial of service vulnerability in the X font server under Red Hat 6.X has been reported. Later, Chris Evans posted a followup, pointing out that this is just one of many security problems in xfs that have been around for over a year without any fixes being produced.

Star Office 5.1. Michal Zalewski posted a note about the multitude of ways in which Star Office 5.1 could be made to overflow and crash. It seems that Star Office is mimicking Microsoft products right now to the bug level ...

nmh-1.0.4 released. Security problems were formerly reported in nmh-1.0.2. Unfortunately, the fixes to these problems in version 1.0.3 introduced other errors. Version 1.0.4 resolves the new errors and the original security problems, as well as introducing a list of new features and non-security fixes.

Updates

gpm-root improper permissions handling. Improper permissions handling in gpm was discussed in the March 30th LWN Security Summary.

This week's updates:

Previous updates:

pam and usermode. See discussion in the January 6th, 2000 LWN Security Summary.

imwheel. For more information, check the BugTraq vulnerability database entry. This vulnerability was first reported on March 13th, 2000.

Events

Final Call for extended abstracts, RAID 2000. The final call for extended abstracts for the RAID 2000 conference, scheduled for October 2nd through the 4th, 2000, in Toulouse, France, has been issued. Note also that the online proceedings for RAID 1998 and RAID 1999 are now available.

Section Editor: Liz Coolbaugh


April 20, 2000


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds