Security

News and Editorials

modutils issues remain. Back in our November 16th edition, we discussed security problems with modutils on both our Security and Kernel weekly pages. Modutils 2.3.20 was quickly released to try to resolve the problem, but the issues involved are not so simple. This week, as part of the ongoing effort to resolve the issue properly, modutils 2.3.21 was released. It specifically fixes some side effects from the fixes applied in 2.3.20. Meanwhile, Adam Richter pointed out that even 2.3.21 only fixes half the problem:

Currently, querying a nonexistent network interface named, say, "eth0" results in a result_module call for "eth0". I want to change that to "if-eth0". This will make it impossible for users to pass things like "-C/my/bogus/modules.config", or to cause the loading of a legitimate but buggy module to crash the system. The changes to modutils that Keith Owens posted address the former problem, but not the latter, which is a pretty real possibility given that our current builds install 786 modules.

Adam has requested feedback on his idea, so take a look and pass your comments back to him. While Adam's idea makes a lot of sense, it will also require every existing system to modify its modules.conf file. There are ways around that, but the potential for problems is very high.

BSD coverage feedback. We received twenty notes from readers regarding last week's editorial, Why Cover BSD?. The responses were uniformly positive, so you can rest assured our BSD coverage will continue. Four of those notes asked for more BSD coverage, including coverage outside the LWN Security page. We are taking those suggestions under consideration, but for now we'll move slowly. We've got friends over at Daemon News that are already doing a good job of global BSD coverage. As always, we prefer not to duplicate the work of others, but instead step in only when we think we can provide some unique perspective, value or service.
Still, in places like the Security page where a contrast of BSD information and Linux information provides a special value, you may indeed see increased coverage in the future.

Improved Security Advisories. We'd like to say that our November editorial, Credit Your Source, had a similarly impressive response. However, we didn't see any unilateral change in advisories as a result. So, since complaining apparently works poorly, we thought we'd take a different approach and use praise. Two distributions have improved their security advisories noticeably over the past two weeks, Debian and Immunix, and we pass them our grateful thanks.

Debian has standardized their header for security advisories, started numbering them and does a good job of crediting the person who originally reported the vulnerability. Many thanks! The addition of a URL or the forum in which that vulnerability was reported would also be useful, but let's not get picky. Their header also contains a new entry indicating whether or not the vulnerability is "Debian-specific". This is quite useful, something we've only previously enjoyed in FreeBSD advisories.

Immunix has also straightened up the look of their advisories, adding their own header, complete with numbering scheme and author. This week, they also included URLs to the relevant BugTraq postings. This is a noticeable improvement over the casual announcements they made previously. Note we aren't holding the Debian and Immunix advisories up as examples of perfection, but their efforts to improve are much appreciated.

Signed code: Security or censorship? (ZDNet). ZDNet takes a look at Microsoft's plans for code signing. "Known as code signing, the technique links a software developer's name with a program or Internet applet using digital signatures. The code cannot be changed without destroying the signature, giving users a way to link a company with a program. If something goes wrong, the user will know whom to blame."
The article discusses concerns for possible misuse of code signatures (to punish a commercial rival, for example), its limitations in terms of providing real security and its impact on small developers. "Virus writers could still sign their code and cause it to execute as soon as someone installs another piece of software, he said. To the user, it would seem that the software he or she just installed caused the problem".

Security Reports

ghostscript vulnerabilities. Two vulnerabilities were reported in ghostscript this week, a symlink vulnerability and a shared library usage vulnerability. Both could potentially lead to elevated privileges. We don't know exactly who to credit for finding these problems; the distribution advisories were the first notice of them we saw and none of them either claim credit or offer it elsewhere.

This week's updates:

koules buffer overflow. Guido Bakker reported a buffer overflow in koules, an arcade-style game authored by Jan Hubicka, which could be exploited locally to gain root privileges.

This week's updates:

bash tmpfile vulnerability. Reports of ways in which the Unix /bin/sh could be exploited, via its use of temporary files, led to an examination of Linux' bash. That turned up very similar problems. The vulnerability can be used to overwrite arbitrary files, particularly a problem when root runs bash.

This week's updates:

pine remote code execution. In October, FreeBSD released a report of a pine buffer overflow that can be exploited remotely to execute arbitrary code via a specially-crafted mail message. Unfortunately, we mixed up that report with an earlier pine problem reported in September, that was not as serious. Since then, we've been listing updates for both problems together, with an inaccurate description. Please accept our apologies for the confusion. The following packages prevent the remote exploit as well as fixing the earlier pine problem.

This week's updates:
Previous updates:

syslog-ng remote denial-of-service. Balazs Scheidler posted an advisory this week for a remote denial-of-service vulnerability in syslog-ng. Check the syslog-ng home page for syslog-ng news. All versions prior to and including syslog-ng 1.4.8 are vulnerable. syslog-ng 1.4.9 and higher are no longer vulnerable.

twig remote execution of arbitrary code. João Gouveia posted an advisory on BugTraq this week pointing out twig, a GPL'd "Web Information Gateway", can be used to execute arbitrary code on a server under the uid of the httpd server. Shaun Clowes followed up with a suggested workaround to use until a new version of twig has been released.

ed symlink vulnerability. Alan Cox noticed that GNU ed, a basic line editor, creates temporary files unsafely. The problem has subsequently been fixed in ed 0.2-18.1.

This week's updates:

fsh temporary directory vulnerability. fsh, a "fast" rsh/ssh/lsh tool, uses a directory under /tmp to hold its sockets. Colin Phipps examined the program and reported how this could be exploited via a symlink. Patched versions of fsh have been made available for Debian.

This week's updates:

identd. A buffer overflow in identd was reported by Niels Heinen. He used the SuSE platform to demonstrate the vulnerability. The SuSE Security Team followed up the report and confirmed multiple problems in the code. Updates from SuSE, and other impacted distributions, should show up over the next week.

cons.saver file overwrite vulnerability. Maurycy Prodeus reported a problem in cons.saver which can be used to write a NUL character to the file given as its parameter. The problem has been fixed in version 4.5.42-11. New versions of mc are being distributed with this fix.

This week's updates:

elvis-tiny /tmp file vulnerability. Debian reported a problem in elvis-tiny caused by the creation of files in /tmp in an insecure manner, which was discovered by Topi Miettinen during an audit of the code. They have issued updated packages with a fix for the problem.
Any distribution using elvis-tiny will also require an update.

Secure Locate buffer overflow. Michel Kaempf reported a buffer overflow in Secure Locate (slocate) this week. Secure Locate 2.3 should fix the problem. However, Olaf Kirch pointed out other potential problems that still remain.

xmcd untrustworthy privileged binaries. A Debian-specific vulnerability in xmcd was reported this week. The xmcd package installs helpers for accessing cddb databases and SCSI CDrom drives. Two of the helper binaries were installed setuid. The previously reported ncurses buffer overflow allowed these two binaries to be exploited. Check the ncurses update below for a link to Debian's just-released fix for ncurses as well.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

ethereal buffer overflow. Check last week's Security Summary for the initial report of this problem. An update to ethereal 0.8.14 should fix this problem.

This week's updates:

Previous updates:

joe symlink vulnerability. Check last week's Security Summary for the original report.

This week's updates:

Local root exploit problem in modutils. Check the November 16th Security Summary and Kernel Page for the original report and details. Note, however, that the updates listed below include either modutils 2.3.19 or modutils 2.3.20. As mentioned above, modutils 2.3.21 has been released with still more fixes.

This week's updates:
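
Added example (not part of the original LWN page and not modutils code): a small Python model of the "if-" naming change discussed in this week's modutils editorial, showing the option-parsing effect, the module-namespace effect and the modules.conf migration cost. The module names, alias table, default config path and function names are constructed for illustration; only the -C string is taken from the page.

```python
import getopt

DEFAULT_CONFIG = "/etc/modules.conf"   # assumed default path, for illustration
# Constructed sample data (not from the page): installed modules and one alias.
MODULES = {"ne2k-pci", "buggy_fs"}
ALIASES = {"eth0": "ne2k-pci"}

def modprobe_view(argv):
    """Parse argv as a getopt-based loader would; "C:" models the -C<config> option."""
    opts, names = getopt.getopt(argv, "C:")
    return dict(opts).get("-C", DEFAULT_CONFIG), names

def requested_name(ifname, prefixed):
    """Name handed to the loader: raw today, "if-<name>" under the proposal."""
    return "if-" + ifname if prefixed else ifname

def resolve(name, aliases):
    """Alias lookup first, then a module of that exact name; None means nothing loads."""
    if name in aliases:
        return aliases[name]
    return name if name in MODULES else None

def migrate(aliases, interfaces):
    """Rewrite interface aliases into the if- namespace (the modules.conf change)."""
    return {("if-" + k if k in interfaces else k): v for k, v in aliases.items()}

def demo():
    hostile = "-C/my/bogus/modules.config"   # string quoted in the editorial
    migrated = migrate(ALIASES, {"eth0"})
    return {
        # Raw name is consumed as an option and replaces the config file.
        "raw_option": modprobe_view([requested_name(hostile, False)]),
        # Prefixed name no longer starts with "-", so it stays a plain name.
        "prefixed_option": modprobe_view([requested_name(hostile, True)]),
        # Raw name can select any installed module; prefixed name cannot.
        "raw_module": resolve(requested_name("buggy_fs", False), ALIASES),
        "prefixed_module": resolve(requested_name("buggy_fs", True), ALIASES),
        # Compatibility cost: eth0 stops resolving until modules.conf is migrated.
        "eth0_before_migration": resolve(requested_name("eth0", True), ALIASES),
        "eth0_after_migration": resolve(requested_name("eth0", True), migrated),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
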

Hostile server vulnerability in OpenSSH. Check the November 16th LWN Security Summary for details. Upgrading to 2.3.0 is recommended.

This week's updates:

Previous updates:

fetchmail AUTHENTICATE GSSAPI bug. Check the November 16th Security Summary for the original report.

This week's updates:

Netscape 4.75 buffer overflow. First spotted via this FreeBSD advisory and reported on November 9th, a buffer overflow in Netscape 4.75 enables a client-side exploit. Check the November 9th LWN Security Summary for our original report. Netscape 4.76, which was released on October 24th, fixes the problem.

This week's updates:

Previous updates:

nss_ldap race condition. Check the November 2nd LWN Security Summary for the original report and the November 9th LWN Security Summary for a correction to our original report.

This week's updates:

tcsh symlink vulnerability. A /tmp symbolic link vulnerability was reported in tcsh on October 29th. Check BugTraq ID 1926 for more details.

This week's updates:

Previous updates:

Red Hat cyrus-sasl authentication problem. Check the November 2nd Security Summary for the original report. Only Red Hat 7 is impacted.

This week's updates:

curl buffer overflow. A buffer overflow in curl, a command-line tool for getting data from a URL, was reported in October.

This week's updates:

Format string vulnerabilities in PHP. Check the October 19th LWN Security Summary for the original report. PHP 3.0.17 and 4.0.3 contain the fixes for these problems.

This week's updates:

ncurses buffer overflow. Check the October 12th LWN Security Summary for the initial report of this problem. Updates for this vulnerability continue to trickle in more slowly than usual.

This week's updates:

Previous updates:

usermode inherited environment variable vulnerability. Check the October 12th LWN Security Summary for details.

This week's updates:

gnorpm tmpfile link vulnerability. Check last week's LWN Security Summary for more details.

This week's updates:
Previous updates:

Resources

ICMP error message use in fingerprinting. Ofir Arkin posted a description of using ICMP error messages in fingerprinting.

Events

Upcoming security events.

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
November 30, 2000