-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:03 Security Advisory FreeBSD, Inc. Topic: bash1 creates insecure temporary files Category: ports Module: bash1 Announced: 2001-01-15 Affects: Ports collection prior to the correction date. Corrected: 2000-11-29 Credits: Various FreeBSD only: NO I. Background bash is an enhanced bourne-like shell. II. Problem Description The bash port, versions prior to the correction date, creates insecure temporary files when the '<<' operator is used, by using a predictable filename based on the process ID of the shell. An attacker can exploit this vulnerability to overwrite an arbitrary file writable by the user running the shell. The contents of the file are overwritten with the text being entered using the '<<' operator, so it will usually not be under the control of the attacker. Therefore the likely impact of this vulnerability is a denial of service since the attacker can cause critical files writable by the user to be overwritten. It is unlikely, although possible depending on the circumstances in which the '<<' operator is used, that the attacker could exploit the vulnerability to gain privileges (this typically requires that they have control over the contents the target file is overwritten with). This is the same vulnerability as that described in advisory 00:76 relating to the tcsh/csh shells. The bash1 port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 are vulnerable to this problem since it was discovered after the releases. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Unprivileged local users can cause an arbitrary file writable by a victim to be overwritten when the victim invokes the '<<' operator in bash1 (e.g. from within a shell script). If you have not chosen to install the bash1 port/package, then your system is not vulnerable to this problem. IV. Workaround Deinstall the bash1 port/package, if you have installed it. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the bash1 port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/bash-1.14.7.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/bash-1.14.7.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/bash-1.14.7.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/bash-1.14.7.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/bash-1.14.7.tgz NOTE: Due to an oversight the package version was not updated after the security fix was applied, so be sure to install a package created after the correction date. 3) download a new port skeleton for the bash1 port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOmN6SVUuHi5z0oilAQERhgQAqW3ZEBCxXC2lZvqypspSwjPdc6kU3eQm gUNMdrk6BZX2Pj8t8q+xK9rHasyXw2fkPeZ93EvBHhOa4p5l5UARhCllNS628LAJ Vk3zalfHKtZIO1bCq16R5NpyQ1zh+QB9mPnl9q8KINyO0gEUtq0n3LKgr7yr74tN 2TC9j+g5GhU= =RLhf -----END PGP SIGNATURE-----