From owner-freebsd-ports Mon Aug 24 05:30:13 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA18573 for freebsd-ports-outgoing; Mon, 24 Aug 1998 05:30:13 -0700 (PDT) (envelope-from owner-freebsd-ports@FreeBSD.ORG) Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA18499 for ; Mon, 24 Aug 1998 05:30:05 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id FAA25570; Mon, 24 Aug 1998 05:30:01 -0700 (PDT) Received: from odin.sat.t.u-tokyo.ac.jp (odin.sat.t.u-tokyo.ac.jp [133.11.156.40]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA18397 for ; Mon, 24 Aug 1998 05:29:39 -0700 (PDT) (envelope-from hideyuki@sat.t.u-tokyo.ac.jp) Received: by odin.sat.t.u-tokyo.ac.jp (8.8.8/8.7.3) id VAA11850; Mon, 24 Aug 1998 21:28:52 +0900 (JST) Message-Id: <199808241228.VAA11850@odin.sat.t.u-tokyo.ac.jp> Date: Mon, 24 Aug 1998 21:28:52 +0900 (JST) From: Hideyuki Suzuki Reply-To: hideyuki@sat.t.u-tokyo.ac.jp To: FreeBSD-gnats-submit@FreeBSD.ORG X-Send-Pr-Version: 3.2 Subject: ports/7736: security problem in wide-dhcp port. Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 7736 >Category: ports >Synopsis: security problem in wide-dhcp port. >Confidential: yes >Severity: serious >Priority: high >Responsible: freebsd-ports >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Mon Aug 24 05:30:00 PDT 1998 >Last-Modified: >Originator: Hideyuki Suzuki >Organization: The Univ. of Tokyo, Japan. >Release: FreeBSD 2.2.7-STABLE i386 >Environment: ports-current >Description: I'm a maintainer of ports/net/wide-dhcp. The following problem of wide-dhcp was notified by Oleg Safiullin : (thanks!) we see fopen(ADDRPOOL_DUMP, "w+") without checking if file exist, so any user can do the following thing for example: ln -s /etc/master.passwd /tmp/addrpool_dump and dhcps will overwrite /etc/master.passwd on startup or SIGUSR2. >How-To-Repeat: See the description above. >Fix: Apply the following patch. Modified file: patches/patch-af Added file: patches/patch-bh diff -urN wide-dhcp.orig/patches/patch-af wide-dhcp/patches/patch-af --- wide-dhcp.orig/patches/patch-af Sun May 3 00:14:46 1998 +++ wide-dhcp/patches/patch-af Mon Aug 24 21:00:16 1998 @@ -1,5 +1,5 @@ --- server/dhcps.c.orig Tue Aug 19 16:14:39 1997 -+++ server/dhcps.c Wed Apr 22 01:15:19 1998 ++++ server/dhcps.c Mon Aug 24 20:59:39 1998 @@ -61,6 +61,12 @@ #ifndef sun #include @@ -13,3 +13,11 @@ #include #include #include +@@ -526,6 +532,7 @@ + syslog(LOG_ERR, "Cannot open the binding database \"%s\"", binding_db); + exit(1); + } ++ unlink(ADDRPOOL_DUMP); + if ((dump_fp = fopen(ADDRPOOL_DUMP, "w+")) == NULL) { + syslog(LOG_ERR, "Cannot open the resource dump file \"%s\"",ADDRPOOL_DUMP); + exit(1); diff -urN wide-dhcp.orig/patches/patch-bh wide-dhcp/patches/patch-bh --- wide-dhcp.orig/patches/patch-bh Thu Jan 1 09:00:00 1970 +++ wide-dhcp/patches/patch-bh Mon Aug 24 20:55:25 1998 @@ -0,0 +1,10 @@ +--- server/database.c.orig Tue Aug 19 16:00:36 1997 ++++ server/database.c Mon Aug 24 20:54:25 1998 +@@ -124,6 +124,7 @@ + { + struct hash_member *resptr = NULL; + ++ unlink(ADDRPOOL_DUMP); + if ((dump_fp = freopen(ADDRPOOL_DUMP, "w+", dump_fp)) == NULL) { + syslog(LOG_WARNING, + "Cannot reopen the address pool dump file \"%s\"", ADDRPOOL_DUMP); >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message