Beware...
Of people issuing "security" patches. Last week a couple of Linux distributions were suckered into updating lcms with a patch coming from a certain Andrea Barisani. Because of an alleged security risk... Well, this patch completely and utterly broke lcms. And right at the time when we were tagging KOffice RC1, so people who run up-to-date distros started reporting crashes in Krita. We nearly got a heart attack thinking it was our code...
To quote Marti Maria, the lcms maintainer:
The short history is, a guy called Andrea Barisani, claiming to represent some obscure security company called oCERT, was providing a patch to fix a "vulnerability" they found.
At the end, the oCERT company was just Andrea Barsiani who setup ocert in 2008 to get google sponsoring.
The whole internet is now filled with hype about this "vulnerability", and in truth this "patch" breaks littlecms functionality, and probably opens some back door, so, please:
DON'T USE PATCHES FROM UNTRUSTED SOURCES.
I guess you were told something similar in school right? :-)
The problem, if any, is restricted to a very specific architecture (x86, no DEP, crafted profile).
With this patch lcms does not work at all. Please upgrade to 1.18 and let's forget all this nasty stuff.
So, if you're packaging lcms for your distro, please upgrade to 1.18. And, please, if you patch lcms, make sure it's an official patch, from a trusted source. Like, Marti Maria...
Update: Kubuntu has a fix, and Marc Deslauriers has identified the possible culprit from the security patch. This patch was also in 1.18b1, but removed in 1.18b2.
Re: Beware...
Francesco wrote on Fri, 03 Apr 2009 14:05
I do know the Andrea in question; he's been involved for many years in open source, devoting time and effort to it. Maybe the patch was made in a hurry and with errors, but the way you put it here, it seems it was done voluntarily to put in a backdoor. Everyone makes errors; what sense does it make to name people in such a strong manner? Would it be fine if someone did the same to you the next time you introduce a bug?
Re: Beware...
Diego E. 'Flameeyes' Pettenò wrote on Fri, 03 Apr 2009 14:48
Okay, so let's start calling names at everybody who ever committed something to any open source project that could have caused an issue?
There is no backdoor nor malice, shit happens. The fact that one patch from Andrea was moot does not mean that the rest of his patches (and whether you and lcms upstream know that or not, there have been many in the past four years at least) are.
Really not a good thing to spread FUD around people, especially those working hard for the good of the community.
Re: Re: Beware...
Emto wrote on Fri, 03 Apr 2009 15:27
You don't understand, Diego. This post was mainly advice to packagers that they should check with upstream whether the proposed security patch is known to the upstream developers. And packagers in my opinion should check this before applying a patch.
Re: Re: Re: Beware...
Xake wrote on Sat, 04 Apr 2009 11:00
...and what you seem not to get is that relaying info is good, but relaying the bullshit of a person who obviously does not have a clue about what he is writing is not.
"DON'T USE PATCHES FROM UNTRUSTED SOURCES" means that you should never ever use a patch, even when you have reviewed it. And if you or Marti Maria had just taken the time to google that name, you would have found links like http://eecue.com/log_archive/eecue-log-725-Black_Hat_2007___Day_2___Andrea_Barisani__amp__Daniele_Bianco.html showing why many of Marti's assumptions in this comment are pure bullshit.
So I understand Diego for getting upset about you relaying bullshit, but still he should handle the source, this Marti Maria, that I think I should add to my list of "UNTRUSTED SOURCES".
Re: Re: Re: Re: Beware...
Boudewijn Rempt wrote on Sat, 04 Apr 2009 13:17
Then you'd better uninstall gimp, krita, firefox and a lot of other apps, xake, because they all use lcms.
Re: Beware...
joe wrote on Fri, 03 Apr 2009 16:06
The part of the patch that broke Krita was included upstream in 1.18beta1. It's not an "untrusted" patch that broke Krita, it was a patch the upstream had accepted into official source.
Re: Beware...
Tim wrote on Fri, 03 Apr 2009 18:35
No, oCERT isn't just Andrea, please check http://www.ocert.org/team_and_members.html. The oCERT team provide valuable support when dealing with the free/open source community regarding vulnerabilities that are independently discovered, even with large projects such as KDE.
