-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

             ESB-2002.515 -- NetBSD Security Advisory Updates
           Multiple NetBSD Security Advisories Released/Updated
                             18 September 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                libc/libresolv DNS resolver
                        TIOCSCTTY ioctl
                        OpenSSL
                        pppd
                        Sun RPC XDR decoder
                        setlocale
                        NFS server
                        mbone tools and pppd
                        shutdown(s, SHUT_RD)
                        kfd
Vendor:                 NetBSD
Operating System:       NetBSD
Impact:                 Denial of Service
                        Root Compromise
                        Modify Permissions
Access Required:        Remote
                        Existing Account

Comment: NetBSD has released a batch of Security Bulletins in conjunction
         with the release of NetBSD 1.6.

         AusCERT has compiled these Security Bulletins into a single ESB.
         Users of both NetBSD 1.5.3 and NetBSD 1.6 should read the first
         section and determine which sections of the document is relevant
         to their situation.

         In order, the Security Bulletins included in this ESB are:

          * NetBSD Security Advisory 2002-006: buffer overrun in
            libc/libresolv DNS resolver
          * NetBSD Security Advisory 2002-007: Repeated TIOCSCTTY ioctl
            can corrupt session hold counts
          * NetBSD Security Advisory 2002-009: Multiple vulnerabilities
            in OpenSSL code
          * NetBSD Security Advisory 2002-010: symlink race in pppd
          * NetBSD Security Advisory 2002-011: Sun RPC XDR decoder
            contains buffer overflow
          * NetBSD Security Advisory 2002-012: buffer overrun in
            setlocale
          * NetBSD Security Advisory 2002-013: Bug in NFS server code
            allows remote denial of service
          * NetBSD Security Advisory 2002-014: fd_set overrun in mbone
            tools and pppd
          * NetBSD Security Advisory 2002-017: shutdown(s, SHUT_RD) on
            TCP socket does not work as intended
          * NetBSD Security Advisory 2002-018: Multiple security isses
            with kfd daemon

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----


With the release of NetBSD 1.6, the NetBSD project is publishing a
batch of Security Advisories (some of which are updates), as follows:

*   2002-006    buffer overrun in libc/libresolv DNS resolver
 x  2002-007    Repeated TIOCSCTTY ioctl can corrupt session hold counts
*x  2002-009    Multiple vulnerabilities in OpenSSL code
*x  2002-010    symlink race in pppd
*x  2002-011	Sun RPC XDR decoder contains buffer overflow
 x  2002-012    buffer overrun in setlocale
 x  2002-013    Bug in NFS server code allows remote denial of service
 x  2002-014    fd_set overrun in mbone tools and pppd
 x  2002-017    shutdown(s, SHUT_RD) on TCP socket does not work as intended
 x+ 2002-018    Multiple security isses with kfd daemon

    (*) reissue   (x) affects 1.5.3   (+) affects 1.6

These advisories involve bugs in libc (affecting static binaries), as
well as the kernel.  A full system rebuild is recommended to
collectively address all of these issues, but please make sure to read
through all of the advisories in case specific issues affect your
system.

Because of the extensive rebuild required, the NetBSD 1.6 release was
delayed in order to include fixes for as many of these issues as
possible, so as to provide binary release users with an easy upgrade
path.

Readers will note that there are some gaps in the above numbering.
These pending advisories involve third parties, and are awaiting
disclosure co-ordination, so we cannot publish them at this time.
However, they *are* fixed in NetBSD 1.6.

Unfortunately, the recent 1.5.3 release was affected by most of these
issues. Unlike NetBSD 1.6, the 1.5 branch cannot be automatically
cross-built to release, and so any updated binary release from the 1.5
tree will take considerable time and developer effort.

Therefore:

 * The recommended cumulative fix for pre-1.6 systems is to upgrade to
   NetBSD 1.6. 

 * Users who cannot upgrade to 1.6 are recommended to update to the
   most recent sources on the NetBSD-1.5 branch, via anoncvs, and
   rebuild from there.

 * Users of NetBSD-current should upgrade to source more recent than
   September 11, 2002, and rebuild the kernel and all userland.

Having updated the base NetBSD distribution via one of the above, the
following steps are necessary for *all* users:

 * Recompile statically-linked binaries from pkgsrc, or custom builds (for
   2002-006)
 * Remove any shared libraries with older major numbers. (2002-006)
 * Remove any shared libraries for OS emulation under /emul, unless you 
   are sure it has no security vulnerabilities. (2002-006)
 * Follow instructions in 2002-018


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYZwhj5Ru2/4N2IFAQFkQwP+OtnCO0JZ2BWi/YgaDrfU7DBZrDDsQpW7
dXW/PtVvcOyvbpqgKREQ7CHi7jzolysRHX9VRXwgOS/tgo2fSmNaLyXjdbJhxzT2
xw6LEdaqC4YHHf3EuZ3GsF0UY/VGCDNg3WNf04CfTV1Jp61VnvTTjDMmOqegMxOI
/NTVURE2fV8=
=YBq6
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-006: buffer overrun in libc/libresolv DNS resolver

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-006
		 =================================
		 (updated 2002/9/16)

Topic:		buffer overrun in libc/libresolv DNS resolver

Version:	NetBSD-current:	source prior to June 28, 2002
		NetBSD-1.6 beta:source prior to June 28, 2002
		NetBSD-1.5.3:   NOT affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected
		All prior NetBSD releases.

		pkgsrc:		net/bind4, prior to bind-4.9.9 are affected
				net/bind8, prior to bind-8.3.3 are affected
				net/bind9, bind-9.2.1 includes vulnerable code
					(not compiled for normal use)
				emulators/compat14 prior to 1.4.3.2
				emulators/compat14-crypto prior to 1.4.3.2
				emulators/netbsd32_compat14 prior to 1.4.3.2
				emulators/compat15 prior to 1.5.3.1
					if ships with libc/libresolv shlib
				emulators/netbsd32_compat15 prior to 1.5.3.1
				emulators/* for other operating systems,
					if ships with libc/libresolv shlib
				any statically linked pkgsrc binaries
				(there could be more)

Severity:	remote buffer overrun on any application that uses DNS,
		possible remote root exploit (not confirmed)

