Date: Sun, 30 Apr 2000 15:52:48 +0200
From: Andreas Klemm <andreas@klemm.gtn.com>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/print/apsfilter/patches patch-aa
Message-ID: <20000430155248.B60564@titan.klemm.gtn.com>
In-Reply-To: <Pine.BSF.4.21.0004291301250.16747-100000@freefall.freebsd.org>; from kris@FreeBSD.org on Sat, Apr 29, 2000 at 01:01:40PM -0700
References: <200004291348.GAA68598@freefall.freebsd.org> <Pine.BSF.4.21.0004291301250.16747-100000@freefall.freebsd.org>

On Sat, Apr 29, 2000 at 01:01:40PM -0700, Kris Kennaway wrote:
> On Sat, 29 Apr 2000, Andreas Klemm wrote:
>
> > andreas 2000/04/29 06:48:32 PDT
> >
> > Added files:
> > print/apsfilter/patches patch-aa
> > Log:
> > Add security patch
>
> Can you explain this more? Does it require an advisory?
Yes, should be done:
---------------------------------------------------------------------
apsfilter user on a "single user Unix system" should upgrade
simply to 5.4.1 and "may" apply the apsfilter security fix which
is available from my homepage.
system administrators of Unix server having many user accounts
running apsfilter V 5.2.x - 5.3.3 (5.4.0 never has been introduced
to a larger audience) should upgrade to apsfilter 5.4.1 and apply
the security patch or wait 1 or 2 days to upgrade to apsfilter 5.4.2
which is a (hopefully ;-) stable and secure release.
---------------------------------------------------------------------
Explanation:
apsfilter before apsfilter 5.2.x (rather old) sourced user
customizable apsfilter initialization files during runtime of
print job (input filter), i.e.:
    . $HOME/.apsfilterrc
So there was the possibility to abuse the apsfilter configuration
file, which runs under UID and GID of lpd.
To prevent this abuse and make apsfilter secure for general use,
the configuration variable INSECURE had been introduced with apsfilter
5.2.0 and later, default: not set.
When administrator sets INSECURE to true, user customizable apsfilter
config files were still possible for "ease of use" on systems
where security isn't an issue ("single User" server).
Starting with apsfilter 5.2.x and later the method of reading
apsfilter environment variables has changed from "sourcing during runtime"
to "scanning config files using awk" for certain fixed variable names.
This method of "scanning with awk" was thought of being secure, so the
INSECURE variable vanished with apsfilter 5.2.0 and later.
But this is not true. So the INSECURE variable has been re-introduced
with apsfilter 5.4.1. Unfortunately the fix hasn't been complete, so
5.4.1 is still affected and is insecure by default.
So for 5.4.1 the security patch has to be applied to make apsfilter secure.
The apsfilter port in the FreeBSD ports collection has been updated just
recently, so possibly only few FreeBSD users are affected by the bug,
when having installed apsfilter by ports collection.
apsfilter 5.4.2 will be released soon, to have a complete secure
version around. My experience is from download statistics, that most
people don't download patches ;-)
------------------------------------------------------------------------
The problem: some of the variables are evaluated during runtime:
    eval $VAR
This still gives the possibility to start trojan or attack programs.
------------------------------------------------------------------------
--
Andreas Klemm http://people.FreeBSD.ORG/~andreas
http://www.freebsd.org/~fsmp/SMP/SMP.html
powered by Symmetric MultiProcessor FreeBSD
New APSFILTER 541 and songs from our band - http://people.freebsd.org/~andreas
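Added example (not part of the message above and not apsfilter code): a shell illustration of why scanning a config file with awk gives no protection once the scanned value reaches eval, next to a form that treats the value as data. The variable name PRINT_OPTS, the config layout and the function names are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added illustration, not apsfilter source. PRINT_OPTS and the config
# layout are hypothetical names chosen for this example.

# Constructed sample config: the value carries a second shell statement.
make_sample_config() {
    cat > "$1" <<'EOF'
# user-writable config (constructed sample)
PRINT_OPTS=-dSAFER; INJECTED=yes
EOF
}

# "Scanning with awk" for one fixed variable name; prints the raw value text.
scan_var() {
    awk -F= -v name="$2" '$1 == name { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Pattern named in the mail: the scanned text is evaluated at runtime.
# Returns 0 when the config file got a statement of its own executed.
load_with_eval() {
    INJECTED=no
    value=$(scan_var "$1" PRINT_OPTS)
    eval "PRINT_OPTS=$value"
    [ "$INJECTED" = yes ]
}

# Hardened form: no eval; the value is data and must match an allowlist.
load_without_eval() {
    INJECTED=no
    value=$(scan_var "$1" PRINT_OPTS)
    case $value in
        ''|*[!A-Za-z0-9=._-]*) return 2 ;;  # empty or contains other characters
    esac
    PRINT_OPTS=$value
}

cfg=$(mktemp)
make_sample_config "$cfg"
if load_with_eval "$cfg"; then echo "eval: config executed its own statement"; fi
if load_without_eval "$cfg"; then echo "no eval: PRINT_OPTS=$PRINT_OPTS"
else echo "no eval: value rejected, INJECTED=$INJECTED"; fi
rm -f "$cfg"
```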
