From owner-freebsd-announce Wed Feb 5 09:11:32 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA27612 for freebsd-announce-outgoing; Wed, 5 Feb 1997 09:11:32 -0800 (PST)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA27518 for ; Wed, 5 Feb 1997 09:11:22 -0800 (PST)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.8.5/8.6.9) with ESMTP id JAA19771 for ; Wed, 5 Feb 1997 09:11:20 -0800 (PST)
To: announce@freebsd.org
Subject: 2.2-GAMMA is released.
Date: Wed, 05 Feb 1997 09:11:19 -0800
Message-ID: <19767.855162679@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-announce@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

The final pre-release version of FreeBSD 2.2 is now available from:

    ftp://ftp.freebsd.org/pub/FreeBSD/2.2-GAMMA

This release, modulo any final bug fixes, is what will be released as FreeBSD 2.2R at the end of February, the length of this GAMMA testing cycle being approximately 20 days.

As the README.TXT file in this release indicates, I've also decided to try something a little different for this GAMMA test cycle. Our more sharp-eyed observers will notice that 2.2-GAMMA is actually a symbolic link pointing to 2.2-970205-GAMMA on ftp.freebsd.org. This was copied today from ftp://22gamma.freebsd.org/pub/FreeBSD, an FTP server which automatically generates a completely new release of 2.2 from the 2.2-branch (RELENG_2_2) code each day. When a release build is successful, it is moved into the FTP area on that machine (REPLACING the old, so be careful about installing directly from this machine around 0500 hours, PST :-). This will hopefully help to prevent the usual problems where new testers trip over bugs already reported and report them again, or someone breaks things unexpectedly while making repairs and we don't find out until the last moment.

Another trick was figuring out how to do this in a way that didn't cause the many mirrors of ftp.freebsd.org to melt down under the strain, and it was finally decided that I should only update the ftp.freebsd.org bits once or twice during GAMMA and simply advertise ftp://22gamma.freebsd.org/pub/FreeBSD as the place to get the most recent version. This makes life a little hard on our international users, I do realize, and I'd welcome announcements or contact from other sites indicating their willingness to mirror the "GAMMA SNAPS" on other public FTP sites. Some reasonable number (where "reasonable" == "does not melt 22gamma.freebsd.org") would be a nice thing to have.

As usual:

    Bug reports via:  send-pr(1) or http://www.freebsd.org/send-pr.html
                      or (as a last resort) to: bugs@freebsd.org
    Comments to:      current@freebsd.org.
    Questions to:     questions@freebsd.org mailing list
                      comp.unix.bsd.freebsd.misc newsgroup
                      #freebsd IRC channel (on irc.freebsd.org)
                      [in that order]

    Bearer bonds, greasy paper bags full of unmarked bills & precious metals to: jkh@freebsd.org.

More information also accompanies the release in the usual .TXT files.

Thanks!

Jordan

From owner-freebsd-announce Wed Feb 5 18:45:49 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id SAA06708 for freebsd-announce-outgoing; Wed, 5 Feb 1997 18:45:49 -0800 (PST)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA06685; Wed, 5 Feb 1997 18:45:39 -0800 (PST)
Received: (from jkh@localhost) by time.cdrom.com (8.8.5/8.6.9) id SAA26311; Wed, 5 Feb 1997 18:45:36 -0800 (PST)
Date: Wed, 5 Feb 1997 18:45:36 -0800 (PST)
From: "Jordan K.
 Hubbard"
Message-Id: <199702060245.SAA26311@time.cdrom.com>
To: announce@freebsd.org
Subject: setlocale() bug in all released versions of FreeBSD (SA-97:01)
Cc: first-teams@first.org, freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org
Sender: owner-freebsd-announce@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

=============================================================================
FreeBSD-SA-97:01                                            Security Advisory
Revised: Wed Feb 05 09:58:56 PDT 1997                          FreeBSD, Inc.

Topic:          setlocale() bug in all released versions of FreeBSD

Category:       core
Module:         libc
Announced:      1997-02-05
Affects:        FreeBSD 2.1.6 and earlier systems suffer from this
                vulnerability for all binaries due to setlocale() being
                called from crt0.o.
Corrected:      1997-02-05 -stable, 1996-11-27 -current and RELENG_2_2 sources
Source:         FreeBSD specific bug
FreeBSD only:   unknown
Patches:        ftp://freebsd.org/pub/CERT/patches/SA-97:01/
=============================================================================

I.   Background

The setlocale() call contains a number of potential exploits through string overflows during environment variable expansion. Because the 2.1.6 and earlier versions of FreeBSD called setlocale() in the C runtime code, the problem is especially acute there in that it essentially affects all binaries on the system. In FreeBSD 2.2 BETA and later releases, the setlocale() call was removed from crt0.c and the exploit closed through additional checks.

There has also been some confusion over the implications of loading locale data by privileged programs. The facility for a user to supply their own (possibly corrupt or abused) locale data to non-privileged processes was removed in all releases on 1997-02-04. This was originally a debugging facility that got little use and the user can now only direct system binaries to load system administrator sanctioned locale files.

This problem is present in all source code and binary distributions of FreeBSD released on or before 1996-11-27.

II.  Problem Description

The setlocale() library function looks for the environment variable "PATH_LOCALE" in the current process's environment, and if it exists, later copies the contents of this variable to a stack buffer without doing proper bounds checking. If the environment variable was specially initialized with the proper amount and type of data prior to running a setuid program, it is possible to cause the program to overflow its stack and execute arbitrary code which could allow the user to become root.

III. Impact

Any binary linked on a system with setlocale() built into crt0.c (see list of affected releases in section I above) or which calls setlocale() directly has the buffer overrun vulnerability. If this binary has the setuid or setgid bits set, or is called by another setuid/setgid binary (even if that other setuid/setgid binary does not have this vulnerability), unauthorized access may be allowed.

IV.  Solution(s)

Recompiling libc with the following patches and then recompiling all statically linked binaries (all in /sbin and /bin as well as chflags, gunzip, gzcat, gzip, ld, tar and zcat in /usr/bin) eliminates this vulnerability in FreeBSD 2.1.6 and earlier releases. However, a full solution may require a re-link of all setuid/setgid local binaries or all local binaries likely to be called from another setuid/setgid program that were originally linked statically under one of the affected OSs. Dynamically linked executables will benefit directly from this patch once libc is rebuilt and reinstalled and do not need to be relinked.

Because of the severity of this security hole, a full update release for FreeBSD 2.1.6 will also be released very shortly, that release being provisionally assigned the version number of 2.1.7.
Index: lib/libc/locale/collate.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/collate.c,v retrieving revision 1.4.4.2 diff -c -r1.4.4.2 collate.c *** collate.c 1996/06/05 02:47:55 1.4.4.2 --- collate.c 1997/02/05 10:21:59 *************** *** 64,70 **** __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); --- 64,70 ---- __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); Index: lib/libc/locale/rune.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/rune.c,v retrieving revision 1.2.6.3 diff -c -r1.2.6.3 rune.c *** rune.c 1996/06/05 02:47:59 1.2.6.3 --- rune.c 1997/02/05 10:22:00 *************** *** 71,77 **** return(0); } ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); --- 71,77 ---- return(0); } ! if (!PathLocale) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); Index: lib/libc/locale/setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v retrieving revision 1.3.4.2.2.1 diff -c -r1.3.4.2.2.1 setlocale.c *** setlocale.c 1996/06/05 02:48:03 1.3.4.2.2.1 --- setlocale.c 1997/02/05 10:22:00 *************** *** 58,64 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 58,64 ---- int found, i, len; char *env, *r; ! 
if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) Index: lib/libc/locale/startup_setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/Attic/startup_setlocale.c,v retrieving revision 1.2.4.2 diff -c -r1.2.4.2 startup_setlocale.c *** startup_setlocale.c 1995/08/28 05:06:50 1.2.4.2 --- startup_setlocale.c 1997/02/05 10:22:00 *************** *** 23,29 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 23,29 ---- int found, i, len; char *env, *r; ! if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST)

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
=============================================================================

From owner-freebsd-announce Wed Feb 5 20:53:47 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA06834 for freebsd-announce-outgoing; Wed, 5 Feb 1997 20:53:47 -0800 (PST)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA06811; Wed, 5 Feb 1997 20:53:40 -0800 (PST)
Received: (from jkh@localhost) by time.cdrom.com (8.8.5/8.6.9) id UAA27279; Wed, 5 Feb 1997 20:53:38 -0800 (PST)
Date: Wed, 5 Feb 1997 20:53:38 -0800 (PST)
From: "Jordan K.
 Hubbard"
Message-Id: <199702060453.UAA27279@time.cdrom.com>
To: announce@freebsd.org
Subject: My resignation as president of the FreeBSD Project.
Cc: hackers@freebsd.org
Sender: owner-freebsd-announce@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This short notice is just to announce my resignation as President of the FreeBSD Project, effective immediately, coinciding with the elimination of that position. This is entirely my own decision and was not prompted by anyone on the core team - if anything, they will probably be as surprised as anyone at the news (except for David & John D., with whom I've already discussed the matter).

I do this for several reasons, all equally important:

1. The position of President has always been somewhat at odds with our democratic core team structure and purely titular since to give the president any real "power" would also destroy the carefully balanced dynamic of core, and that would hardly be a desirable outcome. The reason the position of "President" was originally created at all was to give ISVs and other corporate contacts a more official-sounding person to talk to, and while this has been valuable to a certain extent I don't think that it's quite proven useful enough to justify the further existence of the position. As it is, it only creates the illusion of a "super core member", which the president is not, and creates false expectations of authority.

2. The president is generally assumed to be talking for FreeBSD at all times, depriving the wearer of that particular thorny crown of the right to voice strong opinions or otherwise be outspoken without damaging the reputation of the project. I'm not a punch-pulling kind of guy (as you no doubt already guessed) and I almost certainly never will be, so it's time for me to have my own voice back and be able to talk to people without it being taken as implicit that I'm somehow speaking for all of core. If being "presidential" also means constantly turning the other cheek then I'll never be presidential enough and it's just not an adjustment I care to make (I'm not that kind of person) so I should step down from that responsibility.

3. Dropping back to core team status will make it easier for me to shed additional FreeBSD responsibilities, should I decide that I need to do that in the future, and get some semblance of a life back. I've been doing this for 4 years now and I'm tired. Just how tired I will need to evaluate before making any further decisions, but at least the burden of this artificial position will no longer be mine. It will, in fact, be no one's and I think this is a vast improvement.

In discussions with David and John, it was also expressed that the position was never really that popular with the core team and that my stepping down should coincide with the complete elimination of an unnecessary and somewhat flawed position, and so it will be.

So, as of now the FreeBSD Project no longer has a President. It is run purely by the core team, as it always was in truth, and now I'm just the PR guy, release engineer and plain old run-of-the-mill core team member. As if that wasn't enough. :-)

Jordan
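Review bot: In the collate.c hunk of the SA-97:01 patch above, removing the getenv("PATH_LOCALE") branch leaves the actual overflow site untouched: `strcpy(buf, path_locale); strcat(buf, "/");` is still an unbounded copy, safe now only because path_locale can no longer be anything but _PATH_LOCALE. Any later code path that assigns path_locale from another source brings the overrun back unchanged. Bounding the copy where it happens, for instance `if (snprintf(buf, sizeof(buf), "%s/", path_locale) >= sizeof(buf)) return -1;` beside the existing `if (!encoding) return -1;`, would make the function safe on its own rather than by a property of its callers.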
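Review bot: The rune.c hunk of that patch has the same shape and the same residual risk: `(void) strcpy(name, PathLocale);` remains unbounded. Since PathLocale is now only ever _PATH_LOCALE here and in the setlocale.c and startup_setlocale.c hunks, consider making it a const pointer initialised at its definition rather than a lazily set global; the three `if (!PathLocale)` checks then disappear, and a reader can see at the strcpy that the source is a compile-time constant of known length.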
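Review bot: The setlocale.c hunk changes user-visible behaviour (PATH_LOCALE is no longer consulted for any process, privileged or not) and the patch carries no manual page or release-notes change. If setlocale(3) or any of the .TXT files document PATH_LOCALE, they need the same update, and a one-line comment above `if (!PathLocale) PathLocale = _PATH_LOCALE;` saying why the environment is deliberately not consulted would stop the lookup being reintroduced as a convenience later.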
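Review bot: The startup_setlocale.c hunk duplicates the setlocale.c hunk line for line, and its RCS path (lib/libc/locale/Attic/startup_setlocale.c) shows the file is already removed on the head branch, matching the advisory's statement that 2.2 no longer calls setlocale() from crt0. On the 2.1 branch, where crt0.o still pulls this file in, that is a second copy of the path-resolution logic to keep in sync; either have it share the routine in setlocale.c or mark both sites with a cross-reference so the next fix lands in both.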
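The overflow described in SA-97:01 above, as an added example that is not part of the advisory, of Jordan's messages, or of FreeBSD's libc. It mirrors the shape of the collate.c path construction: a fixed-size stack buffer receives <dir>/<encoding>/<file>, where <dir> may have come from PATH_LOCALE in the environment. The vulnerable form is shown beside a hardened one that bounds the copy with snprintf and refuses non-absolute directories and non-component names. Everything here is constructed for the demonstration: the 64-byte LOCALE_BUF (libc's buffers are larger), the 200-byte PATH_LOCALE value, DEFAULT_PATH_LOCALE standing in for _PATH_LOCALE, and the trust_env flag, which is a hypothetical policy switch; the actual FreeBSD fix simply removed the environment lookup for every process, which is the trust_env = 0 case below.

```c
/*
 * Added example, not FreeBSD's libc or the SA-97:01 patch. Mirrors the shape
 * of the collate.c path construction: a fixed stack buffer receives
 * <dir>/<encoding>/<file>, where <dir> may have come from PATH_LOCALE.
 * LOCALE_BUF, the 200-byte PATH_LOCALE value and the trust_env flag are all
 * constructed for the demonstration.
 */
#include <stdio.h>
#include <string.h>

#define LOCALE_BUF 64                             /* constructed: deliberately small */
#define DEFAULT_PATH_LOCALE "/usr/share/locale"   /* stands in for _PATH_LOCALE */

/* Pre-patch shape: unbounded strcpy/strcat from a string nobody size-checked.
 * Kept only for comparison; it is called below with a short, known input. */
static void build_locale_path_unsafe(char *buf, const char *path_locale,
                                     const char *encoding, const char *file)
{
    strcpy(buf, path_locale);       /* overruns buf as soon as path_locale is long */
    strcat(buf, "/");
    strcat(buf, encoding);
    strcat(buf, "/");
    strcat(buf, file);
}

/* Bytes, NUL included, that the unsafe version writes. Anything above the
 * buffer size lands past the end of the stack buffer, which is how an
 * attacker-chosen PATH_LOCALE reaches the saved frame and return address. */
static size_t unsafe_bytes_written(const char *path_locale,
                                   const char *encoding, const char *file)
{
    return strlen(path_locale) + 1 + strlen(encoding) + 1 + strlen(file) + 1;
}

/* Hardened shape. env_dir is whatever getenv("PATH_LOCALE") returned (NULL
 * when unset) and is honoured only when trust_env is non-zero; a setuid or
 * setgid program passes 0, which is what the SA-97:01 patch hard-wires for
 * every process. The path is built with snprintf and a result that would not
 * fit is an error, not a silent overflow. Returns 0 on success, -1 on
 * rejection (buf is then empty). */
static int build_locale_path(char *buf, size_t bufsz, const char *env_dir,
                             int trust_env, const char *encoding, const char *file)
{
    const char *dir = DEFAULT_PATH_LOCALE;
    int n;

    if (trust_env && env_dir != NULL && env_dir[0] == '/')
        dir = env_dir;                            /* relative overrides are ignored */

    /* encoding and file must be single, non-empty path components */
    if (encoding[0] == '\0' || file[0] == '\0' ||
        strchr(encoding, '/') != NULL || strchr(file, '/') != NULL ||
        strcmp(encoding, "..") == 0 || strcmp(file, "..") == 0) {
        buf[0] = '\0';
        return -1;
    }

    n = snprintf(buf, bufsz, "%s/%s/%s", dir, encoding, file);
    if (n < 0 || (size_t)n >= bufsz) {            /* truncated: refuse to use it */
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed attacker-style value: an absolute path 200 bytes long. */
static const char *long_path_locale(void)
{
    static char s[201];
    memset(s, 'A', sizeof s - 1);
    s[0] = '/';
    s[sizeof s - 1] = '\0';
    return s;
}

/* Scenario helpers returning results that can be checked, not just printed. */
static char demo_buf[LOCALE_BUF];
static const char *demo_result(void) { return demo_buf; }

static int demo_unsafe_would_overflow(void)
{
    return unsafe_bytes_written(long_path_locale(), "en_US.ISO8859-1", "LC_COLLATE") > LOCALE_BUF;
}
static int demo_untrusted_env_is_ignored(void)       /* setuid policy: env dropped, default used */
{
    return build_locale_path(demo_buf, sizeof demo_buf, long_path_locale(), 0, "en_US.ISO8859-1", "LC_COLLATE");
}
static int demo_trusted_but_too_long_is_refused(void) /* even a trusted value must fit */
{
    return build_locale_path(demo_buf, sizeof demo_buf, long_path_locale(), 1, "en_US.ISO8859-1", "LC_COLLATE");
}
static int demo_traversal_is_refused(void)           /* ".." is not a locale name */
{
    return build_locale_path(demo_buf, sizeof demo_buf, NULL, 0, "..", "LC_COLLATE");
}

int main(void)
{
    char buf[LOCALE_BUF];

    build_locale_path_unsafe(buf, DEFAULT_PATH_LOCALE, "en_US.ISO8859-1", "LC_COLLATE"); /* 45 bytes: fits */
    printf("unsafe, benign input  : %s\n", buf);
    printf("unsafe, 200-byte dir  : writes %zu bytes into %d, overflow=%d\n",
           unsafe_bytes_written(long_path_locale(), "en_US.ISO8859-1", "LC_COLLATE"),
           LOCALE_BUF, demo_unsafe_would_overflow());
    printf("untrusted env ignored : rc=%d path=%s\n", demo_untrusted_env_is_ignored(), demo_result());
    printf("trusted but too long  : rc=%d\n", demo_trusted_but_too_long_is_refused());
    printf("traversal component   : rc=%d\n", demo_traversal_is_refused());
    return 0;
}
```

The point of the split is that the advisory's fix and the bounds check are independent defences: dropping the environment lookup removes the attacker's control over the input, while checking the length at the copy keeps the function correct even if some future caller hands it a long directory again. A real libc would keep the buffer at PATH_MAX and return the same error its callers already handle (collate.c returns -1 and sets __collate_load_error).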