From owner-freebsd-security-notifications Mon Oct 30 15:12: 0 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id B618B37B4CF; Mon, 30 Oct 2000 15:11:53 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:58.chpass
Message-Id: <20001030231153.B618B37B4CF@hub.freebsd.org>
Date: Mon, 30 Oct 2000 15:11:53 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:58                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          chpass family contains local root vulnerability

Category:       core
Module:         chfn/chpass/chsh/ypchfn/ypchpass/ypchsh/passwd
Announced:      2000-10-30
Credits:        Problem fixed during internal auditing.
                Vulnerability pointed out by: caddis
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.0-RELEASE,
                FreeBSD 4.0-STABLE prior to the correction date
Corrected:      2000/07/20 (FreeBSD 4.0-STABLE)
                2000/10/04 (FreeBSD 3.5.1-STABLE)
FreeBSD only:   NO

I.   Background

ch{fn,pass,sh} are utilities for changing user "finger" information,
passwords, and login shell, respectively. The yp* variants perform the
analogous changes on a NIS account.

II.  Problem Description

A "format string vulnerability" was discovered in code used by the vipw
utility during an internal FreeBSD code audit in July 2000. The vipw
utility does not run with increased privileges, and so it was believed at
the time that it did not represent a security vulnerability. However, it
was not realised that this code is also shared with other utilities --
namely chfn, chpass, chsh, ypchfn, ypchpass, ypchsh and passwd -- which do
in fact run setuid root. Therefore, the problem may be exploited by
unprivileged local users to gain root access to the local machine.

All versions of FreeBSD prior to the correction date, including 4.0 and
3.5.1, are vulnerable to this problem, but it was fixed in the 4.x branch
prior to the release of FreeBSD 4.1.

III. Impact

Local users can obtain root privileges on the local machine.

IV.
Workaround

Remove the setuid bit on the following utilities. This has the side-effect
that non-root users cannot change their finger information, passwords, or
login shells.

# chflags noschg /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh
# chmod u-s /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh
# chflags noschg /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh
# chmod u-s /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh
# chflags noschg /usr/bin/passwd
# chmod u-s /usr/bin/passwd

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1-RELEASE, 4.1.1-RELEASE,
4.1.1-STABLE or 3.5.1-STABLE after the respective correction dates.

2) Apply the patch below and recompile the respective files:

Either save this advisory to a file, or download the patch and detached
PGP signature from the following locations, and verify the signature
using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:58/vipw.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:58/vipw.patch.asc

Execute the following commands as root:

# cd /usr/src/usr.sbin/vipw
# patch -p < /path/to/patch_or_advisory
# make depend && make all install
# cd /usr/src/usr.bin/chpass/
# make depend && make all install
# cd /usr/src/usr.bin/passwd/
# make depend && make all install

Patch for vulnerable systems:

--- pw_util.c 1999/08/28 01:20:31 1.17 +++ pw_util.c 2000/07/12 00:49:40 1.18
@@ -250,7 +250,7 @@ extern int _use_yp; #endif /* YP */ if (err) - warn(name); + warn("%s", name); #ifdef YP if (_use_yp) warnx("NIS information unchanged");

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOf3/FFUuHi5z0oilAQEAhAQApmUnWU8Se8V6rAsy98jJLBXp11mmCnaB
lVPve0SjOEhTjYVOfLEslDIPECP1WNrO3Ep/FiczhoTVrMBzWjh74XIGaiDbRxEy
UDWh/cQhAaEmy/KPwraoPas6T2lsJ9brBu5LycKQj/F2SMYCNQOQ3UK4rmXqmf+z
jAqmmerfaPo=
=YNNN
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Mon Oct 30 15:12:42 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 7039437B683; Mon, 30 Oct 2000 15:12:19 -0800 (PST)
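Review bot: warn("%s", name) is the right fix for the "- warn(name);" line: name becomes an argument of a constant format instead of the format itself, so any % sequences it carries are printed literally rather than interpreted by warn(3). Since the advisory says this pw_util.c code is shared by vipw, chfn/chpass/chsh, the yp* variants and passwd, every other warn()/warnx()/err() call in the shared file that takes a computed first argument should get the same one-line treatment, and building with -Wformat -Wformat-security would flag any that remain. The hunk header (7 lines on both sides) and the unchanged context (#endif /* YP */ above, warnx("NIS information unchanged") below) are consistent with a pure one-line substitution, so the patch should apply cleanly to the 1.17 revision named in the file header.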
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:59.pine
Message-Id: <20001030231219.7039437B683@hub.freebsd.org>
Date: Mon, 30 Oct 2000 15:12:19 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:59                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          pine4 port contains remote vulnerability

Category:       ports
Module:         pine4/pine4-ssl/zh-pine4/iw-pine4
Announced:      2000-10-30
Affects:        Ports collection.
Corrected:      2000-10-29
Credits:        arkane@SPEAKEASY.ORG
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

Pine is a popular mail user agent.

II.  Problem Description

The pine4 port, versions 4.21 and before, contains a buffer overflow
vulnerability which allows a remote user to execute arbitrary code on the
local client by sending a specially-crafted email message. The overflow
occurs during the periodic "new mail" checking of an open folder.

The pine4 port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains over 4000
third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 4.1.1 and 3.5.1 contain this problem
since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

Administrators should note that the Pine software has been a frequent
source of past security holes, and makes extensive use of string routines
commonly associated with security vulnerabilities.
The FreeBSD Security Officer believes it is likely that further
vulnerabilities exist in this software, and recommends the use of
alternative mail software in environments where electronic mail may be
received from untrusted sources.

III. Impact

Remote users can cause pine4 to crash when closing a mail folder by
sending a malformed email.

If you have not chosen to install the pine4 port/package, then your system
is not vulnerable to this problem.

IV.  Workaround

Deinstall the pine4 port/package, if you have installed it. The risk can
be decreased by not leaving pine sitting idle with an open folder, but it
cannot be completely eliminated without patching and recompiling the
software.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the pine4 port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/pine-4.21_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.21_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/pine-4.21_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.21_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/pine-4.21_1.tgz

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the listmanager port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOf3+NVUuHi5z0oilAQHjFQQAmVrnuMQbQwPKf8LVdsNFgc6470e8Lz07
+8OTApKVTzX1WVbBNQUTJ8tC0TSiZt/BTOq41EVHc+yP6W8gJWPWmGJHMH2vtd2q
/5X1o+Q17IP2doXuDBT2MUJH7simUJBPbZ9Fi+AuI+lecCx80Q9W9qndEypdwpwZ
j01EAufwmMk=
=nefD
-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications Mon Oct 30 15:13:31 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 1BF7B37B4E5; Mon, 30 Oct 2000 15:12:45 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:60.boa
Message-Id: <20001030231245.1BF7B37B4E5@hub.freebsd.org>
Date: Mon, 30 Oct 2000 15:12:45 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:60                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          boa web server allows arbitrary file access/execution

Category:       ports
Module:         boa
Announced:      2000-10-30
Credits:        Lluis Mora
Affects:        Ports collection prior to the correction date.
Corrected:      2000-10-07
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

Boa is a high-performance web server.

II.  Problem Description

The boa port, versions after 0.92 but prior to 0.94.8.3, contains a
vulnerability which allows remote users to view arbitrary files outside
the document root. The vulnerability is that boa does not correctly
restrict URL-encoded requests containing ".." in the path.

In addition, if the administrator has enabled CGI extension support, a
request for any file ending in .cgi will result in the file being executed
with the privileges of the user id running the web server. Since the .cgi
file may reside outside the document root, this may result in untrusted
binaries/scripts being executed. If an attacker can upload files to the
system, e.g. via anonymous FTP, they can cause arbitrary code to be
executed by the user running the web server.

The boa port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains over 4000
third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5.1 and 4.1.1 contain this problem
since it was discovered after the releases.
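As an added illustration of the first defect described above (this is not code from boa or from the FreeBSD ports tree), the C program below shows the order of operations a web server needs when mapping a request to a file: percent-decode the request path first, then refuse any ".." segment, so that a URL-encoded "%2e%2e" cannot slip past a test that only looked at the raw string. The document root, the function names and the sample requests are constructed for this example. The policy is deliberately stricter than the minimum: it also refuses "/a/b/../c", which would stay inside the root, because a server has no reason to accept ".." in a request at all.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical document root for the sample below (constructed value). */
#define DOCROOT "/var/www"

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode a request path into out (capacity outlen).  Returns the
 * decoded length, or -1 for a truncated or non-hex escape, an encoded NUL
 * (which would silently shorten the C string), or an output overflow. */
int url_decode_path(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            if (c == 0) return -1;
            i += 2;
        }
        if (o + 1 >= outlen) return -1;     /* keep room for the NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Policy check on an already-decoded path: it must be absolute and must not
 * contain a ".." segment anywhere.  Because decoding ran first, "%2e%2e" and
 * "%2E%2E" are caught exactly like a literal "..". */
static int decoded_path_is_safe(const char *dec)
{
    if (dec[0] != '/') return 0;
    const char *p = dec;
    while (*p != '\0') {
        while (*p == '/') p++;              /* skip one or more separators */
        const char *seg = p;
        while (*p != '\0' && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 0;
    }
    return 1;
}

/* 1 if the raw request path may be served, 0 if it must be rejected. */
int path_is_safe(const char *raw_path)
{
    char dec[1024];
    if (url_decode_path(raw_path, dec, sizeof dec) < 0) return 0;
    return decoded_path_is_safe(dec);
}

/* Map a raw request path to a filesystem path under docroot.  Returns 0 and
 * fills out on success, -1 if the request is rejected or does not fit. */
int resolve_under_root(const char *docroot, const char *raw_path,
                       char *out, size_t outlen)
{
    char dec[1024];
    if (url_decode_path(raw_path, dec, sizeof dec) < 0) return -1;
    if (!decoded_path_is_safe(dec)) return -1;
    if (snprintf(out, outlen, "%s%s", docroot, dec) >= (int)outlen) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample requests: one ordinary, the rest attempts to leave
     * the document root in literal, URL-encoded and malformed forms. */
    const char *samples[] = {
        "/index.html", "/../etc/passwd", "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",
        "/%2E%2E/secret.cgi", "/a%00.cgi", "/a%2",
    };
    char fs[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = resolve_under_root(DOCROOT, samples[i], fs, sizeof fs) == 0;
        printf("%-36s -> %s\n", samples[i], ok ? fs : "REJECTED");
    }
    return 0;
}
```

The check is done once, on the decoded string, and the filesystem path is built only from that string; a server that tested the raw request and then decoded it afterwards would have exactly the gap the advisory describes.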
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Remote users may view any file on the system that is accessible by the
webserver account. In addition, the webserver account may be compromised
due to the execution of arbitrary files outside the document root.

If you have not chosen to install the boa port/package, then your system
is not vulnerable to this problem.

IV.  Workaround

Deinstall the boa port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the boa port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/boa-0.94.8.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/boa-0.94.8.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/boa-0.94.8.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/boa-0.94.8.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/boa-0.94.8.3.tgz

3) Download a new port skeleton for the cvsweb port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOf3+LlUuHi5z0oilAQHuAAP+PB/Y6PwDyWZrfvX5cKRdnQiwebU2FPiS
BhKSwjwBsE4jZGFw0YC+tU6TksGhun6LvvIw0DVHXRevH0VwPcf18akuqKQrFhPA
r3NQ1atFvrdDoGQN0J4px1vANXKPu6afe1LKaMTeF+sbjokoniScnAFyH9IHBvQH
mVUcDXhq7sU=
=WmZ+
-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications Mon Oct 30 15:14:23 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 7642A37B680; Mon, 30 Oct 2000 15:13:11 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:61.tcpdump
Message-Id: <20001030231311.7642A37B680@hub.freebsd.org>
Date: Mon, 30 Oct 2000 15:13:11 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:61                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          tcpdump contains remote vulnerabilities

Category:       core
Module:         tcpdump
Announced:      2000-10-31
Credits:        Discovered during internal auditing.
Affects:        All releases of FreeBSD 3.x, 4.x prior to 4.2
                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
                correction date
Corrected:      2000-10-04 (FreeBSD 4.1.1-STABLE)
                2000-10-05 (FreeBSD 3.5.1-STABLE)
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

tcpdump is a tool for monitoring network activity.

II.  Problem Description

Several overflowable buffers were discovered in the version of tcpdump
included in FreeBSD, during internal source code auditing. Some simply
allow the remote attacker to crash the local tcpdump process, but there is
a more serious vulnerability in the decoding of AFS ACL packets in the more
recent version of tcpdump (tcpdump 3.5) included in FreeBSD 4.0-RELEASE,
4.1-RELEASE and 4.1.1-RELEASE, which may allow a remote attacker to execute
arbitrary code on the local system (usually as root, since root privileges
are required to run tcpdump).

The former issue may be a problem for systems using tcpdump as a form of
intrusion detection system, i.e. to monitor suspicious network activity:
after the attacker crashes any listening tcpdump processes, their
subsequent activities will not be observed.
All released versions of FreeBSD prior to the correction date, including
3.5.1-RELEASE, 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE, are vulnerable
to the "remote crash" problems, and FreeBSD 4.0-RELEASE, 4.1-RELEASE and
4.1.1-RELEASE are also vulnerable to the "remote execution" vulnerability.
Both problems were corrected in 4.1.1-STABLE prior to the release of
FreeBSD 4.2-RELEASE.

III. Impact

Remote users can cause the local tcpdump process to crash, and (under
FreeBSD 4.0-RELEASE, 4.1-RELEASE, 4.1.1-RELEASE and 4.1.1-STABLE prior to
the correction date) may be able to cause arbitrary code to be executed as
the user running tcpdump, usually root.

IV.  Workaround

Do not use vulnerable versions of tcpdump in network environments which
may contain packets from untrusted sources.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or 3.5.1-STABLE
after the respective correction dates.

2a) FreeBSD 3.x systems prior to the correction date

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch.asc

# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install

2b) FreeBSD 4.x systems prior to the correction date

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.asc

# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOf3+JlUuHi5z0oilAQH8GAP+OwB7XLd4PKszqXvcvr/UE9pPMjXR3L3a
wUGrvMbapUABULMYuHux9UtaAuZyma3Lq8tIU4V0mq6jMHAqZ/ILCtmukO/TylOV
JCt8fJUMmVFmENne4oY56g09bVhV8uk6dtqz3ZJDgJVno1cxXh1Cgyyse3pamt5f
xNY1oVybmHE=
=4uj5
-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications Wed Nov 1 15: 0: 3 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id E5B2C37B479; Wed, 1 Nov 2000 14:59:54 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:62.top
Message-Id: <20001101225954.E5B2C37B479@hub.freebsd.org>
Date: Wed, 1 Nov 2000 14:59:54 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:62                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          top allows reading of kernel memory

Category:       core
Module:         top
Announced:      2000-11-01
Credits:        vort@wiretapped.net via OpenBSD
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases
                prior to 4.2), FreeBSD 3.5.1-STABLE and 4.1.1-STABLE
                prior to the correction date.
Corrected:      2000/10/04 (FreeBSD 4.1.1-STABLE)
                2000/10/04 (FreeBSD 3.5.1-STABLE)
FreeBSD only:   NO

I.   Background

top is a utility for displaying current system resource statistics such as
process CPU and memory use. It is externally-maintained, contributed
software which is included in FreeBSD by default.

II.  Problem Description

A "format string vulnerability" was discovered in the top(1) utility which
allows unprivileged local users to cause the top process to execute
arbitrary code. The top utility runs with increased privileges as a member
of the kmem group, which allows it to read from kernel memory (but not
write to it). A process with the ability to read from kernel memory can
monitor privileged data such as network traffic, disk buffers and terminal
activity, and may be able to leverage this to obtain further privileges on
the local system or on other systems, including root privileges.

All released versions of FreeBSD prior to the correction date, including
4.0, 4.1, 4.1.1 and 3.5.1, are vulnerable to this problem, but it was
fixed in the 4.1.1-STABLE branch prior to the release of FreeBSD
4.2-RELEASE.

III.
Impact

Local users can read privileged data from kernel memory, which may provide
information allowing them to further increase their local or remote system
access privileges.

IV.  Workaround

Remove the setgid bit on the top utility. This has the side-effect that
users who are not a member of the kmem group, or who are not the
superuser, cannot use the top utility.

# chmod g-s /usr/bin/top

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or 3.5.1-STABLE
after the respective correction dates.

2) Apply the patch below and recompile the relevant files:

Either save this advisory to a file, or download the patch and detached
PGP signature from the following locations, and verify the signature
using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:62/top.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:62/top.patch.asc

Execute the following commands as root:

# cd /usr/src/contrib/top
# patch -p < /path/to/patch_or_advisory
# cd /usr/src/usr.bin/top
# make depend && make all install

Patch for vulnerable systems:

Index: display.c =================================================================== RCS file: /mnt/ncvs/src/contrib/top/display.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- display.c 1999/01/09 20:20:33 1.4 +++ display.c 2000/10/04 23:34:16 1.5 @@ -829,7 +831,7 @@ register int i; /* first, format the message */ - (void) sprintf(next_msg, msgfmt, a1, a2, a3); + (void) snprintf(next_msg, sizeof(next_msg), msgfmt, a1, a2, a3); if (msglen > 0) {
Index: top.c =================================================================== RCS file: /mnt/ncvs/src/contrib/top/top.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- top.c 1999/01/09 20:20:34 1.4 +++ top.c 2000/10/04 23:34:16 1.5
@@ -807,7 +809,7 @@ { if ((errmsg = kill_procs(tempbuf2)) != NULL) { - new_message(MT_standout, errmsg); + new_message(MT_standout, "%s", errmsg); putchar('\r'); no_command = Yes; }

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOgCfWFUuHi5z0oilAQECnwP8CCL5roxtZIfgV7yEfNGW3u61+NNfFK7V
bEsygpUlT0/KGLM1gBWkMhn7oTlrYk4xJ01SdXenlBJg05ScS6qd8MhJ2TgqsS2l
f5w7ZIvZhSu+V+mLKmjmc52aHM+9Jth2ejyRwlcxWa+tE1XXCUK0KO6oaXod0TR9
g0TXn2UfHJ4=
=eU0t
-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications Wed Nov 1 15: 0:50 2000
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id B57DC37B696; Wed, 1 Nov 2000 15:00:35 -0800 (PST)
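Review bot: on the display.c hunk, snprintf(next_msg, sizeof(next_msg), msgfmt, a1, a2, a3) bounds the write only if next_msg is an array in scope here; were it a pointer, sizeof would silently limit output to the pointer size. Its declaration lies outside the hunk's context, so that should be confirmed. This change is also not the format-string fix itself: msgfmt is still interpreted, so correctness depends on every caller of new_message() passing a constant format, which is what the top.c hunk restores for one caller; treat the snprintf as defence in depth against over-long messages and audit the remaining call sites. The header "@@ -829,7 +831,7 @@" shows revision 1.5 carries changes above this point that the advisory patch does not include, consistent with the patch being an excerpt of a larger commit.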
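Review bot: on the top.c hunk, new_message(MT_standout, "%s", errmsg) is the correct shape: errmsg is whatever kill_procs(tempbuf2) returned, and since it reflects the argument the user typed it must never reach the format parameter. new_message() is printf-like (the display.c hunk shows it forwarding msgfmt and a1..a3 to sprintf), so every other call that passes a computed string as its second argument needs the same audit; declaring new_message() with a printf format attribute would let the compiler find any that remain.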
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory: FreeBSD-SA-00:63.getnameinfo Message-Id: <20001101230035.B57DC37B696@hub.freebsd.org> Date: Wed, 1 Nov 2000 15:00:35 -0800 (PST) Sender: owner-freebsd-security-notifications@FreeBSD.ORG Precedence: bulk Reply-To: postmaster@freebsd.org X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:63 Security Advisory FreeBSD, Inc. Topic: getnameinfo function allows remote denial of service Category: core Module: libc Announced: 2000-11-01 Credits: Pavel Kankovsky Affects: FreeBSD 4.x (all releases prior to 4.2), 4.1.1-STABLE prior to the correction date. Corrected: 2000/09/25 (FreeBSD 4.1.1-STABLE) FreeBSD only: NO I. Background The getnameinfo() function is part of the protocol-independent resolver library from the KAME project. II. Problem Description An off-by-one error exists in the processing of DNS hostnames which allows a long DNS hostname to crash the getnameinfo() function when an address resolution of the hostname is performed (e.g. in response to a connection to a service which makes use of getnameinfo()). Under the following conditions, this bug can be used as a denial of service attack against vulnerable services: * The attacker must control their DNS server. * The service must be run as a persistent daemon (i.e. running "standalone", not spawned as-needed from a supervisor process such as inetd) * The daemon must perform the getnameinfo() call on the remote hostname prior to forking a child process to handle the connection (otherwise it is just the child process which dies, and the parent remains running). * The daemon is not automatically restarted by a "watchdog" process. 
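The off-by-one is the difference between testing strlen(name) > buflen and strlen(name) + 1 > buflen when the copy that follows is strcpy(), which always writes the terminating NUL as well. The C program below is an added example, not code from the KAME resolver or from FreeBSD's libc: it puts the two tests side by side and wraps the corrected one in copy helpers shaped like the service-name and hostname branches of getnameinfo(). The value of ENI_MEMORY, the function names and the sample strings are constructed here; the real getnameinfo() signature is not reproduced.

```c
#include <stdio.h>
#include <string.h>

/* Error code in the style of the resolver's "return ENI_MEMORY"; the numeric
 * value is constructed for this example. */
#define ENI_MEMORY 1

/* The unpatched test: accepts a name whose strlen() equals buflen, even
 * though strcpy() will then write strlen()+1 bytes and the terminator lands
 * one byte past the end.  Returns 1 if the copy would be allowed. */
int old_check_accepts(const char *name, size_t buflen)
{
    return strlen(name) > buflen ? 0 : 1;
}

/* The patched test: reserves the terminator, so a name that exactly fills
 * the buffer is refused. */
int new_check_accepts(const char *name, size_t buflen)
{
    return strlen(name) + 1 > buflen ? 0 : 1;
}

/* Copy src into dst only if it fits including the NUL; dst is untouched
 * otherwise.  Same "check, then copy" shape as the resolver, corrected bound. */
int copy_name(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dstlen)
        return ENI_MEMORY;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Service branch: use the looked-up service name when there is one (sname
 * != NULL stands in for a non-NULL servent), else the decimal port number.
 * serv/servlen are the caller's buffer, as in getnameinfo(). */
int fill_service(char *serv, size_t servlen, const char *sname, unsigned short port)
{
    char numserv[sizeof "65535"];          /* a 16-bit port always fits */
    if (sname == NULL) {
        snprintf(numserv, sizeof numserv, "%u", (unsigned)port);
        sname = numserv;
    }
    return copy_name(serv, servlen, sname);
}

/* Host branch: h_name is whatever the resolver returned, so its length is
 * chosen by the DNS server that answered, not by the caller. */
int fill_host(char *host, size_t hostlen, const char *h_name)
{
    return copy_name(host, hostlen, h_name);
}

int main(void)
{
    char serv[5];                          /* four characters plus the NUL */
    const char *names[] = { "http", "https" };     /* constructed samples */
    for (int i = 0; i < 2; i++) {
        printf("%-5s into %zu bytes: old check %s, patched check %s, copy -> %d\n",
               names[i], sizeof serv,
               old_check_accepts(names[i], sizeof serv) ? "accepts" : "rejects",
               new_check_accepts(names[i], sizeof serv) ? "accepts" : "rejects",
               fill_service(serv, sizeof serv, names[i], 0));
    }
    /* The "long DNS hostname" case: 64 characters against a 64-byte buffer
     * is accepted by the old test and refused by the patched one. */
    char longname[65];
    memset(longname, 'a', 64);
    longname[64] = '\0';
    char host[64];
    printf("64-char host into 64 bytes: old %d, patched %d, copy -> %d\n",
           old_check_accepts(longname, sizeof host),
           new_check_accepts(longname, sizeof host),
           fill_host(host, sizeof host, longname));
    return 0;
}
```

The vulnerable test is only evaluated here, never used to drive a copy: the one-byte overflow it permits is undefined behaviour, which is exactly why a single extra byte from a remote name is enough to take down a daemon that resolves before forking.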
All released versions of FreeBSD 4.x prior to the correction date,
including 4.0, 4.1, and 4.1.1, are vulnerable to this problem, but it was
fixed in the 4.1.1-STABLE branch prior to the release of FreeBSD
4.2-RELEASE. The FreeBSD 3.x branch is unaffected since it does not
include the KAME code.

Note that this vulnerability is not believed to affect any servers
included in the FreeBSD base system. It is only a potential problem for
certain third-party servers fulfilling the above conditions (none of which
are currently known). Therefore the impact on the vast majority of FreeBSD
systems is expected to be nonexistent.

III. Impact

Remote users may be able to cause a very small class of network servers to
terminate abnormally, causing a denial of service condition.

IV.  Workaround

None practical.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD 4.x system to 4.1.1-STABLE after the
correction date.

2) Apply the patch below and recompile the relevant files:

Either save this advisory to a file, or download the patch and detached
PGP signature from the following locations, and verify the signature
using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:63/getnameinfo.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:63/getnameinfo.patch.asc

Execute the following commands as root:

# cd /usr/src/lib/libc
# patch -p < /path/to/patch_or_advisory
# make depend && make all install

Patch for vulnerable systems:

--- net/getnameinfo.c 2000/07/05 05:09:17 1.5 +++ net/getnameinfo.c 2000/09/25 23:04:36 1.6 @@ -154,12 +153,12 @@ (flags & NI_DGRAM) ? "udp" : "tcp"); } if (sp) { - if (strlen(sp->s_name) > servlen) + if (strlen(sp->s_name) + 1 > servlen) return ENI_MEMORY; strcpy(serv, sp->s_name); } else { snprintf(numserv, sizeof(numserv), "%d", ntohs(port)); - if (strlen(numserv) > servlen) + if (strlen(numserv) + 1 > servlen) return ENI_MEMORY; strcpy(serv, numserv); }
@@ -253,7 +252,7 @@ *p = '\0'; } #endif - if (strlen(hp->h_name) > hostlen) { + if (strlen(hp->h_name) + 1 > hostlen) { freehostent(hp); return ENI_MEMORY; }

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOgCgVlUuHi5z0oilAQGqfwP/SYLG0yD0uR4wdPHy5S9eXH4HqtNrVpF7
NlN3iMjHrzIDqeFSYoRTbMEhrbTTGMWYIEadadW9zjlnHfGNRniYx2oOhm+0tqsI
C3wlqsGAo2GXsXfr1hOpcVc1GqLhsK3oLgz9RRMoMlRWJ+K0bHHLwKlB9uEoxPJ2
X/WHJ//RQXI=
=YFwv
-----END PGP SIGNATURE-----
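Review bot: on the first hunk (service-name branch), adding "+ 1" to both tests is the correct correction: strcpy() writes strlen()+1 bytes, so a name exactly servlen long passed the old "strlen(...) > servlen" test and put its terminating NUL one byte past serv. The copy itself is still strcpy(); replacing it with strlcpy(serv, sp->s_name, servlen) and checking the return value would make the bound local to the copy instead of relying on a separate comparison staying in sync with it. The numeric branch is bounded on the source side anyway (ntohs(port) is at most five digits and is written with snprintf into numserv), so the only caller-controlled quantity there is servlen.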
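Review bot: on the second hunk (hostname branch), the same "+ 1" correction applies to hostlen, and this is the branch behind the advisory's denial of service: h_name is returned by the attacker-controlled DNS server, while hostlen is whatever buffer the calling daemon supplied. Calling freehostent(hp) before returning ENI_MEMORY is right (no leak on the error path). The "*p = '\0'" in the preceding context can only shorten h_name, so the length measured here is the length the copy after the hunk will see; that copy is not in the context shown and is presumably a strcpy() as in the service branch, so the same strlcpy() remark applies.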
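Two of the advisories above, SA-00:58 (warn(name) in pw_util.c) and SA-00:62 (new_message(MT_standout, errmsg) in top), fix the same class of bug the same way: untrusted text moves from the format parameter to an argument of a literal "%s". The C program below is an added example, not code from chpass, top or FreeBSD. It reproduces the shape of top's new_message() with a bounded buffer (the display.c change), shows the "%s" call pattern (the pw_util.c and top.c changes), and adds a small audit helper that counts what a string would do if it were ever used as a format. MSG_MAX, the function names and the sample strings are constructed for this example; the printf format attribute is a gcc/clang extension that lets -Wformat-security flag any remaining non-literal callers and is compiled out elsewhere.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

#define MSG_MAX 64                /* constructed buffer size for this example */
static char next_msg[MSG_MAX];

/* Bounded message formatter in the shape of top's new_message().  With the
 * format attribute, gcc/clang -Wformat-security warns whenever a caller
 * passes a non-literal string as msgfmt, which is the defect both advisories
 * fixed.  Returns the length the full message would have had; a value
 * >= MSG_MAX means it was truncated, not overflowed. */
PRINTF_LIKE(1, 2)
int new_message(const char *msgfmt, ...)
{
    va_list ap;
    va_start(ap, msgfmt);
    int n = vsnprintf(next_msg, sizeof next_msg, msgfmt, ap);
    va_end(ap);
    return n;
}

const char *last_message(void)
{
    return next_msg;
}

/* Untrusted text (a user's name, an error string built from what the user
 * typed) is passed as the argument of a literal "%s", never as the format,
 * so any '%' it contains is stored verbatim instead of being interpreted. */
int report_name(const char *name)
{
    return new_message("%s", name);
}

/* Audit helper: count the conversion directives a string would introduce if
 * it were (wrongly) used as a format.  "%%" is an escaped percent sign and
 * does not count. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a "name" carrying two conversion directives. */
    const char *name = "bob%s%x";
    report_name(name);
    printf("stored verbatim: \"%s\" (would be %d directives as a format)\n",
           last_message(), count_directives(name));

    /* An over-long message is cut at MSG_MAX-1 characters rather than
     * running past the buffer, which is what the snprintf change buys. */
    char longname[200];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    int wanted = report_name(longname);
    printf("199-byte name: wanted %d, kept %zu (buffer is %d)\n",
           wanted, strlen(last_message()), MSG_MAX);
    return 0;
}
```

The two defences are independent: the bounded buffer stops over-long output, while the literal "%s" stops the data from ever being parsed as a format. Either one alone leaves the other failure open, which is why the top patch touches both display.c and top.c.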