From: Yonatan Bokovza
To: "'security@freebsd.org'"
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd
Date: Thu, 13 Dec 2001 10:11:33 +0200

You forgot the usual paragraph:

The thttpd port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.4 contains this problem since it was discovered after the release.

> -----Original Message-----
> From: FreeBSD Security Advisories
> [mailto:security-advisories@freebsd.org]
> Sent: Tuesday, December 11, 2001 19:01
> To: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-01:66                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          thttpd port contains remotely exploitable vulnerability
>
> Category:       ports
> Module:         thttpd
> Announced:      2001-12-11
> Credits:        GOBBLES SECURITY
> Affects:        Ports collection prior to the correction date
> Corrected:      2001-11-22 00:10:56 UTC
> FreeBSD only:   no
>
> I.   Background
>
> thttpd is a simple, small, portable, fast, and secure HTTP server.
>
> II.  Problem Description
>
> In auth_check(), there is an off-by-one error in computing the amount
> of memory needed for storing a NUL terminated string. Specifically, a
> stack buffer of 500 bytes is used to store a string of up to 501 bytes
> including the terminating NUL.
>
> III. Impact
>
> Due to the location of the affected buffer on the stack, this bug
> can be exploited using ``The poisoned NUL byte'' technique (see
> references). A remote attacker can hijack the thttpd process,
> obtaining whatever privileges it has. By default, the thttpd process
> runs as user `nobody'.
>
> IV.  Workaround
>
> 1) Deinstall the thttpd port/package if you have it installed.
>
> V.   Solution
>
> 1) Upgrade your entire ports collection and rebuild the port.
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from the following directories:
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/thttpd-2.22.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/thttpd-2.22.tgz
>
> [alpha]
> Packages are not automatically generated for the alpha architecture at
> this time due to lack of build resources.
>
> 3) Download a new port skeleton for the thttpd port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in the FreeBSD ports collection.
>
> Path                                                             Revision
> - -------------------------------------------------------------------------
> ports/www/thttpd/Makefile                                        1.23
> ports/www/thttpd/distinfo                                        1.20
> ports/www/thttpd/files/patch-fdwatch.c                           removed
> - -------------------------------------------------------------------------
>
> VII. References
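The off-by-one in the quoted Problem Description, as an added example in C that is neither thttpd's code nor part of either message: copy_authinfo_bad reproduces the pattern (up to 500 data bytes, then the NUL stored at index 500), copy_authinfo_good is the corrected bound, and neighbor_clobbered shows that single NUL landing in the byte after the buffer. All function names and the buffer layout are assumptions; only the 500-byte figure comes from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_SZ 500   /* the 500-byte stack buffer the advisory describes */

/* Hypothetical routine with the advisory's defect: it accepts up to BUF_SZ
 * input bytes and then stores the NUL at buf[len], which is buf[500] for a
 * 500-byte input: one byte past the end of the buffer. */
static void copy_authinfo_bad(char *buf, const char *src, size_t len) {
    if (len > BUF_SZ)
        len = BUF_SZ;
    memcpy(buf, src, len);
    buf[len] = '\0';          /* the 501st byte when len == BUF_SZ */
}

/* Corrected form: one byte is reserved for the terminator, so data plus NUL
 * never exceed BUF_SZ bytes; longer input is truncated. */
static void copy_authinfo_good(char *buf, const char *src, size_t len) {
    if (len > BUF_SZ - 1)
        len = BUF_SZ - 1;
    memcpy(buf, src, len);
    buf[len] = '\0';
}

/* The size check the defective code got wrong: data plus NUL must fit. */
int fits(size_t buf_size, size_t input_len) {
    return input_len < buf_size;   /* input_len + 1 <= buf_size, no overflow */
}

/* Runs a copy routine on a BUF_SZ buffer followed by one guard byte and reports
 * whether the guard was zeroed (kept inside the allocation so it is well defined). */
int neighbor_clobbered(void (*copy)(char *, const char *, size_t), size_t input_len) {
    char *region = malloc(BUF_SZ + 1), *src = malloc(input_len + 1);
    int clobbered = -1;                        /* -1: allocation failed */
    if (region != NULL && src != NULL) {
        memset(src, 'A', input_len);           /* constructed input */
        region[BUF_SZ] = 0x7f;                 /* guard byte past the buffer */
        copy(region, src, input_len);
        clobbered = (region[BUF_SZ] == '\0');  /* poisoned by the NUL? */
    }
    free(region);
    free(src);
    return clobbered;
}

int main(void) {
    printf("bad=%d fixed=%d\n", neighbor_clobbered(copy_authinfo_bad, BUF_SZ),
           neighbor_clobbered(copy_authinfo_good, BUF_SZ));  /* prints bad=1 fixed=0 */
}
```

On the real stack the guard byte's position is held by another local, a saved register or padding, which is what makes a single stray NUL exploitable rather than merely corrupting.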