Slashdot Mirror
New RedHat Kernel Patch Illegal to Explain to U.S. Users
Russellkhan writes "The Register is running a story about a new RedHat kernel patch that cannot be explained to U.S. citizens or others in the U.S. because of DMCA restrictions. The illegal explanation is hosted at Thefreeworld.net, a site created specifically to deal with these DMCA issues."
-- LEGALESE --
PLEASE READ FIRST.
Unfortunately the DMCA prevents this document being issued to US citizens.
This document is a copyrighted work. The authors choose to exercise their
first distribution rights to prohibit the distribution of this work in the
United States Of America, its dependancies, embassies and anywhere else
under US law.
Redistibuting this document in the USA may be a criminal offence under the
Digital Millenium Copyright Act with punishment including jail sentences.
Attempting to test these holes in the USA, even with the permission of the
system owner may be an offence. Discussing this document with a US citizen
may be an offence.
This document is made available for free without warranty or other right of
recourse implied or otherwise. No statement save one in writing by the owner
of the copyright changes this usage agreement. Any export download is at your
own risk and liability.
There is no other user agreement, should your local law make such an
agreement invalid you are prohibited from using this document, and may be
committing an offence by redistributing it.
NO WARRANTY
BECAUSE THE DOCUMENT IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE DOCUMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE DOCUMENT IS WITH YOU. SHOULD THE
DOCUMENT PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE DOCUMENT AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE DOCUMENT (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE DOCUMENT TO OPERATE WITH ANY OTHER
DOCUMENTS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
-- END LEGALESE --
Security Holes Fixed In Linux 2.4.19
None of the holes documented here are remote. All these problems were
uncovered by auditing and there are no current exploits available. In
the interest of openness and ensuring people are aware of the security
fixes they are documented.
- If the Stradis driver is loaded (hardware must be present) a
maths overflow allowed the user to scribble into kernel memory
- It was possible to feed the SE401 USB hardware driver signed
values and fool kernel checks. This requires the hardware is
present
- The usbvideo driver could be fooled due to a maths overflow corner
case. This requires drivers to be present
- The
corruption of the kernel. This is really beyond user control but
if it occurs then the user can trigger the corruption
- By setting the TF flag a carefully constructed binary could hang
the kernel dead
- By misusing the rlimit resource limits it was possible to avoid
acct data being written on your process exit
- The joystick driver had erroneous copies in obscure ioctl cases
that could be used to patch the kernel as any user. Hardware
must be present and the module loaded for this vulnerability
to occur
- Multiple errors in the vm86 handling allowed users to force an
"Oops" from the kernel and in some cases to corrupt kernel data.
An additional small fix is needed for 2.4.19 but not 2.4.19-ac
(see bottom)
- The rt_cache_proc file could be tricked into returning chunks of
kernel data.
- On a system with over 1Gb of RAM the loop driver could in some
cases fail and expose kernel data. This is not under user control.
On 2.4.19 the loop driver works fine with large memory systems.
- Multiple
due to a sanity checking bug in the proc file handlers
- The XMM SSE registers were not always cleared for new processes
and could expose data from a different task. While it was not
possible to modify another tasks registers there is a small risk
because some cryptographic systems have XMM acceleration functions
We also fixed problems that required privileges to exploit. These affected
the IBM S/390 dasd driver, Openprom on Sparc systems, the Intermezzo file
system, the ewrk3 network driver, module loading, the microcode driver and
vm86. We document these in the interest of completeness.
Finally on a -ac based tree with PnPBIOS enabled a problem existed in some
quite common BIOS implementations that causes a crash when certain 32bit
BIOS calls are made. This allowed users to crash some systems by reading
files in
affected as it lacks PnPBIOS support
Credits
The authors would like to thank Silvio Cesare, Stas Sergeev, Andi Kleen,
Alan Cox, Solar Designer, and many others for their work on making 2.4.19 a
more secure kernel.
