COMMAND

    libedit

SYSTEMS AFFECTED

    those using libedit

PROBLEM

    Following is based on a  FreeBSD Security Advisory.  libedit  is a
    library  of  routines  for  providing  command editing and history
    retrieval   for   interactive   command-oriented   programs.   Tim
    Vanderhoek found this originally.

    libedit  incorrectly  reads  an  ".editrc"  file  in  the  current
    directory if it exists,  in order to specify  configurable program
    behaviour.  However it does  not check for ownership of  the file,
    so  an  attacker  can  cause  a  libedit  application  to  execute
    arbitrary  key  rebindings  and  exercise terminal capabilities by
    creating an .editrc  file in a  directory from which  another user
    executes a libedit  binary (e.g. root  running ftp(1) from  /tmp).
    This  can  be  used  to  fool  the user into unknowingly executing
    program  commands  which  may  compromise  system  security.   For
    example, ftp(1)  includes the  ability to  escape to  a shell  and
    execute a command, which can be done under libedit control.

    The supplied patch  removes this behaviour  and causes libedit  to
    only search for  its configuration file  in the home  directory of
    the  user,  if  it  exists  and  the  binary  is  not running with
    increased privileges (i.e. setuid or setgid).

    An attacker can cause a user to execute arbitrary commands  within
    a program which is run from a directory to which the attacker  has
    write access, potentially leading  to system compromise if  run as
    a privileged user (such as root).

SOLUTION

    FreeBSD  3.5-RELEASE  is  not  affected  by  this   vulnerability,
    although 4.0-RELEASE is affected since the problem was  discovered
    after it was released.

    Do not interactively run utilities which link against libedit from
    directories which can be written  to by other users.   To identify
    utilities  which  link  dynamically  against libedit, download the
    libfind tool and detached PGP signature as follows:

        # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh
        # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh.asc

    Verify the  detached signature  using your  PGP utility.   Run the
    libfind.sh tool as root, as follows:

        # sh libfind.sh libedit /

    Note  that  it  is  not  feasible  to  locate utilities which link
    statically  against  libedit  since  there  are  no common strings
    embedded in such binaries.   However the following is believed  to
    be a complete  list of statically  and dynamically linked  FreeBSD
    system utilities which link against the library:

        /bin/sh
        /sbin/fsdb
        /usr/bin/ftp
        /usr/sbin/cdcontrol
        /usr/sbin/lpc
        /usr/sbin/nslookup
        /usr/sbin/pppctl

    Because libedit is not a portable library in common use there  are
    unlikely to be  many FreeBSD ports  which link statically  against
    it:  no such ports are known at this time.

    Solution is one of the following:

        1) Upgrade your vulnerable system to a version dated after the
           correction date (2000-05-22)
        2) Save  the advisory  into a  file or  download the patch and
           detached PGP signature:

        # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch
        # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch.asc

           Verify the detached PGP  signature using your PGP  utility.
           Apply the patch and rebuild as follows:

           # cd /usr/src/lib/libedit
           # patch -p < /path/to/patch/or/advisory

           and rebuild your system as described FreeBSD Handbook.

--- el.c	1999/08/20 01:17:12	1.6
+++ el.c	2000/05/22 05:55:22	1.7
@@ -290,13 +294,10 @@
     char *ptr, path[MAXPATHLEN];

     if (fname == NULL) {
-	fname = &elpath[1];
-	if ((fp = fopen(fname, "r")) == NULL) {
-	    if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
-		return -1;
-	    (void)snprintf(path, sizeof(path), "%s%s", ptr, elpath);
-	    fname = path;
-	}
+	if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
+	    return -1;
+	(void) snprintf(path, sizeof(path), "%s%s", ptr, elpath);
+	fname = path;
     }

     if ((fp = fopen(fname, "r")) == NULL)