3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
84 lines
3 KiB
Text
84 lines
3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-00:80 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: halflifeserver allows remote code execution
|
|
|
|
Category: ports
|
|
Module: halflifeserver
|
|
Announced: 2000-12-20
|
|
Credits: Mark Cooper
|
|
Affects: Ports collection prior to the correction date.
|
|
Corrected: 2000-11-29
|
|
Vendor status: Updated version released
|
|
FreeBSD only: NO
|
|
|
|
I. Background
|
|
|
|
halflifeserver is a dedicated server for hosting Half-Life games.
|
|
|
|
II. Problem Description
|
|
|
|
The halflifeserver port, versions prior to 3.1.0.4, contains local and
|
|
remote vulnerabilities through buffer overflows and format string
|
|
vulnerabilities. These vulnerabilities may allow remote users to
|
|
execute arbitrary code as the user running halflifeserver.
|
|
|
|
The halflifeserver port is not installed by default, nor is it "part
|
|
of FreeBSD" as such: it is part of the FreeBSD ports collection, which
|
|
contains over 4200 third-party applications in a ready-to-install
|
|
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2
|
|
contain this problem since it was discovered after the releases.
|
|
|
|
FreeBSD makes no claim about the security of these third-party
|
|
applications, although an effort is underway to provide a security
|
|
audit of the most security-critical ports.
|
|
|
|
III. Impact
|
|
|
|
Malicious remote users may execute arbitrary code as the user running
|
|
the halflifeserver software.
|
|
|
|
If you have not chosen to install the halflifeserver port/package,
|
|
then your system is not vulnerable to this problem.
|
|
|
|
IV. Workaround
|
|
|
|
Deinstall the halflifeserver port/package, if you have installed it.
|
|
|
|
V. Solution
|
|
|
|
One of the following:
|
|
|
|
1) Upgrade your entire ports collection and rebuild the halflifeserver
|
|
port.
|
|
|
|
2) download a new port skeleton for the halflifeserver port from:
|
|
|
|
http://www.freebsd.org/ports/
|
|
|
|
and use it to rebuild the port. Due to license restrictions no binary
|
|
package is provided for the halflifeserver port.
|
|
|
|
3) Use the portcheckout utility to automate option (2) above. The
|
|
portcheckout port is available in /usr/ports/devel/portcheckout or the
|
|
package can be obtained from:
|
|
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.0.4 (FreeBSD)
|
|
Comment: For info see http://www.gnupg.org
|
|
|
|
iQCVAwUBOkDIQVUuHi5z0oilAQGcqQQApE+76gPjqdkQf9TvbGBThPxcSocU8F+N
|
|
GHiBPzkrgVHqCLYee0sywsQ4KRg2awuq+sP6EcqLTfaIGLZqPgS4xNZ6gqOrrgLP
|
|
wxvGdtlqgad5lXLEvs1uYwBmj+lTNteYWy6KC04za2rLHYdkZce21kyj+6preXZs
|
|
trAQ2uVDvsM=
|
|
=s4GT
|
|
-----END PGP SIGNATURE-----
|