From owner-doc-jp@jp.freebsd.org  Thu Oct 12 01:26:30 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id BAA61690;
	Thu, 12 Oct 2000 01:26:30 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from eos.ocn.ne.jp (eos.ocn.ne.jp [210.190.142.171])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id BAA61685
	for <doc-jp@jp.freebsd.org>; Thu, 12 Oct 2000 01:26:29 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Received: from mail.hrslab.yi.org (p0189-ip01funabasi.chiba.ocn.ne.jp [211.123.225.189])
	by eos.ocn.ne.jp (8.9.1a/OCN/) with ESMTP id BAA09134
	for <doc-jp@jp.freebsd.org>; Thu, 12 Oct 2000 01:26:22 +0900 (JST)
Message-Id: <200010111626.BAA09134@eos.ocn.ne.jp>
Received: from localhost (alph.hrslab.yi.org [192.168.0.10])
	by mail.hrslab.yi.org (8.9.3/3.7W/DomainMaster) with ESMTP id BAA38486
	for <doc-jp@jp.freebsd.org>; Thu, 12 Oct 2000 01:06:26 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
To: doc-jp@jp.freebsd.org
In-Reply-To: <200010081246.VAA21332@eos.ocn.ne.jp>
References: <20001006214541.D836D37B502@hub.freebsd.org>
	<200010081246.VAA21332@eos.ocn.ne.jp>
	<wk4s2mzq91.wl@MHO-VAIO.hmp.sony.co.jp>
X-Mailer: Mew version 1.94.1 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Thu_Oct_12_01:06:20_2000_41)--"
Content-Transfer-Encoding: 7bit
Date: Thu, 12 Oct 2000 01:06:24 +0900
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
X-Dispatcher: imput version 20000228(IM140)
Lines: 915
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7752
Subject: [doc-jp 7752] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:52/00:53
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@eos.ocn.ne.jp

----Next_Part(Thu_Oct_12_01:06:20_2000_41)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

This is Sato at the Science University of Tokyo.

 Here are the revised versions of 00:52/00:53.
 I have attached both the diffs from the first version and the full texts.

Hori Masato <masato.hori@jp.sony.com> wrote
   in <wk4s2mzq91.wl@MHO-VAIO.hmp.sony.co.jp>:

> > TCP network connections use an initial sequence number when performing
> > the connection handshake.  According to the standard (標準) TCP protocol,
> 
> The word "standard" (「標準」) here may not be necessary.
 
 Semantically it could be dropped, but I put it in because I wanted to
 bring out the nuance of "the", as pointing to the specification
 document (specifically RFC793).

 # Come to think of it, the expression "TCP protocol" is
 # itself odd, though.

> > it is assumed that an acknowledgement packet with the correct sequence
> > number will be sent from the remote host that is trying to establish
> > an incoming connection, 
> 
>   an acknowledgement packet with the correct sequence number is taken to
>   have come from the remote host that is trying to establish the connection,
> I thought this would flow better.

 I adopted the suggestion with a slight modification.

> Since it is and/or, 「かつ」 ("and") may be too strong; perhaps 「や」 ("and/or")?
(snip)
> The 「を」 is doubled.

 Fixed.

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
| sato@sekine00.ee.noda.sut.ac.jp(UNIV)
| hrs@FreeBSD.org(FreeBSD Project)

----Next_Part(Thu_Oct_12_01:06:20_2000_41)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: attachment; filename="00:52.diff"
Content-Transfer-Encoding: 7bit

Index: 00:52
===================================================================
RCS file: /home/cvs/private/hrs/FreeBSD-SA/00:52,v
retrieving revision 1.1
retrieving revision 1.4
diff -d -u -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.1 -r1.4
--- 00:52	2000/10/08 12:42:57	1.1
+++ 00:52	2000/10/11 15:29:21	1.4
@@ -62,10 +62,10 @@
 
 TCP $B$N%M%C%H%o!<%/@\B3$K$O(B, $B@\B3$N%O%s%I%7%'%$%/$r9T$J$&:]$K(B
 $B=i4|%7!<%1%s%9HV9f$,;H$o$l$^$9(B.  $BI8=`(B TCP $B%W%m%H%3%k$K$h$k$H(B,
-$B30$+$i$N@\B3$r3NN)$7$h$&$H$7$F$$$k%j%b!<%H%[%9%H$+$i(B
-$B@5$7$$%7!<%1%s%9HV9f$NIU$$$?3NG'%Q%1%C%H(B(acknowledgement packet)$B$,(B
-$BAw$i$l$F$/$k$3$H$,A[Dj$5$l$F$*$j(B, $B@\B3$O$=$N3NG'%Q%1%C%H$NE~Ce$K(B
-$B$h$C$F3NN)$5$l$k$H$5$l$F$$$^$9(B.
+$B%j%b!<%H%[%9%H$+$iAw$i$l$F$/$k@5$7$$%7!<%1%s%9HV9f$NIU$$$?(B
+$B3NG'%Q%1%C%H(B(acknowledgement packet)$B$O(B, $B30It$+$i@\B3$r(B
+$B3NN)$7$h$&$H$7$F$$$k%j%b!<%H%[%9%H$+$i$N$b$N$G$"$k$H$_$J$5$l(B,
+$B@\B3$O$=$N3NG'%Q%1%C%H$NE~Ce$K$h$C$F3NN)$5$l$k$H$5$l$F$$$^$9(B.
 
 
 II.  $BLdBj$N>\:Y(B - Problem Description
@@ -77,10 +77,10 @@
 the resulting TCP connection which will be accepted by the server as
 coming from the spoofed machine.
 
-$B<!$K30$+$iE~Ce$9$k(B TCP $B@\B3$KBP$7$F%7%9%F%`$,MQ$$$k(B
-$B=i4|%7!<%1%s%9HV9f$r967b<T$,?dB,$G$-$k$H$9$k$H(B, $B$"$k%^%7%s$+$i$N(B
-TCP $B%O%s%I%7%'%$%/@\B3$r5=$$$FK\Mh%"%/%;%9$7$F$$$J$$%^%7%s$K(B
-$B8~$1$k$3$H(B($BLuCm(B: IP spoofing $B967b$H$7$FCN$i$l$F$$$^$9(B) $B$,2DG=$G$"$k$H(B
+$B30$+$iE~Ce$9$k(B TCP $B@\B3$KBP$7$F(B, $B<!$K%7%9%F%`$,MQ$$$k(B
+$B=i4|%7!<%1%s%9HV9f$r967b<T$,?dB,$G$-$k$J$i$P(B, $B$"$k%^%7%s$+$i$N(B
+TCP $B%O%s%I%7%'%$%/@\B3$r5=$-(B, $BK\Mh%"%/%;%9$7$F$$$J$$%^%7%s$K(B
+$B8~$1$k$3$H(B($BLuCm(B: $B$3$l$O(B IP spoofing $B967b$H8F$P$l$^$9(B) $B$,2DG=$G$"$k$H(B
 $B9M$($i$l$F$$$^$9(B.  $B$=$N:](B, $B967b<T$O$=$l$K$h$C$FF@$i$l$?(B TCP $B@\B3$K(B
 $BG$0U$N%G!<%?$rAw$j(B, IP spoofing $B$5$l$?%^%7%s$+$i$N%G!<%?$rAu$C$F(B
 $B%5!<%P$K<u$1<h$i$;$k$3$H$,2DG=$K$J$j$^$9(B.
@@ -114,9 +114,9 @@
 connections from other systems at the time of attack) are therefore
 most vulnerable to the attack.
 
-a) $B%5!<%P$N3+$$$F$$$k%]!<%H$KBP$9$k(B TCP $B@\B3$r(B ($B967b$=$N$b$N$r(B
-   $B9T$J$&D>A0$K(B) $BC;;~4V$KO"B3$7$F9T$J$($k$3$H(B.  $B$7$?$,$C$F(B
-   $B@E;_$7$?%5!<%P(B ($B967b$r9T$J$C$F$$$k;~$K(B, $BB>$N%7%9%F%`$+$i(B
+a) $B%5!<%P$N3+$$$F$$$k%]!<%H$KBP$7$F(B, ($B967b$=$N$b$N$r(B
+   $B9T$J$&D>A0$K(B) $BC;;~4V$KO"B3$7$?(B TCP $B@\B3$r9T$J$($k$3$H(B.  
+   $B$7$?$,$C$F@E;_$7$?%5!<%P(B ($B967b$r9T$J$C$F$$$k;~$K(B, $BB>$N%7%9%F%`$+$i(B
    $B%M%C%H%o!<%/@\B3$r<u$1<h$C$F$$$J$$%5!<%P(B) $B$O:G$b4m81@-$,9b$/$J$j$^$9(B.
 
 b) be able to prevent the spoofed client machine from responding to
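Review bot: The second added line of item a) ends in trailing whitespace after the sentence-final full stop, left over from the old mid-line sentence break. Strip it so the line ends at the full stop, as the other reflowed lines in this revision do.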
@@ -183,8 +183,8 @@
 address-based access controls, and others.
 
 $B3:Ev$9$k%W%m%H%3%k$*$h$S%5!<%S%9$O(B, $B$?$H$($P<!$N$h$&$J$b$N$G$9(B.
-(.rhosts $B$d(B .hosts.equiv $B$rMQ$$$F(B) $B%Q%9%o!<%I$J$7$N%"%/%;%9G'>Z$r(B
-$B9T$J$&;~$KMxMQ$5$l$k(B rlogin/rsh/rexec $B%U%!%_%j(B,
+(.rhosts $B$d(B hosts.equiv $B%U%!%$%k$rMQ$$$F(B) $B%Q%9%o!<%I$J$7$N(B
+$B%"%/%;%9G'>Z$r9T$J$&;~$KMxMQ$5$l$k(B rlogin/rsh/rexec $B%U%!%_%j(B,
 $B%f!<%6G'>Z$rMW5a$7$J$$(B, $B9b$$8"8B$r;}$D%j%=!<%9$r@)8f$9$k(B
 $B%9%/%j%W%H$K;H$o$l$k%&%'%V%5!<%P%"%I%l%9$K4p$E$/%"%/%;%9@)8f(B,
 $B@\B3$NG'>Z$r9T$J$o$J$$%5!<%S%9$K;H$o$l$F$$$k(B TCP Wrappers $B$N(B
@@ -198,14 +198,14 @@
 default, and must be specifically enabled through use of a per-user
 .rhosts file, or a global /etc/hosts.equiv file.
 
-rlogin $B%W%m%H%3%k%U%!%_%j$,(B Kerberos $B$d(B UNIX $B%Q%9%o!<%I$r;H$&$h$&$K(B
-$B@_Dj$5$l$F$$$l$P(B, $B$3$N967b$KBP$9$k%;%-%e%j%F%#>e$N4m81@-$OB8:_$7$J$$(B
-$B$3$H$KCm0U$7$F$/$@$5$$(B.  $B$=$N>l9g(B, $B@\B3$K$O(B ($BA0<T$J$i(B Kerberos $BG'>Z(B
-$B%A%1%C%H(B, $B8e<T$J$i%f!<%6%"%+%&%s%H%Q%9%o!<%I$K$h$C$F(B) $BG'>Z$,(B
-$B9T$J$o$l$k$?$a$G$9(B.  rlogin $B%W%m%H%3%k%U%!%_%j$G$O(B, $BI8=`@_Dj$G(B
-$B@\B385%"%I%l%9$r4p$K$7$?G'>Z$O9T$J$o$l$^$;$s(B.  $B$=$&$9$k$K$O(B,
-$B%f!<%6C10L$N(B .rhosts $B%U%!%$%k(B, $B$b$7$/$O%7%9%F%`A4BN$K1F6A$rM?$($k(B
-/etc/hosts.equiv $B%U%!%$%k$rMxMQ$7$F(B, $BL@<(E*$KM-8z2=$9$kI,MW$,$"$j$^$9(B.
+$B$?$@$7(B, rlogin $B%W%m%H%3%k%U%!%_%j$,(B Kerberos $B$d(B UNIX $B%Q%9%o!<%I$r(B
+$B;H$&$h$&$K@_Dj$5$l$F$$$l$P(B, $B$3$N967b$KBP$9$k%;%-%e%j%F%#>e$N4m81@-$O(B
+$BB8:_$7$^$;$s(B.  $B$=$N>l9g(B, $B@\B3$K$O(B ($BA0<T$J$i(B Kerberos $BG'>Z%A%1%C%H(B,
+$B8e<T$J$i%f!<%6%"%+%&%s%H%Q%9%o!<%I$K$h$C$F(B) $BG'>Z$,9T$J$o$l$k$?$a$G$9(B.
+rlogin $B%W%m%H%3%k%U%!%_%j$G$O(B, $BI8=`@_Dj$G@\B385%"%I%l%9$r4p$K$7$?G'>Z$O(B
+$B9T$J$o$l$^$;$s(B.  $B$=$&$9$k$K$O(B, $B%f!<%6C10L$N(B .rhosts $B%U%!%$%k(B, $B$b$7$/$O(B
+$B%7%9%F%`A4BN$K1F6A$rM?$($k(B /etc/hosts.equiv $B%U%!%$%k$rMxMQ$7$F(B,
+$BL@<(E*$KM-8z2=$9$kI,MW$,$"$j$^$9(B.
 
 Attackers can also forge TCP connections to arbitrary TCP protocols
 (including protocols not vulnerable to the spoofing attack described
@@ -214,8 +214,8 @@
 potentially misleading the administrators of the server into thinking
 they are under attack from the spoofed client.
 
-$B967b<T$O(B ($B>e5-$N(B IP spoofing $B967b$KBP$7$F<eE@$r;}$?$J$$$b$N$r4^$`(B) $BG$0U$N(B
-TCP $B%W%m%H%3%k$KBP$9$k(B TCP $B@\B3$rL5M}LpM}$D$/$j=P$7(B,
+$B$^$?(B, $B967b<T$O(B ($B>e5-$N(B IP spoofing $B967b$KBP$7$F<eE@$r;}$?$J$$(B
+$B$b$N$r4^$`(B) $BG$0U$N(B TCP $B%W%m%H%3%k$KBP$9$k(B TCP $B@\B3$rL5M}LpM}$D$/$j=P$7(B,
 $B967bBP>]%^%7%s$+$i(B ($B$?$H$($P%Q%9%o!<%I$N?dB,$r7+$jJV$9$h$&$J(B) $BIT@5$J(B
 $B%j%b!<%H%"%/%;%9$r9T$J$C$?$+$N$h$&$J>u67$r$D$/$j=P$9$3$H$b2DG=$G$9(B.  
 $B$3$l$O%5!<%P$N4IM}<T$r8m2r$5$;(B, IP spoofing $B$5$l$?%/%i%$%"%s%H$+$i(B
@@ -232,11 +232,12 @@
 used to detect and trace the attacker.
 
 $B967b<T$O$3$N%;%-%e%j%F%#>e$N<eE@$r0-MQ$9$k$?$a$K(B, $B967bBP>]%^%7%s(B
-($B$?$H$($P%&%'%V%5!<%P(B) $B$N(B, $B$"$k%]!<%H$K2?EY$+C;;~4V$KO"B3$7$F@\B3$r(B
-$B;n$_$kI,MW$,$"$k$3$H$KCm0U$7$F$/$@$5$$(B.  $B967b$r@.8y$5$;$k$K$O(B
+($B$?$H$($P%&%'%V%5!<%P(B) $B$N0l$D$N%]!<%H$KBP$7$F?t2s(B, $BC;;~4V$KO"B3$7$?(B
+$B@\B3$r;n$_$kI,MW$,$"$k$3$H$KCm0U$7$F$/$@$5$$(B.  $B967b$r@.8y$5$;$k$K$O(B
 $B967bBP>]%^%7%s$,@E;_$7$F(B ($B$D$^$jB>$N@\B3$r0l$D$b<u$1<h$i$J$$$G(B)
-$B$$$J$1$l$P$J$i$J$$$?$a(B, $B0BA4$G$J$$%5!<%S%9$KAGAa$/O"B3$7$F9T$J$o$l$k(B
-$B@\B3F0:n$O(B, $B967b<T$r8!=P(B, $BDI@W$9$k$?$a$N>pJs$H$7$FMxMQ$G$-$k$+$bCN$l$^$;$s(B.
+$B$$$J$1$l$P$J$i$J$$$?$a(B, $B0BA4$G$J$$%5!<%S%9$KBP$7$FAGAa$/O"B3$7$F(B
+$B9T$J$o$l$k@\B3F0:n$O(B, $B967b<T$r8!=P(B, $BDI@W$9$k$?$a$N>pJs$H$7$F(B
+$BMxMQ$G$-$k$G$7$g$&(B.
 
 Possible workarounds for the vulnerability include one or both of the
 following:
@@ -254,10 +255,11 @@
 1) ($B%"%I%l%9$K4p$E$/G'>Z$rMQ$$$k$h$&$K@_Dj$5$l$F$$$k>l9g$K$O(B)
    rlogin, rsh, rexec $B$r4^$`(B, $B0BA4$G$J$$%W%m%H%3%k$*$h$S(B
    $B%5!<%S%9$r$9$Y$FL58z2=$9$k$+(B, $B$b$7$/$O@\B3G'>Z$r(B
-   $B@\B385%"%I%l%9$N$_$K4p$E$$$F9T$J$o$J$$$h$&$K:F@_Dj$7$F$/$@$5$$(B.
-   $B0lHLE*$K(B, rlogin $B%U%!%_%j$OMxMQ$5$l$k$Y$-$G$O$"$j$^$;$s(B.
-   ssh $B%3%^%s%I%U%!%_%j(B (ssh, scp, slogin) $B$O9b$$%;%-%e%j%F%#$r(B
-   $B;}$DBeBX$G$"$j(B, FreeBSD 4.0 $B$H$=$l0J9_$K4^$^$l$F$$$^$9(B.
+   $B@\B385%"%I%l%9$N$_$K4p$E$$$F9T$J$o$J$$$h$&$K:F@_Dj$7$^$9(B.
+   $B0lHLE*$K(B, $B$I$s$J>l9g$G$"$C$F$b(B rlogin $B%U%!%_%j$OMxMQ$5$l$k$Y$-$G$O(B
+   $B$"$j$^$;$s(B. ssh $B%3%^%s%I%U%!%_%j(B (ssh, scp, slogin) $B$O(B
+   $B9b$$%;%-%e%j%F%#$r;}$DBeBX$G$"$j(B, FreeBSD 4.0 $B$H$=$l0J9_$K(B
+   $B4^$^$l$F$$$^$9(B.
 
 To disable the rlogin family of protocols, make sure the
 /etc/inetd.conf file does not contain any of the following entries
@@ -305,7 +307,7 @@
 2) $B%M%C%H%o!<%/6-3&(B, $B$b$7$/$O1F6A$r<u$1$k%^%7%s>e$K(B IP $B%l%Y%k$N(B
    $B%Q%1%C%H%U%#%k%?$r@_CV$7(B, $B<eE@$H$J$C$F$$$kFbIt$N%5!<%S%9$KBP$7$F(B
    $B30It$+$i!V8"8B$N9b$$!W@\B385%"%I%l%9$r;H$C$?%"%/%;%9$,$G$-$J$$(B
-   $B$h$&$K$7$F$/$@$5$$(B.  $B$?$H$($P(B, $BFbIt%M%C%H%o!<%/(B 10.0.0.0/24 $B$K(B
+   $B$h$&$K$7$^$9(B.  $B$?$H$($P(B, $BFbIt%M%C%H%o!<%/(B 10.0.0.0/24 $B$K(B
    $BB8:_$9$k%^%7%s$+$i%5!<%P$X$N%Q%9%o!<%I$J$7$N(B rlogin $B%"%/%;%9$,(B
    $B2DG=$G$"$l$P(B, $B30It$N%f!<%6$,30It%M%C%H%o!<%/$+$i(B
    $BFbIt%M%C%H%o!<%/$X(B 10.0.0.0/24 $B$r@\B385$H$9$k%Q%1%C%H$r(B
@@ -327,12 +329,12 @@
 of IPSEC is beyond the scope of this document, however see the
 following web resources:
 
-3) $B<eE@$H$J$k(B TCP $B@\B3$r(B IP $BAX$GG'>Z(B ($B$+$D0E9f2=(B) $B$9$k$?$a$K(B
-   IPSEC $B$rM-8z2=$7$F$/$@$5$$(B.  IPSEC $B$rMQ$$$k$H(B, $B%]!<%H$X$N30It$+$i$N(B
-   $B@\B3$O$9$Y$FG'>Z$,MW5a$5$l$k$h$&$K$J$j(B, $B$3$N4+9p$G=R$Y$i$l$F$$$k$h$&$J(B
+3) IPSEC $B$rM-8z2=$7(B, $B<eE@$H$J$k(B TCP $B@\B3$r(B IP $BAX$GG'>Z(B ($B$d0E9f2=(B) $B$9$k$h$&$K(B
+   $B$7$^$9(B.  IPSEC $B$rMQ$$$k$H(B, $B%]!<%H$X$N30It$+$i$N@\B3$K$O(B
+   $B$9$Y$FG'>Z$,MW5a$5$l$k$h$&$K$J$j(B, $B$3$N4+9p$G=R$Y$i$l$F$$$k$h$&$J(B
    IP spoofing $B967b$d(B, $B%Q%1%C%H$NN.$l$K%"%/%;%9$7$F(B TCP $B%;%C%7%g%s$r(B
    $B>h$C<h$k9T0Y$O$G$-$J$/$J$j$^$9(B.  FreeBSD 4.0 $B$*$h$S(B
-   $B$=$l0J9_$O%+!<%M%kFb$K(B IPSEC $B5!G=$r$r;}$C$F$*$j(B, 4.1 $B$*$h$S(B
+   $B$=$l0J9_$O%+!<%M%kFb$K(B IPSEC $B5!G=$r;}$C$F$*$j(B, 4.1 $B$*$h$S(B
    $B$=$l0J9_$N(B Ports Collection $B$K$O(B racoon $B$H$$$&(B IKE $B%G!<%b%s$,(B
    $B4^$^$l$F$$$^$9(B.  IPSEC $B$N@_Dj$K$D$$$F$O$3$NJ8=q$NHO0O$rD6$($k$?$a(B,
    $B0J2<$N%&%'%V>e$N;qNA$r;2>H$7$F$/$@$5$$(B.
@@ -386,6 +388,10 @@
 [ http://www.freebsd.org/handbook/kernelconfig.html 
 $B$K=q$+$l$F$$$k$h$&$K%+!<%M%k$r:F9=C[$7$F(B, $B%7%9%F%`$r:F5/F0$7$F$/$@$5$$(B ]
 
+  [$BLuCm(B] $BF|K\8lLu$O(B
+    http://www.jp.FreeBSD.org/www.freebsd.org/ja/handbook/kernelconfig.html
+    $B$K$"$j$^$9(B.
+
 2b) FreeBSD 4.x systems
 
 2b) FreeBSD 4.x $B%7%9%F%`$N>l9g(B
@@ -414,6 +420,10 @@
 [ http://www.freebsd.org/handbook/kernelconfig.html 
 $B$K=q$+$l$F$$$k$h$&$K%+!<%M%k$r:F9=C[$7$F(B, $B%7%9%F%`$r:F5/F0$7$F$/$@$5$$(B ]
 
+  [$BLuCm(B] $BF|K\8lLu$O(B
+    http://www.jp.FreeBSD.org/www.freebsd.org/ja/handbook/kernelconfig.html
+    $B$K$"$j$^$9(B.
+
 Patch for vulnerable 4.x systems:
 $B<eE@$r;}$C$?(B 4.x $B%7%9%F%`MQ$N=$@5%Q%C%A(B:
 

----Next_Part(Thu_Oct_12_01:06:20_2000_41)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: attachment; filename="00:53.diff"
Content-Transfer-Encoding: 7bit

Index: 00:53
===================================================================
RCS file: /home/cvs/private/hrs/FreeBSD-SA/00:53,v
retrieving revision 1.1
retrieving revision 1.2
diff -d -u -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.1 -r1.2
--- 00:53	2000/09/29 16:59:03	1.1
+++ 00:53	2000/10/11 15:22:34	1.2
@@ -175,11 +175,10 @@
 $B<eE@$H!V$J$jF@$k!W(B, $B@EE*%j%s%/$5$l$?(B setlocale() $B4X?t$r(B
 $B;H$C$F$$$k%P%$%J%j$bJs9p$7$^$9(B.  $BJs9p$5$l$k%P%$%J%j$N$[$H$s$I$O(B
 $B<B:]$K%;%-%e%j%F%#>e$N<eE@$r;}$C$F$$$J$$$H;W$o$l$^$9$,(B,
-$BK|A4$N%;%-%e%j%F%#$r4|$9$?$a$K$O(B, $B$=$l$i$9$Y$F$r(B
-$B:F%3%s%Q%$%k$9$Y$-$G$7$g$&(B.  FreeBSD $B%7%9%F%`$K4^$^$l$k%P%$%J%j$b$^$?(B
-$B$3$N%9%/%j%W%H$K$h$C$F<eE@$r;}$D2DG=@-$,$"$k$HJs9p$5$l$k$+$b(B
-$BCN$l$^$;$s$,(B, $B$=$l$O%;%-%e%j%F%#>e$NLdBj$H$J$k$b$N$G$O$"$j$^$;$s$N$G(B
-$B$4Cm0U$/$@$5$$(B.
+$BK|A4$N%;%-%e%j%F%#$r4|$9$?$a$K$O(B, $B$=$l$i$9$Y$F$r:F%3%s%Q%$%k$9$Y$-$G$7$g$&(B.
+FreeBSD $B%7%9%F%`$K4^$^$l$k%P%$%J%j$b$^$?(B, $B$3$N%9%/%j%W%H$K$h$C$F(B
+$B<eE@$r;}$D2DG=@-$,$"$k$HJs9p$5$l$k$+$bCN$l$^$;$s$,(B, $B$=$l$O(B
+$B%;%-%e%j%F%#>e$NLdBj$H$J$k$b$N$G$O$"$j$^$;$s$N$G$4Cm0U$/$@$5$$(B.
 
 Statically linked binaries which are identified as vulnerable or
 potentially vulnerable should be recompiled from source code after
@@ -256,7 +255,7 @@
 setlocale() $B4X?t$r;H$C$F$$$F(B, setuid $B$b$7$/$O(B setgid $B$5$l$F$$$k%P%$%J%j$r(B
 $BC5$7$^$9(B.  $B$?$H$($P$=$N%P%$%J%j$r(B, $B%;%-%e%j%F%#>e$N<eE@$r0-MQ$G$-$k(B
 $B%m!<%+%k%f!<%6$NC/$+$,9b$$%f!<%68"8B$rF@$kL\E*$G<B9T$G$-$k$+$I$&$+$J$I(B,
-$B%m!<%+%k4D6-$,$I$N$h$&$J%;%-%e%j%F%#>e$N4m81$K;/$5$l$k$N$+$K$D$$$F(B
+$B%m!<%+%k4D6-$,$I$N$h$&$J%;%-%e%j%F%#>e$N4m81$K;/$5$l$k$N$+$K$D$$$F(B,
 $B%9%/%j%W%H$,Js9p$9$k%P%$%J%j0l$D0l$D$K$D$$$F(B ($B$?$H$($P(B 'ls- l' $B$d(B
 $B$=$NB>$N%D!<%k$G(B) $B3NG'$9$Y$-$G$7$g$&(B.  
 
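Review bot: The unchanged line directly after the edited one still reads 'ls- l', which is not a valid invocation; it should be 'ls -l'. Since this revision already touches the sentence, fix the command in the same commit.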

----Next_Part(Thu_Oct_12_01:06:20_2000_41)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: attachment; filename="00:52"
Content-Transfer-Encoding: 7bit

 This mail is a Japanese translation of the following message, which
 was distributed on announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:52.tcp-iss
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Fri,  6 Oct 2000 14:45:41 -0700 (PDT)
  Message-Id: <20001006214541.D836D37B502@hub.freebsd.org>
  X-Sequence: announce-jp 558

 The WWW site http://www.FreeBSD.org/ and the FTP site
 ftp://ftp.FreeBSD.org/ referred to in this advisory have mirror sites
 in Japan.  To use the mirror sites, replace
 http://www.FreeBSD.org/ with http://www.jp.FreeBSD.org/www.freebsd.org/
 and ftp://ftp.FreeBSD.org/ with ftp://ftp.jp.FreeBSD.org/
 respectively.

 To ease network congestion, please consider using the mirror sites
 first.  Details about the mirror sites can be found at

  http://www.FreeBSD.org/handbook/mirror.html (English)
  http://www.FreeBSD.org/ja/handbook/mirror.html (Japanese translation)

 and past security advisories in Japanese are collected at

  http://www.FreeBSD.org/ja/security/

 The original text is PGP signed, but this Japanese translation is not.
 To run a PGP check confirming that the contents of the patches and so on
 have not been tampered with, refer to the original text.

 The Japanese translation is provided for reference by the FreeBSD
 Japanese Documentation Project (doc-jp), and doc-jp makes no warranty
 of any kind regarding its contents.  Please send inquiries about the
 Japanese translation to doc-jp@jp.FreeBSD.org.

--(begin here)

=============================================================================
FreeBSD-SA-00:52                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	TCP uses weak initial sequence numbers

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	kernel
$B9pCNF|(B:		2000-10-06
$B%/%l%8%C%H(B:	Hacker Emergency Response Team <hert@hert.org>
$B1F6AHO0O(B:	$B=$@5F|0JA0$N(B FreeBSD 3.x, 4.x $B$*$h$S(B 5.x
$B=$@5F|(B:		2000-09-28 (5.0-CURRENT, 4.1.1-STABLE, 3.5.1-STABLE) 
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

TCP $B$N%M%C%H%o!<%/@\B3$K$O(B, $B@\B3$N%O%s%I%7%'%$%/$r9T$J$&:]$K(B
$B=i4|%7!<%1%s%9HV9f$,;H$o$l$^$9(B.  $BI8=`(B TCP $B%W%m%H%3%k$K$h$k$H(B,
$B%j%b!<%H%[%9%H$+$iAw$i$l$F$/$k@5$7$$%7!<%1%s%9HV9f$NIU$$$?(B
$B3NG'%Q%1%C%H(B(acknowledgement packet)$B$O(B, $B30It$+$i@\B3$r(B
$B3NN)$7$h$&$H$7$F$$$k%j%b!<%H%[%9%H$+$i$N$b$N$G$"$k$H$_$J$5$l(B,
$B@\B3$O$=$N3NG'%Q%1%C%H$NE~Ce$K$h$C$F3NN)$5$l$k$H$5$l$F$$$^$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

$B30$+$iE~Ce$9$k(B TCP $B@\B3$KBP$7$F(B, $B<!$K%7%9%F%`$,MQ$$$k(B
$B=i4|%7!<%1%s%9HV9f$r967b<T$,?dB,$G$-$k$J$i$P(B, $B$"$k%^%7%s$+$i$N(B
TCP $B%O%s%I%7%'%$%/@\B3$r5=$-(B, $BK\Mh%"%/%;%9$7$F$$$J$$%^%7%s$K(B
$B8~$1$k$3$H(B($BLuCm(B: $B$3$l$O(B IP spoofing $B967b$H8F$P$l$^$9(B) $B$,2DG=$G$"$k$H(B
$B9M$($i$l$F$$$^$9(B.  $B$=$N:](B, $B967b<T$O$=$l$K$h$C$FF@$i$l$?(B TCP $B@\B3$K(B
$BG$0U$N%G!<%?$rAw$j(B, IP spoofing $B$5$l$?%^%7%s$+$i$N%G!<%?$rAu$C$F(B
$B%5!<%P$K<u$1<h$i$;$k$3$H$,2DG=$K$J$j$^$9(B.

FreeBSD $B$r4^$`(B 4.4BSD-Lite2 $BM3Mh$N%7%9%F%`$K$O(B, $B%j%b!<%H$N967b<T$,(B
$B%7!<%1%s%9HV9f?dB,967b$r9T$J$($J$$$h$&$K$9$k$?$a(B, $B=i4|%7!<%1%s%9HV9f$K(B
$BM=B,IT2DG=$JMWAG$rF3F~$9$k%3!<%I$,4^$^$l$F$$$^$9(B.  $B$7$+$7(B, $B$=$3$K(B
$B;H$o$l$F$$$k5?;wMp?tH/@84o$OC1=c$J@~7A9gF1K!$K$h$k$b$N$G(B, $B%5!<%P$H$N(B
$B@5$7$$@\B3$GF@$i$l$?=i4|%7!<%1%s%9HV9f$N4QB,$K4p$E$$$F$$$^$9(B.
$B$=$N$?$a(B, $B967b<T$O<!2s$N@\B3$K;H$o$l$kHV9f$r9b$$3NN($GM=B,$9$k$3$H$,(B
$B2DG=$G$9(B.

$B$3$N%;%-%e%j%F%#>e$N<eE@$r$&$^$/0-MQ$9$k$K$O(B, $B967b<T$O<!$K$"$2$k(B
$B>r7o$rK~$?$5$J$1$l$P$J$j$^$;$s(B.

a) $B%5!<%P$N3+$$$F$$$k%]!<%H$KBP$7$F(B, ($B967b$=$N$b$N$r(B
   $B9T$J$&D>A0$K(B) $BC;;~4V$KO"B3$7$?(B TCP $B@\B3$r9T$J$($k$3$H(B.  
   $B$7$?$,$C$F@E;_$7$?%5!<%P(B ($B967b$r9T$J$C$F$$$k;~$K(B, $BB>$N%7%9%F%`$+$i(B
   $B%M%C%H%o!<%/@\B3$r<u$1<h$C$F$$$J$$%5!<%P(B) $B$O:G$b4m81@-$,9b$/$J$j$^$9(B.

b) $B%5!<%P$+$iAw$i$l$F$/$k%Q%1%C%H$KBP$7$F(B, IP spoofing $B$5$l$?(B
   $B%/%i%$%"%s%H%^%7%s$,1~Ez$7$J$$$h$&$K$G$-$k$3$H(B.  $B$3$l$K$O(B
   $B@\B3$5$l$F$$$J$$%"%I%l%9$rMxMQ$7$?$j(B, $B1~Ez$G$-$J$$$h$&$K(B
   $B$=$N%/%i%$%"%s%H%^%7%s$K%5!<%S%9K832967b(B (denial of service attack)
   $B$r2C$($k$3$H$G<B8=$5$l$^$9(B.

c) $B%Q%9%o!<%I$d0E9f80$H$$$C$?9b%l%Y%k$NG'>Z5!9=$r;}$?$:(B,
   $B%/%i%$%"%s%H$N(B IP $B%"%I%l%9$N$_$K4p$E$$$FG'>Z$d?.Mj4X78$N(B
   $B3NG'$r9T$J$&%"%W%j%1!<%7%g%s%l%Y%k$N%W%m%H%3%k$,(B
   $B%5!<%P>e$GMxMQ$5$l$F$$$k$3$H(B.

d) $B967b<T$,%"%/%;%9$7$J$$(B, IP spoofing $B$5$l$?%/%i%$%"%s%H$K(B
   $B%5!<%P$+$iAw$i$l$F$/$k(B TCP $B%G!<%?$,(B ($B$b$7$"$k$J$i(B) $B?dB,$G$-$k$3$H(B.  

All versions of FreeBSD prior to the correction date, including 4.1.1
and 3.5.1, are vulnerable to this problem.

The Hacker Emergency Response Team worked together with us on pointing
out this problem and on coordinating the release of the advisory.
As the FreeBSD Security Officer, I would like to thank them for their
cooperation.

III. Impact

$B;XDj$5$l$?(B IP $B%"%I%l%9$+$i$N(B TCP $B@\B3$r(B, $BB>$NG'>Z$rMW5a$;$:$K(B
$BL5>r7o$K?.MQ$9$k$h$&$J0BA4$G$J$$%W%m%H%3%k$r1?MQ$7$F$$$k%7%9%F%`$O(B
$B%j%b!<%H$N967b<T$K$h$C$F(B IP spoofing $B$5$l$k4m81@-$,$"$j$^$9(B.
$B$3$l$O%m!<%+%k%7%9%F%`$X$N%"%/%;%9$d9b$$8"8B$rC%$&$3$H$N$G$-$k(B
$B@x:_E*$J<eE@$H$J$k$b$N$G$9(B.

$B3:Ev$9$k%W%m%H%3%k$*$h$S%5!<%S%9$O(B, $B$?$H$($P<!$N$h$&$J$b$N$G$9(B.
(.rhosts $B$d(B hosts.equiv $B%U%!%$%k$rMQ$$$F(B) $B%Q%9%o!<%I$J$7$N(B
$B%"%/%;%9G'>Z$r9T$J$&;~$KMxMQ$5$l$k(B rlogin/rsh/rexec $B%U%!%_%j(B,
$B%f!<%6G'>Z$rMW5a$7$J$$(B, $B9b$$8"8B$r;}$D%j%=!<%9$r@)8f$9$k(B
$B%9%/%j%W%H$K;H$o$l$k%&%'%V%5!<%P%"%I%l%9$K4p$E$/%"%/%;%9@)8f(B,
$B@\B3$NG'>Z$r9T$J$o$J$$%5!<%S%9$K;H$o$l$F$$$k(B TCP Wrappers $B$N(B
$B%[%9%H%"%/%;%9@)8f(B, lpr $B$N%"%I%l%9$K4p$E$/%"%/%;%9@)8f(B, $BEy!9(B.

$B$?$@$7(B, rlogin $B%W%m%H%3%k%U%!%_%j$,(B Kerberos $B$d(B UNIX $B%Q%9%o!<%I$r(B
$B;H$&$h$&$K@_Dj$5$l$F$$$l$P(B, $B$3$N967b$KBP$9$k%;%-%e%j%F%#>e$N4m81@-$O(B
$BB8:_$7$^$;$s(B.  $B$=$N>l9g(B, $B@\B3$K$O(B ($BA0<T$J$i(B Kerberos $BG'>Z%A%1%C%H(B,
$B8e<T$J$i%f!<%6%"%+%&%s%H%Q%9%o!<%I$K$h$C$F(B) $BG'>Z$,9T$J$o$l$k$?$a$G$9(B.
rlogin $B%W%m%H%3%k%U%!%_%j$G$O(B, $BI8=`@_Dj$G@\B385%"%I%l%9$r4p$K$7$?G'>Z$O(B
$B9T$J$o$l$^$;$s(B.  $B$=$&$9$k$K$O(B, $B%f!<%6C10L$N(B .rhosts $B%U%!%$%k(B, $B$b$7$/$O(B
$B%7%9%F%`A4BN$K1F6A$rM?$($k(B /etc/hosts.equiv $B%U%!%$%k$rMxMQ$7$F(B,
$BL@<(E*$KM-8z2=$9$kI,MW$,$"$j$^$9(B.

$B$^$?(B, $B967b<T$O(B ($B>e5-$N(B IP spoofing $B967b$KBP$7$F<eE@$r;}$?$J$$(B
$B$b$N$r4^$`(B) $BG$0U$N(B TCP $B%W%m%H%3%k$KBP$9$k(B TCP $B@\B3$rL5M}LpM}$D$/$j=P$7(B,
$B967bBP>]%^%7%s$+$i(B ($B$?$H$($P%Q%9%o!<%I$N?dB,$r7+$jJV$9$h$&$J(B) $BIT@5$J(B
$B%j%b!<%H%"%/%;%9$r9T$J$C$?$+$N$h$&$J>u67$r$D$/$j=P$9$3$H$b2DG=$G$9(B.  
$B$3$l$O%5!<%P$N4IM}<T$r8m2r$5$;(B, IP spoofing $B$5$l$?%/%i%$%"%s%H$+$i(B
$B967b$r<u$1$F$$$k$H;W$$9~$^$;$k$3$H$,$G$-$k4m81@-$,$"$j$^$9(B.

IV.  $B2sHrJ}K!(B - Workaround

Note that in order to exploit this vulnerability an attacker needs to
attempt several connections in rapid succession within a short time to
a single port on the targeted machine (for example a web server).
Because the targeted machine must be quiescent (that is, receiving no
other connections at all) for the attack to succeed, connection
attempts made in rapid succession to an insecure service can be used as
information to detect and trace the attacker.

One or both of the following are methods considered able to work around
this vulnerability.

1) Disable all insecure protocols and services, including rlogin, rsh
   and rexec (if they are configured to use address-based
   authentication), or reconfigure them so that connections are not
   authenticated solely on the basis of the source address.
   In general, the rlogin family should not be used under any
   circumstances.  The ssh family of commands (ssh, scp, slogin) is a
   highly secure replacement and is included in FreeBSD 4.0 and later.

To disable the rlogin family of protocols, make sure that the following
entries are not enabled in the /etc/inetd.conf file (that is, if they
are present in the inetd.conf file they must be commented out as
shown below).

#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#exec    stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd

After changing the file, do not forget to restart inetd by sending it
the HUP signal.

# kill -HUP `cat /var/run/inetd.pid`

Audit whether other services, including those noted in section III
above, are in use, and either stop the service or, if possible, change
it to use a stronger authentication method.  See also workaround 3).

2) Place an IP-level packet filter at the network perimeter, or on the
   affected machines, so that vulnerable internal services cannot be
   accessed from outside using "privileged" source addresses.
   For example, if passwordless rlogin access to a server is allowed
   from machines on the internal network 10.0.0.0/24, external users
   should be prevented from sending packets with a source address in
   10.0.0.0/24 from the external network into the internal network.
   This is a security policy that is generally regarded as desirable.
   However, if addresses on the external network must be used for
   authentication when accessing local resources, this kind of filter
   cannot be applied.
   Also, it has no effect against IP spoofing attacks from inside the
   network perimeter.  Consider stopping the relevant services until
   the patch can be applied to the affected machines.

3) Enable IPSEC so that vulnerable TCP connections are authenticated
   (and/or encrypted) at the IP layer.  With IPSEC, authentication is
   required for all connections to the port from outside, and the IP
   spoofing attack described in this advisory, as well as hijacking a
   TCP session by gaining access to the packet stream, is no longer
   possible.  FreeBSD 4.0 and later include IPSEC functionality in the
   kernel, and the Ports Collection of 4.1 and later includes an IKE
   daemon called racoon.  Configuration of IPSEC is beyond the scope of
   this document, so please refer to the following web resources.

http://www.freebsd.org/handbook/ipsec.html
http://www.netbsd.org/Documentation/network/ipsec/
http://www.kame.net/
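
One way to check workaround 1) on a host, as an added example that is not part of the advisory or of FreeBSD: a POSIX shell function that reports rlogin-family entries still enabled in an inetd.conf. The function names and the constructed sample file are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for enabled rlogin-family services
# (rshd, rlogind, rexecd), which authenticate by source address.

# Print one line per enabled entry; return 1 if any is found,
# 0 if none, 2 if the file cannot be read.
audit_inetd_rservices() {
    conf=${1:-/etc/inetd.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        # Commented-out or blank lines are disabled entries.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            svc = $1            # service name (field 1)
            prog = $6           # server program path (field 6)
            sub(/^.*\//, "", prog)   # keep only the basename
            if (svc ~ /^(shell|login|exec)$/ ||
                prog ~ /^(rshd|rlogind|rexecd)$/) {
                printf "%s:%d: enabled: %s (%s)\n", FILENAME, NR, svc, $6
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$conf"
}

# Write a constructed sample inetd.conf to the given path:
# shell and exec are commented out, login is still enabled.
write_sample_conf() {
    cat > "$1" <<'EOF'
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login    stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
  #exec  stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
ftp      stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp) && write_sample_conf "$sample"
audit_inetd_rservices "$sample" || echo "=> rlogin-family services still enabled"
rm -f "$sample"
```

After commenting out any reported line, send inetd the HUP signal as shown in workaround 1) so the change takes effect.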

V.   $B2r7h:v(B - Solution

$B%"%I%l%9$K4p$E$/G'>Z$O0lHLE*$K@H<e$G$"$j(B, $B%7!<%1%s%9HV9f$r2~A1$7$?(B
$B4D6-$G$"$C$F$bHr$1$k$Y$-$b$N$G$"$k$H$$$&$3$H$KCm0U$7$F$/$@$5$$(B.
$B$I$s$J>l9g$G$b2DG=$J$i$P(B, $BBe$o$j$K0E9f$K$h$C$FJ]8n$5$l$?(B
$B%W%m%H%3%k$*$h$S%5!<%S%9$rMxMQ$9$Y$-$G$9(B.

$B<!$N$$$:$l$+$K$7$?$,$C$F$/$@$5$$(B.

1) $B<eE@$r;}$C$?(B FreeBSD $B%7%9%F%`$r$=$l$>$l(B, $B=$@5F|0J9_$N(B 4.1.1-STABLE
$B$b$7$/$O(B 3.5.1-STABLE $B$K%"%C%W%0%l!<%I$7$^$9(B.

2a) FreeBSD 3.x $B%7%9%F%`$N>l9g(B

$B=$@5%Q%C%A$H(B PGP $B=pL>$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7(B,
PGP $B%f!<%F%#%j%F%#$r;H$C$F=pL>$r3NG'$7$F$/$@$5$$(B.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:52/tcp-iss-3.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:52/tcp-iss-3.x.patch.asc

# cd /usr/src/sys/
# patch -p < /path/to/patch

[ Rebuild the kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ]

  [Translator's note] A Japanese translation is available at
    http://www.jp.FreeBSD.org/www.freebsd.org/ja/handbook/kernelconfig.html

2b) For FreeBSD 4.x systems

Apply the patch below and rebuild the kernel.

Either save this advisory to a file, or download the patch and the
PGP signature from the following location, and verify the signature
using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:52/tcp-iss.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:52/tcp-iss.patch.asc

# cd /usr/src/sys/netinet
# patch -p < /path/to/patch_or_advisory

[ Rebuild the kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ]

  [Translator's note] A Japanese translation is available at
    http://www.jp.FreeBSD.org/www.freebsd.org/ja/handbook/kernelconfig.html

Patch for vulnerable 4.x systems:

    Index: tcp_seq.h
    ===================================================================
    RCS file: /usr2/ncvs/src/sys/netinet/tcp_seq.h,v
    retrieving revision 1.11
    retrieving revision 1.12
    diff -u -r1.11 -r1.12
    --- tcp_seq.h	1999/12/29 04:41:02	1.11
    +++ tcp_seq.h	2000/09/29 01:37:19	1.12
    @@ -91,7 +91,7 @@
      * number in the range [0-0x3ffff] that is hard to predict.
      */
     #ifndef tcp_random18
    -#define	tcp_random18()	((random() >> 14) & 0x3ffff)
    +#define	tcp_random18()	(arc4random() & 0x3ffff)
     #endif
     #define	TCP_ISSINCR	(122*1024 + tcp_random18())
     
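Review bot: The comment kept above tcp_random18() still promises a value that is "hard to predict", but TCP_ISSINCR on the last context line remains 122*1024 + tcp_random18(), so each ISS step carries at most 18 bits of unpredictability on top of a fixed offset; state that bound in the comment next to the macro. The surrounding #ifndef tcp_random18 guard also means an earlier definition would silently override the arc4random() version, which deserves a note as well.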
    Index: tcp_subr.c
    ===================================================================
    RCS file: /usr2/ncvs/src/sys/netinet/tcp_subr.c,v
    retrieving revision 1.80
    retrieving revision 1.81
    diff -u -r1.80 -r1.81
    --- tcp_subr.c	2000/09/25 23:40:22	1.80
    +++ tcp_subr.c	2000/09/29 01:37:19	1.81
    @@ -178,7 +178,7 @@
     {
     	int hashsize;
     	
    -	tcp_iss = random();	/* wrong, but better than a constant */
    +	tcp_iss = arc4random();	/* wrong, but better than a constant */
     	tcp_ccgen = 1;
     	tcp_cleartaocache();
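Review bot: On the changed tcp_iss line the retained comment "wrong, but better than a constant" no longer says what is wrong now that the seed comes from arc4random() instead of random(). Update the comment to state the remaining concern, or drop it.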

$hrs: FreeBSD-SA/00:52,v 1.5 2000/10/11 15:33:30 hrs Exp $

----Next_Part(Thu_Oct_12_01:06:20_2000_41)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: attachment; filename="00:53"
Content-Transfer-Encoding: 7bit

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:53.catopen
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Wed, 27 Sep 2000 17:48:35 -0700 (PDT)
  Message-Id: <20000928004835.B030B37B424@hub.freebsd.org>
  X-Sequence: announce-jp 553

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
 FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
 $B%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
 http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
 ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
 $B$=$l$>$lCV$-49$($F$/$@$5$$(B.

 To reduce network congestion, please consider using a mirror site
 first.  Details about the mirror sites are at

  http://www.FreeBSD.org/handbook/mirror.html (English)
  http://www.FreeBSD.org/ja/handbook/mirror.html (Japanese translation)

 and past Japanese-language security advisories are collected at

  http://www.FreeBSD.org/ja/security/

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,;29M$N(B
 $B$?$a$KDs6!$9$k$b$N$G(B, doc-jp $B$O(B $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B.
 $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

--($B$3$3$+$i(B)
=============================================================================
FreeBSD-SA-00:53                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	catopen() may pose security risk for third party code

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	libc
$B9pCNF|(B:		2000-09-27
$B1F6AHO0O(B:	$B=$@5F|A0$N(B FreeBSD 5.0-CURRENT, 4.x $B$*$h$S(B 3.x
$B=$@5F|(B:		$BLdBj(B 1: 2000-08-06 (FreeBSD 5.0-CURRENT)
                        2000-08-22 (FreeBSD 4.1-STABLE)
                        2000-09-07 (FreeBSD 3.5-STABLE)
                $BLdBj(B 2: 2000-09-08 (FreeBSD 5.0-CURRENT, 4.1-STABLE $B$*$h$S(B
                                    3.5-STABLE)
$B%/%l%8%C%H(B:	$BLdBj(B 1: $BFbIt%;%-%e%j%F%#4F::Cf$KH/8+(B
		$BLdBj(B 2: Ivan Arce <iarce@core-sdi.com>
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

catopen() $B$*$h$S(B setlocale() $B$O(B, $B$?$H$($PHs1Q8l7w$N%f!<%68~$1$K(B
$BCO0h2=$5$l$?=q<0(B (localized format) $B$G%F%-%9%H$rI=<($9$k:]$K(B
$B;H$o$l$k4X?t$G$9(B.

II.  $BLdBj$N>\:Y(B - Problem Description

This security advisory describes two problems.

1) catopen() $B4X?t$OFbIt%P%C%U%!$N6-3&%A%'%C%/$r@5$7$/9T$J$C$F(B
$B$$$J$+$C$?$?$a(B, $B$"$k4D6-JQ?t$KFC<l$J@_Dj$r$9$k$3$H$G(B,
$B4V@\E*$K%P%C%U%!%*!<%P%U%m!<$r0z$-5/$3$;$k2DG=@-$,$"$j$^$9(B.
$B$=$N$?$a(B, catopen() $B$r;HMQ$7$F$$$F9b$$8"8B$GF0:n$7$F$$$k(B
$B%"%W%j%1!<%7%g%s$O(B, $B8"8B$r;}$?$J$$%m!<%+%k%f!<%6$K$h$C$F(B
$BG$0U$N%3!<%I$r<B9T$9$k$N$KMxMQ$5$l$k4m81@-$,$"$j$^$9(B.

2) catopen() $B$H(B setlocale() $B4X?t$O(B, $BCO0h2=$5$l$?%G!<%?$d(B
$B%a%C%;!<%8%+%?%m%0$rFI$_9~$`:](B, $B%7%9%F%`%U%!%$%k$NBe$o$j$K(B
$BG$0U$N%U%!%$%k$r;H$&$3$H$,$G$-$^$9(B.  $B967b<T$O(B
$BFC<l$J=q<0;XDjJ8;zNs$r4^$`M-8z$J%m%1!<%k%U%!%$%k$d(B
$B%a%C%;!<%8%+%?%m%0%U%!%$%k$r:n@.$7(B, $B$=$N%U%!%$%k$r;H$C$F(B
$B%;%-%e%j%F%#>e$N<eE@$r4^$`9b$$8"8B$r;}$C$?%"%W%j%1!<%7%g%s$r0-MQ$7(B,
$B9b$$%f!<%68"8B$GG$0U$N%3!<%I$r<B9T$G$-$k2DG=@-$,$"$j$^$9(B.
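
The two checks these problems call for, a bounded expansion of a %L/%N path template and the rejection of locale names containing '/', written as a stand-alone C sketch. This is an added example, not FreeBSD's libc code or part of the advisory; expand_template() and put() are hypothetical names, and unlike the msgcat.c patch later in this advisory it also bounds the literal characters of the template.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Append n bytes of src at out[*pos], always keeping room for the NUL. */
static int put(char *out, size_t outlen, size_t *pos, const char *src, size_t n)
{
    if (n >= outlen - *pos) {       /* would not fit together with the NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out + *pos, src, n);
    *pos += n;
    return 0;
}

/*
 * Expand one NLSPATH-style template: %L becomes lang, %N becomes name,
 * every other byte is copied literally. Hypothetical helper; assumes
 * tmpl and name are non-NULL.
 * Returns 0, or -1 with errno = ENAMETOOLONG if out is too small.
 */
int expand_template(const char *tmpl, const char *lang, const char *name,
                    char *out, size_t outlen)
{
    size_t pos = 0;

    if (outlen == 0) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* A locale name is one path component; anything else falls back to "C". */
    if (lang == NULL || *lang == '\0' || strchr(lang, '/') != NULL)
        lang = "C";

    for (; *tmpl != '\0'; ++tmpl) {
        const char *src = tmpl;
        size_t n = 1;               /* default: one literal byte */

        if (tmpl[0] == '%' && tmpl[1] == 'L') {
            src = lang; n = strlen(lang); ++tmpl;
        } else if (tmpl[0] == '%' && tmpl[1] == 'N') {
            src = name; n = strlen(name); ++tmpl;
        }
        if (put(out, outlen, &pos, src, n) != 0)
            return -1;              /* caller must not use the partial path */
    }
    out[pos] = '\0';
    return 0;
}
```

Because every write goes through put(), the write position can never pass the end of the buffer, whichever of the three branches produced the bytes.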

The second vulnerability differs slightly from the problem originally
discovered by Ivan Arce of Core-SDI.  The problem he discovered
affects multiple UNIX operating systems and involves different
environment variables.  FreeBSD is not affected by that problem,
but Problem 2 above was found in FreeBSD after the Core-SDI security
advisory was published.  It has the same effect on vulnerable
applications.

FreeBSD $B%Y!<%9%7%9%F%`$K$O(B, $B$3$NN>J}$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O(B
$BB8:_$7$J$$$H9M$($i$l$F$$$^$9(B.  $B$^$?(B, $B$3$N<eE@$r4^$`(B
$B%5!<%I%Q!<%F%#@=$N%W%m%0%i%`(B (FreeBSD Ports Collection $B$r4^$`(B) $B$b(B
$B8=;~E@$GH/8+$5$l$F$$$J$$(B, $B$H$$$&$3$H$KCm0U$7$F$/$@$5$$(B.
$B$=$N$?$a(B, $BBgItJ,$N(B FreeBSD $B%7%9%F%`$K$O(B, $B$3$N<eE@$K$h$k(B
$B1F6A$O$J$$$H;W$o$l$^$9(B.

III. $B1F6AHO0O(B - Impact

setuid/setgid $B$5$l$?(B (FreeBSD ports/packages $B$r4^$`(B)
$B%5!<%I%Q!<%F%#@=%=%U%H%&%'%"$K$O(B, $B%m!<%+%k$+$i9b$$8"8B$N%"%/%;%9$r(B
$BC%$&$?$a$K0-MQ$G$-$k%;%-%e%j%F%#>e$N<eE@$,B8:_$9$k2DG=@-$,$"$j$^$9(B.
$B$?$@$7(B, $B$=$N$h$&$J%=%U%H%&%'%"$O8=;~E@$G8+$D$+$C$F$$$^$;$s(B.

FreeBSD $B%Y!<%9%7%9%F%`$K$O(B, $B$3$l$i$N%P%0$K$h$k%;%-%e%j%F%#>e$N<eE@$r(B
$B;}$D%W%m%0%i%`$OB8:_$7$J$$$H9M$($i$l$F$$$^$9(B.

$B$3$NLdBj$O(B, FreeBSD 4.1.1 $B$N8x3+A0$K=$@5$5$l$^$7$?(B.

IV.  $B2sHrJ}K!(B - Workaround

Problem 1 above is more serious than Problem 2, because exploiting
it does not require a coding flaw.
A utility is provided to find and check privileged binaries that use
the catopen() function (statically or dynamically linked) and that
need to be rebuilt or have their privileges restricted to minimize
the potential risk.

It is not possible to detect binaries affected by the second problem,
but the provided utility also reports binaries that use a statically
linked setlocale() function and so "may" potentially be vulnerable.
Most of the reported binaries are not expected to actually be
vulnerable, but for maximum security all of them should be
recompiled.
Note that binaries included in the FreeBSD system may also be
reported by this script as possibly vulnerable, but they do not
constitute a security problem.

Statically linked binaries reported as vulnerable or potentially
vulnerable should, if possible, be recompiled from source after
the patch has been applied and libc recompiled, in order to correct
the vulnerability.
Dynamically linked binaries are corrected simply by applying the
patch and recompiling libc as described below.

As an interim measure, consider removing every reported setuid or
setgid binary, removing the elevated privileges from the setuid/setgid
files, or restricting the file permissions as appropriate.

$B$b$A$m$s(B, $BJs9p$5$l$?%U%!%$%k$N$$$/$D$+$O%m!<%+%k%7%9%F%`$N@5>o$J1?MQ$K(B
$BI,MW$J$b$N$G$"$k$+$bCN$l$^$;$s(B.  $B$=$N>l9g$OE,@Z$J%f!<%6%0%k!<%W$r@_Dj$7$F(B
$B$=$N%P%$%J%j$+$i(B "o+x" $B$N%U%!%$%k5v2DB0@-%S%C%H$r<h$j=|$-(B, $B$=$N%P%$%J%j$r(B
$B<B9T2DG=$J%f!<%6$r@)8B$9$k$3$H0J30$KL@3N$JLdBj2sHrJ}K!$O$"$j$^$;$s(B.

1) Download the 'scan_locale.sh' and 'test_locale.sh' scripts from
   the following location.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:53/scan_locale.sh
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:53/test_locale.sh

The following is an example using the fetch(1) command.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:53/scan_locale.sh
Receiving scan_locale.sh (337 bytes): 100%
337 bytes transferred in 0.0 seconds (1.05 MBps)
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:53/test_locale.sh
Receiving test_locale.sh (889 bytes): 100%
889 bytes transferred in 0.0 seconds (1.34 MBps)

2) md5 $B%A%'%C%/%5%`$r8!::$7(B, $B2<$NCM$HHf3S$7$^$9(B.

# /sbin/md5 scan_locale.sh
MD5 (scan_locale.sh) = efea80f74b05e7ddbc0261ef5211e453
# /sbin/md5 test_locale.sh
MD5 (test_locale.sh) = 2a485bf8171cc984dbc58b4d545668b4

3) Run scan_locale.sh against the system.

# sh scan_locale.sh ./test_locale.sh /

This script scans the entire system for setuid or setgid binaries
that use the exploitable catopen() function or the potentially
exploitable setlocale() function.
Each binary the script reports should be examined (for example with
'ls -l' or other tools) to determine what security risk it poses to
the local environment, for example whether it can be run by any
local user who could exploit the vulnerability to gain elevated
user privileges.

The only binaries using the setlocale() function (that is, related
to Problem 2) that this script can detect are statically linked ones.
Dynamically linked binaries are not reported because the results
would very likely be unreliable.  Most of the binaries reported as
using setlocale() may not actually be vulnerable.
Being reported by this script is therefore not evidence that a
vulnerability exists.  For maximum security, however, all of them
should be recompiled.

4) Remove the affected binaries, or restrict their file permissions appropriately.

V.   $B2r7h:v(B - Solution

Upgrade the vulnerable FreeBSD system to 4.1-STABLE or 3.5-STABLE
dated after the correction date, or apply the patch to the source
code of your present system and rebuild.
Then run the scan_locale.sh script as described in section IV and
check every statically linked binary it reports.
These files should be removed, recompiled, or have their privileges
restricted to secure them against this problem (because simply
recompiling the libc shared library has no effect on statically
linked binaries).

To patch your present system, save the patch below to a file
and run the following commands as root.

cd /usr/src/lib/libc
patch < /path/to/patch/file
make all
make install

$B=$@5F|0JA0$N(B FreeBSD $B$KBP$9$k=$@5%Q%C%A(B:

    Index: msgcat.c
    ===================================================================
    RCS file: /usr2/ncvs//src/lib/libc/nls/msgcat.c,v
    retrieving revision 1.21
    retrieving revision 1.27
    diff -u -r1.21 -r1.27
    --- nls/msgcat.c	2000/01/27 23:06:33	1.21
    +++ nls/msgcat.c	2000/09/01 11:56:31	1.27
    @@ -91,8 +91,9 @@
         __const char *catpath = NULL;
         char        *nlspath;
         char	*lang;
    -    long	len;
         char	*base, *cptr, *pathP;
    +    int		spcleft;
    +    long	len;
         struct stat	sbuf;
     
         if (!name || !*name) {
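
Review bot: spcleft is declared int in this hunk, but the later hunk assigns it from a sizeof expression and compares it with the return value of strlcpy(), so the test mixes signed and unsigned operands. Declare it size_t, and make sure pathP cannot already be past the end of path when the subtraction is done, so the remaining-space value can never wrap.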
    @@ -106,10 +107,10 @@
         } else {
     	if (type == NL_CAT_LOCALE)
     		lang = setlocale(LC_MESSAGES, NULL);
    -	else {
    -		if ((lang = (char *) getenv("LANG")) == NULL)
    -			lang = "C";
    -	}
    +	else
    +		lang = getenv("LANG");
    +	if (lang == NULL || strchr(lang, '/') != NULL)
    +		lang = "C";
     	if ((nlspath = (char *) getenv("NLSPATH")) == NULL
     #ifndef __NETBSD_SYSCALLS
     	    || issetugid()
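
Review bot: the new test on lang rejects NULL and any value containing '/', but not an empty string, while the setlocale.c change in this same patch also tests !*env. With an empty LANG, %L expands to nothing and the catalog path collapses onto the parent directory. Adding a check for *lang == '\0' to the condition would keep the two checks consistent.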
    @@ -129,13 +130,22 @@
     		*cptr = '\0';
     		for (pathP = path; *nlspath; ++nlspath) {
     		    if (*nlspath == '%') {
    +		        spcleft = sizeof(path) - (pathP - path);
     			if (*(nlspath + 1) == 'L') {
     			    ++nlspath;
    -			    strcpy(pathP, lang);
    +			    if (strlcpy(pathP, lang, spcleft) >= spcleft) {
    +				free(base);
    +				errno = ENAMETOOLONG;
    +				return(NLERR);
    +			    }
     			    pathP += strlen(lang);
     			} else if (*(nlspath + 1) == 'N') {
     			    ++nlspath;
    -			    strcpy(pathP, name);
    +			    if (strlcpy(pathP, name, spcleft) >= spcleft) {
    +				free(base);
    +			        errno = ENAMETOOLONG;
    +				return(NLERR);
    +			    }
     			    pathP += strlen(name);
     			} else *(pathP++) = *nlspath;
     		    } else *(pathP++) = *nlspath;
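
Review bot: only the %L and %N copies are bounded here; the two unchanged branches "} else *(pathP++) = *nlspath;" at the end of the loop still store a byte without consulting the space left in path, so a template made mostly of literal characters can still run pathP past the buffer, after which the spcleft computed on the next '%' is no longer a valid size. Check the remaining space before every store, and return ENAMETOOLONG from one shared exit so that free(base) is not repeated. The added lines for spcleft and the second errno assignment are also indented with spaces where the surrounding code uses tabs.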
    @@ -186,7 +196,7 @@
         MCSetT	*set;
         long	lo, hi, cur, dir;
     
    -    if (!cat || setId <= 0) return(NULL);
    +    if (cat == NULL || setId <= 0) return(NULL);
     
         lo = 0;
         if (setId - 1 < cat->numSets) {
    @@ -212,8 +222,8 @@
     	if (hi - lo == 1) cur += dir;
     	else cur += ((hi - lo) / 2) * dir;
         }
    -    if (set->invalid)
    -	(void) loadSet(cat, set);
    +    if (set->invalid && loadSet(cat, set) <= 0)
    +	return(NULL);
         return(set);
     }
     
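
Review bot: the new early return on "loadSet(cat, set) <= 0" depends on loadSet()'s return convention, which is not documented anywhere in the visible code, and it changes what this function hands back: a set that fails to load now yields NULL instead of a set still marked invalid. Add a short comment stating that convention, and confirm that every caller treats NULL as a load failure, as the "set == NULL || set->invalid" test in the next hunk does.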
    @@ -225,7 +235,7 @@
         MCMsgT	*msg;
         long	lo, hi, cur, dir;
     
    -    if (!set || set->invalid || msgId <= 0) return(NULL);
    +    if (set == NULL || set->invalid || msgId <= 0) return(NULL);
     
         lo = 0;
         if (msgId - 1 < set->numMsgs) {
    @@ -318,7 +328,7 @@
         off_t	nextSet;
     
         cat = (MCCatT *) malloc(sizeof(MCCatT));
    -    if (!cat) return(NLERR);
    +    if (cat == NULL) return(NLERR);
         cat->loadType = MCLoadBySet;
     
         if ((cat->fd = _open(catpath, O_RDONLY)) < 0) {
    @@ -351,7 +361,7 @@
     
         cat->numSets = header.numSets;
         cat->sets = (MCSetT *) malloc(sizeof(MCSetT) * header.numSets);
    -    if (!cat->sets) NOSPACE();
    +    if (cat->sets == NULL) NOSPACE();
     
         nextSet = header.firstSet;
         for (i = 0; i < cat->numSets; ++i) {
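
Review bot: this hunk, like the ones at -186, -225 and -318, only rewrites "!ptr" as "ptr == NULL" and changes no behaviour. Keeping such style changes out of the patch attached to a security advisory would leave the lines that actually fix the overflow and the '/' handling easier to audit and to apply to older source trees.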
    Index: setlocale.c
    ===================================================================
    RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v
    retrieving revision 1.27
    retrieving revision 1.28
    diff -u -r1.27 -r1.28
    --- locale/setlocale.c	2000/09/04 03:43:24	1.27
    +++ locale/setlocale.c	2000/09/08 07:29:48	1.28
    @@ -129,7 +129,7 @@
     		if (!env || !*env)
     			env = getenv("LANG");
     
    -		if (!env || !*env)
    +		if (!env || !*env || strchr(env, '/'))
     			env = "C";
     
     		(void) strncpy(new_categories[category], env, ENCODING_LEN);
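
Review bot: the context line after the new '/' check copies env with strncpy(new_categories[category], env, ENCODING_LEN), which leaves the destination unterminated when env is ENCODING_LEN bytes or longer. Confirm that the destination is larger than ENCODING_LEN and already terminated at that index, or terminate it explicitly here, because the locale name accepted by this check is later used to build a file path.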

$hrs: FreeBSD-SA/00:53,v 1.3 2000/10/11 15:33:30 hrs Exp $

----Next_Part(Thu_Oct_12_01:06:20_2000_41)----
