[LWN Logo]

 Main page
 Linux in the news
 Back page
All in one big page

See also: last week's Security page.

News and Editorials

OpenBSD runs fuzz. For those of you with very good memories, the University of Wisconsin "Fuzz" program experimented with throwing garbage input onto the command line of common Unix commands and evaluating the result. Run twice, with a five-year interval, it turned up most of the same errors the second time. Theo de Raadt from OpenBSD picked up fuzz and ran it on OpenBSD to test the results. Here is what he found. Even with OpenBSD's emphasis on fixing all bugs and auditing code, fuzz still turned up errors in many basic commands.

It also turned up a debate on BugTraq as to the usefulness of such tools. The bugs found by fuzz previously and now are arguably not actually security bugs. However, they are still bugs and therefore deserve to be fixed. Theo commented, "I still consider fuzz to be somewhat of a crutch. For about half of these fixes, inspection found other things we could improve". Perhaps so, but inspection had not turned them up until fuzz gave them a reason to look again at code that has been around for a long, long time. In the end, such tools have their use and the current state of computer software in general argues a lot for the need for tools like this. However, Theo's point that software that passes all automated tests still likely has problems that are best found by a source code audit by trained staff shouldn't be forgotten either.

Also hypothesized in the report is the existence of commercial software from various vendor quality assurance groups to do "fuzz-like" testing and more. Such code is currently locked away within each organization; the release of such tools, and the pooling of ideas and knowledge to improve them, might be a boon. Of course, depending on the quality of the code, its availability might not make as much of a difference as we might hope.

Silence is the best security policy (ZDNet). This is apparently one argument that will never end. This ZDNet article argues that security holes should be "hushed up", not published. "Marcus Ranum, chief technology officer for intrusion detection software maker Network Flight Recorder Inc., used hard language to say that security can't be improved unless 'gray hat' hackers stop disclosing security holes to the public and stop creating tools for so-called 'script kiddies' to exploit the holes."

As someone who has followed vendor security reports for over ten years, this editor can testify that unpublished vendor security holes simply went unfixed. So much for "improving security".

Bull announces CDSA security software for Linux as open source. Bull has announced the forthcoming release of its Common Data Security Architecture implementation under an (unspecified) open source license. Code will be available on August 24.

New Security Reports

CVS vulnerabilities. Two CVS-related vulnerabilities were reported this past week. The first vulnerability impacts the CVS server, which can be made to execute an arbitrary binary via the Checkin.prog script. An unofficial patch for CVS 1.10.8 has been posted.

The second vulnerability impacts the CVS client, which blindly trusts path information from a CVS server and can thus be "tricked" into creating files in arbitrary locations. No workaround or patch has been posted, as of yet.

These vulnerabilities sparked a long discussion on the security of anonymous CVS servers. The consensus seems to be that CVS was simply not designed to be run in an "untrusted" mode (sound familiar?). Therefore, if you are running a CVS server, you should assume that the people authorized to use the CVS server are also authorized to get login access to the machine hosting the CVS server. A dedicated, highly controlled CVS server was recommended for less trusted circumstances.

Also mentioned in the discussion was a new open source project, subversion. Still in early development, it is meant to be a CVS replacement, presumably with better security built into the design. A "proof of concept" release is currently scheduled for September.

TurboLinux: cvsweb. TurboLinux has issued a security advisory for cvsweb-1.90 and earlier. Remote reading/writing of arbitrary files as the cvsweb user is possible. Updated packages for cvsweb-1.91 are provided.

Mailman. A vulnerability has been reported in mailman 2.0beta3 and 2.0beta4. Mailman can be exploited by a local user to read public and private data, passwords and potentially replace binaries and scripts. An unofficial patch against the current CVS tree is provided. Mailman 2.0beta5 has also been released and is reported to contain a fix for this problem.

GNU userv vulnerability. A security vulnerability in userv 1.0.0 and earlier has been reported which, under some circumstances, can allow a local user to carry out an unauthorized action. Userv is a system facility to allow one program to invoke another when there is only limited trust between the two programs.

GNU userv 1.0.1 has been released with a fix for this vulnerability.

Linux-Mandrake security update to kon2. MandrakeSoft has issued a security update to the kon2 package which patches up fld, a vulnerable setuid program. The Linux-Mandrake kon2 package contains KON, software for displaying kanji characters on Linux console screen.

OpenLDAP installation permissions. The installation permissions for openldap 1.2.11 (and possibly earlier versions) allow the binary itself to be writable by group. However, the installation does not choose the group that will be used, allowing it to potentially default to an untrusted group. This problem was reported on BugTraq by Dr. Christian Kleinewaechter. The problem can be dealt with by modifying the installation script itself or by checking the group ownership and permissions of the binary and modifying them, if necessary, after installation.

ntop. A BugTraq posting warns that ntop, a network usage display, can be used to remotely read any file on the system, if run in web mode. Ntop in web mode is a web server, run suid. Access to the server can be locked down via a configuration file, but the documentation incorrectly reports the proper location for this configuration file.

