From owner-doc-jp@jp.freebsd.org  Tue Jul 11 12:49:34 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id MAA70072;
	Tue, 11 Jul 2000 12:49:34 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from TYO202.gate.nec.co.jp (TYO202.gate.nec.co.jp [202.247.6.41])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id MAA70067
	for <doc-jp@jp.freebsd.org>; Tue, 11 Jul 2000 12:49:34 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Received: from mailsv4.nec.co.jp (mailsv4-le1 [192.168.1.93])
	by TYO202.gate.nec.co.jp (8.9.3/3.7W00052210) with ESMTP id MAA05852
	for <doc-jp@jp.freebsd.org>; Tue, 11 Jul 2000 12:49:33 +0900 (JST)
Received: from mmssv.mms.mt.nec.co.jp (mmssv.mms.mt.nec.co.jp [133.201.63.216]) by mailsv4.nec.co.jp (8.9.3/3.7W-MAILSV4-NEC) with ESMTP
	id MAA08113 for <doc-jp@jp.freebsd.org>; Tue, 11 Jul 2000 12:49:32 +0900 (JST)
Received: from koga.do.mms.mt.nec.co.jp (koga.do.mms.mt.nec.co.jp [10.16.5.16]) by mmssv.mms.mt.nec.co.jp (8.8.4+2.7Wbeta4/3.4W3MMS96052011) with ESMTP id MAA02312 for <doc-jp@jp.freebsd.org>; Tue, 11 Jul 2000 12:43:27 +0900 (JST)
Received: from localhost (localhost [127.0.0.1])
	by koga.do.mms.mt.nec.co.jp (8.10.2/3.7W-00052406) with ESMTP id e6B3nUR00596;
	Tue, 11 Jul 2000 12:49:30 +0900 (JST)
Message-Id: <200007110349.e6B3nUR00596@koga.do.mms.mt.nec.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000705230721.2E6CB37BCFB@hub.freebsd.org>
References: <20000705230721.2E6CB37BCFB@hub.freebsd.org>
X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Tue, 11 Jul 2000 12:49:30 +0900 (JST)
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Lines: 189
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7525
Subject: [doc-jp 7525] Re: ANNOUNCE: FreeBSD Ports Security Advisory:
 FreeBSD-SA-00:27.XFree86-4
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

$B$@$$$VJRIU$$$F$-$?!#(B

$B;D$j(B:
FreeBSD-SA-00:28
FreeBSD-SA-00:30
FreeBSD-SA-00:31
FreeBSD-SA-00:32

BEGIN------------------- $B$3$3$+$i(B ------------------------
 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory: FreeBSD-SA-00:27.XFree86-4
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Wed,  5 Jul 2000 16:07:21 -0700 (PDT)
  Message-Id: <20000705230721.2E6CB37BCFB@hub.freebsd.org>
  X-Sequence: announce-jp 467

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,;29M$N(B
 $B$?$a$KDs6!$9$k$b$N$G(B, doc-jp $B$O(B $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B.
 $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

--($B$3$3$+$i(B)
=============================================================================
FreeBSD-SA-00:27                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	XFree86-4.0 port contains local root overflow

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	Xfree86-4
$B9pCNF|(B:		2000-07-05
$B%/%l%8%C%H(B:	Michal Zalewski <lcamtuf@TPI.PL>
$B1F6AHO0O(B:	Ports collection
$B=$@5F|(B:		2000-06-09
$B%Y%s%@$N%9%F!<%?%9(B:	$B%Q%C%A$,8x3+$5$l$F$$$k(B
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

XFree86 4.0 is a development version of the popular XFree86 X Windows
system.

XFree86 4.0 $B$O(B, $B?M5$$N$"$k(B XFree86 X Window $B%7%9%F%`$N3+H/%P!<%8%g%s$G(B
$B$9(B. 

II.  $BLdBj$N>\:Y(B - Problem Description

XFree86 4.0 contains a local root vulnerability in the XFree86 server
binary, due to incorrect bounds checking of command-line
arguments.

XFree86 4.0 $B$N%5!<%P$K$O(B, $B%3%^%s%I%i%$%s0z?t$N6-3&%A%'%C%/$,ITE,@Z$G$"(B
$B$k$?$a(B, $B%m!<%+%k$N(B root $B8"8B$,C%$o$l$k<eE@$,$"$j$^$9(B. 

The server binary is setuid root, in contrast to previous versions
which had a small setuid wrapper which performed (among other things)
argument sanitizing. 

$B0JA0$N%P!<%8%g%s$G$O(B, $B0z?t$N%A%'%C%/$J$I$r9T$J$&>.$5$J(B setuid $B$5$l$?(B 
wrapper $B%W%m%0%i%`$,MQ0U$5$l$F$$$^$7$?$,(B, XFree86 4.0 $B$G$O%5!<%P$N<B9T(B
$B%U%!%$%k$O(B, root $B$G(B setuid $B$5$l$F$$$^$9(B. 

The XFree86-4 port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3400 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release, but it was fixed in
time for FreeBSD 3.5.

XFree86-4 $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/(B,
FreeBSD $B%7%9%F%`$N0lIt$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B. $B$=$l$i$O(B, 3400 $B$r(B
$BD6$($k%5!<%I%Q!<%F%#@=$N%"%W%j%1!<%7%g%s$,$9$0$K%$%s%9%H!<%k$G$-$k7A$G(B
$B<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9(B. FreeBSD 4.0 $B$H$H$b(B
$B$K=P2Y$5$l$?(B ports $B%3%l%/%7%g%s$O(B, $B%j%j!<%98e$KLdBj$,8+$D$+$C$?$?$a$K(B
$B$3$NLdBj$r4^$s$G$$$^$9$,(B, FreeBSD 3.5 $B$G$O=$@5$5$l$F$$$^$9(B. 

