FreeBSD Security Advisories
2003-Aug-05 05:03 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================FreeBSD-SA-03:08.realpath Security Advisory The FreeBSD Project Topic: Single byte buffer overflow in realpath(3) Category: core Module: libc Announced: 2003-08-03 Credits: Janusz Niewiadomski <funkysh@isec.pl>, Wojciech Purczynski <cliph@isec.pl>, CERT/CC Affects: All releases of FreeBSD up to and including 4.8-RELEASE and 5.0-RELEASE FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC Corrected: 2003-08-03 23:46:24 UTC (RELENG_5_0) 2003-08-03 23:43:43 UTC (RELENG_4_8) 2003-08-03 23:44:12 UTC (RELENG_4_7) 2003-08-03 23:44:36 UTC (RELENG_4_6) 2003-08-03 23:44:56 UTC (RELENG_4_5) 2003-08-03 23:45:41 UTC (RELENG_4_4) 2003-08-03 23:46:03 UTC (RELENG_4_3) 2003-08-03 23:47:39 UTC (RELENG_3) FreeBSD only: NO 0. Revision History v1.0 2003-08-03 Initial release v1.1 2003-08-04 Updated information for lukemftpd I. Background The realpath(3) function is used to determine the canonical, absolute pathname from a given pathname which may contain extra ``/'' characters, references to ``/./'' or ``/../'', or references to symbolic links. The realpath(3) function is part of the FreeBSD Standard C Library. II. Problem Description An off-by-one error exists in a portion of realpath(3) that computes the length of the resolved pathname. As a result, if the resolved path name is exactly 1024 characters long and contains at least two directory separators, the buffer passed to realpath(3) will be overwritten by a single NUL byte. III. Impact Applications using realpath(3) MAY be vulnerable to denial of service attacks, remote code execution, and/or privilege escalation. The impact on an individual application is highly dependent upon the source of the pathname passed to realpath, the position of the output buffer on the stack, the architecture on which the application is running, and other factors. Within the FreeBSD base system, several applications use realpath(3). Two applications which are negatively impacted are: (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to process the MLST and MLSD commands. The vulnerability may be exploitable, leading to code execution with superuser privileges. lukemftpd(8) was installed (but not enabled) by default in 4.7-RELEASE and in 4-STABLE dated Jun 20 21:13:33 2002 UTC through Nov 12 17:32:47 2002 UTC. It is not built or installed by default in any other release. If the `-r' option to lukemftpd is used (as suggested by the example /etc/inetd.conf supplied in 4.7-RELEASE), then successful exploitation leads leads to code execution with the privileges of the authenticated user (rather than superuser privileges). (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process chdir commands. This vulnerability may be exploitable, leading to code execution with the privileges of the authenticated user. At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained the following applications which appear to use realpath(3). These applications have not been audited, and may or may not be vulnerable. There may be additional applications in the FreeBSD Ports Collection that use realpath(3), particularly statically-linked applications and applications added since 4.8-RELEASE. BitchX-1.0c19_1 Mowitz-0.2.1_1 XFree86-clients-4.3.0_1 abcache-0.14 aim-1.5.234 analog-5.24,1 anjuta-1.0.1_1 aolserver-3.4.2 argus-2.0.5 arm-rtems-gdb-5.2_1 avr-gdb-5.2.1 ccache-2.1.1 cdparanoia-3.9.8_4 cfengine-1.6.3_4 cfengine2-2.0.3 cmake-1.4.7 comserv-1.4.3 criticalmass-0.97 dedit-0.6.2.3_1 drweb_postfix-4.29.10a drweb-4.29.2 