From owner-freebsd-announce Tue May 9 12:15:28 2000 Delivered-To: freebsd-announce@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 385BC37BEA3; Tue, 9 May 2000 12:15:12 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:16.golddig Reply-To: security-officer@freebsd.org From: FreeBSD Security Officer Message-Id: <20000509191512.385BC37BEA3@hub.freebsd.org> Date: Tue, 9 May 2000 12:15:12 -0700 (PDT) Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:16 Security Advisory FreeBSD, Inc. Topic: golddig port allows users to overwrite local files Category: ports Module: golddig Announced: 2000-05-09 Credits: Discovered during internal ports collection auditing. Affects: Ports collection. Corrected: 2000-04-30 Vendor status: Email bounced. FreeBSD only: NO I. Background Golddig is an X11 game provided as part of the FreeBSD ports collection. II. Problem Description The golddig port erroneously installs a level-creation utility setuid root, which allows users to overwrite the contents of arbitrary local files. It is not believed that any elevation of privileges is possible with this vulnerability because the contents of the file are a textual representation of a golddig game level which is highly constrained. The golddig port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact An unprivileged local user can overwrite the contents of any file, although they are restricted in the possible contents of the new file. If you have not chosen to install the golddig port/package, then your system is not vulnerable to this problem. IV. Workaround One of the following: 1) Deinstall the golddig port/package, if you you have installed it. 2) Remove the setuid bit from /usr/local/bin/makelev. This will mean unprivileged users cannot create or modify golddig levels except in their own directories. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the golddig port. 2) Reinstall a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/games/golddig-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/games/golddig-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/games/golddig-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/games/golddig-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/games/golddig-2.0.tgz Note: it may be several days before the updated packages are available. 3) download a new port skeleton for the golddig port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBORhjV1UuHi5z0oilAQHa4AP8D5QZo+zNieNemPMfMW77JIxsHtCHCg+M MEG6CkJ6QOZlwJ8Mav1ExMyQywWncccgkazBFyK2KG5rAqpxX4KMZ+C3zfysTraS cHVCVBw73yx0t53/FnvoR3yqtI+GdmhPaw9X3icCtp9st3hiSMF759yPqOUKBbIu JFgdfAuXaqs= =Pxca -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Tue May 9 12:21:20 2000 Delivered-To: freebsd-announce@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 5712437BFB7; Tue, 9 May 2000 12:20:49 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo Reply-To: security-officer@freebsd.org From: FreeBSD Security Officer Message-Id: <20000509192049.5712437BFB7@hub.freebsd.org> Date: Tue, 9 May 2000 12:20:49 -0700 (PDT) Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:17 Security Advisory FreeBSD, Inc. Topic: Buffer overflow in libmytinfo may yield increased privileges with third-party software. Category: core Module: libmytinfo Announced: 2000-05-09 Affects: FreeBSD 3.x before the correction date. Corrected: 2000-04-25 FreeBSD only: Yes Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libmytinfo.patch I. Background libmytinfo is part of ncurses, a text-mode display library. II. Problem Description libmytinfo allows users to specify an alternate termcap file or entry via the TERMCAP environment variable, however this is not handled securely and contains a overflowable buffer inside the library. This is a security vulnerability for binaries which are linked against libmytinfo and which are setuid or setgid (i.e. run with elevated privileges). It may also be a vulnerability in other more obscure situations where a user can exert control over the environment with which an ncurses binary is run by another user. FreeBSD 3.x and earlier versions use a very old, customized version of ncurses which is difficult to update without breaking backwards-compatibility. The update was made for FreeBSD 4.0, but it is unlikely that 3.x will be updated. However, the ncurses source is currently being audited for further vulnerabilities. III. Impact Certain setuid/setgid third-party software (including FreeBSD ports/packages) may be vulnerable to a local exploit yielding privileged resources, such as network sockets, privileged filesystem access, or outright privileged shell access (including root access). No program in the FreeBSD base system is believed to be vulnerable to the bug. FreeBSD 4.0 and above are NOT vulnerable to this problem. IV. Workaround Remove any setuid or setgid binary which is linked against libmytinfo (including statically linked), or remove set[ug]id privileges from the file as appropriate. The following instructions will identify the binaries installed on the system which are candidates for removal or removal of file permissions. Since there may be other as yet undiscovered vulnerabilities in libmytinfo it may be wise to perform this audit regardless of whether or not you upgrade your system as described in section V below. In particular, see the note regarding static linking in section V. Of