Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2002.515 -- NetBSD Security Advisory Updates
Multiple NetBSD Security Advisories Released/Updated
18 September 2002
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libc/libresolv DNS resolver
TIOCSCTTY ioctl
OpenSSL
pppd
Sun RPC XDR decoder
setlocale
NFS server
mbone tools and pppd
shutdown(s, SHUT_RD)
kfd
Vendor: NetBSD
Operating System: NetBSD
Impact: Denial of Service
Root Compromise
Modify Permissions
Access Required: Remote
Existing Account
Comment: NetBSD has released a batch of Security Bulletins in conjunction
with the release of NetBSD 1.6.
AusCERT has compiled these Security Bulletins into a single ESB.
Users of both NetBSD 1.5.3 and NetBSD 1.6 should read the first
section and determine which sections of the document is relevant
to their situation.
In order, the Security Bulletins included in this ESB are:
* NetBSD Security Advisory 2002-006: buffer overrun in
libc/libresolv DNS resolver
* NetBSD Security Advisory 2002-007: Repeated TIOCSCTTY ioctl
can corrupt session hold counts
* NetBSD Security Advisory 2002-009: Multiple vulnerabilities
in OpenSSL code
* NetBSD Security Advisory 2002-010: symlink race in pppd
* NetBSD Security Advisory 2002-011: Sun RPC XDR decoder
contains buffer overflow
* NetBSD Security Advisory 2002-012: buffer overrun in
setlocale
* NetBSD Security Advisory 2002-013: Bug in NFS server code
allows remote denial of service
* NetBSD Security Advisory 2002-014: fd_set overrun in mbone
tools and pppd
* NetBSD Security Advisory 2002-017: shutdown(s, SHUT_RD) on
TCP socket does not work as intended
* NetBSD Security Advisory 2002-018: Multiple security isses
with kfd daemon
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
With the release of NetBSD 1.6, the NetBSD project is publishing a
batch of Security Advisories (some of which are updates), as follows:
* 2002-006 buffer overrun in libc/libresolv DNS resolver
x 2002-007 Repeated TIOCSCTTY ioctl can corrupt session hold counts
*x 2002-009 Multiple vulnerabilities in OpenSSL code
*x 2002-010 symlink race in pppd
*x 2002-011 Sun RPC XDR decoder contains buffer overflow
x 2002-012 buffer overrun in setlocale
x 2002-013 Bug in NFS server code allows remote denial of service
x 2002-014 fd_set overrun in mbone tools and pppd
x 2002-017 shutdown(s, SHUT_RD) on TCP socket does not work as intended
x+ 2002-018 Multiple security isses with kfd daemon
(*) reissue (x) affects 1.5.3 (+) affects 1.6
These advisories involve bugs in libc (affecting static binaries), as
well as the kernel. A full system rebuild is recommended to
collectively address all of these issues, but please make sure to read
through all of the advisories in case specific issues affect your
system.
Because of the extensive rebuild required, the NetBSD 1.6 release was
delayed in order to include fixes for as many of these issues as
possible, so as to provide binary release users with an easy upgrade
path.
Readers will note that there are some gaps in the above numbering.
These pending advisories involve third parties, and are awaiting
disclosure co-ordination, so we cannot publish them at this time.
However, they *are* fixed in NetBSD 1.6.
Unfortunately, the recent 1.5.3 release was affected by most of these
issues. Unlike NetBSD 1.6, the 1.5 branch cannot be automatically
cross-built to release, and so any updated binary release from the 1.5
tree will take considerable time and developer effort.
Therefore:
* The recommended cumulative fix for pre-1.6 systems is to upgrade to
NetBSD 1.6.
* Users who cannot upgrade to 1.6 are recommended to update to the
most recent sources on the NetBSD-1.5 branch, via anoncvs, and
rebuild from there.
* Users of NetBSD-current should upgrade to source more recent than
September 11, 2002, and rebuild the kernel and all userland.
Having updated the base NetBSD distribution via one of the above, the
following steps are necessary for *all* users:
* Recompile statically-linked binaries from pkgsrc, or custom builds (for
2002-006)
* Remove any shared libraries with older major numbers. (2002-006)
* Remove any shared libraries for OS emulation under /emul, unless you
are sure it has no security vulnerabilities. (2002-006)
* Follow instructions in 2002-018
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYZwhj5Ru2/4N2IFAQFkQwP+OtnCO0JZ2BWi/YgaDrfU7DBZrDDsQpW7
dXW/PtVvcOyvbpqgKREQ7CHi7jzolysRHX9VRXwgOS/tgo2fSmNaLyXjdbJhxzT2
xw6LEdaqC4YHHf3EuZ3GsF0UY/VGCDNg3WNf04CfTV1Jp61VnvTTjDMmOqegMxOI
/NTVURE2fV8=
=YBq6
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-006: buffer overrun in libc/libresolv DNS resolver
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-006
=================================
(updated 2002/9/16)
Topic: buffer overrun in libc/libresolv DNS resolver
Version: NetBSD-current: source prior to June 28, 2002
NetBSD-1.6 beta:source prior to June 28, 2002
NetBSD-1.5.3: NOT affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
All prior NetBSD releases.
pkgsrc: net/bind4, prior to bind-4.9.9 are affected
net/bind8, prior to bind-8.3.3 are affected
net/bind9, bind-9.2.1 includes vulnerable code
(not compiled for normal use)
emulators/compat14 prior to 1.4.3.2
emulators/compat14-crypto prior to 1.4.3.2
emulators/netbsd32_compat14 prior to 1.4.3.2
emulators/compat15 prior to 1.5.3.1
if ships with libc/libresolv shlib
emulators/netbsd32_compat15 prior to 1.5.3.1
emulators/* for other operating systems,
if ships with libc/libresolv shlib
any statically linked pkgsrc binaries
(there could be more)
Severity: remote buffer overrun on any application that uses DNS,
possible remote root exploit (not confirmed)
Fixed: NetBSD-current: June 28, 2002
NetBSD-1.6 branch: June 28, 2002 (1.6 includes the fix)
NetBSD-1.5 branch: July 2, 2002 (1.5.3 includes the fix)
NetBSD-1.4 branch: (not yet)
pkgsrc: net/bind4, bind-4.9.8nb1
net/bind8, bind-8.3.3
net/bind9, (ISC is not planning
a release, as vulnerable
files are not used in the
main server or utilites by
default.)
emulators/compat14 1.4.3.2
emulators/compat14-crypto 1.4.3.2
emulators/netbsd32_compat14 1.4.3.2
emulators/compat15 1.5.3.1
emulators/netbsd32_compat15 1.5.3.1
emulators/* for other operating systems
- not yet
NOTE: previous revisions of the advisory noted that fixed date
was June 26. Since BIND8 was later found to also be
vulnerable, the fixed date for NetBSD-current was moved to Jun
28, and branches for which pullups have not yet been completed
or updated to distribution sites have been changed to (not
yet). If you have upgraded your system on June 26, you will
need to upgrade again. Thank you for your patience with this
complex issue.
