This file lists all changes made between Owl 0.1-prerelease and its corresponding stable branch. Please note that the prerelease itself remains fixed; it is only the stable branch which has these changes.

Changes made between Owl 0.1-prerelease and Owl 0.1-stable.


(2002/07/30 - 2002/08/03)    2002/07/31 - 2002/08/03    Package: openssl
SECURITY FIX    Severity: high, remote, passive to active

Applied the official patch with four security fixes to vulnerabilities discovered by Ben Laurie and others of A.L. Digital Ltd and The Bunker under DARPA's CHATS program, by consultants at Neohapsis, and by Adi Stav and James Yonan. Added two post-0.9.6e security-related changes from the CVS. The first patch has been prepared by Ben Laurie and Dr. Stephen Henson, with one of the fixes partly based on a version by Adi Stav, and back-ported to OpenSSL 0.9.6a by Ademar de Souza Reis Jr. of Conectiva.

The vulnerabilities affect only applications that use OpenSSL to provide SSL or TLS, or that use OpenSSL's ASN.1 parsing code on untrusted input. It hasn't been fully researched whether OpenSSH is affected, but the ASN.1 parsing vulnerability may affect OpenSSH's implementation of SSH protocol 2 in both the server and the client. As Owl currently only includes SSL clients (lftp and links), only passive attacks are possible via the SSL/TLS vulnerabilities on default installs. If, however, any SSL server software that uses OpenSSL is added, active attacks will likely become possible as well.


(2002/02/11)    2002/03/07    Package: zlib
SECURITY FIX    Severity: high, remote, active

There was a vulnerability in the zlib data compression library which, on certain invalid input to decompression, could cause segments of dynamically allocated memory to be deallocated twice (a double-free bug). The second attempt at deallocation would incorrectly treat what may happen to be user-supplied input as data structures internal to the dynamic memory implementation.
As a result, the worst-case impact is the ability to execute arbitrary code within the context of the process doing decompression, via carefully crafted invalid "compressed" input.

On Owl, the zlib vulnerability affected the following packages: gnupg, openssh, rpm, texinfo, and any third-party software which may use the library. Of these, the rpm and texinfo packages contain binaries statically linked against zlib and thus aren't fully fixed by simply installing this zlib update. OpenSSH could potentially allow for an active remote attack resulting in a root compromise. If only SSH protocol version 1 is allowed in the OpenSSH server, this is reduced to a local attack, but reverse remote attack possibilities by a malicious server remain.


(2002/03/05)    2002/03/07    Package: openssh
SECURITY FIX    Severity: high, local/remote, active/passive

Patched an off-by-one channel id check bug discovered by Joost Pol. The bug could be exploited by either a user able to log in to a vulnerable OpenSSH server or a malicious SSH server attacking a vulnerable OpenSSH client. If successful, this could let one execute arbitrary code in the context of the remote server or client process.


2002/03/03    kernel
SECURITY FIX    Severity: medium to high, local to remote, active

Updated to Linux 2.2.20-ow2. This fixes an x86-specific vulnerability in the Linux kernel discovered by Stephan Springl where local users could abuse a binary compatibility interface (lcall) to kill processes not belonging to them (including system processes). Additionally, a kernel instance of the zlib double-free vulnerability is now fixed. Fortunately, the affected parts of the Linux kernel (Deflate compression support for PPP and the experimental Deflate compression extension to IrDA) are normally not used by the Owl userland.


2001/12/14    Package: glibc
SECURITY FIX    Severity: none to high, remote, active

Back-ported a glob(3) buffer overflow fix from the CVS.
The bug was discovered, and an initial patch produced, by Flavio Veloso of Magnux. While no Owl package is known to be affected by this glibc bug, it is likely to result in a security hole with certain third-party software such as FTP servers which support globbing and make use of the glob(3) interface.

At the same time, asprintf(3) and vasprintf(3) have been modified to behave predictably on errors and match the semantics of Todd Miller's implementation found on *BSD, and the uses within glibc itself now handle possible errors; thanks to Dmitry V. Levin of ALT Linux for discovering and looking into these issues. syslog(3) will no longer blindly trust __progname for the syslog ident if called by a SUID/SGID program without a preceding call to openlog(3). Certain minor corrections to the crypt(3) manual page have been applied. In general, the package has been mostly synced with Owl-current, except for one fix specific to the Alpha.


2001/12/12    Package: openssh
SECURITY FIX    Severity: none to high, local, active

Updated to 3.0.2p1, which fixes a security problem with UseLogin: if UseLogin is enabled in the sshd configuration, a local user could gain root access by passing arbitrary environment variable settings to login(1) via authorized_keys file options. UseLogin has never been enabled on Owl by default and its use is discouraged.


2001/11/03    kernel
SECURITY FIX    Severity: none to medium, remote, active

Updated to Linux 2.2.20-ow1. Compared to our previous recommended kernel version/patch (2.2.19-ow3 or 2.2.19-ow4), Linux 2.2.20 adds a workaround for a vulnerability with certain packet filter setups and SYN cookies (http://cr.yp.to/syncookies.html) where the packet filter rules could be bypassed. Additionally, 2.2.20-ow1 moves even more of the support for combined ELF/a.out setups (in particular, uselib(2) and its related a.out library loaders) under the configuration option introduced with 2.2.19-ow4.
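The double-free class behind the 2002/03/07 zlib and 2002/03/03 kernel entries above, as an added example that is not zlib, kernel or Owl code: a toy decompressor state whose error path frees a buffer and leaves the stale pointer behind, beside the hardened form that clears the owning pointer on every free. The names inflate_state, inflate_init, inflate_block and inflate_end, the block-type check and the sample bytes are all constructed for illustration.

```c
/*
 * Added example, not zlib, kernel or Owl code: the double-free pattern
 * from the zlib and kernel entries, shown on a toy decompressor state.
 * All names and the block-type check are illustrative assumptions.
 */
#include <stdlib.h>
#include <string.h>

#define INF_OK     0
#define INF_ERROR (-1)
#define TABLE_SIZE 1024

struct inflate_state {
    unsigned char *window;  /* sliding window for back-references */
    unsigned char *table;   /* decoding table built per block */
};

int inflate_init(struct inflate_state *s, size_t wsize)
{
    memset(s, 0, sizeof *s);
    s->window = malloc(wsize);
    s->table = malloc(TABLE_SIZE);
    if (s->window == NULL || s->table == NULL) {
        free(s->window);
        free(s->table);
        s->window = s->table = NULL;
        return INF_ERROR;
    }
    return INF_OK;
}

/*
 * VULNERABLE pattern (do not run this pair on invalid input): the error
 * path frees the table but keeps the stale pointer in the state, so the
 * normal cleanup frees the same chunk a second time. By then the freed
 * chunk may hold attacker-controlled "compressed" bytes that the allocator
 * interprets as its own bookkeeping: that is what turns a malformed
 * stream into code execution in the decompressing process.
 */
int inflate_block_vulnerable(struct inflate_state *s,
                             const unsigned char *in, size_t len)
{
    if (len == 0 || in[0] > 2) {  /* toy check: block type byte must be 0..2 */
        free(s->table);           /* first free, pointer left dangling */
        return INF_ERROR;
    }
    return INF_OK;
}

int inflate_end_vulnerable(struct inflate_state *s)
{
    free(s->window);
    free(s->table);   /* second free of the same chunk after an error */
    return INF_OK;
}

/* HARDENED: one release routine owns every free() and clears the pointer,
 * so a later release sees NULL, and free(NULL) is a defined no-op. */
static void release(unsigned char **p)
{
    free(*p);
    *p = NULL;
}

int inflate_block(struct inflate_state *s, const unsigned char *in, size_t len)
{
    if (len == 0 || in[0] > 2) {
        release(&s->table);
        return INF_ERROR;
    }
    return INF_OK;
}

int inflate_end(struct inflate_state *s)
{
    release(&s->window);
    release(&s->table);
    return INF_OK;
}

/* Run the hardened path on constructed invalid input (block type 7) and
 * return 1 if the error was flagged and cleanup left no dangling pointers. */
int demo_invalid_input(void)
{
    static const unsigned char bad[] = { 0x07, 0x41, 0x41, 0x41 }; /* constructed */
    struct inflate_state s;
    int rc;

    if (inflate_init(&s, 32768) != INF_OK)
        return 0;
    rc = inflate_block(&s, bad, sizeof bad);
    inflate_end(&s);
    return rc == INF_ERROR && s.window == NULL && s.table == NULL;
}

/* Same driver on constructed valid input (block type 1): no error, clean end. */
int demo_valid_input(void)
{
    static const unsigned char good[] = { 0x01, 0x00 };  /* constructed */
    struct inflate_state s;
    int rc;

    if (inflate_init(&s, 32768) != INF_OK)
        return 0;
    rc = inflate_block(&s, good, sizeof good);
    inflate_end(&s);
    return rc == INF_OK && s.window == NULL && s.table == NULL;
}
```

The hardened version does not make the error path smarter; it makes every free go through a routine that also updates the owner, so the question "has this already been freed?" can no longer have two answers. That is the same property the pam_pwdb entry below relies on by accident (zeroed memory reaching the second free) and that a fix should guarantee by construction.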
(2001/10/28)    2001/11/03    Package: popa3d

Updated to 0.5, which adds a popa3d(8) man page.


2001/10/22    kernel
RELIABILITY FIX:

Updated to Linux 2.2.19-ow4, which fixes a symbol export issue introduced with 2.2.19-ow3 and moves the support for ELF executables which use an a.out format interpreter (dynamic linker) into a separate configuration option (disabled by default).


2001/10/18    kernel
SECURITY FIX    Severity: low to high, local, active

A new revision of the Openwall Linux kernel patch, 2.2.19-ow3, is now available. It contains fixes for two Linux kernel vulnerabilities discovered by Rafal Wojtczuk and is strongly recommended for use with Owl.

One of the vulnerabilities affected SUID/SGID execution by processes being traced with ptrace(2). It was possible to trick the kernel into recognizing an unsuspecting SUID root program as the (privileged) tracer process. Then, if that program would execute a program supplied by the malicious user (with the user's credentials), the user's program would inherit the ability to trace. Fortunately, there's no program that would meet all of the requirements for this attack in the default Owl install. However, certain supported non-default configurations of Owl are affected. In particular, if newgrp(1) is made available to untrusted users (which is a supported owl-control setting) or certain third-party software which contains SUID root binaries is installed, the vulnerability may become exploitable and result in a local root compromise.

The other vulnerability allowed for an effective local DoS attack by causing the kernel to spend an almost arbitrary amount of time on dereferencing a single symlink, without giving other processes a chance to run.


2001/09/27    Package: gzip
SECURITY FIX    Severity: low, local, passive

Patched unsafe temporary file handling in gzexe, zdiff, and znew, based on work by Todd Miller of OpenBSD.
(2001/06/29)    2001/09/27    Package: mktemp

Switched to packaging the portable mktemp, now that Todd Miller maintains it in addition to the OpenBSD-specific version. :-)


2001/09/27    Package: openssh
SECURITY FIX    Severity: low to high, remote, passive to active

Updated to 2.9.9p2, which fixes three security issues compared to our previous package version. The issues are:

1. The "from=" restriction in ~/.ssh/authorized_keys2 could fail to work when the file defines a mix of RSA and DSA keys.

2. A discrepancy with the documentation: the authorized_keys* options didn't restrict the use of sftp. They do so now. sftp has never been enabled on Owl by default (it is owl-control'able).

3. As discovered by Yang Yu, the "echo simulation" traffic analysis countermeasure produced an extra echo packet for the carriage return after password entry. That could serve as a traffic signature for attackers.


2001/09/03    Package: groff
SECURITY FIX    Severity: none to high, remote, active

zen-parse has demonstrated a security problem with format string processing in the plot command of pic(1) when groff is used with LPRng on Red Hat Linux. While Owl doesn't (yet?) include a print server, our groff package did have the unfortunate pic(1) property and did provide a print filter for use on potentially untrusted input by a third-party print server package one could install. This has now been corrected. A patch by Sebastian Krahmer of SuSE Security Team has been applied to pic(1) to restrict the format string processing. The print filter has been dropped from the package.


2001/07/30    Package: pam
RELIABILITY FIX:

Fixed a double-free bug in pam_pwdb which caused it to segfault after successful password changes in some cases. The bug was specific to Owl. :-( Fortunately, this had no security impact, as the memory area was zeroed out before the second call to free(3), such that no user input would reach it.
(2001/07/05 - 2001/07/22)    2001/07/22    Package: xinetd
SECURITY FIX    Severity: none to high, remote, active

Performed an audit of the xinetd source code for several classes of vulnerabilities, and applied _many_ security and reliability fixes. The patch is 100 KB in size. See AUDIT in the package documentation. None of the vulnerabilities are known to affect the default xinetd configuration on Owl.


2001/07/10    Package: tar
RELIABILITY FIX:

There was a bug which caused tar to loop endlessly on a read error when verifying archives (this affected both -W/--verify and -d/--diff/--compare). The bug is now fixed.


2001/07/06    Package: openssl
SECURITY FIX    Severity: none to medium, remote, passive to active

Applied patches provided by the OpenSSL team to correct a PRNG weakness which under unusual circumstances could allow an attacker to determine the internal state of the PRNG and thus to predict future PRNG output. This problem was discovered and reported to the OpenSSL team by Markku-Juhani O. Saarinen. No applications are known to be affected at this time.


(2001/05/29 - 2001/06/29)    2001/06/29    Package: xinetd
SECURITY FIX    Severity: none to high, remote, active

Updated to 2.3.0, which fixes the problem with xinetd's string handling routines discovered by Sebastian Krahmer of SuSE Security Team. This should complete an earlier security fix to the buffer overflow in the xinetd logging code discovered by zen-parse. The buffer overflow could be triggered by a remote attacker via xinetd's ident (RFC 1413) lookup feature and could allow for the execution of arbitrary code as the user xinetd is running as (typically root). ident lookups are and have always been disabled in the Owl xinetd package by default.

Additionally, this update ensures the umask is no less restrictive than 022 when starting programs from xinetd (and it is actually set to 077 by the startup scripts).
The old xinetd behavior was to set the umask to 0, which resulted in a vulnerability on setups we support (Owl with third-party services installed).


2001/06/29    Owl/doc/fr/*

Updated French translations, from Denis Ducamp.


2001/06/27    Package: gpm
SECURITY FIX    Severity: none to low, physical, active

The mouse event handler gpm-root, if enabled, handled user-supplied configuration files unsafely, allowing a user with physical access to the mouse to gain root privileges on the running system. gpm-root was never started on Owl by default, and has now been moved to a separate subpackage which would need to be explicitly enabled to build. The support for user-supplied configuration files is now patched out and the documentation is updated accordingly. Additionally, many gpm-root reliability bugs, including the format string bug reported by Colin Phipps to Debian (http://bugs.debian.org/102031), have been fixed.


2001/06/24    Owl/doc/CHANGES

New file: the system-wide change log will now be maintained.


(2001/06/21)    2001/06/23    Owl build environment

First attempt at supporting multiple branches.


(2001/06/21 - 2001/06/23)    2001/06/23    Package: owl-setup
RELIABILITY FIX:

Set the domain in /etc/resolv.conf; ensure the newly created /etc/resolv.conf and /etc/hosts are mode 644.


(2001/06/15)    2001/06/23    Package: shadow-utils
DOCUMENTATION FIX:

Rewrote most of the login.defs(5) man page and enabled its packaging. Added more defaults to /etc/login.defs, added a reference to login.defs(5). Fixed a bug in the lastlog(8) man page reported by Jarno Huuskonen.


(2001/06/14)    2001/06/23    Package: openssh
SECURITY FIX    Severity: none to low, remote, active

Prevent additional timing leaks with null passwords (when allowed). The default OpenSSH server configuration on Owl doesn't allow null passwords, making this a non-issue (not that it's much of an issue either way). When null passwords were allowed, the old package made it somewhat easier for a remote attacker to check whether a username is valid.
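The umask floor described in the 2001/06/29 xinetd entry above, and applied again to init and start-stop-daemon in the 2001/05/29 SysVinit/owl-startup entry further down, as an added example that is not xinetd's, SysVinit's or owl-startup's code: a C helper that raises an inherited umask to at least 022 while keeping a stricter one, the 077 setting a daemon() helper would apply, and the file mode a child actually gets under each mask. The function names are illustrative.

```c
/*
 * Added example, not Owl's xinetd, SysVinit or owl-startup code: enforce a
 * umask floor in a service launcher before fork/exec. Function names are
 * illustrative assumptions.
 */
#include <sys/types.h>
#include <sys/stat.h>

/* Read the current umask without changing it: umask(2) only returns the
 * previous value, so set it to 0 and immediately put it back. */
mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

/*
 * Make sure the process umask clears at least the bits in `floor`
 * (022: no write for group or other). An inherited mask that is already
 * stricter (e.g. 027 or 077) is kept, because OR-ing only adds bits.
 * Returns the mask now in effect.
 */
mode_t enforce_umask_floor(mode_t floor)
{
    mode_t old = umask(0);
    mode_t wanted = old | floor;
    umask(wanted);
    return wanted;
}

/* What a daemon() helper does when a service is started by hand rather
 * than from the startup scripts: do not trust the caller's mask at all. */
mode_t daemon_umask(void)
{
    umask(077);
    return current_umask();
}

/* Mode a child ends up with when it creates a file with `requested` under
 * `mask`: the pre-fix xinetd behaviour (mask 0) turns 0666 into a
 * world-writable file, the 022 floor gives 0644, 077 gives 0600. */
mode_t effective_mode(mode_t requested, mode_t mask)
{
    return requested & ~mask & 0777;
}
```

The point of the floor rather than a fixed value is that a launcher must never make the mask looser than what it inherited; the separate 077 in the manual-start path is the conservative choice for a process whose caller's environment is unknown.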
(2001/06/14)    2001/06/23    Package: pam_userpass
RELIABILITY FIX:

Deal with null passwords correctly. Before this change, null passwords wouldn't work even when allowed for a service.


(2001/06/12)    2001/06/23    Package: screen
SECURITY FIX    Severity: low, local, passive

Updated to 3.9.9, patched the unsafe temporary file handling in the configure script (which made it unsafe to _build_ screen).


(2001/06/11)    2001/06/23    Package: openssh
SECURITY FIX    Severity: low, local, active

Switch credentials when cleaning up temporary files and sockets to fix the vulnerability reported by zen-parse on Bugtraq which could allow a local user to remove files named "cookies" located anywhere on the system. The patch is by Markus Friedl (intended for testing only), with a later OpenSSH CVS change added and two bugs fixed.


(2001/06/04)    2001/06/23    Owl/doc/CONTACT

New file: explains Owl public mailing lists (only owl-users at the moment) and e-mail contacts.


(2001/06/03)    2001/06/23    Package: glibc
SECURITY FIX    Severity: low to medium, local, passive

Synced the fts(3) routines with current OpenBSD and FreeBSD; this was triggered by Nick Cleaton's report of yet another FTS vulnerability to FreeBSD, and a discussion with Kris Kennaway and Todd Miller. It should no longer be possible to trick FTS into leaving the intended directory hierarchy, but DoS attacks on FTS itself remain possible. The FTS code is used by software ported from BSD, including the Owl mtree package. GNU software uses other implementations, several of which will need fixing as well (our findutils package has included a fix since before the 0.1-prerelease, but there's room for improvement).


(2001/06/03)    2001/06/23    Package: glibc
DOCUMENTATION FIX:

Updated to crypt_blowfish-0.4.1, which includes a crypt.3 man page that is more friendly to makewhatis.
(2001/05/30)    2001/06/23    Package: gnupg
SECURITY FIX    Severity: high, remote, passive

Updated to 1.0.6, which includes a fix to the format string vulnerability discovered by fish stiqz of Synnergy Networks. This vulnerability can allow a (possibly remote) attacker to execute arbitrary code as the user who attempted decryption of a specially crafted file. While the potential impact of this vulnerability is high, the chances of its successful exploitation in a real-world attack are low due to technical and social reasons.


(2001/05/29)    2001/06/23    Packages: SysVinit, owl-startup
SECURITY FIX    Severity: none to medium, local, passive to active

Ensure the umask is no less restrictive than 022 when starting programs from init and start-stop-daemon. Set the umask to 077 in daemon() for the case when a service is started manually rather than from rc.sysinit. The change to init is only critical when running certain 2.4.x Linux kernel versions, which we don't yet support. The changes to start-stop-daemon and owl-startup are redundant.


(2001/05/27)    2001/06/23    Package: gawk
SECURITY FIX    Severity: low, local, passive

Patched unsafe temporary file handling in igawk, based on a report and patch from Jarno Huuskonen (updated the igawk example in the texinfo documentation for gawk, which is used as the source for building the final igawk script). This is a very minor security problem, as igawk is hardly ever used.


(2001/05/27 - 2001/06/19)    2001/06/23    Package: popa3d
RELIABILITY FIX:

Updated from an earlier development version to 0.4.9.1.


(2001/05/23)    2001/06/23    Package: sysklogd
SECURITY FIX    Severity: none to medium, local, active

Back-ported a klogd DoS fix from 1.4.1, thanks to the reports from Jarno Huuskonen and Thomas Roessler, who initially reported the problem to Debian (see http://bugs.debian.org/85478). The problem would only show up when the kernel or a kernel module incorrectly passes a NUL byte for logging.
Linux 2.2.19 isn't known to have bugs like this, but some Linux 2.4.x kernels are.


(2001/05/18)    2001/06/23    Owl/doc/CREDITS

New file: presents our development team and others involved with Owl.


(2001/05/18 - 2001/06/12)    2001/06/23    Package: man

Updated to 1.5i and later to 1.5i2. These versions are meant to fix the published ways to attack man when it is installed SUID/SGID, but the fixes are imperfect by design. Owl has never installed man SUID or SGID. Additionally, our makewhatis script was fixed before we released. Thus, this isn't a security update.


(2001/05/15)    2001/06/23    Owl/doc/fr/*

New files: French translations of the documentation, from Denis Ducamp.

$Id: CHANGES,v 1.2.2.24 2002/08/03 04:01:23 solar Exp $