drweb_sendmail-4.29.10a edonkey-gui-gtk-0.5.0 enca-0.10.7 epic4-1.0.1_2 evolution-1.2.2_1 exim-3.36_1 exim-4.12_5 exim-ldap-4.12_5 exim-ldap2-4.12_5 exim-mysql-4.12_5 exim-postgresql-4.12_5 fam-2.6.9_2 fastdep-0.15 feh-1.2.4_1 ferite-0.99.6 fileutils-4.1_1 finfo-0.1 firebird-1.0.2 firebird-1.0.r2 frontpage-5.0.2.2623_1 galeon-1.2.8 galeon2-1.3.2_1 gdb-5.3_20030311 gdb-5.2.1_1 gdm2-2.4.1.3 gecc-20021119 gentoo-0.11.34 gkrellmvolume-2.1.7 gltron-0.61 global-4.5.1 gnat-3.15p gnomelibs-1.4.2_1 gprolog-1.2.16 gracula-3.0 gringotts-1.2.3 gtranslator-0.43_1 gvd-1.2.5 hercules-2.16.5 hte-0.7.0 hugs98-200211 i386-rtems-gdb-5.2_1 i960-rtems-gdb-5.2_1 installwatch-0.5.6 ivtools-1.0.6 ja-epic4-1.0.1_2 ja-gnomelibs-1.4.2_1 ja-msdosfs-20001027 ja-samba-2.2.7a.j1.1_1 kdebase-3.1_1 kdelibs-3.1 kermit-8.0.206 ko-BitchX-1.0c16_3 ko-msdosfs-20001027 leocad-0.73 libfpx-1.2.0.4_1 libgnomeui-2.2.0.1 libpdel-0.3.4 librep-0.16.1_1 linux-beonex-0.8.1 linux-divxplayer-0.2.0 linux-edonkey-gui-gtk-0.2.0.a.2002.02.22 linux-gnomelibs-1.2.8_2 linux-mozilla-1.2 linux-netscape-communicator-4.8 linux-netscape-navigator-4.8 linux-phoenix-0.3 linux_base-6.1_4 linux_base-7.1_2 lsh-1.5.1 lukemftpd-1.1_1 m68k-rtems-gdb-5.2_1 mips-rtems-gdb-5.2_1 mod_php4-4.3.1 moscow_ml-2.00_1 mozilla-1.0.2_1 mozilla-1.2.1_1,2 mozilla-1.2.1_2 mozilla-1.3b,1 mozilla-1.3b mozilla-embedded-1.0.2_1 mozilla-embedded-1.2.1_1,2 mozilla-embedded-1.3b,1 msyslog-1.08f_1 netraider-0.0.2 openag-1.1.1_1 openssh-portable-3.5p1_1 openssh-3.5 p5-PPerl-0.23 paragui-1.0.2_2 powerpc-rtems-gdb-5.2_1 psim-freebsd-5.2.1 ptypes-1.7.4 pure-ftpd-1.0.14 qiv-1.8 readlink-20010616 reed-5.4 rox-1.3.6_1 rox-session-0.1.18_1 rpl-1.4.0 rpm-3.0.6_6 samba-2.2.8 samba-3.0a20 scrollkeeper-0.3.11_8,1 sh-rtems-gdb-5.2_1 sharity-light-1.2_1 siag-3.4.10 skipstone-0.8.3 sparc-rtems-gdb-5.2_1 squeak-2.7 squeak-3.2 swarm-2.1.1 tcl-8.2.3_2 tcl-8.3.5 tcl-8.4.1,1 tcl-thread-8.1.b1 teTeX-2.0.2_1 wine-2003.02.19 wml-2.0.8 worker-2.7.0 xbubble-0.2 xerces-c2-2.1.0_1 xerces_c-1.7.0 xnview-1.50 xscreensaver-gnome-4.08 xscreensaver-4.08 xworld-2.0 yencode-0.46_1 zh-cle_base-0.9p1 zh-tcl-8.3.0 zh-tw-BitchX-1.0c19_3 zh-ve-1.0 zh-xemacs-20.4_1 IV. Workaround There is no generally applicable workaround. OpenSSH's sftp-server(8) may be disabled by editing /etc/ssh/sshd_config and commenting out the following line by inserting a `#' as the first character: Subsystem sftp /usr/libexec/sftp-server lukemftpd(8) may be replaced by the default ftpd(8). V. Solution 1) Upgrade your vulnerable system to 4.8-STABLE or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8 (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches dated after the respective correction dates. 2) To patch your present system: a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. The following patch has been tested to apply to all FreeBSD 4.x releases and to FreeBSD 5.0-RELEASE. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your operating system as described in <URL:http://www.freebsd.org/doc/handbook/makeworld.html>. NOTE WELL: Any statically linked applications that are not part of the base system (i.e. from the Ports Collection or other 3rd-party sources) must be recompiled. All affected applications must be restarted for them to use the corrected library. Though not required, rebooting may be the easiest way to accomplish this. