From owner-freebsd-security-notifications Mon Aug 28 12:41:28 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 7249837B424; Mon, 28 Aug 2000 12:41:12 -0700 (PDT)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:39.netscape
Message-Id: <20000828194112.7249837B424@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:41:12 -0700 (PDT)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:39                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Two vulnerabilities in Netscape

Category:       ports
Module:         netscape
Announced:      2000-08-28
Credits:        Solar Designer (Vulnerability #1)
                Dan Brumleve (Vulnerability #2)
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-19
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

Netscape is a popular web browser, available in several versions in the FreeBSD ports collection.

II.  Problem Description

There are two security problems in recent versions of netscape:

1) Versions prior to 4.74

A client-side exploit may be possible through a buffer overflow in JPEG-handling code. Although an exploit is not known, attackers may be able to execute arbitrary code on the local machine as the user running netscape, or at the very least cause the netscape binary to crash.

2) Versions prior to 4.75

The Java Virtual Machine implementation has security vulnerabilities allowing a remote user to read the contents of local files accessible to the user running netscape, and to allow these files to be transmitted to any user on the internet.

The netscape ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5 and 4.1 are vulnerable to these problems.
FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Remote users can read files on the local system accessible to the user running netscape, if java is enabled, and may be able to execute arbitrary code on the local system as that user.

If you have not chosen to install a netscape port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the netscape port/package, if you have installed it.

Vulnerability 2) can be worked around by disabling Java in the "Advanced" section of the Preferences control panel.

Vulnerability 1) can be worked around by disabling the "Automatically load images" option in the same location, although this is not a very practical workaround.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the relevant netscape port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/

Since there are so many variations of the netscape ports in the FreeBSD ports collection they are not listed separately here. Localized versions are also available in the respective language subdirectory.

3) Download a new port skeleton for the netscape port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOaqy41UuHi5z0oilAQGsgAP/TGyAq7u74FJ/rYkfmTd4qyiyjN2XF0nH
9Pikcu4EAJo8R0yhIU0mmXdK3HXWKRTKzH43+gLH6yZGVTr5SQu4a4RYgS4T8sbD
Iu3p45DwYfZVQCjsJoseF48kaXlScheoxoR3+Et5khzhBDuwRedUXAK4VMWAm3Fp
/4vWrTKykTc=
=A0Wy
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security-notifications" in the body of the message
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:40.mopd
Message-Id: <20000828194318.AE08D37B440@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:43:18 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:40                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          mopd port allows remote root compromise

Category:       ports
Module:         mopd
Announced:      2000-08-28
Credits:        Matt Power, OpenBSD
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-09
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

mopd is used for netbooting older DEC machines such as VAXen and DECstations.

II.  Problem Description

The mopd port contains several remotely exploitable vulnerabilities. An attacker exploiting these can execute arbitrary code on the local machine as root.

The mopd port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5-RELEASE and 4.1-RELEASE contain this problem, since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Remote users can execute arbitrary code on the local machine as root.

If you have not chosen to install the mopd port/package, then your system is not vulnerable to this problem.

IV.  Workaround

One of the following:

1) Deinstall the mopd port/package, if you have installed it.

2) Restrict access to the mopd port using a perimeter firewall, or ipfw(8)/ipf(8) on the local machine.
Note that users who pass these access restrictions may still exploit the vulnerability.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the mopd port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/mopd-1.2b.tgz

NOTE: Be sure to check the file creation date on the package, because the version number of the software has not changed.

3) Download a new port skeleton for the mopd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOaqy6FUuHi5z0oilAQG14gQAn9RVxulK3pIyHi3aQ5j9p0OnlOoP9Wg2
yKEPARafL+WXHS1oJ+5ZGdhUG2rZjU1QktS0xTy5PXSo0mcX91jLJ7ASwg6K5w2e
rpZMBRHZVFy3HltzFxwygZGGbENIbZNzZ9Qd9Luq/OPPxZzb/9NsHnUovk5/lyIE
yCAt/USxiDs=
=tlfC
-----END PGP SIGNATURE-----
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:41.elf
Message-Id: <20000828194347.2D1A537B662@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:43:47 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:41                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Malformed ELF images can cause a system hang

Category:       core
Module:         kernel
Announced:      2000-08-28
Credits:        Adam McDougall
Affects:        FreeBSD 3.x, 4.x and 5.x prior to the correction date
Corrected:      2000-07-25 (FreeBSD 5.0-CURRENT)
                2000-07-23 (FreeBSD 4.0-STABLE)
FreeBSD only:   Yes

I.   Background

The ELF binary format is used for binary executable programs on modern versions of FreeBSD.

II.  Problem Description

The ELF image activator did not perform sufficient sanity checks on the ELF image header, and when confronted with an invalid or truncated header it suffered a sign overflow bug which caused the CPU to enter into a very long loop in the kernel. The result of this is that the system will appear to lock up for an extended period of time before control returns. This bug can be exploited by unprivileged local users.

This vulnerability is not present in FreeBSD 4.1-RELEASE, although 3.5-RELEASE and 3.5.1-RELEASE are vulnerable.

III. Impact

Local users can cause the system to lock up for an extended period of time (15 minutes or more, depending on CPU speed), during which time the system is completely unresponsive to local and remote users.

IV.  Workaround

None available.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1-RELEASE, 4.1-STABLE or 5.0-CURRENT after the respective correction dates. FreeBSD 3.5-STABLE has not yet been fixed due to logistical difficulties (and the patch below does not apply cleanly). Consider upgrading to 4.1-RELEASE if this is a concern - this advisory will be reissued once the patch has been applied to the 3.x branch.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:41/elf.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:41/elf.patch.asc

# cd /usr/src/sys/kern
# patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ]

--- imgact_elf.c	2000/04/30 18:51:39	1.75
+++ imgact_elf.c	2000/07/23 22:19:49	1.78
@@ -190,6 +190,21 @@ object = vp->v_object; error = 0; + /* + * It's necessary to fail if the filsz + offset taken from the + * header is greater than the actual file pager object's size. + * If we were to allow this, then the vm_map_find() below would + * walk right off the end of the file object and into the ether. + * + * While I'm here, might as well check for something else that + * is invalid: filsz cannot be greater than memsz. + */ + if ((off_t)filsz + offset > object->un_pager.vnp.vnp_size || + filsz > memsz) { + uprintf("elf_load_section: truncated ELF file\n"); + return (ENOEXEC); + } + map_addr = trunc_page((vm_offset_t)vmaddr); file_addr = trunc_page(offset); @@ -341,6 +356,12 @@ } error = exec_map_first_page(imgp); + /* + * Also make certain that the interpreter stays the same, so set + * its VTEXT flag, too. + */ + if (error == 0) + nd.ni_vp->v_flag |= VTEXT; VOP_UNLOCK(nd.ni_vp, 0, p); if (error) goto fail;
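Review bot: in the first hunk, the new bound `(off_t)filsz + offset > object->un_pager.vnp.vnp_size` relies on the cast widening filsz before the addition; that holds on i386, where filsz and offset are narrower than off_t, but on a 64-bit target such as alpha (which this advisory also covers) a filsz as wide as off_t with its top bit set becomes negative after the cast, the sum drops below vnp_size, and the truncated header is accepted. Comparing against the remaining space instead, as in `offset > vnp_size || filsz > vnp_size - offset` in unsigned arithmetic, rejects the same headers without forming the sum. The added `filsz > memsz` test and the second hunk's VTEXT setting on the interpreter, guarded by `error == 0`, look right as written.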
@@ -449,6 +470,17 @@ /* * From this point on, we may have resources that need to be freed. */ + + /* + * Yeah, I'm paranoid. There is every reason in the world to get + * VTEXT now since from here on out, there are places we can have + * a context switch. Better safe than sorry; I really don't want + * the file to change while it's being loaded. + */ + simple_lock(&imgp->vp->v_interlock); + imgp->vp->v_flag |= VTEXT; + simple_unlock(&imgp->vp->v_interlock); + if ((error = exec_extract_strings(imgp)) != 0) goto fail; @@ -610,9 +642,6 @@ imgp->auxargs = elf_auxargs; imgp->interpreted = 0; - /* don't allow modifying the file while we run it */ - imgp->vp->v_flag |= VTEXT; - fail: return error; }

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOaq1hlUuHi5z0oilAQGpvgQAoaeqjoU1QppgQ+yXF7KOL6EfTQ9mrdEe
zKQ6vU//hc1ejKx9C4zmQybflQIpkHS2TMNAfXuvFG74hvETwa8cpVqolJU29CCf
FKlGTCAGCSzosWrndBuvakKqjeVvvQR4JydVhkO04neVEfbUXkich/2PT+3h3dKW
GuW3coG8nYE=
=2w2A
-----END PGP SIGNATURE-----
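The check the SA-00:41 patch adds (filsz + offset against the file's real size, and filsz against memsz) generalizes to a rule for any loader that trusts header-supplied sizes: never form the sum of two untrusted fields; compare against the space that remains instead. The following C is an added example, not FreeBSD kernel code; `struct seg_hdr`, `seg_hdr_ok`, `seg_hdr_naive` and `count_bad_segments` are hypothetical names standing in for the program-header fields and the loader's per-segment loop.

```c
/* Added example, not FreeBSD's code: overflow-safe validation of the
 * program-header fields an ELF loader trusts, the class of check that
 * SA-00:41 adds to elf_load_section(). All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Fields read from an untrusted header, in the spirit of an ELF
 * program header's p_offset / p_filesz / p_memsz. */
struct seg_hdr {
    uint64_t offset;  /* where the segment starts in the file */
    uint64_t filesz;  /* bytes to read from the file */
    uint64_t memsz;   /* bytes the segment occupies in memory */
};

/* Returns true only if [offset, offset + filesz) lies inside a file of
 * file_size bytes and filesz <= memsz. The sum offset + filesz is never
 * formed; the remaining space file_size - offset is compared instead,
 * so a huge filesz cannot wrap around and slip past the check. */
bool seg_hdr_ok(const struct seg_hdr *h, uint64_t file_size)
{
    if (h->filesz > h->memsz)
        return false;               /* file image larger than memory image */
    if (h->offset > file_size)
        return false;               /* segment starts past end of file */
    if (h->filesz > file_size - h->offset)
        return false;               /* segment runs past end of file */
    return true;
}

/* The shape of check to avoid, kept only for contrast: the addition
 * wraps when filesz is close to UINT64_MAX, and a header describing a
 * segment that does not exist in the file is accepted. */
bool seg_hdr_naive(const struct seg_hdr *h, uint64_t file_size)
{
    return h->offset + h->filesz <= file_size && h->filesz <= h->memsz;
}

/* Walk a program-header table and return how many entries fail the safe
 * check; a loader would reject the whole image (ENOEXEC) when this is
 * non-zero, before mapping anything. */
size_t count_bad_segments(const struct seg_hdr *tbl, size_t n, uint64_t file_size)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!seg_hdr_ok(&tbl[i], file_size))
            bad++;
    return bad;
}
```

The first two conditions in `seg_hdr_ok` are what make the third one safe: once `offset <= file_size` is known, `file_size - offset` cannot underflow, so the final comparison is exact for every possible `filesz`.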
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:42.linux
Message-Id: <20000828194425.1AFE737B682@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:44:25 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:42                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Linux binary compatibility mode can cause system compromise

Category:       core
Module:         kernel
Announced:      2000-08-28
Credits:        Boris Nikolaus
Affects:        FreeBSD 3.x, 4.x and 5.x prior to the correction date
Corrected:      2000-07-23 (FreeBSD 5.0-CURRENT)
                2000-07-29 (FreeBSD 4.1-STABLE)
                2000-08-24 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a loadable kernel module/optional kernel component.

II.  Problem Description

The linux binary-compatibility module implements a "shadow" filesystem hierarchy rooted in /compat/linux, which is overlaid against the regular filesystem hierarchy so that Linux binaries "see" files in the shadow hierarchy which can mask the native files.

Filenames in this shadow hierarchy are treated incorrectly by the linux kernel module under certain circumstances, and a kernel stack overflow leading to a system compromise by an unprivileged user may be possible when very long filenames are used.

This is only possible when the linux kernel module is loaded, or the equivalent functionality is statically compiled into the kernel. It is not enabled by default.

This vulnerability was fixed just after the release of FreeBSD 4.1-RELEASE, and 3.5-RELEASE is also vulnerable.

III. Impact

Local users may be able to obtain root privileges on the system when linux compatibility mode is enabled.

IV.  Workaround

To determine whether the linux compatibility module has been loaded, execute the following command as root and look for a 'linux.ko' entry:

# kldstat
Id Refs Address    Size     Name
 1    7 0xc0100000 270be0   kernel
 2    1 0xc0371000 5540     vesa.ko
 3    1 0xc0377000 10094    randomdev.ko
 4    1 0xc0e17000 4e000    nfs.ko
 5    1 0xc0e83000 11000    linux.ko

If present, unload the "linux" module by executing the following command as root:

# kldunload linux

For safety, remove the /modules/linux.ko file to prevent it being reloaded accidentally, and add or change the following line in /etc/rc.conf:

linux_enable="NO"	# Linux binary compatibility loaded at startup (or NO).

If the module is not loaded, to determine whether the functionality has been statically compiled into the kernel, check the kernel configuration file for the following line:

options COMPAT_LINUX

If present, remove and recompile the kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 3.5-STABLE, 4.1-STABLE or 5.0-CURRENT after the respective correction dates.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:42/linux.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:42/linux.patch.asc

# cd /usr/src/sys/i386/linux
# patch -p < /path/to/patch_or_advisory

[ Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ]

Index: linux_misc.c
===================================================================
RCS file: /home/ncvs/src/sys/i386/linux/linux_misc.c,v
retrieving revision 1.77.2.3
retrieving revision 1.77.2.4
diff -u -r1.77.2.3 -r1.77.2.4
--- linux_misc.c	2000/07/20 05:31:56	1.77.2.3
+++ linux_misc.c	2000/07/30 05:36:11	1.77.2.4
@@ -954,6 +954,8 @@ tv[1].tv_usec = 0; /* so that utimes can copyin */ tvp = (struct timeval *)stackgap_alloc(&sg, sizeof(tv)); + if (tvp == NULL) + return (ENAMETOOLONG); if ((error = copyout(tv, tvp, sizeof(tv)))) return error; bsdutimes.tptr = tvp; Index: linux_util.c =================================================================== RCS file: /home/ncvs/src/sys/i386/linux/linux_util.c,v retrieving revision 1.9.2.1 retrieving revision 1.9.2.2 diff -u -r1.9.2.1 -r1.9.2.2 --- linux_util.c 2000/07/07 01:23:45 1.9.2.1 +++ linux_util.c 2000/07/30 05:36:11 1.9.2.2 @@ -162,7 +162,10 @@ else { sz = &ptr[len] - buf; *pbuf = stackgap_alloc(sgp, sz + 1); - error = copyout(buf, *pbuf, sz); + if (*pbuf != NULL) + error = copyout(buf, *pbuf, sz); + else + error = ENAMETOOLONG; free(buf, M_TEMP); } Index: linux_util.h =================================================================== RCS file: /home/ncvs/src/sys/i386/linux/linux_util.h,v retrieving revision 1.10 retrieving revision 1.10.2.1 diff -u -r1.10 -r1.10.2.1 --- linux_util.h 1999/12/04 11:10:22 1.10 +++ linux_util.h 2000/07/30 05:36:11 1.10.2.1 
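Review bot: in the linux_util.c hunk, when stackgap_alloc() returns NULL the function now sets `error = ENAMETOOLONG` but leaves `*pbuf` NULL and still frees `buf`, so every caller of this path-rewriting helper must check the returned error before touching `*pbuf`; that is the contract the linux_misc.c hunk follows for its own allocation with `if (tvp == NULL) return (ENAMETOOLONG);`. A one-line comment above the new `if (*pbuf != NULL)` test saying that a NULL result means the rewritten path did not fit in the stack gap would help, since nothing in the hunk itself explains why an allocation failure is reported as a name-length error.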
@@ -56,29 +56,27 @@ static __inline caddr_t stackgap_init(void); static __inline void *stackgap_alloc(caddr_t *, size_t); +#define szsigcode (*(curproc->p_sysent->sv_szsigcode)) + static __inline caddr_t stackgap_init() { -#define szsigcode (*(curproc->p_sysent->sv_szsigcode)) return (caddr_t)(PS_STRINGS - szsigcode - SPARE_USRSPACE); } - static __inline void * stackgap_alloc(sgp, sz) caddr_t *sgp; size_t sz; { - void *p = (void *) *sgp; - *sgp += ALIGN(sz); + void *p = (void *) *sgp; + + sz = ALIGN(sz); + if (*sgp + sz > (caddr_t)(PS_STRINGS - szsigcode)) + return NULL; + *sgp += sz; return p; } - -#ifdef DEBUG_LINUX -#define DPRINTF(a) printf a; -#else -#define DPRINTF(a) -#endif extern const char linux_emul_path[];

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOaq1wFUuHi5z0oilAQFcVQQAlYhhDM6T/qEDqVTvG9yr9mv++LVGqqRE
SI4MEbmwbV5NvmFqTM2OzGpKsUaAy9gEfA5mjVKR+PRFoY7g68heFGAKWSRHmgs5
ramrzVxBHOeviaHeAXpH7LgJOdFo8EwhqehLtv+M0I5n9JJjPvAEWXG9cdiYXTto
pKJAPVXr9NU=
=r8gN
-----END PGP SIGNATURE-----
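The SA-00:42 fix bounds the stack-gap bump allocator that the Linux emulation layer uses when it rewrites /compat/linux paths, and makes the callers report ENAMETOOLONG when a rewritten path does not fit instead of writing past the gap. The following C is an added example in that style, not FreeBSD kernel code: a heap buffer stands in for the gap between PS_STRINGS and the signal trampoline, the bound is expressed as remaining space rather than as a pointer sum so it cannot wrap, and `struct stackgap`, `stackgap_alloc`, `stackgap_alloc_unchecked`, `stackgap_overrun_unchecked`, `stackgap_copy_path` and `stackgap_demo` are hypothetical names.

```c
/* Added example, not FreeBSD's code: a bounded bump allocator in the
 * style of the stackgap_alloc() fix from SA-00:42. In the kernel the
 * gap is the region between PS_STRINGS and the signal trampoline on the
 * new process's stack; here a heap buffer stands in for it. All names
 * are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GAP_ALIGN    ((size_t)8)
#define GAP_ROUND(n) (((n) + GAP_ALIGN - 1) & ~(GAP_ALIGN - 1))

struct stackgap {
    char  *base;  /* start of the gap */
    size_t len;   /* usable size: (PS_STRINGS - szsigcode) minus the start */
    size_t used;  /* bytes handed out so far: the role of *sgp */
};

/* Pre-fix behaviour, kept for contrast: every request "succeeds", the
 * cursor just keeps moving, so a caller copying a very long path writes
 * past the end of the gap. Only the cursor is advanced here; nothing is
 * written through it. Returns the offset that would have been handed out. */
size_t stackgap_alloc_unchecked(struct stackgap *g, size_t sz)
{
    size_t off = g->used;
    g->used += GAP_ROUND(sz);
    return off;
}

/* Post-fix behaviour: round up, then compare against the space that is
 * left rather than computing cursor + sz, so neither the rounding nor the
 * pointer arithmetic can wrap. NULL means "does not fit". */
void *stackgap_alloc(struct stackgap *g, size_t sz)
{
    if (sz > SIZE_MAX - GAP_ALIGN)          /* rounding itself would overflow */
        return NULL;
    sz = GAP_ROUND(sz);
    if (sz > g->len - g->used)              /* request exceeds remaining gap */
        return NULL;
    void *p = g->base + g->used;
    g->used += sz;
    return p;
}

/* How many bytes past the gap the unchecked allocator would let a caller
 * write for a request of sz bytes in a gap of gap_len bytes. */
size_t stackgap_overrun_unchecked(size_t gap_len, size_t sz)
{
    struct stackgap g = { NULL, gap_len, 0 };   /* base unused: no writes */
    stackgap_alloc_unchecked(&g, sz);
    return g.used > g.len ? g.used - g.len : 0;
}

/* What the emulation layer's path-rewriting helper does with the checked
 * allocator: copy the (rewritten) path into the gap, or fail with
 * ENAMETOOLONG as the patch does. */
int stackgap_copy_path(struct stackgap *g, const char *path, char **out)
{
    size_t len = strlen(path) + 1;
    *out = stackgap_alloc(g, len);
    if (*out == NULL)
        return ENAMETOOLONG;
    memcpy(*out, path, len);
    return 0;
}

/* Driver on constructed input: a gap of gap_len bytes and a path of
 * path_len 'a' characters. Returns 0 or ENAMETOOLONG (ENOMEM if the
 * scratch buffers cannot be allocated). */
int stackgap_demo(size_t gap_len, size_t path_len)
{
    char *region = malloc(gap_len ? gap_len : 1);
    char *path = malloc(path_len + 1);
    char *copy;
    int rc;

    if (region == NULL || path == NULL) {
        free(region);
        free(path);
        return ENOMEM;
    }
    memset(path, 'a', path_len);
    path[path_len] = '\0';
    struct stackgap g = { region, gap_len, 0 };
    rc = stackgap_copy_path(&g, path, &copy);
    free(path);
    free(region);
    return rc;
}
```

The kernel patch compares `*sgp + sz` against the end of the gap as pointers; the remaining-space form above is the same bound written so that no intermediate value can exceed the gap's end, which is the safer shape when `sz` comes from user-controlled path lengths.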
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:43.brouted
Message-Id: <20000828194448.3387437B63D@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:44:48 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:43                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          brouted port allows gid kmem compromise

Category:       ports
Module:         brouted
Announced:      2000-08-28
Credits:        Discovered during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-22
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

brouted is a dynamic routing daemon.

II.  Problem Description

The brouted port is incorrectly installed setgid kmem, and contains several exploitable buffer overflows in command-line arguments. An attacker exploiting these to gain kmem privilege can easily upgrade to full root access by manipulating kernel memory.

The brouted port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5-RELEASE and 4.1-RELEASE contain this problem, since it was discovered after the releases during internal auditing.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users can obtain group kmem privileges, and upgrade further to full root privileges.

If you have not chosen to install the brouted port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Execute the following command as root to remove the setgid bit on the /usr/local/sbin/brouted file:

# chmod g-s /usr/local/bin/brouted

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the brouted port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/brouted-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/brouted-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/brouted-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/brouted-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/brouted-1.2b.tgz

NOTE: It may be several days before updated packages are available. Be sure to check the file creation date on the package, because the version number of the software has not changed.

3) Download a new port skeleton for the brouted port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOaqy+lUuHi5z0oilAQHDzwQApGoedKCQAZcpjqafuNA9jPQ0fQ2PaScu
OZlBlflrUVNAMcEkL3y9lmahdVTcdOBpKAALDzIxYnKYlSxGg1RTtxHoWhJiCD97
c2mc9Ni65YCHab5O90WBHK+VjTiFzfq+dpG+rXLB1W2Pfq68Xf8O2rb2eSjdVW3d
/wazSPNLcSg=
=V2xB
-----END PGP SIGNATURE-----
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:44.xlockmore
Message-Id: <20000828194508.945FF37B6A4@hub.freebsd.org>
Date: Mon, 28 Aug 2000 12:45:08 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:44                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          xlockmore port allows reading of password file

Category:       ports
Module:         xlockmore
Announced:      2000-08-28
Credits:        bind
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-15
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

xlockmore is a utility for locking console access to an X terminal.

II.  Problem Description

The xlockmore port, versions 4.17 and below, installs the setuid root binary xlock, which contains a vulnerability due to incorrect use of the syslog() function. The xlock program correctly drops root privileges prior to the point of vulnerability, however it may retain in memory part of the hashed password database for the user accounts on the system. Attackers who can retrieve hashed password information from the memory space of the process can mount attacks against the user account passwords and possibly gain access to accounts on the system if successful.

The xlockmore port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5-RELEASE and 4.1-RELEASE contain this problem, since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users may be able to gain unauthorised access to parts of the /etc/spwd.db file, allowing them to mount guessing attacks against user passwords.

If you have not chosen to install the xlockmore port/package, then your system is not vulnerable to this problem.

IV.  Workaround

One of the following:

Deinstall the xlockmore port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the xlockmore port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/xlockmore-4.17.1.tgz

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the xlockmore port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOaqzxFUuHi5z0oilAQEJJgP/cpBPXxsnmcGysBYnZkq0+mhMYxxDyX/D
czvyS90uO3k9slC+QYsmgLeTRrDpULcHNsePwxYKbt+zEydcENLhpiiGRuGkKrvD
b5UH9Sjle3rF3nTecxKRPTPD0009Tk356YeYOPVofqfZzCQpR8MqUHGz9cmhBuXH
t/y3LtBhLDo=
=sJTv
-----END PGP SIGNATURE-----
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:45.esound
Message-Id: <20000831175717.C6AB337B422@hub.freebsd.org>
Date: Thu, 31 Aug 2000 10:57:17 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:45                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          esound port allows file permissions to be modified

Category:       ports
Module:         esound
Announced:      2000-08-31
Credits:        Brian Feldman during internal auditing
Affects:        Ports collection prior to the correction date
Corrected:      2000-06-30
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

EsounD is a component of the GNOME desktop environment which is responsible for multiplexing access to audio devices.

II.  Problem Description

The esound port, versions 0.2.19 and earlier, creates a world-writable directory in /tmp owned by the user running the EsounD session, which is used for the storage of a unix domain socket. A race condition exists in the creation of this socket which allows a local attacker to cause an arbitrary file or directory owned by the user running esound to become world-writable. This can give the attacker access to the victim's account, or lead to a system compromise if esound is run by root.

The esound port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3700 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 4.0 and 3.5 contain this problem, but it was corrected prior to the release of FreeBSD 4.1.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Local users can cause files or directories owned by the target user to become world-writable when that user runs the esd daemon (e.g. by starting a GNOME session), allowing a security breach of that user account (or the entire system if esd is run by root).

If you have not chosen to install the esound port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the esound port/package, if you have installed it (see the pkg_delete(1) manual page for more information).

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the esound port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/esound-0.2.19.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/esound-0.2.19.tgz

3) Download a new port skeleton for the esound port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOa6cE1UuHi5z0oilAQGGPwP/ePOVTscGQ6G4deQqeYVehEk8KTPr0nhm
nWgQln3jZW46maoMgBHq/Zdj5DM+H9xmC9qaVjdJ2mYcNQIL3ldntO8IIeQfZ/zA
kqy+CthlLiF7FSnwC4XwpzBU4OWxuNPT02naD2kK1p6ERcn1QKbqfvzel40Sc2wQ
+XnHbXpx4qE=
=RtJ1
-----END PGP SIGNATURE-----
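The esound race in SA-00:45 comes from creating the socket directory and socket first and adjusting their permissions by path afterwards, a window in which another local user can swap in a symlink. The following C is an added example of the pattern that avoids it, not the esound project's code: create with the final mode via mkdir(2) and a narrowed umask, then verify with lstat(2) and refuse, rather than repair, anything that is not a directory or socket owned by the caller with no group/other bits. `secure_private_dir`, `secure_private_socket` and `secure_private_selftest` are hypothetical names, and the scratch directory the self-test uses is constructed input.

```c
/* Added example, not the esound project's code: create a per-user socket
 * directory and a unix-domain socket without the race described in
 * SA-00:45. The rule is never to "fix" permissions afterwards with
 * chmod(2) on a path that another user could have replaced by a symlink:
 * create with the final mode, then verify with lstat(2). All names are
 * hypothetical. */
#define _XOPEN_SOURCE 700
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create (or adopt) a mode-0700 directory at path; returns 0 or an errno.
 * An existing entry is accepted only if it is a real directory owned by
 * the caller with no group/other bits. Anything else is refused rather
 * than repaired, because repairing by path is exactly the racy step. */
int secure_private_dir(const char *path)
{
    struct stat st;

    if (mkdir(path, S_IRWXU) != 0 && errno != EEXIST)
        return errno;
    if (lstat(path, &st) != 0)      /* lstat: never follow a planted symlink */
        return errno;
    if (!S_ISDIR(st.st_mode))
        return ENOTDIR;             /* symlink, socket, plain file: not ours */
    if (st.st_uid != geteuid())
        return EPERM;               /* pre-created by someone else */
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return EPERM;               /* group/world accessible: refuse it */
    return 0;
}

/* Bind a unix-domain socket at dir/name that is 0600 from the moment it
 * exists, by narrowing the umask around bind(2) instead of chmod()ing the
 * path later, then verify the node with lstat(2). Returns the socket
 * descriptor, or -1 with errno set. */
int secure_private_socket(const char *dir, const char *name)
{
    struct sockaddr_un sun;
    struct stat st;
    mode_t old;
    int fd, n;

    memset(&sun, 0, sizeof(sun));
    sun.sun_family = AF_UNIX;
    n = snprintf(sun.sun_path, sizeof(sun.sun_path), "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof(sun.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    old = umask(077);               /* node is created 0600: no window */
    n = bind(fd, (struct sockaddr *)&sun, sizeof(sun));
    umask(old);
    if (n != 0) {
        close(fd);
        return -1;
    }
    if (lstat(sun.sun_path, &st) != 0 || !S_ISSOCK(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        unlink(sun.sun_path);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-test on a scratch directory (constructed input). Returns 0 on
 * success, otherwise the number of the step that failed. */
int secure_private_selftest(void)
{
    char t1[] = "/tmp/sa45demoXXXXXX", t2[] = "sa45demoXXXXXX";
    char dir[256], link[256], sock[256];
    char *base = mkdtemp(t1);
    int fd;

    if (base == NULL && (base = mkdtemp(t2)) == NULL)
        return 1;
    snprintf(dir, sizeof(dir), "%s/.esd", base);
    snprintf(link, sizeof(link), "%s/planted", base);
    snprintf(sock, sizeof(sock), "%s/socket", dir);
    if (secure_private_dir(dir) != 0)                    return 2;
    if (secure_private_dir(dir) != 0)                    return 3; /* adopts our own dir */
    if ((fd = secure_private_socket(dir, "socket")) < 0) return 4;
    close(fd);
    unlink(sock);
    if (chmod(dir, 0777) != 0)                           return 5; /* the old world-writable layout */
    if (secure_private_dir(dir) != EPERM)                return 6; /* refused, not repaired */
    if (symlink(base, link) != 0)                        return 7;
    if (secure_private_dir(link) != ENOTDIR)             return 8; /* a symlink is never adopted */
    unlink(link);
    rmdir(dir);
    rmdir(base);
    return 0;
}
```

The two refusals in the self-test are the point: a directory that is already world-writable and an entry that is a symlink are both rejected outright, so there is no moment at which the program changes the mode of something it did not create with the right mode in the first place.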