From owner-freebsd-security-notifications Tue May 9 12:15:27 2000 Delivered-To: freebsd-security-notifications@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 385BC37BEA3; Tue, 9 May 2000 12:15:12 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:16.golddig From: FreeBSD Security Officer Message-Id: <20000509191512.385BC37BEA3@hub.freebsd.org> Date: Tue, 9 May 2000 12:15:12 -0700 (PDT) Sender: owner-freebsd-security-notifications@FreeBSD.ORG Precedence: bulk Reply-To: postmaster@freebsd.org X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:16 Security Advisory FreeBSD, Inc. Topic: golddig port allows users to overwrite local files Category: ports Module: golddig Announced: 2000-05-09 Credits: Discovered during internal ports collection auditing. Affects: Ports collection. Corrected: 2000-04-30 Vendor status: Email bounced. FreeBSD only: NO I. Background Golddig is an X11 game provided as part of the FreeBSD ports collection. II. Problem Description The golddig port erroneously installs a level-creation utility setuid root, which allows users to overwrite the contents of arbitrary local files. It is not believed that any elevation of privileges is possible with this vulnerability because the contents of the file are a textual representation of a golddig game level which is highly constrained. The golddig port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact An unprivileged local user can overwrite the contents of any file, although they are restricted in the possible contents of the new file. If you have not chosen to install the golddig port/package, then your system is not vulnerable to this problem. IV. Workaround One of the following: 1) Deinstall the golddig port/package, if you you have installed it. 2) Remove the setuid bit from /usr/local/bin/makelev. This will mean unprivileged users cannot create or modify golddig levels except in their own directories. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the golddig port. 2) Reinstall a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/games/golddig-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/games/golddig-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/games/golddig-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/games/golddig-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/games/golddig-2.0.tgz Note: it may be several days before the updated packages are available. 3) download a new port skeleton for the golddig port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBORhjV1UuHi5z0oilAQHa4AP8D5QZo+zNieNemPMfMW77JIxsHtCHCg+M MEG6CkJ6QOZlwJ8Mav1ExMyQywWncccgkazBFyK2KG5rAqpxX4KMZ+C3zfysTraS cHVCVBw73yx0t53/FnvoR3yqtI+GdmhPaw9X3icCtp9st3hiSMF759yPqOUKBbIu JFgdfAuXaqs= =Pxca -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security-notifications" in the body of the message From owner-freebsd-security-notifications Tue May 9 12:21: 5 2000 Delivered-To: freebsd-security-notifications@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 5712437BFB7; Tue, 9 May 2000 12:20:49 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo From: FreeBSD Security Officer Message-Id: <20000509192049.5712437BFB7@hub.freebsd.org> Date: Tue, 9 May 2000 12:20:49 -0700 (PDT) Sender: owner-freebsd-security-notifications@FreeBSD.ORG Precedence: bulk Reply-To: postmaster@freebsd.org X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:17 Security Advisory FreeBSD, Inc. Topic: Buffer overflow in libmytinfo may yield increased privileges with third-party software. Category: core Module: libmytinfo Announced: 2000-05-09 Affects: FreeBSD 3.x before the correction date. Corrected: 2000-04-25 FreeBSD only: Yes Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libmytinfo.patch I. Background libmytinfo is part of ncurses, a text-mode display library. II. Problem Description libmytinfo allows users to specify an alternate termcap file or entry via the TERMCAP environment variable, however this is not handled securely and contains a overflowable buffer inside the library. This is a security vulnerability for binaries which are linked against libmytinfo and which are setuid or setgid (i.e. run with elevated privileges). It may also be a vulnerability in other more obscure situations where a user can exert control over the environment with which an ncurses binary is run by another user. FreeBSD 3.x and earlier versions use a very old, customized version of ncurses which is difficult to update without breaking backwards-compatibility. The update was made for FreeBSD 4.0, but it is unlikely that 3.x will be updated. However, the ncurses source is currently being audited for further vulnerabilities. III. Impact Certain setuid/setgid third-party software (including FreeBSD ports/packages) may be vulnerable to a local exploit yielding privileged resources, such as network sockets, privileged filesystem access, or outright privileged shell access (including root access). No program in the FreeBSD base system is believed to be vulnerable to the bug. FreeBSD 4.0 and above are NOT vulnerable to this problem. IV. Workaround Remove any setuid or setgid binary which is linked against libmytinfo (including statically linked), or remove set[ug]id privileges from the file as appropriate. The following instructions will identify the binaries installed on the system which are candidates for removal or removal of file permissions. Since there may be other as yet undiscovered vulnerabilities in libmytinfo it may be wise to perform this audit regardless of whether or not you upgrade your system as described in section V below. In particular, see the note regarding static linking in section V. Of course, it is possible that some of the identified files may be required for the correct operation of your local system, in which case there is no clear workaround except for limiting the set of users who may run the binaries, by an appropriate use of user groups and removing the "o+x" file permission bit. 1) Download the 'libfind.sh' script from ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh e.g. with the fetch(1) command: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh Receiving libfind.sh (460 bytes): 100% 460 bytes transferred in 0.0 seconds (394.69 Kbytes/s) # 2) Verify the md5 checksum and compare to the value below: # /sbin/md5 libfind.sh MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b 3) Run the libfind script against your system: # sh libfind.sh / This will scan your entire system for setuid or setgid binaries which are linked against libmytinfo. Each returned binary should be examined (e.g. with 'ls -l' and/or other tools) to determine what security risk it poses to your local environment, e.g. whether it can be run by arbitrary local users who may be able to exploit it to gain privileges. 4) Remove the binaries, or reduce their file permissions, as appropriate. V. Solution Upgrade your FreeBSD 3.x system to 3.4-STABLE after the correction date, or patch your present system source code and rebuild. Then run the libfind script as instructed in section IV and identify any statically-linked binaries (those reported as "STATIC" by the libfind script). These should either be removed, recompiled, or have privileges restricted to secure them against this vulnerability (since statically-linked binaries will not be affected by recompiling the shared libmytinfo library). To patch your present system: save the patch below into a file, and execute the following commands as root: cd /usr/src/lib/libmytinfo patch < /path/to/patch/file make all make install Patches for 3.x systems before the resolution date: Index: findterm.c =================================================================== RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v retrieving revision 1.3 diff -u -r1.3 findterm.c --- findterm.c 1997/08/13 01:21:36 1.3 +++ findterm.c 2000/04/25 16:58:19 @@ -242,7 +242,7 @@ } else { s = path->file; d = buf; - while(*s != '\0' && *s != ':') + while(*s != '\0' && *s != ':' && d - buf < MAX_LINE - 1) *d++ = *s++; *d = '\0'; if (_tmatch(buf, name)) { @@ -259,7 +259,7 @@ } else { s = path->file; d = buf; - while(*s != '\0' && *s != ',') + while(*s != '\0' && *s != ',' && d - buf < MAX_LINE - 1) *d++ = *s++; *d = '\0'; if (_tmatch(buf, name)) { -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBORc3NFUuHi5z0oilAQGcaAP6Ar4+mNTHR/qXUJ+MFIVy+AQHFDwpYq5f KgBpCRzgKVZs/zfsQ+LwC1vCHzusftTK0lEd//2pfGZHt3ln0eD1s6qt+Q6+ZJBE MYYiXvqoBL1ob2Ahts6uEUs/vbMb4bCbEmMCn4ad2iU+neKH9a81Lk3frIaJjAVK 8/6vW7wH9W4= =NDsR -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security-notifications" in the body of the message From owner-freebsd-security-notifications Tue May 9 12:24:28 2000 Delivered-To: freebsd-security-notifications@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 5EEE137BEB2; Tue, 9 May 2000 12:24:03 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:18.gnapster From: FreeBSD Security Officer Message-Id: <20000509192403.5EEE137BEB2@hub.freebsd.org> Date: Tue, 9 May 2000 12:24:03 -0700 (PDT) Sender: owner-freebsd-security-notifications@FreeBSD.ORG Precedence: bulk Reply-To: postmaster@freebsd.org X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:18 Security Advisory FreeBSD, Inc. Topic: gnapster port allows remote users to view local files Category: ports Module: gnapster Announced: 2000-05-09 Credits: Fixed by vendor. Affects: Ports collection. Corrected: 2000-04-29 Vendor status: Updated version released. FreeBSD only: NO I. Background Gnapster is a client for the Napster file-sharing network. II. Problem Description The gnapster port (version 1.3.8 and earlier) contains a vulnerability which allows remote gnapster users to view any file on the local system which is accessible to the user running gnapster. Gnapster does not run with elevated privileges, so it is only the user's regular filesystem access permissions which are involved. The gnapster port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3200 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Remote users can view files accessible to the user running the gnapster client. If you have not chosen to install the gnapster port/package, then your system is not vulnerable to this problem. IV. Workaround Deinstall the gnapster port/package, if you you have installed it. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the gnapster port. 2) Reinstall a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/audio/gnapster-1.3.9.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/gnapster-1.3.9.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/gnapster-1.3.9.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/gnapster-1.3.9.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/gnapster-1.3.9.tgz Note: it may be several days before the updated packages are available. 3) download a new port skeleton for the gnapster port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBORhlmVUuHi5z0oilAQGytwQApAKwVXvt2Aw6JXMHetWyRLns2wPWT6l3 eIdlkGSesqJlxeeR22wfxWlqcFo3U2D8hlIcWCPCB5y7ejJ3MyeMU895OjJGZ5ii wNe5OabbNwnWjEQmMH8AB4c/zy8GRI9xTOMW/KAcoH5TGhmzJ+29KIYYFwJXlek7 Ywc5E9+Q0pw= =Yr2H -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security-notifications" in the body of the message