Date:      Mon, 14 Oct 1996 20:46:14 -0600 (MDT)
From:      Marc Slemko <marcs@znep.com>
To:        Jason Downs <downsj@teeny.org>
Cc:        freebsd-bugs@freefall.freebsd.org, freebsd-security@freebsd.org
Subject:   Re: bin/1805: Bug in ftpd 
Message-ID:  <Pine.BSF.3.95.961014202639.4318L-100000@alive.ampr.ab.ca>
In-Reply-To: <199610150130.SAA09758@threadway.teeny.org>

[Jason's message was only sent to -bugs; I'm ccing it to -security too
because there was discussion there]

Jason's fix from the OpenBSD source tree follows.  

Since ftpd uses getpwnam which calls endpwent when it is done, the only
other programs that we would need to worry about are those that call
getpwent(3), and there shouldn't be many (if any) programs that do that
and are exploitable.


Index: src/lib/libc/db/hash/hash_buf.c
===================================================================
RCS file: /cvs/src/lib/libc/db/hash/hash_buf.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -c -r1.3 -r1.4
*** hash_buf.c	1996/08/19 08:20:35	1.3
--- hash_buf.c	1996/10/14 22:17:27	1.4
***************
*** 35,41 ****
   */
  
  #if defined(LIBC_SCCS) && !defined(lint)
! static char rcsid[] = "$OpenBSD: hash_buf.c,v 1.3 1996/08/19 08:20:35 tholo Exp $";
  #endif /* LIBC_SCCS and not lint */
  
  /*
--- 35,41 ----
   */
  
  #if defined(LIBC_SCCS) && !defined(lint)
! static char rcsid[] = "$OpenBSD: hash_buf.c,v 1.4 1996/10/14 22:17:27 downsj Exp $";
  #endif /* LIBC_SCCS and not lint */
  
  /*
***************
*** 331,338 ****
  		}
  		/* Check if we are freeing stuff */
  		if (do_free) {
! 			if (bp->page)
  				free(bp->page);
  			BUF_REMOVE(bp);
  			free(bp);
  			bp = LRU;
--- 331,340 ----
  		}
  		/* Check if we are freeing stuff */
  		if (do_free) {
! 			if (bp->page) {
! 				(void)memset(bp->page, 0, hashp->BSIZE);
  				free(bp->page);
+ 			}
  			BUF_REMOVE(bp);
  			free(bp);
  			bp = LRU;
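Review bot: the new memset zeroes hashp->BSIZE bytes of bp->page, but the allocation of bp->page is not in this hunk, so the reviewer should confirm every page buffer is allocated at least BSIZE bytes; otherwise the scrub overruns the heap block. Two further caveats apply to what is visible here: the zeroing happens only on the do_free path, so pages still resident in the buffer pool keep their contents and would still land in a core file, which narrows the exposure rather than removing it; and a memset whose target is freed on the very next line is a dead store that an optimizing compiler is entitled to elide, so if the scrub must be guaranteed, call it through a volatile function pointer or a routine the compiler cannot see into.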



On Mon, 14 Oct 1996, Jason Downs wrote:

> In message <199610141820.LAA14810@freefall.freebsd.org>,
> 	Marc Slemko writes:
> >The following reply was made to PR bin/1805; it has been noted by GNATS.
> >
> >From: Marc Slemko <marcs@znep.com>
> >To: rkozak@bdk.lublin.pl
> >Cc: freebsd-gnats-submit@freebsd.org
> >Subject: Re: bin/1805: Bug in ftpd
> >Date: Mon, 14 Oct 1996 12:11:11 -0600 (MDT)
> >
> > On Mon, 14 Oct 1996 rkozak@bdk.lublin.pl wrote:
> > 
> > > While user is connected to server via ftp, the process ftpd is owned
> > > by this user. When ftpd is abnormally terminated (e.g. kill -11 <ftpd-id>)
> > > the memory image of this process is written to the file ftpd.core in the home dir.
> > > This file contains the encrypted passwords of all users on this machine.
> > 
> > That isn't nice.  I don't think it will contain the passwords of all the
> > users, just a certain subset of them.  This is also a problem with older
> > versions of wuftpd, but the latest beta seems to be fine, although I'm not
> > sure if that is just a fluke or by design. There are several possible
> > fixes, but for those that need a temporary fix ASAP, a workaround follows. 
> > There should be no security problems with this, but there could be
> > something I'm missing.
> 
> I don't think disabling core dumps is a very clean or effective fix for this
> problem.  a.) the problem is potentially wide spread, and b.) is caused by
> the design (limitations) of the DB library.
> 
> The problem was killed by making essentially a one line change in the OpenBSD 
> source tree.  A slight performance hit is exchanged for greater overall 
> security.
> 
> 
> -- 
> Jason Downs		   (503) 256-8535 -/- (503) 952-3749
> downsj@teeny.org  --> teeny.org: Free Software for a Free Internet <--
> 			     http://www.teeny.org/
> 	     OpenBSD: The BSD with a soul.  http://www.openbsd.org/
> 
> 
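As an added example, not code from the OpenBSD patch above or from FreeBSD's ftpd, the following C program shows the defensive pattern the patch applies (zeroing a DB page before it is freed) in a form an optimizing compiler cannot discard, next to the core-dump-disabling workaround the thread refers to. BSIZE, the passwd-style record and its fake hash are constructed here and stand in for hashp->BSIZE and real password-database contents; scrub, scrub_free, region_contains, make_page_with_record and disable_core_dumps are names chosen for this example only.

```c
/* Added example: scrub a heap page before free() so freed copies of passwd
 * records cannot survive into a core file, plus the setrlimit() workaround.
 * The page size and the record below are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

#define BSIZE 4096   /* assumed DB page size; stands in for hashp->BSIZE */

/* memset() reached through a volatile function pointer: the compiler cannot
 * prove the call is side-effect free, so it cannot drop the zeroing as a
 * dead store just because the buffer is freed immediately afterwards. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

void scrub(void *p, size_t n)
{
    secure_memset(p, 0, n);
}

/* Free a page the way the patch does, but with an un-elidable memset. */
void scrub_free(void *page, size_t n)
{
    if (page != NULL) {
        scrub(page, n);
        free(page);
    }
}

/* Does the region contain the byte string needle?  Mimics what a core-file
 * reader would find by searching process memory. */
int region_contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t len = strlen(needle);
    if (len == 0 || len > n)
        return 0;
    for (size_t i = 0; i + len <= n; i++)
        if (memcmp(buf + i, needle, len) == 0)
            return 1;
    return 0;
}

/* Build a page holding one constructed passwd-style record (fake hash). */
unsigned char *make_page_with_record(void)
{
    unsigned char *page = calloc(1, BSIZE);
    if (page == NULL)
        return NULL;
    const char *record =
        "alice:$2a$EXAMPLE-NOT-A-REAL-HASH:1001:1001:Alice:/home/alice:/bin/sh";
    memcpy(page + 128, record, strlen(record));  /* somewhere inside the page */
    return page;
}

/* Returns 1 if the hash text is present before scrubbing and gone after. */
int scrub_removes_secret(void)
{
    unsigned char *page = make_page_with_record();
    if (page == NULL)
        return 0;
    int before = region_contains(page, BSIZE, "EXAMPLE-NOT-A-REAL-HASH");
    scrub(page, BSIZE);
    int after = region_contains(page, BSIZE, "EXAMPLE-NOT-A-REAL-HASH");
    free(page);
    return before == 1 && after == 0;
}

/* The workaround discussed in the thread: no core files for this process.
 * Returns 1 when both the soft and hard RLIMIT_CORE limits read back as 0. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

int main(void)
{
    printf("scrub removes hash text: %s\n", scrub_removes_secret() ? "yes" : "no");
    printf("core dumps disabled:     %s\n", disable_core_dumps() ? "yes" : "no");
    unsigned char *page = make_page_with_record();
    scrub_free(page, BSIZE);
    return 0;
}
```

The two measures are complementary: the scrub keeps a freed page from carrying password material, while the RLIMIT_CORE setting keeps a crash from writing whatever is still live in the buffer pool to disk, which the patch alone does not address.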



