From security-advisories@freebsd.org Wed Jan 31 21:39:55 2001 From: FreeBSD Security Advisories To: BUGTRAQ@SECURITYFOCUS.COM Date: Mon, 29 Jan 2001 13:19:19 -0800 Subject: [BUGTRAQ] FreeBSD Security Advisory: FreeBSD-SA-01:13.sort -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:13 Security Advisory FreeBSD, Inc. Topic: sort uses insecure temporary files Category: core Module: sort Announced: 2001-01-29 Credits: Discovered during internal auditing Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases prior to 4.2), FreeBSD 3.5-STABLE prior to the correction date. Corrected: 2000-11-11 (FreeBSD 4.1.1-STABLE) 2001-01-01 (FreeBSD 3.5-STABLE) FreeBSD only: NO I. Background sort(1) is a program to sort lines of text. It is externally maintained, contributed software which is included in FreeBSD by default. II. Problem Description During internal auditing, sort(1) was found to use easily predictable temporary file names. It does create these temporary files correctly such that they cannot be "subverted" by a symlink attack, but the program will abort if the temporary filename chosen is already in use. This allows an attacker to cause the sort(1) command to abort, which may have a cascade effect on other scripts which make use of it (such as system management and reporting scripts). For example, it may be possible to use this failure mode to hide the reporting of malicious system activity which would otherwise be detected by a management script. All released versions of FreeBSD prior to the correction date including FreeBSD 3.5.1 and FreeBSD 4.1.1 are vulnerable. The problem was corrected prior to the release of FreeBSD 4.2. III. Impact Attackers can cause the operation of sort(1) to fail, possibly disrupting aspects of system operation. IV. Workaround None appropriate. V. Solution One of the following: Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE, 4.2-RELEASE, or 4.2-STABLE after the correction date. To patch your present system: download the relevant patch from the below location, and execute the following commands as root: [FreeBSD 4.1.1 base system] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch.asc Verify the detached PGP signature using your PGP utility. # cd /usr/src/gnu/usr.bin/sort # patch -p < /path/to/patch # make depend && make all install [FreeBSD 3.5.1 base system] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch.asc Verify the detached PGP signature using your PGP utility. # cd /usr/src/gnu/usr.bin/sort # patch -p < /path/to/patch # make depend && make all install -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOnXd6VUuHi5z0oilAQF0XAP/d2M9nevTRLhEqTzutYfj2Whxxm1P8HgW 1hRPi3n3r9I7m9cBCjree6N33CRJoa0pdKovL5OgC04AWdRSKhfVHsLJYQz41Vi2 tfqfZCTdhCWmwx9TGeVek9Pk3OrUIwhfzg+YBqX+ioQYaenB+25FHK1cigmXdeWp UZWDyGlrmyM= =vOx+ -----END PGP SIGNATURE-----