Fixed:		NetBSD-current:		June 28, 2002
		NetBSD-1.6 branch:	June 28, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	July 2, 2002 (1.5.3 includes the fix)
		NetBSD-1.4 branch:	(not yet)
		pkgsrc:			net/bind4, bind-4.9.8nb1
					net/bind8, bind-8.3.3
					net/bind9, (ISC is not planning
						a release, as vulnerable
						files are not used in the
						main server or utilites by
						default.)
					emulators/compat14 1.4.3.2
					emulators/compat14-crypto 1.4.3.2
					emulators/netbsd32_compat14 1.4.3.2
					emulators/compat15 1.5.3.1
					emulators/netbsd32_compat15 1.5.3.1
					emulators/* for other operating systems
						- not yet

	NOTE: previous revisions of the advisory noted that fixed date
	was June 26.  Since BIND8 was later found to also be
	vulnerable, the fixed date for NetBSD-current was moved to Jun
	28, and branches for which pullups have not yet been completed
	or updated to distribution sites have been changed to (not
	yet).  If you have upgraded your system on June 26, you will
	need to upgrade again. Thank you for your patience with this
	complex issue.

	NOTE: previous revisions of the advisory noted that the use of
	BIND9 as caching resolver would work around the problem.
	However, it was later found to be insufficient (CERT advisory
	CA-2002-19 got updated on 2002/8/28 for this).  Therefore,
	the only fix to this problem is to upgrade your resolver
	library and any static binaries.


Abstract
========

There was a buffer-length computation bug in BIND-based DNS resolver
code.  A malicious DNS response packet may be able to overwrite data
outside the buffer, and it could lead to attacks as serious as a remote
root exploit, though there are no public exploits in circulation at this
time.

NetBSD uses BIND4-based DNS resolver code in libc/libresolv, and is
found to be vulnerable.  We also use BIND8-based DNS resolver code in
named related tools like /usr/bin/dig, and these are vulnerable (source
located in dist/bind and usr.sbin/bind).


Technical Details
=================

In lib/libc/net/gethnamaddr.c:getanswer() and
lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage
packet buffer parsing - a pointer to the byte we are looking at, and
the remaining length on the buffer.

The remaining length was not updated consistently, and malicious DNS
responses are able to write outside the buffer.  This may present an
attacker with the opportunity to insert arbitrary code for execution as
the user running the resolver query, potentially root.  No exploit
script to take advantage of this vulnerability is known at time of
writing.

It is important to understand that this issue can be triggered in a
manner unlike the more common buffer overflows in network daemons. Any
outgoing DNS query made to a hostile server would expose the
vulnerability. The exploit path includes email sent to Netscape users
which automatically display HTML, and hostile web pages which carry
embedded objects located on servers in domains with a hostile DNS
server.

Since client systems in many network environments are permitted to make
DNS queries directly to root servers, through routed IPs, or NATs,
realize that these systems are vulnerable even if behind a firewall,
since they are initiating the outgoing query.

This issue was brought to the attention of the NetBSD security-officer
with short notice, and this advisory has since been updated with
additional information.

See also:
http://www.pine.nl/advisories/pine-cert-20020601.html
http://www.kb.cert.org/vuls/id/803539
http://www.cert.org/advisories/CA-2002-19.html (revised 2002/8/28)


Solutions and Workarounds
=========================

The recent NetBSD 1.5.3 release is not vulnerable to this issue,
however very shortly after its release other vulnerabilities were
found.  Please ensure you check all relevant Security Advisories.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

Note that any statically-linked binary that makes any DNS query is
vulnerable, and cannot be fixed by replacing a shared library.
Therefore, updating the entire system is suggested.

Note also that shared libraries from other operating systems installed
for binary compatibility under /emul may also be vulnerable. Please
consult the vendor of those libraries for further details.

If you have NetBSD systems that have been upgraded from earlier releases
from before 1997, you may have libc and/or libresolv shared libraries
with older shared library major numbers.  Check for the presence of
/usr/lib/libc.so.X.Y where X < 12 (the current major number).  These old
libraries contain vulnerable resolver code, and will not be updated even
if you rebuild the system.  Therefore, we suggest you to remove those
old shared libraries.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-06-25
	should be upgraded to NetBSD-current dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/net
		usr.sbin/bind
		dist/bind
	Also note that the include files needs to be in sync with
	code in lib/libc/net.

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P lib/libc/net usr.sbin/bind dist/bind

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../../lib/libresolv
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.6 betas:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-06-26 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc/net
		usr.sbin/bind
		dist/bind
	Also note that the include files needs to be in sync with
	code in lib/libc/net.

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc/net \
			usr.sbin/bind dist/bind

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../../lib/libresolv
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.5.x:

	Systems running NetBSD 1.5.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.5 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		lib/libc/net
		usr.sbin/bind
		dist/bind
	Also note that the include files needs to be in sync with
	code in lib/libc/net.

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/net \
			usr.sbin/bind dist/bind

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../../lib/libresolv
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.4.x:

	Systems running NetBSD 1.4.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.4 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-4 CVS branch:
		lib/libc/net
		usr.sbin/bind
		dist/bind

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-4 lib/libc/net \
			usr.sbin/bind dist/bind

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../../lib/libresolv
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* pkgsrc:

	bind-4.9.8 (pkgsrc/net/bind4) and prior are vulnerable.  Upgrade to
	bind-4.9.8nb1 or bind-4.9.9.  Note that BIND4 nameserver
	is considered obsolete by the vendor (ISC), and it is recommended to
	use BIND9, or BIND8.

	pkgsrc prior to bind-8.3.3 are vulnerable.  Upgrade to bind-8.3.3.

	bind-9.2.1 includes vulnerable code, however, the code will not be
	compiled by default.

	Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234])
	are vulnerable.  There is no fix supplied at this moment.

	If you have statically linked binaries in pkgsrc, they have to be
	rebuilt.  Statically linked binaries can be identified by the
	following command (note: be sure to include the directory you install
	pkgsrc binaries to, if you've changed LOCALBASE from the default of
	/usr/pkg)

		file /usr/pkg/{bin,sbin,libexec} | grep static

	Shared libraries for binary compatibility are available
	through pkgsrc for some operating systems, and may be
	vulnerable as noted above if installed.

