Message-Id: <200003230450.NAA19824@mail.geocities.co.jp>
To: doc-jp@jp.freebsd.org
Date: Thu, 23 Mar 2000 13:27:06 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
Subject: [doc-jp 7195] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:07.mh

This is Sato at Tokyo University of Science.

 Here is the Japanese translation of SA-00:07.mh.

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)

 This mail is a Japanese translation of the following message,
 which was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:07.mh [REVISED]
  From: FreeBSD Security Officer <security-officer@freebsd.org>
  Date: Sun, 19 Mar 2000 22:31:45 -0800 (PST)
  Message-Id: <20000320063145.8E1A037B528@hub.freebsd.org>
  X-Sequence: announce-jp 404

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,(B
 $B;29M$N$?$a$KDs6!$9$k$b$N$G(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B $B$=$NFbMF$K$D$$$F(B
 $B$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B. $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B,
 doc-jp@jp.freebsd.org $B$^$G$*4j$$$7$^$9(B.

--(begins here)

=============================================================================
FreeBSD-SA-00:07                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	mh/nmh/exmh/exmh2 ports allow remote execution of binary code

$BJ,N`(B:           ports
$B%b%8%e!<%k(B:     mh/nmh/exmh/exmh2
$B9pCNF|(B:         2000-03-15
$B2~D{F|(B:	        2000-03-19
$B1F6AHO0O(B:       $B=$@5F|0JA0$N(B Ports collection
$B=$@5F|(B:         [$B0J2<$K$"$k>\:Y$J5-=R$r$4Mw$/$@$5$$(B]
		4.0-RELEASE $B$G$O$9$Y$F=$@5:Q$_$G$9(B.
		mh: 2000-03-04
		nmh: 2000-02-29
		exmh: 2000-03-05
		exmh2: 2000-03-05
FreeBSD $B$K8GM-$+(B:   NO

I.   $BGX7J(B - Background

MH and its successor NMH are popular Mail User Agents. EXMH and EXMH2 are
TCL/TK-based front-ends to the MH system. There are also Japanese-language
versions of the MH and EXMH2 ports, but these are developed separately and are
not vulnerable to the problem described here.

MH $B$*$h$S!"$=$N8e7Q$G$"$k(B NMH $B$O!"M-L>$J%a!<%k%f!<%6%(!<%8%'%s%H$G$9!#(B
$B$^$?!"(BEXMH $B$H(B EXMH2 $B$O!"(BTCL/TK $B$r4pK\$H$7$?(B MH $B%7%9%F%`$N%U%m%s%H%(%s%I$G$9!#(B
$BF|K\8lHG(B MH, EXMH2 $B$N(B port $B$bB8:_$7$^$9$,!"$=$l$i$OJL8D$K3+H/$5$l$F$$$k$?$a!"(B
$B$3$3$G=R$Y$i$l$F$$$kLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s!#(B

II.  $BLdBj$N>\:Y(B - Problem Description

The mhshow command used for viewing MIME attachments contains a buffer
overflow which can be exploited by a specially-crafted email attachment,
which will allow the execution of arbitrary code as the local user when the
attachment is opened.

mhshow $B%3%^%s%I$O!"(BMIME attachments ($BLuCm(B: $B$$$o$f$kE:IU%U%!%$%k$N$3$H!#(B
$B0J2<!"(Battachments $B$r!VE:IU%U%!%$%k!W$HI=5-$7$^$9(B) $B$NI=<($K;H$o$l$^$9!#(B
$B$3$N%3%^%s%I$K$O!"FCJL$K$D$/$i$l$?%a!<%kE:IU%U%!%$%k$K$h$C$F(B exploit $B2DG=$J(B
$B%P%C%U%!%*!<%P%U%m!<LdBj$,$"$j$^$9!#$=$N$?$a!"E:IU%U%!%$%k$r3+$/:]$K!"(B
$B%m!<%+%k%f!<%6$N8"8B$GG$0U$N%3!<%I$r<B9T$9$k$3$H$,2DG=$G$9!#(B

The *MH ports are not installed by default, nor are they "part of
FreeBSD" as such: they are part of the FreeBSD ports collection, which
contains over 3100 third-party applications in a ready-to-install
format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to
this problem.

*MH $B$N(B port $B$O!"%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/!"(B
FreeBSD $B%7%9%F%`$N0lIt$r9=@.$9$k$b$N$G$b$"$j$^$;$s!#(B
$B$=$l$i$O!"(B3100 $B$rD6$($k%5!<%I%Q!<%F%#@=$N%"%W%j%1!<%7%g%s$,(B
$B$9$0$K%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B
FreeBSD Ports Collection $B$N0lIt$G$9!#(BFreeBSD 4.0-RELEASE $B$K4^$^$l$k(B
Ports Collection $B$K$O!"$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s!#(B

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B). $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$K(B
$BBP$7$FBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B. 

III. $B1F6AHO0O(B - Impact

An attacker who can convince a user to open a hostile MIME attachment sent
as part of an email message can execute arbitrary binary code running with
the privileges of that user.

If an attacker can get the receiving user to open a malicious MIME attachment
sent as part of an email message, arbitrary code can be executed with the
privileges of the user who opened the file.

If you have not chosen to install any of the mh/nmh/exmh/exmh2
ports/packages, then your system is not vulnerable.

mh/nmh/exmh/exmh2 $B$N(B port $B$b$7$/$O(B package $B$r0l$D$b%$%s%9%H!<%k$7$F$$$J$1$l$P!"(B
$B%7%9%F%`$K%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s!#(B

The Japanese-language version of MH is being actively developed and is
believed to have fixed this particular problem over a year ago. Consequently
the ja-mh and ja-exmh2 ports are not believed to be vulnerable to this problem.

$BF|K\8lHG(B MH $B$O3hH/$K3+H/$,B3$1$i$l$F$*$j!"$3$NLdBj$O:rG/$N$&$A$K(B
$B=$@5$5$l$F$$$^$9!#$7$?$,$C$F!"(Bja-mh $B$*$h$S(B ja-exmh2 $B$N(B port $B$O!"(B
$B$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$OB8:_$7$J$$$H9M$($i$l$^$9!#(B

IV.  $BBP1~:v(B - Workaround

1) Remove the mhshow binary, located in /usr/local/bin/mhshow. This will
prevent the viewing of MIME attachments from within *mh.

2) Remove the mh/nmh/exmh/exmh2 ports, if you have installed them.

1) /usr/local/bin/mhshow $B$K$"$k(B mhshow $B$N%P%$%J%j%U%!%$%k$r:o=|$7$F2<$5$$!#(B
   $B$3$l$K$h$j!"(B*mh $B$G(B MIME $BE:IU%U%!%$%k$r1\Mw$9$k$3$H$O$G$-$J$/$J$j$^$9!#(B

2) mh/nmh/exmh/exmh2 $B$N(B port $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$K$O!"(B
   $B$=$l$i$r:o=|$7$F2<$5$$!#(B

V.   $B=$@5=hCV(B - Solution

The English language version of the MH software is no longer actively
developed, and no fix is currently available. It is unknown whether a fix
to the problem will be forthcoming - consider upgrading to use NMH instead,
which is the designated successor of the MH software. EXMH and EXMH2 can
both be compiled to use NMH instead (this is now the default behaviour). It
is not necessary to recompile EXMH/EXMH2 after reinstalling NMH.

$B1Q8lHG$N(B MH $B$O$9$G$K3hH/$J3+H/$,=*N;$7$F$$$k$?$a!"8=:_$N$H$3$m(B
$B=$@5HG$OB8:_$7$^$;$s!#$^$?!">-MhE*$K=$@5HG$,3+H/$5$l$k$+$I$&$+$bITL@$G$9!#(B
$B$=$N$?$a!"(BMH $B$rMxMQ$9$k$N$G$O$J$/!"(BNMH $B$K99?7$9$k$3$H$r8!F$$7$F2<$5$$!#(B
NMH $B$O(B MH $B$N8e7Q$H$7$F@_7W$5$l$?%=%U%H%&%'%"$G$9!#(BEXMH $B$H(B EXMH2 $B$O!"(B
$BN>J}$H$b(B MH $B$NBe$o$j$K(B NMH $B$rMxMQ$7$F%3%s%Q%$%k$9$k$3$H$,$G$-$^$9(B($B8=:_$N(B
$B%G%U%)%k%H$b$=$&$J$C$F$$$^$9(B)$B!#$^$?!"(BNMH $B$r:F%$%s%9%H!<%k$7$?>l9g$K$O!"(B
$B%$%s%9%H!<%k8e$K(B EXMH/EXMH2 $B$r:F%3%s%Q%$%k$9$kI,MW$O$"$j$^$;$s!#(B

SOLUTION: Remove any old versions of the mail/mh or mail/nmh ports and
perform one of the following:

1) Upgrade your entire ports collection and rebuild the mail/nmh port.

2) Reinstall a new package obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz

3) Download a new port skeleton for the nmh port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

$B=$@5=hCV(B:
    mail/mh $B$b$7$/$O(B mail/nmh $B$N5l%P!<%8%g%s$N(B port $B$r$9$Y$F:o=|$7!"(B
    $B<!$N$$$:$l$+$N<j=g$K=>$C$F$/$@$5$$!#(B

1) Ports Collection $BA4BN$r99?7$7$F!"(Bmail/nmh $B$N(B port $B$r:F%3%s%Q%$%k$9$k!#(B

2) $B0J2<$N>l=j$+$i?7$7$$(B package $B$rF~<j$7$F%$%s%9%H!<%k$9$k!#(B

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz

3) Download a new port skeleton for nmh from the following location
   and use it to recompile the nmh port.

http://www.freebsd.org/ports/

4) portcheckout $B%f!<%F%#%j%F%#$r;H$&$H(B, $B>e5-(B (3) $B$r<+F0E*$K(B
   $B9T$J$&$3$H$,$G$-$^$9(B.  portcheckout $B$O(B,
   /usr/ports/devel/portcheckout $B$d(B, $B0J2<$N>l=j$+$iF~<j2DG=$G$9(B. 

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

VI.   $B99?7MzNr(B - Revision history

v1.0  2000-03-15   Initial release
v1.1  2000-03-19   Update to note that the Japanese-localized ports are not
                   vulnerable

v1.0  2000-03-15   $B=iHG$N8x3+(B
v1.1  2000-03-19   $BF|K\8lHG(B ports $B$K$O%;%-%e%j%F%#>e$N<eE@$,(B
                   $BB8:_$7$J$$$3$H$K4X$9$kCm5-$NDI2C(B
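
A triage sketch for the workaround and solution steps above, added here as an example; it is not part of the advisory or of any FreeBSD tool. It assumes package names of the form name-version (as in nmh-1.0.3.tgz) and treats any nmh older than 1.0.3 as needing the upgrade; the sample names and versions are constructed.

```shell
#!/bin/sh
# Added example: triage installed package names against FreeBSD-SA-00:07.mh.
FIXED_NMH="1.0.3"   # version of the replacement nmh package the advisory names

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "_1"
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# classify_pkg NAME-VERSION: print the action the advisory implies.
classify_pkg() {
    case $1 in
        ja-mh-*|ja-exmh2-*) echo "not-affected" ;;      # developed separately
        mh-*)               echo "replace-with-nmh" ;;  # no fix for English MH
        nmh-*)
            # Assumption: anything older than the named package needs upgrading.
            if version_lt "${1#nmh-}" "$FIXED_NMH"; then echo "upgrade"
            else echo "at-fixed-version"; fi ;;
        exmh-*|exmh2-*)     echo "front-end" ;;         # uses the installed MH/NMH
        *)                  echo "unrelated" ;;
    esac
}

# mhshow_present [PATH]: workaround 1 removes this binary.
mhshow_present() { [ -e "${1:-/usr/local/bin/mhshow}" ]; }

# triage: read package names on stdin, print "name: action".
triage() {
    while read -r p; do
        [ -n "$p" ] && echo "$p: $(classify_pkg "$p")"
    done
    return 0
}

# Constructed sample names and versions, not output from a real host.
triage <<'EOF'
mh-6.8.4
nmh-1.0.2
nmh-1.0.3
ja-mh-6.8.4
exmh2-2.1.1
EOF
if mhshow_present; then echo "mhshow still installed: workaround 1 not applied"; fi
```

A package at the fixed version number can still predate the port's correction date, so compare its build date with the dates listed in the advisory header.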
