Message-Id: <200003241008.e2OA8bi27054@koga.do.mms.mt.nec.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <200003230450.NAA19824@mail.geocities.co.jp>
References: <20000315173308.C8D9737BADE@hub.freebsd.org>
	<200003230450.NAA19824@mail.geocities.co.jp>
Date: Fri, 24 Mar 2000 19:08:37 +0900 (JST)
From: Koga Youichirou <y-koga@jp.freebsd.org>
Subject: [doc-jp 7216] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:07.mh

Hiroki Sato <hrs@geocities.co.jp>:
>  Here is the Japanese translation of SA-00:07.mh.

Clap clap clap ☆

> =============================================================================
> FreeBSD-SA-00:07                                           Security Advisory
>                                                                 FreeBSD, Inc.
$B!D(B $B$5$/$C$HN,(B $B!D(B
> I.   $BGX7J(B - Background
> 
> MH and its successor NMH are popular Mail User Agents. EXMH and EXMH2 are
> TCL/TK-based front-ends to the MH system.
> MH $B$*$h$S!"$=$N8e7Q$G$"$k(B NMH $B$O!"M-L>$J%a!<%k%f!<%6%(!<%8%'%s%H$G$9!#(B

popular $B$O$d$C$Q$j?M5$$,$"$k$@$H;W$&!#(B

> II.  $BLdBj$N>\:Y(B - Problem Description
> 
> The mhshow command used for viewing MIME attachments contains a buffer
> overflow which can be exploited by a specially-crafted email attachment,
> which will allow the execution of arbitrary code as the local user when the
> attachment is opened.
> mhshow $B%3%^%s%I$O!"(BMIME attachments ($BLuCm(B: $B$$$o$f$kE:IU%U%!%$%k$N$3$H!#(B
> $B0J2<!"(Battachments $B$r!VE:IU%U%!%$%k!W$HI=5-$7$^$9(B) $B$NI=<($K;H$o$l$^$9!#(B
> $B$3$N%3%^%s%I$K$O!"FCJL$K$D$/$i$l$?%a!<%kE:IU%U%!%$%k$K$h$C$F(B exploit $B2DG=$J(B
> $B%P%C%U%!%*!<%P%U%m!<LdBj$,$"$j$^$9!#$=$N$?$a!"E:IU%U%!%$%k$r3+$/:]$K!"(B
> $B%m!<%+%k%f!<%6$N8"8B$GG$0U$N%3!<%I$r<B9T$9$k$3$H$,2DG=$G$9!#(B

$B!V(BMIME attachments $B$NI=<($K;HMQ$5$l$k(B mhshow $B%3%^%s%I$K$O!"!D!W(B

# But I have a feeling that MH has no mhshow command ... I wonder if
# it is being tweaked in ports?

> The *MH ports are not installed by default,
> *MH $B$N(B port $B$O!"%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/!"(B

$B86J8$,0-$$$s$@$1$I!"!V(B*MH$B!W$d$a$F!V(BMH$B4XO"!W$+!":#2sLdBj07$$$K$7$F$$$k(B
$B$b$N$r$-$A$s$H%j%9%H$7$^$7$g$&!#FI<T$K%o%$%k%I%+!<%I$NE83+$r4|BT$9$k$N(B
$B$O4V0c$$$@(B :-<

> III. $B1F6AHO0O(B - Impact
> 
> An attacker who can convince a user to open a hostile MIME attachment sent
> as part of an email message can execute arbitrary binary code running with
> the privileges of that user.
> If the attacker can get the receiving user to open a malicious MIME
> attachment sent as part of a mail message, it is possible to execute
> arbitrary code with the privileges of the user who opened that file.

Hmm, in this translation, what exactly is the subject, "the attacker" (攻撃者), doing? ;)
I think it would help to reorder a few parts and rework the wording.

> IV.  $BBP1~:v(B - Workaround
> 
> 1) Remove the mhshow binary, located in /usr/local/bin/mhshow. This will
> prevent the viewing of MIME attachments from within *mh.
> 1) Please delete the mhshow binary file located at /usr/local/bin/mhshow.
>    As a result, it will no longer be possible to view MIME attachments in *mh.

"*mh" isn't good here either.

# But I still have a feeling that MH has no mhshow command ...

> V.   $B=$@5=hCV(B - Solution
> 
> The English language version of the MH software is no longer actively
> developed, and no fix is currently available.
> Because active development of the English version of MH has already ended,
> no fixed version exists at present.

Rather than "has already ended" (すでに終了している), maybe "is no longer being carried out" (もはやおこなわれていない).

> Therefore, please consider updating to NMH rather than using MH.

「下さい」 → 「ください」 (write "kudasai" in hiragana)
----
Koga Youichirou
