Date: Thu, 23 Nov 2000 06:07:42 +0900
Message-ID: <wkitpfww9t.wl@FREYA.hmp.sony.co.jp>
From: Hori Masato <mho@pobox.com>
To: doc-jp@jp.freebsd.org
In-Reply-To: In your message of "Wed, 22 Nov 2000 01:34:27 +0900"
	<200011211644.BAA25549@eos.ocn.ne.jp>
References: <200011211644.BAA25549@eos.ocn.ne.jp>
Subject: [doc-jp 7864] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:68.ncurses [REVISED]


Thank you, as always, for your hard work.

At Wed, 22 Nov 2000 01:34:27 +0900,
Hiroki Sato <hrs@eos.ocn.ne.jp> wrote:
> =============================================================================
> FreeBSD-SA-00:68                                            Security Advisory

> II.  問題の詳細 - Problem Description
> 
> when the vulnerable ncurses code is called.  This allows them to
> execute arbitrary code on the local system with the privileges of the
> exploited binary.
> 
> [The draft translation reads:] This vulnerability allows an attacker to
> execute arbitrary code on the local system with the privileges of the
> user who is running the exploited application.

Since set[gu]id comes up later, it might be easier to understand if it does
not say "the user's privileges".

  This vulnerability allows an attacker to execute arbitrary code on the
  local system with the privileges under which the exploited application runs.

> FreeBSD 3.x and earlier versions use a very old, customized version of
> ncurses which is difficult to update without breaking
> backwards-compatibility.  The update was made for FreeBSD 4.0, but 3.x
> will not be updated to the newer version.  At this stage the
> vulnerability has not been fixed in FreeBSD 3.x.
> 
> FreeBSD 3.x $B$H$=$l0JA0$N$b$N$O(B, $BHs>o$K8E$/(B, $B<j$N2C$($i$l$?(B
> $B%P!<%8%g%s$N(B ncurses $B$,;H$o$l$F$$$k$?$a(B, $B8eJ}8_49@-$r(B
> $B3NJ]$7$J$,$i=$@5$r9T$J$&$N$O:$Fq$G$9(B.  FreeBSD 4.0 $BMQ$N(B
> $B=$@5$O:n@.$5$l$F$$$^$9$,(B, FreeBSD 3.x $B$X$N=$@5$OM=Dj$5$l$F$$$^$;$s(B.
> $B8=:_$N$H$3$m(B, FreeBSD 3.x $B$KB8:_$9$k<eE@$O=$@5$5$l$F$$$^$;$s(B.

In this part FreeBSD 4.0 and 3.x are being contrasted, so I took it to be
about the history rather than about this particular bug and tried a
translation.  Am I reading too much into it?

   FreeBSD 3.x $B$H$=$l0JA0$N%P!<%8%g%s$G$O(B, $B8eJ}8_49@-$r3NJ]$7$D$D99?7(B
   $B$9$k$N$,:$Fq$J(B, $BHs>o$K8E$$(Bncurses $B$,%+%9%?%^%$%:$5$l$F;H$o$l$F$$$^(B
   $B$9(B.  FreeBSD 4.0 $B$G$O99?7$5$l$^$7$?$,(B FreeBSD 3.x $B$G$O?7$7$$%P!<%8%g(B
   $B%s$X$N99?7$OM=Dj$5$l$F$$$^$;$s(B.  $B8=:_$N$H$3$m(B, FreeBSD 3.x $B$KB8:_$9(B
   $B$k<eE@$O=$@5$5$l$F$$$^$;$s(B.

> IV.  回避方法 - Workaround

> Dynamically linked binaries will be corrected by simply patching and
> recompiling libc as described below.

> [The draft translation reads:] should be recompiled.  Dynamically linked
> libraries are fixed simply by applying the fix patch to libc and
> recompiling.

A small point, but I have added "as described below".

   should be recompiled.  Dynamically linked libraries are fixed simply by
   applying the fix patch to libc and recompiling, as described below.

In the two places below, I think "as appropriate" applies to both of the
alternatives joined by "or".

> As an interim measure, consider removing any identified setuid or
> setgid binary, removing set[ug]id privileges from the file, or
> limiting the file access permissions, as appropriate.
> 
> [The draft translation reads:] As an interim measure, consider deleting all
> reported setuid/setgid binaries, removing the elevated privileges from
> setuid/setgid files, or restricting the file permissions as appropriate.

 As an interim measure, consider, as appropriate, deleting all reported
 setuid/setgid binaries, removing the elevated privileges from setuid/setgid
 files, or restricting the file permissions.

> 4) Remove the binaries, or reduce their file permissions, as appropriate.
> 4) [The draft translation reads:] Delete the applicable binaries, or restrict their file permissions appropriately.

  4) As appropriate, delete the applicable binaries or restrict their file permissions.

> V.   解決策 - Solution

> In contrast to the usual practise, a simple patch fixing the security
> vulnerability is not provided because the vendor did not make one
> available, and the updated ncurses snapshot which fixed it contains
> numerous other changes whose purpose and relation to the fix was
> unclear.
> 
> [The draft translation reads:] Unlike usual practice, the fix for this
> security vulnerability is not provided in the form of a simple patch.
> This is because the ncurses vendor did not prepare one, and because the
> latest ncurses snapshot in which the vulnerability is fixed contains many
> other changes and it is not well understood whether each of them is
> related to the fix.

If "purpose" is deliberately translated as well:

  and because the latest ncurses snapshot in which the vulnerability is
  fixed contains many other changes, and it is not well understood what
  their purpose is or whether each of them is related to the fix.

That's all.

Hori Masato
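The interim workaround quoted above under IV (remove the binary, drop its set[ug]id bits, or restrict its permissions, as appropriate), as an added shell example; this is not code from the advisory or from this thread. It assumes the affected binaries have already been identified by the advisory's earlier steps and that WORKAROUND_LOG (a name invented here) points at a writable log file.

```shell
#!/bin/sh
# Added example, not from the advisory or this thread: apply the interim
# workaround quoted above (step 4) to set[ug]id binaries that have already
# been identified as linked against the vulnerable ncurses.  Per file one
# action is chosen "as appropriate":
#   strip    - drop the setuid/setgid bits, keep the binary runnable
#   restrict - drop the bits and limit access to the owner only
# The original mode is logged so the change can be reverted once a fixed
# ncurses is installed.  The log path is an assumption of this example.

# Octal mode of a file; GNU stat and BSD stat use different options.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"
}

# Usage: workaround_setugid strip|restrict FILE...
workaround_setugid() {
    action=$1; shift
    log=${WORKAROUND_LOG:-/var/log/setugid-workaround.log}
    case $action in
        strip|restrict) ;;
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skip, not a regular file: $f" >&2
            continue
        fi
        # Only files that actually carry a setuid or setgid bit are touched.
        if [ -z "$(find "$f" \( -perm -4000 -o -perm -2000 \) -print)" ]; then
            echo "no set[ug]id bit, nothing to do: $f" >&2
            continue
        fi
        # Record "<octal mode> <path>" so the change can be rolled back.
        printf '%s %s\n' "$(mode_of "$f")" "$f" >> "$log"
        if [ "$action" = strip ]; then
            chmod u-s,g-s "$f"
        else
            chmod u-s,g-s,go-rwx "$f"
        fi
        echo "$action: $f"
    done
}
```

Run it as the file owner or root; files without a set[ug]id bit are reported and left untouched.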
