[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 On the Desktop
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters
All in one big page

See also: last week's Security page.

Security


News and Editorials

European Parliament Report on Echelon. A European Parliment report released on Tuesday, March 24th, 2001, based on seven months of testimony, concluded that a world-wide spy network does exist. A leaked copy of the report is available, thanks to the ever-useful Cryptome site.

It makes for interesting reading - if you have a lot of time. Those in a bit more of a hurry may need to content themselves with this CNN article. The report appears confident that the "world-wide spy network" exists, and that it directly involves the U.S., Britain, Canada, New Zealand and Australia. Note that, while confirming that such a network was started back in 1948, the US and British administrations flatly deny that it continues to exist.

Meanwhile, from the Free Software and Open Source community perspective, two strong recommendations are made in the report that concern us directly: "The report recommends the routine encryption of all electronic mail and the use of open source software -- where the code of programs is open to both private and official inspection."

This is a confirmation of what we've predicted for several years, that world-wide governmental security needs would push the demand for Free and Open Source software. It is fun to be watching as those predictions bear fruit.

Quarterly CERT summary. Here is the quarterly CERT summary listing the most significant outstanding security issues on the net. There are few surprises there - the same old BIND vulnerabilities continue to be exploited, indicating that many sites still have not applied fixes for them.

The RISKS of calculating Pi in binary. From the RISKS digest we have this bit of amusement on the dangers of calculating Pi in binary. Among other things, one risks prosecution for violation of the Digital Millennium Copyright Act and exposure to nasty cracking software. Be careful out there.

Spring Cleaning continues. We are continuing to see new distribution updates for old security problems come out this week. Being optimistic, we hope this means that all of the security teams are doing a comprehensive spring cleaning, checking to make sure they've closed all the known security holes. We're confident there are more out there that need to be plugged. In fact, if you check the update section below, several vulnerabilities clearly have only been addressed by a small number of the distributions.

Turbolinux, Linux-Mandrake and Engarde Security Linux are among the distributions plugging old holes this week.

Security Reports

gnupg format string vulnerability. A potential format string vulnerability has been reported in gnupg. A proof-of-concept exploit was published with the report. gnupg 1.0.5 and earlier are vulnerable; gnupg 1.0.6 contains a fix for this problem and an upgrade is recommended. Here is the changelog for gnupg 1.0.6. BugTraq ID 2797.

Webmin environment variable inheritance vulnerability. Webmin, a Unix web-based systems administration tool, has been reported in versions 0.84 and earlier not to properly clear all environment variables before it runs. As a result, the environment variable HTTP_AUTHORIZATION can be used to gain access to the Webmin login and password.

Although Webmin 0.8.5 resolves this problem, it uses cookies in a manner that may also be exploitable to attach to a running Webmin session. No fix for this latter problem has yet been reported. Disabling Webmin until a fix is available is the only currently reported option. Check the BugTraq discussion for more details or BugTraq ID 2795.

  • Caldera, disabling Webmin recommended, no updated packages available yet.

TWIG Webmail SQL query modification vulnerability. TWIG is a PHP-based groupware tool released under the GNU GPL. Under TWIG 2.6.1 and earlier, it has been reported that an unauthorized user may be able to modify SQL queries by including form variables in SQL query strings. As a result, they may be able to perform unauthorized operations. The most recent version of TWIG is 2.6.2. We do not currently have any confirmed information on whether or not this problem was resolved in TWIG 2.6.2. A review of the Changelog was inconclusive, nor was it confirmed that the TWIG developers had been notified of the problem.

Distributed Queueing System (DQS) buffer overflow. The Distributed Queuing System (DQS) is an experimental Unix-based queueing system from the Supercomputer Computations Research Institute. It is "freely distributed Copyrighted software". A buffer overflow has been reported in DQS in the 'dsh' utility. This utility is installed setuid in some packages, making it possible for the vulnerability to be exploited to gain local root access. 'dsh' is not an essential feature of DQS, so it can be removed, or the setuid bit can be removed, to quickly resolve the problem.

