January 2006
Four FreeBSD Security Advisories: 1. FreeBSD-SA-06:01. - texindex 2. FreeBSD-SA-06:02. - ee 3. FreeBSD-SA-06:03. - cpio 4. FreeBSD-SA-06:04. - ipfw
ID: 00033
Ref: 32/2006
Date: 11 January 2006:15:04:51
Version: 1
Title: Four FreeBSD Security Advisories: 1. FreeBSD-SA-06:01. - texindex 2. FreeBSD-SA-06:02. - ee 3. FreeBSD-SA-06:03. - cpio 4. FreeBSD-SA-06:04. - ipfw
Abstract:
Vendors affected: FreeBSD
Operating systems affected: FreeBSD
Applications affected: FreeBSD
Title
=====
Four FreeBSD Security Advisories:
1. FreeBSD-SA-06:01. - texindex
2. FreeBSD-SA-06:02. - ee
3. FreeBSD-SA-06:03. - cpio
4. FreeBSD-SA-06:04. - ipfw
Detail
======
1. The "sort_offline" function used by texindex(1) employs the "maketempname"
function, which produces predictable file names and fails to validate that
the paths do not exist.
2. The ispell_op function used by ee(1) while executing spell check
operations employs an insecure method of temporary file generation.
This method produces predictable file names based on the process ID
and does not confirm with the user which path will be overwritten.
3. A number of issues have been discovered in cpio.
4. The firewall maintains a pointer to layer 4 header information in the
event that it needs to send a TCP reset or ICMP error message to
discard packets. Due to incorrect handling of IP fragments, this
pointer fails to get initialized.
1.
=============================================================================
FreeBSD-SA-06:01.texindex Security Advisory
The FreeBSD Project
Topic: Texindex temporary file privilege escalation
Category: contrib
Module: texinfo
Announced: 2006-01-11
Credits: Frank Lichtenheld
Affects: All FreeBSD releases.
Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE)
2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2)
2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE)
2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9)
2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24)
2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE)
2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14)
2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20)
CVE Name: CAN-2005-3011
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
.
I. Background
TeX is a document typesetting system which is popular in the mathematics,
physics, and computer science realms because of its ability to typeset
complex mathematical formulas. texindex(1) is a utility which is often
used to generate a sorted index of a TeX file.
II. Problem Description
The "sort_offline" function used by texindex(1) employs the "maketempname"
function, which produces predictable file names and fails to validate that
the paths do not exist.
III. Impact
These predictable temporary file names are problematic because they
allow an attacker to take advantage of a race condition in order to
execute a symlink attack, which could enable them to overwrite files
on the system in the context of the user running the texindex(1) utility.
IV. Workaround
No workaround is available, but the problematic code is only executed
if the input file being processed is 500kB or more in length; as a
result, users working with documents of less than several hundred pages
are very unlikely to be affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.x and 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch.asc
[FreeBSD 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/texinfo/texindex
# make obj && make depend && make && make install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
contrib/texinfo/util/texindex.c 1.1.1.3.2.4
RELENG_4_11
src/UPDATING 1.73.2.91.2.15
src/sys/conf/newvers.sh 1.44.2.39.2.18
contrib/texinfo/util/texindex.c 1.1.1.3.2.3.6.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.21
src/sys/conf/newvers.sh 1.44.2.34.2.22
contrib/texinfo/util/texindex.c 1.1.1.3.2.3.4.1
RELENG_5
contrib/texinfo/util/texindex.c 1.1.1.7.4.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.18
src/sys/conf/newvers.sh 1.62.2.18.2.14
contrib/texinfo/util/texindex.c 1.1.1.7.8.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.27
src/sys/conf/newvers.sh 1.62.2.15.2.29
contrib/texinfo/util/texindex.c 1.1.1.7.6.1
RELENG_6
contrib/texinfo/util/texindex.c 1.1.1.8.2.1
RELENG_6_0
src/UPDATING 1.416.2.3.2.7
src/sys/conf/newvers.sh 1.69.2.8.2.3
contrib/texinfo/util/texindex.c 1.1.1.8.4.1
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:01.texindex.asc
2.
=============================================================================
FreeBSD-SA-06:02.ee Security Advisory
The FreeBSD Project
Topic: ee temporary file privilege escalation
Category: core
Module: ee
Announced: 2006-01-11
Credits: Christian S.J. Peron
Affects: All FreeBSD versions
Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE)
2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2)
2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE)
2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9)
2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24)
2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE)
2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14)
2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20)
CVE Name: CVE-2006-0055
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
.
I. Background
The ee utility is a simple screen oriented text editor. This editor is
popular with a lot of users due to its ease of use.
II. Problem Description
The ispell_op function used by ee(1) while executing spell check
operations employs an insecure method of temporary file generation.
This method produces predictable file names based on the process ID
and does not confirm with the user which path will be overwritten.
It should be noted that ispell does not have to be installed in order
for this to be exploited. The option simply needs to be selected.
III. Impact
These predictable temporary file names are problematic because they
allow an attacker to take advantage of a race condition in order to
execute a symlink attack, which could allow them to overwrite files
on the system in the context of the user running the ee(1) editor.
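Both temporary-file advisories (texindex above and ee here) come down to the same defect: a name built from the process ID, opened without checking that the path is unused. The following C program is added here for illustration and is not code from either utility; it places the guessable-name pattern next to the mkstemp(3)/O_EXCL form that closes the race, and the /tmp template and prefix it uses are constructed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern both advisories describe: a name derived from the process ID is
 * guessable, and a later fopen(name, "w") follows any symlink planted there. */
int predictable_tempname(char *buf, size_t len, const char *prefix, long pid)
{
    return snprintf(buf, len, "/tmp/%s.%ld", prefix, pid);
}

/* Hardened form: mkstemp(3) fills XXXXXX with random characters and creates
 * the file with O_CREAT|O_EXCL and mode 0600, so an existing path or symlink
 * at that name makes creation fail instead of being followed. The caller
 * owns the descriptor and unlinks the path when done. */
int secure_tempfile(char *template)
{
    return mkstemp(template);        /* -1 on failure */
}

/* The check maketempname omitted: exclusive create refuses an existing path.
 * Returns 0 on success, otherwise errno (EEXIST when the path exists). */
int create_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Creates a temp file the safe way, checks its mode, then shows a second
 * exclusive create at the same path being refused. Returns EEXIST on the
 * expected outcome, a negative code on any other failure. */
int demo(void)
{
    char tmpl[] = "/tmp/ee-spell.XXXXXX";   /* constructed template */
    struct stat st;
    int fd = secure_tempfile(tmpl);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st) == 0 ? create_exclusive(tmpl) : -2;
    close(fd);
    unlink(tmpl);
    if (rc >= 0 && (st.st_mode & 0777) != 0600)
        return -3;
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("re-create of temp path: %s\n", rc == EEXIST ? "refused (EEXIST)" : "unexpected");
    return rc == EEXIST ? 0 : 1;
}
```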
IV. Workaround
Instead of invoking ispell through ee(1), invoke it directly.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:02/ee.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:02/ee.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.bin/ee
# make obj && make depend && make && make install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
usr.bin/ee/ee.c 1.16.2.9
RELENG_4_11
src/UPDATING 1.73.2.91.2.15
src/sys/conf/newvers.sh 1.44.2.39.2.18
usr.bin/ee/ee.c 1.16.2.7.6.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.21
src/sys/conf/newvers.sh 1.44.2.34.2.22
usr.bin/ee/ee.c 1.16.2.7.4.1
RELENG_5
usr.bin/ee/ee.c 1.31.4.2
RELENG_5_4
src/UPDATING 1.342.2.24.2.18
src/sys/conf/newvers.sh 1.62.2.18.2.14
usr.bin/ee/ee.c 1.31.4.1.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.27
src/sys/conf/newvers.sh 1.62.2.15.2.29
usr.bin/ee/ee.c 1.31.6.1
RELENG_6
usr.bin/ee/ee.c 1.32.2.1
RELENG_6_0
src/UPDATING 1.416.2.3.2.7
src/sys/conf/newvers.sh 1.69.2.8.2.3
usr.bin/ee/ee.c 1.32.4.1
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0055
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:02.ee.asc
3.
=============================================================================
FreeBSD-SA-06:03.cpio Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in cpio
Category: contrib
Module: contrib_cpio
Announced: 2006-01-11
Credits: Imran Ghory, Richard Harms
Affects: All FreeBSD releases.
Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE)
2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2)
2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE)
2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9)
2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24)
2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE)
2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14)
2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20)
CVE Name: CVE-2005-1111, CVE-2005-1229, CVE-2005-4268
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
.
I. Background
The cpio utility copies files into or out of a cpio or tar archive.
II. Problem Description
A number of issues have been discovered in cpio:
. When creating a new file, cpio closes the file before setting its
permissions. (CVE-2005-1111)
. When extracting files cpio does not properly sanitize file names
to filter out ".." components, even if the --no-absolute-filenames
option is used. (CVE-2005-1229)
. When adding large files (larger than 4 GB) to a cpio archive on
64-bit platforms an internal buffer might overflow. (CVE-2005-4268)
III. Impact
. The first problem can allow a local attacker to change the
permissions of files owned by the user executing cpio providing
that they have write access to the directory in which the file is
being extracted. (CVE-2005-1111)
. The lack of proper file name sanitation can allow an attacker to
overwrite arbitrary local files when extracting files from a cpio
archive. (CVE-2005-1229)
. The buffer-overflow on 64-bit platforms could lead cpio to a
Denial-of-Service situation (crash) or possibly execute arbitrary
code with the permissions of the user running
cpio. (CVE-2005-4268)
IV. Workaround
Use a different utility to create and extract cpio archives, for
example pax(1) or (on FreeBSD 5.3 or later) tar(1). If this is not
possible, do not extract untrusted archives and when running on 64-bit
platforms do not add untrusted files to cpio archives.
V. Solution
NOTE WELL: The solution described below causes cpio to no longer extract
files with absolute paths by default. If it is required that cpio
extract files with absolute names, use the --absolute-filenames
parameter.
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:03/cpio.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cpio
# make obj && make depend && make && make install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
contrib/cpio/copyin.c 1.6.6.2
contrib/cpio/copyout.c 1.2.8.1
contrib/cpio/cpio.1 1.3.6.1
contrib/cpio/extern.h 1.2.8.1
contrib/cpio/global.c 1.1.1.1.8.1
contrib/cpio/main.c 1.3.2.1
RELENG_4_11
src/UPDATING 1.73.2.91.2.15
src/sys/conf/newvers.sh 1.44.2.39.2.18
contrib/cpio/copyin.c 1.6.6.1.12.1
contrib/cpio/copyout.c 1.2.36.1
contrib/cpio/cpio.1 1.3.34.1
contrib/cpio/extern.h 1.2.36.1
contrib/cpio/global.c 1.1.1.1.36.1
contrib/cpio/main.c 1.3.30.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.21
src/sys/conf/newvers.sh 1.44.2.34.2.22
contrib/cpio/copyin.c 1.6.6.1.10.1
contrib/cpio/copyout.c 1.2.30.1
contrib/cpio/cpio.1 1.3.28.1
contrib/cpio/extern.h 1.2.30.1
contrib/cpio/global.c 1.1.1.1.30.1
contrib/cpio/main.c 1.3.24.1
RELENG_5
contrib/cpio/copyin.c 1.7.8.1
contrib/cpio/copyout.c 1.2.32.1
contrib/cpio/cpio.1 1.3.30.1
contrib/cpio/extern.h 1.2.32.1
contrib/cpio/global.c 1.1.1.1.32.1
contrib/cpio/main.c 1.3.26.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.18
src/sys/conf/newvers.sh 1.62.2.18.2.14
contrib/cpio/copyin.c 1.7.12.1
contrib/cpio/copyout.c 1.2.38.1
contrib/cpio/cpio.1 1.3.36.1
contrib/cpio/extern.h 1.2.38.1
contrib/cpio/global.c 1.1.1.1.38.1
contrib/cpio/main.c 1.3.32.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.27
src/sys/conf/newvers.sh 1.62.2.15.2.29
contrib/cpio/copyin.c 1.7.10.1
contrib/cpio/copyout.c 1.2.34.1
contrib/cpio/cpio.1 1.3.32.1
contrib/cpio/extern.h 1.2.34.1
contrib/cpio/global.c 1.1.1.1.34.1
contrib/cpio/main.c 1.3.28.1
RELENG_6
contrib/cpio/copyin.c 1.7.14.1
contrib/cpio/copyout.c 1.2.40.1
contrib/cpio/cpio.1 1.3.38.1
contrib/cpio/extern.h 1.2.40.1
contrib/cpio/global.c 1.1.1.1.40.1
contrib/cpio/main.c 1.3.34.1
RELENG_6_0
src/UPDATING 1.416.2.3.2.7
src/sys/conf/newvers.sh 1.69.2.8.2.3
contrib/cpio/copyin.c 1.7.16.1
contrib/cpio/copyout.c 1.2.42.1
contrib/cpio/cpio.1 1.3.40.1
contrib/cpio/extern.h 1.2.42.1
contrib/cpio/global.c 1.1.1.1.42.1
contrib/cpio/main.c 1.3.36.1
- -------------------------------------------------------------------------
VII. References
[CVE-2005-1111]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1111
http://marc.theaimsgroup.com/?l=bugtraq&m=111342664116120
https://savannah.gnu.org/patch/?func=detailitem&item_id=4006
https://savannah.gnu.org/patch/?func=detailitem&item_id=4007
[CVE-2005-1229]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1229
http://marc.theaimsgroup.com/?l=bugtraq&m=111403177526312
https://savannah.gnu.org/patch/?func=detailitem&item_id=4005
[CVE-2005-4268]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4268
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172669
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:03.cpio.asc
4.
=============================================================================
FreeBSD-SA-06:04.ipfw Security Advisory
The FreeBSD Project
Topic: ipfw IP fragment denial of service
Category: core
Module: ipfw
Announced: 2006-01-11
Credits: Oleg Bulyzhin
Affects: FreeBSD 6.0-RELEASE
Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE)
2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2)
CVE Name: CVE-2006-0054
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
.
I. Background
ipfw(8) is a system facility which provides IP packet filtering,
accounting, and redirection. Among the many features, while discarding
packets it can perform actions defined by the user, such as sending
back TCP reset or ICMP unreachable packets. These operations can be
performed by using the reset, reject or unreach actions.
II. Problem Description
The firewall maintains a pointer to layer 4 header information in the
event that it needs to send a TCP reset or ICMP error message to
discard packets. Due to incorrect handling of IP fragments, this
pointer fails to get initialized.
III. Impact
An attacker can cause the firewall to crash by sending ICMP IP
fragments to or through firewalls which match any reset, reject or
unreach actions.
IV. Workaround
Change any reset, reject or unreach actions to deny. It should be
noted that this will result in packets being silently discarded.
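To make the fragment case concrete, the C snippet below (an added illustration of the bug class, not the ipfw code itself) locates the layer-4 header only when the IP fragment offset is zero and lets the reject path fall back to a plain deny otherwise, which is what the workaround above achieves by configuration. The packets are constructed byte strings with zeroed addresses and checksums.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { VERDICT_DENY, VERDICT_RESET, VERDICT_UNREACH };

/* Offset of the layer-4 header inside an IPv4 packet, or -1 when there is
 * none to point at: a fragment with non-zero offset carries only payload,
 * and a packet shorter than its own IHL is malformed. */
int l4_header_offset(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return -1;
    unsigned frag_off = ((pkt[6] & 0x1f) << 8) | pkt[7];   /* 13-bit offset */
    return frag_off == 0 ? (int)ihl : -1;
}

/* Reject path made fragment-safe: only build a TCP reset or ICMP error when
 * the L4 header is really present; otherwise degrade to a silent deny rather
 * than touching a header pointer that was never set. */
enum verdict reject_action(const uint8_t *pkt, size_t len)
{
    int off = l4_header_offset(pkt, len);
    if (off < 0)
        return VERDICT_DENY;            /* no L4 header to dereference */
    if (pkt[9] == 6 && len >= (size_t)off + 20)
        return VERDICT_RESET;           /* TCP with a full header: send RST */
    return VERDICT_UNREACH;             /* anything else: ICMP unreachable */
}

/* Constructed packets: IPv4 header, zero addresses/checksums, minimal L4. */
static const uint8_t TCP_SYN[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, /* offset 0, TCP */
    [33] = 0x02,                        /* TCP flags byte (20 + 13) = SYN */
};
static const uint8_t ICMP_FRAG[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00, 0x10, 0x40, 0x01, /* offset 16, ICMP */
};
static const uint8_t ICMP_FIRST_FRAG[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x20, 0x00, 0x40, 0x01, /* MF set, offset 0 */
};

int main(void)
{
    printf("TCP SYN            -> %d (1 = reset)\n", reject_action(TCP_SYN, sizeof TCP_SYN));
    printf("ICMP later fragment-> %d (0 = deny)\n", reject_action(ICMP_FRAG, sizeof ICMP_FRAG));
    printf("ICMP first fragment-> %d (2 = unreach)\n", reject_action(ICMP_FIRST_FRAG, sizeof ICMP_FIRST_FRAG));
    return 0;
}
```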
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0
security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.0
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/netinet/ip_fw2.c 1.106.2.6
RELENG_6_0
src/UPDATING 1.416.2.3.2.7
src/sys/conf/newvers.sh 1.69.2.8.2.3
src/sys/netinet/ip_fw2.c 1.106.2.3.2.1
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-0054
The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:04.ipfw.asc