Slashdot Mirror
New RedHat Kernel Patch Illegal to Explain to U.S. Users
Russellkhan writes "The Register is running a story about a new RedHat kernel patch that cannot be explained to U.S. citizens or others in the U.S. because of DMCA restrictions. The illegal explanation is hosted at Thefreeworld.net, a site created specifically to deal with these DMCA issues."
-- LEGALESE --
PLEASE READ FIRST.
Unfortunately the DMCA prevents this document being issued to US citizens.
This document is a copyrighted work. The authors choose to exercise their
first distribution rights to prohibit the distribution of this work in the
United States Of America, its dependancies, embassies and anywhere else
under US law.
Redistibuting this document in the USA may be a criminal offence under the
Digital Millenium Copyright Act with punishment including jail sentences.
Attempting to test these holes in the USA, even with the permission of the
system owner may be an offence. Discussing this document with a US citizen
may be an offence.
This document is made available for free without warranty or other right of
recourse implied or otherwise. No statement save one in writing by the owner
of the copyright changes this usage agreement. Any export download is at your
own risk and liability.
There is no other user agreement, should your local law make such an
agreement invalid you are prohibited from using this document, and may be
committing an offence by redistributing it.
NO WARRANTY
BECAUSE THE DOCUMENT IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE DOCUMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE DOCUMENT IS WITH YOU. SHOULD THE
DOCUMENT PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE DOCUMENT AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE DOCUMENT (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE DOCUMENT TO OPERATE WITH ANY OTHER
DOCUMENTS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
-- END LEGALESE --
Security Holes Fixed In Linux 2.4.19
None of the holes documented here are remote. All these problems were
uncovered by auditing and there are no current exploits available. In
the interest of openness and ensuring people are aware of the security
fixes they are documented.
- If the Stradis driver is loaded (hardware must be present) a
maths overflow allowed the user to scribble into kernel memory
- It was possible to feed the SE401 USB hardware driver signed
values and fool kernel checks. This requires the hardware is
present
- The usbvideo driver could be fooled due to a maths overflow corner
case. This requires drivers to be present
- The
corruption of the kernel. This is really beyond user control but
if it occurs then the user can trigger the corruption
- By setting the TF flag a carefully constructed binary could hang
the kernel dead
- By misusing the rlimit resource limits it was possible to avoid
acct data being written on your process exit
- The joystick driver had erroneous copies in obscure ioctl cases
that could be used to patch the kernel as any user. Hardware
must be present and the module loaded for this vulnerability
to occur
- Multiple errors in the vm86 handling allowed users to force an
"Oops" from the kernel and in some cases to corrupt kernel data.
An additional small fix is needed for 2.4.19 but not 2.4.19-ac
(see bottom)
- The rt_cache_proc file could be tricked into returning chunks of
kernel data.
- On a system with over 1Gb of RAM the loop driver could in some
cases fail and expose kernel data. This is not under user control.
On 2.4.19 the loop driver works fine with large memory systems.
- Multiple
due to a sanity checking bug in the proc file handlers
- The XMM SSE registers were not always cleared for new processes
and could expose data from a different task. While it was not
possible to modify another tasks registers there is a small risk
because some cryptographic systems have XMM acceleration functions
We also fixed problems that required privileges to exploit. These affected
the IBM S/390 dasd driver, Openprom on Sparc systems, the Intermezzo file
system, the ewrk3 network driver, module loading, the microcode driver and
vm86. We document these in the interest of completeness.
Finally on a -ac based tree with PnPBIOS enabled a problem existed in some
quite common BIOS implementations that causes a crash when certain 32bit
BIOS calls are made. This allowed users to crash some systems by reading
files in
affected as it lacks PnPBIOS support
Credits
The authors would like to thank Silvio Cesare, Stas Sergeev, Andi Kleen,
Alan Cox, Solar Designer, and many others for their work on making 2.4.19 a
more secure kernel.