Thanks To
=========

Jun-ichiro itojun Hagino for patches, and initial advisory text.

Michael Graff for bind9 information

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-06-26	Initial release
	2002-06-27	Updated with further information on pkgsrc, and
			affected BIND releases.
	2002-06-28	Add note from Michael Graff regarding BIND9
	2002-06-28	BIND8 resolver (dist/bind) was found to be vulnerable.
			Fixed date changed from Jun 26 to Jun 28.
	2002-08-28	Remove note regarding BIND9, as it was found to be
			insufficient.
	2002-09-05	Updated information regarding recent 1.5.3 release
			and emulation pkgsrc.
	2002-09-16	Re-release with updated information


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-006.txt,v 1.40 2002/09/16 05:17:55 dan Exp $



- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVpoD5Ru2/4N2IFAQGFOgP/UTJeXuOgFiB81myMTeTgeRc1H7u41W+q
nW/TJGltzApfFQJjZYDDj3TC7AfTLBFWwfrJynC4jsLFUMIcs5NMZOvWE2eiCTgz
S7QJi15B07nMfipYe3s9dJ3QQZB9YIZng1lNVa7V7Ee1fPrYt5oXHkrZfCZTOLKL
zd3yMAAQRpg=
=8/IS
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-007: Repeated TIOCSCTTY ioctl can corrupt session
hold counts

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-007
		 =================================

Topic:		Repeated TIOCSCTTY ioctl can corrupt session hold counts

Version:	NetBSD-current:	source prior to July 21, 2002 
		NetBSD-1.6 beta: source prior to July 23, 2002
		NetBSD-1.5.*:	source prior to September 5, 2002
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected

Severity:	Local user can cause system panic

Fixed:		NetBSD-current:		July 21, 2002
		NetBSD-1.6 branch:	July 23, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	September 5, 2002
		NetBSD-1.4 branch:	not yet


Abstract
========

A Session leader can use the TIOCSCTTY ioctl to set the session
controlling terminal. This ioctl can be called any number of times.
The call unconditionally raised the hold count of a kernel structure
shared between processes in the same session. It was possible to
overflow the structure counter, and thus arrange for the structure
memory to be freed prematurely, and possibly re-used.  This could
cause a kernel panic or incorrect operation the next time the session
structure is accessed from the context of other processes which are
part of the former session.

Technical Details
=================

A process can start a new session (and thus create a new session
leader), by forking a child and exiting. The new child can then call
setsid(2) to create a new session, and thus become a session
leader. The child process can then call the TIOCSCTTY ioctl.

Structures shared between multiple processes (such as the session
structure) normally contain counters to keep track of how many times a
structure is referenced. Typically, macros are used to increase/decrease
the use counter, and the structure is freed when the counter goes to
zero.

By repeatedly invoking TIOCSCTTY, it's possible to overflow the integer
counter such that when a process exits (and thus the session structure
counter is decreased), the counter hits zero and structure is freed even
though other processes still reference it. Depending on kernel options,
this might immediately cause the memory to be overwritten with junk
data, or the memory will be overwritten by random other data when the
memory is allocated to something else. In either case, if any of the
processes of the old session group access the memory, they would very
likely follow trashed pointers and cause a kernel panic.

Solutions and Workarounds
=========================

NetBSD official releases up to and including 1.5.3 are vulnerable.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

Otherwise, kernel sources must be updated and a new kernel built and
installed.  Once the kernel sources have been updated, rebuild the
kernel, install it, and reboot.  For more information on how to do
this, see:
  http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

The instructions for updating your kernel sources depend upon which
particular NetBSD release you are running.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-07-21
	should be upgraded to NetBSD-current dated 2002-07-22 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/sys/kern/

	Alternatively, apply the following patch (with potential offset
	differences):
 ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch

	To patch:
		# cd src/sys
		# patch < /path/to/SA2002-007-tiocsctty.patch
	
	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD-1.6 branch dated 2002-07-23 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		src/sys/kern/

	Alternatively, apply the following patch (with potential offset
	differences):
  ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch

	To patch:
		# cd src/sys
		# patch < /path/to/SA2002-007-tiocsctty.patch
	
	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5.x dated from before 2002-09-05
	should be upgraded to NetBSD-1.5 branch dated 2002-09-05 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		src/sys/kern/

	Alternatively, apply the following patch (with potential offset
	differences):
  ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch

	To patch:
		# cd src/sys
		# patch < /path/to/SA2002-007-tiocsctty.patch

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	The advisory will be updated to include instructions to remedy
	this problem for systems running the NetBSD-1.4 branch.


Thanks To
=========

David Laight, for finding the problem and original patches.

Jaromir Dolecek, for fix and initial advisory text.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-09-16	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-007.txt,v 1.13 2002/09/16 05:17:55 dan Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVp6T5Ru2/4N2IFAQFJlQQAyVqJqrdjewQrmRFSQb3HmwESQYe7mhtw
Wc36bXxVYS35u3ctz3HL9soMfKoBxQfJhEWozAM6hTi6I0ISnX2mPVqTTBOmHENT
5AfhIJQmynx5yorVguEHp9E/zPvKo90lLKuz4KwAY6Fonzx/qT9YTk1DzJkYUrki
umJi1sasvAU=
=XDgt
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-009 - Multiple vulnerabilities in OpenSSL code

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-009
		 =================================
		 (updated 2002/9/16)

Topic:		Multiple vulnerabilities in OpenSSL code

Version:	NetBSD-current:	 source prior to August 10, 2002
		NetBSD-1.6 beta: affected
		NetBSD-1.5.3:	 affected
		NetBSD-1.5.2:	 affected
		NetBSD-1.5.1:	 affected
		NetBSD-1.5:	 affected
		NetBSD-1.4.*:	 not applicable
		pkgsrc:		 prior to openssl-0.9.6f

Severity:	Potential for remote root exploit

Fixed:		NetBSD-current:		August 10, 2002
		NetBSD-1.6 branch:	August 11, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	August 31, 2002
		pkgsrc:			openssl-0.9.6f (or later)

	NOTE: previous advisory had fixed dates prior to August 10.
	There were errors found in the vendor-supplied fix, therefore
	the fixed dates were modified.  Sorry for the confusion and
	thanks for the patience.

