I've been thinking about the format of my Security Week in Review weekly posting. After some useful input from Mark I've decided to slant this toward Fedora and Red Hat issues. I'll make the occasional general comment if it permits, but I think there is more value if I narrow my focus. The most notable addition will be noting last week's security updates released from Fedora and Red Hat.
Security Updates
- xorg/XFree86
Fixed in FC5, FC6, and Red Hat Enterprise Linux 2.1, 3, and 4.
iDefense reported several integer overflow flaws in the DBE and Render extensions of X.org and XFree86. These flaws affected all versions of XFree86 and X.org shipped in Fedora Core and Red Hat Enterprise Linux. A flaw of this type could allow a local user to elevate their privileges to 'root'.
- libgsf
Fixed in Red Hat Enterprise Linux 3 and 4.
A heap overflow flaw in libgsf was fixed for Red Hat Enterprise Linux. This is not a new flaw; it was discovered in 2006, but it was rated moderate by the Red Hat Security Response Team. There are more security flaws than there is time to fix them. One of the important pieces of keeping a distribution up to date on security issues is to rank them all by priority and fix them in order of importance. That means that a fix such as this one, which is of minor severity, will get pushed onto the back burner when something like the X flaws is discovered.
- acroread
Fixed in Red Hat Enterprise Linux Extras 4.
Red Hat ships Adobe Acrobat Reader as part of Red Hat Enterprise Linux Extras. Acrobat Reader is a closed source application; only Adobe has access to its source code. There are several unique challenges when releasing updates for a closed source application such as Acrobat Reader. We must rely on the analysis of the flaws that Adobe gives us, and use the new binaries provided. Rarely will an Acrobat Reader update fix only security issues: new features are added and various bugs are fixed. This can cause serious problems when updating these packages. In this instance, the new Acrobat Reader will not run on Red Hat Enterprise Linux 3. We're currently working on making this happen, but it causes far more pain than we would normally see with our usual open source updates. I'd say in this instance, open source has rather obvious advantages.
- flash-plugin
Fixed in Red Hat Enterprise Linux Extras 3 and 4.
The Adobe Flash Player was also updated for Red Hat Enterprise Linux Extras. This was an instance of a new binary package (see the acroread explanation above), and a moderate flaw (the libgsf explanation). The update wasn't painless, but wasn't terribly painful either.
- wget
Fixed in FC5 and FC6.
Wget was updated to fix a denial of service flaw triggered when connecting to a malicious FTP server. This is considered a low severity flaw, and while it also affects Red Hat Enterprise Linux, we won't be releasing a wget update just for this flaw. We try to wait and fix several bugs at a time rather than just one low issue here and there.
- krb5
Fixed in FC5 and FC6.
These flaws did not affect the versions of krb5 shipped in Red Hat Enterprise Linux.
- xterm
Fixed in FC5 and FC6.
- avahi
Fixed in FC5.
- mono
Updated in FC5 and FC6.
My biggest gripe of the week would be the Month of Apple Bugs project finding a multi-vendor PDF flaw. They claim the flaw is in the PDF spec itself. The most annoying part of their analysis is that they show an xpdf debugging session on Fedora Core 5 and claim the flaw is exploitable. They fail to mention that the segfault is caused by an infinite recursion flaw. Infinite recursion flaws are not exploitable to allow arbitrary code execution; they will only crash the application. One of the goals of any security response team should be to add value by analyzing information such as this and determining when it's untrue.
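As an added illustration of the mitigation for the kind of unbounded recursion described above, here is a depth-bounded walk over nested objects. This is constructed example code, not xpdf's; the bracket array syntax, MAX_NEST_DEPTH and the function names are assumptions.

```c
#include <stddef.h>
/* Constructed example (not xpdf's code): a depth-bounded recursive walk over
 * nested arrays such as "[[1][2[3]]]", standing in for the nested objects a
 * PDF parser recurses into. Without the bound, deeply nested or self-referencing
 * input exhausts the stack and segfaults; the bound turns that into an error. */
#define MAX_NEST_DEPTH 64

enum { PARSE_OK = 0, PARSE_TOO_DEEP = -1, PARSE_MALFORMED = -2 };

/* Expects doc[*pos] == '['; on success advances *pos past the matching ']'. */
static int walk_array(const char *doc, size_t *pos, int depth)
{
    if (depth > MAX_NEST_DEPTH)
        return PARSE_TOO_DEEP;      /* refuse instead of recursing further */
    if (doc[*pos] != '[')
        return PARSE_MALFORMED;
    (*pos)++;
    while (doc[*pos] != ']') {
        if (doc[*pos] == '\0')
            return PARSE_MALFORMED; /* unterminated array */
        if (doc[*pos] == '[') {
            int rc = walk_array(doc, pos, depth + 1);
            if (rc != PARSE_OK)
                return rc;
        } else {
            (*pos)++;               /* scalar element */
        }
    }
    (*pos)++;                       /* consume ']' */
    return PARSE_OK;
}

/* Parses one whole document; anything after the outer array is malformed. */
int parse_document(const char *doc)
{
    size_t pos = 0;
    int rc = walk_array(doc, &pos, 1);
    return (rc == PARSE_OK && doc[pos] != '\0') ? PARSE_MALFORMED : rc;
}

/* Builds "[[[...]]]" nested `depth` levels (constructed input) and parses it. */
int parse_nesting_of(int depth)
{
    char buf[4096];                 /* room for depth <= 2000 */
    if (depth < 1 || depth > 2000) return PARSE_MALFORMED;
    for (int i = 0; i < depth; i++) { buf[i] = '['; buf[depth + i] = ']'; }
    buf[2 * depth] = '\0';
    return parse_document(buf);
}
```

With the bound in place, a document nested 65 levels deep returns PARSE_TOO_DEEP instead of driving the walker down the stack until the process dies.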