From owner-freebsd-security-notifications Tue May 9 12:21: 5 2000 Delivered-To: freebsd-security-notifications@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 5712437BFB7; Tue, 9 May 2000 12:20:49 -0700 (PDT) From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo From: FreeBSD Security Officer Message-Id: <20000509192049.5712437BFB7@hub.freebsd.org> Date: Tue, 9 May 2000 12:20:49 -0700 (PDT) Sender: owner-freebsd-security-notifications@FreeBSD.ORG Precedence: bulk Reply-To: postmaster@freebsd.org X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:17 Security Advisory FreeBSD, Inc. Topic: Buffer overflow in libmytinfo may yield increased privileges with third-party software. Category: core Module: libmytinfo Announced: 2000-05-09 Affects: FreeBSD 3.x before the correction date. Corrected: 2000-04-25 FreeBSD only: Yes Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libmytinfo.patch I. Background libmytinfo is part of ncurses, a text-mode display library. II. Problem Description libmytinfo allows users to specify an alternate termcap file or entry via the TERMCAP environment variable, however this is not handled securely and contains a overflowable buffer inside the library. This is a security vulnerability for binaries which are linked against libmytinfo and which are setuid or setgid (i.e. run with elevated privileges). It may also be a vulnerability in other more obscure situations where a user can exert control over the environment with which an ncurses binary is run by another user. FreeBSD 3.x and earlier versions use a very old, customized version of ncurses which is difficult to update without breaking backwards-compatibility. The update was made for FreeBSD 4.0, but it is unlikely that 3.x will be updated. However, the ncurses source is currently being audited for further vulnerabilities. III. Impact Certain setuid/setgid third-party software (including FreeBSD ports/packages) may be vulnerable to a local exploit yielding privileged resources, such as network sockets, privileged filesystem access, or outright privileged shell access (including root access). No program in the FreeBSD base system is believed to be vulnerable to the bug. FreeBSD 4.0 and above are NOT vulnerable to this problem. IV. Workaround Remove any setuid or setgid binary which is linked against libmytinfo (including statically linked), or remove set[ug]id privileges from the file as appropriate. The following instructions will identify the binaries installed on the system which are candidates for removal or removal of file permissions. Since there may be other as yet undiscovered vulnerabilities in libmytinfo it may be wise to perform this audit regardless of whether or not you upgrade your system as described in section V below. In particular, see the note regarding static linking in section V. Of course, it is possible that some of the identified files may be required for the correct operation of your local system, in which case there is no clear workaround except for limiting the set of users who may run the binaries, by an appropriate use of user groups and removing the "o+x" file permission bit. 1) Download the 'libfind.sh' script from ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh e.g. with the fetch(1) command: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh Receiving libfind.sh (460 bytes): 100% 460 bytes transferred in 0.0 seconds (394.69 Kbytes/s) # 2) Verify the md5 checksum and compare to the value below: # /sbin/md5 libfind.sh MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b 3) Run the libfind script against your system: # sh libfind.sh / This will scan your entire system for setuid or setgid binaries which are linked against libmytinfo. Each returned binary should be examined (e.g. with 'ls -l' and/or other tools) to determine what security risk it poses to your local environment, e.g. whether it can be run by arbitrary local users who may be able to exploit it to gain privileges. 4) Remove the binaries, or reduce their file permissions, as appropriate. V. Solution Upgrade your FreeBSD 3.x system to 3.4-STABLE after the correction date, or patch your present system source code and rebuild. Then run the libfind script as instructed in section IV and identify any statically-linked binaries (those reported as "STATIC" by the libfind script). These should either be removed, recompiled, or have privileges restricted to secure them against this vulnerability (since statically-linked binaries will not be affected by recompiling the shared libmytinfo library). To patch your present system: save the patch below into a file, and execute the following commands as root: cd /usr/src/lib/libmytinfo patch < /path/to/patch/file make all make install Patches for 3.x systems before the resolution date: Index: findterm.c =================================================================== RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v retrieving revision 1.3 diff -u -r1.3 findterm.c --- findterm.c 1997/08/13 01:21:36 1.3 +++ findterm.c 2000/04/25 16:58:19 @@ -242,7 +242,7 @@ } else { s = path->file; d = buf; - while(*s != '\0' && *s != ':') + while(*s != '\0' && *s != ':' && d - buf < MAX_LINE - 1) *d++ = *s++; *d = '\0'; if (_tmatch(buf, name)) { @@ -259,7 +259,7 @@ } else { s = path->file; d = buf; - while(*s != '\0' && *s != ',') + while(*s != '\0' && *s != ',' && d - buf < MAX_LINE - 1) *d++ = *s++; *d = '\0'; if (_tmatch(buf, name)) { -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBORc3NFUuHi5z0oilAQGcaAP6Ar4+mNTHR/qXUJ+MFIVy+AQHFDwpYq5f KgBpCRzgKVZs/zfsQ+LwC1vCHzusftTK0lEd//2pfGZHt3ln0eD1s6qt+Q6+ZJBE MYYiXvqoBL1ob2Ahts6uEUs/vbMb4bCbEmMCn4ad2iU+neKH9a81Lk3frIaJjAVK 8/6vW7wH9W4= =NDsR -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security-notifications" in the body of the message