NOTE: previous revisions of the advisory noted that the use of
BIND9 as caching resolver would work around the problem.
However, it was later found to be insufficient (CERT advisory
CA-2002-19 got updated on 2002/8/28 for this). Therefore,
the only fix to this problem is to upgrade your resolver
library and any static binaries.
Abstract
========
There was a buffer-length computation bug in BIND-based DNS resolver
code. A malicious DNS response packet may be able to overwrite data
outside the buffer, and it could lead to attacks as serious as a remote
root exploit, though there are no public exploits in circulation at this
time.
NetBSD uses BIND4-based DNS resolver code in libc/libresolv, and is
found to be vulnerable. We also use BIND8-based DNS resolver code in
named related tools like /usr/bin/dig, and these are vulnerable (source
located in dist/bind and usr.sbin/bind).
Technical Details
=================
In lib/libc/net/gethnamaddr.c:getanswer() and
lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage
packet buffer parsing - a pointer to the byte we are looking at, and
the remaining length on the buffer.
The remaining length was not updated consistently, and malicious DNS
responses are able to write outside the buffer. This may present an
attacker with the opportunity to insert arbitrary code for execution as
the user running the resolver query, potentially root. No exploit
script to take advantage of this vulnerability is known at time of
writing.
It is important to understand that this issue can be triggered in a
manner unlike the more common buffer overflows in network daemons. Any
outgoing DNS query made to a hostile server would expose the
vulnerability. The exploit path includes email sent to Netscape users
which automatically display HTML, and hostile web pages which carry
embedded objects located on servers in domains with a hostile DNS
server.
Since client systems in many network environments are permitted to make
DNS queries directly to root servers, through routed IPs, or NATs,
realize that these systems are vulnerable even if behind a firewall,
since they are initiating the outgoing query.
This issue was brought to the attention of the NetBSD security-officer
with short notice, and this advisory has since been updated with
additional information.
See also:
http://www.pine.nl/advisories/pine-cert-20020601.html
http://www.kb.cert.org/vuls/id/803539
http://www.cert.org/advisories/CA-2002-19.html (revised 2002/8/28)
Solutions and Workarounds
=========================
The recent NetBSD 1.5.3 release is not vulnerable to this issue,
however very shortly after its release other vulnerabilities were
found. Please ensure you check all relevant Security Advisories.
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
Note that any statically-linked binary that makes any DNS query is
vulnerable, and cannot be fixed by replacing a shared library.
Therefore, updating the entire system is suggested.
Note also that shared libraries from other operating systems installed
for binary compatibility under /emul may also be vulnerable. Please
consult the vendor of those libraries for further details.
If you have NetBSD systems that have been upgraded from earlier releases
from before 1997, you may have libc and/or libresolv shared libraries
with older shared library major numbers. Check for the presence of
/usr/lib/libc.so.X.Y where X < 12 (the current major number). These old
libraries contain vulnerable resolver code, and will not be updated even
if you rebuild the system. Therefore, we suggest you to remove those
old shared libraries.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-06-25
should be upgraded to NetBSD-current dated 2002-06-26 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
lib/libc/net
usr.sbin/bind
dist/bind
Also note that the include files needs to be in sync with
code in lib/libc/net.
To update from CVS, re-build, and re-install libc and statically linked
binaries:
# cd src
# cvs update -d -P lib/libc/net usr.sbin/bind dist/bind
# cd lib/libc
# make cleandir dependall
# make install
# cd ../../lib/libresolv
# make cleandir dependall
# make install
# cd ../..
# make dependall
# make install
* NetBSD 1.6 betas:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-06-26 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
lib/libc/net
usr.sbin/bind
dist/bind
Also note that the include files needs to be in sync with
code in lib/libc/net.
To update from CVS, re-build, and re-install libc and statically linked
binaries:
# cd src
# cvs update -d -P -r netbsd-1-6 lib/libc/net \
usr.sbin/bind dist/bind
# cd lib/libc
# make cleandir dependall
# make install
# cd ../../lib/libresolv
# make cleandir dependall
# make install
# cd ../..
# make dependall
# make install
* NetBSD 1.5.x:
Systems running NetBSD 1.5.x dated from before 2002-06-25
should be upgraded to NetBSD 1.5 tree dated 2002-06-26 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
lib/libc/net
usr.sbin/bind
dist/bind
Also note that the include files needs to be in sync with
code in lib/libc/net.
To update from CVS, re-build, and re-install libc and statically linked
binaries:
# cd src
# cvs update -d -P -r netbsd-1-5 lib/libc/net \
usr.sbin/bind dist/bind
# cd lib/libc
# make cleandir dependall
# make install
# cd ../../lib/libresolv
# make cleandir dependall
# make install
# cd ../..
# make dependall
# make install
* NetBSD 1.4.x:
Systems running NetBSD 1.4.x dated from before 2002-06-25
should be upgraded to NetBSD 1.4 tree dated 2002-06-26 or later.
The following directories need to be updated from the
netbsd-1-4 CVS branch:
lib/libc/net
usr.sbin/bind
dist/bind
To update from CVS, re-build, and re-install libc and statically linked
binaries:
# cd src
# cvs update -d -P -r netbsd-1-4 lib/libc/net \
usr.sbin/bind dist/bind
# cd lib/libc
# make cleandir dependall
# make install
# cd ../../lib/libresolv
# make cleandir dependall
# make install
# cd ../..
# make dependall
# make install
* pkgsrc:
bind-4.9.8 (pkgsrc/net/bind4) and prior are vulnerable. Upgrade to
bind-4.9.8nb1 or bind-4.9.9. Note that BIND4 nameserver
is considered obsolete by the vendor (ISC), and it is recommended to
use BIND9, or BIND8.
pkgsrc prior to bind-8.3.3 are vulnerable. Upgrade to bind-8.3.3.
bind-9.2.1 includes vulnerable code, however, the code will not be
compiled by default.
Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234])
are vulnerable. There is no fix supplied at this moment.
If you have statically linked binaries in pkgsrc, they have to be
rebuilt. Statically linked binaries can be identified by the
following command (note: be sure to include the directory you install
pkgsrc binaries to, if you've changed LOCALBASE from the default of
/usr/pkg)
file /usr/pkg/{bin,sbin,libexec} | grep static
Shared libraries for binary compatibility are available
through pkgsrc for some operating systems, and may be
vulnerable as noted above if installed.
Thanks To
=========
Jun-ichiro itojun Hagino for patches, and initial advisory text.
Michael Graff for bind9 information
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-06-26 Initial release
2002-06-27 Updated with further information on pkgsrc, and
affected BIND releases.
2002-06-28 Add note from Michael Graff regarding BIND9
2002-06-28 BIND8 resolver (dist/bind) was found to be vulnerable.
Fixed date changed from Jun 26 to Jun 28.
2002-08-28 Remove note regarding BIND9, as it was found to be
insufficient.
2002-09-05 Updated information regarding recent 1.5.3 release
and emulation pkgsrc.
2002-09-16 Re-release with updated information
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-006.txt,v 1.40 2002/09/16 05:17:55 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVpoD5Ru2/4N2IFAQGFOgP/UTJeXuOgFiB81myMTeTgeRc1H7u41W+q
nW/TJGltzApfFQJjZYDDj3TC7AfTLBFWwfrJynC4jsLFUMIcs5NMZOvWE2eiCTgz
S7QJi15B07nMfipYe3s9dJ3QQZB9YIZng1lNVa7V7Ee1fPrYt5oXHkrZfCZTOLKL
zd3yMAAQRpg=
=8/IS
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-007: Repeated TIOCSCTTY ioctl can corrupt session
hold counts
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-007
=================================
Topic: Repeated TIOCSCTTY ioctl can corrupt session hold counts
Version: NetBSD-current: source prior to July 21, 2002
NetBSD-1.6 beta: source prior to July 23, 2002
NetBSD-1.5.*: source prior to September 5, 2002
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
Severity: Local user can cause system panic
Fixed: NetBSD-current: July 21, 2002
NetBSD-1.6 branch: July 23, 2002 (1.6 includes the fix)
NetBSD-1.5 branch: September 5, 2002
NetBSD-1.4 branch: not yet
Abstract
========
A Session leader can use the TIOCSCTTY ioctl to set the session
controlling terminal. This ioctl can be called any number of times.
The call unconditionally raised the hold count of a kernel structure
shared between processes in the same session. It was possible to
overflow the structure counter, and thus arrange for the structure
memory to be freed prematurely, and possibly re-used. This could
cause a kernel panic or incorrect operation the next time the session
structure is accessed from the context of other processes which are
part of the former session.
Technical Details
=================
A process can start a new session (and thus create a new session
leader), by forking a child and exiting. The new child can then call
setsid(2) to create a new session, and thus become a session
leader. The child process can then call the TIOCSCTTY ioctl.
Structures shared between multiple processes (such as the session
structure) normally contain counters to keep track of how many times a
structure is referenced. Typically, macros are used to increase/decrease
the use counter, and the structure is freed when the counter goes to
zero.
By repeatedly invoking TIOCSCTTY, it's possible to overflow the integer
counter such that when a process exits (and thus the session structure
counter is decreased), the counter hits zero and structure is freed even
though other processes still reference it. Depending on kernel options,
this might immediately cause the memory to be overwritten with junk
data, or the memory will be overwritten by random other data when the
memory is allocated to something else. In either case, if any of the
processes of the old session group access the memory, they would very
likely follow trashed pointers and cause a kernel panic.
Solutions and Workarounds
=========================
NetBSD official releases up to and including 1.5.3 are vulnerable.
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
Otherwise, kernel sources must be updated and a new kernel built and
installed. Once the kernel sources have been updated, rebuild the
kernel, install it, and reboot. For more information on how to do
this, see:
http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel
The instructions for updating your kernel sources depend upon which
particular NetBSD release you are running.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-07-21
should be upgraded to NetBSD-current dated 2002-07-22 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
src/sys/kern/
Alternatively, apply the following patch (with potential offset
differences):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch
To patch:
# cd src/sys
# patch < /path/to/SA2002-007-tiocsctty.patch
Configure, compile, install and boot a new kernel according to
the instructions at:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD-1.6 branch dated 2002-07-23 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
src/sys/kern/
Alternatively, apply the following patch (with potential offset
differences):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch
To patch:
# cd src/sys
# patch < /path/to/SA2002-007-tiocsctty.patch
Configure, compile, install and boot a new kernel according to
the instructions at:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD 1.5.x dated from before 2002-09-05
should be upgraded to NetBSD-1.5 branch dated 2002-09-05 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
src/sys/kern/
Alternatively, apply the following patch (with potential offset
differences):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch
To patch:
# cd src/sys
# patch < /path/to/SA2002-007-tiocsctty.patch
Configure, compile, install and boot a new kernel according to
the instructions at:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.4 branch.
Thanks To
=========
David Laight, for finding the problem and original patches.
Jaromir Dolecek, for fix and initial advisory text.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-09-16 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-007.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-007.txt,v 1.13 2002/09/16 05:17:55 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVp6T5Ru2/4N2IFAQFJlQQAyVqJqrdjewQrmRFSQb3HmwESQYe7mhtw
Wc36bXxVYS35u3ctz3HL9soMfKoBxQfJhEWozAM6hTi6I0ISnX2mPVqTTBOmHENT
5AfhIJQmynx5yorVguEHp9E/zPvKo90lLKuz4KwAY6Fonzx/qT9YTk1DzJkYUrki
umJi1sasvAU=
=XDgt
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-009 - Multiple vulnerabilities in OpenSSL code
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-009
=================================
(updated 2002/9/16)
Topic: Multiple vulnerabilities in OpenSSL code
Version: NetBSD-current: source prior to August 10, 2002
NetBSD-1.6 beta: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: not applicable
pkgsrc: prior to openssl-0.9.6f
Severity: Potential for remote root exploit
Fixed: NetBSD-current: August 10, 2002
NetBSD-1.6 branch: August 11, 2002 (1.6 includes the fix)
NetBSD-1.5 branch: August 31, 2002
pkgsrc: openssl-0.9.6f (or later)
NOTE: previous advisory had fixed dates prior to August 10.
