I've decided to put forth an effort to summarize the previous week's security events and how they relate to the Red Hat and Fedora community. There is a great deal of misleading information any time a security vulnerability is found and fixed. Sometimes it's the result of researchers looking for more press than they deserve, but most likely it's the result of misunderstanding. Security vulnerabilities are usually difficult to understand and usually even harder to assign a proper severity rating to. If you're unfamiliar with how severity is assigned to security issues found in Fedora Core and Red Hat Enterprise Linux, the Security Classification page should help define the ratings. The thing to keep in mind is that the goal of the ratings is to be clear and simple.
So, on to this week's issues.
The two most prominent security updates this week were in PHP 5.2.0 and Wireshark 0.99.4. The PHP update is the more severe of the two.
Wireshark
Wireshark is usually assigned a severity rating of Moderate due to the nature of the program. Most of the flaws will only cause one of the Wireshark dissectors to crash, or sometimes execute arbitrary code. This means that the user will have to capture data off the network or open a malicious network dump file, and then view that data with the affected dissector. Due to the high level of user interaction needed for this attack to succeed, a rating of Important or Critical would be inappropriate. My only issue with this update was the listing of this bug as a security issue:
If AirPcap support was enabled, parsing a WEP key could sometimes cause a crash.
Versions affected: 0.99.3.
That bug is a buffer overflow triggered when a user of AirPcap enters a very long WEP key into a dialog box. If you can be tricked into entering a very long, very odd-looking WEP key into a dialog box, it's likely easier to trick you into running a dangerous command as root. Luckily, AirPcap is a Windows Wireshark add-on, so it doesn't affect us anyway.
PHP
The most important fix in the PHP release is this one:
Fixed a possible buffer overflow in the underlying code responsible for htmlspecialchars() and htmlentities() functions
This flaw could allow a script that passes arbitrary data from a website into the htmlspecialchars() or htmlentities() functions to overflow a buffer and possibly execute arbitrary code. We've assigned it a severity of Important. This issue doesn't deserve a Critical rating since there are too many "ifs": most notably, your PHP application has to pass unsanitized data into one of the vulnerable functions in a certain way.
Most of the other PHP security fixes are in the open_basedir and safe_mode functions. These fixes probably shouldn't be considered security fixes, as they are band-aids, not actual fixes. PHP's built-in safe_mode and open_basedir restrictions are fundamentally broken by design and should not be trusted as a way to secure a PHP installation.
Press
I think the most frustrating security article from last week was a Slashdot story:
Another Denial of Service Bug Found in Firefox 2. I fail to understand how this is considered news. All web browsers have lots of bugs that will crash them. If you've ever tried to load a large XML document in Firefox, you'll have seen what is best described as a DoS bug too. At Red Hat we classify this sort of bug as the "don't do that" kind (a bug, not a security issue). If a user visits a web page that crashes their web browser, they're just not going to visit that page again. I could perhaps understand this issue being news if it could prevent Firefox from starting without blowing away ~/.mozilla, but the actual issue is just plain silly to make a big deal about.
In general, the week was fairly slow, with nothing terribly exciting surfacing. See you next week.