From owner-freebsd-announce Mon Sep 20 19:15:58 1999
Delivered-To: freebsd-announce@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49])
    by hub.freebsd.org (Postfix) with ESMTP id A1D161536D;
    Mon, 20 Sep 1999 19:15:34 -0700 (PDT)
    (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6])
    by rover.village.org (8.9.3/8.9.3) with ESMTP id UAA98556;
    Mon, 20 Sep 1999 20:15:32 -0600 (MDT)
    (envelope-from imp@harmony.village.org)
Received: (from imp@localhost)
    by harmony.village.org (8.9.3/8.8.3) id UAA22243;
    Mon, 20 Sep 1999 20:14:55 -0600 (MDT)
Date: Mon, 20 Sep 1999 20:14:55 -0600 (MDT)
Message-Id: <199909210214.UAA22243@harmony.village.org>
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-99:06.amd
Reply-To: security-officer@freebsd.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-99:06                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          remote amd attack

Category:       core
Module:         kernel
Announced:      1999-09-16
Affects:        FreeBSD 3.2 (and earlier)
                FreeBSD-current before the correction date.
                FreeBSD 3.2-stable before the correction date.
Corrected:      FreeBSD-3.3 RELEASE
                FreeBSD-current as of September 7, 1999
                FreeBSD-3.2-stable as of August 25, 1999
                The FreeBSD-3.3-RC series of releases are not affected.
FreeBSD only:   NO
Bugtraq Id:     614 (variation)
CERT ID:        CA-99.12

Patches:        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-99:06/

I.   Background

The amd program allows for a very flexible array of remote and local
file systems to be mounted automatically on an as needed basis. Amd is
an optional utility that system administrators must explicitly enable.
If amd is not enabled on your system, then your system is not
vulnerable.

II.  Problem Description

There are two buffer overflow vulnerabilities in the amd daemon.

III. Impact

Remote users could execute arbitrary code as root in the amd daemon
context.

IV.  Workaround

The only way to avoid these problems is to upgrade or not run the amd
daemon. That leaves disabling the amd daemon as your only workaround.

V.   Solution

Upgrade your system to one that is listed above as having the problem
resolved, or you may patch your present systems.

To patch your present system apply the following patches to amd,
rebuild, install and restart amd (or reboot).
Patches for 3.2-stable and -current systems before the resolution date: Index: xutil.c =================================================================== RCS file: /home/ncvs/src/contrib/amd/libamu/xutil.c,v retrieving revision 1.1.1.3 retrieving revision 1.1.1.3.2.1 diff -u -r1.1.1.3 -r1.1.1.3.2.1 --- xutil.c 1999/01/13 19:20:33 1.1.1.3 +++ xutil.c 1999/08/25 18:59:39 1.1.1.3.2.1 @@ -272,16 +272,18 @@ /* * Take a log format string and expand occurrences of %m - * with the current error code taken from errno. + * with the current error code taken from errno. Make sure + * 'e' never gets longer than maxlen characters. */ static void -expand_error(char *f, char *e) +expand_error(char *f, char *e, int maxlen) { extern int sys_nerr; - char *p; + char *p, *q; int error = errno; + int len = 0; - for (p = f; (*e = *p); e++, p++) { + for (p = f, q = e; (*q = *p) && len < maxlen; len++, q++, p++) { if (p[0] == '%' && p[1] == 'm') { const char *errstr; if (error < 0 || error >= sys_nerr) @@ -289,13 +291,15 @@ else errstr = sys_errlist[error]; if (errstr) - strcpy(e, errstr); + strcpy(q, errstr); else - sprintf(e, "Error %d", error); - e += strlen(e) - 1; + sprintf(q, "Error %d", error); + len += strlen(q) - 1; + q += strlen(q) - 1; p++; } } + e[maxlen-1] = '\0'; /* null terminate, to be sure */ } 
@@ -401,9 +405,15 @@ checkup_mem(); #endif /* DEBUG_MEM */ - expand_error(fmt, efmt); + expand_error(fmt, efmt, 1024); + /* + * XXX: ptr is 1024 bytes long. It is possible to write into it + * more than 1024 bytes, if efmt is already large, and vargs expand + * as well. + */ vsprintf(ptr, efmt, vargs); + msg[1023] = '\0'; /* null terminate, to be sure */ ptr += strlen(ptr); if (ptr[-1] == '\n') Index: amq_subr.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/contrib/amd/amd/amq_subr.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- amq_subr.c 1999/01/13 20:03:54 1.3 +++ amq_subr.c 1999/09/07 23:07:03 1.4 
@@ -204,11 +204,24 @@ int * amqproc_mount_1_svc(voidp argp, struct svc_req *rqstp) { - static int rc; - char *s = *(amq_string *) argp; + static int rc = EINVAL; + char s[AMQ_STRLEN]; char *cp; + char dq[20]; + struct sockaddr_in *sin; + + if ((sin = amu_svc_getcaller(rqstp->rq_xprt)) == NULL) { + plog(XLOG_ERROR, "amu_svc_getcaller returned NULL"); + return &rc; + } + + strncpy(s, *(amq_string *) argp, AMQ_STRLEN-1); + s[AMQ_STRLEN-1] = '\0'; /* null terminate, to be sure */ + plog(XLOG_ERROR, + "amq requested mount of %s from %s.%d", + s, inet_dquad(dq, sin->sin_addr.s_addr), + ntohs(sin->sin_port)); - plog(XLOG_INFO, "amq requested mount of %s", s); /* * Minimalist security check. */

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBN+aDyFUuHi5z0oilAQHyLQP/fohJFzI6h9g8ApbdjQJNu+sunEd7cehd
IWuvFWuiTzRRqfj7tc9+Y7FEleFKv66WM98k9zBHzU8ZVzCQ5jlf1CcM1DegEqKc
i8j71gpoKFQyrxsW3AdR2UESnUxYw8bDvimuVHyCVSvjrpvZ+5b5wXMqbvDNMo5I
UgTaLUhzQEg=
=0ohw
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
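
Review bot: In the first xutil.c hunk (expand_error), the new loop test "(*q = *p) && len < maxlen" stores the byte before it checks the bound, so once len reaches maxlen one byte is written at e[maxlen], past the maxlen characters the updated comment promises. The %m branch is also still unbounded: strcpy(q, errstr) and sprintf(q, "Error %d", error) run without looking at how much of maxlen is left, and len is only compared again at the top of the next iteration. Suggest testing the bound before the assignment and copying the error text with a length limited to the space remaining; the closing e[maxlen-1] = '\0' only truncates what has already been written.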
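
Review bot: In the second xutil.c hunk (@@ -401), vsprintf(ptr, efmt, vargs) is left unbounded even though the added XXX comment itself says more than 1024 bytes can be written into ptr; setting msg[1023] = '\0' afterwards shortens the string but does not undo a write past the end of the buffer. Suggest a length-limited formatter (vsnprintf where the platform has it) sized to the space left in msg from ptr, and replacing the literals 1024 and 1023 with sizeof on the buffers, whose declarations are outside this hunk.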
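
Review bot: In the amq_subr.c hunk, the early return on a NULL caller relies on "static int rc = EINVAL", but a static initializer takes effect only once, so if code later in the function (not visible in this hunk) assigns rc, this path returns the value left by a previous request; assign rc = EINVAL explicitly before "return &rc;". Two smaller points: the routine request message moved from XLOG_INFO to XLOG_ERROR, which deserves a comment if it is meant as an audit trail, and strncpy silently truncates a request longer than AMQ_STRLEN-1 and then goes on with the truncated name, where rejecting the request would be safer.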
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Tue Sep 21 19:28:58 1999
Delivered-To: freebsd-announce@freebsd.org
Received: from vnode.vmunix.com (vnode.vmunix.com [209.112.4.20])
    by hub.freebsd.org (Postfix) with ESMTP id 6E1711543F
    for ; Tue, 21 Sep 1999 19:28:50 -0700 (PDT)
    (envelope-from chrisc@vmunix.com)
Received: from localhost (chrisc@localhost)
    by vnode.vmunix.com (8.9.3/8.9.3) with ESMTP id WAA09438
    for ; Tue, 21 Sep 1999 22:28:50 -0400 (EDT)
Date: Tue, 21 Sep 1999 22:28:49 -0400 (EDT)
From: Chris Coleman
To: announce@freebsd.org
Subject: FreeBSD Real Quick News Letter.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FreeBSD Real-Quick(TM) NewsLetter.
Things Happening in FreeBSD.
September 1999

Release Information:
FreeBSD 3.3 is available from http://www.FreeBSDMall.com
FreeBSD 4.0 is now the Development Version with no release
scheduled until early 2000.

FreeBSD in the News:
There have been several great articles in the press lately about
FreeBSD. A lot of them can be found by searching
http://daily.daemonnews.org

FreeBSD Advocacy:
The advocacy.freebsd.org site has currently been discontinued.
Most of the functionality has been wrapped into
http://freebsd.tesserae.com
I will be attempting to use content from freebsd.tesserae.com to
automatically generate the RQN in the future.

FreeBSD'zine:
The FreeBSD zine seems to be having trouble getting authors. I know
there are lots of people who can write and have time. Submitting
articles to the FreeBSD zine is a great way to contribute, especially
if you don't know enough about coding programs to get your stuff
committed.
http://www.freebsdzine.org

Daemon News:
Due to extreme growth in the BSD community, Daemon News is branching
out. Although Oct 1, 1999 is our official release date, our new News
site is online and functioning:
http://daily.daemonnews.org
Feel free to suggest stories and make contents. This is not all, be
sure to check us out on Oct 1 to see what we have done.
http://www.daemonnews.org

This is a (hopefully) monthly Newsletter, published only by E-mail.
If you have anything you would like to see in the next edition,
please post it at http://daily.daemonnews.org/add_story.php3

-Chris Coleman
Daemon News Editor in Chief
http://www.daemonnews.org
Bringing BSD Together.

From owner-freebsd-announce Wed Sep 22 22:14:41 1999
Delivered-To: freebsd-announce@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91])
    by hub.freebsd.org (Postfix) with ESMTP id 712F415155;
    Wed, 22 Sep 1999 22:14:31 -0700 (PDT)
    (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100])
    by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id XAA29699;
    Wed, 22 Sep 1999 23:14:30 -0600 (MDT)
    (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4)
    id XAA18035; Wed, 22 Sep 1999 23:14:29 -0600
Date: Wed, 22 Sep 1999 23:14:29 -0600
Message-Id: <199909230514.XAA18035@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: freebsd-announce@FreeBSD.org
Cc: java@FreeBSD.org
Subject: Announce: New release of JDK1.1.8 for FreeBSD
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As always it is my great pleasure to announce another release of the
JDK for FreeBSD. We've re-released JDK1.1.8 after fixing a couple of
bugs in the previous release.

For all your FreeBSD/JDK needs, see our home page at:
http://www.freebsd.org/java

Notable changes in this release include:
- Printing from the JDK should now work reliably.
- Updated to now use the assembly version of the interpreter.
  Performance should be increased slightly.
- Better handling of signals like DIVIDE and SIGFPE which are trapped
  and handled correctly now.
- The ELF version should work better with AWT/Swing applications. The
  FreeBSD project donated a more modern copy of Motif that should
  avoid some weird X errors that occurred previously.

In particular, the performance improvements from using the assembly
version of the interpreter should be motivation enough for everyone
to update to this version.

The FreeBSD ports collection has been updated to download the new
version, so feel free to update the ports collection and get the new
port.

Thanks again go to Keith White whose amazing debugging skills and
knowledge provided all of the above fixes. Thanks also go to the
FreeBSD Project who donated a newer copy of Motif in order to make
the more recent ELF releases more stable.

--------------------------------------------------

In other news, the JDK2 port has been going slowly. Because of summer
vacations and the great weather, the developers have spent time
enjoying non-computer things.
I expect that as the weather starts to cool down we'll be spending
more time in front of our computer, and the JDK2 porting effort will
ramp back up. We do have a good start on the effort, although it is
not yet organized enough to provide even an early alpha release. When
we have something more solid, we will send out email to the
freebsd-java list.

Also, there is some work in progress in doing a native threads
implementation of the JDK. This work is *very* early, and is mostly
related to adding some new functionality to the FreeBSD kernel to
support some necessary features needed to port the JDK. This means
that a native threaded JDK probably won't be usable on systems prior
to FreeBSD 4.0. More information will be posted on the freebsd-java
mailing list as it becomes available.

Thanks!

-- The FreeBSD JDK porting team