current-users: NetBSD Security Advisory 2000-015

Subject: NetBSD Security Advisory 2000-015
To: None <netbsd-announce@netbsd.org>
From: None <security-officer@netbsd.org>
List: current-users
Date: 10/26/2000 19:34:27
-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-015
                 =================================

Topic:		format-string bugs in passwd/libutil
Version:	all releases up to and including 1.4.2
Severity:	local root compromise possible
Fixed:		2000/10/03 in -current and netbsd-1-5 branches
		2000/10/04 in netbsd-1-4 branch.
		fix will be in the 1.4.3 and 1.5 releases

Abstract
========

The pw_error() function of the system libutil library, used by several
programs including the setuid passwd program, was vulnerable to a
format string attack.


Technical Details
=================

pw_error passed its first argument to the warn(3) function, which
interprets its first argument as a format string.  in certain
circumstances, passwd(1) passes a value derived from untrusted user
input to pw_error().


Solutions and Workarounds
=========================

The problem was fixed in NetBSD-current on 2000/10/03; systems running
NetBSD-current dated from before that date should be upgraded to
NetBSD-current dated 2000/10/04 or later.  The two active release
branches were both fixed by 2000/10/05.

Systems running releases older than NetBSD 1.4 should be upgraded to
NetBSD 1.4.2 before applying the fixes described here.

Systems running 1.4.2 should apply the following patch to
lib/libutil/passwd.c usign the patch(1), and rebuild and reinstall the
"libutil" library.  On systems which do not support shared libraries,
you should then rebuild and reinstall the "passwd" command.

- --- lib/libutil/passwd.c    1999/12/04 20:00:55     1.15.2.1
+++ lib/libutil/passwd.c    2000/10/04 14:11:02     1.15.2.2
@@ -319,7 +319,7 @@
        int err, eval;
 {
        if (err)
- -               warn(name);
+               warn("%s", name);
 
        warnx("%s: unchanged", _PATH_MASTERPASSWD);
        pw_abort();

Revision History
================

	20001024	Initial draft of advisory.


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-015.txt,v 1.3 2000/10/26 15:22:01 sommerfeld Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOfhMIT5Ru2/4N2IFAQFsPQP+P0d5nzIuDDlXFeS/8Oksb91uGaGoPrZl
sd2JASfLXcgPAemQVLzuAqNsJwxjcDpKlwvbDUrySSrvi4FxJ8scjlUl4g7XCf3G
MfY/NqB2bfoLJIUv3PT3Vx/bHi5rYodu4uqopXQZwWg/PfmXEa0LRgDk/UOuxoNC
+yq0nhXqsOE=
=iNoz
-----END PGP SIGNATURE-----