COMMAND

    periodic

SYSTEMS AFFECTED

    FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE prior to 2000-11-11

PROBLEM

    David Lary found the following.  periodic is a program to run periodic
    system functions.   A vulnerability  was inadvertently  introduced
    into periodic that caused temporary files with insecure file names
    to be used in the system's temporary directory.  This may allow  a
    malicious local user to cause arbitrary files on the system to  be
    corrupted.

    By default, periodic is normally called by cron for daily, weekly,
    and monthly maintenance.   Because these scripts  run as root,  an
    attacker may potentially corrupt any file on the system.

    FreeBSD   4.1-STABLE   after   2000-09-20,   4.1.1-RELEASE,    and
    4.1.1-STABLE prior  to the  correction date  are vulnerable.   The
    problem was corrected prior to the release of FreeBSD 4.2.

    Malicious local users can cause  arbitrary files on the system  to
    be corrupted.
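
    The class of bug described above, as an added example (it is not
    the periodic source or the FreeBSD patch): a guessable temporary
    file name beside one created with mktemp(1), run in a private
    sandbox directory.  The function names, the "periodic." prefix,
    the tag 1234 and the file contents are assumptions made for
    illustration.

```shell
#!/bin/sh
# Added illustration; not the periodic source. Names and contents are constructed.

# Insecure: the name is guessable (fixed prefix + tag such as a PID), and the
# ">" redirection follows whatever already exists at that path, links included.
write_predictable() {
    p_tmp="$1/periodic.$2"
    echo "maintenance output" > "$p_tmp"
    printf '%s\n' "$p_tmp"
}

# Hardened: mktemp(1) chooses an unpredictable name and creates the file
# exclusively with mode 0600, so an existing path is never reused.
write_safe() {
    s_tmp=$(mktemp "$1/periodic.XXXXXX") || return 1
    echo "maintenance output" > "$s_tmp"
    printf '%s\n' "$s_tmp"
}

# Run both writers in a sandbox where the guessable name already exists as a
# link to another file, and report what happened to that file each time.
demo() {
    box=$(mktemp -d) || return 1
    echo "important data" > "$box/data.txt"
    ln -s "$box/data.txt" "$box/periodic.1234"

    write_predictable "$box" 1234 > /dev/null
    [ "$(cat "$box/data.txt")" = "important data" ] && r1=intact || r1=corrupted

    echo "important data" > "$box/data.txt"
    write_safe "$box" > /dev/null
    [ "$(cat "$box/data.txt")" = "important data" ] && r2=intact || r2=corrupted

    rm -rf "$box"
    echo "predictable=$r1 safe=$r2"
}

demo
```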

SOLUTION

    Do  not  allow  periodic  to  be  used  in  untrusted   multi-user
    environments.   Disable  the  normal  periodic  system maintenance
    scripts by either commenting-out or removing the periodic  entries
    in /etc/crontab.

    Patch:

        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch