Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.0033 Local DoS in virecover 3 January 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: virecover Publisher: NetBSD Operating System: NetBSD Impact/Access: Delete Arbitrary Files -- Existing Account Resolution: Patch/Upgrade Original Bulletin: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-002.txt.asc - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2018-002 ================================= Topic: Local DoS in virecover Version: NetBSD-current: source prior to Sat, November 4th 2017 NetBSD 7.0 - 7.02: affected NetBSD 6.1 - 6.1.5: affected NetBSD 6.0 - 6.0.6: affected Severity: Local Denial of Service Fixed: NetBSD-current: Sat, November 4th 2017 NetBSD-6-0 branch: Sun, November 5th 2017 NetBSD-6-1 branch: Sun, November 5th 2017 NetBSD-6 branch: Sun, November 5th 2017 NetBSD-7-0 branch: Sun, November 5th 2017 NetBSD-7 branch: Sun, November 5th 2017 NetBSD-8 branch: Sun, November 5th 2017 Please note that NetBSD releases prior to 6.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== An error in the virecover script allows an unprivileged user to delete any files in the root / directory. Technical Details ================= The virecover shell script used file globbing without arranging for whitespace within filenames to be preserved. Instead of treating a filename containing a space as is, it will treat the file as two files. For example, by placing "/var/tmp/virecover/vi. netbsd", virecover will treat it as two files: /var/tmp/virecover/vi. and netbsd. As virecover attempts to delete the recovered files, it will delete files in its current working directory (the root directory). This allows an unprivileged user to delete any file within the root directory. Solutions and Workarounds ========================= Disabling virecover: # echo "virecover=NO" >> /etc/rc.conf Updating nvi: FILE HEAD netbsd-8 netbsd-7 netbsd-7-1 netbsd-7-0 external/bsd/nvi/dist/common/recover.c 1.9 1.5.22.1 1.5.6.1 1.5.18.1 1.5.10.1 external/bsd/nvi/usr.bin/recover/virecover 1.3 1.1.22.1 1.1.6.1 1.1.18.1 1.1.10.1 FILE netbsd-6 netbsd-6-1 netbsd-6-0 dist/nvi/common/recover.c 1.3.10.1 1.3.24.1 1.3.16.1 usr.bin/nvi/recover/virecover 1.1.22.1 1.1.36.1 1.1.28.1 for netbsd-7, -7-0, -7-1, netbsd-8, HEAD: $ cd src $ cvs update -d -P -r VERSION external/bsd/nvi/dist/common/recover.c $ cvs update -d -P -r VERSION external/bsd/nvi/usr.bin/recover/virecover $ cd external/bsd/nvi $ make USETOOLS=no # make install USETOOLS=no for netbsd-6, -6-0, -6-1: $ cd src $ cvs update -d -P -r VERSION dist/nvi/common/recover.c $ cvs update -d -P -r VERSION usr.bin/nvi/recover/virecover $ cd usr.bin/nvi $ make USETOOLS=no # make install USETOOLS=no Thanks To ================ Maya Rashish for noticing the issue, Christos Zoulas and Robert Elz for deploying the fix. Revision History ================ 2018-01-02 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-002.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2018, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. - -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJaS7+UAAoJEAZJc6xMSnBuqhgQAJHCyUMeylnsOUGi0SzsZ/G9 kzQVGSir6+U+yKGaEFM5xkuRUoQFOVxCcHo9GXxY5EvxfF3rsYoW6MORzkn5DXAs Yup1HMb5impVdGruED7ubFI155EjLtlI03S3fqgOChH0g1aWwtfP0PlqC1iMl7mp Ygyo7UZEJNOsrAM28WqW5LHQPNVG2q92yl16UwP6UWH8MoydnjCj4WuQ4/D161bQ xFDNgxruxt3R3RqwBnVIPYBRTlxM9xPGpW/dNngc+rVoiyRD3+XzcEvhemY2Eccx Gqp2ohQl+q8rDzKnS2pv+wNdQlgXZVkg5XrfWkP52JBTdAojAfeNP9cWlOoV9ggZ nFzjHnURkodRwosE8AWuJ+aquokqUMtec48NNKVIaRK/LPuJQLz/CWdiM5V0xwqY 0WSK5Yvgl3aM5FwFpWFo78RE3Pl18FaJuqMN3XYWhDuBXLZW7raQK0KXQuWC+E72 PgRqqDU2YswGV3Gt2xbBh74SBnedjwppffNCenSdxjZHjfpFLGr1sS/JGBj/UG1m RfxAA7mbogE/yEjWXLyt8H+y78Id6Ck9rWiKTFUKBXJw7qw05opdewJDsZrOsw6T 40iydSOLl1ahr/Ke2Mu8/B09MUyt8MMrrmthnhoXQr9a2R9iR1fDFxfboocOVCfn BHDNhoPO+m+GSApcBd7p =MHk1 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWkwRfYx+lLeg9Ub1AQgtCg//en6BoFAW/tmxae3CiZ72L9pe0DZ0J1WP Kq10AKItVzVd2DPnlDVmXifDxCrO11X7zUR551MNwEGjRuEex42HUhxmdlXomBsF PIW9JiugKMuFYZIpsDnnt/79RlCRmjrHodvPYlu/NbVBr5MAR8v5lRsNeI4iDaiD KO9/iM9xIdAN/yGoDqbMoW85Jm67/3crOPjeq7k69jXZ9sRUfy4DnZVBa0QSWHXn Pl2zOrUUCKDjt7gheTfsD2kOdk2rgFy27bsBQzoFTVSnDmB77cdwkhOjVZ0Zk1F9 aiNG/eLQOhBMYm7jsEIT4NN12Qybht7uCtrb7gQbMsgTeLEihNx4sD0BrDZ8J+3S rLXaqQ4erj48GEl1L9GodGkfr6+cG1YMFUUCb4yQq3/XnzORhpKFjr/Nnh5QWRdP gXSuznulZiLokk0dOU8orgzrogJ7zl7u4SlOI6AH+gFmi6zpC1cb7u//T+VSjCvo zfDV7ALtMr3QQer4FMYelWBl7oaoOJyremAoaJ3MlVT9eJ9l8N0D44+43OLlaFD+ 9MnE1bxPw5LfzMOS3wam2jgJ89zr6kKlPvNRC8oqkTSYHur6UQZzU4Gj7pYkBgtm 827nYz+NAnpsOYWteiK8lvdhzn9R7TFcpVyslB6aWA7CNk0YxGBwrSaWq9HsXJb0 lwD0hR68SVo= =O3bS -----END PGP SIGNATURE-----