	NOTE: previous revision of advisory suggested that 1.5 branch
	was fixed on August 1, however the fix was found to be
	insufficient.  Therefore, users of 1.5 should apply the fix
	presented in this revised advisory.  Sorry for the confusion
	and thanks for the patience.


Abstract
========

There are multiple vulnerabilities found in openssl 0.9.6e and prior
releases.  There are four remotely-exploitable buffer overruns in SSL2/3
code.  The ASN1 parser can be confused by invalid encodings (SSL/TLS
code affected).

None of these services are enabled by default in NetBSD, however, by
enabling services built with these libraries, a system would become
vulnerable.

- - From the OpenSSL advisory:

  "Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or
  current development snapshots of 0.9.7 to provide SSL or TLS is
  vulnerable, whether client or server. 0.9.6d servers on 32-bit systems
  with SSL 2.0 disabled are not vulnerable."

After the above advisory was published,
  - 0.9.6e was found to be vulnerable, and 0.9.6f was released.
  - 0.9.6f had some build framework errors, and 0.9.6g was released.

The NetBSD fix includes OpenSSL 0.9.6g.


Technical Details
=================

http://www.openssl.org/news/secadv_20020730.txt
http://CERT.Uni-Stuttgart.DE/advisories/c-integer-overflow.php


Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

The following instructions describe how to upgrade your libcrypto/libssl
binaries by updating your source tree and rebuilding and
installing a new version of libcrypto/libssl.

Be sure to restart running instances of programs that use crypto libraries
(like sshd) after upgrading shared libraries.

If you have any statically-linked binaries that linked against a
vulnerable libcrypto and/or libssl, you need to recompile them.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-08-10
	should be upgraded to NetBSD-current dated 2002-08-10 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/Makefile.openssl
		crypto/dist/openssl
		lib/libcrypto
		lib/libssl

	To update from CVS, re-build, and re-install libcrypto and libssl:
		# cd src
		# cvs update -d -P crypto/Makefile.openssl crypto/dist/openssl \
			lib/libcrypto lib/libssl

		# make includes
		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl
		# make cleandir dependall
		# make install


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-11 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		crypto/Makefile.openssl
		crypto/dist/openssl
		lib/libcrypto
		lib/libssl

	To update from CVS, re-build, and re-install libcrypto and libssl:
		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/Makefile.openssl \
			crypto/dist/openssl lib/libcrypto lib/libssl

		# make includes
		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl
		# make cleandir dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD-1.5.x dated from before 2002-08-31
	should be upgraded to NetBSD-1.5 branch dated 2002-08-31 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch.  Due to the shlib major bump in libcrypto/libssl
	large number of shared libraries has to be rebuilt:
		crypto/Makefile.openssl
		crypto/dist/openssl
		lib/libasn1
		lib/libcom_err
		lib/libcrypto
		lib/libgssapi
		lib/libhdb
		lib/libkadm
		lib/libkadm5clnt
		lib/libkadm5srv
		lib/libkafs
		lib/libkdb
		lib/libkrb
		lib/libkrb5
		lib/libkstream
		lib/libroken
		lib/libsl
		lib/libss
		lib/libtelnet
		usr.bin/openssl

	To update from CVS, re-build, and re-install libcrypto and libssl:
		# cd src
		# cvs update -d -P -r netbsd-1-5 <directories listed above>

		# make includes
		# cd lib
		# make cleandir dependall
		# make install
		# cd usr.bin/openssl
		# make cleandir dependall
		# make install


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	OpenSSL was not included in the base system in NetBSD-1.4.*
	Follow the directions for pkgsrc if you have installed it from
	pkgsrc.


* pkgsrc:

	openssl (pkgsrc/security/openssl) prior to 0.9.6f are
	vulnerable.  Upgrade to openssl-0.9.6f or later; pkgsrc
	currently contains 0.9.6g at time of this writing.

	Packages which require openssl can be found by running 'pkg_info
	openssl'. Depending on the method you choose to update pkgsrc
	packages, a rebuild of the packages on that list may be
	performed for you by the package system. If you update using the
	experimental 'make replace' target, you will need to manually
	update any packages which build static binaries with libssl.a
	and libcrypto.a

        If you have statically linked binaries in pkgsrc, they have to be
        rebuilt.  Statically linked binaries can be identified by the
        following command (note: be sure to include the directory you install
        pkgsrc binaries to, if you've changed LOCALBASE from the default of
        /usr/pkg)

                file /usr/pkg/{bin,sbin,libexec} | grep static


Thanks To
=========

A.L. Digital Ltd and John McDonald of Neohapsis.
Adi Stav and James Yonan.
CERT and the OpenSSL team.

Jun-ichiro itojun Hagino for maintenance of OpenSSL in the NetBSD
source tree, and preparing the initial advisory text.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-08-01	Initial release based on 0.9.6e
	2002-08-11	based on 0.9.6f
	2002-08-31	1.5 pullup done, 0.9.6g
	2002-09-16	Re-release with updated information


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-009.txt,v 1.35 2002/09/16 05:17:55 dan Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqAD5Ru2/4N2IFAQHqtwQAluG+9I3pVeALK+p+X3ZNG99M2zx6y/Ea
IX7kS8M22PoZD6kJniBRWqcDfaYqj5FKHT1TlCAiehNUpQfdADQD/0i/nqX01puI
aCCLXIetnRwSmQdW3IcbWqs5NQvHuWOB+ng1t5DBF1rF9GPTRMmrv5Sjr27hl07X
+ta7U3VZCms=
=SEqH
- -----END PGP SIGNATURE-----


 NetBSD Security Advisory 2002-010: symlink race in pppd

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-010
		 =================================

Topic:		symlink race in pppd

Version:	NetBSD-current:	 source prior to July 31, 2002
		NetBSD-1.6 beta: affected
		NetBSD-1.5.3:	 affected
		NetBSD-1.5.2:	 affected
		NetBSD-1.5.1:	 affected
		NetBSD-1.5:	 affected
		NetBSD-1.4.*:	 affected

Severity:       Local user may be able to modify permissions on any file

Fixed:		NetBSD-current:		July 31, 2002
		NetBSD-1.6 branch:	August 3, 2002
					(NetBSD 1.6 includes the fix)
		NetBSD-1.5 branch:	September 5, 2002
		NetBSD-1.4 branch:	not yet


Abstract
========

A race condition exists in the pppd program that may be exploited
in order to change the permissions of an arbitrary file.

