From owner-doc-jp@jp.FreeBSD.org Sun Dec 16 15:40:17 2001
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id fBG6eHx82396;
	Sun, 16 Dec 2001 15:40:17 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from eos.ocn.ne.jp (eos.ocn.ne.jp [210.190.142.171])
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) with ESMTP/inet id fBG6eG682391
	for <doc-jp@jp.FreeBSD.org>; Sun, 16 Dec 2001 15:40:16 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Received: from mail.hrslab.yi.org (p5126-ip02funabasi.chiba.ocn.ne.jp [61.214.4.126])
	by eos.ocn.ne.jp (OCN) with ESMTP id PAA23760
	for <doc-jp@jp.FreeBSD.org>; Sun, 16 Dec 2001 15:40:14 +0900 (JST)
Received: from localhost (alph.hrslab.yi.org [192.168.0.10])
	by mail.hrslab.yi.org (8.9.3/3.7W/DomainMaster) with ESMTP id PAA40718
	for <doc-jp@jp.FreeBSD.org>; Sun, 16 Dec 2001 15:38:57 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Date: Sun, 16 Dec 2001 15:34:49 +0900 (JST)
Message-Id: <20011216.153449.59651818.hrs@eos.ocn.ne.jp>
To: doc-jp@jp.FreeBSD.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <200112111700.fBBH0vC72090@freefall.freebsd.org>
References: <200112111700.fBBH0vC72090@freefall.freebsd.org>
X-Mailer: Mew version 2.0 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Sun_Dec_16_15:34:49_2001_818)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+010331
X-Sequence: doc-jp 8563
Subject: [doc-jp 8563] Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd
Errors-To: owner-doc-jp@jp.FreeBSD.org
Sender: owner-doc-jp@jp.FreeBSD.org
X-Originator: hrs@eos.ocn.ne.jp

----Next_Part(Sun_Dec_16_15:34:49_2001_818)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

 01:66 $B$G$9!#(B

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@eos.ocn.ne.jp>
|                         <hrs@FreeBSD.org> (FreeBSD Project)

----Next_Part(Sun_Dec_16_15:34:49_2001_818)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="01:66"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-01:66 (2001-12-11)
 * thttpd port contains remotely vulnerability
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 11 Dec 2001 09:00:57 -0800 (PST)
  Message-Id: <200112111700.fBBH0vC72090@freefall.freebsd.org>
  X-Sequence: announce-jp 865

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B=$@5%Q%C%AEy$NFbMF$,2~$6$s$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$*$h$S(B, $B%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O(B, $BJ8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$(B.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)

=============================================================================
FreeBSD-SA-01:66                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	thttpd port $B$K$*$1$k%j%b!<%H$+$i0-MQ2DG=$J%;%-%e%j%F%#>e$N<eE@(B
                (thttpd port contains remotely vulnerability)

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	thttpd
$B9pCNF|(B:		2001-12-11
$B%/%l%8%C%H(B:	GOBBLES SECURITY
$B1F6AHO0O(B:	$B=$@5F|0JA0$N(B Ports Collection
$B=$@5F|(B:		2001-11-22 00:10:56 UTC
FreeBSD $B$K8GM-$+(B:	no


I.   $BGX7J(B - Background

thttpd is a simple, small, portable, fast, and secure HTTP server.

thttpd $B$OC1=c$G>.$5$/(B, $B0\?"@-$KM%$l$?9bB.$G%;%-%e%"$J(B HTTP $B%5!<%P$G$9(B.


II.  $BLdBj$N>\:Y(B - Problem Description

In auth_check(), there is an off-by-one error in computing the amount
of memory needed for storing a NUL terminated string.  Specifically, a
stack buffer of 500 bytes is used to store a string of up to 501 bytes
including the terminating NUL.

auth_check() $B4X?t$K$*$1$k(B NUL $B=*C<J8;z$N3JG<$KI,MW$J%a%b%jNN0h$N(B
$B7W;;$K$O(B, $B0l$D0c$$(B (off-by-one) $B%(%i!<$,4^$^$l$F$$$^$9(B.  $B6qBNE*$K$O(B,
$B=*C<J8;z(B NUL $B$r4^$`(B 501 $B%P%$%H$NJ8;zNs$r3JG<$9$k$N$K(B, 500 $B%P%$%H$N(B
$B%9%?%C%/%P%C%U%!$,;HMQ$5$l$^$9(B.


III. $B1F6AHO0O(B - Impact

Due to the location of the affected buffer on the stack, this bug
can be exploited using ``The poisoned NUL byte'' technique (see
references).  A remote attacker can hijack the thttpd process,
obtaining whatever privileges it has.  By default, the thttpd process
runs as user `nobody'.