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_3 src/lib/libc/stdlib/realpath.c 1.6.2.1 RELENG_4_3 src/UPDATING 1.73.2.28.2.32 src/lib/libc/stdlib/realpath.c 1.9.4.1 src/sys/conf/newvers.sh 1.44.2.14.2.22 RELENG_4_4 src/UPDATING 1.73.2.43.2.45 src/lib/libc/stdlib/realpath.c 1.9.6.1 src/sys/conf/newvers.sh 1.44.2.17.2.36 RELENG_4_5 src/UPDATING 1.73.2.50.2.44 src/lib/libc/stdlib/realpath.c 1.9.8.1 src/sys/conf/newvers.sh 1.44.2.20.2.28 RELENG_4_6 src/UPDATING 1.73.2.68.2.42 src/lib/libc/stdlib/realpath.c 1.9.10.1 src/sys/conf/newvers.sh 1.44.2.23.2.31 RELENG_4_7 src/UPDATING 1.73.2.74.2.14 src/lib/libc/stdlib/realpath.c 1.9.12.1 src/sys/conf/newvers.sh 1.44.2.26.2.13 RELENG_4_8 src/UPDATING 1.73.2.80.2.3 src/lib/libc/stdlib/realpath.c 1.9.14.1 src/sys/conf/newvers.sh 1.44.2.29.2.2 RELENG_5_0 src/UPDATING 1.229.2.14 src/lib/libc/stdlib/realpath.c 1.11.2.1 src/sys/conf/newvers.sh 1.48.2.9 - ------------------------------------------------------------------------- VII. References <URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt> <URL:http://www.kb.cert.org/vuls/id/743092> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/L5wUFdaIBMps37IRAiY7AJ9k0TOFUzlwC5rHbax4bXa8lluyFACfc82w xpJrfCeDU4qOs8q33dXSsvw=5z4e -----END PGP SIGNATURE-----
FreeBSD Security Advisories
2003-Aug-05 05:03 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================FreeBSD-SA-03:08.realpath Security Advisory The FreeBSD Project Topic: Single byte buffer overflow in realpath(3) Category: core Module: libc Announced: 2003-08-03 Credits: Janusz Niewiadomski <funkysh@isec.pl>, Wojciech Purczynski <cliph@isec.pl>, CERT/CC Affects: All releases of FreeBSD up to and including 4.8-RELEASE and 5.0-RELEASE FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC Corrected: 2003-08-03 23:46:24 UTC (RELENG_5_0) 2003-08-03 23:43:43 UTC (RELENG_4_8) 2003-08-03 23:44:12 UTC (RELENG_4_7) 2003-08-03 23:44:36 UTC (RELENG_4_6) 2003-08-03 23:44:56 UTC (RELENG_4_5) 2003-08-03 23:45:41 UTC (RELENG_4_4) 2003-08-03 23:46:03 UTC (RELENG_4_3) 2003-08-03 23:47:39 UTC (RELENG_3) FreeBSD only: NO 0. Revision History v1.0 2003-08-03 Initial release v1.1 2003-08-04 Updated information for lukemftpd I. Background The realpath(3) function is used to determine the canonical, absolute pathname from a given pathname which may contain extra ``/'' characters, references to ``/./'' or ``/../'', or references to symbolic links. The realpath(3) function is part of the FreeBSD Standard C Library. II. Problem Description An off-by-one error exists in a portion of realpath(3) that computes the length of the resolved pathname. As a result, if the resolved path name is exactly 1024 characters long and contains at least two directory separators, the buffer passed to realpath(3) will be overwritten by a single NUL byte. III. Impact Applications using realpath(3) MAY be vulnerable to denial of service attacks, remote code execution, and/or privilege escalation. The impact on an individual application is highly dependent upon the source of the pathname passed to realpath, the position of the output buffer on the stack, the architecture on which the application is running, and other factors. Within the FreeBSD base system, several applications use realpath(3). Two applications which are negatively impacted are: (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to process the MLST and MLSD commands. The vulnerability may be exploitable, leading to code execution with superuser privileges. lukemftpd(8) was installed (but not enabled) by default in 4.7-RELEASE and in 4-STABLE dated Jun 20 21:13:33 2002 UTC through Nov 12 17:32:47 2002 UTC. It is not built or installed by default in any other release. If the `-r' option to lukemftpd is used (as suggested by the example /etc/inetd.conf supplied in 4.7-RELEASE), then successful exploitation leads leads