From owner-doc-jp@jp.freebsd.org  Wed Mar 14 09:23:38 2001
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id JAA23620;
	Wed, 14 Mar 2001 09:23:38 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from eos.ocn.ne.jp (eos.ocn.ne.jp [210.190.142.171])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id JAA23615
	for <doc-jp@jp.freebsd.org>; Wed, 14 Mar 2001 09:23:38 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Received: from mail.hrslab.yi.org (p0498-ip01funabasi.chiba.ocn.ne.jp [211.130.235.244])
	by eos.ocn.ne.jp (8.9.1a/OCN/) with ESMTP id JAA04494
	for <doc-jp@jp.freebsd.org>; Wed, 14 Mar 2001 09:23:31 +0900 (JST)
Received: from localhost (alph.hrslab.yi.org [192.168.0.10])
	by mail.hrslab.yi.org (8.9.3/3.7W/DomainMaster) with ESMTP id JAA00938
	for <doc-jp@jp.freebsd.org>; Wed, 14 Mar 2001 09:23:03 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Date: Wed, 14 Mar 2001 09:10:57 +0900 (JST)
Message-Id: <20010314.091057.71082267.hrs@eos.ocn.ne.jp>
To: doc-jp@jp.freebsd.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <200103122331.f2CNVdI26137@freefall.freebsd.org>
References: <200103122331.f2CNVdI26137@freefall.freebsd.org>
X-Mailer: Mew version 1.95b101 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Wed_Mar_14_09:10:57_2001_571)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 8043
Subject: [doc-jp 8043] Re: ANNOUNCE: FreeBSD Ports Security Advisory
 FreeBSD-SA-01:23.icecast
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@eos.ocn.ne.jp

----Next_Part(Wed_Mar_14_09:10:57_2001_571)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

 01:23,26,27,28,29 $B$G$9!#(B

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@eos.ocn.ne.jp>
|                         <hrs@FreeBSD.org> (FreeBSD Project)

----Next_Part(Wed_Mar_14_09:10:57_2001_571)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:23"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:23 (2001-03-12)
 * icecast port contains remote vulnerability
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory FreeBSD-SA-01:23.icecast
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Mon, 12 Mar 2001 15:31:39 -0800 (PST)
  Message-Id: <200103122331.f2CNVdI26137@freefall.freebsd.org>
  X-Sequence: announce-jp 719

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:23                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	icecast port contains remote vulnerability

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	icecast
$B9pCNF|(B:		2001-03-12
$B%/%l%8%C%H(B:	|CyRaX| <cyrax@pkcrew.org>
$B1F6AHO0O(B:	$B=$@5F|0JA0$N(B Ports Collection
$B=$@5F|(B:		2001-03-10
$B%Y%s%@$NBP1~(B:	$B2sEz$J$7(B
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

icecast is a server for streaming MP3 audio.

icecast $B$O(B MP3 $B%*!<%G%#%*$N%9%H%j!<%_%s%0%5!<%P$N0l$D$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

The icecast software, versions prior to 1.3.7_1, contains multiple
format string vulnerabilities, which allow a remote attacker to
execute arbitrary code as the user running icecast, usually the root
user.

icecast $B$N%P!<%8%g%s(B 1.3.7_1 $B$h$jA0$N$b$N$K$O=q<0J8;zNs$K5/0x$9$k(B
$B%;%-%e%j%F%#>e$N<eE@$,J#?t4^$^$l$F$$$^$9(B.  $B$=$N$?$a%j%b!<%H$N967b<T$O(B
icecast $B$r<B9T$7$F$$$k%f!<%6(B ($BDL>o$O(B root) $B$N8"8B$GG$0U$N%3!<%I$r(B
$BIT@5$K<B9T$9$k$3$H$,2DG=$G$9(B.

There are a number of other potential abuses of format strings which
may or may not pose security risks, but have not currently been
audited.

$B$^$?(B, $BB>$K$b%;%-%e%j%F%#>e$N4m81$rUT$s$G$$$k2DG=@-$N$"$k=q<0J8;zNs$N(B
$BMtMQ$,?tB?$/4^$^$l$F$$$^$9$,(B, $B8=;~E@$G$O$^$@(B, $B$=$l$i$K4X$9$kD4::$O(B
$B$5$l$F$$$^$;$s(B.

The icecast port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format.  The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

icecast $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/(B,
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B.
$B$=$l$i$O(B 4700 $B$r1[$($k%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9(B.
$B%j%j!<%98e$KLdBj$,8+$D$+$C$?$?$a(B, FreeBSD 3.5.1 $B$*$h$S(B 4.2 $B$H$H$b$K(B
$B=P2Y$5$l$?(B Ports Collection $B$O$3$NLdBj$r4^$s$G$$$^$9(B.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B).  $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B.


III. $B1F6AHO0O(B - Impact

Arbitrary remote users can execute arbitrary code on the local system
as the user running icecast, usually the root user.

