[LWN Logo]

 Main page
 Linux in the news
 Back page
All in one big page

See also: last week's Security page.

News and Editorials

The trouble with big libraries. Chris Evans has turned up a number of security problems with libX11 - the low-level library that handles communication with the X window system server. The details can be found in this posting. Suffice to say that they are problematic.

But the real problem, as pointed out by Mr. Evans, is that libX11 is a very large body of code. The difficulty of securing large programs has been well known for some time. Even though libX11 is high-quality code that has had more than a decade of debugging, it's still not possible to have a high degree of confidence in its security.

So one of the keys to security is to write small, auditable programs. But even small programs can end up linking to very large libraries. Thus, in this case, any program that presents a graphical interface is a large program, whether it looks that way or not. The implication is that no graphical program, no matter how carefully written, can be secure if it is run in a privileged mode.

To an extent this problem can be worked around by separating out privileged operations into a separate program. That is what was done with xterm, for example; the "utempter" program handles the privileged operation of changing the utmp file, so that xterm itself can run unprivileged. But more complicated situations will not always lend themselves to this sort of easy separation of tasks. Just another reminder that security is a hard problem.

(Chris Evans has also posted on problems he found with the libICE library and xdm. Since the xdm source is used for many other display managers, including KDE's kdm, problems in that program could turn up in many other places.)

Another fix for the 2.2 capability bug. The proper way to fix the 2.2 capability bug, which has been much discussed over the last couple of weeks, is to upgrade to the 2.2.16 or 2.2.17pre kernel. However, a kernel upgrade is not an easy thing for every site to do, and the newer kernels have some difficulties of their own. Those not wanting to perform the upgrade may want to have a look at the "capcheck" module, announced by Lionel Cons at CERN.

Capcheck is a loadable kernel module which replaces the "capset" system call with a much more restrictive version. It can be loaded into a running kernel, and immediately closes the capability hole. Those who are interested can get the source from the capcheck download site. There are also binary modules there, but loading random binary modules as a security fix is a bit of a self-contradictory action.

This fix is a clever use of loadable kernel modules. It also demonstrates the scope of what these modules can do. A module, once loaded into the system, can change its behavior in wide-ranging and subtle ways. Kernel modules have been little-used in attacks on systems thus far, but eventually some clever attacker will find a use for this mechanism. For this reason, many security-conscious sites disable module loading entirely, either via explicit kernel configuration or by using the capability bounding set. For those not wanting to go so far, a degree of caution is necessary. The capcheck module is short and easy to look over; paranoid administrators may want to do that before installing it.

Crypto-gram newsletter. Here is the latest Crypto-gram newsletter from Bruce Schneier. The main topic is the new SOAP protocol, which is being promoted as an open source standard. " Because no security is required in either HTTP, XML, or SOAP, it's a pretty simple bet that different people will bungle any embedded security in different ways, leading to different holes on different implementations. SOAP is going to open up a whole new avenue for security vulnerabilities."

Security Reports

Remote exploit in Zope 2.1.6. Digital Creations has issued an alert describing a remotely-exploitable security problem with Zope 2.1.6 and earlier. A new 2.1.7 release has been put out (along with a patch for those needing to stay at 2.1.6) that fixes the problem. Upgrades are strongly recommended. Note that the problem affects the 2.2 beta 1 release as well. (Thanks to Paul Hewitt and John Rowell).

A new Kerberos problem. A vulnerability in the Kerberos 1.1 (and later) gssftp daemon has been announced. The daemon allows remote users to perform certain FTP commands that shouldn't be allowed, leading to possible denial of service attacks and, in some cases, root compromise. A small patch is included with the announcement which fixes the problem. Note that the krb5-1.0.x distributions are not vulnerable.

PHP disclosure problems. PHP 3.0 can, when faced with certain illegal POST requests, disclose more information (including local file names) than is desirable. This information is not enough to compromise a system in itself, but it could prove useful to an attacker. This announcement from H.D. Moore describes the problem and gives a workaround.

Insecure communications in emacs. GNU emacs uses subprocesses to perform a great deal of work, including compilations, shell mode, and running debuggers. It turns out that it is easy for outsiders to listen in on the communications between emacs and these processes. The hole has been closed with the release of emacs 20.7.

This week's updates:

Common Unix Print System. A remotely-exploitable denial of service problem exists with CUPS, a replacement for the old lpd print system. See this alert for details; it also contains pointers to fixed Debian "potato" and "woody" packages. (Debian 2.1 did not include CUPS). Users of the CUPS beta series should be at 1.1b3 or higher.

Red Hat setgid vulnerabilities. Michal Zalewski has posted the results of a survey he did looking for setgid executables with vulnerabilities on a Red Hat 6.2 system. The results are not encouraging. Since setgid programs run at a lower level of privilege, they have not necessarily received the same degree of attention as those that run setuid. If they are compromised, however, they can still bring about unpleasant consequences.


Zope. Few distributors package Zope currently, so there are only two updates out there:

Kernel. A couple more distributors straggled in with updates to fill in the kernel capabilities hole. Red Hat, which is usually quick to get updates out, waited until June 21, a full two weeks after the problem and the fix were published.

Kerberos. There's only one new update to kerberos, fixing a number of older problems and the new FTP problem described above as well:


Linux Security Week newsletter. Here is the Linux Security Week Newsletter for June 19, from the folks at LinuxSecurity.com.


Call for participation - RAID 2000. A call for participation has been issued for the Third International Workshop on the Recent Advances in Intrusion Detection, which will be held in Toulouse, France on October 2-4, 2000.

June/July security events.
Date Event Location
June 25-30, 2000. 12th Annual First Conference, Chicago, Illinois, USA.
June 27-28, 2000. CSCoRE 2000,"Computer Security in a Collaborative Research Environment" Long Island, New York, USA.
July 3-5, 2000. 13th IEEE Computer Security Foundations Workshop Cambridge, England.
July 10-12, 2000. Fifth Australasian Conference on Information Security and Privacy (ACISP 2000) Brisbane, Australia.
July 14-16, 2000. H2K / HOPE 2000 New York, New York, USA.
July 26-27, 2000. The Black Hat Briefings Las Vegas, Nevada, USA.
July 28-30, 2000. DEF CON VIII Las Vegas, Nevada, USA.

Section Editor: Liz Coolbaugh

June 22, 2000

Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux
Secure Linux (Flask)

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Linux Security Audit Project
Security Focus


Next: Kernel

Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds