realpath(3) off-by-one error

-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2003-011
		 =================================

Topic:		off-by-one error in realpath(3)

Version:	NetBSD-current:	source prior to August 4, 2003
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected

Severity:	Possible remote buffer overrun/root compromise

Fixed:		NetBSD-current:		August 4, 2003
		NetBSD-1.6 branch:	August 5, 2003 (1.6.2 will include the fix)
		NetBSD-1.5 branch:	August 6, 2003


Abstract
========

The library function realpath(3) contained a string manipulation
mistake which could lead to a 1-byte buffer overrun.  realpath(3) is
used by important network daemons such as ftpd(8), so the
vulnerability could be remotely exploitable.

Note: The same error remained in a derived function in the distribution
of the wu-ftpd server (not part of NetBSD's base system).  This
information has been available to the general public for a matter of
days now.  Exploits have been released against wu-ftpd.  They are probably
being written against other affected services as well.  If you offer any
of the affected services, you are advised to patch your system
immediately.


Technical Details
=================

http://www.kb.cert.org/vuls/id/743092

Binaries in the NetBSD base system which use realpath(3) include:

/bin/systrace
/usr/libexec/ftpd (*)
/sbin/mount
/sbin/umount
/usr/sbin/mountd (*)
/usr/bin/ssh
/usr/sbin/sshd (*)
/usr/libexec/sftp-server (*)
/usr/sbin/bootpd (*)

Binaries marked (*) listen on network interfaces, and could be remotely
exploitable.


Solutions and Workarounds
=========================

To fix this vulnerability you will need to upgrade your libc.

The following instructions describe how to upgrade your libc
binaries by updating your source tree and rebuilding and
installing a new version of libc.

Note that all statically-linked binaries, such as the following, must be
rebuilt:
- binaries under /sbin and /bin for 1.5 and 1.6-based systems
- binaries under /rescue for NetBSD-current systems
- statically-linked binaries built by pkgsrc

Also, running instances of daemons must be restarted, if you do not plan
to reboot the machine after the update of libc.
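
One way to sort binaries into "rebuild" and "restart" after the update, as an added example that is not part of the advisory. It reads file(1) output and uses an mtime comparison against the newly installed libc.a as a heuristic; the triage and demo function names, the labels and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage binaries after installing the fixed libc.
# Input: file(1) output lines on stdin.  $1: reference file whose mtime marks
# the libc update (assumption: the freshly installed /usr/lib/libc.a).
#   REBUILD  static binary not newer than the reference: still embeds the old realpath(3)
#   REBUILT  static binary newer than the reference (mtime heuristic only)
#   RESTART  dynamic binary: running instances keep the old libc mapped
triage() {
	ref=$1
	while IFS= read -r line; do
		path=${line%%:*}
		case $line in
		*"statically linked"*)
			if [ "$path" -nt "$ref" ]; then
				echo "REBUILT $path"
			else
				echo "REBUILD $path"
			fi ;;
		*"dynamically linked"*)
			echo "RESTART $path" ;;
		esac	# anything else (scripts, text files) is ignored
	done
}

# Self-contained demo with constructed files and constructed file(1) lines.
demo() {
	d=$(mktemp -d) || return 1
	touch -t 200308010000 "$d/mount"	# built before the fix
	touch -t 200308050000 "$d/libc.a"	# fixed libc installed
	touch -t 200308060000 "$d/umount"	# rebuilt afterwards
	touch -t 200308010000 "$d/ftpd"
	triage "$d/libc.a" <<EOF | sed "s|$d/||"
$d/mount: ELF 32-bit LSB executable, statically linked, stripped
$d/umount: ELF 32-bit LSB executable, statically linked, stripped
$d/ftpd: ELF 32-bit LSB executable, dynamically linked (uses shared libs), stripped
$d/rc.conf: ASCII text
EOF
	rm -rf "$d"
}

# Live use (directories named in the advisory; add the pkgsrc prefix if used):
#   file /bin/* /sbin/* /rescue/* | triage /usr/lib/libc.a
demo
```

A RESTART line only means the binary is dynamically linked; whether a running instance predates the update still has to be checked against its start time.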


* NetBSD-current:

	Systems running NetBSD-current dated from before 2003-08-03
	should be upgraded to NetBSD-current dated 2003-08-04 or later.

	The following file needs to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/gen/getcwd.c

	To update from CVS, re-build, and re-install libc and rescue:
		# cd src
		# cvs update -d -P lib/libc/gen/getcwd.c

		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../../rescue
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		(then, reboot, or restart affected daemons)


* NetBSD 1.6, 1.6.1:

	The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.

	Systems running NetBSD 1.6 sources dated from before
	2003-08-04 should be upgraded from NetBSD 1.6 sources dated
	2003-08-05 or later.

	NetBSD 1.6.2 will include the fix.

	The following file needs to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc/gen/getcwd.c

	To update from CVS, re-build, and re-install libc and static
	binaries:

		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc/gen/getcwd.c

		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../../sbin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../bin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		(then, reboot, or restart affected daemons)

	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath.patch

	To patch, re-build and re-install libc, and static binaries:

		# cd src
		# patch < /path/to/SA2003-011-realpath.patch

		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../../sbin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../bin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		(then, reboot, or restart affected daemons)


	* Binary patch:

	To apply the binary patch, perform the following steps,
	replacing ARCH with the NetBSD architecture you are running
	(e.g. i386):

		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath/netbsd-1-6/ARCH-realpath.tgz
		# cd / && tar xzvpf /path/to/ARCH-realpath.tgz

	The tar file will extract new copies of:
		/usr/lib/libc.so.12.83.2
		/usr/lib/libc.so.12 (symlink to libc.so.12.83.2)
		/usr/lib/libc.a
		/usr/lib/libc_p.a
		/usr/lib/libc_pic.a
		/sbin/mount
		/sbin/umount

	Then, reboot, or restart affected daemons, so they use the new
	libc. Any statically linked binaries built against the old libc
	will still need to be recompiled.



* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	The binary distributions of NetBSD 1.5, 1.5.1, 1.5.2, and 1.5.3
	are vulnerable.

	Systems running NetBSD 1.5 sources dated from before
	2003-08-05 should be upgraded from NetBSD 1.5 sources dated
	2003-08-06 or later.

	The following file needs to be updated from the
	netbsd-1-5 CVS branch:
		lib/libc/gen/getcwd.c

	To update from CVS, re-build, and re-install libc and static
	binaries:

		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/gen/getcwd.c

		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../../sbin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../bin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		(then, reboot, or restart affected daemons)

	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath.patch

	To patch, re-build and re-install libc, and static binaries:

		# cd src
		# patch < /path/to/SA2003-011-realpath.patch

		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../../sbin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../bin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		(then, reboot, or restart affected daemons)


Thanks To
=========

CERT


Revision History
================

	2003-08-04	Initial release
	2003-08-06	Add binary patch
	2003-08-10	Correct copy/paste errors in 1.5 instructions
	2003-08-10	binary patch includes /sbin/umount, not /sbin/mountd


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-011.txt,v 1.12 2003/08/11 03:55:53 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPzcUXD5Ru2/4N2IFAQGEzQP+NOJCWd396GtWerGure+KB0c2KY8MZFnJ
7utt39XcnRG7B4sccQkV1vSio/OyKkvmG5YpaxW49okMRz4j2sFha9bb4SL1Mn4p
jZ1E8V0dwclHMaKR/2jxZXOK1AgZJeD5zAi/J6NS/omYBMaVc5Js6iSkGpCyzZj1
kRzkcqaIswk=
=1lOU
-----END PGP SIGNATURE-----