$B%j%b!<%H%f!<%6$OC/$G$b(B, icecast $B$r<B9T$7$F$$$k%f!<%6(B ($BDL>o(B root) $B$N8"8B$G(B
$B%m!<%+%k%7%9%F%`>e$NG$0U$N%3!<%I$rIT@5$K<B9T$9$k$3$H$,2DG=$G$9(B.

If you have not chosen to install the icecast port/package, then your
system is not vulnerable to this problem.

icecast $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B
$B%7%9%F%`$K$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.


IV.  $B2sHrJ}K!(B - Workaround

Deinstall the icecast port/package, if you have installed it.

icecast $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O(B,
$B$=$l$r%7%9%F%`$+$i:o=|$7$F$/$@$5$$(B.


V.   $B2r7h:v(B - Solution

Consider running the icecast software as a non-privileged user to
minimize the impact of further security vulnerabilities in this
software.

$B$^$:(B, icecast $B$N;}$D%;%-%e%j%F%#>e$N<eE@$K$h$k1F6A$r:G>.2=$9$k$?$a$K(B
$B9b$$8"8B$r;}$?$J$$%f!<%6$G(B icecast $B$r<B9T$9$k$3$H$r8!F$$7$F$/$@$5$$(B.

To upgrade icecast, choose one of the following options:

$B<!$N$$$:$l$+0l$D$K=>$$(B, icecast $B$r%"%C%W%0%l!<%I$7$^$9(B.

1) Upgrade your entire ports collection and rebuild the icecast port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B, icecast $B$N(B port $B$r:F9=C[$7$^$9(B.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
2) $B8E$$(B ($BLuCm(B: icecast $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7(B,
   $B=$@5F|0J9_$K:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i<hF@$7$F(B
   $B%$%s%9%H!<%k$7$^$9(B.

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/icecast-1.3.7_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/icecast-1.3.7_1.tgz

NOTE: It may be several days before updated packages are available
$BCm0U(B: $B=$@5HG$N(B package $B$,MxMQ$G$-$k$h$&$K$J$k$^$G?tF|$+$+$k2DG=@-$,$"$j$^$9(B.

[alpha]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/icecast-1.3.7_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/icecast-1.3.7_1.tgz

3) download a new port skeleton for the icecast port from:
3) icecast $B$N?7$7$$(B port $B%9%1%k%H%s$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7(B,
   $B$=$l$i$r;H$C$F(B port $B$r:F9=C[$7$^$9(B.

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
4) $B>e5-(B (3) $B$NA`:n$r<+F0E*$K9T$J$&(B portcheckout $B%f!<%F%#%j%F%#$r;H$$$^$9(B.
   portcheckout $B$N(B port $B$O(B /usr/ports/devel/portcheckout $B$K$"$j$^$9(B.
   $B$^$?(B, portcheckout $B$N(B package $B$,0J2<$N>l=j$+$iF~<j2DG=$G$9(B.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:23,v 1.1 2001/03/14 00:07:31 hrs Exp $

----Next_Part(Wed_Mar_14_09:10:57_2001_571)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:26"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:26 (2001-03-12)
 * interbase contains remote backdoor
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory FreeBSD-SA-01:26.interbase
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Mon, 12 Mar 2001 15:34:54 -0800 (PST)
  Message-Id: <200103122334.f2CNYsG26356@freefall.freebsd.org>
  X-Sequence: announce-jp 720

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:26                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	interbase contains remote backdoor

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	interbase
$B9pCNF|(B:		2001-03-12
$B%/%l%8%C%H(B:	Firebird project <http://firebird.sourceforge.net>
$B1F6AHO0O(B:	$B=$@5F|0JA0$N(B Ports Collection
$B=$@5F|(B:		$B2<5-;2>H(B
$B%Y%s%@$NBP1~(B:	$B=$@5HG$NDs6!$O9T$J$o$l$F$$$J$$(B
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

Interbase is a SQL database server from Borland.

interbase $B$O(B, Borland $B<R$,Ds6!$7$F$$$k(B SQL $B%G!<%?%Y!<%9%5!<%P$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

The interbase software contains a remote backdoor account, which was
apparently introduced by the vendor in 1992.  The interbase source
code has recently been released and is the basis for a derivative
project called firebird, who are credited with discovering the
vulnerability.

interbase $B$K$O%j%b!<%H$+$i%"%/%;%92DG=$J%P%C%/%I%"%"%+%&%s%H$,(B
$BB8:_$7$^$9(B.  $B$3$l$O(B 1992 $BG/$K%Y%s%@<+?H$,F3F~$7$?$b$N$N$h$&$G$9(B.
interbase $B$N%=!<%9%3!<%I$O:G6a8x3+$5$l(B, firebird $B$H8F$P$l$k(B
$BGI@8%W%m%8%'%/%H$N%Y!<%9$H$J$C$F$$$^$9(B.  $B$3$N%;%-%e%j%F%#>e$N<eE@$N(B
$BH/8+$O(B firebird $B%W%m%8%'%/%H$K$h$k$b$N$G$9(B.

