diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-96:13.comsat.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-96:13.comsat.asc | 141 |
1 files changed, 0 insertions, 141 deletions
diff --git a/share/security/advisories/FreeBSD-SA-96:13.comsat.asc b/share/security/advisories/FreeBSD-SA-96:13.comsat.asc deleted file mode 100644 index 73699a140d..0000000000 --- a/share/security/advisories/FreeBSD-SA-96:13.comsat.asc +++ /dev/null @@ -1,141 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-96:13 Security Advisory - FreeBSD, Inc. - -Topic: unauthorized mail reading via comsat - -Category: core -Module: comsat -Announced: 1996-06-05 -Affects: All FreeBSD versions -Corrected: 2.1-stable and 2.2-current as of 1996-06-04 -FreeBSD only: yes - -Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:13/ - -============================================================================= - -I. Background - - FreeBSD made an extension to the comsat daemon to support - e-mail in alternate locations. A bug was found in this - extension which allows an unprivileged local user to read - portions of other users' mail. - - This problem is present in all source code and binary - distributions of FreeBSD released before 1996-06-03. - - -II. Problem Description - - The comsat daemon does not properly set privileges before - attempting to read mail files for display on a user terminal. - - -III. Impact - - The comsat daemon may be used to read portions of files - in /var/mail that would not normally be accessible to a - particular user. This ability is limited to the /var/mail - directory hierarchy. - - This vulnerability can only be exploited by users with a valid - account on the local system. - - -IV. Workaround - - One may simply disable the comsat daemon in /etc/inetd.conf. - This will disable asynchronous notification of received mail - (biff messages). This workaround will suffice for - all versions of FreeBSD affected by this problem. - - As root, edit the file /etc/inetd.conf and change the line - - comsat dgram udp wait root /usr/libexec/comsat comsat - - to read - - #comsat dgram udp wait root /usr/libexec/comsat comsat - - and then reboot the system or restart the inetd daemon and kill - off any active comsat daemons. - -V. Solution - - The following patch fixes the permissions problem. It should - apply cleanly to all FreeBSD 2.x systems. It has not been tested - with FreeBSD 1.x but this change, if applied by hand, should work. - - --- comsat.c Mon Jun 3 09:07:49 1996 - +++ comsat.c Mon Jun 3 09:17:11 1996 - @@ -73,7 +73,7 @@ - time_t lastmsgtime; - int nutmp, uf; - - -void jkfprintf __P((FILE *, char[], off_t)); - +void jkfprintf __P((FILE *, char[], char[], off_t)); - void mailfor __P((char *)); - void notify __P((struct utmp *, char[], off_t, int)); - void onalrm __P((int)); - @@ -238,15 +238,16 @@ - cr, name, (int)sizeof(hostname), hostname, - folder ? cr : "", folder ? "to " : "", folder ? file : "", - cr, cr); - - jkfprintf(tp, file, offset); - + jkfprintf(tp, name, file, offset); - (void)fclose(tp); - _exit(0); - } - - void - -jkfprintf(tp, name, offset) - +jkfprintf(tp, user, file, offset) - register FILE *tp; - - char name[]; - + char user[]; - + char file[]; - off_t offset; - { - register char *cp, ch; - @@ -256,10 +257,10 @@ - char line[BUFSIZ]; - - /* Set effective uid to user in case mail drop is on nfs */ - - if ((p = getpwnam(name)) != NULL) - + if ((p = getpwnam(user)) != NULL) - (void) setuid(p->pw_uid); - - - if ((fi = fopen(name, "r")) == NULL) - + if ((fi = fopen(file, "r")) == NULL) - return; - - (void)fseek(fi, offset, L_SET); - - -============================================================================= -FreeBSD, Inc. - -Web Site: http://www.freebsd.org/ -Confidential contacts: security-officer@freebsd.org -PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc -Security notifications: security-notifications@freebsd.org -Security public discussion: security@freebsd.org - -Notice: Any patches in this document may not apply cleanly due to - modifications caused by digital signature or mailer software. - Please reference the URL listed at the top of this document - for original copies of all patches if necessary. -============================================================================= - ------BEGIN PGP SIGNATURE----- -Version: 2.6.2 - -iQCVAwUBMeXtDFUuHi5z0oilAQG7zAP/ZfgIUqi+yBcLTBhoRh0bAeB9GJNlppF/ -rqLtJUdBpDTELjjdE21b+510Uv3j1n9/xKiXgcFRcyV0BuUTyJGA+KbOHAuy5EjZ -3AyoIHC3bAhydQIvDYl9N3RbaH/xbmG4MZoXtIxI7peo+FbMWwRCsDCjjMggk8x1 -s69nLC+n2iw= -=xA6e ------END PGP SIGNATURE----- |