Date: Mon, 4 Aug 2003 16:00:17 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Eugene Grosbein <eugen@grosbein.pp.ru>, Christoph Moench-Tegeder <cmt@rz.uni-karlsruhe.de>, Peter Jeremy <PeterJeremy@optushome.com.au>
Cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Message-ID: <20030804210016.GB10339@madman.celabo.org>
In-Reply-To: <20030804101130.GA51954@cirb503493.alcatel.com.au> <20030804085018.GA24017@rz-ewok.rz.uni-karlsruhe.de> <3F2E1B42.8BDE2215@grosbein.pp.ru>
References: <200308040004.h7404VVL030671@freefall.freebsd.org> <20030804101130.GA51954@cirb503493.alcatel.com.au> <200308040004.h7404VVL030671@freefall.freebsd.org> <3F2E1B42.8BDE2215@grosbein.pp.ru> <20030804085018.GA24017@rz-ewok.rz.uni-karlsruhe.de> <200308040004.h7404VVL030671@freefall.freebsd.org> <3F2E1B42.8BDE2215@grosbein.pp.ru>
On Mon, Aug 04, 2003 at 04:37:22PM +0800, Eugene Grosbein wrote:
> FreeBSD Security Advisories wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > =============================================================================
> > FreeBSD-SA-03:08.realpath                                   Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          Single byte buffer overflow in realpath(3)
>
> Hi! I do not see a fix for RELENG_4, neither in this advisory nor in the Repo.
> Please MFC to RELENG_4 too.

RELENG_4 does not currently suffer from the bug, because it has a
different realpath implementation.

On Mon, Aug 04, 2003 at 10:50:19AM +0200, Christoph Moench-Tegeder wrote:
> : Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
> :                 and 5.0-RELEASE
> :                 FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
>                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I guess rev. 1.9.2.1 of realpath.c fixed the problem more or less
> by accident.

Right, that was a new realpath implementation from -CURRENT.

On Mon, Aug 04, 2003 at 08:11:30PM +1000, Peter Jeremy wrote:
> On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
> >Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
> >                and 5.0-RELEASE
> >                FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> ...
> >V. Solution
> >
> >1) Upgrade your vulnerable system to 4.8-STABLE
> >or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> >(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> >dated after the respective correction dates.
>
> I found the reference to RELENG_5_1 in the "Solutions" section but no
> reference to 5.1-RELEASE in the "Affects" section somewhat confusing.

I don't understand how to be more clear. 5.1-RELEASE is not affected,
so of course it is not listed in `Affects'.

> This is compounded by the failure to mention RELENG_5_0 in the
> "Solutions" section.
RELENG_5_1, RELENG_4_8, and RELENG_4_7 are the currently supported
security branches, so that is why they are listed in the `Solution'
section. RELENG_5_0 is not a currently supported security branch, and
I would not recommend that anyone upgrade to an old security branch.
Please see the table at http://www.freebsd.org/security/ or my
announcement in this forum dated July 14.

> I gather that 5.1-RELEASE is not vulnerable due
> to the realpath() rewrite in 1.14.

That's correct, 5.1-RELEASE is not vulnerable, which is why it is not
listed in the `Affects' section.

> May I suggest that in future, when a release is not vulnerable due to
> code rewrites or similar, this fact be explicitly mentioned. IMHO,
> it's far better to err on the side of caution when dealing with
> security issues.

Thank you for the suggestion. Would you care to post _exactly_ what
wording you think would be better? I cannot think of a way to do so
without being redundant or misleading. I have no desire to add a
``Not affected:'' line. Especially at times when we have two -STABLE
branches (as we will soon for 4.x and 5.x), it will be common that
there is a bug in one release but not another higher-numbered one.

I think that if one takes the `Affects' lines (and the rest of the
advisory) at face value, without second-guessing, that it is crystal
clear what versions of FreeBSD are affected. But of course I would :-)

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se