The backdoor account has full read and write access to databases
stored on the server, and also gives the ability to write to arbitrary
files on the server as the user running the interbase server (usually
user root).  Remote attackers may connect to the database on TCP port
3050.

$B%P%C%/%I%"%"%+%&%s%H$O(B, $B%5!<%P>e$N%G!<%?%Y!<%9$X$N40A4$J(B
$BFI$_=q$-%"%/%;%9$r;}$A(B,  interbase $B%5!<%P$r<B9T$7$F$$$k%f!<%6(B
($BDL>o$O(B root) $B$N8"8B$G%5!<%P>e$NG$0U$N%U%!%$%k$K=q$-9~$_$r(B
$B9T$J$($kG=NO$r;}$C$F$$$^$9(B.  $B%j%b!<%H$N967b<T$O(B,
TCP $B%]!<%H(B 3050 $B$+$i%G!<%?%Y!<%9$K@\B3$9$k$3$H$,2DG=$G$9(B.

The interbase port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format.  The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

interbase $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/(B,
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B.
$B$=$l$i$O(B 4700 $B$r1[$($k%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9(B.
$B%j%j!<%98e$KLdBj$,8+$D$+$C$?$?$a(B, FreeBSD 3.5.1 $B$*$h$S(B 4.2 $B$H$H$b$K(B
$B=P2Y$5$l$?(B Ports Collection $B$O$3$NLdBj$r4^$s$G$$$^$9(B.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B).  $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B.


III. $B1F6AHO0O(B - Impact

Remote users who can connect to the interbase database server can
obtain full access to all databases using a backdoor account built
into the server itself.  This account cannot be disabled.

interbase $B%5!<%P$K@\B3$G$-$k%j%b!<%H%f!<%6$O(B, $B%5!<%P<+?H$K$"$i$+$8$a(B
$BAH$_9~$^$l$F$$$k%P%C%/%I%"%"%+%&%s%H$rMxMQ$9$k$3$H$G(B, $B%G!<%?%Y!<%9A4BN$X$N(B
$B40A4$K%"%/%;%98"$rIT@5$KF~<j$9$k$3$H$,2DG=$G$9(B.  $B$3$N%P%C%/%I%"%"%+%&%s%H$r(B
$BL58z2=$9$k$3$H$O$G$-$^$;$s(B.

If you have not chosen to install the interbase port/package, then
your system is not vulnerable to this problem.

interbase $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B
$B%7%9%F%`$K$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.


IV.  $B2sHrJ}K!(B - Workaround

 [$BLuCm(B] 1),2),3) $B$N$$$:$l$+0l$D$K=>$C$F$/$@$5$$(B.

1) Deinstall the interbase port/package, if you have installed it.
1) interbase $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O(B,
   $B$=$l$r%7%9%F%`$+$i:o=|$7$^$9(B.

2) Use packet filters on your perimeter firewalls, or ipfw(8)/ipf(8)
on the interbase server to prevent connections from untrusted systems
to TCP port 3050 on the interbase server.  Note that local users, or
arbitrary users on systems permitted to connect to the TCP port can
still access the backdoor account.
2) $B%U%!%$%"%&%)!<%k$N%Q%1%C%H%U%#%k%?5!G=$r;H$&$+(B, interbase $B%5!<%P>e$G(B
   ipfw(8)/ipf(8) $B$r2TF/$5$;$F(B, $B?.Mj$G$-$J$$%7%9%F%`$+$i(B
   interbase $B%5!<%P$N(B TCP $B%]!<%H(B 3050 $B$X$N@\B3$r9T$J$($J$$$h$&$K$7$^$9(B.
   $B$?$@$7(B, $B%m!<%+%k%f!<%6$dB>$N%7%9%F%`$+$i%5!<%P$N(B TCP $B%]!<%H(B 3050 $B$K(B
   $B%"%/%;%92DG=$J8"8B$r;}$D$9$Y$F$N%f!<%6$O(B, $B0MA3$H$7$F%P%C%/%I%"(B
   $B%"%+%&%s%H$X%"%/%;%9$9$k$3$H$,2DG=$J>uBV$N$^$^$K$J$j$^$9$N$G(B
   $BCm0U$7$F$/$@$5$$(B.

3) Migrate to the firebird database, which is an open-source
derivative of the interbase software which does not contain the
backdoor account.
3) firebird $B%G!<%?%Y!<%9$X0\9T$7$F$/$@$5$$(B.  $B$3$l$O(B interbase $B$+$i(B
   $BGI@8$7$?%*!<%W%s%=!<%9%=%U%H%&%'%"$N0l$D$G(B, $B%P%C%/%I%"%"%+%&%s%H$O(B
   $BB8:_$7$^$;$s(B.