Re: Beware...
marti wrote on Fri, 03 Apr 2009 21:56
Please read my message. I didn't release any patch. I only released version 1.18, which works and has the bug solved. Beta1 and 2 were internal release candidates. I didn't release any of those. My complaint was about a person not related to lcms releasing a patch that breaks functionality after I specifically warned him that the patch was ill-behaved. I have been very strict these 10 years on qualifying releases, just to avoid things like that. And frankly, detailing how this bug can be used to write a virus doesn't help security very much: http://scarybeastsecurity.blogspot.com/2009/03/littlecms-exploit.html But please, let's forget this story completely, we have lcms 1.18 with all this solved, and this is the only
Re: Re: Beware...
Tim wrote on Sat, 04 Apr 2009 18:33
"I have been those 10 years very strict on qualifying releases, just to avoid things like that."
But not strict enough to stop the vulnerability in the first place. Mistakes happen I'm sure you will agree.
"And frankly, detailing how this bug can be used to write a virus doesn't help very much to security stuff"
If the problem is as restricted as you say, how will this hurt? What Chris (not Andrea) has done is post some analysis of the bug and how it might be exploited. His post isn't weaponised, nor is it a virus. The analysis is useful for people that need to analyse the risk that the bug poses.
Re: Re: Re: Beware...
Marti wrote on Sat, 04 Apr 2009 19:21
>Mistakes happen I'm sure you will agree.
Sure, and I'm the first one to blame for introducing the bug. You are right. When I first posted a beta, there were many other fixes like that. So, why make all that noise? Why not just tell me about the bug and wait a month until the 1.18 final release? This is what made me suspicious. Anyway, this is going out of control, so let's stop it now. I've posted a mail on the lcms mailing list regarding that.
Now I have some real work to do.
Re: Beware...
Marti wrote on Fri, 03 Apr 2009 20:37
beta1 was the result of applying this patch (among other things). I just created beta2 when I detected the patch was faulty. The patch was NOT from upstream, just the contrary.
Re: Beware...
Joshua Jackson wrote on Fri, 03 Apr 2009 21:12
I'm sure this won't actually be posted...however:
I actually looked at the patch and I'm no C or C++ programmer, just able to read code well enough to get the gist of things.
The patch was not malicious in nature. Marti seems to be placing the blame on others in this case instead of accepting responsibility. Ultimately it's the upstream who accepted the patch, applied it, and released it.
Was the patch possibly a source of a problem? Sure. Could it have been tested better before submitting? Sure, but it could and should have been reviewed like all other patches should be before being included in any release. If it indeed was tested at all...
I'm disappointed in both Marti and you Rempt. If you looked at the code, you'd see that the patch in question didn't add any huge backdoors.
By blindly posting this, you do a disservice to not only your organization, but also to everyone who is involved with this.
Re: Beware...
Boudewijn wrote on Fri, 03 Apr 2009 22:51
Sorry for the interruption. Apparently my comment system has a problem with some characters in the comments. I had to hack the comments file to fix that.
At the same time I did, intentionally, and I will do it again, remove a few comments I found offensive. These are my bytes, on my harddisk, and I'll do with them what I want.
Re: Beware...
Andrea Barisani wrote on Sun, 05 Apr 2009 01:03
The patch didn't come from me, the patch came from Chris Evans and was evaluated by Marti for improving the security of lcms.
oCERT, which is not a company but an open source project committed to helping other open source projects (see http://ocert.org for the facts) acts as a clearinghouse and mediator in making sure the patches are promptly reviewed and accepted by maintainers and pushed to vendors in a timely fashion.
Vendors were told to patch lcms with the available beta version (authored by Marti) but they decided to use Chris Evans's patch, which had a minor issue (and we warned vendors beforehand that the patch was not 100% tested and that the beta version was to be favoured). Marti was unable to provide an incremental security patch and some vendors evidently felt that switching to the new version was too much of a big deal, and they went against our advice. Such is life. The patch's intention was to protect lcms from a real security issue (we have a PoC that executes arbitrary code), the patch broke it, vendors used it, we are sorry that happened.
But oCERT is not an "obscure company" and the security risk in lcms was real and proved by a PoC. We don't provide "backdoors" and anyone competent enough to read the patch knows that it provides some integer checking and fixes lcms issues rather than opening a security risk.
"At the end, the oCERT company was just Andrea Barsiani who setup ocert in 2008 to get google sponsoring."
This is plain FUD, Marti. Check your facts before accusing projects that are just trying to help you (and which you thanked for our coordination effort, quite a change of mind now).
I think this thread comments itself, there isn't too much to add.
It's sad to see these kind of reactions.
The people who know better and know the good work of oCERT I am sure will ignore all of this.
Cheers
Re: Re: Beware...
