COMMAND
mopd
SYSTEMS AFFECTED
OpenBSD 2.7, NetBSD 1.4.2, FreeBSD
PROBLEM
Matt Power found the following. The mopd (Maintenance Operations
Protocol loader daemon) implementation in OpenBSD 2.7 and NetBSD
1.4.2 includes a step in which the daemon receives a file name
from a client elsewhere on the network. Matt found one point at
which the client can overflow a buffer in the server by sending a
long file name. Also, he found two points at which the server
uses the client-supplied file name directly as part of a format
string in a syslog(3) function call (this is potentially
problematic if the file name contains any % characters).
Matt reported these issues to the OpenBSD and NetBSD security
contact addresses at 00:04 UTC on 29 June 2000. He received a
reply from the OpenBSD project at 00:15 UTC on 29 June, and a
reply from the NetBSD Project at 03:05 UTC on 29 June.
There are other versions of mopd that you might be using.
Download locations include:
ftp://ftp.redhat.com/pub/redhat/powertools/6.2/i386/SRPMS/mopd-linux-2.5.3-4.src.rpm
ftp://ftp.stacken.kth.se/pub/OS/NetBSD/mopd/mopd-linux-2.5.3.tar.gz
ftp://linux-vax.sourceforge.net/pub/linux-vax/tools/misc/mopd-linux.tar.gz
Matt suspects that currently all of these are vulnerable versions.
To check for the buffer-overflow problem yourself, look at the
function mopProcessDL in the file process.c. Older versions of
the code declare a 17-character buffer named pfile, and rely
directly on a value of tmpc (an unsigned char value obtained over
the network from the client) to determine how much data to write
into this buffer, regardless of whether the buffer is smaller
than tmpc. To check for the syslog problem, look for
"syslog(LOG_INFO, line);".
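
The two checks above, shown in hardened form as an added example in C (not code from mopd or from the original advisory): the length byte is validated against a 17-byte pfile before copying, and the name is passed to syslog(3) as an argument rather than as the format string. The function names, the one-length-byte packet layout and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define PFILE_SIZE 17  /* size of pfile as given in the advisory */

/* Constructed sample inputs: one length byte (tmpc), then the name bytes. */
static const unsigned char ok_pkt[]    = { 5, 'v', 'm', 'u', 'n', 'x' };
static const unsigned char long_pkt[]  = { 200, 'A', 'A', 'A', 'A' };
static const unsigned char short_pkt[] = { 10, 'a', 'b' };
static const unsigned char pct_pkt[]   = { 4, '%', 's', '%', 'n' };

/* Hypothetical helper: copy the client-supplied name into pfile, which must
 * hold PFILE_SIZE bytes. Returns 0 on success, -1 if the packet is rejected. */
int copy_name(char *pfile, const unsigned char *pkt, size_t pkt_len)
{
    size_t tmpc;
    if (pkt_len < 1)
        return -1;
    tmpc = pkt[0];               /* client-controlled value, 0..255 */
    if (tmpc >= PFILE_SIZE)      /* name plus NUL must fit in pfile */
        return -1;
    if (tmpc > pkt_len - 1)      /* claims more bytes than were received */
        return -1;
    memcpy(pfile, pkt + 1, tmpc);
    pfile[tmpc] = '\0';
    return 0;
}

/* Hypothetical helper: returns the parsed name (static buffer) or NULL. */
const char *parse_and_log(const unsigned char *pkt, size_t pkt_len)
{
    static char pfile[PFILE_SIZE];
    if (copy_name(pfile, pkt, pkt_len) != 0)
        return NULL;
    syslog(LOG_INFO, "%s", pfile);   /* constant format, not syslog(LOG_INFO, pfile) */
    return pfile;
}

int main(void)
{
    puts(parse_and_log(ok_pkt, sizeof ok_pkt) ? "accepted" : "rejected");
    puts(parse_and_log(long_pkt, sizeof long_pkt) ? "accepted" : "rejected");
    puts(parse_and_log(short_pkt, sizeof short_pkt) ? "accepted" : "rejected");
    puts(parse_and_log(pct_pkt, sizeof pct_pkt) ? "accepted" : "rejected");
    return 0;
}
```

The last sample passes the length check yet contains % characters, which is why the bounds check and the syslog fix are needed independently.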
SOLUTION
An OpenBSD 2.7 security advisory was issued on 5 July - see
http://www.openbsd.org/security.html#27
http://www.openbsd.org/errata.html#mopd
Patches for NetBSD have also been written -- you may wish to look
at
http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c
For FreeBSD, deinstall the old package and install a new package
dated after the correction date, obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/mopd-1.2b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/mopd-1.2b.tgz
For RedHat:
ftp://updates.redhat.com/powertools/6.2/sparc/mopd-linux-2.5.3-15.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/mopd-linux-2.5.3-15.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/i386/mopd-linux-2.5.3-15.i386.rpm
ftp://updates.redhat.com/powertools/6.2/SRPMS/mopd-linux-2.5.3-15.src.rpm
Conectiva Linux does not ship mopd.