3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
90 lines
3 KiB
Text
90 lines
3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-00:10 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: orville-write port contains local root compromise.
|
|
|
|
Category: ports
|
|
Module: orville-write
|
|
Announced: 2000-03-15
|
|
Affects: Ports collection before the correction date.
|
|
Corrected: 2000-03-09
|
|
FreeBSD only: Yes
|
|
|
|
I. Background
|
|
|
|
Orville-write is a replacement for the write(1) command, which
|
|
provides improved control over message delivery and other features.
|
|
|
|
II. Problem Description
|
|
|
|
One of the commands installed by the port is incorrectly installed
|
|
with setuid root permissions. The 'huh' command should not have any
|
|
special privileges since it is intended to be run by the local user to
|
|
view his saved messages.
|
|
|
|
The orville-write port is not installed by default, nor is it "part of
|
|
FreeBSD" as such: it is part of the FreeBSD ports collection, which
|
|
contains over 3100 third-party applications in a ready-to-install
|
|
format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to
|
|
this problem.
|
|
|
|
FreeBSD makes no claim about the security of these third-party
|
|
applications, although an effort is underway to provide a security audit of
|
|
the most security-critical ports.
|
|
|
|
III. Impact
|
|
|
|
A local user can exploit a buffer overflow in the 'huh' utility to
|
|
obtain root privileges.
|
|
|
|
If you have not chosen to install the orville-write port/package, then
|
|
your system is not vulnerable.
|
|
|
|
IV. Workaround
|
|
|
|
Remove the orville-write port if you have installed it.
|
|
|
|
V. Solution
|
|
|
|
Remove the setuid bit from the huh utility, by executing the following
|
|
command as root:
|
|
|
|
chmod u-s /usr/local/bin/huh
|
|
|
|
It is not necessary to reinstall the orville-write port, although this
|
|
can be done in one of the following ways if desired:
|
|
|
|
1) Upgrade your entire ports collection and rebuild the orville-write port.
|
|
|
|
2) Reinstall a new package dated after the correction date, obtained from:
|
|
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/misc/orville-write-2.41a.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/misc/orville-write-2.41a.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/misc/orville-write-2.41a.tgz
|
|
|
|
Note: it may be several days before the updated packages are available.
|
|
|
|
3) download a new port skeleton for the orville-write port from:
|
|
|
|
http://www.freebsd.org/ports/
|
|
|
|
and use it to rebuild the port.
|
|
|
|
4) Use the portcheckout utility to automate option (3) above. The
|
|
portcheckout port is available in /usr/ports/devel/portcheckout or the
|
|
package can be obtained from:
|
|
|
|
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBOM/KWlUuHi5z0oilAQHk3AP+PEWNZ95ou8Oyf0nFzgAvjRCc4T060cJf
|
|
8qncBFmbWKvl/VHGJnj+u5HPE2LciZb/SdQxH0Ibuvm45hjt7umRrNcHQABmhtYV
|
|
9kG2k2cG+w9QtPnWQUtk7UDAQ2nmbyvQBsUJI+wrILoTHaKU1nLBivzzQbZPX9Nr
|
|
YTNtkrInpV0=
|
|
=c84W
|
|
-----END PGP SIGNATURE-----
|