From owner-freebsd-security-notifications@FreeBSD.ORG Wed Jan 11 08:19:05 2006 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EDF0C16A420; Wed, 11 Jan 2006 08:19:05 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA90443D5A; Wed, 11 Jan 2006 08:19:04 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k0B8J4Gx066565; Wed, 11 Jan 2006 08:19:04 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k0B8J40j066563; Wed, 11 Jan 2006 08:19:04 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 11 Jan 2006 08:19:04 GMT Message-Id: <200601110819.k0B8J40j066563@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:01.texindex X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jan 2006 08:19:06 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:01.texindex Security Advisory The FreeBSD Project Topic: Texindex temporary file privilege escalation Category: contrib Module: texinfo Announced: 2006-01-11 Credits: Frank Lichtenheld Affects: All FreeBSD releases. Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE) 2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2) 2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE) 2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9) 2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24) 2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE) 2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14) 2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20) CVE Name: CAN-2005-3011 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background TeX is a document typesetting system which is popular in the mathematics, physics, and computer science realms because of its ability to typeset complex mathematical formulas. texindex(1) is a utility which is often used to generate a sorted index of a TeX file. II. Problem Description The "sort_offline" function used by texindex(1) employs the "maketempname" function, which produces predictable file names and fails to validate that the paths do not exist. III. Impact These predictable temporary file names are problematic because they allow an attacker to take advantage of a race condition in order to execute a symlink attack, which could enable them to overwrite files on the system in the context of the user running the texindex(1) utility. IV. Workaround No workaround is available, but the problematic code is only executed if the input file being processed is 500kB or more in length; as a result, users working with documents of less than several hundred pages are very unlikely to be affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, 5.4, and 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.x and 5.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch.asc [FreeBSD 6.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/gnu/usr.bin/texinfo/texindex # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 contrib/texinfo/util/texindex.c 1.1.1.3.2.4 RELENG_4_11 src/UPDATING 1.73.2.91.2.15 src/sys/conf/newvers.sh 1.44.2.39.2.18 contrib/texinfo/util/texindex.c 1.1.1.3.2.3.6.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.21 src/sys/conf/newvers.sh 1.44.2.34.2.22 contrib/texinfo/util/texindex.c 1.1.1.3.2.3.4.1 RELENG_5 contrib/texinfo/util/texindex.c 1.1.1.7.4.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.18 src/sys/conf/newvers.sh 1.62.2.18.2.14 contrib/texinfo/util/texindex.c 1.1.1.7.8.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.27 src/sys/conf/newvers.sh 1.62.2.15.2.29 contrib/texinfo/util/texindex.c 1.1.1.7.6.1 RELENG_6 contrib/texinfo/util/texindex.c 1.1.1.8.2.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.7 src/sys/conf/newvers.sh 1.69.2.8.2.3 contrib/texinfo/util/texindex.c 1.1.1.8.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:01.texindex.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDxL4PFdaIBMps37IRAoJSAJ9kEVz5knEPcpUDw4psmKpbBjFH8wCfa7mq u+tT93VL13dZm8/9WCMU51k= =z4va -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@FreeBSD.ORG Wed Jan 11 08:19:11 2006 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE50116A41F; Wed, 11 Jan 2006 08:19:11 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0232343D55; Wed, 11 Jan 2006 08:19:10 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k0B8JAAq066616; Wed, 11 Jan 2006 08:19:10 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k0B8JAxT066614; Wed, 11 Jan 2006 08:19:10 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 11 Jan 2006 08:19:10 GMT Message-Id: <200601110819.k0B8JAxT066614@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:02.ee X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jan 2006 08:19:12 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:02.ee Security Advisory The FreeBSD Project Topic: ee temporary file privilege escalation Category: core Module: ee Announced: 2006-01-11 Credits: Christian S.J. Peron Affects: All FreeBSD versions Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE) 2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2) 2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE) 