Message-ID: <Pine.LNX.4.55.0308041127330.14851@mail.securityfocus.com>
Date: Mon, 4 Aug 2003 11:33:43 -0600 (MDT)
From: Dave Ahmad <da@...urityfocus.com>
To: bugtraq@...urityfocus.com
Subject: Off-by-one Buffer Overflow Vulnerability in BSD libc realpath(3)


Originally reported as affecting only WU-FTPD.  It seems that the bug
is in code borrowed from the BSD C library.  NetBSD, FreeBSD and OpenBSD
announcements attached.

David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.
Message-Id: <200308041703.h74H36co022239@...xes.courtesan.com>
To: security-announce@...nbsd.org
Subject: off-by-one error in realpath(3)
Date: Mon, 04 Aug 2003 11:03:06 -0600
From: "Todd C. Miller" <Todd.Miller@...rtesan.com>


[ this version has some typos fixed ]

An off-by-one error exists in the C library function realpath(3).
This is the same bug that was recently found in the wu-ftpd ftpd
server by Janusz Niewiadomski and Janusz Niewiadomski.

The OpenBSD ftp daemon does not use realpath(3) in a way that could
be exploited, however a number of other system binaries also use
the function.  It is not currently known whether or not this bug
results in an exploitable security hole on OpenBSD.  Since the bug
led to an exploitable hole in wu-ftpd, it is entirely possible that
some program using realpath(3) under OpenBSD may be vulnerable to
attack.  For OpenBSD 3.3 and higher, the ProPolice stack protector
should provide some protection from this bug, but this cannot be
guaranteed.

This bug has been fixed in OpenBSD-current as well as the 3.2 and
3.3 stable branches.  Patches are available for OpenBSD 3.2 and 3.3.

Patch for OpenBSD 3.2:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/015_realpath.patch

Patch for OpenBSD 3.3:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/001_realpath.patch

For versions of OpenBSD prior to 3.2, users may simply fetch
the current revision of realpath.c from:
    ftp://ftp.OpenBSD.org/pub/OpenBSD/src/lib/libc/stdlib/realpath.c
then rebuild and install libc with the new realpath.c.

For more details, see the description of the wu-ftpd fp_realpath bug:
    http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

View attachment "FreeBSD-SA-03:08.realpath" of type "TEXT/PLAIN" (12819 bytes)

View attachment "NetBSD-SA2003-011.txt.asc" of type "TEXT/PLAIN" (6334 bytes)
