From owner-announce-jp@jp.freebsd.org  Mon May 22 09:11:18 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id JAA17422;
	Mon, 22 May 2000 09:11:18 +0900 (JST)
	(envelope-from owner-announce-jp@jp.FreeBSD.org)
Message-Id: <200005211515.AAA28116@mail.geocities.co.jp>
To: announce-jp@jp.freebsd.org
In-Reply-To: <20000509192049.5712437BFB7@hub.freebsd.org>
References: <20000509192049.5712437BFB7@hub.freebsd.org>
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sun, 21 May 2000 23:35:09 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 171
X-ML-maintainer: owner-announce-jp@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: announce-jp 442
Subject: Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:17.libmytinfo
Errors-To: owner-announce-jp@jp.freebsd.org
Sender: owner-announce-jp@jp.freebsd.org


 This mail is a Japanese translation of the following message, which was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo
  From: FreeBSD Security Officer <security-officer@freebsd.org>
  Date: Tue,  9 May 2000 12:20:49 -0700 (PDT)
  Message-Id: <20000509192049.5712437BFB7@hub.freebsd.org>
  X-Sequence: announce-jp 426


 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,;29M$N(B
 $B$?$a$KDs6!$9$k$b$N$G(B, doc-jp $B$O(B $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B.
 $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.freebsd.org $B$^$G$*4j$$$7$^$9(B.

--(from here)

=============================================================================
FreeBSD-SA-00:17                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:       Buffer overflow in libmytinfo may yield increased
		privileges with third-party software.

$BJ,N`(B:           core
$B%b%8%e!<%k(B:     libmytinfo
$B9pCNF|(B:         2000-05-09
$B1F6AHO0O(B:       $B=$@5F|0JA0$N(B FreeBSD 3.x
$B=$@5F|(B:         2000-04-25
FreeBSD $B$K8GM-$+(B:   Yes

$B=$@5%Q%C%A(B:     ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libmytinfo.patch

I.   $BGX7J(B - Background

libmytinfo $B$O(B ncurces $B$H$$$&(B, $B%F%-%9%H%b!<%II=<($N$?$a$N(B
$B%i%$%V%i%j$N0lIt$G$9(B.

II.  $BLdBj$N>\:Y(B - Problem Description

libmytinfo $B$O%f!<%6$KBP$7(B, TERMCAP $B4D6-JQ?t$r;H$C$F(B
$BBeBX$N(B termcap $B%U%!%$%k$d%(%s%H%j$r;XDj$9$k$3$H$r2DG=$K$7$^$9(B.
$B$7$+$7(B, $B$3$l$K$O0BA4$JJ}K!$,$H$i$l$F$*$i$:(B, $B%i%$%V%i%jFbIt$K(B
$B%P%C%U%!%*!<%P%U%m!<$r5/$3$92DG=@-$N$"$kItJ,$,B8:_$7$^$9(B.

$B$3$l$O(B, libmytinfo $B$H%j%s%/$5$l(B, setuid $B$b$7$/$O(B setgid $B$5$l$?(B
($B$D$^$j(B, $B<B9T;~$KDL>o$h$j$b9b$$FC8"$r;}$D$h$&$J(B)$B%P%$%J%j$K$*$$$F(B
$B%;%-%e%j%F%#>e$N<eE@$H$J$j$^$9(B.  $B$^$?(B, ncurses $B%P%$%J%j$r(B
$B<B9T$7$F$$$k%f!<%6$N4D6-$r%3%s%H%m!<%k$G$-$k%f!<%6$,B8:_$9$k(B
$BJ#;($J>u67$K$*$$$F$b(B, $B%;%-%e%j%F%#>e$N<eE@$H$J$k2DG=@-$,$"$k$G$7$g$&(B.

FreeBSD 3.x and earlier versions use a very old, modified version of the
ncurses library, which is therefore difficult to update while preserving
backwards compatibility. An updated version has been prepared for
FreeBSD 4.0, but there is no prospect of FreeBSD 3.x being updated.
Investigation is still ongoing into whether other vulnerabilities exist
in the ncurses source files.
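The defect described above is a field copy with no length bound. What follows is an added example, not code from libmytinfo or from the advisory: it models the copy of one delimiter-terminated field of an untrusted string (such as a TERMCAP value) into a fixed-size buffer, shows how to tell in advance that an unbounded loop would overrun the buffer, and shows the bounded form that the patch at the end of this advisory uses, extended with a truncation flag so that a caller can reject an entry that did not fit rather than match on its prefix. The buffer size MAX_LINE (256 here), the sample termcap path and the over-long field are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: size of the fixed destination buffer.
 * libmytinfo's real value lives in its own headers. */
#define MAX_LINE 256

/* Length of the field starting at s and ending at delim or NUL. This is
 * how many bytes an unbounded copy loop would write before the '\0'. */
size_t field_len(const char *s, char delim)
{
    size_t n = 0;
    while (s[n] != '\0' && s[n] != delim)
        n++;
    return n;
}

/* Returns 1 if an unbounded copy of this field into a bufsz-byte buffer
 * would overflow it (the field plus its terminator needs more than bufsz). */
int unbounded_copy_overflows(const char *s, char delim, size_t bufsz)
{
    return field_len(s, delim) + 1 > bufsz;
}

/* Bounded copy, the shape of the fix: stop at delim, at NUL, or when only
 * one byte is left for the terminator. Returns the bytes copied (without
 * the terminator). *truncated is set when the field did not fit, so the
 * caller can skip the entry instead of matching a truncated name. */
size_t copy_field_bounded(const char *s, char delim, char *buf, size_t bufsz,
                          int *truncated)
{
    size_t n = 0;
    if (bufsz == 0) {
        if (truncated)
            *truncated = 1;
        return 0;
    }
    while (s[n] != '\0' && s[n] != delim && n < bufsz - 1) {
        buf[n] = s[n];
        n++;
    }
    buf[n] = '\0';
    if (truncated)
        *truncated = (s[n] != '\0' && s[n] != delim);
    return n;
}

/* Constructed over-long field: MAX_LINE*4 - 1 'A' bytes and no delimiter,
 * the kind of value an untrusted environment variable could carry. */
const char *long_field(void)
{
    static char s[MAX_LINE * 4];
    memset(s, 'A', sizeof s - 1);
    s[sizeof s - 1] = '\0';
    return s;
}

/* Copy the over-long field through the bounded routine into a MAX_LINE
 * buffer followed by a canary byte. Returns 1 when the copy stopped at
 * MAX_LINE-1 bytes, reported truncation, and left the canary untouched. */
int long_field_truncates(void)
{
    char guarded[MAX_LINE + 1];
    int trunc = 0;
    size_t n;

    guarded[MAX_LINE] = 0x5a;   /* canary just past the destination buffer */
    n = copy_field_bounded(long_field(), ':', guarded, MAX_LINE, &trunc);
    return n == MAX_LINE - 1 && trunc == 1 && guarded[MAX_LINE] == 0x5a
           && strlen(guarded) == MAX_LINE - 1;
}

int main(void)
{
    char buf[MAX_LINE];
    int trunc = 0;
    /* Constructed sample: a termcap-style path list, first entry short. */
    const char *sample = "/usr/share/misc/termcap:/etc/termcap";
    size_t n = copy_field_bounded(sample, ':', buf, sizeof buf, &trunc);

    printf("first field: \"%s\" (%zu bytes, truncated=%d)\n", buf, n, trunc);
    printf("unbounded copy of the long field would overflow: %d\n",
           unbounded_copy_overflows(long_field(), ':', MAX_LINE));
    printf("bounded copy of the long field stays in bounds: %d\n",
           long_field_truncates());
    return 0;
}
```

The bound `n < bufsz - 1` is the same idea as the patch's `d - buf < MAX_LINE - 1`: it reserves the last byte for the terminator. The truncation flag is the addition a practitioner usually wants, because silently matching a cut-off name is a different bug from the overflow, just a quieter one.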

III. $B1F6AHO0O(B - Impact

$B$"$k<o$N(B setuid/setgid $B$5$l$?(B(FreeBSD ports/packages $B$r4^$a$?(B)$B%5!<%I(B
$B%Q!<%F%#@=%=%U%H%&%'%"$O(B, $BFC8"$rI,MW$H$9$k%j%=!<%9$r%m!<%+%k$+$i(B
$B0-MQ$G$-$k$H$$$&%;%-%e%j%F%#>e$N<eE@$H$J$k2DG=@-$,$"$j$^$9(B.  $BFC8"$r(B
$BI,MW$H$9$k%j%=!<%9$K$O(B, $B$?$H$($P%M%C%H%o!<%/%=%1%C%H(B, $BFC8"$rI,MW$H$9$k(B
$B%U%!%$%k%7%9%F%`$X$N%"%/%;%9$d(B(root $B%"%/%;%9$r4^$`(B)$B9b$$FC8"$rI,MW$H$9$k(B
$B%7%'%k%"%/%;%9$J$I$,$"$j$^$9(B.

FreeBSD $B$N%Y!<%9%7%9%F%`$K4^$^$l$k%W%m%0%i%`$K$O(B, $B$3$N%P%0$K$h$k(B
$B%;%-%e%j%F%#>e$N<eE@$OB8:_$7$J$$$H9M$($i$l$F$$$^$9(B.

FreeBSD 4.0 $B$r4^$`(B, $B$=$l0J9_$N(B FreeBSD $B$K$O(B, $B$3$NLdBj$K$h$k(B
$B%;%-%e%j%F%#>e$N<eE@$O!VB8:_$7$^$;$s!W(B.

IV.  $BBP1~:v(B - Workaround

libmytinfo $B$H%j%s%/$7$F$$$k(B setuid, setgid $B$5$l$?%P%$%J%j(B($B@EE*%j%s%/(B
$B$5$l$F$$$k$b$N$b4^$^$l$^$9(B)$B$r$9$Y$F:o=|$9$k$+(B, $B$=$l$>$l$N%U%!%$%k$+$i(B
setuid, setgid $BFC8"(B($BLuCm(B: setuid, setgid $B5v2DB0@-$N$3$H(B)$B$r:o=|$7$F$/$@$5$$(B.

$B0J2<$N<j=g$O(B, $B%7%9%F%`$K%$%s%9%H!<%k$5$l$F$$$k%U%!%$%k$N$&$A(B,
$B:o=|$b$7$/$O5v2DB0@-$NJQ99$,I,MW$J%P%$%J%j$rFCDj$9$k$?$a$N$b$N$G$9(B.
libmytinfo $B$K$O(B, $B$^$@H/8+$5$l$F$$$J$$%;%-%e%j%F%#>e$N<eE@$,B8:_$9$k(B
$B2DG=@-$,$"$j$^$9(B.  $B$=$N$?$a(B, $B2<$N%;%/%7%g%s(B V $B$G=R$Y$i$l$F$$$k$h$&$J(B
$B%7%9%F%`$N99?7$r9T$J$&$+$I$&$+$K4X$o$i$:(B, $B$3$ND4::$r9T$J$&J}$,(B
$BK>$^$7$$$G$7$g$&(B.  $BFC$K(B, $B%;%/%7%g%s(B V $B$K$"$k@EE*%j%s%/$K4X$9$k(B
$BCm0UE@$r;2>H$9$k$h$&$K$*4j$$$7$^$9(B.

$B$b$A$m$s(B, $BD4::Cf$K3:Ev$7$?%U%!%$%k$,(B, $B%m!<%+%k%7%9%F%`$K$*$1$k(B
$B@5>o$J1?MQ$KI,MW$J%U%!%$%k$G$"$k2DG=@-$b$"$j$^$9(B.  $B$=$N$h$&$J>l9g$K$O(B,
$B%U%!%$%k5v2DB0@-$+$i(B "o+x" $B$r<h$j=|$-(B, $BE,@Z$J%f!<%6%0%k!<%W$rMQ$$$F(B
$B$=$N%P%$%J%j$r<B9T$G$-$k%f!<%6$r@)8B$9$k0J30$K(B, $BM-8z$JBP:v$O$"$j$^$;$s(B.

1) Download the 'libfind.sh' script from:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh

Example using the fetch(1) command:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh
Receiving libfind.sh (460 bytes): 100%
460 bytes transferred in 0.0 seconds  (394.69 Kbytes/s)
#

2) Verify the md5 checksum and compare it against the following value.

# /sbin/md5 libfind.sh
MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b

3) Run the libfind script against the system.

# sh libfind.sh /

This script scans the entire system for setuid/setgid binaries that
link against libmytinfo. For each binary it reports, you need to
determine (using 'ls -l' and other tools) what security vulnerability
it presents in the local environment, for example whether it can be
exploited by local users to gain privileges.

4) Remove the binaries, or restrict the file permissions as appropriate.

V.   $B=$@5=hCV(B - Solution

FreeBSD 3.x $B%7%9%F%`$N>l9g$O=$@5F|0J9_$N(B 3.4-STABLE $B$K99?7$9$k$+(B,
$B%7%9%F%`$N%=!<%9%3!<%I$K%Q%C%A$rE,MQ$7$F:F9=C[$7$F$/$@$5$$(B.
$B$=$N8e(B, $B%;%/%7%g%s(B IV $B$K=q$+$l$F$$$k$H$*$j$K(B libfind $B%9%/%j%W%H$r(B
$B<B9T$7$F(B, $B@EE*%j%s%/$5$l$?$9$Y$F$N%P%$%J%j$rD4::$7$^$9(B(libfind
$B%9%/%j%W%H$O(B, $B3:Ev$9$k%P%$%J%j$r(B "STATIC" $B$HJs9p$7$^$9(B).
$B$=$l$i$O$9$Y$F:o=|(B, $B$b$7$/$O:F9=C[$9$k$+(B, $B%;%-%e%j%F%#>e$N<eE@$H(B
$B$J$i$J$$$h$&$K(B, $B%U%!%$%k$N5v2DB0@-$r@)8B$9$kI,MW$,$"$j$^$9(B($B$3$l$O(B,
$B@EE*%j%s%/$5$l$?%P%$%J%j$K(B, libmytinfo $B6&M-%i%$%V%i%j$N:F9=C[$N8z2L$,(B
$B8=$o$l$J$$$?$a$G$9(B).

$B8=:_$N%7%9%F%`$K=$@5%Q%C%A$rE,MQ$9$k$K$O(B, $B2<$K$"$k=$@5%Q%C%A$r%U%!%$%k$K(B
$BJ]B8$7(B, root $B8"8B$G0J2<$N%3%^%s%I$r<B9T$7$F$/$@$5$$(B.

cd /usr/src/lib/libmytinfo
patch < /path/to/patch/file
make all
make install

$B=$@5F|0JA0$N(B 3.x $B%7%9%F%`$KBP$9$k=$@5%Q%C%A$O0J2<$N$H$*$j$G$9(B.

  Index: findterm.c
  ===================================================================
  RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v
  retrieving revision 1.3
  diff -u -r1.3 findterm.c
  --- findterm.c	1997/08/13 01:21:36	1.3
  +++ findterm.c	2000/04/25 16:58:19
  @@ -242,7 +242,7 @@
   			} else {
   				s = path->file;
   				d = buf;
  -				while(*s != '\0' && *s != ':')
  +				while(*s != '\0' && *s != ':' && d - buf < MAX_LINE - 1)
   					*d++ = *s++;
   				*d = '\0';
   				if (_tmatch(buf, name)) {
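Review bot: the bound `d - buf < MAX_LINE - 1` keeps the trailing `*d = '\0'` in range only if `buf` is declared with exactly MAX_LINE bytes, and that declaration is outside this hunk's context; worth confirming before merging. Also, when the bound stops the loop early the rest of the over-long entry is silently dropped and `_tmatch(buf, name)` then runs against a truncated prefix; consider testing `*s` after the loop and skipping the entry when it is neither `'\0'` nor `':'`, rather than matching on a partial name.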
  @@ -259,7 +259,7 @@
   			} else {
   				s = path->file;
   				d = buf;
  -				while(*s != '\0' && *s != ',')
  +				while(*s != '\0' && *s != ',' && d - buf < MAX_LINE - 1)
   					*d++ = *s++;
   				*d = '\0';
   				if (_tmatch(buf, name)) {
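Review bot: this is the same bounded-copy loop as the hunk above with `','` as the delimiter instead of `':'`; factoring the two into one helper that takes the delimiter (and carries the same post-loop truncation check) would keep the bound from drifting between the two code paths the next time either is touched.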