There were errors found in the vendor-supplied fix, therefore
the fixed dates were modified. Sorry for the confusion and
thanks for the patience.
NOTE: previous revision of advisory suggested that 1.5 branch
was fixed on August 1, however the fix was found to be
insufficient. Therefore, users of 1.5 should apply the fix
presented in this revised advisory. Sorry for the confusion
and thanks for the patience.
Abstract
========
There are multiple vulnerabilities found in openssl 0.9.6e and prior
releases. There are four remotely-exploitable buffer overruns in SSL2/3
code. The ASN1 parser can be confused by invalid encodings (SSL/TLS
code affected).
None of these services are enabled by default in NetBSD, however, by
enabling services built with these libraries, a system would become
vulnerable.
- - From the OpenSSL advisory:
"Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or
current development snapshots of 0.9.7 to provide SSL or TLS is
vulnerable, whether client or server. 0.9.6d servers on 32-bit systems
with SSL 2.0 disabled are not vulnerable."
After the above advisory was published,
- 0.9.6e was found to be vulnerable, and 0.9.6f was released.
- 0.9.6f had some build framework errors, and 0.9.6g was released.
The NetBSD fix includes OpenSSL 0.9.6g.
Technical Details
=================
http://www.openssl.org/news/secadv_20020730.txt
http://CERT.Uni-Stuttgart.DE/advisories/c-integer-overflow.php
Solutions and Workarounds
=========================
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
The following instructions describe how to upgrade your libcrypto/libssl
binaries by updating your source tree and rebuilding and
installing a new version of libcrypto/libssl.
Be sure to restart running instances of programs that use crypto libraries
(like sshd) after upgrading shared libraries.
If you have any statically-linked binaries that linked against a
vulnerable libcrypto and/or libssl, you need to recompile them.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-10
should be upgraded to NetBSD-current dated 2002-08-10 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/Makefile.openssl
crypto/dist/openssl
lib/libcrypto
lib/libssl
To update from CVS, re-build, and re-install libcrypto and libssl:
# cd src
# cvs update -d -P crypto/Makefile.openssl crypto/dist/openssl \
lib/libcrypto lib/libssl
# make includes
# cd lib/libcrypto
# make cleandir dependall
# make install
# cd ../../lib/libssl
# make cleandir dependall
# make install
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-08-11 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
crypto/Makefile.openssl
crypto/dist/openssl
lib/libcrypto
lib/libssl
To update from CVS, re-build, and re-install libcrypto and libssl:
# cd src
# cvs update -d -P -r netbsd-1-6 crypto/Makefile.openssl \
crypto/dist/openssl lib/libcrypto lib/libssl
# make includes
# cd lib/libcrypto
# make cleandir dependall
# make install
# cd ../../lib/libssl
# make cleandir dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD-1.5.x dated from before 2002-08-31
should be upgraded to NetBSD-1.5 branch dated 2002-08-31 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch. Due to the shlib major bump in libcrypto/libssl
large number of shared libraries has to be rebuilt:
crypto/Makefile.openssl
crypto/dist/openssl
lib/libasn1
lib/libcom_err
lib/libcrypto
lib/libgssapi
lib/libhdb
lib/libkadm
lib/libkadm5clnt
lib/libkadm5srv
lib/libkafs
lib/libkdb
lib/libkrb
lib/libkrb5
lib/libkstream
lib/libroken
lib/libsl
lib/libss
lib/libtelnet
usr.bin/openssl
To update from CVS, re-build, and re-install libcrypto and libssl:
# cd src
# cvs update -d -P -r netbsd-1-5 <directories listed above>
# make includes
# cd lib
# make cleandir dependall
# make install
# cd usr.bin/openssl
# make cleandir dependall
# make install
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
OpenSSL was not included in the base system in NetBSD-1.4.*
Follow the directions for pkgsrc if you have installed it from
pkgsrc.
* pkgsrc:
openssl (pkgsrc/security/openssl) prior to 0.9.6f are
vulnerable. Upgrade to openssl-0.9.6f or later; pkgsrc
currently contains 0.9.6g at time of this writing.
Packages which require openssl can be found by running 'pkg_info
openssl'. Depending on the method you choose to update pkgsrc
packages, a rebuild of the packages on that list may be
performed for you by the package system. If you update using the
experimental 'make replace' target, you will need to manually
update any packages which build static binaries with libssl.a
and libcrypto.a
If you have statically linked binaries in pkgsrc, they have to be
rebuilt. Statically linked binaries can be identified by the
following command (note: be sure to include the directory you install
pkgsrc binaries to, if you've changed LOCALBASE from the default of
/usr/pkg)
file /usr/pkg/{bin,sbin,libexec} | grep static
Thanks To
=========
A.L. Digital Ltd and John McDonald of Neohapsis.
Adi Stav and James Yonan.
CERT and the OpenSSL team.
Jun-ichiro itojun Hagino for maintenance of OpenSSL in the NetBSD
source tree, and preparing the initial advisory text.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-08-01 Initial release based on 0.9.6e
2002-08-11 based on 0.9.6f
2002-08-31 1.5 pullup done, 0.9.6g
2002-09-16 Re-release with updated information
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-009.txt,v 1.35 2002/09/16 05:17:55 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVqAD5Ru2/4N2IFAQHqtwQAluG+9I3pVeALK+p+X3ZNG99M2zx6y/Ea
IX7kS8M22PoZD6kJniBRWqcDfaYqj5FKHT1TlCAiehNUpQfdADQD/0i/nqX01puI
aCCLXIetnRwSmQdW3IcbWqs5NQvHuWOB+ng1t5DBF1rF9GPTRMmrv5Sjr27hl07X
+ta7U3VZCms=
=SEqH
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-010: symlink race in pppd
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-010
=================================
Topic: symlink race in pppd
Version: NetBSD-current: source prior to July 31, 2002
NetBSD-1.6 beta: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
Severity: Local user may be able to modify permissions on any file
Fixed: NetBSD-current: July 31, 2002
NetBSD-1.6 branch: August 3, 2002
(NetBSD 1.6 includes the fix)
NetBSD-1.5 branch: September 5, 2002
NetBSD-1.4 branch: not yet
Abstract
========
A race condition exists in the pppd program that may be exploited
in order to change the permissions of an arbitrary file.
