Date: Wed, 01 Nov 2000 16:43:43 +0900
Message-ID: <7mvgu8m91s.wl@waterblue.imgsrc.co.jp>
From: Jun Kuriyama <kuriyama@imgsrc.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <200010312126.GAA12759@eos.ocn.ne.jp>
References: <20001030231153.B618B37B4CF@hub.freebsd.org>
	<200010312126.GAA12759@eos.ocn.ne.jp>
Subject: [doc-jp 7784] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:58.chpass


Sleepy...

At 31 Oct 2000 21:27:16 GMT,
Hiroki Sato wrote:
> ch{fn,pass,sh} are utilities for changing user "finger" information,
> passwords, and login shell, respectively. The yp* variants perform the
> analogous changes on a NIS account.
> 
> chfn, chpass, chsh $B$O%f!<%6$N(B finger $B>pJs(B, $B%Q%9%o!<%I(B, $B%m%0%$%s%7%'%k$r(B
> $BJQ99$9$k$?$a$N%f!<%F%#%j%F%#$G$9(B.  $B$^$?(B, yp* $B$H$$$&7A$N$b$N(B ($BLuCm(B: ypchfn
> $B$J$I(B) $B$O(B, NIS $B%"%+%&%s%H$KBP$7$FF1MM$N5!G=$rDs6!$7$^$9(B.

$B!!!V(Byp* $B$H$$$&L>A0$N$b$N!W$H$+$G$b$$$$$N$G$O!#(B

> II.  $BLdBj$N>\:Y(B - Problem Description
> 
> A "format string vulnerability" was discovered in code used by the
> vipw utility during an internal FreeBSD code audit in July 2000. The
> vipw utility does not run with increased privileges and so it was
> believed at the time that it did not represent a security
> vulnerability. However it was not realised that this code is also
> shared with other utilities -- namely chfn, chpass, chsh, ypchfn,
> ypchpass, ypchsh and passwd -- which do in fact run setuid root.
> 
> During a security audit of FreeBSD internal code carried out in July 2000,
> a "security weakness caused by format strings" was discovered in the code
> used by the vipw utility.  Because the vipw utility is not run with elevated
> privileges, it was thought at the time that this would not amount to a
> security weakness, but it was overlooked that this code is shared among
> other utilities: chfn, chpass, chsh, ypchfn, ypchpass, ypchsh and passwd.
> These utilities are run setuid as the root user.

$B!!!V(Broot $B%f!<%6$K(B setuid $B$5$l$F!W$NJ}$,9%$_!#(B

> V.   $B2r7h:v(B - Solution
> 
> One of the following:
> Please do one of the following.
> 
> 1) Upgrade your vulnerable FreeBSD system to 4.1-RELEASE,
> 4.1.1-RELEASE, 4.1.1-STABLE or 3.5.1-STABLE after the respective
> correction dates.
> 1) Upgrade the vulnerable FreeBSD system to a 4.1-RELEASE,
>    4.1.1-STABLE or 3.5.1-STABLE dated after the respective correction dates.

Writing "after the respective correction dates" makes the text that follows
feel a little odd to me, so I think just "after the correction dates" would be enough.


-- 
Jun Kuriyama <kuriyama@imgsrc.co.jp> // IMG SRC, Inc.
             <kuriyama@FreeBSD.org> // FreeBSD Project
