COMMAND

    libmytinfo (ncurses)

SYSTEMS AFFECTED

    FreeBSD 3.x before 2000-04-25

PROBLEM

    Following is based  on FreeBSD Security  Advisory.  libmytinfo  is
    part of ncurses, a  text-mode display library.   libmytinfo allows
    users  to  specify  an  alternate  termcap  file  or entry via the
    TERMCAP  environment  variable,  however   this  is  not   handled
    securely and contains a overflowable buffer inside the library.

    This is  a security  vulnerability for  binaries which  are linked
    against libmytinfo and which are  setuid or setgid (i.e. run  with
    elevated privileges).   It may  also be  a vulnerability  in other
    more obscure situations  where a user  can exert control  over the
    environment with which an ncurses binary is run by another user.

    FreeBSD  3.x  and  earlier  versions  use  a  very old, customized
    version of ncurses which  is difficult to update  without breaking
    backwards-compatibility.   The update  was made  for FreeBSD  4.0,
    but it is unlikely that 3.x will be updated.  However, the ncurses
    source is currently being audited for further vulnerabilities.

    Certain  setuid/setgid  third-party  software  (including  FreeBSD
    ports/packages)  may  be  vulnerable  to  a local exploit yielding
    privileged  resources,   such  as   network  sockets,   privileged
    filesystem access, or outright privileged shell access  (including
    root access).   FreeBSD 4.0 and  above are NOT  vulnerable to this
    problem.

SOLUTION

    Remove  any  setuid  or  setgid  binary  which  is  linked against
    libmytinfo  (including  statically  linked),  or  remove set[ug]id
    privileges  from   the  file   as  appropriate.    The   following
    instructions will  identify the  binaries installed  on the system
    which are candidates for  removal or removal of  file permissions.
    Since there may  be other as  yet undiscovered vulnerabilities  in
    libmytinfo it  may be  wise to  perform this  audit regardless  of
    whether or  not you  upgrade your  system as  described below.  In
    particular, see the note regarding static linking below.

    Of course, it is possible that some of the identified files may be
    required for the correct operation of your local system, in  which
    case there is no clear  workaround except for limiting the  set of
    users who  may run  the binaries,  by an  appropriate use  of user
    groups and removing the "o+x" file permission bit.

        1) Download the 'libfind.sh' script from
           ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh

        2) Verify the md5 checksum and compare to the value below:
           # /sbin/md5 libfind.sh
           MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b

        3) Run the libfind script against your system:
           # sh libfind.sh /

           This will  scan  your  entire  system  for setuid or setgid
           binaries which are linked against libmytinfo. Each returned
           binary should be examined (e.g. with  'ls -l' and/or  other
           tools) to  determine  what  security  risk it poses to your
           local environment, e.g. whether it can be run by  arbitrary
           local users  who  may  be  able  to  exploit  it  to   gain
           privileges.

        4) Remove the binaries,  or reduce their file  permissions, as
           appropriate.

    Solution  is  to  upgrade  your  FreeBSD  3.x system to 3.4-STABLE
    after the  correction date,  or patch  your present  system source
    code and rebuild. Then run the libfind script as instructed  above
    and  identify  any  statically-linked  binaries (those reported as
    "STATIC" by the libfind  script). These should either  be removed,
    recompiled, or have privileges  restricted to secure them  against
    this  vulnerability  (since  statically-linked  binaries  will not
    be affected by recompiling the shared libmytinfo library).

    To patch your  present system: save  the patch below  into a file,
    and execute the following commands as root:

        cd /usr/src/lib/libmytinfo
        patch < /path/to/patch/file
        make all
        make install

    Patches for 3.x systems before the resolution date:

    Index: findterm.c
    ===================================================================
    RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v
    retrieving revision 1.3
    diff -u -r1.3 findterm.c
    --- findterm.c	1997/08/13 01:21:36	1.3
    +++ findterm.c	2000/04/25 16:58:19
    @@ -242,7 +242,7 @@
 			    } else {
 				    s = path->file;
 				    d = buf;
    -				while(*s != '\0' && *s != ':')
    +				while(*s != '\0' && *s != ':' && d - buf < MAX_LINE - 1)
 					    *d++ = *s++;
 				    *d = '\0';
 				    if (_tmatch(buf, name)) {
    @@ -259,7 +259,7 @@
 			    } else {
 				    s = path->file;
 				    d = buf;
    -				while(*s != '\0' && *s != ',')
    +				while(*s != '\0' && *s != ',' && d - buf < MAX_LINE - 1)
 					    *d++ = *s++;
 				    *d = '\0';
 				    if (_tmatch(buf, name)) {