V.   $B2r7h:v(B - Solution

The FreeBSD port of interbase is not provided by Borland -- it is
provided in binary form from Rios Corporation -- and there does not
appear to be a patch available for the security vulnerability.
Therefore there is currently no complete solution to this security
vulnerability; see the previous section for possible workarounds.

interbase $B$N(B FreeBSD $BMQ(B port $B$O(B, Borland $B<R$+$iDs6!$5$l$?$b$N$G$O$J$/(B,
Rios Corporation $B$+$i%P%$%J%j7A<0$GDs6!$5$l$F$$$k$b$N$G$9(B.  $B$^$?(B,
$B$3$N%;%-%e%j%F%#>e$N<eE@$r=$@5$9$k$?$a$N=$@5%Q%C%A$ODs6!$5$l$J$$$h$&$G$9(B.
$B$7$?$,$C$F(B, $B8=;~E@$G$3$N%;%-%e%j%F%#>e$N<eE@$r40A4$K2r7h$9$kJ}K!$O(B
$B$"$j$^$;$s(B.  $BM-8z$J2sHrK!$K$D$$$F$O(B, $BA0@a$r$4Mw$/$@$5$$(B.


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:26,v 1.1 2001/03/14 00:07:31 hrs Exp $

----Next_Part(Wed_Mar_14_09:10:57_2001_571)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:27"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:27 (2001-03-12)
 * cfengine port contains remote root vulnerability
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Ports Security Advisory FreeBSD-SA-01:27.cfengine
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Mon, 12 Mar 2001 15:37:53 -0800 (PST)
  Message-Id: <200103122337.f2CNbrV26867@freefall.freebsd.org>
  X-Sequence: announce-jp 721

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:27                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	cfengine port contains remote root vulnerability

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	cfengine
$B9pCNF|(B:		2001-03-12
$B%/%l%8%C%H(B:	Pekka Savola <pekkas@NETCORE.FI>
$B1F6AHO0O(B:	$B=$@5F|0JA0$N(B Ports Collection
$B=$@5F|(B:		2001-01-21
$B%Y%s%@$NBP1~(B:	$B=$@5HG$,8x3+:Q$_(B
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

cfengine is a system for automating the configuration and maintenance
of large networks.

cfengine $B$OBg5,LO%M%C%H%o!<%/$N@_Dj$dJ]<i$r<+F02=$9$k%7%9%F%`$N0l$D$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

The cfengine port, versions prior to 1.6.1, contained several format
string vulnerabilities which allow a remote attacker to execute
arbitrary code on the local system as the user running cfengine,
usually user root.

cfengine port $B$N%P!<%8%g%s(B 1.6.1 $B$h$jA0$N$b$N$K$O(B, $B=q<0J8;zNs$K(B
$B5/0x$9$k%;%-%e%j%F%#>e$N<eE@$,$$$/$D$+B8:_$7$^$9(B.  $B$3$l$K$h$j(B,
$B%j%b!<%H$N967b<T$O(B cfengine $B$r<B9T$7$F$$$k%f!<%6(B ($BDL>o(B root) $B$N8"8B$G(B
$B%m!<%+%k%7%9%F%`>e$NG$0U$N%3!<%I$rIT@5$K<B9T$9$k$3$H$,2DG=$G$9(B.

The cfengine port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format.  The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

cfengine $B$N(B port $B$O%G%U%)%k%H$G%$%s%9%H!<%k$5$l$k$b$N$G$O$J$/(B,
$B!V(BFreeBSD $B%7%9%F%`$N0lIt!W$r9=@.$9$k$b$N$G$b$"$j$^$;$s(B.
$B$=$l$i$O(B 4700 $B$r1[$($k%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$,$9$0$K(B
$B%$%s%9%H!<%k$G$-$k7A$G<}$a$i$l$F$$$k(B FreeBSD Ports Collection $B$N0lIt$G$9(B.
$B%j%j!<%98e$KLdBj$,8+$D$+$C$?$?$a(B, FreeBSD 3.5.1 $B$*$h$S(B 4.2 $B$H$H$b$K(B
$B=P2Y$5$l$?(B Ports Collection $B$O$3$NLdBj$r4^$s$G$$$^$9(B.

FreeBSD $B$G$O(B, $B$3$N$h$&$J%5!<%I%Q!<%F%#@=%"%W%j%1!<%7%g%s$N%;%-%e%j%F%#(B
$BLdBj$KBP$7$F(B, $BFC$K2?$+$r<gD%$9$k$3$H$O$"$j$^$;$s(B ($BLuCm(B: Ports Collection $B$K(B
$BF~$C$F$$$k$+$i$H$$$C$F(B, FreeBSD $B$N3+H/<T$?$A$,$=$N%"%W%j%1!<%7%g%s$,(B
$B0BA4$G$"$k$HI>2A$7$?$o$1$G$O$"$j$^$;$s(B).  $B$?$@$7(B, $B%;%-%e%j%F%#LdBj$KBP$7$F(B
$BBg$-$J1F6A$r;}$D$h$&$J(B ports $B$KBP$9$k%;%-%e%j%F%#4F::$rDs6!$9$Y$/(B,
$B8=:_EXNOCf$G$9(B.


