From owner-freebsd-announce@FreeBSD.ORG Thu Nov 18 12:23:35 2004
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Date: Thu, 18 Nov 2004 13:22:53 +0100 (CET)
Message-Id: <20041118122253.253E5B876@dwp.des.no>
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:16.fetch
List-Id: Project Announcements [moderated]
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:16.fetch                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Overflow error in fetch

Category:       core
Module:         fetch
Announced:      2004-11-18
Credits:        Colin Percival
Affects:        All FreeBSD versions.
Corrected:      2004-11-18 12:02:13 UTC (RELENG_5, 5.3-STABLE)
                2004-11-18 12:03:05 UTC (RELENG_5_3, 5.3-RELEASE-p1)
                2004-11-18 12:04:29 UTC (RELENG_5_2, 5.2.1-RELEASE-p12)
                2004-11-18 12:05:36 UTC (RELENG_5_1, 5.1-RELEASE-p18)
                2004-11-18 12:05:50 UTC (RELENG_5_0, 5.0-RELEASE-p22)
                2004-11-18 12:02:29 UTC (RELENG_4, 4.10-STABLE)
                2004-11-18 12:06:06 UTC (RELENG_4_10, 4.10-RELEASE-p4)
                2004-11-18 12:06:22 UTC (RELENG_4_9, 4.9-RELEASE-p13)
                2004-11-18 12:06:36 UTC (RELENG_4_8, 4.8-RELEASE-p26)
                2004-11-18 12:06:52 UTC (RELENG_4_7, 4.7-RELEASE-p28)
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The fetch(1) utility is a tool for fetching files via FTP, HTTP, and
HTTPS.

II.  Problem Description

An integer overflow condition in the processing of HTTP headers can
result in a buffer overflow.

III. Impact

A malicious server or CGI script can respond to an HTTP or HTTPS request
in such a manner as to cause arbitrary portions of the client's memory
to be overwritten, allowing for arbitrary code execution.

IV.  Workaround

There is no known workaround for the affected application, although the
ftp(1) application in the FreeBSD base system, and several applications
in the FreeBSD Ports collection, provide similar functionality and could
be used in place of fetch(1).

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_5_2, RELENG_4_10, or RELENG_4_8 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.10,
5.2, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# ftp ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:16/fetch.patch
# ftp ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:16/fetch.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.bin/fetch
# make obj && make depend && make && make install

Note that these commands rebuild and install only fetch(1); they do not
touch the kernel version string, so uname(1) will not report a new
patch level until the system is rebuilt from a security branch that
includes the src/sys/conf/newvers.sh revision listed in section VI.

3) IMPORTANT NOTE to users of FreeBSD Update:

FreeBSD Update (security/freebsd-update in the FreeBSD Ports collection)
is a binary security update system for the FreeBSD base system.  It is
not supported or endorsed by the FreeBSD Security team, but its author
has requested that the following note be included in this advisory:

FreeBSD Update uses the fetch(1) utility for downloading security
updates to the FreeBSD base system.  While these updates are
cryptographically signed, and FreeBSD Update is therefore immune from
most attacks, it is exposed to this vulnerability since the files must
be fetched before their integrity can be verified.  As a workaround,
FreeBSD Update can be made to use the ftp(1) utility for downloading
updates as follows:

# sed -i.bak -e 's/fetch -qo/ftp -o/' /usr/local/sbin/freebsd-update
# freebsd-update fetch
# mv /usr/local/sbin/freebsd-update.bak /usr/local/sbin/freebsd-update
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/usr.bin/fetch/fetch.c                                      1.10.2.28
RELENG_4_10
  src/UPDATING                                              1.73.2.90.2.5
  src/sys/conf/newvers.sh                                   1.44.2.34.2.6
  src/usr.bin/fetch/fetch.c                                 1.10.2.23.2.1
RELENG_4_9
  src/UPDATING                                             1.73.2.89.2.14
  src/sys/conf/newvers.sh                                  1.44.2.32.2.14
  src/usr.bin/fetch/fetch.c                                 1.10.2.21.2.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.29
  src/sys/conf/newvers.sh                                  1.44.2.29.2.27
  src/usr.bin/fetch/fetch.c                                 1.10.2.20.2.1
RELENG_4_7
  src/UPDATING                                             1.73.2.74.2.32
  src/sys/conf/newvers.sh                                  1.44.2.26.2.30
  src/usr.bin/fetch/fetch.c                                 1.10.2.18.2.1
RELENG_5
  src/usr.bin/fetch/fetch.c                                       1.72.2.2
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.4
  src/sys/conf/newvers.sh                                   1.62.2.15.2.6
  src/usr.bin/fetch/fetch.c                                  1.72.2.1.2.1
RELENG_5_2
  src/UPDATING                                                 1.282.2.20
  src/sys/conf/newvers.sh                                      1.56.2.19
  src/usr.bin/fetch/fetch.c                                       1.62.4.1
RELENG_5_1
  src/UPDATING                                                 1.251.2.20
  src/sys/conf/newvers.sh                                      1.50.2.20
  src/usr.bin/fetch/fetch.c                                       1.62.2.1
RELENG_5_0
  src/UPDATING                                                 1.229.2.28
  src/sys/conf/newvers.sh                                      1.48.2.23
  src/usr.bin/fetch/fetch.c                                       1.58.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBnJIEFdaIBMps37IRAm1/AKCISgScX7iQV6689Mm0jVk15pa0EgCgj1Pj
WSxoiyw5dAEC6PcSpMSIgZQ=
=Ikr3
-----END PGP SIGNATURE-----
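Section II of the advisory states the bug class in one sentence: an integer overflow while processing HTTP headers that turns into a buffer overflow. The following C example is added here to illustrate that class; it is not the fetch.c code, not the FreeBSD patch, and does not reproduce the specific defect Colin Percival reported. The header lines, the `Content-Length` parsing, the `MAX_BODY_LEN` policy cap and the function names are all constructed for this illustration. It places the vulnerable pattern (a server-controlled length narrowed to `unsigned int` and incremented without a check, so the allocation size wraps to zero) beside a hardened parser that rejects signs, trailing junk, out-of-range values and anything over the cap before the length is used for an allocation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy cap on a response body this client is willing to buffer.
 * Assumption for this example only; fetch(1) has no such constant. */
#define MAX_BODY_LEN ((size_t)64 * 1024 * 1024)

/* Vulnerable pattern (constructed illustration, not the fetch.c code):
 * the server-controlled length is narrowed to unsigned int and 1 is
 * added for a terminating NUL without an overflow check.  With a header
 * of "Content-Length: 4294967295" the sum wraps to 0, so a caller would
 * malloc() a zero-length buffer and then copy the response into it:
 * the integer overflow becomes a heap buffer overflow. */
unsigned int vulnerable_alloc_size(const char *line)
{
    const char *p = line + strlen("Content-Length: ");
    unsigned int len = (unsigned int)strtoul(p, NULL, 10);
    return len + 1;                 /* wraps to 0 when len == UINT_MAX */
}

/* Hardened parser: accepts only "Content-Length: <digits>" with no sign,
 * no trailing junk, no overflow of the widest unsigned type, and a
 * policy cap.  Returns 0 and stores the length on success, -1 otherwise. */
int parse_content_length(const char *line, size_t *out)
{
    static const char prefix[] = "Content-Length: ";
    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    const char *p = line + sizeof(prefix) - 1;
    if (*p < '0' || *p > '9')       /* rejects "", "-1", "+5", " 7" */
        return -1;
    errno = 0;
    char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* out of range, or junk after digits */
        return -1;
    if (v > MAX_BODY_LEN)           /* policy cap; also keeps v within size_t */
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Safe allocation size: len + 1 for the NUL, with the addition checked
 * before the value is ever handed to malloc(). */
int safe_alloc_size(const char *line, size_t *out)
{
    size_t len;
    if (parse_content_length(line, &len) != 0)
        return -1;
    if (len > SIZE_MAX - 1)         /* unreachable after the cap; kept as defence in depth */
        return -1;
    *out = len + 1;
    return 0;
}

int main(void)
{
    /* Constructed header lines (CRLF already stripped by the line reader). */
    const char *good = "Content-Length: 512";
    const char *evil = "Content-Length: 4294967295";
    size_t n;

    printf("vulnerable(%s) -> %u\n", good, vulnerable_alloc_size(good));
    printf("vulnerable(%s) -> %u (wrapped)\n", evil, vulnerable_alloc_size(evil));
    printf("safe(%s) -> %s\n", good,
           safe_alloc_size(good, &n) == 0 ? "accepted" : "rejected");
    printf("safe(%s) -> %s\n", evil,
           safe_alloc_size(evil, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The hardened version keeps the parsed value in the widest available type, refuses to narrow it, and makes every failure path return an error before any size reaches the allocator; the cap also limits what a hostile server can make the client allocate, which matters for a tool like fetch(1) that FreeBSD Update runs before it can verify signatures.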