FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Jacques A. Vidrine
nectar at FreeBSD.org
Mon Aug 4 14:00:20 PDT 2003

On Mon, Aug 04, 2003 at 04:37:22PM +0800, Eugene Grosbein wrote:
> FreeBSD Security Advisories wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > =============================================================================
> > FreeBSD-SA-03:08.realpath Security Advisory
> > The FreeBSD Project
> >
> > Topic: Single byte buffer overflow in realpath(3)
>
> Hi! I do not see a fix for RELENG_4 either in this advisory or in the Repo.
> Please MFC to RELENG_4 too.

RELENG_4 does not currently suffer from the bug, because it has a
different realpath implementation.

On Mon, Aug 04, 2003 at 10:50:19AM +0200, Christoph Moench-Tegeder wrote:
> : Affects: All releases of FreeBSD up to and including 4.8-RELEASE
> : and 5.0-RELEASE
> : FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I guess rev. 1.9.2.1 of realpath.c fixed the problem more or less
> by accident.

Right, that was a new realpath implementation from -CURRENT.

On Mon, Aug 04, 2003 at 08:11:30PM +1000, Peter Jeremy wrote:
> On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
> >Affects: All releases of FreeBSD up to and including 4.8-RELEASE
> > and 5.0-RELEASE
> > FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> ...
> >V. Solution
> >
> >1) Upgrade your vulnerable system to 4.8-STABLE
> >or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> >(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> >dated after the respective correction dates.
>
> I found the reference to RELENG_5_1 in the "Solutions" section but no
> reference to 5.1-RELEASE in the "Affects" section somewhat confusing.

I don't understand how to be more clear. 5.1-RELEASE is not affected,
so of course it is not listed in `Affects'.

> This is compounded by the failure to mention RELENG_5_0 in the
> "Solutions" section.

RELENG_5_1, RELENG_4_8, and RELENG_4_7 are the currently supported
security branches, so that is why they are listed in the `Solution'
section. RELENG_5_0 is not a currently supported security branch,
and I would not recommend that anyone upgrade to an old security
branch. Please see the table at http://www.freebsd.org/security/ or
my announcement in this forum dated July 14.

> I gather that 5.1-RELEASE is not vulnerable due
> to the realpath() rewrite in 1.14.

That's correct, 5.1-RELEASE is not vulnerable, which is why it is not
listed in the `Affects' section.

> May I suggest that in future, when a release is not vulnerable due to
> code rewrites or similar, this fact be explicitly mentioned. IMHO,
> it's far better to err on the side of caution when dealing with
> security issues.

Thank you for the suggestion. Would you care to post _exactly_ what
wording you think would be better? I cannot think of a way to do so
without being redundant or misleading. I have no desire to add a
``Not affected:'' line. Especially at times when we have two -STABLE
branches (as we will soon for 4.x and 5.x), it will be common that
there is a bug in one release but not another higher-numbered one.

I think that if one takes the `Affects' lines (and the rest of the
advisory) at face value, without second-guessing, it is crystal
clear what versions of FreeBSD are affected. But of course I would
:-)

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se