To: doc-jp@jp.freebsd.org
Date: Mon, 10 Jul 2000 23:50:01 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
Subject: [doc-jp 7518] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit

This is a fairly rough translation, but I am posting it so that it can
be processed quickly. Please criticize it freely.

BEGIN------------------- From here ------------------------
 This mail is a Japanese translation of the following message, which
 was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Wed,  5 Jul 2000 16:02:39 -0700 (PDT)
  Message-Id: <20000705230239.8E2CF37B8B6@hub.freebsd.org>
  X-Sequence: announce-jp 465

 The original is PGP signed, but this Japanese translation is not.
 To run a PGP check confirming that the patch and other contents have
 not been tampered with, refer to the original.

 The Japanese translation is provided for reference by the FreeBSD
 Japanese Documentation Project (doc-jp), and doc-jp makes no warranty
 of any kind regarding its contents. Please send inquiries about the
 Japanese translation to doc-jp@jp.FreeBSD.org.

--(from here)
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:24                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	libedit reads config file from current directory

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	libedit
$B9pCNF|(B:		2000-07-05
$B1F6AHO0O(B:	$B=$@5F|$h$jA0$N$9$Y$F$N%P!<%8%g%s$N(B FreeBSD
$B%/%l%8%C%H(B:	Tim Vanderhoek <hoek@FreeBSD.org>
$B%Y%s%@$N%9%F!<%?%9(B:	$BDLCN:Q(B
$B=$@5F|(B:		2000-05-22
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

libedit is a library of routines for providing command editing and
history retrieval for interactive command-oriented programs.

libedit $B$O!"BPOCE*$J%3%^%s%I;X8~%W%m%0%i%`MQ$K!"%3%^%s%IJT=8$d%R%9%H%j(B
$B$N3MF@5!G=$rDs6!$9$k%i%$%V%i%j$G$9!#(B

II.  $BLdBj$N>\:Y(B - Problem Description

libedit incorrectly reads an ".editrc" file in the current directory
if it exists, in order to specify configurable program
behaviour. However it does not check for ownership of the file, so an
attacker can cause a libedit application to execute arbitrary key
rebindings and exercise terminal capabilities by creating an .editrc
file in a directory from which another user executes a libedit binary
(e.g. root running ftp(1) from /tmp). This can be used to fool the
user into unknowingly executing program commands which may compromise
system security. For example, ftp(1) includes the ability to escape to
a shell and execute a command, which can be done under libedit
control.

libedit $B$O!"%+%l%s%H%G%#%l%/%H%j$K(B .editrc $B%U%!%$%k$,B8:_$9$k>l9g!"(B
$B$3$l$rITE,@Z$KFI$_9~$s$G!"(Bconfigurable $B$J%W%m%0%i%`$NF0:n$r;XDj$7$F$7(B
$B$^$$$^$9!#(B.editrc $B%U%!%$%k$N%*!<%J$r3NG'$7$J$$$N$G!"(Blibedit $B$r;HMQ$7$F(B
$B$$$k%W%m%0%i%`$rB>$N%f!<%6$,<B9T$9$k%G%#%l%/%H%j$K(B .editrc $B%U%!%$%k$r(B
$BMQ0U$9$k$3$H$G!"$=$N%W%m%0%i%`$G;HMQ$9$k%-!<%P%$%s%I$r:F@_Dj$5$;$?$j!"(B
$BC<Kv$N(B capabilities $B$r(B exercise $B$9$k$h$&$J967b$,2DG=$G$9(B ($BNc(B. /tmp 
$B%G%#%l%/%H%j$G(B root $B$,(B ftp(1) $B$r<B9T$9$k(B)$B!#$3$N967b$K$h$j!"%W%m%0%i%`(B
$B$N%3%^%s%I$r<B9T$9$k%f!<%6$,Lu$NJ,$+$i$J$$>uBV$K$J$j!"%;%-%e%j%F%#>e(B
$BLdBj$H$J$j$^$9!#$?$H$($P!"(Bftp(1) $B$O%7%'%k$K%(%9%1!<%W$9$k$7$F%3%^%s%I(B
$B$r<B9T$9$k$3$H$,$G$-$^$9$,!"$3$l$O(B libedit $B$N%3%s%H%m!<%kG[2<$G<B9T$5(B
$B$l$^$9!#(B

The supplied patch removes this behaviour and causes libedit to only
search for its configuration file in the home directory of the user,
if it exists and the binary is not running with increased privileges
(i.e. setuid or setgid).

The patch provided here removes the problematic processing and makes
libedit refer only to the configuration file in the user's home
directory, when the .editrc file exists and the executable does not
raise privileges (i.e. it is not setuid or setgid).

FreeBSD 3.5-RELEASE is not affected by this vulnerability, although
4.0-RELEASE is affected since the problem was discovered after it was
released.

FreeBSD 3.5-RELEASE $B$K$O$3$NLdBj$O$"$j$^$;$s!#$7$+$7!"(B4.0-RELEASE $B$O(B
$B%j%j!<%98e$K$3$NLdBj$,H/8+$5$l$?$?$a!"$3$NLdBj$K$h$k1F6A$,$"$j$^$9!#(B

III. $B1F6AHO0O(B - Impact

An attacker can cause a user to execute arbitrary commands within a
program which is run from a directory to which the attacker has write
access, potentially leading to system compromise if run as a
privileged user (such as root).

When a user runs a program in a directory writable by an attacker, the
attacker can cause arbitrary commands (translator's note: the
interactive commands provided by the program) to be executed. If the
program is run as a privileged user (such as root), the system may be
put at risk.

IV.  $BBP1~:v(B - Workaround

Do not interactively run utilities which link against libedit from
directories which can be written to by other users.

Do not interactively run utilities that link libedit in directories
writable by other users.

To identify utilities which link dynamically against libedit, download
the libfind tool and detached PGP signature as follows: 

libedit $B$rF0E*$K%j%s%/$7$F$$$k%f!<%F%#%j%F%#$r3NG'$9$k$?$a$K!"(Blibfind 
$B$H$$$&%D!<%k$H$=$N(B PGP $B=pL>$r$r%@%&%s%m!<%I$7$^$9!#(B

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh.asc

Verify the detached signature using your PGP utility.

PGP $B%f!<%F%#%j%F%#$r;HMQ$7$F!"(BPGP $B=pL>$H>H9g$7$^$9!#(B

Run the libfind.sh tool as root, as follows:

root $B8"8B$G(B libfind.sh $B%D!<%k$r<B9T$7$^$9!#(B

# sh libfind.sh libedit /

Note that it is not feasible to locate utilities which link statically
against libedit since there are no common strings embedded in such
binaries. However the following is believed to be a complete list of
statically and dynamically linked FreeBSD system utilities which link
against the library:

$B@EE*$K(B libedti $B$,%j%s%/$5$l$?%f!<%F%#%j%F%#$K$D$$$F$O!"$=$N$h$&$J%P%$(B
$B%J%j$r8+$D$1$k$?$a$NJ8;zNs$,Kd$a9~$^$l$F$$$J$$$N$G!"8+$D$1$i$l$J$$$3$H(B
$B$KCm0U$,I,MW$G$9!#$7$+$70J2<$N%j%9%H$O!"(BFreeBSD $B%7%9%F%`$N%f!<%F%#%j%F(B
$B%#$G!"@EE*$^$?$OF0E*$K(B libedit $B$,%j%s%/$5$l$F$$$k$b$N$N40A4$J%j%9%H$G(B
$B$"$k$H;W$$$^$9!#(B

/bin/sh
/sbin/fsdb
/usr/bin/ftp
/usr/sbin/cdcontrol
/usr/sbin/lpc
/usr/sbin/nslookup
/usr/sbin/pppctl

Because libedit is not a portable library in common use there are
unlikely to be many FreeBSD ports which link statically against it: no
such ports are known at this time.

libedit $B$ODL>o$N;HMQ$K$*$$$F%]!<%?%V%k$J%i%$%V%i%j$G$O$"$j$^$;$s$N$G!"(B
$B$3$l$r@EE*$K%j%s%/$7$F$$$k$h$&$J(B FreeBSD ports $B$O$"$^$j$J$$$H;W$o$l$^(B
$B$9(B ($B8=;~E@$G$O!"$=$N$h$&$J(B ports $B$O3NG'$5$l$F$$$^$;$s(B)$B!#(B

V.   $B=$@5=hCV(B - Solution

One of the following:

Do one of the following.

1) Upgrade your vulnerable system to a version dated after the
correction date.

Upgrade the vulnerable system to a version dated after the correction date.

2) Save the advisory into a file or download the patch and detached
PGP signature:

Save this advisory to a file, or download the patch and its PGP
signature from the following URLs.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch.asc

Verify the detached PGP signature using your PGP utility.

PGP $B%f!<%F%#%j%F%#$r;HMQ$7$F(B PGP $B=pL>$H>H9g$7$^$9!#(B

Apply the patch and rebuild as follows:

Apply the patch and rebuild as follows.

# cd /usr/src/lib/libedit
# patch -p < /path/to/patch/or/advisory

and rebuild your system as described in 

Rebuild the system according to the following page.

http://www.freebsd.org/handbook/makeworld.html

    --- el.c	1999/08/20 01:17:12	1.6
    +++ el.c	2000/05/22 05:55:22	1.7
    @@ -290,13 +294,10 @@
         char *ptr, path[MAXPATHLEN];
     
         if (fname == NULL) {
    -	fname = &elpath[1];
    -	if ((fp = fopen(fname, "r")) == NULL) {
    -	    if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
    -		return -1;
    -	    (void)snprintf(path, sizeof(path), "%s%s", ptr, elpath);
    -	    fname = path;
    -	}
    +	if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
    +	    return -1;
    +	(void) snprintf(path, sizeof(path), "%s%s", ptr, elpath);
    +	fname = path;
         }
     
         if ((fp = fopen(fname, "r")) == NULL)
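
Review bot: in the added lines the snprintf() result is discarded with (void), so a HOME value too long for path[MAXPATHLEN] is silently truncated and the fopen() that follows is attempted on a shortened path; compare the return value against sizeof(path) and return -1 on truncation. The problem description names the missing ownership check as the flaw, yet the file opened from path is still not checked for owner or mode, so consider an fstat() on the opened stream before its contents are parsed.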
    
END--------------------- To here ------------------------

----
Koga Youichirou
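
The workaround in section IV of the advisory, as an added shell example that is not part of the advisory or of this mail: it checks whether a directory is one from which a libedit program should not be run interactively on an unpatched system. The function names and the rule that only the caller and uid 0 count as trusted owners are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check for the advisory's workaround.
# Helper names and the trust rule (caller and uid 0) are assumptions.

# Print the numeric owner uid of a path; a symlink reports its own owner.
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Succeed if the mode string shows group or other write permission.
writable_by_others() {
    mode=$(ls -ldn -- "$1" | awk '{print $1}')
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# editrc_check DIR: return 0 if DIR is acceptable, 1 if a libedit program
# should not be run interactively from it. One line is printed per finding.
editrc_check() {
    dir=${1:-.}
    me=$(id -u)
    rc=0
    owner=$(owner_uid "$dir")
    if [ "$owner" != "$me" ] && [ "$owner" != 0 ]; then
        echo "$dir: owned by uid $owner, who can create files in it"
        rc=1
    fi
    if writable_by_others "$dir"; then
        echo "$dir: group- or world-writable"
        rc=1
    fi
    # -L catches a dangling symlink, which -e alone would miss.
    if [ -e "$dir/.editrc" ] || [ -L "$dir/.editrc" ]; then
        owner=$(owner_uid "$dir/.editrc")
        if [ "$owner" != "$me" ]; then
            echo "$dir/.editrc: present, owned by uid $owner"
            rc=1
        fi
    fi
    return "$rc"
}

# Run as: sh editrc_check.sh /tmp
if [ "$#" -gt 0 ]; then
    editrc_check "$1" || echo "do not run libedit programs from $1"
fi
```

On a patched system the check is still a reasonable habit for any tool that reads dotfiles from the working directory.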
