
Security


News and Editorials

Immunix 7.0 commercial release. Immunix 7.0 is now commercially available for those wishing to buy their own CD. It comes with a subset of Red Hat 7.0 with the majority of the binaries recompiled using StackGuard and FormatGuard-enhanced compilers, thus protecting users from most buffer overflows and format string vulnerabilities, whether known or unknown. It also includes SubDomain, a kernel extension providing "least privilege confinement", the ability to specify exactly what files a program can access and what actions it can perform.

Before you go out to purchase Immunix 7.0, though, you need to be aware of the licensing changes that have occurred between the release of Immunix 6.2 and the release of Immunix 7.0. Immunix 6.2 was available as a free download under the GPL. Immunix 7.0 is, instead, under a new license, which includes this phrase:

The license granted to End User by WireX shall be a non-exclusive, non-transferable license to use Licensed Software on the Designated Equipment in machine-readable form only, solely for End User's internal business purposes (Authorized Use). End User is not entitled to receipt or use of the source code to any Licensed Software. End User shall not modify, decompile, disassemble or otherwise reverse engineer the Licensed Products.

This language means that the Immunix distribution itself cannot be freely redistributed. That may, initially, seem to be impossible legally, since it includes a great deal of software licensed under the GPL. However, there is no restriction on the GPL'd software within Immunix, just on the bundled product itself.

The restrictions on Immunix stem from both the inclusion of the SubDomain product, the non-kernel portions of which are both proprietary and closed source, and the inclusion of BSD-licensed binaries, for which they currently include source (but may not in the future) but which they place under a proprietary license.

This would imply that you could take Immunix, remove SubDomain from it, remove or replace the BSD-based binaries with ones that you've compiled yourself (with or without StackGuard or FormatGuard) and then distribute the result freely. However, if you haven't done the above, then legally you are not allowed to freely distribute what you download or purchase or to use the CD on multiple machines.

A full discussion of WireX's choice of license for Immunix can be found in this thread on the immunix-users mailing list.

As a result of this licensing choice, the Immunix distribution itself no longer meets the requirements of the Debian Free Software Guidelines. In essence, it is a Linux distribution that is not Free Software; although built primarily with free software, it is a proprietary product.

It is notable that this move resembles comments made this week by Caldera's Ransom Love. "Love said he thinks Microsoft was right in its claim that the GPL doesn't make much business sense. Consequently, Caldera is likely to add a non-GPL licensing mechanism -- most likely one based on the BSD license -- to its repertoire in the coming months". We disagree with Mr. Love on this point; we believe the GPL makes a great deal of sense, both for business and non-business users. Nonetheless, both Caldera and WireX are, to the best of our knowledge, making choices that are legal.

It is possible that, in reaction to these licensing changes, someone else may step forward to make a competing Linux distribution with StackGuard and FormatGuard-protected binaries that is actually Free Software. This would mirror what happened when the licensing behind QT affected KDE and spurred the development of Gnome. Alternately, if the audience for this product is small and does not, in general, care about the issue of free software versus proprietary software, Immunix may move forward uncontested in this arena.

We have always been strong proponents of WireX and their work in the past; StackGuard and FormatGuard have been important contributions to the community and Immunix 7.0 looks like an excellent product. Their licensing choices, though, while understandable from a revenue perspective, may end up hampering the adoption of Immunix. In particular, the use of closed source programs for security is a practice we particularly distrust, so their choice to make portions of SubDomain closed source is a bit disheartening.

Turbolinux security advisories return. After a period of total inactivity lasting almost six months, Turbolinux has issued a spate of new advisories this week. The turnaround on the advisories is admittedly terrible; the vulnerabilities that they fix go as far back as July 20, 2000. Presumably, the cause of that terrible response has now been addressed.

As a result, Turbolinux appears to be doing a general house-cleaning, checking known vulnerabilities against its distribution and trying to get fixes out for them (no matter how old). Before Turbolinux gets all the negative attention, though, it is worth taking a look at the vulnerabilities they've now addressed, as we've done below in our Update Section. The vulnerabilities in it are listed in reverse order of when they were reported (most recent ones first).

You'll quickly notice that many of the vulnerabilities, even the ones that have been known for quite a while, have not been addressed by all the other distributions either. Perhaps a "spring cleaning" should be on the list for all the security teams.

OpenSSH 2.9 released. OpenSSH 2.9 has been announced. This release includes a number of new features, some fixes, and makes version 2 of the SSH protocol the default. "OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support."

'No limits' browser planned (BBC News). The BBC News talks about a promised new browser, Peekabooty, which The Cult of the Dead Cow is planning on releasing this year. The goal of Peekabooty is to combine encryption and a Gnutella-like network to circumvent censorship. "The inventors of the new browser said they were developing it for people living under restrictive regimes who wanted to see information they were otherwise denied."

Although China, Malaysia, Singapore and many Arabic countries are given as specific examples of countries that restrict what their constituents can view on the web, the DeCSS case might arguably add the USA to the list and Germany could be argued for inclusion as well. (Thanks to Fred Mobach).

Open Source Security Testing Methods (LinuxSecurity.com). The folks at LinuxSecurity.com talk with Pete Herzog, creator of the Open-Source Security Testing Methodology Manual. "As it is, security testers are an innovative group who need to be both methodical and radical to perform their job well. This manual works with them, guiding their hand, not forcing it."

Security Reports

vixie-cron crontab permissions lowering failure. It has been reported that a security fix applied to fix a problem back in January has resulted in a failure to drop permissions properly. As a result, a local root exploit has been introduced. Paul Vixie's Vixie Cron 3.0pl1 fixes this latest problem.

Samba 2.0.9 released (security fix). Andrew Tridgell has released Samba 2.0.9, which fixes the security bug (from April 19th) that he had thought was fixed in 2.0.8. If you're running a 2.0 version of Samba, an upgrade is recommended; look for one from your favorite distributor soon. 2.2.0 users are not affected by this problem.

Minicom XModem Format String Vulnerability. Multiple format string vulnerabilities have been reported in Minicom which can be triggered when sending files via XModem. As a result, uucp privileges can be gained by a local user. An exploit has been published. No patch or update has been published so far, though removing the setgid bit from minicom will close the hole (and disable minicom for non-privileged users) temporarily. Check BugTraq ID 2681 for more details.

Red Hat 7.1-specific improper swapfile creation vulnerability. Red Hat has issued an advisory warning that swap files (not swap partitions) created during an upgrade to Red Hat 7.1 are created with improper permissions, allowing world-read access. Red Hat Linux 7.1 offers the option of creating swapfiles during the upgrade if the amount of swap space available is less than the physical RAM.

World read access exposes whatever data has been paged out to the swapfile, potentially including passwords. An updated mount package has been issued to fix the problem.
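The check an administrator would want after reading the advisory, as an added example rather than anything from Red Hat's advisory or package: find swap files (not partitions) named in fstab or /proc/swaps, report any readable or writable by group or other, and reset them to 0600. The sample fstab and /proc/swaps text and the swap file it creates are constructed here.

```python
import os
import stat
import tempfile

def swap_files_from_fstab(fstab_text: str) -> list:
    """Swap entries naming a regular file (not /dev/, LABEL= or UUID= sources)."""
    found = []
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[2] == "swap":
            if fields[0].startswith("/") and not fields[0].startswith("/dev/"):
                found.append(fields[0])
    return found

def swap_files_from_proc_swaps(proc_swaps_text: str) -> list:
    """Active swap files from /proc/swaps output (Type column is 'file')."""
    return [f[0] for f in (l.split() for l in proc_swaps_text.splitlines()[1:])
            if len(f) >= 2 and f[1] == "file"]

def exposed_swap_files(paths) -> list:
    """(path, mode) for each existing regular file that group or other can
    read or write: the defect the advisory describes."""
    exposed = []
    for p in sorted(set(paths)):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o077:
            exposed.append((p, stat.S_IMODE(st.st_mode)))
    return exposed

def lock_down(paths) -> None:
    """Apply the mode the installer should have used: owner-only 0600
    (ownership should be root as well, which needs root to correct)."""
    for p in paths:
        os.chmod(p, 0o600)

def demo() -> dict:
    """Constructed sample: one swap partition plus one world-readable swap file."""
    d = tempfile.mkdtemp()
    swapfile = os.path.join(d, "swapfile")
    with open(swapfile, "wb") as f:
        f.write(b"\0" * 16)
    os.chmod(swapfile, 0o644)  # the bad mode from the advisory
    fstab = f"/dev/hda2 none swap sw 0 0\n{swapfile} none swap sw 0 0\n"
    proc_swaps = ("Filename Type Size Used Priority\n"
                  f"/dev/hda2 partition 1024 0 -1\n{swapfile} file 16 0 -2\n")
    candidates = swap_files_from_fstab(fstab) + swap_files_from_proc_swaps(proc_swaps)
    before = exposed_swap_files(candidates)
    lock_down([p for p, _ in before])
    return {"candidates": sorted(set(candidates)), "before": before,
            "after": exposed_swap_files(candidates)}
```

On a real system, feed it the contents of /etc/fstab and /proc/swaps; lock_down needs to run as root.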

mandb symlink vulnerability. Debian reported a symlink vulnerability in mandb, a tool distributed with the man-db package. The vulnerability was found by Ethan Benson. Debian has provided updated packages to fix the problem. Other distributions that install man setgid will also be impacted.

web scripts. The following web scripts were reported to contain vulnerabilities:

  • Al-Stats is a freeware CGI package that can be used to track website traffic. Vulnerabilities have been reported in Al-Stats that can be used both to view files outside the web server tree and possibly overwrite files. Downloading the latest version will resolve the problems. BugTraq ID 2705.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

gnupg 1.0.5 released with multiple security fixes. gnupg 1.0.5 was released on April 29th. Check the May 3rd LWN Security Summary for details. An upgrade to 1.0.5 is recommended.

This week's updates:

Previous updates:

KDEsu tmplink vulnerability. Check the May 3rd LWN Security summary for details. Fixes for the problem are included in kdelibs-2.1.2. The KDE Project recommends an upgrade both to kdelibs-2.1.2 and to KDE 2.1.1.

This week's updates:

Previous updates:

Zope Zclass security update. Check the May 3rd LWN Security Summary for the original report. Sites running Zope should upgrade as soon as possible.

This week's updates:

gftp format string vulnerability. Check the May 3rd LWN Security Summary for the original report or BugTraq ID 2657 for additional details. The problem is fixed in gftp 2.0.8 and later.

This week's updates:

Previous updates:

NEdit temporary file link vulnerability. Check the April 26th LWN Security Summary for the original report or BugTraq ID 2627 for additional details.

This week's updates:

Previous updates:

ntp remotely exploitable static buffer overflow. Check the April 12th LWN Security Summary for the original report. An exploit for this vulnerability has been published and it is remotely exploitable to gain root access, so updating ntp is a high priority for anyone using it. For more details and links to related posts, check BugTraq ID 2540.

This week's updates:

Previous updates:

Netscape 4.76 GIF comment vulnerability. Check the April 12th LWN Security Summary for the original report. The vulnerability can be used to embed executable Javascript in GIF comments which are then executed by the viewer when loading the GIF file. This has been fixed in Netscape 4.77, which is available for download from ftp.netscape.com.

This week's updates:

Previous updates:
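An added example, not code from the original report or from Netscape: a small walker over the GIF block structure that extracts every Comment Extension (label 0xFE) and flags any carrying script markup, the kind of content the report describes. The 1x1 sample image and the SUSPECT pattern are constructed here; a fuller scanner would feed the comments into a proper HTML tokenizer.

```python
import re
import struct

# Markup that has no business in an image comment (constructed pattern; extend to taste).
SUSPECT = re.compile(rb"<\s*script|javascript:", re.IGNORECASE)

def _sub_blocks(data: bytes, pos: int):
    """Concatenate GIF data sub-blocks from pos; return (payload, pos after the 0 terminator)."""
    out = bytearray()
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n

def gif_comments(data: bytes) -> list:
    """Walk the GIF block structure and return every Comment Extension payload."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _w, _h, flags = struct.unpack_from("<HHB", data, 6)  # logical screen descriptor
    pos = 13
    if flags & 0x80:                      # global colour table follows
        pos += 3 * (2 << (flags & 7))
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                 # trailer
            break
        if block == 0x21:                 # extension: label byte, then sub-blocks
            label = data[pos]
            payload, pos = _sub_blocks(data, pos + 1)
            if label == 0xFE:             # comment extension
                comments.append(payload)
        elif block == 0x2C:               # image descriptor
            iflags = data[pos + 8]
            pos += 9
            if iflags & 0x80:             # local colour table
                pos += 3 * (2 << (iflags & 7))
            _, pos = _sub_blocks(data, pos + 1)  # skip LZW min code size, then image data
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))
    return comments

def suspicious_comments(data: bytes) -> list:
    return [c for c in gif_comments(data) if SUSPECT.search(c)]

def _ext(label: int, payload: bytes) -> bytes:
    """Build an extension block, splitting the payload into <=255-byte sub-blocks."""
    chunks = [payload[i:i + 255] for i in range(0, len(payload), 255)]
    return bytes([0x21, label]) + b"".join(bytes([len(c)]) + c for c in chunks) + b"\x00"

# Constructed 1x1 sample: one harmless comment, one carrying script markup.
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
              + _ext(0xFE, b"made by a constructed sample")
              + _ext(0xFE, b"<script>/* constructed marker */</script>")
              + b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
              + b"\x3B")
```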

sgml-tools temporary file vulnerability. See the March 15th LWN security page for the initial report or BugTraq ID 2683 for more details.

This week's updates:

Previous updates:

vixie-cron long username buffer overflow. Check the February 22nd LWN Security Summary for the original report.

This week's updates:

Previous updates:

Analog buffer overflow. An exploitable buffer overflow in analog was reported in the February 22nd LWN Security Summary. Version 4.16 contains a fix for the problem, which affects all earlier versions. Check BugTraq ID 2377 for additional details.

This week's updates:

Previous updates:

dhcp buffer overflow. Check the January 18th LWN Security Summary for the original report from Caldera.

This week's updates:

Previous updates:

squid tmprace problem. Check the January 11th LWN Security Summary for the initial report.

This week's updates:

Previous updates:

dialog lockfile symlink vulnerability. Check the December 28th, 2000 LWN Security Summary for the original report of this problem.

This week's updates:

Previous updates:
  • Debian (December 28th, 2000)

pico symbolic link vulnerability. Check the December 14th, 2000 LWN Security Summary for the initial report of this problem. Note that this has also been reported as a pine vulnerability, but the vulnerable component is still pico, not pine. Check BugTraq ID 2097 for more details.

This week's update:

Previous updates:

ed symlink vulnerability. As originally reported on November 30th, 2000, Alan Cox noticed that GNU ed, a basic line editor, creates temporary files unsafely. The problem has subsequently been fixed in ed 0.2-18.1.

This week's updates:

Previous updates:
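The temporary-file bugs in ed above, and the same class of problem in mandb, pico, NEdit, sgml-tools, dialog and squid earlier on this page, all come down to creating a predictably named file in a way that follows a link already sitting there. As an added example (not code from any of those projects), the unsafe pattern is shown beside two fixes: O_EXCL|O_NOFOLLOW creation at a fixed name, and mkstemp for a random name. The directory, target file and link in demo() are constructed here.

```python
import errno
import os
import tempfile

def unsafe_create(path: str, data: bytes) -> None:
    """The pattern behind this bug class: open a predictable name with
    O_CREAT|O_TRUNC. If a symlink already sits at path, the write follows it."""
    with open(path, "wb") as f:
        f.write(data)

def safe_create(path: str, data: bytes) -> bool:
    """Create path only if nothing exists there yet. O_EXCL makes creation fail
    on any pre-existing entry (a planted symlink included); O_NOFOLLOW is a
    second line of defence; mode 0600 keeps the contents private.
    Returns False rather than writing through a link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True

def mkstemp_create(directory: str, data: bytes) -> str:
    """Preferred fix when the name need not be predictable: mkstemp picks a
    random name and creates it with O_EXCL and mode 0600 in one step."""
    fd, path = tempfile.mkstemp(prefix="ed-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo() -> dict:
    """Constructed scenario: a link named like the program's temp file already
    points at another file. Compare what each creation strategy does to it."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "other-file")
    with open(target, "wb") as f:
        f.write(b"original")
    link = os.path.join(d, "predictable.tmp")
    os.symlink(target, link)
    unsafe_create(link, b"overwritten")        # goes through the link
    after_unsafe = open(target, "rb").read()
    accepted = safe_create(link, b"again")     # refused, target untouched
    after_safe = open(target, "rb").read()
    fresh = mkstemp_create(d, b"private")
    return {"after_unsafe": after_unsafe, "safe_accepted": accepted,
            "after_safe": after_safe, "fresh_mode": os.stat(fresh).st_mode & 0o777}
```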

ncurses buffer overflow. Check the October 12th, 2000 LWN Security Summary for the initial report of this problem.

This week's updates:

Previous updates:
  • Caldera (October 19th, 2000)
  • SuSE (November 2nd, 2000)
  • FreeBSD (November 16th, 2000)
  • Debian (November 30th, 2000)
  • Red Hat (November 30th, 2000)
  • Red Hat, Alpha packages added for RH7 (November 30th, 2000)
  • Immunix (December 7th, 2000)

Format string vulnerability in locale. Check the September 7th, 2000 LWN Security Summary for the initial report or BugTraq ID 1634 (updated January 18th, 2001) for more details. The updates below also address other glibc security issues discussed in the past five months, including the glibc LD_PRELOAD file overwriting vulnerability and the glibc RESOLV_HOST_CONF file read access vulnerability.

This week's updates:

Previous updates:

cvsweb. Versions of cvsweb prior to 1.86 may allow remote reading/writing of arbitrary files as the cvsweb user. Check the July 20th, 2000 Security Summary for the original report from Joey Hess. The FreeBSD advisory also contains a good summary of the problem.

  • Turbolinux, an update to cvsweb-1.93-1 without comment on why the previous update to cvsweb-1.91-3 was not sufficient. This is the same version of cvsweb that FreeBSD provided as a fix.
Older updates:

Resources

Prelude 0.3. Prelude is a Network Intrusion Detection system that MandrakeSoft will be shipping with MandrakeSecurity as an alternative to Snort. Version 0.3 has just been released, but is reportedly much further along than one might expect from a 0.3 level release.

PIKT 1.13.0. PIKT, otherwise known as the Problem Informant/Killer Tool, version 1.13.0 was released on Tuesday, May 8th. "PIKT, an innovative new paradigm for administering heterogeneous networked workstations, is a cross-platform, multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. You can also use PIKT as a basis for managing system security".

Events

Kernel Security Extensions BOF at Usenix. NAI Labs is sponsoring a Kernel Security Extensions BOF (Birds of a Feather session) at the upcoming USENIX Technical Conference being held June 25th through the 30th in Boston, Massachusetts, USA. "Crispin Cowan (WireX), Peter Loscocco (NSA), Amon Ott (RSBAC) and Robert Watson (NAI Labs and the FreeBSD Project) have kindly agreed to kick off the session with short presentations on their work".

For those people unfamiliar with Birds of a Feather (BOF) sessions, they are generally informal events that bring together experts and enthusiasts in a given field. This looks like an excellent one; we wish we could be there.

Digital Rights v. Free Speech: a focus of the upcoming Internet Security Conference. TISC 2001 is coming up June 4th through the 8th, in Los Angeles, CA, USA. It will include a CEO Roundtable entitled "Digital Rights Enforcement". "The TISC CEO Roundtable will include discussion of the current events, technologies and constitutional rights debate surrounding the Secure Digital Music Initiative (SDMI) as it relates to the Digital Millennium Copyright Act (DMCA)".

Upcoming Security Events.

Date | Event | Location
May 13 - 16, 2001 | 2001 IEEE Symposium on Security | Oakland, CA, USA
May 13 - 16, 2001 | CHES 2001 | Paris, France
May 29, 2001 | Security of Mobile Multiagent Systems (SEMAS - 2001) | Montreal, Canada
May 31 - June 1, 2001 | The first European Electronic Signatures Summit | London, England, UK
June 1 - 3, 2001 | Summercon 2001 | Amsterdam, Netherlands
June 4 - 8, 2001 | TISC 2001 | Los Angeles, CA, USA
June 5 - 6, 2001 | 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop | United States Military Academy, Westpoint, New York, USA
June 11 - 13, 2001 | 7th Annual Information Security Conference: Securing the Infocosm: Security, Privacy and Risk | Orlando, FL, USA
June 17 - 22, 2001 | 13th Annual Computer Security Incident Handling Conference (FIRST 2001) | Toulouse, France
June 18 - 20, 2001 | NetSec Network Security Conference (NetSec '01) | New Orleans, Louisiana, USA
June 19 - 20, 2001 | The Biometrics Symposium | Chicago, Illinois, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


May 10, 2001

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved