path: root/share/security/advisories/FreeBSD-SA-00:58.chpass.asc
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-00:58.chpass.asc')
-rw-r--r-- share/security/advisories/FreeBSD-SA-00:58.chpass.asc 111
1 files changed, 0 insertions, 111 deletions
diff --git a/share/security/advisories/FreeBSD-SA-00:58.chpass.asc b/share/security/advisories/FreeBSD-SA-00:58.chpass.asc
deleted file mode 100644
index a30972e547..0000000000
--- a/share/security/advisories/FreeBSD-SA-00:58.chpass.asc
+++ /dev/null
@@ -1,111 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-
-=============================================================================
-FreeBSD-SA-00:58 Security Advisory
- FreeBSD, Inc.
-
-Topic: chpass family contains local root vulnerability
-
-Category: core
-Module: chfn/chpass/chsh/ypchfn/ypchpass/ypchsh/passwd
-Announced: 2000-10-30
-Credits: Problem fixed during internal auditing.
- Vulnerability pointed out by: caddis <caddis@DISSENSION.NET>
-Affects: FreeBSD 3.x (all releases), FreeBSD 4.0-RELEASE,
- FreeBSD 4.0-STABLE prior to the correction date
-Corrected: 2000/07/20 (FreeBSD 4.0-STABLE)
- 2000/10/04 (FreeBSD 3.5.1-STABLE)
-FreeBSD only: NO
-
-I. Background
-
-ch{fn,pass,sh} are utilities for changing user "finger" information,
-passwords, and login shell, respectively. The yp* variants perform the
-analogous changes on a NIS account.
-
-II. Problem Description
-
-A "format string vulnerability" was discovered in code used by the
-vipw utility during an internal FreeBSD code audit in July 2000. The
-vipw utility does not run with increased privileges and so it was
-believed at the time that it did not represent a security
-vulnerability. However it was not realised that this code is also
-shared with other utilities -- namely chfn, chpass, chsh, ypchfn,
-ypchpass, ypchsh and passwd -- which do in fact run setuid root.
-
-Therefore, the problem may be exploited by unprivileged local users to
-gain root access to the local machine.
-
-All versions of FreeBSD prior to the correction date including 4.0 and
-3.5.1 are vulnerable to this problem, but it was fixed in the 4.x
-branch prior to the release of FreeBSD 4.1.
-
-III. Impact
-
-Local users can obtain root privileges on the local machine.
-
-IV. Workaround
-
-Remove the setuid bit on the following utilities. This has the
-side-effect that non-root users cannot change their finger
-information, passwords, or login shells.
-
-# chflags noschg /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh
-# chmod u-s /usr/bin/chfn /usr/bin/chpass /usr/bin/chsh
-# chflags noschg /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh
-# chmod u-s /usr/bin/ypchfn /usr/bin/ypchpass /usr/bin/ypchsh
-# chflags noschg /usr/bin/passwd
-# chmod u-s /usr/bin/passwd
-
-V. Solution
-
-One of the following:
-
-1) Upgrade your vulnerable FreeBSD system to 4.1-RELEASE,
-4.1.1-RELEASE, 4.1.1-STABLE or 3.5.1-STABLE after the respective
-correction dates.
-
-2) Apply the patch below and recompile the respective files:
-
-Either save this advisory to a file, or download the patch and
-detached PGP signature from the following locations, and verify the
-signature using your PGP utility.
-
-ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:58/vipw.patch
-ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:58/vipw.patch.asc
-
-Execute the following commands as root:
-
-# cd /usr/src/usr.sbin/vipw
-# patch -p < /path/to/patch_or_advisory
-# make depend && make all install
-# cd /usr/src/usr.bin/chpass/
-# make depend && make all install
-# cd /usr/src/usr.bin/passwd/
-# make depend && make all install
-
-Patch for vulnerable systems:
-
- --- pw_util.c 1999/08/28 01:20:31 1.17
- +++ pw_util.c 2000/07/12 00:49:40 1.18
- @@ -250,7 +250,7 @@
- extern int _use_yp;
- #endif /* YP */
- if (err)
- - warn(name);
- + warn("%s", name);
- #ifdef YP
- if (_use_yp)
- warnx("NIS information unchanged");
-
-
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.0.4 (FreeBSD)
-Comment: For info see http://www.gnupg.org
-
-iQCVAwUBOf3/FFUuHi5z0oilAQEAhAQApmUnWU8Se8V6rAsy98jJLBXp11mmCnaB
-lVPve0SjOEhTjYVOfLEslDIPECP1WNrO3Ep/FiczhoTVrMBzWjh74XIGaiDbRxEy
-UDWh/cQhAaEmy/KPwraoPas6T2lsJ9brBu5LycKQj/F2SMYCNQOQ3UK4rmXqmf+z
-jAqmmerfaPo=
-=YNNN
------END PGP SIGNATURE-----
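Review bot: the whole-file deletion (@@ -1,111 +0,0 @@, "deleted file mode 100644") removes the PGP-signed text of FreeBSD-SA-00:58 from share/security/advisories/, and nothing visible in this diff (1 files changed, 0 insertions) says where the advisory can be found afterwards. The removed text carries the setuid workaround commands, the rebuild procedure and the inline pw_util.c fix that changes warn(name) to warn("%s", name), all covered by the clearsigned signature at the end of the file. Suggest stating in the commit message where the signed copy remains available, so that readers can still verify the advisory against an authoritative source.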