From owner-doc-jp@jp.freebsd.org  Sat Sep 16 00:17:00 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id AAA96568;
	Sat, 16 Sep 2000 00:17:00 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from sv01.geocities.co.jp (sv01.geocities.co.jp [210.153.89.155])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id AAA96563
	for <doc-jp@jp.freebsd.org>; Sat, 16 Sep 2000 00:16:59 +0900 (JST)
	(envelope-from hrs@geocities.co.jp)
Received: from mail.geocities.co.jp (mail.geocities.co.jp [210.153.89.137]) by sv01.geocities.co.jp (8.9.3+3.2W/3.7W) with ESMTP id AAA25718 for <doc-jp@jp.freebsd.org>; Sat, 16 Sep 2000 00:16:59 +0900 (JST)
Received: from mail.hrs.jp (p0190-ip01funabasi.chiba.ocn.ne.jp [211.123.225.190]) by mail.geocities.co.jp (1.3G-GeocitiesJ-3.3) with ESMTP id AAA15665 for <doc-jp@jp.freebsd.org>; Sat, 16 Sep 2000 00:16:56 +0900 (JST)
Message-Id: <200009151516.AAA15665@mail.geocities.co.jp>
Received: from localhost (alph.hrs.jp [192.168.0.10])
	by mail.hrs.jp (8.9.3/3.7W/DomainMaster) with ESMTP id AAA51681
	for <doc-jp@jp.freebsd.org>; Sat, 16 Sep 2000 00:03:20 +0900 (JST)
	(envelope-from hrs@hrs.jp)
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000913203457.E4D9137B69F@hub.freebsd.org>
References: <20000913203457.E4D9137B69F@hub.freebsd.org>
X-Mailer: Mew version 1.94.1 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Sat_Sep_16_00:03:09_2000_179)--"
Content-Transfer-Encoding: 7bit
Date: Sat, 16 Sep 2000 00:03:19 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 177
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7704
Subject: [doc-jp 7704] Re: ANNOUNCE: FreeBSD Ports Security Advisory:
 FreeBSD-SA-00:49.eject
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

----Next_Part(Sat_Sep_16_00:03:09_2000_179)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

 FreeBSD-SA-00:49.eject $B$NK]Lu$G$9!#(B


----Next_Part(Sat_Sep_16_00:03:09_2000_179)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="00:49"

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory: FreeBSD-SA-00:49.eject
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Wed, 13 Sep 2000 13:34:57 -0700 (PDT)
  Message-Id: <20000913203457.E4D9137B69F@hub.freebsd.org>
  X-Sequence: announce-jp 538

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
 FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
 $B%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
 http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
 ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
 $B$=$l$>$lCV$-49$($F$/$@$5$$(B.

 $B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
 $B9MN8$9$k$h$&$*4j$$$7$^$9(B.  $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

  http://www.FreeBSD.org/handbook/mirrors-ftp.html ($B1QJ8(B)
  http://www.FreeBSD.org/ja/handbook/mirrors-ftp.html ($BF|K\8lLu(B)

 $B$K(B, $B$^$?(B, $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

  http://www.FreeBSD.org/ja/security/

 $B$K$^$H$a$i$l$F$$$^$9(B.

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,;29M$N(B
 $B$?$a$KDs6!$9$k$b$N$G(B, doc-jp $B$O(B $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B.
 $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

--($B$3$3$+$i(B)
=============================================================================
FreeBSD-SA-00:49                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	eject port allows local root exploit

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	eject
$B9pCNF|(B:		2000-09-13
$B1F6AHO0O(B:	Ports Collection
$B=$@5F|(B:		2000-08-21
$B%/%l%8%C%H(B:	$BFbIt%;%-%e%j%F%#4F::Cf$KH/8+(B
$B%Y%s%@$NBP1~(B:	$BO"Mm:Q$_(B
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

Eject is a utility for ejecting the media from a CD or optical disk
drive.
eject $B$O(B CD $B$d8w%G%#%9%/%I%i%$%V$NCf$K$"$k%a%G%#%"$r(B
$B<h$j=P$9$?$a$N%f!<%F%#%j%F%#$G$9(B.