Commercial products. The following commercial products were reported to contain vulnerabilities:


Netscape/Mozilla JPEG marker vulnerability. Check last week's Security Summary for more information.

pam. A vulnerability in pam is triggered when a display manager and XDMCP are both enabled. It can allow unprivileged users to fake a console login and shut down the machine. Check the Red Hat advisory for more details

Multiple gpm vulnerabilities. New problems with gpm were reported last week, including the ability for a local user to execute arbitrary commands with elevated group privileges and a local denial-of-service attack.

This week's updates:

Previous updates:

dhcp. A second set of problems with the ISC dhcp client was reported in the July 20th Security Summary. New updates to dhcp-3.0b1pl17 (instead of pl12) are now coming out.

Linux-Mandrake: zope. Linux-Mandrake has put out Zope 2.1.6 packages, fixing a security flaw in the DocumentTemplate package that can allow documents to be changed without adequate authorization. Check the June 22nd Security Summary for information on the problem, which has also been fixed in Zope 2.1.7 and 2.2 beta 2.


Dan and Wietse's Forensic Tools. Dan Farmer and Wietse Venema have released The Coroner's Toolkit (TCT), a set of tools for doing a post-mortem on a Unix system after a break-in. "To set your expectations, the TCT software is not for the faint of heart. It is relatively unpolished compared to the software that we usually release. TCT can spend a lot of time collecting data. And although TCT collects lots of data, many analysis tools still need to be written. Nevertheless TCT sure beats the competition, which is non-existent, and beats them at the right price, too."

The tools are released under a combination of the IPL (IBM Public License) and a modified version of the BSD license.

TrinityOS. David Ranch, the IP Masquerade HOWTO author/maintainer and co-author of the SANS "Securing Linux: Step by Step" book, has also made available a website he calls TrinityOS. Like the Bastille Linux project, the website contains scripts for automating the process of securing various Linux services. Note, however, that the scripts themselves don't appear to have been heavily tested and provide no easy way to back out the changes they make. In many ways, they make a better reference for what ought to be done than a one-step method of securing a system for use by a novice.

Red Hat, Linux-Mandrake, and Slackware are all referenced. In addition to the afore-mentioned scripts, TrinityOS contains a wealth of links to additional security resources.

Hack Proofing Your Network. Hack Proofing Your Network is a new book from Syngress Publishing. Ryan Russell is the author and the list of contributing authors is quite interesting: " Contributing writers include: Rain Forest Puppy; Elias Levy, BugTraq moderator; Blue Boar, Vuln-dev moderator; Dan "Effugas" Kaminsky, Cisco Systems; Oliver Friedrichs, SecurityFocus.com; Riley "Caezar" Eller, Internet Security Advisors; Greg Hoglund, Click To Secure, Jeremy Rauch, and Georgi Guninski."

LinuxSecurity.com Weekly Newsletter. LinuxSecurity.com's weekly newsletter is also available, for those of you looking for additional Linux security news.


ToorCon pre-registration closes August 6th. Pre-registration for this year's ToorCon closes August 6th. The ToorCon Security Expo will be held on September 1st-3rd in San Diego, California, USA. "ToorCon is a comprehensive three day computer security extravaganza featuring lectures from some of the top experts in the field, hand-on demonstrations of the newest approaches to computer security, and a competitive game called RootWars which tests your penetration and defensive skills in a real-time simulation."

Check their web-page for more details.

August/September security events.
Date Event Location
August 14-17, 2000. 9th Usenix Security Symposium Denver, Colorado, USA.
August 14-18, 2000. Ne2000 (Networking 2000) Lunteren, The Netherlands
August 18-20, 2000. Hack Forum 2000 Ukraine
August 20-24, 2000. Crypto 2000 Santa Barbara, California, USA
August 22-23, 2000. WebSec 2000 San Francisco, California, USA
September 1-3, 2000. ToorCon Computer Security Expo San Diego, California, USA.
September 11-14, 2000. InfowarCon 2000 Washington, DC, USA.
September 13-14, 2000. The Biometric Consortium 2000 Gaithersburg, MD, USA.
September 19-21, 2000. New Security Paradigms Workshop 2000 Cork, Ireland.
September 26-28, 2000. CERT Conference 2000 Omaha, Nebraska, USA.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

August 3, 2000

Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux (Flask)

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Linux Security Audit Project
Security Focus


Next: Kernel

Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds