Bugtraq mailing list archives

Re: Linux /usr/bin/gnuplot overflow


From: marc () SUSE DE (Marc Heuse)
Date: Sat, 6 Mar 1999 15:23:23 +0100


Hi,

I apologize that SuSE isn't currently fast with its security fixes :-(
We've got a heavy work load currently, suse 6.1 is being built, cebit fair
is coming, holiday of some important guys, and our 2nd security guy will
begin his work in april. additionally we are currently redesigning our
security fix process to make it fast and reliable. But we are no magicians
:-((

below are responses to several comments people made:

I strongly second this recommendation. I'll mail S.u.S.E. about it, if
no-one else does (but then, they're bound to have someone reading bugtraq,
right?).

of course ;-)

Not necessarily. SuSE has still not fixed the lsof buffer overflow either,
even though lsof is setgid kmem and /dev/kmem is group writable (!)
I mailed them earlier this week and got as response that they have a new
lsof which unfortunately would require kernel 2.2. As quick fix they suggested
removing the group write permissions from /dev/kmem....

right, this is our current problem. However, this is not a solution because an
attacker can still read from kmem (sniff passwords etc.).
our package maintainer is also on holiday, which adds to our current trouble,
not to mention we are currently under heavy activity to release SuSE 6.1.

However I'll try to make a fix available for lsof monday->wednesday.

If you use SuSE and you care a _lot_ about local security you must edit
/etc/rc.config and set PERMISSION_SECURITY="paranoid". That way gnuplot
would _not_ be suidroot. See the contents of /etc/permissions.paranoid:
[...]

Well, maybe this is the point to talk about some stuff we are currently
developing:

1) an (unofficial) SuSE hardening script which reconfigures your system after
answering nine questions
2) OpenBSD like /etc/security checks which run on a regular basis
3) two mailing lists:
 suse-security () suse com               for public discussions and our announcements
 suse-security-announce () suse com only for your announcements
 note that you can already subscribe to suse-security, suse-security-announce
 will be set up this week. Both lists will be activated mid march, please be
 patient, we've got a very heavy load currently :-(
4) automatic announcements ;-) this is currently under development.

I'll email betas of 1) and 2) on our public security mailing list so people
can comment and discuss enhancements.

I just tried once to fix the disinformation on the list about SuSE
xtvscreen suidroot but Aleph One didn't accept my email. I don't know
why Aleph One didn't accept my first email. Aleph?

xtvscreen is fixed, updated to the newest version and we did put some more
security checks in. it should be available monday->wednesday on our ftp
servers

OTOH, no-one with any kind of security concern on their mind would install
SVGAlib, in its current state, would they?

well, I think even a home-end-user might be interested in a security fix ;-)


Greets,
        Marc
--
  Marc Heuse, S.u.S.E. GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: marc () suse de      Function: Security Support & Auditing
  issue a  "finger marc () suse de | pgp -fka" for my public pgp key
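
Added example, not part of the original message and not SuSE's code: a check for the point made above that removing group write from /dev/kmem still leaves a setgid-kmem binary able to read kernel memory. The gid value, the file modes and the sample list are constructed assumptions; `scan()` inspects a live system.

```python
import os
import stat

def group_access(mode):
    """Access the owning group has to a node, as a set of 'read'/'write'."""
    access = set()
    if mode & stat.S_IRGRP:
        access.add("read")
    if mode & stat.S_IWGRP:
        access.add("write")
    return access

def kmem_exposure(dev_mode, dev_gid, binaries):
    """binaries: iterable of (path, mode, gid).
    Report setgid executables running with the device's group, together
    with what that group may do to the device."""
    access = group_access(dev_mode)
    if not access:
        return []
    any_exec = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return [(path, sorted(access))
            for path, mode, gid in binaries
            if mode & stat.S_ISGID and mode & any_exec and gid == dev_gid]

def scan(dev="/dev/kmem", dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Run the same check against the local filesystem."""
    try:
        dev_st = os.stat(dev)
    except OSError:
        return []  # device node not present on this system
    found = []
    for d in dirs:
        try:
            entries = list(os.scandir(d))
        except OSError:
            continue
        for e in entries:
            st = e.stat(follow_symlinks=False)
            if stat.S_ISREG(st.st_mode):
                found.append((e.path, st.st_mode, st.st_gid))
    return kmem_exposure(dev_st.st_mode, dev_st.st_gid, found)

# Constructed sample: gid 9 stands in for group kmem (assumption).
KMEM_GID = 9
SAMPLE = [("/usr/bin/lsof", 0o102755, KMEM_GID),   # setgid kmem
          ("/usr/bin/gnuplot", 0o104755, 0),       # setuid root, other group
          ("/bin/ls", 0o100755, 0)]

if __name__ == "__main__":
    for dev_mode in (0o020660, 0o020640):  # before and after chmod g-w
        print(oct(dev_mode), kmem_exposure(dev_mode, KMEM_GID, SAMPLE))
```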


