From owner-doc-jp@jp.freebsd.org  Mon Sep 27 04:08:00 1999
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id EAA24484;
	Mon, 27 Sep 1999 04:08:00 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from bilbo.micon.co.jp (bilbo.micon.co.jp [210.226.150.237])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id EAA24479
	for <doc-jp@jp.freebsd.org>; Mon, 27 Sep 1999 04:07:59 +0900 (JST)
	(envelope-from sakauchi@yamame.to)
Received: from R2D2.yamame.to (p84876d.kgci.ap.so-net.ne.jp [210.132.135.109])
	by bilbo.micon.co.jp (8.8.5/8.8.5) with ESMTP id EAA23222;
	Mon, 27 Sep 1999 04:07:53 +0900 (JST)
Date: Mon, 27 Sep 1999 04:09:06 +0900
Message-ID: <14318.28498.760000.34006G@R2D2>
From: Atushi Sakauchi <sakauchi@yamame.to>
To: doc-jp@jp.freebsd.org
User-Agent: Wanderlust/1.0.3 (Notorious) SEMI/1.13.3 (Komaiko) FLIM/1.12.5 (Hirahata) Emacs/20.2 (i386-*-windows95-4.10) MULE/3.0 (MOMIJINOGA) Meadow/1.00 (MIDORI)
MIME-Version: 1.0 (generated by SEMI 1.13.3 - "Komaiko")
Content-Type: text/plain; charset=ISO-2022-JP
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 6722
Subject: [doc-jp 6722] ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-99:06.amd
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: sakauchi@yamame.to

$B:dFb$G$9!%(B

SA-99:06 $B$rK]Lu$7$^$7$?!%$h$m$7$/$*4j$$$7$^$9!%(B


  $B$3$N%a!<%k$O(B announce-jp $B$KN.$l$?(B

Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-99:06.amd
From: FreeBSD Security Officer <security-officer@freebsd.org>
Date: Mon, 20 Sep 1999 20:14:55 -0600 (MDT)
Message-Id: <199909210214.UAA22243@harmony.village.org>

$B$rF|K\8lLu$7$?$b$N$G$9(B.
  $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
$B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r9T(B
$B$J$&$K$O86J8$r;2>H$7$F$/$@$5$$(B. 
  $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B $B$=$NFbMF$K$D$$$F(B
$B$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B. 
  $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.freebsd.org $B$^$G(B
$B$*4j$$$7$^$9(B. 
=============================================================================
FreeBSD-SA-99:06                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:       remote amd attack

$B%+%F%4%j!<(B:     core
$B%b%8%e!<%k(B:     kernel
$B9pCNF|(B:         1999$BG/(B 9$B7n(B16$BF|(B
$B1F6ABP>](B:       FreeBSD 3.2 ($B$*$h$S(B 3.2 $B0JA0$N%P!<%8%g%s(B)
		$B=$@5$5$l$k0JA0$N(B FreeBSD-current
		$B=$@5$5$l$k0JA0$N(B FreeBSD 3.2-stable
$B=$@5:Q(B:         FreeBSD-3.3 RELEASE
		1999$BG/(B 9$B7n(B 7$BF|0J9_$N(B FreeBSD-current
		1999$BG/(B 8$B7n(B25$BF|0J9_$N(B FreeBSD-3.2-stable
		The FreeBSD-3.3-RC series of releases are not affected.
FreeBSD $B$@$1$NLdBj$+(B: $BH](B
Bugtraq Id:	614 (variation)
CERT ID:	CA-99.12

$B%Q%C%A(B:         ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-99:06/

I.   $BGX7J(B

The amd program allows for a very flexible array of remote and local
file systems to be mounted automatically on an as needed basis.  Amd
is an optional utility that system administrators must explicitly
enable.  If amd is not enabled on your system, then your system is not
vulnerable.

amd $B%W%m%0%i%`$O!$I,MW$K$J$C$?$H$-$K<+F0E*$K%^%&%s%H$9$k$3$H$G!$(B
$B%j%b!<%H$H%m!<%+%k$N%U%!%$%k%7%9%F%`$r<+M3<+:_$KG[CV$G$-$k$h$&$K(B
$B$7$^$9!%(Bamd $B$O%7%9%F%`4IM}<T$NL@<(E*$J@_Dj$rI,MW$H$9$k%*%W%7%g%s$N(B
$B%f!<%F%#%j%F%#$G$9!%(Bamd $B$,@_Dj$5$l$F$$$J$$%7%9%F%`$O!$LdBj$"$j$^$;$s!%(B

II.  $B2r@b(B

There are two buffer overflow vulnerabilities in the the amd daemon.

amd $B%G!<%b%s$K$OFs%v=j!$%P%C%U%!%*!<%P%U%m!<$NLdBj$,$"$j$^$9!%(B

III. $B1F6A(B

Remote users could execute arbitrary code as root in the amd daemon
context.

amd $B%G!<%b%s$N<B9TCf$K!$%j%b!<%H%f!<%6$,G$0U$N%3!<%I$r(B root $B8"8B$G(B
$B<B9T$9$k$3$H$,2DG=$G$9!%(B

IV.  $BBP1~:v(B

The only way to avoid these problems are to upgrade or not run the amd
daemon.  That leaves disabling the amd deamon as your only workaround.

$B$3$NLdBj$r2sHr$9$k$K$O!$(Bamd $B%G!<%b%s$r%"%C%W%0%l!<%I$9$k$+!$Dd;_$9$k(B
$B$7$+$"$j$^$;$s!%BP1~:v$O(B amd $B%G!<%b%s$rDd;_$9$k$3$H$G$9!%(B

V.   $B2r7h:v(B

Upgrade your system to one that is listed above as having the problem
resolved, or you may patch your present systems.

Upgrade to one of the versions listed under "Corrected", or apply the patches.

To patch your present system apply the following patches to amd,
rebuild, install and restart amd (or reboot).

To put the patch into effect, apply the patch to amd, recompile, install,
and then restart amd (or reboot).

Patches for 3.2-stable and -current systems before the resolution date:

$B=$@50JA0$N(B 3.2-stable $B$H(B -current $B$KBP$9$k%Q%C%A(B:

    Index: xutil.c
    ===================================================================
    RCS file: /home/ncvs/src/contrib/amd/libamu/xutil.c,v
    retrieving revision 1.1.1.3
    retrieving revision 1.1.1.3.2.1
    diff -u -r1.1.1.3 -r1.1.1.3.2.1
    --- xutil.c	1999/01/13 19:20:33	1.1.1.3
    +++ xutil.c	1999/08/25 18:59:39	1.1.1.3.2.1
    @@ -272,16 +272,18 @@

     /*
      * Take a log format string and expand occurrences of %m
    - * with the current error code taken from errno.
    + * with the current error code taken from errno.  Make sure
    + * 'e' never gets longer than maxlen characters.
      */
     static void
    -expand_error(char *f, char *e)
    +expand_error(char *f, char *e, int maxlen)
     {
       extern int sys_nerr;
    -  char *p;
    +  char *p, *q;
       int error = errno;
    +  int len = 0;

    -  for (p = f; (*e = *p); e++, p++) {
    +  for (p = f, q = e; (*q = *p) && len < maxlen; len++, q++, p++) {
	 if (p[0] == '%' && p[1] == 'm') {
	   const char *errstr;
	   if (error < 0 || error >= sys_nerr)
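
Review bot: In the new for loop the store `(*q = *p)` is evaluated before
`len < maxlen`, so on the iteration where len has reached maxlen a byte has
already been written to e[maxlen], one past the limit the new comment
promises. Test the bound first and leave room for the terminator, for
example `len < maxlen - 1 && (*q = *p)`, and state in the comment whether
maxlen counts the trailing NUL.
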
    @@ -289,13 +291,15 @@
	   else
	    errstr = sys_errlist[error];
	   if (errstr)
    -	strcpy(e, errstr);
    +	strcpy(q, errstr);
	   else
    -	sprintf(e, "Error %d", error);
    -      e += strlen(e) - 1;
    +	sprintf(q, "Error %d", error);
    +      len += strlen(q) - 1;
    +      q += strlen(q) - 1;
	   p++;
	 }
       }
    +  e[maxlen-1] = '\0';		/* null terminate, to be sure */
     }


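
Review bot: strcpy(q, errstr) and sprintf(q, "Error %d", error) still copy
without consulting maxlen; len is only updated after the copy, so a %m that
falls near the end of the buffer writes past it before the loop condition
can stop anything. The closing e[maxlen-1] = '\0' shortens the string but
does not undo that write. Copy at most maxlen - len - 1 bytes at this point
(strncpy, or snprintf into the remaining space) so the limit is enforced
where the write happens.
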
    @@ -401,9 +405,15 @@
       checkup_mem();
     #endif /* DEBUG_MEM */

    -  expand_error(fmt, efmt);
    +  expand_error(fmt, efmt, 1024);

    +  /*
    +   * XXX: ptr is 1024 bytes long.  It is possible to write into it
    +   * more than 1024 bytes, if efmt is already large, and vargs expand
    +   * as well.
    +   */
       vsprintf(ptr, efmt, vargs);
    +  msg[1023] = '\0';		/* null terminate, to be sure */

       ptr += strlen(ptr);
       if (ptr[-1] == '\n')
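
Review bot: The vsprintf(ptr, efmt, vargs) call is still unbounded, as the
added XXX comment itself says, and msg[1023] = '\0' runs only after the
write has taken place, so it cannot prevent the overflow it is meant to
guard against. Use vsnprintf with the space remaining in the buffer, and
replace the literals 1024 and 1023 with sizeof on the buffers concerned so
the sizes cannot drift apart.
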
    Index: amq_subr.c
    ===================================================================
    RCS file: /home/imp/FreeBSD/CVS/src/contrib/amd/amd/amq_subr.c,v
    retrieving revision 1.3
    retrieving revision 1.4
    diff -u -r1.3 -r1.4
    --- amq_subr.c	1999/01/13 20:03:54	1.3
    +++ amq_subr.c	1999/09/07 23:07:03	1.4
    @@ -204,11 +204,24 @@
     int *
     amqproc_mount_1_svc(voidp argp, struct svc_req *rqstp)
     {
    -  static int rc;
    -  char *s = *(amq_string *) argp;
    +  static int rc = EINVAL;
    +  char s[AMQ_STRLEN];
       char *cp;
    +  char dq[20];
    +  struct sockaddr_in *sin;
    +
    +  if ((sin = amu_svc_getcaller(rqstp->rq_xprt)) == NULL) {
    +    plog(XLOG_ERROR, "amu_svc_getcaller returned NULL");
    +    return &rc;
    +  }
    +
    +  strncpy(s, *(amq_string *) argp, AMQ_STRLEN-1);
    +  s[AMQ_STRLEN-1] = '\0';	/* null terminate, to be sure */
    +  plog(XLOG_ERROR,
    +       "amq requested mount of %s from %s.%d",
    +       s, inet_dquad(dq, sin->sin_addr.s_addr),
    +       ntohs(sin->sin_port));

    -  plog(XLOG_INFO, "amq requested mount of %s", s);
       /*
	* Minimalist security check.
	*/
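
Review bot: `static int rc = EINVAL;` initialises rc only once, so the early
`return &rc;` on the amu_svc_getcaller() failure path yields EINVAL only as
long as nothing else in the function ever assigns rc; set rc = EINVAL
explicitly before that return. The request message also moves from XLOG_INFO
to XLOG_ERROR although it is emitted for every mount request that reaches
this point, not only failed ones; if the aim is to make the caller's address
visible at the default log level, say so in a comment.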


=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

$BCm0U(B: $BK\J8=qCf$K%Q%C%A$,4^$^$l$F$$$k>l9g(B, $BEE;R=pL>$d%a%$%i$N=hM}$GJQ99(B
      $B$5$l$k$?$a(B, $B$=$N$^$^$G$O$-$A$s$HE,MQ$G$-$J$$$+$b$7$l$^$;$s(B. $BI,MW(B
      $B$G$"$l$P(B, $BK\J8=q$NKAF,$K5-:\$7$F$"$k(B URL $B$r;2>H$7$F%*%j%8%J%k$N(B
      $B%3%T!<$rF~<j$7$F$/$@$5$$(B.
=============================================================================
