From owner-announce-jp@jp.FreeBSD.org Sat Aug  3 12:41:58 2002
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id g733fwG30183;
	Sat, 3 Aug 2002 12:41:58 +0900 (JST)
	(envelope-from owner-announce-jp@jp.FreeBSD.org)
Date: Sat, 03 Aug 2002 12:28:40 +0900 (JST)
Message-Id: <20020803.122840.74740045.rushani@castle.jp.FreeBSD.org>
To: announce-jp@jp.FreeBSD.org
From: Hideyuki KURASHINA <rushani@jp.FreeBSD.org>
In-Reply-To: <200207301821.g6UIL4Mg034029@freefall.freebsd.org>
References: <200207301821.g6UIL4Mg034029@freefall.freebsd.org>
X-PGP-Public-Key: http://www.bl.mmtr.or.jp/~rushani/public_key.txt
X-PGP-Fingerprint: A052 6F98 6146 6FE3 91E2  DA6B F2FA 2088 439A DC57
X-URL: http://www.bl.mmtr.or.jp/~rushani/
X-Mailer: Mew version 3.0.54 on Emacs 21.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
X-ML-maintainer: owner-announce-jp@jp.FreeBSD.org
Precedence: list
X-Sequence: announce-jp 1021
Subject: Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio [REVISED]
Errors-To: owner-announce-jp@jp.FreeBSD.org
Sender: owner-announce-jp@jp.FreeBSD.org
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+020727



FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:23.stdio (2002-04-22)
 * insecure handling of stdio file descriptors
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio [REVISED]
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 30 Jul 2002 11:21:04 -0700 (PDT)
  Message-Id: <200207301821.g6UIL4Mg034029@freefall.freebsd.org>
  X-Sequence: announce-jp 1016

 The original text is PGP-signed, but this Japanese translation is not
 PGP-signed. To check the PGP signature in order to confirm that the
 contents of the patches and so on have not been tampered with, refer to
 the original text.

 For details about the Japanese translation and the use of mirror sites,
 see "A. About the Japanese edition of FreeBSD Security Advisories" at the
 end of this message.


                 [Translator: Hideyuki KURASHINA <rushani@jp.FreeBSD.org>]
--(begin)
=============================================================================
FreeBSD-SA-02:23.stdio                                      Security Advisory
                                                          The FreeBSD Project

$B%H%T%C%/(B:       stdio $B%U%!%$%k5-=R;R$K$*$1$k%;%-%e%j%F%#E*$KITE,@Z$J=hM}LdBj(B
                (insecure handling of stdio file descriptors)

$BJ,N`(B:           core
$B%b%8%e!<%k(B:     kernel
$B9pCNF|(B:         2002-04-22
$B%/%l%8%C%H(B:     Joost Pol <joost@pine.nl>,
                Georgi Guninski <guninski@guninski.com>
$B1F6AHO0O(B:       4.6-RELEASE $B$r4^$`!"$3$l$^$G$N$9$Y$F$N(B FreeBSD $B%j%j!<%9(B
                $B=$@5F|$h$jA0$N(B 4.6-STABLE
$B=$@5F|(B:		2002-07-30 15:40:46 UTC (RELENG_4)
                2002-07-30 15:42:11 UTC (RELENG_4_6)
                2002-07-30 15:42:46 UTC (RELENG_4_5)
                2002-07-30 15:43:17 UTC (RELENG_4_4)
FreeBSD $B$K8GM-$+(B:       NO

0.   $B2~D{MzNr(B - Revision History

v1.0  2002-04-22  Initial release
v1.1  2002-04-23  Patch and revision numbers updated
v1.2  2002-07-29  procfs issue; updated patch

I.   $BGX7J(B - Background

POSIX $B%7%9%F%`$G$O8E$/$+$i!"%U%!%$%k5-=R;R(B 0, 1, 2 $B$r$=$l$>$l(B
$BI8=`F~NO!"I8=`=PNO!"I8=`%(%i!<=PNO$K3d$jEv$F$F$$$^$9!#$[$\$9$Y$F$N(B
$B%"%W%j%1!<%7%g%s$O!"$3$l$i$N(B stdio $B%U%!%$%k5-=R;R$r!"$?$H$($P(B
$B%(%i!<%a%C%;!<%8$rI8=`%(%i!<=PNO(B ($B%U%!%$%k5-=R;R(B 2) $B$K=q$-=P$9$J$I!"(B
$BFCJL$J0UL#$r;}$D$b$N$H$7$F07$C$F$$$^$9!#(B

$B?7$7$$%W%m%;%9$K$*$1$k%U%!%$%k5-=R;R$O$9$Y$F!"?F%W%m%;%9$+$i(B
$BJ#@=$5$l$?$b$N$G$9!#$3$l$i$N%U%!%$%k5-=R;R$O!V(Bexec $B;~$K%/%m!<%:$9$k(B
(close-on-exec)$B!W$H%^!<%/$5$l$F$$$J$$8B$j!"(Bexec $BCf$bB8:_$7B3$1$^$9!#(B

$B$9$Y$F$N(B POSIX $B%7%9%F%`$G$O%U%!%$%k5-=R;R$r!";HMQ$7$F$$$J$$:G$b>.$5$$?tCM$+$i(B
$B=gHV$K3d$jEv$F$^$9!#$?$H$($P!"?7$7$/(B exec $B$5$l$?%W%m%;%9$K$*$$$F!"(B
$B%U%!%$%k5-=R;R(B 0 $B$H(B 1 $B$,%*!<%W%s$5$l$F$$$F!"%U%!%$%k5-=R;R(B 2 $B$,(B
$B%/%m!<%:$5$l$F$$$k>l9g!"$=$N%W%m%;%9$,%U%!%$%k$r%*!<%W%s$9$k$H!"(B
$B$=$N?7$7$$%U%!%$%k5-=R;R$O(B 2 ($BI8=`%(%i!<=PNO(B) $B$K$J$k$3$H$,J]>Z$5$l$F$$$^$9!#(B

II.  $BLdBj$N>\:Y(B - Problem Description

set-user-id, set-group-id $B$5$l$F$$$k%W%m%0%i%`$O9b$$8"8B$GF0:n$7$^$9!#(B
$B$=$N$h$&$J%W%m%0%i%`$,(B stdio $B%U%!%$%k5-=R;R$N$$$/$D$+$,%/%m!<%:$5$l$?(B
$B>uBV$G<B9T$5$l$?>l9g!"$=$N%W%m%0%i%`$,%U%!%$%k$r%*!<%W%s$9$k$H!"(B
$B$=$N%U%!%$%k$,I8=`F~NO$dI8=`=PNO!"$"$k$$$OI8=`%(%i!<=PNO$K0U?^$;$:$K(B
$B7k$S$D$$$F$7$^$&2DG=@-$,$"$j$^$9!#$=$&$J$k$H!"$=$N%W%m%0%i%`$OITE,@Z$K(B
$B$=$N%U%!%$%k$+$i%G!<%?$rFI$_9~$s$@$j!"%G!<%?$r%U%!%$%k$K=q$-9~$s$@$j(B
$B$9$k$+$b$7$l$^$;$s!#2>$K$=$N%U%!%$%k$,DL>o0lHL%f!<%6$N8"8B$G$O(B
$B%*!<%W%s$G$-$J$$%U%!%$%k$G$"$C$?$H$9$k$H!"$3$l$O9b$$8"8B$r(B
$BF@$k$?$a$KMxMQ$G$-$k2DG=@-$,$"$j$^$9!#(B

$B$3$NLdBj$N(B ($B$3$N4+9p$N:G=i$N2~Dj$K$"$?$k(B) $BA0$N=$@5$K$O8m$j$,$"$j$^$7$?!#(B
procfs $B$^$?$O(B linprocfs $B$rMxMQ$7$F$$$k%7%9%F%`$O0JA0$H$7$F@H<e@-$,(B
$B;D$C$F$$$^$9!#@h$NIT40A4$J=$@5$O0J2<$NF|;~$K9T$o$l$^$7$?!#(B

$B=$@5F|(B:		2002-04-21 13:06:45 UTC (RELENG_4)
                2002-04-21 13:08:57 UTC (RELENG_4_5)
                2002-04-21 13:10:51 UTC (RELENG_4_4)

III. $B1F6AHO0O(B - Impact

$B%m!<%+%k%f!<%6$O%9!<%Q%f!<%68"8B$rF@$k$3$H$,$G$-$k2DG=@-$,$"$j$^$9!#(B
`keyinit' $B$H$$$&(B set-user-id $B$5$l$?%W%m%0%i%`$O!"$3$N<jK!$G0-MQ2DG=$J$3$H$,(B
$BH=L@$7$F$$$^$9!#$*$=$i$/!"B>$N%W%m%0%i%`$K$bF1MM$K0-MQ$,2DG=$J$b$N$,(B
$BB8:_$9$k$H;W$o$l$^$9!#(B

IV.  $B2sHrJ}K!(B - Workaround

[FreeBSD 4.5-RELEASE-p4 $B$H(B 4.4-RELEASE-p11 $B$h$jA0$N%7%9%F%`(B]

$B$"$j$^$;$s!#<!$N%3%^%s%I$r<B9T$9$k$3$H$G(B `keyinit' $B$+$i(B set-user-id $B%S%C%H$r(B
$B<h$j=|$/$3$H$,2DG=$G$9$,!"$*$=$i$/B>$K$b0-MQ2DG=$J%W%m%0%i%`$OB8:_$9$k$G$7$g$&!#(B

# chmod 0555 /usr/bin/keyinit

[FreeBSD 4.5-RELEASE-p4 $B0J9_!"(B4.4-RELEASE-p11 $B0J9_!"(B4.6-RELEASE$B!"(B
 $B=$@5F|0JA0$N(B 4.6-STABLE $B$N%7%9%F%`(B]

umount(8) $B$rMQ$$$F(B procfs$B!"(Blinprocfs $B%U%!%$%k%7%9%F%`$N%^%&%s%H$r(B
$B$O$:$7$F$/$@$5$$!#(B

# umount -f -a -t procfs
# umount -f -a -t linprocfs

V.   $B2r7h:v(B - Solution

kernel $B$O!"(Bset-user-ID $B$d(B set-group-ID $B$5$l$?<B9T%U%!%$%k$r5/F0$9$k;~!"(B
$B%U%!%$%k5-=R;R(B 0$B!"(B1$B!"(B2 $B$r8!::$9$k$h$&$K$J$j$^$7$?!#$3$l$i$N$&$A$N(B
$B$$$:$l$+$,;H$o$l$F$$$J$$>l9g!"(B/dev/null $B$X%j%@%$%l%/%H$5$l$^$9!#(B
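
The following C program is an added example, not code from the advisory
or from the FreeBSD kernel patch. It shows the lowest-unused-descriptor
rule from section I placing a newly opened file on descriptor 2, and a
userland check that does what this section describes for the kernel:
pointing any closed descriptor 0, 1 or 2 at /dev/null. The function names
sanitize_stdio and fd_after_closing_stderr are made up for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Open any closed descriptor among 0, 1, 2 on /dev/null.
 * Returns the number of descriptors repaired, or -1 on failure.
 * (Hypothetical helper for this example, not FreeBSD's code.) */
int sanitize_stdio(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                       /* fd is already open */
        /* open() returns the lowest unused descriptor, which is fd
         * here because everything below fd is known to be open. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd != fd) {
            if (nfd >= 0) close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Close stderr, open a file, and report which descriptor it received.
 * /dev/null stands in for a file a privileged program opens itself. */
int fd_after_closing_stderr(void)
{
    if (sanitize_stdio() < 0) return -1;
    int saved = dup(STDERR_FILENO);         /* keep the real stderr */
    if (saved < 0) return -1;
    close(STDERR_FILENO);
    int got = open("/dev/null", O_WRONLY);  /* lands on descriptor 2 */
    if (got >= 0) close(got);
    dup2(saved, STDERR_FILENO);             /* restore stderr */
    close(saved);
    return got;
}

int main(void)
{
    printf("file opened with fd 2 closed got fd %d\n", fd_after_closing_stderr());
    close(STDIN_FILENO);                    /* as if started with stdin closed */
    printf("descriptors repaired: %d\n", sanitize_stdio());
    return 0;
}
```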

1) Upgrade your vulnerable FreeBSD system to the latest 4.6-STABLE, or to
   one of the RELENG_4_6 (4.6.1-RELEASE-p1), RELENG_4_5
   (4.5-RELEASE-p10), or RELENG_4_4 (4.4-RELEASE-p17) security branches
   dated after the correction date.

2) Apply the patch to your present system.

a) Download the patch from the location below, and verify the PGP
   signature using your PGP utility.

[FreeBSD 4.5-RELEASE-p4 $B$H(B 4.4-RELEASE-p11 $B$h$jA0$N%7%9%F%`(B]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.v1.2.asc

[FreeBSD 4.5-RELEASE-p4 $B0J9_!"(B4.4-RELEASE-p11 $B0J9_!"(B4.6-RELEASE$B!"(B
 $B=$@5F|0JA0$N(B 4.6-STABLE $B$N%7%9%F%`(B]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio2.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio2.patch.v1.2.asc

b) root $B$G0J2<$N%3%^%s%I$r<B9T$7$^$9!#(B

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
   http://www.freebsd.org/handbook/kernelconfig.html and reboot the
   system.

VI.  Correction details

The revision numbers of each file corrected in FreeBSD this time are
listed below.

Path                                                             Revision
  Branch
-------------------------------------------------------------------------
sys/sys/filedesc.h
  RELENG_4                                                       1.19.2.4
  RELENG_4_6                                                     1.19.2.4
  RELENG_4_5                                                 1.19.2.3.6.1
  RELENG_4_4                                                 1.19.2.3.4.1
sys/kern/kern_exec.c
  RELENG_4                                                     1.107.2.15
  RELENG_4_6                                               1.107.2.14.2.1
  RELENG_4_5                                               1.107.2.13.2.2
  RELENG_4_4                                                1.107.2.8.2.3
sys/kern/kern_descrip.c
  RELENG_4                                                      1.81.2.12
  RELENG_4_6                                                    1.81.2.14
  RELENG_4_5                                                 1.81.2.9.2.2
  RELENG_4_4                                                 1.81.2.8.2.2
sys/conf/newvers.sh
  RELENG_4_6                                                1.44.2.23.2.6
  RELENG_4_5                                               1.44.2.20.2.11
  RELENG_4_4                                               1.44.2.17.2.16
-------------------------------------------------------------------------

VII. $B;29M;qNA(B - References

PINE-CERT-20020401 <URL:http://www.pine.nl/advisories/pine-cert-20020401.txt>

A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B
