From: Christian Baer
To: freebsd-security@freebsd.org
Date: Tue, 10 Jul 2007 11:28:10 +0200 (CEST)
Subject: slight irritation using digest (from the ports)

Hello Folks!

For a special application I needed to create digests (or hashes) using
the whirlpool algorithm. It was kind of hard to find something that
actually did that. But I found digest in the ports tree - ok, with some
help from someone who seemed to know what to look for. :-)

What irritates me is the Wikipedia-page on Whirlpool:
http://en.wikipedia.org/wiki/Whirlpool_%28algorithm%29

There is a chance that the author of the article messed up somehow but
when you are handling sensitive stuff, chances aren't really the things
you want to take.

My irritations in detail:

My zero-hash is the same as the example shown for whirlpool
(whirlpool-2). That's a good sign so far.

My hash for "The quick brown fox jumps over the lazy dog" is:
72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae
059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873
And that is nowhere near the examples shown in the article. The same
basic thing applies for the change of "dog" to "eog". My hashes are
completely different - as in "no chance the hashes were transferred by
typing and a typo snuck in". I've tried changing the first letter to a
small 't' in case the author didn't hash the sentence with a capital,
but that didn't resolve the problem, nor did adding a full stop. I even
added the quotes to the string that whirlpool digested - didn't change
anything. I know I could try changing the input until kingdom come
without finding the error, so I left it at that.

I could however verify (using a few tests, if you want to call that
"verifying") that the results were the same on both i386 and sparc64
platforms - but since the port was taken from NetBSD, there aren't any
surprises in that.

Just to make things a little more complex, I encoded "Telegraph Road"
off one of my Dire Straits CDs to mp3, hashed that with digest and
compared the hash to the result a friend of mine got with Jacksum[1] on
a Windows box. These were the same and Jacksum says the algorithm is
WHIRLPOOL-2 (which is usually named without the number).
This may be only a small irritation but since we are talking about a
security issue, I don't want to dismiss it too easily either. Are there
any opinions to this out there?

Regards
Chris

[1] http://www.jonelo.de/java/jacksum/

From: Wesley Shields
To: Christian Baer
Cc: freebsd-security@freebsd.org
Date: Tue, 10 Jul 2007 06:36:55 -0400
Subject: Re: slight irritation using digest (from the ports)

On Tue, Jul 10, 2007 at 11:28:10AM +0200, Christian Baer wrote:
> Hello Folks!
>
> For a special application I needed to create digests (or hashes) using
> the whirlpool algorithm. It was kind of hard to find something that
> actually did that. But I found digest in the ports tree - ok, with some
> help from someone who seemed to know what to look for. :-)
>
> What irritates me is the Wikipedia-page on Whirlpool:
> http://en.wikipedia.org/wiki/Whirlpool_%28algorithm%29
>
> There is a chance that the author of the article messed up somehow but
> when you are handling sensitive stuff, chances aren't really the things
> you want to take.
>
> My irritations in detail:
>
> My zero-hash is the same as the example shown for whirlpool
> (whirlpool-2). That's a good sign so far.
>
> My hash for "The quick brown fox jumps over the lazy dog" is:
> 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae
> 059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873
> And that is nowhere near the examples shown in the article. The same
> basic thing applies for the change of "dog" to "eog". My hashes are
> completely different - as in "no chance the hashes were transferred by
> typing and a typo snuck in". I've tried changing the first letter to a
> small 't' in case the author didn't hash the sentence with a capital,
> but that didn't resolve the problem, nor did adding a full stop. I even
> added the quotes to the string that whirlpool digested - didn't change
> anything. I know I could try changing the input until kingdom come
> without finding the error, so I left it at that.

I think this illustrates what you're seeing...

wxs@rst wxs > echo "The quick brown fox jumps over the lazy dog" > foo
wxs@rst wxs > digest whirlpool foo
WHIRLPOOL (foo) = 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873
wxs@rst wxs > echo -n "The quick brown fox jumps over the lazy dog" > foo
wxs@rst wxs > digest whirlpool foo
WHIRLPOOL (foo) = b97de512e91e3828b40d2b0fdce9ceb3c4a71f9bea8d88e75c4fa854df36725fd2b52eb6544edcacd6f8beddfea403cb55ae31f03ad62a5ef54e42ee82c3fb35
wxs@rst wxs >

It was including the trailing newline character in your example.
--
WXS

From: Johan van Selst
To: Christian Baer
Cc: freebsd-security@freebsd.org
Date: Tue, 10 Jul 2007 12:26:44 +0200
Subject: Re: slight irritation using digest (from the ports)

Hi Christian,

Christian Baer wrote:
> My hash for "The quick brown fox jumps over the lazy dog" is:
> 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae
> 059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873
> And that is nowhere near the examples shown in the article.

You have included the trailing newline in your hash calculation;
the example in the article did not do this:

echo The quick brown fox jumps over the lazy dog | openssl dgst -whirlpool
(stdin)= 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873
echo -n The quick brown fox jumps over the lazy dog | openssl dgst -whirlpool
(stdin)= b97de512e91e3828b40d2b0fdce9ceb3c4a71f9bea8d88e75c4fa854df36725fd2b52eb6544edcacd6f8beddfea403cb55ae31f03ad62a5ef54e42ee82c3fb35

Greetings,
Johan
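
The mismatch diagnosed in the replies above, as an added example that is not part of the thread: a POSIX shell helper that hashes a message bare, with a trailing LF and with a trailing CRLF, and reports which framing reproduces a reference digest. The function names `hash_hex` and `classify_framing` are made up for this example; it assumes an `openssl` build or an `<alg>sum` utility that supports the chosen algorithm, and it uses `printf` because `echo -n` is not portable across shells.

```shell
#!/bin/sh
# Added example, not from the thread: find which line-ending framing of a
# message reproduces a published reference digest.

# hash_hex ALG - print the lowercase hex digest of stdin.
# Uses `openssl dgst -ALG` if the local build supports ALG, otherwise an
# ALGsum utility such as sha256sum. Returns 2 if neither is usable.
hash_hex() {
    if command -v openssl >/dev/null 2>&1 &&
       openssl dgst -"$1" </dev/null >/dev/null 2>&1; then
        # Output looks like "(stdin)= <hex>"; keep only the hex part.
        openssl dgst -"$1" | sed 's/^.*= *//'
    elif command -v "${1}sum" >/dev/null 2>&1; then
        "${1}sum" | cut -d' ' -f1
    else
        return 2
    fi
}

# classify_framing ALG EXPECTED MESSAGE
# Prints bare, lf or crlf (the framing whose digest equals EXPECTED) and
# returns 0; prints no-match and returns 1; returns 2 if ALG is unavailable.
# EXPECTED may be upper case or split by whitespace, as digests pasted into
# mail often are.
classify_framing() {
    cf_alg=$1
    cf_want=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \n\r\t')
    cf_msg=$3
    for cf_framing in bare lf crlf; do
        case $cf_framing in
            bare) cf_got=$(printf '%s' "$cf_msg" | hash_hex "$cf_alg") ;;
            lf)   cf_got=$(printf '%s\n' "$cf_msg" | hash_hex "$cf_alg") ;;
            crlf) cf_got=$(printf '%s\r\n' "$cf_msg" | hash_hex "$cf_alg") ;;
        esac || return 2
        if [ "$cf_got" = "$cf_want" ]; then
            printf '%s\n' "$cf_framing"
            return 0
        fi
    done
    printf 'no-match\n'
    return 1
}

# The sentence and the two-line digest exactly as posted in the thread.
msg='The quick brown fox jumps over the lazy dog'
posted='72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae
059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873'
classify_framing whirlpool "$posted" "$msg" ||
    echo "(whirlpool unavailable in this build, or no framing matched)"
```

The framing effect does not depend on the hash function, so the helper can be exercised with any algorithm the local tools provide when whirlpool is not compiled in.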

From: Christian Baer
To: freebsd-security@freebsd.org
Date: Thu, 12 Jul 2007 15:12:35 +0200 (CEST)
Subject: Re: slight irritation using digest (from the ports)

On Tue, 10 Jul 2007 12:26:44 +0200 Johan van Selst wrote:

> You have included the trailing newline in your hash calculation;
> the example in the article did not do this:

Right now I feel a bit like Homer Simpson: DOH!

Great, I could have thought of that by myself, but once again, finding
the problem was like finding an elephant through a microscope.

Thanks for straightening me out! :-)

> echo The quick brown fox jumps over the lazy dog | openssl dgst -whirlpool

Did you install a port with an extended openssl or is there some trick
to this? My manpage for openssl doesn't even include sha256, only md2,
md5, mdc2, rmd160, sha (which will probably be sha-0) and sha1.

Did I miss something?

Regards
Chris

From: Johan van Selst
To: Christian Baer
Cc: freebsd-security@freebsd.org
Date: Thu, 12 Jul 2007 16:03:54 +0200
Subject: Re: slight irritation using digest (from the ports)

Christian Baer wrote:
> Did you install a port with an extended openssl or is there some trick
> to this? My manpage for openssl doesn't even include sha256, only md2,
> md5, mdc2, rmd160, sha (which will probably be sha-0) and sha1.

Ah, yes - this is indeed a snapshot of the openssl development version
(0.9.9); I did not install it from the FreeBSD ports. This also includes
sha-2 (sha224,256,384,512) algorithms.

I'm not sure if these hashes are already included in 0.9.8 (which is in
ports tree). I think sha* is, but whirlpool is not.

Greetings,
Johan

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Thu, 12 Jul 2007 15:09:48 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-07:05.libarchive

=============================================================================
FreeBSD-SA-07:05.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Errors handling corrupt tar files in libarchive(3)

Category:       core
Module:         libarchive
Announced:      2007-07-12
Credits:        CPNI, CERT-FI, Tim Kientzle, Colin Percival
Affects:        FreeBSD 5.3 and later.
Corrected:      2007-07-12 15:00:44 UTC (RELENG_6, 6.2-STABLE)
                2007-07-12 15:01:14 UTC (RELENG_6_2, 6.2-RELEASE-p6)
                2007-07-12 15:01:32 UTC (RELENG_6_1, 6.1-RELEASE-p18)
                2007-07-12 15:01:42 UTC (RELENG_5, 5.5-STABLE)
                2007-07-12 15:01:56 UTC (RELENG_5_5, 5.5-RELEASE-p14)
CVE Name:       CVE-2007-3641, CVE-2007-3644, CVE-2007-3645

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The libarchive library provides a flexible interface for reading and
writing streaming archive files such as tar and cpio, and has been the
basis for FreeBSD's implementation of the tar(1) utility since FreeBSD 5.3.

II.  Problem Description

Several problems have been found in the code used to parse the tar and
pax interchange formats. These include entering an infinite loop if an
archive prematurely ends within a pax extension header or if certain
types of corruption occur in pax extension headers [CVE-2007-3644];
dereferencing a NULL pointer if an archive prematurely ends within a tar
header immediately following a pax extension header or if certain other
types of corruption occur in pax extension headers [CVE-2007-3645]; and
miscomputing the length of a buffer resulting in a buffer overflow if
yet another type of corruption occurs in a pax extension header
[CVE-2007-3641].

III. Impact

An attacker who can cause a corrupt archive of his choice to be parsed
by libarchive, including by having "tar -x" (extract) or "tar -t" (list
entries) run on it, can cause libarchive to enter an infinite loop, to
core dump, or possibly to execute arbitrary code provided by the
attacker.

IV.  Workaround

No workaround is available, but systems which do not read tar or pax
extension archives provided by untrusted sources are not vulnerable.

Note that while these issues do not affect libarchive's ability to parse
cpio, ISO9660, or zip format archives, libarchive automatically detects
the format of an archive, so external metadata (e.g., a file name) is
not sufficient to ensure that a file will not be parsed using the
vulnerable tar/pax format parser.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:05/libarchive.patch
# fetch http://security.FreeBSD.org/patches/SA-07:05/libarchive.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libarchive
# make obj && make depend && make && make install
# cd /usr/src/rescue
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_5
  src/lib/libarchive/archive_read_support_format_tar.c           1.26.2.8
RELENG_5_5
  src/UPDATING                                            1.342.2.35.2.14
  src/sys/conf/newvers.sh                                  1.62.2.21.2.16
  src/lib/libarchive/archive_read_support_format_tar.c       1.26.2.7.2.1
RELENG_6
  src/lib/libarchive/archive_read_support_format_tar.c           1.32.2.5
RELENG_6_2
  src/UPDATING                                             1.416.2.29.2.9
  src/sys/conf/newvers.sh                                   1.69.2.13.2.9
  src/lib/libarchive/archive_read_support_format_tar.c       1.32.2.2.2.1
RELENG_6_1
  src/UPDATING                                            1.416.2.22.2.20
  src/sys/conf/newvers.sh                                  1.69.2.11.2.20
  src/lib/libarchive/archive_read_support_format_tar.c           1.32.6.1
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3644
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3645

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:05.libarchive.asc

From: Alex Samorukov
To: freebsd-security@freebsd.org
Date: Sat, 14 Jul 2007 07:59:01 +0300
Subject: OpenBSM questions

Hello

I have some issues with OpenBSM which I cannot resolve, so I decided to
ask there.

1) I found some bugs in the auditreduce utility and created patch for it -
http://www.freebsd.org/cgi/query-pr.cgi?pr=114534. Please, someone from
freebsd team - take it, I think it's better to fix this before next release.

2) I found that when I'm using XDM as login manager with OpenBSM, all my
audit events come with subject -1, and because of this I can't filter them
with audit_user policy. When I'm using console "login" all work as designed
and I got logged in user in the subject. I think that xdm must be patched to
support audit, I found audit code in the login sources. Maybe someone
already did such patches?

3) All services running from rc scripts also using "-1" as their subject.
How can I change subject for such programs? E.g. mysql work with mysql
uid/gid and I want create special policy for the mysql in the audit_user
file, but "subject" of such events is always "-1", so I can't do this.

P.S. I'm using FreeBSD-STABLE.

From: Robert Watson
To: Alex Samorukov
Cc: freebsd-security@freebsd.org
Date: Sat, 14 Jul 2007 16:45:14 +0100 (BST)
Subject: Re: OpenBSM questions

On Sat, 14 Jul 2007, Alex Samorukov wrote:

> I have some issues with OpenBSM which I cannot resolve, so I decided to ask
> there.
>
> 1) I found some bugs in the auditreduce utility and created patch for it -
> http://www.freebsd.org/cgi/query-pr.cgi?pr=114534. Please, someone from
> freebsd team - take it, I think it's better to fix this before next release.

I was not aware of this PR, thanks for pointing it out. In the future, if no
one picks up an audit-related PR, feel free to send e-mail to
trustedbsd-audit@TrustedBSD.org and/or directly to me. I've grabbed ownership
of this PR and will apply the changes to OpenBSM, hopefully today.

> 2) I found that when I'm using XDM as login manager with OpenBSM, all my
> audit events come with subject -1, and because of this I can't filter them
> with audit_user policy. When I'm using console "login" all work as designed
> and I got logged in user in the subject. I think that xdm must be patched to
> support audit, I found audit code in the login sources. Maybe someone
> already did such patches?

This is correct -- login services must be modified to properly set up user
audit state at login. I am not familiar with work relating to this with xdm,
kdm, gdm, etc, but it would be very good to see this happen. Possibly, e-mail
to the port maintainers of these may be called for, possibly with patches.

> 3) All services running from rc scripts also using "-1" as their subject.
> How can I change subject for such programs? E.g. mysql work with mysql
> uid/gid and I want create special policy for the mysql in the audit_user
> file, but "subject" of such events is always "-1", so I can't do this.

Hmm. Right now there isn't a tool to do this, but there probably should be.

> P.S. I'm using FreeBSD-STABLE.

The patch you've submitted will go first into OpenBSM, then 7-CURRENT, and
then at some point an MFC to 6-STABLE. Fortunately, you've caught me just
before I released OpenBSM 1.0 alpha 15, which will be the last import (we
hope) before 7.0. If you're aware of any other outstanding issues relating to
OpenBSM, please let me know.

Robert N M Watson
Computer Laboratory
University of Cambridge

From: Robert Watson
To: Garrett Wollman
Cc: freebsd-security@freebsd.org
Date: Sat, 14 Jul 2007 19:33:35 +0100 (BST)
Subject: Re: OpenBSM questions

On Sat, 14 Jul 2007, Garrett Wollman wrote:

> < said:
>
>> This is correct -- login services must be modified to properly set up user
>> audit state at login. I am not familiar with work relating to this with
>> xdm, kdm, gdm, etc, but it would be very good to see this happen.
>
> Surely this is something that belongs in a PAM module...? The whole point
> of the PAM framework is that you should *not* have to modify every program
> that does a login when new mechanisms are introduced or policy changes.

Setting login state is not the only thing that audit does. Audit requirements
also exist to audit failures in the login process that may be entirely
unrelated to authentication. That said, I'm not 100% sure that the audit
state, leaving aside the auditing of login events, couldn't be done in a PAM
module. An interesting question is why the rest of the UNIX credential is also
not set up using PAM -- see calls to setlogin(2), setusercontext(3), etc, in
login.c and other things involved in login.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-security@FreeBSD.ORG Sat Jul 14 18:28:56 2007
Message-ID: <18073.3478.284631.986914@hergotha.csail.mit.edu>
Date: Sat, 14 Jul 2007 13:53:26 -0400
From: Garrett Wollman
To: Robert Watson
In-Reply-To: <20070714164146.Q80803@fledge.watson.org>
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSM questions

< said:

> This is correct -- login services must be modified to properly set up user
> audit state at login. I am not familiar with work relating to this with xdm,
> kdm, gdm, etc, but it would be very good to see this happen.

Surely this is something that belongs in a PAM module...? The whole point of
the PAM framework is that you should *not* have to modify every program that
does a login when new mechanisms are introduced or policy changes.

-GAWollman
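
The "subject -1" behaviour discussed in this thread, as an added example that is not part of any of the messages and is not OpenBSM's own code: a process whose audit ID was never set is preselected by the naflags line of audit_control, so an audit_user entry only takes effect once a login service has set the audit state. The file contents and the user "operator" are constructed, and class lists are assumed to be bare class names without the +, - or ^ prefixes.

```python
"""Model of OpenBSM preselection for attributed and unattributed processes.

Constructed sample files; class lists are bare names (no +, - or ^ prefixes).
"""
AUDIT_CONTROL = """\
dir:/var/audit
flags:lo
naflags:lo
"""

AUDIT_USER = """\
root:lo,ad:no
mysql:fr,fw,nt:no
operator:fr:lo
"""


def parse_classes(field):
    """Split a comma-separated class list; the class 'no' selects nothing."""
    names = (c.strip() for c in field.split(","))
    return {c for c in names if c and c != "no"}


def parse_audit_control(text):
    """Return (flags, naflags) from audit_control-style 'key:value' lines."""
    conf = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key] = value
    return parse_classes(conf.get("flags", "")), parse_classes(conf.get("naflags", ""))


def parse_audit_user(text):
    """Return {username: (alwaysaudit, neveraudit)} from audit_user-style lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, always, never = line.split(":")
            users[name] = (parse_classes(always), parse_classes(never))
    return users


def effective_mask(audit_user_name, flags, naflags, users):
    """Classes audited for a process; audit_user_name is None when auid is -1."""
    if audit_user_name is None:
        return set(naflags)  # non-attributable: no audit_user entry can match
    always, never = users.get(audit_user_name, (set(), set()))
    return (flags | always) - never  # (flags + alwaysaudit) - neveraudit
```

With these samples, a daemon started from rc with its audit ID still at -1 gets only the naflags classes, even though audit_user has a mysql line.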