From owner-doc-jp@jp.freebsd.org  Thu Mar 23 23:26:00 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id XAA36352;
	Thu, 23 Mar 2000 23:26:00 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from sv01.geocities.co.jp (sv01.geocities.co.jp [210.153.89.155])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id XAA36347
	for <doc-jp@jp.freebsd.org>; Thu, 23 Mar 2000 23:25:59 +0900 (JST)
	(envelope-from hrs@geocities.co.jp)
Received: from mail.geocities.co.jp (mail.geocities.co.jp [210.153.89.137]) by sv01.geocities.co.jp (8.9.3+3.2W/3.7W) with ESMTP id XAA28415 for <doc-jp@jp.freebsd.org>; Thu, 23 Mar 2000 23:25:59 +0900 (JST)
Received: from mail.hrs.jp (sutkmax2-ppp07.ed.kagu.sut.ac.jp [133.31.177.73]) by mail.geocities.co.jp (1.3G-GeocitiesJ-3.3) with ESMTP id XAA19729 for <doc-jp@jp.freebsd.org>; Thu, 23 Mar 2000 23:25:57 +0900 (JST)
Message-Id: <200003231425.XAA19729@mail.geocities.co.jp>
Received: from localhost (alph.hrs.jp [192.168.0.10])
	by mail.hrs.jp (8.9.3/3.7W/DomainMaster) with ESMTP id WAA57643
	for <doc-jp@jp.freebsd.org>; Thu, 23 Mar 2000 22:03:55 +0900 (JST)
	(envelope-from hrs@hrs.jp)
In-Reply-To: <20000315173757.8949337BEBE@hub.freebsd.org>
References: <20000315173757.8949337BEBE@hub.freebsd.org>
To: doc-jp@jp.freebsd.org
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Thu, 23 Mar 2000 22:03:54 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 174
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7205
Subject: [doc-jp 7205] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:10.orville-write
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

 SA-00:10.orville.write $B$NF|K\8lLu$G$9!#(B

 # $B$J$s$GLdBj$N2r@b$G(B
 # buffer-overflow $B$K?($l$F$J$$$s$@$m$&!D(B

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:10.orville-write
  From: FreeBSD Security Officer <security-officer@freebsd.org>
  Date: Wed, 15 Mar 2000 09:37:57 -0800 (PST)
  Message-Id: <20000315173757.8949337BEBE@hub.freebsd.org>
  X-Sequence: announce-jp 401

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,(B
 $B;29M$N$?$a$KDs6!$9$k$b$N$G(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B $B$=$NFbMF$K$D$$$F(B
 $B$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B. $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B,
 doc-jp@jp.freebsd.org $B$^$G$*4j$$$7$^$9(B.

--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-00:10                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	orville-write port contains local root compromise.

$BJ,N`(B:           ports
$B%b%8%e!<%k(B:     orville-write
$B9pCNF|(B:         2000-03-15
$B1F6AHO0O(B:       $B=$@5F|0JA0$N(B Ports collection
$B=$@5F|(B:         2000-03-09
FreeBSD $B$K8GM-$+(B:   Yes

I.   $BGX7J(B - Background

Orville-write is a replacement for the write(1) command, which
provides improved control over message delivery and other features.

orville-write $B$O!"(Bwrite(1) $B$NBeBX%3%^%s%I$G!"(B
$B%a%C%;!<%8G[Aw@)8f$J$I!"$h$j9bEY$J5!G=$rDs6!$9$k$b$N$G$9!#(B

II.  $BLdBj$N>\:Y(B - Problem Description

One of the commands installed by the port is incorrectly installed
with setuid root permissions. The 'huh' command should not have any
special privileges since it is intended to be run by the local user to
view his saved messages.

