From owner-doc-jp@jp.freebsd.org  Sun Sep 19 13:53:22 1999
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id NAA13858;
	Sun, 19 Sep 1999 13:53:22 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from smtp04.246.ne.jp (smtp04.246.ne.jp [210.253.192.38])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with SMTP id NAA13853
	for <doc-jp@jp.freebsd.org>; Sun, 19 Sep 1999 13:53:21 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Message-Id: <199909190453.NAA13853@castle.jp.freebsd.org>
Received: (qmail 10705 invoked from network); 19 Sep 1999 13:53:20 +0900
Received: from tp4hr016.246.ne.jp (HELO localhost) (210.253.193.16)
  by smtp.246.ne.jp with SMTP; 19 Sep 1999 13:53:20 +0900
To: doc-jp@jp.freebsd.org
In-Reply-To: <199909170252.LAA01052@kid.micon.co.jp>
References: <199909170252.LAA01052@kid.micon.co.jp>
	<14306.24698.450000.52913L@R2D2>
X-Mailer: Mew version 1.94 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sun, 19 Sep 1999 13:53:14 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 990905(IM130)
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 6691
Subject: [doc-jp 6691] Re: FreeBSD-SA-99:04.core
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

Atushi Sakauchi <sakauchi@micon.co.jp>:
> =============================================================================
> FreeBSD-SA-99:04                                            Security Advisory

> I.  $BGX7J(B
> 
> As a diagnostic aid to help programmers find bugs in their programs,
> the system creates core files when an illegal instruction or other
> fatal error happens.  A flaw in the kernel allowed it to follow
> symbolic links when creating core files.
> 
> $B%W%m%0%i%^$,(B, $B%P%0$r8+$D$1$k$?$a$N?GCG$N=u$1$H$J$k$h$&$K(B, $BIT@5L?Na$J$I(B
> $B$NCWL?E*%(%i!<$,5/$-$k$H(B, $B%7%9%F%`$O%3%"%U%!%$%k$r@8@.$7$^$9(B. $B%+!<%M%k(B
> $BFb$NLdBj$K$h$j(B, $B%3%"%U%!%$%k$,@8@.$5$l$k:]$K%7%s%\%j%C%/%j%s%/$r$?$I$k(B
> $B$3$H$,5v$5$l$F$$$^$9(B.  

"Is permitted" (「許されている」) is a little odd; I think "can" (「できる」) would
be better (it ends up being possible; it can be done even though that was
never intended).

# From experience, translating "allow" as 「できる」 ("can") seems to read
# naturally in most cases.

> II.  $B2r@b(B
> 
> The fts library functions had a flaw in them which would lead to
> a core dump when periodic ran the security checking scripts (or other
> scripts which traverse trees that can be controlled by users).
> periodic(3) should limit core size to zero to disable core dumps while
> it is executing commands, but does not do so.  In addition, the kernel
> should not follow symbolic links.
> All three of these problems caused a situation where it was possible
> for an attacker to create or overwrite an arbitrary file on the
> system with a moderate degree of control of its contents to cause a
> problem.

For this one, Sato-san's version is perfect.

> IV.  $BBP:v(B
> 
> One can workaround this problem by preventing core dumps for periodic.
> This solution is less than completely satisfying, since it only plugs
> the known exploit hole.  None the less, this may provide a short term
> stopgap solution until a new kernel and/or userland can be installed.

$B:G=i$N0lJ8!":4F#$5$s$N$G$h$$$N$G$9$,!"!V0l$D$N!W$H$O=q$$$F$$$J$$$G$9$M!#(B
$B!V(Bperiodic(3) $B$N%3%"%@%s%W$rM^@)$9$k$3$H$G!"$3$NLdBj$r2r7h$9$k$3$H$,$G(B
$B$-$^$9!#!W(B

> V.   $B2r7h:v(B
> 
> Please note: there is a separate advisory describing the fts problem
> and solution.  Please see FreeBSD-SA-99:05.fts.asc in the advisories
> directory for additional information about the fts patch.
> 
> $BCm0U(B: fts $BLdBj$H2r7h$K$D$$$F$O(B, $BJL$N4+9p$,$"$j$^$9(B. fts $B%Q%C%A$N>\:Y(B
> $B$K$D$$$F$O(B FreeBSD-SA-99:05.fts.asc $B$r8fMw$/$@$5$$(B.

in the advisories directory $B$,H4$1$F$$$k$1$I!"MW$i$J$$!D$+$J!)(B

> =============================================================================
> FreeBSD, Inc.
> 
> Web Site:                       http://www.freebsd.org/
> Confidential contacts:          security-officer@freebsd.org
> Security notifications:         security-notifications@freebsd.org
> Security public discussion:     freebsd-security@freebsd.org
> PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
> 
> Notice: Any patches in this document may not apply cleanly due to
>         modifications caused by digital signature or mailer software.
>         Please reference the URL listed at the top of this document
>         for original copies of all patches if necessary.
> =============================================================================

$B$$$D$b$N!#(B
----
$B$3$,$h$&$$$A$m$&(B