A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, and leverage the situation to
acquire escalated privileges.


Technical Details
=================

The file specified as the tty device is opened by pppd, and the
permissions are recorded.  If pppd fails to initialize the tty
device in some way (such as a failure of tcgetattr(3)), then pppd
will attempt to restore the original permissions by calling chmod(2).
The call to chmod(2) is subject to a symlink race, so that the
permissions may be `restored' on some other file.


Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

Otherwise, the following instructions describe how to upgrade your
pppd binaries by updating your source tree and rebuilding and
installing a new version of pppd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-07-30
	should be upgraded to NetBSD-current dated 2002-07-31 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		usr.sbin/pppd

	To update from CVS, re-build, and re-install pppd:
		# cd src
		# cvs update -d -P usr.sbin/pppd

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-04 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		usr.sbin/pppd

	To update from CVS, re-build, and re-install pppd:
		# cd src
		# cvs update -d -P -r netbsd-1-6 usr.sbin/pppd

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5 dated from before 2002-09-05 should
	be upgraded to NetBSD 1.5 branch dated 2002-09-05 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		usr.sbin/pppd

	To update from CVS, re-build, and re-install pppd:
		# cd src
		# cvs update -d -P -r netbsd-1-5 usr.sbin/pppd

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	The advisory will be updated to include instructions to remedy
	this problem for systems running the NetBSD-1.4 branch.



Thanks To
=========

Jun-ichiro itojun Hagino for patches, and preparing the advisory text.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-08-01	Initial release
	2002-09-05	1.5 fixed
	2002-09-16	Re-release with updated information


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-010.txt,v 1.15 2002/09/16 05:17:55 dan Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqFT5Ru2/4N2IFAQGWDwQAodZpv2grHbPZPoIdUmlhRVp46pRnZTH7
jXUvVNLAbqQYTb08ICChzTF2IIjkvOySNLXvBeynNEMTmYeFh+HZwdrofr/+Wgcc
DBgX3BnCHgeRkJbKTDXjPmMKB+EP86H9o4yYz0pSKNVNRg7GgeJtM1zOLwlmX1NE
nj8huZwPs7c=
=7Lza
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-011: Sun RPC XDR decoder contains buffer overflow

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-011
		 =================================

Topic:		Sun RPC XDR decoder contains buffer overflow

Version:	NetBSD-current:	 source prior to August 1, 2002
		NetBSD-1.6 beta: affected
		NetBSD-1.5.3:	 affected
		NetBSD-1.5.2:	 affected
		NetBSD-1.5.1:	 affected
		NetBSD-1.5:	 affected
		NetBSD-1.4.*:	 affected

severity:	Possible remote root compromise if RPC services
		are enabled

Fixed:		NetBSD-current:		August 1, 2002
		NetBSD-1.6 branch:	August 2, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	August 1, 2002 
		NetBSD-1.4 branch:	not yet


Abstract
========

Integer overflows exist in the RPC code in libc. These cause a buffer to
be mistakenly allocated too small, and then overflown.

The Automounter amd(8) and its query tool amq(8), and the rusers(1)
client binary use the flawed code in a way which could be exploitable.

Other uses of the RPC functions have been examined and are believed to
not be exploitable.

No RPC-based services are enabled by default.


Technical Details
=================

Sun RPC is a remote procedure call framework which allows clients
to invoke procedures in a server process over a network somewhat
transparently.  XDR is a mechanism for encoding data structures for
use with RPC.  NFS, NIS, and many other network services are built
upon Sun RPC.

The NetBSD C runtime library (libc) contains an XDR encoder/decoder
derived from Sun's RPC implementation.

Any application using Sun RPC may be vulnerable to a heap buffer
overflow.  Depending upon the application, this vulnerability may be
exploitable and lead to arbitrary code execution.

An error in the calculation of memory needed for unpacking arrays in
the XDR decoder can result in a heap buffer overflow.

Though no exploits are known to exist currently, RPC-based services
often run as the superuser, and the vulnerability in amd(8) could be
exploitable.

Again, no RPC-based services are enabled by default.


Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

If you do not run any of the affected RPC services (amd/amq/rusers)
your system is not affected.  However, we suggest you upgrade your
system to avoid running vulnerable RPC code by mistake.

The following instructions describe how to upgrade your libc (which
includes RPC code) by updating your source tree and rebuilding and
installing a new version of libc.

Note that if you have any statically-linked binaries that uses RPC,
you need to recompile them.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-08-01
	should be upgraded to NetBSD-current dated 2002-08-01 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/rpc

	To update from CVS, re-build, and re-install libc:
		# cd src
		# cvs update -d -P lib/libc/rpc

		# cd lib/libc
		# make cleandir dependall
		# make install


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-02 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc/rpc

	To update from CVS, re-build, and re-install libc:
		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc/rpc

		# cd lib/libc
		# make cleandir dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD-1.5 branch dated from before 2002-08-02
	should be upgraded to NetBSD-1.5 branch dated 2002-08-02 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		lib/libc/rpc

	To update from CVS, re-build, and re-install libc:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/rpc

		# cd lib/libc
		# make cleandir dependall
		# make install


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	The advisory will be updated to include instructions to remedy
	this problem for systems running the NetBSD-1.4 branch.


Thanks To
=========

CERT for notification.

Charles Hannum for scope analysis and commentary.

FreeBSD security-officers. Parts of the advisory text are based on
the FreeBSD advisory.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-08-01	Initial release
	2002-08-02	1.5/1.6 branch info
	2002-09-16	Re-release with updated information


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-011.txt,v 1.13 2002/09/16 05:17:55 dan Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqKj5Ru2/4N2IFAQGEYAP+K1lgLUVy/CrmvtRikjSv5UKYY4pAWAca
fKwDpVlp/5q3kSc/b5NY7bgi7gUPVvbaW1v/PgfRIA47PBtAt7juvsnEDIO6IJ8M
9rDwfrikYdShm0R5ejxyIfu1CwjD9gWOvJ2xYGQ7XW67tLPG3udwa1B1UhWeQTnK
9OhEncw7mcw=
=YcPw
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-012: buffer overrun in setlocale

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-012
		 =================================

Topic:		buffer overrun in setlocale

Severity:	local root exploit if X11 (xterm) is installed.

