Import FreeBSD Security Advisories and Errata Notices, as well as their

patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
svn path=/head/; revision=39381
2012-08-15 06:19:40 +00:00 · 2012-08-15 06:19:40 +00:00 · 3571e53040 · 2020-12-08 03:00:23 +00:00
commit 3571e53040
parent 01c8718f26
1185 changed files with 317546 additions and 0 deletions
--- a/share/security/advisories/FreeBSD-SA-96:20.stack-overflow.asc
+++ b/share/security/advisories/FreeBSD-SA-96:20.stack-overflow.asc
@ -0,0 +1,272 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+=============================================================================
+FreeBSD-SA-96:20					    Security Advisory
+						        	FreeBSD, Inc.
+
+Topic:		unauthorized access via buffer overruns
+		cron, crontab, ppp
+
+Category:	core
+Module:		cron, crontab, ppp
+Announced:	1996-12-16
+Affects:	1.0, 1.1, 2.1.0, 2.1.5, 2.1.6, 2.1.6.1
+Corrected:	2.2-current as of various dates (see below)
+		2.1-stable  as of various dates (see below)
+FreeBSD only:	yes
+
+Patches:	ftp://freebsd.org/pub/CERT/patches/SA-96:20/
+
+=============================================================================
+
+I.   Background    
+
+     Buffer overrun (aka stack overflow) exploits in system
+     supplied and locally installed utilities are commonly
+     used by individuals wishing to obtain unauthorized access to
+     computer systems.  The FreeBSD team has been reviewing and
+     fixing the source code pool to eliminate potential exploits
+     based on this technique.  We've found several such exploits
+     (and more have been reported by other sources) and strongly
+     suggest that all operators of FreeBSD machines upgrade to
+     the latest version of FreeBSD (2.1.6.1 at the time of this
+     advisory) if there is a possibility for untrustworthy users
+     to have standard user level access to the system.
+
+     Most of these problems were fixed with the release of
+     FreeBSD 2.1.6.1, however the following were not:
+
+     In August of 1996, exploits were discovered in the
+     cron and crontab utilities in FreeBSD.  These were fixed
+     in the -current source code pool in August of 1996, but
+     due to a clerical error, were not repaired in the older
+     -stable source code pool used to generate the FreeBSD
+     2.1.X distributions until 16-Dec-1996.
+     Recently, yet another buffer overrun was discovered
+     in the cron and crontab utilities in FreeBSD. The problem
+     was corrected on 16-Dec-1996 in both -current and -stable.
+
+     Also recently, a similar overrun has been discovered in the
+     ppp utility.  This was fixed in both -current and
+     -stable source code pools on 16-Dec-1996.
+
+
+II.  Problem Description
+
+     The programs in question store user-supplied information
+     in internal buffers.  There is no range checking on length
+     of the data copied into these buffers.  A malicious user
+     may be able to overflow these buffers through the use of
+     command line options or via enviornment variables and
+     insert and execute their own code fragment which could
+     be used to obtain unauthorized access to the system
+
+
+III. Impact
+
+     The programs in question may be subverted to allow an
+     unprivileged user to gain root access to the system.
+
+     These vulnerability can only be exploited by individuals
+     with access to the local system.
+
+
+IV. Workaround
+
+     Setuid programs invoked by the user may have their setuid
+     permissions removed, or their protection attributes modified
+     so unprivileged users may not operate them at all.
+     This may reduce or eliminate some functionality provided by
+     these programs to normal users.
+
+     To remove setuid privileges:
+
+     crontab:		# chmod ug-s /usr/bin/crontab
+     ppp:		# chmod ug-s /usr/bin/ppp
+
+     The cron program is started by the system on every boot.
+     This auto-start may be temporarily disabled, and the running
+     cron program stopped.  However, cron is a valuable system
+     utility,  so we suggest this as a temporary workaround only.
+
+     To stop cron from executing on system boot, edit the /etc/rc
+     file and change the line:
+		echo -n ' cron'; cron
+     so it reads:
+		# echo -n ' cron'; cron.
+
+     To turn off a running cron, use the ps program to determine
+     the PID of the currently running cron (use "ps") and type:
+
+		# kill <pid of running cron>
+
+V. Solution
+
+     The following patches fixes the vulnerabilities.  It should
+     apply cleanly to all FreeBSD 2.1.x systems.  It has not been
+     tested with FreeBSD 1.x.
+
+     After applying these patches, recompile and re-install the
+     affected utilities.
+
+
+    *** usr.sbin/cron/cron/database.c	1994/08/27 13:43:03	1.1.1.1
+    --- usr.sbin/cron/cron/database.c	1996/09/10 03:38:20	1.3
+    ***************
+    *** 112,119 ****
+      		if (dp->d_name[0] == '.')
+      			continue;
+      
+    ! 		(void) strcpy(fname, dp->d_name);
+    ! 		sprintf(tabname, CRON_TAB(fname));
+      
+      		process_crontab(fname, fname, tabname,
+      				&statbuf, &new_db, old_db);
+    --- 112,119 ----
+      		if (dp->d_name[0] == '.')