III. $B1F6AHO0O(B - Impact

Arbitrary remote users can execute code on the local system as the
user running cfengine, usually user root.

$B%j%b!<%H%f!<%6$OC/$G$b(B, cfengine $B$r<B9T$7$F$$$k%f!<%6(B ($BDL>o(B root) $B$N(B
$B8"8B$G%m!<%+%k%7%9%F%`>e$NG$0U$N%3!<%I$rIT@5$K<B9T$9$k$3$H$,2DG=$G$9(B.

If you have not chosen to install the cfengine port/package, then your
system is not vulnerable to this problem.

cfengine $B$N(B port/package $B$r%$%s%9%H!<%k$7$F$$$J$1$l$P(B
$B%7%9%F%`$K$3$NLdBj$K$h$k%;%-%e%j%F%#>e$N<eE@$O$"$j$^$;$s(B.


IV.  $B2sHrJ}K!(B - Workaround

One of the following:
$B<!$N$$$:$l$+0l$D$K=>$C$F$/$@$5$$(B.

1) Deinstall the cfengine port/package, if you have installed it.
1) cfengine $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O(B,
   $B$=$l$r%7%9%F%`$+$i:o=|$7$^$9(B.

2) Implement access controls on connections to the cfengine server,
either at the application level using the cfengine configuration file,
or by using network-level packet filtering on the local system using
ipfw(8)/ipf(8), or on the perimeter firewalls.
2) cfengine $B%5!<%P$X$N@\B3$KBP$7$F%"%/%;%9@)8f5!9=$rF3F~$7$^$9(B.
   $B$3$l$O(B cfengine $B@_Dj%U%!%$%k$r;H$C$F%"%W%j%1!<%7%g%s%l%Y%k$G(B
   $B@)8f$9$kJ}K!$H(B, $B%M%C%H%o!<%/%l%Y%k$N%Q%1%C%H%U%#%k%?5!G=$r(B
   $BMxMQ$9$kJ}K!$,$"$j$^$9(B.  $B8e<T$O(B, $B%m!<%+%k%7%9%F%`>e$G(B
   ipfw(8)/ipf(8) $B$r2TF/$5$;$?$j(B, $B%U%!%$%"%&%)!<%k$N5!G=$r;H$&$3$H$G(B
   $B<B8=$G$-$^$9(B.

V.   $B2r7h:v(B - Solution

One of the following:
$B<!$N$$$:$l$+0l$D$K=>$C$F$/$@$5$$(B.

1) Upgrade your entire ports collection and rebuild the cfengine port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B, cfengine $B$N(B port $B$r:F9=C[$7$^$9(B.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
2) $B8E$$(B ($BLuCm(B: cfengine $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7(B,
   $B=$@5F|0J9_$K:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i<hF@$7$F(B
   $B%$%s%9%H!<%k$7$^$9(B.

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/sysutils/cfengine-1.6.3.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/cfengine-1.6.3.tar.gz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
$B8=;~E@$G$O(B alpha $B%"!<%-%F%/%A%cMQ$N(B package $B$O<+F0@8@.$5$l$F$$$^$;$s(B.
$B$3$l$O(B, $B9=C[$N$?$a$N%^%7%s%j%=!<%9$,ITB-$7$F$$$k$?$a$G$9(B.

3) download a new port skeleton for the cfengine port from:
3) cfengine $B$N?7$7$$(B port $B%9%1%k%H%s$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7(B,
   $B$=$l$i$r;H$C$F(B port $B$r:F9=C[$7$^$9(B.

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
4) $B>e5-(B (3) $B$NA`:n$r<+F0E*$K9T$J$&(B portcheckout $B%f!<%F%#%j%F%#$r;H$$$^$9(B.
   portcheckout $B$N(B port $B$O(B /usr/ports/devel/portcheckout $B$K$"$j$^$9(B.
   $B$^$?(B, portcheckout $B$N(B package $B$,0J2<$N>l=j$+$iF~<j2DG=$G$9(B.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:27,v 1.1 2001/03/14 00:07:31 hrs Exp $

----Next_Part(Wed_Mar_14_09:10:57_2001_571)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:28"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:28 (2001-03-12)
 * timed allows remote denial of service
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-01:28.timed
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Mon, 12 Mar 2001 15:44:00 -0800 (PST)
  Message-Id: <200103122344.f2CNi0527614@freefall.freebsd.org>
  X-Sequence: announce-jp 722

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:28                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	timed allows remote denial of service

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	timed
$B9pCNF|(B:		2001-03-12
$B%/%l%8%C%H(B:	$BFbIt%;%-%e%j%F%#4F::Cf$KH/8+(B
$B1F6AHO0O(B:	FreeBSD 3.x $B$*$h$S(B 4.x $B7ONs$N$9$Y$F$N%j%j!<%9(B
                $B=$@5F|0JA0$N(B FreeBSD 3.5-STABLE
                $B=$@5F|0JA0$N(B FreeBSD 4.2-STABLE
$B=$@5F|(B:		2001-03-10 (FreeBSD 3.5-STABLE)
                2001-01-07 (FreeBSD 4.2-STABLE)
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

timed(8) is a server for the Time Synchronisation Protocol, for
synchronising the system clocks of multiple clients.