A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, and leverage the situation to
acquire escalated privileges.
Technical Details
=================
The file specified as the tty device is opened by pppd, and the
permissions are recorded. If pppd fails to initialize the tty
device in some way (such as a failure of tcgetattr(3)), then pppd
will attempt to restore the original permissions by calling chmod(2).
The call to chmod(2) is subject to a symlink race, so that the
permissions may be `restored' on some other file.
Solutions and Workarounds
=========================
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
Otherwise, the following instructions describe how to upgrade your
pppd binaries by updating your source tree and rebuilding and
installing a new version of pppd.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-07-30
should be upgraded to NetBSD-current dated 2002-07-31 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
usr.sbin/pppd
To update from CVS, re-build, and re-install pppd:
# cd src
# cvs update -d -P usr.sbin/pppd
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-08-04 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
usr.sbin/pppd
To update from CVS, re-build, and re-install pppd:
# cd src
# cvs update -d -P -r netbsd-1-6 usr.sbin/pppd
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD 1.5 dated from before 2002-09-05 should
be upgraded to NetBSD 1.5 branch dated 2002-09-05 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
usr.sbin/pppd
To update from CVS, re-build, and re-install pppd:
# cd src
# cvs update -d -P -r netbsd-1-5 usr.sbin/pppd
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.4 branch.
Thanks To
=========
Jun-ichiro itojun Hagino for patches, and preparing the advisory text.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-08-01 Initial release
2002-09-05 1.5 fixed
2002-09-16 Re-release with updated information
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-010.txt,v 1.15 2002/09/16 05:17:55 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVqFT5Ru2/4N2IFAQGWDwQAodZpv2grHbPZPoIdUmlhRVp46pRnZTH7
jXUvVNLAbqQYTb08ICChzTF2IIjkvOySNLXvBeynNEMTmYeFh+HZwdrofr/+Wgcc
DBgX3BnCHgeRkJbKTDXjPmMKB+EP86H9o4yYz0pSKNVNRg7GgeJtM1zOLwlmX1NE
nj8huZwPs7c=
=7Lza
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-011: Sun RPC XDR decoder contains buffer overflow
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-011
=================================
Topic: Sun RPC XDR decoder contains buffer overflow
Version: NetBSD-current: source prior to August 1, 2002
NetBSD-1.6 beta: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
severity: Possible remote root compromise if RPC services
are enabled
Fixed: NetBSD-current: August 1, 2002
NetBSD-1.6 branch: August 2, 2002 (1.6 includes the fix)
NetBSD-1.5 branch: August 1, 2002
NetBSD-1.4 branch: not yet
Abstract
========
Integer overflows exist in the RPC code in libc. These cause a buffer to
be mistakenly allocated too small, and then overflown.
The Automounter amd(8) and its query tool amq(8), and the rusers(1)
client binary use the flawed code in a way which could be exploitable.
Other uses of the RPC functions have been examined and are believed to
not be exploitable.
No RPC-based services are enabled by default.
Technical Details
=================
Sun RPC is a remote procedure call framework which allows clients
to invoke procedures in a server process over a network somewhat
transparently. XDR is a mechanism for encoding data structures for
use with RPC. NFS, NIS, and many other network services are built
upon Sun RPC.
The NetBSD C runtime library (libc) contains an XDR encoder/decoder
derived from Sun's RPC implementation.
Any application using Sun RPC may be vulnerable to a heap buffer
overflow. Depending upon the application, this vulnerability may be
exploitable and lead to arbitrary code execution.
An error in the calculation of memory needed for unpacking arrays in
the XDR decoder can result in a heap buffer overflow.
Though no exploits are known to exist currently, RPC-based services
often run as the superuser, and the vulnerability in amd(8) could be
exploitable.
Again, no RPC-based services are enabled by default.
Solutions and Workarounds
=========================
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
If you do not run any of the affected RPC services (amd/amq/rusers)
your system is not affected. However, we suggest you upgrade your
system to avoid running vulnerable RPC code by mistake.
The following instructions describe how to upgrade your libc (which
includes RPC code) by updating your source tree and rebuilding and
installing a new version of libc.
Note that if you have any statically-linked binaries that uses RPC,
you need to recompile them.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-01
should be upgraded to NetBSD-current dated 2002-08-01 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
lib/libc/rpc
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P lib/libc/rpc
# cd lib/libc
# make cleandir dependall
# make install
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-08-02 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
lib/libc/rpc
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P -r netbsd-1-6 lib/libc/rpc
# cd lib/libc
# make cleandir dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD-1.5 branch dated from before 2002-08-02
should be upgraded to NetBSD-1.5 branch dated 2002-08-02 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
lib/libc/rpc
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P -r netbsd-1-5 lib/libc/rpc
# cd lib/libc
# make cleandir dependall
# make install
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.4 branch.
Thanks To
=========
CERT for notification.
Charles Hannum for scope analysis and commentary.
FreeBSD security-officers. Parts of the advisory text are based on
the FreeBSD advisory.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-08-01 Initial release
2002-08-02 1.5/1.6 branch info
2002-09-16 Re-release with updated information
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-011.txt,v 1.13 2002/09/16 05:17:55 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVqKj5Ru2/4N2IFAQGEYAP+K1lgLUVy/CrmvtRikjSv5UKYY4pAWAca
fKwDpVlp/5q3kSc/b5NY7bgi7gUPVvbaW1v/PgfRIA47PBtAt7juvsnEDIO6IJ8M
9rDwfrikYdShm0R5ejxyIfu1CwjD9gWOvJ2xYGQ7XW67tLPG3udwa1B1UhWeQTnK
9OhEncw7mcw=
=YcPw
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-012: buffer overrun in setlocale
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-012
=================================
Topic: buffer overrun in setlocale
Severity: local root exploit if X11 (xterm) is installed.
