                 NetBSD Security Advisory 2003-011
                 =================================

Topic:          off-by-one error in realpath(3)

Version:        NetBSD-current:  source prior to August 4, 2003
                NetBSD 1.6.1:    affected
                NetBSD 1.6:      affected
                NetBSD-1.5.3:    affected
                NetBSD-1.5.2:    affected
                NetBSD-1.5.1:    affected
                NetBSD-1.5:      affected

Severity:       Possible remote buffer overrun/root compromise

Fixed:          NetBSD-current:    August 4, 2003
                NetBSD-1.6 branch: August 5, 2003 (1.6.2 will include the fix)
                NetBSD-1.5 branch: August 6, 2003


Abstract
========

In the library function realpath(3), there was a string manipulation
mistake which could lead to a 1-byte buffer overrun.  realpath(3) is
used by important network daemons such as ftpd(8); therefore the
vulnerability could be remotely exploitable.

Note: The same error remained in a derived function in the distribution
of the wu-ftpd server (not part of NetBSD's base system).

This information has been available to the general public for a matter
of days now.  Exploits have been released against wu-ftpd.  They are
probably being written against other affected services as well.  If you
offer any of the affected services, you are advised to patch your system
immediately.


Technical Details
=================

http://www.kb.cert.org/vuls/id/743092

Binaries in the NetBSD base system which use realpath(3) include:

        /bin/systrace
        /usr/libexec/ftpd (*)
        /sbin/mount
        /sbin/umount
        /usr/sbin/mountd (*)
        /usr/bin/ssh
        /usr/sbin/sshd (*)
        /usr/libexec/sftp-server (*)
        /usr/sbin/bootpd (*)

Binaries marked (*) listen on network interfaces, and could be remotely
exploitable.


Solutions and Workarounds
=========================

To fix this vulnerability you will need to upgrade your libc.  The
following instructions describe how to upgrade your libc binaries by
updating your source tree and rebuilding and installing a new version
of libc.
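The bug class named under Technical Details, as an added illustration
that is not NetBSD's realpath(3) / getcwd.c code: a minimal model of
appending one path component into a fixed-size buffer, with the
off-by-one length check beside the correct one, and a canary harness
that makes the single clobbered byte observable.  The buffer size and
sample paths are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not NetBSD's getcwd.c: a minimal model of appending one
 * path component ("/" + comp) into a fixed-size buffer, the operation in
 * which a one-byte off-by-one in the length check arises.  `fixed`
 * selects the correct check (1) or the off-by-one check (0).  Returns 0
 * on success, -1 if the component was refused. */
static int append_component(char *dst, size_t bufsize, const char *comp, int fixed)
{
    size_t dlen = strlen(dst), clen = strlen(comp);
    size_t newlen = dlen + 1 + clen;          /* characters, NUL not counted */

    if (fixed) {
        /* newlen + 1 bytes must fit, so newlen must be strictly less. */
        if (newlen >= bufsize)
            return -1;
    } else {
        /* BUG: admits newlen == bufsize; the NUL then lands at dst[bufsize]. */
        if (newlen > bufsize)
            return -1;
    }
    dst[dlen] = '/';
    memcpy(dst + dlen + 1, comp, clen + 1);   /* clen + 1 copies the NUL too */
    return 0;
}

/* Logical buffer size used by the probe (constructed, small so the
 * boundary is easy to hit with short inputs). */
#define PROBE_BUFSIZE 16

/* Detection harness: the real array is one byte longer than the logical
 * buffer and carries a canary in that extra byte, so a one-byte overrun
 * is observable without undefined behaviour.  Returns 1 if the canary
 * was clobbered, 0 otherwise (refused or safely appended). */
static int overruns(const char *base, const char *comp, int fixed)
{
    char buf[PROBE_BUFSIZE + 1];
    size_t blen = strlen(base);

    if (blen >= PROBE_BUFSIZE)              /* base must itself fit */
        return 0;
    memset(buf, 0, sizeof buf);
    memcpy(buf, base, blen + 1);
    buf[PROBE_BUFSIZE] = (char)0xAA;        /* canary just past the logical end */
    (void)append_component(buf, PROBE_BUFSIZE, comp, fixed);
    return buf[PROBE_BUFSIZE] != (char)0xAA;
}
```

With "/usr/lib" and "libc.so" the new length is exactly PROBE_BUFSIZE:
the buggy check lets the terminating NUL overwrite the canary, the
correct check refuses the component.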
Note that all statically-linked binaries, such as the following, must be
rebuilt:

        - binaries under /sbin and /bin for 1.5 and 1.6-based systems
        - binaries under /rescue for NetBSD-current systems
        - statically-linked binaries built by pkgsrc

Also, running instances of daemons must be restarted, if you do not plan
to reboot the machine after the update of libc.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2003-08-03
        should be upgraded to NetBSD-current dated 2003-08-04 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                lib/libc/gen/getcwd.c

        To update from CVS, re-build, and re-install libc and rescue:
                # cd src
                # cvs update -d -P lib/libc/gen/getcwd.c
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../rescue
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                (then, reboot, or restart affected daemons)

* NetBSD 1.6, 1.6.1:

        The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.

        Systems running NetBSD 1.6 sources dated from before 2003-08-04
        should be upgraded from NetBSD 1.6 sources dated 2003-08-05 or
        later.

        NetBSD 1.6.2 will include the fix.
        The following directories need to be updated from the
        netbsd-1-6 CVS branch:
                lib/libc/gen/getcwd.c

        To update from CVS, re-build, and re-install libc and static
        binaries:
                # cd src
                # cvs update -d -P -r netbsd-1-6 lib/libc/gen/getcwd.c
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../sbin
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../bin
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                (then, reboot, or restart affected daemons)

        Alternatively, apply the following patch (with potential offset
        differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath.patch

        To patch, re-build and re-install libc, and static binaries:
                # cd src
                # patch < /path/to/SA2003-011-realpath.patch
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../sbin
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../bin
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                (then, reboot, or restart affected daemons)

* Binary patch:

        To apply the binary patch, perform the following steps,
        replacing ARCH with the NetBSD architecture you are running
        (e.g. i386):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath/netbsd-1-6/ARCH-realpath.tgz

                cd / && tar xzvpf /path/to/ARCH-realpath.tgz

        The tar file will extract new copies of:
                /usr/lib/libc.so.12.83.2
                /usr/lib/libc.so.12 (symlink to libc.so.12.83.2)
                /usr/lib/libc.a
                /usr/lib/libc_p.a
                /usr/lib/libc_pic.a
                /sbin/mount
                /sbin/umount

        Then, reboot, or restart affected daemons, so they use the new
        libc.  Any statically linked binaries built against the old libc
        will still need to be recompiled.

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

        The binary distributions of NetBSD 1.5, 1.5.1, 1.5.2, and 1.5.3
        are vulnerable.

        Systems running NetBSD 1.5 sources dated from before 2003-08-05
        should be upgraded from NetBSD 1.5 sources dated 2003-08-06 or
        later.
        The following directories need to be updated from the
        netbsd-1-5 CVS branch:
                lib/libc/gen/getcwd.c

        To update from CVS, re-build, and re-install libc and static
        binaries:
                # cd src
                # cvs update -d -P -r netbsd-1-5 lib/libc/gen/getcwd.c
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../sbin
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../bin
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                (then, reboot, or restart affected daemons)

        Alternatively, apply the following patch (with potential offset
        differences):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath.patch

        To patch, re-build and re-install libc, and static binaries:
                # cd src
                # patch < /path/to/SA2003-011-realpath.patch
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../sbin
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../bin
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                (then, reboot, or restart affected daemons)


Thanks To
=========

CERT


Revision History
================

        2003-08-04      Initial release
        2003-08-06      Add binary patch
        2003-08-10      Correct copy/paste errors in 1.5 instructions
        2003-08-10      binary patch includes /sbin/umount, not /sbin/mountd


More Information
================

Advisories may be updated as new information becomes available.  The
most recent version of this advisory (PGP signed) can be found at
        ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2003-011.txt,v 1.12 2003/08/11 03:55:53 david Exp $