COMMAND

    mount_union / mount_msdos (vfsload)

SYSTEMS AFFECTED

    FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current

PROBLEM

    A bug was  found in the  vfsload(3) library call  that affects all
    versions of  FreeBSD from  2.0 through  2.2-CURRENT that  caused a
    system  vulnerability.   This  problem  is  present  in all source
    code  and  binary  distributions  of  FreeBSD version 2.x released
    before 1996-05-18.

    The  FreeBSD  project  is  aware   of  active  exploits  of   this
    vulnerability.

    All FreeBSD users  are encouraged to  use the workaround  provided
    until they  can update  their operating  system to  a version with
    this vulnerability fixed.

    The  mount_union  and  mount_msdos  programs invoke another system
    utility in an insecure fashion while setuid root.

    The  problem  could  allow   local  users  to  gain   unauthorized
    permissions.

    This vulnerability  can only  be exploited  by users  with a valid
    account on the local system.

SOLUTION

    Update operating system sources and binaries to FreeBSD 2.1-stable
    or FreeBSD  2.2-current as  distributed later  than 1996-05-18  or
    if  you  are  currently  running  2.1  or later, you may apply the
    solution patches available  at the URL  listed at the  top of this
    message.

    The OS updates  fix the actual  problem in the  vfsload(3) library
    routine.   Once  the  vfsload()  library  routine  is  fixed,  the
    workaround listed below  is not necessary  to solve this  problem.
    However,  an  additional  stability  problem  has  come  to  light
    (ref.  FreeBSD   SA-96:10)  so   the  FreeBSD   project   suggests
    using both the setuid workaround and the solution for best results.

    This vulnerability can quickly  and easily be limited  by removing
    the setuid  permission bit  from the  mount_union and  mount_msdos
    program.  This  workaround will work  for all versions  of FreeBSD
    affected by this problem.

    As root, execute the command:

        % chmod u-s /sbin/mount_union /sbin/mount_msdos

    then verify  that the  setuid permissions  of the  files have been
    removed.   The  permissions  array  should  read  "-r-xr-xr-x"  as
    shown here:

   % ls -l /sbin/mount_union /sbin/mount_msdos
     -r-xr-xr-x  1 root  bin  151552 Apr 26 04:41 /sbin/mount_msdos
     -r-xr-xr-x  1 root  bin   53248 Apr 26 04:40 /sbin/mount_union