-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                ESB-2002.515 -- NetBSD Security Advisory Updates
           Multiple NetBSD Security Advisories Released/Updated
                              18 September 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                libc/libresolv DNS resolver
                        TIOCSCTTY ioctl
                        OpenSSL
                        pppd
                        Sun RPC XDR decoder
                        setlocale
                        NFS server
                        mbone tools and pppd
                        shutdown(s, SHUT_RD)
                        kfd
Vendor:                 NetBSD
Operating System:       NetBSD
Impact:                 Denial of Service
                        Root Compromise
                        Modify Permissions
Access Required:        Remote
                        Existing Account

Comment: NetBSD has released a batch of Security Bulletins in conjunction
         with the release of NetBSD 1.6. AusCERT has compiled these
         Security Bulletins into a single ESB. Users of both NetBSD 1.5.3
         and NetBSD 1.6 should read the first section and determine which
         sections of the document are relevant to their situation.
In order, the Security Bulletins included in this ESB are:

   * NetBSD Security Advisory 2002-006: buffer overrun in libc/libresolv
     DNS resolver
   * NetBSD Security Advisory 2002-007: Repeated TIOCSCTTY ioctl can
     corrupt session hold counts
   * NetBSD Security Advisory 2002-009: Multiple vulnerabilities in
     OpenSSL code
   * NetBSD Security Advisory 2002-010: symlink race in pppd
   * NetBSD Security Advisory 2002-011: Sun RPC XDR decoder contains
     buffer overflow
   * NetBSD Security Advisory 2002-012: buffer overrun in setlocale
   * NetBSD Security Advisory 2002-013: Bug in NFS server code allows
     remote denial of service
   * NetBSD Security Advisory 2002-014: fd_set overrun in mbone tools
     and pppd
   * NetBSD Security Advisory 2002-017: shutdown(s, SHUT_RD) on TCP
     socket does not work as intended
   * NetBSD Security Advisory 2002-018: Multiple security issues with
     kfd daemon

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

With the release of NetBSD 1.6, the NetBSD project is publishing a batch
of Security Advisories (some of which are updates), as follows:

  *   2002-006 buffer overrun in libc/libresolv DNS resolver
   x  2002-007 Repeated TIOCSCTTY ioctl can corrupt session hold counts
  *x  2002-009 Multiple vulnerabilities in OpenSSL code
  *x  2002-010 symlink race in pppd
  *x  2002-011 Sun RPC XDR decoder contains buffer overflow
   x  2002-012 buffer overrun in setlocale
   x  2002-013 Bug in NFS server code allows remote denial of service
   x  2002-014 fd_set overrun in mbone tools and pppd
   x  2002-017 shutdown(s, SHUT_RD) on TCP socket does not work as intended
   x+ 2002-018 Multiple security issues with kfd daemon

  (*) reissue   (x) affects 1.5.3   (+) affects 1.6

These advisories involve bugs in libc (affecting static binaries), as well
as the kernel. A full system rebuild is recommended to collectively
address all of these issues, but please make sure to read through all of
the advisories in case specific issues affect your system.
Because of the extensive rebuild required, the NetBSD 1.6 release was
delayed in order to include fixes for as many of these issues as
possible, so as to provide binary release users with an easy upgrade
path.

Readers will note that there are some gaps in the above numbering. These
pending advisories involve third parties, and are awaiting disclosure
co-ordination, so we cannot publish them at this time. However, they
*are* fixed in NetBSD 1.6.

Unfortunately, the recent 1.5.3 release was affected by most of these
issues. Unlike NetBSD 1.6, the 1.5 branch cannot be automatically
cross-built to release, and so any updated binary release from the 1.5
tree will take considerable time and developer effort. Therefore:

  * The recommended cumulative fix for pre-1.6 systems is to upgrade to
    NetBSD 1.6.
  * Users who cannot upgrade to 1.6 are recommended to update to the most
    recent sources on the NetBSD-1.5 branch, via anoncvs, and rebuild
    from there.
  * Users of NetBSD-current should upgrade to source more recent than
    September 11, 2002, and rebuild the kernel and all userland.

Having updated the base NetBSD distribution via one of the above, the
following steps are necessary for *all* users:

  * Recompile statically-linked binaries from pkgsrc, or custom builds
    (for 2002-006)
  * Remove any shared libraries with older major numbers. (2002-006)
  * Remove any shared libraries for OS emulation under /emul, unless you
    are sure they have no security vulnerabilities. (2002-006)
  * Follow instructions in 2002-018

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYZwhj5Ru2/4N2IFAQFkQwP+OtnCO0JZ2BWi/YgaDrfU7DBZrDDsQpW7
dXW/PtVvcOyvbpqgKREQ7CHi7jzolysRHX9VRXwgOS/tgo2fSmNaLyXjdbJhxzT2
xw6LEdaqC4YHHf3EuZ3GsF0UY/VGCDNg3WNf04CfTV1Jp61VnvTTjDMmOqegMxOI
/NTVURE2fV8=
=YBq6
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-006: buffer overrun in libc/libresolv DNS resolver

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2002-006
                 =================================
                 (updated 2002/9/16)

Topic:          buffer overrun in libc/libresolv DNS resolver

Version:        NetBSD-current:    source prior to June 28, 2002
                NetBSD-1.6 beta:   source prior to June 28, 2002
                NetBSD-1.5.3:      NOT affected
                NetBSD-1.5.2:      affected
                NetBSD-1.5.1:      affected
                NetBSD-1.5:        affected
                NetBSD-1.4.*:      affected
                All prior NetBSD releases.
                pkgsrc:  net/bind4, prior to bind-4.9.9 are affected
                         net/bind8, prior to bind-8.3.3 are affected
                         net/bind9, bind-9.2.1 includes vulnerable code
                             (not compiled for normal use)
                         emulators/compat14 prior to 1.4.3.2
                         emulators/compat14-crypto prior to 1.4.3.2
                         emulators/netbsd32_compat14 prior to 1.4.3.2
                         emulators/compat15 prior to 1.5.3.1
                             if it ships with libc/libresolv shlib
                         emulators/netbsd32_compat15 prior to 1.5.3.1
                         emulators/* for other operating systems,
                             if it ships with libc/libresolv shlib
                         any statically linked pkgsrc binaries
                         (there could be more)

Severity:       remote buffer overrun on any application that uses DNS,
                possible remote root exploit (not confirmed)

Fixed:          NetBSD-current:     June 28, 2002
                NetBSD-1.6 branch:  June 28, 2002 (1.6 includes the fix)
                NetBSD-1.5 branch:  July 2, 2002 (1.5.3 includes the fix)
                NetBSD-1.4 branch:  (not yet)
                pkgsrc:  net/bind4, bind-4.9.8nb1
                         net/bind8, bind-8.3.3
                         net/bind9, (ISC is not planning a release, as
                             vulnerable files are not used in the main
                             server or utilities by default.)
                         emulators/compat14 1.4.3.2
                         emulators/compat14-crypto 1.4.3.2
                         emulators/netbsd32_compat14 1.4.3.2
                         emulators/compat15 1.5.3.1
                         emulators/netbsd32_compat15 1.5.3.1
                         emulators/* for other operating systems - not yet

NOTE: previous revisions of the advisory noted that the fixed date was
June 26. Since BIND8 was later found to also be vulnerable, the fixed date
for NetBSD-current was moved to June 28, and branches for which pullups
have not yet been completed or updated to distribution sites have been
changed to (not yet). If you upgraded your system on June 26, you will
need to upgrade again. Thank you for your patience with this complex
issue.

NOTE: previous revisions of the advisory noted that the use of BIND9 as a
caching resolver would work around the problem. However, it was later
found to be insufficient (CERT advisory CA-2002-19 was updated on
2002/8/28 for this). Therefore, the only fix for this problem is to
upgrade your resolver library and any static binaries.

Abstract
========

There was a buffer-length computation bug in BIND-based DNS resolver
code. A malicious DNS response packet may be able to overwrite data
outside the buffer, and it could lead to attacks as serious as a remote
root exploit, though there are no public exploits in circulation at this
time.

NetBSD uses BIND4-based DNS resolver code in libc/libresolv, and is found
to be vulnerable. We also use BIND8-based DNS resolver code in
named-related tools like /usr/bin/dig, and these are vulnerable (source
located in dist/bind and usr.sbin/bind).

Technical Details
=================

In lib/libc/net/gethnamaddr.c:getanswer() and
lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage packet
buffer parsing - a pointer to the byte we are looking at, and the
remaining length of the buffer. The remaining length was not updated
consistently, and malicious DNS responses are able to write outside the
buffer.
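The bookkeeping failure described above (a cursor that advances while the remaining-length counter stays behind) is easy to see in a reduced model. The following C program is an added example written for this bulletin; it is not NetBSD's gethnamaddr.c. The 32-byte buffer, the two alias names, and the append functions are constructed for illustration. The flawed variant reports the overrun it would have committed instead of performing it, so the program runs safely; the corrected variant moves the cursor and the counter together and rejects the oversized answer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the resolver's answer-buffer bookkeeping described
 * in the advisory: decoded names are copied into a fixed-size buffer while
 * a cursor (bp) and a remaining-length counter (buflen) are tracked.
 * Illustrative code for this bulletin, not NetBSD's libc; the buffer size
 * and sample names are constructed values.
 */
#define HOSTBUF_SIZE 32

struct answer_buf {
    char   buf[HOSTBUF_SIZE];
    char  *bp;      /* cursor: next free byte in buf */
    size_t buflen;  /* bytes believed to remain after bp */
    int    names;   /* names appended so far */
};

static void answer_init(struct answer_buf *a)
{
    memset(a->buf, 0, sizeof a->buf);
    a->bp = a->buf;
    a->buflen = sizeof a->buf;
    a->names = 0;
}

/*
 * Flawed pattern: the length check consults buflen, but after the copy only
 * the cursor moves, so later checks pass against a stale value. To keep the
 * demonstration memory-safe, the true free space is computed and the
 * overrun is reported (-2) rather than performed.
 */
static int append_name_stale(struct answer_buf *a, const char *name)
{
    size_t n = strlen(name) + 1;                     /* include the NUL */
    if (n > a->buflen)
        return -1;                                   /* rejected by the check */
    size_t real_room = sizeof a->buf - (size_t)(a->bp - a->buf);
    if (n > real_room)
        return -2;        /* check passed, yet the copy would run past buf */
    memcpy(a->bp, name, n);
    a->bp += n;                                      /* buflen left untouched */
    a->names++;
    return 0;
}

/* Corrected pattern: cursor and remaining length always move together. */
static int append_name_checked(struct answer_buf *a, const char *name)
{
    size_t n = strlen(name) + 1;
    if (n > a->buflen)
        return -1;                                   /* does not fit: reject */
    memcpy(a->bp, name, n);
    a->bp += n;
    a->buflen -= n;
    a->names++;
    return 0;
}

/* Two constructed alias names; together they exceed HOSTBUF_SIZE. */
static const char *const sample_names[] = { "www.example.test", "host.example.test" };
#define NSAMPLES (sizeof sample_names / sizeof sample_names[0])

/* Feed the constructed answer through an appender; returns the first
 * non-zero status, or 0 when every name fitted. */
static int run_answer(int (*append)(struct answer_buf *, const char *))
{
    struct answer_buf a;
    answer_init(&a);
    for (size_t i = 0; i < NSAMPLES; i++) {
        int rc = append(&a, sample_names[i]);
        if (rc != 0)
            return rc;
    }
    return 0;
}

static int run_stale(void)   { return run_answer(append_name_stale); }
static int run_checked(void) { return run_answer(append_name_checked); }

int main(void)
{
    printf("stale counter:   %d (-2 = undetected overrun)\n", run_stale());
    printf("checked counter: %d (-1 = oversized answer rejected)\n", run_checked());
    return 0;
}
```

The second name is 18 bytes with its terminator; the stale variant still believes 32 bytes remain after the first 17-byte copy, which is exactly the class of inconsistency the advisory describes, while the checked variant knows only 15 remain and refuses.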
This may present an attacker with the opportunity to insert arbitrary code
for execution as the user running the resolver query, potentially root. No
exploit script to take advantage of this vulnerability is known at time of
writing.

It is important to understand that this issue can be triggered in a manner
unlike the more common buffer overflows in network daemons. Any outgoing
DNS query made to a hostile server would expose the vulnerability. The
exploit path includes email sent to Netscape users which automatically
display HTML, and hostile web pages which carry embedded objects located
on servers in domains with a hostile DNS server. Since client systems in
many network environments are permitted to make DNS queries directly to
root servers, through routed IPs, or NATs, realize that these systems are
vulnerable even if behind a firewall, since they are initiating the
outgoing query.

This issue was brought to the attention of the NetBSD security-officer
with short notice, and this advisory has since been updated with
additional information.

See also:
        http://www.pine.nl/advisories/pine-cert-20020601.html
        http://www.kb.cert.org/vuls/id/803539
        http://www.cert.org/advisories/CA-2002-19.html (revised 2002/8/28)

Solutions and Workarounds
=========================

The recent NetBSD 1.5.3 release is not vulnerable to this issue; however,
very shortly after its release other vulnerabilities were found. Please
ensure you check all relevant Security Advisories.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able to
do so. Many security-related improvements have been made, and indeed this
release has been delayed several times in order to include fixes for a
number of recent issues.

Note that any statically-linked binary that makes any DNS query is
vulnerable, and cannot be fixed by replacing a shared library. Therefore,
updating the entire system is suggested.
Note also that shared libraries from other operating systems installed for
binary compatibility under /emul may also be vulnerable. Please consult
the vendor of those libraries for further details.

If you have NetBSD systems that have been upgraded from earlier releases
from before 1997, you may have libc and/or libresolv shared libraries with
older shared library major numbers. Check for the presence of
/usr/lib/libc.so.X.Y where X < 12 (the current major number). These old
libraries contain vulnerable resolver code, and will not be updated even
if you rebuild the system. Therefore, we suggest you remove those old
shared libraries.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2002-06-25
        should be upgraded to NetBSD-current dated 2002-06-26 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                lib/libc/net
                usr.sbin/bind
                dist/bind

        Also note that the include files need to be in sync with code in
        lib/libc/net.

        To update from CVS, re-build, and re-install libc and statically
        linked binaries:

                # cd src
                # cvs update -d -P lib/libc/net usr.sbin/bind dist/bind
                # cd lib/libc
                # make cleandir dependall
                # make install
                # cd ../../lib/libresolv
                # make cleandir dependall
                # make install
                # cd ../..
                # make dependall
                # make install

* NetBSD 1.6 betas:

        Systems running NetBSD 1.6 BETAs and Release Candidates should be
        upgraded to the NetBSD 1.6 release.

        If a source-based point upgrade is required, sources from the
        NetBSD 1.6 branch dated 2002-06-26 or later should be used.

        The following directories need to be updated from the
        netbsd-1-6 CVS branch:
                lib/libc/net
                usr.sbin/bind
                dist/bind

        Also note that the include files need to be in sync with code in
        lib/libc/net.
        To update from CVS, re-build, and re-install libc and statically
        linked binaries:

                # cd src
                # cvs update -d -P -r netbsd-1-6 lib/libc/net \
                        usr.sbin/bind dist/bind
                # cd lib/libc
                # make cleandir dependall
                # make install
                # cd ../../lib/libresolv
                # make cleandir dependall
                # make install
                # cd ../..
                # make dependall
                # make install

* NetBSD 1.5.x:

        Systems running NetBSD 1.5.x dated from before 2002-06-25 should
        be upgraded to the NetBSD 1.5 tree dated 2002-06-26 or later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch:
                lib/libc/net
                usr.sbin/bind
                dist/bind

        Also note that the include files need to be in sync with code in
        lib/libc/net.

        To update from CVS, re-build, and re-install libc and statically
        linked binaries:

                # cd src
                # cvs update -d -P -r netbsd-1-5 lib/libc/net \
                        usr.sbin/bind dist/bind
                # cd lib/libc
                # make cleandir dependall
                # make install
                # cd ../../lib/libresolv
                # make cleandir dependall
                # make install
                # cd ../..
                # make dependall
                # make install

* NetBSD 1.4.x:

        Systems running NetBSD 1.4.x dated from before 2002-06-25 should
        be upgraded to the NetBSD 1.4 tree dated 2002-06-26 or later.

        The following directories need to be updated from the
        netbsd-1-4 CVS branch:
                lib/libc/net
                usr.sbin/bind
                dist/bind

        To update from CVS, re-build, and re-install libc and statically
        linked binaries:

                # cd src
                # cvs update -d -P -r netbsd-1-4 lib/libc/net \
                        usr.sbin/bind dist/bind
                # cd lib/libc
                # make cleandir dependall
                # make install
                # cd ../../lib/libresolv
                # make cleandir dependall
                # make install
                # cd ../..
                # make dependall
                # make install

* pkgsrc:

        bind-4.9.8 (pkgsrc/net/bind4) and prior are vulnerable. Upgrade
        to bind-4.9.8nb1 or bind-4.9.9. Note that the BIND4 nameserver is
        considered obsolete by the vendor (ISC), and it is recommended to
        use BIND9, or BIND8.

        pkgsrc prior to bind-8.3.3 are vulnerable. Upgrade to bind-8.3.3.

        bind-9.2.1 includes vulnerable code; however, the code will not
        be compiled by default.
        Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234])
        are vulnerable. There is no fix supplied at this moment.

        If you have statically linked binaries in pkgsrc, they have to be
        rebuilt. Statically linked binaries can be identified by the
        following command (note: be sure to include the directory you
        install pkgsrc binaries to, if you've changed LOCALBASE from the
        default of /usr/pkg):

                file /usr/pkg/{bin,sbin,libexec} | grep static

        Shared libraries for binary compatibility are available through
        pkgsrc for some operating systems, and may be vulnerable as noted
        above if installed.

Thanks To
=========

Jun-ichiro itojun Hagino for patches, and initial advisory text.
Michael Graff for bind9 information.
The NetBSD Release Engineering teams, for great patience and assistance
in dealing with repeated security issues discovered recently.

Revision History
================

        2002-06-26      Initial release
        2002-06-27      Updated with further information on pkgsrc, and
                        affected BIND releases.
        2002-06-28      Add note from Michael Graff regarding BIND9
        2002-06-28      BIND8 resolver (dist/bind) was found to be
                        vulnerable. Fixed date changed from Jun 26 to
                        Jun 28.
        2002-08-28      Remove note regarding BIND9, as it was found to
                        be insufficient.
        2002-09-05      Updated information regarding recent 1.5.3
                        release and emulation pkgsrc.
        2002-09-16      Re-release with updated information

More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.
$NetBSD: NetBSD-SA2002-006.txt,v 1.40 2002/09/16 05:17:55 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVpoD5Ru2/4N2IFAQGFOgP/UTJeXuOgFiB81myMTeTgeRc1H7u41W+q
nW/TJGltzApfFQJjZYDDj3TC7AfTLBFWwfrJynC4jsLFUMIcs5NMZOvWE2eiCTgz
S7QJi15B07nMfipYe3s9dJ3QQZB9YIZng1lNVa7V7Ee1fPrYt5oXHkrZfCZTOLKL
zd3yMAAQRpg=
=8/IS
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-007: Repeated TIOCSCTTY ioctl can corrupt session hold counts

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2002-007
                 =================================

Topic:          Repeated TIOCSCTTY ioctl can corrupt session hold counts

Version:        NetBSD-current:    source prior to July 21, 2002
                NetBSD-1.6 beta:   source prior to July 23, 2002
                NetBSD-1.5.*:      source prior to September 5, 2002
                NetBSD-1.5.3:      affected
                NetBSD-1.5.2:      affected
                NetBSD-1.5.1:      affected
                NetBSD-1.5:        affected
                NetBSD-1.4.*:      affected

Severity:       Local user can cause system panic

Fixed:          NetBSD-current:     July 21, 2002
                NetBSD-1.6 branch:  July 23, 2002 (1.6 includes the fix)
                NetBSD-1.5 branch:  September 5, 2002
                NetBSD-1.4 branch:  not yet

Abstract
========

A session leader can use the TIOCSCTTY ioctl to set the session's
controlling terminal. This ioctl can be called any number of times. The
call unconditionally raised the hold count of a kernel structure shared
between processes in the same session. It was possible to overflow the
structure counter, and thus arrange for the structure memory to be freed
prematurely, and possibly re-used. This could cause a kernel panic or
incorrect operation the next time the session structure is accessed from
the context of other processes which are part of the former session.

Technical Details
=================

A process can start a new session (and thus create a new session leader)
by forking a child and exiting. The new child can then call setsid(2) to
create a new session, and thus become a session leader. The child process
can then call the TIOCSCTTY ioctl.
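The hold-count overflow this advisory describes comes down to an unchecked increment on a shared reference counter. The C program below is an added example written for this bulletin, not NetBSD's sys/kern code: it models a session structure with a deliberately narrow 8-bit counter so the wrap is reached in a short loop (the kernel's counter is wider but wraps the same way), and contrasts the unconditional increment with two defensive variants, a hold that refuses to wrap and a hypothetical TIOCSCTTY handler that only takes a hold when the terminal is actually being associated. All structure names, the handler, and the scenario counts are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the session hold count described in the advisory.
 * The counter is 8 bits wide so that the wrap is reached in a few hundred
 * iterations; the kernel's counter is wider but wraps identically.
 * Illustrative code for this bulletin, not NetBSD's sys/kern.
 */
struct session {
    uint8_t     s_count;  /* number of references held on this session */
    const void *s_ttyp;   /* controlling terminal, NULL if none */
    int         freed;    /* set once the last hold is released */
};

/* Unchecked hold, as the advisory describes: increments unconditionally. */
static void sess_hold_unchecked(struct session *s)
{
    s->s_count++;                      /* wraps to 0 after UINT8_MAX */
}

/* Mitigation 1: refuse a hold that would wrap the counter. */
static int sess_hold_checked(struct session *s)
{
    if (s->s_count == UINT8_MAX)
        return -1;                     /* caller must fail the request */
    s->s_count++;
    return 0;
}

/* Mitigation 2 (hypothetical handler): take the hold only when the tty is
 * actually being associated; a repeat TIOCSCTTY for the same tty is a no-op. */
static int tiocsctty_idempotent(struct session *s, const void *tty)
{
    if (s->s_ttyp == tty)
        return 0;                      /* already the controlling tty */
    if (sess_hold_checked(s) != 0)
        return -1;
    s->s_ttyp = tty;
    return 0;
}

/* Release one hold; the structure is freed when the count reaches zero. */
static void sess_rele(struct session *s)
{
    if (--s->s_count == 0)
        s->freed = 1;
}

/*
 * Scenario: a session referenced by its leader and one other process
 * (count = 2). The leader issues `repeats` TIOCSCTTY calls, then exits.
 * Returns 1 if the session was freed while the other process still
 * references it (the bug), 0 otherwise.
 */
static int simulate(unsigned repeats, int variant)
{
    static const int tty_marker = 0;   /* its address stands in for a tty */
    struct session s = { 2, NULL, 0 };
    for (unsigned i = 0; i < repeats; i++) {
        switch (variant) {
        case 0:  sess_hold_unchecked(&s);                      break;
        case 1:  (void)sess_hold_checked(&s);                  break;
        default: (void)tiocsctty_idempotent(&s, &tty_marker);  break;
        }
    }
    sess_rele(&s);                     /* leader exits: drops its one hold */
    return s.freed;
}

static int simulate_unchecked(unsigned repeats)  { return simulate(repeats, 0); }
static int simulate_checked(unsigned repeats)    { return simulate(repeats, 1); }
static int simulate_idempotent(unsigned repeats) { return simulate(repeats, 2); }

int main(void)
{
    printf("unchecked,  255 repeats: freed=%d\n", simulate_unchecked(255));
    printf("checked,    255 repeats: freed=%d\n", simulate_checked(255));
    printf("idempotent, 255 repeats: freed=%d\n", simulate_idempotent(255));
    return 0;
}
```

With 255 repeated holds the unchecked counter goes from 2 to 257, which an 8-bit field stores as 1, so the leader's single release on exit frees the structure out from under the other process; the checked and idempotent variants leave the other process's reference intact.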
Structures shared between multiple processes (such as the session
structure) normally contain counters to keep track of how many times a
structure is referenced. Typically, macros are used to increase/decrease
the use counter, and the structure is freed when the counter goes to
zero.

By repeatedly invoking TIOCSCTTY, it's possible to overflow the integer
counter such that when a process exits (and thus the session structure
counter is decreased), the counter hits zero and the structure is freed
even though other processes still reference it.

Depending on kernel options, this might immediately cause the memory to
be overwritten with junk data, or the memory will be overwritten by
random other data when the memory is allocated to something else. In
either case, if any of the processes of the old session group access the
memory, they would very likely follow trashed pointers and cause a kernel
panic.

Solutions and Workarounds
=========================

NetBSD official releases up to and including 1.5.3 are vulnerable.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able to
do so. Many security-related improvements have been made, and indeed this
release has been delayed several times in order to include fixes for a
number of recent issues.

Otherwise, kernel sources must be updated and a new kernel built and
installed. Once the kernel sources have been updated, rebuild the kernel,
install it, and reboot. For more information on how to do this, see:

        http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel

The instructions for updating your kernel sources depend upon which
particular NetBSD release you are running.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2002-07-21
        should be upgraded to NetBSD-current dated 2002-07-22 or later.
        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/sys/kern/

        Alternatively, apply the following patch (with potential offset
        differences):

                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch

        To patch:
                # cd src/sys
                # patch < /path/to/SA2002-007-tiocsctty.patch

        Configure, compile, install and boot a new kernel according to
        the instructions at:
                http://www.netbsd.org/Documentation/kernel/#building_a_kernel

* NetBSD 1.6 beta:

        Systems running NetBSD 1.6 BETAs and Release Candidates should be
        upgraded to the NetBSD 1.6 release.

        If a source-based point upgrade is required, sources from the
        NetBSD-1.6 branch dated 2002-07-23 or later should be used.

        The following directories need to be updated from the
        netbsd-1-6 CVS branch:
                src/sys/kern/

        Alternatively, apply the following patch (with potential offset
        differences):

                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch

        To patch:
                # cd src/sys
                # patch < /path/to/SA2002-007-tiocsctty.patch

        Configure, compile, install and boot a new kernel according to
        the instructions at:
                http://www.netbsd.org/Documentation/kernel/#building_a_kernel

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

        Systems running NetBSD 1.5.x dated from before 2002-09-05 should
        be upgraded to the NetBSD-1.5 branch dated 2002-09-05 or later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch:
                src/sys/kern/

        Alternatively, apply the following patch (with potential offset
        differences):

                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-007-tiocsctty.patch

        To patch:
                # cd src/sys
                # patch < /path/to/SA2002-007-tiocsctty.patch

        Configure, compile, install and boot a new kernel according to
        the instructions at:
                http://www.netbsd.org/Documentation/kernel/#building_a_kernel

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

        The advisory will be updated to include instructions to remedy
        this problem for systems running the NetBSD-1.4 branch.
Thanks To
=========

David Laight, for finding the problem and original patches.
Jaromir Dolecek, for fix and initial advisory text.
The NetBSD Release Engineering teams, for great patience and assistance
in dealing with repeated security issues discovered recently.

Revision History
================

        2002-09-16      Initial release

More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-007.txt,v 1.13 2002/09/16 05:17:55 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVp6T5Ru2/4N2IFAQFJlQQAyVqJqrdjewQrmRFSQb3HmwESQYe7mhtw
Wc36bXxVYS35u3ctz3HL9soMfKoBxQfJhEWozAM6hTi6I0ISnX2mPVqTTBOmHENT
5AfhIJQmynx5yorVguEHp9E/zPvKo90lLKuz4KwAY6Fonzx/qT9YTk1DzJkYUrki
umJi1sasvAU=
=XDgt
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-009: Multiple vulnerabilities in OpenSSL code

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2002-009
                 =================================
                 (updated 2002/9/16)

Topic:          Multiple vulnerabilities in OpenSSL code

Version:        NetBSD-current:    source prior to August 10, 2002
                NetBSD-1.6 beta:   affected
                NetBSD-1.5.3:      affected
                NetBSD-1.5.2:      affected
                NetBSD-1.5.1:      affected
                NetBSD-1.5:        affected
                NetBSD-1.4.*:      not applicable
                pkgsrc:            prior to openssl-0.9.6f

Severity:       Potential for remote root exploit

Fixed:          NetBSD-current:     August 10, 2002
                NetBSD-1.6 branch:  August 11, 2002 (1.6 includes the fix)
                NetBSD-1.5 branch:  August 31, 2002
                pkgsrc:             openssl-0.9.6f (or later)

NOTE: the previous advisory had fixed dates prior to August 10. There
were errors found in the vendor-supplied fix, therefore the fixed dates
were modified. Sorry for the confusion and thanks for the patience.
NOTE: the previous revision of the advisory suggested that the 1.5 branch
was fixed on August 1; however, the fix was found to be insufficient.
Therefore, users of 1.5 should apply the fix presented in this revised
advisory. Sorry for the confusion and thanks for the patience.

Abstract
========

There are multiple vulnerabilities found in openssl 0.9.6e and prior
releases. There are four remotely-exploitable buffer overruns in SSL2/3
code. The ASN1 parser can be confused by invalid encodings (SSL/TLS code
affected).

None of these services are enabled by default in NetBSD; however, by
enabling services built with these libraries, a system would become
vulnerable.

From the OpenSSL advisory:

  "Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier
  or current development snapshots of 0.9.7 to provide SSL or TLS is
  vulnerable, whether client or server. 0.9.6d servers on 32-bit systems
  with SSL 2.0 disabled are not vulnerable."

After the above advisory was published,
  - 0.9.6e was found to be vulnerable, and 0.9.6f was released.
  - 0.9.6f had some build framework errors, and 0.9.6g was released.

The NetBSD fix includes OpenSSL 0.9.6g.

Technical Details
=================

        http://www.openssl.org/news/secadv_20020730.txt
        http://CERT.Uni-Stuttgart.DE/advisories/c-integer-overflow.php

Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able to
do so. Many security-related improvements have been made, and indeed this
release has been delayed several times in order to include fixes for a
number of recent issues.

The following instructions describe how to upgrade your libcrypto/libssl
binaries by updating your source tree and rebuilding and installing a new
version of libcrypto/libssl. Be sure to restart running instances of
programs that use the crypto libraries (like sshd) after upgrading shared
libraries.
If you have any statically-linked binaries that linked against a
vulnerable libcrypto and/or libssl, you need to recompile them.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2002-08-10
        should be upgraded to NetBSD-current dated 2002-08-10 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                crypto/Makefile.openssl
                crypto/dist/openssl
                lib/libcrypto
                lib/libssl

        To update from CVS, re-build, and re-install libcrypto and libssl:

                # cd src
                # cvs update -d -P crypto/Makefile.openssl crypto/dist/openssl \
                        lib/libcrypto lib/libssl
                # make includes
                # cd lib/libcrypto
                # make cleandir dependall
                # make install
                # cd ../../lib/libssl
                # make cleandir dependall
                # make install

* NetBSD 1.6 beta:

        Systems running NetBSD 1.6 BETAs and Release Candidates should be
        upgraded to the NetBSD 1.6 release.

        If a source-based point upgrade is required, sources from the
        NetBSD 1.6 branch dated 2002-08-11 or later should be used.

        The following directories need to be updated from the
        netbsd-1-6 CVS branch:
                crypto/Makefile.openssl
                crypto/dist/openssl
                lib/libcrypto
                lib/libssl

        To update from CVS, re-build, and re-install libcrypto and libssl:

                # cd src
                # cvs update -d -P -r netbsd-1-6 crypto/Makefile.openssl \
                        crypto/dist/openssl lib/libcrypto lib/libssl
                # make includes
                # cd lib/libcrypto
                # make cleandir dependall
                # make install
                # cd ../../lib/libssl
                # make cleandir dependall
                # make install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

        Systems running NetBSD-1.5.x dated from before 2002-08-31 should
        be upgraded to the NetBSD-1.5 branch dated 2002-08-31 or later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch.
        Due to the shlib major bump in libcrypto/libssl, a large number
        of shared libraries have to be rebuilt:
                crypto/Makefile.openssl
                crypto/dist/openssl
                lib/libasn1
                lib/libcom_err
                lib/libcrypto
                lib/libgssapi
                lib/libhdb
                lib/libkadm
                lib/libkadm5clnt
                lib/libkadm5srv
                lib/libkafs
                lib/libkdb
                lib/libkrb
                lib/libkrb5
                lib/libkstream
                lib/libroken
                lib/libsl
                lib/libss
                lib/libtelnet
                usr.bin/openssl

        To update from CVS, re-build, and re-install libcrypto and libssl:

                # cd src
                # cvs update -d -P -r netbsd-1-5 <directories listed above>
                # make includes
                # cd lib
                # make cleandir dependall
                # make install
                # cd usr.bin/openssl
                # make cleandir dependall
                # make install

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

        OpenSSL was not included in the base system in NetBSD-1.4.*.
        Follow the directions for pkgsrc if you have installed it from
        pkgsrc.

* pkgsrc:

        openssl (pkgsrc/security/openssl) prior to 0.9.6f are vulnerable.
        Upgrade to openssl-0.9.6f or later; pkgsrc currently contains
        0.9.6g at time of this writing.

        Packages which require openssl can be found by running
        'pkg_info openssl'. Depending on the method you choose to update
        pkgsrc packages, a rebuild of the packages on that list may be
        performed for you by the package system. If you update using the
        experimental 'make replace' target, you will need to manually
        update any packages which build static binaries with libssl.a
        and libcrypto.a.

        If you have statically linked binaries in pkgsrc, they have to be
        rebuilt. Statically linked binaries can be identified by the
        following command (note: be sure to include the directory you
        install pkgsrc binaries to, if you've changed LOCALBASE from the
        default of /usr/pkg):

                file /usr/pkg/{bin,sbin,libexec} | grep static

Thanks To
=========

A.L. Digital Ltd and John McDonald of Neohapsis.
Adi Stav and James Yonan.
CERT and the OpenSSL team.
Jun-ichiro itojun Hagino for maintenance of OpenSSL in the NetBSD source
tree, and preparing the initial advisory text.
The NetBSD Release Engineering teams, for great patience and assistance
in dealing with repeated security issues discovered recently.

Revision History
================

        2002-08-01      Initial release based on 0.9.6e
        2002-08-11      based on 0.9.6f
        2002-08-31      1.5 pullup done, 0.9.6g
        2002-09-16      Re-release with updated information

More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-009.txt,v 1.35 2002/09/16 05:17:55 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqAD5Ru2/4N2IFAQHqtwQAluG+9I3pVeALK+p+X3ZNG99M2zx6y/Ea
IX7kS8M22PoZD6kJniBRWqcDfaYqj5FKHT1TlCAiehNUpQfdADQD/0i/nqX01puI
aCCLXIetnRwSmQdW3IcbWqs5NQvHuWOB+ng1t5DBF1rF9GPTRMmrv5Sjr27hl07X
+ta7U3VZCms=
=SEqH
- -----END PGP SIGNATURE-----


NetBSD Security Advisory 2002-010: symlink race in pppd

- -----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2002-010
                 =================================

Topic:          symlink race in pppd

Version:        NetBSD-current:    source prior to July 31, 2002
                NetBSD-1.6 beta:   affected
                NetBSD-1.5.3:      affected
                NetBSD-1.5.2:      affected
                NetBSD-1.5.1:      affected
                NetBSD-1.5:        affected
                NetBSD-1.4.*:      affected

Severity:       Local user may be able to modify permissions on any file

Fixed:          NetBSD-current:     July 31, 2002
                NetBSD-1.6 branch:  August 3, 2002 (NetBSD 1.6 includes the fix)
                NetBSD-1.5 branch:  September 5, 2002
                NetBSD-1.4 branch:  not yet

Abstract
========

A race condition exists in the pppd program that may be exploited in
order to change the permissions of an arbitrary file. A malicious local
user may exploit the race condition to acquire write permissions to a
critical system file, and leverage the situation to acquire escalated
privileges.
Technical Details
=================

The file specified as the tty device is opened by pppd, and the
permissions are recorded. If pppd fails to initialize the tty device in
some way (such as a failure of tcgetattr(3)), then pppd will attempt to
restore the original permissions by calling chmod(2). The call to
chmod(2) is subject to a symlink race, so that the permissions may be
`restored' on some other file.

Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able to
do so. Many security-related improvements have been made, and indeed this
release has been delayed several times in order to include fixes for a
number of recent issues.

Otherwise, the following instructions describe how to upgrade your pppd
binaries by updating your source tree and rebuilding and installing a new
version of pppd.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2002-07-30
        should be upgraded to NetBSD-current dated 2002-07-31 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                usr.sbin/pppd

        To update from CVS, re-build, and re-install pppd:

                # cd src
                # cvs update -d -P usr.sbin/pppd
                # cd usr.sbin/pppd
                # make cleandir dependall
                # make install

* NetBSD 1.6 beta:

        Systems running NetBSD 1.6 BETAs and Release Candidates should be
        upgraded to the NetBSD 1.6 release.

        If a source-based point upgrade is required, sources from the
        NetBSD 1.6 branch dated 2002-08-04 or later should be used.

        The following directories need to be updated from the
        netbsd-1-6 CVS branch:
                usr.sbin/pppd

        To update from CVS, re-build, and re-install pppd:

                # cd src
                # cvs update -d -P -r netbsd-1-6 usr.sbin/pppd
                # cd usr.sbin/pppd
                # make cleandir dependall
                # make install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

        Systems running NetBSD 1.5 dated from before 2002-09-05 should be
        upgraded to the NetBSD 1.5 branch dated 2002-09-05 or later.
    The following directories need to be updated from the netbsd-1-5 CVS
    branch:
        usr.sbin/pppd

    To update from CVS, re-build, and re-install pppd:
        # cd src
        # cvs update -d -P -r netbsd-1-5 usr.sbin/pppd
        # cd usr.sbin/pppd
        # make cleandir dependall
        # make install

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

    The advisory will be updated to include instructions to remedy this
    problem for systems running the NetBSD-1.4 branch.

Thanks To
=========

Jun-ichiro itojun Hagino for patches, and preparing the advisory text.

The NetBSD Release Engineering teams, for great patience and assistance in
dealing with repeated security issues discovered recently.

Revision History
================

2002-08-01  Initial release
2002-09-05  1.5 fixed
2002-09-16  Re-release with updated information

More Information
================

An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-010.txt,v 1.15 2002/09/16 05:17:55 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqFT5Ru2/4N2IFAQGWDwQAodZpv2grHbPZPoIdUmlhRVp46pRnZTH7
jXUvVNLAbqQYTb08ICChzTF2IIjkvOySNLXvBeynNEMTmYeFh+HZwdrofr/+Wgcc
DBgX3BnCHgeRkJbKTDXjPmMKB+EP86H9o4yYz0pSKNVNRg7GgeJtM1zOLwlmX1NE
nj8huZwPs7c=
=7Lza
- -----END PGP SIGNATURE-----

NetBSD Security Advisory 2002-011: Sun RPC XDR decoder contains buffer overflow

- -----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2002-011
=================================

Topic:     Sun RPC XDR decoder contains buffer overflow

Version:   NetBSD-current:    source prior to August 1, 2002
           NetBSD-1.6 beta:   affected
           NetBSD-1.5.3:      affected
           NetBSD-1.5.2:      affected
           NetBSD-1.5.1:      affected
           NetBSD-1.5:        affected
           NetBSD-1.4.*:      affected

Severity:  Possible remote root compromise if RPC services are enabled

Fixed:     NetBSD-current:    August 1, 2002
           NetBSD-1.6 branch: August 2, 2002 (1.6 includes the fix)
           NetBSD-1.5 branch: August 1, 2002
           NetBSD-1.4 branch: not yet

Abstract
========

Integer overflows exist in the RPC code in libc. These cause a buffer to be
mistakenly allocated too small, and then overflowed. The automounter amd(8)
and its query tool amq(8), and the rusers(1) client binary, use the flawed
code in a way which could be exploitable. Other uses of the RPC functions
have been examined and are believed not to be exploitable.

No RPC-based services are enabled by default.

Technical Details
=================

Sun RPC is a remote procedure call framework which allows clients to invoke
procedures in a server process over a network somewhat transparently. XDR is
a mechanism for encoding data structures for use with RPC. NFS, NIS, and many
other network services are built upon Sun RPC.

The NetBSD C runtime library (libc) contains an XDR encoder/decoder derived
from Sun's RPC implementation. Any application using Sun RPC may be
vulnerable to a heap buffer overflow.
Depending upon the application, this vulnerability may be exploitable and
lead to arbitrary code execution.

An error in the calculation of memory needed for unpacking arrays in the XDR
decoder can result in a heap buffer overflow. Though no exploits are known
to exist currently, RPC-based services often run as the superuser, and the
vulnerability in amd(8) could be exploitable. Again, no RPC-based services
are enabled by default.

Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade
to NetBSD 1.6 is the recommended resolution for all users able to do so. Many
security-related improvements have been made, and indeed this release has
been delayed several times in order to include fixes for a number of recent
issues.

If you do not run any of the affected RPC services (amd/amq/rusers) your
system is not affected. However, we suggest you upgrade your system to avoid
running vulnerable RPC code by mistake.

The following instructions describe how to upgrade your libc (which includes
the RPC code) by updating your source tree and rebuilding and installing a
new version of libc. Note that if you have any statically-linked binaries
that use RPC, you need to recompile them.

* NetBSD-current:

    Systems running NetBSD-current dated from before 2002-08-01 should be
    upgraded to NetBSD-current dated 2002-08-01 or later.

    The following directories need to be updated from the netbsd-current
    CVS branch (aka HEAD):
        lib/libc/rpc

    To update from CVS, re-build, and re-install libc:
        # cd src
        # cvs update -d -P lib/libc/rpc
        # cd lib/libc
        # make cleandir dependall
        # make install

* NetBSD 1.6 beta:

    Systems running NetBSD 1.6 BETAs and Release Candidates should be
    upgraded to the NetBSD 1.6 release. If a source-based point upgrade is
    required, sources from the NetBSD 1.6 branch dated 2002-08-02 or later
    should be used.
    The following directories need to be updated from the netbsd-1-6 CVS
    branch:
        lib/libc/rpc

    To update from CVS, re-build, and re-install libc:
        # cd src
        # cvs update -d -P -r netbsd-1-6 lib/libc/rpc
        # cd lib/libc
        # make cleandir dependall
        # make install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

    Systems running NetBSD-1.5 branch dated from before 2002-08-02 should be
    upgraded to NetBSD-1.5 branch dated 2002-08-02 or later.

    The following directories need to be updated from the netbsd-1-5 CVS
    branch:
        lib/libc/rpc

    To update from CVS, re-build, and re-install libc:
        # cd src
        # cvs update -d -P -r netbsd-1-5 lib/libc/rpc
        # cd lib/libc
        # make cleandir dependall
        # make install

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

    The advisory will be updated to include instructions to remedy this
    problem for systems running the NetBSD-1.4 branch.

Thanks To
=========

CERT for notification.

Charles Hannum for scope analysis and commentary.

FreeBSD security-officers. Parts of the advisory text are based on the
FreeBSD advisory.

The NetBSD Release Engineering teams, for great patience and assistance in
dealing with repeated security issues discovered recently.

Revision History
================

2002-08-01  Initial release
2002-08-02  1.5/1.6 branch info
2002-09-16  Re-release with updated information

More Information
================

An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
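The size computation at the heart of the XDR array issue, in both its wrapping and its checked form, as an added C illustration rather than NetBSD's or Sun's RPC code; the header-check helper, its fixed-size element assumption and the sample headers are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* An XDR variable-length array is encoded as a 32-bit big-endian element
 * count followed by the elements, each padded to a 4-byte boundary.  Before
 * unpacking, the decoder turns (count, element size) into a buffer size. */

/* The flawed shape described in the advisory: the product is formed in
 * 32-bit unsigned arithmetic, so a large count wraps it to a small value,
 * a small buffer is allocated, and unpacking `count` elements into it
 * overruns the heap. */
uint32_t xdr_array_bytes_unchecked(uint32_t count, uint32_t elsize)
{
    return count * elsize;                 /* wraps modulo 2^32 */
}

/* Corrected shape: refuse before allocating when count * elsize is not
 * representable.  Returns false on overflow, true with the size in *bytes. */
bool xdr_array_bytes_checked(uint32_t count, uint32_t elsize, uint32_t *bytes)
{
    if (elsize != 0 && count > UINT32_MAX / elsize)
        return false;
    *bytes = count * elsize;
    return true;
}

/* Validate an array header against the caller's maximum element count, the
 * overflow check above, and the bytes actually present in the stream.
 * Assumes fixed-size elements occupying elsize bytes rounded up to a
 * multiple of 4 on the wire (an assumption of this example, not of XDR in
 * general).  Returns the element count, or -1 if the header is absent, the
 * count exceeds maxcount, the size overflows, or the stream is too short. */
int64_t xdr_array_header_check(const uint8_t *buf, size_t len,
                               uint32_t maxcount, uint32_t elsize)
{
    uint32_t count, wire_elsize, bytes;

    if (len < 4)
        return -1;
    count = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
            ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (count > maxcount)
        return -1;
    wire_elsize = (elsize + 3u) & ~3u;
    if (wire_elsize < elsize)              /* the rounding itself wrapped */
        return -1;
    if (!xdr_array_bytes_checked(count, wire_elsize, &bytes))
        return -1;
    if (bytes > len - 4)                   /* claims more data than present */
        return -1;
    return (int64_t)count;
}

int main(void)
{
    /* Constructed headers: one claiming 0x40000001 elements, one sane. */
    const uint8_t hostile[] = { 0x40, 0x00, 0x00, 0x01 };
    const uint8_t sane[]    = { 0x00, 0x00, 0x00, 0x02,
                                0x00, 0x00, 0x00, 0x07,
                                0x00, 0x00, 0x00, 0x09 };
    uint32_t n;

    printf("unchecked 0x40000001 * 4 = %u bytes\n",
           (unsigned)xdr_array_bytes_unchecked(0x40000001u, 4));   /* 4 */
    printf("checked   0x40000001 * 4 = %s\n",
           xdr_array_bytes_checked(0x40000001u, 4, &n) ? "ok" : "overflow");
    printf("hostile header -> %lld\n", (long long)
           xdr_array_header_check(hostile, sizeof hostile, UINT32_MAX, 4));
    printf("sane header    -> %lld\n", (long long)
           xdr_array_header_check(sane, sizeof sane, UINT32_MAX, 4));
    return 0;
}
```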
$NetBSD: NetBSD-SA2002-011.txt,v 1.13 2002/09/16 05:17:55 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqKj5Ru2/4N2IFAQGEYAP+K1lgLUVy/CrmvtRikjSv5UKYY4pAWAca
fKwDpVlp/5q3kSc/b5NY7bgi7gUPVvbaW1v/PgfRIA47PBtAt7juvsnEDIO6IJ8M
9rDwfrikYdShm0R5ejxyIfu1CwjD9gWOvJ2xYGQ7XW67tLPG3udwa1B1UhWeQTnK
9OhEncw7mcw=
=YcPw
- -----END PGP SIGNATURE-----

NetBSD Security Advisory 2002-012: buffer overrun in setlocale

- -----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2002-012
=================================

Topic:     buffer overrun in setlocale

Severity:  local root exploit if X11 (xterm) is installed.

Version:   NetBSD-current:    source prior to August 8, 2002
           NetBSD-1.6 beta:   source prior to August 8, 2002
           NetBSD-1.5.3:      affected
           NetBSD-1.5.2:      affected
           NetBSD-1.5.1:      affected
           NetBSD-1.5:        affected
           NetBSD-1.4.*:      affected
           All prior NetBSD releases.

Fixed:     NetBSD-current:    August 8, 2002
           NetBSD-1.6 branch: August 8, 2002 (1.6 includes the fix)
           NetBSD-1.5 branch: September 5, 2002
           NetBSD-1.4 branch: not yet

Abstract
========

There was an array boundary-checking bug in the setlocale() function in
libc. If setlocale() is used with arguments satisfying a specific condition
(see below), this could be exploitable. The condition is as follows:

1. setlocale() is called for the LC_ALL category, and

2. the string pointed to by the second argument of setlocale() contains more
   than six elements separated by slashes. An example of a string that
   triggers this problem in setlocale() is "C/C/C/C/C/C/C". (Note that the
   frequently used special form, setlocale(LC_ALL, ""), does not cause this
   problem, since the affected code is never executed in this case.)

3. For this bug to be exploitable, the second argument of setlocale() needs
   to be derived from user-supplied data (e.g. environment variables or
   command line arguments), and the program needs to be setuid or be used
   by some setuid program or daemon.
Most programs using Xt, including xterm (a setuid program), may satisfy this
condition. All other programs in the NetBSD distribution, except for
packages, do not satisfy it. In packages, zsh is one of the most important
programs that may satisfy this condition.

Technical Details
=================

The setlocale() function (or its helper, __setlocale()), defined in
lib/libc/locale/setlocale.c, is used to change the locale of each locale
category. setlocale() switches the locale of the category specified by the
first argument to the locale named by the second argument. The special
category LC_ALL can be used to change all locale categories at the same
time. In this case, the NetBSD implementation of setlocale() allows a special
form of the second argument string to specify individual locales per
category. In this form, each locale is given in a single string separated by
slashes ('/'), as "A/B/C/D/E/F". Here, each element corresponds to the
categories LC_COLLATE, LC_CTYPE, LC_MONETARY, LC_NUMERIC, LC_TIME and
LC_MESSAGES, respectively.

The setlocale() function attempts to decompose these elements into an array
object named new_categories, defined locally in lib/libc/locale/setlocale.c.
However, the code to check the array boundary was missing, and thus this
decomposition code could corrupt the data segment if a string with more than
six elements was given.

If a program which has the set[ug]id bit, or which is called from a set[ug]id
program, calls setlocale() with LC_ALL as the first argument and with a
string derived from user-supplied data (e.g. setlocale(LC_ALL,
getenv("FOO"))) as the second argument, then that program could be
exploitable.

The DefaultLanguageProc function of the X Toolkit Intrinsics (Xt) is an
example of such usage. DefaultLanguageProc calls setlocale as
"setlocale(LC_ALL, xnl)". Here, the xnl variable is the null string ("") by
default, but can be overridden by the user via the -xnllanguage option. Most
Xt programs, including xterm, use this language procedure.
xterm is a setuid root program, and thus any local user could illegally
acquire the root account by using this problem.

On the other hand, the frequently used special form, setlocale(LC_ALL, ""),
does not have this problem because the decomposition code is never executed
in this form, although the user-supplied LC_ALL environment variable is
consulted in the same way.

Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade
to NetBSD 1.6 is the recommended resolution for all users able to do so. Many
security-related improvements have been made, and indeed this release has
been delayed several times in order to include fixes for a number of recent
issues.

Otherwise, you must update libc. Also, you must update all statically linked
binaries satisfying the condition above - although the NetBSD distribution
contains no such static binaries, you may have some from pkgsrc packages or
local programs.

The following instructions describe how to update libc.

* NetBSD-current:

    Systems running NetBSD-current dated from before 2002-08-08 should be
    upgraded to NetBSD-current dated 2002-08-08 or later.

    The following directories need to be updated from the netbsd-current
    CVS branch (aka HEAD):
        lib/libc/locale

    To update from CVS, re-build, and re-install libc:
        # cd src
        # cvs update -d -P lib/libc/locale
        # cd lib/libc
        # make cleandir dependall
        # make install

* NetBSD 1.6 betas:

    Systems running NetBSD 1.6 BETAs and Release Candidates should be
    upgraded to the NetBSD 1.6 release. If a source-based point upgrade is
    required, sources from the NetBSD 1.6 branch dated 2002-08-08 or later
    should be used.
    The following directories need to be updated from the netbsd-1-6 CVS
    branch:
        lib/libc/locale

    To update from CVS, re-build, and re-install libc:
        # cd src
        # cvs update -d -P -r netbsd-1-6 lib/libc/locale
        # cd lib/libc
        # make cleandir dependall
        # make install

* NetBSD 1.5.x:

    Systems running NetBSD 1.5 betas dated from before 2002-09-05 should be
    upgraded to NetBSD 1.5 tree dated 2002-09-05 or later.

    The following directories need to be updated from the netbsd-1-5 CVS
    branch:
        lib/libc/locale

    To update from CVS, re-build, and re-install libc:
        # cd src
        # cvs update -d -P -r netbsd-1-5 lib/libc/locale
        # cd lib/libc
        # make cleandir dependall
        # make install

* NetBSD 1.4.x: not yet

Thanks To
=========

Andrey A. Chernov for initial fix in FreeBSD source.

Takuya SHIOZAKI for preparing the initial advisory text.

The NetBSD Release Engineering teams, for great patience and assistance in
dealing with repeated security issues discovered recently.

Revision History
================

2002-09-16  Initial release

More Information
================

An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
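The LC_ALL composite-string decomposition described in the Technical Details above, with the boundary check the advisory says was missing, as an added C illustration (not the libc code in lib/libc/locale/setlocale.c); NCATEGORIES follows the six categories listed, while LOCALE_NAME_MAX and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* The LC_ALL composite form the advisory describes: six locale names
 * separated by '/', one per category, in the order LC_COLLATE, LC_CTYPE,
 * LC_MONETARY, LC_NUMERIC, LC_TIME, LC_MESSAGES. */
#define NCATEGORIES     6
#define LOCALE_NAME_MAX 32      /* constructed per-slot limit for this example */

/* Split `spec` into new_categories[].  Returns the number of elements
 * stored, or -1 if the string carries more than NCATEGORIES elements or an
 * element does not fit its slot.  The check on `i` before each store is the
 * boundary check the advisory says was missing: without it, a seventh
 * element such as the last "C" in "C/C/C/C/C/C/C" is written past the end
 * of the array into whatever follows it in the data segment. */
int split_lc_all(const char *spec,
                 char new_categories[NCATEGORIES][LOCALE_NAME_MAX])
{
    int i = 0;
    const char *p = spec;

    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (i >= NCATEGORIES)           /* the missing bounds check */
            return -1;
        if (len >= LOCALE_NAME_MAX)     /* keep each name inside its slot */
            return -1;
        memcpy(new_categories[i], p, len);
        new_categories[i][len] = '\0';
        i++;

        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return i;
}

/* What a hardened caller does before handing user-controlled data (an
 * environment variable, or a command-line option such as Xt's
 * -xnllanguage) to setlocale(LC_ALL, ...): validate the composite form
 * first.  Returns 1 if the string decomposes within bounds, else 0. */
int lc_all_spec_is_safe(const char *spec)
{
    char cats[NCATEGORIES][LOCALE_NAME_MAX];
    return split_lc_all(spec, cats) >= 0;
}

int main(void)
{
    /* Constructed sample specs, including the advisory's trigger string. */
    const char *samples[] = { "", "C", "en_US.UTF-8/C", "C/C/C/C/C/C",
                              "C/C/C/C/C/C/C" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-16s -> %s\n", samples[k],
               lc_all_spec_is_safe(samples[k]) ? "accepted" : "rejected");
    return 0;
}
```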
$NetBSD: NetBSD-SA2002-012.txt,v 1.11 2002/09/16 05:17:55 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqPT5Ru2/4N2IFAQF2ngP9Gy/ZVH4yizEHSiv8f1OLHxn2auf3J/bx
Tit7KQVGiCQS/1sZ2UxV8ZVKQOzJwrJNHuJ23YS2iDs//RxghmpjVGQPmS91t7vb
X3z7SEy3mgEe0VClcDMSamxiomPi8rcH37CdlflHkTneX/UYsPgLClGT55PXtOu9
ZfqrAQGUgeU=
=5MrG
- -----END PGP SIGNATURE-----

NetBSD Security Advisory 2002-013: Bug in NFS server code allows remote denial of service

- -----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2002-013
=================================

Topic:     Bug in NFS server code allows remote denial of service

Version:   NetBSD-current:    source prior to Aug 3, 2002
           NetBSD 1.6 beta:   source prior to Aug 3, 2002
           NetBSD-1.5.3:      affected
           NetBSD-1.5.2:      affected
           NetBSD-1.5.1:      affected
           NetBSD-1.5:        affected
           NetBSD-1.4.*:      affected

Severity:  remote denial of service

Fixed:     NetBSD-current:    Aug 3, 2002
           NetBSD-1.6 branch: Aug 3, 2002 (1.6 includes the fix)
           NetBSD-1.5 branch: September 5, 2002
           NetBSD-1.4 branch: not yet

Abstract
========

The Network File System (NFS) allows a host to export some or all of its
filesystems, or parts of them, so that other hosts can access them over the
network and mount them as if they were on local disks. NFS is built on top
of the Sun Remote Procedure Call (RPC) framework.

An attacker in a position to send RPC messages to an affected NetBSD system
can construct a sequence of malicious RPC messages that cause the target
system to lock up.

Technical Details
=================

A part of the NFS server code charged with handling incoming RPC messages
had an error which, when the server received a message with a zero-length
payload, would cause it to reference the payload from the previous message,
creating a loop in the message chain. This would later cause an infinite
loop in a different part of the NFS server code which tried to traverse the
chain.

Certain Linux implementations of NFS produce zero-length RPC messages in
some cases.
A NetBSD system running an NFS server may lock up when such clients connect.

Solutions and Workarounds
=========================

If possible, disable the NFS server on your machine. It is still preferable
to apply the following fixes to prevent using vulnerable NFS code in the
future.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade
to NetBSD 1.6 is the recommended resolution for all users able to do so. Many
security-related improvements have been made, and indeed this release has
been delayed several times in order to include fixes for a number of recent
issues.

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of the kernel.

* NetBSD-current:

    Systems running NetBSD-current dated from before 2002-08-03 should be
    upgraded to NetBSD-current dated 2002-08-03 or later.

    The following directories need to be updated from the netbsd-current
    CVS branch (aka HEAD):
        sys/nfs

    To update from CVS:
        # cd src
        # cvs update -d -P sys/nfs

    Configure, compile, install and boot a new kernel according to the
    instructions at:
        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

* NetBSD 1.6 beta:

    Systems running NetBSD 1.6 BETAs and Release Candidates should be
    upgraded to the NetBSD 1.6 release. If a source-based point upgrade is
    required, sources from the NetBSD 1.6 branch dated 2002-08-03 or later
    should be used.

    The following directories need to be updated from the netbsd-1-6 CVS
    branch:
        sys/nfs

    To update from CVS:
        # cd src
        # cvs update -d -P -r netbsd-1-6 sys/nfs

    Configure, compile, install and boot a new kernel according to the
    instructions at:
        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

    Systems running NetBSD 1.5 sources dated from before 2002-09-05 should
    be upgraded from NetBSD 1.5 sources dated 2002-09-05 or later.
    The following directories need to be updated from the netbsd-1-5 CVS
    branch:
        sys/nfs

    To update from CVS:
        # cd src
        # cvs update -d -P -r netbsd-1-5 sys/nfs

    Configure, compile, install and boot a new kernel according to the
    instructions at:
        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

    The advisory will be updated with instructions to fix the problem for
    1.5-based systems.

Thanks To
=========

FreeBSD security officers. The advisory text is based on their advisory.

The NetBSD Release Engineering teams, for great patience and assistance in
dealing with repeated security issues discovered recently.

Revision History
================

2002-09-16  Initial release

More Information
================

An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-013.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-013.txt,v 1.7 2002/09/16 05:17:55 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqUD5Ru2/4N2IFAQF7VwP9HAw6DGiJI3TmxGeVR/7fNquzCXI6QtSJ
evofRBhcsSSNGuTYn9R8KVHdn+f7n8fdc2b3huQ6UCLr3epAgRg6eeCDX8O60fpG
DvKUABOJXx1LoUEkGsNGdTizxg3uoD/2GLCvDLhZZiZ4k9srZRRzFT3neyWWdFln
EFbs33wT+40=
=78tO
- -----END PGP SIGNATURE-----

NetBSD Security Advisory 2002-014: fd_set overrun in mbone tools and pppd

- -----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2002-014
=================================

Topic:     fd_set overrun in mbone tools and pppd

Version:   NetBSD-current:    source prior to August 10, 2002
           NetBSD 1.6 beta:   sources prior to August 11, 2002
           NetBSD-1.5.3:      affected
           NetBSD-1.5.2:      affected
           NetBSD-1.5.1:      affected
           NetBSD-1.5:        affected
           NetBSD-1.4.*:      affected

Severity:  possible local root compromise

Fixed:     NetBSD-current:    August 10, 2002
           NetBSD-1.6 branch: August 11, 2002 (1.6 includes the fix)
           NetBSD-1.5 branch: September 5, 2002
           NetBSD-1.4 branch: not yet

Abstract
========

The IPv4 multicast-related tools mrinfo(1) and mtrace(1), and the PPP daemon
pppd(8), are setuid root binaries. A malicious local user can cause a buffer
overrun in these programs by filling file descriptor tables before exec'ing
them, which could lead to local root compromise.

No exploit code is known to exist at this moment.

Technical Details
=================

These tools use select(2). select(2) uses an fd_set bitmap, which supports up
to FD_SETSIZE (256) file descriptors. These tools did not have a boundary
check when doing FD_SET() operations. Therefore, if the file descriptor used
for select(2) equals or exceeds FD_SETSIZE, a buffer overrun occurs.
More details are in the NetBSD-current select(2) manpage "BUGS" section:

     Although the provision of getdtablesize(3) was intended to allow user
     programs to be written independent of the kernel limit on the number of
     open files, the dimension of a sufficiently large bit field for select
     remains a problem.  The default bit size of fd_set is based on the symbol
     FD_SETSIZE (currently 256), but that is somewhat smaller than the current
     kernel limit to the number of open files.  However, in order to
     accommodate programs which might potentially use a larger number of open
     files with select, it is possible to increase this size within a program
     by providing a larger definition of FD_SETSIZE before the inclusion of
     <sys/types.h>.  The kernel will cope, and the userland libraries provided
     with the system are also ready for large numbers of file descriptors.

Solutions and Workarounds
=========================

If you do not run, and do not plan to use, multicast-related tools or pppd,
the problem can be worked around by removing the setuid bit from those
binaries. Users can therefore no longer escalate their privileges by
exploiting the bug:

    # chmod u-s /usr/sbin/mrinfo /usr/sbin/mtrace /usr/sbin/pppd

Nevertheless, we suggest upgrading these binaries to make sure you don't
have vulnerable code in your system.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade
to NetBSD 1.6 is the recommended resolution for all users able to do so. Many
security-related improvements have been made, and indeed this release has
been delayed several times in order to include fixes for a number of recent
issues.

Otherwise, the following instructions describe how to upgrade your binaries
by updating your source tree and rebuilding and installing a new version.

* NetBSD-current:

    Systems running NetBSD-current dated from before 2002-08-10 should be
    upgraded to NetBSD-current dated 2002-08-10 or later.
    The following directories need to be updated from the netbsd-current
    CVS branch (aka HEAD):
        usr.sbin/mrinfo
        usr.sbin/mtrace
        usr.sbin/pppd

    To update from CVS, re-build, and re-install mrinfo and mtrace:
        # cd src
        # cvs update -dP usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
        # cd usr.sbin/mrinfo
        # make cleandir dependall
        # make install
        # cd usr.sbin/mtrace
        # make cleandir dependall
        # make install
        # cd usr.sbin/pppd
        # make cleandir dependall
        # make install

* NetBSD 1.6 beta:

    Systems running NetBSD 1.6 BETAs and Release Candidates should be
    upgraded to the NetBSD 1.6 release. If a source-based point upgrade is
    required, sources from the NetBSD 1.6 branch dated 2002-08-11 or later
    should be used.

    The following directories need to be updated from the netbsd-1-6 CVS
    branch:
        usr.sbin/mrinfo
        usr.sbin/mtrace
        usr.sbin/pppd

    To update from CVS, re-build, and re-install mrinfo and mtrace:
        # cd src
        # cvs update -d -P -r netbsd-1-6 \
            usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
        # cd usr.sbin/mrinfo
        # make cleandir dependall
        # make install
        # cd usr.sbin/mtrace
        # make cleandir dependall
        # make install
        # cd usr.sbin/pppd
        # make cleandir dependall
        # make install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

    Systems running NetBSD-1.5 branch dated from before 2002-09-05 should be
    upgraded to NetBSD-1.5 branch dated 2002-09-05 or later.

    The following directories need to be updated from the netbsd-1-5 CVS
    branch:
        usr.sbin/mrinfo
        usr.sbin/mtrace
        usr.sbin/pppd

    To update from CVS, re-build, and re-install mrinfo and mtrace:
        # cd src
        # cvs update -d -P -r netbsd-1-5 \
            usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
        # cd usr.sbin/mrinfo
        # make cleandir dependall
        # make install
        # cd usr.sbin/mtrace
        # make cleandir dependall
        # make install
        # cd usr.sbin/pppd
        # make cleandir dependall
        # make install

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

    The advisory will be updated to include instructions to remedy this
    problem for systems running the NetBSD-1.4 branch.
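The unchecked FD_SET() pattern described in the Technical Details above and a bounds-checked replacement, as an added C example (not the code of mrinfo, mtrace or pppd); the function names and the pipe used to exercise them are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Unchecked shape from the advisory: FD_SET() sets bit `fd` in a bitmap of
 * exactly FD_SETSIZE bits.  A descriptor numbered FD_SETSIZE or higher
 * makes the macro write outside the fd_set object.  A setuid program
 * inherits its descriptor table from whoever ran it, so it cannot assume
 * the numbers it is handed are small. */

/* Checked shape: refuse descriptors that do not fit the bitmap.  Returns
 * false with errno set to EINVAL instead of overrunning. */
bool fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return false;
    }
    FD_SET(fd, set);
    return true;
}

/* Wait up to timeout_ms for fd to become readable, using the checked
 * FD_SET.  Returns 1 if readable, 0 on timeout, -1 on error (including a
 * descriptor the fd_set cannot represent). */
int wait_readable(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int rc;

    FD_ZERO(&rfds);
    if (!fd_set_checked(fd, &rfds))
        return -1;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return (rc > 0 && FD_ISSET(fd, &rfds)) ? 1 : 0;
}

int main(void)
{
    int p[2];   /* constructed pipe: a descriptor we can make readable */

    if (pipe(p) < 0) {
        perror("pipe");
        return 1;
    }
    printf("FD_SETSIZE is %d; highest representable descriptor is %d\n",
           (int)FD_SETSIZE, (int)FD_SETSIZE - 1);
    printf("empty pipe:     %d\n", wait_readable(p[0], 10));     /* 0 */
    if (write(p[1], "x", 1) != 1) {
        perror("write");
        return 1;
    }
    printf("pipe with data: %d\n", wait_readable(p[0], 10));     /* 1 */
    printf("fd %d:         %d (%s)\n", (int)FD_SETSIZE,
           wait_readable(FD_SETSIZE, 10), strerror(errno));     /* -1 */
    close(p[0]);
    close(p[1]);
    return 0;
}
```

The manpage excerpt above notes that FD_SETSIZE can be raised by defining it before including <sys/types.h>; the check here works against whatever value was compiled in.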
Thanks To
=========

xs@kittenz.org for finding this bug and sending fixes.

The NetBSD Release Engineering teams, for great patience and assistance in
dealing with repeated security issues discovered recently.

Revision History
================

2002-09-16  Initial release

More Information
================

An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-014.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.

$NetBSD: NetBSD-SA2002-014.txt,v 1.13 2002/09/16 05:17:55 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqaD5Ru2/4N2IFAQGipAP/QwtISx0xcoOwzB3HrjGmn8DMX0V13q6d
ecx1QZ/4TuCjEYmgbhXdW8ReB7yQ1wy2tIG61U3pvoQW9EMqoK1n7ispixwUIS7X
Yp3gpYp4nTAeeLvv3mYoT6NFERqzku7qakoSFq92uojwborR/yXFsiC41IMudhK6
HuwbKbDG9WM=
=Ez96
- -----END PGP SIGNATURE-----

NetBSD Security Advisory 2002-017: shutdown(s, SHUT_RD) on TCP socket does not work as intended

- -----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2002-017
=================================

Topic:     shutdown(s, SHUT_RD) on TCP socket does not work as intended

Version:   NetBSD-current:    source prior to September 7, 2002
           NetBSD 1.6 beta:   affected
           NetBSD-1.5.3:      affected
           NetBSD-1.5.2:      affected
           NetBSD-1.5.1:      affected
           NetBSD-1.5:        affected
           NetBSD-1.4.*:      affected

Severity:  Unexpected kernel memory consumption

Fixed:     NetBSD-current:    September 7, 2002
           NetBSD-1.6 branch: September 7, 2002 (1.6 includes the fix)
           NetBSD-1.5 branch: September 7, 2002
           NetBSD-1.4 branch: not yet

Abstract
========

shutdown(s, SHUT_RD) is used to indicate that no inbound traffic is expected
on the socket. There was a mistake in TCP with respect to the handling of a
shut-down socket, leading to unexpected kernel resource consumption and
unexpected behavior.
Technical Details
=================

Some of the sbappend() calls in sys/netinet/tcp_input.c did not properly
consult the SS_CANTRCVMORE flag on the socket.

http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=18185

Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade
to NetBSD 1.6 is the recommended resolution for all users able to do so. Many
security-related improvements have been made, and indeed this release has
been delayed several times in order to include fixes for a number of recent
issues.

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of the kernel.

* NetBSD-current:

    Systems running NetBSD-current dated from before 2002-09-06 should be
    upgraded to NetBSD-current dated 2002-09-06 or later.

    The following directories need to be updated from the netbsd-current
    CVS branch (aka HEAD):
        sys/netinet

    To update from CVS, re-build, re-install kernel and reboot:
        # cd src
        # cvs update -d -P sys/netinet

    Configure, compile, install and boot a new kernel according to the
    instructions at:
        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

* NetBSD 1.6 beta:

    Systems running NetBSD 1.6 BETAs and Release Candidates should be
    upgraded to the NetBSD 1.6 release. If a source-based point upgrade is
    required, sources from the NetBSD 1.6 branch dated 2002-09-06 or later
    should be used.

    The following directories need to be updated from the netbsd-1-6 CVS
    branch:
        sys/netinet

    To update from CVS, re-build, re-install kernel and reboot:
        # cd src
        # cvs update -d -P -r netbsd-1-6 sys/netinet

    Configure, compile, install and boot a new kernel according to the
    instructions at:
        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

    Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated from
    before 2002-09-06 should be upgraded from NetBSD 1.5.* sources dated
    2002-09-06 or later.
    NetBSD 1.5.4 will be shipped with fixes.

    The following directories need to be updated from the netbsd-1-5 CVS
    branch:
        sys/netinet

    To update from CVS, re-build, re-install kernel and reboot:
        # cd src
        # cvs update -d -P -r netbsd-1-5 sys/netinet

    Configure, compile, install and boot a new kernel according to the
    instructions at:
        http://www.netbsd.org/Documentation/kernel/#building_a_kernel

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

    The advisory will be updated to include instructions to remedy this
    problem for systems running the NetBSD-1.4 branch.

Thanks To
=========

Sean Boudreau

The NetBSD Release Engineering teams, for great patience and assistance in
dealing with repeated security issues discovered recently.

Revision History
================

2002-09-16  Initial release

More Information
================

Advisories may be updated as new information comes to hand. The most recent
version of this advisory (PGP signed) can be found at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-017.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-017.txt,v 1.9 2002/09/16 05:17:55 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqej5Ru2/4N2IFAQFXFQP/TgE2w4hDKtWeccyjBSYEYPji7hgu/IPK
gJztYTRBM4xDKyx76QW+MSoFu/ye+Jfkveh6ZmxGKb2oFzGjbKKyKISk1brBaZ+o
g6mqsd05AACYukIhkRdNOR84bPr086soGRJQFXaLUKbwcUBNQQ43yY8fDqMdEuBd
yk+GJu7hDgQ=
=kfaF
- -----END PGP SIGNATURE-----

NetBSD Security Advisory 2002-018: Multiple security issues with kfd daemon

- -----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2002-018
=================================

Topic:     Multiple security issues with kfd daemon

Version:   NetBSD-current:    source prior to September 10, 2002
           NetBSD 1.6:        affected
           NetBSD-1.5.3:      affected
           NetBSD-1.5.2:      affected
           NetBSD-1.5.1:      affected
           NetBSD-1.5:        affected
           NetBSD-1.4.*:      not affected

Severity:  remote buffer overrun, possibly resulting in root exploit

Fixed:     NetBSD-current:    September 11, 2002
           NetBSD-1.6 branch: not yet
           NetBSD-1.5 branch: September 11, 2002

Abstract
========

Kf and kfd are used to forward Kerberos credentials in a stand-alone
fashion, and come from the Heimdal Kerberos implementation used by NetBSD.
In Heimdal releases earlier than 0.5, these programs have multiple security
issues, including possible buffer overruns.

The kfd daemon has never been enabled by default in NetBSD; enabling it
would have required a port name to be added to /etc/services.

Technical Details
=================

The client sent information about the user and files without integrity
protection, making it possible to overwrite any file the user had access to.
The server also passed some of this data to other functions without checking
that strings were zero terminated, possibly resulting in a root exploit.

All versions prior to Heimdal 0.5 are vulnerable. You can tell which version
of kfd you have by running /usr/libexec/kfd --version.
See also: http://www.pdc.kth.se/heimdal/

Solutions and Workarounds
=========================

As this is not a vital service, and is very likely unused by most
installations, the straightforward solution is to remove these programs.
This has been done in NetBSD-current sources on September 11, 2002. Note
that even after this time, systems may still have binaries left behind from
earlier builds.

Note that sources for the 1.6 release (and branch) still include these
programs. Therefore, a "make build" will re-install vulnerable binaries into
/usr/bin/kf and /usr/libexec/kfd. As noted in the 1.6 LAST_MINUTE release
notes, please remove them after each "make build".

* NetBSD all releases:

    Check that you don't have kfd in your /etc/inetd.conf.
        % grep kfd /etc/inetd.conf

    Remove these programs:
        # rm /usr/bin/kf
        # rm /usr/libexec/kfd
        # rm /usr/share/man/cat1/kf.0
        # rm /usr/share/man/cat8/kfd.0
        # rm /usr/share/man/man1/kf.1
        # rm /usr/share/man/man8/kfd.8

Thanks To
=========

joda@pdc.kth.se (Johan Danielsson)

Revision History
================

2002-09-16  Initial release

More Information
================

Advisories may be updated as new information comes to hand. The most recent
version of this advisory (PGP signed) can be found at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-018.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-018.txt,v 1.9 2002/09/16 22:59:39 dan Exp $

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYZiaj5Ru2/4N2IFAQG3YQP6AxY5rsaUAgEIIQ3TVsLPbqplH4ARheS6
zvmwTOcoI4NnGVdvUL99FPf+hEJdHZyScEn9bRtEGgFUnbXCgovDu2G333/1S91Z
w36jokou/av+WdxJ7fVSbFqrA62cFy1s9fpoWubZ14j3isPzz74qtPtGnOI19oGh
WylKw/jKtps=
=8Fkt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
  http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPYiV2Ch9+71yA2DNAQHdXAP/VnvLZqB75TBGCNO71EgWXI7JHd2E/V+q
Wt1JvyJNo5wxuWq0FNZk8VjoCH3QC6uX20Dq+c5sucwMI4NDIqcU4y6qNULeGh8O
dArhxJP/lAtcdPABab/0w9RH7TloHp7caWfe54ZL1+AuS1+nw4NtUIsfwVW8TCnB
HXWK7gqtyT0=
=kpf6
-----END PGP SIGNATURE-----
