Security

News and Editorials

GTK+ Modules - are they secure?

An extended discussion on BugTraq brought up the issue of whether GTK+ modules (and modules in other widget sets) are a security risk. The problem lies in whether or not a setuid or setgid program which tries to run a bogus module should know whether or not this is safe.

Owen Taylor, one of the primary developers for GTK+, posted a response stating that the official GTK+ position is that setuid and setgid programs are, essentially, a bad idea for GUI toolkits and are not supported by the GTK+ toolkit. "In the opinion of the GTK+ team, the only correct way to write a setuid program with a graphical user interface is to have a setuid backend that communicates with the non-setuid graphical user interface via a mechanism such as a pipe and that considers the input it receives to be untrusted." Their argument is that setuid/setgid programs need to be small and specific, not large and generic like the GTK+ library itself.

Workarounds for the current state of GTK+ were also posted for this discussion, such as checking the effective id against the real id in gtkmain.c itself, a simple patch which is not addressed directly by the GTK+ team's response. However, such patches in general are considered the wrong solution by the GTK+ team according to their official stance on this issue.

It can be argued that GTK+ should force an abort if the program using that library is running as setuid or setgid. But this is the wrong way to handle this issue. Libraries shouldn't enforce policy - if you want to shoot yourself in the foot, you should be able to do so. What GTK+ could do is provide hooks for applications to request this enforcement, but not enable it by default. What if, for example, an individual wants to run applications as setuid root on his box which is not connected to any other system and is used only in the field for data acquisition? Should you deny this option within the GUI library? Of course not.
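As an added illustration, not code from GTK+ or from the BugTraq thread, here is what an opt-in version of the gtkmain.c-style real-vs-effective id check could look like: the library exposes a hook, and the application decides whether enforcement is on. The function names are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Opt-in policy flag (hypothetical, not a GTK+ API): off by default so the
 * library enforces nothing unless the application asks for it. */
static int refuse_privileged = 0;

void toolkit_set_refuse_privileged(int enable)
{
    refuse_privileged = enable;
}

/* Pure decision: a setuid or setgid execution leaves the real and effective
 * ids different. Takes the ids as arguments so it can be checked with
 * constructed values instead of the calling process's own ids. */
int ids_show_privilege_change(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* The gtkmain.c-style check from the discussion, gated by the opt-in flag.
 * Call early in initialisation, before any module is loaded.
 * Returns 0 when the program may continue, -1 when the policy refuses. */
int toolkit_init_privilege_check(void)
{
    int privileged = ids_show_privilege_change(getuid(), geteuid(),
                                               getgid(), getegid());
    if (privileged && refuse_privileged) {
        fprintf(stderr, "toolkit: refusing to run setuid/setgid; "
                        "move privileged work into a separate backend\n");
        return -1;
    }
    if (privileged)
        fprintf(stderr, "toolkit: warning, running setuid/setgid\n");
    return 0;
}

int main(void)
{
    toolkit_set_refuse_privileged(1);   /* this application opts in */
    if (toolkit_init_privilege_check() != 0)
        return 1;
    puts("GUI would start here (real and effective ids match)");
    return 0;
}
```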
The user should have control of their system and should not be controlled by the libraries upon which their application depends.

Shockwave Flash buffer overflow

A report was posted to BugTraq this past week regarding yet another buffer overflow problem. While the problem (buffer overflow) is rather mundane (where haven't we seen this sort of problem?) and the reported effects rather modest (can potentially crash a browser or perhaps corrupt image data), the real issue is the widespread effect. Shockwave plug-ins exist for nearly all desktop platforms, including Windows, Mac, and Linux based systems, and all are based on a single source code implementation. While the author of the report achieved crashes and corrupted data, he also believes that a multi-platform self-modifying virus may also be possible here.

Unfortunately, the report came via trial and error and not by code inspection. The actual code for the plug-ins can be found online at Macromedia's web site (under their specific source code license) and further examination is necessary to determine just how problematic this particular buffer overflow issue really is. Of course, this seems to explain why all Flash sites crashed my version of Netscape. Time to remove that plug-in....

Sendmail 8.11.2 released

Sendmail, Inc. posted to BugTraq that version 8.11.2 of their mail transfer agent, sendmail, has been released. This version addresses a number of security issues and general bugs found after 8.11.1 was released.

Security Reports

Security Enhanced Linux buffer overflow vulnerability

A buffer overflow was reported in NSA Security Enhanced Linux's implementation of libsecure. An updated release of NSA Security Enhanced Linux has been made available with a fix for the problem. Check BugTraq ID 2154 for more details.

Web scripts

The following cgi-bin or other web scripts were reported to contain vulnerabilities:
Updates

GnuPG web of trust circumvention

A couple of new GnuPG security problems were covered in the December 21st LWN Security Summary. A security patch against gnupg-1.0.4 was also issued. Note that the original discussion mentioned two vulnerabilities but only discussed one of them, a problem with trust circumvention. Also fixed with the security patch was a problem with detached signatures, which could cause false-positive verifications.

This week's updates:

Previous updates:
fetchmail AUTHENTICATE GSSAPI bug

Check the November 16th Security Summary for the original report.

This week's updates:

Previous updates:

GNU emacs inadequate PTY permissions vulnerability

Check the June 22nd, 2000 LWN Security Summary for the initial report of this problem, affecting GNU emacs 20.6 and earlier. GNU emacs 20.7 contains a fix for the problem.

This week's updates:

Previous updates:
Events

Upcoming security events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
January 4, 2001