From: matt
Date: Wed, 26 May 2010 21:53:42 -0700
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:05.opie
Delivered-To: freebsd-security@freebsd.org

There's a typo for the fetch link:

--http://security.freebsd.org/patches/SA-10-05/opie.patch
++http://security.freebsd.org/patches/SA-10:05/opie.patch

-Matt

On Thu, 27 May 2010 03:25:07 GMT, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-10:05.opie                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OPIE off-by-one stack overflow
>
> Category:       contrib
> Module:         contrib_opie
> Announced:      2010-05-27
> Credits:        Maksymilian Arciemowicz and Adam Zabrocki
> Affects:        All supported versions of FreeBSD
> Corrected:      2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)
>                 2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)
>                 2010-05-27 03:15:04 UTC (RELENG_7, 7.3-STABLE)
>                 2010-05-27 03:15:04 UTC (RELENG_7_3, 7.3-RELEASE-p1)
>                 2010-05-27 03:15:04 UTC (RELENG_7_2, 7.2-RELEASE-p8)
>                 2010-05-27 03:15:04 UTC (RELENG_7_1, 7.1-RELEASE-p12)
>                 2010-05-27 03:15:04 UTC (RELENG_6, 6.4-STABLE)
>                 2010-05-27 03:15:04 UTC (RELENG_6_4, 6.4-RELEASE-p10)
> CVE Name:       CVE-2010-1938
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> OPIE is a one-time password system designed to help to secure a system
> against replay attacks. It does so using a secure hash function and a
> challenge/response system.
>
> OPIE is enabled by default on FreeBSD.
>
> II.  Problem Description
>
> A programming error in the OPIE library could allow an off-by-one buffer
> overflow to write a single zero byte beyond the end of an on-stack buffer.
>
> III. Impact
>
> An attacker can remotely crash a service process which uses OPIE when
> stack protector is enabled.
>
> Note that this can happen even if OPIE is not enabled on the system,
> for instance the base system ftpd(8) is affected by this. Depending
> on the design and usage of OPIE, this may either affect only the
> process that handles the user authentication, or cause a Denial of
> Service condition.
>
> It is possible but very unlikely that an attacker could exploit this to
> gain access to a system.
>
> IV.  Workaround
>
> No workaround is available, but systems without OPIE capable services
> running are not vulnerable.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_3, RELENG_7_2, RELENG_7_1, RELENG_6_4
> security branch dated after the correction date.
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to FreeBSD 6.4,
> 7.1, 7.2, 7.3, and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-10-05/opie.patch
> # fetch http://security.FreeBSD.org/patches/SA-10-05/opie.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libopie
> # make obj && make depend && make && make install
>
> NOTE: On the amd64 platform, the above procedure will not update the
> lib32 (i386 compatibility) libraries. On amd64 systems where the i386
> compatibility libraries are used, the operating system should instead
> be recompiled as described in
>
>
> 3) To update your vulnerable system via a binary patch:
>
> Systems running 6.4-RELEASE, 7.1-RELEASE, 7.2-RELEASE, 7.3-RELEASE or
> 8.0-RELEASE on the i386 or amd64 platforms can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_6
>   src/contrib/opie/libopie/readrec.c                         1.1.1.4.14.1
> RELENG_6_4
>   src/UPDATING                                            1.416.2.40.2.14
>   src/sys/conf/newvers.sh                                  1.69.2.18.2.16
>   src/contrib/opie/libopie/readrec.c                         1.1.1.4.26.1
> RELENG_7
>   src/contrib/opie/libopie/readrec.c                              1.2.2.1
> RELENG_7_3
>   src/UPDATING                                             1.507.2.34.2.3
>   src/sys/conf/newvers.sh                                   1.72.2.16.2.5
>   src/contrib/opie/libopie/readrec.c                             1.2.12.2
> RELENG_7_2
>   src/UPDATING                                            1.507.2.23.2.11
>   src/sys/conf/newvers.sh                                  1.72.2.11.2.12
>   src/contrib/opie/libopie/readrec.c                              1.2.8.2
> RELENG_7_1
>   src/UPDATING                                            1.507.2.13.2.15
>   src/sys/conf/newvers.sh                                   1.72.2.9.2.16
>   src/contrib/opie/libopie/readrec.c                              1.2.6.2
> RELENG_8
>   src/contrib/opie/libopie/readrec.c                             1.2.10.2
> RELENG_8_0
>   src/UPDATING                                              1.632.2.7.2.6
>   src/sys/conf/newvers.sh                                    1.83.2.6.2.6
>   src/contrib/opie/libopie/readrec.c                         1.2.10.1.2.2
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/6/                                                         r208586
> releng/6.4/                                                       r208586
> stable/7/                                                         r208586
> releng/7.3/                                                       r208586
> releng/7.2/                                                       r208586
> releng/7.1/                                                       r208586
> stable/8/                                                         r208586
> releng/8.0/                                                       r208586
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1938
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-10:05.opie.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iEYEARECAAYFAkv95R0ACgkQFdaIBMps37KcEwCfXrMzuOs95kBzG822gZYKuCuI
> XrsAniMF+cUbTvzbgPpUb4YdoOte7G8X
> =BChs
> -----END PGP SIGNATURE-----
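
Review bot: the corrected fetch link at the top of this reply covers only opie.patch, while the quoted advisory's second fetch line, for opie.patch.asc, sits in the same SA-10-05 directory. Step 2a asks the reader to verify the detached PGP signature, so the correction should carry a matching -/+ pair for the opie.patch.asc URL, so that both files are fetched from the same location.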
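
The failure mode the quoted advisory describes, a single zero byte written one past the end of a fixed-size buffer and caught by the stack protector, shown as an added example that is not OPIE's code and not part of the original message. `FIELD_MAX`, `GUARD`, `struct frame` and all function names are hypothetical, and the guard byte is a simplified model of a stack canary.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 8      /* hypothetical field limit, not OPIE's constant */
#define GUARD     0xA5   /* constructed stand-in for a stack-protector canary */

/* Model of a stack frame: FIELD_MAX buffer bytes followed by one guard byte.
 * Keeping both in one array makes the one-byte overrun well defined here, so
 * its effect can be observed instead of being undefined behaviour. */
struct frame { unsigned char bytes[FIELD_MAX + 1]; };

static void frame_init(struct frame *f) {
    memset(f->bytes, 'x', FIELD_MAX);
    f->bytes[FIELD_MAX] = GUARD;
}

/* Off-by-one pattern: input is limited to FIELD_MAX characters, but the
 * terminator is then stored at index FIELD_MAX, one past the buffer. */
static void copy_off_by_one(struct frame *f, const char *src) {
    size_t n = strlen(src);
    if (n > FIELD_MAX) n = FIELD_MAX;        /* bound forgets the NUL */
    memcpy(f->bytes, src, n);
    f->bytes[n] = '\0';                      /* n == FIELD_MAX hits the guard */
}

/* Corrected pattern: reserve one buffer byte for the terminator. */
static void copy_bounded(struct frame *f, const char *src) {
    size_t n = strlen(src);
    if (n > FIELD_MAX - 1) n = FIELD_MAX - 1;
    memcpy(f->bytes, src, n);
    f->bytes[n] = '\0';
}

/* Returns 1 if the guard byte is unchanged after copying src, which is the
 * condition a stack protector verifies before a function returns. */
int guard_survives(const char *src, int use_bounded) {
    struct frame f;
    frame_init(&f);
    if (use_bounded) copy_bounded(&f, src);
    else copy_off_by_one(&f, src);
    return f.bytes[FIELD_MAX] == GUARD;
}

int main(void) {
    /* Constructed inputs: a short name, then one at or over the limit. */
    int ok = guard_survives("alice", 0) && !guard_survives("longusername", 0)
             && guard_survives("longusername", 1);
    return ok ? 0 : 1;
}
```

Only inputs of `FIELD_MAX` characters or more reach the guard, which is why such a bug can pass ordinary testing and still let a remote peer abort the process.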