FreeBSD Security Advisories
2003-Aug-03 17:04 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-03:08.realpath                                   Security Advisory
                                                          The FreeBSD Project
Topic: Single byte buffer overflow in realpath(3)
Category: core
Module: libc
Announced: 2003-08-03
Credits: Janusz Niewiadomski <funkysh@isec.pl>,
Wojciech Purczynski <cliph@isec.pl>,
CERT/CC
Affects: All releases of FreeBSD up to and including 4.8-RELEASE
and 5.0-RELEASE
FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
Corrected: 2003-08-03 23:46:24 UTC (RELENG_5_0)
2003-08-03 23:43:43 UTC (RELENG_4_8)
2003-08-03 23:44:12 UTC (RELENG_4_7)
2003-08-03 23:44:36 UTC (RELENG_4_6)
2003-08-03 23:44:56 UTC (RELENG_4_5)
2003-08-03 23:45:41 UTC (RELENG_4_4)
2003-08-03 23:46:03 UTC (RELENG_4_3)
2003-08-03 23:47:39 UTC (RELENG_3)
FreeBSD only: NO
I. Background
The realpath(3) function is used to determine the canonical, absolute
pathname from a given pathname which may contain extra ``/'' characters,
references to ``/./'' or ``/../'', or references to symbolic links. The
realpath(3) function is part of the FreeBSD Standard C Library.
II. Problem Description
An off-by-one error exists in the length check that realpath(3) performs
before joining the resolved directory name with the final component of
the pathname. As a result, if the resolved pathname is exactly 1024
characters (MAXPATHLEN) long and contains at least two directory
separators, the check passes when it should fail, and the terminating
NUL is written one byte past the end of the buffer passed to
realpath(3): a single-byte overflow.
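The length check described above, as an added example that is not FreeBSD's realpath.c: it models only the final step of realpath(3) that the advisory describes, joining the resolved directory name and the last path component into a MAXPATHLEN-byte buffer after a length test. Both the original test (`+ rootd + 1`) and the corrected test from the published patch (`+ (1 - rootd) + 1`) are implemented, and each is run against a buffer followed by a canary byte so the single-byte NUL overflow can be observed. It also shows the same miscount rejecting, when the directory is the root itself, a result that would have fit. The function names, the canary layout and the constructed path lengths are this example's own.

```c
/*
 * Added example; this is NOT FreeBSD's realpath.c.  It models only the
 * final "join directory + last component" step of realpath(3) that the
 * advisory describes, with the original length check beside the
 * corrected one from the published patch, so the single-byte overflow
 * can be observed on a guarded buffer.  Function names and the canary
 * layout are this example's own.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024
#endif

#define JOIN_REJECTED  (-1)   /* length check failed: ENAMETOOLONG   */
#define JOIN_FITS        0    /* joined; NUL lies inside the buffer   */
#define JOIN_OVERFLOW    1    /* joined; NUL lies one byte past it    */

/*
 * Append wbuf to resolved (which must start with '/'), inserting a "/"
 * unless resolved is the root directory itself (rootd == 1).  With
 * use_fixed_check == 0 the original length test is used, otherwise the
 * corrected one.  Returns 0 on success, -1 with errno set if the result
 * would not fit.  The join itself follows the original's logic.
 */
static int join_component(char *resolved, const char *wbuf, int use_fixed_check)
{
    int rootd = (resolved[0] == '/' && resolved[1] == '\0');
    size_t need;

    if (*wbuf == '\0')
        return 0;

    if (use_fixed_check)
        need = strlen(resolved) + strlen(wbuf) + (1 - rootd) + 1; /* patched */
    else
        need = strlen(resolved) + strlen(wbuf) + rootd + 1;       /* original */

    if (need > MAXPATHLEN) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (rootd == 0)
        strcat(resolved, "/");
    strcat(resolved, wbuf);
    return 0;
}

/*
 * Run one join on a fresh MAXPATHLEN-byte "caller buffer" followed by a
 * canary byte.  resolved is "/" followed by (dirlen - 1) 'a' characters;
 * wbuf is complen 'b' characters (constructed inputs).  Returns
 * JOIN_REJECTED, JOIN_FITS or JOIN_OVERFLOW.  Inputs are bounded so the
 * demo itself never writes beyond its own canary.
 */
static int join_outcome(size_t dirlen, size_t complen, int use_fixed_check)
{
    char buf[MAXPATHLEN + 1];   /* [0..MAXPATHLEN-1] buffer, [MAXPATHLEN] canary */
    char wbuf[MAXPATHLEN];

    if (dirlen < 1 || complen + 1 > sizeof(wbuf) || dirlen + 1 + complen > MAXPATHLEN)
        return JOIN_REJECTED;

    memset(buf, 'a', dirlen);
    buf[0] = '/';
    buf[dirlen] = '\0';
    buf[MAXPATHLEN] = 'C';      /* canary just past the MAXPATHLEN buffer */

    memset(wbuf, 'b', complen);
    wbuf[complen] = '\0';

    if (join_component(buf, wbuf, use_fixed_check) != 0)
        return JOIN_REJECTED;
    return buf[MAXPATHLEN] == '\0' ? JOIN_OVERFLOW : JOIN_FITS;
}

int main(void)
{
    /* "/aaa..." (1000 chars) + "/" + 23 'b's = exactly 1024 chars, two separators */
    printf("1024-char result, original check: %d (1 = NUL past buffer)\n", join_outcome(1000, 23, 0));
    printf("1024-char result, fixed check:    %d (-1 = ENAMETOOLONG)\n", join_outcome(1000, 23, 1));
    /* a 1023-char result fits under both checks */
    printf("1023-char result, original check: %d\n", join_outcome(1000, 22, 0));
    printf("1023-char result, fixed check:    %d\n", join_outcome(1000, 22, 1));
    /* directory is "/": the original check rejects a 1023-char result that fits */
    printf("root + 1022-char component, original check: %d\n", join_outcome(1, 1022, 0));
    printf("root + 1022-char component, fixed check:    %d\n", join_outcome(1, 1022, 1));
    return 0;
}
```

The first pair is the advisory's case: the resolved directory already contains one separator, the join adds a second, the result is exactly MAXPATHLEN characters, and the original test lets the NUL land on the canary while the corrected test returns ENAMETOOLONG. The last pair shows the other side of the same miscount: with the directory being "/" the original test is one too strict.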
III. Impact
Applications using realpath(3) MAY be vulnerable to denial of service
attacks, remote code execution, and/or privilege escalation. The
impact on an individual application is highly dependent upon the
source of the pathname passed to realpath, the position of the output
buffer on the stack, the architecture on which the application is
running, and other factors.
Within the FreeBSD base system, several applications use realpath(3).
Two applications which are negatively impacted are:
(1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
process the MLST and MLSD commands. [lukemftpd(8) is not built or
installed by default.]
(2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
chdir commands.
In both of the cases above, the realpath(3) vulnerability may be
exploitable, leading to arbitrary code execution with the privileges
of the authenticated user. This is probably only of concern on
otherwise `closed' servers, e.g. servers without shell access.
At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
the following applications which appear to use realpath(3). These
applications have not been audited, and may or may not be vulnerable.
There may be additional applications in the FreeBSD Ports Collection
that use realpath(3), particularly statically-linked applications and
applications added since 4.8-RELEASE.
BitchX-1.0c19_1
Mowitz-0.2.1_1
XFree86-clients-4.3.0_1
abcache-0.14
aim-1.5.234
analog-5.24,1
anjuta-1.0.1_1
aolserver-3.4.2
argus-2.0.5
arm-rtems-gdb-5.2_1
avr-gdb-5.2.1
ccache-2.1.1
cdparanoia-3.9.8_4
cfengine-1.6.3_4
cfengine2-2.0.3
cmake-1.4.7
comserv-1.4.3
criticalmass-0.97
dedit-0.6.2.3_1
drweb_postfix-4.29.10a
drweb-4.29.2
drweb_sendmail-4.29.10a
edonkey-gui-gtk-0.5.0
enca-0.10.7
epic4-1.0.1_2
evolution-1.2.2_1
exim-3.36_1
exim-4.12_5
exim-ldap-4.12_5
exim-ldap2-4.12_5
exim-mysql-4.12_5
exim-postgresql-4.12_5
fam-2.6.9_2
fastdep-0.15
feh-1.2.4_1
ferite-0.99.6
fileutils-4.1_1
finfo-0.1
firebird-1.0.2
firebird-1.0.r2
frontpage-5.0.2.2623_1
galeon-1.2.8
galeon2-1.3.2_1
gdb-5.3_20030311
gdb-5.2.1_1
gdm2-2.4.1.3
gecc-20021119
gentoo-0.11.34
gkrellmvolume-2.1.7
gltron-0.61
global-4.5.1
gnat-3.15p
gnomelibs-1.4.2_1
gprolog-1.2.16
gracula-3.0
gringotts-1.2.3
gtranslator-0.43_1
gvd-1.2.5
hercules-2.16.5
hte-0.7.0
hugs98-200211
i386-rtems-gdb-5.2_1
i960-rtems-gdb-5.2_1
installwatch-0.5.6
ivtools-1.0.6
ja-epic4-1.0.1_2
ja-gnomelibs-1.4.2_1
ja-msdosfs-20001027
ja-samba-2.2.7a.j1.1_1
kdebase-3.1_1
kdelibs-3.1
kermit-8.0.206
ko-BitchX-1.0c16_3
ko-msdosfs-20001027
leocad-0.73
libfpx-1.2.0.4_1
libgnomeui-2.2.0.1
libpdel-0.3.4
librep-0.16.1_1
linux-beonex-0.8.1
linux-divxplayer-0.2.0
linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
linux-gnomelibs-1.2.8_2
linux-mozilla-1.2
linux-netscape-communicator-4.8
linux-netscape-navigator-4.8
linux-phoenix-0.3
linux_base-6.1_4
linux_base-7.1_2
lsh-1.5.1
lukemftpd-1.1_1
m68k-rtems-gdb-5.2_1
mips-rtems-gdb-5.2_1
mod_php4-4.3.1
moscow_ml-2.00_1
mozilla-1.0.2_1
mozilla-1.2.1_1,2
mozilla-1.2.1_2
mozilla-1.3b,1
mozilla-1.3b
mozilla-embedded-1.0.2_1
mozilla-embedded-1.2.1_1,2
mozilla-embedded-1.3b,1
msyslog-1.08f_1
netraider-0.0.2
openag-1.1.1_1
openssh-portable-3.5p1_1
openssh-3.5
p5-PPerl-0.23
paragui-1.0.2_2
powerpc-rtems-gdb-5.2_1
psim-freebsd-5.2.1
ptypes-1.7.4
pure-ftpd-1.0.14
qiv-1.8
readlink-20010616
reed-5.4
rox-1.3.6_1
rox-session-0.1.18_1
rpl-1.4.0
rpm-3.0.6_6
samba-2.2.8
samba-3.0a20
scrollkeeper-0.3.11_8,1
sh-rtems-gdb-5.2_1
sharity-light-1.2_1
siag-3.4.10
skipstone-0.8.3
sparc-rtems-gdb-5.2_1
squeak-2.7
squeak-3.2
swarm-2.1.1
tcl-8.2.3_2
tcl-8.3.5
tcl-8.4.1,1
tcl-thread-8.1.b1
teTeX-2.0.2_1
wine-2003.02.19
wml-2.0.8
worker-2.7.0
xbubble-0.2
xerces-c2-2.1.0_1
xerces_c-1.7.0
xnview-1.50
xscreensaver-gnome-4.08
xscreensaver-4.08
xworld-2.0
yencode-0.46_1
zh-cle_base-0.9p1
zh-tcl-8.3.0
zh-tw-BitchX-1.0c19_3
zh-ve-1.0
zh-xemacs-20.4_1
IV. Workaround
There is no generally applicable workaround.
OpenSSH's sftp-server(8) may be disabled by editing
/etc/ssh/sshd_config and commenting out the following line by
inserting a `#' as the first character:
Subsystem sftp /usr/libexec/sftp-server
lukemftpd(8) may be replaced by the default ftpd(8).
V. Solution
1) Upgrade your vulnerable system to 4.8-STABLE
or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
dated after the respective correction dates.
2) To patch your present system:
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility. The following patch
has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
5.0-RELEASE.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your operating system as described in
<URL:http://www.freebsd.org/doc/handbook/makeworld.html>.
NOTE WELL: Any statically linked applications that are not part of
the base system (i.e. from the Ports Collection or other 3rd-party
sources) must be recompiled.
All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_3
src/lib/libc/stdlib/realpath.c 1.6.2.1
RELENG_4_3
src/UPDATING 1.73.2.28.2.32
src/lib/libc/stdlib/realpath.c 1.9.4.1
src/sys/conf/newvers.sh 1.44.2.14.2.22
RELENG_4_4
src/UPDATING 1.73.2.43.2.45
src/lib/libc/stdlib/realpath.c 1.9.6.1
src/sys/conf/newvers.sh 1.44.2.17.2.36
RELENG_4_5
src/UPDATING 1.73.2.50.2.44
src/lib/libc/stdlib/realpath.c 1.9.8.1
src/sys/conf/newvers.sh 1.44.2.20.2.28
RELENG_4_6
src/UPDATING 1.73.2.68.2.42
src/lib/libc/stdlib/realpath.c 1.9.10.1
src/sys/conf/newvers.sh 1.44.2.23.2.31
RELENG_4_7
src/UPDATING 1.73.2.74.2.14
src/lib/libc/stdlib/realpath.c 1.9.12.1
src/sys/conf/newvers.sh 1.44.2.26.2.13
RELENG_4_8
src/UPDATING 1.73.2.80.2.3
src/lib/libc/stdlib/realpath.c 1.9.14.1
src/sys/conf/newvers.sh 1.44.2.29.2.2
RELENG_5_0
src/UPDATING 1.229.2.14
src/lib/libc/stdlib/realpath.c 1.11.2.1
src/sys/conf/newvers.sh 1.48.2.9
- -------------------------------------------------------------------------
VII. References
<URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt>
<URL:http://www.kb.cert.org/vuls/id/743092>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/LaFvFdaIBMps37IRAoO6AJ4zTutkdp69fekZGR1AcZTr4/HdVgCeK6v3
u9B/doXT8ns+tkXTCb7DX7M=
=oS/F
-----END PGP SIGNATURE-----
At 17:04 03/08/2003 -0700, you wrote:
>V. Solution
>2) To patch your present system:
>a) Download the relevant patch...
>b) Apply the patch...
>c) Recompile your operating system...

I hesitate to suggest that people leave their systems unpatched for longer than absolutely necessary, but there *will* be binary patches available for 4.7-RELEASE and 4.8-RELEASE -- as soon as I finish building them (ETA about 17 hours).

This only applies to people who performed a binary install of FreeBSD 4.7 or 4.8 ***and have not recompiled the world locally***. Affected applications which were statically linked to the vulnerable code would still need to be recompiled.

Once the binary updates are available, FreeBSD Update (security/freebsd-update in the ports tree) will be able to fetch and install them; I'll send another email to this list after they've been built, signed, and uploaded.

Colin Percival
FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-03:08.realpath                                   Security Advisory
>                                                           The FreeBSD Project
>
> Topic: Single byte buffer overflow in realpath(3)

Hi! I do not see a fix for RELENG_4, neither in this advisory nor in the repo. Please MFC to RELENG_4 too.

Eugene Grosbein.
Christoph Moench-Tegeder
2003-Aug-04 01:50 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
## Eugene Grosbein (eugen@grosbein.pp.ru):

> > Topic: Single byte buffer overflow in realpath(3)
> Hi! I do not see a fix for RELENG_4, neither in this advisory nor in the repo.
> Please MFC to RELENG_4 too.

: Affects: All releases of FreeBSD up to and including 4.8-RELEASE
: and 5.0-RELEASE
: FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I guess rev. 1.9.2.1 of realpath.c fixed the problem more or less by accident.

Regards,
Christoph
-- 
Antivirus-software is protection for people against yesterday's threats.
Antivirus-software is protection for moronic users against themselves.
Antivirus-software is crap. I say we kill the users and be done with it.
-- kh@telecomplus.dk
[My keyboard got stuck with the control key down, so I think a partially written copy of this got sent a moment ago; please disregard it.]

At 10:10 04/08/2003 +0100, Chris Howells wrote:
>On Monday 04 August 2003 08:54, Colin Percival wrote:
> > Affected applications which were statically linked to the vulnerable
> > code would still need to be recompiled.
>
>I'm just trying to work out which applications on my system are statically
>linked or not.

I'm sure someone else can offer better suggestions, but I'm just doing the following:

$ sh -c 'find / -type f -perm +111 | while read x; do file "$x"; done | grep "statically linked" | cut -f 1 -d ":"'

Colin Percival
On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
>Affects: All releases of FreeBSD up to and including 4.8-RELEASE
> and 5.0-RELEASE
> FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
...
>V. Solution
>
>1) Upgrade your vulnerable system to 4.8-STABLE
>or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
>(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
>dated after the respective correction dates.

I found the reference to RELENG_5_1 in the "Solutions" section but no reference to 5.1-RELEASE in the "Affects" section somewhat confusing. This is compounded by the failure to mention RELENG_5_0 in the "Solutions" section. I gather that 5.1-RELEASE is not vulnerable due to the realpath() rewrite in 1.14.

May I suggest that in future, when a release is not vulnerable due to code rewrites or similar, this fact be explicitly mentioned. IMHO, it's far better to err on the side of caution when dealing with security issues.

Peter
On Sun, 2003-08-03 at 19:04, FreeBSD Security Advisories wrote:> 2) To patch your present system: > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. The following patch > has been tested to apply to all FreeBSD 4.x releases and to FreeBSD > 5.0-RELEASE. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc > > b) Apply the patch. > > # cd /usr/src > # patch < /path/to/patchIs it just me or is the patch referenced above wrong? I followed the instructions above but the patch failed: ##### snip ###### # cd /usr/src-all/current/src # Where my "/usr/src" lives # patch < /tmp/realpath.patch Hmm... Looks like a new-style context diff to me... The text leading up to this was: -------------------------- |Index: lib/libc/stdlib/realpath.c |==================================================================|RCS file: /home/ncvs/src/lib/libc/stdlib/realpath.c,v |retrieving revision 1.9 |diff -c -c -r1.9 realpath.c |*** lib/libc/stdlib/realpath.c 27 Jan 2000 23:06:50 -0000 1.9 |--- lib/libc/stdlib/realpath.c 3 Aug 2003 17:21:20 -0000 -------------------------- Patching file lib/libc/stdlib/realpath.c using Plan A... Hunk #1 failed at 138. 1 out of 1 hunks failed--saving rejects to lib/libc/stdlib/realpath.c.rej done ##### snip ###### realpath.c.rej contains the entire patch: ##### snip ###### *************** *** 138,144 **** rootd = 0; if (*wbuf) { ! if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) { errno = ENAMETOOLONG; goto err1; } --- 138,145 ---- rootd = 0; if (*wbuf) { ! if (strlen(resolved) + strlen(wbuf) + (1-rootd) + 1 > ! MAXPATHLEN) { errno = ENAMETOOLONG; goto err1; } ##### snip ###### I wasn't really surprised that it failed since it looks like it should apply to crypto/openssh/openbsd-compat/realpath.c rather than lib/libc/stdlib/realpath.c. 
I assume (from the CVS logs) that cvsup has taken care of the libc version for me. Does the openssh file need to be patched too? -Ben
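Review bot: the corrected condition in the rejected hunk, `strlen(resolved) + strlen(wbuf) + (1-rootd) + 1 > MAXPATHLEN`, now counts exactly what the join below it writes: the resolved directory, one separator unless resolved is already "/" (rootd == 1), the last component, and the terminating NUL. The old `+ rootd + 1` had the separator term inverted, so with rootd == 0 it accepted a result of MAXPATHLEN characters whose NUL lands one byte past the buffer (the overflow in the advisory), and with rootd == 1 it rejected a result of MAXPATHLEN - 1 characters that fits; a more self-explanatory form would be `strlen(resolved) + (rootd ? 0 : 1) + strlen(wbuf) >= MAXPATHLEN`. On the failed apply: the Index header shows the hunk is against lib/libc/stdlib/realpath.c revision 1.9, matching the 1.9.x.1 corrections listed in section VI, so a tree whose realpath.c is not at 1.9 (a -CURRENT checkout, or a 4-STABLE that already carries the May change) rejects hunk #1 at line 138 for that reason alone; nothing in the hunk points at crypto/openssh/openbsd-compat/realpath.c. Checking `grep -n rootd lib/libc/stdlib/realpath.c` for the `(1-rootd)` form tells whether the fix is already present before retrying.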
Jacques A. Vidrine
2003-Aug-04 14:32 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
On Mon, Aug 04, 2003 at 11:17:18PM +0200, Troels Holm wrote:
> Jacques A. Vidrine wrote:
> >> Does the openssh file need to be patched too?
> >
> > No, it is not used.
>
> But it states in the advisory that "sftp-server" is negatively
> impacted....And it's a part of OpenSSH.
> Or did I get you wrong?

The realpath.c that is distributed with OpenSSH-portable and found in our CVS tree as /usr/src/crypto/openssh/openbsd-compat/realpath.c is not used.

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Jacques A. Vidrine wrote:
> The realpath.c that is distributed with OpenSSH-portable and found in
> our CVS tree as /usr/src/crypto/openssh/openbsd-compat/realpath.c is
> not used.

Just for the record :=)
What you say is that the advisory is in error and my "sftp-server" is _not_ affected? Or are you just saying that sftp isn't using the realpath.c from OpenSSH?

Thanks,
-- 
Troels Holm
Jacques A. Vidrine
2003-Aug-04 15:20 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
On Tue, Aug 05, 2003 at 12:10:14AM +0200, Troels Holm wrote:
> Jacques A. Vidrine wrote:
> > The realpath.c that is distributed with OpenSSH-portable and found in
> > our CVS tree as /usr/src/crypto/openssh/openbsd-compat/realpath.c is
> > not used.
>
> Just for the record :=)
> What you say is that the advisory is in error and my "sftp-server" is _not_
> affected? Or are you just saying that sftp isn't using the realpath.c from
> OpenSSH?

The latter. sftp-server *is* affected, just as it says in the advisory. But OpenSSH as bundled with FreeBSD uses realpath(3) from libc, not from src/crypto/openssh/openbsd-compat/realpath.c, and so (in answer to the question by a previous poster) that file does not need patching.

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Jacques A. Vidrine
2003-Aug-04 15:35 UTC
IMPORTANT FOR lukemftpd USERS (was Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath)
On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
> (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
> process the MLST and MLSD commands. [lukemftpd(8) is not built or
> installed by default.]
[...]
> the realpath(3) vulnerability may be
> exploitable, leading to arbitrary code execution with the privileges
> of the authenticated user. This is probably only of concern on
> otherwise `closed' servers, e.g. servers without shell access.
[...]

I have a correction to make regarding the above text. In the case of lukemftpd (and lukemftpd only), in some situations the vulnerability may be used to execute code with _superuser privileges_.

If lukemftpd is NOT invoked with `-r', then it does NOT completely drop privileges when a user logs in. Thus, a successful exploit will be able to regain superuser privileges. Conversely, if lukemftpd IS invoked with `-r', then the original advisory text above applies.

The example usage for lukemftpd that was in /etc/inetd.conf prior to 5.1-RELEASE included the `-r' flag, but there is no longer an example in 5.1-RELEASE. I don't think there was ever an example entry for 4.x.

I would normally immediately publish a revised advisory with this additional information, however lukemftpd is neither built nor installed by default. Since that is the case, I will probably wait a few days before revision in case further useful information comes to light.

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
At 00:54 04/08/2003 -0700, I wrote:
> Once the binary updates are available, FreeBSD Update
>(security/freebsd-update in the ports tree) will be able to fetch and
>install them; I'll send another email to this list after they've been
>built, signed, and uploaded.

Binary patches can now be installed via FreeBSD Update for any systems with a binary install of 4.7-RELEASE or 4.8-RELEASE which have not had any system binaries rebuilt or replaced locally (except by FreeBSD Update).

With a recent copy of the ports tree:
1. cd /usr/ports/security/freebsd-update/ && make all install
2. cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
3. /usr/local/sbin/freebsd-update fetch
4. /usr/local/sbin/freebsd-update install

In FreeBSD 4.7, the following binaries were affected by this security advisory:
/bin/mv
/bin/pwd
/bin/realpath
/sbin/kldconfig
/sbin/mount
/sbin/mount_cd9660
/sbin/mount_ext2fs
/sbin/mount_fdesc
/sbin/mount_kernfs
/sbin/mount_linprocfs
/sbin/mount_mfs
/sbin/mount_msdos
/sbin/mount_nfs
/sbin/mount_ntfs
/sbin/mount_null
/sbin/mount_nwfs
/sbin/mount_portal
/sbin/mount_procfs
/sbin/mount_smbfs
/sbin/mount_std
/sbin/mount_umap
/sbin/mount_union
/sbin/mountd
/sbin/newfs
/sbin/umount
/usr/bin/make
/usr/lib/libc.a
/usr/lib/libc.so.4
/usr/lib/libc_p.a
/usr/lib/libc_pic.a
/usr/lib/libc_r.a
/usr/lib/libc_r.so.4
/usr/lib/libc_r_p.a
/usr/libexec/lukemftpd
/usr/libexec/sftp-server
/usr/sbin/config
/usr/sbin/pkg_add
/usr/sbin/sshd

In FreeBSD 4.8, the same binaries were affected, with the exception of /sbin/mount_kernfs (no longer installed), /usr/bin/make (no longer uses realpath), and /usr/libexec/lukemftpd (no longer installed).

Colin Percival
Mike Hoskins wrote:
>... but I can also see KISS. If you add more data than
>absolutely needed, confusion may also arise...
>
>> I think that if one takes the `Affects' lines (and the rest of the
>> advisory) at face value, without second-guessing, that it is crystal
>> clear what versions of FreeBSD are affected.

Along those lines it might be worth moving Affects: to the top of advisories page format, ahead of Credits:, Announced:, Module:, and Category:. A "REL-Advisories" list would also be helpful to those of us who don't use beta releases (aka -STABLE).

-- 
Roger Marquis
Roble Systems Consulting http://www.roble.com/