Date: Fri, 22 Mar 2002 15:07:02 +0900 (JST)
Message-Id: <20020322.150702.48531528.hrs@eos.ocn.ne.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <200203181500.g2IF04132479@freefall.freebsd.org>
References: <200203181500.g2IF04132479@freefall.freebsd.org>
X-Mailer: Mew version 2.1 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Fri_Mar_22_15:07:02_2002_149)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+020312
X-Sequence: doc-jp-work 311
Subject: [doc-jp-work 311] Re: ANNOUNCE: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Errors-To: owner-doc-jp-work@jp.FreeBSD.org
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hrs@eos.ocn.ne.jp

----Next_Part(Fri_Mar_22_15:07:02_2002_149)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

This is Sato at Tokyo University of Science.

 Sorry for the delay.
 Here are the revised 02:14 plus 02:15-02:18.

  # I'm swamped.

--
| Hiroki Sato @ Tokyo University of Science <hrs@eos.ocn.ne.jp>
|                         <hrs@FreeBSD.org> (FreeBSD Project)

----Next_Part(Fri_Mar_22_15:07:02_2002_149)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="02:14"
Content-Transfer-Encoding: 7bit

FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:14 (2002-03-12)
 * pam-pgsql port authentication bypass
=============================================================================

 This mail is a Japanese translation of the following message posted to
 announce-jp:

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory FreeBSD-SA-02:14.pam-pgsql
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
  Date: Tue, 12 Mar 2002 06:27:51 -0800 (PST)
  Message-Id: <200203121427.g2CERpd64254@freefall.freebsd.org>
  X-Sequence: announce-jp 946

 The original is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that patches and other content
 have not been tampered with, refer to the original.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese edition of FreeBSD security advisories" at the end.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begin)
=============================================================================
FreeBSD-SA-02:14                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	pam-pgsql $B$N(B port $B$K$*$$$FG'>Z$,%P%$%Q%9$5$l$F$7$^$&LdBj(B
		(pam-pgsql port authentication bypass)

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	pam-pgsql
$B9pCNF|(B:		2002-03-12
$B%/%l%8%C%H(B:	Jacques A. Vidrine <nectar@FreeBSD.org>
$B1F6AHO0O(B:	pam-pgsql-0.5.2 $B$h$jA0$N(B pam-pgsql port
$B=$@5F|(B:		2002-01-21 20:06:05 UTC
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

pam-pgsql is a PAM module which allows PAM-enabled applications such
as login(1) to use a PostgreSQL database for user authentication.

pam-pgsql $B$O(B login(1) $B$J$I$N(B PAM $BBP1~%"%W%j%1!<%7%g%s$K$*$$$F!"(B
$B%f!<%6G'>Z$K(B PostgreSQL $B%G!<%?%Y!<%9$r;HMQ2DG=$K$9$k$?$a$N(B
PAM $B%b%8%e!<%k$G$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

The affected versions of the pam-pgsql port contain a vulnerability
that may allow a remote user to cause arbitrary SQL code to be
executed.  pam-pgsql constructs a SQL statement to be executed by the
PostgreSQL server in order to look up user information, verify user
passwords, and change user passwords.  The username and password given
by the user are inserted into the SQL statement without any quoting or
other safety checks.

(Translator's note: "quoting" here means processing the input so that it
is not interpreted as part of the SQL statement.)

The pam-pgsql port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains thousands of third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

pam-pgsql $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/!"(B
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s!#(B
$B$=$l$i$O?t@i8D$K$*$h$V%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9!#(B
$B$3$N%;%-%e%j%F%#>e$N<eE@$O(B FreeBSD 4.4 $B$N%j%j!<%98e$KH=L@$7$?$b$N$G!"(B
FreeBSD 4.4 $B$K<}O?$5$l$?(B Ports Collection $B$K$b!"$3$NLdBj$,4^$^$l$F$$$^$9(B.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $B$$$+$J$kJ]>Z$b$7$F$$$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B).  $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B.


III. $B1F6AHO0O(B - Impact

A user interacting with a PAM-enabled application may insert arbitrary
SQL code into the username or password fields during authentication or
while changing passwords, leading to several exploit opportunities.
In all versions of the pam-pgsql port prior to 0.5.2, attackers may
add or change user account records.  In addition, in versions of the
pam-pgsql port prior to 0.3, attackers may cause pam-pgsql to
completely bypass password authentication, allowing them to
authenticate as any user and obtain unauthorized access using the
PAM-enabled application.  Since common PAM applications include
login(1) and sshd(8), both local and remote attacks are possible.

PAM $B$KBP1~$7$?%"%W%j%1!<%7%g%s$rMxMQ$7$F$$$k%f!<%6$O!"%f!<%6G'>Z$d(B
$B%Q%9%o!<%I$NJQ99;~$K%f!<%6L>$d%Q%9%o!<%I$NF~NOItJ,$XG$0U$N(B SQL $B%3!<%I$r(B
$BA^F~$9$k$3$H$G!"%;%-%e%j%F%#>e$N<eE@$r0-MQ$G$-$k2DG=@-$,$"$j$^$9!#(B
0.5.2 $B$h$jA0$N$9$Y$F$N(B pam-pgsql $B$N(B port $B$K$*$$$F!"967b<T$O(B
$B%f!<%6%"%+%&%s%H%l%3!<%I$NDI2C!"JQ99$r9T$J$&$3$H$,2DG=$G$9!#(B
$B$^$?!"(B0.3 $B$h$jA0$N(B  pam-pgsql $B$N(B port $B$G$O!"$=$l$K2C$($F(B
$B%Q%9%o!<%IG'>Z$r40A4$K1*2s$9$k$3$H$,$G$-$k$?$a!"967b<T$OB>$N%f!<%6$r(B
$BAu$C$FG'>Z$r9T$J$C$?$j!"(BPAM $BBP1~%"%W%j%1!<%7%g%s$r;H$C$?(B
$BIT@5$J%"%/%;%9$r<B8=$9$k$3$H$,2DG=$K$J$j$^$9!#$h$/;H$o$l$F$$$k(B
PAM $BBP1~%"%W%j%1!<%7%g%s$K$O(B login(1) $B$*$h$S(B sshd(8) $B$,(B
$B4^$^$l$F$$$k$?$a!"%m!<%+%k$H%j%b!<%H$NN>J}$+$i$N967b$,2DG=$G$9!#(B


IV.  $B2sHrJ}K!(B - Workaround

1) Deinstall the pam-pgsql port/package if you have it installed.

1) pam-pgsql $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O!"(B
   $B$=$l$r%7%9%F%`$+$i:o=|$7$^$9!#(B


V.   $B2r7h:v(B - Solution

$B<!$N$$$:$l$+$K=>$C$F$/$@$5$$!#(B

1) Upgrade your entire ports collection and rebuild the port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B pam-pgsql $B$N(B port $B$r:F9=C[$9$k!#(B

2) Download a new port skeleton for the pam-pgsql port from:
2) pam-pgsql $B$N?7$7$$(B port $B%9%1%k%H%s$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7!"(B
   $B$=$l$r;H$C$F(B port $B$r:F9=C[$9$k!#(B

http://www.freebsd.org/ports/

and use it to rebuild the port.

3) Use the portcheckout utility to automate option (2) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD Ports Collection.

Path                                                             Revision
-------------------------------------------------------------------------
ports/security/pam-pgsql/Makefile                                     1.9
ports/security/pam-pgsql/distinfo                                     1.3
ports/security/pam-pgsql/pkg-descr                                    1.2
-------------------------------------------------------------------------


VII. $B;29M;qNA(B - References

This vulnerability is very similar to previous vulnerabilities
involving Apache modules and discovered by RUS-CERT.
<URL:http://cert.uni-stuttgart.de/advisories/apache_auth.php>


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7!"K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O!"F|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O!"(B

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/02:14,v 1.5 2002/03/22 06:06:16 hrs Exp $

----Next_Part(Fri_Mar_22_15:07:02_2002_149)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="02:15"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:15 (2002-03-12)
 * cyrus-sasl library contains format string vulnerability
=============================================================================

 This mail is a Japanese translation of the following message posted to
 announce-jp:

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory FreeBSD-SA-02:15.cyrus-sasl
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 12 Mar 2002 06:27:58 -0800 (PST)
  Message-Id: <200203121427.g2CERwo64322@freefall.freebsd.org>
  X-Sequence: announce-jp 947

 The original is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that patches and other content
 have not been tampered with, refer to the original.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese edition of FreeBSD security advisories" at the end.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begin)
=============================================================================
FreeBSD-SA-02:15                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	cyrus-sasl $B%i%$%V%i%j$K$*$1$k=q<0;XDjJ8;zNs$K5/0x$9$k(B
		$B%;%-%e%j%F%#>e$N<eE@(B
		(cyrus-sasl library contains format string vulnerability)

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	cyrus-sasl
$B9pCNF|(B:		2002-03-12
$B%/%l%8%C%H(B:	Kari Hurtta <hurtta+zz@leija.mh.fmi.fi>
$B1F6AHO0O(B:	cyrus-sasl-1.5.24_8 $B$h$jA0$N(B cyrus-sasl port
$B=$@5F|(B:		2001-12-09 03:07:36 UTC
FreeBSD $B$K8GM-$+(B:	NO
CVE:		CAN-2001-0869


I.   $BGX7J(B - Background

Cyrus-SASL is an implementation of RFC 2222 SASL (Simple
Authentication and Security Layer), a method for adding authentication
support to connection based protocols.

cyrus-SASL $B$O%3%M%/%7%g%s%Y!<%9$N%W%m%H%3%k$KG'>Z5!G=$rDI2C$9$k!"(B
RFC 2222 SASL (Simple Authentication and Security Layer) $B$N<BAu$N0l$D$G$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

Affected versions of the cyrus-sasl port contain a format string
vulnerability.  The format string vulnerability occurs during a call
to the syslog(3) function.
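
Added example, not part of the advisory and not cyrus-sasl's own code: the
class of bug named above (untrusted text used as the format argument of a
syslog(3)-style call) beside the hardened form, in C.  All function names
and the sample input are assumptions constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical logging wrapper that renders into a buffer.  The attribute
 * lets the compiler check every caller's format argument (-Wformat,
 * -Wformat-security); a plain variadic wrapper loses that check. */
int log_fmt(char *out, size_t outlen, const char *fmt, ...) PRINTF_LIKE(3, 4);

int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Count printf-style directives in s ("%%" is a literal percent sign).
 * A non-zero count in attacker-influenced text is what makes a call of
 * the shape syslog(priority, text) dangerous. */
int count_directives(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0')
            n++;
    }
    return n;
}

/* Hardened shape: the format is a constant, untrusted text is only data. */
int log_untrusted(char *out, size_t outlen, const char *text)
{
    return log_fmt(out, outlen, "sasl: %s", text);
}

/* The same rule applied to syslog(3) itself. */
void log_untrusted_syslog(const char *text)
{
    /* vulnerable shape: syslog(LOG_ERR, text); */
    syslog(LOG_ERR, "%s", text);
}

int main(void)
{
    const char *sample = "user%n%x%s";   /* constructed input */
    char line[128];

    if (log_untrusted(line, sizeof line, sample) > 0)
        printf("%s (directives in input: %d)\n",
               line, count_directives(sample));
    return 0;
}
```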

The cyrus-sasl port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains thousands of third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 is vulnerable
to this problem since it was discovered after its release.

cyrus-sasl $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/!"(B
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s!#(B
$B$=$l$i$O?t@i8D$K$*$h$V%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9!#(B
$B$3$N%;%-%e%j%F%#>e$N<eE@$O(B FreeBSD 4.4 $B$N%j%j!<%98e$KH=L@$7$?$b$N$G!"(B
FreeBSD 4.4 $B$K<}O?$5$l$?(B Ports Collection $B$K$b!"$3$NLdBj$,4^$^$l$F$$$^$9(B.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

FreeBSD $B$G$O!"$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F!"$$$+$J$kJ]>Z$b$7$F$$$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B)$B!#$?$@$7!"%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/!"(B
$B8=:_EXNOCf$G$9!#(B


III. $B1F6AHO0O(B - Impact

Malicious remote users may cause an application using cyrus-sasl to
execute arbitrary code with the privileges of the process using the
cyrus-sasl library.  However, there are no known exploits at this
writing, and the author of cyrus-sasl does not believe that this bug
is exploitable.  See the `References' section for more information.

If the cyrus-sasl port is not installed, then your system is not
vulnerable to this problem.  The following command can be used to
determine whether or not the cyrus-sasl port is installed:

cyrus-sasl $B$N(B port $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P!"(B
$B%7%9%F%`$K$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s!#(B
cyrus-sasl $B$N(B port $B$,%$%s%9%H!<%k$5$l$F$$$k$+$I$&$+$O!"(B
$B<!$N%3%^%s%I$r;H$&$3$H$G3NG'$9$k$3$H$,$G$-$^$9!#(B

# pkg_info -I cyrus-sasl-\*


IV.  $B2sHrJ}K!(B - Workaround

Deinstall the cyrus-sasl port if you have installed it.
cyrus-sasl $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O!"(B
$B$=$l$r%7%9%F%`$+$i:o=|$7$^$9!#(B


V.   $B2r7h:v(B - Solution

Do one of the following:

1) Upgrade your entire ports collection and rebuild the port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B cyrus-sasl $B$N(B port $B$r:F9=C[$9$k!#(B

2) Deinstall the old port and install a corrected version from the
following directories.
2) $B8E$$(B ($BLuCm(B: cyrus-sasl $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7!"(B
   $B=$@5F|0J9_$K:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i(B
   $B<hF@$7$F%$%s%9%H!<%k$9$k!#(B

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
$B8=;~E@$G$O(B alpha $B%"!<%-%F%/%A%cMQ$N(B package $B$O<+F0@8@.$5$l$F$$$^$;$s!#(B
$B$3$l$O!"9=C[$N$?$a$N%^%7%s%j%=!<%9$,ITB-$7$F$$$k$?$a$G$9!#(B

3) Download a new port skeleton for cyrus-sasl from:
3) cyrus-sasl $B$N?7$7$$(B port $B%9%1%k%H%s$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7!"(B
   $B$=$l$r;H$C$F(B port $B$r:F9=C[$9$k!#(B

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
-------------------------------------------------------------------------
ports/security/cyrus-sasl/Makefile                                   1.30
ports/security/cyrus-sasl/files/patch-lib::common.c                   1.1
-------------------------------------------------------------------------


VII.  $B;29M;qNA(B - References

<URL:http://www.securityfocus.com/archive/1/224148>
<URL:http://www.iss.net/security_center/static/7443.php>


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/02:15,v 1.2 2002/03/22 06:01:02 hrs Exp $

----Next_Part(Fri_Mar_22_15:07:02_2002_149)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="02:16"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:16 (2002-03-12)
 * GIF/JPEG comment vulnerability in Netscape
=============================================================================

 This mail is a Japanese translation of the following message posted to
 announce-jp:

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory FreeBSD-SA-02:16.netscape
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 12 Mar 2002 06:28:03 -0800 (PST)
  Message-Id: <200203121428.g2CES3e64408@freefall.freebsd.org>
  X-Sequence: announce-jp 948

 The original is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that patches and other content
 have not been tampered with, refer to the original.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese edition of FreeBSD security advisories" at the end.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begin)

=============================================================================
FreeBSD-SA-02:16                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	GIF/JPEG comment vulnerability in Netscape
                Netscape $B$K$*$1$k(B GIF/JPEG $B$N%3%a%s%H$K5/0x$9$k(B
                $B%;%-%e%j%F%#>e$N<eE@(B

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	netscape
$B9pCNF|(B:		2002-03-12
$B%/%l%8%C%H(B:	Florian Wesch <fw@dividuum.de>
$B1F6AHO0O(B:	$B%P!<%8%g%s(B 4.77 $B$h$jA0$N(B Netscape ports $B$9$Y$F(B
$B=$@5F|(B:		2001-04-07 16:41:36 UTC
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

Netscape Navigator or Communicator is a popular web browser, available
in several versions in the FreeBSD ports collection.

Netscape Navigator, Netscape Communicator $B$O?M5$$N$"$k%&%'%V%V%i%&%6$G$9!#(B
FreeBSD Ports Collection $B$G$O!"$$$/$D$+$N%P!<%8%g%s$,Ds6!$5$l$F$$$^$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

The GIF89a and JPEG standards permit images to have embedded comments,
in which any kind of textual data may be stored.

GIF89a $B$*$h$S(B JPEG $B5,3J$G$O!"2hA|$K%3%a%s%H$rKd$a9~$`$3$H$,2DG=$G$9!#(B
$B$=$N%3%a%s%HItJ,$K$O!"%F%-%9%H%G!<%?$G$"$l$P$I$s$J<oN`$N$b$N$G$b3JG<$G$-$^$9!#(B

Versions 4.76 and earlier of the Netscape browser will execute
JavaScript contained in such a comment block, if execution of
JavaScript is enabled in the configuration of the browser.

Netscape $B%V%i%&%6$N%P!<%8%g%s(B 4.76 $B$*$h$S$=$l0JA0$N$b$N$G(B
JavaScript $B$N<B9T$H$$$&@_Dj$rM-8z$K$7$F$$$k>l9g!"(B
$B$=$N$h$&$J%3%a%s%HItJ,$K4^$^$l$k(B JavaScript $B$b<B9T$5$l$^$9!#(B

The Netscape browser supports a non-standard URL scheme, `about:'.
Visiting `about:' URLs causes Navigator to display information which
may be sensitive.  For example, `about:global' gives a listing of
recently accessed URLs; `about:cache' shows a similar listing, but
with the time each page was visited and the name of each corresponding
file in the disk cache; and `about:config' displays the full
configuration of the browser.

Netscape $B%V%i%&%6$OHsI8=`$N(B URL $B%9%-!<%`$G$"$k(B `about:' $B$KBP1~$7$F$$$^$9!#(B
Navigator $B$K(B `about:' $B$+$i$O$8$^$k(B URL $B$r;XDj$9$k$H!"%;%-%e%j%F%#>e=EMW$J(B
$B>pJs$rI=<($5$;$k$3$H$,2DG=$G$9!#$?$H$($P(B `about:global' $B$O:G6a%"%/%;%9$7$?(B
URL $B$N%j%9%H$rI=<($7$^$9$7!"(B`about:cache' $B$O$=$l$K2C$(!"%Z!<%8$r(B
$B1\Mw$7$?;~9o$H%G%#%9%/%-%c%C%7%e$K$*$$$FBP1~$9$k%U%!%$%kL>$rI=<($7$^$9!#(B
$B$^$?(B `about:config' $B$O!"$9$Y$F$N%V%i%&%6$N@_Dj$rI=<($5$;$k$3$H$,$G$-$^$9!#(B

JavaScript executed from the comment block of a maliciously
constructed image can send information from an `about:' URL back to a
hostile Web server.
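
Added example, not part of the advisory and not code from Netscape or any
filtering proxy: a C routine that finds the embedded comment (COM) segments
of a JPEG stream described above and can copy the stream without them, a
step that goes beyond the advisory's own workarounds.  It walks only the
segments before the first scan and does not cover GIF comment extensions;
the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One marker segment in a JPEG header. */
struct seg { unsigned marker; size_t start, total; };

/* Read the segment at offset i.  Returns 1 for a header segment, 0 at
 * start-of-scan (0xDA) or end-of-image (0xD9), -1 on malformed input. */
static int read_segment(const unsigned char *b, size_t n, size_t i,
                        struct seg *s)
{
    while (i + 1 < n && b[i] == 0xFF && b[i + 1] == 0xFF)
        i++;                              /* skip fill bytes */
    if (i + 1 >= n || b[i] != 0xFF)
        return -1;
    s->marker = b[i + 1];
    s->start = i;
    if (s->marker == 0xDA || s->marker == 0xD9)
        return 0;
    if (s->marker == 0x01 || (s->marker >= 0xD0 && s->marker <= 0xD7)) {
        s->total = 2;                     /* markers without a length field */
        return 1;
    }
    if (i + 3 >= n)
        return -1;
    s->total = 2 + (((size_t)b[i + 2] << 8) | b[i + 3]);
    if (s->total < 4 || s->total > n - i)
        return -1;                        /* length field lies about the data */
    return 1;
}

/* Number of COM (0xFFFE) segments before the first scan, or -1 if the
 * buffer is not a well-formed JPEG header. */
int jpeg_count_comments(const unsigned char *b, size_t n)
{
    struct seg s;
    size_t i = 2;
    int r, count = 0;

    if (n < 4 || b[0] != 0xFF || b[1] != 0xD8)
        return -1;
    while ((r = read_segment(b, n, i, &s)) == 1) {
        if (s.marker == 0xFE)
            count++;
        i = s.start + s.total;
    }
    return r < 0 ? -1 : count;
}

/* Copy the stream to out without its header COM segments.  Returns the
 * number of bytes written, or 0 on malformed input or if cap < n. */
size_t jpeg_strip_comments(const unsigned char *b, size_t n,
                           unsigned char *out, size_t cap)
{
    struct seg s;
    size_t i = 2, o = 2;
    int r;

    if (n < 4 || cap < n || b[0] != 0xFF || b[1] != 0xD8)
        return 0;
    out[0] = 0xFF;
    out[1] = 0xD8;
    while ((r = read_segment(b, n, i, &s)) == 1) {
        if (s.marker != 0xFE) {
            memcpy(out + o, b + s.start, s.total);
            o += s.total;
        }
        i = s.start + s.total;
    }
    if (r < 0)
        return 0;
    memcpy(out + o, b + s.start, n - s.start);   /* scan data, unchanged */
    return o + (n - s.start);
}

/* Constructed sample: SOI, one COM segment, a stub SOS segment, EOI. */
static const unsigned char SAMPLE[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x00, 0x0D, 'c','o','n','s','t','r','u','c','t','e','d',
    0xFF, 0xDA, 0x00, 0x02,
    0xFF, 0xD9
};

int main(void)
{
    unsigned char out[sizeof SAMPLE];
    size_t kept = jpeg_strip_comments(SAMPLE, sizeof SAMPLE, out, sizeof out);

    printf("comments found: %d, bytes after stripping: %lu\n",
           jpeg_count_comments(SAMPLE, sizeof SAMPLE), (unsigned long)kept);
    return 0;
}
```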

The Netscape ports are not installed by default, nor are they "part of
FreeBSD" as such: they are part of the FreeBSD ports collection, which
contains thousands of third-party applications in a ready-to-install
format.  The ports collection shipped with FreeBSD 4.5 contains some
Netscape versions which are vulnerable to these problems.

Netscape $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/!"(B
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s!#(B
$B$=$l$i$O?t@i8D$K$*$h$V%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9!#(B
FreeBSD 4.5 $B$K<}O?$5$l$?(B Ports Collection $B$K$O$$$/$D$+$N%P!<%8%g%s$N(B
Netscape $B$,4^$^$l$F$*$j!"$=$l$i$K$O$3$NLdBj$,4^$^$l$F$$$^$9!#(B

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

FreeBSD $B$G$O!"$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F!"$$$+$J$kJ]>Z$b$7$F$$$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B)$B!#$?$@$7!"%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/!"(B
$B8=:_EXNOCf$G$9!#(B


III. $B1F6AHO0O(B - Impact

The browser can be caused to transmit sensitive information to a
hostile Web server, if JavaScript is enabled and a page on the server
is visited.

JavaScript $B$N<B9T$rM-8z$K$7$F$$$k%V%i%&%6$G0-0U$r;}$C$?(B
$B%&%'%V%5!<%P>e$N%Z!<%8$K%"%/%;%9$7$?>l9g!"$=$N%V%i%&%6$r0-MQ$7$F(B
$B%&%'%V%5!<%P$K%;%-%e%j%F%#>e=EMW$J>pJs$rAw$i$;$k$3$H$,2DG=$G$9!#(B

If you have not chosen to install a Netscape port or package, your
system is not vulnerable to this problem.

$B$b$7(B Netscape $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P!"%7%9%F%`$K(B
$B$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s!#(B


IV.  $B2sHrJ}K!(B - Workarounds

Do one of the following:

1) Deinstall affected Netscape ports or packages, if any are installed.

2) Disable JavaScript.  This can be done interactively by running
Navigator, going to the Edit menu, choosing Preferences, and changing the
setting in the Advanced section.

2) JavaScript $B$rL58z$K$7$^$9!#$3$l$O(B Navigator $B$r5/F0$7$F(B
   $BJT=8(B (Edit) $B%a%K%e!<$rA*Br$7!"@_Dj(B (Preferences) $B$rA*$s$G(B
   $B>\:Y(B (Advanced) $B$NItJ,$N@_Dj$rJQ$($k$3$H$G9T$J$&$3$H$,$G$-$^$9!#(B

Alternatively, append the line:

user_pref("javascript.enabled", false);

to the $HOME/.netscape/preferences.js of every user.  Users are likely
to want to re-enable JavaScript, because its use is required by some
Web sites.  If they do, they could become vulnerable again.

3) Similarly, disable automatic loading of images.  The corresponding
configuration line is:

user_pref("general.always_load_images", false);

Some Web sites require images.  If users enable automatic loading, or
if they click the Images button, they could become vulnerable again.

4) Install a filtering proxy, and configure it to block all images
from untrusted sites.  The www/adzap or www/adzapper ports may be
suitable.  Doing this will make many Web sites unviewable.


V.   $B2r7h:v(B - Solution

$B<!$N$$$:$l$+$K=>$C$F$/$@$5$$!#(B

1) Upgrade your entire ports collection and rebuild the relevant Netscape
port, if available.  Netscape binaries for several platforms, including
FreeBSD/i386, were discontinued before the release of 4.77.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B $BBP1~$9$k(B Netscape $B$N(B port $B$,(B
   $B$"$l$P$=$l$r:F9=C[$9$k!#(BFreeBSD/i386 $B$r4^$`$$$/$D$+$N%W%i%C%H%U%)!<%`MQ$N(B
   Netscape $B%P%$%J%j$O!"(B4.77 $B$N%j%j!<%90J9_Ds6!$5$l$F$$$^$;$s!#(B

2) Deinstall the old package and install a new package, obtained from the
following directories:
2) $B8E$$(B ($BLuCm(B: Netscape $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7!"(B
   $B?7$7$$(B package $B$r0J2<$N%G%#%l%/%H%j$+$i<hF@$7$F%$%s%9%H!<%k$9$k!#(B

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
   linux-netscape-communicator-4.79.tgz
   linux-netscape-navigator-4.79.tgz

[alpha]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/
   netscape-communicator-4.78.tgz

3) Download a new port skeleton for the Netscape port from:
3) Netscape $B$N?7$7$$(B port $B%9%1%k%H%s$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7!"(B
   $B$=$l$r;H$C$F(B port $B$r:F9=C[$9$k!#(B

http://www.freebsd.org/ports/

and use it to rebuild the port.

NOTE: Since there are so many variations of the Netscape ports in the
FreeBSD ports collection they are not listed separately
here. Localized versions are also available in the respective language
subdirectory.

$BCm0U(B: FreeBSD Ports Collection $B$GDs6!$5$l$F$$$k(B Netscape $B$N(B port $B$K$O(B
      $BHs>o$K$?$/$5$s$NJQ<o$,B8:_$9$k$?$a!"$3$3$G$O$=$l$i$r8DJL$K(B
      $B<($7$F$$$^$;$s!#3F8@8l$N%5%V%G%#%l%/%H%j$K$O!"%m!<%+%i%$%:$5$l$?(B
      $B%P!<%8%g%s$N(B Netscape $B$bCV$+$l$F$$$^$9!#(B

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
4) Use the portcheckout utility, which performs the operation in (3)
   above automatically.  The portcheckout port is located in
   /usr/ports/devel/portcheckout.  The portcheckout package is also
   available from the following location:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz


VI.  $B;29M;qNA(B - References

<URL:http://www.securityfocus.com/archive/1/175060>


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/02:16,v 1.3 2002/03/22 06:01:02 hrs Exp $

----Next_Part(Fri_Mar_22_15:07:02_2002_149)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="02:17"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:17 (2002-03-12)
 * mod_frontpage port contains exploitable buffer overflow
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory FreeBSD-SA-02:17.mod_frontpage
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 12 Mar 2002 06:28:09 -0800 (PST)
  Message-Id: <200203121428.g2CES9q64473@freefall.freebsd.org>
  X-Sequence: announce-jp 949

 The original text is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that the contents of patches and
 the like have not been tampered with, refer to the original text.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese Edition of FreeBSD Security Advisories" at the
 end of this text.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begin)

=============================================================================
FreeBSD-SA-02:17                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	mod_frontpage $B$N(B port $B$K$*$1$k0-MQ2DG=$J%P%C%U%!(B
                $B%*!<%P%U%m!<LdBj(B
                (mod_frontpage port contains exploitable buffer overflow)
$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	mod_frontpage
$B9pCNF|(B:		2002-03-12
$B%/%l%8%C%H(B:	Martin Blapp <mbr@freebsd.org>
$B1F6AHO0O(B:	mod_portname-1.6.1 $B$h$jA0$N%P!<%8%g%s$N(B mod_frontpage port
$B=$@5F|(B:		2002-02-05 16:18:42 2002 UTC
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

mod_frontpage is a replacement for Microsoft's frontpage apache
patch to support FP extensions. It is installed as a DSO module.

mod_frontpage $B$O(B apache $B$r(B FP $B3HD%$KBP1~$5$;$k$?$a$N(B Microsoft $B$N(B
frontpage apache $B%Q%C%A$NBeBXIJ$G$9!#$3$l$O(B DSO $B%b%8%e!<%k$H$7$F(B
$B%$%s%9%H!<%k$5$l$^$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

Affected versions of the mod_frontpage port contain several
exploitable buffer overflows in the fpexec wrapper, which is installed
setuid root.

Affected versions of the mod_frontpage port contain several buffer
overflow problems in the fpexec wrapper, which is installed setuid
root.

The mod_frontpage port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.5 contains this
security problem since it was discovered after the release.

mod_frontpage $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/!"(B
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s!#(B
$B$=$l$i$O(B 6000 $B0J>e$b$N%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9!#(B
$B$3$N%;%-%e%j%F%#>e$N<eE@$O(B FreeBSD 4.5 $B$N%j%j!<%98e$KH=L@$7$?$b$N$G!"(B
FreeBSD 4.5 $B$K<}O?$5$l$?(B Ports Collection $B$K$b!"$3$NLdBj$,4^$^$l$F$$$^$9(B.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

FreeBSD $B$G$O!"$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F!"$$$+$J$kJ]>Z$b$7$F$$$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B)$B!#$?$@$7!"%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/!"(B
$B8=:_EXNOCf$G$9!#(B


III. $B1F6AHO0O(B - Impact

A local attacker may obtain superuser privileges by exploiting the
buffer overflow bugs in fpexec.

By exploiting the buffer overflow bugs contained in fpexec, a local
attacker may be able to illegitimately gain superuser privileges.


IV.  $B2sHrJ}K!(B - Workaround

1) Deinstall the mod_frontpage ports/packages if you have them installed.
mod_frontpage $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O!"(B
$B$=$l$r%7%9%F%`$+$i:o=|$7$^$9!#(B

V.   $B2r7h:v(B - Solution

Do one of the following:
Follow one of the options below.

1) Upgrade your entire ports collection and rebuild the port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B mod_frontpage $B$N(B port $B$r:F9=C[$9$k!#(B

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:
2) $B8E$$(B ($BLuCm(B: mod_frontpage $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7!"(B
   $B=$@5F|0J9_$K:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i(B
   $B<hF@$7$F%$%s%9%H!<%k$9$k!#(B

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
$B8=;~E@$G$O(B alpha $B%"!<%-%F%/%A%cMQ$N(B package $B$O<+F0@8@.$5$l$F$$$^$;$s!#(B
$B$3$l$O!"9=C[$N$?$a$N%^%7%s%j%=!<%9$,ITB-$7$F$$$k$?$a$G$9!#(B

NOTE: It may be several days before updated packages are available.
$BCm0U(B: $B99?7$5$l$?(B package $B$,Ds6!$5$l$k$^$G!"?tF|$+$+$k2DG=@-$,$"$j$^$9!#(B

3) Download a new port skeleton for the mod_frontpage port from:
3) mod_frontpage $B$N?7$7$$(B port $B%9%1%k%H%s$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7!"(B
   $B$=$l$r;H$C$F(B port $B$r:F9=C[$9$k!#(B

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
4) Use the portcheckout utility, which performs the operation in (3)
   above automatically.  The portcheckout port is located in
   /usr/ports/devel/portcheckout.  The portcheckout package is also
   available from the following location:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD source.
The following table gives the $FreeBSD$ revision numbers of the files in
the FreeBSD Ports Collection that were corrected this time.

Path                                                             Revision
-------------------------------------------------------------------------
ports/www/mod_frontpage/Makefile                                      1.7
ports/www/mod_frontpage/distinfo                                      1.4
ports/www/mod_frontpage/files/patch-Makefile.PL                       1.3
ports/www/mod_frontpage/files/patch-Makefile.in                       1.1
ports/www/mod_frontpage/files/patch-mod_frontpage.c                   1.4
-------------------------------------------------------------------------


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/02:17,v 1.3 2002/03/22 06:01:02 hrs Exp $

----Next_Part(Fri_Mar_22_15:07:02_2002_149)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="02:18"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:18 (2002-03-18)
 * zlib double-free
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
  Date: Mon, 18 Mar 2002 07:00:04 -0800 (PST)
  Message-Id: <200203181500.g2IF04C32485@freefall.freebsd.org>
  X-Sequence: announce-jp xxx

 The original text is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that the contents of patches and
 the like have not been tampered with, refer to the original text.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese Edition of FreeBSD Security Advisories" at the
 end of this text.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begin)
=============================================================================
FreeBSD-SA-02:18                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	zlib $B$K$*$1$kFs=E(B free $BLdBj(B
                (zlib double-free)

$BJ,N`(B:		core, ports
$B%b%8%e!<%k(B:	zlib
$B9pCNF|(B:		2002-03-18
$B%/%l%8%C%H(B:	Matthias Clasen <maclas@gmx.de>
                Owen Taylor <otaylor@redhat.com>
$B1F6AHO0O(B:	FreeBSD $B$N$9$Y$F$N%j%j!<%9(B
                $B=$@5F|$h$jA0$N(B FreeBSD 4.5-STABLE
                zlib $B$r;HMQ$b$7$/$O(B include $B$7$F$$$kB?$/$N(B ports
$B=$@5F|(B:		2002-02-22 02:48:40 UTC (RELENG_4)
                2002-02-23 00:14:28 UTC (RELENG_4_5)
                2002-02-23 00:15:19 UTC (RELENG_4_4)
                2002-02-23 00:15:50 UTC (RELENG_4_3)
CVE:            CAN-2002-0059
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

zlib $B$O!"B?$/$N%"%W%j%1!<%7%g%s$G;HMQ$5$l$F$$$k!"%G!<%?05=L(B/$BI|85%k!<%A%s$r(B
$BDs6!$9$k05=L%i%$%V%i%j$N0l$D$G$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

A programming error in zlib may cause segments of dynamically
allocated memory to be released more than once (double-freed).
If an attacker is able to pass a specially-crafted block of invalid
compressed data to a program that includes zlib, the program's
attempt to decompress the crafted data may cause the zlib routines
to attempt to free memory multiple times.

zlib $B$K$O%W%m%0%i%`$K8m$j$,$"$j!"F0E*$K3NJ]$7$?%a%b%j%;%0%a%s%H$r(B
(2 $B=E$K(B free $B$9$k$3$H$G(B) 2 $B2s0J>e2rJ|$7$h$&$H$9$k2DG=@-$,$"$j$^$9!#(B
$B$=$N$?$a967b<T$,(B zlib $B$rMxMQ$7$F$$$k%W%m%0%i%`$KBP$7$FFC<l$J(B
$B:Y9)$r;\$7$?IT@5$J05=L:Q$_%G!<%?%V%m%C%/$rEO$9$3$H$,$G$-$k>l9g!"(B
$B$=$N%W%m%0%i%`$,:Y9)$5$l$?%G!<%?$rI|85$7$h$&$H$7$?;~$K!"(Bzlib $B%k!<%A%s$,(B
$B%a%b%j$rJ#?t2s2rJ|$7$h$&$H$9$k$h$&$K$G$-$k2DG=@-$,$"$j$^$9!#(B

Unlike some implementations of malloc(3)/free(3), the malloc(3) and
free(3) routines used in FreeBSD (aka phkmalloc, written by
Poul-Henning Kamp <phk@FreeBSD.org>), are not vulnerable to this type
of bug.  From the author:

FreeBSD $B$,:NMQ$7$F$$$k(B malloc(3) $B$H(B free(3) $B$N<BAu(B (Poul-Henning Kamp
<phk@FreeBSD.org> $B;a$K$h$C$F=q$+$l$?$b$N$G!"(Bphkmalloc $B$H$b(B
$B8F$P$l$F$$$^$9(B) $B$O!"B>$N(Bmalloc(3)/free(3) $B$N<BAu$H$O0[$J$j!"(B
$B$3$N<o$N%P%0$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s!#(B
Poul-Henning Kamp $B;a$O<!$N$h$&$K=R$Y$F$$$^$9!#(B

  Most mallocs keep their housekeeping data right next to the
  allocated range.  This gives rise to all sorts of unpleasant
  situations if programs stray outside the dotted line, free(3)
  things twice or free(3) modified pointers.

  malloc $B$NB?$/$O4IM}MQ%G!<%?$r3NJ]$7$?%a%b%j$N$9$0NY$KCV$$$F$$$k!#(B
  $B$3$&$9$k$H(B 2 $B2s(B free(3) $B$9$k$H$+!"JQ99$7$?%]%$%s%?$r(B free(3) $B$9$k(B
  $B$H$$$&$h$&$K!"%W%m%0%i%`$,3NJ]$7$?%a%b%j$N30$r%"%/%;%9$7$F$7$^$&(B
  $B$h$&$J>l9g$K9%$^$7$/$J$$>u67$r$D$/$j=P$92DG=@-$,9b$$!#(B

  phkmalloc(3) does not store housekeeping next to allocated data,
  and in particular it has code that detects and complains about
  exactly this kind of double free.

  phkmalloc(3) $B$N>l9g$O4IM}MQ$N>pJs$r3NJ]$7$?%a%b%j$NNY$KCV$$$F$$$J$$!#(B
  $B$^$?!"$3$l$K$O(B 2 $B=E(B free $B$N$h$&$JA`:n$r3N<B$K8!=P!&Js9p$9$k$?$a$N(B
  $BFCJL$J%3!<%I$,4^$^$l$F$$$k!#(B

When attempting to double-free an area of memory, phkmalloc will
issue a warning:

When an attempt is made to free a memory area twice, phkmalloc displays
a warning message such as the following:

  progname in free(): error: chunk is already free

and may call abort(3) if the malloc flag 'A' is used.

phkmalloc displays the message above, and it also calls abort(3) if the
malloc flag 'A' is in use.


III. $B1F6AHO0O(B - Impact

If an attacker is able to pass a specially-crafted block of invalid
compressed data to an application that utilizes zlib, the attempt to
decompress the data may cause incorrect operation of the application,
including possibly crashing the application.  Also, the malloc
implementation will issue warnings and, if the `A' malloc option is
used, cause the application to abort(3).  In short, an attacker may
cause a denial of service in applications utilizing zlib.

If an attacker is able to pass a specially crafted block of invalid
compressed data to an application that uses zlib, the attacker can make
the application behave incorrectly, for example crash, when it attempts
to decompress the data.  In addition, the FreeBSD malloc implementation
displays a warning message at that point, and if the `A' malloc option
is in use the application calls abort(3).  In other words, an attacker
can carry out a denial of service against applications that use zlib.


IV.  $B2sHrJ}K!(B - Workaround

To prevent affected programs from aborting, remove the 'A' from
the malloc flags.  To check which malloc flags are in use, issue the
following commands:

To keep affected programs from aborting, remove 'A' from the malloc
flags.  To check which malloc flags are in use, run the following
commands:

# ls -l /etc/malloc.conf
# echo $MALLOC_OPTIONS

A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environmental variable
means that no malloc flags are in use.  See the malloc(3) man page for
more information.

/etc/malloc.conf $B$d(B MALLOC_OPTIONS $B4D6-JQ?t$,B8:_$7$F$$$J$1$l$P!"(B
malloc $B%U%i%0$O@_Dj$5$l$F$$$^$;$s!#>\$7$/$O(B malloc(3) $B$N%^%K%e%"%k%Z!<%8$r(B
$B;2>H$7$F$/$@$5$$!#(B


V.   $B2r7h:v(B - Solution

[FreeBSD 4.x base system]
[FreeBSD 4.x $B%Y!<%9%7%9%F%`$N>l9g(B]

1) Upgrade your vulnerable system to 4.5-STABLE or to one of the
RELENG_4_4 or RELENG_4_5 security branches dated after the respective
correction dates.
1) Update the vulnerable system to 4.5-STABLE, or to RELENG_4_4 or
   RELENG_4_5 dated after the correction date, and rebuild the system.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:
2) Apply the patch to the present system.  Download the relevant patch
   from the location below and run the following commands with root
   privileges.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch.asc

PGP $B%f!<%F%#%j%F%#$r;H$C$F(B PGP $B=pL>$r3NG'$7$^$9!#(B

This patch has been verified to apply to all FreeBSD 4.x versions.
This patch has been confirmed to apply to all FreeBSD 4.x versions.

# cd /usr/src
# patch -p < /path/to/patch
# cd lib/libz
# make depend && make all install

Then rebuild and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system with the new kernel for the changes to take effect.

$B$=$N8e(B http://www.freebsd.org/handbook/kernelconfig.html $B$K(B
$B5-:\$5$l$F$$$k<j=g$K$7$?$,$C$F%+!<%M%k$r:F9=C[!&:F%$%s%9%H!<%k$7!"(B
$BJQ99$rM-8z2=$9$k$?$a$K%7%9%F%`$r:F5/F0$7$F$/$@$5$$!#(B

[ports]

Various ports may statically link zlib or contain their own versions
of zlib that have not been corrected by updating the FreeBSD libz.
Efforts are underway to identify and correct these ports.

$B$5$^$6$^$J(B port $B$,(B zlib $B$r@EE*$K%j%s%/$7$F$$$k$+!"FH<+$N%P!<%8%g%s$N(B
zlib $B$r;H$C$F$$$k$N$G$9$,!"$3$l$i$O(B FreeBSD $B$N(B libz $B$r99?7$7$F$b(B
$B%;%-%e%j%F%#>e$NLdBj$,=$@5$5$l$k$3$H$O$"$j$^$;$s!#8=:_!"$=$N$h$&$J(B
port $B$rFCDj!&=$@5$9$k:n6H$,9T$J$o$l$F$$$^$9!#(B


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

The following table gives the revision numbers of each file in FreeBSD
that was corrected this time.

Path                                                             Revision
  Branch
-------------------------------------------------------------------------
src/lib/libz/infblock.c
  RELENG_4                                                    1.1.1.4.6.1
  RELENG_4_5                                                 1.1.1.4.12.1
  RELENG_4_4                                                 1.1.1.4.10.1
  RELENG_4_3                                                  1.1.1.4.8.1
src/sys/net/zlib.c
  RELENG_4                                                       1.10.2.1
  RELENG_4_5                                                     1.10.8.1
  RELENG_4_4                                                     1.10.6.1
  RELENG_4_3                                                     1.10.4.1
-------------------------------------------------------------------------


VII. $B;29M;qNA(B - References

<URL:http://online.securityfocus.com/archive/1/261205>

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to this issue.

Common Vulnerabilities and Exposures $B%W%m%8%'%/%H(B (cve.mitre.org) $B$O!"(B
$B$3$NLdBj$K(B CAN-2002-0059 $B$H$$$&L>A0$r3d$jEv$F$F$$$^$9!#(B


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/02:18,v 1.3 2002/03/22 06:01:02 hrs Exp $

----Next_Part(Fri_Mar_22_15:07:02_2002_149)----
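
FreeBSD-SA-02:18 above contrasts allocators that keep housekeeping data next to the allocated range with phkmalloc, which keeps it elsewhere, reports "chunk is already free" on a double free, and aborts only when malloc flag 'A' is set. The C program below is an added example, not code from the advisory, zlib or phkmalloc: a toy fixed-slot allocator (every toy_* name is hypothetical) with out-of-band bookkeeping. It assumes the malloc(3) convention that an uppercase flag letter sets an option and the lowercase letter clears it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SLOTS 8
#define SLOT_SIZE 64

/* Memory handed to callers. The bookkeeping lives in a separate table,
 * so a stray or repeated free() can never corrupt allocator state. */
static unsigned char arena[SLOTS][SLOT_SIZE];
static unsigned char in_use[SLOTS];   /* out-of-band housekeeping */
static int abort_on_error;            /* toy counterpart of malloc flag 'A' */

enum free_result { FREE_OK, FREE_DOUBLE, FREE_BAD_POINTER };

/* Apply a flag string in order: 'A' enables abort-on-error, 'a' disables
 * it (assumed malloc(3) convention); the last occurrence wins. */
int toy_set_flags(const char *flags) {
    for (; flags != NULL && *flags != '\0'; flags++) {
        if (*flags == 'A') abort_on_error = 1;
        else if (*flags == 'a') abort_on_error = 0;
    }
    return abort_on_error;
}

void *toy_malloc(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (!in_use[i]) { in_use[i] = 1; return arena[i]; }
    }
    return NULL;                      /* arena exhausted */
}

/* Report the problem; only the 'A' flag turns the report into an abort,
 * which is the denial-of-service path the advisory's workaround removes. */
static enum free_result complain(const char *msg, enum free_result r) {
    fprintf(stderr, "toy in free(): error: %s\n", msg);
    if (abort_on_error) abort();
    return r;
}

enum free_result toy_free(void *p) {
    uintptr_t base = (uintptr_t)arena, addr = (uintptr_t)p;
    if (addr < base || addr >= base + sizeof arena ||
        (addr - base) % SLOT_SIZE != 0)
        return complain("pointer is not the start of a slot", FREE_BAD_POINTER);
    size_t slot = (addr - base) / SLOT_SIZE;
    if (!in_use[slot])                /* second free of the same chunk */
        return complain("chunk is already free", FREE_DOUBLE);
    in_use[slot] = 0;
    return FREE_OK;
}

int main(void) {
    toy_set_flags("a");               /* workaround state: 'A' not set */
    void *p = toy_malloc();
    toy_free(p);
    printf("second free -> %d\n", toy_free(p));   /* detected, no abort */
    void *a = toy_malloc(), *b = toy_malloc();
    printf("distinct chunks after double free: %s\n", a != b ? "yes" : "no");
    return 0;
}
```

Because the free state is read from the separate in_use table, the second free is rejected before any allocator state changes, so the next two allocations still return different chunks.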