-- Additional Required Patch --
diff -u --new-file --recursive --exclude-from
--- linux.20pre1/arch/i386/kernel/traps.c 2002-08-06 15:40:50.000000000 +0100
+++ linux.20pre1-ac1/arch/i386/kernel/traps.c 2002-08-06 15:42:19.000000000 +0100
@@ -305,8 +319,13 @@
static void inline do_trap(int trapnr, int signr, char *str, int vm86,
struct pt_regs * regs, long error_code, siginfo_t *info)
{
- if (vm86 && regs->eflags & VM_MASK)
- goto vm86_trap;
+ if (regs->eflags & VM_MASK) {
+ if (vm86)
+ goto vm86_trap;
+ else
+ goto trap_signal;
+ }
+
if (!(regs->xcs & 3))
goto kernel_trap;
@@ -514,10 +533,15 @@
{
unsigned int condition;
struct task_struct *tsk = current;
+ unsigned long eip = regs->eip;
siginfo_t info;
__asm__ __volatile__("movl %%db6,%0" : "=r" (condition));
+
+ if ((eip >=PAGE_OFFSET) && (regs->eflags & TF_MASK))
+ goto clear_TF;
+
if (condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3)) {
if (!tsk->thread.debugreg[7])
you fuckin idiot, clinton was the president when the dmca was passed, what the fuck does Bush have to do with this? sounds like more knee jerk america bashing again.
and yet, on slashdot this is +5 insightful! hooray for this great moderation system!
SIG:Slashdot: indymedia for nerds.
you can bypass that scary disclaimer and read all that hidden information here (reg. req'd, blah blah) :)
Satanists get good grades too...suspiciously good grades
Updated kernel packages are now available which fix an oops in the i810 3D kernel code. This kernel update also fixes a difficult to trigger race in the dcache (filesystem cache) code, as well as some potential security holes, although we are not currently aware of any exploits.
The 2.4.18-5 kernel introduced some safety checks in the VM subsystem that were triggered when exiting an X session while using 3D acceleration with the Intel i810/i815 chipset. Additionally, there was a difficult to trigger race in the dcache of the file system subsystem.
This kernel update addresses both of these issues.
In addition, there are fixes for potential security holes in the following drivers:
stradis
rio500
se401
usbvideo
apm
Finally, this kernel fixes a few files in the
All of the security issues found during an audit and none of them, at the time of this writing, have any known exploits.
We would like to thank Silvio Cesare, Stas Sergeev, Andi Kleen, Solar Designer, and others for their auditing work.
You may be allowed to read it, but the point is the posters don't want to be prosecuted for publishing it.
The Reg had a neat explanation of this, a lot of people outside the US don't want to get arrested if they set foot on US soil because they published something on a web site hosted in another country that violates the DMCA.
Apparently RH is respecting the copyright of the people who discovered the flaws and chose to license the text under the "TheFreeWorld" blanket to prevent the authors from being accused of distributing potentially infringing documentation in the US. Read the article at The Register, it is almost as poorly written as this post but according to this excerpt:
The document has been copyrighted, and the authors have chosen to restrict its distribution, and to use Thefreeworld.net licence as the mechanism for doing so. Note that it is the copyright, rather than fear of the DMCA, that has forced Red Hat to join in.
RH is only doing this to protect the authors who for whatever reason chose to copyright the document. Possibly the wish to make a point as well concerning the idiocy of the DMCA.
with the rules governing prisoners of war
No. No we are not.
Whether you agree with the "enemy combatent" theory or not, the prisoners do not have POW status or rights.
There is a list of some of the requirements here
Furthermore, they are members of an enemy force. Comparing that to people talking about computer patches is absurd.
Yes, quite.