Version: NetBSD-current: source prior to August 8, 2002
NetBSD-1.6 beta:source prior to August 8, 2002
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
All prior NetBSD releases.
Fixed: NetBSD-current: August 8, 2002
NetBSD-1.6 branch: August 8, 2002 (1.6 includes the fix)
NetBSD-1.5 branch: September 5, 2002
NetBSD-1.4 branch: not yet
Abstract
========
There was a boundary checking bug of array suffix in setlocale()
function in libc. If the setlocale() function is used with arguments
satisfying a specific condition (see below), there is a possibility
that this could be exploitable. This condition is as the following:
1. setlocale() function is called for LC_ALL category and
2. The string pointed to by the second argument of setlocale contains
over six elements separated by slash. An example of string causing
this problem to setlocale() is "C/C/C/C/C/C/C". (note that the
frequently used special form, setlocale(LC_ALL, ""), does not cause
this problem, since the code having this problem is never executed
in this case.)
3. To use this bug to exploit, the second argument of setlocale needs
to be derived from user-given data (e.g. environment variables or
command line arguments) and the program need to be setuid or
need to be involved in some setuid program or daemon.
Most programs using Xt, including xterm (setuid program), may satisfy
this condition. All other programs in NetBSD distribution except for
packages do not satisfy it. In packages, zsh is one of the most
important program that may satisfy this condition.
Technical Details
=================
The setlocale (or its subcontractor, __setlocale) function, defined in
lib/libc/locale/setlocale.c, is used to change the locale of each
locale category. setlocale() function switches the locale of the
category specified by the first argument to the second argument. The
special category LC_ALL can be used to change all locale categories at
the same time. In this case, the NetBSD implementation of setlocale
allows a special form of the second argument string to specify
individual locales per category.
In this form, each locale is given in a single string separated by
slashes ('/'), as "A/B/C/D/E/F". Here, each element corresponds to
categories LC_COLLATE, LC_CTYPE, LC_MONETARY, LC_NUMERIC, LC_TIME and
LC_MESSAGES, respectively. The setlocale() function attempts to
decomposit these elements into an array object named new_categories
locally defined in lib/libc/locale/setlocale.c. However, the code to
check the array boundary was lacking and thus this decomposition code
could destroy data segment if a string having over six elements was
given.
If the program which has set[ug]id bit or which is called from
set[ug]id program calls setlocale() with LC_ALL as the first argument
and with the string derived from user-given data
(e.g. setlocale(LC_ALL, getenv("FOO")) ) as the second argument, then
such program could be exploitable. DefaultLanguageProc function of X
Toolkit Intrinsics (Xt) is a example of such usage. DefaultLanguageProc
calls setlocale as "setlocale(LC_ALL, xnl)". Here, xnl variable is
null string ("") by default, but can be overriden by user via
- - -xnllanguage option. Most Xt programs, including xterm, use this
language procedure. xterm is a setuid root program and thus any local
user could illegally acquire root account by using this problem.
On the other hand, the frequently used special form,
setlocale(LC_ALL, ""), does not have this problem because the decomposition
code is never executed in this form, although user-given LC_ALL environment
variable is similarly referred.
Solutions and Workarounds
=========================
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
Otherwise, you must update libc. Also, you must update all statically
linked binaries satisfying the condition above - although the NetBSD
distribution contains no such static binaries, you may have some from
pkgsrc packages or local programs. The following instructions
describe how to update libc.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-08
should be upgraded to NetBSD-current dated 2002-08-08 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
lib/libc/locale
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P lib/libc/locale
# cd lib/libc
# make cleandir dependall
# make install
* NetBSD 1.6 betas:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-08-08 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
lib/libc/locale
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P -r netbsd-1-6 lib/libc/locale
# cd lib/libc
# make cleandir dependall
# make install
* NetBSD 1.5.x:
Systems running NetBSD 1.5 betas dated from before 2002-09-05
should be upgraded to NetBSD 1.5 tree dated 2002-09-05 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
lib/libc/locale
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P -r netbsd-1-5 lib/libc/locale
# cd lib/libc
# make cleandir dependall
# make install
* NetBSD 1.4.x:
not yet
Thanks To
=========
Andrey A. Chernov for initial fix in FreeBSD source.
Takuya SHIOZAKI for preparing the initial advisory text.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-09-16 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-012.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-012.txt,v 1.11 2002/09/16 05:17:55 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVqPT5Ru2/4N2IFAQF2ngP9Gy/ZVH4yizEHSiv8f1OLHxn2auf3J/bx
Tit7KQVGiCQS/1sZ2UxV8ZVKQOzJwrJNHuJ23YS2iDs//RxghmpjVGQPmS91t7vb
X3z7SEy3mgEe0VClcDMSamxiomPi8rcH37CdlflHkTneX/UYsPgLClGT55PXtOu9
ZfqrAQGUgeU=
=5MrG
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-013: Bug in NFS server code allows remote
denial of service
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-013
=================================
Topic: Bug in NFS server code allows remote denial of service
Version: NetBSD-current: source prior to Aug 3, 2002
NetBSD 1.6 beta: source prior to Aug 3, 2002
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
Severity: remote denial of service
Fixed: NetBSD-current: Aug 3, 2002
NetBSD-1.6 branch: Aug 3, 2002 (1.6 includes the fix)
NetBSD-1.5 branch: September 5, 2002
NetBSD-1.4 branch: not yet
Abstract
========
The Network File System (NFS) allows a host to export some or all of
its filesystems, or parts of them, so that other hosts can access them
over the network and mount them as if they were on local disks. NFS is
built on top of the Sun Remote Procedure Call (RPC) framework.
An attacker in a position to send RPC messages to an affected NetBSD
system can construct a sequence of malicious RPC messages that cause
the target system to lock up.
Technical Details
=================
A part of the NFS server code charged with handling incoming RPC
messages had an error which, when the server received a message with a
zero-length payload, would cause it to reference the payload from the
previous message, creating a loop in the message chain. This would
later cause an infinite loop in a different part of the NFS server
code which tried to traverse the chain.
Certain Linux implementations of NFS produce zero-length RPC messages
in some cases. A NetBSD system running an NFS server may lock up
when such clients connect.