Version:	NetBSD-current:	source prior to August 8, 2002
		NetBSD-1.6 beta:source prior to August 8, 2002
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected
		All prior NetBSD releases.

Fixed:		NetBSD-current:		August 8, 2002
		NetBSD-1.6 branch:	August 8, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	September 5, 2002
		NetBSD-1.4 branch:	not yet

Abstract
========

There was a boundary checking bug of array suffix in setlocale()
function in libc.  If the setlocale() function is used with arguments
satisfying a specific condition (see below), there is a possibility
that this could be exploitable.  This condition is as the following:

1. setlocale() function is called for LC_ALL category and
2. The string pointed to by the second argument of setlocale contains
   over six elements separated by slash.  An example of string causing
   this problem to setlocale() is "C/C/C/C/C/C/C".  (note that the
   frequently used special form, setlocale(LC_ALL, ""), does not cause
   this problem, since the code having this problem is never executed
   in this case.)
3. To use this bug to exploit, the second argument of setlocale needs
   to be derived from user-given data (e.g. environment variables or
   command line arguments) and the program need to be setuid or
   need to be involved in some setuid program or daemon.

Most programs using Xt, including xterm (setuid program), may satisfy
this condition.  All other programs in NetBSD distribution except for
packages do not satisfy it.  In packages, zsh is one of the most
important program that may satisfy this condition.


Technical Details
=================

The setlocale (or its subcontractor, __setlocale) function, defined in
lib/libc/locale/setlocale.c, is used to change the locale of each
locale category.  setlocale() function switches the locale of the
category specified by the first argument to the second argument.  The
special category LC_ALL can be used to change all locale categories at
the same time.  In this case, the NetBSD implementation of setlocale
allows a special form of the second argument string to specify
individual locales per category.

In this form, each locale is given in a single string separated by
slashes ('/'), as "A/B/C/D/E/F".  Here, each element corresponds to
categories LC_COLLATE, LC_CTYPE, LC_MONETARY, LC_NUMERIC, LC_TIME and
LC_MESSAGES, respectively.  The setlocale() function attempts to
decomposit these elements into an array object named new_categories
locally defined in lib/libc/locale/setlocale.c.  However, the code to
check the array boundary was lacking and thus this decomposition code
could destroy data segment if a string having over six elements was
given.

If the program which has set[ug]id bit or which is called from
set[ug]id program calls setlocale() with LC_ALL as the first argument
and with the string derived from user-given data
(e.g. setlocale(LC_ALL, getenv("FOO")) ) as the second argument, then
such program could be exploitable.  DefaultLanguageProc function of X
Toolkit Intrinsics (Xt) is a example of such usage. DefaultLanguageProc 
calls setlocale as "setlocale(LC_ALL, xnl)".  Here, xnl variable is
null string ("") by default, but can be overriden by user via
- - -xnllanguage option.  Most Xt programs, including xterm, use this
language procedure.  xterm is a setuid root program and thus any local
user could illegally acquire root account by using this problem.

On the other hand, the frequently used special form,
setlocale(LC_ALL, ""), does not have this problem because the decomposition
code is never executed in this form, although user-given LC_ALL environment
variable is similarly referred.


Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

Otherwise, you must update libc.  Also, you must update all statically
linked binaries satisfying the condition above - although the NetBSD
distribution contains no such static binaries, you may have some from
pkgsrc packages or local programs.  The following instructions
describe how to update libc.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-08-08
	should be upgraded to NetBSD-current dated 2002-08-08 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/locale

	To update from CVS, re-build, and re-install libc:
		# cd src
		# cvs update -d -P lib/libc/locale

		# cd lib/libc
		# make cleandir dependall
		# make install


* NetBSD 1.6 betas:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-08 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc/locale

	To update from CVS, re-build, and re-install libc:
		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc/locale

		# cd lib/libc
		# make cleandir dependall
		# make install


* NetBSD 1.5.x:

	Systems running NetBSD 1.5 betas dated from before 2002-09-05
	should be upgraded to NetBSD 1.5 tree dated 2002-09-05 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		lib/libc/locale

	To update from CVS, re-build, and re-install libc:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/locale

		# cd lib/libc
		# make cleandir dependall
		# make install


* NetBSD 1.4.x:

	not yet


Thanks To
=========

Andrey A. Chernov for initial fix in FreeBSD source.

Takuya SHIOZAKI for preparing the initial advisory text.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-09-16	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-012.txt,v 1.11 2002/09/16 05:17:55 dan Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqPT5Ru2/4N2IFAQF2ngP9Gy/ZVH4yizEHSiv8f1OLHxn2auf3J/bx
Tit7KQVGiCQS/1sZ2UxV8ZVKQOzJwrJNHuJ23YS2iDs//RxghmpjVGQPmS91t7vb
X3z7SEy3mgEe0VClcDMSamxiomPi8rcH37CdlflHkTneX/UYsPgLClGT55PXtOu9
ZfqrAQGUgeU=
=5MrG
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-013: Bug in NFS server code allows remote
denial of service

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-013
		 =================================

Topic:		Bug in NFS server code allows remote denial of service

Version:	NetBSD-current:	source prior to Aug 3, 2002
		NetBSD 1.6 beta: source prior to Aug 3, 2002
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected

Severity:	remote denial of service

Fixed:		NetBSD-current:		Aug 3, 2002
		NetBSD-1.6 branch:	Aug 3, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	September 5, 2002
		NetBSD-1.4 branch:	not yet


Abstract
========

The Network File System (NFS) allows a host to export some or all of
its filesystems, or parts of them, so that other hosts can access them
over the network and mount them as if they were on local disks.  NFS is
built on top of the Sun Remote Procedure Call (RPC) framework.

An attacker in a position to send RPC messages to an affected NetBSD
system can construct a sequence of malicious RPC messages that cause
the target system to lock up.


Technical Details
=================

A part of the NFS server code charged with handling incoming RPC
messages had an error which, when the server received a message with a
zero-length payload, would cause it to reference the payload from the
previous message, creating a loop in the message chain.  This would
later cause an infinite loop in a different part of the NFS server
code which tried to traverse the chain.