So close and yet so far from the world's perfect ID number
As I understand it, there is far too many bills every year for either the House or the Senate to actually debate every single one of them. So what they do is once it is out of committee, it goes on the calender, if nobody raises any objections to it, they have a voice vote on it, which is very quick, but there is no official record on who voted and how, only that it passed or not. I could be wrong, so please correct me if I am. This is more or less how the DMCA was passed. Anyone who was sitting at the time should be held accountable, if for no other reason than they didn't raise any objections, force a public debate and a formal vote.
"Our products just aren't engineered for security,"
-Brian Valentine,VP in charge of MS Windows Development
As for "one of the FEW nations that follows the Laws of War and Peace", I'd like to point out that the US has demanded (and unfortunately, gotten) concessions that no US military personnel can be tried for war crimes on UN missions. This effectively gives US soldiers carte blanche to rape, pillage and burn in a manner that would make the atrocities in the Balkans seems like a Sunday School picnic with no chance of war crimes charges ever being laid. They may get some kind of court martial or charges laid in the US court or they may not. There would be no recourse for an aggrieved party in the Internation Courts.
The more I hear about the US in recent times, the more I despair about a nation that claims to be the home of Democracy. I have my own rant about another such incident, which you're free to read.
In case you don't know it, we will be getting something similar to the DMCA in Europe soon :(
You can read more here.
I believe it passed unopposed. Leaving you three options:
1) spoil your vote
2) vote for someone other than the incumbent
3) don't even show up to vote
http://www.dfc.org/dfc1/Active_Issues/graphic/grap hic.html
passed Senate by Unanimous Consent
(similar to voice vote in House)
passed House by Voice Vote
Eve Fairbanks says I drive a hybrid!LOL
Thus, it gives you information you can use to break into these systems, bypassing their "rights management". More info in the thread from last year here.
I would say that the owner is in Brasil, not US. You know, that BR abbreviation and +55 phone prefix...
We didn't vote for Bush the first time. He siezed power in a coup. Read more.
The Uncoveror: It's the real news.
i just posted the relevant file from thefreeworld site. http://yro.slashdot.org/comments.pl?sid=42463&cid= 4461419. use it wisely.
I'm not USian...so:
/proc/slabinfo file could exceed a buffer size and cause
/proc files could be persuaded to dump kernel data
/proc. These files are now root private. The base tree is not
Security Holes Fixed In Linux 2.4.19
None of the holes documented here are remote. All these problems were
uncovered by auditing and there are no current exploits available. In
the interest of openness and ensuring people are aware of the security
fixes they are documented.
- If the Stradis driver is loaded (hardware must be present) a
maths overflow allowed the user to scribble into kernel memory
- It was possible to feed the SE401 USB hardware driver signed
values and fool kernel checks. This requires the hardware is
present
- The usbvideo driver could be fooled due to a maths overflow corner
case. This requires drivers to be present
- The
corruption of the kernel. This is really beyond user control but
if it occurs then the user can trigger the corruption
- By setting the TF flag a carefully constructed binary could hang
the kernel dead
- By misusing the rlimit resource limits it was possible to avoid
acct data being written on your process exit
- The joystick driver had erroneous copies in obscure ioctl cases
that could be used to patch the kernel as any user. Hardware
must be present and the module loaded for this vulnerability
to occur
- Multiple errors in the vm86 handling allowed users to force an
"Oops" from the kernel and in some cases to corrupt kernel data.
An additional small fix is needed for 2.4.19 but not 2.4.19-ac
(see bottom)
- The rt_cache_proc file could be tricked into returning chunks of
kernel data.
- On a system with over 1Gb of RAM the loop driver could in some
cases fail and expose kernel data. This is not under user control.
On 2.4.19 the loop driver works fine with large memory systems.
- Multiple
due to a sanity checking bug in the proc file handlers
- The XMM SSE registers were not always cleared for new processes
and could expose data from a different task. While it was not
possible to modify another tasks registers there is a small risk
because some cryptographic systems have XMM acceleration functions
We also fixed problems that required privileges to exploit. These affected
the IBM S/390 dasd driver, Openprom on Sparc systems, the Intermezzo file
system, the ewrk3 network driver, module loading, the microcode driver and
vm86. We document these in the interest of completeness.
