Date: Sun, 04 Feb 2001 00:11:20 +0900 (JST)
Message-Id: <20010204.001120.112630433.hrs@eos.ocn.ne.jp>
To: doc-jp@jp.freebsd.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <20010130.140446.74754201.hrs@eos.ocn.ne.jp>
References: <87u26h64cd.wl@jazz.wakabaya.net>
	<20010130135319B.hino@nwk.cl.nec.co.jp>
	<20010130.140446.74754201.hrs@eos.ocn.ne.jp>
X-Mailer: Mew version 1.95b101 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Sun_Feb__4_00:11:20_2001_801)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7965
Subject: [doc-jp 7965] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-01:08.ipfw
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@eos.ocn.ne.jp

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

 01:08,09 $B$N=$@5HG$H(B 01:11-17 $B$^$G$G$9!#(B


08 $B$N=$@5ItJ,(B
=============

 * established $B$N8mLuD{@5$HLuCm$NDI2C$G$9!#(B


 ipfw $B$*$h$S(B ip6fw $B$O(B, ECE $B%U%i%0$N%;%C%H$5$l$?$9$Y$F$N%Q%1%C%H$r(B
-TCP $B@\B3$r3NN)$7$h$&$H$9$k%Q%1%C%H$N0l$D$H$7$F07$$$^$9(B.  
+$B3NN):Q$_(B TCP $B@\B3$N%Q%1%C%H$N0l$D$H$7$F07$$$^$9(B.  
 $B$3$l$O(B TCP $BM=Ls%U%i%0%U%#!<%k%I$N%*!<%P%m!<%I$,860x$G$9(B.
-$B$=$N$?$a(B, $B$=$l$i$OK\Mh(B TCP $B@\B3$r3NN)$7$h$&$H$9$k%Q%1%C%H$G$J$$$K$b(B
-$B4X$o$i$:(B, 'established' $B=$>~;R$,IU$$$?(B ipfw $B%k!<%k$KIT@5$K(B
-$B%^%C%A$7$F$7$^$$$^$9(B.
+$B$=$N$?$a(B, $B$=$l$i$OK\Mh(B, $B3NN):Q$_(B TCP $B@\B3$N%Q%1%C%H$G$J$$$K$b4X$o$i$:(B,
+'established' $B=$>~;R$,IU$$$?(B ipfw $B%k!<%k$KIT@5$K%^%C%A$7$F$7$^$$$^$9(B.
 
+ [$BLuCm(B] ipfw $BFbIt$G$O(B, $B%Q%1%C%H$NJ,N`$K(B TCP $BM=Ls%U%i%0%U%#!<%k%I$,(B
+        $BMQ$$$i$l$F$$$^$9(B.$B!V(BTCP $BM=Ls%U%i%0%U%#!<%k%I$N%*!<%P%m!<%I!W$H$O(B,
+        ipfw $B$,!V3NN):Q$_!W$KJ,N`$9$k$?$a$K@_Dj$7$F$$$?%U%i%0$H(B,
+        ECE $B%U%i%0$,0lCW$7$F$7$^$C$F$$$?$3$H$r;X$7$^$9(B.
+        $B$3$N$?$a(B, $B85!9(B ECE $B%U%i%0$,@_Dj$5$l$F$$$k%Q%1%C%H$H(B,
+        ipfw $B$,3NN):Q$_$N@\B3$K4^$^$l$k$HH=CG$7$?%Q%1%C%H$N(B
+        $B6hJL$,IU$+$J$/$J$C$F$7$^$C$?$3$H$,:#2s$NLdBj$N860x$G$9(B.
+
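Review bot: The context line at the top of this hunk still reads "all packets with the ECE flag set" where the English source has "all TCP packets with the ECE flag set"; since the following line is being rewritten anyway, add "TCP" before the word for packets so the scope matches the original. The added translator's note attributes the overloading to a collision between the ECE bit and the flag ipfw uses for "established", which the English advisory text does not spell out, so keep it visibly set off as a translator's note (as the bracketed marker does here) rather than letting it merge into the advisory body.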


09 $B$N=$@5ItJ,(B
=============

 * $B$A$g$$D9$$$G$9$,!"(B"sensitive data such as keying material" $B$G(B
  $B!VG'>Z80$N?dB,$r2DG=$H$9$k$h$&$J=EMW$J>pJs!W$H$7$^$7$?!#(B

 crontab $B%(%s%H%j$,K=O*$5$l$k$3$H$G$9(B.  crontab $B%(%s%H%j$K$O(B
-keying material $B$J$I$N=EMW$J>pJs$,4^$^$l$F$$$k2DG=@-$,$"$j$^$9(B
+$BG'>Z80$N?dB,$r2DG=$K$9$k$h$&$J=EMW$J>pJs$,4^$^$l$F$$$k2DG=@-$,$"$j$^$9(B
 ($B$?$@$7(B, $B$=$l$i$O(B crontab $B%8%g%V$N<B9T;~$K(B, $B%W%m%;%9$N0z?t$d(B

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@eos.ocn.ne.jp>
|
| sato@sekine00.ee.noda.sut.ac.jp (UNIV)
| hrs@FreeBSD.org (FreeBSD Project)

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:08"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:08 (2001-01-23)
 * ipfw/ip6fw allows bypassing of 'established' keyword
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Tue, 23 Jan 2001 13:08:23 -0800 (PST)
  Message-Id: <20010123210823.349E837B402@hub.freebsd.org>
  X-Sequence: announce-jp 671

 The original is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that the patches and other content
 have not been tampered with, refer to the original.

 For details about the Japanese translation and the use of mirror sites, see
 "A. About the Japanese Edition of FreeBSD Security Advisories" at the end
 of this document.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begins here)
=============================================================================
FreeBSD-SA-01:08                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	ipfw/ip6fw allows bypassing of 'established' keyword

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	kernel
$B9pCNF|(B:		2001-01-23
$B%/%l%8%C%H(B:	Aragon Gouveia <aragon@phat.za.net>
$B1F6AHO0O(B:	FreeBSD 3.x ($BA4%j%j!<%9(B),
                FreeBSD 4.x ($BA4%j%j!<%9(B),
                $B=$@5F|0JA0$N(B FreeBSD 3.5-STABLE $B$*$h$S(B 4.2-STABLE
$B=$@5F|(B:		2001-01-09 (FreeBSD 4.2-STABLE)
		2001-01-12 (FreeBSD 3.5-STABLE)
FreeBSD $B$K8GM-$+(B:	Yes


I.   $BGX7J(B - Background

ipfw is a system facility which allows IP packet filtering,
redirecting, and traffic accounting.  ip6fw is the corresponding
utility for IPv6 networks, included in FreeBSD 4.0 and above.  It is
based on an old version of ipfw and does not contain as many features.

ipfw $B$O(B, IP $B%Q%1%C%H$N%U%#%k%?%j%s%0(B, $B%j%@%$%l%/%H(B, $B%H%i%U%#%C%/2]6b$r(B
$B<B8=$9$k$?$a$N%7%9%F%`5!G=$N0l$D$G$9(B.  ip6fw $B$O(B IPv6 $B%M%C%H%o!<%/$KBP1~$7$?(B
$B%f!<%F%#%j%F%#$G(B, FreeBSD 4.0 $B$H$=$l0J9_$K4^$^$l$F$$$^$9(B.
$B$?$@$78e<T$O8E$$%P!<%8%g%s$N(B ipfw $B$r85$K$7$F$*$j(B, $B$"$^$jB?$/$N5!G=$O(B
$B;}$C$F$$$^$;$s(B.


II.  $BLdBj$N>\:Y(B - Problem Description

Due to overloading of the TCP reserved flags field, ipfw and ip6fw
incorrectly treat all TCP packets with the ECE flag set as being part
of an established TCP connection, which will therefore match a
corresponding ipfw rule containing the 'established' qualifier, even
if the packet is not part of an established connection.

ipfw $B$*$h$S(B ip6fw $B$O(B, ECE $B%U%i%0$N%;%C%H$5$l$?$9$Y$F$N%Q%1%C%H$r(B
$B3NN):Q$_(B TCP $B@\B3$N%Q%1%C%H$N0l$D$H$7$F07$$$^$9(B.  
$B$3$l$O(B TCP $BM=Ls%U%i%0%U%#!<%k%I$N%*!<%P%m!<%I$,860x$G$9(B.
$B$=$N$?$a(B, $B$=$l$i$OK\Mh(B, $B3NN):Q$_(B TCP $B@\B3$N%Q%1%C%H$G$J$$$K$b4X$o$i$:(B,
'established' $B=$>~;R$,IU$$$?(B ipfw $B%k!<%k$KIT@5$K%^%C%A$7$F$7$^$$$^$9(B.

 [$BLuCm(B] ipfw $BFbIt$G$O(B, $B%Q%1%C%H$NJ,N`$K(B TCP $BM=Ls%U%i%0%U%#!<%k%I$,(B
        $BMQ$$$i$l$F$$$^$9(B.$B!V(BTCP $BM=Ls%U%i%0%U%#!<%k%I$N%*!<%P%m!<%I!W$H$O(B,
        ipfw $B$,!V3NN):Q$_!W$KJ,N`$9$k$?$a$K@_Dj$7$F$$$?%U%i%0$H(B,
        ECE $B%U%i%0$,0lCW$7$F$7$^$C$F$$$?$3$H$r;X$7$^$9(B.
        $B$3$N$?$a(B, $B85!9(B ECE $B%U%i%0$,@_Dj$5$l$F$$$k%Q%1%C%H$H(B,
        ipfw $B$,3NN):Q$_$N@\B3$K4^$^$l$k$HH=CG$7$?%Q%1%C%H$N(B
        $B6hJL$,IU$+$J$/$J$C$F$7$^$C$?$3$H$,:#2s$NLdBj$N860x$G$9(B.

The ECE flag is not believed to be in common use on the Internet at
present, but is part of an experimental extension to TCP for
congestion notification.  At least one other major operating system
will emit TCP packets with the ECE flag set under certain operating
conditions.
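
The flag collision described in the Problem Description above, as an added C model (not code from the advisory or from the FreeBSD source tree). TH_ECE is the standard 0x40 TCP header bit; the rule layout, the RULE_ESTAB marker that shares that bit, and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits (standard values). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40    /* ECN-Echo, previously a reserved bit */

/*
 * Hypothetical rule encoding for this model: a rule keeps the TCP flags it
 * requires in one byte, and the 'established' keyword is recorded by setting
 * a private marker in a then-reserved bit of that same byte.
 */
#define RULE_ESTAB 0x40 /* assumption: same bit position as TH_ECE */

struct rule {
    uint8_t want_set;    /* flags that must be set (plus the marker) */
    uint8_t want_clr;    /* flags that must be clear */
    int     established; /* out-of-band keyword, used by the fixed matcher */
};

/* The rule "allow tcp from any to any established" in this model. */
static const struct rule ESTABLISHED_RULE = { RULE_ESTAB, 0, 1 };

/* Overloaded matcher: the keyword marker lives inside the flag mask. */
static int match_overloaded(const struct rule *r, uint8_t th_flags)
{
    if ((r->want_set & RULE_ESTAB) && (th_flags & (TH_RST | TH_ACK)))
        return 1;               /* the intended 'established' test */
    /*
     * Generic comparison: the marker is now compared as if it were a real
     * header bit, so any packet carrying ECE satisfies it.
     */
    if ((th_flags & r->want_set) != r->want_set)
        return 0;
    if (th_flags & r->want_clr)
        return 0;
    return 1;
}

/* Corrected matcher: keyword kept out of band, header bits compared as-is. */
static int match_separated(const struct rule *r, uint8_t th_flags)
{
    if (r->established)
        return (th_flags & (TH_RST | TH_ACK)) != 0;
    if ((th_flags & r->want_set) != r->want_set)
        return 0;
    if (th_flags & r->want_clr)
        return 0;
    return 1;
}

/* Number of flag bytes on which the two matchers disagree. */
static int count_misclassified(void)
{
    int n = 0;
    for (int f = 0; f < 256; f++)
        if (match_overloaded(&ESTABLISHED_RULE, (uint8_t)f) !=
            match_separated(&ESTABLISHED_RULE, (uint8_t)f))
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample flag bytes, not captured traffic. */
    const struct { const char *name; uint8_t flags; } samples[] = {
        { "ACK",     TH_ACK },
        { "SYN",     TH_SYN },
        { "SYN+ECE", TH_SYN | TH_ECE },
        { "ACK+ECE", TH_ACK | TH_ECE },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s overloaded=%d separated=%d\n", samples[i].name,
               match_overloaded(&ESTABLISHED_RULE, samples[i].flags),
               match_separated(&ESTABLISHED_RULE, samples[i].flags));
    printf("misclassified flag bytes: %d\n", count_misclassified());
    return 0;
}
```

Every flag byte on which the two matchers disagree has ECE set and neither RST nor ACK, which is the set a ruleset audit should reason about when deciding whether an 'established' rule was the only barrier.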

ECE $B%U%i%0$O8=;~E@$K$*$$$F(B, $B%$%s%?!<%M%C%H>e$G9-$/;H$o$l$F$$$k$b$N$G$O(B
$B$J$$$H9M$($i$l$F$$$^$9(B.  $B$3$l$OmUmTDLCN$N$?$a$K(B TCP $B$K2C$($i$l$?(B
$B<B83E*$J3HD%5!G=$N0l$D$G$9(B.  $B$7$+$7(B, $BB>$NM-L>$J%*%Z%l!<%F%#%s%0%7%9%F%`$N(B
$B0l$D$O>/$J$/$H$b(B, $B$3$N(B ECE $B%U%i%0$N$D$$$?%Q%1%C%H$rFCDj$N>r7o2<$G(B
$B=PNO$9$k$3$H$,3NG'$5$l$F$$$^$9(B.

Only systems which have enabled ipfw or ip6fw and use a ruleset
containing TCP rules which make use of the 'established' qualifier,
such as "allow tcp from any to any established", are vulnerable.  The
exact impact of the vulnerability on such systems is undetermined and
depends on the exact ruleset in use.

$B$7$?$,$C$F(B, $B$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$,B8:_$9$k$N$O(B,
ipfw $B$b$7$/$O(B ip6fw $B$,M-8z2=$5$l(B, 'established' $B=$>~;R$rMxMQ$7$?(B,
$B$?$H$($P(B "allow tcp from any to any established" $B$H$$$&$h$&$J(B
TCP $B%k!<%k$r4^$`%k!<%k%;%C%H$r;H$C$F$$$k%7%9%F%`$K8B$i$l$^$9(B.
$B$3$N<eE@$K$h$k1F6AHO0O$r0lHLE*$KFCDj$9$k$3$H$O$G$-$^$;$s(B.
$B$=$l$i$O(B, $B;H$o$l$F$$$k%k!<%k%;%C%H$K$b0MB8$9$k$?$a$G$9(B.

All released versions of FreeBSD prior to the correction date
including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was
corrected prior to the (future) release of FreeBSD 4.3.

FreeBSD 3.5.1 $B$*$h$S(B FreeBSD 4.2 $B$r4^$`(B, $B=$@5F|0JA0$N$9$Y$F$N(B
FreeBSD $B%j%j!<%9$,(B, $B$3$N%;%-%e%j%F%#>e$N<eE@$N1F6A$r<u$1$^$9(B.
$B$3$NLdBj$O(B, ($B>-Mh%j%j!<%9$5$l$k(B) FreeBSD 4.3 $B$N8x3+A0$K=$@5$5$l$^$7$?(B.

III. $B1F6AHO0O(B - Impact

Remote attackers who construct TCP packets with the ECE flag set may
bypass certain ipfw rules, allowing them to potentially circumvent
the firewall.



IV.  $B2sHrJ}K!(B - Workaround

Because the vulnerability only affects 'established' rules and ECE-
flagged TCP packets, this vulnerability can be removed by adjusting
the system's rulesets.  In general, it is possible to express most
'established' rules in terms of a general TCP rule (with no TCP flag
qualifications) and a 'setup' rule, but may require some restructuring
and renumbering of the ruleset.



V.   $B2r7h:v(B - Solution

One of the following:

1) Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE, or
4.2-STABLE after the correction date.

2) Patch your present system by downloading the relevant patch from the
below location:

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch.asc

[FreeBSD 3.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch.asc

Verify the detached PGP signature using your PGP utility.
PGP $B%f!<%F%#%j%F%#$r;H$C$F(B PGP $B=pL>$r3NG'$7$^$9(B.

Execute the following commands as root:
root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9(B.

# cd /usr/src
# patch -p < /path/to/patch
# cp /usr/src/sys/netinet/tcp.h /usr/src/sys/netinet/ip_fw.h /usr/include/netinet/
# cd /usr/src/sbin/ipfw
# make depend && make all install
# cd /usr/src/sys/modules/ipfw
# make depend && make all install

For 4.x systems, perform the following additional steps:
4.x $B%7%9%F%`$N>l9g$O(B, $B>e$K2C$($F<!$N<j=g$r9T$J$$$^$9(B.

# cp /usr/src/sys/netinet6/ip6_fw.h /usr/include/netinet6/
# cd /usr/src/sbin/ip6fw
# make depend && make all install
# cd /usr/src/sys/modules/ip6fw
# make depend && make all install

NOTE: The ip6fw patches have not yet been tested but are believed to
be correct.  The ip6fw software is not currently maintained and may be
removed in a future release.

$BCm0U(B: ip6fw $B$N=$@5%Q%C%A$O$^$@;n83$5$l$F$$$^$;$s$,(B,
      $B=$@5$O@5$7$$$b$N$G$"$k$H9M$($i$l$F$$$^$9(B.  ip6fw $B$O(B
      $B8=:_J]<i$5$l$F$*$i$:(B, $B>-Mh$N%j%j!<%9$G$O:o=|$5$l$kM=Dj$G$9(B.

If the system is using the ipfw or ip6fw kernel modules (see
kldstat(8)), the module may be unloaded and the corrected module
loaded into the kernel using kldload(8)/kldunload(8).  This will
require that the firewall rules be reloaded, usually by executing the
/etc/rc.firewall script.  Because the loading of the ipfw or ip6fw
module will result in the system denying all packets by default, this
should only be attempted when accessing the system via console or by
careful use of a command such as:

$B%7%9%F%`$,(B ipfw $B$b$7$/$O(B ip6fw $B%+!<%M%k%b%8%e!<%k(B (kldstat(8) $B;2>H(B) $B$r(B
$B;HMQ$7$F$$$k>l9g$K$O(B, kldload(8)/kldunload(8) $B$rMQ$$$k$3$H$G(B
$B%+!<%M%k$+$i%b%8%e!<%k$r<h$j30$7(B, $B=$@5HG$N%b%8%e!<%k$rF3F~$9$k$3$H$,(B
$B2DG=$G$9(B.  $B$3$N:](B, $BDL>o$O(B /etc/rc.firewall $B%9%/%j%W%H$G<B9T$5$l$k(B
$B%U%!%$%"%&%)!<%k%k!<%k$N:FFI$_9~$_$r(B, $BL@<(E*$K9T$J$&I,MW$,$"$j$^$9(B.
$B$3$3$G(B, ipfw $B$b$7$/$O(B ip6fw $B%b%8%e!<%k$NF3F~;~$K$O(B, $B%G%U%)%k%H$G(B
$B$9$Y$F$N%Q%1%C%H$r5qH]$9$k$h$&$K%7%9%F%`$,@_Dj$5$l$F$7$^$&$3$H$K(B
$BCm0U$7$F$/$@$5$$(B.  $B$=$N$?$a$3$N:n6H$O(B, $B%3%s%=!<%k7PM3$G%7%9%F%`$K(B
$B%"%/%;%9$7$F$$$k;~$+(B, $B$b$7$/$O:Y?4$NCm0U$rJ'$C$F<!$N$h$&$J(B
$B%3%^%s%I$r<B9T$9$k$3$H$G$N$_(B, $B9T$J$&$Y$-$G$9(B.

# kldload ipfw && sh /etc/rc.firewall

which performs both operations sequentially.


Otherwise, if the system has ipfw or ip6fw compiled into the kernel,
the kernel will also have to be recompiled and installed, and the
system will have to be rebooted for the changes to take effect.

$B$^$?(B, ipfw $B$b$7$/$O(B ip6fw $B$,%7%9%F%`$N%+!<%M%k$K%3%s%Q%$%k$5$l$F$$$k(B
$B>l9g(B, $B=$@5$rM-8z2=$5$;$k$?$a$K%+!<%M%k$N:F9=C[(B, $B:F%$%s%9%H!<%k(B, $B$*$h$S(B
$B%7%9%F%`$N:F5/F0$,I,MW$K$J$j$^$9(B.


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:08,v 1.3 2001/02/03 14:58:24 hrs Exp $

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:09"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:09 (2001-01-25)
 * crontab allows users to read certain files [REVISED]
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: FreeBSD Security Advisory: FreeBSD-SA-01:09.crontab [REVISED]
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Thu, 25 Jan 2001 13:01:37 -0800 (PST)
  Message-Id: <200101252101.f0PL1bs78217@freefall.freebsd.org>
  X-Sequence: announce-jp 672

 The original is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that the patches and other content
 have not been tampered with, refer to the original.

 For details about the Japanese translation and the use of mirror sites, see
 "A. About the Japanese Edition of FreeBSD Security Advisories" at the end
 of this document.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begins here)
=============================================================================
FreeBSD-SA-01:09                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	crontab allows users to read certain files [REVISED]

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	crontab
$B9pCNF|(B:		2001-01-23
$B2~D{F|(B:		2001-01-25
$B%/%l%8%C%H(B:	Kyong-won Cho <dubhe@HACKERSLAB.COM>
		$B=$@5%Q%C%ADs6!(B: OpenBSD (Todd Miller <millert@openbsd.org>)
$B1F6AHO0O(B:	FreeBSD 3.x ($BA4%j%j!<%9(B),
                FreeBSD 4.x (4.2 $B$h$jA0$NA4%j%j!<%9(B)
                $B=$@5F|0JA0$N(B FreeBSD 3.5.1-STABLE $B$*$h$S(B 4.1.1-STABLE
$B=$@5F|(B:		2000-11-11 (FreeBSD 4.1.1-STABLE)
		2000-11-20 (FreeBSD 3.5.1-STABLE)
FreeBSD $B$K8GM-$+(B:	No

0.   $B2~D{MzNr(B - Revision History

v1.0  2001-01-23  $B=iHG8x3+(B
v1.1  2001-01-25  Update to credit OpenBSD as source of patch
                  $B=$@5%Q%C%A$NDs6!85$G$"$k(B OpenBSD $B$N%/%l%8%C%H$r99?7(B


I.   $BGX7J(B - Background

crontab(8) is a program to edit crontab(5) files for use by the cron
daemon, which schedules jobs to run at specified times.

crontab(8) $B$O(B, $BFCDj$N;~4V$K<B9T$9$k$h$&$K%8%g%V$r%9%1%8%e!<%k$9$k(B
cron $B%G!<%b%sMQ$N(B crontab(5) $B%U%!%$%k$rJT=8$9$k%W%m%0%i%`$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

crontab(8) was discovered to contain a vulnerability that may allow
local users to read any file on the system that conforms to a valid
crontab(5) file syntax.  Due to crontab(5) syntax requirements, the
files that may be read are limited and subject to the following
restrictions:

crontab(8) $B$K$O(B, $B%m!<%+%k%f!<%6$,%7%9%F%`>e$K$"$k(B crontab(5) $B$N(B
$BJ8K!$KB'$C$?7A<0$r;}$D(B, $B$9$Y$F$N%U%!%$%k$rFI$`$3$H$,$G$-$k$H$$$&(B
$B%;%-%e%j%F%#>e$N<eE@$,H/8+$5$l$F$$$^$9(B.  $BFI$`$3$H$N$G$-$k%U%!%$%k$O(B
crontab(5) $BJ8K!$KB'$kI,MW$,$"$j(B, $B<!$N$h$&$J$b$N$K8B$i$l$^$9(B.

* The file is a valid crontab(5) file, or:
* The file is entirely commented out; every line contains either only
  whitespace, or begins with a '#' character.

* $BM-8z$J(B crontab(5) $B%U%!%$%k$G$"$k$+(B,
* $B%U%!%$%kA4BN$,%3%a%s%H%"%&%H$5$l$F$$$k$b$N(B, $B$D$^$j$9$Y$F$N9T$,(B
  $B6uGr$N$_$N9T(B, $B$b$7$/$O(B '#' $BJ8;z$+$i;O$^$C$F$$$k9T$K$J$C$F$$$k$b$N(B.

The greatest security vulnerability is the disclosure of crontab
entries owned by other users, which may contain sensitive data such as
keying material (although this would often be publicly disclosed
anyway at the time when the crontab job executes, via process
arguments and environment, etc).


All released versions of FreeBSD prior to the correction date
including FreeBSD 4.1.1 are vulnerable to this problem.  The problem
was corrected prior to the release of FreeBSD 4.2.

FreeBSD 4.1.1 $B$r4^$`(B, $B=$@5F|0JA0$N$9$Y$F$N(B FreeBSD $B%j%j!<%9$,(B
$B$3$N%;%-%e%j%F%#<eE@$N1F6A$r<u$1$^$9(B.
$B$3$NLdBj$O(B, FreeBSD 4.2 $B$N8x3+A0$K=$@5$5$l$^$7$?(B.


III. $B1F6AHO0O(B - Impact

Malicious local users can read arbitrary local files that conform to
a valid crontab file syntax.



IV.  $B2sHrJ}K!(B - Workaround

One of the following:

1) Utilize crontab allow/deny files (/var/cron/allow and
/var/cron/deny) to limit access to use the crontab(8) utility.
1) crontab $B$N(B $B5v2D(B/$B5qH](B (allow/deny) $B%U%!%$%k(B (/var/cron/allow
   $B$*$h$S(B /var/cron/deny) $B$r;H$C$F(B cronrab(8) $B%f!<%F%#%j%F%#$K(B
   $B;HMQ@)8B$r@_$1$^$9(B.

2) Remove the setuid privileges from /usr/sbin/crontab.  However, this
will not allow users other than root to use cron.


V.   $B2r7h:v(B - Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.1.1-STABLE
after the correction date.

To patch your present system: download the relevant patch from the
below location and execute the following commands as root:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch.asc

Verify the detached PGP signature using your PGP utility.
PGP $B%f!<%F%#%j%F%#$r;H$C$F(B PGP $B=pL>$r3NG'$7$^$9(B.

# cd /usr/src/usr.sbin/cron/crontab
# patch -p < /path/to/patch
# make depend && make all install


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:09,v 1.2 2001/02/03 15:04:18 hrs Exp $

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:11"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:11 (2001-01-29)
 * inetd ident server allows remote users to partially
   read arbitrary wheel-accessible files [REVISED]
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd [REVISED]
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Mon, 29 Jan 2001 13:06:31 -0800 (PST)
  Message-Id: <20010129210631.015E137B698@hub.freebsd.org>
  X-Sequence: announce-jp 676

 The original is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that the patches and other content
 have not been tampered with, refer to the original.

 For details about the Japanese translation and the use of mirror sites, see
 "A. About the Japanese Edition of FreeBSD Security Advisories" at the end
 of this document.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begins here)

=============================================================================
FreeBSD-SA-01:11                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	inetd ident server allows remote users to partially
                read arbitrary wheel-accessible files [REVISED]

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	inetd
$B9pCNF|(B:		2001-01-29
$B2~D{F|(B:		2001-01-29
$B%/%l%8%C%H(B:	dynamo <dynamo@ime.net>
$B1F6AHO0O(B:	FreeBSD 3.x ($BA4%j%j!<%9(B)
                FreeBSD 4.x ($BA4%j%j!<%9(B)
$B=$@5F|(B:		2000-11-25 (FreeBSD 4.2-STABLE)
                2001-01-26 (FreeBSD 3.5-STABLE)
FreeBSD $B$K8GM-$+(B:	Yes


0.   $B2~D{MzNr(B - Revision History

v1.0  2001-01-29  $B=iHG8x3+(B
v1.1  2001-01-29  Correctly credit original problem reporter
                  $B85$H$J$C$?LdBjE@$NJs9p<T$N%/%l%8%C%H$r=$@5(B


I.   $BGX7J(B - Background

The inetd ident server is an implementation of the RFC1413
identification server which returns the local username of the
user connecting to a remote service.

inetd ident $B%5!<%P$O(B, RFC1413 $BG'>Z%5!<%P$N<BAu$N0l$D$G$9(B.
$B$3$NG'>Z%5!<%P$O(B, $B%j%b!<%H%5!<%S%9$K@\B3$7$F$$$k%f!<%6$N(B
$B%m!<%+%k%f!<%6L>$rJV$7$^$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

During internal auditing, the internal ident server in inetd was found
to incorrectly set group privileges according to the user.  Due to
ident using root's group permissions, users may read the first 16
(excluding initial whitespace) bytes of wheel-accessible files.


All released versions of FreeBSD prior to the correction date
including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable.

FreeBSD 3.5.1 $B$*$h$S(B FreeBSD 4.2 $B$r4^$`(B, $B=$@5F|0JA0$N$9$Y$F$N(B
FreeBSD $B%j%j!<%9$,(B, $B$3$NLdBj$N1F6A$r<u$1$^$9(B.


III. $B1F6AHO0O(B - Impact

Users can read the first 16 bytes of wheel-accessible files.


To determine which may be potentially read, execute the following
command as root:


# find / -group wheel \( -perm -40 -a \! -perm +4 \) -ls

The inetd internal ident server is not enabled by default.  If you
have not enabled the ident portion of inetd, you are not vulnerable.

inetd $B$KFbB"$5$l$F$$$k(B ident $B%5!<%P$O(B, $B%G%U%)%k%H>uBV$G(B
$BL58z2=$5$l$F$$$^$9(B.  $B$7$?$,$C$F(B, inetd $B$N(B indent $B5!G=$rL@<(E*$K(B
$BM-8z2=$7$F$$$J$1$l$P(B, $B$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$OB8:_$7$^$;$s(B.


IV.  $B2sHrJ}K!(B - Workaround

Disable the internal ident server, if enabled: comment out all lines
beginning with "auth" in /etc/inetd.conf, then restart inetd by
sending it a SIGHUP:


# killall -HUP inetd


V.   $B2r7h:v(B - Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the correction date.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.2 base system]
[FreeBSD 4.2 $B%Y!<%9%7%9%F%`$N>l9g(B]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch.asc

Verify the detached PGP signature using your PGP utility.
PGP $B%f!<%F%#%j%F%#$r;H$C$F(B PGP $B=pL>$r3NG'$7$^$9(B.

# cd /usr/src/usr.sbin/inetd
# patch -p < /path/to/patch
# make depend && make all install
# killall -HUP inetd

[FreeBSD 3.5.1 base system]
[FreeBSD 3.5.1 $B%Y!<%9%7%9%F%`$N>l9g(B]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.
PGP $B%f!<%F%#%j%F%#$r;H$C$F(B PGP $B=pL>$r3NG'$7$^$9(B.

# cd /usr/src/usr.sbin/inetd
# patch -p < /path/to/patch
# make depend && make all install
# killall -HUP inetd


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:11,v 1.1 2001/02/03 14:59:13 hrs Exp $

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:12"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:12 (2001-01-29)
 * periodic uses insecure temporary files [REVISED]
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-01:12.periodic [REVISED]
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Mon, 29 Jan 2001 13:06:12 -0800 (PST)
  Message-Id: <20010129210612.30FE737B402@hub.freebsd.org>
  X-Sequence: announce-jp 677

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:12                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	periodic uses insecure temporary files [REVISED]

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	periodic
$B9pCNF|(B:		2001-01-29
$B2~D{F|(B:		2001-01-29
$B%/%l%8%C%H(B:	David Lary <dlary@secureworks.net>
$B1F6AHO0O(B:	2000-09-20 $B0J9_$N(B FreeBSD 4.1-STABLE,
                4.1.1-RELEASE,
                $B=$@5F|0JA0$N(B 4.1.1-STABLE
		FreeBSD 3.x $B$K$O1F6A$J$7(B
$B=$@5F|(B:		2000-11-11
FreeBSD $B$K8GM-$+(B:	Yes


0.   $B2~D{MzNr(B - Revision History

v1.0  2001-01-29  $B=iHG8x3+(B
v1.1  2001-01-29  Correctly credit original problem reporter
                  $B85$H$J$C$?LdBjE@$NJs9p<T$N%/%l%8%C%H$r=$@5(B


I.   $BGX7J(B - Background

periodic is a program to run periodic system functions.

periodic $B$O%7%9%F%`$NDj4|E*$JJ]<i:n6H$r<B9T$9$k$?$a$N(B
$B%W%m%0%i%`$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

A vulnerability was inadvertently introduced into periodic that caused
temporary files with insecure file names to be used in the system's
temporary directory.  This may allow a malicious local user to cause
arbitrary files on the system to be corrupted.

periodic $B%W%m%0%i%`$O(B, $B%7%9%F%`$N0l;~%G%#%l%/%H%j$K(B
$B:n@.$5$l$k%U%!%$%k$H$7$F(B, $B%;%-%e%j%F%#$r9MN8$7$J$$%U%!%$%kL>$N(B
$B0l;~%U%!%$%k$r;H$$$^$9(B.  $B$=$N$?$a(B periodic $B$K$O(B,
$B0-0U$r;}$C$?%m!<%+%k%f!<%6$,%7%9%F%`>e$NG$0U$N%U%!%$%k$r(B
$BGK2u$9$k$3$H$,$G$-$k$H$$$&%;%-%e%j%F%#>e$N<eE@$,B8:_$7$^$9(B.

By default, periodic is normally called by cron for daily, weekly, and
monthly maintenance.  Because these scripts run as root, an attacker
may potentially corrupt any file on the system.

$B%7%9%F%`$NI8=`@_Dj$G$O(B, periodic $B$O0lF|$K0l2s(B, $B0l=54V$K0l2s(B,
$B0l%+7n$K0l2s(B, $B$=$l$>$lDj4|E*$JJ]<i:n6H$N<B9T$N$?$a$K(B cron $B$K(B
$B$h$C$F8F$S=P$5$l$^$9(B.  $B$3$l$i$NJ]<i:n6H$r9T$J$&%9%/%j%W%H$O(B
root $B8"8B$G<B9T$5$l$k$?$a(B, $B967b<T$O%7%9%F%`>e$NG$0U$N%U%!%$%k$r(B
$BGK2u$G$-$k2DG=@-$,$"$j$^$9(B.

FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE
prior to the correction date are vulnerable.  The problem was
corrected prior to the release of FreeBSD 4.2.

2000-09-20 $B0J9_$N(B FreeBSD 4.1-STABLE $B$*$h$S(B,
$B=$@5F|0JA0$N(B 4.1.1-STABLE $B$,(B, $B$3$NLdBj$N1F6A$r<u$1$^$9(B.
FreeBSD 4.2-RELEASE $B$N8x3+A0$K(B, $B$3$NLdBj$O=$@5$5$l$^$7$?(B.


III. $B1F6AHO0O(B - Impact

Malicious local users can cause arbitrary files on the system to be
corrupted.


IV.  Workaround

Do not allow periodic to be used in untrusted multi-user environments.

Disable the normal periodic system maintenance scripts by either
commenting-out or removing the periodic entries in /etc/crontab.


V.   Solution

One of the following:

1) Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE after the
correction date.

2) Affected FreeBSD 4.x systems prior to the correction date:

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch.asc

Execute the following commands as root:

# cd /usr/src/usr.sbin/periodic
# patch -p < /path/to/patch
# make depend && make all install


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:12,v 1.1 2001/02/03 14:59:13 hrs Exp $

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:13"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:13 (2001-01-29)
 * sort uses insecure temporary files
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-01:13.sort
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Mon, 29 Jan 2001 13:19:19 -0800 (PST)
  Message-Id: <20010129211919.5B75F37B699@hub.freebsd.org>
  X-Sequence: announce-jp 678

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:13                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	sort uses insecure temporary files

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	sort
$B9pCNF|(B:		2001-01-29
$B%/%l%8%C%H(B:	$BFbIt%;%-%e%j%F%#4F::Cf$KH/8+(B
$B1F6AHO0O(B:	FreeBSD 3.x ($BA4%j%j!<%9(B),
                FreeBSD 4.x (4.2 $B$h$jA0$NA4%j%j!<%9(B),
                $B=$@5F|0JA0$N(B FreeBSD 3.5-STABLE
$B=$@5F|(B:		2000-11-11 (FreeBSD 4.1.1-STABLE)
                2001-01-01 (FreeBSD 3.5-STABLE)
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

sort(1) is a program to sort lines of text.  It is externally
maintained, contributed software which is included in FreeBSD by
default.

sort(1) $B$O(B, $B%F%-%9%H$N9T$r%=!<%H$9$k%W%m%0%i%`$G$9(B.
$B$3$l$OFbIt$GJ]<i$5$l$F$$$k$b$N$G$O$J$/(B, $B30It$+$i4sB#$5$l(B,
FreeBSD $B$KI8=`$GAH$_9~$^$l$F$$$^$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

During internal auditing, sort(1) was found to use easily predictable
temporary file names.  It does create these temporary files correctly
such that they cannot be "subverted" by a symlink attack, but the
program will abort if the temporary filename chosen is already in use.
This allows an attacker to cause the sort(1) command to abort, which
may have a cascade effect on other scripts which make use of it (such
as system management and reporting scripts).  For example, it may be
possible to use this failure mode to hide the reporting of malicious
system activity which would otherwise be detected by a management
script.

$BFbIt%;%-%e%j%F%#4F::$K$h$j(B, sort(1) $B$O0l;~%U%!%$%k$K(B
$BMF0W$K?dB,2DG=$J%U%!%$%kL>$r;HMQ$7$F$$$k$3$H$,H/8+$5$l$^$7$?(B.
sort(1) $B$O%7%s%\%j%C%/%j%s%/967b$G0l;~%U%!%$%k$r$9$jBX$($k$3$H$,(B
$B$G$-$J$$$h$&$JE,@Z$JJ}K!$G0l;~%U%!%$%k$r:n@.$9$k$N$G$9$,(B,
$B:n@.$7$h$&$H$7$?%U%!%$%kL>$,4{$K;HMQCf$N>l9g$O(B, sort(1) $B%W%m%0%i%`$,(B
$B0[>o=*N;$7$^$9(B.  $B$=$N$?$a(B, $B$3$l$O(B sort(1) $B$r;HMQ$7$F$$$k(B
$BB>$N%9%/%j%W%H(B ($B%7%9%F%`$NDj4|E*$JJ]<i!&Js9pMQ%9%/%j%W%H$J$I(B) $B$K(B
$B0-1F6A$r5Z$\$92DG=@-$,$"$j$^$9(B.  $B$?$H$($P(B, $B$3$N0[>o=*N;$rMxMQ$9$k$H(B,
$BK\Mh(B, $BJ]<iMQ%9%/%j%W%H$GH/8+$5$l$k$O$:$N(B, $B0-0U$r;}$C$F9T$J$o$l$?(B
$B%7%9%F%`A`:n$r1#JC$9$k$3$H$,$G$-$k2DG=@-$,$"$j$^$9(B.

All released versions of FreeBSD prior to the correction date including
FreeBSD 3.5.1 and FreeBSD 4.1.1 are vulnerable.  The problem was
corrected prior to the release of FreeBSD 4.2.
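
Added example (not part of the advisory, and not code from sort(1), periodic or the FreeBSD patches): the C program below contrasts the failure mode described here, exclusive creation of a predictable name that fails once the name is taken, with a non-exclusive open that lets a write be redirected (the class of problem behind FreeBSD-SA-01:12, whose exact code the advisory does not show) and with mkstemp(3). The file names, the scratch directory and the helper names are constructed for the illustration, and everything happens inside a private directory created with mkdtemp(3).

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkstemp, mkdtemp, symlink */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result bits returned by tmpfile_demo(). */
enum {
    EXCL_FAILED_EEXIST = 1 << 0,  /* O_EXCL open refused the taken name      */
    TARGET_INTACT      = 1 << 1,  /* ...and the file behind it was untouched */
    NAIVE_CLOBBERED    = 1 << 2,  /* open without O_EXCL truncated that file */
    MKSTEMP_SUCCEEDED  = 1 << 3   /* mkstemp still produced a usable file    */
};

/* Predictable name, no O_EXCL: open(2) follows a symlink already present at
 * the path and truncates whatever it points to. */
static int open_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Predictable name with O_EXCL: never follows a symlink or reuses a file,
 * but fails with EEXIST whenever the name already exists. */
static int open_predictable_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Runs the three strategies in a private scratch directory; -1 on setup error. */
int tmpfile_demo(void)
{
    const char *base = getenv("TMPDIR");
    char dir[200], target[256], guess[256], tmpl[256];
    int fd, result = 0;

    snprintf(dir, sizeof dir, "%s/tmpdemo.XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/important.conf", dir);
    snprintf(guess, sizeof guess, "%s/sort012345", dir);  /* constructed name */
    snprintf(tmpl, sizeof tmpl, "%s/sortXXXXXX", dir);

    /* Constructed stand-in for a file that must not be damaged. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8)
        return -1;
    close(fd);

    /* The predictable name is already taken, here by a symlink. */
    if (symlink(target, guess) != 0)
        return -1;

    /* Exclusive create: fails cleanly, nothing is overwritten. */
    fd = open_predictable_excl(guess);
    if (fd < 0 && errno == EEXIST)
        result |= EXCL_FAILED_EEXIST;
    else if (fd >= 0)
        close(fd);
    if (file_size(target) == 8)
        result |= TARGET_INTACT;

    /* Non-exclusive create: the open lands on the symlink's target. */
    fd = open_naive(guess);
    if (fd >= 0)
        close(fd);
    if (file_size(target) == 0)
        result |= NAIVE_CLOBBERED;

    /* mkstemp(3): random suffix, O_EXCL, mode 0600, retries on collision. */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        result |= MKSTEMP_SUCCEEDED;
        close(fd);
        unlink(tmpl);
    }

    unlink(guess);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = tmpfile_demo();
    printf("result mask = %d (15 means all four observations held)\n", r);
    return r == 15 ? 0 : 1;
}
```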

FreeBSD 3.5.1 $B$*$h$S(B FreeBSD 4.1.1 $B$r4^$`(B, $B=$@5F|0JA0$N$9$Y$F$N(B
FreeBSD $B%j%j!<%9$,(B, $B$3$NLdBj$KBP$7$F<eE@$r;}$C$F$$$^$9(B.
FreeBSD 4.2 $B$N8x3+A0$K(B, $B$3$NLdBj$O=$@5$5$l$^$7$?(B.


III. $B1F6AHO0O(B - Impact

Attackers can cause the operation of sort(1) to fail, possibly
disrupting aspects of system operation.

$B967b<T$O(B sort(1) $B$r0[>o=*N;$5$;(B, $B%7%9%F%`$K$*$1$k(B
$B$5$^$6$^$JF0:n$rCfCG$5$;$k$3$H$,$G$-$k2DG=@-$,$"$j$^$9(B.


IV.  $B2sHrJ}K!(B - Workaround

None appropriate.


V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE,
4.2-RELEASE, or 4.2-STABLE after the correction date.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.1.1 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch.asc

Verify the detached PGP signature using your PGP utility.
PGP $B%f!<%F%#%j%F%#$r;H$C$F(B PGP $B=pL>$r3NG'$7$^$9(B.

# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install

[FreeBSD 3.5.1 base system]
[FreeBSD 3.5.1 $B%Y!<%9%7%9%F%`$N>l9g(B]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.
PGP $B%f!<%F%#%j%F%#$r;H$C$F(B PGP $B=pL>$r3NG'$7$^$9(B.

# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:13,v 1.1 2001/02/03 14:59:13 hrs Exp $

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:14"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:14 (2001-01-29)
 * micq remote buffer overflow vulnerability
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory: FreeBSD-SA-01:14.micq
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 30 Jan 2001 01:25:01 -0800 (PST)
  Message-Id: <200101300925.f0U9P1C89113@freefall.freebsd.org>
  X-Sequence: announce-jp 679

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:14                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	micq remote buffer overflow vulnerability

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	micq
$B9pCNF|(B:		2001-01-29
$B%/%l%8%C%H(B:	recidjvo@pkcrew.org
$B1F6AHO0O(B:       $B=$@5F|0JA0$N(B Ports Collection
$B=$@5F|(B:		2001-01-24
$B%Y%s%@$NBP1~(B:	$B=$@5HG$,8x3+:Q$_(B
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

micq is a text-based ICQ client.

micq $B$O%F%-%9%H%Y!<%9$N(B ICQ $B%/%i%$%"%s%H$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

The micq port, versions prior to 0.4.6.1, contains a remote
vulnerability: due to a buffer overflow, a malicious remote user
sending specially-crafted packets may be able to execute arbitrary
code on the local system with the privileges of the micq process.  To
accomplish this, the attacker must be able to sniff the packets
between the micq client and ICQ server in order to gain the session
key to cause the client to accept the malicious packets.

micq port $B$N%P!<%8%g%s(B 0.4.6.1 $B0JA0$N$b$N$K$O(B, $B%j%b!<%H$+$i0-MQ2DG=$J(B
$B%;%-%e%j%F%#>e$N<eE@$,B8:_$7$^$9(B.  $B0-0U$r;}$C$?%j%b!<%H%f!<%6$O(B
$BFC<l$J%Q%1%C%H$rAw$k$3$H$G(B micq $B$K%P%C%U%!%*!<%P%U%m!<$rH/@8$5$;(B,
$B%m!<%+%k%7%9%F%`$K$*$$$FG$0U$N%3!<%I$r(B micq $B%W%m%;%9$N8"8B$G(B
$B<B9T$9$k$3$H$,$G$-$k2DG=@-$,$"$j$^$9(B.  $B$?$@$7(B, $B$3$N967b$N<B8=$K$O(B,
micq $B%/%i%$%"%s%H$K967bMQ%Q%1%C%H$r<u$1<h$i$;$k$?$a(B,
$B967b<T$,%/%i%$%"%s%H$H(B ICQ $B%5!<%P$N4V$N%Q%1%C%H$rEpD0$7(B,
$B%;%7%g%s%-!<$r<j$KF~$l$k$3$H$,$G$-$kI,MW$,$"$j$^$9(B.

The micq port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 4500 third-party applications in a ready-to-install format.  The
ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this
problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

micq $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/(B,
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B.
$B$=$l$i$O(B 4500 $B$r1[$($k%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9(B.
$B%j%j!<%98e$KLdBj$,8+$D$+$C$?$?$a(B, FreeBSD 3.5.1 $B$*$h$S(B 4.2 $B$H$H$b$K(B
$B=P2Y$5$l$?(B Ports Collection $B$O$3$NLdBj$r4^$s$G$$$^$9(B.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B).  $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B.


III. $B1F6AHO0O(B - Impact

Malicious remote users may cause arbitrary code to be executed
with the privileges of the micq process.

$B0-0U$r;}$C$?%j%b!<%H%f!<%6$O(B, micq $B%W%m%;%9$N8"8B$G(B
$BG$0U$N%3!<%I$r<B9T$G$-$k2DG=@-$,$"$j$^$9(B.

If you have not chosen to install the micq port/package, then
your system is not vulnerable to this problem.

micq $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B
$B%7%9%F%`$K$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.


IV.  $B2sHrJ}K!(B - Workaround

Deinstall the micq port/package, if you have installed it.

micq $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O(B,
$B$=$l$r%7%9%F%`$+$i:o=|$7$F$/$@$5$$(B.


V.   $B2r7h:v(B - Solution

One of the following:
$B<!$N$$$:$l$+$K=>$C$F$/$@$5$$(B.

1) Upgrade your entire ports collection and rebuild the micq port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B, micq $B$N(B port $B$r:F9=C[$7$^$9(B.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
2) $B8E$$(B ($BLuCm(B: micq $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7(B, $B=$@5F|0J9_$K(B
   $B:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i<hF@$7$F%$%s%9%H!<%k$7$^$9(B.

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/micq-0.4.6.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/micq-0.4.6.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/micq-0.4.6.1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the micq port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
4) $B>e5-(B (3) $B$NA`:n$r<+F0E*$K9T$J$&(B portcheckout $B%f!<%F%#%j%F%#$r;H$$$^$9(B.
   portcheckout $B$N(B port $B$O(B /usr/ports/devel/portcheckout $B$K$"$j$^$9(B.
   $B$^$?(B, portcheckout $B$N(B package $B$,0J2<$N>l=j$+$iF~<j2DG=$G$9(B.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:14,v 1.1 2001/02/03 14:59:13 hrs Exp $

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:15"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:15 (2001-01-29)
 * tinyproxy contains remote vulnerabilities
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory: FreeBSD-SA-01:15.tinyproxy
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 30 Jan 2001 01:25:24 -0800 (PST)
  Message-Id: <200101300925.f0U9POS89150@freefall.freebsd.org>
  X-Sequence: announce-jp 680

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:15                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	tinyproxy contains remote vulnerabilities

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	tinyproxy
$B9pCNF|(B:		2001-01-29
$B%/%l%8%C%H(B:	|CyRaX| <cyrax@pkcrew.org>
$B1F6AHO0O(B:	$B=$@5F|0JA0$N(B Ports Collection
$B=$@5F|(B:		2001-01-22
$B%Y%s%@$NBP1~(B:	$B=$@5HG$,8x3+:Q$_(B
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

tinyproxy is a lightweight http proxy.

tinyproxy $B$O(B, $BF0:n$N7Z$$(B http proxy $B$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

The tinyproxy port, versions prior to 1.3.3a, contains remote
vulnerabilities: due to a heap overflow, malicious remote users can
cause a denial-of-service by crashing the proxy.  Additionally, the
attacker may potentially cause arbitrary code to be executed as the
user running tinyproxy.

tinyproxy port $B$N%P!<%8%g%s(B 1.3.3a $B$K$O(B, $B%j%b!<%H$+$i0-MQ2DG=$J(B
$B%;%-%e%j%F%#>e$N<eE@$,B8:_$7$^$9(B.  $B0-0U$N$"$k%j%b!<%H%f!<%6$O(B,
$B%R!<%W%*!<%P%U%m!<$rMxMQ$7$F(B proxy $B$r%/%i%C%7%e$5$;$k$3$H$G(B
$B%5!<%S%9K832967b$r2C$($k$3$H$,2DG=$G$9(B.  $B$^$?(B, $B967b<T$O$5$i$K(B
tinyproxy $B$r<B9T$7$F$$$k%f!<%6$N8"8B$GG$0U$N%3!<%I$r<B9T$G$-$k(B
$B2DG=@-$,$"$j$^$9(B.

The tinyproxy port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 4500 third-party applications in a ready-to-install
format.  The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

tinyproxy $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/(B,
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B.
$B$=$l$i$O(B 4500 $B$r1[$($k%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9(B.
$B%j%j!<%98e$KLdBj$,8+$D$+$C$?$?$a(B, FreeBSD 3.5.1 $B$*$h$S(B 4.2 $B$H$H$b$K(B
$B=P2Y$5$l$?(B Ports Collection $B$O$3$NLdBj$r4^$s$G$$$^$9(B.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B).  $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B.


III. $B1F6AHO0O(B - Impact

Malicious remote users may cause a denial-of-service and potentially
cause arbitrary code to be executed.

$B0-0U$r;}$C$?%j%b!<%H%f!<%6$O(B, tinyproxy $B%5!<%P$KBP$7$F(B
$B%5!<%S%9K832967b$r2C$($k$3$H$,2DG=$G$9(B.  $B$^$?(B, $B$=$N%5!<%P>e$G(B
$BG$0U$N%3!<%I$r<B9T$G$-$k2DG=@-$,$"$j$^$9(B.

If you have not chosen to install the tinyproxy port/package, then
your system is not vulnerable to this problem.

tinyproxy $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B
$B%7%9%F%`$K$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.


IV.  $B2sHrJ}K!(B - Workaround

Deinstall the tinyproxy port/package, if you have installed it.

tinyproxy $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O(B,
$B$=$l$r%7%9%F%`$+$i:o=|$7$F$/$@$5$$(B.


V.   $B2r7h:v(B - Solution

One of the following:
$B<!$N$$$:$l$+$K=>$C$F$/$@$5$$(B.

1) Upgrade your entire ports collection and rebuild the tinyproxy port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B, tinyproxy $B$N(B port $B$r:F9=C[$7$^$9(B.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
2) $B8E$$(B ($BLuCm(B: tinyproxy $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7(B, $B=$@5F|0J9_$K(B
   $B:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i<hF@$7$F%$%s%9%H!<%k$7$^$9(B.

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/tinyproxy-1.3.3a.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the tinyproxy port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
4) $B>e5-(B (3) $B$NA`:n$r<+F0E*$K9T$J$&(B portcheckout $B%f!<%F%#%j%F%#$r;H$$$^$9(B.
   portcheckout $B$N(B port $B$O(B /usr/ports/devel/portcheckout $B$K$"$j$^$9(B.
   $B$^$?(B, portcheckout $B$N(B package $B$,0J2<$N>l=j$+$iF~<j2DG=$G$9(B.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:15,v 1.1 2001/02/03 14:59:13 hrs Exp $

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:16"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:16 (2001-01-29)
 * mysql may allow remote users to gain increased
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory: FreeBSD-SA-01:16.mysql
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 30 Jan 2001 01:25:43 -0800 (PST)
  Message-Id: <200101300925.f0U9Phr89218@freefall.freebsd.org>
  X-Sequence: announce-jp 681

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:16                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	mysql may allow remote users to gain increased
                privileges

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	mysql322-server/mysql323-server
$B9pCNF|(B:		2001-01-29
$B%/%l%8%C%H(B:	Nicolas GREGOIRE <nicolas.gregoire@7THZONE.COM>
$B1F6AHO0O(B:	$B=$@5F|0JA0$N(B Ports Collection
$B=$@5F|(B:		2001-01-19
$B%Y%s%@$NBP1~(B:	$B=$@5HG$,8x3+:Q$_(B
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

mysql is a high-performance database server.

mysql $B$O9b5!G=$J%G!<%?%Y!<%9%5!<%P$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

The mysql323-server port, versions prior to 3.23.22, and all
mysql322-server ports contain remote vulerabilities.  Due to a buffer
overflow, a malicious remote user can cause a denial-of-service by
crashing the database.  Additionally, the attacker may be able to gain
the privileges of the mysqld user, allowing access to all databases
and the ability to leverage other local attacks as the mysqld user.
In order to accomplish this, the attacker must have a valid mysql
account.

mysql323-server port $B$N%P!<%8%g%s(B 3.23.22 $B$h$jA0$N$b$N(B, $B$*$h$S(B
$B$9$Y$F$N%P!<%8%g%s$N(B mysql322-server port $B$K$O(B, $B%j%b!<%H$+$i0-MQ2DG=$J(B
$B%;%-%e%j%F%#>e$N<eE@$,B8:_$7$^$9(B.  $B0-0U$r;}$C$?%j%b!<%H%f!<%6$O(B,
$B%P%C%U%!%*!<%P%U%m!<$rMxMQ$7$F(B mysql $B%G!<%?%Y!<%9$r%/%i%C%7%e$5$;(B,
$B%5!<%P$KBP$7$F%5!<%S%9K832967b$r2C$($k$3$H$,2DG=$G$9(B.
$B$^$?(B, $B967b<T$O$5$i$K(B mysqld $B$r<B9T$7$F$$$k%f!<%6$N8"8B$r<j$KF~$l$k$3$H$,(B
$B$G$-$k2DG=@-$,$"$j$^$9(B.  mysqld $B%f!<%68"8B$,C%$o$l$k$H(B, $B967b<T$O(B
$BA4%G!<%?%Y!<%9$X$N%"%/%;%9(B, $B$*$h$S(B mysqld $B%f!<%6$N8"8B$G$N(B
$B%m!<%+%k4D6-$X967b$r2C$($k$3$H$,$G$-$^$9(B.  $B$?$@$7(B, $B$3$N967b$N<B8=$K$O(B,
$B967b<T$,M-8z$J(B mysql $B%"%+%&%s%H$r;}$C$F$$$kI,MW$,$"$j$^$9(B.

The mysql322-server and mysql323-server ports are not installed by
default, nor are they "part of FreeBSD" as such: they are part of the
FreeBSD ports collection, which contains over 4500 third-party
applications in a ready-to-install format.  The ports collections
shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was
discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

mysql322-server $B$*$h$S(B mysql323-server $B$N(B port $B$O(B
$B%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/(B,
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B.
$B$=$l$i$O(B 4500 $B$r1[$($k%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9(B.
$B%j%j!<%98e$KLdBj$,8+$D$+$C$?$?$a(B, FreeBSD 3.5.1 $B$*$h$S(B 4.2 $B$H$H$b$K(B
$B=P2Y$5$l$?(B Ports Collection $B$O$3$NLdBj$r4^$s$G$$$^$9(B.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B).  $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B.


III. $B1F6AHO0O(B - Impact

Malicious remote mysql users may cause a denial-of-service and
potentially gain access as the mysqld user, allowing access to all
databases on the mysql server and the ability to leverage other local
attacks as the mysqld user.

$B0-0U$r;}$C$?%j%b!<%H$N(B mysql $B%f!<%6$O(B, mysql $B%5!<%P$KBP$7$F(B
$B%5!<%S%9K832967b$r2C$($k$3$H$,$G$-$^$9(B.  $B$^$?(B, mysqld $B$r(B
$B<B9T$7$F$$$k%f!<%6$N8"8B$rC%$&$3$H$,$G$-$k2DG=@-$,$"$j$^$9(B.
mysqld $B$r<B9T$7$F$$$k%f!<%68"8B$rMxMQ$9$k$H(B, $B$=$N(B mysql $B%5!<%P>e$N(B
$BA4%G!<%?%Y!<%9$X$N%"%/%;%9$9$k$3$H(B, $B$*$h$S%m!<%+%k4D6-$X(B mysqld $B$r(B
$B<B9T$7$F$$$k%f!<%6$N8"8B$G$5$i$K967b$r2C$($k$3$H$,2DG=$K$J$j$^$9(B.

If you have not chosen to install the mysql322-server or
mysql323-server ports/packages, then your system is not vulnerable to
this problem.

mysql322-server $B$b$7$/$O(B mysql323-server $B$N(B port/package $B$r(B
$B%$%s%9%H!<%k$7$F$$$J$1$l$P(B, $B%7%9%F%`$K$3$NLdBj$K$h$k(B
$B%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.


IV.  $B2sHrJ}K!(B - Workaround

Deinstall the mysql322-server or mysql323-server port/package, if you
have installed it.

mysql322-server $B$b$7$/$O(B mysql323-server $B$N(B port/package $B$,(B
$B%$%s%9%H!<%k$5$l$F$$$k>l9g$O(B, $B$=$l$i$r%7%9%F%`$+$i:o=|$7$F$/$@$5$$(B.


V.   $B2r7h:v(B - Solution

Note: the mysql322-server port has been removed since mysql 3.23 is
now the stable mysql branch.  People using older mysql322-server
ports/packages are urged to update to the mysql323-server
port/package.

$BCm0U(B: mysql 3.23 $B$,(B mysql $B$N0BDj$7$?(B (stable) $B%V%i%s%A$K$J$C$?$?$a(B,
      mysql322-server $B$N(B port $B$O:o=|$5$l$^$7$?(B.
      $B8E$$(B mysql322-server $B$N(B port/package $B$rMxMQ$5$l$F$$$k>l9g$O(B,
      mysql323-server $B$N(B port/package $B$K99?7$5$l$k$3$H$r6/$/?d>)$7$^$9(B.

One of the following:
$B<!$N$$$:$l$+$K=>$C$F$/$@$5$$(B.

1) Upgrade your entire ports collection and rebuild the
mysql323-server port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B, mysql323-server $B$N(B port $B$r:F9=C[$7$^$9(B.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
2) $B8E$$(B ($BLuCm(B: mysql323-server $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7(B, $B=$@5F|0J9_$K(B
   $B:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i<hF@$7$F%$%s%9%H!<%k$7$^$9(B.

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-3.23.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/databases/mysql-3.23.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/databases/mysql-3.23.32.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the mysql323-server port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:16,v 1.1 2001/02/03 14:59:13 hrs Exp $

----Next_Part(Sun_Feb__4_00:11:20_2001_801)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:17"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:17 (2001-01-29)
 * exmh symlink vulnerability
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory: FreeBSD-SA-01:17.exmh2
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 30 Jan 2001 01:26:13 -0800 (PST)
  Message-Id: <200101300926.f0U9QD589290@freefall.freebsd.org>
  X-Sequence: announce-jp 682

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:17                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	exmh symlink vulnerability

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	exmh2
$B9pCNF|(B:		2001-01-29
$B%/%l%8%C%H(B:	Stanley G. Bubrouski <stan@CCS.NEU.EDU>
$B1F6AHO0O(B:	$B=$@5F|0JA0$N(B Ports Collection
$B=$@5F|(B:		2001-01-22
$B%Y%s%@$NBP1~(B:	$B=$@5HG$,8x3+:Q$_(B
FreeBSD $B$K8GM-$+(B:	No

I.   $BGX7J(B - Background

exmh is a tcl/tk based interface to the mh mail user agent.

exmh $B$O(B tcl/tk $B%Y!<%9$N(B, mh $B%a!<%k%f!<%6%(!<%8%'%s%HMQ$N(B
$B%$%s%?!<%U%'%$%9%=%U%H%&%'%"$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

The exmh2 port, versions prior to 2.3.1, contains a local
vulnerability: at startup, if exmh detects a problem in its code or
configuration an error dialog appears giving the user an option to
fill in a bug report and email it to the maintainer.  If the user
agrees to mail the maintainer a file named /tmp/exmhErrorMsg is
created.  If the file exists and is a symlink, it will follow the
link, allowing local files writable by the user to be overwritten.

exmh2 port $B$N%P!<%8%g%s(B 2.3.1 $B$h$jA0$N$b$N$K$O(B, $B%m!<%+%k$+$i0-MQ2DG=$J(B
$B%;%-%e%j%F%#>e$N<eE@$,B8:_$7$^$9(B.  exmh $B$O5/F0;~$K%3!<%I$d@_Dj%U%!%$%k$K(B
$B%(%i!<$r8!=P$9$k$H%(%i!<%@%$%"%m%0$rI=<($7(B, $B%P%0%l%]!<%H$r:n@.$7$F(B
$B:n<T$K%a!<%k$GAw$k$+$I$&$+$NA*Br$r%f!<%6$K5a$a$^$9(B.
$B$=$7$F%f!<%6$,:n<T$X%a!<%k$rAw$k(B, $B$HA*Br$7$?>l9g$O(B
/tmp/exmhErrorMsg $B$H$$$&L>A0$N%U%!%$%kL>$r:n@.$7$^$9(B.
$B$3$N;~(B, $B$=$N%U%!%$%k$,4{$KB8:_$7(B, $B$+$D$=$l$,%7%s%\%j%C%/%j%s%/$@$C$?>l9g(B,
exmh $B$O$=$N%j%s%/$r$?$I$C$F=q$-9~$_$r9T$J$&$?$a(B, $B$=$N%f!<%6$,(B
$B=q$-9~$_2DG=$J%m!<%+%k%U%!%$%k$r>e=q$-$9$k$3$H$K$J$j$^$9(B.

The exmh2 port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 4500 third-party applications in a ready-to-install
format.  The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

exmh2 $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/(B,
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B.
$B$=$l$i$O(B 4500 $B$r1[$($k%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9(B.
$B%j%j!<%98e$KLdBj$,8+$D$+$C$?$?$a(B, FreeBSD 3.5.1 $B$*$h$S(B 4.2 $B$H$H$b$K(B
$B=P2Y$5$l$?(B Ports Collection $B$O$3$NLdBj$r4^$s$G$$$^$9(B.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B).  $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B.


III. $B1F6AHO0O(B - Impact

Malicious local users may cause arbitrary files writable by the user
running exmh to be overwritten, in certain restricted situations.

$B0-0U$r;}$C$?%m!<%+%k%f!<%6$O(B, $B$"$kFCDj$N8B$i$l$?>u672<$G(B
exmh $B$r<B9T$7$F$$$k%f!<%6$N8"8B$G=q$-9~$_2DG=$JG$0U$N%U%!%$%k$r(B
$B>e=q$-$9$k$3$H$,2DG=$G$9(B.

If you have not chosen to install the exmh2 port/package, then your
system is not vulnerable to this problem.

exmh2 $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B,
$B$=$N%7%9%F%`$K$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.


IV.  $B2sHrJ}K!(B - Workaround

Deinstall the exmh2 port/package, if you have installed it.

exmh2 $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O(B,
$B$=$l$i$r%7%9%F%`$+$i:o=|$7$F$/$@$5$$(B.


V.   $B2r7h:v(B - Solution

One of the following:
$B<!$N$$$:$l$+$K=>$C$F$/$@$5$$(B.

1) Upgrade your entire ports collection and rebuild the exmh2 port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B, exmh2 $B$N(B port $B$r:F9=C[$7$^$9(B.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
2) $B8E$$(B ($BLuCm(B: exmh2 $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7(B, $B=$@5F|0J9_$K(B
   $B:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i<hF@$7$F%$%s%9%H!<%k$7$^$9(B.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/exmh-2.3.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/exmh-2.3.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/exmh-2.3.1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the exmh2 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:17,v 1.1 2001/02/03 14:59:13 hrs Exp $

----Next_Part(Sun_Feb__4_00:11:20_2001_801)----
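The /tmp/exmhErrorMsg behaviour described in FreeBSD-SA-01:17 above, shown as an added C example (not exmh code and not the fix shipped in exmh 2.3.1): a create-or-truncate open of a fixed name follows an existing symlink, while O_EXCL with O_NOFOLLOW refuses it. The function names and the constructed file names under a private mkdtemp() directory are assumptions made for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* mkdtemp(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern from the advisory: fixed name, create-or-truncate. If the name
 * already exists as a symlink, open() follows it and truncates the target. */
#define UNSAFE_FLAGS (O_WRONLY | O_CREAT | O_TRUNC)
/* Hardened: O_EXCL fails with EEXIST if the name exists at all (a symlink
 * included, dangling or not); O_NOFOLLOW is a second guard. */
#define SAFE_FLAGS (O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW)

/* Write msg to path using the given open(2) flags; 0 on success, -1 on error. */
static int write_report(const char *path, const char *msg, int flags)
{
    int fd = open(path, flags, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed scenario in a private directory: "exmhErrorMsg" is a symlink
 * to "victim". Returns 1 if victim was overwritten, 0 if intact, -1 on
 * setup failure. */
static int victim_overwritten(int flags)
{
    char dir[] = "/tmp/sa0117-demo-XXXXXX";
    char victim[64], report[64], buf[32] = "";
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(report, sizeof report, "%s/exmhErrorMsg", dir);
    if ((f = fopen(victim, "w")) == NULL)
        return -1;
    fputs("keep me\n", f);
    fclose(f);
    if (symlink(victim, report) != 0)
        return -1;

    write_report(report, "bug report\n", flags); /* safe variant returns -1 */
    if ((f = fopen(victim, "r")) != NULL) {
        if (fgets(buf, sizeof buf, f) == NULL)
            buf[0] = '\0';
        fclose(f);
    }
    unlink(report); unlink(victim); rmdir(dir);
    return strcmp(buf, "keep me\n") != 0;
}

int main(void)
{
    printf("create-or-truncate overwrote target: %d\n", victim_overwritten(UNSAFE_FLAGS));
    printf("O_EXCL|O_NOFOLLOW overwrote target:  %d\n", victim_overwritten(SAFE_FLAGS));
    return 0;
}
```

When the exclusive open fails, the caller should report the error or switch to an unpredictable name from mkstemp() rather than retry on the same path.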