to code execution with the privileges of the authenticated user (rather than superuser privileges). (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process chdir commands. This vulnerability may be exploitable, leading to code execution with the privileges of the authenticated user. At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained the following applications which appear to use realpath(3). These applications have not been audited, and may or may not be vulnerable. There may be additional applications in the FreeBSD Ports Collection that use realpath(3), particularly statically-linked applications and applications added since 4.8-RELEASE. BitchX-1.0c19_1 Mowitz-0.2.1_1 XFree86-clients-4.3.0_1 abcache-0.14 aim-1.5.234 analog-5.24,1 anjuta-1.0.1_1 aolserver-3.4.2 argus-2.0.5 arm-rtems-gdb-5.2_1 avr-gdb-5.2.1 ccache-2.1.1 cdparanoia-3.9.8_4 cfengine-1.6.3_4 cfengine2-2.0.3 cmake-1.4.7 comserv-1.4.3 criticalmass-0.97 dedit-0.6.2.3_1 drweb_postfix-4.29.10a drweb-4.29.2 drweb_sendmail-4.29.10a edonkey-gui-gtk-0.5.0 enca-0.10.7 epic4-1.0.1_2 evolution-1.2.2_1 exim-3.36_1 exim-4.12_5 exim-ldap-4.12_5 exim-ldap2-4.12_5 exim-mysql-4.12_5 exim-postgresql-4.12_5 fam-2.6.9_2 fastdep-0.15 feh-1.2.4_1 ferite-0.99.6 fileutils-4.1_1 finfo-0.1 firebird-1.0.2 firebird-1.0.r2 frontpage-5.0.2.2623_1 galeon-1.2.8 galeon2-1.3.2_1 gdb-5.3_20030311 gdb-5.2.1_1 gdm2-2.4.1.3 gecc-20021119 gentoo-0.11.34 gkrellmvolume-2.1.7 gltron-0.61 global-4.5.1 gnat-3.15p gnomelibs-1.4.2_1 gprolog-1.2.16 gracula-3.0 gringotts-1.2.3 gtranslator-0.43_1 gvd-1.2.5 hercules-2.16.5 hte-0.7.0 hugs98-200211 i386-rtems-gdb-5.2_1 i960-rtems-gdb-5.2_1 installwatch-0.5.6 ivtools-1.0.6 ja-epic4-1.0.1_2 ja-gnomelibs-1.4.2_1 ja-msdosfs-20001027 ja-samba-2.2.7a.j1.1_1 kdebase-3.1_1 kdelibs-3.1 kermit-8.0.206 ko-BitchX-1.0c16_3 ko-msdosfs-20001027 leocad-0.73 libfpx-1.2.0.4_1 libgnomeui-2.2.0.1 libpdel-0.3.4 librep-0.16.1_1 linux-beonex-0.8.1 linux-divxplayer-0.2.0 linux-edonkey-gui-gtk-0.2.0.a.2002.02.22 linux-gnomelibs-1.2.8_2 linux-mozilla-1.2 linux-netscape-communicator-4.8 linux-netscape-navigator-4.8 linux-phoenix-0.3 linux_base-6.1_4 linux_base-7.1_2 lsh-1.5.1 lukemftpd-1.1_1 m68k-rtems-gdb-5.2_1 mips-rtems-gdb-5.2_1 mod_php4-4.3.1 moscow_ml-2.00_1 mozilla-1.0.2_1 mozilla-1.2.1_1,2 mozilla-1.2.1_2 mozilla-1.3b,1 mozilla-1.3b mozilla-embedded-1.0.2_1 mozilla-embedded-1.2.1_1,2 mozilla-embedded-1.3b,1 msyslog-1.08f_1 netraider-0.0.2 openag-1.1.1_1 openssh-portable-3.5p1_1 openssh-3.5 p5-PPerl-0.23 paragui-1.0.2_2 powerpc-rtems-gdb-5.2_1 psim-freebsd-5.2.1 ptypes-1.7.4 pure-ftpd-1.0.14 qiv-1.8 readlink-20010616 reed-5.4 rox-1.3.6_1 rox-session-0.1.18_1 rpl-1.4.0 rpm-3.0.6_6 samba-2.2.8 samba-3.0a20 scrollkeeper-0.3.11_8,1 sh-rtems-gdb-5.2_1 sharity-light-1.2_1 siag-3.4.10 skipstone-0.8.3 sparc-rtems-gdb-5.2_1 squeak-2.7 squeak-3.2 swarm-2.1.1 tcl-8.2.3_2 tcl-8.3.5 tcl-8.4.1,1 tcl-thread-8.1.b1 teTeX-2.0.2_1 wine-2003.02.19 wml-2.0.8 worker-2.7.0 xbubble-0.2 xerces-c2-2.1.0_1 xerces_c-1.7.0 xnview-1.50 xscreensaver-gnome-4.08 xscreensaver-4.08 xworld-2.0 yencode-0.46_1 zh-cle_base-0.9p1 zh-tcl-8.3.0 zh-tw-BitchX-1.0c19_3 zh-ve-1.0 zh-xemacs-20.4_1 IV. Workaround There is no generally applicable workaround. OpenSSH's sftp-server(8) may be disabled by editing /etc/ssh/sshd_config and commenting out the following line by inserting a `#' as the first character: Subsystem sftp /usr/libexec/sftp-server lukemftpd(8) may be replaced by the default ftpd(8). V. Solution 1) Upgrade your vulnerable system to 4.8-STABLE or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8 (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches dated after the respective correction dates. 