From owner-freebsd-security Tue Dec 10 11:29:23 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA23552 for security-outgoing; Tue, 10 Dec 1996 11:29:23 -0800 (PST) Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id LAA23522; Tue, 10 Dec 1996 11:29:05 -0800 (PST) Received: (from guido@localhost) by gvr.win.tue.nl (8.8.2 with smtp patch/8.8.2) id UAA15958; Tue, 10 Dec 1996 20:28:47 +0100 (MET) Message-Id: <199612101928.UAA15958@gvr.win.tue.nl> From: FreeBSD Security Officer To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org, freebsd-security@freebsd.org, first-teams@first.org Subject: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr (REVISED) Date: Tue, 10 Dec 1996 20:23:15 +0100 (MET) Reply-To: security-officer@freebsd.org Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-96:19 Security Advisory FreeBSD, Inc. Topic: Buffer overflow in modstat Category: core Module: modstat Announced: 1996-12-10 Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1.5, 2.1.6, 2.1.6.1 Corrected: FreeBSD-current as of 1996/08/08 FreeBSD only: no Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:19/ ============================================================================= I. Background The modstat program is used to display status of loaded kernel modules. It is standard software in the FreeBSD operating system. II. Problem Description The modstat program has always been installed setuid kmem. Within the program, a buffer overflow can occur. III. Impact Local users can gain kmem privileges. IV. Workaround Modstat does not need to be setuid kmem. It is thus sufficient to do the following: su cd /usr/bin chmod 555 modstat This effectively clears the setuid bit on the modstat program. V. Solution Apply the following patch: (This patch can also be found on ftp://freebsd.org/pub/CERT/patches/SA-96:19) Index: Makefile =================================================================== RCS file: /home/freebsd/CVS/src/usr.bin/modstat/Makefile,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 - --- Makefile 1994/08/19 12:14:02 1.1 +++ Makefile 1996/05/30 02:19:03 1.2 @@ -38,7 +38,5 @@ PROG= modstat MAN8= modstat.8 - -BINGRP= kmem - -BINMODE=2555 .include Index: modstat.c =================================================================== RCS file: /home/freebsd/CVS/src/usr.bin/modstat/modstat.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 - --- modstat.c 1995/04/20 05:08:53 1.3 +++ modstat.c 1996/08/08 07:58:07 1.4 @@ -72,8 +72,9 @@ { struct lmc_stat sbuf; + sbuf.name[MAXLKMNAME - 1] = '\0'; /* In case strncpy limits the string. */ if (modname != NULL) - - strcpy(sbuf.name, modname); + strncpy(sbuf.name, modname, MAXLKMNAME - 1); sbuf.id = modnum; ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMq2381UuHi5z0oilAQE99wP+NktTxugo1lrVDm0FVcmqd8c3zu6s95Wt WCvM9GLECCVB+sFbssbikQc35SvgzEjnE4lZ3J4VBrAoThG3tLOmO5si0csM8dwE QPGMyR/fdU7DpYXEK/XKuDxre1TDJ0uOwU9DfBewgy0o5OiybRR5dxj3nsJIznnd F5O6NNppKb0= =qcrF -----END PGP SIGNATURE-----