diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-09:07.libc.asc')
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-09:07.libc.asc | 156 |
1 files changed, 0 insertions, 156 deletions
diff --git a/share/security/advisories/FreeBSD-SA-09:07.libc.asc b/share/security/advisories/FreeBSD-SA-09:07.libc.asc deleted file mode 100644 index a73538b5cc..0000000000 --- a/share/security/advisories/FreeBSD-SA-09:07.libc.asc +++ /dev/null @@ -1,156 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -============================================================================= -FreeBSD-SA-09:07.libc Security Advisory - The FreeBSD Project - -Topic: Information leak in db(3) - -Category: core -Module: libc -Announced: 2009-04-22 -Credits: Jaakko Heinonen, Xin LI -Affects: All supported versions of FreeBSD. -Corrected: 2009-04-11 15:19:26 UTC (RELENG_7, 7.2-PRERELEASE) - 2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5) - 2009-04-22 14:07:14 UTC (RELENG_7_0, 7.0-RELEASE-p12) - 2009-04-11 15:21:11 UTC (RELENG_6, 6.4-STABLE) - 2009-04-22 14:07:14 UTC (RELENG_6_4, 6.4-RELEASE-p4) - 2009-04-22 14:07:14 UTC (RELENG_6_3, 6.3-RELEASE-p10) - -For general information regarding FreeBSD Security Advisories, -including descriptions of the fields above, security branches, and the -following sections, please visit <URL:http://security.FreeBSD.org/>. - -I. Background - -FreeBSD's C library (libc) contains code for creating and accessing -Berkeley DB 1.85 database files. Such databases are used extensively -in FreeBSD; for example, the system password files (/etc/passwd and -/etc/master.passwd) are normally accessed via their database files -(/etc/pwd.db and /etc/spwd.db). - -II. Problem Description - -Some data structures used by the database interface code are not properly -initialized when allocated. - -III. Impact - -Programs using the db(3) interface to create Berkeley database files may -"leak" sensitive information into database files. If those files can be -read by other users, this may result in the disclosure of sensitive -information such as login credentials. - -IV. Workaround - -No workaround is available, but systems without untrusted local users are -probably not affected (since remote attackers will in most cases not be -able to read such database files). - -V. Solution - -Perform one of the following: - -1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the -RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch -dated after the correction date. - -2) To patch your present system: - -The following patches have been verified to apply to FreeBSD 6.3, 6.4, -7.0, and 7.1 systems. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -# fetch http://security.FreeBSD.org/patches/SA-09:07/libc.patch -# fetch http://security.FreeBSD.org/patches/SA-09:07/libc.patch.asc - -b) Execute the following commands as root: - -# cd /usr/src -# patch < /path/to/patch -# cd /usr/src/lib/libc -# make obj && make depend && make && make install - -NOTE: On the amd64 platform, the above procedure will not update the -lib32 (i386 compatibility) libraries. On amd64 systems where the i386 -compatibility libraries are used, the operating system should instead -be recompiled as described in -<URL:http://www.FreeBSD.org/handbook/makeworld.html> - -NOTE: System administrators may wish to rebuild any system database files -which were created prior to applying this patch in case they contain -sensitive information. - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in FreeBSD. - -CVS: - -Branch Revision - Path -- ------------------------------------------------------------------------- -RELENG_6 - src/lib/libc/db/btree/bt_split.c 1.7.2.1 - src/lib/libc/db/btree/bt_open.c 1.11.14.1 - src/lib/libc/db/hash/hash_buf.c 1.7.14.1 - src/lib/libc/db/mpool/mpool.c 1.12.2.1 - src/lib/libc/db/README 1.1.40.1 -RELENG_6_4 - src/UPDATING 1.416.2.40.2.8 - src/sys/conf/newvers.sh 1.69.2.18.2.10 - src/lib/libc/db/btree/bt_split.c 1.7.12.2 - src/lib/libc/db/hash/hash_buf.c 1.7.26.2 - src/lib/libc/db/mpool/mpool.c 1.12.12.2 -RELENG_6_3 - src/UPDATING 1.416.2.37.2.15 - src/sys/conf/newvers.sh 1.69.2.15.2.14 - src/lib/libc/db/btree/bt_split.c 1.7.10.1 - src/lib/libc/db/hash/hash_buf.c 1.7.24.1 - src/lib/libc/db/mpool/mpool.c 1.12.10.1 -RELENG_7 - src/lib/libc/db/btree/bt_split.c 1.8.2.1 - src/lib/libc/db/btree/bt_open.c 1.12.2.1 - src/lib/libc/db/hash/hash_buf.c 1.8.2.1 - src/lib/libc/db/mpool/mpool.c 1.13.2.1 - src/lib/libc/db/README 1.1.50.1 -RELENG_7_1 - src/UPDATING 1.507.2.13.2.8 - src/sys/conf/newvers.sh 1.72.2.9.2.9 - src/lib/libc/db/btree/bt_split.c 1.8.6.2 - src/lib/libc/db/hash/hash_buf.c 1.8.6.2 - src/lib/libc/db/mpool/mpool.c 1.13.6.2 -RELENG_7_0 - src/UPDATING 1.507.2.3.2.16 - src/sys/conf/newvers.sh 1.72.2.5.2.16 - src/lib/libc/db/btree/bt_split.c 1.8.4.1 - src/lib/libc/db/hash/hash_buf.c 1.8.4.1 - src/lib/libc/db/mpool/mpool.c 1.13.4.1 -- ------------------------------------------------------------------------- - -Subversion: - -Branch/path Revision -- ------------------------------------------------------------------------- -stable/6/ r190940 -releng/6.4/ r191381 -releng/6.3/ r191381 -stable/7/ r190939 -releng/7.1/ r191381 -releng/7.0/ r191381 -- ------------------------------------------------------------------------- - -The latest revision of this advisory is available at -http://security.FreeBSD.org/advisories/FreeBSD-SA-09:07.libc.asc ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.9 (FreeBSD) - -iEYEARECAAYFAknvJlkACgkQFdaIBMps37JcyACggmDk96JTy3G5gGlzMlNuVsV7 -s5wAoIT2G2c3T6bYa7GeftWLpGGFo2Rp -=rdqD ------END PGP SIGNATURE----- |