FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
Lewis Watson
lists at visionsix.com
Tue Aug 5 09:58:47 PDT 2003
> NOTE WELL: Any statically linked applications that are not part of
> the base system (i.e. from the Ports Collection or other 3rd-party
> sources) must be recompiled.
>
> All affected applications must be restarted for them to use the
> corrected library. Though not required, rebooting may be the easiest
> way to accomplish this.
>
I have upgraded my 4.8 box to 4.8 p1. How do I verify what applications
need to be patched and how do I make sure that the above noted statically
linked applications are patched after I am done?
Thanks a bunch!
Lewis
----- Original Message -----
From: "FreeBSD Security Advisories" <security-advisories at freebsd.org>
To: "FreeBSD Security Advisories" <security-advisories at freebsd.org>
Sent: Tuesday, August 05, 2003 7:02 AM
Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
==========================================================================
===
> FreeBSD-SA-03:08.realpath Security
Advisory
> The FreeBSD
Project
>
> Topic: Single byte buffer overflow in realpath(3)
>
> Category: core
> Module: libc
> Announced: 2003-08-03
> Credits: Janusz Niewiadomski <funkysh at isec.pl>,
> Wojciech Purczynski <cliph at isec.pl>,
> CERT/CC
> Affects: All releases of FreeBSD up to and including 4.8-RELEASE
> and 5.0-RELEASE
> FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> Corrected: 2003-08-03 23:46:24 UTC (RELENG_5_0)
> 2003-08-03 23:43:43 UTC (RELENG_4_8)
> 2003-08-03 23:44:12 UTC (RELENG_4_7)
> 2003-08-03 23:44:36 UTC (RELENG_4_6)
> 2003-08-03 23:44:56 UTC (RELENG_4_5)
> 2003-08-03 23:45:41 UTC (RELENG_4_4)
> 2003-08-03 23:46:03 UTC (RELENG_4_3)
> 2003-08-03 23:47:39 UTC (RELENG_3)
> FreeBSD only: NO
>
> 0. Revision History
>
> v1.0 2003-08-03 Initial release
> v1.1 2003-08-04 Updated information for lukemftpd
>
> I. Background
>
> The realpath(3) function is used to determine the canonical,
> absolute pathname from a given pathname which may contain extra
> ``/'' characters, references to ``/./'' or ``/../'', or references
> to symbolic links. The realpath(3) function is part of the FreeBSD
> Standard C Library.
>
> II. Problem Description
>
> An off-by-one error exists in a portion of realpath(3) that computes
> the length of the resolved pathname. As a result, if the resolved
> path name is exactly 1024 characters long and contains at least
> two directory separators, the buffer passed to realpath(3) will be
> overwritten by a single NUL byte.
>
> III. Impact
>
> Applications using realpath(3) MAY be vulnerable to denial of service
> attacks, remote code execution, and/or privilege escalation. The
> impact on an individual application is highly dependent upon the
> source of the pathname passed to realpath, the position of the output
> buffer on the stack, the architecture on which the application is
> running, and other factors.
>
> Within the FreeBSD base system, several applications use realpath(3).
> Two applications which are negatively impacted are:
>
> (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
> process the MLST and MLSD commands. The vulnerability may be
> exploitable, leading to code execution with superuser privileges.
>
> lukemftpd(8) was installed (but not enabled) by default in
> 4.7-RELEASE and in 4-STABLE dated Jun 20 21:13:33 2002 UTC through
> Nov 12 17:32:47 2002 UTC. It is not built or installed by default
> in any other release.
>
> If the `-r' option to lukemftpd is used (as suggested by the
> example /etc/inetd.conf supplied in 4.7-RELEASE), then successful
> exploitation leads leads to code execution with the privileges of
> the authenticated user (rather than superuser privileges).
>
> (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
> chdir commands. This vulnerability may be exploitable, leading
> to code execution with the privileges of the authenticated user.
>
> At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
> the following applications which appear to use realpath(3). These
> applications have not been audited, and may or may not be vulnerable.
> There may be additional applications in the FreeBSD Ports Collection
> that use realpath(3), particularly statically-linked applications and
> applications added since 4.8-RELEASE.