Certain Linux implementations of NFS produce zero-length RPC messages
in some cases.  A NetBSD system running an NFS server may lock up
when such clients connect.


Solutions and Workarounds
=========================

If possible, disable the NFS server on your machine.  It is
still preferable to apply the following fixes to prevent using
vulnerable NFS code in the future.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

The following instructions describe how to upgrade your kernel
by updating your source tree and rebuilding and
installing a new version of kernel.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-08-03
	should be upgraded to NetBSD-current dated 2002-08-03 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		sys/nfs

	To update from CVS:

		# cd src
		# cvs update -d -P sys/nfs

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-03 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		sys/nfs

	To update from CVS:
		# cd src
		# cvs update -d -P -r netbsd-1-6 sys/nfs

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5 sources dated from before
	2002-09-05 should be upgraded from NetBSD 1.5 sources dated
	2002-09-05 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		sys/nfs

	To update from CVS:
		# cd src
		# cvs update -d -P -r netbsd-1-5 sys/nfs

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	The advisory will be updated with instructions to fix the problem
	for 1.5-based systems.


Thanks To
=========

FreeBSD security officers.  The advisory text is based on their advisory.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-09-16	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-013.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-013.txt,v 1.7 2002/09/16 05:17:55 dan Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqUD5Ru2/4N2IFAQF7VwP9HAw6DGiJI3TmxGeVR/7fNquzCXI6QtSJ
evofRBhcsSSNGuTYn9R8KVHdn+f7n8fdc2b3huQ6UCLr3epAgRg6eeCDX8O60fpG
DvKUABOJXx1LoUEkGsNGdTizxg3uoD/2GLCvDLhZZiZ4k9srZRRzFT3neyWWdFln
EFbs33wT+40=
=78tO
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-014: fd_set overrun in mbone tools and pppd

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-014
		 =================================

Topic:		fd_set overrun in mbone tools and pppd

Version:	NetBSD-current:	source prior to August 10, 2002
		NetBSD 1.6 beta: sources prior to August 11, 2002
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected

Severity:	possible local root compromise

Fixed:		NetBSD-current:		August 10, 2002
		NetBSD-1.6 branch:	August 11, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	September 5, 2002
		NetBSD-1.4 branch:	not yet


Abstract
========

The IPv4 multicast-related tools mrinfo(1) and mtrace(1), and the PPP
daemon pppd(8), are setuid root binaries.  A malicious local user can
cause a buffer overrun in these programs by filling file descriptor
tables before exec'ing them, which could lead to local root
compromise.

No exploit code is known to exist at this moment.


Technical Details
=================

These tools use select(2).  select(2) uses fd_set bitmap, which
supports up to FD_SETSIZE (256) file descriptors.  These tools did not
have a boundary check when doing FD_SET() operations.  Therefore, if
the file descriptor used for select(2) equals to or exceeds
FD_SETSIZE, a buffer overrun occurs.

More details are in the NetBSD-current select(2) manpage "BUGS" section:

   Although the provision of getdtablesize(3) was intended to allow user
   programs to be written independent of the kernel limit on the number of
   open files, the dimension of a sufficiently large bit field for select
   remains a problem.  The default bit size of fd_set is based on the symbol
   FD_SETSIZE (currently 256), but that is somewhat smaller than the current
   kernel limit to the number of open files.  However, in order to accommo-
   date programs which might potentially use a larger number of open files
   with select, it is possible to increase this size within a program by
   providing a larger definition of FD_SETSIZE before the inclusion of
   <sys/types.h>.  The kernel will cope, and the userland libraries provided
   with the system are also ready for large numbers of file descriptors.


Solutions and Workarounds
=========================

If you do not run, and do not plan to use, multicast-related tools or
pppd, the problem can be worked around by removing the setuid bit from
those binaries.  Users can therefore no longer escalate their
privileges by exploiting the bug:

	# chmod u-s /usr/sbin/mrinfo /usr/sbin/mtrace /usr/sbin/pppd

Nevertheless, we suggest upgrading these binaries to make sure you
don't have vulnerable code in your system.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

Otherwise, the following instructions describe how to upgrade your
binaries by updating your source tree and rebuilding and installing a
new version.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-08-10
	should be upgraded to NetBSD-current dated 2002-08-10 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		usr.sbin/mrinfo
		usr.sbin/mtrace
		usr.sbin/pppd

	To update from CVS, re-build, and re-install mrinfo and mtrace:
		# cd src
		# cvs update -dP usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd

		# cd usr.sbin/mrinfo
		# make cleandir dependall
		# make install

		# cd usr.sbin/mtrace
		# make cleandir dependall
		# make install

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-11 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		usr.sbin/mrinfo
		usr.sbin/mtrace
		usr.sbin/pppd

	To update from CVS, re-build, and re-install mrinfo and mtrace:
		# cd src
		# cvs update -d -P -r netbsd-1-6 \
			usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd

		# cd usr.sbin/mrinfo
		# make cleandir dependall
		# make install

		# cd usr.sbin/mtrace
		# make cleandir dependall
		# make install

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD-1.5 branch dated from before 2002-09-05
	should be upgraded to NetBSD-1.5 branch dated 2002-09-05 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		usr.sbin/mrinfo
		usr.sbin/mtrace
		usr.sbin/pppd

	To update from CVS, re-build, and re-install mrinfo and mtrace:
		# cd src
		# cvs update -d -P -r netbsd-1-5 \
			usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd

		# cd usr.sbin/mrinfo
		# make cleandir dependall
		# make install

		# cd usr.sbin/mtrace
		# make cleandir dependall
		# make install

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	The advisory will be updated to include instructions to remedy
	this problem for systems running the NetBSD-1.4 branch.


