From owner-freebsd-security-notifications Mon Apr 16 12:37:26 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
        by hub.freebsd.org (Postfix) with ESMTP id 254B637B43F;
        Mon, 16 Apr 2001 12:37:23 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
        by freefall.freebsd.org (8.11.1/8.11.1) id f3GJbNh51248;
        Mon, 16 Apr 2001 12:37:23 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 16 Apr 2001 12:37:23 -0700 (PDT)
Message-Id: <200104161937.f3GJbNh51248@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:32.ipfilter
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:32                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          IPFilter may incorrectly pass packets

Category:       core
Module:         IPFilter
Announced:      2001-04-16
Credits:        Thomas Lopatic
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE, and 4.2-STABLE prior to the correction
                date.
Corrected:      2001-04-07 (FreeBSD 4.2-STABLE)
Vendor status:  Corrected
FreeBSD only:   NO

I.   Background

IPFilter is a multi-platform packet filtering package.

II.  Problem Description

When matching a packet fragment, insufficient checks were performed to
ensure the fragment is valid.  In addition, the fragment cache is checked
before any rules are checked.  Even if all fragments are blocked with a
rule, fragment cache entries can be created by packets that match
currently held state information.  Because of these discrepancies,
certain packets may bypass filtering rules.
All versions of FreeBSD prior to the correction date, including FreeBSD
3.5.1 and 4.2, contain this problem.  The base system that will ship
with FreeBSD 4.3 does not contain this problem since it was corrected
during the beta cycle before the release.

III. Impact

Malicious remote users may be able to bypass filtering rules, allowing
them to potentially circumvent the firewall.

IPFilter is not enabled by default.  If you have not enabled IPFilter,
your system is not vulnerable to this problem.

IV.  Workaround

Since fragment cache matching occurs before filtering rules checking, it
is not possible to work around this problem using IPFilter rules.

V.   Solution

[FreeBSD 3.x]

Due to the age of the IPFilter package shipped with FreeBSD 3.x, it is
recommended that FreeBSD 3.x systems update to IPFilter 3.4.17 using the
package available from the author's website:

http://coombs.anu.edu.au/~avalon/ip-filter.html

[FreeBSD 4.x]

One of the following:

1) Upgrade to FreeBSD 4.2-STABLE after the correction date.

2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.1-RELEASE through 4.2-STABLE.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

If the system is using ipfilter as a kernel module, the module may be
rebuilt and installed and ipfilter rules reloaded with the following
commands:

# cd /usr/src/sys/modules/ipfilter
# make all install
# kldunload ipl && kldload ipf && ipf -Fa -f /etc/ipf.rules

Otherwise, if ipfilter is compiled into the kernel, a new kernel will
need to be compiled and installed and the system will have to be
rebooted for the changes to take effect.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOttI71UuHi5z0oilAQHKwwP8CfuhsJA8z78zOJCLSGWPAJSgsi9aFvP7
oVd4eKkVHgHI5hC5QTRgOGg84KncXUu7DJjlOlZ+6nVxcxdp4DED/yRTWjqc14og
guP3SBAcJwH5y44ZW/VV+LlbNJue77Igkq1u3dran6TPBMdiUeRIRsj0acn6k1nc
ATwy7N0Ade8=
=Wujh
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Tue Apr 17 12: 9:47 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
        by hub.freebsd.org (Postfix) with ESMTP id 63F0537B42C;
        Tue, 17 Apr 2001 12:09:43 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
        by freefall.freebsd.org (8.11.1/8.11.1) id f3HJ9hh14238;
        Tue, 17 Apr 2001 12:09:43 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Date: Tue, 17 Apr 2001 12:09:43 -0700 (PDT)
Message-Id: <200104171909.f3HJ9hh14238@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:33                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          globbing vulnerability in ftpd

Category:       core
Module:         ftpd/libc
Announced:      2001-04-17
Credits:        John McDonald and Anthony Osborne, COVERT Labs
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.3-RC prior to the correction date.
Corrected:      2001-04-17 (FreeBSD 4.3-RC)
                2001-04-17 (FreeBSD 3.5-STABLE)
Vendor status:  Corrected
FreeBSD only:   NO

I.   Background

Numerous FTP daemons, including the daemon distributed with FreeBSD, use
server-side globbing to expand pathnames via user input.  This globbing
is performed by FreeBSD's glob() implementation in libc.

II.  Problem Description

The glob() function contains potential buffer overflows that may be
exploitable through the FTP daemon.  If a directory with a name of a
certain length is present, a remote user specifying a pathname using
globbing characters may cause arbitrary code to be executed on the FTP
server as the user running ftpd, usually root.

Additionally, when given a path containing numerous globbing characters,
the glob() functions may consume significant system resources when
expanding the path.  This can be controlled by setting user limits via
/etc/login.conf and setting limits on globbing expansion.

All versions of FreeBSD prior to the correction date, including FreeBSD
3.5.1 and 4.2 contain this problem.  The base system that will ship with
FreeBSD 4.3 does not contain this problem since it was corrected before
the release.

III. Impact

Remote users may be able to execute arbitrary code on the FTP server as
the user running ftpd, usually root.

The FTP daemon supplied with FreeBSD is enabled by default to allow
access to authorized local users and not anonymous users, thus limiting
the impact to authorized local users.

IV.  Workaround

If the FTP daemon is executed from inetd, disable the FTP daemon by
commenting out the ftp line in /etc/inetd.conf, then reload the inetd
configuration by executing the following command as root:

# killall -HUP inetd

V.   Solution

One of the following:

1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction date.
2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc

The following patch applies to FreeBSD 3.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/lib/libc
# make all install
# cd /usr/src/libexec/ftpd
# make all install

If the FTP daemon is running standalone, it will have to be manually
stopped and restarted.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOtyT/VUuHi5z0oilAQGiIAP8CJ6Hsp52DuBQhQnA4xBl23kTCtCUKdPf
zRP5yg5B9w+j+6Q6+k2P1B9lv5JcdvmS8+fzfrWUpUAogqkbL5f0njS7fnA68a5H
oiGJgWqLQiMQiszeOOpgqvd1fNRCcCX+SgYewIfP93Cvam+GG+TvZQziV2zcne3O
tjBG/FVzXkg=
=P1j0
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Thu Apr 19 12:12: 0 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
        by hub.freebsd.org (Postfix) with ESMTP id E7A5A37B42C;
        Thu, 19 Apr 2001 12:11:56 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
        by freefall.freebsd.org (8.11.1/8.11.1) id f3JJBuf38331;
        Thu, 19 Apr 2001 12:11:56 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Date: Thu, 19 Apr 2001 12:11:56 -0700 (PDT)
Message-Id: <200104191911.f3JJBuf38331@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob [REVISED]
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:33                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          globbing vulnerability in ftpd [REVISED]

Category:       core
Module:         ftpd/libc
Announced:      2001-04-17
Revised:        2001-04-19
Credits:        John McDonald and Anthony Osborne, COVERT Labs
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.3-RC prior to the correction date.
Corrected:      2001-04-17 (FreeBSD 4.3-RC)
                2001-04-17 (FreeBSD 3.5-STABLE)
Vendor status:  Corrected
FreeBSD only:   NO

0.   Revision History

2001-04-17  v1.0  Initial release
2001-04-19  v1.1  Corrected patch and patch instructions

I.   Background

Numerous FTP daemons, including the daemon distributed with FreeBSD, use
server-side globbing to expand pathnames via user input.  This globbing
is performed by FreeBSD's glob() implementation in libc.

II.  Problem Description

The glob() function contains potential buffer overflows that may be
exploitable through the FTP daemon.  If a directory with a name of a
certain length is present, a remote user specifying a pathname using
globbing characters may cause arbitrary code to be executed on the FTP
server as the user running ftpd, usually root.

Additionally, when given a path containing numerous globbing characters,
the glob() functions may consume significant system resources when
expanding the path.  This can be controlled by setting user limits via
/etc/login.conf and setting limits on globbing expansion.

All versions of FreeBSD prior to the correction date, including FreeBSD
3.5.1 and 4.2 contain this problem.
The base system that will ship with FreeBSD 4.3 does not contain this
problem since it was corrected before the release.

III. Impact

Remote users may be able to execute arbitrary code on the FTP server as
the user running ftpd, usually root.

The FTP daemon supplied with FreeBSD is enabled by default to allow
access to authorized local users and not anonymous users, thus limiting
the impact to authorized local users.

IV.  Workaround

If the FTP daemon is executed from inetd, disable the FTP daemon by
commenting out the ftp line in /etc/inetd.conf, then reload the inetd
configuration by executing the following command as root:

# killall -HUP inetd

V.   Solution

One of the following:

1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction date.

2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc

The following patch applies to FreeBSD 3.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cp /usr/src/include/glob.h /usr/include/
# cd /usr/src/lib/libc
# make all install
# cd /usr/src/libexec/ftpd
# make all install

If the FTP daemon is running standalone, it will have to be manually
stopped and restarted.
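Section II of SA-01:33 names two distinct problems in server-side globbing: a buffer overflow in glob() itself, and unbounded expansion of a user-supplied pattern full of wildcards, which the advisory says should be capped by "setting limits on globbing expansion". The expansion cap is the part an FTP server author can demonstrate without the libc internals, so the following is an added example (not FreeBSD's glob(3) or ftpd code) of a bounded globber: it expands one path segment at a time and aborts as soon as the number of live candidate paths exceeds a server-chosen limit, instead of materialising every match first. The directory tree, the limit of 100, and the refusal of absolute and `..` patterns are assumptions made here for illustration; the advisory does not prescribe them.

```python
"""Bounded server-side globbing (constructed example, not FreeBSD glob(3)/ftpd code)."""
import fnmatch
import os
import tempfile


class GlobLimitExceeded(Exception):
    """Raised when a pattern produces more candidate paths than the server allows."""


def bounded_glob(root: str, pattern: str, limit: int) -> list:
    """Expand a user-supplied pattern relative to `root`, one path segment at a
    time, aborting once more than `limit` candidate paths are being tracked."""
    segments = [s for s in pattern.split("/") if s and s != "."]
    # Assumed hardening beyond the advisory: the server, not the client, picks the
    # root, so absolute patterns and parent references are refused outright.
    if pattern.startswith("/") or ".." in segments:
        raise ValueError("pattern must be relative to the root and may not contain '..'")
    candidates = [root]
    for seg in segments:
        expanded = []
        has_wildcard = any(c in seg for c in "*?[")
        for base in candidates:
            if not os.path.isdir(base):
                continue
            # A literal segment is looked up directly; only wildcards read the directory.
            names = sorted(os.listdir(base)) if has_wildcard else [seg]
            for name in names:
                path = os.path.join(base, name)
                if fnmatch.fnmatchcase(name, seg) and os.path.lexists(path):
                    expanded.append(path)
                    if len(expanded) > limit:
                        # Fail while the working set is still small: the cost of
                        # "*/*/*/*" is multiplicative per level, so checking here
                        # bounds memory and CPU rather than just the final answer.
                        raise GlobLimitExceeded(f"more than {limit} matches for {pattern!r}")
        candidates = expanded
    return sorted(os.path.relpath(p, root) for p in candidates)


def make_tree(root: str, width: int, depth: int) -> None:
    """Constructed fixture: `width` subdirectories at each of `depth` levels."""
    if depth == 0:
        return
    for i in range(width):
        sub = os.path.join(root, f"d{i}")
        os.mkdir(sub)
        make_tree(sub, width, depth - 1)


def demo(width: int = 4, depth: int = 4, limit: int = 100) -> tuple:
    """Return (match count for a modest pattern, exception name for one that
    would expand to width**depth paths and trips the limit)."""
    with tempfile.TemporaryDirectory() as root:
        make_tree(root, width, depth)
        modest = bounded_glob(root, "*", limit)
        try:
            bounded_glob(root, "*/*/*/*", limit)   # 4**4 = 256 leaves, over the cap
            tripped = None
        except GlobLimitExceeded as exc:
            tripped = type(exc).__name__
    return len(modest), tripped


def is_rejected(pattern: str) -> bool:
    """True if the pattern is refused before any directory is read."""
    try:
        bounded_glob(os.getcwd(), pattern, 10)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())                                  # (4, 'GlobLimitExceeded')
    print(is_rejected("../*"), is_rejected("/etc/*"))
```

The limit here is a count of paths; a per-user CPU or memory ceiling of the kind the advisory attributes to /etc/login.conf is a separate, coarser control that still applies when the globber itself has no cap.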
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOt83elUuHi5z0oilAQGvLwP+Mg6yScJhgTuGnJ1037opvwPEbKb0JWF4
CuC8lKB0xV3BMQhQ8BRC3RVJWptFDv8qlWxW7kCyiuYk19oS8IUsllvwD6uftHZI
iph5TF3F37DNiE2lEp4T5/VSPqkEaYoV0Iu9+S43V7M2dPWVPS4tziPQamtBupdQ
OhsFSsEGgVU=
=AV6T
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Thu Apr 19 12:24: 4 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
        by hub.freebsd.org (Postfix) with ESMTP id 1C7FE37B634;
        Thu, 19 Apr 2001 12:23:55 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
        by freefall.freebsd.org (8.11.1/8.11.1) id f3JJNtN39592;
        Thu, 19 Apr 2001 12:23:55 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Date: Thu, 19 Apr 2001 12:23:55 -0700 (PDT)
Message-Id: <200104191923.f3JJNtN39592@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:32.ipfilter [REVISED]
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:32                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          IPFilter may incorrectly pass packets [REVISED]

Category:       core
Module:         IPFilter
Announced:      2001-04-16
Revised:        2001-04-19
Credits:        Thomas Lopatic
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE, and 4.2-STABLE prior to the correction
                date.
Corrected:      2001-04-07 (FreeBSD 4.2-STABLE)
Vendor status:  Corrected
FreeBSD only:   NO

0.   Revision History

v1.0  2001-04-16  Initial release
v1.1  2001-04-19  Corrected patch location

I.   Background

IPFilter is a multi-platform packet filtering package.

II.  Problem Description

When matching a packet fragment, insufficient checks were performed to
ensure the fragment is valid.  In addition, the fragment cache is checked
before any rules are checked.  Even if all fragments are blocked with a
rule, fragment cache entries can be created by packets that match
currently held state information.  Because of these discrepancies,
certain packets may bypass filtering rules.

All versions of FreeBSD prior to the correction date, including FreeBSD
3.5.1 and 4.2, contain this problem.  The base system that will ship
with FreeBSD 4.3 does not contain this problem since it was corrected
during the beta cycle before the release.

III. Impact

Malicious remote users may be able to bypass filtering rules, allowing
them to potentially circumvent the firewall.

IPFilter is not enabled by default.  If you have not enabled IPFilter,
your system is not vulnerable to this problem.

IV.  Workaround

Since fragment cache matching occurs before filtering rules checking, it
is not possible to work around this problem using IPFilter rules.

V.   Solution

[FreeBSD 3.x]

Due to the age of the IPFilter package shipped with FreeBSD 3.x, it is
recommended that FreeBSD 3.x systems update to IPFilter 3.4.17 using the
package available from the author's website:

http://coombs.anu.edu.au/~avalon/ip-filter.html

[FreeBSD 4.x]

One of the following:

1) Upgrade to FreeBSD 4.2-STABLE after the correction date.

2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.1-RELEASE through 4.2-STABLE.
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:32/ipfilter.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:32/ipfilter.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

If the system is using ipfilter as a kernel module, the module may be
rebuilt and installed and ipfilter rules reloaded with the following
commands:

# cd /usr/src/sys/modules/ipfilter
# make all install
# kldunload ipl && kldload ipf && ipf -Fa -f /etc/ipf.rules

Otherwise, if ipfilter is compiled into the kernel, a new kernel will
need to be compiled and installed and the system will have to be
rebooted for the changes to take effect.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOt860lUuHi5z0oilAQF3YAP/QjuLc+e2gGAiuQSxfi9wE5Kw9Q4pYp66
SNFxhz1cvfg/zfCe81bM3+M/GYDAZEqrmWsfvObKXuU+8BCMeJ/C+Jifu+P6hO4K
galMavQ5UTzwnw4lwK4VU/D7zefX5HHOXk0jb/Q6DFs/4KKIFCmGHoBYhuGKbwm0
soEQYwDEAps=
=nkCa
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message
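Section II of SA-01:32 describes an ordering flaw rather than a parsing bug: the fragment cache is consulted before any rule, and a packet that matches held state can seed that cache even when the rule set says every fragment is to be blocked. The model below, an added example written for this page and not IPFilter code, reduces that to a few dozen lines of Python so the bypass, and the reason Section IV says no rule can work around it, are visible. Everything concrete in it is an assumption for illustration: the three-rule policy, the packet fields, the use of (source, destination, IP id) as the cache key, and the check order on the "corrected" path, since the advisory does not describe the fix itself.

```python
"""Toy model of the fragment-cache ordering flaw in FreeBSD-SA-01:32.
Constructed example, not IPFilter code; rule set, fields and fix ordering are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 0          # transport port; only an unfragmented packet or first fragment carries it
    frag_id: int = 0        # IP identification field, shared by all fragments of one datagram
    frag_offset: int = 0    # 0 for an unfragmented packet or the first fragment
    more_frags: bool = False

    @property
    def is_fragment(self) -> bool:
        return self.more_frags or self.frag_offset > 0


def apply_rules(pkt: Packet, state: set) -> str:
    """Assumed rule set, in ipf terms:
         block in all with frag
         pass  in proto tcp from any to 10.0.0.5 port = 80 keep state
         block in all
    """
    if pkt.is_fragment:
        return "block"
    if pkt.dst == "10.0.0.5" and pkt.dport == 80:
        state.add((pkt.src, pkt.dst))        # "keep state"
        return "pass"
    return "block"


@dataclass
class Filter:
    cache_before_rules: bool                 # True reproduces the advisory's ordering
    state: set = field(default_factory=set)
    frag_cache: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.frag_id)
        if self.cache_before_rules:
            # Vulnerable path: a cached fragment id is passed before any rule is read,
            # so "block in all with frag" never sees it.
            if key in self.frag_cache:
                return "pass"
            # A packet matching held state is passed by the state table; when that
            # packet is itself a fragment it also seeds the fragment cache.
            if (pkt.src, pkt.dst) in self.state:
                if pkt.is_fragment:
                    self.frag_cache.add(key)
                return "pass"
            return apply_rules(pkt, self.state)
        # Assumed corrected path: only non-fragments take the state shortcut, every
        # fragment goes through the rules, and only a fragment the rules pass is cached.
        if not pkt.is_fragment and (pkt.src, pkt.dst) in self.state:
            return "pass"
        verdict = apply_rules(pkt, self.state)
        if verdict == "pass" and pkt.is_fragment:
            self.frag_cache.add(key)
        return verdict


def run_scenario(filt: Filter) -> list:
    """Three constructed packets from one client: an ordinary request that creates
    state, then the first and a later fragment of a second datagram (same IP id)."""
    client, server = "192.0.2.10", "10.0.0.5"
    packets = [
        Packet(client, server, dport=80),                                     # creates state
        Packet(client, server, dport=80, frag_id=7, more_frags=True),         # first fragment
        Packet(client, server, frag_id=7, frag_offset=185, more_frags=False), # later fragment, no header
    ]
    return [filt.decide(p) for p in packets]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(Filter(cache_before_rules=True)))    # ['pass', 'pass', 'pass']
    print("corrected: ", run_scenario(Filter(cache_before_rules=False)))   # ['pass', 'block', 'block']
```

Note that the vulnerable filter passes both fragments without ever evaluating the first rule, which is exactly why the Workaround section says the problem cannot be fixed with IPFilter rules: a rule that is never reached cannot block anything. The later fragment carries no transport header at all, so in the corrected ordering the only thing the rules can say about it is "block ... with frag", and that is what they say.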