Security

News and Editorials

Non-executable stack and heap for Linux. Discussion regarding the security value and cost of implementing non-executable stack and heap for Linux was revived this week with the announcement of RSC, a non-executable stack and heap kernel module for Linux by author Paul Starzetz. Other projects with similar goals were discussed, such as PAX, announced back in October. Non-executable data areas, of course, are interesting to some because they can block certain types of buffer overflow attacks.
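As an added illustration of the property these patches enforce (example code written for this page, not RSC or PAX code): a small C scanner over the /proc/<pid>/maps format that reports mappings which are both writable and executable, the condition a non-executable stack and heap rule out. The sample listing is constructed (the i386 addresses and the [heap]/[stack] labels are assumptions), and scan_self() reads the running process's own map on a Linux host.

```c
/* Added example; not code from LWN, RSC or PAX.  Scans a /proc/<pid>/maps
 * listing and reports every mapping that is both writable and executable,
 * which is exactly what a non-executable stack and heap rule out.  The
 * sample listing is constructed; scan_self() reads the running process's
 * own map on a Linux host. */
#include <stdio.h>
#include <string.h>

struct wx_finding {
    unsigned long start, end;
    char path[128];        /* pathname field, "" for anonymous mappings */
};

/* Classify one maps line ("start-end perms offset dev inode [path]").
 * Returns 1 and fills *out when the mapping is writable and executable,
 * 0 otherwise (including lines that do not parse). */
int classify_line(const char *line, struct wx_finding *out)
{
    unsigned long start, end;
    char perms[8];
    char path[128] = "";

    /* %*s skips offset, dev and inode; path is absent for anonymous maps */
    if (sscanf(line, "%lx-%lx %7s %*s %*s %*s %127s",
               &start, &end, perms, path) < 3)
        return 0;
    if (!strchr(perms, 'w') || !strchr(perms, 'x'))
        return 0;
    out->start = start;
    out->end = end;
    snprintf(out->path, sizeof out->path, "%s", path);
    return 1;
}

/* Scan a whole listing held in memory.  Returns the number of W+X
 * mappings and copies the first max_out of them into out[]. */
int scan_maps_text(const char *text, struct wx_finding *out, int max_out)
{
    int found = 0;
    const char *p = text;
    while (*p) {
        char line[512];
        struct wx_finding f;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);
        if (classify_line(line, &f)) {
            if (found < max_out)
                out[found] = f;
            found++;
        }
    }
    return found;
}

/* Same scan over /proc/self/maps.  Returns -1 if it cannot be opened. */
int scan_self(struct wx_finding *out, int max_out)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    char line[512];
    int found = 0;
    if (!fp)
        return -1;
    while (fgets(line, sizeof line, fp)) {
        struct wx_finding f;
        if (classify_line(line, &f)) {
            if (found < max_out)
                out[found] = f;
            found++;
        }
    }
    fclose(fp);
    return found;
}

/* Constructed sample: an i386 layout with an executable heap and stack,
 * the situation a non-executable data-segment patch prevents. */
const char *sample_maps =
    "08048000-08050000 r-xp 00000000 03:01 12345      /usr/sbin/lpd\n"
    "08050000-08052000 rw-p 00008000 03:01 12345      /usr/sbin/lpd\n"
    "08052000-08070000 rwxp 00000000 00:00 0          [heap]\n"
    "40000000-40015000 r-xp 00000000 03:01 6789       /lib/ld-linux.so.2\n"
    "bfffe000-c0000000 rwxp 00000000 00:00 0          [stack]\n";

int main(void)
{
    struct wx_finding f[32];
    int n = scan_maps_text(sample_maps, f, 32);
    printf("sample listing: %d writable+executable mapping(s)\n", n);
    for (int i = 0; i < n && i < 32; i++)
        printf("  %08lx-%08lx %s\n", f[i].start, f[i].end, f[i].path);
    n = scan_self(f, 32);
    if (n >= 0)
        printf("this process: %d writable+executable mapping(s)\n", n);
    return 0;
}
```

Run against a live process, a non-zero count from scan_self() is the first thing to look at when deciding whether a non-executable data patch would change anything for that program; a JIT or an old binary with an executable stack request will show up here.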
During the discussion, Crispin Cowan posted this message which provides links to prior discussions on this topic, related papers and more. We recommend perusing it if you are interested in the topic.
He summed up the argument for non-executable heap and stack fairly succinctly, presuming, of course, that the implementation costs are not too high. Crispin writes:
That is, of course, not the end of the conversation - not everybody thinks that the "security through obscurity" approach of non-executable data segments is worth the trouble.

Open source to the rescue (ZDNet UK). This article in ZDNet UK looks at the European Parliament's stand on open source. "I thought this particularly interesting since it was among the resolutions voted for by the European Parliament, and must surely be the first time any parliament has come out and said that open source software is intrinsically more secure than closed source software. Microsoft take note. More interesting still was the European Parliament's resolution to urge member states to devise ''measures to promote, develop and manufacture European encryption technology and software and, above all, to support projects aimed at developing user-friendly open-source encryption software.''"

Pittsburgh Company Helps Write Code for European Privacy Standards on Web (Pittsburgh Post-Gazette). Bright Plaza, Inc., a Pittsburgh, USA-based technology firm, will be working with the European Commission as they look at developing a prototype for new software to protect privacy on the Web. "The EC initiative is driven by a widespread European belief that life in the Information Age makes personal information far too accessible, said [Carnegie Mellon University scientist Robert] Thibadeau. 'The Europeans are ahead of the U.S.,' he said. 'They regard privacy as if it's part of you as a human being. And they say the state has an obligation to protect your privacy, just as it has an obligation to protect your life'".

Fluffy Bunny speaks on IRC. The cracker behind the SourceForge, Themes.org and Apache break-ins has apparently done an IRC interview, the summary of which has been posted to SecurityFocus. "The cracker also explained how all the recent compromises were related. The common link: a packet sniffer Fluffy Bunny put in place on Exodus.
"There was a sniffer on exodus yes, but there are sniffers everywhere," Bunny wrote." The identity of the interviewee has not been confirmed, however. (Thanks to Joe Barr)

Security Reports

LPRng supplemental group membership vulnerability. LPRng fails to drop membership in supplemental groups at the same time it drops setuid and setgid privileges. As a result, such supplemental groups may provide access to enhanced privileges. This bug was not referenced on the LPRng home page, but Red Hat has issued updated packages with a fix for the problem. This is also covered in BugTraq ID 2865.

XFree86 X font server (xfs) denial-of-service vulnerability. The X font server xfs, part of XFree86, has been reported to contain a denial-of-service vulnerability. When connected to "numerous" times and given random data, xfs may crash, which can, in turn, cause the X server to crash as well. This is only applicable to font servers that are listening to TCP/IP, which is likely only the case for a machine that is serving X terminals. No workaround or fix for the problem has been reported so far.

gdm cookie vulnerability. gdm 2.2.2.1 has been released and, according to the changelog, contains a fix for a security problem under which an attacker could log in, save his cookie and then have that cookie used by the next person to log in.
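The LPRng item above describes an incomplete privilege drop. The following added example (not LPRng's code or Red Hat's fix) shows the order such a drop has to follow, and an audit over the /proc/<pid>/status format that spots the symptom of this class of bug: a process whose uid is unprivileged but whose Groups: line still lists privileged groups. The status excerpts, the lp uid/gid values and the privileged-group list are constructed assumptions.

```c
/* Added example; not LPRng's code nor Red Hat's fix.  drop_privileges()
 * is the ordering a setuid daemon needs (clear supplementary groups,
 * then gid, then uid).  parse_status() and leftover_groups() audit a
 * /proc/<pid>/status listing for the symptom of the LPRng bug: an
 * unprivileged uid whose Groups: line still carries privileged groups.
 * The status listings below are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

int setgroups(size_t size, const gid_t *list);  /* in case a strict -std hides it */

#define MAX_GROUPS 64

/* Permanently drop from root to uid/gid.  setgroups() is the call LPRng
 * skipped and must come first, since it needs root.  Returns 0, or -1
 * with errno set, in which case the caller must abort, not carry on. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0) {     /* the drop must be irreversible */
        errno = EPERM;
        return -1;
    }
    return 0;
}

struct proc_ids {
    unsigned uid, gid;                 /* real ids from the Uid:/Gid: lines */
    unsigned groups[MAX_GROUPS];       /* supplementary groups */
    int ngroups;
};

/* Parse the Uid:, Gid: and Groups: lines of a /proc/<pid>/status
 * listing.  Returns 0 if all three were present, -1 otherwise. */
int parse_status(const char *text, struct proc_ids *ids)
{
    int seen = 0;
    const char *p = text;
    ids->ngroups = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024];
        unsigned v;
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        if (sscanf(line, "Uid: %u", &v) == 1) {
            ids->uid = v;
            seen |= 1;
        } else if (sscanf(line, "Gid: %u", &v) == 1) {
            ids->gid = v;
            seen |= 2;
        } else if (strncmp(line, "Groups:", 7) == 0) {
            const char *q = line + 7;
            char *end;
            /* strtoul skips blanks; end == q means no more numbers */
            while (ids->ngroups < MAX_GROUPS) {
                unsigned long g = strtoul(q, &end, 10);
                if (end == q)
                    break;
                ids->groups[ids->ngroups++] = (unsigned)g;
                q = end;
            }
            seen |= 4;
        }
    }
    return seen == 7 ? 0 : -1;
}

/* Supplementary groups an unprivileged process should no longer hold:
 * gid 0 plus any gid in the caller's privileged list.  A process still
 * running as uid 0 is not audited (returns 0). */
int leftover_groups(const struct proc_ids *ids, const unsigned *priv, int npriv)
{
    int bad = 0;
    if (ids->uid == 0)
        return 0;
    for (int i = 0; i < ids->ngroups; i++) {
        int hit = ids->groups[i] == 0;
        for (int j = 0; j < npriv && !hit; j++)
            hit = ids->groups[i] == priv[j];
        bad += hit;
    }
    return bad;
}

/* Constructed excerpts: an lpd that switched to lp (uid 4, gid 7) but
 * kept root's supplementary groups, and one that cleared them. */
const char *status_leaky =
    "Name:\tlpd\nUid:\t4\t4\t4\t4\nGid:\t7\t7\t7\t7\nGroups:\t0 10 \n";
const char *status_clean =
    "Name:\tlpd\nUid:\t4\t4\t4\t4\nGid:\t7\t7\t7\t7\nGroups:\t\n";

int main(void)
{
    const unsigned priv[] = { 10 };   /* e.g. wheel; an assumed local policy */
    struct proc_ids ids;
    if (parse_status(status_leaky, &ids) == 0)
        printf("leaky lpd: %d privileged group(s) left\n", leftover_groups(&ids, priv, 1));
    if (parse_status(status_clean, &ids) == 0)
        printf("fixed lpd: %d privileged group(s) left\n", leftover_groups(&ids, priv, 1));
    return 0;
}
```

The audit side is what an administrator can run today against a daemon that is already up: read /proc/<pid>/status for the service, feed it to parse_status(), and treat any non-zero leftover_groups() result as a privilege drop that stopped halfway, which is precisely the LPRng failure.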
xinetd buffer overflow. A buffer overflow has been reported in xinetd which may be exploitable either to gain elevated privileges or to cause a denial-of-service. The buffer overflow is in the ident logging portion of xinetd, so one workaround to the problem is to disable ident logging.

Linux FPF kernel module denial of service vulnerability. FPF is a Linux kernel module which can be used to alter the Linux TCP/IP stack in order to emulate other operating systems when the system is probed by tools such as nmap or Queso. With the patch applied, it is possible to cause the kernel to panic by sending it multiple fragmented packets. A fix for the problem has been released. Nonetheless, the authors still state that the module has some problems and they recommend against using it on servers.

exim format string vulnerability. A locally-exploitable format string vulnerability has been reported in exim, a GPL-d Mail Transfer Agent. Root access may be gained if the 'syntax checking' mode is turned on (not the default). Workarounds and an unofficial patch are available. The patch will be rolled into exim 3.30, which is expected to be released "soon".

man-db nested calls vulnerability. The man-db vulnerability of the week involves the manner in which calls to drop_effective_privs and regain_effective_privs are handled. Nested versions of such calls can be used to cause man-db to regain privileges too early, which could result in a user being able to create files as user man.

su-wrapper buffer overflow. su-wrapper is used to execute processes under different uids. A buffer overflow has been reported in su-wrapper 1.1.1. No official patch or upgrade has been released, but an unofficial, untested patch has been posted.

Fcron symbolic link vulnerability. fcron is a periodic command scheduler which implements the functionality of vixie cron but does not assume that your system runs all the time or regularly. A symbolic link vulnerability has been reported in fcron 1.0.
Versions 1.0.1, 1.0.2 and 1.0.3 have been reported not vulnerable, so presumably an upgrade to one of these versions will resolve the problem. No information on whether or not the latest development version, 1.1.0, is affected has been posted.

TIAtunnel remote access vulnerability. TIAtunnel is a simple IRC bouncer, released under the GPL. A vulnerability has been reported in TIAtunnel that can be exploited by a remote attacker to gain a local shell under the TIAtunnel account. This was found in PKCrew TIAtunnel 0.9alpha2 and has been fixed in TIAtunnel 0.9alpha3. Note that a stable version of the software has not yet been released.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:
Updates

ispell symbolic link vulnerabilities. Check the June 7th LWN Security Summary for the original report.

This week's updates:
xinetd default umask vulnerability. Check the June 7th LWN Security Summary for the original report. Fixing the problem simply requires that the default umask for xinetd be set to 022 instead of 000. This is also covered in BugTraq ID 2826.

This week's updates:

Previous updates:
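To show what the xinetd umask change above actually buys, an added example (not xinetd's code): it creates a file the way a server opens a log or spool file, once under umask 000 and once under 022, in a scratch directory, and returns the permission bits the file ended up with. The /tmp scratch path is an assumption.

```c
/* Added example, not xinetd's code: shows what a daemon's umask does to
 * the files it creates.  mode_after_umask() creates a file with the
 * requested umask in a throwaway directory and returns the permission
 * bits the file actually got; world_writable() is the check an auditor
 * would run over a spool or log directory. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

char *mkdtemp(char *template);   /* prototype in case a strict -std hides it */

/* Create a file with open(O_CREAT, 0666) under the given umask, as a
 * server opening a log or spool file would, and return st_mode & 0777.
 * Returns -1 on any failure.  The caller's umask is restored. */
int mode_after_umask(mode_t mask)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";    /* constructed scratch path */
    char path[64];
    struct stat st;
    int fd, result = -1;
    mode_t saved;

    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/spool", dir);
    saved = umask(mask);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(saved);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* 1 if the mode grants write access to "other", 0 otherwise. */
int world_writable(int mode)
{
    return (mode & S_IWOTH) != 0;
}

int main(void)
{
    int lax = mode_after_umask(0000);    /* xinetd's old default */
    int fixed = mode_after_umask(0022);  /* the recommended setting */
    printf("umask 000 -> %04o (world-writable: %d)\n", lax, world_writable(lax));
    printf("umask 022 -> %04o (world-writable: %d)\n", fixed, world_writable(fixed));
    return 0;
}
```

With umask 000 every file a daemon creates with the usual 0666 request is world-writable, which is why the fix is a one-line configuration change rather than a code patch; the same check is worth running over any service's spool and log directories after an upgrade.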
gnupg format string vulnerability. Check the May 31st LWN Security Summary for the initial report. gnupg 1.0.5 and earlier are vulnerable; gnupg 1.0.6 contains a fix for this problem and an upgrade is recommended. Werner Koch also sent out a note warning of minor build problems with gnupg 1.0.6 when compiled without gcc.

This week's updates:
multiple imapd buffer overflows. Check the March 15th LWN Security Summary for the original report. This is also covered in BugTraq ID 2856.

This week's updates:

Previous updates:

GTK+ module use in setgid/setuid programs. Check the January 4th, 2001 Security Summary for the original discussion of this issue. The official position of the GTK+ team is that setuid and setgid programs are a bad idea for GUI toolkits and are not supported by the GTK+ toolkit.

This week's advisories:
Multiple buffer overflows in tcpdump. Multiple buffer overflows in tcpdump were reported in our November 2nd, 2000 edition. Check also BugTraq ID 1870.

This week's updates:

Previous updates:
Resources

IBM Whitepaper: The Linux Security 'State of the Union'. Although dated May 11, 2001, this IBM whitepaper first came our way this week. It contains a nice description of Linux security efforts, such as LIDS, Snort, RSBAC, NSA Security Enhanced Linux, StackGuard, packet filtering, LOMAC, PortSentry and TCS.

New SecurityPortal moderated security discussion list. SecurityPortal has started a new, moderated discussion list for security issues, seeded with a few SecurityPortal people to make sure that an effort is made to answer questions posed to the list.

Events

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
June 14, 2001