Solutions and Workarounds
=========================
If possible, disable the NFS server on your machine. It is
still preferable to apply the following fixes to prevent using
vulnerable NFS code in the future.
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
The following instructions describe how to upgrade your kernel
by updating your source tree and rebuilding and
installing a new version of kernel.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-03
should be upgraded to NetBSD-current dated 2002-08-03 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
sys/nfs
To update from CVS:
# cd src
# cvs update -d -P sys/nfs
Configure, compile, install and boot a new kernel according to
the instructions at:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-08-03 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
sys/nfs
To update from CVS:
# cd src
# cvs update -d -P -r netbsd-1-6 sys/nfs
Configure, compile, install and boot a new kernel according to
the instructions at:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD 1.5 sources dated from before
2002-09-05 should be upgraded from NetBSD 1.5 sources dated
2002-09-05 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
sys/nfs
To update from CVS:
# cd src
# cvs update -d -P -r netbsd-1-5 sys/nfs
Configure, compile, install and boot a new kernel according to
the instructions at:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated with instructions to fix the problem
for 1.5-based systems.
Thanks To
=========
FreeBSD security officers. The advisory text is based on their advisory.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-09-16 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-013.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-013.txt,v 1.7 2002/09/16 05:17:55 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVqUD5Ru2/4N2IFAQF7VwP9HAw6DGiJI3TmxGeVR/7fNquzCXI6QtSJ
evofRBhcsSSNGuTYn9R8KVHdn+f7n8fdc2b3huQ6UCLr3epAgRg6eeCDX8O60fpG
DvKUABOJXx1LoUEkGsNGdTizxg3uoD/2GLCvDLhZZiZ4k9srZRRzFT3neyWWdFln
EFbs33wT+40=
=78tO
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-014: fd_set overrun in mbone tools and pppd
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-014
=================================
Topic: fd_set overrun in mbone tools and pppd
Version: NetBSD-current: source prior to August 10, 2002
NetBSD 1.6 beta: sources prior to August 11, 2002
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
Severity: possible local root compromise
Fixed: NetBSD-current: August 10, 2002
NetBSD-1.6 branch: August 11, 2002 (1.6 includes the fix)
NetBSD-1.5 branch: September 5, 2002
NetBSD-1.4 branch: not yet
Abstract
========
The IPv4 multicast-related tools mrinfo(1) and mtrace(1), and the PPP
daemon pppd(8), are setuid root binaries. A malicious local user can
cause a buffer overrun in these programs by filling file descriptor
tables before exec'ing them, which could lead to local root
compromise.
No exploit code is known to exist at this moment.
Technical Details
=================
These tools use select(2). select(2) uses fd_set bitmap, which
supports up to FD_SETSIZE (256) file descriptors. These tools did not
have a boundary check when doing FD_SET() operations. Therefore, if
the file descriptor used for select(2) equals to or exceeds
FD_SETSIZE, a buffer overrun occurs.
More details are in the NetBSD-current select(2) manpage "BUGS" section:
Although the provision of getdtablesize(3) was intended to allow user
programs to be written independent of the kernel limit on the number of
open files, the dimension of a sufficiently large bit field for select
remains a problem. The default bit size of fd_set is based on the symbol
FD_SETSIZE (currently 256), but that is somewhat smaller than the current
kernel limit to the number of open files. However, in order to accommo-
date programs which might potentially use a larger number of open files
with select, it is possible to increase this size within a program by
providing a larger definition of FD_SETSIZE before the inclusion of
<sys/types.h>. The kernel will cope, and the userland libraries provided
with the system are also ready for large numbers of file descriptors.
Solutions and Workarounds
=========================
If you do not run, and do not plan to use, multicast-related tools or
pppd, the problem can be worked around by removing the setuid bit from
those binaries. Users can therefore no longer escalate their
privileges by exploiting the bug:
# chmod u-s /usr/sbin/mrinfo /usr/sbin/mtrace /usr/sbin/pppd
Nevertheless, we suggest upgrading these binaries to make sure you
don't have vulnerable code in your system.
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
Otherwise, the following instructions describe how to upgrade your
binaries by updating your source tree and rebuilding and installing a
new version.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-10
should be upgraded to NetBSD-current dated 2002-08-10 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
usr.sbin/mrinfo
usr.sbin/mtrace
usr.sbin/pppd
To update from CVS, re-build, and re-install mrinfo and mtrace:
# cd src
# cvs update -dP usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
# cd usr.sbin/mrinfo
# make cleandir dependall
# make install
# cd usr.sbin/mtrace
# make cleandir dependall
# make install
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-08-11 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
usr.sbin/mrinfo
usr.sbin/mtrace
usr.sbin/pppd
To update from CVS, re-build, and re-install mrinfo and mtrace:
# cd src
# cvs update -d -P -r netbsd-1-6 \
usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
# cd usr.sbin/mrinfo
# make cleandir dependall
# make install
# cd usr.sbin/mtrace
# make cleandir dependall
# make install
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD-1.5 branch dated from before 2002-09-05
should be upgraded to NetBSD-1.5 branch dated 2002-09-05 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
usr.sbin/mrinfo
usr.sbin/mtrace
usr.sbin/pppd
To update from CVS, re-build, and re-install mrinfo and mtrace:
# cd src
# cvs update -d -P -r netbsd-1-5 \
usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
# cd usr.sbin/mrinfo
# make cleandir dependall
# make install
# cd usr.sbin/mtrace
# make cleandir dependall
# make install
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.4 branch.