course, it is possible that some of the identified files may be required for the correct operation of your local system, in which case there is no clear workaround except for limiting the set of users who may run the binaries, by an appropriate use of user groups and removing the "o+x" file permission bit. 1) Download the 'libfind.sh' script from ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh e.g. with the fetch(1) command: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh Receiving libfind.sh (460 bytes): 100% 460 bytes transferred in 0.0 seconds (394.69 Kbytes/s) # 2) Verify the md5 checksum and compare to the value below: # /sbin/md5 libfind.sh MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b 3) Run the libfind script against your system: # sh libfind.sh / This will scan your entire system for setuid or setgid binaries which are linked against libmytinfo. Each returned binary should be examined (e.g. with 'ls -l' and/or other tools) to determine what security risk it poses to your local environment, e.g. whether it can be run by arbitrary local users who may be able to exploit it to gain privileges. 4) Remove the binaries, or reduce their file permissions, as appropriate. V. Solution Upgrade your FreeBSD 3.x system to 3.4-STABLE after the correction date, or patch your present system source code and rebuild. Then run the libfind script as instructed in section IV and identify any statically-linked binaries (those reported as "STATIC" by the libfind script). These should either be removed, recompiled, or have privileges restricted to secure them against this vulnerability (since statically-linked binaries will not be affected by recompiling the shared libmytinfo library). To patch your present system: save the patch below into a file, and execute the following commands as root: cd /usr/src/lib/libmytinfo patch < /path/to/patch/file make all make install Patches for 3.x systems before the resolution date: Index: findterm.c =================================================================== RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v retrieving revision 1.3 diff -u -r1.3 findterm.c --- findterm.c 1997/08/13 01:21:36 1.3 +++ findterm.c 2000/04/25 16:58:19 @@ -242,7 +242,7 @@ } else { s = path->file; d = buf; - while(*s != '\0' && *s != ':') + while(*s != '\0' && *s != ':' && d - buf < MAX_LINE - 1) *d++ = *s++; *d = '\0'; if (_tmatch(buf, name)) { @@ -259,7 +259,7 @@ } else { s = path->file; d = buf; - while(*s != '\0' && *s != ',') + while(*s != '\0' && *s != ',' && d - buf < MAX_LINE - 1) *d++ = *s++; *d = '\0'; if (_tmatch(buf, name)) { -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBORc3NFUuHi5z0oilAQGcaAP6Ar4+mNTHR/qXUJ+MFIVy+AQHFDwpYq5f KgBpCRzgKVZs/zfsQ+LwC1vCHzusftTK0lEd//2pfGZHt3ln0eD1s6qt+Q6+ZJBE MYYiXvqoBL1ob2Ahts6uEUs/vbMb4bCbEmMCn4ad2iU+neKH9a81Lk3frIaJjAVK 8/6vW7wH9W4= =NDsR -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Tue May 9 12:24:38 2000 Delivered-To: freebsd-announce@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 5EEE137BEB2; Tue, 9 May 2000 12:24:03 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:18.gnapster Reply-To: security-officer@freebsd.org From: FreeBSD Security Officer Message-Id: <20000509192403.5EEE137BEB2@hub.freebsd.org> Date: Tue, 9 May 2000 12:24:03 -0700 (PDT) Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:18 Security Advisory FreeBSD, Inc. Topic: gnapster port allows remote users to view local files Category: ports Module: gnapster Announced: 2000-05-09 Credits: Fixed by vendor. Affects: Ports collection. Corrected: 2000-04-29 Vendor status: Updated version released. FreeBSD only: NO I. Background Gnapster is a client for the Napster file-sharing network. II. Problem Description The gnapster port (version 1.3.8 and earlier) contains a vulnerability which allows remote gnapster users to view any file on the local system which is accessible to the user running gnapster. Gnapster does not run with elevated privileges, so it is only the user's regular filesystem access permissions which are involved. The gnapster port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Remote users can view files accessible to the user running the gnapster client. If you have not chosen to install the gnapster port/package, then your system is not vulnerable to this problem. IV. Workaround Deinstall the gnapster port/package, if you you have installed it. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the gnapster port. 2) Reinstall a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/audio/gnapster-1.3.9.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/gnapster-1.3.9.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/gnapster-1.3.9.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/gnapster-1.3.9.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/gnapster-1.3.9.tgz Note: it may be several days before the updated packages are available. 