News and Editorials
The trouble with big libraries. Chris Evans has turned up a number of security problems with libX11 - the low-level library that handles communication with the X window system server. The details can be found in this posting. Suffice it to say that they are problematic.
But the real problem, as pointed out by Mr. Evans, is that libX11 is a very large body of code. The difficulty of securing large programs has been well known for some time. Even though libX11 is high-quality code that has had more than a decade of debugging, it's still not possible to have a high degree of confidence in its security.
So one of the keys to security is to write small, auditable programs. But even small programs can end up linking to very large libraries. Thus, in this case, any program that presents a graphical interface is a large program, whether it looks that way or not. The implication is that no graphical program, no matter how carefully written, can be secure if it is run in a privileged mode.
To an extent this problem can be worked around by separating out privileged operations into a separate program. That is what was done with xterm, for example; the "utempter" program handles the privileged operation of changing the utmp file, so that xterm itself can run unprivileged. But more complicated situations will not always lend themselves to this sort of easy separation of tasks. Just another reminder that security is a hard problem.
(Chris Evans has also posted on problems he found with the libICE library and xdm. Since the xdm source is used for many other display managers, including KDE's kdm, problems in that program could turn up in many other places.)
Another fix for the 2.2 capability bug. The proper way to fix the 2.2 capability bug, which has been much discussed over the last couple of weeks, is to upgrade to the 2.2.16 or 2.2.17pre kernel. However, a kernel upgrade is not an easy thing for every site to do, and the newer kernels have some difficulties of their own. Those not wanting to perform the upgrade may want to have a look at the "capcheck" module, announced by Lionel Cons at CERN.
Capcheck is a loadable kernel module which replaces the "capset" system call with a much more restrictive version. It can be loaded into a running kernel, and immediately closes the capability hole. Those who are interested can get the source from the capcheck download site. There are also binary modules there, but loading random binary modules as a security fix is a bit of a self-contradictory action.
This fix is a clever use of loadable kernel modules. It also demonstrates the scope of what these modules can do. A module, once loaded into the system, can change its behavior in wide-ranging and subtle ways. Kernel modules have been little-used in attacks on systems thus far, but eventually some clever attacker will find a use for this mechanism. For this reason, many security-conscious sites disable module loading entirely, either via explicit kernel configuration or by using the capability bounding set. For those not wanting to go so far, a degree of caution is necessary. The capcheck module is short and easy to look over; paranoid administrators may want to do that before installing it.
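As an added illustration of the "capability bounding set" approach mentioned above (example script, not code from the page or from the capcheck project): on a 2.2 kernel the bounding set lives in /proc/sys/kernel/cap-bound as a signed decimal integer, and clearing the CAP_SYS_MODULE bit (bit 16 in linux/capability.h) stops any further module loading until the next reboot, since the kernel lets processes other than init only remove bits from that set. The file path and bit number are as assumed here; run with --apply as root to actually change the setting.

```shell
#!/bin/sh
# Added example (not from the LWN page or the capcheck project): remove
# CAP_SYS_MODULE from the Linux 2.2 capability bounding set so that no
# further kernel modules can be loaded. Assumes a 2.2 kernel exposing
# /proc/sys/kernel/cap-bound, which holds the set as a signed decimal int.

CAP_SYS_MODULE=16                   # bit number from linux/capability.h (2.2)
CAP_BOUND_FILE=/proc/sys/kernel/cap-bound

# Compute the bounding-set value with one capability bit cleared.
# Arguments: current value (signed decimal), capability bit number.
# Prints the new value as a signed 32-bit decimal, the form cap-bound expects.
drop_cap_bit() {
    cur=$1; bit=$2
    # Work on the low 32 bits, clear the bit, then sign-extend again so that
    # e.g. -1 (all capabilities) becomes -65537 rather than 4294901759.
    v=$(( (cur & 0xFFFFFFFF) & ~(1 << bit) ))
    if [ $(( v & 0x80000000 )) -ne 0 ]; then
        v=$(( v - 0x100000000 ))
    fi
    echo "$v"
}

# Read the current set, clear CAP_SYS_MODULE, and write the result back.
# Needs root; after this, even root cannot load modules until reboot.
disable_module_loading() {
    cur=$(cat "$CAP_BOUND_FILE")
    new=$(drop_cap_bit "$cur" "$CAP_SYS_MODULE")
    echo "$new" > "$CAP_BOUND_FILE"
    echo "cap-bound: $cur -> $new"
}

if [ "${1:-}" = "--apply" ]; then
    disable_module_loading
fi
```

Because the write itself is irreversible, take the value printed before applying it and check it against the one you expect; a wrong mask can lock out other capabilities as well.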
Crypto-gram newsletter. Here is the latest Crypto-gram newsletter from Bruce Schneier. The main topic is the new SOAP protocol, which is being promoted as an open source standard. "Because no security is required in either HTTP, XML, or SOAP, it's a pretty simple bet that different people will bungle any embedded security in different ways, leading to different holes on different implementations. SOAP is going to open up a whole new avenue for security vulnerabilities."
Remote exploit in Zope 2.1.6. Digital Creations has issued an alert describing a remotely-exploitable security problem with Zope 2.1.6 and earlier. A new 2.1.7 release has been put out (along with a patch for those needing to stay at 2.1.6) that fixes the problem. Upgrades are strongly recommended. Note that the problem affects the 2.2 beta 1 release as well. (Thanks to Paul Hewitt and John Rowell).
A new Kerberos problem. A vulnerability in the Kerberos 1.1 (and later) gssftp daemon has been announced. The daemon allows remote users to perform certain FTP commands that shouldn't be allowed, leading to possible denial of service attacks and, in some cases, root compromise. A small patch is included with the announcement which fixes the problem. Note that the krb5-1.0.x distributions are not vulnerable.
PHP disclosure problems. PHP 3.0 can, when faced with certain illegal POST requests, disclose more information (including local file names) than is desirable. This information is not enough to compromise a system in itself, but it could prove useful to an attacker. This announcement from H.D. Moore describes the problem and gives a workaround.
Insecure communications in emacs. GNU emacs uses subprocesses to perform a great deal of work, including compilations, shell mode, and running debuggers. It turns out that it is easy for outsiders to listen in on the communications between emacs and these processes. The hole has been closed with the release of emacs 20.7.
This week's updates:
Common Unix Print System. A remotely-exploitable denial of service problem exists with CUPS, a replacement for the old lpd print system. See this alert for details; it also contains pointers to fixed Debian "potato" and "woody" packages. (Debian 2.1 did not include CUPS). Users of the CUPS beta series should be at 1.1b3 or higher.
Red Hat setgid vulnerabilities. Michal Zalewski has posted the results of a survey he did looking for setgid executables with vulnerabilities on a Red Hat 6.2 system. The results are not encouraging. Since setgid programs run at a lower level of privilege, they have not necessarily received the same degree of attention as those that run setuid. If they are compromised, however, they can still bring about unpleasant consequences.
Updates
Zope. Few distributors package Zope currently, so there are only two updates out there:
Kernel. A couple more distributors straggled in with updates to fill in the kernel capabilities hole. Red Hat, which is usually quick to get updates out, waited until June 21, a full two weeks after the problem and the fix were published.
Kerberos. There's only one new update to kerberos, fixing a number of older problems and the new FTP problem described above as well:
Call for participation - RAID 2000. A call for participation has been issued for the Third International Workshop on the Recent Advances in Intrusion Detection, which will be held in Toulouse, France on October 2-4, 2000.
June/July security events.
Section Editor: Liz Coolbaugh
June 22, 2000