+      			continue;
+      
+    ! 		(void)snprintf(fname, sizeof fname, "%s", dp->d_name);
+    ! 		(void)snprintf(tabname, sizeof tabname, CRON_TAB(fname));
+      
+      		process_crontab(fname, fname, tabname,
+      				&statbuf, &new_db, old_db);
+    
+    *** usr.sbin/cron/crontab/crontab.c	1996/04/09 21:23:11	1.3.4.1
+    --- usr.sbin/cron/crontab/crontab.c	1996/08/05 00:50:02	1.6
+    ***************
+    *** 167,173 ****
+      					ProgramName, optarg);
+      				exit(ERROR_EXIT);
+      			}
+    ! 			(void) strcpy(User, optarg);
+      			break;
+      		case 'l':
+      			if (Option != opt_unknown)
+    --- 165,171 ----
+      					ProgramName, optarg);
+      				exit(ERROR_EXIT);
+      			}
+    ! 			(void) snprintf(User, sizeof(user), "%s", optarg);
+      			break;
+      		case 'l':
+      			if (Option != opt_unknown)
+    ***************
+    *** 198,204 ****
+      	} else {
+      		if (argv[optind] != NULL) {
+      			Option = opt_replace;
+    ! 			(void) strcpy (Filename, argv[optind]);
+      		} else {
+      			usage("file name must be specified for replace");
+      		}
+    --- 196,203 ----
+      	} else {
+      		if (argv[optind] != NULL) {
+      			Option = opt_replace;
+    ! 			(void) snprintf(Filename, sizeof(Filename), "%s",
+    ! 					argv[optind]);
+      		} else {
+      			usage("file name must be specified for replace");
+      		}
+    ***************
+    *** 480,486 ****
+      			ProgramName, Filename);
+      		goto done;
+      	default:
+    ! 		fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n");
+      		goto fatal;
+      	}
+       remove:
+    --- 479,486 ----
+      			ProgramName, Filename);
+      		goto done;
+      	default:
+    ! 		fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n",
+    ! 			ProgramName);
+      		goto fatal;
+      	}
+       remove:
+    
+    --- usr.sbin/cron/lib/env.c	1994/08/27 13:43:02	1.1.1.1
+    +++ usr.sbin/cron/lib/env.c	1996/12/16 18:11:57
+    @@ -115,7 +115,7 @@
+     {
+     	long	filepos;
+     	int	fileline;
+    -	char	name[MAX_TEMPSTR], val[MAX_ENVSTR];
+    +	char	name[MAX_ENVSTR], val[MAX_ENVSTR];
+     	int	fields;
+     
+     	filepos = ftell(f);
+    
+    
+    --- usr.sbin/ppp/chat.c	1996/06/10 09:41:45	1.4.4.2
+    +++ usr.sbin/ppp/chat.c	1996/12/15 20:40:26
+    @@ -315,7 +315,7 @@
+         }
+         cp--;
+       }
+    -  sprintf(tmp, "%s %s", command, cp);
+    +  snprintf(tmp, sizeof tmp, "%s %s", command, cp);
+       (void) MakeArgs(tmp, &vector);
+     
+       pipe(fids);
+    
+    --- usr.sbin/ppp/systems.c	1995/05/30 03:50:58	1.5
+    +++ usr.sbin/ppp/systems.c	1996/12/15 20:40:26
+    @@ -75,12 +75,12 @@
+       cp = getenv("HOME");
+       if (cp) {
+         SetUserId();
+    -    sprintf(line, "%s/.%s", cp, file);
+    +    snprintf(line, sizeof line, "%s/.%s", cp, file);
+         fp = fopen(line, "r");
+       }
+       if (fp == NULL) {
+         SetPppId();
+    -    sprintf(line, "%s/%s",_PATH_PPP, file);
+    +    snprintf(line, sizeof line, "%s/%s", _PATH_PPP, file);
+         fp = fopen(line, "r");
+       }
+       if (fp == NULL) {
+    @@ -115,12 +115,12 @@
+       cp = getenv("HOME");
+       if (cp) {
+         SetUserId();
+    -    sprintf(line, "%s/.%s", cp, file);
+    +    snprintf(line, sizeof line, "%s/.%s", cp, file);
+         fp = fopen(line, "r");
+       }
+       if (fp == NULL) {
+         SetPppId();		/* fix from pdp@ark.jr3uom.iijnet.or.jp */
+    -    sprintf(line, "%s/%s",_PATH_PPP, file);
+    +    snprintf(line, sizeof line, "%s/%s", _PATH_PPP, file);
+         fp = fopen(line, "r");
+       }
+       if (fp == NULL) {
+
+=============================================================================
+FreeBSD, Inc.
+
+Web Site:			http://www.freebsd.org/
+Confidential contacts:		security-officer@freebsd.org
+PGP Key:			ftp://freebsd.org/pub/CERT/public_key.asc
+Security notifications:		security-notifications@freebsd.org
+Security public discussion:	security@freebsd.org
+
+Notice: Any patches in this document may not apply cleanly due to
+        modifications caused by digital signature or mailer software.
+        Please reference the URL listed at the top of this document
+        for original copies of all patches if necessary.
+=============================================================================
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.2
+
+iQCVAwUBMrb4FlUuHi5z0oilAQGCjQP/TcKygSf3CLwfJcPSnsQnc0k5fkF3QZvk
+Lp4K7FTua7M0AHHMn4gjpZEqB0+eqxMEGuZ+VXISSoESWyaOSz+hVLmLU2UZDLO0
+WWZWw3MM3UeWAzLLXwRPTLN0tQlpQJyqPNH1okb4c/Lx9IugN1wcGfbiTnOF3NaC
+d8lhtqcQoi4=
+=zAKC
+-----END PGP SIGNATURE-----