Thanks To
=========

xs@kittenz.org for finding this bug and sending fixes.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-09-16	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-014.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-014.txt,v 1.13 2002/09/16 05:17:55 dan Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqaD5Ru2/4N2IFAQGipAP/QwtISx0xcoOwzB3HrjGmn8DMX0V13q6d
ecx1QZ/4TuCjEYmgbhXdW8ReB7yQ1wy2tIG61U3pvoQW9EMqoK1n7ispixwUIS7X
Yp3gpYp4nTAeeLvv3mYoT6NFERqzku7qakoSFq92uojwborR/yXFsiC41IMudhK6
HuwbKbDG9WM=
=Ez96
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-017: shutdown(s, SHUT_RD) on TCP socket does
not work as intended

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-017
		 =================================

Topic:		shutdown(s, SHUT_RD) on TCP socket does not work as intended

Version:	NetBSD-current:	 source prior to September 7, 2002
		NetBSD 1.6 beta: affected
		NetBSD-1.5.3:	 affected
		NetBSD-1.5.2:	 affected
		NetBSD-1.5.1:	 affected
		NetBSD-1.5:	 affected
		NetBSD-1.4.*:	 affected

Severity:	Unexpected kernel memory consumption

Fixed:		NetBSD-current:	    September 7, 2002
		NetBSD-1.6 branch:  September 7, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:  September 7, 2002
		NetBSD-1.4 branch:  not yet


Abstract
========

shutdown(s, SHUT_RD) is used to indicate that there should be no inbound
traffic expected on the socket.  There was mistake in TCP with respect to
the handling of shutdown'ed socket, leading to unexpected kernel resource
consumption and unexpected behavior.


Technical Details
=================

Some of sbappend() calls from sys/netinet/tcp_input.c did not consult
SS_CANTRCVMORE flag on socket properly.

http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=18185


Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version
of kernel.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-09-06
	should be upgraded to NetBSD-current dated 2002-09-06 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		sys/netinet

	To update from CVS, re-build, re-install kernel and reboot:
		# cd src
		# cvs update -d -P sys/netinet

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-09-06 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		sys/netinet

	To update from CVS, re-build, re-install kernel and reboot:
		# cd src
		# cvs update -d -P -r netbsd-1-6 sys/netinet

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
	from before 2002-09-06 should be upgraded from NetBSD 1.5.*
	sources dated 2002-09-06 or later.

	NetBSD 1.5.4 will be shipped with fixes.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		sys/netinet

	To update from CVS, re-build, re-install kernel and reboot:
		# cd src
		# cvs update -d -P -r netbsd-1-5 sys/netinet

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	The advisory will be updated to include instructions to remedy
	this problem for systems running the NetBSD-1.4 branch.


Thanks To
=========

Sean Boudreau

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-09-16	Initial release


More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-017.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-017.txt,v 1.9 2002/09/16 05:17:55 dan Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqej5Ru2/4N2IFAQFXFQP/TgE2w4hDKtWeccyjBSYEYPji7hgu/IPK
gJztYTRBM4xDKyx76QW+MSoFu/ye+Jfkveh6ZmxGKb2oFzGjbKKyKISk1brBaZ+o
g6mqsd05AACYukIhkRdNOR84bPr086soGRJQFXaLUKbwcUBNQQ43yY8fDqMdEuBd
yk+GJu7hDgQ=
=kfaF
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-018: Multiple security isses with kfd daemon

- -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-018
		 =================================

Topic:		Multiple security isses with kfd daemon

Version:	NetBSD-current:	source prior to September 10, 2002
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	not affected

Severity:	remote buffer overrun, possibly resulting in root exploit

Fixed:		NetBSD-current:		September 11, 2002
		NetBSD-1.6 branch:	not yet
		NetBSD-1.5 branch:	September 11, 2002


Abstract
========

Kf and kfd are used to forward Kerberos credentials in a stand-alone
fashion, and come from the Heimdal Kerberos implementation used by
NetBSD.  In Heimdal releases earlier than 0.5, these programs have
multiple security issues, including possible buffer overruns.

The kfd daemon has never been enabled by default in NetBSD; enabling
it would have required a port name to be added to /etc/services.


Technical Details
=================

The client sent information about user and files without integrity
protection, making it possible to overwrite any file the user had
access to. The server also passed some of this data to other functions
without checking that strings were zero terminated, possibly resulting
in root exploit.

All versions prior to Heimdal 0.5 are vulnerable.  You can tell which
version of kfd you have by running /usr/libexec/kfd --version.

See also: http://www.pdc.kth.se/heimdal/


Solutions and Workarounds
=========================

As this is not a vital service, and is very likely unused by most
installations, the straightforward solution is to remove these
programs. This has been done in NetBSD-current sources on September
11, 2002. Note that even after this time, systems may still have
binaries left behind from earlier builds.

Note that sources for the 1.6 release (and branch) still inlcude these
programs. Therefore, a "make build" will re-install vulnerable
binaries into /usr/bin/kf and /usr/libexec/kfd. As noted in the 1.6
LAST_MINUTE release notes, please remove them after each "make build".

* NetBSD all releases:

        Check that you don't have kfd in your /etc/inetd.conf.

        % grep kfd /etc/inetd.conf

        Remove these programs:

        # rm /usr/bin/kf
        # rm /usr/libexec/kfd
        # rm /usr/share/man/cat1/kf.0
        # rm /usr/share/man/cat8/kfd.0
        # rm /usr/share/man/man1/kf.1
        # rm /usr/share/man/man8/kfd.8


Thanks To
=========

joda@pdc.kth.se (Johan Danielsson)


Revision History
================

	2002-09-16	Initial release


More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-018.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-018.txt,v 1.9 2002/09/16 22:59:39 dan Exp $


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYZiaj5Ru2/4N2IFAQG3YQP6AxY5rsaUAgEIIQ3TVsLPbqplH4ARheS6
zvmwTOcoI4NnGVdvUL99FPf+hEJdHZyScEn9bRtEGgFUnbXCgovDu2G333/1S91Z
w36jokou/av+WdxJ7fVSbFqrA62cFy1s9fpoWubZ14j3isPzz74qtPtGnOI19oGh
WylKw/jKtps=
=8Fkt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPYiV2Ch9+71yA2DNAQHdXAP/VnvLZqB75TBGCNO71EgWXI7JHd2E/V+q
Wt1JvyJNo5wxuWq0FNZk8VjoCH3QC6uX20Dq+c5sucwMI4NDIqcU4y6qNULeGh8O
dArhxJP/lAtcdPABab/0w9RH7TloHp7caWfe54ZL1+AuS1+nw4NtUIsfwVW8TCnB
HXWK7gqtyT0=
=kpf6
-----END PGP SIGNATURE-----