3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
171 lines
6.1 KiB
Text
171 lines
6.1 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-01:40 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: fts(3) routines contain race condition [REVISED]
|
|
|
|
Category: core
|
|
Module: libc
|
|
Announced: 2001-06-04
|
|
Revised: 2001-08-16
|
|
Credits: Nick Cleaton <nick@cleaton.net>
|
|
Todd Miller <millert@openbsd.org> helped to develop the
|
|
patch.
|
|
Affects: FreeBSD 4.3-RELEASE, 4.3-STABLE prior to the correction
|
|
date.
|
|
Corrected: 2001-06-01
|
|
FreeBSD only: NO
|
|
|
|
0. Revision History
|
|
|
|
2001-06-04 v1.0 Initial release
|
|
2001-08-16 v1.1 Corrected typo in recompilation instructions
|
|
|
|
I. Background
|
|
|
|
The standard C library (libc) contains a set of routines known as fts
|
|
which allow an application to recursively traverse a filesystem.
|
|
|
|
II. Problem Description
|
|
|
|
The fts routines are vulnerable to a race condition when ascending a
|
|
file hierarchy, which allows an attacker who has control over part of
|
|
the hierarchy into which fts is descending to cause the application to
|
|
ascend beyond the starting point of the file traversal, and enter
|
|
other parts of the filesystem.
|
|
|
|
If the fts routines are being used by an application to perform
|
|
operations on the filesystem hierarchy, such as find(1) with a keyword
|
|
such as -exec or -delete, or rm(1) with the -r flag, these operations
|
|
can be incorrectly applied to files outside the intended hierarchy,
|
|
which may result in system damage or compromise.
|
|
|
|
All versions of FreeBSD prior to the correction date including
|
|
4.3-RELEASE are vulnerable to this problem.
|
|
|
|
III. Impact
|
|
|
|
Local users may be able to remove or modify files on the local system
|
|
which are owned or writable by a user running a command that uses the
|
|
FTS routines in a vulnerable way.
|
|
|
|
If the system administrator has enabled the daily_clean_tmps_enable
|
|
variable in /etc/periodic.conf, the find -delete command is run once
|
|
per day, allowing unauthorised removal of files on the system. This
|
|
option is not enabled by default.
|
|
|
|
IV. Workaround
|
|
|
|
None appopriate for the general vulnerability. The instance exposed
|
|
by the daily_clean_tmps_enable setting can be prevented by disabling
|
|
this switch in /etc/periodic.conf, if it has been enabled.
|
|
|
|
V. Solution
|
|
|
|
One of the following:
|
|
|
|
1) As of FreeBSD 4.3-RELEASE, we have introduced a new ``security fix
|
|
CVS branch'' which contains security fixes only, which can be tracked
|
|
using the standard FreeBSD tools (cvsup/CVS/etc). The branch name is
|
|
``RELENG_4_3''. Upgrade your vulnerable FreeBSD system to the
|
|
RELENG_4_3 branch after the correction date.
|
|
|
|
2) Upgrade your vulnerable FreeBSD system to 4.3-STABLE after the
|
|
correction dates.
|
|
|
|
3) To patch your present system: download the relevant patch from the
|
|
below location, and execute the following commands as root:
|
|
|
|
[FreeBSD 4.3 base system]
|
|
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:40/fts.patch
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:40/fts.patch.asc
|
|
|
|
Verify the detached PGP signature using your PGP utility.
|
|
|
|
# cd /usr/src/lib/libc
|
|
# patch -p < /path/to/patch
|
|
# make depend && make all install
|
|
# cd /usr/src/lib/libc_r
|
|
# make depend && make all install
|
|
# cd /usr/src/bin/chmod
|
|
# make depend && make all install
|
|
# cd /usr/src/bin/cp
|
|
# make depend && make all install
|
|
# cd /usr/src/bin/ls
|
|
# make depend && make all install
|
|
# cd /usr/src/bin/pax
|
|
# make depend && make all install
|
|
# cd /usr/src/bin/rm
|
|
# make depend && make all install
|
|
# cd /usr/src/usr.bin/chflags
|
|
# make depend && make all install
|
|
# cd /usr/src/usr.bin/du
|
|
# make depend && make all install
|
|
# cd /usr/src/usr.bin/find
|
|
# make depend && make all install
|
|
# cd /usr/src/libexec/ftpd
|
|
# make depend && make all install
|
|
# cd /usr/src/usr.sbin/chown
|
|
# make depend && make all install
|
|
# cd /usr/src/usr.sbin/ckdist
|
|
# make depend && make all install
|
|
# cd /usr/src/usr.sbin/ctm
|
|
# make depend && make all install
|
|
# cd /usr/src/usr.sbin/mtree
|
|
# make depend && make all install
|
|
# cd /usr/src/usr.sbin/pkg_install
|
|
# make depend && make all install
|
|
|
|
This patch has been verified to apply to FreeBSD 4.3-RELEASE and
|
|
4.2-RELEASE; it may or may not apply to older, unsupported versions of
|
|
FreeBSD.
|
|
|
|
4) An experimental upgrade package is available for adventurous users
|
|
who wish to provide testing and feedback on the binary upgrade
|
|
process. This package may be installed on FreeBSD 4.3-RELEASE systems
|
|
only, and is intended for use on systems for which source patching is
|
|
not practical or convenient.
|
|
|
|
Since this is the first binary upgrade package produced for the
|
|
FreeBSD base system, it is not recommended that this be used on
|
|
production systems without first being tested on a scratch machine;
|
|
since the package replaces critical system files, a failed upgrade can
|
|
leave a system in an unusable state.
|
|
|
|
During the installation procedure, backup copies are made of the files
|
|
which are replaced by the package. These backup copies will be
|
|
reinstalled if the package is removed, reverting the system to a
|
|
pre-patch state.
|
|
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:40/security-patch-fts-01.40.tgz
|
|
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:40/security-patch-fts-01.40.tgz.asc
|
|
|
|
Verify the detached PGP signature using your PGP utility.
|
|
|
|
Bring the system down to single-user mode; this package should not be
|
|
installed from multi-user mode. If it desired to remove the package
|
|
at a later date, you should again do so from single-user mode.
|
|
|
|
# shutdown now
|
|
# pkg_add security-patch-fts-01.40
|
|
|
|
Follow the directions given after the installation of the package to
|
|
complete the system upgrade.
|
|
|
|
To bring the system back up to multi-user mode, type the following
|
|
command:
|
|
|
|
# exit
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.0.6 (FreeBSD)
|
|
Comment: For info see http://www.gnupg.org
|
|
|
|
iQCVAwUBO3y5tFUuHi5z0oilAQF6PwP/fFXgo2bL/IlDleuWCQsVB/C1By8QPL5J
|
|
Z0Hi4yl28Z8hEGRTI8qK2UXIliskU+ixlD0j9N6yxJDe17KIY/4w3gGJGsux3J7j
|
|
TSHXZOfsX0CE61Jssm9kUpOzilwJBOhRvii0BSso7njtVIQpFpWBgIMne+lNluFe
|
|
S7SZsk6sqgg=
|
|
=K6yG
|
|
-----END PGP SIGNATURE-----
|