Marti wrote on Sun, 05 Apr 2009 16:11
>but they decided to use Chris Evan's patch which had a minor issue (and we warned vendors beforehand that the patch was not 100% tested and that beta version was to be favored).
Andrea, if that is true then the vendors are the ones to blame. But I am still very disappointed by the way you managed all that. Now the whole internet is filled with talk about lcms being insecure
http://blogsearch.google.de/blogsearch?hl=en&q=littlecms and there are some patches around, some distributed by you, that are capable of opening back doors, yes, they can, as I have received several reports of crashes after applying the patch. Crashes=possible backdoor. Maybe not in the library itself, but certainly possible on the application side. If you make money patching someone else's code, that's fine, I picked the MIT license which allows this usage too. But you have distributed Chris's patch, when I specifically warned you it breaks lcms functionality. This affects lcms's reputation, and is certainly unfortunate for me.
Otherwise, sorry if my words were too strong, I did send a mail clarifying that to lcms mailing list, but I am still receiving complaints of people saying that MY patch is breaking functionality.
Regarding my comments about oCERT origins, see here my sources: http://www.esecurityplanet.com/trends/article.php/3746186/Centralized-Security-Reporting-for-Open-Source.htm
Re: Re: Re: Beware...
Tim wrote on Sun, 05 Apr 2009 16:44
Erm, lcms was insecure. The search link you posted takes you to a bunch of posts related to the advisory. The attitude you are displaying is akin to that of Microsoft ~5 years ago and it does not put you in a good light. What you need to do is eat a little humble pie, apologise to Andrea, Chris and oCERT and put your own house in order (for example, a page on the site linking to / giving details of previous vulnerabilities, and details of who to contact when new issues are found - http://www.littlecms.com/security.htm maybe?). Right now, you're just generating more negative noise for your project, which is a shame for all the good it has done. Regarding oCERT specifically, perhaps the oCERT web site might be considered more authoritative than a news article on a little recognised security news portal?
Re: Re: Re: Re: Beware...
Marti wrote on Sun, 05 Apr 2009 17:36
lcms is insecure, of course it is. I never intended to write a secure library. And thanks to many people it has become more and more secure. Sure, and I'm grateful for that. My complaint is, people are scared by the advisory -> then they apply the patch -> then the library doesn't work -> then they blame me.
Ok, maybe Andrea is right and the vendors didn't follow his instructions. I will take that and close the issue.
Re: Beware...
Andrea Barisani wrote on Sun, 05 Apr 2009 19:18
"Regarding my comments about oCERT origins, see here my sources: http://www.esecurityplanet.com/trends/article.php/3746186/Centralized-Security-Reporting-for-Open-Source.htm"
I didn't set up oCERT in order to get Google sponsorship, I set up oCERT to accomplish its mission and vision, which resulted in getting (non-monetary) Google sponsorship.
I understand that you might not have intended that, but your words sounded like an accusation about me doing oCERT "just" for getting some sponsorship from Google, which, you can understand, would be a bad interpretation.
If that wasn't the intention of your comment I apologize, but that's how it looked to me.
"Crashes=possible backdoors", that's very inaccurate. A backdoor is something intentionally placed by a coder in order to get access, it's not something "incidental". In security circles a "backdoor" is a pretty well-defined concept, please use that word carefully.
Your comment implied that the patch deliberately placed a backdoor in the code, accusing Chris (or me) of doing so maliciously. You can see how that would be a problem right and that is clearly not the case?
Cheers
Re: Beware...
Marti wrote on Sun, 05 Apr 2009 19:53
Andrea, please see the reply message I sent to the lcms-usr mailing list, after the one Boudewijn is reproducing:
http://sourceforge.net/mailarchive/message.php?msg_name=20090404133935.2cginonekg8gcw4w%40212.87.196.4
In my first mail I was really disappointed. I was receiving reports of crashes from different sources, not all on the OSS side.
One of those sources sent me the offending patch and I discovered in dismay this was the first patch from Chris, so I assumed you were sending that patch. If this is not the case, I apologize.
It is true the wording I used was probably too strong, but I still think the message of "don't blindly apply patches" applies.
Re: Re: Beware...
Andrea Barisani wrote on Mon, 06 Apr 2009 01:09
Marti, you continue to use the word "backdoor" in your reply.
" crash *may* open a backdoor."
Again that is incorrect and you should be careful about using the word 'backdoor'. A backdoor is something *deliberately* placed for granting access, a bug and/or crash which leads to an attack vector is *not* a backdoor.