Finally on a -ac based tree with PnPBIOS enabled a problem existed in some
quite common BIOS implementations that causes a crash when certain 32bit
BIOS calls are made. This allowed users to crash some systems by reading
files in
affected as it lacks PnPBIOS support
Credits
The authors would like to thank Silvio Cesare, Stas Sergeev, Andi Kleen,
Alan Cox, Solar Designer, and many others for their work on making 2.4.19 a
more secure kernel.
Or so I guess, since I can't read it.
Err, I don't think you can release a patch for GPL software (ie, Linux) under a non-GPL license.
The patch itself is perfectly legal, and GPL licensed, and downloadable by anyone, etc.
The documentation accompanying the patch, that explains what security holes were closed, is licensed so as to be undistributable to people in the US jurisdiction. This is because the act of distributing this info is illegal under the DCMA.
I believe posters are recognized by their sig. So I made one.
Digital Copyright
-c
I have discovered a truly remarkable proof which this margin is too small to contain.
Begin obligitory karma whoring. that is the website for the people who vote on what bills, and this is specifically for the DMCA
"Martha Stewart can lick my Scrotum......do i have a scrotum?" -- Sharon Osbourne
HP threatened Snosoft over a post to bugtraq, so apparently HP, a large company with lots of lawyers, belives the DMCA covers security notices.
Does this mean that when MS decides to release a "security patch" for one of its releases, and explains why this patch is necessary and how it might be exploited, that they are in breach of the DMCA?
...
Probably not, but if YOU were to do this, you would be in violation of the DMCA. The main point of the DMCA is to protect companies from you and me revealing that security-related products are shoddy.
I recently got involved in a specific discussion where this might apply. Some people discovered that they could get the text out of most MS Word docs using the unix "strings" command. The format isn't pretty, but the text is there. The problem is that you also get "deleted" text that Word has just marked deleted but hasn't erased. This text can be from other docs that the sender's copy of Word has processed. This could be a very serious security leak in some cases.
This could be fixed in a unix mail reader, if the programmers could get enough info about the Word format to identify the deleted text and skip over it. This would presumably be legal. But if you were to describe the security issue when releasing the patch, you would be guilty of publicising a security flaw in MS software, and would thus be in violation of the DMCA.
So far, the decision seems to be to keep quiet about this, and just treat it as Someone Else's Problem.
There is the outstanding question of whether we unix/linux geeks are committing a serious crime if we warn Word users about this security issue. In particular, what sort of danger am I in by mentioning it here?
Maybe I should submit this as an Anonymous Coward? Nah
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Aha, yet another benefit of Big Government: incompetency, along with its twin brother, inefficiency.
Next time we have a problem we think is solvable only by government, let's remember to think twice. Our current bloat of a government is built on the special interests of people just like me and you: people who don't consider that somebody, somewhere, doesn't want to be forced into adopting the special interests of other people. The solution? Government needs to go on a diet. See this website if you like the sound of this.
Sound does travel in the land, and a lot further than in the air.
Anonymous Cowards suck.
People are making a big deal about the fact that the explaination document is copyrighted. copyright does not protect ideas only the particular expression of an idea. In otherwords if someone were to release a paraphrase of the explaination document, it might violate DCMA, but it would not violate copyright.
http://www.vote-smart.org
Click on "Voting Records" ->State -> Your Senator -> Telecommunications 1998 -> "DMCA Passage"
The vote was unanimous, though
I know a court has ruled deCSS to be in violation of the DMCA, but that was because the judge was stupid, and the MPAA was smart enough to convince him that the utility is "primarily intended for circumvention of a protection mechanism". The keyword there is "primarily".
