Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2000.316 -- NetBSD Security Advisory 2000-015 format-string bugs in passwd/libutil 27 October 2000 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: passwd/libutil Vendor: NetBSD Operating System: NetBSD Impact: Root Compromise Access Required: Local - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2000-015 ================================= Topic: format-string bugs in passwd/libutil Version: all releases up to and including 1.4.2 Severity: local root compromise possible Fixed: 2000/10/03 in -current and netbsd-1-5 branches 2000/10/04 in netbsd-1-4 branch. fix will be in the 1.4.3 and 1.5 releases Abstract ======== The pw_error() function of the system libutil library, used by several programs including the setuid passwd program, was vulnerable to a format string attack. Technical Details ================= pw_error passed its first argument to the warn(3) function, which interprets its first argument as a format string. in certain circumstances, passwd(1) passes a value derived from untrusted user input to pw_error(). Solutions and Workarounds ========================= The problem was fixed in NetBSD-current on 2000/10/03; systems running NetBSD-current dated from before that date should be upgraded to NetBSD-current dated 2000/10/04 or later. The two active release branches were both fixed by 2000/10/05. Systems running releases older than NetBSD 1.4 should be upgraded to NetBSD 1.4.2 before applying the fixes described here. Systems running 1.4.2 should apply the following patch to lib/libutil/passwd.c usign the patch(1), and rebuild and reinstall the "libutil" library. On systems which do not support shared libraries, you should then rebuild and reinstall the "passwd" command. - - --- lib/libutil/passwd.c 1999/12/04 20:00:55 1.15.2.1 +++ lib/libutil/passwd.c 2000/10/04 14:11:02 1.15.2.2 @@ -319,7 +319,7 @@ int err, eval; { if (err) - - - warn(name); + warn("%s", name); warnx("%s: unchanged", _PATH_MASTERPASSWD); pw_abort(); Revision History ================ 20001024 Initial draft of advisory. More Information ================ Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2000-015.txt,v 1.3 2000/10/26 15:22:01 sommerfeld Exp $ - -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBOfhMIT5Ru2/4N2IFAQFsPQP+P0d5nzIuDDlXFeS/8Oksb91uGaGoPrZl sd2JASfLXcgPAemQVLzuAqNsJwxjcDpKlwvbDUrySSrvi4FxJ8scjlUl4g7XCf3G MfY/NqB2bfoLJIUv3PT3Vx/bHi5rYodu4uqopXQZwWg/PfmXEa0LRgDk/UOuxoNC +yq0nhXqsOE= =iNoz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOlSNHyh9+71yA2DNAQEjiAP9FO2bcqzHYPi7ARz0rvqrjL3B11Ni+1TJ tvOcMTAdXLr4Wv1hhIHEdjybPFjT9srPWXgk1q6bmorQNSbMFb2NTKtvSipsQSLl OGG+DEn+d0JYtlInb/06mNcaFkBPVMUF+67C1XfocabghO4QD6BzuBCdajG/TITr /VxPg1snsAM= =gfus -----END PGP SIGNATURE-----