Applications are available for Linux to help with everything from
balancing your checkbook to managing payroll and inventory for a
Fortune 500 megacorp. This review hopes to point you in the right
direction for whatever you need to do.
cda, a setuid command-line utility that is part of xmcd, an X11/Motif audio CD player by Ti Kan <ti@amb.org>, was found vulnerable to a link attack and several buffer overflows. These bugs could be exploited by an adversary who has access to the system to overwrite files or gain higher privileges. As a temporary fix, remove the setuid bit from cda or allow only trusted users to execute it. Don't forget to record these changes in your /etc/permissions.local file. Users of SuSE 7.2 with permissions.secure or permissions.paranoid activated are safe, because the setuid bit is already removed. Updated RPMs of the xmcd package can be found on ftp.suse.com.
A problem in the Apache package allows directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex and mod_negotiation. By sending a specially crafted request consisting of a long path name made up of numerous slashes, an attacker can cause these modules to misbehave, bypassing the error page and obtaining a listing of the directory contents. This makes it possible for a malicious remote user to carry out an information gathering attack, which could potentially lead to a compromise of the system. This vulnerability affects all releases of Apache prior to 1.3.19. Fixed packages can be obtained from security.debian.org.
In October, I wrote an editorial on why VB should not be brought to
Linux. One of the key points I touched upon was that VB's strengths
lie in its IDE and its ties to ADO, MTS, and now .NET. I said that
good replacements for VB were Python and Java. Now I would like to
delve deeper into the importance of Java on Linux, and the importance
of Linux to Java.
Steven van Acker reported on bugtraq that the version of cfingerd (a configurable finger daemon) as distributed in Debian GNU/Linux 2.2 suffers from two problems. First, the code that reads configuration files (files in which $ commands are expanded) copied its input to a buffer without checking for a buffer overflow. When the ALLOW_LINE_PARSING feature is enabled that code is used for reading user files as well, so local users could exploit this. Second, a printf call in the same routine did not protect against printf format attacks. Since ALLOW_LINE_PARSING is enabled in the default /etc/cfingerd.conf, local users could use this to gain root access. Both problems have been addressed in version 1.4.1-1.2, which is available from security.debian.org.
zen-parse reported on bugtraq that there is a possible buffer overflow in the logging code of xinetd. This could be triggered by using a fake identd that returns special replies when xinetd makes an ident request. Another problem is that xinetd sets its umask to 0. As a result, any program that xinetd starts that is not careful with file permissions will create world-writable files. Fixed packages are available from security.debian.org.
Samuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102 terminal emulator for X) has a buffer overflow in the tt_printf() function. A local user could abuse this by making rxvt print a special string using that function, for example via the -T or -name command-line options. That string would cause a stack overflow and could contain code which rxvt would then execute. Since rxvt is installed sgid utmp, an attacker could use this to gain the utmp group, which would allow them to modify the utmp file. Fixed packages are available from security.debian.org.
The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation) as distributed in Debian GNU/Linux 2.2 suffers from two problems. fish stiqz reported on bugtraq that there was a printf format problem in the do_get() function: it printed a prompt which included the filename that was being decrypted without checking for possible printf format attacks. This could be exploited by tricking someone into decrypting a file with a specially crafted filename. The second bug is related to importing secret keys: when gnupg imported a secret key it would immediately make the associated public key fully trusted, which changes your web of trust without asking for confirmation. To fix this, you now need a special option to import a secret key. Fixed packages are available from security.debian.org.
Wolfram Kleff found a problem in fetchmail: it would crash when processing emails with extremely long headers. The cause was a buffer overflow in the header parser, which could be exploited. Fixed packages are available from security.debian.org.
Megyer Laszlo found a printf format bug in the exim mail transfer agent. The code that checks the header syntax of an email logs an error without protecting itself against printf format attacks. This problem has been fixed in version 3.12-10.1. Since that code is not turned on by default, a standard installation is not vulnerable, but it is still recommended to upgrade your exim package.
Lusers! Anyone who manages systems for any length of time will sooner
or later deal with the difficult user. This user might be a new
employee accustomed to doing her own thing, a long-time staffer
under a deadline, a clueless newbie, a consultant brought in for an
important project, a manager who wants some matter brought to the
head of the line, or any other number of more or less impatient and
irritating personalities. What they have in common is that they want
something from you and they are standing at your desk.
During the past 10 years, I have been involved with several software
development projects, and most of them turned bad along the way. Some
of the projects I have been involved with started badly, and I was one
of a group called in to attempt to correct things, or I was one of the
developers who was involved for the whole duration of the
project. These are some of my observations about the state of things
and what might be done to correct them.
Information should be Free... but what if it's used to take away the
freedom of others? The GPL places technical restrictions on the use
of the software it protects. Bjorn Gohla believes it should also
place political restrictions on it.
Ethan Benson found a bug in the man-db packages as distributed in Debian GNU/Linux 2.2. man-db includes a mandb tool which is used to build an index of the manual pages installed on a system. When the -u or -c option was given on the command line to tell it to write its database to a different location, it failed to properly drop privileges before creating a temporary file. This makes it possible for an attacker to use a standard symlink attack to trick mandb into overwriting any file that is writable by uid man, which includes the man and mandb binaries. Fixed packages are available from security.debian.org.
The gftp package as distributed with Debian GNU/Linux 2.2 has a problem in its logging code: it logged data received from the network but did not protect itself from printf format attacks. An attacker can exploit this by making an FTP server return specially crafted responses. Fixed packages are available from security.debian.org.
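The cfingerd, GnuPG, exim and gftp items above share one bug pattern: text that came from the network or from a filename is handed to the formatter as its format string. The C below is an added example (not code from any of those packages) showing the hardened shape, where the format is a constant and the untrusted text is only ever a %s argument; the names contains_format_directives and format_log_line, and the sample reply, are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable shape looks like this (do not do this):
 *
 *     syslog(LOG_INFO, received);      -- `received` becomes the format string
 *
 * Every '%' directive inside `received` is then interpreted by the formatter,
 * which is exactly the printf format attack the advisories describe. */

/* Returns 1 if an untrusted string carries conversion directives that a
 * formatter would interpret ("%%" is a literal percent and is ignored).
 * Useful as a canary in tests and when reviewing logging code. */
int contains_format_directives(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            return 1;
        }
    }
    return 0;
}

/* Hardened logging helper: the format is a compile-time constant and the
 * untrusted text is passed as a %s argument, so its contents are inert.
 * Returns the number of characters written, or -1 on truncation or error. */
int format_log_line(char *out, size_t outsz, const char *peer, const char *received)
{
    int n = snprintf(out, outsz, "ident reply from %s: %s", peer, received);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample: an ident reply carrying directives, as the xinetd
     * and cfingerd items describe. The peer address is a documentation range. */
    const char *reply = "alice %s%s%n";
    char line[128];
    if (format_log_line(line, sizeof line, "192.0.2.10", reply) < 0)
        return 1;
    printf("directives present: %d\n", contains_format_directives(reply));
    printf("%s\n", line);   /* the directives appear literally, unexpanded */
    return 0;
}
```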
A new Zope hotfix has been released which fixes a problem in ZClasses. The README for the 2001-05-01 hotfix describes the problem as `any user can visit a ZClass declaration and change the ZClass permission mappings for methods and other objects defined within the ZClass, possibly allowing for unauthorized access within the Zope instance.' This has been fixed in the latest zope packages available from
security.debian.org.
A recent (fall 2000) security fix to cron introduced an error in giving
up privileges before invoking the editor. A malicious user could
easily gain root access. Though no exploits are known to exist, it is recommended that you upgrade to the new cron packages available from
security.debian.org immediately.
By now, you've all had time to wander through freshmeat ][ and get the
lay of the land. You've found your way around the Trove category
system we've adopted, and many of you have recategorized your projects
to fit into the Trove map, so people browsing through it will find your
work. (Those of you who haven't are heartily encouraged to use the
"recategorize" function on the project menu on your project's
page. :) You may have noticed that there are categories available for
software that runs on several operating systems, and that one of them
is for PalmOS projects.
Who pays the developers? The company they work for, right? But what
about those developers who develop Open Source software after hours,
on their own time and equipment? Who pays them? Many say no one does
and no one should. After all, it's Free Software. You don't get paid
for Free Software. Before we develop such a closed attitude, let's
take a look at what one of the founders of the Free Software movement
has to say.
The nedit (Nirvana editor) package as shipped in the non-free section accompanying Debian GNU/Linux 2.2/potato had a bug in its printing code: when printing text it would create a temporary file containing the text to be printed and pass that on to the print system. The temporary file was not created safely, which could be exploited by an attacker to make nedit overwrite arbitrary files. Fixed packages are available from security.debian.org.
Daniel Kobras has discovered and fixed a problem in sendfiled which caused the daemon not to drop privileges as expected when sending notification mails. By exploiting this, a local user can easily make it execute arbitrary code with root privileges. Updated packages can be obtained from security.debian.org.
Florian Wesch has discovered a problem (reported to bugtraq) with the way Netscape handles comments in GIF files. The Netscape browser does not escape the GIF file comment in the image information page. This allows JavaScript execution in the "about:" protocol and can, for example, be used to upload the history (about:global) to a web server, thus leaking private information. This problem has been fixed upstream in Netscape 4.77. Updated Debian packages are available from security.debian.org.
Most software packages need to install a large number of files to
work -- binaries, images, documentation, etc. Until now, this has
been done by providing an install script (possibly in a Makefile or
an RPM spec file) which puts each file in its correct location. If
you're lucky, there may also be an uninstaller to get rid of them
again. Both must be run as root, which is awkward and has security
issues. In this article, I present an alternative system.
Colin Phipps and Daniel Kobras discovered and fixed several serious bugs in the saft daemon `sendfiled' which caused it to drop privileges incorrectly. By exploiting this, a local user can easily make it execute arbitrary code with root privileges. Fixed packages are available from security.debian.org.
Matthias Johnson shares his ideas on taking users groups a step further
and providing a physical place where the world at large can meet the
Free Software community.
Megyer Laszlo reported on Bugtraq that the cfingerd package as distributed with Debian GNU/Linux 2.2 was not careful in its logging code. By combining this with an off-by-one error in the code that copied the username from an ident response, cfingerd could be exploited by a remote user. Since cfingerd does not drop its root privileges until after it has determined which user to finger, an attacker can gain root privileges. This has been fixed in version 1.4.1-1.1, which is available from security.debian.org.
Marcus Meissner discovered that samba was not creating temporary files safely in two places. Namely, when a remote user queried a printer queue, samba would create a temporary file in which the queue data would be written, and smbclient's "more" and "mput" commands also created temporary files in /tmp insecurely. Both problems have been fixed in version 2.0.7-3.2, which is available from security.debian.org.
The kernels used in Debian GNU/Linux 2.2 have been found to have multiple security problems. A list of problems can be found at www.linux.org.uk; updated kernel packages can be obtained from security.debian.org.
Colin Phipps discovered that the exuberant-ctags packages as distributed with Debian GNU/Linux 2.2 create temporary files insecurely. This has been fixed in version 1:3.2.4-0.1 of the Debian package, and upstream version 3.5.
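The mandb, nedit, samba and exuberant-ctags items all come down to the same mistake: a temporary file with a predictable name is opened without O_EXCL, so a symlink planted at that name by another local user is followed and the target overwritten. The C below is an added example, not code from any of those packages, of the safe pattern with mkstemp(); it also reproduces the umask-0 situation from the xinetd item to show why an explicit narrow mode matters. The function names and the /tmp scratch paths are assumptions made here.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The vulnerable shape is roughly
 *     open("/tmp/prog.<pid>", O_WRONLY|O_CREAT|O_TRUNC, 0666);
 * If that name already exists as a symlink, the privileged program
 * truncates and writes whatever the link points at. */

/* Create a private temp file under dir. Returns the fd (or -1) and stores
 * the generated path in path_out so the caller can unlink it later.
 * mkstemp() picks an unpredictable name, opens with O_CREAT|O_EXCL (an
 * existing symlink makes it fail instead of being followed) and uses 0600. */
int create_private_tempfile(const char *dir, char *path_out, size_t path_sz)
{
    int n = snprintf(path_out, path_sz, "%s/tmpfile.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_sz)
        return -1;
    return mkstemp(path_out);
}

/* Permission bits of an open file, or -1 on error. */
int file_mode_bits(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Runs both approaches under umask 0 (what xinetd gave its children): an
 * explicit 0666 then yields a world-writable file, while mkstemp's 0600
 * stays narrow. Returns 1 when exactly that is observed, -1 on setup error. */
int demo_under_umask_zero(void)
{
    char dir[] = "/tmp/demo.XXXXXX", wide[80], narrow[80];
    if (mkdtemp(dir) == NULL)            /* private 0700 scratch directory */
        return -1;
    mode_t saved = umask(0);
    snprintf(wide, sizeof wide, "%s/wide", dir);
    int fd_wide = open(wide, O_WRONLY | O_CREAT | O_EXCL, 0666);
    int fd_narrow = create_private_tempfile(dir, narrow, sizeof narrow);
    umask(saved);                        /* restore the caller's umask */
    int m_wide = file_mode_bits(fd_wide), m_narrow = file_mode_bits(fd_narrow);
    if (fd_wide >= 0)   { close(fd_wide);   unlink(wide);   }
    if (fd_narrow >= 0) { close(fd_narrow); unlink(narrow); }
    rmdir(dir);
    return (m_wide == 0666 && m_narrow == 0600) ? 1 : 0;
}
```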
Przemyslaw Frasunek reported that ntp daemons such as that released with Debian GNU/Linux are vulnerable to a buffer overflow that can lead to a remote root exploit. This has been corrected for Debian 2.2 (potato) in ntp version 4.0.99g-2potato1 which is available from
security.debian.org.