From owner-freebsd-security@FreeBSD.ORG Tue Aug 5 09:58:47 2003
Message-ID: <01b201c35b72$cdcb7bd0$df0a0a0a@vsis169>
From: "Lewis Watson"
References: <200308051202.h75C2e6S072245@freefall.freebsd.org>
Date: Tue, 5 Aug 2003 11:58:33 -0500
cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
List-Id: Security issues [members-only posting]

> NOTE WELL: Any statically linked applications that are not part of
> the base system (i.e. from the Ports Collection or other 3rd-party
> sources) must be recompiled.
>
> All affected applications must be restarted for them to use the
> corrected library. Though not required, rebooting may be the easiest
> way to accomplish this.
>

I have upgraded my 4.8 box to 4.8-p1. How do I verify what applications
need to be patched, and how do I make sure that the above-noted statically
linked applications are patched after I am done?

Thanks a bunch!
Lewis

----- Original Message -----
From: "FreeBSD Security Advisories"
To: "FreeBSD Security Advisories"
Sent: Tuesday, August 05, 2003 7:02 AM
Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]

> =============================================================================
> FreeBSD-SA-03:08.realpath                                   Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Single byte buffer overflow in realpath(3)
>
> Category:       core
> Module:         libc
> Announced:      2003-08-03
> Credits:        Janusz Niewiadomski,
>                 Wojciech Purczynski,
>                 CERT/CC
> Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
>                 and 5.0-RELEASE
>                 FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> Corrected:      2003-08-03 23:46:24 UTC (RELENG_5_0)
>                 2003-08-03 23:43:43 UTC (RELENG_4_8)
>                 2003-08-03 23:44:12 UTC (RELENG_4_7)
>                 2003-08-03 23:44:36 UTC (RELENG_4_6)
>                 2003-08-03 23:44:56 UTC (RELENG_4_5)
>                 2003-08-03 23:45:41 UTC (RELENG_4_4)
>                 2003-08-03 23:46:03 UTC (RELENG_4_3)
>                 2003-08-03 23:47:39 UTC (RELENG_3)
> FreeBSD only:   NO
>
> 0.   Revision History
>
> v1.0  2003-08-03  Initial release
> v1.1  2003-08-04  Updated information for lukemftpd
>
> I.   Background
>
> The realpath(3) function is used to determine the canonical,
> absolute pathname from a given pathname which may contain extra
> ``/'' characters, references to ``/./'' or ``/../'', or references
> to symbolic links. The realpath(3) function is part of the FreeBSD
> Standard C Library.
>
> II.  Problem Description
>
> An off-by-one error exists in a portion of realpath(3) that computes
> the length of the resolved pathname. As a result, if the resolved
> path name is exactly 1024 characters long and contains at least
> two directory separators, the buffer passed to realpath(3) will be
> overwritten by a single NUL byte.
>
> III. Impact
>
> Applications using realpath(3) MAY be vulnerable to denial of service
> attacks, remote code execution, and/or privilege escalation. The
> impact on an individual application is highly dependent upon the
> source of the pathname passed to realpath, the position of the output
> buffer on the stack, the architecture on which the application is
> running, and other factors.
>
> Within the FreeBSD base system, several applications use realpath(3).
> Two applications which are negatively impacted are:
>
> (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
>     process the MLST and MLSD commands. The vulnerability may be
>     exploitable, leading to code execution with superuser privileges.
>
>     lukemftpd(8) was installed (but not enabled) by default in
>     4.7-RELEASE and in 4-STABLE dated Jun 20 21:13:33 2002 UTC through
>     Nov 12 17:32:47 2002 UTC. It is not built or installed by default
>     in any other release.
>
>     If the `-r' option to lukemftpd is used (as suggested by the
>     example /etc/inetd.conf supplied in 4.7-RELEASE), then successful
>     exploitation leads to code execution with the privileges of
>     the authenticated user (rather than superuser privileges).
>
> (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
>     chdir commands. This vulnerability may be exploitable, leading
>     to code execution with the privileges of the authenticated user.
>
> At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
> the following applications which appear to use realpath(3). These
> applications have not been audited, and may or may not be vulnerable.
> There may be additional applications in the FreeBSD Ports Collection
> that use realpath(3), particularly statically-linked applications and
> applications added since 4.8-RELEASE.
>
> IV.  Workaround
>
> There is no generally applicable workaround.
>
> OpenSSH's sftp-server(8) may be disabled by editing
> /etc/ssh/sshd_config and commenting out the following line by
> inserting a `#' as the first character:
>
>   Subsystem       sftp    /usr/libexec/sftp-server
>
> lukemftpd(8) may be replaced by the default ftpd(8).
>
> V.   Solution
>
> 1) Upgrade your vulnerable system to 4.8-STABLE
> or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> dated after the respective correction dates.
>
> 2) To patch your present system:
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility. The following patch
> has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
> 5.0-RELEASE.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your operating system as described in
> .
>
> NOTE WELL: Any statically linked applications that are not part of
> the base system (i.e. from the Ports Collection or other 3rd-party
> sources) must be recompiled.
>
> All affected applications must be restarted for them to use the
> corrected library. Though not required, rebooting may be the easiest
> way to accomplish this.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_3
>   src/lib/libc/stdlib/realpath.c                                  1.6.2.1
> RELENG_4_3
>   src/UPDATING                                             1.73.2.28.2.32
>   src/lib/libc/stdlib/realpath.c                                  1.9.4.1
>   src/sys/conf/newvers.sh                                  1.44.2.14.2.22
> RELENG_4_4
>   src/UPDATING                                             1.73.2.43.2.45
>   src/lib/libc/stdlib/realpath.c                                  1.9.6.1
>   src/sys/conf/newvers.sh                                  1.44.2.17.2.36
> RELENG_4_5
>   src/UPDATING                                             1.73.2.50.2.44
>   src/lib/libc/stdlib/realpath.c                                  1.9.8.1
>   src/sys/conf/newvers.sh                                  1.44.2.20.2.28
> RELENG_4_6
>   src/UPDATING                                             1.73.2.68.2.42
>   src/lib/libc/stdlib/realpath.c                                 1.9.10.1
>   src/sys/conf/newvers.sh                                  1.44.2.23.2.31
> RELENG_4_7
>   src/UPDATING                                             1.73.2.74.2.14
>   src/lib/libc/stdlib/realpath.c                                 1.9.12.1
>   src/sys/conf/newvers.sh                                  1.44.2.26.2.13
> RELENG_4_8
>   src/UPDATING                                              1.73.2.80.2.3
>   src/lib/libc/stdlib/realpath.c                                 1.9.14.1
>   src/sys/conf/newvers.sh                                   1.44.2.29.2.2
> RELENG_5_0
>   src/UPDATING                                                1.229.2.14
>   src/lib/libc/stdlib/realpath.c                                 1.11.2.1
>   src/sys/conf/newvers.sh                                        1.48.2.9
> - -------------------------------------------------------------------------
>
> VII. References
>
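The off-by-one in section II, as an added illustration that is not the advisory's or FreeBSD libc's code: a simplified model of the length bookkeeping when realpath(3) appends "/component" to a PATH_MAX (1024) byte buffer, with the boundary check written both the wrong way and the corrected way (the real libc logic differed and only misfired with at least two separators; the model only shows the bug class). The buffer carries one extra canary byte so the single stray NUL is detected instead of corrupting the stack; the path shape (exactly 1024 characters, two separators) is constructed to match the advisory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_ 1024  /* PATH_MAX on the affected FreeBSD releases */

/* Model, not the libc code: append "/" + comp to the NUL-terminated path in
 * resolved (a PATH_MAX_ byte buffer). Returns 0, or -1 with ENAMETOOLONG.
 * fixed == 0: accepts a path of exactly PATH_MAX_ characters, so the NUL is
 * written one byte past the buffer. fixed == 1: reserves room for the NUL. */
static int append_component(char *resolved, size_t *len, const char *comp, int fixed)
{
    size_t clen = strlen(comp);
    size_t need = *len + 1 + clen;            /* characters, excluding the NUL */
    if (fixed ? need >= PATH_MAX_ : need > PATH_MAX_) {
        errno = ENAMETOOLONG;
        return -1;
    }
    resolved[(*len)++] = '/';
    memcpy(resolved + *len, comp, clen);
    *len += clen;
    resolved[*len] = '\0';                    /* buggy case: resolved[1024] */
    return 0;
}

/* Builds "/aaa.../aaa..." from two comp_len-character components into a
 * PATH_MAX_ byte buffer that is followed by one canary byte. Returns 0 if
 * the path was rejected, 1 if the canary was overwritten (the single-NUL
 * overflow from the advisory), 2 if the path was accepted without overrun. */
int check_overrun(int fixed, size_t comp_len)
{
    char buf[PATH_MAX_ + 1];                  /* last byte is the canary */
    char comp[PATH_MAX_];
    size_t len = 0;
    if (comp_len >= sizeof comp) comp_len = sizeof comp - 1;
    memset(comp, 'a', comp_len);
    comp[comp_len] = '\0';
    memset(buf, 0, sizeof buf);
    buf[PATH_MAX_] = 0x7f;
    if (append_component(buf, &len, comp, fixed) != 0) return 0;
    if (append_component(buf, &len, comp, fixed) != 0) return 0;
    return buf[PATH_MAX_] == 0x7f ? 2 : 1;
}

int main(void)
{   /* constructed path: 1 + 511 + 1 + 511 = 1024 characters, two separators */
    printf("buggy: %d fixed: %d\n", check_overrun(0, 511), check_overrun(1, 511));
    return 0;
}
```

A 1022-character path (comp_len 510) passes both checks without touching the canary, which is the boundary the corrected comparison preserves.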