timed(8) $B$O(B, $BJ#?t$N%/%i%$%"%s%H4V$G%7%9%F%`;~7W$rF14|$5$;$k$?$a$N(B
$B;~9oF14|%W%m%H%3%k(B (Time Synchronisation Protocol) $B%5!<%P$N0l$D$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

Malformed packets sent to the timed daemon could cause it to crash,
thereby denying service to clients if timed is not run under a
watchdog process which causes it to automatically restart in the event
of a failure.  The timed daemon is not run in this way in the default
invocation from /etc/rc.conf using the timed_enable variable.

timed $B%G!<%b%s$O(B, $BIT@5$J%Q%1%C%H$r<u$1<h$k$H%/%i%C%7%e$9$k$3$H$,(B
$B$"$j$^$9(B.  $B$=$N$?$a(B, $B%G!<%b%s$,5!G=$7$J$/$J$C$?;~$K<+F0E*$K(B
timed $B$N:F5/F0$r9T$J$&4F;k%W%m%;%9$,@_Dj$5$l$F$$$J$$>l9g(B,
$B7k2L$H$7$F%/%i%$%"%s%H$X$N%5!<%S%9$,Dd;_$9$k$3$H$K$J$j$^$9(B.
/etc/rc.conf $B$N(B timed_enable $BJQ?t$r;H$&I8=`$N5/F0J}K!$G$O(B,
timed $B%G!<%b%s$O$=$N$h$&$J%W%m%;%9$N4F;k2<$KCV$+$l$^$;$s(B.

The timed daemon is not enabled by default, and its use is not
recommended (FreeBSD includes ntpd(8), the network time protocol
daemon, which provides superior functionality).

timed $B%G!<%b%s$O%$%s%9%H!<%k;~$NI8=`@_Dj$GL58z2=$5$l$F$*$j(B,
$B$=$NMxMQ$O?d>)$5$l$F$$$^$;$s(B (FreeBSD $B$K$O(B, $B$h$j9bEY$J5!G=$r;}$D(B
ntpd(8) $B$H$$$&(B NTP (network time protocol) $B%G!<%b%s$,4^$^$l$F$$$^$9(B).

All versions of FreeBSD 3.x and 4.x prior to the correction date
including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this
problem, if they have been configued to run timed.  It was corrected
prior to the forthcoming release of FreeBSD 4.3.

FreeBSD 3.5.1-RELEASE, FreeBSD 4.2-RELEASE $B$r4^$`(B, $B=$@5F|0JA0$N(B
$B$9$Y$F$N(B FreeBSD 3.x $B$*$h$S(B FreeBSD 4.x $B$G(B, $B$+$D(B timed $B$r(B
$B<B9T$9$k$h$&$K@_Dj$5$l$F$$$k$b$N$,$3$N%;%-%e%j%F%#>e$N<eE@$N1F6A$r(B
$B<u$1$^$9(B.  $B$3$NLdBj$O(B, $B6aF|8x3+M=Dj$N(B FreeBSD 4.3 $B$,8x3+$5$l$kA0$K(B
$B=$@5$5$l$^$7$?(B.


III. $B1F6AHO0O(B - Impact

Remote users can cause the timed daemon to crash, denying service to
clients.

$B%j%b!<%H%f!<%6$O(B timed $B%G!<%b%s$r%/%i%C%7%e$5$;(B, timed $B%/%i%$%"%s%H$X$N(B
$B%5!<%S%9$rDd;_$5$;$k$3$H$,2DG=$G$9(B.


IV.  $B2sHrJ}K!(B - Workaround

Implement packet filtering at perimeter firewalls or on the local
machine using ipfw(8)/ipf(8) to prevent untrusted users from
connecting to the timed service.  The timed daemon listens on UDP port
525 by default.

$B%U%!%$%"%&%)!<%k$N%Q%1%C%H%U%#%k%?5!G=$r;H$&$+(B, $B%m!<%+%k%^%7%s>e$G(B
ipfw(8)/ipf(8) $B$r2TF/$5$;$F?.Mj$G$-$J$$%7%9%F%`$+$i(B timed $B$X$N@\B3$r(B
$B9T$J$($J$$$h$&$K$7$F$/$@$5$$(B.  timed $B%G!<%b%s$OI8=`$G(B UDP $B%]!<%H(B 525 $B$r(B
listen $B$7$^$9(B.


