4 Jul 2005
(updated 4 Jul 2005 at 14:17 UTC)
Almost a month ago I wrote about a security bug I had found and was very excited about. Since enough time has passed, and the package involved, HelixPlayer, has now been released, I believe I can talk about it now. The Red Hat guys told me they had fixed the issue, but they preferred that I keep my mouth shut about it until they released the updated HelixPlayer.
The problem was with the CVS system of Fedora Core, and the way it and the related policies were implemented. In short, it was like this:
In Fedora Core, only the distro-related patches are kept in the CVS; the upstream tarballs for the packages are kept somewhere else, behind an HTTP server. There is anonymous access to the CVS, but through a slightly weird setup and directory hierarchy which is very probably not the same as what the people with commit access see. The tarballs are then supposed to be downloaded by a makefile system that reads a file (available in the CVS) called "sources", which has the filenames and MD5 sums for them. They are downloaded through an HTTP server specially configured for this, which will only give you the file if you give it the right filename, package name, and checksum.
The problem was with the CVS commits mailing list. I was browsing through the list and suddenly found that there were a few emails about commits to branches called "FC3-embargo" and "FC4-embargo", which I tried several ways to access using the CVS, to no avail. Being the ignorant guy I am about software security processes, I had no clue what the hell "embargo" could mean.
Anyway, after searching the Red Hat site and Google for those two branch tags and coming up with nothing, I tried the word "embargo", and after lots of confusion found out what it really means. (It is a term for cases when a security bug is known to the maintainer of the software, but he doesn't tell the public about it and doesn't commit a patch to the CVS either; instead he tells the vendors, mostly distro people, about it, and they arrange a time for a simultaneous release of patches and keep everything secret before that.)
When I found it, I thought, "Fine, it's a security thing, and I probably shouldn't know about it." But then I suddenly thought, "But wasn't the committed patch about a new version, 1.0.5? If there is a new upstream tarball, maybe I could get it and feed the curiosity?" Helping the curiosity was that the commit was made by GNOME's J5, who I had assumed could read Han characters when I met him in Norway, based on his face, which I am still ashamed of (he is half Italian, half Thai, IIRC).
After playing a little with the HTTP server, and seeing that I could get nowhere without the MD5 sum, I suddenly realized that maybe the changes to the "sources" file were also in the emails. Yes, they were there. So I constructed the URL and got the tarball easily. I had an embargoed tarball in my hands.
I tried to find J5 on IRC, couldn't find him, tried the Red Hat Bugzilla, found that there is no security checkbox for bugs related to Fedora Core infrastructure, but found a link there about security bugs and Red Hat's "secalert" team. I imported their GPG key and emailed them about it. (The sad thing is that I can no longer read the email I sent, because Evolution keeps it under secalert's chain and lock.) They confirmed the issue, fixed it to some degree, and asked me very politely (but with lots of rechecking to make sure I understood them) not to disclose the issue until the new HelixPlayer (the package I tried) was released.
The lessons I learned: be curious and try things; apart from the educational benefits, it may prove good for lots of other people. You never know when you have found a security issue. Several other people may have overlooked it by simply thinking the way they do and not thinking the way you do. Don't underestimate your own eyeball.
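The weak point described above is that the MD5 sum in "sources" doubles as the download token, yet the commit list mails its diff to everyone, embargo branch or not. As an added example (not code from this post, nor Fedora's or Red Hat's own infrastructure), here is a filter that a list gateway could run on outgoing notifications: it withholds checksums for commits on embargo branches and reports which checksums a mail would otherwise expose. The mail layout, the branch-name test, and the "<md5>  <filename>" line format of "sources" are assumptions; the sample mail is constructed.

```python
import re

# Constructed sample notification: a "sources" diff on an embargo branch.
# Both checksums are made-up values, not real Fedora data.
SAMPLE_MAIL = """\
Package: HelixPlayer
Branch: FC4-embargo
Index: sources
--- sources
+++ sources
-0123456789abcdef0123456789abcdef  HelixPlayer-1.0.4.tar.bz2
+fedcba9876543210fedcba9876543210  HelixPlayer-1.0.5.tar.bz2
"""

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
BRANCH_RE = re.compile(r"^Branch:\s*(\S+)", re.MULTILINE)


def is_embargoed(branch: str) -> bool:
    """Assumed convention: embargoed work lives on branches named '*embargo*'."""
    return "embargo" in branch.lower()


def leaked_checksums(mail: str) -> list[str]:
    """Checksums on added ('+') diff lines: the new download tokens this mail
    would hand to every list subscriber. Removed ('-') lines carry only the
    already-public old sums, so they are not counted."""
    found = []
    for line in mail.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            found.extend(h.lower() for h in MD5_RE.findall(line))
    return found


def scrub(mail: str) -> str:
    """Return the mail unchanged for normal branches; for embargo branches
    replace every 32-hex-digit checksum so the commit is still announced but
    the token needed to fetch the tarball is not."""
    m = BRANCH_RE.search(mail)
    if not m or not is_embargoed(m.group(1)):
        return mail
    return MD5_RE.sub("[checksum withheld: embargoed branch]", mail)


if __name__ == "__main__":
    print("would leak:", leaked_checksums(SAMPLE_MAIL))
    print(scrub(SAMPLE_MAIL))
```

The filter is a stopgap: the real fix is not to treat a checksum of public content as a secret at all, and to keep embargoed commits off public notification channels entirely.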