3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
152 lines
5.1 KiB
Text
152 lines
5.1 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-99:05 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: fts library routine vulnerability
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 1999-09-15
|
|
Affects: FreeBSD 3.2 (and earlier)
|
|
FreeBSD-current before the correction date.
|
|
FreeBSD 3.2-stable before the correction date.
|
|
Corrected: FreeBSD-3.3 RELEASE
|
|
FreeBSD-current as of 1999/08/26
|
|
FreeBSD-3.2-stable as of 1999/08/26
|
|
The FreeBSD-3.3-RC series of releases are not affected.
|
|
FreeBSD only: NO
|
|
|
|
Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-99:05/
|
|
|
|
I. Background
|
|
|
|
The fts library routines provide a convenient way for a program to
|
|
walk a hierarchy of files.
|
|
|
|
II. Problem Description
|
|
|
|
The fts library functions had a buffer overflow in them where which
|
|
would lead to a core dump when periodic ran the security checking
|
|
scripts (or other scripts which traverse trees that can be controlled
|
|
by users). periodic(3) should limit core size to zero to disable core
|
|
dumps while it is executing commands, but does not do so. In
|
|
addition, the kernel should not follow symbolic links.
|
|
|
|
All three of these problems caused a situation where it was possible
|
|
for an attacker could create or overwrite an arbitrary file on the
|
|
system with a moderate degree of controll of its contents to cause a
|
|
problem.
|
|
|
|
III. Impact
|
|
|
|
Local users could gain root access.
|
|
|
|
IV. Workaround
|
|
|
|
One can workaround this problem by preventing core dumps for periodic.
|
|
This solution is less than completely satisfying, since it only plugs
|
|
the known exploit hole. None the less, this may provide a short term
|
|
stopgap solution until a new kernel and userland can be installed.
|
|
|
|
# mv /usr/sbin/periodic /usr/sbin/periodic.bin
|
|
# cat > /usr/sbin/periodic
|
|
#!/bin/sh
|
|
ulimit -c 0
|
|
/usr/sbin/periodic.bin $*
|
|
^D
|
|
# chmod 555 /usr/sbin/periodic
|
|
|
|
V. Solution
|
|
|
|
Apply the following patches to libc and do a make world. Please also
|
|
see the companion advisory FreeBSD-SA-99:04.core.asc in the advisories
|
|
directory of our ftp site for details on the kernel portions of this
|
|
fix.
|
|
|
|
Index: lib/libc/gen/fts.c
|
|
===================================================================
|
|
RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/gen/fts.c,v
|
|
retrieving revision 1.10
|
|
retrieving revision 1.11
|
|
diff -u -r1.10 -r1.11
|
|
--- fts.c 1999/08/15 19:21:29 1.10
|
|
+++ fts.c 1999/09/02 07:45:07 1.11
|
|
@@ -963,6 +963,24 @@
|
|
return (sp->fts_path == NULL);
|
|
}
|
|
|
|
+static void
|
|
+ADJUST(p, addr)
|
|
+ FTSENT *p;
|
|
+ void *addr;
|
|
+{
|
|
+ if ((p)->fts_accpath >= (p)->fts_path &&
|
|
+ (p)->fts_accpath < (p)->fts_path + (p)->fts_pathlen) {
|
|
+ if (p->fts_accpath != p->fts_path)
|
|
+ errx(1, "fts ADJUST: accpath %p path %p",
|
|
+ p->fts_accpath, p->fts_path);
|
|
+ if (p->fts_level != 0)
|
|
+ errx(1, "fts ADJUST: level %d not 0", p->fts_level);
|
|
+ (p)->fts_accpath =
|
|
+ (char *)addr + ((p)->fts_accpath - (p)->fts_path);
|
|
+ }
|
|
+ (p)->fts_path = addr;
|
|
+}
|
|
+
|
|
/*
|
|
* When the path is realloc'd, have to fix all of the pointers in structures
|
|
* already returned.
|
|
@@ -974,18 +992,18 @@
|
|
{
|
|
FTSENT *p;
|
|
|
|
-#define ADJUST(p) { \
|
|
- (p)->fts_accpath = \
|
|
- (char *)addr + ((p)->fts_accpath - (p)->fts_path); \
|
|
+#define ADJUST1(p) { \
|
|
+ if ((p)->fts_accpath == (p)->fts_path) \
|
|
+ (p)->fts_accpath = (addr); \
|
|
(p)->fts_path = addr; \
|
|
}
|
|
/* Adjust the current set of children. */
|
|
for (p = sp->fts_child; p; p = p->fts_link)
|
|
- ADJUST(p);
|
|
+ ADJUST(p, addr);
|
|
|
|
/* Adjust the rest of the tree. */
|
|
for (p = sp->fts_cur; p->fts_level >= FTS_ROOTLEVEL;) {
|
|
- ADJUST(p);
|
|
+ ADJUST(p, addr);
|
|
p = p->fts_link ? p->fts_link : p->fts_parent;
|
|
}
|
|
}
|
|
|
|
|
|
=============================================================================
|
|
FreeBSD, Inc.
|
|
|
|
Web Site: http://www.freebsd.org/
|
|
Confidential contacts: security-officer@freebsd.org
|
|
Security notifications: security-notifications@freebsd.org
|
|
Security public discussion: freebsd-security@freebsd.org
|
|
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
|
|
|
|
Notice: Any patches in this document may not apply cleanly due to
|
|
modifications caused by digital signature or mailer software.
|
|
Please reference the URL listed at the top of this document
|
|
for original copies of all patches if necessary.
|
|
=============================================================================
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.3ia
|
|
Charset: noconv
|
|
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
|
|
|
|
iQCVAwUBN+B9rFUuHi5z0oilAQHGYgP+IwrmdUBtCw1r8J/lt/wBrxH5wug70K1V
|
|
t2graun2wIWvtkh+kmwKJP4tonzlxi/YhyqqATh4pFIZb5CUEtCR2/gcpHPwB4NX
|
|
oNuIGGBtKftrrFnPf9aArFu/XFjrxyUPetYoXtfgGc5y6VlI6mupDnwt9oj34EeY
|
|
VIb92qSfH+c=
|
|
=tPng
|
|
-----END PGP SIGNATURE-----
|