$B1F6A$r<u$1$k%P%C%U%!$O%9%?%C%/>e$K$"$k$?$a(B, $B$3$N%P%0$O(B
$B!VFGF~$j(B NUL $B%P%$%H(B (the poisoned NUL byte)$B!W$N<jK!(B ($B;29M;qNA$r(B
$B;2>H$N$3$H(B) $B$rMQ$$$F0-MQ$9$k$3$H$,2DG=$G$9(B.
$B967b<T$O%j%b!<%H$+$i(B thttpd $B%W%m%;%9$r>h$C<h$j(B, $B$=$N%W%m%;%9$N;}$D(B
$B$"$i$f$k8"8B$r<j$KF~$l$k$3$H$,$G$-$^$9(B.  $BI8=`@_Dj$G$O(B,
thttpd $B%W%m%;%9$O(B `nobody' $B%f!<%6$N8"8B$GF0:n$7$^$9(B.


IV.  $B2sHrJ}K!(B - Workaround

1) Deinstall the thttpd port/package if you have it installed.
1) thttpd $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O(B,
   $B$=$l$r%7%9%F%`$+$i:o=|$7$^$9(B.


V.   $B2r7h:v(B - Solution

1) Upgrade your entire ports collection and rebuild the port.
1) Ports Collection $BA4BN$r%"%C%W%0%l!<%I$7(B thttpd $B$N(B port $B$r:F9=C[$9$k(B.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:
2) $B8E$$(B ($BLuCm(B: thttpd $B$N(B) package $B$r%7%9%F%`$+$i:o=|$7(B,
   $B=$@5F|0J9_$K:n@.$5$l$??7$7$$(B package $B$r0J2<$N>l=j$+$i(B
   $B<hF@$7$F%$%s%9%H!<%k$9$k(B.

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/thttpd-2.22.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/thttpd-2.22.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
$B8=;~E@$G$O(B alpha $B%"!<%-%F%/%A%cMQ$N(B package $B$O<+F0@8@.$5$l$F$$$^$;$s(B.
$B$3$l$O(B, $B9=C[$N$?$a$N%^%7%s%j%=!<%9$,ITB-$7$F$$$k$?$a$G$9(B.

3) Download a new port skeleton for the thttpd port from:
3) thttpd $B$N?7$7$$(B port $B%9%1%k%H%s$r0J2<$N>l=j$+$i%@%&%s%m!<%I$7(B,
   $B$=$l$r;H$C$F(B port $B$r:F9=C[$9$k(B.

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
4) $B>e5-(B (3) $B$NA`:n$r<+F0E*$K9T$J$&(B portcheckout $B%f!<%F%#%j%F%#$r;H$&(B.
   portcheckout $B$N(B port $B$O(B /usr/ports/devel/portcheckout $B$K$"$j$^$9(B.
   $B$^$?(B, portcheckout $B$N(B package $B$,0J2<$N>l=j$+$iF~<j2DG=$G$9(B.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.
$B<!$NI=$O(B, FreeBSD Ports Collection $B$K4^$^$l$F$$$k(B,
$B=$@5$5$l$?%U%!%$%k$=$l$>$l$N%j%S%8%g%sHV9f$G$9(B.

Path                                                             Revision
$B%Q%9L>(B                                                       $B%j%S%8%g%sHV9f(B
- -------------------------------------------------------------------------
ports/www/thttpd/Makefile                                            1.23
ports/www/thttpd/distinfo                                            1.20
ports/www/thttpd/files/patch-fdwatch.c                            removed
- -------------------------------------------------------------------------


VII. $B;29M;qNA(B - References

<URL:http://www.securityfocus.com/archive/1/241310>
<URL:http://www.securityfocus.com/archive/1/10884>


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9(B.  $B2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9(B.  

$B$?$@$7(B, $BK]Lu<T$*$h$S(B doc-jp $B$O(B, $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$(B.  $BF|K\8lLu$K$D$$$F$N$40U8+(B, $B$4MWK>(B,
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9(B.
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a(B, $B$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9(B.

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O(B,
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K(B,
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K(B,
$B$=$l$>$lCV$-49$($F$/$@$5$$(B.

$BB>$NCO0h$r4^$`(B, $B%_%i!<%5%$%H$K4X$9$k>\:Y$O(B,

 http://www.FreeBSD.org/handbook/mirror.html ($B1QJ8(B)
 http://www.FreeBSD.org/ja/handbook/mirror.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9(B.

$hrs: announce-jp/FreeBSD-SA/01:66,v 1.2 2001/12/16 06:17:45 hrs Exp $

----Next_Part(Sun_Dec_16_15:34:49_2001_818)----