>
> BitchX-1.0c19_1
> Mowitz-0.2.1_1
> XFree86-clients-4.3.0_1
> abcache-0.14
> aim-1.5.234
> analog-5.24,1
> anjuta-1.0.1_1
> aolserver-3.4.2
> argus-2.0.5
> arm-rtems-gdb-5.2_1
> avr-gdb-5.2.1
> ccache-2.1.1
> cdparanoia-3.9.8_4
> cfengine-1.6.3_4
> cfengine2-2.0.3
> cmake-1.4.7
> comserv-1.4.3
> criticalmass-0.97
> dedit-0.6.2.3_1
> drweb_postfix-4.29.10a
> drweb-4.29.2
> drweb_sendmail-4.29.10a
> edonkey-gui-gtk-0.5.0
> enca-0.10.7
> epic4-1.0.1_2
> evolution-1.2.2_1
> exim-3.36_1
> exim-4.12_5
> exim-ldap-4.12_5
> exim-ldap2-4.12_5
> exim-mysql-4.12_5
> exim-postgresql-4.12_5
> fam-2.6.9_2
> fastdep-0.15
> feh-1.2.4_1
> ferite-0.99.6
> fileutils-4.1_1
> finfo-0.1
> firebird-1.0.2
> firebird-1.0.r2
> frontpage-5.0.2.2623_1
> galeon-1.2.8
> galeon2-1.3.2_1
> gdb-5.3_20030311
> gdb-5.2.1_1
> gdm2-2.4.1.3
> gecc-20021119
> gentoo-0.11.34
> gkrellmvolume-2.1.7
> gltron-0.61
> global-4.5.1
> gnat-3.15p
> gnomelibs-1.4.2_1
> gprolog-1.2.16
> gracula-3.0
> gringotts-1.2.3
> gtranslator-0.43_1
> gvd-1.2.5
> hercules-2.16.5
> hte-0.7.0
> hugs98-200211
> i386-rtems-gdb-5.2_1
> i960-rtems-gdb-5.2_1
> installwatch-0.5.6
> ivtools-1.0.6
> ja-epic4-1.0.1_2
> ja-gnomelibs-1.4.2_1
> ja-msdosfs-20001027
> ja-samba-2.2.7a.j1.1_1
> kdebase-3.1_1
> kdelibs-3.1
> kermit-8.0.206
> ko-BitchX-1.0c16_3
> ko-msdosfs-20001027
> leocad-0.73
> libfpx-1.2.0.4_1
> libgnomeui-2.2.0.1
> libpdel-0.3.4
> librep-0.16.1_1
> linux-beonex-0.8.1
> linux-divxplayer-0.2.0
> linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
> linux-gnomelibs-1.2.8_2
> linux-mozilla-1.2
> linux-netscape-communicator-4.8
> linux-netscape-navigator-4.8
> linux-phoenix-0.3
> linux_base-6.1_4
> linux_base-7.1_2
> lsh-1.5.1
> lukemftpd-1.1_1
> m68k-rtems-gdb-5.2_1
> mips-rtems-gdb-5.2_1
> mod_php4-4.3.1
> moscow_ml-2.00_1
> mozilla-1.0.2_1
> mozilla-1.2.1_1,2
> mozilla-1.2.1_2
> mozilla-1.3b,1
> mozilla-1.3b
> mozilla-embedded-1.0.2_1
> mozilla-embedded-1.2.1_1,2
> mozilla-embedded-1.3b,1
> msyslog-1.08f_1
> netraider-0.0.2
> openag-1.1.1_1
> openssh-portable-3.5p1_1
> openssh-3.5
> p5-PPerl-0.23
> paragui-1.0.2_2
> powerpc-rtems-gdb-5.2_1
> psim-freebsd-5.2.1
> ptypes-1.7.4
> pure-ftpd-1.0.14
> qiv-1.8
> readlink-20010616
> reed-5.4
> rox-1.3.6_1
> rox-session-0.1.18_1
> rpl-1.4.0
> rpm-3.0.6_6
> samba-2.2.8
> samba-3.0a20
> scrollkeeper-0.3.11_8,1
> sh-rtems-gdb-5.2_1
> sharity-light-1.2_1
> siag-3.4.10
> skipstone-0.8.3
> sparc-rtems-gdb-5.2_1
> squeak-2.7
> squeak-3.2
> swarm-2.1.1
> tcl-8.2.3_2
> tcl-8.3.5
> tcl-8.4.1,1
> tcl-thread-8.1.b1
> teTeX-2.0.2_1
> wine-2003.02.19
> wml-2.0.8
> worker-2.7.0
> xbubble-0.2
> xerces-c2-2.1.0_1
> xerces_c-1.7.0
> xnview-1.50
> xscreensaver-gnome-4.08
> xscreensaver-4.08
> xworld-2.0
> yencode-0.46_1
> zh-cle_base-0.9p1
> zh-tcl-8.3.0
> zh-tw-BitchX-1.0c19_3
> zh-ve-1.0
> zh-xemacs-20.4_1
>
> IV. Workaround
>
> There is no generally applicable workaround.
