Re: scrollkeeper loading external (online) DTD
> From: Hubert Chan <[EMAIL PROTECTED]>
> Subject: Re: scrollkeeper loading external (online) DTD
> Date: 10/01/2003 6:33:22

snip

> DTDs cannot introduce any vulnerabilities (unless the XML parser is
> horribly buggy). The worst that can happen is that the file doesn't
> validate, and scrollkeeper complains.

snip

Is this strictly true? There have been a few articles on bugtraq recently around this kind of thing. One in the area of "bugs", and one around external entities and the potential for a "rogue" DTD to specify bad URIs. In particular, an external reference might cause a parser to open a connection to a site that the user would not wish. Alternately, an entity reference might translate to some form of control string for the application that is later using the parsed XML.

And even if the only concern is around bugs, surely experience would indicate that, given the growing use of XML parsers in a wide range of applications, we should be careful of all input?

External Entities: http://online.securityfocus.com/archive/1/297714
and DTD DoS bug: http://www.macromedia.com/v1/handlers/index.cfm?ID=23559 (Doesn't say much).
Re: Gnutella? (was Re: TCP port 6352?)
On Wed, 8 Jan 2003, Javier Fernández-Sanguino Peña wrote:
> You will see that the listing for many servers/clients in the network are
> usually port 6346 [1]. But it seems port 6352 is also used sometimes.

That seems to be the case. I found some more info on this page:
http://outpostfirewall.com/guide/rules/preset_rules/p2p.htm
(search for "Gnotella outgoing connection" on that page).

Cheers,
Cristian
Re: ssh and lastlog
* Thomas Gebhardt <[EMAIL PROTECTED]> [2003-01-07 16:23 +0100]:
> as far as I can see, one can get at least 2 out of the following 3 items:
                                      ^"most"? otherwise trivial :-)
> * sshd Privilege Separation
> * /var/log/lastlog not world readable
> * users get a lastlog message at ssh login

If you

- set UsePrivilegeSeparation=yes in /etc/ssh/sshd_config,
- chmod o-r /var/log/lastlog,
- configure sudo ("%users ALL=NOPASSWD:/usr/bin/lastlog -u *"), and
- add "[ ${-//[^i]/} ] && sudo /usr/bin/lastlog -u $LOGNAME" to /etc/profile,

the user's bash will display the date and origin of your last login for interactive sessions.

-- 
Johannes Franken
Professional unix/network development
mailto:[EMAIL PROTECTED]
http://www.jfranken.de/
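Two things a practitioner would want to see next to the recipe above, as an added example that is not code from the thread or from the sshd/lastlog packages: what a world-readable /var/log/lastlog actually gives away (it is a sparse array of fixed-size records indexed by UID, so anyone who can read it can look up every user's last login host), and why the sudoers line with `lastlog -u *` undoes the chmod: in sudoers a `*` in the command arguments also matches white space, so every member of %users may run `sudo /usr/bin/lastlog -u root`. The fix shown is a wrapper that ignores its arguments and reports only the caller's own record, which can then be listed in sudoers without a wildcard. Assumptions, labelled in the code: the glibc x86 Linux layout of struct lastlog (int32 time, 32-byte line, 256-byte host, 292 bytes per slot), that sudo exports SUDO_USER, the /usr/bin/lastlog path from the thread, and a constructed sample file in place of a real one.

```python
"""Added example (not from the thread): what /var/log/lastlog contains, and a
sudo target that only ever reports the caller's own record.

Assumptions: glibc/Linux x86 layout of struct lastlog (int32 ll_time,
char ll_line[32], char ll_host[256]; 292 bytes, one slot per UID), and that
sudo exports SUDO_USER.  The sample file below is constructed, not captured.
"""
import os
import re
import struct
import subprocess

LASTLOG_RECORD = struct.Struct("<i32s256s")      # assumption: x86 glibc layout
LASTLOG_PATH = "/var/log/lastlog"
LASTLOG_BIN = "/usr/bin/lastlog"                 # path used in the thread


def read_record(data, uid):
    """Return (time, line, host) for uid, or None if the slot is absent/empty.

    The file is a sparse array indexed by UID, so anyone who can read it can
    look up every user's last login host; that is what chmod o-r withholds.
    """
    offset = uid * LASTLOG_RECORD.size
    chunk = data[offset:offset + LASTLOG_RECORD.size]
    if len(chunk) < LASTLOG_RECORD.size:
        return None                                # beyond end of file
    t, line, host = LASTLOG_RECORD.unpack(chunk)
    if t == 0:
        return None                                # never logged in
    return (t,
            line.split(b"\0", 1)[0].decode(),
            host.split(b"\0", 1)[0].decode())


def make_record(t, line, host):
    """Pack one record; the 's' fields are NUL-padded to their fixed size."""
    return LASTLOG_RECORD.pack(t, line.encode(), host.encode())


def build_sample():
    """Constructed lastlog with two users, UID 1000 and UID 1001."""
    empty = bytes(LASTLOG_RECORD.size)
    slots = [empty] * 1002
    slots[1000] = make_record(1041859200, "pts/0", "workstation.example")
    slots[1001] = make_record(1041945600, "pts/3", "laptop.example")
    return b"".join(slots)


# sudoers line from the thread:   %users ALL=NOPASSWD:/usr/bin/lastlog -u *
# In sudoers '*' in command arguments also matches white space, so that rule
# permits   sudo lastlog -u root   and   sudo lastlog -u bob -t 30
# i.e. every member of %users can read every record, which undoes chmod o-r.
# A wrapper that ignores its arguments and fixes the user to SUDO_USER can be
# listed without a wildcard (hypothetical path):
#   %users ALL=NOPASSWD:/usr/local/sbin/own-lastlog
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def own_lastlog_argv(environ=os.environ):
    """argv for the caller's own record; refuses anything that is not a plain
    username so the value cannot smuggle options into lastlog."""
    user = environ.get("SUDO_USER", "")
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("refusing SUDO_USER=%r" % user)
    return [LASTLOG_BIN, "-u", user]


def own_lastlog(environ=os.environ):
    """Entry point for the sudo wrapper: run lastlog with a fixed argv."""
    return subprocess.run(own_lastlog_argv(environ), check=False).returncode


if __name__ == "__main__":
    sample = build_sample()
    for uid in (1000, 1001, 1002):
        print(uid, read_record(sample, uid))
    print(own_lastlog_argv({"SUDO_USER": "alice"}))
```

The profile line from the post then becomes `sudo /usr/local/sbin/own-lastlog` with no argument, and the user keeps the chmod o-r benefit: the only record anyone can reach through sudo is their own.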
Re: scrollkeeper loading external (online) DTD
> "Sebastien" == Sebastien Chaumat <[EMAIL PROTECTED]> writes: Sebastien> Hi, This a real example : Sebastien> The xbill package contains : Sebastien> /usr/share/gnome/help/xbill/C/xbill.xml Sebastien> In this file the DTD is refered by an absolute external link Sebastien> : Sebastien> V4.1.2//EN" Sebastien> "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"; That is necessary for a DocBook file. Sebastien> Thus : scrollkeeper-update blindly connect to Sebastien> www.oasis-open.org to get the docbookx.dtd. Sebastien> I can trust signed debian packages but I can't trust Sebastien> www.oasis-open.org. DTDs cannot introduce any vulnerabilities (unless the XML parser is horribly buggy). The worst that can happen is that the file doesn't validate, and scrollkeeper complains. Sebastien> More than 18 files in /usr/share/gnome/help/ induce this Sebastien> download. Sebastien> I'am about to make bug report against scrollkeeper (for Sebastien> acting blindly, and dowloading the same file more than once) IMHO, the severity of such a bug would be at most "wishlist". Sebastien> and against packages that provides the xml files (for using Sebastien> external DTD instead of provinding it)... It should not be providing the DTD. At most, it should depend on docbook-xml, which provides the DTD, although I would suggest making it a "Recommends" rather than "Depends". AFAIK, if docbook-xml is installed, scrollkeeper will use the local copy, rather than fetching it over the network. (If not, this should be another wishlist bug.) (Hmm. On my system (sid), scrollkeeper already depends on docbook-xml.) -- Hubert Chan <[EMAIL PROTECTED]> - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. pgp3SadAAFnYh.pgp Description: PGP signature
Re: scrollkeeper loading external (online) DTD
That's absolutely ridiculous. I would file one at once; that should definitely not go unchecked, at least. I can appreciate the motivation, but for my own sanity I'm too paranoid to a) accept strange unknown files/connections or b) send out requests for such data. Especially considering that it all happens without my knowledge, which, thanks, now I know. Who knows if the file is the original? The checksum is verified, but that doesn't mean much all things considered; where did the checksum come from?

On 08 Jan 2003 22:54:12 +0100 Sebastien Chaumat <[EMAIL PROTECTED]> wrote:
> Hi,
>
> This is a real example:
>
> The xbill package contains: /usr/share/gnome/help/xbill/C/xbill.xml
>
> In this file the DTD is referred to by an absolute external link:
>
> "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
>
> Thus: scrollkeeper-update blindly connects to www.oasis-open.org to get
> the docbookx.dtd.
>
> I can trust signed debian packages but I can't trust
> www.oasis-open.org.
>
> More than 18 files in /usr/share/gnome/help/ induce this download.
>
> I'm about to make a bug report against scrollkeeper (for acting blindly,
> and downloading the same file more than once) and against packages that
> provide the xml files (for using an external DTD instead of providing
> it)...
>
> Your opinion?
>
> Cheers,
>
> SEb
Re: scrollkeeper loading external (online) DTD
hello sebastien..

Received at 2003-01-08 / 23:10 by Sebastien Chaumat:
> The xbill package contains: /usr/share/gnome/help/xbill/C/xbill.xml
>
> In this file the DTD is referred to by an absolute external link:
>
> "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
>
> Thus: scrollkeeper-update blindly connects to www.oasis-open.org to get
> the docbookx.dtd.
>
> I can trust signed debian packages but I can't trust
> www.oasis-open.org.
>
> More than 18 files in /usr/share/gnome/help/ induce this download.
>
> I'm about to make a bug report against scrollkeeper (for acting blindly,
> and downloading the same file more than once) and against packages that
> provide the xml files (for using an external DTD instead of providing
> it)...
>
> Your opinion?

file a bug report against xbill (and the others). there are (or were) some issues with libxml2, check bug #153720.

you can tell the maintainer to include something like this in debian/rules (target config.status):

    find . -name '*.xml' -exec perl -i -pe \
        's,http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd,/usr/share/sgml/docbook/dtd/xml/4.1.2/docbookx.dtd,' {} \;

the gnome-applets package does it this way.

bye,
sebastian

-- 
::: sebastian henschel
::: kodeaffe
::: lynx -source http://www.kodeaffe.de/shensche.pub | gpg --import
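The behaviour argued over in this thread (Hubert's "DTDs cannot introduce any vulnerabilities" against the external-entities concern in the first reply, and the local-path rewrite in Sebastian's find/perl line), as an added example that is not code from the thread, from scrollkeeper or from libxml2: Python's stdlib SAX parser is fed the xbill DOCTYPE under three entity policies. The DocBook public and system IDs are the ones quoted above; the `evil.example` entity, the stand-in DTD bytes and the document itself are constructed for the demo. With `feature_external_ges` off (the xml.sax default) no external reference is touched at all; with it on, the default resolver hands the system ID to `urllib.request.urlopen`, which is exactly the unwanted connection to www.oasis-open.org (or to wherever a rogue DTD points). The resolver below therefore serves catalogued public IDs from local bytes and refuses everything else, which is the in-process equivalent of pointing the document at the packaged docbook-xml copy.

```python
"""Added example, not code from the thread, scrollkeeper or libxml2: what a
SAX parser does with the DOCTYPE from xbill.xml under three entity policies.

Python stdlib only.  The DocBook public/system IDs are the ones quoted in the
thread; the "evil.example" entity, the stand-in DTD text and the document
itself are constructed for this demo.
"""
import io
import xml.sax
from xml.sax import handler

DOCBOOK_PUBLIC_ID = "-//OASIS//DTD DocBook XML V4.1.2//EN"
DOCBOOK_SYSTEM_ID = "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"

# Stand-in for the DTD a local docbook-xml package would supply (constructed).
LOCAL_CATALOG = {
    DOCBOOK_PUBLIC_ID: b"<!ELEMENT article (title)>\n<!ELEMENT title (#PCDATA)>\n",
}


def build_doc(with_rogue_entity):
    """DocBook-style document; optionally adds an external entity whose system
    ID points off-site (the 'rogue DTD specifies bad URIs' case)."""
    internal_subset = ""
    body = "xbill"
    if with_rogue_entity:
        internal_subset = '[ <!ENTITY homepage SYSTEM "http://evil.example/leak.txt"> ]'
        body = "xbill &homepage;"
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE article PUBLIC "{DOCBOOK_PUBLIC_ID}" "{DOCBOOK_SYSTEM_ID}" {internal_subset}>\n'
        f"<article><title>{body}</title></article>\n"
    )


class NetworkAccess(Exception):
    """The parser asked for something it would have fetched over the network."""


class CatalogResolver(handler.EntityResolver):
    """Serve known public IDs from a local catalog, refuse everything else.

    xml.sax's default resolver returns the system ID unchanged, and
    saxutils.prepare_input_source then opens it with urllib.request.urlopen:
    that is the unwanted connection to www.oasis-open.org (or anywhere else).
    """

    def __init__(self, catalog):
        self.catalog = catalog
        self.attempted = []       # (publicId, systemId) for every external ref

    def resolveEntity(self, publicId, systemId):
        self.attempted.append((publicId, systemId))
        if publicId in self.catalog:
            return io.BytesIO(self.catalog[publicId])
        raise NetworkAccess(f"refusing to fetch {systemId!r}")


class Collector(handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.elements, self.text = [], ""

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text += content


def parse(xml_text, follow_external=False, resolver=None):
    """Return (element names, title text) after parsing xml_text."""
    parser = xml.sax.make_parser()
    # feature_external_ges is off by default: external DTDs and entities are
    # then skipped without any I/O.  Turning it on is only safe together with
    # a resolver that never reaches the network.
    parser.setFeature(handler.feature_external_ges, follow_external)
    if resolver is not None:
        parser.setEntityResolver(resolver)
    collector = Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode()))
    return collector.elements, collector.text.strip()


def demo():
    """Run the three policies; returns what each one asked for or blocked."""
    # 1. Default: external references ignored, resolver never consulted.
    r1 = CatalogResolver(LOCAL_CATALOG)
    parse(build_doc(True), follow_external=False, resolver=r1)
    # 2. Fetching on, no rogue entity: DocBook DTD served from the catalog.
    r2 = CatalogResolver(LOCAL_CATALOG)
    parse(build_doc(False), follow_external=True, resolver=r2)
    # 3. Fetching on, rogue entity: refused before any socket is opened.
    r3 = CatalogResolver(LOCAL_CATALOG)
    try:
        parse(build_doc(True), follow_external=True, resolver=r3)
        blocked = None
    except NetworkAccess as exc:
        blocked = str(exc)
    return r1.attempted, r2.attempted, r3.attempted, blocked


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run stand-alone it prints the three `attempted` lists and the refusal message; the point is in the difference between policy 1 and policy 3, which parse the same document, and in the fact that the DTD itself is only "harmless" once every external reference it induces is answered from trusted local bytes.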