From owner-freebsd-questions  Thu Jun 21  2:51:43 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hotmail.com (f295.pav1.hotmail.com [64.4.30.170])
	by hub.freebsd.org (Postfix) with ESMTP id 5AD6937B409
	for <freebsd-questions@freebsd.org>; Thu, 21 Jun 2001 02:51:34 -0700 (PDT)
	(envelope-from bsdforumen@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Thu, 21 Jun 2001 02:51:34 -0700
Received: from 212.30.183.2 by pv1fd.pav1.hotmail.msn.com with HTTP;	Thu, 21 Jun 2001 09:51:33 GMT
X-Originating-IP: [212.30.183.2]
From: "Magdalinin Kirill" <bsdforumen@hotmail.com>
To: freebsd-questions@freebsd.org
Cc: bio.metrix@gte.net
Subject: Re: server stopped responding
Date: Thu, 21 Jun 2001 13:51:33 +0400
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F2956AmX3qrB0Xn2Pi100006d3f@hotmail.com>
X-OriginalArrivalTime: 21 Jun 2001 09:51:34.0037 (UTC) FILETIME=[C1593C50:01C0FA37]
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Hello,

I downloaded glob.4.x.patch, but when I run

cd /usr/src
patch -p < /download/glob.4.x.patch

I get:

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: include/glob.h
|===================================================================
|RCS file: /home/ncvs/src/include/glob.h,v
|--- include/glob.h     1998/02/25 02:15:59     1.3
|+++ include/glob.h     2001/03/21 14:33:56     1.3.6.1
--------------------------
File to patch: /usr/src/include/glob.h
No file found--skip this patch? [n]


What is wrong?

Thanks for helping me,

Kirill Magdalinin
magcyril@hotmail.com

>From: "biometrix" <bio.metrix@gte.net>
>To: "Magdalinin Kirill" <bsdforumen@hotmail.com>
>Subject: Re: server stopped responding
>Date: Wed, 20 Jun 2001 12:15:43 -0500
>
>Not sure if it's related, or if you patched it but:
>
>============================================================================
>=
>FreeBSD-SA-01:33                                           Security 
>Advisory
>                                                                 FreeBSD,
>Inc.
>
>Topic:          globbing vulnerability in ftpd [REVISED]
>
>Category:       core
>Module:         ftpd/libc
>Announced:      2001-04-17
>Revised:        2001-04-19
>Credits:        John McDonald and Anthony Osborne, COVERT Labs
>Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
>                 FreeBSD 3.5-STABLE and 4.3-RC prior to the
>                 correction date.
>Corrected:      2001-04-17 (FreeBSD 4.3-RC)
>                 2001-04-17 (FreeBSD 3.5-STABLE)
>Vendor status:  Corrected
>FreeBSD only:   NO
>
>0.   Revision History
>
>2001-04-17  v1.0  Initial release
>2001-04-19  v1.1  Corrected patch and patch instructions
>
>I.   Background
>
>Numerous FTP daemons, including the daemon distributed with FreeBSD,
>use server-side globbing to expand pathnames via user input.  This
>globbing is performed by FreeBSD's glob() implementation in libc.
>
>II.  Problem Description
>
>The glob() function contains potential buffer overflows that may be
>exploitable through the FTP daemon.  If a directory with a name of
>a certain length is present, a remote user specifying a pathname
>using globbing characters may cause arbitrary code to be executed
>on the FTP server as user running ftpd, usually root.
>
>Additionally, when given a path containing numerous globbing
>characters, the glob() functions may consume significant system
>resources when expanding the path.  This can be controlled by
>setting user limits via /etc/login.conf and setting limits on
>globbing expansion.
>
>All versions of FreeBSD prior to the correction date, including
>FreeBSD 3.5.1 and 4.2 contain this problem.  The base system that
>will ship with FreeBSD 4.3 does not contain this problem since it
>was corrected before the release.
>
>III. Impact
>
>Remote users may be able to execute arbitrary code on the FTP server
>as the user running ftpd, usually root.
>
>The FTP daemon supplied with FreeBSD is enabled by default to allow
>access to authorized local users and not anonymous users, thus
>limiting the impact to authorized local users.
>
>IV.  Workaround
>
>If the FTP daemon is executed from inetd, disable the FTP daemon by
>commenting out the ftp line in /etc/inetd.conf, then reload the
>inetd configuration by executing the following command as root:
>
># killall -HUP inetd
>
>V.   Solution
>
>One of the following:
>
>1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction
>date.
>
>2) Download the patch and detached PGP signature from the following
>location:
>
>The following patch applies to FreeBSD 4.x:
>
># fetch
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
># fetch
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc
>
>The following patch applies to FreeBSD 3.x:
>
># fetch
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch
># fetch
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc
>
>Verify the detached signature using your PGP utility.
>
>Issue the following commands as root:
>
># cd /usr/src
># patch -p < /path/to/patch
># cp /usr/src/include/glob.h /usr/include/
># cd /usr/src/lib/libc
># make all install
># cd /usr/src/libexec/ftpd
># make all install
>
>If the FTP daemon is running standalone, it will have to be manually
>stopped and restarted.
>
>---------
>
>----- Original Message -----
>From: "Magdalinin Kirill" <bsdforumen@hotmail.com>
>To: <freebsd-questions@freebsd.org>
>Cc: <freebsd-security@freebsd.org>
>Sent: Wednesday, June 20, 2001 11:39 AM
>Subject: server stopped responding
>
>
> > Hello,
> >
> > I have 4.1 Release box that today suddenly stopped responding
> > except for ping command. I could not connect to it via http,
> > ssh, ftp or telnet. Then it was rebooted by our hosting enginer
> > and then I found just a few clues in the logs.
> >
> > last shows that
> >
> > some_login ftp xxx.xxx.xxx.xxx Wed Jun 20 16:06 - crash(02:26)
> >
> > which was the last record before it was rebooted.
> >
> > no errors in /var/log/messages
> >
> > apache caught a couple of errors before it stopped responding:
> >
> > (54)Connection reset by peer: getsockname
> >
> > Does anyone have any explanations or ideas what it was?
> > What else should I look for?
> >
> > Please, send copy to my email address.
> >
> > Thanks in advance,
> >
> > Kirill Magdalinin
> > magcyril@hotmail.com
> > 
>_________________________________________________________________________
> > Get Your Private, Free E-mail from MSN Hotmail at 
>http://www.hotmail.com.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message