V.   $B2r7h:v(B - Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.

$B<eE@$r;}$C$?(B FreeBSD $B%7%9%F%`$r=$@5F|0J9_$N(B FreeBSD 3.5-STABLE
$B$b$7$/$O(B 4.2-STABLE $B$K%"%C%W%0%l!<%I$7$F$/$@$5$$(B.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

$B8=:_MxMQCf$N%7%9%F%`$K=$@5%Q%C%A$rE,MQ$9$k$K$O(B, $B0J2<$N>l=j$+$i(B
$B=$@5%Q%C%A$r%@%&%s%m!<%I$7(B, root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9(B.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:28/timed.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:28/timed.patch.asc

This patch has been verified to apply to FreeBSD 4.2-RELEASE and
FreeBSD 3.5.1-RELEASE.  It may or may not apply to older releases.

$B$3$N=$@5%Q%C%A$O(B FreeBSD 4.2-RELEASE $B$*$h$S(B 3.5.1-RELEASE $B$K(B
$BE,MQ2DG=$J$3$H$,3NG'$5$l$F$$$^$9(B.  $B$=$l$h$j8E$$%j%j!<%9$KBP$7$F(B
$BE,MQ2DG=$+$I$&$+$O3NG'$5$l$F$$$^$;$s(B.

Verify the detached PGP signature using your PGP utility.

$B$^$?(B, PGP $B%f!<%F%#%j%F%#$r;H$C$F=$@5%Q%C%A$N(B PGP $B=pL>$r(B
$B3NG'$7$F$/$@$5$$(B.

# cd /usr/src/usr.sbin/timed/timed
# patch -p < /path/to/patch
# make depend && make all install

Kill and restart timed to cause the changes to take effect.  If you
have started timed with non-standard options (e.g. by setting
timed_flags in /etc/rc.conf) then the below command will need to be
modified appropriately.

$B=$@5$rM-8z2=$5$;$k$K$O(B, $B<!$N$h$&$K$7$F(B timed $B$r(B kill $B$7:F5/F0$5$;$k(B
$BI,MW$,$"$j$^$9(B.  $B$b$7(B (/etc/rc.conf $B$N(B timed_flags $B$r;H$&$J$I$7$F(B)
timed $B$rI8=`$G$J$$%*%W%7%g%s$G<B9T$7$F$$$k>l9g$O(B, $B<!$N%3%^%s%I$r(B
$BE,59JQ99$9$kI,MW$,$"$k$G$7$g$&(B.

# killall -KILL timed
# /usr/sbin/timed


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:28,v 1.1 2001/03/14 00:07:31 hrs Exp $

----Next_Part(Wed_Mar_14_09:10:57_2001_571)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:29"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:29 (2001-03-12)
 * rwhod allows remote denial of service
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-01:29.rwhod
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Mon, 12 Mar 2001 15:47:59 -0800 (PST)
  Message-Id: <200103122347.f2CNlxT28110@freefall.freebsd.org>
  X-Sequence: announce-jp 723

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:29                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	rwhod allows remote denial of service

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	rwhod
$B9pCNF|(B:		2001-03-12
$B%/%l%8%C%H(B:	Mark Huizer <xaa@xaa.iae.nl>
$B1F6AHO0O(B:	FreeBSD 3.x $B$*$h$S(B 4.x $B7ONs$N$9$Y$F$N%j%j!<%9(B
                $B=$@5F|0JA0$N(B FreeBSD 3.5-STABLE
                $B=$@5F|0JA0$N(B FreeBSD 4.2-STABLE
$B=$@5F|(B:		2000-12-23 (FreeBSD 3.5-STABLE)
                2000-12-22 (FreeBSD 4.2-STABLE)
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

rwhod(8) is a server which implements the rwho protocol, which
communicates information on system uptime and logged-in users between
machines on a network.

rwhod(8) $B$O%M%C%H%o!<%/>e$N%^%7%s4V$G3F%7%9%F%`$N(B uptime $B$d%m%0%$%sCf$N(B
$B%f!<%6$H$$$C$?>pJs$rEA$($k$?$a$N(B, rwho $B%W%m%H%3%k%5!<%P<BAu$N0l$D$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

Malformed packets sent to the rwhod daemon could cause it to crash,
thereby denying service to clients if rwhod is not run under a
watchdog process which causes it to automatically restart in the event
of a failure.  The rwhod daemon is not run in this way in the default
invocation from /etc/rc.conf using the rwhod_enable variable.

rwhod $B%G!<%b%s$O(B, $BIT@5$J%Q%1%C%H$r<u$1<h$k$H%/%i%C%7%e$9$k$3$H$,(B
$B$"$j$^$9(B.  $B$=$N$?$a(B, $B%G!<%b%s$,5!G=$7$J$/$J$C$?;~$K<+F0E*$K(B
rwhod $B$N:F5/F0$r9T$J$&4F;k%W%m%;%9$,@_Dj$5$l$F$$$J$$>l9g(B,
$B7k2L$H$7$F%/%i%$%"%s%H$X$N%5!<%S%9$,Dd;_$9$k$3$H$K$J$j$^$9(B.
/etc/rc.conf $B$N(B rwhod_enable $BJQ?t$r;H$&I8=`$N5/F0J}K!$G$O(B,
rwhod $B%G!<%b%s$O$=$N$h$&$J%W%m%;%9$N4F;k2<$KCV$+$l$^$;$s(B.