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B ($BLuCm(B: Ports
Collection $B$KF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j(B
$B%1!<%7%g%s$,0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B). $B$?$@$7(B, $B%;%-%e%j(B
$B%F%#LdBj$KBP$7$FBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::(B
$B$rDs6!$9$Y$/(B, $B8=:_EXNOCf$G$9(B. 

III. $B1F6AHO0O(B - Impact

Unprivileged local users can obtain root access.

$BFC8"$r;}$?$J$$%m!<%+%k$N%f!<%6$,(B, root $B8"8B$rF@$k$3$H$,$G$-$^$9(B. 

If you have not chosen to install the XFree86-4 port/package, then
your system is not vulnerable to this problem.

XFree86-4 $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B, $B$=$N%7%9%F%`$K(B
$B$3$NLdBj$K$D$$$F$N%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.

IV.  $BBP1~:v(B - Workaround

Deinstall the XFree86-4 port/package, if you you have installed it, or
limit the execution file permissions on the /usr/X11R6/bin/XFree86
binary so that only members of a trusted group may run the binary.

XFree86-4 $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$k>l9g(B, $B$=$l$r%"%s%$%s%9(B
$B%H!<%k$9$k(B. $B$"$k$$$O(B, /usr/X11R6/bin/XFree86 $B%P%$%J%j%U%!%$%k$N<B9T8"(B
$B$r@)8B$7$F(B, $B?.Mj$G$-$k%0%k!<%W$N%a%s%P$N$_<B9T$G$-$k$h$&$K$9$k(B. 

V.   $B=$@5=hCV(B - Solution

At this time, we do not recommend using XFree86 4.0 on multi-user
systems with untrusted users, because of the lack of security in the
server binary. The current "stable" version, XFree86 3.3.6, is also
available in FreeBSD ports.

$B8=;~E@$G$O(B, $B%5!<%P$N%P%$%J%j$K$D$$$F%;%-%e%j%F%#$K4X$9$kG[N8$,7g$1$F$$(B
$B$k$?$a(B, XFree86 4.0 $B$r?.Mj$G$-$J$$%f!<%6$N$$$k%^%k%A%f!<%6%7%9%F%`>e$G(B
$B;HMQ$9$k$3$H$r?d>)$7$^$;$s(B. $B8=:_$N0BDj%P!<%8%g%s$G$"$k(B XFree86 3.3.6 
$B$b(B FreeBSD $B$N(B ports $B$H$7$FDs6!$5$l$F$$$^$9(B. 

One of the following:

$B0J2<$N$$$:$l$+$r9T$J$C$F$/$@$5$$(B. 

1) Upgrade your entire ports collection and rebuild the XFree86-4 port.

1) Ports Collection $BA4BN$r99?7$7$F(B, XFree86-4 $B$N(B port $B$r:F%3%s%Q%$%k$9$k(B.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

2) $B8E$$(B package $B$r%"%s%$%s%9%H!<%k$7(B, $B=$@5F|0J9_$N?7$7$$(B package $B$r%$(B
$B%s%9%H!<%k$9$k(B. $B?7$7$$%Q%C%1!<%8$O(B, $B0J2<$N>l=j$+$iF~<j2DG=$G$9(B. 

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.tar.gz

An updated version of XFree86, version 4.0.1, has just been released,
which is believed to also fix the problems detailed in this advisory,
however the X server is still installed setuid root and so the above
warning against installation on multi-user machines still applies. The
packages will be available at the following locations in the next few
days:

$B99?7$5$l$?%P!<%8%g%s$G$"$k(B XFree86 4.0.1 $B$,8x3+$5$l$F$$$^$9(B. $B$3$N%P!<(B
$B%8%g%s$G$O(B, $BK\4+9p$G=R$Y$F$$$kLdBj$K$D$$$F=$@5$5$l$F$$$k$h$&$G$9(B. $B$7$+(B
$B$7(B, X $B%5!<%P$O0MA3(B root $B$G(B setuid $B$5$l$F%$%s%9%H!<%k$5$l$^$9$N$G(B, $B%^%k(B
$B%A%f!<%6$N%^%7%s$K%$%s%9%H!<%k$9$k>l9g$K$O>e=R$NDL$jCm0U$,I,MW$G$9(B. 
$B$=$N(B packages $B$O(B, $B6aF|Cf$K0J2<$N(B URL $B$KMQ0U$5$l$k$G$7$g$&(B. 

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.1.tar.gz

3) download a new port skeleton for the XFree86-4 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

3) $B0J2<$N>l=j$+$i(B XFree86-4 $B$N?7$7$$(B port $B%9%1%k%H%s$r%@%&%s%m!<%I$7(B,
   $B$=$l$r;HMQ$7$F(B XFree86-4 $B$N(B port $B$r:F%3%s%Q%$%k$9$k(B.

http://www.freebsd.org/ports/

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

4) portcheckout $B%f!<%F%#%j%F%#$r;HMQ$9$k$H(B, $B>e5-(B (3) $B$r<+F0E*$K(B
   $B9T$J$&$3$H$,$G$-$^$9(B.  portcheckout $B$O(B,
   /usr/ports/devel/portcheckout $B$d(B, $B0J2<$N>l=j$+$iF~<j2DG=$G$9(B. 

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz
END--------------------- $B$3$3$^$G(B ------------------------
----
$B$3$,$h$&$$$A$m$&(B
