Date: Sun, 30 Apr 2000 15:52:48 +0200
From: Andreas Klemm
To: Kris Kennaway
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/print/apsfilter/patches patch-aa
Message-ID: <20000430155248.B60564@titan.klemm.gtn.com>
References: <200004291348.GAA68598@freefall.freebsd.org>
In-Reply-To: ; from kris@FreeBSD.org on Sat, Apr 29, 2000 at 01:01:40PM -0700

On Sat, Apr 29, 2000 at 01:01:40PM -0700, Kris Kennaway wrote:
> On Sat, 29 Apr 2000, Andreas Klemm wrote:
>
> > andreas     2000/04/29 06:48:32 PDT
> >
> >   Added files:
> >     print/apsfilter/patches patch-aa
> >   Log:
> >   Add security patch
>
> Can you explain this more? Does it require an advisory?

Yes, should be done:

---------------------------------------------------------------------
apsfilter users on a "single user Unix system" should simply upgrade
to 5.4.1 and "may" apply the apsfilter security fix which is available
from my homepage.

System administrators of Unix servers having many user accounts running
apsfilter V 5.2.x - 5.3.3 (5.4.0 never has been introduced to a larger
audience) should upgrade to apsfilter 5.4.1 and apply the security patch
or wait 1 or 2 days to upgrade to apsfilter 5.4.2 which is a
(hopefully ;-) stable and secure release.
---------------------------------------------------------------------

Explanation:

apsfilter before apsfilter 5.2.x (rather old) sourced user customizable
apsfilter initialization files during runtime of the print job (input
filter), i.e.:

	. $HOME/.apsfilterrc

So there was the possibility to abuse the apsfilter configuration file,
which runs under the UID and GID of lpd.

To prevent this abuse and make apsfilter secure for general use, the
configuration variable INSECURE had been introduced with apsfilter 5.2.0
and later, default: not set.

When the administrator sets INSECURE to true, user customizable apsfilter
config files were still possible for "ease of use" on systems where
security isn't an issue ("single User" server).

Starting with apsfilter 5.2.x and later the method of reading apsfilter
environment variables has changed from "sourcing during runtime" to
"scanning config files using awk" for certain fixed variable names.

This method of "scanning with awk" was thought to be secure, so the
INSECURE variable vanished with apsfilter 5.2.0 and later.

But this is not true. So the INSECURE variable has been re-introduced
with apsfilter 5.4.1.

Unfortunately the fix hasn't been complete, so 5.4.1 is still affected
and insecure by default. So for 5.4.1 the security patch has to be
applied to make apsfilter secure.

The apsfilter port in the FreeBSD ports collection has been updated
recently, so possibly only few FreeBSD users are affected by the bug,
when having installed apsfilter by ports collection.

apsfilter 5.4.2 will be released soon, to have a complete secure
version around.

My experience from download statistics is that most people don't
download patches ;-)

------------------------------------------------------------------------
The problem: some of the variables are evaluated during runtime:

	eval $VAR

This still gives the possibility to start trojan or attack programs.
------------------------------------------------------------------------

-- 
Andreas Klemm                       http://people.FreeBSD.ORG/~andreas
http://www.freebsd.org/~fsmp/SMP/SMP.html
powered by Symmetric MultiProcessor FreeBSD
New APSFILTER 541 and songs from our band - http://people.freebsd.org/~andreas
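
The `eval $VAR` problem described in the message above, as an added example that is not part of the original e-mail and is not apsfilter code: a value scanned out of a config file with awk still executes once it reaches `eval`, while an allowlist check keeps it as inert data. The function names, the PRINTER_OPTS key and the sample config file are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. read_var, safe_value, demo and the PRINTER_OPTS key are
# hypothetical names, not taken from apsfilter.

# Read one fixed variable name from a config file without sourcing the file.
# The last KEY=value line wins; surrounding double quotes are stripped.
read_var() {  # $1 = config file, $2 = variable name
    awk -F= -v key="$2" '
        $1 == key { v = $0; sub(/^[^=]*=/, "", v); gsub(/^"|"$/, "", v); val = v }
        END { print val }' "$1"
}

# Allowlist check: accept only characters that have no meaning to the shell.
safe_value() {  # $1 = value read from the config file
    case "$1" in
        "" | *[!A-Za-z0-9_./=:,-]*) return 1 ;;
    esac
    return 0
}

# Constructed sample input: a user-writable config whose value carries a
# second command behind a semicolon. The command only creates a marker file.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'PRINTER_OPTS="-dSAFER; touch %s/marker"\n' "$dir" > "$dir/apsfilterrc"
    val=$(read_var "$dir/apsfilterrc" PRINTER_OPTS)

    # Pattern described in the message: the scanned value reaches eval, so
    # the text after the semicolon runs with the filter's privileges.
    ( eval "set -- $val" ) 2>/dev/null
    if [ -e "$dir/marker" ]; then evaled=command-ran; else evaled=inert; fi

    # Hardened form: validate first, then use the value only as data.
    if safe_value "$val"; then
        set -- "$val"; hardened=accepted
    else
        hardened=rejected
    fi
    rm -rf "$dir"
    echo "eval=$evaled hardened=$hardened"
}

demo
```

Scanning with awk only changes how the value is read; the privilege boundary is crossed at the `eval`, which is why the check has to sit between the two.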