107 lines
4.2 KiB
Text
107 lines
4.2 KiB
Text
|
-----BEGIN PGP SIGNED MESSAGE-----
|
||
|
|
||
|
=============================================================================
|
||
|
FreeBSD-SA-00:64 Security Advisory
|
||
|
FreeBSD, Inc.
|
||
|
|
||
|
Topic: global port allows remote compromise through CGI script
|
||
|
|
||
|
Category: ports
|
||
|
Module: global
|
||
|
Announced: 2000-11-06
|
||
|
Credits: Shigio Yamaguchi <shigio@tamacom.com>
|
||
|
Affects: Ports collection prior to the correction date.
|
||
|
Corrected: 2000-10-09
|
||
|
Vendor status: Updated version released
|
||
|
FreeBSD only: NO
|
||
|
|
||
|
I. Background
|
||
|
|
||
|
global is a source-code tagging system for indexing and searching
|
||
|
large bodies of source code.
|
||
|
|
||
|
II. Problem Description
|
||
|
|
||
|
The global port, versions 3.5 through to 3.55, contains a
|
||
|
vulnerability in the CGI script generated by the htags utility which
|
||
|
allows a remote attacker to execute code on the local system as the
|
||
|
user running the script, typically user 'nobody' in most
|
||
|
installations.
|
||
|
|
||
|
There is no vulnerability in the default installation of the port, but
|
||
|
if an administrator uses the 'htags -f' command to generate a CGI
|
||
|
script enabling the browsing of source code, then the system is
|
||
|
vulnerable to attack caused by incorrect validation of input.
|
||
|
|
||
|
An older version of global was included in previous releases of
|
||
|
FreeBSD; this is not vulnerable to the problem described here.
|
||
|
|
||
|
The global port is not installed by default, nor is it "part of
|
||
|
FreeBSD" as such: it is part of the FreeBSD ports collection, which
|
||
|
contains over 4100 third-party applications in a ready-to-install
|
||
|
format. The ports collections shipped with FreeBSD 3.5.1 and 4.1.1
|
||
|
contain this problem since it was discovered after the releases, but
|
||
|
it was corrected prior to the release of FreeBSD 4.2.
|
||
|
|
||
|
FreeBSD makes no claim about the security of these third-party
|
||
|
applications, although an effort is underway to provide a security
|
||
|
audit of the most security-critical ports.
|
||
|
|
||
|
III. Impact
|
||
|
|
||
|
If the 'htags -f' command is used to generate a CGI script which is
|
||
|
then installed under a webserver, then remote users may execute
|
||
|
arbitrary commands on the local system as the user which runs the CGI
|
||
|
script.
|
||
|
|
||
|
If you have not chosen to install the global port/package, or you have
|
||
|
not used the 'htags -f' command to produce a CGI script, then your
|
||
|
system is not vulnerable to this problem.
|
||
|
|
||
|
IV. Workaround
|
||
|
|
||
|
Deinstall the global port/package, if you you have installed it, or
|
||
|
remove the 'global.cgi' file installed on the website.
|
||
|
|
||
|
V. Solution
|
||
|
|
||
|
One of the following:
|
||
|
|
||
|
1) Upgrade your entire ports collection and rebuild the global port.
|
||
|
|
||
|
2) Deinstall the old package and install a new package dated after the
|
||
|
correction date, obtained from:
|
||
|
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/global-4.0.1.tgz
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/global-4.0.1.tgz
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/global-4.0.1.tgz
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/global-4.0.1.tgz
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/global-4.0.1.tgz
|
||
|
|
||
|
3) download a new port skeleton for the cvsweb port from:
|
||
|
|
||
|
http://www.freebsd.org/ports/
|
||
|
|
||
|
and use it to rebuild the port.
|
||
|
|
||
|
4) Use the portcheckout utility to automate option (3) above. The
|
||
|
portcheckout port is available in /usr/ports/devel/portcheckout or the
|
||
|
package can be obtained from:
|
||
|
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
|
||
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
|
||
|
|
||
|
-----BEGIN PGP SIGNATURE-----
|
||
|
Version: GnuPG v1.0.4 (FreeBSD)
|
||
|
Comment: For info see http://www.gnupg.org
|
||
|
|
||
|
iQCVAwUBOgcQslUuHi5z0oilAQHKXAP/Wz2SmgOAIYFOquE3z+++5nbNxKYmKS/J
|
||
|
Tb1ClUtPSSk6s/dfX3t17O1o0a/Pmj3u+CxAdRXdIka1XAQE9lY2pL4uhEVr0nXT
|
||
|
/+I4Hap17OZVdNTTiF/a6LYd/WYbJkMrRbADnZjvRp5zrOpPwbzc1ZwIn9GRqiHc
|
||
|
XYA/cWGGWXg=
|
||
|
=+ex8
|
||
|
-----END PGP SIGNATURE-----
|