From owner-freebsd-security Sat Feb 3 10:30: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 7B26137B491; Sat, 3 Feb 2001 10:29:40 -0800 (PST) Received: (from root@localhost) by giganda.komkon.org (8.9.3/8.9.3) id NAA71216; Sat, 3 Feb 2001 13:29:39 -0500 (EST) (envelope-from str) Date: Sat, 3 Feb 2001 13:29:39 -0500 (EST) From: Igor Roshchin Message-Id: <200102031829.NAA71216@giganda.komkon.org> To: security-officer@freebsd.org, security@freebsd.org Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:14.micq Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello! micq packages (at least for 3-stable and 4-stable) are not available yet. Is it that they just haven't been generated yet, or somebody forgot about them ? Just reminding... Thanks. Igor > From owner-freebsd-security-notifications@FreeBSD.ORG Tue Jan 30 04:26:25 2001 > Date: Tue, 30 Jan 2001 01:25:01 -0800 (PST) > From: FreeBSD Security Advisories > To: FreeBSD Security Advisories > Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:14.micq > > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-01:14 Security Advisory > FreeBSD, Inc. > > Topic: micq remote buffer overflow vulnerability > > Category: ports > Module: micq > Announced: 2001-01-29 > Credits: recidjvo@pkcrew.org > Affects: Ports collection prior to the correction date. > Corrected: 2001-01-24 > Vendor status: Updated version released > FreeBSD only: NO > > I. Background > > micq is a text-based ICQ client. > > II. Problem Description > > The micq port, versions prior to 0.4.6.1, contains a remote > vulnerability: due to a buffer overflow, a malicious remote user > sending specially-crafted packets may be able to execute arbitrary > code on the local system with the privileges of the micq process. To > accomplish this, the attacker must be able to sniff the packets > between the micq client and ICQ server in order to gain the session > key to cause the client to accept the malicious packets. > > The micq port is not installed by default, nor is it "part of FreeBSD" > as such: it is part of the FreeBSD ports collection, which contains > over 4500 third-party applications in a ready-to-install format. The > ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this > problem since it was discovered after the releases. > > FreeBSD makes no claim about the security of these third-party > applications, although an effort is underway to provide a security > audit of the most security-critical ports. > > III. Impact > > Malicious remote users may cause arbitrary code to be executed > with the privileges of the micq process. > > If you have not chosen to install the micq port/package, then > your system is not vulnerable to this problem. > > IV. Workaround > > Deinstall the micq port/package, if you have installed it. > > V. Solution > > One of the following: > > 1) Upgrade your entire ports collection and rebuild the micq port. > > 2) Deinstall the old package and install a new package dated after the > correction date, obtained from: > > [i386] > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/micq-0.4.6.1.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/micq-0.4.6.1.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/micq-0.4.6.1.tgz > > [alpha] > Packages are not automatically generated for the alpha architecture at > this time due to lack of build resources. > > 3) download a new port skeleton for the micq port from: > > http://www.freebsd.org/ports/ > > and use it to rebuild the port. > > 4) Use the portcheckout utility to automate option (3) above. The > portcheckout port is available in /usr/ports/devel/portcheckout or the > package can be obtained from: > > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.4 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iQCVAwUBOnXfalUuHi5z0oilAQEhPQP/aq4wwNE4IFedgd2Fz8IEZo+cfiu5dsPa > P1fNoylanm+TbLBEV+hJwjt5lBQHQoEmMh3efz2x7foj42QMP6YPtw6WPcwbXtVQ > uTSra4+3Ck2NdO+5WDju2X0kMbIBWJMCAPrGEpr/EkNbJRu76Ojp6Cw31WBx17X7 > BwLriuu9c9I= > =Iluh > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security-notifications" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message