-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

              ESB-2001.352 -- FreeBSD-SA-01:40.fts [REVISED]
             fts(3) routines contain race condition [REVISED]
                              17 August 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                fts(3)
Vendor:                 FreeBSD
Operating System:       FreeBSD 4.3-RELEASE
                        FreeBSD 4.3-STABLE prior to the correction date (2001-06-01)
                        BSD
Impact:                 Modify Arbitrary Files
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:40                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          fts(3) routines contain race condition [REVISED]

Category:       core
Module:         libc
Announced:      2001-06-04
Revised:        2001-08-16
Credits:        Nick Cleaton <nick@cleaton.net>
                Todd Miller <millert@openbsd.org> helped to develop the
                patch.
Affects:        FreeBSD 4.3-RELEASE, 4.3-STABLE prior to the correction
                date.
Corrected:      2001-06-01
FreeBSD only:   NO

0.   Revision History

2001-06-04  v1.0  Initial release
2001-08-16  v1.1  Corrected typo in recompilation instructions

I.   Background

The standard C library (libc) contains a set of routines known as fts
which allow an application to recursively traverse a filesystem.

II.  Problem Description

The fts routines are vulnerable to a race condition when ascending a
file hierarchy: fts returns to the parent directory with a relative
chdir("..") without verifying that the directory it lands in is the one
it originally descended from.  An attacker who has control over part of
the hierarchy into which fts is descending (for example, by moving a
directory elsewhere while fts is inside it) can therefore cause the
application to ascend beyond the starting point of the file traversal
and enter other parts of the filesystem.

If the fts routines are being used by an application to perform
operations on the filesystem hierarchy, such as find(1) with a keyword
such as -exec or -delete, or rm(1) with the -r flag, these operations
can be incorrectly applied to files outside the intended hierarchy,
which may result in system damage or compromise.
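As an added illustration (not FreeBSD's fts code, and not part of the
original advisory), the following C program reproduces the race in a
scratch directory tree it constructs under $TMPDIR and contrasts a plain
chdir("..") with the check the fix applies: compare the st_dev/st_ino of
the directory ".." resolves to against the parent recorded when the
traversal descended, and refuse to ascend if they differ.  The directory
names, the demonstrate_fts_race() function and its return codes are this
example's own.

```c
/* Added example: guarded ascent vs. naive chdir("..") in a traversal.
 * Not FreeBSD's libc; a stand-alone illustration of the fts race. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Guarded ascent in the style of the fix: open "..", confirm by fstat()
 * that it is still the directory whose identity `parent` records, and
 * only then fchdir() into it.  A plain chdir("..") makes no such check. */
static int safe_ascend(const struct stat *parent)
{
    struct stat sb;
    int ret = -1, saved;
    int fd = open("..", O_RDONLY | O_DIRECTORY);

    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) == 0) {
        if (sb.st_dev == parent->st_dev && sb.st_ino == parent->st_ino)
            ret = fchdir(fd);
        else
            errno = ENOENT;    /* refuse: ".." is no longer our parent */
    }
    saved = errno;
    close(fd);
    errno = saved;
    return ret;
}

/* True when two paths name the same directory (same device and inode). */
static int same_dir(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Reproduce the race in a scratch tree (constructed here, hypothetical):
 *   <tmp>/victim/sub    the traversal has descended into sub
 *   <tmp>/elsewhere     a directory the attacker controls
 * While the traversal sits in sub, the attacker renames victim/sub to
 * elsewhere/sub, so ".." now leads to elsewhere rather than victim.
 * Returns 0 if the guarded ascent refuses and the naive chdir("..")
 * escapes into elsewhere; a positive step number on setup failure. */
int demonstrate_fts_race(void)
{
    const char *tmp = getenv("TMPDIR");
    char base[256], victim[256], sub[256], elsewhere[256], moved[256];
    struct stat parent;
    int result = 0;

    if (tmp == NULL)
        tmp = "/tmp";
    snprintf(base, sizeof base, "%s/ftsrace.XXXXXX", tmp);
    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(sub, sizeof sub, "%s/victim/sub", base);
    snprintf(elsewhere, sizeof elsewhere, "%s/elsewhere", base);
    snprintf(moved, sizeof moved, "%s/elsewhere/sub", base);

    if (mkdir(victim, 0700) || mkdir(sub, 0700) || mkdir(elsewhere, 0700))
        result = 2;
    /* Traversal descends: record the parent's identity, then enter sub. */
    else if (stat(victim, &parent) != 0 || chdir(sub) != 0)
        result = 3;
    /* Attacker wins the race: relocate the directory we are inside. */
    else if (rename(sub, moved) != 0)
        result = 4;
    /* Guarded ascent must refuse with ENOENT and leave us inside sub. */
    else if (safe_ascend(&parent) == 0 || errno != ENOENT)
        result = 5;
    /* Naive ascent silently lands in the attacker's directory. */
    else if (chdir("..") != 0 || !same_dir(".", elsewhere))
        result = 6;

    /* Clean up the scratch tree regardless of outcome. */
    (void)chdir("/");
    rmdir(moved); rmdir(sub); rmdir(victim); rmdir(elsewhere); rmdir(base);
    return result;
}

int main(void)
{
    int rc = demonstrate_fts_race();
    puts(rc == 0 ? "naive chdir(\"..\") escaped the tree; guarded ascent refused"
                 : "scratch-tree setup failed");
    return rc;
}
```

The guarded version is deliberately shaped like a directory-walker's
"return to parent" step: the identity to compare against is captured on
the way down, and the ascent goes through a file descriptor so that the
check and the chdir apply to the same directory.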

All versions of FreeBSD prior to the correction date including
4.3-RELEASE are vulnerable to this problem.

III. Impact

Local users may be able to remove or modify files on the local system
which are owned or writable by a user running a command that uses the
fts routines in a vulnerable way.

If the system administrator has enabled the daily_clean_tmps_enable
variable in /etc/periodic.conf, the find -delete command is run once
per day, allowing unauthorised removal of files on the system.  This
option is not enabled by default.

IV.  Workaround

None appropriate for the general vulnerability.  The instance exposed
by the daily_clean_tmps_enable setting can be prevented by disabling
this switch in /etc/periodic.conf, if it has been enabled.

V.   Solution

One of the following:

1) As of FreeBSD 4.3-RELEASE, we have introduced a new ``security fix
CVS branch'' which contains security fixes only, which can be tracked
using the standard FreeBSD tools (cvsup/CVS/etc).  The branch name is
``RELENG_4_3''.  Upgrade your vulnerable FreeBSD system to the
RELENG_4_3 branch after the correction date.

2) Upgrade your vulnerable FreeBSD system to 4.3-STABLE after the
correction date.

3) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.3 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:40/fts.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:40/fts.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/lib/libc
# patch -p < /path/to/patch
# make depend && make all install
# cd /usr/src/lib/libc_r
# make depend && make all install
# cd /usr/src/bin/chmod
# make depend && make all install
# cd /usr/src/bin/cp
# make depend && make all install
# cd /usr/src/bin/ls
# make depend && make all install
# cd /usr/src/bin/pax
# make depend && make all install
# cd /usr/src/bin/rm
# make depend && make all install
# cd /usr/src/usr.bin/chflags
# make depend && make all install
# cd /usr/src/usr.bin/du
# make depend && make all install
# cd /usr/src/usr.bin/find
# make depend && make all install
# cd /usr/src/libexec/ftpd
# make depend && make all install
# cd /usr/src/usr.sbin/chown
# make depend && make all install
# cd /usr/src/usr.sbin/ckdist
# make depend && make all install
# cd /usr/src/usr.sbin/ctm
# make depend && make all install
# cd /usr/src/usr.sbin/mtree
# make depend && make all install
# cd /usr/src/usr.sbin/pkg_install
# make depend && make all install

This patch has been verified to apply to FreeBSD 4.3-RELEASE and
4.2-RELEASE; it may or may not apply to older, unsupported versions of
FreeBSD.

4) An experimental upgrade package is available for adventurous users
who wish to provide testing and feedback on the binary upgrade
process.  This package may be installed on FreeBSD 4.3-RELEASE systems
only, and is intended for use on systems for which source patching is
not practical or convenient.

Since this is the first binary upgrade package produced for the
FreeBSD base system, it is not recommended that this be used on
production systems without first being tested on a scratch machine;
since the package replaces critical system files, a failed upgrade can
leave a system in an unusable state.

During the installation procedure, backup copies are made of the files
which are replaced by the package.  These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patch state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:40/security-patch-fts-01.40.tgz 
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:40/security-patch-fts-01.40.tgz.asc

Verify the detached PGP signature using your PGP utility.

Bring the system down to single-user mode; this package should not be
installed from multi-user mode.  If it is desired to remove the package
at a later date, you should again do so from single-user mode.

# shutdown now
# pkg_add security-patch-fts-01.40

Follow the directions given after the installation of the package to
complete the system upgrade.

To bring the system back up to multi-user mode, type the following
command:

# exit
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO3y5tFUuHi5z0oilAQF6PwP/fFXgo2bL/IlDleuWCQsVB/C1By8QPL5J
Z0Hi4yl28Z8hEGRTI8qK2UXIliskU+ixlD0j9N6yxJDe17KIY/4w3gGJGsux3J7j
TSHXZOfsX0CE61Jssm9kUpOzilwJBOhRvii0BSso7njtVIQpFpWBgIMne+lNluFe
S7SZsk6sqgg=
=K6yG
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO31NTSh9+71yA2DNAQGozQP8CkdfooDl5xxFbZM7qmDdNux2NWX8bKbK
oRrM2zf0ioo7U3IP9sIqDpXfIxec1/FUXdHA3+x76K337t7hApafLlfr+dGg88dT
wkHJdNdWSW8mPqG9TMxqZSLNgYSwOAdngUyqW/zFcivj9my/4wUBBglAkH9rGW3U
GgqEfUk8r5k=
=tdkU
-----END PGP SIGNATURE-----