3) download a new port skeleton for the gnapster port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBORhlmVUuHi5z0oilAQGytwQApAKwVXvt2Aw6JXMHetWyRLns2wPWT6l3 eIdlkGSesqJlxeeR22wfxWlqcFo3U2D8hlIcWCPCB5y7ejJ3MyeMU895OjJGZ5ii wNe5OabbNwnWjEQmMH8AB4c/zy8GRI9xTOMW/KAcoH5TGhmzJ+29KIYYFwJXlek7 Ywc5E9+Q0pw= =Yr2H -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Fri May 12 12:39:23 2000 Delivered-To: freebsd-announce@freebsd.org Received: from luna.cdrom.com (luna.cdrom.com [204.216.28.135]) by hub.freebsd.org (Postfix) with ESMTP id 9CA0137BEBE for ; Fri, 12 May 2000 12:39:09 -0700 (PDT) (envelope-from jim@luna.cdrom.com) Received: by luna.cdrom.com (Postfix, from userid 1000) id 6A82131E8; Fri, 12 May 2000 12:39:09 -0700 (PDT) Date: Fri, 12 May 2000 12:39:09 -0700 From: Jim Mock To: announce@FreeBSD.org Subject: BSDCon 2000 Announcement Message-ID: <20000512123909.A1828@luna.cdrom.com> Reply-To: jim@luna.cdrom.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3i Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I am pleased to announce BSDCon 2000, the second annual BSD Conference and Expo! If you are a BSD user, this is the event you don't want to miss. There will be BSD-related tutorials, talks, demos, discussions, and exhibitor booths. Many BSD users and developers from all over the world will be present to share ideas, find common interest points, and develop new ideas -- as a single community. *All* BSD users are welcome and encouraged to attend and participate. Some highlights of the conference include: o BSD Internals tutorial by Kirk McKusick o Conference dinner at the Monterey Aquarium o Talks by members of the BSD user and commercial community BSDCon 2000 will be held at the Hyatt Regency in Monterey, California. Please see http://www.hyatt.com/usa/monterey/hotels/hotel_mrydm.html for more information about the hotel, their mailing address and location, etc. The entire expo (tutorials and conference) will be held from October 14-20, with the tutorials being held from October 14-17, and the conference from October 18-20. Pricing information is as follows: Conference (Oct. 18-20): $495 Tutorial 1 (Oct. 14-15): $495 Tutorial 2 (Oct. 16-17): $495 Room rates at the Hyatt: $129 US per night There is a $50 early-bird discount off each if you register before September 1, 2000. Any registrations after September 1, 2000 will be charged full price. Please see http://www.bsdcon.com/ for more information on the conference and for registration information. Pricing information for sponsorships and exhibits are also available on our web site. If you are interested in speaking or giving at tutorial at this event, please contact me by email at jim@bsdcon.com, or by phone at 1-925-691-2800 x3814. If you are interested in being a sponsor of this event, please contact us at sponsors@bsdcon.com. If you are interested in having a booth at this event, please contact us at exhibitors@bsdcon.com. Alternatively, you can contact us by phone at 1-925-691-2800, or fax at 1-925-674-0821. Thanks, and hope to see you there! - jim -- - jim mock - walnut creek cdrom/freebsd test labs - jim@luna.cdrom.com - - phone: 1.925.691.2800 x.3814 - fax: 1.925.674.0821 - jim@FreeBSD.org - - editor - The FreeBSDzine - www.freebsdzine.org - jim@freebsdzine.org - This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Fri May 12 12:47:25 2000 Delivered-To: freebsd-announce@freebsd.org Received: from luna.cdrom.com (luna.cdrom.com [204.216.28.135]) by hub.freebsd.org (Postfix) with ESMTP id 25BC437BF95 for ; Fri, 12 May 2000 12:47:20 -0700 (PDT) (envelope-from jim@luna.cdrom.com) Received: by luna.cdrom.com (Postfix, from userid 1000) id CDCD531E8; Fri, 12 May 2000 12:47:19 -0700 (PDT) Date: Fri, 12 May 2000 12:47:19 -0700 From: Jim Mock To: announce@FreeBSD.org Subject: BSDCon 2000 Call for Papers Message-ID: <20000512124719.A1972@luna.cdrom.com> Reply-To: jim@luna.cdrom.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3i Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I am pleased to announce the call for papers for BSDCon 2000, the 2nd annual BSD Conference and Expo! For more information on how to submit a paper, where to submit it, deadlines, etc., see below. There will be two sets of tutorials prior to the actual conference. Here's what it looks like right now: Tutorial 1 (Oct. 14-15): TBA Tutorial 2 (Oct. 16-17): BSD Internals by Kirk McKusick If you are interested in participating in the first tutorial (FreeBSD, NetBSD, OpenBSD, BSD/OS), please contact us. The deadline for tutorial submissions is August 1, 2000. During the conference, papers will be given by various BSD users, developers, and companies. If you would like to give a paper, you are encouraged to do so! You can either choose a topic of your own, or you can choose from one of the following: o Desktop o Commericial uses (hosting, etc.) o Raid o Embedded systems o Device drivers o Ports collection o Networking o Porting to various architectures o Performance Tuning o Threads o Kernel Architecture o Programming o Security o Interoperability (with other OS's) o Mass Installations o System Administration o E-Commerce o Internationalization These are just some of the areas that we would like to see discussed, although any topics relevant to BSD or the community in general are more than welcome. If you are interested in participating in the first tutorial, or possibly giving a different tutorial, please contact tutorials@bsdcon.com. If you are interested in giving a paper, please contact me at jim@bsdcon.com. Thanks! - jim -- - jim mock - walnut creek cdrom/freebsd test labs - jim@luna.cdrom.com - - phone: 1.925.691.2800 x.3814 - fax: 1.925.674.0821 - jim@FreeBSD.org - - editor - The FreeBSDzine - www.freebsdzine.org - jim@freebsdzine.org - This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message