Subject: *READ THIS* snapshot fixes security hole *READ THIS*
To: None <current-users@NetBSD.ORG, netbsd-users@NetBSD.ORG, port-i386@NetBSD.ORG>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: port-i386
Date: 08/29/1995 06:58:41
Re the recent 8LGM advisory about a severe security hole involving a buffer
overrun in syslog(3) on essentially all modern Unix and Unix-like systems --

By 9AM a set of -current binaries for the i386 should be available which fix
the specific problem the 8LGM advisory addresses, and one other related
problem which we noticed while reading the code after receiving the 8LGM
advisory.  You can get them from ftp.wasabi.com.

Be aware that some of us who've looked at the problem think there may well be
some number of similar problems elsewhere in libc and in other libraries; these
problems, if they exist, are probably in a great number of other operating
systems as well.  I'll be preparing binary snapshots as other holes are found
and fixed, and making source patches available.

I will try to make a (somewhat awkward) binary patch kit for NetBSD/i386 1.0
available as well, probably by a bit later this morning.

Perry Metzger should be sending a (unpretty) patch to libc/gen/syslog.c to
this list either as I write this or sometime soon; we hope that the core
team will integrate it as soon as they're awake. :-)  Applying this patch and
doing a *complete* build and install will fix your problem; you could also
try to just rebuild libc and any statically-linked executables that use
syslog(), but that's likely to be confusing and you _don't_ want to screw up.

You can get the binaries from ftp.wasabi.com.  This is *not* any kind of
official core team snapshot or release, and anything that's broken is my
fault.  I'm doing this snapshot to try to help other NetBSD users avoid
getting burned -- the 8LGM advisory is not an explicit how-to, but a quick
examination of the code is all that's really needed to see how to exploit this
hole.

Many thanks to John Hawkinson at MIT, Perry Metzger (like me, at Wasabi) and
Eric Volpe and Alexis Rosen at Panix for the skull sweat to come up with the
syslog.c patch and make sure it works.  No thanks at all to programmers who
shove external data through sprintf() and friends -- !

Thor

P.S. Anyone distributing statically-linked binaries should relink them ASAP.
     Packages containing statically-linked binaries should probably get pulled
     from the FTP site until their creators can relink them or ensure that they
     don't use syslog(3).
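The bug class behind this advisory is formatting caller-supplied data into a fixed-size buffer with sprintf(), so that a long message writes past the end of the buffer. The following C example is added here for illustration and is not code from Thor's post or from NetBSD's syslog.c: it shows the vulnerable pattern only as a comment, and a bounded formatter built on vsnprintf() that reports truncation instead of overrunning. The buffer size, the ident string and the check helper are constructed for this example.

```c
/* Added example, not part of the original post or of NetBSD's libc. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 64   /* constructed, deliberately small so truncation is easy to see */

/* The vulnerable pattern the advisory is about (shown, never executed):
 *
 *     char buf[LOGBUF];
 *     sprintf(buf, "%s: %s", ident, msg);   // msg comes from outside, no bound
 *
 * Any msg longer than the remaining space in buf writes past its end. */

/* Bounded formatter: vsnprintf() never writes more than n bytes (NUL included)
 * and returns the length the full message would have needed, so the caller can
 * detect truncation. Returns true if the whole line fit, false if truncated. */
bool format_log_line(char *buf, size_t n, const char *ident, const char *fmt, ...)
{
    int needed;
    size_t pos;
    va_list ap;

    if (n == 0)
        return false;
    needed = snprintf(buf, n, "%s: ", ident);
    if (needed < 0) { buf[0] = '\0'; return false; }
    if ((size_t)needed >= n)
        return false;                   /* the ident prefix alone filled the buffer */
    pos = (size_t)needed;

    va_start(ap, fmt);
    needed = vsnprintf(buf + pos, n - pos, fmt, ap);
    va_end(ap);
    if (needed < 0) { buf[pos] = '\0'; return false; }
    return (size_t)needed < n - pos;    /* false means the message was cut short */
}

/* Self-check helper (constructed): formats a message of `len` 'A' bytes into a
 * LOGBUF buffer surrounded by canary bytes. Returns 1 if the line fit and the
 * canaries are intact, 0 if it was truncated with canaries intact, and -1 if
 * anything was written outside the buffer or the result is unterminated. */
int check_overrun(size_t len)
{
    struct { char before[8]; char buf[LOGBUF]; char after[8]; } s;
    char msg[256];
    bool fit;
    size_t i;

    if (len >= sizeof msg)
        len = sizeof msg - 1;
    memset(msg, 'A', len);
    msg[len] = '\0';
    memset(s.before, 0x5a, sizeof s.before);
    memset(s.after, 0x5a, sizeof s.after);

    /* "sshd" is a constructed ident; the message stands in for external input */
    fit = format_log_line(s.buf, sizeof s.buf, "sshd", "%s", msg);

    for (i = 0; i < sizeof s.before; i++)
        if (s.before[i] != 0x5a || s.after[i] != 0x5a)
            return -1;
    if (strlen(s.buf) >= sizeof s.buf)
        return -1;
    return fit ? 1 : 0;
}

int main(void)
{
    printf("10-byte message:  %d (1 = fit)\n", check_overrun(10));
    printf("200-byte message: %d (0 = truncated, no overrun)\n", check_overrun(200));
    return 0;
}
```

The prefix "sshd: " takes 6 of the 64 bytes, so a 57-byte message is the longest that fits with its terminator; anything longer is truncated but the bytes on either side of the buffer are untouched, which is exactly the property the patched syslog.c needs and the sprintf() version lacks.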