Date: Wed, 5 Jul 2000 16:02:39 -0700 (PDT) From: FreeBSD Security Advisories <security-advisories@freebsd.org> Subject: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit Message-ID: <20000705230239.8E2CF37B8B6@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:24 Security Advisory FreeBSD, Inc. Topic: libedit reads config file from current directory Category: core Module: libedit Announced: 2000-07-05 Affects: All versions of FreeBSD prior to the correction date Credits: Tim Vanderhoek <hoek@FreeBSD.org> Vendor status: Notified Corrected: 2000-05-22 FreeBSD only: NO I. Background libedit is a library of routines for providing command editing and history retrieval for interactive command-oriented programs. II. Problem Description libedit incorrectly reads an ".editrc" file in the current directory if it exists, in order to specify configurable program behaviour. However it does not check for ownership of the file, so an attacker can cause a libedit application to execute arbitrary key rebindings and exercise terminal capabilities by creating an .editrc file in a directory from which another user executes a libedit binary (e.g. root running ftp(1) from /tmp). This can be used to fool the user into unknowingly executing program commands which may compromise system security. For example, ftp(1) includes the ability to escape to a shell and execute a command, which can be done under libedit control. The supplied patch removes this behaviour and causes libedit to only search for its configuration file in the home directory of the user, if it exists and the binary is not running with increased privileges (i.e. setuid or setgid). FreeBSD 3.5-RELEASE is not affected by this vulnerability, although 4.0-RELEASE is affected since the problem was discovered after it was released. III. Impact An attacker can cause a user to execute arbitrary commands within a program which is run from a directory to which the attacker has write access, potentially leading to system compromise if run as a privileged user (such as root). IV. Workaround Do not interactively run utilities which link against libedit from directories which can be written to by other users. To identify utilities which link dynamically against libedit, download the libfind tool and detached PGP signature as follows: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh.asc Verify the detached signature using your PGP utility. Run the libfind.sh tool as root, as follows: # sh libfind.sh libedit / Note that it is not feasible to locate utilities which link statically against libedit since there are no common strings embedded in such binaries. However the following is believed to be a complete list of statically and dynamically linked FreeBSD system utilities which link against the library: /bin/sh /sbin/fsdb /usr/bin/ftp /usr/sbin/cdcontrol /usr/sbin/lpc /usr/sbin/nslookup /usr/sbin/pppctl Because libedit is not a portable library in common use there are unlikely to be many FreeBSD ports which link statically against it: no such ports are known at this time. V. Solution One of the following: 1) Upgrade your vulnerable system to a version dated after the correction date. 2) Save the advisory into a file or download the patch and detached PGP signature: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch.asc Verify the detached PGP signature using your PGP utility. Apply the patch and rebuild as follows: # cd /usr/src/lib/libedit # patch -p < /path/to/patch/or/advisory and rebuild your system as described in http://www.freebsd.org/handbook/makeworld.html --- el.c 1999/08/20 01:17:12 1.6 +++ el.c 2000/05/22 05:55:22 1.7 @@ -290,13 +294,10 @@ char *ptr, path[MAXPATHLEN]; if (fname == NULL) { - fname = &elpath[1]; - if ((fp = fopen(fname, "r")) == NULL) { - if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL) - return -1; - (void)snprintf(path, sizeof(path), "%s%s", ptr, elpath); - fname = path; - } + if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL) + return -1; + (void) snprintf(path, sizeof(path), "%s%s", ptr, elpath); + fname = path; } if ((fp = fopen(fname, "r")) == NULL) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOWGmz1UuHi5z0oilAQF1rwP/QhuVAAmc1873YHkhTS8kMTPR63HoIlkc 8VRgf0PU6Z3AObVq6fjt3ZikCUXf7d8NhiTqRdL1Cb/Koai56yP+E5Fqbt2U5JCC cNbWIlI8NYKxAybgOsx+9EJGSnGfrjjjvxG6MguwcyJ+W1DS3M41mDzv8C1hdpqw /QAi9qToH+Q= =TlZc -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000705230239.8E2CF37B8B6>