From owner-freebsd-security-notifications Wed Mar 15 9:33:16 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id C8D9737BADE; Wed, 15 Mar 2000 09:33:08 -0800 (PST)
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:07.mh
Message-Id: <20000315173308.C8D9737BADE@hub.freebsd.org>
Date: Wed, 15 Mar 2000 09:33:08 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-00:07                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          mh/nmh/ja-mh/exmh/exmh2/ja-exmh2 ports allow remote
                execution of binary code

Category:       ports
Module:         mh/nmh/ja-mh/exmh/exmh2/ja-exmh2
Announced:      2000-03-15
Affects:        Ports collection before the correction date.
Corrected:      [See below for a more complete description]
                All versions fixed in 4.0-RELEASE.
                mh: 2000-03-04
                nmh: 2000-02-29
                ja-mh: 2000-03-11
                exmh: 2000-03-05
                exmh2: 2000-03-05
                ja-exmh2: 2000-03-11
FreeBSD only:   NO

I. Background

MH and its successor NMH are popular Mail User Agents. EXMH and EXMH2 are
TCL/TK-based front-ends to the MH system. There are also Japanese-language
versions of the MH and EXMH2 ports.

II. Problem Description

The mhshow command used for viewing MIME attachments contains a buffer
overflow which can be exploited by a specially-crafted email attachment,
which will allow the execution of arbitrary code as the local user when
the attachment is opened.

The *MH ports are not installed by default, nor are they "part of FreeBSD"
as such: they are part of the FreeBSD ports collection, which contains
over 3100 third-party applications in a ready-to-install format. The
FreeBSD 4.0-RELEASE ports collection is not vulnerable to this problem.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

An attacker who can convince a user to open a hostile MIME attachment sent
as part of an email message can execute arbitrary binary code running with
the privileges of that user.

If you have not chosen to install any of the
mh/nmh/ja-mh/exmh/exmh2/ja-exmh2 ports/packages, then your system is not
vulnerable.

IV. Workaround

1) Remove the mhshow binary, located in /usr/local/bin/mhshow. This will
   prevent the viewing of MIME attachments from within *mh.

2) Remove the mh/nmh/ja-mh/exmh/exmh2/ja-exmh2 ports, if you have
   installed them.

V. Solution

The English language version of the MH software is no longer actively
developed, and no fix is currently available. It is unknown whether a fix
to the problem will be forthcoming - consider upgrading to use NMH instead,
which is the designated successor of the MH software. EXMH and EXMH2 can
both be compiled to use NMH instead (this is now the default behaviour).
It is not necessary to recompile EXMH/EXMH2 after reinstalling NMH.

The Japanese-language version of MH is being actively developed and has
been patched to fix the problem.

SOLUTION: Remove any old versions of the mail/mh, mail/nmh or japanese/mh
ports and perform one of the following:

1) Upgrade your entire ports collection and rebuild the mail/nmh port, or
   the japanese/mh port.
2) Reinstall a new package obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/ja-mh-6.8.4.3.03
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/ja-mh-6.8.4.3.03
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/ja-mh-6.8.4.3.03

3) Download a new port skeleton for the nmh/ja-mh port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Wed Mar 15 9:34:51 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id F231737BA56; Wed, 15 Mar 2000 09:34:43 -0800 (PST)
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx
Message-Id: <20000315173443.F231737BA56@hub.freebsd.org>
Date: Wed, 15 Mar 2000 09:34:43 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-00:08                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Lynx ports contain numerous buffer overflows

Category:       ports
Module:         lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current
Announced:      2000-03-15
Affects:        Ports collection before the correction date.
Corrected:      See below.
FreeBSD only:   NO

I. Background

Lynx is a popular text-mode WWW browser, available in several versions
including SSL support and Japanese language localization.

II. Problem Description

The lynx software is written in a very insecure style and contains
numerous potential and several proven security vulnerabilities (publicized
on the BugTraq mailing list) exploitable by a malicious server.

The lynx ports are not installed by default, nor are they "part of
FreeBSD" as such: they are part of the FreeBSD ports collection, which
contains over 3100 third-party applications in a ready-to-install format.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

A malicious server which is visited by a user with the lynx browser can
exploit the browser security holes in order to execute arbitrary code as
the local user.

If you have not chosen to install any of the
lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then
your system is not vulnerable.

IV. Workaround

Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if
you have installed them.

V. Solution

Unfortunately, there is no simple fix to the security problems with the
lynx code: it will require a full review by the lynx development team and
recoding of the affected sections with a more security-conscious attitude.

In the meantime, there are two other text-mode WWW browsers available in
FreeBSD ports: www/w3m (also available in www/w3m-ssl for an SSL-enabled
version, and japanese/w3m for Japanese-localization) and www/links.

Note that the FreeBSD Security Officer does not make any recommendation
about the security of these two browsers - in particular, they both appear
to contain potential security risks, and a full audit has not been
performed, but at present no proven security holes are known. User beware -
please watch for future security advisories which will publicize any such
vulnerabilities discovered in these ports.

From owner-freebsd-security-notifications Wed Mar 15 9:36:33 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 120F537C0AF; Wed, 15 Mar 2000 09:36:26 -0800 (PST)
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:09.mtr
Message-Id: <20000315173626.120F537C0AF@hub.freebsd.org>
Date: Wed, 15 Mar 2000 09:36:26 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-00:09                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          mtr port contains a local root exploit.

Category:       ports
Module:         mtr
Announced:      2000-03-15
Affects:        Ports collection before the correction date.
Corrected:      2000-03-07 (included in FreeBSD 4.0-RELEASE)
FreeBSD only:   NO

I. Background

mtr ("Multi Traceroute") combines the functionality of the "traceroute"
and "ping" programs into a single network diagnostic tool.

II. Problem Description

The mtr program (versions 0.41 and below) fails to correctly drop setuid
root privileges during operation, allowing a local root compromise.

The mtr port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains over 3100
third-party applications in a ready-to-install format. The FreeBSD
4.0-RELEASE ports collection is not vulnerable to this problem. FreeBSD
makes no claim about the security of these third-party applications,
although an effort is underway to provide a security audit of the most
security-critical ports.

III. Impact

A local user can exploit the security hole to obtain root privileges.

If you have not chosen to install the mtr port/package, then your system
is not vulnerable.

IV. Workaround

1) Remove the mtr port if you have installed it.

2) Disable the setuid bit - run the following command as root:

chmod u-s /usr/local/sbin/mtr

This will mean non-root users cannot make use of the program, since it
requires root privileges to properly run.

V. Solution

1) Upgrade your entire ports collection and rebuild the mtr port.

2) Reinstall a new package obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mtr-0.42.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/net/mtr-0.42.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/net/mtr-0.42.tgz

Note: it may be several days before the updated packages are available.

3) Download a new port skeleton for the mtr port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

From owner-freebsd-security-notifications Wed Mar 15 9:38: 8 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 8949337BEBE; Wed, 15 Mar 2000 09:37:57 -0800 (PST)
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:10.orville-write
Message-Id: <20000315173757.8949337BEBE@hub.freebsd.org>
Date: Wed, 15 Mar 2000 09:37:57 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-00:10                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          orville-write port contains local root compromise.

Category:       ports
Module:         orville-write
Announced:      2000-03-15
Affects:        Ports collection before the correction date.
Corrected:      2000-03-09
FreeBSD only:   Yes

I. Background

Orville-write is a replacement for the write(1) command, which provides
improved control over message delivery and other features.

II. Problem Description

One of the commands installed by the port is incorrectly installed with
setuid root permissions. The 'huh' command should not have any special
privileges since it is intended to be run by the local user to view his
saved messages.

The orville-write port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3100 third-party applications in a ready-to-install format.
The FreeBSD 4.0-RELEASE ports collection is not vulnerable to this
problem. FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

A local user can exploit a buffer overflow in the 'huh' utility to obtain
root privileges.

If you have not chosen to install the orville-write port/package, then
your system is not vulnerable.

IV. Workaround

Remove the orville-write port if you have installed it.

V. Solution

Remove the setuid bit from the huh utility, by executing the following
command as root:

chmod u-s /usr/local/bin/huh

It is not necessary to reinstall the orville-write port, although this can
be done in one of the following ways if desired:

1) Upgrade your entire ports collection and rebuild the orville-write port.

2) Reinstall a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/misc/orville-write-2.41a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/misc/orville-write-2.41a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/misc/orville-write-2.41a.tgz

Note: it may be several days before the updated packages are available.

3) Download a new port skeleton for the orville-write port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz
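
The workarounds in SA-00:07, SA-00:09 and SA-00:10 above each name one file (remove /usr/local/bin/mhshow; clear the setuid bit on /usr/local/sbin/mtr and /usr/local/bin/huh), so their state can be checked mechanically. The script below is an added example, not part of the advisories; the function names and the optional root-prefix argument (for auditing a mounted image or jail) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisories): report whether the workarounds
# from FreeBSD-SA-00:07, -00:09 and -00:10 are in effect under a root prefix.
# Only the three paths named in the advisories are checked.

# check_absent ROOT PATH ADVISORY -- workaround is removal of the binary.
check_absent() {
    if [ -e "$1$2" ]; then
        # A fixed nmh/ja-mh package may also install this path, so presence
        # is a prompt to check the installed package, not proof of exposure.
        echo "$3 $2 PRESENT: confirm it comes from a fixed nmh/ja-mh package"
        return 1
    fi
    echo "$3 $2 absent"
}

# check_no_setuid ROOT PATH ADVISORY -- workaround is "chmod u-s PATH".
check_no_setuid() {
    if [ ! -e "$1$2" ]; then
        echo "$3 $2 absent"
    elif [ -u "$1$2" ]; then
        echo "$3 $2 SETUID: run chmod u-s $2"
        return 1
    else
        echo "$3 $2 present, setuid bit cleared"
    fi
}

# audit_advisories [ROOT] -- prints one line per check and returns the
# number of findings (0 means every workaround is in effect).
audit_advisories() {
    root=${1:-}
    findings=0
    check_absent    "$root" /usr/local/bin/mhshow FreeBSD-SA-00:07 || findings=$((findings + 1))
    check_no_setuid "$root" /usr/local/sbin/mtr   FreeBSD-SA-00:09 || findings=$((findings + 1))
    check_no_setuid "$root" /usr/local/bin/huh    FreeBSD-SA-00:10 || findings=$((findings + 1))
    return "$findings"
}
```

Source the file and call `audit_advisories` for the running system, or `audit_advisories /mnt/image` for a mounted tree. The lynx advisory (SA-00:08) names no file path, so it is not covered.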