diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-96:13.comsat.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-96:13.comsat.asc | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-96:13.comsat.asc b/share/security/advisories/FreeBSD-SA-96:13.comsat.asc new file mode 100644 index 0000000000..73699a140d --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-96:13.comsat.asc @@ -0,0 +1,141 @@ +-----BEGIN PGP SIGNED MESSAGE----- + +============================================================================= +FreeBSD-SA-96:13 Security Advisory + FreeBSD, Inc. + +Topic: unauthorized mail reading via comsat + +Category: core +Module: comsat +Announced: 1996-06-05 +Affects: All FreeBSD versions +Corrected: 2.1-stable and 2.2-current as of 1996-06-04 +FreeBSD only: yes + +Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:13/ + +============================================================================= + +I. Background + + FreeBSD made an extension to the comsat daemon to support + e-mail in alternate locations. A bug was found in this + extension which allows an unprivileged local user to read + portions of other users' mail. + + This problem is present in all source code and binary + distributions of FreeBSD released before 1996-06-03. + + +II. Problem Description + + The comsat daemon does not properly set privileges before + attempting to read mail files for display on a user terminal. + + +III. Impact + + The comsat daemon may be used to read portions of files + in /var/mail that would not normally be accessible to a + particular user. This ability is limited to the /var/mail + directory hierarchy. + + This vulnerability can only be exploited by users with a valid + account on the local system. + + +IV. Workaround + + One may simply disable the comsat daemon in /etc/inetd.conf. + This will disable asynchronous notification of received mail + (biff messages). This workaround will suffice for + all versions of FreeBSD affected by this problem. + + As root, edit the file /etc/inetd.conf and change the line + + comsat dgram udp wait root /usr/libexec/comsat comsat + + to read + + #comsat dgram udp wait root /usr/libexec/comsat comsat + + and then reboot the system or restart the inetd daemon and kill + off any active comsat daemons. + +V. Solution + + The following patch fixes the permissions problem. It should + apply cleanly to all FreeBSD 2.x systems. It has not been tested + with FreeBSD 1.x but this change, if applied by hand, should work. + + --- comsat.c Mon Jun 3 09:07:49 1996 + +++ comsat.c Mon Jun 3 09:17:11 1996 + @@ -73,7 +73,7 @@ + time_t lastmsgtime; + int nutmp, uf; + + -void jkfprintf __P((FILE *, char[], off_t)); + +void jkfprintf __P((FILE *, char[], char[], off_t)); + void mailfor __P((char *)); + void notify __P((struct utmp *, char[], off_t, int)); + void onalrm __P((int)); + @@ -238,15 +238,16 @@ + cr, name, (int)sizeof(hostname), hostname, + folder ? cr : "", folder ? "to " : "", folder ? file : "", + cr, cr); + - jkfprintf(tp, file, offset); + + jkfprintf(tp, name, file, offset); + (void)fclose(tp); + _exit(0); + } + + void + -jkfprintf(tp, name, offset) + +jkfprintf(tp, user, file, offset) + register FILE *tp; + - char name[]; + + char user[]; + + char file[]; + off_t offset; + { + register char *cp, ch; + @@ -256,10 +257,10 @@ + char line[BUFSIZ]; + + /* Set effective uid to user in case mail drop is on nfs */ + - if ((p = getpwnam(name)) != NULL) + + if ((p = getpwnam(user)) != NULL) + (void) setuid(p->pw_uid); + + - if ((fi = fopen(name, "r")) == NULL) + + if ((fi = fopen(file, "r")) == NULL) + return; + + (void)fseek(fi, offset, L_SET); + + +============================================================================= +FreeBSD, Inc. + +Web Site: http://www.freebsd.org/ +Confidential contacts: security-officer@freebsd.org +PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc +Security notifications: security-notifications@freebsd.org +Security public discussion: security@freebsd.org + +Notice: Any patches in this document may not apply cleanly due to + modifications caused by digital signature or mailer software. + Please reference the URL listed at the top of this document + for original copies of all patches if necessary. +============================================================================= + +-----BEGIN PGP SIGNATURE----- +Version: 2.6.2 + +iQCVAwUBMeXtDFUuHi5z0oilAQG7zAP/ZfgIUqi+yBcLTBhoRh0bAeB9GJNlppF/ +rqLtJUdBpDTELjjdE21b+510Uv3j1n9/xKiXgcFRcyV0BuUTyJGA+KbOHAuy5EjZ +3AyoIHC3bAhydQIvDYl9N3RbaH/xbmG4MZoXtIxI7peo+FbMWwRCsDCjjMggk8x1 +s69nLC+n2iw= +=xA6e +-----END PGP SIGNATURE----- |