DQS is apparently shipped with Debian and SuSE; Debian is not vulnerable, SuSE 6.3, 6.4 and 7.0 have been reported to be vulnerable. SuSE is aware of the problem and will be provided updated packages soon. Meanwhile, they recommend that either the package be removed or the setuid bit modified.

Drake Diedrich also noted that DQS is no longer supported by SCRI, but they have refused to relax distribution restrictions on the software, making it difficult for an active developer community to be founded.

Guardian Digital WebTool inherited environment variable vulnerability. Guardian Digital WebTool is a package provided with Engarde Secure Linux. It is apparently a tool that can be used to manage services; certainly one of the functions it has is to restart a service. Unfortunately, with WebTool 1.0.71 and earlier, certain environment variables are inherited by the restarted process when they should not be. As a result, WebTool can be exploited locally potentially to gain root access. An upgrade to WebTool 1.0.72 will resolve the problem. This issue should be specific to Engarde Secure Linux.

Turbolinux-specific pmake vulnerability. Turbolinux issued an advisory this week to fix a security problem specific to that distribution. Pmake was shipped setuid root, making it exploitable to a local root attack. Updated packages are provided.

NetBSD IPv4 denial-of-service vulnerability. NetBSD has issued an advisory warning that bogus IPv4 fragmented packets can be used to prevent a NetBSD node from communicating with other nodes. Exploits have been published but are not always successful. NetBSD 1.5.x systems can be upgraded to resolve the problem. There is no fix for NetBSD 1.4.x as of yet. BugTraq ID 2799.

NetBSD Hitachi Super-H port input verification vulnerability. NetBSD issued an advisory this week warning that a vulnerability was found in their Hitachi Super-H port where failure to validate input to a system call resulted in access to the Status Register by unauthorized users. Only the sh3 port (Hitachi Super-H) is affected. An upgrade to NetBSD-current will resolve the problem. BugTraq ID 2810.

web scripts. The following web scripts were reported to contain vulnerabilities:

  • MIMAnet Source Viewer, a freely available CGI script for viewing source code files, has been reported vulnerable to a directory traversal attack. The vendor has been notified and has confirmed the vulnerability. A workaround is provided; a fix is pending.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

  • Nine vulnerabilities were reported this week in the Beck GmbH IPC@CHIP single chip embedded webserver. Check the Security Focus Vulnerability Database for details.

  • Computer Associates InoculateIT, an anti-virus package, has been reported to be vulnerable to a symbolic link file overwriting attack, e.g., a symbolic link is created in /tmp during installation which could be exploited by an attacker to overwrite an arbitrary file on the system. No vendor response has been reported so far.

  • Cisco has reported a vulnerability in Cisco IOS Software whereby security scanning software can trigger a memory leak. Fixes for the problem have been made available. BugTraq ID 2804.

Updates

vixie-cron crontab permissions lowering failure. Check the May 10th LWN Security Summary for the original report. Vixie Cron 3.0pl1 fixes this latest problem.

This week's updates:

Previous updates:

mandb symlink vulnerability. In the week of May 10th, Debian reported a symlink vulnerability in mandb, a tool distributed with the man-db package. The vulnerability was found by Ethan Benson. Other distributions that install man setgid are also impacted.

This week's updates:

Previous updates:

KDEsu tmplink vulnerability. Check the May 3rd LWN Security summary for details. Fixes for the problem are included in kdelibs-2.1.2. The KDE Project recommends an upgrade both to kdelibs-2.1.2 and to KDE 2.1.1.

This week's updates:

Previous updates:

Multiple security fixes in OpenSSL-0.9.6a. OpenSSL-0.9.6a was announced the week of April 26th and contains fixes for four security issues. An upgrade to the latest version is recommended.

This week's updates:

Previous updates:

Samba local disk corruption vulnerability. Check the April 19th LWN Security Summary for the original report. This problem has been fixed in Samba 2.0.9 and an upgrade is recommended. Note that all versions of Samba from (and including) 1.9.17alpha4 are vulnerable (except 2.0.9, of course). BugTraq ID 2617.

Note that 2.0.8 was originally believed to fix this problem, but did not. As a result, some of the original distribution updates had to be re-released with 2.0.9. Samba 2.2.0 users are not affected by this problem.

