COMMAND

    healthd

SYSTEMS AFFECTED

    Ports collection before 2000-03-25

PROBLEM

    The following is based on a FreeBSD Security Advisory.  healthd is a
    small  utility  for  monitoring  the  temperature,  fan  speed and
    voltage levels of certain  motherboards.  healthd v0.3  installs a
    utility  which  is  setuid  root  in  order  to monitor the system
    status.   This utility  contains a  trivial buffer  overflow which
    allows an  unprivileged local  user to  obtain root  privileges on
    the system.

    The healthd port is not installed  by default, nor is it "part  of
    FreeBSD" as  such: it  is part  of the  FreeBSD ports  collection,
    which   contains   over   3200   third-party   applications  in  a
    ready-to-install  format.  The   ports  collection  shipped   with
    FreeBSD 4.0 contains  this problem since  it was discovered  after
    the release.

    FreeBSD makes  no claim  about the  security of  these third-party
    applications, although an effort is underway to provide a security
    audit of the most security-critical ports.

    A  local  user  can  obtain   root  privileges  by  exploiting   a
    vulnerability in the healthd utility.   If you have not chosen  to
    install  the  healthd  port/package,  then  your  system  is   not
    vulnerable.

SOLUTION

    - Remove the healthd port, if you have installed it
    - Upgrade your entire ports collection and rebuild the healthd port
    - Reinstall a new package dated after the correction date, obtained from:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/sysutils/healthd-0.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-3-stable/sysutils/healthd-0.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/healthd-0.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/sysutils/healthd-0.3.tgz

    - Download a new port skeleton for the healthd port from:

        http://www.freebsd.org/ports/

    and use it to rebuild the port.
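
    To check whether a setuid copy from before the 2000-03-25 cut-off is
    still on disk, the following added example (not part of the advisory)
    lists matching setuid files and flags them by modification time.  The
    /usr/local prefix and the '*healthd*' name pattern are assumptions; the
    advisory does not name the installed file.

```sh
#!/bin/sh
# Added example, not from the advisory: find setuid files that match a name
# pattern and flag those last modified on or before the advisory cut-off.
# Modification time is only a hint; rebuilding or reinstalling is the fix.

CUTOFF=200003250000    # 2000-03-25 00:00 local time, in "touch -t" format

# audit_setuid PREFIX [PATTERN] [OWNER_UID]
#   PREFIX     directory tree to search (assumed: /usr/local for ports)
#   PATTERN    file name glob (assumed: '*healthd*')
#   OWNER_UID  numeric owner to match (default 0, i.e. setuid root)
# Prints "STALE <path>" for files not newer than the cut-off and
# "OK <path>" for files modified after it.
audit_setuid() {
    prefix=$1
    pattern=${2:-*healthd*}
    owner=${3:-0}

    # Reference file whose mtime is the cut-off, used by find -newer.
    ref=$(mktemp "${TMPDIR:-/tmp}/cutoff.XXXXXX") || return 2
    touch -t "$CUTOFF" "$ref"

    find "$prefix" -type f -name "$pattern" -user "$owner" -perm -4000 \
        ! -newer "$ref" -print | sed 's/^/STALE /'
    find "$prefix" -type f -name "$pattern" -user "$owner" -perm -4000 \
        -newer "$ref" -print | sed 's/^/OK /'

    rm -f "$ref"
}

# Run only when a prefix is given, e.g.:  sh audit.sh /usr/local
if [ "$#" -ge 1 ]; then
    audit_setuid "$@"
fi
```

    Any STALE line points at a file to remove or replace using one of the
    steps above.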