Applications are available for Linux to help with everything from
balancing your checkbook to managing payroll and inventory for a
Fortune 500 megacorp. This review hopes to point you in the right
direction for whatever you need to do.
Cda, a setuid commandline part of xmcd, a X11/Motif audio CD player by Ti Kan <email@example.com>, was found vulnerable by a link attack and some buffer overflows. These bugs could be exploited by an adversary, who has access to the
system, to overwrite files or gain higher privileges. As a temporary fix, just remove the setuid bit from cda or let just trusted users execute cda. Don't forget to add these changes to your /etc/permissions.local file. Users of SuSE 7.2 with permissions.secure or permissions.paranoid activated are safe, because setuid is already removed. Updated RPMs of the xmcd package can be found on ftp.suse.com
A problem in the package could allow directory indexing, and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by placing a custom crafted request to the Apache server consisting of a long path name created artificially by using numerous slashes, this can cause these modules to misbehave, making it possible to escape the error page, and gain a listing of the directory contents. This vulnerability makes it possible for a malicious remote user to launch an information gathering attack, which could potentially result in compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19. Fixed packages can be obtained from security.debian.org
In October, I wrote an editorial on why VB should not be brought to
Linux. One of the key points I touched upon was that VB's strengths
lie in its IDE and its ties to ADO, MTS, and now .NET. I said that
good replacements for VB were Python and Java. Now I would like to
delve deeper into the importance of Java on Linux, and the importance
of Linux to Java.
Steven van Acker reported on bugtraq that the version of cfingerd (a configurable finger daemon) as distributed in Debian GNU/Linux 2.2 suffers from two problems: The code that reads configuration files (files in which $ commands are expanded) copied its input to a buffer without checking for a buffer overflow. When the ALLOW_LINE_PARSING feature is enabled that code is used for reading users files as well, so local users could exploit this. Also, there also was a printf call in the same routine that did not protect against printf format attacks. Since ALLOW_LINE_PARSING is enabled in the default /etc/cfingerd.conf local users could use this to gain root access. Both problems have been addressed in version 1.4.1-1.2 which is available from security.debian.org
zen-parse reported on bugtraq that there is a possible buffer overflow in the logging code from xinetd. This could be triggered by using a fake identd that returns special replies when xinetd does an ident request. Another problem is that xinetd sets it umask to 0. As a result any programs that xinetd start that are not careful with file permissions will create world-writable files. Fixed packages are available from security.debian.org
Samuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102 terminal emulator for X) have a buffer overflow in the tt_printf() function. A local user could abuse this making rxvt print a special string using that function, for example by using the -T or -name command-line options. That string would cause a stack overflow and contain code which rxvt will execute. Since rxvt is installed sgid utmp an attacker could use this to gain utmp which would allow him to modify the utmp file. Fixed packages are available from security.debian.org
The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation)
as distributed in Debian GNU/Linux 2.2 suffers from two problems. fish stiqz reported on bugtraq that there was a printf format problem in the do_get() function: it printed a prompt which included the filename that was being decrypted without checking for possible printf format attacks. This could be exploited by tricking someone into decrypting a file with a specially crafted filename. The second bug is related to importing secret keys: when gnupg imported a secret key it would immediately make the associated public key fully trusted which changes your web of trust without asking for a confirmation. To fix this you now need a special option to import a secret key. Fixed packages are available from security.debian.org
Wolfram Kleff found a problem in fetchmail: it would crash when processing emails with extremely long headers. The problem was a buffer overflow in the header parser which could be exploited. Fixed packages are available from security.debian.org
Megyer Laszlo found a printf format bug in the exim mail transfer agent. The code that checks the header syntax of an email logs an error without protecting itself against printf format attacks. This problem has been fixed in version 3.12-10.1. Since that code is not turned on by default a standard installation is not vulnerable,
but it is still recommended to upgrade
your exim package.
Lusers! Anyone who manages systems for any length of time will sooner
or later deal with the difficult user. This user might be a new
employee accustomed to doing her own thing, a long-time staffer
under a deadline, a clueless newbie, a consultant brought in for an
important project, a manager who wants some matter brought to the
head of the line, or any other number of more or less impatient and
irritating personalities. What they have in common is that they want
something from you and they are standing at your desk.
During the past 10 years, I have been involved with several software
development projects, and most of them turned bad along the way. Some
of the projects I have been involved with started badly, and I was one
of a group called in to attempt to correct things, or I was one of the
developers who was involved for the whole duration of the
project. These are some of my observations about the state of things
and what might be done to correct them.
Information should be Free... but what if it's used to take away the
freedom of others? The GPL places technical restrictions on the use
of the software it protects. Bjorn Gohla believes it should also
place political restrictions on it.
