Date:      Sun, 30 Apr 2000 15:52:48 +0200
From:      Andreas Klemm <andreas@klemm.gtn.com>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: ports/print/apsfilter/patches patch-aa
Message-ID:  <20000430155248.B60564@titan.klemm.gtn.com>
In-Reply-To: <Pine.BSF.4.21.0004291301250.16747-100000@freefall.freebsd.org>; from kris@FreeBSD.org on Sat, Apr 29, 2000 at 01:01:40PM -0700
References:  <200004291348.GAA68598@freefall.freebsd.org> <Pine.BSF.4.21.0004291301250.16747-100000@freefall.freebsd.org>

On Sat, Apr 29, 2000 at 01:01:40PM -0700, Kris Kennaway wrote:
> On Sat, 29 Apr 2000, Andreas Klemm wrote:
> 
> > andreas     2000/04/29 06:48:32 PDT
> > 
> >   Added files:
> >     print/apsfilter/patches patch-aa 
> >   Log:
> >   Add security patch
> 
> Can you explain this more? Does it require an advisory?

Yes, should be done:

---------------------------------------------------------------------

apsfilter users on a "single user Unix system" should simply upgrade
to 5.4.1 and "may" apply the apsfilter security fix which
is available from my homepage.

System administrators of Unix servers with many user accounts
running apsfilter V 5.2.x - 5.3.3 (5.4.0 was never introduced
to a larger audience) should upgrade to apsfilter 5.4.1 and apply
the security patch, or wait 1 or 2 days to upgrade to apsfilter 5.4.2,
which is a (hopefully ;-) stable and secure release.

---------------------------------------------------------------------
Explanation:

apsfilter before apsfilter 5.2.x (rather old) sourced user
customizable apsfilter initialization files during the runtime of a
print job (input filter), i.e.:
	. $HOME/.apsfilterrc

So there was the possibility to abuse the apsfilter configuration
file, which runs under the UID and GID of lpd.

To prevent this abuse and make apsfilter secure for general use,
the configuration variable INSECURE was introduced with apsfilter
5.2.0 and later, default: not set.
When the administrator sets INSECURE to true, user customizable apsfilter
config files were still possible for "ease of use" on systems
where security isn't an issue ("single user" server).

Starting with apsfilter 5.2.x and later, the method of reading
apsfilter environment variables has changed from "sourcing during runtime"
to "scanning config files using awk" for certain fixed variable names.
This method of "scanning with awk" was thought to be secure, so the
INSECURE variable vanished with apsfilter 5.2.0 and later.

But this is not true. So the INSECURE variable has been re-introduced
with apsfilter 5.4.1. Unfortunately the fix wasn't complete, so
5.4.1 is still affected and insecure by default.

So for 5.4.1 the security patch has to be applied to make apsfilter secure.

The apsfilter port in the FreeBSD ports collection was updated just
recently, so possibly only a few FreeBSD users are affected by the bug
if they installed apsfilter from the ports collection.

apsfilter 5.4.2 will be released soon, to have a completely secure
version around. My experience from download statistics is that most
people don't download patches ;-)

------------------------------------------------------------------------

The problem: some of the variables are evaluated during runtime:

	eval $VAR

This still makes it possible to start trojan or attack programs.

------------------------------------------------------------------------

-- 
Andreas Klemm                               http://people.FreeBSD.ORG/~andreas
                                     http://www.freebsd.org/~fsmp/SMP/SMP.html
                                   powered by Symmetric MultiProcessor FreeBSD
New APSFILTER 541 and songs from our band - http://people.freebsd.org/~andreas
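The three stages described in the message (sourcing `$HOME/.apsfilterrc` outright, then scanning it with awk for fixed variable names, then handing the matched line to `eval`), as an added shell example that is not apsfilter's own code and not the 5.4.1 security patch. The config file, the variable names RESOLUTION and PAPER, and the marker file are constructed for the demo; `load_secure` is one possible hardening (strict character whitelist, assignment to a fixed name without eval), not the fix the project shipped.

```shell
#!/bin/sh
# Added example (not apsfilter's own code): why "scan the config with awk,
# then eval the matched line" is no safer than sourcing the file outright.
# Assumptions: a writable temp dir, and two fixed variable names (RESOLUTION,
# PAPER) standing in for the names an input filter would really look up.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RC="$WORK/apsfilterrc"   # constructed stand-in for a user's $HOME/.apsfilterrc
MARK="$WORK/pwned"       # side effect the hostile config tries to produce

# Constructed sample config. Only PAPER carries a payload: a command
# substitution that runs with the privileges of whoever evaluates the line
# (in apsfilter's case, the UID/GID of lpd).
cat > "$RC" <<'EOF'
# user printer settings
RESOLUTION=300
PAPER=a4$(touch "$MARK")
EOF

# Pre-5.2 behaviour: source the user's file. Everything in it runs.
load_by_sourcing() {          # $1 = config file
    . "$1"
}

# Post-5.2 behaviour, step 1: "scanning config files using awk for certain
# fixed variable names". Returns only the NAME=VALUE line for NAME.
scan_var() {                  # $1 = config file, $2 = variable name
    awk -v name="$2" -F= '$1 == name { print; exit }' "$1"
}

# Post-5.2 behaviour, step 2 (the bug): the scanned line goes to eval, so
# $(...), backticks, ';' and friends inside the VALUE still execute.
load_insecure() {             # $1 = config file, $2 = variable name
    VAR=$(scan_var "$1" "$2")
    eval "$VAR"
}

# One way to harden it: split NAME=VALUE ourselves, accept only a
# conservative character set, and assign to the fixed name with no eval.
# Returns 1 and sets nothing if the value is missing or contains anything else.
load_secure() {               # $1 = config file, $2 = variable name
    line=$(scan_var "$1" "$2")
    value=${line#*=}
    case "$value" in
        ''|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    case "$2" in
        RESOLUTION) RESOLUTION=$value ;;
        PAPER)      PAPER=$value ;;
        *)          return 1 ;;
    esac
}

# Each demo returns 0 when the path behaves as described in the comments.
demo_sourcing() {   # hostile command ran
    rm -f "$MARK"; load_by_sourcing "$RC"; [ -e "$MARK" ]
}
demo_insecure() {   # hostile command ran even though only PAPER was extracted
    rm -f "$MARK"; load_insecure "$RC" PAPER; [ -e "$MARK" ]
}
demo_secure() {     # value rejected, nothing ran
    rm -f "$MARK"
    if load_secure "$RC" PAPER; then return 1; fi
    [ ! -e "$MARK" ]
}

demo_sourcing && echo "sourcing:  payload executed"
demo_insecure && echo "awk+eval:  payload executed (PAPER=$PAPER)"
demo_secure   && echo "hardened:  PAPER rejected, nothing executed"
load_secure "$RC" RESOLUTION && echo "hardened:  RESOLUTION=$RESOLUTION"
```

The awk scan does filter out arbitrary lines, which is why it looked like a fix, but the value it returns is still untrusted text; the moment it reaches `eval`, the attacker gets the same shell the old `. $HOME/.apsfilterrc` gave them. The hardened path keeps the scan and drops the eval: the name is chosen by the script, not the file, and the value must match a whitelist before it is assigned.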