All versions of FreeBSD 3.x and 4.x prior to the correction date
including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this
problem, if they have been configued to run rwhod (this is not enabled
by default).

FreeBSD 3.5.1-RELEASE, FreeBSD 4.2-RELEASE $B$r4^$`(B, $B=$@5F|0JA0$N(B
$B$9$Y$F$N(B FreeBSD 3.x $B$*$h$S(B FreeBSD 4.x $B$G(B, $B$+$D(B rwhod $B$r(B
$B<B9T$9$k$h$&$K@_Dj$5$l$F$$$k$b$N$,$3$N%;%-%e%j%F%#>e$N<eE@$N1F6A$r(B
$B<u$1$^$9(B (rwhod $B$O%$%s%9%H!<%k;~$NI8=`@_Dj$GL58z2=$5$l$F$$$^$9(B).


III. $B1F6AHO0O(B - Impact

Remote users can cause the rwhod daemon to crash, denying service to
clients.

$B%j%b!<%H%f!<%6$O(B rwhod $B%G!<%b%s$r%/%i%C%7%e$5$;(B, rwhod $B%/%i%$%"%s%H$X$N(B
$B%5!<%S%9$rDd;_$5$;$k$3$H$,2DG=$G$9(B.


IV.  $B2sHrJ}K!(B - Workaround

Implement packet filtering at perimeter firewalls or on the local
machine using ipfw(8)/ipf(8) to prevent untrusted users from
connecting to the rwhod service.  The rwhod daemon listens on UDP port
513 by default.

$B%U%!%$%"%&%)!<%k$N%Q%1%C%H%U%#%k%?5!G=$r;H$&$+(B, $B%m!<%+%k%^%7%s>e$G(B
ipfw(8)/ipf(8) $B$r2TF/$5$;$F?.Mj$G$-$J$$%7%9%F%`$+$i(B rwhod $B$X$N@\B3$r(B
$B9T$J$($J$$$h$&$K$7$F$/$@$5$$(B.  rwhod $B%G!<%b%s$OI8=`$G(B UDP $B%]!<%H(B 513 $B$r(B
listen $B$7$^$9(B.


V.   $B2r7h:v(B - Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.

$B<eE@$r;}$C$?(B FreeBSD $B%7%9%F%`$r=$@5F|0J9_$N(B FreeBSD 3.5-STABLE
$B$b$7$/$O(B 4.2-STABLE $B$K%"%C%W%0%l!<%I$7$F$/$@$5$$(B.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

$B8=:_MxMQCf$N%7%9%F%`$K=$@5%Q%C%A$rE,MQ$9$k$K$O(B, $B0J2<$N>l=j$+$i(B
$B=$@5%Q%C%A$r%@%&%s%m!<%I$7(B, root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9(B.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch.asc

This patch has been verified to apply to FreeBSD 4.2-RELEASE and
FreeBSD 3.5.1-RELEASE.  It may or may not apply to older releases.

$B$3$N=$@5%Q%C%A$O(B FreeBSD 4.2-RELEASE $B$*$h$S(B 3.5.1-RELEASE $B$K(B
$BE,MQ2DG=$J$3$H$,3NG'$5$l$F$$$^$9(B.  $B$=$l$h$j8E$$%j%j!<%9$KBP$7$F(B
$BE,MQ2DG=$+$I$&$+$O3NG'$5$l$F$$$^$;$s(B.

Verify the detached PGP signature using your PGP utility.

$B$^$?(B, PGP $B%f!<%F%#%j%F%#$r;H$C$F=$@5%Q%C%A$N(B PGP $B=pL>$r(B
$B3NG'$7$F$/$@$5$$(B.

# cd /usr/src/usr.sbin/rwhod
# patch -p < /path/to/patch
# make depend && make all install

Kill and restart rwhod to cause the changes to take effect.  If you
have started rwhod with non-standard options (e.g. by setting
rwhod_flags in /etc/rc.conf) then the below command will need to be
modified appropriately.

$B=$@5$rM-8z2=$5$;$k$K$O(B, $B<!$N$h$&$K$7$F(B rwhod $B$r(B kill $B$7:F5/F0$5$;$k(B
$BI,MW$,$"$j$^$9(B.  $B$b$7(B (/etc/rc.conf $B$N(B rwhod_flags $B$r;H$&$J$I$7$F(B)
rwhod $B$rI8=`$G$J$$%*%W%7%g%s$G<B9T$7$F$$$k>l9g$O(B, $B<!$N%3%^%s%I$r(B
$BE,59JQ99$9$kI,MW$,$"$k$G$7$g$&(B.

# killall -KILL rwhod
# /usr/sbin/rwhod


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:29,v 1.1 2001/03/14 00:07:31 hrs Exp $

----Next_Part(Wed_Mar_14_09:10:57_2001_571)----
