[LWN Logo]
[LWN.net]

Sections:
 Main page
 Linux in the news
 Security
 Kernel
 Distributions
 Ports
 Development
 Commerce
 Announcements
 Back page
All in one big page

See also: last week's Security page.

Security


A couple of security patches have come out. Most people probably won't need these, but for those who do...
  • There is a new version of pam_smb available. This is a PAM module which allows Linux users to be authenticated from a Samba or NT server, for those who want to have a single authentication database for a mixed network.

  • A patch for knfsd is also available. Knfsd is the kernel NFS daemon, which is currently only used with 2.1 kernels. If you're running kernel NFS under 2.1, you may want to have a look at this one.

Savetextmode, a script from svgalib, has security problem in some distributions due to its use of files under /tmp. Adrian Voinea reported the problem initially. Ben Collins confirms the potential problem, but indicates that it has been fixed in Debian 2.0. According to reports, it is not fixed in RedHat 5.1, svgalib-1.2.13-5. The problem appears to have been fixed in svgalib-1.3.1.

In another comment on the security of svgalib, Nergal posted a note to Bugtraq about problems in zgv These were reviously reported to Bugtraq by Paul Boehm, but believed to be unexploitable. Nergals' note describes the fallacies in this belief. He does not provide a patch, but instead recommends that zgv be installed non-suid if possible. Expect to see new svgalib advisories coming out in the near future, as a result. Patches for zgv have already been forwarded to the security-audit group.

Matt Watson and Brian Mitchell discussed problems with iplogger on the Bugtraq list this week. The upshot is that there are concerns about iplogger's use of a double fork, and an ident overflow in the latest version.

For anyone who picked up der Mouse's version of tar with his evil-archive paranoia code, this note from der Mouse points out a bug that has been found in his tar.

The topic of the Netscape browser "What's Related" button has come up. This button allows a user to look for sites "related" to the page they are currently viewing. This functionality is provided by a query which sends the URL of the current page to www-rl.netscape.com. However, depending on your browser's preferences, this information may be sent either only when you click on the button, or for every page you view once you have clicks on this button once, or even for every page you view whether or not you have ever clicked on this button. Flemming S. Johansen provided this description.

Depending on the version of Netscape you are running, 4.06 or later, the default setting is apparently either to always send the information or to send it after first use. The latter behavior has been confirmed for Linux running Netscape 4.5.

If you do not like this behavior, it is recommended that you check your preferences and set them to something more appropriate than the default behavior.

Here is a site that has been following this issue closely and has many pungent remarks to make about this feature. The privacy forum digest also contains comments from Lauren Weinstein who has opened a dialogue with Netscape about these issues.

Speaking of Netscape, here is their acknowledgement of the Buffer Overflow vulnerability in Netscape found by Dan Brumleve that we reported last week. Note that they mention that the vulnerability is only theoretically exploitable, but this is incorrect, as Dan points out.

On a more simple note, but thought-provoking, apparently under 4.07, your preferences may be ignored when a new Window is opened. Here is the report from Bill Becker. This has not yet been confirmed by any alternate source.

In a last comment on problems with Netscape this week, confirmation has been received that, in some versions of Netscape, Javascript may continue to be processed even when it has been disabled in your preferences. This is definitely a problem if you have turned off javascript in order to protect yourself against recently reported security problems. Here is a confirmation of this from Jukka Suomela.

Serge Orlov has announced the first release of his multi-stack allocator for C programs. This is a technique that helps prevent exploits for most bufferflows. He commented that it is not a complete solution. Several people asked him questions about multi-stack, particularly how it compares to StackGuard. He posted this followup.


October 29, 1998

 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 1998 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds