From: Dmitry Pryanishnikov
To: freebsd-security@freebsd.org
Date: Wed, 7 Sep 2005 10:35:21 +0300 (EEST)
Subject: Problem with portaudit's database
Message-ID: <20050907102833.J79716@atlantis.atlantis.dp.ua>
List-Id: "Security issues [members-only posting]"

Hello!

Yesterday portaudit notified me about squid's vulnerability, but today it
didn't (even though I haven't upgraded squid). This has attracted my attention,
so I've compared yesterday's and today's auditfile.tbz:

-r--r--r--  1 root  wheel  29875 Sep  6 15:40 auditfile.tbz

vs.

-r--r--r--  1 root  wheel   5685 Sep  7 10:11 auditfile.tbz

I don't see commits to vuln.xml during this time, so I suspect an auditfile
generation error. Most known vulnerabilities are now unlisted. Please check
this issue.

Sincerely,
Dmitry

--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE


From: "Simon L. Nielsen"
To: Dmitry Pryanishnikov
Cc: freebsd-security@freebsd.org
Date: Wed, 7 Sep 2005 13:34:36 +0200
Subject: Re: Problem with portaudit's database
Message-ID: <20050907113435.GC68197@eddie.nitro.dk>
In-Reply-To: <20050907102833.J79716@atlantis.atlantis.dp.ua>

On 2005.09.07 10:35:21 +0300, Dmitry Pryanishnikov wrote:
> Yesterday portaudit notified me about squid's vulnerability, but today it
> didn't (even though I haven't upgraded squid). This has attracted my attention,
> so I've compared yesterday's and today's auditfile.tbz:
>
> -r--r--r--  1 root  wheel  29875 Sep  6 15:40 auditfile.tbz
>
> vs.
>
> -r--r--r--  1 root  wheel   5685 Sep  7 10:11 auditfile.tbz
>
> I don't see commits to vuln.xml during this time, so I suspect an auditfile
> generation error. Most known vulnerabilities are now unlisted. Please check
> this issue.

Hmm, I just ran portaudit -F and got:

-r--r--r--  1 root  wheel  29857  7 Sep 13:10 auditfile.tbz

Could you try forcing a new download (portaudit -F) to see if it fixes
the problem?

--
Simon L. Nielsen
FreeBSD Security Team


From: "Michael Scheidell"
To: "Simon L. Nielsen", "Dmitry Pryanishnikov"
Cc: freebsd-security@freebsd.org
Date: Wed, 7 Sep 2005 07:56:49 -0400
Subject: RE: Problem with portaudit's database

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of
> Simon L. Nielsen
> Sent: Wednesday, September 07, 2005 7:35 AM
> To: Dmitry Pryanishnikov
> Cc: freebsd-security@freebsd.org
> Subject: Re: Problem with portaudit's database
>
> On 2005.09.07 10:35:21 +0300, Dmitry Pryanishnikov wrote:
>
> > Yesterday portaudit notified me about squid's vulnerability, but
> > today it didn't (even though I haven't upgraded squid). This
> > has attracted my attention, so I've compared yesterday's and today's
> > auditfile.tbz:
> >
> > -r--r--r--  1 root  wheel  29875 Sep  6 15:40 auditfile.tbz
> >
> > vs.
> >
> > -r--r--r--  1 root  wheel   5685 Sep  7 10:11 auditfile.tbz

I had a similar problem (which was fixed with portaudit -F), so I assume
that for a short time the audit db was corrupted.
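The three messages above describe the same failure mode: a freshly fetched auditfile.tbz that is a fraction of the previous one, silently dropping most known vulnerabilities. The check below is an added example for this thread, not code from portaudit or the FreeBSD project. It compares a newly fetched database with the installed copy before trusting it, refusing one whose record count has collapsed or that contains malformed lines. It assumes the decompressed auditfile is one record per line in the form `pkgspec|url|description`; the record contents, the `example.invalid` URLs and the `audit_db_sane`, `count_records` and `make_sample_db` names are all constructed for the example.

```shell
#!/bin/sh
# Sanity-check a freshly fetched portaudit database against the copy already
# installed, before replacing it.  Added example for this thread; not part of
# portaudit.  Assumes the decompressed auditfile is one record per line in
# the form  pkgspec|url|description  (an assumption about the format).

# count_records FILE -> number of well-formed records (3+ '|' fields, URL in $2)
count_records() {
    awk -F'|' 'NF >= 3 && $1 != "" && $2 ~ /^https?:\/\// { n++ } END { print n+0 }' "$1"
}

# audit_db_sane OLD NEW [MIN_PERCENT]
# Returns 0 if NEW has only well-formed records and keeps at least
# MIN_PERCENT (default 75) of OLD's record count; otherwise prints the reason
# on stderr and returns 1 so the caller keeps the old database.
audit_db_sane() {
    old=$1; new=$2; min=${3:-75}
    old_n=$(count_records "$old")
    new_n=$(count_records "$new")
    total_lines=$(awk 'NF { n++ } END { print n+0 }' "$new")
    if [ "$new_n" -ne "$total_lines" ]; then
        echo "auditfile: $((total_lines - new_n)) malformed line(s) in $new" >&2
        return 1
    fi
    if [ "$old_n" -gt 0 ] && [ $((new_n * 100)) -lt $((old_n * min)) ]; then
        echo "auditfile: record count dropped from $old_n to $new_n (< ${min}%); refusing to install" >&2
        return 1
    fi
    return 0
}

# Wrapper for the compressed form portaudit ships (assumed to be bzip2 text):
# not exercised by the demo below because it needs bzip2(1).
audit_tbz_sane() {
    tmp_old=$(mktemp -t auditchk.XXXXXX) && tmp_new=$(mktemp -t auditchk.XXXXXX) || return 2
    trap 'rm -f "$tmp_old" "$tmp_new"' EXIT
    bzip2 -dc "$1" > "$tmp_old" && bzip2 -dc "$2" > "$tmp_new" || return 2
    audit_db_sane "$tmp_old" "$tmp_new"
}

# Constructed sample databases (placeholder packages and URLs).  "new" is
# truncated the way the 5685-byte file in the thread appeared to be.
make_sample_db() {
    dir=$1
    cat > "$dir/old" <<'EOF'
examplepkg-a<1.2.3|http://example.invalid/vuln/1|examplepkg-a -- constructed entry
examplepkg-b>=2.0<2.1|http://example.invalid/vuln/2|examplepkg-b -- constructed entry
examplepkg-c<0.9|http://example.invalid/vuln/3|examplepkg-c -- constructed entry
examplepkg-d<5|http://example.invalid/vuln/4|examplepkg-d -- constructed entry
EOF
    head -n 1 "$dir/old" > "$dir/new"                       # 1 of 4 records survives
    { cat "$dir/old"; echo "garbage without separators"; } > "$dir/malformed"
}

demo() {
    d=$(mktemp -d -t auditchk.XXXXXX) || return 2
    make_sample_db "$d"
    for candidate in old new malformed; do
        if audit_db_sane "$d/old" "$d/$candidate"; then
            echo "$candidate: accepted"
        else
            echo "$candidate: rejected"
        fi
    done
    rm -rf "$d"
}
demo
```

Run on a real system, `audit_tbz_sane /var/db/portaudit/auditfile.tbz /path/to/freshly-fetched.tbz` (paths assumed) would gate the install step; the 75% floor is a judgement call, since the database legitimately shrinks only when entries are removed, which is rare and small.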
From: Dmitry Pryanishnikov
To: "Simon L. Nielsen"
Cc: freebsd-security@FreeBSD.org
Date: Wed, 7 Sep 2005 15:37:09 +0300 (EEST)
Subject: Re: Problem with portaudit's database
Message-ID: <20050907151509.D94334@atlantis.atlantis.dp.ua>
In-Reply-To: <20050907113435.GC68197@eddie.nitro.dk>

Hello!

On Wed, 7 Sep 2005, Simon L. Nielsen wrote:
>>
>> -r--r--r--  1 root  wheel   5685 Sep  7 10:11 auditfile.tbz
>>
>> I don't see commits to vuln.xml during this time, so I suspect an auditfile
>> generation error. Most known vulnerabilities are now unlisted. Please check
>> this issue.
>
> Hmm, I just ran portaudit -F and got:
>
> -r--r--r--  1 root  wheel  29857  7 Sep 13:10 auditfile.tbz
>
> Could you try forcing a new download (portaudit -F) to see if it fixes
> the problem?

I noticed the problem at 10:15 (using EEST, it's 07:15 GMT); the problem
disappeared at approx. 10:50 EEST. Now the audit db is correct again. I just
think that its correctness is quite an important issue, that's why I've
decided to post this information immediately.

Sincerely,
Dmitry

--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE


From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Date: Wed, 7 Sep 2005 13:53:51 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-05:20.cvsbug
Message-Id: <200509071353.j87DrpBr091791@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-05:20.cvsbug                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Race condition in cvsbug

Category:       contrib
Module:         contrib_cvs
Announced:      2005-09-07
Credits:        Marcus Meissner
Affects:        All FreeBSD releases
Corrected:      2005-09-07 13:43:05 UTC (RELENG_6, 6.0-BETA5)
                2005-09-07 13:43:23 UTC (RELENG_5, 5.4-STABLE)
                2005-09-07 13:43:36 UTC (RELENG_5_4, 5.4-RELEASE-p7)
                2005-09-07 13:43:50 UTC (RELENG_5_3, 5.3-RELEASE-p21)
                2005-09-07 13:44:06 UTC (RELENG_4, 4.11-STABLE)
                2005-09-07 13:44:20 UTC (RELENG_4_11, 4.11-RELEASE-p12)
                2005-09-07 13:44:36 UTC (RELENG_4_10, 4.10-RELEASE-p17)
CVE Name:       CAN-2005-2693

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

cvsbug(1) is a utility for reporting problems in the CVS revision control
system.  It is based on the GNATS send-pr(1) utility.

II.  Problem Description

A temporary file is created, used, deleted, and then re-created with the
same name.  This creates a window during which an attacker could replace
the file with a link to another file.

While cvsbug(1) is based on the send-pr(1) utility, this problem does not
exist in the version of send-pr(1) distributed with FreeBSD.

III. Impact

A local attacker could cause data to be written to any file to which the
user running cvsbug(1) has write access.  This may cause damage in itself
(e.g., by destroying important system files or documents) or may be used
to obtain elevated privileges.

IV.  Workaround

Do not use the cvsbug(1) utility on any system with untrusted users.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.10, 4.11,
5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs/cvsbug
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_4
  src/contrib/cvs/src/cvsbug.in                                1.1.1.1.2.4
RELENG_4_11
  src/UPDATING                                              1.73.2.91.2.13
  src/sys/conf/newvers.sh                                   1.44.2.39.2.16
  src/contrib/cvs/src/cvsbug.in                            1.1.1.1.2.3.2.1
RELENG_4_10
  src/UPDATING                                              1.73.2.90.2.18
  src/sys/conf/newvers.sh                                   1.44.2.34.2.19
  src/contrib/cvs/src/cvsbug.in                            1.1.1.1.2.2.6.1
RELENG_5
  src/contrib/cvs/src/cvsbug.in                                1.1.1.3.2.1
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.16
  src/sys/conf/newvers.sh                                   1.62.2.18.2.12
  src/contrib/cvs/src/cvsbug.in                                1.1.1.3.6.1
RELENG_5_3
  src/UPDATING                                             1.342.2.13.2.24
  src/sys/conf/newvers.sh                                   1.62.2.15.2.26
  src/contrib/cvs/src/cvsbug.in                                1.1.1.3.4.1
RELENG_6
  src/contrib/cvs/src/cvsbug.in                                1.1.1.3.8.1
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2693

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:20.cvsbug.asc


From: "Simon L. Nielsen"
To: Dmitry Pryanishnikov
Cc: freebsd-security@FreeBSD.org
Date: Wed, 7 Sep 2005 21:37:17 +0200
Subject: Re: Problem with portaudit's database
Message-ID: <20050907193717.GC859@zaphod.nitro.dk>
In-Reply-To: <20050907151509.D94334@atlantis.atlantis.dp.ua>

On 2005.09.07 15:37:09 +0300, Dmitry Pryanishnikov wrote:
>
> Hello!
>
> On Wed, 7 Sep 2005, Simon L. Nielsen wrote:
> >>
> >> -r--r--r--  1 root  wheel   5685 Sep  7 10:11 auditfile.tbz
> >>
> >> I don't see commits to vuln.xml during this time, so I suspect an auditfile
> >> generation error. Most known vulnerabilities are now unlisted. Please
> >> check this issue.
> >
> > Hmm, I just ran portaudit -F and got:
> >
> > -r--r--r--  1 root  wheel  29857  7 Sep 13:10 auditfile.tbz
> >
> > Could you try forcing a new download (portaudit -F) to see if it fixes
> > the problem?
>
> I noticed the problem at 10:15 (using EEST, it's 07:15 GMT); the problem
> disappeared at approx. 10:50 EEST. Now the audit db is correct again. I just

OK, at least that's good.

> think that its correctness is quite an important issue, that's why I've
> decided to post this information immediately.

Indeed, and thanks for doing that!

Once I get a chance I will look more into what exactly is going on with
the portaudit database generation and try to make sure it won't generate
an incomplete database again, or if it does, make sure it detects the
problem.

Should the problem reappear please don't hesitate to let me/us know.

--
Simon L. Nielsen
FreeBSD Security Team
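The FreeBSD-SA-05:20.cvsbug advisory earlier in this digest describes a temporary file that is created, used, deleted and re-created under the same name, leaving a window in which a local user can plant a link at that name. The script below is an added example of how a report-building shell script avoids that window; it is not cvsbug.in, send-pr, or FreeBSD's patch. It relies on mktemp(1) creating the file exclusively with mode 0600 and on never giving up the name once held; the function names (`new_report_file`, `reset_report_file`, `build_report`) and the report contents are constructed for the example.

```shell
#!/bin/sh
# Temporary-file discipline for a cvsbug/send-pr style report script.  Added
# example for the FreeBSD-SA-05:20.cvsbug advisory; not cvsbug.in nor the
# FreeBSD patch.  The advisory's bug class: the temp file is created, used,
# deleted and re-created under the same name, so between the delete and the
# re-create another local user can put a link at that name and the script
# then writes through the link.

# Fragile shape (shown only as comments):
#   tmp=/tmp/report.$$            # predictable name
#   ... > "$tmp"; rm -f "$tmp"    # name given up: anyone may now claim it
#   ... > "$tmp"                  # reopened by name: follows whatever is there

# new_report_file: create the file exactly once via mktemp(1), which opens it
# with O_EXCL and mode 0600 under an unpredictable name.  Prints the path.
new_report_file() {
    f=$(mktemp -t report.XXXXXX) || return 1
    # Defence in depth for an odd TMPDIR: regular file, not a link, ours.
    if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -O "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# reset_report_file FILE: reuse the file we already own by truncating it in
# place instead of rm + recreate.  We never release the name, so in a sticky
# /tmp nobody else can unlink it and substitute a link; the -L test only
# guards against a caller handing us a path we did not create.
reset_report_file() {
    [ -L "$1" ] && return 1
    : > "$1"
}

# build_report: the whole workflow, printing the number of report sections
# written (constructed content standing in for the PR template).
build_report() {
    rf=$(new_report_file) || return 1
    trap 'rm -f "$rf"' EXIT            # cleanup on any exit; the name is never reused
    sections=0
    printf 'Subject: constructed problem report\n' > "$rf"
    sections=$((sections + 1))
    # Second pass, where the fragile pattern would have done rm + recreate:
    reset_report_file "$rf" || return 1
    printf 'Subject: constructed problem report (revised)\n' > "$rf"
    sections=$((sections + 1))
    echo "$sections"
}

build_report
```

The same idea in C is mkstemp(3) followed by working on the returned descriptor for the life of the program; re-opening by path is what reintroduces the race.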
From: talonz
To: freebsd-security@freebsd.org
Date: Thu, 08 Sep 2005 08:27:13 +1000
Subject: ee using 99% cpu after user ssh session terminates abnormally
Message-ID: <431F6941.20006@gmail.com>

Recently I have been using a dialup 56k account to access the net
and have noticed that when my ssh session times out and I am editing
a file in `ee' the system goes to 99% cpu usage and stays like
this till the pid is killed.
This is a standard user account (not root/su)

Would a user be able to create a denial of service condition
on the remote system using this bug?
(sorry if this is posted to the incorrect list)

Details:

System - FreeBSD 5.4-RELEASE-p5

ee using 99% cpu after user session terminates abnormally
PID reported by top.

The output from ps looks like this

[root@blah][~]$ ps aux | grep 70464
someuser 70464 93.5  0.1  1920 1372  p1- R     7:09PM 687:07.27 ee file

Regards
Jason M


From: Brooks Davis
To: talonz
Cc: freebsd-security@freebsd.org
Date: Wed, 7 Sep 2005 15:37:48 -0700
Subject: Re: ee using 99% cpu after user ssh session terminates abnormally
Message-ID: <20050907223748.GB563@odin.ac.hmc.edu>
In-Reply-To: <431F6941.20006@gmail.com>

On Thu, Sep 08, 2005 at 08:27:13AM +1000, talonz wrote:
> Recently I have been using a dialup 56k account to access the net
> and have noticed that when my ssh session times out and I am editing
> a file in `ee' the system goes to 99% cpu usage and stays like
> this till the pid is killed.
> This is a standard user account (not root/su)
>
> Would a user be able to create a denial of service condition
> on the remote system using this bug?

No more than they could with the ability to run any other program that
loops.

> (sorry if this is posted to the incorrect list)
>
> Details:
>
> System - FreeBSD 5.4-RELEASE-p5
>
> ee using 99% cpu after user session terminates abnormally
> PID reported by top.
>
> The output from ps looks like this
>
> [root@blah][~]$ ps aux | grep 70464
> someuser 70464 93.5  0.1  1920 1372  p1- R     7:09PM 687:07.27 ee file

I can't seem to trigger this bug on a 7.0 machine either by killing the
client or using tcpdrop to kill the tcp session.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4


From: Craig Edwards
To: Brooks Davis
Cc: freebsd-security@freebsd.org, talonz
Date: Thu, 08 Sep 2005 00:02:27 +0100
Subject: Re: ee using 99% cpu after user ssh session terminates abnormally
Message-ID: <431F7183.7080405@winbot.co.uk>
In-Reply-To: <20050907223748.GB563@odin.ac.hmc.edu>

I can duplicate this with nano on freebsd 5.4 and 5.2.1
It seems that the process ignores the HUP signal maybe or ignores the EOF
condition on stdin, and the select loop, or whatever it uses, just loops
infinitely with nothing to read, constantly returning an error condition.
At least this is what I suspect happens. Lazy programming somewhere...

Thanks
Craig Edwards

Brooks Davis wrote:
> On Thu, Sep 08, 2005 at 08:27:13AM +1000, talonz wrote:
>
>>Recently I have been using a dialup 56k account to access the net
>>and have noticed that when my ssh session times out and I am editing
>>a file in `ee' the system goes to 99% cpu usage and stays like
>>this till the pid is killed.
>>This is a standard user account (not root/su)
>>
>>Would a user be able to create a denial of service condition
>>on the remote system using this bug?
>
> No more than they could with the ability to run any other program that
> loops.
>
>>(sorry if this is posted to the incorrect list)
>>
>>Details:
>>
>>System - FreeBSD 5.4-RELEASE-p5
>>
>>ee using 99% cpu after user session terminates abnormally
>>PID reported by top.
>>
>>The output from ps looks like this
>>
>>[root@blah][~]$ ps aux | grep 70464
>>someuser 70464 93.5  0.1  1920 1372  p1- R     7:09PM 687:07.27 ee file
>
> I can't seem to trigger this bug on a 7.0 machine either by killing the
> client or using tcpdrop to kill the tcp session.
>
> -- Brooks
>


From: Nate Nielsen
Reply-To: nielsen@memberwebs.com
To: talonz
Cc: freebsd-security@freebsd.org
Date: Thu, 8 Sep 2005 00:18:36 +0000 (GMT)
Subject: Re: ee using 99% cpu after user ssh session terminates abnormally
Message-Id: <20050908001830.6A33270DCDB@mail.npubs.com>
References: <431F6941.20006@gmail.com>

talonz wrote:
> Recently I have been using a dialup 56k account to access the net
> and have noticed that when my ssh session times out and I am editing
> a file in `ee' the system goes to 99% cpu usage and stays like
> this till the pid is killed.
> This is a standard user account (not root/su)

This happens all the time on servers I manage. It's a real pain because
it's hard to see the actual load of the machine. We have a dumb hack of
a script that kills these off when they happen.

> Would a user be able to create a denial of service condition
> on the remote system using this bug?

Don't think so, unless there's a process getting starved somewhere, in
which case the DOS would be basically impossible to prevent.

Cheers,
Nate
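Nate mentions a script that kills off these spinning editors; the example below is an added, reporting-only counterpart, not his script or anything from FreeBSD. It reads `ps aux` output of the shape Jason pasted (USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND) and lists editor processes whose TT column ends in `-`, which I read as ps(1) marking a process that has lost its controlling terminal, and whose CPU use is above a threshold. The sample ps lines, the default editor list (`ee nano`, the two named in the thread) and the function names are constructed for the example; it prints candidates for an operator to review rather than killing anything.

```shell
#!/bin/sh
# Find editor processes that have lost their terminal and are burning CPU,
# the symptom this thread describes (ee after an ssh session drops).  Added
# example, not the clean-up script Nate mentions.  It only reports; whether
# to kill is the operator's call.  Assumes FreeBSD "ps aux" columns as in
# Jason's paste: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND,
# and reads the trailing '-' on TT (p1-) as "controlling terminal gone".

# Constructed sample output, modelled on the line quoted in the thread.
SAMPLE_PS='USER       PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED      TIME COMMAND
someuser 70464 93.5  0.1 1920 1372  p1- R     7:09PM 687:07.27 ee file
otheruser 70123  0.0  0.1 1920 1372  p2  S+    8:01PM   0:00.05 ee notes.txt
someuser 70500 97.0  0.2 2400 1600  p3- R     7:30PM  12:00.10 nano /tmp/draft
root        99  0.0  0.3 3000 2000  p4- R     6:00PM   0:01.00 sh -c loop'

# orphaned_editors [CPU_THRESHOLD] [EDITORS] < ps-output
# Prints "PID COMMAND" for each process whose command basename is one of
# EDITORS (default "ee nano"), whose TT ends in '-', and whose %CPU is at
# least CPU_THRESHOLD (default 50).
orphaned_editors() {
    thr=${1:-50}
    eds=${2:-"ee nano"}
    awk -v thr="$thr" -v eds="$eds" '
        BEGIN { n = split(eds, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
        $1 == "USER" { next }                   # column header line
        $7 ~ /-$/ && ($3 + 0) >= thr {
            cmd = $11; sub(/.*\//, "", cmd)      # basename of the command
            if (cmd in want) print $2, cmd
        }'
}

# orphan_count [CPU_THRESHOLD] [EDITORS]: number of candidates in the sample.
orphan_count() {
    printf '%s\n' "$SAMPLE_PS" | orphaned_editors "$@" | wc -l | tr -d ' '
}

# review_orphans: on a live system the input would be  ps aux ;
# here it runs over the sample and prints the commands an operator would
# review before running them.
review_orphans() {
    printf '%s\n' "$SAMPLE_PS" | orphaned_editors "$@" | while read -r pid cmd; do
        printf 'candidate: kill %s   # %s, no controlling terminal, high CPU\n' "$pid" "$cmd"
    done
}

review_orphans 50
```

The idle `ee` on a live terminal (`p2`, 0.0%) and the unrelated `sh` are not reported at the default settings; raising the threshold or passing a different editor list changes the selection without touching the parsing.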
(unknown) by unknown with SMTP; 8 Sep 2005 00:21:38 -0000 Message-ID: <431F841A.1060302@mawer.org> Date: Thu, 08 Sep 2005 10:21:46 +1000 From: Antony Mawer User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: nielsen@memberwebs.com References: <431F6941.20006@gmail.com> <20050908001830.6A33270DCDB@mail.npubs.com> In-Reply-To: <20050908001830.6A33270DCDB@mail.npubs.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org, talonz Subject: Re: ee using 99% cpu after user ssh session terminates abnormaly X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Sep 2005 00:21:44 -0000 On 8/09/2005 10:18 AM, Nate Nielsen wrote: > talonz wrote: >>Recently i have been using a dialup 56k account to access the net >>and have noticed that when my ssh session times out and I am editing >>a file in ` ee ' the system goes to 99% cpu usage and stays like >>this till the pid is killed. >>This is a standard user account (not root/su) > > This happens all the time on servers I manage. It's a real pain because > it's hard to see the actual load of the machine. We have a dumb hack of > a script that kill these off when they happen. Another "me too" -- usually when we notice our server (running FreeBSD 4.11) starting to crawl, the culprit is an "ee" session using up 99% cpu. I just reproduced it then by logging in via ssh, running "ee" (not opening any file) and then killing the Putty window. 
Cheers
Antony

From owner-freebsd-security@FreeBSD.ORG Wed Sep 7 23:51:42 2005
From: Giorgos Keramidas
To: Craig Edwards
Cc: freebsd-security@freebsd.org, talonz
Date: Thu, 8 Sep 2005 02:51:32 +0300
Subject: Re: ee using 99% cpu after user ssh session terminates abnormaly
Message-ID: <20050907235132.GB13522@orion.daedalusnetworks.priv>
In-Reply-To: <431F7183.7080405@winbot.co.uk>

On 2005-09-08 00:02, Craig Edwards wrote:
> At least this is what I suspect happens. Lazy programming somewhere...
> Brooks Davis wrote:
> >On Thu, Sep 08, 2005 at 08:27:13AM +1000, talonz wrote:
> >>Recently I have been using a dialup 56k account to access the net
> >>and have noticed that when my ssh session times out and I am editing
> >>a file in ` ee ' the system goes to 99% cpu usage and stays like
> >>this till the pid is killed. This is a standard user account (not
> >>root/su)
> >>
> >>Would a user be able to create a denial of service condition on the
> >>remote system using this bug?
> >
> >No more than they could with the ability to run any other program that
> >loops.
>
> I can duplicate this with nano on freebsd 5.4 and 5.2.1
>
> It seems that the process ignores the HUP signal maybe or ignores the
> EOF condition on stdin, and the select loop, or whatever it uses, just
> loops infinitely with nothing to read, constantly returning an error
> condition.

FWIW, pico seems to handle HUP just fine. So whatever causes nano to
enter a loop is something that is done differently in nano.
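The loop shape Craig describes, as an added C example that is not code from ee, nano, pico or FreeBSD: an input loop that retries on EOF and never looks at SIGHUP, beside one that stops on either. A pipe whose write end is closed stands in for the vanished terminal, and all names here are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum { LOOP_EOF = 0, LOOP_ERROR = 1, LOOP_HUP = 2, LOOP_SPUN = 3 };
static volatile sig_atomic_t got_hup = 0;
static void on_hup(int sig) { (void)sig; got_hup = 1; }

/* Catch SIGHUP instead of ignoring it; the hardened loop polls the flag. */
int install_hup_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_hup;
    return sigaction(SIGHUP, &sa, NULL);
}
/* Buggy shape: "nothing read" is treated as transient and retried, so once the
 * terminal is gone every read() returns at once and the loop spins at 99% CPU.
 * max_iter only bounds the demonstration; the real loop never ends. */
int buggy_loop(int fd, int max_iter)
{
    char c;
    for (int i = 0; i < max_iter; i++) {
        if (read(fd, &c, 1) == 1) continue;     /* a keystroke: dispatch it here */
        /* 0 (EOF) and -1 (error) fall through and are simply retried */
    }
    return LOOP_SPUN;
}

/* Hardened shape: EOF, a non-retryable error, or a pending SIGHUP all mean the
 * terminal is gone, so the loop ends and the editor can save state and exit. */
int fixed_loop(int fd)
{
    char c;
    for (;;) {
        if (got_hup) return LOOP_HUP;
        ssize_t n = read(fd, &c, 1);
        if (n == 1) continue;                   /* a keystroke: dispatch it here */
        if (n == 0) return LOOP_EOF;            /* the other side closed */
        if (errno == EINTR) continue;           /* a signal arrived; recheck got_hup */
        return LOOP_ERROR;                      /* e.g. EIO from a hung-up pty */
    }
}
/* Constructed stand-in for a session that typed `keys` and then vanished:
 * a pipe whose write end is closed, so every further read() returns 0. */
static int hung_up_session(const char *keys)
{
    int p[2];
    if (pipe(p) == -1) return -1;
    if (write(p[1], keys, strlen(keys)) < 0) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);                                /* the "hangup" */
    return p[0];
}
/* Runs one loop against a hung-up session and returns its exit reason; with
 * send_hup, SIGHUP is delivered first, as the kernel does when a pty hangs up. */
int demo(int use_fixed, int send_hup)
{
    if (install_hup_handler() != 0) return -1;
    if (send_hup) raise(SIGHUP);                /* handler runs before raise() returns */
    int fd = hung_up_session("ab");
    int r = use_fixed ? fixed_loop(fd) : buggy_loop(fd, 1000);
    close(fd);
    got_hup = 0;
    return r;
}
int main(void) { printf("buggy=%d fixed=%d hup=%d\n", demo(0, 0), demo(1, 0), demo(1, 1)); return 0; }
```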
From owner-freebsd-security@FreeBSD.ORG Fri Sep 9 06:33:38 2005
From: Yar Tikhiy
To: Antony Mawer
Cc: freebsd-security@freebsd.org, nielsen@memberwebs.com, talonz
Date: Fri, 9 Sep 2005 10:33:28 +0400
Subject: Re: ee using 99% cpu after user ssh session terminates abnormaly
Message-ID: <20050909063328.GA47579@comp.chem.msu.su>
In-Reply-To: <431F841A.1060302@mawer.org>

On Thu, Sep 08, 2005 at 10:21:46AM +1000, Antony Mawer wrote:
> On 8/09/2005 10:18 AM, Nate Nielsen wrote:
> > talonz wrote:
> >>Recently I have been using a dialup 56k account to access the net
> >>and have noticed that when my ssh session times out and I am editing
> >>a file in ` ee ' the system goes to 99% cpu usage and stays like
> >>this till the pid is killed.
> >>This is a standard user account (not root/su)
> >
> > This happens all the time on servers I manage. It's a real pain because
> > it's hard to see the actual load of the machine. We have a dumb hack of
> > a script that kills these off when they happen.
>
> Another "me too" -- usually when we notice our server (running FreeBSD
> 4.11) starting to crawl, the culprit is an "ee" session using up 99%
> cpu. I just reproduced it then by logging in via ssh, running "ee" (not
> opening any file) and then killing the Putty window.

BTW, isn't the problem in bin/65892?

http://www.freebsd.org/cgi/query-pr.cgi?pr=65892

--
Yar

From owner-freebsd-security@FreeBSD.ORG Fri Sep 9 19:34:14 2005
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Date: Fri, 9 Sep 2005 19:34:11 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-05:20.cvsbug [REVISED]
Message-Id: <200509091934.j89JYBf4032529@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:20.cvsbug                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Race condition in cvsbug

Category:       contrib
Module:         contrib_cvs
Announced:      2005-09-07
Credits:        Marcus Meissner
Affects:        All FreeBSD releases
Corrected:      2005-09-07 13:43:05 UTC (RELENG_6, 6.0-BETA5)
                2005-09-07 13:43:23 UTC (RELENG_5, 5.4-STABLE)
                2005-09-07 13:43:36 UTC (RELENG_5_4, 5.4-RELEASE-p7)
                2005-09-09 19:26:19 UTC (RELENG_5_3, 5.3-RELEASE-p22)
                2005-09-07 13:44:06 UTC (RELENG_4, 4.11-STABLE)
                2005-09-07 13:44:20 UTC (RELENG_4_11, 4.11-RELEASE-p12)
                2005-09-09 19:24:22 UTC (RELENG_4_10, 4.10-RELEASE-p18)
CVE Name:       CAN-2005-2693

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2005-07-07  Initial release.
v1.1  2005-07-09  Additional related issues fixed in FreeBSD 4.10 and 5.3.

I.   Background

cvsbug(1) is a utility for reporting problems in the CVS revision control
system.  It is based on the GNATS send-pr(1) utility.

II.  Problem Description

A temporary file is created, used, deleted, and then re-created with the
same name.  This creates a window during which an attacker could replace
the file with a link to another file.

While cvsbug(1) is based on the send-pr(1) utility, this problem does not
exist in the version of send-pr(1) distributed with FreeBSD.

In FreeBSD 4.10 and 5.3, some additional problems exist concerning
temporary file usage in both cvsbug(1) and send-pr(1).

III. Impact

A local attacker could cause data to be written to any file to which the
user running cvsbug(1) (or send-pr(1) in FreeBSD 4.10 and 5.3) has write
access.  This may cause damage in itself (e.g., by destroying important
system files or documents) or may be used to obtain elevated privileges.

IV.  Workaround

Do not use the cvsbug(1) utility on any system with untrusted users.

Do not use the send-pr(1) utility on a FreeBSD 4.10 or 5.3 system with
untrusted users.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug410.patch.asc

[FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug53.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug53.patch.asc

[FreeBSD 4.11 and 5.4]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs/cvsbug
# make obj && make depend && make && make install
# cd /usr/src/gnu/usr.bin/send-pr
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/contrib/cvs/src/cvsbug.in                                1.1.1.1.2.4
RELENG_4_11
  src/UPDATING                                              1.73.2.91.2.13
  src/sys/conf/newvers.sh                                   1.44.2.39.2.16
  src/contrib/cvs/src/cvsbug.in                            1.1.1.1.2.3.2.1
RELENG_4_10
  src/UPDATING                                              1.73.2.90.2.19
  src/sys/conf/newvers.sh                                   1.44.2.34.2.20
  src/contrib/cvs/src/cvsbug.in                            1.1.1.1.2.2.6.2
  src/gnu/usr.bin/send-pr/send-pr.sh                         1.13.2.13.2.1
RELENG_5
  src/contrib/cvs/src/cvsbug.in                                1.1.1.3.2.1
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.16
  src/sys/conf/newvers.sh                                   1.62.2.18.2.12
  src/contrib/cvs/src/cvsbug.in                                1.1.1.3.6.1
RELENG_5_3
  src/UPDATING                                             1.342.2.13.2.25
  src/sys/conf/newvers.sh                                   1.62.2.15.2.27
  src/contrib/cvs/src/cvsbug.in                                1.1.1.3.4.1
  src/gnu/usr.bin/send-pr/send-pr.sh                              1.35.6.1
RELENG_6
  src/contrib/cvs/src/cvsbug.in                                1.1.1.3.8.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2693

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:20.cvsbug.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFDIeKFFdaIBMps37IRApOpAJ9RRKHLnuyFOuaM1pN09Sn3Rysv4gCgiF+/
QJ1c9krguLbujP/YL4LaDP0=
=5W0R
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Sat Sep 10 10:03:22 2005
From: Yar Tikhiy
To: Nielsen
Cc: freebsd-security@freebsd.org, talonz
Date: Sat, 10 Sep 2005 14:03:10 +0400
Subject: Re: ee using 99% cpu after user ssh session terminates abnormaly
Message-ID: <20050910100309.GA19194@comp.chem.msu.su>
In-Reply-To: <20050909213137.C0C3470DBC4@mail.npubs.com>

On Fri, Sep 09, 2005 at 09:31:38PM +0000, Nielsen wrote:
> Yar Tikhiy wrote:
> > On Thu, Sep 08, 2005 at 10:21:46AM +1000, Antony Mawer wrote:
> >>Another "me too" -- usually when we notice our server (running FreeBSD
> >>4.11) starting to crawl, the culprit is an "ee" session using up 99%
> >>cpu. I just reproduced it then by logging in via ssh, running "ee" (not
> >>opening any file) and then killing the Putty window.
> >
> >
> > BTW, isn't the problem in bin/65892?
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=65892
>
> For the record the same thing happens with basically any ncurses
> program. Midnight commander has the same behavior for example.

I'd like to rejoin that my favourite mutt-devel built against ncurses
shipped with 4.11-RELEASE doesn't display this kind of behaviour.
Perhaps it's Midnight commander that is really buggy, eh?

As for ee, the fix from bin/65892 appears to have been applied to
CURRENT and 5-STABLE, but not to 4-STABLE.  Care to test the fix
in 4.11 or 4-STABLE?  It should be 100% safe.

--
Yar

From owner-freebsd-security@FreeBSD.ORG Fri Sep 9 21:26:02 2005
From: Nielsen
To: Yar Tikhiy
Cc: freebsd-security@freebsd.org, talonz
Date: Fri, 9 Sep 2005 21:31:38 +0000 (GMT)
Subject: Re: ee using 99% cpu after user ssh session terminates abnormaly
Message-Id: <20050909213137.C0C3470DBC4@mail.npubs.com>

Yar Tikhiy wrote:
> On Thu, Sep 08, 2005 at 10:21:46AM +1000, Antony Mawer wrote:
>>Another "me too" -- usually when we notice our server (running FreeBSD
>>4.11) starting to crawl, the culprit is an "ee" session using up 99%
>>cpu. I just reproduced it then by logging in via ssh, running "ee" (not
>>opening any file) and then killing the Putty window.
>
>
> BTW, isn't the problem in bin/65892?
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=65892

For the record the same thing happens with basically any ncurses
program. Midnight commander has the same behavior for example.

Cheers,
Nate

From owner-freebsd-security@FreeBSD.ORG Sat Sep 10 23:15:55 2005
From: Doug Barton
Organization: http://www.FreeBSD.org/
To: Yar Tikhiy
Cc: freebsd-security@freebsd.org, Nielsen, talonz
Date: Sat, 10 Sep 2005 16:15:53 -0700
Subject: Re: ee using 99% cpu after user ssh session terminates abnormaly
Message-ID: <43236929.2010909@FreeBSD.org>
In-Reply-To: <20050910100309.GA19194@comp.chem.msu.su>

Yar Tikhiy wrote:
> As for ee, the fix from bin/65892 appears to have been applied to
> CURRENT and 5-STABLE, but not to 4-STABLE.  Care to test the fix
> in 4.11 or 4-STABLE?  It should be 100% safe.

Since the diff in 1.32 was very clear, and it has already made it down to
5-stable, I tested this in RELENG_4 and committed it. I would still be
interested in any reports about whether this does, or does not solve the
problem.

hth,

Doug

--
This .signature sanitized for your protection
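Returning to the FreeBSD-SA-05:20.cvsbug advisory above: the temporary-file pattern it describes (create, use, delete, re-create under the same name) beside a hardened replacement, as an added C example. cvsbug itself is a shell script and none of this is its code; the scratch directory, the victim file, the function names and the `race` hook that stands in for the window are all constructed here.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable shape (what the advisory describes): the name is freed by unlink and
 * reopened without O_EXCL, so whatever sits at `path` by then, such as a symlink
 * placed by another local user, is followed and truncated. `race` runs in the window. */
int reuse_tmp_name(const char *path, const char *text, void (*race)(const char *))
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* created and used... */
    if (fd != -1) close(fd);
    unlink(path);                                   /* ...then deleted: the name is free */
    if (race) race(path);                           /* the window */
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);  /* re-created: follows a link */
    if (fd == -1) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}
/* Hardened shape: a fresh unpredictable name from mkstemp(3), which opens with
 * O_CREAT|O_EXCL so a pre-existing path (symlink included) fails instead of
 * being followed; the descriptor is used and the name is never reopened. */
int fresh_tmp_file(const char *dir, const char *text, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/cvsbug-example.XXXXXX", dir);
    int fd = mkstemp(out);
    if (fd == -1) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}
/* Constructed scenario: a scratch directory, a victim file holding "secret" and
 * the predictable name a legacy tool would reuse. All paths are made up here. */
static char g_dir[256], g_victim[256], g_tmp[256], g_fresh[256];
static int setup(void)
{
    snprintf(g_dir, sizeof g_dir, "/tmp/sa0520.XXXXXX");
    if (!mkdtemp(g_dir)) return -1;
    snprintf(g_victim, sizeof g_victim, "%s/victim", g_dir);
    snprintf(g_tmp, sizeof g_tmp, "%s/predictable.tmp", g_dir);
    FILE *f = fopen(g_victim, "w");
    return (f && fputs("secret", f) >= 0) ? fclose(f) : -1;
}
/* Reads the victim back and removes the scratch files; 1 if "secret" survived. */
static int victim_intact(void)
{
    char buf[16] = {0};
    FILE *f = fopen(g_victim, "r");
    if (f) { if (fread(buf, 1, sizeof buf - 1, f) == 0) buf[0] = '\0'; fclose(f); }
    unlink(g_victim); unlink(g_tmp); unlink(g_fresh); rmdir(g_dir);
    return strcmp(buf, "secret") == 0;
}
static void plant_symlink(const char *path) { if (symlink(g_victim, path) != 0) perror("symlink"); }

/* Returns 1 if the victim survived, 0 if it was clobbered, -1 on setup failure. */
int demo(int hardened)
{
    if (setup() == -1) return -1;
    if (!hardened) {
        reuse_tmp_name(g_tmp, "bug report", plant_symlink);
    } else {
        if (fresh_tmp_file(g_dir, "bug report", g_fresh, sizeof g_fresh) == -1) return -1;
        plant_symlink(g_tmp);                       /* the stale name is now a symlink */
        int fd = open(g_tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);  /* must fail: EEXIST */
        if (fd != -1) { close(fd); return 0; }
    }
    return victim_intact();
}
```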