Just like a PoC is not a "virus".
Also I'd like to point out that the timeline of events was already described in our existing advisory, if you would have read that beforehand maybe you would have seen immediately that we made every effort possible to handle this cleanly and that we warned vendors about the incorrect patch.
Reporting it here:
- 2009-02-13: vulnerability report and patch received
- 2009-02-16: contacted littlecms maintainer
- 2009-02-16: oCERT investigated for other potential affected projects
- 2009-02-20: maintainer provides updated patch
- 2009-02-20: reporter provides new patch fixing memory leak
- 2009-02-21: maintainer provides fixed beta version
- 2009-02-23: reporter confirms fixes
- 2009-02-24: contacted affected vendors providing combined security patch and beta version, recommending the latter
- 2009-03-02: patch found to break functionality, contacted affected vendors advising to use only beta version
- 2009-03-03: reporter provides additional patch based on feedback, patch provided to vendors
- 2009-03-06: Debian requests embargo lift
- 2009-03-08: embargo lifted from 03-09 to 03-19, affected vendors notified
- 2009-03-20: advisory release
We are the first ones to say that patches should be applied blindly, that's exactly why oCERT was born, to properly coordinate with vendors and make sure that security fixes are sane. It just happened that in this case a mistake was made.
Btw we are not a "Startup", we are an open source project. And we didn't make any "loud noise" we just do our work, which is publishing advisories and helping people out, you might want to check our other advisories for evidence of that.
The "loud noise" and attention that lcms got was because of its (valid) security issues, nothing more than that. And we will continue to publish advisories and handle matters if we get further reports about lcms.
Cheers
Re: Re: Re: Beware...
Andrea Barisani wrote on Mon, 06 Apr 2009 01:10
Sorry, I made a typo. The "should be applied blindly" obviously should read "shouldn't be applied blindly". Making posts on Sunday evening == bad ;)
Re: Re: Re: Beware...
Marti wrote on Mon, 06 Apr 2009 12:44
Andrea, I understand your reasons, but please try also to understand me:
- I received a patch that broke the library
- I warned about that
- After that, I got 7 complaints of lcms crashing, some from people scared about some advisories they found on the internet.
- I did a fast google search and found tons of reports on lcms vulnerabilities
- The 8th complaint came with the patch, and I saw the same first patch I had discarded.
- At that point I began to get suspicious about the patch
- I did a quick search on oCERT and found the link I sent.
- Got another report on the lcms mailing list.
- Then I replied that rude message
- Next day, after reading it again, I sent a correction.
What else do you want? My intent was to stop that damn patch. At that time I was convinced you were distributing the patch on purpose.
Not the case? Great, no problem with you. Making all that noise is not good for anybody.
Re: Re: Re: Re: Beware...
klon wrote on Mon, 06 Apr 2009 14:15
>> What else do you want?
>> No the case? Great, no problem with you.
Well, the very least thing you could do, was to apologise.
Re: Re: Re: Re: Beware...
Andrea Barisani wrote on Mon, 06 Apr 2009 15:29
Marti, I don't want anything from you. The picture is clear.
I just hope that next time you will use a wording that could be interpreted like false accusations (it's very serious for a security professional being accused of placing backdoors and for an open source project being accused of being alive just because of sponsoring). You can see how that can upset people, possibly more than a bug in software (which happens all the time).
I also suggest that rather than doing 'quick searches' next time you get your facts straight, as both the oCERT background information and the advisory timeline were published long before you made the complaint. As well as listening when someone tries to explain the meaning of "backdoor" to you (which you misused even after I tried to explain).
I can understand that some people might get upset about "tons of reports" pointing out security issues in their code, but such is life. Those reports are not uncalled for.
That's all, and I consider this closed. I don't want any apology from you as it's clear that your posting had bad wording and that you didn't mean what it sounded like, and I know that the (understandable) frustration in people and vendors using the wrong patch can lead to those kind of posts.
This will be my last post about this matter.
Cheers
Re: Re: Beware...
Boudewijn Rempt wrote on Fri, 03 Apr 2009 14:37
Yes, that's how it seemed to Marti, the maintainer of lcms, so that is how I report it. This was a very, very bad patch and the people who applied it to their distributions without checking with him are to be blamed, too, and I don't see any reason to hide who created the patch. Maybe people will remember his name next time they get a security patch from him and be more careful with it.
Re: Re: Re: Beware...
Tim wrote on Sat, 04 Apr 2009 18:35
You do know that KDE work with oCERT right?