From owner-freebsd-security@FreeBSD.ORG Sun May 20 16:21:46 2007
From: Dag-Erling Smørgrav <des@des.no>
To: "Zane C.B."
Cc: FreeBSD Security
Date: Sun, 20 May 2007 17:49:19 +0200
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <86bqgfh4w0.fsf@dwp.des.no>
In-Reply-To: <20070519130533.722e8b57@vixen42> (Zane C. B.'s message of "Sat, 19 May 2007 13:05:33 -0400")

"Zane C.B." writes:
> I figure someone here may find this interesting. I have just begun work
> on allowing an smb home directory to be automounted upon login.

Your patch opens a gaping security hole.  Sensitive information should
never be placed in the environment.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun May 20 17:10:37 2007
From: Dag-Erling Smørgrav <des@des.no>
To: "Zane C.B."
Cc: FreeBSD Security
Date: Sun, 20 May 2007 19:10:33 +0200
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <86tzu7ifp2.fsf@dwp.des.no>
In-Reply-To: <20070520120142.39e86eae@vixen42> (Zane C. B.'s message of "Sun, 20 May 2007 12:01:42 -0400")
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42>
"Zane C.B." writes:
> Dag-Erling Smørgrav writes:
>> Your patch opens a gaping security hole.  Sensitive information
>> should never be placed in the environment.
> Unless I am missing something, this is only dangerous if one is doing
> something stupid with whatever is being executed by pam_exec.

Environment variables may be visible to other processes and users
through e.g. /proc.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun May 20 17:21:43 2007
From: "Zane C.B."
To: Dag-Erling Smørgrav
Cc: FreeBSD Security
Date: Sun, 20 May 2007 13:24:10 -0400
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <20070520132410.58989605@vixen42>
In-Reply-To: <86tzu7ifp2.fsf@dwp.des.no>
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42> <86tzu7ifp2.fsf@dwp.des.no>
On Sun, 20 May 2007 19:10:33 +0200
Dag-Erling Smørgrav <des@des.no> wrote:

> "Zane C.B." <v.velox@vvelox.net> writes:
> > Dag-Erling Smørgrav <des@des.no> writes:
> >> Your patch opens a gaping security hole.  Sensitive information
> >> should never be placed in the environment.
> > Unless I am missing something, this is only dangerous if one is
> > doing something stupid with whatever is being executed by
> > pam_exec.
> 
> Environment variables may be visible to other processes and users
> through e.g. /proc.

Cool. Forgot about /proc. Is definitely an issue. Hmmm, any ideas in
the area of passing it then?

My current thoughts are along the lines of passing it through stdin
currently.

From owner-freebsd-security@FreeBSD.ORG Sun May 20 18:23:44 2007
From: Dan Lukes <dan@obluda.cz>
To: FreeBSD Security
Date: Sun, 20 May 2007 20:06:19 +0200
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <46508E1B.8030302@obluda.cz>
In-Reply-To: <86tzu7ifp2.fsf@dwp.des.no>
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42> <86tzu7ifp2.fsf@dwp.des.no>

Dag-Erling Smørgrav wrote, On 05/20/07 19:10:
> "Zane C.B." writes:
>> Dag-Erling Smørgrav writes:
>>> Your patch opens a gaping security hole.  Sensitive information
>>> should never be placed in the environment.
>> Unless I am missing something, this is only dangerous if one is doing
>> something stupid with whatever is being executed by pam_exec.
> 
> Environment variables may be visible to other processes and users
> through e.g. /proc.

Much sensitive information can be accessible via /dev/kmem, but the
default mode of the device doesn't allow regular user access.

We trust the responsible administrator not to load the mem.ko module
and change the mode/ownership of /dev/kmem in a way that opens a hole.

So we shall trust the same administrator not to load procfs.ko and
mount /proc, creating the security hole this way.

Please note I agree with the conclusion - the offered patch shall be
rejected. I disagree with the explanation only. It's not as simple as
presented.
Dan
-- 
Dan Lukes                                         SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz, dan at (kolej.)mff.cuni.cz

From owner-freebsd-security@FreeBSD.ORG Sun May 20 18:29:49 2007
From: Dan Lukes <dan@obluda.cz>
To: freebsd security
Date: Sun, 20 May 2007 20:29:47 +0200
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <4650939B.6020004@obluda.cz>
In-Reply-To: <20070520132410.58989605@vixen42>
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42> <86tzu7ifp2.fsf@dwp.des.no> <20070520132410.58989605@vixen42>

Zane C.B. wrote, On 05/20/07 19:24:
> My current thoughts are along the lines of passing it through stdin
> currently.

You can select the channel which can be used for information passing?
It seems you have the sources of the program you want to call from
pam_exec.

The better way is to add a few functions into the sources and convert
the standalone binary into a regular PAM module.

In fact, the program in question:
1. is not PAM aware, so it can't work with PAM data without source code
   change - patch doesn't help
2. is PAM aware, so it shall be written as a regular PAM module - patch
   is not required
3. wants to be PAM aware, but its programmer is too lazy to write it the
   clean way (as a regular PAM module) - we need the patch

The patch shall be rejected because the only purpose of it is to
support lazy programmers creating hacks instead of solutions.

I don't want to start a flame. It's my $0.02. Your mileage may vary.

Dan
-- 
Dan Lukes                                         SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz, dan at (kolej.)mff.cuni.cz

From owner-freebsd-security@FreeBSD.ORG Sun May 20 23:38:04 2007
From: "Zane C.B."
To: Dan Lukes
Cc: FreeBSD Security
Date: Sun, 20 May 2007 19:40:32 -0400
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <20070520194032.4ae23aaa@vixen42>
In-Reply-To: <46508E1B.8030302@obluda.cz>
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42> <86tzu7ifp2.fsf@dwp.des.no> <46508E1B.8030302@obluda.cz>
On Sun, 20 May 2007 20:06:19 +0200
Dan Lukes <dan@obluda.cz> wrote:

> Dag-Erling Smørgrav wrote, On 05/20/07 19:10:
> > "Zane C.B." <v.velox@vvelox.net> writes:
> >> Dag-Erling Smørgrav <des@des.no> writes:
> >>> Your patch opens a gaping security hole.  Sensitive information
> >>> should never be placed in the environment.
> >> Unless I am missing something, this is only dangerous if one is
> >> doing something stupid with whatever is being executed by
> >> pam_exec.
> > 
> > Environment variables may be visible to other processes and users
> > through e.g. /proc.
> 
> Much sensitive information can be accessible via /dev/kmem,
> but the default mode of the device doesn't allow regular user
> access.
> 
> We trust the responsible administrator not to load the
> mem.ko module and change the mode/ownership of /dev/kmem in a way
> that opens a hole.
> 
> So we shall trust the same administrator not to load
> procfs.ko and mount /proc, creating the security hole this way.
> 
> Please note I agree with the conclusion - the offered patch
> shall be rejected. I disagree with the explanation only. It's not as
> simple as presented.

I agree with D.E.S. about procfs, but by your argument that what I wrote
is a bad idea, would not PAM and any other form of authentication be a
bad idea?

From owner-freebsd-security@FreeBSD.ORG Sun May 20 23:59:40 2007
From: "Zane C.B."
To: Dag-Erling Smørgrav
Date: Sun, 20 May 2007 12:01:42 -0400
Message-ID: <20070520120142.39e86eae@vixen42>
In-Reply-To: <86bqgfh4w0.fsf@dwp.des.no>
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no>
Cc: FreeBSD Security
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.

On Sun, 20 May 2007 17:49:19 +0200
Dag-Erling Smørgrav <des@des.no> wrote:

> "Zane C.B." <v.velox@vvelox.net> writes:
> > I figure someone here may find this interesting. I have just begun
> > work on allowing an smb home directory to be automounted upon
> > login.
> 
> Your patch opens a gaping security hole.  Sensitive information
> should never be placed in the environment.

Unless I am missing something, this is only dangerous if one is doing
something stupid with whatever is being executed by pam_exec.

From owner-freebsd-security@FreeBSD.ORG Mon May 21 00:34:38 2007
From: "Zane C.B."
To: Dan Lukes
Cc: freebsd security
Date: Sun, 20 May 2007 20:03:10 -0400
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <20070520200310.4a79954e@vixen42>
In-Reply-To: <4650939B.6020004@obluda.cz>
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42> <86tzu7ifp2.fsf@dwp.des.no> <20070520132410.58989605@vixen42> <4650939B.6020004@obluda.cz>

On Sun, 20 May 2007 20:29:47 +0200
Dan Lukes wrote:

> Zane C.B. wrote, On 05/20/07 19:24:
> > My current thoughts are along the lines of passing it through
> > stdin currently.
> 
> You can select the channel which can be used for
> information passing? It seems you have the sources of the program you
> want to call from pam_exec.

In regards to pam_exec, my interest started out towards writing a
shell script to call mount_smbfs and then possibly mounting any other
shares the user wishes and that would require their password.

Currently looking at what to do about mount_smbfs as well. I found
that it throws up the password prompt in such a manner I can pipe the
password to it. One idea that was floated to me on the FS list was
modifying it to allow it to accept it through a socket. Going to dig
more into what is happening with piping the password to it as well.

> The better way is to add a few functions into the sources and
> convert the standalone binary into a regular PAM module.
> 
> In fact, the program in question:
> 1. is not PAM aware, so it can't work with PAM data without source
> code change - patch doesn't help
> 2. is PAM aware, so it shall be written as a regular PAM module -
> patch is not required
> 3. wants to be PAM aware, but its programmer is too lazy to write
> it the clean way (as a regular PAM module) - we need the patch
> 
> The patch shall be rejected because the only purpose of it
> is to support lazy programmers creating hacks instead of solutions.

Actually it does not support lazy programming, but makes the life of
an administrator easier. The problem is the security hole opened up
through procfs. If it can be done safely, I see no reason to expand
pam_exec to do so as it gives it more flexibility.

In regards to writing a module for it, I am actually looking at it
given that currently I am looking at having to fix mount_smbfs and
solve this issue as well. Currently going through and beginning to
familiarize myself with the code in mount_smbfs and reading up a bit
more on C.
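The "pass it through stdin" alternative discussed above, as an added example. This is not code from the thread, from FreeBSD's pam_exec or from mount_smbfs; it is a plain C sketch of what a module (or a harness for testing one) would do instead of exporting PAM_AUTHTOK. The parent creates a pipe, forks, gives the helper a minimal environment that contains no token, writes the token once to the pipe and closes it; the helper reads the token from stdin. Everything below the two library-style functions is constructed for the demonstration: the helper is a /bin/sh one-liner standing in for the script Zane describes, the PAM_USER=alice variable is a made-up non-secret item, and the helper reports the token's length as its exit status only so the caller can confirm delivery without the secret being echoed anywhere.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write the whole buffer, retrying on EINTR and short writes. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;          /* EPIPE here: the helper exited unread */
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Overwrite a buffer through a volatile pointer so the store is kept. */
static void scrub(char *p, size_t n)
{
    volatile char *v = (volatile char *)p;
    while (n-- > 0)
        *v++ = 0;
}

/*
 * Run argv[0] with exactly the environment envp, feeding secret plus a
 * newline on its stdin.  Returns the helper's exit status (0..255) or -1.
 * The secret is never placed in argv or envp, so it is not part of what
 * process-listing tools expose (procstat -e on FreeBSD, /proc/<pid>/environ
 * on Linux); only the two ends of the pipe ever carry it.
 */
int run_helper_with_secret(char *const argv[], char *const envp[],
                           const char *secret)
{
    int fds[2];
    int rc = -1, status = 0;
    pid_t pid, w;
    size_t len = strlen(secret);
    char *buf;

    /* Framing is one line per token: a token containing a newline would
     * be cut short at the helper, so refuse it up front. */
    if (strchr(secret, '\n') != NULL)
        return -1;
    if (pipe(fds) != 0)
        return -1;

    /* If the helper exits before reading, write() must fail with EPIPE
     * rather than killing the calling process (login, sshd) with SIGPIPE.
     * The old disposition is restored below. */
    void (*old)(int) = signal(SIGPIPE, SIG_IGN);

    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        signal(SIGPIPE, old);
        return -1;
    }
    if (pid == 0) {
        /* Child: stdin becomes the read end.  Close both originals so the
         * write end is not inherited by the helper. */
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]);
        close(fds[1]);
        execve(argv[0], argv, envp);
        _exit(127);
    }

    /* Parent: push the token, then close so the helper sees EOF. */
    close(fds[0]);
    buf = malloc(len + 1);
    if (buf != NULL) {
        memcpy(buf, secret, len);
        buf[len] = '\n';
        rc = write_all(fds[1], buf, len + 1);
        scrub(buf, len + 1);
        free(buf);
    }
    close(fds[1]);

    do {
        w = waitpid(pid, &status, 0);
    } while (w < 0 && errno == EINTR);
    signal(SIGPIPE, old);

    if (w < 0 || rc != 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/*
 * Constructed demonstration helper: reads one line from stdin, exits 98 if
 * a PAM_AUTHTOK variable is present in its environment, 99 if nothing
 * arrived on stdin, and otherwise exits with the length of the token it
 * received (mod 256, which is fine for a demo token).
 */
int demo_secret_over_stdin(const char *secret)
{
    char *const argv[] = {
        "/bin/sh", "-c",
        "IFS= read -r tok || exit 99; "
        "[ -z \"${PAM_AUTHTOK+x}\" ] || exit 98; "
        "exit ${#tok}",
        NULL
    };
    /* Minimal environment with only non-secret items; PAM_USER=alice is
     * a made-up sample value, not something read from a PAM handle. */
    char *const envp[] = { "PATH=/bin:/usr/bin", "PAM_USER=alice", NULL };

    return run_helper_with_secret(argv, envp, secret);
}

int main(void)
{
    int rc = demo_secret_over_stdin("hunter2-with space");
    printf("helper exit status (token length): %d\n", rc);
    return rc == 18 ? 0 : 1;
}
```

What stays visible with this design is argv, so the helper must never be handed the token as a command-line argument either, and mount_smbfs would still need a way to take the password from stdin rather than its own prompt, which is the part Zane says he is still investigating.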
From owner-freebsd-security@FreeBSD.ORG Mon May 21 01:43:31 2007
From: Dan Lukes <dan@obluda.cz>
Cc: freebsd security
Date: Mon, 21 May 2007 03:43:22 +0200
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <4650F93A.3080603@obluda.cz>
In-Reply-To: <20070520200310.4a79954e@vixen42>
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42> <86tzu7ifp2.fsf@dwp.des.no> <20070520132410.58989605@vixen42> <4650939B.6020004@obluda.cz> <20070520200310.4a79954e@vixen42>

Zane C.B. wrote, On 05/21/07 02:03:
>> 3. wants to be PAM aware, but its programmer is too lazy to write
>> it the clean way (as a regular PAM module) - we need the patch
>>
>> The patch shall be rejected because the only purpose of it
>> is to support lazy programmers creating hacks instead of solutions.
> 
> Actually it does not support lazy programming, but makes the life of
> an administrator easier.

The contrib/smbfs/mount_smbfs/mount_smbfs.c is very short and simple.
Writing a PAM module with the same functionality requires almost the
same amount of time as patching it.

In addition, you need to catch not only pam_sm_session_open but
pam_sm_session_close (I assume you plan to umount the resource also).

Unfortunately (unless I am missing something) pam_exec has no way to
pass the 'direction' to the called program.

You can't use the simple heuristic "when not mounted, mount it and vice
versa" either, because the same user can have more than one simultaneous
active session.

The logic you need to implement seems to require much more coding than a
simple patch on either pam_exec or mount_smbfs ... pam_exec in the chain
hurts more than it helps.

IMHO, of course. But further discussion about it seems not to be
security related, so we should not continue here.

Dan
-- 
Dan Lukes                                         SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz, dan at (kolej.)mff.cuni.cz

From owner-freebsd-security@FreeBSD.ORG Wed May 23 16:19:56 2007
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Wed, 23 May 2007 16:19:56 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-07:04.file
Message-Id: <200705231619.l4NGJuq7017935@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:04.file                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Heap overflow in file(1)

Category:       contrib
Module:         file
Announced:      2007-05-23
Affects: All FreeBSD releases. Corrected: 2007-05-23 16:12:51 UTC (RELENG_6, 6.2-STABLE) 2007-05-23 16:13:07 UTC (RELENG_6_2, 6.2-RELEASE-p5) 2007-05-23 16:13:20 UTC (RELENG_6_1, 6.1-RELEASE-p17) 2007-05-23 16:12:10 UTC (RELENG_5, 5.5-STABLE) 2007-05-23 16:12:35 UTC (RELENG_5_5, 5.5-RELEASE-p13) CVE Name: CVE-2007-1536 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The file(1) utility attempts to classify file system objects based on filesystem, magic number and language tests. The libmagic(3) library provides most of the functionality of file(1) and may be used by other applications. II. Problem Description When writing data into a buffer in the file_printf function, the length of the unused portion of the buffer is not correctly tracked, resulting in a buffer overflow when processing certain files. III. Impact An attacker who can cause file(1) to be run on a maliciously constructed input can cause file(1) to crash. It may be possible for such an attacker to execute arbitrary code with the privileges of the user running file(1). The above also applies to any other applications using the libmagic(3) library. IV. Workaround No workaround is available, but systems where file(1) and other libmagic(3)-using applications are never run on untrusted input are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.5, 6.1, and 6.2 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. 
[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-07:04/file5.patch
# fetch http://security.FreeBSD.org/patches/SA-07:04/file5.patch.asc

[FreeBSD 6.1 and 6.2]
# fetch http://security.FreeBSD.org/patches/SA-07:04/file6.patch
# fetch http://security.FreeBSD.org/patches/SA-07:04/file6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libmagic
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/contrib/file/file.h                                      1.1.1.7.2.1
  src/contrib/file/funcs.c                                     1.1.1.1.2.1
  src/contrib/file/magic.c                                     1.1.1.1.2.1
RELENG_5_5
  src/UPDATING                                             1.342.2.35.2.13
  src/sys/conf/newvers.sh                                  1.62.2.21.2.15
  src/contrib/file/file.h                                      1.1.1.7.8.1
  src/contrib/file/funcs.c                                     1.1.1.1.8.1
  src/contrib/file/magic.c                                     1.1.1.1.8.1
RELENG_6
  src/contrib/file/file.h                                      1.1.1.8.2.1
  src/contrib/file/funcs.c                                     1.1.1.2.2.1
  src/contrib/file/magic.c                                     1.1.1.2.2.1
RELENG_6_2
  src/UPDATING                                              1.416.2.29.2.8
  src/sys/conf/newvers.sh                                    1.69.2.13.2.8
  src/contrib/file/file.h                                      1.1.1.8.8.1
  src/contrib/file/funcs.c                                     1.1.1.2.8.1
  src/contrib/file/magic.c                                     1.1.1.2.8.1
RELENG_6_1
  src/UPDATING                                             1.416.2.22.2.19
  src/sys/conf/newvers.sh                                   1.69.2.11.2.19
  src/contrib/file/file.h                                      1.1.1.8.6.1
  src/contrib/file/funcs.c                                     1.1.1.2.6.1
  src/contrib/file/magic.c                                     1.1.1.2.6.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:04.file.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGVGjhFdaIBMps37IRAgogAJ9o/0yCxtRi527rgvhg/BoC/AvEsQCfcwMX
ABl7JIb1XiY6QKWQ6UfwlGA=
=meQ0
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed May 23 16:35:46 2007
From: "Brian A. Seklecki"
To: freebsd-security@freebsd.org
In-Reply-To: <200705231619.l4NGJtHB017927@freefall.freebsd.org>
References: <200705231619.l4NGJtHB017927@freefall.freebsd.org>
Organization: Collaborative Fusion, Inc.
Date: Wed, 23 May 2007 12:25:42 -0400
Message-Id: <1179937542.1121.4.camel@soundwave.pgh.priv.collaborativefusion.com>
Cc: FreeBSD Security Advisories
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

I'll have to check, but I doubt anything other than file(1) on
production systems is linked against libmagic.  This is safe to do in
real-time afaik.

~BAS

On Wed, 2007-05-23 at 16:19 +0000, FreeBSD Security Advisories wrote:
> FreeBSD-SA-07:04.file                                       Security Advisory
> The FreeBSD Project
>
> Topic:          Heap overflow in file(1)

-- 
Brian A. Seklecki
Collaborative Fusion, Inc.

IMPORTANT: This message contains confidential information and is intended only for the individual named.
If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

From owner-freebsd-security@FreeBSD.ORG Thu May 24 13:37:43 2007
From: Dag-Erling Smørgrav
To: "Brian A. Seklecki"
Cc: FreeBSD Security Advisories, freebsd-security@freebsd.org
Date: Thu, 24 May 2007 15:37:36 +0200
Message-ID: <86myzugx5r.fsf@dwp.des.no>
In-Reply-To: <1179937542.1121.4.camel@soundwave.pgh.priv.collaborativefusion.com>
 (Brian A. Seklecki's message of "Wed\, 23 May 2007 12\:25\:42 -0400")
References: <200705231619.l4NGJtHB017927@freefall.freebsd.org>
 <1179937542.1121.4.camel@soundwave.pgh.priv.collaborativefusion.com>
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

"Brian A. Seklecki" writes:
> I'll have to check, but I doubt anything other than file(1) on
> production systems is linked against libmagic.  This is safe to do in
> real-time afaik.  ~BAS

AFAIK, Apache's mod_mime_magic either links against libmagic or against
its own copy of the same code.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu May 24 14:37:13 2007
From: Tom Evans
To: des@des.no, freebsd-security@freebsd.org
In-Reply-To: <46559AAC.5030800@tomjudge.com>
References: <46559AAC.5030800@tomjudge.com>
Date: Thu, 24 May 2007 15:09:47 +0100
Message-Id: <1180015787.9846.22.camel@zoot.mintel.co.uk>
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

> Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory
> FreeBSD-SA-07:04.file
> Date: Thu, 24 May 2007 15:37:36 +0200
> From: Dag-Erling Smørgrav
> To: Brian A. Seklecki
> CC: FreeBSD Security Advisories,
> freebsd-security@freebsd.org
> References: <200705231619.l4NGJtHB017927@freefall.freebsd.org>
> <1179937542.1121.4.camel@soundwave.pgh.priv.collaborativefusion.com>
>
> "Brian A. Seklecki" writes:
> > I'll have to check, but I doubt anything other than file(1) on
> > production systems is linked against libmagic. This is safe to do in
> > real-time afaik. ~BAS
>
> AFAIK, Apache's mod_mime_magic either links against libmagic or against
> its own copy of the same code.
>
> DES

I've had an initial look over mod_mime_magic.c in Apache 1.3.37 and
2.2.4. Both are essentially the same module, just adjusted for the
different APIs in 2.x. The module does not use libmagic directly, nor
does it appear to include large portions of similar code.

The history of the module indicates that it was derived from Ian Darwin's
magic(1) posted to comp.source.unix in ~1987, which is where FreeBSD's
magic(1) originated. However, FreeBSD's magic notes that it was
extensively rewritten since then, and I cannot personally identify
similar parts of the code between file/magic.c and mod_mime_magic.c - but
I am not a security expert.

If someone more qualified than me has some time to look at whether
mod_mime_magic is affected, I'd appreciate it greatly.
Regards

Tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQBGVZymlcRvFfyds/cRAuQSAKCi3h59aqco6jTdwKgWZzX5fv9xrgCgo2aG
kgrw8xqQPzuhASjlQ9zulac=
=lYgN
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu May 24 14:49:38 2007
Date: Thu, 24 May 2007 10:39:33 -0400
From: Bill Moran
To: "Dag-Erling Smørgrav"
Cc: freebsd-security@freebsd.org, "Brian A. Seklecki"
Message-Id: <20070524103933.98340818.wmoran@collaborativefusion.com>
In-Reply-To: <86myzugx5r.fsf@dwp.des.no>
References: <200705231619.l4NGJtHB017927@freefall.freebsd.org>
 <1179937542.1121.4.camel@soundwave.pgh.priv.collaborativefusion.com>
 <86myzugx5r.fsf@dwp.des.no>
Organization: Collaborative Fusion
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

In response to "Dag-Erling Smørgrav":

> "Brian A. Seklecki" writes:
> > I'll have to check, but I doubt anything other than file(1) on
> > production systems is linked against libmagic. This is safe to do in
> > real-time afaik. ~BAS
>
> AFAIK, Apache's mod_mime_magic either links against libmagic or against
> its own copy of the same code.

According to the docs:
http://httpd.apache.org/docs/2.2/mod/mod_mime_magic.html

It would appear that Apache uses its own code for mod_mime_magic.  That
does not guarantee that it doesn't have the same problem, however.

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
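The defect class the advisory describes (the unused length of a heap buffer not tracked correctly while file_printf appends into it), and that Bill notes a separately maintained copy of similar code could repeat, shown as an added example that is neither file(1)'s nor Apache's code: a hypothetical appending printf whose remaining length is recomputed from `size - used` after every change, including growth. The `outbuf` type, `outbuf_printf`, and the sample description strings are this example's own names and constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical output buffer, a stand-in for the one the advisory's
 * file_printf writes into (names are this example's own, not file(1)'s).
 * The invariant that matters: the length handed to vsnprintf is always
 * size - used, recomputed after every change to either field. */
struct outbuf {
    char  *buf;   /* heap buffer holding the text */
    size_t size;  /* bytes allocated */
    size_t used;  /* bytes of text present, not counting the NUL */
};

/* Append formatted text, growing the buffer if it does not fit.
 * The defect class the advisory describes is telling vsnprintf a stale or
 * total length here (for instance o->size instead of o->size - o->used),
 * so it believes there is more room than exists and writes past the end. */
static int outbuf_printf(struct outbuf *o, const char *fmt, ...)
{
    va_list ap;
    size_t avail = o->size - o->used;   /* unused portion, tracked exactly */
    int n;

    va_start(ap, fmt);
    n = vsnprintf(o->buf + o->used, avail, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= avail) {
        /* Truncated: grow to exactly what is needed, then retry with the
         * remaining length recomputed from the new size. */
        size_t newsize = o->used + (size_t)n + 1;
        char *nb = realloc(o->buf, newsize);
        if (nb == NULL)
            return -1;
        o->buf = nb;
        o->size = newsize;
        avail = o->size - o->used;
        va_start(ap, fmt);
        n = vsnprintf(o->buf + o->used, avail, fmt, ap);
        va_end(ap);
        if (n < 0 || (size_t)n >= avail)
            return -1;
    }
    o->used += (size_t)n;
    return n;
}

/* Constructed input: a description longer than the 16-byte initial
 * allocation, appended in two pieces the way file(1) builds its output.
 * Copies the text into out and returns its length, or -1 on failure. */
static int describe_constructed_sample(char *out, size_t outlen)
{
    struct outbuf o = { malloc(16), 16, 0 };
    int rc = -1;
    if (o.buf == NULL)
        return -1;
    o.buf[0] = '\0';
    if (outbuf_printf(&o, "%s", "ELF 64-bit LSB executable") >= 0 &&
        outbuf_printf(&o, ", %s", "dynamically linked") >= 0 &&
        strlen(o.buf) == o.used && o.used < o.size) {
        snprintf(out, outlen, "%s", o.buf);
        rc = (int)o.used;
    }
    free(o.buf);
    return rc;
}
```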