Like many gadgetphiles, I was intrigued by the story that appeared on
Slashdot a couple of months ago about TecHomation's "Toys for Code"
program, and applied for membership right away. A week later, the
first package arrived, and since then, I've had an encouraging glimpse
into a unique Open Source economy, one that doesn't ask how to make
money from Free Software, but how to get Free Software in exchange for
something all hackers love -- technotoys.
Comments sprinkled liberally through your code can be a godsend when
someone else tries to understand what you've done. Better still, they
can save you hours of time when you look at it yourself six months
later. Unfortunately, including certain types of comments is as bad
as not having any at all. Andrew Arensburger shares his thoughts on
how to comment constructively.
With each new generation of operating systems, we are introduced to
new ways of thinking about how our computers work. To simplify things
for the user, we must deploy a consistent interface in which they can
do their work. It is equally important to extend this consistency to
programmers, so they too can benefit. As an operating system ages, it
gradually becomes burdened with a plethora of interfaces which break
the simplicity of its original architecture. Unix originally followed
the "everything is a file" mantra, only to lose sight of that design
with numerous task-specific APIs for transferring files (FTP, HTTP,
RCP, etc.), graphics (X11, svgalib), printers (lp, lpr), etc. Plan 9,
introduced in 1989, demonstrated how even a GUI can be represented as
a set of files, revitalizing the "everything is a file" idea. The
purpose of this paper is to describe a hypothetical operating system
called OOS which aims to push this paradigm even further.
Leading an Open Source project is no simple task, as many of you know
firsthand. Trying to manage all the bug reports, keep the developers
in line, and stay on top of the mailing lists while still trying to
have a life can be a very difficult, yet most rewarding experience.
This advisory covers several vulnerabilities in Zope that have been
addressed. For details check the body of the advisory. Fixed packages can be obtained from
security.debian.org.
Klaus Frank has found a vulnerability in the way gnuserv handled remote connections. Gnuserv is a remote control facility for Emacsen which is available as a standalone program as well as included in XEmacs21. Gnuserv has a buffer for which insufficient boundary checks were made. Unfortunately this buffer affected access control to gnuserv, which uses a MIT-MAGIC-COOKIE based system. It is possible to overflow the buffer containing the cookie and foozle the cookie comparison. Fixed packages can be obtained from
security.debian.org.
Christer Öberg of Wkit Security AB found a problem in joe (Joe's Own Editor). joe will look for a configuration file in three locations: the current directory, the user's home directory ($HOME) and /etc/joe. Since the configuration file can define commands joe will run (for example to check spelling), reading it from the current directory can be dangerous: an attacker can leave a .joerc file in a writable directory, which would be read when an unsuspecting user starts joe in that directory. Fixed packages are available from
security.debian.org.
Bill Nottingham reported a problem in the wrapping/unwrapping functions of the slrn newsreader. A long header in a message might overflow a buffer, which could result in executing arbitrary code encoded in the message. The default configuration does not have wrapping enabled, but it can easily be enabled either by changing the configuration or by pressing W while viewing a message. Fixed packages are available from
security.debian.org.
The version of GNU libc that was distributed with Debian GNU/Linux 2.2
suffered from two security problems. It was possible to use LD_PRELOAD to load libraries that are listed in /etc/ld.so.cache, even for suid programs. This could be used to create (and overwrite) files which a user should not be allowed to write. Also,
by using LD_PROFILE, suid programs would write data to a file in /var/tmp, which was not done safely. Again, this could be used to create (and overwrite) files which a user should not have access to. Fixed packages can be obtained from
security.debian.org.
Former versions of sgml-tools created temporary files directly in /tmp in an insecure fashion. Versions 1.0.9-15 and higher create a subdirectory first and open temporary files within that directory. Fixed packages are available from
security.debian.org.
It has been reported that the AsciiSrc and MultiSrc widgets in the Athena widget library handle temporary files insecurely. Joey Hess has ported the bugfix from XFree86 to these Xaw replacement libraries. Updated packages can be obtained from
security.debian.org.
It has been reported that a local user could tweak Midnight Commander of another user into executing an arbitrary program under the user id of the person running Midnight Commander. This behaviour has been fixed by Andrew V. Samoilov. Updated packages can be obtained from
security.debian.org.
It has been reported that one can tweak man2html remotely into consuming all available memory. This has been fixed by Nicolás Lichtmaier with the help of Stephan Kulow. Updated packages are available from
security.debian.org.
When eperl is installed setuid root, it can switch to the UID/GID of the script's owner. Although Debian doesn't ship the program setuid root, this is a useful feature which people may have activated locally. When the program is used as /usr/lib/cgi-bin/nph-eperl the bugs could lead to a remote vulnerability as well. Fixed packages are available from
security.debian.org.