2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9) 2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24) 2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE) 2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14) 2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20) CVE Name: CVE-2006-0055 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ee utility is a simple screen oriented text editor. This editor is popular with a lot of users due to its ease of use. II. Problem Description The ispell_op function used by ee(1) while executing spell check operations employs an insecure method of temporary file generation. This method produces predictable file names based on the process ID and fails to confirm which path will be over written with the user. It should be noted that ispell does not have to be installed in order for this to be exploited. The option simply needs to be selected. III. Impact These predictable temporary file names are problematic because they allow an attacker to take advantage of a race condition in order to execute a symlink attack, which could allow them to overwrite files on the system in the context of the user running the ee(1) editor. IV. Workaround Instead of invoking ispell through ee(1), invoke it directly. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, 5.4, and 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:02/ee.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:02/ee.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/usr.bin/ee # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 usr.bin/ee/ee.c 1.16.2.9 RELENG_4_11 src/UPDATING 1.73.2.91.2.15 src/sys/conf/newvers.sh 1.44.2.39.2.18 usr.bin/ee/ee.c 1.16.2.7.6.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.21 src/sys/conf/newvers.sh 1.44.2.34.2.22 usr.bin/ee/ee.c 1.16.2.7.4.1 RELENG_5 usr.bin/ee/ee.c 1.31.4.2 RELENG_5_4 src/UPDATING 1.342.2.24.2.18 src/sys/conf/newvers.sh 1.62.2.18.2.14 usr.bin/ee/ee.c 1.31.4.1.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.27 src/sys/conf/newvers.sh 1.62.2.15.2.29 usr.bin/ee/ee.c 1.31.6.1 RELENG_6 usr.bin/ee/ee.c 1.32.2.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.7 src/sys/conf/newvers.sh 1.69.2.8.2.3 usr.bin/ee/ee.c 1.32.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0055 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:02.ee.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDxL4YFdaIBMps37IRAlL2AJ4x+2WoVU3OJMEab2ch6sbBRaLoogCglFSE n4bkyDA2e6afV7tG4ja8foA= =42lw -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@FreeBSD.ORG Wed Jan 11 08:19:16 2006 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3518616A41F; Wed, 11 Jan 2006 08:19:16 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2832343D4C; Wed, 11 Jan 2006 08:19:15 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k0B8JFpE066669; Wed, 11 Jan 2006 08:19:15 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k0B8JEZM066667; Wed, 11 Jan 2006 08:19:14 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 11 Jan 2006 08:19:14 GMT Message-Id: <200601110819.k0B8JEZM066667@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:03.cpio X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jan 2006 08:19:16 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:03.cpio Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities cpio Category: contrib Module: contrib_cpio Announced: 2006-01-11 Credits: Imran Ghory, Richard Harms Affects: All FreeBSD releases. Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE) 2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2) 2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE) 2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9) 2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24) 2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE) 2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14) 2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20) CVE Name: CVE-2005-1111, CVE-2005-1229, CVE-2005-4268 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The cpio utility copies files into or out of a cpio or tar archive. II. Problem Description A number of issues has been discovered in cpio: . When creating a new file, cpio closes the file before setting its permissions. (CVE-2005-1111) . When extracting files cpio does not properly sanitize file names to filter out ".." components, even if the --no-absolute-filenames option is used. (CVE-2005-1229) . When adding large files (larger than 4 GB) to a cpio archive on 64-bit platforms an internal buffer might overflow. (CVE-2005-4268) III. Impact . The first problem can allow a local attacker to change the permissions of files owned by the user executing cpio providing that they have write access to the directory in which the file is being extracted. (CVE-2005-1111) . The lack of proper file name sanitation can allow an attacker to overwrite arbitrary local files when extracting files from a cpio a archive. (CVE-2005-1229) . The buffer-overflow on 64-bit platforms could lead cpio to a Denial-of-Service situation (crash) or possibly execute arbitrary code with the permissions of the user running cpio. (CVE-2005-4268) IV. Workaround Use a different utility to create and extract cpio archives, for example pax(1) or (on FreeBSD 5.3 or later) tar(1). If this is not possible, do not extract untrusted archives and when running on 64-bit platforms do not add untrusted files to cpio archives. V. Solution NOTE WELL: The solution described below causes cpio to not exact files with absolute paths by default anymore. If it is required that cpio exact files with absolute names, use the --absolute-filenames parameter. Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, 5.4, and 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/gnu/usr.bin/cpio # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 contrib/cpio/copyin.c 1.6.6.2 contrib/cpio/copyout.c 1.2.8.1 contrib/cpio/cpio.1 1.3.6.1 contrib/cpio/extern.h 1.2.8.1 contrib/cpio/global.c 1.1.1.1.8.1 contrib/cpio/main.c 1.3.2.1 RELENG_4_11 src/UPDATING 1.73.2.91.2.15 src/sys/conf/newvers.sh 1.44.2.39.2.18 contrib/cpio/copyin.c 1.6.6.1.12.1 contrib/cpio/copyout.c 1.2.36.1 contrib/cpio/cpio.1 1.3.34.1 contrib/cpio/extern.h 1.2.36.1 contrib/cpio/global.c 1.1.1.1.36.1 contrib/cpio/main.c 1.3.30.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.21 src/sys/conf/newvers.sh 1.44.2.34.2.22 contrib/cpio/copyin.c 1.6.6.1.10.1 contrib/cpio/copyout.c 1.2.30.1 contrib/cpio/cpio.1 1.3.28.1 contrib/cpio/extern.h 1.2.30.1 contrib/cpio/global.c 1.1.1.1.30.1 contrib/cpio/main.c 1.3.24.1 RELENG_5 contrib/cpio/copyin.c 1.7.8.1 contrib/cpio/copyout.c 1.2.32.1 contrib/cpio/cpio.1 1.3.30.1 contrib/cpio/extern.h 1.2.32.1 contrib/cpio/global.c 1.1.1.1.32.1 contrib/cpio/main.c 1.3.26.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.18 src/sys/conf/newvers.sh 1.62.2.18.2.14 contrib/cpio/copyin.c 1.7.12.1 contrib/cpio/copyout.c 1.2.38.1 contrib/cpio/cpio.1 1.3.36.1 contrib/cpio/extern.h 1.2.38.1 contrib/cpio/global.c 1.1.1.1.38.1 contrib/cpio/main.c 1.3.32.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.27 src/sys/conf/newvers.sh 1.62.2.15.2.29 contrib/cpio/copyin.c 1.7.10.1 contrib/cpio/copyout.c 1.2.34.1 contrib/cpio/cpio.1 1.3.32.1 contrib/cpio/extern.h 1.2.34.1 contrib/cpio/global.c 1.1.1.1.34.1 contrib/cpio/main.c 1.3.28.1 RELENG_6 contrib/cpio/copyin.c 1.7.14.1 contrib/cpio/copyout.c 1.2.40.1 contrib/cpio/cpio.1 1.3.38.1 contrib/cpio/extern.h 1.2.40.1 contrib/cpio/global.c 1.1.1.1.40.1 contrib/cpio/main.c 1.3.34.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.7 src/sys/conf/newvers.sh 1.69.2.8.2.3 contrib/cpio/copyin.c 1.7.16.1 contrib/cpio/copyout.c 1.2.42.1 contrib/cpio/cpio.1 1.3.40.1 contrib/cpio/extern.h 1.2.42.1 contrib/cpio/global.c 1.1.1.1.42.1 contrib/cpio/main.c 1.3.36.1 - ------------------------------------------------------------------------- VII. References [CVE-2005-1111] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1111 http://marc.theaimsgroup.com/?l=bugtraq&m=111342664116120 https://savannah.gnu.org/patch/?func=detailitem&item_id=4006 https://savannah.gnu.org/patch/?func=detailitem&item_id=4007 [CVE-2005-1229] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229 http://marc.theaimsgroup.com/?l=bugtraq&m=111403177526312 https://savannah.gnu.org/patch/?func=detailitem&item_id=4005 [CVE-2005-4268] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4268 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172669 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:03.cpio.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDxL4mFdaIBMps37IRAqQnAJ9Js/Joq8LJJT1kX6DXStgJMliqJQCfdZCx bxuCX+ps+C0MR5UcLOExHvM= =7laG -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@FreeBSD.ORG Wed Jan 11 08:19:24 2006 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AE7C616A438; Wed, 11 Jan 2006 08:19:24 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6B4F143D55; Wed, 11 Jan 2006 08:19:23 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k0B8JNjZ066725; Wed, 11 Jan 2006 08:19:23 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k0B8JNFG066723; Wed, 11 Jan 2006 08:19:23 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 11 Jan 2006 08:19:23 GMT Message-Id: <200601110819.k0B8JNFG066723@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:04.ipfw X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jan 2006 08:19:25 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:04.ipfw Security Advisory The FreeBSD Project Topic: ipfw IP fragment denial of service Category: core Module: ipfw Announced: 2006-01-11 Credits: Oleg Bulyzhin Affects: FreeBSD 6.0-RELEASE Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE) 2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2) CVE Name: CVE-2006-0054 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background ipfw(8) is a system facility which provides IP packet filtering, accounting, and redirection. Among the many features, while discarding packets it can perform actions defined by the user, such as sending back TCP reset or ICMP unreachable packets. These operations can be performed by using the reset, reject or uncreach actions. II. Problem Description The firewall maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized. III. Impact An attacker can cause the firewall to crash by sending ICMP IP fragments to or through firewalls which match any reset, reject or unreach actions. IV. Workaround Change any reset, reject or unreach actions to deny. It should be noted that this will result in packets being silently discarded. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/sys/netinet/ip_fw2.c 1.106.2.6 RELENG_6_0 src/UPDATING 1.416.2.3.2.7 src/sys/conf/newvers.sh 1.69.2.8.2.3 src/sys/netinet/ip_fw2.c 1.106.2.3.2.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-0054 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:04.ipfw.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDxL4vFdaIBMps37IRAmrZAJ4qRzdR0zR0u9ZY5RTTsMF5ZcGBUACfa5Gn 9kbuhOTex8BBlNFRHYCd9e4= =WcS+ -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@FreeBSD.ORG Wed Jan 11 10:21:58 2006 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF31B16A41F; Wed, 11 Jan 2006 10:21:58 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0817243D82; Wed, 11 Jan 2006 10:21:57 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k0BALuR7073547; Wed, 11 Jan 2006 10:21:56 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k0BALukD073545; Wed, 11 Jan 2006 10:21:56 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 11 Jan 2006 10:21:56 GMT Message-Id: <200601111021.k0BALukD073545@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:01.texindex [REVISED] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jan 2006 10:21:58 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:01.texindex Security Advisory The FreeBSD Project Topic: Texindex temporary file privilege escalation Category: contrib Module: texinfo Announced: 2006-01-11 Credits: Frank Lichtenheld Affects: All FreeBSD releases. Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE) 2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2) 2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE) 2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9) 2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24) 2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE) 2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14) 2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20) CVE Name: CAN-2005-3011 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History. v1.0 2006-01-11 Initial release. v1.1 2006-01-11 Corrected instructions for rebuilding texindex. I. Background TeX is a document typesetting system which is popular in the mathematics, physics, and computer science realms because of its ability to typeset complex mathematical formulas. texindex(1) is a utility which is often used to generate a sorted index of a TeX file. II. Problem Description The "sort_offline" function used by texindex(1) employs the "maketempname" function, which produces predictable file names and fails to validate that the paths do not exist. III. Impact These predictable temporary file names are problematic because they allow an attacker to take advantage of a race condition in order to execute a symlink attack, which could enable them to overwrite files on the system in the context of the user running the texindex(1) utility. IV. Workaround No workaround is available, but the problematic code is only executed if the input file being processed is 500kB or more in length; as a result, users working with documents of less than several hundred pages are very unlikely to be affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, 5.4, and 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.x and 5.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch.asc [FreeBSD 6.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/gnu/usr.bin/texinfo/libtxi # make obj && make depend && make # cd /usr/src/gnu/usr.bin/texinfo/texindex # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 contrib/texinfo/util/texindex.c 1.1.1.3.2.4 RELENG_4_11 src/UPDATING 1.73.2.91.2.15 src/sys/conf/newvers.sh 1.44.2.39.2.18 contrib/texinfo/util/texindex.c 1.1.1.3.2.3.6.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.21 src/sys/conf/newvers.sh 1.44.2.34.2.22 contrib/texinfo/util/texindex.c 1.1.1.3.2.3.4.1 RELENG_5 contrib/texinfo/util/texindex.c 1.1.1.7.4.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.18 src/sys/conf/newvers.sh 1.62.2.18.2.14 contrib/texinfo/util/texindex.c 1.1.1.7.8.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.27 src/sys/conf/newvers.sh 1.62.2.15.2.29 contrib/texinfo/util/texindex.c 1.1.1.7.6.1 RELENG_6 contrib/texinfo/util/texindex.c 1.1.1.8.2.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.7 src/sys/conf/newvers.sh 1.69.2.8.2.3 contrib/texinfo/util/texindex.c 1.1.1.8.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:01.texindex.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDxNZZFdaIBMps37IRAkQ5AKCayEHnnoglWAyY2wA22huF9xmIxgCdFwpn ePrdykp4BUjKqAMYCUupMK8= =q74p -----END PGP SIGNATURE-----