First of all, DeCSS is illegal under the DMCA, it has nothing to do with the judge being stupid or the MPAA being smart. The whole purpose of DeCSS is to circumvent CSS, which is a protection mechanism. That's not it's primary purpose, or even it's secondary purpose; that is it's only purpose. Since that is specifically what the DMCA was crafted to make illegal, I don't see how anyone who isn't completely ignorant can say that DeCSS doesn't violate the DMCA.
Furthermore, the judge was not stupid at all, he was corrupt, which is a different thing entirely. He was one of the authors of the DMCA, and as such the ethical thing for him to do would have been to pass the case on to another judge due to his obvious conflict of interest. However, he knows that law as well as anyone does, and he is certainly capable of spotting a blatant violation of it, which DeCSS is, on his own.
The only question in the case was whether the source code to DeCSS was criminal under the DMCA or protected speech under the First Amendment. This is where Kaplan's corruption took hold, and he declared that the functional use of the code took precedence over it's educational or informative value.
Under capitalism man exploits man. Under communism it's the other way around.
Learning in school that we are a Republic... In fact, there was something that we did every morning to reinforce that...
"...and to the Republic, for which it stands..."
Are you saying that the Pledge of Allegiance is wrong?
Should it say, "...and to the Representative Democracy, for which it stands..."?
Check the following link, it leads to a site that will explain our form of government to you in elementary terms. You should take a few more politcal science classes before you start talking about government, my friend.
What is a Republic?
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
I can understand that people may be worried about publishing kernel patches, but careful reading of the above makes it very clear that these do not violate the DMCA, even if they inadvertantly or implicitly reveal information that could be used to defeat copyright protection. The reason is simply that this is not the primary design and purpose of the information. Rather, the information is designed to extend and improve the functionality of the Linux kernel.
Contrast this with the Sklyarov case, where the primary purpose of the information and technology he presented was to defeat copyright protection. The situations are completely different.
I can't blame Europeans for being excessively cautious with regard to American law, but they could consult with a lawyer and be reassured. My opinion is that this is really a political statement, and that they are being disingenuous in claiming to be afraid of prosecution.
If I'm not mistaken in those two things, isn't all patch documentation illegal under the DMCA?
...
The Patch documentation is not so much, the patch actually documents the hole. One of the key issues here is that the fix in the patch exposes the original problem, and thus makes "circumvention of digital security" (haven't read it in a while, so going by memory here) possible. It's a question of whether all you need is to communicate the problem, or to document it. In the case of a source patch and docs, both are done, and it's lose-lose for the author, distributor, or whatever.
On another note - UCITA makes click-through license agreements legally binding in the US. So if law-enforcement cracked down on these people, they would have committed a felony as well. Court case should be interesting
- - - Non Caffeine Drink or Drink Error
Linux does not provide DMCA type copy protection -- PERIOD
YES, IT DOES -- PERIOD
Assuming you have a file named "copyrighted_file", which contains copyrighted text, the following command:
$ chmod 600 copyrighted_file.txt
will "effectively" prevent access to it by the system - this is all that's required under the DMCA to qualify as a "technological measure", as per section 1201-3:
(B) a technological measure `effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.
In layspeak: if something stops you from looking at something without someone's permission, then it 'effectively controls access'.
This is the main purpose of the +r bit in file permissions.
Although the bill was passed unanimously, the names of eleven sponsors are listed by thomas.loc.gov
0 22 81:|TOM:/bss/d105query.html|
2 03 7:
The house bill, HR 2281, was sponsored by Howard Coble and had nine cosponsors:
Rep Berman, Howard L. 2/11/1998
Rep Bono, Mary 6/5/1998
Rep Bono, Sonny 9/26/1997
Rep Conyers, John, Jr. 7/29/1997
Rep Frank, Barney 7/29/1997
Rep Hyde, Henry J. 7/29/1997
Rep McCollum, Bill 1/27/1998
Rep Paxon, Bill 6/5/1998
Rep Pickering, Charles 6/22/1998
The senate bill was S. 2037 and was sponsored by Orrin Hatch.