The author of analog, Stephen Turner, has found a buffer overflow bug in all versions of analog except version 4.16. A malicious user could use an ALIAS command to construct very long strings which were not checked for length and boundaries. This bug is particularly dangerous if the form interface (which allows unknown users to run the program via a CGI script) has been installed. There doesn't seem to be a known exploit. Fixed packages can be obtained from
security.debian.org.
Two problems have been reported for the version of proftpd in Debian 2.2 (potato). There is a configuration error in the postinst script, when the user
enters 'yes', when asked if anonymous access should be enabled.
The postinst script wrongly leaves the 'run as uid/gid root' configuration
option in /etc/proftpd.conf, and adds a 'run as uid/gid nobody' option that
has no effect. The second bug comes up when /var is a symlink, and proftpd is
restarted. When stopping proftpd, the /var symlink is removed; when it's
started again a file named /var is created. Fixed packages are available from
security.debian.org.
I can imagine a lot of you looking at the title of this article and
wondering what on earth you stumbled on. Before I go any further, I'll
have to warn those under 18 or those with faint hearts (and those who
despise any mention of nudity) to please hit the back button and
search for some software. This is not for you.
When starting, joe looks for a configuration file in the current working
directory, the user's home directory, and /etc/joe. A malicious user could create a .joerc file in a world writable directory such as /tmp and thereby cause users running joe inside that directory to use a .joerc file customized to execute commands with their own user IDs. The current working directory has been removed from the list of possible directories for the .joerc configuration file. Updated packages are available from
updates.redhat.com.
New Zope packages are available which fix numerous security
vulnerabilities. See the body of the advisory for details. Updated packages for Red Hat Powertools 6.2 and 7.0 are available from
updates.redhat.com.
If Linux is to become a more popular OS on the home and small office
desktop, it needs to become friendlier not just to the people who use
it there, but also to the people who help them when they run into
trouble.
Previous releases of analog were vulnerable to a buffer overflow where a malicious user could use an ALIAS command to construct very long strings which were not checked for length. This bug was discovered by the program author, and there is no known exploit. Updated packages are available from
Linux often sits far on the trailing edge of hardware support and
plays catch-up on everything from USB to video cards.
Vlatko Kosturjak offers his thoughts on how to improve the situation
so new hardware is usable under Linux ASAP.
A buffer overflow existed in the 'crontab' command if it was called by a user with a username longer than 20 characters. If the system administrator has created usernames of that length, it would be possible for those users to gain elevated privileges. Fixed packages are available from
updates.redhat.com.
One of the most-anticipated of recent Linux developments is the
availability of journaling filesystems. In today's editorial, Philipp
Tomsich provides an overview of the alternatives and his thoughts on
which you should consider using, depending on your needs.
Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox, and others have noted a number of problems in several components of the X Window System sample implementation (from which XFree86 is derived). While there are no known reports of real-world malicious exploits of any of these problems, it is nevertheless suggested that you upgrade your XFree86 packages immediately. New packages are available from
security.debian.org.
Three problems have been reported for the version of proftpd in Debian 2.2 (potato) involving a memory leak in the SIZE command, a similar memory leak in the USER command, and some format string vulnerabilities. All three of the above vulnerabilities have been corrected; the updated packages are available from
security.debian.org.
Three security holes have been fixed in the kernel. One involves ptrace, another involves sysctl, and the last is specific to some Intel CPUs. All three security holes involve local access only
(they do not provide a hole to remote attackers without a local account). The ptrace and sysctl bugs provide local users with the potential to compromise the root account. Neither has an active
exploit available at the time of this writing. The last security hole is a DOS (Denial Of Service) that does not provide access to the root account but does allow any user with shell access the
ability to halt the CPU. The procedure for upgrading the kernel is documented at
www.redhat.com.
Prior versions of OpenSSH are vulnerable to a remote arbitrary memory overwrite attack which may eventually lead to a root exploit. No exploit program is known yet, but one is expected to come up soon. Also, CORE-SDI has described a problem with regard to RSA key exchange and a Bleichenbacher attack to gather the session key from an ssh session. Both problems have been fixed and updated packages are available from
security.debian.org.
Styx has reported that the program `man' mistakenly passes malicious strings (i.e. strings containing format characters) through routines that were not meant to use them as format strings. Since this could cause a segmentation fault and privileges were not dropped, it may lead to an exploit for the 'man' user. Fixed packages may be obtained from
security.debian.org.
The XEmacs package as shipped with Red Hat Linux 7 has a security problem
with gnuserv and gnuclient, due to a buffer overflow and weak security. This update also fixes other minor problems in XEmacs and adds MULE support. The packages are available from
updates.redhat.com.