Date:      Mon, 24 Aug 1998 21:28:52 +0900 (JST)
From:      Hideyuki Suzuki <hideyuki@sat.t.u-tokyo.ac.jp>
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   ports/7736: security problem in wide-dhcp port.
Message-ID:  <199808241228.VAA11850@odin.sat.t.u-tokyo.ac.jp>


>Number:         7736
>Category:       ports
>Synopsis:       security problem in wide-dhcp port.
>Confidential:   yes
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 24 05:30:00 PDT 1998
>Last-Modified:
>Originator:     Hideyuki Suzuki
>Organization:
The Univ. of Tokyo, Japan.
>Release:        FreeBSD 2.2.7-STABLE i386
>Environment:

ports-current

>Description:

I'm a maintainer of ports/net/wide-dhcp.
The following problem in wide-dhcp was reported
by Oleg Safiullin <form@vs.itam.nsc.ru>: (thanks!)

We see fopen(ADDRPOOL_DUMP, "w+") without checking if the file exists, so any user
can do the following thing, for example:

ln -s /etc/master.passwd /tmp/addrpool_dump

and dhcps will overwrite /etc/master.passwd on startup or SIGUSR2.

>How-To-Repeat:

See the description above.

>Fix:

Apply the following patch.

Modified file:
  patches/patch-af
Added file:
  patches/patch-bh


diff -urN wide-dhcp.orig/patches/patch-af wide-dhcp/patches/patch-af
--- wide-dhcp.orig/patches/patch-af	Sun May  3 00:14:46 1998
+++ wide-dhcp/patches/patch-af	Mon Aug 24 21:00:16 1998
@@ -1,5 +1,5 @@
 --- server/dhcps.c.orig	Tue Aug 19 16:14:39 1997
-+++ server/dhcps.c	Wed Apr 22 01:15:19 1998
++++ server/dhcps.c	Mon Aug 24 20:59:39 1998
 @@ -61,6 +61,12 @@
  #ifndef sun
  #include <net/bpf.h>
@@ -13,3 +13,11 @@
  #include <netinet/in_systm.h>
  #include <netinet/in.h>
  #include <netinet/ip.h>
+@@ -526,6 +532,7 @@
+     syslog(LOG_ERR, "Cannot open the binding database \"%s\"", binding_db);
+     exit(1);
+   }
++  unlink(ADDRPOOL_DUMP);
+   if ((dump_fp = fopen(ADDRPOOL_DUMP, "w+")) == NULL) {
+     syslog(LOG_ERR, "Cannot open the resource dump file \"%s\"",ADDRPOOL_DUMP);
+     exit(1);
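Review bot: the unlink(ADDRPOOL_DUMP) added directly above fopen(ADDRPOOL_DUMP, "w+") narrows the symlink problem but does not close it. The two calls are separate steps, so a local user can recreate the link at that path between them, and fopen() in "w+" mode will still follow it. The return value of unlink() is also ignored, so a failure other than the file being absent goes unnoticed. Consider creating the file with open() using O_CREAT | O_EXCL and wrapping the descriptor with fdopen(), or moving the dump file out of /tmp (the location shown in the report) into a directory only the daemon can write.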
diff -urN wide-dhcp.orig/patches/patch-bh wide-dhcp/patches/patch-bh
--- wide-dhcp.orig/patches/patch-bh	Thu Jan  1 09:00:00 1970
+++ wide-dhcp/patches/patch-bh	Mon Aug 24 20:55:25 1998
@@ -0,0 +1,10 @@
+--- server/database.c.orig	Tue Aug 19 16:00:36 1997
++++ server/database.c	Mon Aug 24 20:54:25 1998
+@@ -124,6 +124,7 @@
+ {
+   struct hash_member *resptr = NULL;
+ 
++  unlink(ADDRPOOL_DUMP);
+   if ((dump_fp = freopen(ADDRPOOL_DUMP, "w+", dump_fp)) == NULL) {
+     syslog(LOG_WARNING,
+ 	   "Cannot reopen the address pool dump file \"%s\"", ADDRPOOL_DUMP);
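Review bot: in database.c the new unlink(ADDRPOOL_DUMP) before freopen(ADDRPOOL_DUMP, "w+", dump_fp) leaves the same gap between removing the path and reopening it, and freopen() takes a path, so it cannot be handed a descriptor that was opened exclusively. Suggest closing dump_fp and recreating the file with open(O_CREAT | O_EXCL) plus fdopen(), treating EEXIST as an error. Also, a failure here is only logged at LOG_WARNING while dump_fp has just been assigned NULL; the lines after the syslog call are not shown, so please confirm dump_fp is not used after that point.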
>Audit-Trail:
>Unformatted:
