From: "Jacques A. Vidrine"
Date: Mon, 4 Aug 2003 16:00:17 -0500
To: Eugene Grosbein, Christoph Moench-Tegeder, Peter Jeremy
Cc: FreeBSD Security, security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Message-ID: <20030804210016.GB10339@madman.celabo.org>

On Mon, Aug 04, 2003 at 04:37:22PM +0800, Eugene Grosbein wrote:
> FreeBSD Security Advisories wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > =============================================================================
> > FreeBSD-SA-03:08.realpath                                   Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          Single byte buffer overflow in realpath(3)
>
> Hi! I do not see fix for RELENG_4 not in this advisory nor in the Repo.
> Please MFC to RELENG_4 too.

RELENG_4 does not currently suffer from the bug, because it has a
different realpath implementation.

On Mon, Aug 04, 2003 at 10:50:19AM +0200, Christoph Moench-Tegeder wrote:
> : Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
> :                 and 5.0-RELEASE
> :                 FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
>                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I guess rev. 1.9.2.1 of realpath.c fixed the problem more or less
> by accident.

Right, that was a new realpath implementation from -CURRENT.

On Mon, Aug 04, 2003 at 08:11:30PM +1000, Peter Jeremy wrote:
> On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
> >Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
> >                and 5.0-RELEASE
> >                FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> ...
> >V.   Solution
> >
> >1) Upgrade your vulnerable system to 4.8-STABLE
> >or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> >(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> >dated after the respective correction dates.
>
> I found the reference to RELENG_5_1 in the "Solutions" section but no
> reference to 5.1-RELEASE in the "Affects" section somewhat confusing.

I don't understand how to be more clear.  5.1-RELEASE is not affected,
so of course it is not listed in `Affects'.

> This is compounded by the failure to mention RELENG_5_0 in the
> "Solutions" section.

RELENG_5_1, RELENG_4_8, and RELENG_4_7 are the currently supported
security branches, so that is why they are listed in the `Solution'
section.  RELENG_5_0 is not a currently supported security branch, and
I would not recommend that anyone upgrade to an old security branch.
Please see the table at http://www.freebsd.org/security/ or my
announcement in this forum dated July 14.

> I gather that 5.1-RELEASE is not vulnerable due
> to the realpath() rewrite in 1.14.

That's correct, 5.1-RELEASE is not vulnerable, which is why it is not
listed in the `Affects' section.

> May I suggest that in future, when a release is not vulnerable due to
> code rewrites or similar, this fact be explicitly mentioned.  IMHO,
> it's far better to err on the side of caution when dealing with
> security issues.

Thank you for the suggestion.  Would you care to post _exactly_ what
wording you think would be better?  I cannot think of a way to do so
without being redundant or misleading.  I have no desire to add a
``Not affected:'' line.  Especially at times when we have two -STABLE
branches (as we will soon for 4.x and 5.x), it will be common that
there is a bug in one release but not another higher-numbered one.

I think that if one takes the `Affects' lines (and the rest of the
advisory) at face value, without second-guessing, that it is crystal
clear what versions of FreeBSD are affected.  But of course I would :-)

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se