FreeBSD Security Advisory FreeBSD-SA-03:08.realpath

Jacques A. Vidrine nectar at FreeBSD.org
Mon Aug 4 14:00:20 PDT 2003


On Mon, Aug 04, 2003 at 04:37:22PM +0800, Eugene Grosbein wrote:
> FreeBSD Security Advisories wrote:
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > =============================================================================
> > FreeBSD-SA-03:08.realpath                                   Security Advisory
> >                                                           The FreeBSD Project
> > 
> > Topic:          Single byte buffer overflow in realpath(3)
> 
> Hi! I do not see a fix for RELENG_4, neither in this advisory nor in the Repo.
> Please MFC to RELENG_4 too.

RELENG_4 does not currently suffer from the bug, because it has a
different realpath implementation.


On Mon, Aug 04, 2003 at 10:50:19AM +0200, Christoph Moench-Tegeder wrote:
> : Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
> :                 and 5.0-RELEASE
> :                 FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
>                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> I guess rev. 1.9.2.1 of realpath.c fixed the problem more or less
> by accident.

Right, that was a new realpath implementation from -CURRENT.


On Mon, Aug 04, 2003 at 08:11:30PM +1000, Peter Jeremy wrote:
> On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
> >Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
> >                and 5.0-RELEASE
> >                FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> ...
> >V.   Solution
> >
> >1) Upgrade your vulnerable system to 4.8-STABLE
> >or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> >(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> >dated after the respective correction dates.
> 
> I found the reference to RELENG_5_1 in the "Solutions" section but no
> reference to 5.1-RELEASE in the "Affects" section somewhat confusing.

I don't understand how to be more clear.  5.1-RELEASE is not affected,
so of course it is not listed in `Affects'.

> This is compounded by the failure to mention RELENG_5_0 in the
> "Solutions" section.  

RELENG_5_1, RELENG_4_8, and RELENG_4_7 are the currently supported
security branches, so that is why they are listed in the `Solution'
section.  RELENG_5_0 is not a currently supported security branch,
and I would not recommend that anyone upgrade to an old security
branch.  Please see the table at http://www.freebsd.org/security/ or
my announcement in this forum dated July 14.

> I gather that 5.1-RELEASE is not vulnerable due
> to the realpath() rewrite in 1.14.

That's correct, 5.1-RELEASE is not vulnerable, which is why it is not
listed in the `Affects' section.

> May I suggest that in future, when a release is not vulnerable due to
> code rewrites or similar, this fact be explicitly mentioned.  IMHO,
> it's far better to err on the side of caution when dealing with
> security issues.

Thank you for the suggestion.  Would you care to post _exactly_ what
wording you think would be better?  I cannot think of a way to do so
without being redundant or misleading.  I have no desire to add a
``Not affected:'' line.  Especially at times when we have two -STABLE
branches (as we will soon for 4.x and 5.x), it will be common that
there is a bug in one release but not another higher-numbered one.

I think that if one takes the `Affects' lines (and the rest of the
advisory) at face value, without second-guessing, it is crystal
clear what versions of FreeBSD are affected.  But of course I would
:-)

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se

