[17376] in bugtraq
NetBSD Security Advisory 2000-015
daemon@ATHENA.MIT.EDU (security-officer@NETBSD.ORG)
Thu Oct 26 20:58:56 2000
Message-Id: <20001026233432.CF9BE2A2A@orchard.arlington.ma.us>
Date: Thu, 26 Oct 2000 19:34:27 -0400
Reply-To: security-officer@netbsd.org
From: security-officer@NETBSD.ORG
X-To: netbsd-announce@netbsd.org
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2000-015
=================================
Topic: format-string bugs in passwd/libutil
Version: all releases up to and including 1.4.2
Severity: local root compromise possible
Fixed: 2000/10/03 in -current and netbsd-1-5 branches
2000/10/04 in netbsd-1-4 branch.
fix will be in the 1.4.3 and 1.5 releases
Abstract
========
The pw_error() function of the system libutil library, used by several
programs including the setuid passwd program, was vulnerable to a
format string attack.
Technical Details
=================
pw_error passed its first argument to the warn(3) function, which
interprets its first argument as a format string. in certain
circumstances, passwd(1) passes a value derived from untrusted user
input to pw_error().
Solutions and Workarounds
=========================
The problem was fixed in NetBSD-current on 2000/10/03; systems running
NetBSD-current dated from before that date should be upgraded to
NetBSD-current dated 2000/10/04 or later. The two active release
branches were both fixed by 2000/10/05.
Systems running releases older than NetBSD 1.4 should be upgraded to
NetBSD 1.4.2 before applying the fixes described here.
Systems running 1.4.2 should apply the following patch to
lib/libutil/passwd.c usign the patch(1), and rebuild and reinstall the
"libutil" library. On systems which do not support shared libraries,
you should then rebuild and reinstall the "passwd" command.
- --- lib/libutil/passwd.c 1999/12/04 20:00:55 1.15.2.1
+++ lib/libutil/passwd.c 2000/10/04 14:11:02 1.15.2.2
@@ -319,7 +319,7 @@
int err, eval;
{
if (err)
- - warn(name);
+ warn("%s", name);
warnx("%s: unchanged", _PATH_MASTERPASSWD);
pw_abort();
Revision History
================
20001024 Initial draft of advisory.
More Information
================
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2000-015.txt,v 1.3 2000/10/26 15:22:01 sommerfeld Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBOfhMIT5Ru2/4N2IFAQFsPQP+P0d5nzIuDDlXFeS/8Oksb91uGaGoPrZl
sd2JASfLXcgPAemQVLzuAqNsJwxjcDpKlwvbDUrySSrvi4FxJ8scjlUl4g7XCf3G
MfY/NqB2bfoLJIUv3PT3Vx/bHi5rYodu4uqopXQZwWg/PfmXEa0LRgDk/UOuxoNC
+yq0nhXqsOE=
=iNoz
-----END PGP SIGNATURE-----
