From owner-freebsd-bugs Mon Oct 14 19:48:57 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA18502 for bugs-outgoing; Mon, 14 Oct 1996 19:48:57 -0700 (PDT)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA18486 for ; Mon, 14 Oct 1996 19:48:40 -0700 (PDT)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id UAA09350; Mon, 14 Oct 1996 20:48:12 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id UAA07301; Mon, 14 Oct 1996 20:46:15 -0600 (MDT)
Date: Mon, 14 Oct 1996 20:46:14 -0600 (MDT)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Jason Downs
cc: freebsd-bugs@freefall.freebsd.org, freebsd-security@freebsd.org
Subject: Re: bin/1805: Bug in ftpd
In-Reply-To: <199610150130.SAA09758@threadway.teeny.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

[Jason's message was only sent to -bugs; I'm ccing it to -security too because there was discussion there]

Jason's fix from the OpenBSD source tree follows. Since ftpd uses getpwnam which calls endpwent when it is done, the only other programs that we would need to worry about are those that call getpwent(3), and there shouldn't be many (if any) programs that do that and are exploitable.

Index: src/lib/libc/db/hash/hash_buf.c =================================================================== RCS file: /cvs/src/lib/libc/db/hash/hash_buf.c,v retrieving revision 1.3 retrieving revision 1.4 diff -c -r1.3 -r1.4 *** hash_buf.c 1996/08/19 08:20:35 1.3 --- hash_buf.c 1996/10/14 22:17:27 1.4 *************** *** 35,41 **** */ #if defined(LIBC_SCCS) && !defined(lint) ! 
static char rcsid[] = "$OpenBSD: hash_buf.c,v 1.3 1996/08/19 08:20:35 tholo Exp $"; #endif /* LIBC_SCCS and not lint */ /* --- 35,41 ---- */ #if defined(LIBC_SCCS) && !defined(lint) ! static char rcsid[] = "$OpenBSD: hash_buf.c,v 1.4 1996/10/14 22:17:27 downsj Exp $"; #endif /* LIBC_SCCS and not lint */ /* *************** *** 331,338 **** } /* Check if we are freeing stuff */ if (do_free) { ! if (bp->page) free(bp->page); BUF_REMOVE(bp); free(bp); bp = LRU; --- 331,340 ---- } /* Check if we are freeing stuff */ if (do_free) { ! if (bp->page) { ! (void)memset(bp->page, 0, hashp->BSIZE); free(bp->page); + } BUF_REMOVE(bp); free(bp); bp = LRU;

On Mon, 14 Oct 1996, Jason Downs wrote:

> In message <199610141820.LAA14810@freefall.freebsd.org>,
> Marc Slemko writes:
> >The following reply was made to PR bin/1805; it has been noted by GNATS.
> >
> >From: Marc Slemko
> >To: rkozak@bdk.lublin.pl
> >Cc: freebsd-gnats-submit@freebsd.org
> >Subject: Re: bin/1805: Bug in ftpd
> >Date: Mon, 14 Oct 1996 12:11:11 -0600 (MDT)
> >
> > On Mon, 14 Oct 1996 rkozak@bdk.lublin.pl wrote:
> >
> > > While user is connected to server via ftp, the process ftpd is owned
> > > by this user. When ftpd is abnormally terminated (e.g. kill -11 )
> > > the memory image of this process is written to file ftpd.core in home dir.
> > > This file contains encrypted passwords of all users on this machine.
> >
> > That isn't nice. I don't think it will contain the passwords of all the
> > users, just a certain subset of them. This is also a problem with older
> > versions of wuftpd, but the latest beta seems to be fine, although I'm not
> > sure if that is just a fluke or by design. There are several possible
> > fixes, but for those that need a temporary fix ASAP, a workaround follows.
> > There should be no security problems with this, but there could be
> > something I'm missing.
>
> I don't think disabling core dumps is a very clean or effective fix for this
> problem. a.) the problem is potentially widespread, and b.) is caused by
> the design (limitations) of the DB library.
>
> The problem was killed by making essentially a one line change in the OpenBSD
> source tree. A slight performance hit is exchanged for greater overall
> security.
>
>
> --
> Jason Downs (503) 256-8535 -/- (503) 952-3749
> downsj@teeny.org --> teeny.org: Free Software for a Free Internet <--
> http://www.teeny.org/
> OpenBSD: The BSD with a soul. http://www.openbsd.org/
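
Review bot: In the hash_buf.c hunk at 331,340, the new memset(bp->page, 0, hashp->BSIZE) is followed directly by free(bp->page), so an optimizing compiler may treat the clear as a dead store and drop it; a clearing routine that cannot be elided (explicit_bzero where libc provides it, or a write through a volatile pointer) would make the scrub reliable. A one-line comment saying why the page is zeroed (it can hold password database records that would otherwise stay in freed heap and end up in a core file) would keep the call from being removed later as redundant. The diff adds no include, so confirm hash_buf.c already includes <string.h> for memset.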
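
The two mitigations discussed in this thread, side by side, as an added example that is not code from the original message or from either source tree: scrubbing a buffer before it is freed, and turning core files off for the process. The helper names (`scrub`, `scrub_free`, `disable_core_dumps`, `core_limit_is_zero`) are hypothetical, and using `setrlimit(RLIMIT_CORE)` is an assumption, since the workaround itself is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Calling memset through a volatile function pointer stops the compiler
 * from treating the clear as a dead store when free() follows directly. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

/* Hypothetical helper: zero n bytes at p. */
void scrub(void *p, size_t n)
{
    if (p != NULL && n != 0)
        memset_v(p, 0, n);
}

/* Hypothetical helper: the patch's pattern, clear the page and then free it. */
void scrub_free(void *p, size_t n)
{
    scrub(p, n);
    free(p);
}

/* Workaround style: forbid core files for this process (assumed mechanism). */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 if soft and hard core limits are both zero, 0 if not, -1 on error. */
int core_limit_is_zero(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

int main(void)
{
    const char rec[] = "user:$1$constructed$notarealhash"; /* constructed sample */
    char *page = malloc(256);
    if (page == NULL || disable_core_dumps() != 0)
        return 1;
    memcpy(page, rec, sizeof rec);
    scrub_free(page, 256);
    printf("core limit zero: %d\n", core_limit_is_zero());
    return 0;
}
```

The rlimit approach only suppresses the core file for the process that sets it, while the scrub removes the stale data from the heap for every consumer of the buffer.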