-- Additional Required Patch --
diff -u --new-file --recursive --exclude-from
--- linux.20pre1/arch/i386/kernel/traps.c 2002-08-06 15:40:50.000000000 +0100
+++ linux.20pre1-ac1/arch/i386/kernel/traps.c 2002-08-06 15:42:19.000000000 +0100
@@ -305,8 +319,13 @@
static void inline do_trap(int trapnr, int signr, char *str, int vm86,
struct pt_regs * regs, long error_code, siginfo_t *info)
{
- if (vm86 && regs->eflags & VM_MASK)
- goto vm86_trap;
+ if (regs->eflags & VM_MASK) {
+ if (vm86)
+ goto vm86_trap;
+ else
+ goto trap_signal;
+ }
+
if (!(regs->xcs & 3))
goto kernel_trap;
@@ -514,10 +533,15 @@
{
unsigned int condition;
struct task_struct *tsk = current;
+ unsigned long eip = regs->eip;
siginfo_t info;
__asm__ __volatile__("movl %%db6,%0" : "=r" (condition));
+
+ if ((eip >=PAGE_OFFSET) && (regs->eflags & TF_MASK))
+ goto clear_TF;
+
if (condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3)) {
if (!tsk->thread.debugreg[7])
you can bypass that scary disclaimer and read all that hidden information here (reg. req'd, blah blah) :)
Satanists get good grades too...suspiciously good grades
You may be allowed to read it, but the point is the posters don't want to be prosecuted for publishing it.
The Reg had a neat explanation of this, a lot of people outside the US don't want to get arrested if they set foot on US soil because they published something on a web site hosted in another country that violates the DMCA.
Apparently RH is respecting the copyright of the people who discovered the flaws and chose to license the text under the "TheFreeWorld" blanket to prevent the authors from being accused of distributing potentially infringing documentation in the US. Read the article at The Register, it is almost as poorly written as this post but according to this excerpt:
The document has been copyrighted, and the authors have chosen to restrict its distribution, and to use Thefreeworld.net licence as the mechanism for doing so. Note that it is the copyright, rather than fear of the DMCA, that has forced Red Hat to join in.
RH is only doing this to protect the authors who for whatever reason chose to copyright the document. Possibly the wish to make a point as well concerning the idiocy of the DMCA.
As I understand it, there is far too many bills every year for either the House or the Senate to actually debate every single one of them. So what they do is once it is out of committee, it goes on the calender, if nobody raises any objections to it, they have a voice vote on it, which is very quick, but there is no official record on who voted and how, only that it passed or not. I could be wrong, so please correct me if I am. This is more or less how the DMCA was passed. Anyone who was sitting at the time should be held accountable, if for no other reason than they didn't raise any objections, force a public debate and a formal vote.
"Our products just aren't engineered for security,"
-Brian Valentine,VP in charge of MS Windows Development
As for "one of the FEW nations that follows the Laws of War and Peace", I'd like to point out that the US has demanded (and unfortunately, gotten) concessions that no US military personnel can be tried for war crimes on UN missions. This effectively gives US soldiers carte blanche to rape, pillage and burn in a manner that would make the atrocities in the Balkans seems like a Sunday School picnic with no chance of war crimes charges ever being laid. They may get some kind of court martial or charges laid in the US court or they may not. There would be no recourse for an aggrieved party in the Internation Courts.
The more I hear about the US in recent times, the more I despair about a nation that claims to be the home of Democracy. I have my own rant about another such incident, which you're free to read.
In case you don't know it, we will be getting something similar to the DMCA in Europe soon :(
You can read more here.
http://www.dfc.org/dfc1/Active_Issues/graphic/grap hic.html
passed Senate by Unanimous Consent
(similar to voice vote in House)
passed House by Voice Vote
Eve Fairbanks says I drive a hybrid!LOL
Thus, it gives you information you can use to break into these systems, bypassing their "rights management". More info in the thread from last year here.
Digital Copyright
-c
I have discovered a truly remarkable proof which this margin is too small to contain.
Begin obligitory karma whoring. that is the website for the people who vote on what bills, and this is specifically for the DMCA
"Martha Stewart can lick my Scrotum......do i have a scrotum?" -- Sharon Osbourne
http://www.vote-smart.org
Click on "Voting Records" ->State -> Your Senator -> Telecommunications 1998 -> "DMCA Passage"
The vote was unanimous, though
Linux does not provide DMCA type copy protection -- PERIOD
YES, IT DOES -- PERIOD
Assuming you have a file named "copyrighted_file", which contains copyrighted text, the following command:
$ chmod 600 copyrighted_file.txt
will "effectively" prevent access to it by the system - this is all that's required under the DMCA to qualify as a "technological measure", as per section 1201-3:
(B) a technological measure `effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.
In layspeak: if something stops you from looking at something without someone's permission, then it 'effectively controls access'.
This is the main purpose of the +r bit in file permissions.