Bill summaries can be found at:
http://thomas.loc.gov/cgi-bin/bdquery/z?d105:HR
http://thomas.loc.gov/cgi-bin/bdquery/z?d105:S.
also note that you said "pure democracy" the second time around: this self-quibbling indicates that you even suspect that you are wrong.
To quote the American Red Cross FAQ:
Why are symbols other than a red cross used by other National Societies within the Movement?
Although the red cross is not a religious symbol, some societies view it as such. The symbol of the red crescent is used instead of the red cross by societies in most Islamic countries; and the Magen David Adom, or Red Shield of David, is used in Israel.
Executive Pope (small) Kallisti Engineering
the US military has been very determined about dealing harshly with the evildoers it finds in its ranks. If the Army sends you overseas and you rape a local girl, you're going to wish you had brought her home and done it where the US civilian courts could punish you.
Crap. Just one soldier, Calley, was convicted over the murder of over 300 unarmed civilians, including many children, at My Lai. He spent less than 5 years in prison.
As for the US soldiers who rape Japanese children, the penalty for a similar crime in some US states is death, so I don't know what you were smoking when you typed that bit of your comment.
Moreover, even if we make the gigantic leap that a prose descrption is a circumvention device, the DMCA only restricts devices that have NO COMMERCIALLY-SIGNIFICANT NON-INFRINGING USES . Because the "device" clearly has countless legitimate commercial uses in protecting information systems, it would still not violate the DMCA.
The alleged parallels to the Sklyarov case are completely erroneous. Sklyarov and his employer were selling systems to crack content protection. You handed Sklyarov a wad of money, he handed you a content extractor. Comparing this to an essay that merely states that a programming mistake occurred is ludicrous. (Incidentally, given the propensity of clueless corporate drones to accidentally lock up their content and delete the originals, the Sklyarov systems do have commercially significant purpose, and were likely non-infringing. Caveat: as long as Sklyarov and friends didn't advertise them as useful for violating copyright.)
Alan Cox and his useful-idiot friends at Red Hat need to actually try reading the fucking law. It emphatically does not mean what most people are assuming it means. This sort of political grandstanding is destructive and draws attention away from the real problems with the DMCA:
Incidentally, I have a support contract with Red Hat, which they are breaching due to this erroneous misinterpretation of the law. Their lawyers will be hearing from me if they don't get their act together.
Yes, you are correct, this story is similar to the changelog story from awhile back. I already know I'm not going to become very popular here saying this, but since I'm not a karma whore I could care less. Alan Cox is a coward. The fact that this information is not posted publically is a pure act of cowardice. First of all, this information has nothing to do with the DMCA and would not even stand a chance of holding up in a court if charges were brought against Alan especially if he's tried by a jury of his peers. Second, if, by some weird ass twist of fate, it did stand in a jury trial it would certainly be thrown out either by the appeals court or the supreme court which could result in parts of the DMCA becoming invalidated and thus liberating us from at least part of its tyranny.
Alan needs to turn over kernel development to someone with more balls than he has. I've thrown myself in front of the cannon several times in an attempt to get the DMCA overturned, but no one has fired it yet. I'm going to throw myself in front of it again by posting the secret text on my webserver located right here. Alan has no right to call himself a leader in any sense for as long as he refuses to do something to change what he knows is wrong. Any man who knowingly allows an unjust act to occur(the imprisonment of a fellow programmer), does nothing to change it, and hides in fear of it, has no right to call himself a man, much less a leader.
I hope you're reading this Alan because I know you read these articles on a regular basis and yes, I am attacking your values and principles. Perhaps it's time to reevaluate them because you sir, are a coward who will allow injustice to continue when you are one of the few people who has enough public acknowledgement to actually have the ability to make a difference, whereas I, a lowly network engineer with no fame or notoriety, am willing to put my personal freedom on the line to make that difference.
For those of you who are under US jurisdiction:
Read more of this story at Slashdot.Read more of this story at Slashdot.Read more of this story at Slashdot.