>
> OpenSSH's sftp-server(8) may be disabled by editing
> /etc/ssh/sshd_config and commenting out the following line by
> inserting a `#' as the first character:
>
> Subsystem sftp /usr/libexec/sftp-server
>
> lukemftpd(8) may be replaced by the default ftpd(8).
>
> V. Solution
>
> 1) Upgrade your vulnerable system to 4.8-STABLE
> or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> dated after the respective correction dates.
>
> 2) To patch your present system:
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility. The following patch
> has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
> 5.0-RELEASE.
>
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your operating system as described in
> <URL:http://www.freebsd.org/doc/handbook/makeworld.html>.
>
> NOTE WELL: Any statically linked applications that are not part of
> the base system (i.e. from the Ports Collection or other 3rd-party
> sources) must be recompiled.
>
> All affected applications must be restarted for them to use the
> corrected library. Though not required, rebooting may be the easiest
> way to accomplish this.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch
Revision
> Path
> - ----------------------------------------------------------------------
---
> RELENG_3
> src/lib/libc/stdlib/realpath.c
1.6.2.1
> RELENG_4_3
> src/UPDATING
1.73.2.28.2.32
> src/lib/libc/stdlib/realpath.c
1.9.4.1
> src/sys/conf/newvers.sh
1.44.2.14.2.22
> RELENG_4_4
> src/UPDATING
1.73.2.43.2.45
> src/lib/libc/stdlib/realpath.c
1.9.6.1
> src/sys/conf/newvers.sh
1.44.2.17.2.36
> RELENG_4_5
> src/UPDATING
1.73.2.50.2.44
> src/lib/libc/stdlib/realpath.c
1.9.8.1
> src/sys/conf/newvers.sh
1.44.2.20.2.28
> RELENG_4_6
> src/UPDATING
1.73.2.68.2.42
> src/lib/libc/stdlib/realpath.c
1.9.10.1
> src/sys/conf/newvers.sh
1.44.2.23.2.31
> RELENG_4_7
> src/UPDATING
1.73.2.74.2.14
> src/lib/libc/stdlib/realpath.c
1.9.12.1
> src/sys/conf/newvers.sh
1.44.2.26.2.13
> RELENG_4_8
> src/UPDATING
1.73.2.80.2.3
> src/lib/libc/stdlib/realpath.c
1.9.14.1
> src/sys/conf/newvers.sh
1.44.2.29.2.2
> RELENG_5_0
> src/UPDATING
1.229.2.14
> src/lib/libc/stdlib/realpath.c
1.11.2.1
> src/sys/conf/newvers.sh
1.48.2.9
> - ----------------------------------------------------------------------
---
>
> VII. References
>
> <URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt>
> <URL:http://www.kb.cert.org/vuls/id/743092>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (FreeBSD)
>
> iD8DBQE/L5wUFdaIBMps37IRAiY7AJ9k0TOFUzlwC5rHbax4bXa8lluyFACfc82w
> xpJrfCeDU4qOs8q33dXSsvw=
> =5z4e
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to
"freebsd-security-notifications-unsubscribe at freebsd.org"
>
More information about the freebsd-security
mailing list