Ethan Benson found a bug in man-db packages as distributed in Debian/GNU/Linux 2.2. man-db includes a mandb tool which is used to build an index of the manual pages installed on a system. When the -u or - -c option were given on the command-line to tell it to write its database to a different location it failed to properly drop privileges before creating a temporary file. This makes it possible for an attacked to do a standard symlink attack to trick mandb into overwriting any file that is writable by uid man, which includes the man and mandb binaries. Fixed packages are available from security.debian.org
The gftp package as distributed with Debian GNU/Linux 2.2 has a problem in its logging code: it logged data received from the network but it did not protect itself from printf format attacks. An attacker can use this by making a FTP server return special responses that exploit this. Fixed packages are available from security.debian.org
A new Zope hotfix has been released which fixes a problem in ZClasses. The README for the 2001-05-01 hotfix describes the problem as `any user can visit a ZClass declaration and change the ZClass permission mappings for methods and other objects defined within the ZClass, possibly allowing for unauthorized access within the Zope instance.' This has been fixed in the latest zope packages available from security.debian.org
A recent (fall 2000) security fix to cron introduced an error in giving
up privileges before invoking the editor. A malicious user could
easily gain root access. Though no exploits are known to exist, it is recommended that you upgrade to the new cron packages available from security.debian.org
By now, you've all had time to wander through freshmeat ][ and get the
lay of the land. You've found your way around the Trove category
system we've adopted, and many of you have recategorized your projects
to fit into the Trove map, so people browsing through it will find your
work. (Those of you who haven't are heartily encouraged to use the
"recategorize" function on the project menu on your project's
page. :) You may have noticed that there are categories available for
software that runs on several operating systems, and that one of them
is for PalmOS projects.
Who pays the developers? The company they work for, right? But what
about those developers who develop Open Source software after hours,
on their own time and equipment? Who pays them? Many say no one does
and no one should. After all, it's Free Software. You don't get paid
for Free Software. Before we develop such a closed attitude, let's
take a look at what one of the founders of the Free Software movement
has to say.
The nedit (Nirvana editor) package as shipped in the non-free section accompanying Debian GNU/Linux 2.2/potato had a bug in its printing code: when printing text it would create a temporary file with the to be printed text and pass that on to the print system. The temporary file was not created safely, which could be exploited by an attacked to make nedit overwrite arbitrary files. Fixed packages are available from security.debian.org
Daniel Kobras has discovered and fixed a problem in sendfiled which caused the daemon not to drop privileges as expected when sending notification mails. Exploiting this a local user can easily make it execute arbitrary code under root privileges. Updated packages can be obtained from security.debian.org
Most software packages need to install a large number of files to
work -- binaries, images, documentation, etc. Until now, this has
been done by providing an install script (possibly in a Makefile or
an RPM spec file) which puts each file in its correct location. If
you're lucky, there may also be an uninstaller to get rid of them
again. Both must be run as root, which is awkward and has security
issues. In this article, I present an alternative system.
Colin Phipps and Daniel Kobras discovered and fixed several serious bugs in the saft daemon `sendfiled' which caused it to drop privileges incorrectly. Exploiting this a local user can easily make it execute arbitrary code under root privileges. Fixed packages are available from security.debian.org
Matthias Johnson shares his ideas on taking users groups a step further
and providing a physical place where the world at large can meet the
Free Software community.
Megyer Laszlo report on Bugtraq that the cfingerd Debian as distributed with Debian GNU/Linux 2.2 was not careful in its logging code. By combining this with an off-by-one error in the code that copied the username from an ident response cfingerd could exploited by a remote user. Since cfingerd does not drop its root privileges until after it has determined which user to finger an attacker can gain
root privileges. This has been fixed in version 1.4.1-1.1, which is available from security.debian.org
Marcus Meissner discovered that samba was not creating temporary
files safely in two places. Namely, when a remote user queried a printer queue samba would creates a temporary file in which the queue data would be written and smbclient's "more" and "mput" commands also create temporary files in /tmp insecurely. Both problems have been fixed in version 2.0.7-3.2 which is available from security.debian.org
The kernels used in Debian GNU/Linux 2.2 have been found to have multiple security problems. A list of problems can be found at www.linux.org.uk
, updated kernel packages can be obtained from security.debian.org
Colin Phipps discovered that the exuberant-ctags packages as distributed with Debian GNU/Linux 2.2 creates temporary files insecurely. This has been fixed in version 1:3.2.4-0.1 of the Debian package
, and upstream version 3.5.
Przemyslaw Frasunek reported that ntp daemons such as that released with Debian GNU/Linux are vulnerable to a buffer overflow that can lead to a remote root exploit. This has been corrected for Debian 2.2 (potato) in ntp version 4.0.99g-2potato1 which is available from security.debian.org