From owner-freebsd-security Thu Jun 27 09:18:07 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id DBDCC37B401 for ; Thu, 27 Jun 2002 09:17:58 -0700 (PDT)
Received: (from root@localhost) by lariat.org (8.9.3/8.9.3) id KAA04440; Thu, 27 Jun 2002 10:17:49 -0600 (MDT)
Date: Thu, 27 Jun 2002 10:17:49 -0600 (MDT)
From: Brett Glass
Message-Id: <200206271617.KAA04440@lariat.org>
To: bright@mu.org, odela01@ca.com
Subject: Re: resolv and dynamic linking to compat libc
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20020627071849.GG18877@elvis.mu.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Last night, I saw an attempted attack that may have been an attempt to subvert a build of Apache 2.0.39 built with the buggy libc. Apache had spawned dozens of child processes, which all hung (they were trying to double-free memory) and the server was completely locked up. As far as I can tell, the intruder didn't make it in but did manage to mess up Apache's unprivileged child processes -- a first step.

Apache is one of the most likely targets for a libc exploit, because so many servers run it. Beware, folks; the most important programs to rebuild are daemons like Apache, which are often statically linked and which you may or may not have installed as ports. (I built it straight from the Apache Project tarball.)

And if you've installed anything as a binary package, be careful! As I've mentioned before on this list, the packages on the FreeBSD servers are not rebuilt nightly (as they should be). Every package on the public servers is probably STILL built with the faulty libc. Whoever manages ftp.freebsd.org should immediately take the package collection offline until the entire collection is rebuilt, and then make sure the mirrors get it.

It would also be nice to start seeing those nightly builds (using make, of course, so that effort is not wasted if nothing has changed).

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
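The practical question the mail raises is which installed programs still carry the faulty libc after the shared library has been patched: a dynamically linked binary picks up the fixed libc at the next start, while a statically linked daemon embeds its own copy and must be rebuilt. The following added example (not part of Brett Glass's mail or any FreeBSD tool) classifies ELF executables by reading their program headers: an executable with no `PT_INTERP` entry has no dynamic loader and therefore contains its own libc. The `build_minimal_elf64` helper constructs a tiny ELF image purely as a fixture so the check runs offline; the `link_kind` and `find_static_executables` function names are this example's own.

```python
"""Find ELF executables that embed their own libc (statically linked) and so need rebuilding."""
import os
import struct
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC = 2   # program header type: dynamic linking information
PT_INTERP = 3    # program header type: path of the run-time loader


def parse_program_header_types(data: bytes) -> list[int]:
    """Return the p_type of every program header in an ELF image (ELFCLASS32/64, either byte order)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"   # ELFDATA2LSB == 1, ELFDATA2MSB == 2
    if ei_class == 2:   # ELFCLASS64: e_phoff at 0x20, e_phentsize at 0x36, e_phnum at 0x38
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif ei_class == 1:  # ELFCLASS32: e_phoff at 0x1C, e_phentsize at 0x2A, e_phnum at 0x2C
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    # p_type is the first 32-bit field of a program header in both classes
    return [struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]


def link_kind(data: bytes) -> str:
    """'dynamic' (fixed by the patched shared libc), else 'static-pie' or 'static' (libc embedded, rebuild)."""
    types = parse_program_header_types(data)
    if PT_INTERP in types:
        return "dynamic"
    if PT_DYNAMIC in types:
        return "static-pie"   # relocates itself but still carries its own libc copy
    return "static"


def find_static_executables(root: str) -> list[str]:
    """Walk `root` and list executable ELF files that embed their own libc."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not os.access(path, os.X_OK):
            continue
        try:
            data = path.read_bytes()   # program headers sit near the start, but phoff is not fixed
            if data[:4] == ELF_MAGIC and link_kind(data) != "dynamic":
                hits.append(str(path))
        except (OSError, ValueError, struct.error):
            continue   # unreadable, truncated or non-ELF: skip, not a verdict
    return hits


def build_minimal_elf64(ptypes: list[int]) -> bytes:
    """Constructed fixture: a little-endian ELF64 header plus program headers of the given types.
    Not a loadable binary; it exists only so the classifier can be exercised offline."""
    ehdr = bytearray(64)
    ehdr[0:4] = ELF_MAGIC
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1          # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 2, 62, 1)  # ET_EXEC, EM_X86_64, e_version
    struct.pack_into("<QQQ", ehdr, 24, 0x401000, 64, 0)   # e_entry, e_phoff=64, e_shoff
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<IHHHHHH", ehdr, 48, 0, 64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return bytes(ehdr) + phdrs


if __name__ == "__main__":
    # Usage: python3 static_scan.py /usr/local/sbin /usr/local/bin
    for root in sys.argv[1:] or ["/usr/local/sbin"]:
        for hit in find_static_executables(root):
            print(f"rebuild needed (embedded libc): {hit}")
```

On a FreeBSD host the same verdict can be cross-checked with `file(1)`, which reports "statically linked" for such binaries; the point of the header check is that it does not depend on which tools are installed and can be run from a recovery environment over a mounted filesystem.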