From owner-freebsd-questions@FreeBSD.ORG Wed Aug 6 05:44:57 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E19B37B401 for ; Wed, 6 Aug 2003 05:44:51 -0700 (PDT) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 097B943F93 for ; Wed, 6 Aug 2003 05:44:50 -0700 (PDT) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [127.0.0.1]) h76CicMN025882 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 6 Aug 2003 13:44:45 +0100 (BST) (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk) Received: (from matthew@localhost)h76Cic3Z025877; Wed, 6 Aug 2003 13:44:38 +0100 (BST) (envelope-from matthew) Date: Wed, 6 Aug 2003 13:44:38 +0100 From: Matthew Seaman To: eodyna Message-ID: <20030806124438.GG24051@happy-idiot-talk.infracaninophile.co.uk> Mail-Followup-To: Matthew Seaman , eodyna , freebsd-questions@freebsd.org References: <20030806115140.10667.qmail@web41713.mail.yahoo.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="4ndw/alBWmZEhfcZ" Content-Disposition: inline In-Reply-To: <20030806115140.10667.qmail@web41713.mail.yahoo.com> User-Agent: Mutt/1.5.4i X-Spam-Status: No, hits=-8.3 required=5.0 tests=AWL,EMAIL_ATTRIBUTION,IN_REP_TO,PGP_SIGNATURE_2,REFERENCES, REPLY_WITH_QUOTES,USER_AGENT_MUTT autolearn=ham version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: freebsd-questions@freebsd.org Subject: Re: realpath patch understanding X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Aug 2003 12:44:57 -0000 --4ndw/alBWmZEhfcZ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Aug 06, 2003 at 09:51:39PM +1000, eodyna wrote: > Hi all, >=20 > Im kinda new to FreeBSD (running 4.5 RELEASE) and Im a > bit confused. Im hoping someone can help me understand > what I am doing incorrectly, or point me in a > direction where I can understand what is happening. As > you are all aware a security advisory was released > about realpath. >=20 > I have followed the instructions. > downloaded the patch. verified it. > ran patch < path to patch Did the patch apply cleanly? If there are any .rej files in the vicinity, then they didn't > built KERNCONF > installed KERNCONF The kernel is beside the point here: the bug is in the libc shared library. As instructed you need to rebuild the world and reinstall. Not just the kernel: viz # cd /usr/src # make buildworld buildkernel KERNCONF=3Dfoo # make installkernel KERNCONF=3Dfoo # shutdown -r now [ Interrupt the boot process during the 10 second countdown by pressing any key (other than return) to get to the boot loader prompt.] > boot -s [...various output. Hit return when prompted for the shell to use...] # fsck -p # swapon -a # mount -a # cd /usr/src # make installworld # mergemaster # exit After which the system will continue booting to full multi-user mode. =20 > then i went and checked the UPDATING, the realpath.c > file and the newvers.sh file. According to the email > these files were meant to be corrected. >=20 > The timestamp on the UPDATING and newvers.sh have not > changed. and the realpath.c file indicates that it is > version 1.9 2000/01/27 instead of 1.9.8.1 as indicated > by the advisory. >=20 > Have I done something wrong? or missed the point? I > know i dont really understand it. If someone can > explain it to me or point me in the right direction it > would be very much appreciated. OK. The patches (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch) mentioned in the advisory (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:08.realpat= h.asc) won't alter the UPDATING or newvers.sh files -- as those are essentially documentation and don't have any effect of the resulting functionality of the system, that's nothing to worry about. The patch only affects the realpath.c file, and in that case, it doesn't alter the version number at the top of the file -- mostly because the patch is designed to apply to files from a range of different code branches and hence different version numbers. In fact, the patch consists in it's entirety of a two line change to the realpath.c file: /tmp:% less realpath.patch=20 Index: lib/libc/stdlib/realpath.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/lib/libc/stdlib/realpath.c,v retrieving revision 1.9 diff -c -c -r1.9 realpath.c *** lib/libc/stdlib/realpath.c 27 Jan 2000 23:06:50 -0000 1.9 --- lib/libc/stdlib/realpath.c 3 Aug 2003 17:21:20 -0000 *************** *** 138,144 **** rootd =3D 0; =20 if (*wbuf) { ! if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPA= THLEN) { errno =3D ENAMETOOLONG; goto err1; } --- 138,145 ---- rootd =3D 0; =20 if (*wbuf) { ! if (strlen(resolved) + strlen(wbuf) + (1-rootd) + 1 > ! MAXPATHLEN) { errno =3D ENAMETOOLONG; goto err1; } =20 So, unless that patch was rejected, or you have not managed to recompile and re-install everything, then you will have secured your system against attack via any dynamically linked program that calls realpath(1). As the advisory says, you do need to check for statically linked programs that use realpath(1). There are none in the base system, so it's a case of hunting for statically linked programs installed via ports and re-installing those. Other than by applying the patch manually as you have done, you could have used cvsup(1) to update to the latest sources for whatever branch you prefer. Even though the security branches before 4.7-RELEASE are no longer officially supported, patches were applied to them. In that case, you would see the updated version numbers on the various files mentioned. Note too that 4.5-RELEASE is itself no longer supported and fairly long in the tooth. If the system is security critical then you would be well advised to upgrade it to 4.8-RELEASE-pX as soon as may be: mostly because you'll need to be able to update ports to counter any security holes there, and it's not guarranteed that the latest revisions of the ports system will actually work with older systems. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --4ndw/alBWmZEhfcZ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/MPg2dtESqEQa7a0RAuVkAJ47NXQZoAXiU/CbBvM/pBeTaH81BQCfdBaU rf4H9FX1tSqVuj4aO7KTmFg= =uxua -----END PGP SIGNATURE----- --4ndw/alBWmZEhfcZ--