II.  $BLdBj$N>\:Y(B - Problem Description

The eject program is installed setuid root, and contains several
exploitable buffers which can be overflowed by local users, yielding
root privileges.
eject $B%W%m%0%i%`$O(B root $B%f!<%6$G(B setuid $B$5$l$F%$%s%9%H!<%k$5$l$^$9$,(B,
$B$3$N%W%m%0%i%`$K$O%m!<%+%k%f!<%6$,%*!<%P%U%m!<$r0z$-5/$3$;$k$h$&$J(B
$B%P%C%U%!$,$$$/$D$+;H$o$l$F$$$^$9(B. $B$3$l$i$O(B, root $B8"8B$rC%$&$?$a$K(B
$B0-MQ$9$k$3$H$,2DG=$G$9(B.

The eject port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3800 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 4.1 and 3.5.1
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

eject $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/(B,
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B. $B$=$l$i$O(B
3800 $B$r1[$($k%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9(B.
$B%j%j!<%98e$KLdBj$,8+$D$+$C$?$?$a(B, FreeBSD 3.5.1 $B$*$h$S(B 4.1 $B$H$H$b$K(B
$B=P2Y$5$l$?(B Ports Collection $B$O$3$NLdBj$r4^$s$G$$$^$9(B.
 
FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B). $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B.

III. $B1F6AHO0O(B - Impact

Unprivileged users can obtain root privileges on the local system.
$B9b$$8"8B$r;}$?$J$$%f!<%6$,%m!<%+%k%7%9%F%`>e$G(B root $B8"8B$r(B
$BF@$k$3$H$,2DG=$G$9(B.

If you have not chosen to install the eject port/package, then your
system is not vulnerable to this problem.
eject $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B,
$B%7%9%F%`$K$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.

IV.  $B2sHrJ}K!(B - Workaround

Deinstall the eject port/package, if you have installed it, or limit
the file permissions on the /usr/local/sbin/eject file (e.g. remove
setuid permission, or limit it to a trusted group)
eject $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O(B
$B$=$l$r%7%9%F%`$+$i:o=|$9$k$+(B, $B$"$k$$$O(B /usr/local/sbin/eject $B%U%!%$%k$N(B
$B5v2DB0@-$r@)8B(B ($B$?$H$($P(B setuid $BB0@-$r<h$j=|$/(B, $B<B9T$r?.Mj$G$-$k%0%k!<%W$K(B
$B8BDj$9$k$J$I(B) $B$7$F$/$@$5$$(B.

V.   $B2r7h:v(B - Solution

One of the following:
$B<!$N$$$:$l$+$K=>$C$F$/$@$5$$(B.

1) Upgrade your entire ports collection and rebuild the eject port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B, eject $B$N(B port $B$r:F9=C[$7$^$9(B.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
2) $B8E$$(B ($BLuCm(B: eject $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7(B, $B=$@5F|0J9_$K(B
   $B:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i<hF@$7$F%$%s%9%H!<%k$7$^$9(B.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/sysutils/eject-1.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/sysutils/eject-1.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/sysutils/eject-1.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/eject-1.4.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/sysutils/eject-1.4.tgz

NOTE: Be sure to check the file creation date on the package, because
the version number of the software has not changed.
$BCm0U(B: $B%=%U%H%&%'%"$N%P!<%8%g%sHV9f$OJQ99$5$l$F$$$^$;$s$N$G(B,
      package $B%U%!%$%k$N:n@.F|;~$,9g$C$F$$$k$+3NG'$9$k$h$&$K$7$F$/$@$5$$(B.

3) download a new port skeleton for the eject port from:
3) eject port $B$N?7$7$$(B port $B%9%1%k%H%s$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7(B,
   $B$=$l$r;H$C$F(B port $B$r:F9=C[$7$^$9(B.

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
4) $B>e5-(B (3) $B$NA`:n$r<+F0E*$K9T$J$&(B portcheckout $B%f!<%F%#%j%F%#$r;H$$$^$9(B.
   portcheckout $B$N(B port $B$O(B /usr/ports/devel/portcheckout $B$K$"$j$^$9(B.
   $B$^$?(B, portcheckout $B$N(B package $B$,0J2<$N>l=j$+$iF~<j2DG=$G$9(B.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

$hrs: FreeBSD-SA/00:49,v 1.1 2000/09/15 14:56:51 hrs Exp $

----Next_Part(Sat_Sep_16_00:03:09_2000_179)----
