Red Hat programmer discovers major security flaw in Linux

Mar 06, 2014 by Bob Yirka report

(Phys.org) —Programmer Nikos Mavrogiannopoulos, who works for Red Hat, has discovered a major security problem with the Linux operating system—a bug that could allow a hacker to create a certificate that bypasses the normal authenticity checks. Red Hat sent out an immediate alert and advises everyone who uses its products to update their software with the fix it has made available.

Officially known as CVE-2014-0092, the bug appears to be a simple programming error—one that has been present in a part of the Linux operating system for over a decade. More specifically, the bug involves the validation of X.509 certificates by GnuTLS (a library of functions used for processing certificate requests). In many respects, the error appears to be similar to the "goto fail" bug that cropped up in iOS and OS X recently. At issue in both cases is the infamous GOTO computer command, which has been criticized by several high-profile programmers for years. Problems occur with it when a programmer fails to consider one or more outcomes. GOTO commands are called on demand, i.e. IF condition GOTO some other part of the code. The problem can be made worse when negative conditions are used, because humans can't always think of every possible outcome.

In this instance, GOTO commands were being executed under certain conditions that allowed certificate authentication to be bypassed, so that unauthenticated certificates were processed as if they were authentic. If a hacker discovered the flaw, they could cause their own certificates to be accepted as authentic, allowing them to decrypt data. That could of course affect a great many users, as Linux, especially the Red Hat version, is very commonly used as a web server operating system.

What is most surprising about the bug is that it went undetected for so long. Linux is an open source operating system, which means thousands, if not millions, of people have access to the source code—every one of whom can test any part of it. That no one thought to independently test every part of the highly important GnuTLS library seems almost unfathomable.

Now that the bug has been identified, fixes have been made in virtually all Linux variants, which users can download. Sadly, however, not everyone keeps up with such reports, which means the bug could very well live on in many web servers and other systems around the world for many years to come.

More information: rhn.redhat.com/errata/RHSA-2014-0246.html

User comments: 3

Eikka
5 / 5 (2) Mar 06, 2014
"every one of whom can test any part of it"

Technically, but not practically speaking.

Extremely few people go around poking the source code of their operating system for fun without a pressing need - and even when they do it's a snowball's chance in hell they'll just stumble on the particular line of code that contains the bug among the millions of lines of code - assuming they're competent enough to notice or do anything about it in the first place.

It all takes time, money and effort, and unless you're paid to do it you probably just don't give a toss. Meanwhile, people who are trying to break into these systems do have the motivation and time, and often the money to spend the time poking around to see what breaks - and then tell nobody else about it.

That's why I find Linus's law of "Many eyes make all bugs shallow" a load of rubbish, because the eyes are blind. If there is a bug in open source software, chances are the black hats are going to find it first.
rjflory
5 / 5 (1) Mar 06, 2014
Technically the problem is not with the operating system itself, but with an accessory library maintained by a completely different group. This library is also used by several other operating systems besides Linux.

To claim the problem is with the Linux operating system is akin to claiming a bug in the QuickTime player or Acrobat Reader is the fault of Microsoft - it isn't...
EnricM
not rated yet Mar 07, 2014
LOL, I hope that my fellow geeks at Slashdot don't discover this article, we will be laughing our butts sore for decades:

"GOTO commands are called on demand"

Well, yes, GOTO instructions, as any other instructions, are called on demand... I still haven't seen any other instruction that is called spontaneously or in any other way than "on demand".

"Sadly, not everyone keeps up on such reports, however, which means the bug could very well live on in many web servers and others systems around the world for many years to come."

Besides the grammar errors, the whole comment is devoid of meaning.

Here is an explanation in ARS TECHNICA (http://arstechnic...pping/), safe for consumption by IT personnel ;)