Security

News and Editorials

Code scanners. Two new security-related tools were announced this week, both of them source code scanners: RATS and flawfinder. Each examines source code for common coding mistakes that can lead to security vulnerabilities. In both tools the checks are limited to function calls: flawfinder carries a database of risky functions, and every reference to one of them in the scanned source is reported as a "hit" for the developer to examine. Flawfinder and RATS join its4, which LWN.net noted late last year. According to David Wheeler, author of the Secure Programming for Linux and Unix HOWTO, flawfinder is written in Python and was developed in response to issues surrounding Cigital's use of the term "open source" for its its4 product. The flawfinder and RATS developers have also agreed to work together: "The developers [of flawfinder and RATS] didn't know about each other's efforts until just before their releases, but they have agreed to coordinate in some way to create a 'best of breed' source code scanner."

These scanners are useful for finding calls to functions that are frequently at the root of security problems. Unfortunately, RATS wouldn't compile here even though the required Expat library was installed under /usr/lib; flawfinder worked out of the box, as did its4. The three produced differing results on the same piece of code. Each works from its own list of functions, and each flags every call to a listed function whether or not that particular call is exploitable, so the output is a list of places to review rather than a list of bugs. Such tools are helpful, but they are no cure for security problems in any software. They should be used alongside memory checkers that catch buffer overflows at run time, and, of course, nothing beats following some simple secure programming guidelines in the first place.

Hacker-tracking site throws in the towel (ZDNet). Defacement of web sites has become such a common problem that Attrition.org, a volunteer-run web site that follows computer security issues, is halting its tracking of these events.
According to the ZDNet story, when online vandals deface a site, they typically tip off Attrition, which then confirms the defacement by going to the tagged page itself, copying the page and putting it in the archive.
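Returning to the code scanners item above: the following is an added example, written for this page, of how a function-call scanner of the flawfinder/RATS/its4 kind works. It is not code from any of those tools. The ruleset (function names, risk levels, advice) is this example's own constructed database, and SAMPLE_C is a constructed C fragment. Beyond the plain "flag every listed function" behaviour described above, it blanks out comments and string literals before matching and skips format-string rules when the format is a literal, which is where the differing results between tools typically come from.

```python
import re

# Constructed ruleset in the spirit of a flawfinder/RATS function database.
# The names, risk levels and advice are this example's own, not either tool's.
# name -> (risk level 1..5, index of the format argument or None, advice)
RULES = {
    "gets":    (5, None, "reads without a bound; use fgets with sizeof(buf)"),
    "strcpy":  (4, None, "no destination bound; check the length or use strlcpy"),
    "strcat":  (4, None, "no destination bound; check the length or use strlcat"),
    "sprintf": (4, None, "no destination bound; use snprintf"),
    "system":  (4, None, "argument goes through the shell; use execve with a fixed argv"),
    "mktemp":  (4, None, "predictable name, racy open; use mkstemp"),
    "printf":  (3, 0,    "format under caller control; pass a literal format"),
    "syslog":  (3, 1,    "format under caller control; pass a literal format"),
}

# A call is "name(" with a word boundary before the name, so fgets/fprintf
# and identifiers such as my_strcpy are not matched.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)


def blank_noise(source):
    """Overwrite comments and string literals with spaces of the same length,
    keeping newlines, so offsets and line numbers still match the source."""
    return NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)


def split_args(text):
    """Split the text following a call's '(' at top-level commas, honouring
    nested brackets and string literals; stops at the closing ')'."""
    args, cur, depth, in_str, i = [], "", 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            cur += c
            if c == "\\":          # keep the escaped character with its backslash
                cur += text[i + 1:i + 2]
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str, cur = True, cur + c
        elif c in "([{":
            depth, cur = depth + 1, cur + c
        elif c in ")]}":
            if depth == 0:
                break
            depth, cur = depth - 1, cur + c
        elif c == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    args.append(cur.strip())
    return args


def scan(source, min_level=1):
    """Return hits as (line, function, level, advice), highest risk first.
    A format-string rule is skipped when the format argument is a string
    literal, since a constant format cannot be attacker-controlled."""
    hits = []
    raw_lines = source.splitlines()
    clean_lines = blank_noise(source).splitlines()
    for lineno, (raw, clean) in enumerate(zip(raw_lines, clean_lines), 1):
        for m in CALL_RE.finditer(clean):
            name = m.group(1)
            level, fmt_idx, advice = RULES[name]
            if fmt_idx is not None:
                args = split_args(raw[m.end():])   # same offsets as in `clean`
                if fmt_idx < len(args) and args[fmt_idx].startswith('"'):
                    continue
            if level >= min_level:
                hits.append((lineno, name, level, advice))
    hits.sort(key=lambda h: (-h[2], h[0]))
    return hits


# Constructed C fragment used as sample input (not from any real project).
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* strcpy(inside, comment) is not a hit */
void greet(const char *user, const char *msg) {
    char buf[64];
    strcpy(buf, user);            /* hit: unbounded copy into buf */
    printf("hello %s\n", buf);    /* literal format: not a hit */
    printf(msg);                  /* hit: caller controls the format */
    syslog(LOG_INFO, msg);        /* hit: caller controls the format */
    my_strcpy(buf, "strcpy(x)");  /* neither identifier nor literal is a hit */
    gets(buf);                    /* hit: unbounded read */
}
'''

if __name__ == "__main__":
    for line, name, level, advice in scan(SAMPLE_C):
        print(f"{line}: [{level}] {name}: {advice}")
```

Run on SAMPLE_C it reports gets (line 14), strcpy (line 9), printf (line 11) and syslog (line 12), and nothing for the comment, the string literal, the my_strcpy identifier or the printf with a constant format. Note what it does not do: it cannot tell whether user on line 9 is ever longer than 63 bytes, which is exactly why such a hit list is a starting point for review, not a verdict.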
Rethinking Music Security (Wired). SDMI appears to be mired in its members' own political posturing, according to this Wired News story. "SDMI's Phase II specifications were to provide hardware and software makers with parameters to build players that would work with secure formats, legally obtained MP3s and CDs, while blocking access to files that had been hacked. But the consortium became entangled in its own internal politics, which ended any chance of the screening specifications getting developed."

Security Reports

Reiserfs kernel race condition. A race condition in reiserfs has been reported that can expose raw data from the disk to an unprivileged user. Chris Mason has made a patch available to fix the problem; check the reiserfs mailing list for details. The same problem has been reported to affect the ufs and ext2fs drivers on FreeBSD systems.
MIT Kerberos FTP daemon buffer overflows. Multiple buffer overflows have been reported and confirmed in the GSSAPI-aware ftpd included with MIT Kerberos 5, all versions. If anonymous FTP is enabled, a remote root exploit is possible; otherwise the overflows still yield root, either to a local user or remotely to anyone who holds a valid login.
Red Hat update to mktemp. Red Hat has issued a security update for mktemp; the version shipped in certain releases of their distributions does not support creating temporary directories.

Updates

man -S heap overflow. Check the May 17th LWN Security Summary for the initial report. Exploitability depends on whether the man command is installed setgid to group man.
This week's updates:

ptrace/execve/procfs race condition in the Linux kernel 2.2.18. Exploits were released the week of March 29th for a ptrace/execve/procfs race condition in the Linux kernel 2.2.18; an upgrade to Linux 2.2.19 is recommended. The Linux 2.2.19 release notes give the specifics on all the security-related fixes in 2.2.19 (all thirteen of them!) and credit the Openwall project and Chris Evans with the majority of the third-party testing and auditing work that turned up these bugs. Fixes for the same bugs have also been ported forward into the 2.4.x kernel series.
This week's updates:
Previous updates:

XEmacs/gnuserve. Check the February 8th Security Summary for details.
This week's updates:
Previous updates:

mgetty tmp file race problem. mgetty was one of twelve packages reported in January to contain tmp file race problems. Check the January 11th LWN Security Summary for the initial report.
This week's updates:
Previous updates:

Minicom XModem format string vulnerabilities. Check the May 10th LWN Security Summary for the original report, or BugTraq ID 2681.
This week's updates:
Previous updates:

gnupg. gnupg 1.0.5 was released on April 29th. Check the May 3rd LWN Security Summary for details. An upgrade to 1.0.5 is recommended.
This week's updates:
Previous updates:

Samba local disk corruption vulnerability. Check the April 19th LWN Security Summary for the original report (BugTraq ID 2617). The problem was first addressed in Samba 2.0.8, but Andrew Tridgell has since released Samba 2.0.9, stating that the fix in 2.0.8 did not really resolve it. All versions from (and including) 1.9.17alpha4 up to and including 2.0.8 should therefore be considered vulnerable, and an upgrade to 2.0.9 is recommended. Samba 2.2.0 users are not affected by this problem.
This week's updates:

OpenSSH 2.5.2p2 released. Check the March 29th LWN Security Summary for the original report.
This week's updates:
Resources

Linux Kernel Instrumentation Project. John Munson has formed a group to work on instrumenting various kernels, from Linux to BSD. Here is the introduction from the project's SourceForge home: "Hand instrumentation of common kernels for the purpose of behavioral analysis, and kernel modifications that ensure the proper execution of the processes analyzing the behavioral profiles produced. Proposed kernels: Linux, *BSD, and Solaris."
Worldwide Copyrights a Quagmire? (Wired). Wired News has an article on Richard Stallman's presence at a Commerce Department roundtable on the Hague Convention. "Currently the Hague Convention includes copyright offenses in a section that Stallman, Internet providers, and consumer groups are lobbying to remove. Stallman, for instance, claims countries that are even more permissive about awarding software patents could sue U.S. programmers for violating them -- and thereby wreak havoc on the free software movement."

Events

Upcoming Security Events.

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Michael J. Hammel
May 24, 2001