ESB-2001.045 -- FreeBSD-SA-01:13.sort -- sort uses insecure temporary files

Date: 01 February 2001

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2001.045 -- FreeBSD-SA-01:13.sort
                    sort uses insecure temporary files
                              1 February 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                sort
Vendor:                 FreeBSD
Operating System:       FreeBSD
                        BSD
                        Unix
Impact:                 Reduced Security
                        Denial of Service
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:13                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          sort uses insecure temporary files

Category:       core
Module:         sort
Announced:      2001-01-29
Credits:        Discovered during internal auditing
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases
                prior to 4.2), FreeBSD 3.5-STABLE prior to the
                correction date.
Corrected:      2000-11-11 (FreeBSD 4.1.1-STABLE)
                2001-01-01 (FreeBSD 3.5-STABLE)
FreeBSD only:   NO

I.   Background

sort(1) is a program to sort lines of text.  It is externally
maintained, contributed software which is included in FreeBSD by
default.

II.  Problem Description

During internal auditing, sort(1) was found to use easily predictable
temporary file names.  It does create these files safely, so that an
existing file or symlink planted at the chosen name cannot be used to
"subvert" the write (the open fails rather than following it), but when
that open fails because the name is already in use the program simply
aborts instead of trying another name.  Any local user who can predict
the name can therefore pre-create it and cause the sort(1) invocation
to fail, which may have a cascade effect on other scripts that depend
on it (such as system management and reporting scripts).  For example,
it may be possible to use this failure mode to suppress the reporting
of malicious system activity which would otherwise be detected by a
management script.

All released versions of FreeBSD prior to the correction date including
FreeBSD 3.5.1 and FreeBSD 4.1.1 are vulnerable.  The problem was
corrected prior to the release of FreeBSD 4.2.
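The failure mode described above, as an added example that is not code from the advisory, from FreeBSD, or from sort(1) itself.  The PID-derived naming scheme (`sort<pid>.0`), the sandbox directory and the function names are assumptions made for illustration; the "attacker" is simulated from inside the same process so the example runs stand-alone.  The vulnerable pattern opens with O_EXCL (so a planted symlink cannot redirect the write) but treats the first EEXIST as fatal; the hardened pattern beside it uses mkstemp(3), which picks an unpredictable suffix and retries on collision.

```c
/* Added example, not part of FreeBSD-SA-01:13 or of sort's source.
 * Models a temp file whose name is derived only from the caller's PID
 * (assumed scheme), opened with O_EXCL, versus the same via mkstemp(3). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum { OLD_OK = 1, OLD_DENIED = 2, NEW_OK = 4 };

/* Hypothetical predictable scheme: anyone who can read the process table
 * can compute the victim's temporary file name in advance. */
static int predictable_name(char *buf, size_t len, const char *dir, pid_t pid)
{
    int n = snprintf(buf, len, "%s/sort%ld.0", dir, (long)pid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Vulnerable pattern: O_CREAT|O_EXCL defeats symlink substitution, but a
 * collision (EEXIST) is treated as fatal.  Returns an fd or -1 (errno set). */
static int open_temp_predictable(const char *dir, pid_t pid)
{
    char name[PATH_MAX];
    if (predictable_name(name, sizeof name, dir, pid) != 0) { errno = ENAMETOOLONG; return -1; }
    int fd = open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;          /* EEXIST here is the denial of service */
    unlink(name);           /* anonymous once open; gone when closed */
    return fd;
}

/* Hardened pattern: mkstemp(3) fills XXXXXX with an unpredictable suffix,
 * opens with O_EXCL itself, and keeps trying new names on EEXIST. */
static int open_temp_mkstemp(const char *dir)
{
    char tmpl[PATH_MAX];
    int n = snprintf(tmpl, sizeof tmpl, "%s/sortXXXXXX", dir);
    if (n <= 0 || (size_t)n >= sizeof tmpl) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);
    return fd;
}

/* The local attacker: pre-create the exact name the victim will ask for. */
static int attacker_squat(const char *dir, pid_t victim)
{
    char name[PATH_MAX];
    if (predictable_name(name, sizeof name, dir, victim) != 0) return -1;
    int fd = open(name, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Private scratch directory: /tmp, falling back to the working directory. */
static int make_sandbox(char *dir, size_t len)
{
    snprintf(dir, len, "/tmp/sortdemo.XXXXXX");
    if (mkdtemp(dir) != NULL) return 0;
    snprintf(dir, len, "./sortdemo.XXXXXX");
    return mkdtemp(dir) != NULL ? 0 : -1;
}

/* Run both schemes in a fresh directory, with or without the attacker
 * squatting the predictable name first.  Returns a bitmask of
 * OLD_OK / OLD_DENIED / NEW_OK, or -1 if the sandbox could not be set up. */
int run_scenario(int attacked)
{
    char dir[PATH_MAX];
    if (make_sandbox(dir, sizeof dir) != 0)
        return -1;
    pid_t me = getpid();
    int result = 0;

    if (attacked && attacker_squat(dir, me) != 0) { rmdir(dir); return -1; }

    int fd_old = open_temp_predictable(dir, me);
    int old_errno = errno;
    if (fd_old >= 0) { result |= OLD_OK; close(fd_old); }
    else if (old_errno == EEXIST) result |= OLD_DENIED;

    int fd_new = open_temp_mkstemp(dir);   /* succeeds either way */
    if (fd_new >= 0) { result |= NEW_OK; close(fd_new); }

    char squat[PATH_MAX];                  /* remove the planted file, if any */
    if (predictable_name(squat, sizeof squat, dir, me) == 0) unlink(squat);
    rmdir(dir);
    return result;
}

int main(void)
{
    int quiet = run_scenario(0), attacked = run_scenario(1);
    printf("unattacked: old=%s new=%s\n", (quiet & OLD_OK) ? "ok" : "failed",
           (quiet & NEW_OK) ? "ok" : "failed");
    printf("squatted:   old=%s new=%s\n", (attacked & OLD_DENIED) ? "denied (EEXIST)" : "ok",
           (attacked & NEW_OK) ? "ok" : "failed");
    return (quiet == (OLD_OK | NEW_OK) && attacked == (OLD_DENIED | NEW_OK)) ? 0 : 1;
}
```

Two independent properties are in play: O_EXCL, which the old sort(1) already had, protects the integrity of the output against symlink substitution; an unpredictable name plus retry on collision, which mkstemp(3) provides, protects availability.  The FreeBSD patch referenced below addresses the second; this example does not reproduce that patch.  GNU sort of that era also honoured -T and $TMPDIR, so pointing them at a directory of mode 0700 denied other local users the ability to pre-create the name, although the advisory itself lists no workaround as appropriate.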

III. Impact

A local attacker can cause any sort(1) invocation whose temporary file
name they can predict to fail, possibly disrupting aspects of system
operation that depend on it.

IV.  Workaround

None appropriate.

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE,
4.2-RELEASE, or 4.2-STABLE after the correction date.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.1.1 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install

[FreeBSD 3.5.1 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXd6VUuHi5z0oilAQF0XAP/d2M9nevTRLhEqTzutYfj2Whxxm1P8HgW
1hRPi3n3r9I7m9cBCjree6N33CRJoa0pdKovL5OgC04AWdRSKhfVHsLJYQz41Vi2
tfqfZCTdhCWmwx9TGeVek9Pk3OrUIwhfzg+YBqX+ioQYaenB+25FHK1cigmXdeWp
UZWDyGlrmyM=
=vOx+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOnlTqSh9+71yA2DNAQG8jgQAmj1jdUfpfnBJ3afRsTFy0D4ko/pBo+RH
zipIcC0N9iBsb66oe8UBYpNUA6kxEHRbtwbqP8NQpgUgB2Qli3C43IfS8oOmkNzY
wKYQDhxLilGcOY5v5gjVdOfA82gxkyFNVoMBm04iQBuyY1CsROy07Dh6KLwcoFIG
5rFLW+WIbOM=
=uxcP
-----END PGP SIGNATURE-----