Thanks To
=========
xs@kittenz.org for finding this bug and sending fixes.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-09-16 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-014.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-014.txt,v 1.13 2002/09/16 05:17:55 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVqaD5Ru2/4N2IFAQGipAP/QwtISx0xcoOwzB3HrjGmn8DMX0V13q6d
ecx1QZ/4TuCjEYmgbhXdW8ReB7yQ1wy2tIG61U3pvoQW9EMqoK1n7ispixwUIS7X
Yp3gpYp4nTAeeLvv3mYoT6NFERqzku7qakoSFq92uojwborR/yXFsiC41IMudhK6
HuwbKbDG9WM=
=Ez96
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-017: shutdown(s, SHUT_RD) on TCP socket does
not work as intended
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-017
=================================
Topic: shutdown(s, SHUT_RD) on TCP socket does not work as intended
Version: NetBSD-current: source prior to September 7, 2002
NetBSD 1.6 beta: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
Severity: Unexpected kernel memory consumption
Fixed: NetBSD-current: September 7, 2002
NetBSD-1.6 branch: September 7, 2002 (1.6 includes the fix)
NetBSD-1.5 branch: September 7, 2002
NetBSD-1.4 branch: not yet
Abstract
========
shutdown(s, SHUT_RD) is used to indicate that there should be no inbound
traffic expected on the socket. There was mistake in TCP with respect to
the handling of shutdown'ed socket, leading to unexpected kernel resource
consumption and unexpected behavior.
Technical Details
=================
Some of sbappend() calls from sys/netinet/tcp_input.c did not consult
SS_CANTRCVMORE flag on socket properly.
http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=18185
Solutions and Workarounds
=========================
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version
of kernel.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-09-06
should be upgraded to NetBSD-current dated 2002-09-06 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
sys/netinet
To update from CVS, re-build, re-install kernel and reboot:
# cd src
# cvs update -d -P sys/netinet
Configure, compile, install and boot a new kernel according to
the instructions at:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-09-06 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
sys/netinet
To update from CVS, re-build, re-install kernel and reboot:
# cd src
# cvs update -d -P -r netbsd-1-6 sys/netinet
Configure, compile, install and boot a new kernel according to
the instructions at:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
from before 2002-09-06 should be upgraded from NetBSD 1.5.*
sources dated 2002-09-06 or later.
NetBSD 1.5.4 will be shipped with fixes.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
sys/netinet
To update from CVS, re-build, re-install kernel and reboot:
# cd src
# cvs update -d -P -r netbsd-1-5 sys/netinet
Configure, compile, install and boot a new kernel according to
the instructions at:
http://www.netbsd.org/Documentation/kernel/#building_a_kernel
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.4 branch.
Thanks To
=========
Sean Boudreau
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-09-16 Initial release
More Information
================
Advisories may be updated as new information comes to hand. The most
recent version of this advisory (PGP signed) can be found at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-017.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-017.txt,v 1.9 2002/09/16 05:17:55 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVqej5Ru2/4N2IFAQFXFQP/TgE2w4hDKtWeccyjBSYEYPji7hgu/IPK
gJztYTRBM4xDKyx76QW+MSoFu/ye+Jfkveh6ZmxGKb2oFzGjbKKyKISk1brBaZ+o
g6mqsd05AACYukIhkRdNOR84bPr086soGRJQFXaLUKbwcUBNQQ43yY8fDqMdEuBd
yk+GJu7hDgQ=
=kfaF
- -----END PGP SIGNATURE-----
NetBSD Security Advisory 2002-018: Multiple security isses with kfd daemon
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-018
=================================
Topic: Multiple security isses with kfd daemon
Version: NetBSD-current: source prior to September 10, 2002
NetBSD 1.6: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: not affected
Severity: remote buffer overrun, possibly resulting in root exploit
Fixed: NetBSD-current: September 11, 2002
NetBSD-1.6 branch: not yet
NetBSD-1.5 branch: September 11, 2002
Abstract
========
Kf and kfd are used to forward Kerberos credentials in a stand-alone
fashion, and come from the Heimdal Kerberos implementation used by
NetBSD. In Heimdal releases earlier than 0.5, these programs have
multiple security issues, including possible buffer overruns.
The kfd daemon has never been enabled by default in NetBSD; enabling
it would have required a port name to be added to /etc/services.
Technical Details
=================
The client sent information about user and files without integrity
protection, making it possible to overwrite any file the user had
access to. The server also passed some of this data to other functions
without checking that strings were zero terminated, possibly resulting
in root exploit.
All versions prior to Heimdal 0.5 are vulnerable. You can tell which
version of kfd you have by running /usr/libexec/kfd --version.
See also: http://www.pdc.kth.se/heimdal/
Solutions and Workarounds
=========================
As this is not a vital service, and is very likely unused by most
installations, the straightforward solution is to remove these
programs. This has been done in NetBSD-current sources on September
11, 2002. Note that even after this time, systems may still have
binaries left behind from earlier builds.
Note that sources for the 1.6 release (and branch) still inlcude these
programs. Therefore, a "make build" will re-install vulnerable
binaries into /usr/bin/kf and /usr/libexec/kfd. As noted in the 1.6
LAST_MINUTE release notes, please remove them after each "make build".
* NetBSD all releases:
Check that you don't have kfd in your /etc/inetd.conf.
% grep kfd /etc/inetd.conf
Remove these programs:
# rm /usr/bin/kf
# rm /usr/libexec/kfd
# rm /usr/share/man/cat1/kf.0
# rm /usr/share/man/cat8/kfd.0
# rm /usr/share/man/man1/kf.1
# rm /usr/share/man/man8/kfd.8
Thanks To
=========
joda@pdc.kth.se (Johan Danielsson)
Revision History
================
2002-09-16 Initial release
More Information
================
Advisories may be updated as new information comes to hand. The most
recent version of this advisory (PGP signed) can be found at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-018.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-018.txt,v 1.9 2002/09/16 22:59:39 dan Exp $
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYZiaj5Ru2/4N2IFAQG3YQP6AxY5rsaUAgEIIQ3TVsLPbqplH4ARheS6
zvmwTOcoI4NnGVdvUL99FPf+hEJdHZyScEn9bRtEGgFUnbXCgovDu2G333/1S91Z
w36jokou/av+WdxJ7fVSbFqrA62cFy1s9fpoWubZ14j3isPzz74qtPtGnOI19oGh
WylKw/jKtps=
=8Fkt
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBPYiV2Ch9+71yA2DNAQHdXAP/VnvLZqB75TBGCNO71EgWXI7JHd2E/V+q
Wt1JvyJNo5wxuWq0FNZk8VjoCH3QC6uX20Dq+c5sucwMI4NDIqcU4y6qNULeGh8O
dArhxJP/lAtcdPABab/0w9RH7TloHp7caWfe54ZL1+AuS1+nw4NtUIsfwVW8TCnB
HXWK7gqtyT0=
=kpf6
-----END PGP SIGNATURE-----