From: Hiroki Sato <hrs@geocities.co.jp>
To: doc-jp@jp.freebsd.org
Date: Sun, 14 May 2000 23:52:20 +0900
Subject: [doc-jp 7380] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:14.imap-uw
Message-Id: <200005141458.XAA08745@mail.geocities.co.jp>
In-Reply-To: <20000514120242.12896.qmail@smtp.246.ne.jp>

Sato at Tokyo University of Science here.

I have corrected the points raised for 00:14 through 00:17.
Below is the diff of the main parts.

00:14 ...............................................................

 [Fix of the garbled "buffer overflow" term and of the wording around "only"]

-$BG'>Z$r<u$1$?(B)$B%f!<%6$KBP$7$F(B, $BHs>o$KB?$/$N%P%C%U%!%U%m!<LdBj$,B8:_$7$^$9(B.
-$B%f!<%6$,%m%0%$%s$9$k$H(B, imapd $B$O(B root $B8"8B$rL58z2=$7(B, $B%m%0%$%s$7$?%f!<%6$N(B
-$B8"8B$GF0:n$9$k$h$&$K$J$j$^$9(B.  $B$=$N$?$a(B, $B$3$N%P%C%U%!%U%m!<LdBj$r(B
-$B0-MQ$7$?>l9g(B, $B$=$N%f!<%6$N8"8B$G%3!<%I$r<B9T$9$k$3$H$,2DG=$G$9(B.
+$BG'>Z$r<u$1$?(B)$B%f!<%6$KBP$7$F(B, $BHs>o$KB?$/$N%P%C%U%!%*!<%P%U%m!<LdBj$,(B
+$BB8:_$7$^$9(B.  $B%f!<%6$,%m%0%$%s$9$k$H(B, imapd $B$O(B root $B8"8B$rL58z2=$7(B,
+$B%m%0%$%s$7$?%f!<%6$N8"8B$GF0:n$9$k$h$&$K$J$j$^$9(B.  $B$=$N$?$a(B,
+$B8"8B$O$=$N%f!<%6$K8B$i$l$^$9$,(B, $B$3$N%P%C%U%!%*!<%P%U%m!<LdBj$r(B
+$B0-MQ$9$k$3$H$G%3!<%I$r<B9T$9$k$3$H$,$G$-$^$9(B.

 [Fix of the "closed ..." passage]
 
 $B$7$?$,$C$F(B, $B$3$N%;%-%e%j%F%#>e$N<eE@$O!VJD$8$?!W%a!<%k%5!<%P$K(B
-$B$*$$$F$N$_LdBj$K$J$j$^$9(B.  $B!VJD$8$?!W%a!<%k%5!<%P$H$O(B, $B86B'E*$K(B
-$B%a!<%k$rMxMQ$9$k%f!<%6$KBP$7$FBPOC7?%m%0%$%s$r5v2D$7$F$$$J$$$b$N$G$9(B.
+$B$*$$$F$N$_LdBj$K$J$j$^$9(B.  $B!VJD$8$?!W%a!<%k%5!<%P$H$O(B, $B%a!<%k$r(B
+$BMxMQ$9$k%f!<%6$KBP$7$F(B, $B86B'E*$KBPOC7?%m%0%$%s$r5v2D$7$F$$$J$$$b$N$r;X$7$^$9(B.
 $B%f!<%6$K%m%0%$%s$r5v2D$7$F$$$?$j(B, $B%3!<%I$r<B9T$G$-$k%7%9%F%`$N>l9g(B,
 $B$3$N%;%-%e%j%F%#>e$N<eE@$O$[$H$s$ILdBj$H$J$j$^$;$s(B.

 [pop -> POP]
 
-2) $BFC$K(B IMAP $B$N5!G=$rI,MW$H$7$F$$$J$$(B($B$D$^$j(B pop2/pop3 $B$G==J,$J(B)$B>l9g$K$O(B,
-   /etc/inetd.conf $B$K$"$k(B IMAP $B%G!<%b%s$rL58z2=$7!"(Binetd $B$r:F5/F0$7$F$/$@$5$$(B.
+2) $BFC$K(B IMAP $B$N5!G=$rI,MW$H$7$F$$$J$$(B($B$D$^$j(B POP2/POP3 $B$G==J,$J(B)$B>l9g$K$O(B,
+   /etc/inetd.conf $B$K$"$k(B IMAP $B%G!<%b%s$rL58z2=$7(B, inetd $B$r:F5/F0$7$F$/$@$5$$(B.

 [Fix of the "extensive ..." passage]
 
-$B;DG0$J$,$i(B, imapd $B$KB8:_$9$k$3$N%;%-%e%j%F%#>e$N<eE@$O(B, $B9-$$HO0O$K(B
-$B9-$,$C$F$*$j(B, $B$=$l$i$r=$@5$9$k%Q%C%A$O8=;~E@$GDs6!$5$l$F$$$^$;$s(B.
+$B;DG0$J$,$i(B, imapd $B$KB8:_$9$k$3$N%;%-%e%j%F%#>e$N<eE@$O(B, $B%3!<%I$N(B
+$B9-$$HO0O$K$o$?$C$F$*$j(B, $B$=$l$i$r=$@5$9$k%Q%C%A$O8=;~E@$GDs6!$5$l$F$$$^$;$s(B.
 $BBe$o$j$KMxMQ$G$-$k(B IMAP $B%5!<%P$H$7$F(B mail/cyrus $B$H$$$&(B port $B$,$"$j$^$9$,(B,
 $B8=:_$N(B ports $B$K$O(B, $B$A$g$&$I(B imap-uw $B$HCV$-49$($k$3$H$,$G$-$k$h$&$J(B port $B$O(B
 $B$"$j$^$;$s(B.  cyrus $B$O(B imap-uw $B$H$O0[$J$k@_Dj$HA`:n$rI,MW$H$9$k$?$a(B,

00:15 ...............................................................

 [typo and pop -> POP]

-$BMQ0U$7$?(B "libv-client" $B$H$$$&%i%$%V%i%j$rDs6!$7$F$$$^$9(B.
+$BMQ0U$7$?(B "libc-client" $B$H$$$&%i%$%V%i%j$rDs6!$7$F$$$^$9(B.

-$BG$0U$N(B mailbox $B$KBP$7$F(B, pop2/pop3 $B7PM3$G$N%"%/%;%9$rK832$7$?$j(B,
-imap $B7PM3$G$N%"%/%;%9$rFI$_$@$7@lMQ$K6/@)$9$k$3$H$,2DG=$G$9(B.
+$BG$0U$N(B mailbox $B$KBP$7$F(B, POP2/POP3 $B7PM3$G$N%"%/%;%9$rK832$7$?$j(B,
+IMAP $B7PM3$G$N%"%/%;%9$rFI$_$@$7@lMQ$K6/@)$9$k$3$H$,2DG=$G$9(B.

 [Rendering of "another"]
 
-2) IMAP $B$N5!G=$rI,MW$H$7$F$$$J$$$J$i(B, POP2/POP3 $B%5!<%P$N;HMQ$r9M$($F$/$@$5$$(B.
-   $B$^$?(B, FreeBSD $B%;%-%e%j%F%#4+9p(B 00:14 $B$K$"$kBeBX(B IMAP $B%5!<%P$K4X$9$k(B
-   $BCm0U$b;2>H$7$F$/$@$5$$(B.
+2) IMAP $B$N5!G=$rI,MW$H$7$F$$$J$$$J$i(B, $B2?$+B>$N(B POP2/POP3 $B%5!<%P$r(B
+   $B;HMQ$9$k$3$H$r9M$($F$/$@$5$$(B.  $B$^$?(B, FreeBSD $B%;%-%e%j%F%#4+9p(B 00:14 $B$K(B
+   $B$"$k(B, $BBeBX(B IMAP $B%5!<%P$K4X$9$kCm0U$b;2>H$7$F$/$@$5$$(B.

00:16 ...............................................................

-golddig $B$N(B port $B$G$O(B, $B8m$C$F(B root $B$K(Bsetuid $B$5$l$?(B
-$B%l%Y%k:n@.%f!<%F%#%j%F%#$,%$%s%9%H!<%k$5$l$^$9(B.  $B$3$l$O%f!<%6$KBP$7(B,
+golddig $B$N(B port $B$G$O(B, $B8m$C$F(B root $B$K(B setuid $B$5$l$?%l%Y%k:n@.(B
+$B%f!<%F%#%j%F%#$,%$%s%9%H!<%k$5$l$^$9(B.  $B$7$+$7(B, $B$3$l$O%f!<%6$KBP$7$F(B
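Review bot: the connective added at the start of the second sentence in this hunk (しかし, "however") reads as a contrast, but the English source ("erroneously installs a level-creation utility setuid root, which allows users to overwrite the contents of arbitrary local files") states a consequence of the setuid installation, so a consequential connective such as そのため, or no connective at all, would follow the source more closely.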

00:17 ...............................................................

 [Fix of a passage with awkward sentence structure]

-libmytinfo $B$rMxMQ$9$k$3$H$G(B, $B%f!<%6$OBeBX$N(B termcap $B%U%!%$%k$d(B
-TERMCAP $B4D6-JQ?t$r;H$C$?%(%s%H%j$N;XDj$,2DG=$K$J$j$^$9(B.
+libmytinfo $B$O%f!<%6$KBP$7(B, TERMCAP $B4D6-JQ?t$r;H$C$F(B
+$BBeBX$N(B termcap $B%U%!%$%k$d%(%s%H%j$r;XDj$9$k$3$H$r2DG=$K$7$^$9(B.
 $B$7$+$7(B, $B$3$l$K$O0BA4$JJ}K!$,$H$i$l$F$*$i$:(B, $B%i%$%V%i%jFbIt$K(B
 $B%P%C%U%!%*!<%P%U%m!<$r5/$3$92DG=@-$N$"$kItJ,$,B8:_$7$^$9(B.
 
 [Rendering of "certain"]

-setuid/setgid $B$5$l$?(B (FreeBSD ports/packages $B$r4^$`(B)$B%5!<%I%Q!<%F%#@=(B
-$B%=%U%H%&%'%"$O(B, $BFC8"$rI,MW$H$9$k%j%=!<%9$r%m!<%+%k$+$i0-MQ$G$-$k$H$$$&(B
-$B%;%-%e%j%F%#>e$N<eE@$H$J$k2DG=@-$,$"$j$^$9(B.  $BFC8"$rI,MW$H$9$k%j%=!<%9$K$O(B,
-$B$?$H$($P%M%C%H%o!<%/%=%1%C%H(B, $BFC8"$rI,MW$H$9$k%U%!%$%k%7%9%F%`$X$N%"%/%;%9$d(B
-(root $B%"%/%;%9$r4^$`(B)$B9b$$FC8"$rI,MW$H$9$k%7%'%k%"%/%;%9$J$I$,$"$j$^$9(B.
+$B$"$k<o$N(B setuid/setgid $B$5$l$?(B(FreeBSD ports/packages $B$r4^$a$?(B)$B%5!<%I(B
+$B%Q!<%F%#@=%=%U%H%&%'%"$O(B, $BFC8"$rI,MW$H$9$k%j%=!<%9$r%m!<%+%k$+$i(B
+$B0-MQ$G$-$k$H$$$&%;%-%e%j%F%#>e$N<eE@$H$J$k2DG=@-$,$"$j$^$9(B.  $BFC8"$r(B
+$BI,MW$H$9$k%j%=!<%9$K$O(B, $B$?$H$($P%M%C%H%o!<%/%=%1%C%H(B, $BFC8"$rI,MW$H$9$k(B
+$B%U%!%$%k%7%9%F%`$X$N%"%/%;%9$d(B(root $B%"%/%;%9$r4^$`(B)$B9b$$FC8"$rI,MW$H$9$k(B
+$B%7%'%k%"%/%;%9$J$I$,$"$j$^$9(B.


Attachment: 00_14_imap-uw.asc

 This mail is a Japanese translation of the following message, which was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:14.imap-uw
  From: FreeBSD Security Officer <security-officer@freebsd.org>
  Date: Mon, 24 Apr 2000 15:46:34 -0700 (PDT)
  Message-Id: <20000424224634.8A4B337B5AA@hub.freebsd.org>
  X-Sequence: announce-jp 422

 The original is PGP signed, but this Japanese translation is not.
 To run a PGP check and confirm that the patches and other contents have
 not been tampered with, please refer to the original.

 The Japanese translation is provided for reference by the FreeBSD Japanese
 Documentation Project (doc-jp); doc-jp makes no guarantee whatsoever about
 its contents. Please send inquiries about the Japanese translation to
 doc-jp@jp.freebsd.org.

--(from here)

=============================================================================
FreeBSD-SA-00:14                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          imap-uw contains security vulnerabilities for "closed"
                mail servers

Category:       ports
Module:         imap-uw
Announced:      2000-04-24
Credits:        Michal Zalewski <lcamtuf@DIONE.IDS.PL>
                Michal Szymanski <siva9@CLICO.PL> (via BugTraq ML)
Affects:        Ports collection
Corrected:      See below.
Vendor status:  Aware of the problem, no satisfactory solution provided.
FreeBSD only:   NO

I.   Background

imap-uw is a popular IMAP4/POP2/POP3 mail server from the University
of Washington.

II.  Problem Description

There are numerous buffer overflows available to an imap user after
they have successfully logged into their mail account
(i.e. authenticated themselves by giving the correct password,
etc). Once the user logs in, imapd has dropped root privileges and is
running as the user ID of the mail account which has been logged into,
so the buffer overflow can only allow code to be executed as that
user.

Thus, the vulnerability is only relevant on a "closed" mail server,
i.e. one which does not normally allow interactive logins by mail
users. For a system which allows users to log in or execute code on
the system, there is minimal vulnerability.

Note that once a user has successfully exploited the vulnerability to
gain access to their user account they may be able to mount further
attacks against the local (or a remote) machine to upgrade their
privileges.

The imap-uw port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3200 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

(Translator's note: an application being in the Ports Collection does not
mean that the FreeBSD developers have evaluated it as secure.)

III. Impact

A user with a mail account on the imap server can execute arbitrary
code as themselves on that machine. This is only likely to be a
security issue on "closed" mail servers which do not allow interactive
shell logins.

Only imapd is known to be vulnerable at this time; the other daemons
installed by the imap-uw port (ipop2d/ipop3d) are not known to suffer
from the same vulnerability.

If you have not chosen to install the imap-uw port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

1) Deinstall the imap-uw port/package, if you have installed it.

2) If you do not specifically require imap functionality
(i.e. pop2/pop3 is sufficient) then disable the imap daemon in
/etc/inetd.conf and restart inetd (e.g. with the command 'killall -HUP
inetd')

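As an added illustration of workaround step 2 (not part of the advisory), the POSIX shell functions below comment out a service entry in an inetd.conf-style file and check that no active entry for it remains; the inetd.conf lines are constructed, and the service name imap4 is an assumption about how the imap-uw daemon is registered.

```shell
#!/bin/sh
# Added example, not part of the advisory: comment out one service in an
# inetd.conf-style file and verify it is no longer offered. The inetd.conf
# content below is constructed; "imap4" as the service name is an assumption.

# Comment out every active line in file $1 whose first field is exactly $2.
disable_inetd_service() {
    conf="$1"
    svc="$2"
    tmp="$conf.tmp.$$"
    # Anchor at line start and require whitespace after the name, so "imap4"
    # matches neither "imap4s" nor an entry that is already commented out.
    sed "s/^\(${svc}[[:space:]]\)/#\1/" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Succeed (exit 0) only if an uncommented entry for service $2 remains in $1.
inetd_service_enabled() {
    grep -q "^$2[[:space:]]" "$1"
}

demo() {
    conf=$(mktemp)
    # Constructed fragment in inetd.conf layout; the POP3 entry must survive,
    # since the advisory only disables the IMAP daemon.
    printf '%s\n' \
        'ftp     stream  tcp     nowait  root    /usr/libexec/ftpd          ftpd -l' \
        'pop3    stream  tcp     nowait  root    /usr/local/libexec/ipop3d  ipop3d' \
        'imap4   stream  tcp     nowait  root    /usr/local/libexec/imapd   imapd' \
        > "$conf"
    disable_inetd_service "$conf" imap4
    inetd_service_enabled "$conf" imap4 && { rm -f "$conf"; return 1; }
    inetd_service_enabled "$conf" pop3 || { rm -f "$conf"; return 1; }
    cat "$conf"
    rm -f "$conf"
    # On a live host, after editing /etc/inetd.conf, reload inetd with the
    # command the advisory gives:  killall -HUP inetd
}
demo
```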

V.   Solution

Unfortunately the vulnerabilities in imapd are quite extensive and no
patch is currently available to address them. There is also no
"drop-in" replacement for imap-uw currently available in ports,
although the mail/cyrus port is another imap server which may be a
suitable replacement. Cyrus has different configuration and
operational requirements than imap-uw however, which may make it
unsuitable for many users.

Until a security audit of the imap-uw source can be completed and the
vulnerabilities patched, it is recommended that operators of "closed"
imapd servers take steps to minimize the impact of users being able to
run code on the server (i.e., by tightening the local security on the
machine to minimize the damage an intruding user can cause).

This advisory will be updated once the known vulnerabilities in
imap-uw have been addressed.

Attachment: 00_15_imap-uw.asc

 This mail is a Japanese translation of the following message, which was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:15.imap-uw
  From: FreeBSD Security Officer <security-officer@freebsd.org>
  Date: Mon, 24 Apr 2000 15:46:35 -0700 (PDT)
  Message-Id: <20000424224635.EEF4B37BBB4@hub.freebsd.org>
  X-Sequence: announce-jp 423

--(from here)

=============================================================================
FreeBSD-SA-00:15                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          imap-uw allows local users to deny service to any mailbox

Category:       ports
Module:         imap-uw
Announced:      2000-04-24
Credits:        Alex Mottram <alex@NET-CONNECT.NET> (via BugTraq ML)
Affects:        Ports collection
Corrected:      See below
Vendor status:  Vendor notified of the problem
FreeBSD only:   NO

I.   Background

imap-uw is a popular IMAP4/POP2/POP3 mail server from the University
of Washington.

II.  Problem Description

The imap-uw port supplies a "libc-client" library which provides
various functionality common to mail servers. The algorithm used for
locking of mailbox files contains a weakness which allows an
unprivileged local user to lock an arbitrary local mailbox.

In the case of POP2/POP3 servers, this means that the mailbox will not
be able to be accessed at all by the owner. In the case of IMAP4
servers, the folder can be opened for reading, but not writing
(i.e. can only be accessed read-only).

Note that this is a different vulnerability than that described in
FreeBSD Security Advisory 00:14, and affects all imap-uw servers which
provide shell-level access to users. However note that by virtue of
advisory 00:14, all users who can access their mail remotely via imap
can acquire such access even without explicit shell login access.

The imap-uw port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3200 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

(Translator's note: an application being in the Ports Collection does not
mean that the FreeBSD developers have evaluated it as secure.)

III. Impact

A user who has, or who can obtain (see advisory 00:14) shell access to
the mail server can prevent an arbitrary mailbox from being opened via
pop2/pop3, or can force the mailbox to be only opened read-only via
imap.

If you have not chosen to install the imap-uw port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

1) Deinstall the imap-uw port/package, if you have installed it.

2) Consider using another POP2/POP3 server if you do not require IMAP
functionality. See the notes regarding alternative IMAP servers in
FreeBSD Security Advisory 00:14.

V.   Solution

No patch is currently available. It is incumbent on the imap-uw
developers to redesign the mailbox locking scheme to provide a secure
locking mechanism which is not vulnerable to local denial-of-service
attacks.

This advisory will be updated once the known vulnerabilities in
imap-uw have been addressed.

Attachment: 00_16_golddig.asc

 This mail is a Japanese translation of the following message, which was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:16.golddig
  From: FreeBSD Security Officer <security-officer@freebsd.org>
  Date: Tue,  9 May 2000 12:15:12 -0700 (PDT)
  Message-Id: <20000509191512.385BC37BEA3@hub.freebsd.org>
  X-Sequence: announce-jp 425

--(from here)

=============================================================================
FreeBSD-SA-00:16                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          golddig port allows users to overwrite local files

Category:       ports
Module:         golddig
Announced:      2000-05-09
Credits:        Discovered during internal ports collection auditing.
Affects:        Ports Collection
Corrected:      2000-04-30
Vendor status:  Email bounced; the vendor could not be reached by email.
FreeBSD only:   NO

I.   Background

Golddig is an X11 game provided as part of the FreeBSD ports collection.

II.  Problem Description

The golddig port erroneously installs a level-creation utility setuid
root, which allows users to overwrite the contents of arbitrary local
files. It is not believed that any elevation of privileges is possible
with this vulnerability because the contents of the file are a textual
representation of a golddig game level which is highly constrained.

The golddig port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3200 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

(Translator's note: an application being in the Ports Collection does not
mean that the FreeBSD developers have evaluated it as secure.)

III. Impact

An unprivileged local user can overwrite the contents of any file,
although they are restricted in the possible contents of the new file.

If you have not chosen to install the golddig port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

One of the following:

1) Deinstall the golddig port/package, if you have installed it.

2) Remove the setuid bit from /usr/local/bin/makelev. This will mean
unprivileged users cannot create or modify golddig levels except in
their own directories.

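An added example (not from the advisory) for workaround step 2: POSIX shell functions that list setuid files under a directory, strip the setuid bit from one of them, and verify the bit is really gone. The directory and the stand-in makelev file are constructed in a temporary directory, so no real system path such as /usr/local/bin is touched.

```shell
#!/bin/sh
# Added example, not part of the advisory: find setuid files under a
# directory, clear the setuid bit on one of them (what workaround step 2
# does for /usr/local/bin/makelev), and verify the result. The directory
# and files are constructed in a temp dir, so no real system path is touched.

# Print every regular file under $1 that has the setuid bit set, sorted.
list_setuid_files() {
    find "$1" -type f -perm -4000 -print | sort
}

# Number of setuid regular files under $1 (tr strips wc's leading spaces).
count_setuid_files() {
    list_setuid_files "$1" | wc -l | tr -d ' '
}

# Clear the setuid bit on file $1; succeed only if the bit is really gone.
drop_setuid() {
    chmod u-s "$1" || return 1
    # -perm -4000 tests the setuid bit itself, independent of the other bits.
    [ -z "$(find "$1" -perm -4000 -print)" ]
}

demo() {
    dir=$(mktemp -d)
    # Constructed stand-ins for a ports prefix: one setuid file, one normal.
    : > "$dir/makelev" && chmod 4755 "$dir/makelev"
    : > "$dir/golddig" && chmod 755 "$dir/golddig"
    echo "setuid files before: $(list_setuid_files "$dir")"
    drop_setuid "$dir/makelev" || { rm -rf "$dir"; return 1; }
    echo "setuid files after: $(count_setuid_files "$dir")"
    rm -rf "$dir"
}
demo
```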

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the golddig port.

2) Reinstall a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/games/golddig-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/games/golddig-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/games/golddig-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/games/golddig-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/games/golddig-2.0.tgz

Note: it may be several days before the updated packages are available.

3) download a new port skeleton for the golddig port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

----Next_Part(Sun_May_14_23:19:28_2000_518)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="00_17_libmytinfo.asc"

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo
  From: FreeBSD Security Officer <security-officer@freebsd.org>
  Date: Tue,  9 May 2000 12:20:49 -0700 (PDT)
  Message-Id: <20000509192049.5712437BFB7@hub.freebsd.org>
  X-Sequence: announce-jp 426

 The original is PGP-signed, but this Japanese translation is not. To check
 with PGP that the patch and the other contents have not been tampered with,
 refer to the original.

 The Japanese translation is provided for reference by the FreeBSD Japanese
 Documentation Project (doc-jp); doc-jp makes no guarantee whatsoever about
 its content. Questions about the Japanese translation should be sent to
 doc-jp@jp.freebsd.org.

--(translation begins here)

=============================================================================
FreeBSD-SA-00:17                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:       Buffer overflow in libmytinfo may yield increased
		privileges with third-party software.

Category:       core
Module:         libmytinfo
Announced:      2000-05-09
Affects:        FreeBSD 3.x prior to the correction date
Corrected:      2000-04-25
FreeBSD only:   Yes

Patch:          ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libmytinfo.patch

I.   $BGX7J(B - Background

libmytinfo is part of ncurses, a text-mode display library.

libmytinfo $B$O(B ncurces $B$H$$$&(B, $B%F%-%9%H%b!<%II=<($N$?$a$N(B
$B%i%$%V%i%j$N0lIt$G$9(B.

II.  $BLdBj$N>\:Y(B - Problem Description

libmytinfo allows users to specify an alternate termcap file or entry
via the TERMCAP environment variable; however, this is not handled
securely, and the library contains an overflowable buffer.

This is a security vulnerability for binaries which are linked against
libmytinfo and which are setuid or setgid (i.e. run with elevated
privileges). It may also be a vulnerability in other more obscure
situations where a user can exert control over the environment with
which an ncurses binary is run by another user.

$B$3$l$O(B, libmytinfo $B$H%j%s%/$5$l(B, setuid $B$b$7$/$O(B setgid $B$5$l$?(B
($B$D$^$j(B, $B<B9T;~$KDL>o$h$j$b9b$$FC8"$r;}$D$h$&$J(B)$B%P%$%J%j$K$*$$$F(B
$B%;%-%e%j%F%#>e$N<eE@$H$J$j$^$9(B.  $B$^$?(B, ncurses $B%P%$%J%j$r(B
$B<B9T$7$F$$$k%f!<%6$N4D6-$r%3%s%H%m!<%k$G$-$k%f!<%6$,B8:_$9$k(B
$BJ#;($J>u67$K$*$$$F$b(B, $B%;%-%e%j%F%#>e$N<eE@$H$J$k2DG=@-$,$"$k$G$7$g$&(B.

FreeBSD 3.x and earlier versions use a very old, customized version of
ncurses which is difficult to update without breaking
backwards-compatibility. The update was made for FreeBSD 4.0, but it
is unlikely that 3.x will be updated. However, the ncurses source is
currently being audited for further vulnerabilities.

FreeBSD 3.x $B$r4^$`0JA0$N%P!<%8%g%s$G$O(B, $BHs>o$K8E$/(B, $B<j$r2C$($i$l$?(B
$B%P!<%8%g%s$N(B ncurses $B%i%$%V%i%j$,;H$o$l$F$$$^$9(B.  $B$=$N$?$a(B,
$B2a5n$N$b$N$H8_49@-$rJ]$C$?$^$^99?7$9$k$N$O:$Fq$G$9(B.  FreeBSD 4.0 $BMQ$N(B
$B99?7HG$O:n@.$5$l$F$$$^$9$,(B, FreeBSD 3.x $B$N99?7$,9T$J$o$l$k8+9~$_$O(B
$B$"$j$^$;$s(B.  $B8=:_$b$J$*(B, ncurses $B$N%=!<%9%U%!%$%k$KB>$N<eE@$,(B
$BB8:_$9$k$+$I$&$+D4::Cf$G$9(B.

III. $B1F6AHO0O(B - Impact

Certain setuid/setgid third-party software (including FreeBSD
ports/packages) may be vulnerable to a local exploit yielding
privileged resources, such as network sockets, privileged filesystem
access, or outright privileged shell access (including root access).

No program in the FreeBSD base system is believed to be vulnerable to
the bug.

FreeBSD $B$N%Y!<%9%7%9%F%`$K4^$^$l$k%W%m%0%i%`$K$O(B, $B$3$N%P%0$K$h$k(B
$B%;%-%e%j%F%#>e$N<eE@$OB8:_$7$J$$$H9M$($i$l$F$$$^$9(B.

FreeBSD 4.0 and above are NOT vulnerable to this problem.

FreeBSD 4.0 $B$r4^$`(B, $B$=$l0J9_$N(B FreeBSD $B$K$O(B, $B$3$NLdBj$K$h$k(B
$B%;%-%e%j%F%#>e$N<eE@$O!VB8:_$7$^$;$s!W(B.

IV.  $BBP1~:v(B - Workaround

Remove any setuid or setgid binary which is linked against libmytinfo
(including statically linked), or remove set[ug]id privileges from the
file as appropriate.

libmytinfo $B$H%j%s%/$7$F$$$k(B setuid, setgid $B$5$l$?%P%$%J%j(B($B@EE*%j%s%/(B
$B$5$l$F$$$k$b$N$b4^$^$l$^$9(B)$B$r$9$Y$F:o=|$9$k$+(B, $B$=$l$>$l$N%U%!%$%k$+$i(B
setuid, setgid $BFC8"(B($BLuCm(B: setuid, setgid $B5v2DB0@-$N$3$H(B)$B$r:o=|$7$F$/$@$5$$(B.

The following instructions will identify the binaries installed on the
system which are candidates for removal or removal of file
permissions. Since there may be other as yet undiscovered
vulnerabilities in libmytinfo it may be wise to perform this audit
regardless of whether or not you upgrade your system as described in
section V below. In particular, see the note regarding static linking
in section V.

Of course, it is possible that some of the identified files may be
required for the correct operation of your local system, in which case
there is no clear workaround except for limiting the set of users who
may run the binaries, by an appropriate use of user groups and
removing the "o+x" file permission bit.

1) Download the 'libfind.sh' script from

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh

e.g. with the fetch(1) command:

fetch(1) $B%3%^%s%I$r;H$&>l9g$NNc(B:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh
Receiving libfind.sh (460 bytes): 100%
460 bytes transferred in 0.0 seconds  (394.69 Kbytes/s)
#

2) Verify the md5 checksum and compare to the value below:

# /sbin/md5 libfind.sh
MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b

3) Run the libfind script against your system:

# sh libfind.sh /

This will scan your entire system for setuid or setgid binaries which
are linked against libmytinfo. Each returned binary should be examined
(e.g. with 'ls -l' and/or other tools) to determine what security risk
it poses to your local environment, e.g. whether it can be run by
arbitrary local users who may be able to exploit it to gain
privileges.

4) Remove the binaries, or reduce their file permissions, as appropriate.

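The audit in steps 1) to 4) above, written out as an added example; this is not the advisory's libfind.sh (whose contents are not on this page) and the NOTELF/STATIC/SHARED/NONE labels, the function names and the ldd-based static detection are my own assumptions. It lists setuid/setgid files under a root, skips non-ELF files, reports files that ldd(1) shows linked against libmytinfo as SHARED, and flags statically linked executables as STATIC for manual review, matching the "STATIC" report the advisory describes.

```shell
#!/bin/sh
# Added example (not the advisory's libfind.sh): audit a tree for setuid/setgid
# files and classify each one by how it links against a library.
# Assumes ldd(1), od(1) and head(1); LIBNAME defaults to this advisory's library.
LIBNAME="${LIBNAME:-libmytinfo}"

# is_elf FILE -> succeeds when FILE starts with the ELF magic bytes 7f 45 4c 46
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# classify_binary FILE -> prints NOTELF, STATIC, SHARED or NONE (labels are mine)
classify_binary() {
    f="$1"
    if ! is_elf "$f"; then
        echo NOTELF; return 0
    fi
    # ldd rejects statically linked executables; a rebuilt shared libmytinfo
    # does not fix those, so flag them for manual review (the advisory's
    # script reports such files as "STATIC").
    if ! libs=$(ldd "$f" 2>/dev/null); then
        echo STATIC; return 0
    fi
    if printf '%s\n' "$libs" | grep -q "$LIBNAME"; then
        echo SHARED
    else
        echo NONE
    fi
}

# list_setid_files ROOT -> regular files under ROOT with the setuid or setgid bit
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# audit ROOT -> one "CLASS PATH" line per setid file that needs attention
audit() {
    list_setid_files "$1" | while IFS= read -r f; do
        cls=$(classify_binary "$f")
        case "$cls" in
            SHARED|STATIC) printf '%s %s\n' "$cls" "$f" ;;
        esac
    done
}

# With no argument only the functions are defined; "sh audit_setid.sh /" scans.
if [ -n "${1:-}" ]; then
    audit "$1"
fi
```

Each reported path still needs the manual check the advisory describes (ls -l, who can execute it) before it is removed or its permissions reduced.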

V.   $B=$@5=hCV(B - Solution

Upgrade your FreeBSD 3.x system to 3.4-STABLE after the correction
date, or patch your present system source code and rebuild. Then run
the libfind script as instructed in section IV and identify any
statically-linked binaries (those reported as "STATIC" by the
libfind script). These should either be removed, recompiled, or have
privileges restricted to secure them against this vulnerability (since
statically-linked binaries will not be affected by recompiling the
shared libmytinfo library).

FreeBSD 3.x $B%7%9%F%`$N>l9g$O=$@5F|0J9_$N(B 3.4-STABLE $B$K99?7$9$k$+(B,
$B%7%9%F%`$N%=!<%9%3!<%I$K%Q%C%A$rE,MQ$7$F:F9=C[$7$F$/$@$5$$(B.
$B$=$N8e(B, $B%;%/%7%g%s(B IV $B$K=q$+$l$F$$$k$H$*$j$K(B libfind $B%9%/%j%W%H$r(B
$B<B9T$7$F(B, $B@EE*%j%s%/$5$l$?$9$Y$F$N%P%$%J%j$rD4::$7$^$9(B(libfind
$B%9%/%j%W%H$O(B, $B3:Ev$9$k%P%$%J%j$r(B "STATIC" $B$HJs9p$7$^$9(B).
$B$=$l$i$O$9$Y$F:o=|(B, $B$b$7$/$O:F9=C[$9$k$+(B, $B%;%-%e%j%F%#>e$N<eE@$H(B
$B$J$i$J$$$h$&$K(B, $B%U%!%$%k$N5v2DB0@-$r@)8B$9$kI,MW$,$"$j$^$9(B($B$3$l$O(B,
$B@EE*%j%s%/$5$l$?%P%$%J%j$K(B, libmytinfo $B6&M-%i%$%V%i%j$N:F9=C[$N8z2L$,(B
$B8=$o$l$J$$$?$a$G$9(B).

To patch your present system: save the patch below into a file, and
execute the following commands as root:

cd /usr/src/lib/libmytinfo
patch < /path/to/patch/file
make all
make install

Patches for 3.x systems before the resolution date:

  Index: findterm.c
  ===================================================================
  RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v
  retrieving revision 1.3
  diff -u -r1.3 findterm.c
  --- findterm.c	1997/08/13 01:21:36	1.3
  +++ findterm.c	2000/04/25 16:58:19
  @@ -242,7 +242,7 @@
   			} else {
   				s = path->file;
   				d = buf;
  -				while(*s != '\0' && *s != ':')
  +				while(*s != '\0' && *s != ':' && d - buf < MAX_LINE - 1)
   					*d++ = *s++;
   				*d = '\0';
   				if (_tmatch(buf, name)) {
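Review bot: the new bound `d - buf < MAX_LINE - 1` truncates an over-long `path->file` entry silently instead of rejecting it: when the limit is reached, `*d = '\0'` terminates a prefix of the name and `_tmatch(buf, name)` is then evaluated against that prefix, so an entry that only matches when cut short can still be selected. Consider checking after the loop whether `*s` is neither `'\0'` nor `':'` and, if so, skipping the entry rather than matching on the truncated copy. The bound also assumes `buf` holds at least MAX_LINE bytes, which this hunk does not show; confirm the declaration before merging.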
  @@ -259,7 +259,7 @@
   			} else {
   				s = path->file;
   				d = buf;
  -				while(*s != '\0' && *s != ',')
  +				while(*s != '\0' && *s != ',' && d - buf < MAX_LINE - 1)
   					*d++ = *s++;
   				*d = '\0';
   				if (_tmatch(buf, name)) {
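Review bot: this is the same copy loop as the `':'` case above with `','` as the delimiter, now carrying a second hand-written copy of the bound; factor both into one helper that takes the delimiter and the buffer size so the limit cannot drift between the two sites, and give it the same overflow handling: if `*s` is neither `'\0'` nor `','` when the loop exits, the entry did not fit and should not be passed to `_tmatch(buf, name)`.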

----Next_Part(Sun_May_14_23:19:28_2000_518)----