2) To patch your present system: a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. The following patch has been tested to apply to all FreeBSD 4.x releases and to FreeBSD 5.0-RELEASE. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your operating system as described in <URL:http://www.freebsd.org/doc/handbook/makeworld.html>. NOTE WELL: Any statically linked applications that are not part of the base system (i.e. from the Ports Collection or other 3rd-party sources) must be recompiled. All affected applications must be restarted for them to use the corrected library. Though not required, rebooting may be the easiest way to accomplish this. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_3 src/lib/libc/stdlib/realpath.c 1.6.2.1 RELENG_4_3 src/UPDATING 1.73.2.28.2.32 src/lib/libc/stdlib/realpath.c 1.9.4.1 src/sys/conf/newvers.sh 1.44.2.14.2.22 RELENG_4_4 src/UPDATING 1.73.2.43.2.45 src/lib/libc/stdlib/realpath.c 1.9.6.1 src/sys/conf/newvers.sh 1.44.2.17.2.36 RELENG_4_5 src/UPDATING 1.73.2.50.2.44 src/lib/libc/stdlib/realpath.c 1.9.8.1 src/sys/conf/newvers.sh 1.44.2.20.2.28 RELENG_4_6 src/UPDATING 1.73.2.68.2.42 src/lib/libc/stdlib/realpath.c 1.9.10.1 src/sys/conf/newvers.sh 1.44.2.23.2.31 RELENG_4_7 src/UPDATING 1.73.2.74.2.14 src/lib/libc/stdlib/realpath.c 1.9.12.1 src/sys/conf/newvers.sh 1.44.2.26.2.13 RELENG_4_8 src/UPDATING 1.73.2.80.2.3 src/lib/libc/stdlib/realpath.c 1.9.14.1 src/sys/conf/newvers.sh 1.44.2.29.2.2 RELENG_5_0 src/UPDATING 1.229.2.14 src/lib/libc/stdlib/realpath.c 1.11.2.1 src/sys/conf/newvers.sh 1.48.2.9 - ------------------------------------------------------------------------- VII. References <URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt> <URL:http://www.kb.cert.org/vuls/id/743092> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/L5wUFdaIBMps37IRAiY7AJ9k0TOFUzlwC5rHbax4bXa8lluyFACfc82w xpJrfCeDU4qOs8q33dXSsvw=5z4e -----END PGP SIGNATURE-----
Lewis Watson
2003-Aug-05 09:58 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
> NOTE WELL: Any statically linked applications that are not part of > the base system (i.e. from the Ports Collection or other 3rd-party > sources) must be recompiled. > > All affected applications must be restarted for them to use the > corrected library. Though not required, rebooting may be the easiest > way to accomplish this. >I have upgraded my 4.8 box to 4.8 p1. How do I verify what applications need to be patched and how do I make sure that the above noted statically linked applications are patched after I am done? Thanks a bunch! Lewis ----- Original Message ----- From: "FreeBSD Security Advisories" <security-advisories@freebsd.org> To: "FreeBSD Security Advisories" <security-advisories@freebsd.org> Sent: Tuesday, August 05, 2003 7:02 AM Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > >===========================================================================> FreeBSD-SA-03:08.realpath Security Advisory> The FreeBSDProject> > Topic: Single byte buffer overflow in realpath(3) > > Category: core > Module: libc > Announced: 2003-08-03 > Credits: Janusz Niewiadomski <funkysh@isec.pl>, > Wojciech Purczynski <cliph@isec.pl>, > CERT/CC > Affects: All releases of FreeBSD up to and including 4.8-RELEASE > and 5.0-RELEASE > FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC > Corrected: 2003-08-03 23:46:24 UTC (RELENG_5_0) > 2003-08-03 23:43:43 UTC (RELENG_4_8) > 2003-08-03 23:44:12 UTC (RELENG_4_7) > 2003-08-03 23:44:36 UTC (RELENG_4_6) > 2003-08-03 23:44:56 UTC (RELENG_4_5) > 2003-08-03 23:45:41 UTC (RELENG_4_4) > 2003-08-03 23:46:03 UTC (RELENG_4_3) > 2003-08-03 23:47:39 UTC (RELENG_3) > FreeBSD only: NO > > 0. Revision History > > v1.0 2003-08-03 Initial release > v1.1 2003-08-04 Updated information for lukemftpd > > I. Background > > The realpath(3) function is used to determine the canonical, > absolute pathname from a given pathname which may contain extra > ``/'' characters, references to ``/./'' or ``/../'', or references > to symbolic links. The realpath(3) function is part of the FreeBSD > Standard C Library. > > II. Problem Description > > An off-by-one error exists in a portion of realpath(3) that computes > the length of the resolved pathname. As a result, if the resolved > path name is exactly 1024 characters long and contains at least > two directory separators, the buffer passed to realpath(3) will be > overwritten by a single NUL byte. > > III. Impact > > Applications using realpath(3) MAY be vulnerable to denial of service > attacks, remote code execution, and/or privilege escalation. The > impact on an individual application is highly dependent upon the > source of the pathname passed to realpath, the position of the output > buffer on the stack, the architecture on which the application is > running, and other factors. > > Within the FreeBSD base system, several applications use realpath(3). > Two applications which are negatively impacted are: > > (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to > process the MLST and MLSD commands. The vulnerability may be > exploitable, leading to code execution with superuser privileges. > > lukemftpd(8) was installed (but not enabled) by default in > 4.7-RELEASE and in 4-STABLE dated Jun 20 21:13:33 2002 UTC through > Nov 12 17:32:47 2002 UTC. It is not built or installed by default > in any other release. > > If the `-r' option to lukemftpd is used (as suggested by the > example /etc/inetd.conf supplied in 4.7-RELEASE), then successful > exploitation leads leads to code execution with the privileges of > the authenticated user (rather than superuser privileges). > > (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process > chdir commands. This vulnerability may be exploitable, leading > to code execution with the privileges of the authenticated user. > > At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained > the following applications which appear to use realpath(3). These > applications have not been audited, and may or may not be vulnerable. > There may be additional applications in the FreeBSD Ports Collection > that use realpath(3), particularly statically-linked applications and > applications added since 4.8-RELEASE. > > BitchX-1.0c19_1 > Mowitz-0.2.1_1 > XFree86-clients-4.3.0_1 > abcache-0.14 > aim-1.5.234 > analog-5.24,1 > anjuta-1.0.1_1 > aolserver-3.4.2 > argus-2.0.5 > arm-rtems-gdb-5.2_1 > avr-gdb-5.2.1 > ccache-2.1.1 > cdparanoia-3.9.8_4 > cfengine-1.6.3_4 > cfengine2-2.0.3 > cmake-1.4.7 > comserv-1.4.3 > criticalmass-0.97 > dedit-0.6.2.3_1 > drweb_postfix-4.29.10a > drweb-4.29.2 > drweb_sendmail-4.29.10a > edonkey-gui-gtk-0.5.0 > enca-0.10.7 > epic4-1.0.1_2 > evolution-1.2.2_1 > exim-3.36_1 > exim-4.12_5 > exim-ldap-4.12_5 > exim-ldap2-4.12_5 > exim-mysql-4.12_5 > exim-postgresql-4.12_5 > fam-2.6.9_2 > fastdep-0.15 > feh-1.2.4_1 > ferite-0.99.6 > fileutils-4.1_1 > finfo-0.1 > firebird-1.0.2 > firebird-1.0.r2 > frontpage-5.0.2.2623_1 > galeon-1.2.8 > galeon2-1.3.2_1 > gdb-5.3_20030311 > gdb-5.2.1_1 > gdm2-2.4.1.3 > gecc-20021119 > gentoo-0.11.34 > gkrellmvolume-2.1.7 > gltron-0.61 > global-4.5.1 > gnat-3.15p > gnomelibs-1.4.2_1 > gprolog-1.2.16 > gracula-3.0 > gringotts-1.2.3 > gtranslator-0.43_1 > gvd-1.2.5 > hercules-2.16.5 > hte-0.7.0 > hugs98-200211 > i386-rtems-gdb-5.2_1 > i960-rtems-gdb-5.2_1 > installwatch-0.5.6 > ivtools-1.0.6 > ja-epic4-1.0.1_2 > ja-gnomelibs-1.4.2_1 > ja-msdosfs-20001027 > ja-samba-2.2.7a.j1.1_1 > kdebase-3.1_1 > kdelibs-3.1 > kermit-8.0.206 > ko-BitchX-1.0c16_3 > ko-msdosfs-20001027 > leocad-0.73 > libfpx-1.2.0.4_1 > libgnomeui-2.2.0.1 > libpdel-0.3.4 > librep-0.16.1_1 > linux-beonex-0.8.1 > linux-divxplayer-0.2.0 > linux-edonkey-gui-gtk-0.2.0.a.2002.02.22 > linux-gnomelibs-1.2.8_2 > linux-mozilla-1.2 > linux-netscape-communicator-4.8 > linux-netscape-navigator-4.8 > linux-phoenix-0.3 > linux_base-6.1_4 > linux_base-7.1_2 > lsh-1.5.1 > lukemftpd-1.1_1 > m68k-rtems-gdb-5.2_1 > mips-rtems-gdb-5.2_1 > mod_php4-4.3.1 > moscow_ml-2.00_1 > mozilla-1.0.2_1 > mozilla-1.2.1_1,2 > mozilla-1.2.1_2 > mozilla-1.3b,1 > mozilla-1.3b > mozilla-embedded-1.0.2_1 > mozilla-embedded-1.2.1_1,2 > mozilla-embedded-1.3b,1 > msyslog-1.08f_1 > netraider-0.0.2 > openag-1.1.1_1 > openssh-portable-3.5p1_1 > openssh-3.5 > p5-PPerl-0.23 > paragui-1.0.2_2 > powerpc-rtems-gdb-5.2_1 > psim-freebsd-5.2.1 > ptypes-1.7.4 > pure-ftpd-1.0.14 > qiv-1.8 > readlink-20010616 > reed-5.4 > rox-1.3.6_1 > rox-session-0.1.18_1 > rpl-1.4.0 > rpm-3.0.6_6 > samba-2.2.8 > samba-3.0a20 > scrollkeeper-0.3.11_8,1 > sh-rtems-gdb-5.2_1 > sharity-light-1.2_1 > siag-3.4.10 > skipstone-0.8.3 > sparc-rtems-gdb-5.2_1 > squeak-2.7 > squeak-3.2 > swarm-2.1.1 > tcl-8.2.3_2 > tcl-8.3.5 > tcl-8.4.1,1 > tcl-thread-8.1.b1 > teTeX-2.0.2_1 > wine-2003.02.19 > wml-2.0.8 > worker-2.7.0 > xbubble-0.2 > xerces-c2-2.1.0_1 > xerces_c-1.7.0 > xnview-1.50 > xscreensaver-gnome-4.08 > xscreensaver-4.08 > xworld-2.0 > yencode-0.46_1 > zh-cle_base-0.9p1 > zh-tcl-8.3.0 > zh-tw-BitchX-1.0c19_3 > zh-ve-1.0 > zh-xemacs-20.4_1 > > IV. Workaround > > There is no generally applicable workaround. > > OpenSSH's sftp-server(8) may be disabled by editing > /etc/ssh/sshd_config and commenting out the following line by > inserting a `#' as the first character: > > Subsystem sftp /usr/libexec/sftp-server > > lukemftpd(8) may be replaced by the default ftpd(8). > > V. Solution > > 1) Upgrade your vulnerable system to 4.8-STABLE > or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8 > (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches > dated after the respective correction dates. > > 2) To patch your present system: > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. The following patch > has been tested to apply to all FreeBSD 4.x releases and to FreeBSD > 5.0-RELEASE. > > # fetchftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch> # fetchftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc> > b) Apply the patch. > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your operating system as described in > <URL:http://www.freebsd.org/doc/handbook/makeworld.html>. > > NOTE WELL: Any statically linked applications that are not part of > the base system (i.e. from the Ports Collection or other 3rd-party > sources) must be recompiled. > > All affected applications must be restarted for them to use the > corrected library. Though not required, rebooting may be the easiest > way to accomplish this. > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > BranchRevision> Path > - -------------------------------------------------------------------------> RELENG_3 > src/lib/libc/stdlib/realpath.c1.6.2.1> RELENG_4_3 > src/UPDATING1.73.2.28.2.32> src/lib/libc/stdlib/realpath.c1.9.4.1> src/sys/conf/newvers.sh1.44.2.14.2.22> RELENG_4_4 > src/UPDATING1.73.2.43.2.45> src/lib/libc/stdlib/realpath.c1.9.6.1> src/sys/conf/newvers.sh1.44.2.17.2.36> RELENG_4_5 > src/UPDATING1.73.2.50.2.44> src/lib/libc/stdlib/realpath.c1.9.8.1> src/sys/conf/newvers.sh1.44.2.20.2.28> RELENG_4_6 > src/UPDATING1.73.2.68.2.42> src/lib/libc/stdlib/realpath.c1.9.10.1> src/sys/conf/newvers.sh1.44.2.23.2.31> RELENG_4_7 > src/UPDATING1.73.2.74.2.14> src/lib/libc/stdlib/realpath.c1.9.12.1> src/sys/conf/newvers.sh1.44.2.26.2.13> RELENG_4_8 > src/UPDATING1.73.2.80.2.3> src/lib/libc/stdlib/realpath.c1.9.14.1> src/sys/conf/newvers.sh1.44.2.29.2.2> RELENG_5_0 > src/UPDATING1.229.2.14> src/lib/libc/stdlib/realpath.c1.11.2.1> src/sys/conf/newvers.sh1.48.2.9> - -------------------------------------------------------------------------> > VII. References > > <URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt> > <URL:http://www.kb.cert.org/vuls/id/743092> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.2 (FreeBSD) > > iD8DBQE/L5wUFdaIBMps37IRAiY7AJ9k0TOFUzlwC5rHbax4bXa8lluyFACfc82w > xpJrfCeDU4qOs8q33dXSsvw> =5z4e > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to"freebsd-security-notifications-unsubscribe@freebsd.org">
Jacques A. Vidrine
2003-Aug-05 11:40 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
On Tue, Aug 05, 2003 at 11:58:33AM -0500, Lewis Watson wrote:> I have upgraded my 4.8 box to 4.8 p1. How do I verify what applications > need to be patchedRecompiling static applications is the only sure-fire way. You may be able to use ident(1) to determine if a statically-linked application uses realpath, but probably not. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Jacques A. Vidrine
2003-Aug-12 15:49 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
[Follow-ups set to freebsd-security@. Folks there might be around to help you, while I'm gone for the evening :-) ] On Tue, Aug 12, 2003 at 05:40:29PM -0500, Chris Byrnes wrote:> Sorry to bother you, but not sure what the problem is.. > > awww# fetch > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch > Receiving realpath.patch (691 bytes): 100% > 691 bytes transferred in 0.0 seconds (39.62 kBps) > awww# patch < realpath.patch > Hmm... Looks like a new-style context diff to me... > The text leading up to this was: > -------------------------- > |Index: lib/libc/stdlib/realpath.c > |==================================================================> |RCS file: /home/ncvs/src/lib/libc/stdlib/realpath.c,v > |retrieving revision 1.9 > |diff -c -c -r1.9 realpath.c > |*** lib/libc/stdlib/realpath.c 27 Jan 2000 23:06:50 -0000 1.9 > |--- lib/libc/stdlib/realpath.c 3 Aug 2003 17:21:20 -0000 > -------------------------- > Patching file lib/libc/stdlib/realpath.c using Plan A... > Hunk #1 failed at 138. > 1 out of 1 hunks failed--saving rejects to lib/libc/stdlib/realpath.c.rej > done > awww# > > Any ideas? Thank you for your help!You did not indicate what version of FreeBSD you are attempting to patch. Is it one of the versions indicated as affected in the advisory? (copied here for your convenience)> Affects: All releases of FreeBSD up to and including 4.8-RELEASE > and 5.0-RELEASE > FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTCCheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Reasonably Related Threads
- FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
- What's the thing? FreeBSD Security AdvisoryFreeBSD-SA-03:08.realpath (fwd)
- FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
- FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
- Checking realpath file up to date