$B$3$N(B port $B$G%$%s%9%H!<%k$5$l$k%3%^%s%I$N$R$H$D$K!"(Broot $B$G(B setuid $B$5$l$?(B
$B5v2DB0@-$GIT@5$K%$%s%9%H!<%k$5$l$F$7$^$&$b$N$,$"$j$^$9!#(B
'huh' $B%3%^%s%I$O%m!<%+%k%f!<%6$,5-O?$5$l$?<+J,$N%a%C%;!<%8$r(B
$B1\Mw$9$kL\E*$G<B9T$9$k$h$&@_7W$5$l$F$$$k$?$a!"(B
$BK\Mh!"FCJL$J8"8B$r;}$D$Y$-$b$N$G$O$"$j$^$;$s!#(B

The orville-write port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3100 third-party applications in a ready-to-install
format. The FreeBSD 4.0-RELEASE ports collection is not vulnerable to
this problem.

orville-write $B$N(B port $B$O!"%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/!"(B
FreeBSD $B%7%9%F%`$N0lIt$r9=@.$9$k$b$N$G$b$"$j$^$;$s!#(B
$B$=$l$i$O!"(B3100 $B$rD6$($k%5!<%I%Q!<%F%#@=$N%"%W%j%1!<%7%g%s$,(B
$B$9$0$K%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B
FreeBSD Ports Collection $B$N0lIt$G$9!#(BFreeBSD 4.0-RELEASE $B$K4^$^$l$k(B
Ports Collection $B$K$O!"$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s!#(B

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit of
the most security-critical ports.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B). $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$K(B
$BBP$7$FBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B. 

III. $B1F6AHO0O(B - Impact

A local user can exploit a buffer overflow in the 'huh' utility to
obtain root privileges.

$B%m!<%+%k%f!<%6$O!"(B'huh' $B%f!<%F%#%j%F%#$KB8:_$9$k%P%C%U%!%*!<%P%U%m!<LdBj$r(B
exploit $B$9$k$3$H$G!"(Broot $B8"8B$rF@$k$3$H$,$G$-$^$9!#(B

If you have not chosen to install the orville-write port/package, then
your system is not vulnerable.

orville-write $B$N(B port $B$b$7$/$O(B package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P!"(B
$B%7%9%F%`$K%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s!#(B

IV.  $BBP1~:v(B - Workaround

Remove the orville-write port if you have installed it.

orville-write $B$N(B port $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$K$O!"(B
$B$=$l$r:o=|$7$F2<$5$$!#(B

V.   $B=$@5=hCV(B - Solution

Remove the setuid bit from the huh utility, by executing the following
command as root:

chmod u-s /usr/local/bin/huh

It is not necessary to reinstall the orville-write port, although this
can be done in one of the following ways if desired:

huh $B%f!<%F%#%j%F%#$N(B setuid $B%S%C%H$rL58z$K$7$F2<$5$$!#(B
$B$=$l$K$O!"(Broot $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9!#(B

chmod u-s /usr/local/bin/huh

orville-write $B$N(B port $B$r:F%$%s%9%H!<%k$9$kI,MW$O$"$j$^$;$s$,!"(B
$B<!$N$$$:$l$+$NJ}K!$G:F%$%s%9%H!<%k$9$k$3$H$,$G$-$^$9!#(B

1) Upgrade your entire ports collection and rebuild the orville-write port.

2) Reinstall a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/misc/orville-write-2.41a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/misc/orville-write-2.41a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/misc/orville-write-2.41a.tgz

Note: it may be several days before the updated packages are available.

3) download a new port skeleton for the orville-write port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz


1) Ports Collection $BA4BN$r99?7$7$F!"(Borville-write $B$N(B port $B$r:F%3%s%Q%$%k$9$k!#(B

2) $B0J2<$N>l=j$+$i?7$7$$(B package $B$rF~<j$7$F%$%s%9%H!<%k$9$k!#(B

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/misc/orville-write-2.41a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/misc/orville-write-2.41a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/misc/orville-write-2.41a.tgz

 $BCm(B: $B=$@5$5$l$?(B package $B$,8x3+$5$l$k$^$G!"?tF|$+$+$k$+$bCN$l$^$;$s!#(B

3) $B0J2<$N>l=j$+$i(B orville-write $B$N(B $B?7$7$$(B port $B%9%1%k%H%s$r%@%&%s%m!<%I$7!"(B
   $B$=$l$rMxMQ$7$F(B orville-write $B$N(B port $B$r:F%3%s%Q%$%k$9$k!#(B

http://www.freebsd.org/ports/

4) portcheckout $B%f!<%F%#%j%F%#$r;H$&$H(B, $B>e5-(B (3) $B$r<+F0E*$K(B
   $B9T$J$&$3$H$,$G$-$^$9(B.  portcheckout $B$O(B,
   /usr/ports/devel/portcheckout $B$d(B, $B0J2<$N>l=j$+$iF~<j2DG=$G$9(B. 

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz
