[LWN Logo]

Date:         Tue, 9 May 2000 12:20:49 -0700
From: FreeBSD Security Officer <security-officer@FREEBSD.ORG>
Subject:      FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:17                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Buffer overflow in libmytinfo may yield increased
		privileges with third-party software.

Category:       core
Module:         libmytinfo
Announced:      2000-05-09
Affects:        FreeBSD 3.x before the correction date.
Corrected:      2000-04-25
FreeBSD only:   Yes

Patches:        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libmytinfo.patch

I.   Background

libmytinfo is part of ncurses, a text-mode display library.

II.  Problem Description

libmytinfo allows users to specify an alternate termcap file or entry
via the TERMCAP environment variable, however this is not handled
securely and contains a overflowable buffer inside the library.

This is a security vulnerability for binaries which are linked against
libmytinfo and which are setuid or setgid (i.e. run with elevated
privileges). It may also be a vulnerability in other more obscure
situations where a user can exert control over the environment with
which an ncurses binary is run by another user.

FreeBSD 3.x and earlier versions use a very old, customized version of
ncurses which is difficult to update without breaking
backwards-compatibility. The update was made for FreeBSD 4.0, but it
is unlikely that 3.x will be updated. However, the ncurses source is
currently being audited for further vulnerabilities.

III. Impact

Certain setuid/setgid third-party software (including FreeBSD
ports/packages) may be vulnerable to a local exploit yielding
privileged resources, such as network sockets, privileged filesystem
access, or outright privileged shell access (including root access).

No program in the FreeBSD base system is believed to be vulnerable to
the bug.

FreeBSD 4.0 and above are NOT vulnerable to this problem.

IV.  Workaround

Remove any setuid or setgid binary which is linked against libmytinfo
(including statically linked), or remove set[ug]id privileges from the
file as appropriate.

The following instructions will identify the binaries installed on the
system which are candidates for removal or removal of file
permissions. Since there may be other as yet undiscovered
vulnerabilities in libmytinfo it may be wise to perform this audit
regardless of whether or not you upgrade your system as described in
section V below. In particular, see the note regarding static linking
in section V.

Of course, it is possible that some of the identified files may be
required for the correct operation of your local system, in which case
there is no clear workaround except for limiting the set of users who
may run the binaries, by an appropriate use of user groups and
removing the "o+x" file permission bit.

1) Download the 'libfind.sh' script from

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh

e.g. with the fetch(1) command:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh
Receiving libfind.sh (460 bytes): 100%
460 bytes transferred in 0.0 seconds  (394.69 Kbytes/s)
#

2) Verify the md5 checksum and compare to the value below:

# /sbin/md5 libfind.sh
MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b

3) Run the libfind script against your system:

# sh libfind.sh /

This will scan your entire system for setuid or setgid binaries which
are linked against libmytinfo. Each returned binary should be examined
(e.g. with 'ls -l' and/or other tools) to determine what security risk
it poses to your local environment, e.g. whether it can be run by
arbitrary local users who may be able to exploit it to gain
privileges.

4) Remove the binaries, or reduce their file permissions, as appropriate.

V.   Solution

Upgrade your FreeBSD 3.x system to 3.4-STABLE after the correction
date, or patch your present system source code and rebuild. Then run
the libfind script as instructed in section IV and identify any
statically-linked binaries (those reported as "STATIC" by the
libfind script). These should either be removed, recompiled, or have
privileges restricted to secure them against this vulnerability (since
statically-linked binaries will not be affected by recompiling the
shared libmytinfo library).

To patch your present system: save the patch below into a file, and
execute the following commands as root:

cd /usr/src/lib/libmytinfo
patch < /path/to/patch/file
make all
make install

Patches for 3.x systems before the resolution date:

  Index: findterm.c
  ===================================================================
  RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v
  retrieving revision 1.3
  diff -u -r1.3 findterm.c
  --- findterm.c	1997/08/13 01:21:36	1.3
  +++ findterm.c	2000/04/25 16:58:19
  @@ -242,7 +242,7 @@
   			} else {
   				s = path->file;
   				d = buf;
  -				while(*s != '\0' && *s != ':')
  +				while(*s != '\0' && *s != ':' && d - buf < MAX_LINE - 1)
   					*d++ = *s++;
   				*d = '\0';
   				if (_tmatch(buf, name)) {
  @@ -259,7 +259,7 @@
   			} else {
   				s = path->file;
   				d = buf;
  -				while(*s != '\0' && *s != ',')
  +				while(*s != '\0' && *s != ',' && d - buf < MAX_LINE - 1)
   					*d++ = *s++;
   				*d = '\0';
   				if (_tmatch(buf, name)) {

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBORc3NFUuHi5z0oilAQGcaAP6Ar4+mNTHR/qXUJ+MFIVy+AQHFDwpYq5f
KgBpCRzgKVZs/zfsQ+LwC1vCHzusftTK0lEd//2pfGZHt3ln0eD1s6qt+Q6+ZJBE
MYYiXvqoBL1ob2Ahts6uEUs/vbMb4bCbEmMCn4ad2iU+neKH9a81Lk3frIaJjAVK
8/6vW7wH9W4=
=NDsR
-----END PGP SIGNATURE-----