This week's updates:

Previous updates:

IP Filter fragment caching vulnerability. Check the April 12th LWN Security Summary for the initial report. IP Filter 3.4.17 has been released with a fix for the problem. BugTraq ID 2545.

This week's updates:

Previous updates:

VIM statusline Text-Embedded Command Execution Vulnerability. A security problem was reported in VIM the week of March 29th wherein VIM codes could be maliciously embedded in files and then executed in vim-enhanced or vim-X11. Check BugTraq ID 2510 for more details.

This week's updates:

Previous updates:

Multiple vulnerabilities in bind 8.2.2 and bind 4. Check the February 1st LWN Security Summary for the initial reports. Bind 8.2.3 contains fixes for the problems with 8.2.2. Bind 4 fixes are also available, but an upgrade to bind 8 or even bind 9 is generally considered a preferable approach.

Note that the latest version of bind is now 8.2.4. It does not include any new security updates, but is recommended by some distributions in preference to 8.2.3.

This week's updates:

  • Trustix, packages updated to 8.2.4

Previous updates:

pico symbolic link vulnerability. Check the December 14th, 2000 LWN Security Summary for the initial report of this problem. Note that this has also been reported as a pine vulnerability, but the vulnerable component is still pico, not pine. Check BugTraq ID 2097 for more details.

This week's update:

Previous updates:

ncurses buffer overflow. Check the October 12th, 2000 LWN Security Summary for the initial report of this problem.

This week's updates:

Previous updates:

Resources

WireX releases FormatGuard. WireX has officially released FormatGuard. Its purpose is to protect programs against format string attacks. It's an extension to the C library, and is released under the LGPL.

vsftpd 0.9.1 released. vsftpd 0.9.1 is now available. Several nasty bugs and one race condition have been fixed.

Delivering Signals for Fun and Profit. Michal Zalewski has published a paper entitled "Delivering Signals for Fun and Profit" in which he discusses understanding, exploiting and preventing signal-handling related vulnerabilities. "According to a popular belief, writing signal handlers has little or nothing to do with secure programming, as long as handler code itself looks good. At the same time, there have been discussions on functions that shall be invoked from handlers, and functions that shall never, ever be used there. Most Unix systems provide a standarized set of signal-safe library calls. Few systems have extensive documentation of signal-safe calls - that includes OpenBSD, Solaris, etc".

TCTUTILs and the Autopsy Forensic Browser versions 1.0.1. Brian Carrier has released version 1.0.1 of TCLUTILS and the Autopsy Forensic Browser. "TCTUTILs is a set of tools that are built on the framework of The Coroners Toolkit (TCT). ... Autopsy is an HTML-based graphical interface to TCT, TCTUTILs, and basic UNIX utilities".

Events

Call-For-Papers: SANE 2002. Just in time to make you feel like the year has flown by, the Call-For-Papers for the 3rd International SANE Conference (SANE 2002) has been published. SANE 2002 will be held May 27th through the 31st, 2002, in Maastricht, The Netherlands.

Upcoming Security Events.
Date Event Location
May 31 - June 1, 2001The first European Electronic Signatures SummitLondon, England, UK
June 1 - 3, 2001Summercon 2001Amsterdam, Netherlands
June 4 - 8, 2001TISC 2001Los Angeles, CA, USA
June 5 - 6, 20012nd Annual IEEE Systems, Man, and Cybernetics Information Assurance WorkshopUnited States Military Academy, Westpoint, New York, USA
June 11 - 13, 20017th Annual Information Security Conference: Securing the Infocosm: Security, Privacy and RiskOrlando, FL, USA.
June 17 - 22, 200113th Annual Computer Security Incident Handling Conference (FIRST 2001)Toulouse, France
June 18 - 20, 2001NetSec Network Security Conference(NetSec '01)New Orleans, Louisiana, USA.
June 19 - 20, 2001The Biometrics SymposiumChicago, Illinois, USA.
June 19 - 21, 2001PKI Forum Members Meeting(Kempinski Hotel Airport Munchen)Munich, Germany
July 11 - 12, 2001Black Hat Briefings USA '01Las Vegas, Nevada, USA.

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


May 31, 2001

LWN Resources
Security alerts archive

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal
 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds