From owner-freebsd-audit  Sun Mar 18  6:26:12 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from mail.imp.ch (mail.imp.ch [157.161.1.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4CF7037B719; Sun, 18 Mar 2001 06:26:08 -0800 (PST)
	(envelope-from mb@imp.ch)
Received: from levais.imp.ch (levais.imp.ch [157.161.4.66])
	by mail.imp.ch (8.11.1/8.11.1) with ESMTP id f2IEQ7p55623;
	Sun, 18 Mar 2001 15:26:07 +0100 (CET)
	(envelope-from Martin.Blapp@imp.ch)
Date: Sun, 18 Mar 2001 15:27:31 +0100 (CET)
From: Martin Blapp <mb@imp.ch>
To: audit@freebsd.org
Cc: alfred@freebsd.org
Subject: audit of tirpc code
Message-ID: <Pine.BSF.4.21.0103180240120.6501-100000@levais.imp.ch>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


Hi,

As you know I did the tirpc port from NetBSD to FreeBSD. I tried to
integrate all known bugs and security issues from Open-/Net-/FreeBSD
into this FreeBSD tirpc and there are a lot of bugs fixed there.

So can anybody who fixed a security bug in portmapper or rpc
look at this diff and check if there are similar conditions ?
I tried to do that carefully, hand have fixed a lot of them.

I'm asking for a carefully audit, but I think we should integrate the
code now into CURRENT and upgrade it then to the latest version. What
do you think ?

Two commits are missing, I'd like to integrate them if you think they
are necessary (code is still the same in tirpc1999):

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/lib/libc/rpc/svc.c.diff?r1=1.6&r2=1.7
http://www.FreeBSD.org/cgi/cvsweb.cgi/src/lib/libc/rpc/svc.c.diff?r1=1.12&r2=1.13

Included in the 1,3 MB big patch are:

- tirpc2.3 (and parts from 2.0 and tirpc1999)
  I've planed to slowly upgrade the code to
  tirpc1999 which is available under SunOS OSS license.

- nfs utilities converted to ipv6 and lot of bugfixes
  ifor nfsd(8) and umount(8).

- fixes to rpc userland code.

You can find the diff on:

http://www.attic.ch/tirpc.html
http://home.teleport.ch/freebsd/tirpc-20010318.diff
http://home.teleport.ch/freebsd/tirpc-20010318.diff.tgz

Martin

Martin Blapp, mb@imp.ch
------------------------------------------------
Improware AG, UNIX solution and service provider
Zurlindenstrasse 29, 4133 Pratteln, Switzerland
Phone: +41 79 370 26 05, Fax: +41 61 826 93 01
------------------------------------------------



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message