-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2003-003
                 =================================

Topic:          Buffer Overflow in file(1)

Version:        NetBSD-current: source prior to February 27, 2003
                NetBSD 1.6:     affected
                NetBSD-1.5.3:   affected
                NetBSD-1.5.2:   affected
                NetBSD-1.5.1:   affected
                NetBSD-1.5:     affected

Severity:       Inducing a user to run file(1) could execute code as the user
                Amavis antivirus users are remotely vulnerable

Fixed:          NetBSD-current:         February 26, 2003
                NetBSD-1.6 branch:      March 8, 2003 (1.6.1 includes the fix)
                NetBSD-1.5 branch:      March 9, 2003 (1.5.4 includes the fix)


Abstract
========

If file(1) is run over a specially constructed ELF file, an exploitable
stack overflow occurs and attackers can gain the privileges of the user
running file(1).

NOTE: Users of the Amavis antivirus scanner are remotely vulnerable
to this overflow, because Amavis runs file over data to be scanned.
An attacker will be able to gain the privileges of the uid which runs
Amavis.  Most mailservers execute scripts as the userid of the mail
recipient, so any user whose mail is scanned by Amavis could have
their account compromised.


Technical Details
=================

A buffer overflow has been found in the file(1) program.  If a user
were to run file(1) over a specially doctored ELF file, arbitrary code
would be executed as a result.  Thus, if an attacker can somehow induce
a user to run file(1) over a file the attacker controls, the attacker
may gain any system privileges the victim possesses.

See iDEFENSE Security Advisory 03.04.03
http://www.idefense.com/advisory/03.04.03.txt


Solutions and Workarounds
=========================

If you use Amavis antivirus, upgrade file(1) as shown below immediately.
If you are unable to do this immediately, you may wish to disable
Amavis, or stop accepting incoming mail until you have updated file(1).

For this Advisory, NetBSD Security-Officer is providing binary patches
for NetBSD-1.6.  This is the first NetBSD Advisory to include a binary
patch option.
Please share any feedback you have on the experience with
security-officer@netbsd.org

Binary patch instructions are included in the NetBSD-1.6 section below.

The following instructions describe how to upgrade your file(1)
binaries by updating your source tree and rebuilding and
installing a new version of file(1).

* NetBSD-current:

    Systems running NetBSD-current dated from before 2003-02-27
    should be upgraded to NetBSD-current dated 2003-02-27 or later.

    The following files need to be updated from the
    netbsd-current CVS branch (aka HEAD) to the respective revisions:

        src/usr.bin/file/readelf.c:     1.17
        src/usr.bin/file/softmagic.c:   1.31

    To update from CVS, re-build, and re-install file:

        # cd src
        # cvs update -d -A -P usr.bin/file
        # cd usr.bin/file
        # make cleandir dependall
        # make install


* NetBSD 1.6:

    The binary distribution of NetBSD 1.6 is vulnerable.

    * Binary patch:

        To apply the binary patch, perform the following steps, replacing
        ARCH with the NetBSD architecture you are running (e.g. i386):

        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-003-file/netbsd-1-6/ARCH-file.tgz
        cd / && tar xzvf /path/to/ARCH-file.tgz

        The tar file will extract a new copy of /usr/bin/file,
        overwriting the vulnerable binary.

    * Source patch:

        Systems running NetBSD 1.6 sources dated from before
        2003-03-09 should be upgraded to NetBSD 1.6 sources dated
        2003-03-09 or later.

        NetBSD 1.6.1 will include the fix.

        The following files need to be updated from the
        netbsd-1-6 CVS branch to the respective revisions:

            src/usr.bin/file/readelf.c:     1.13.2.1
            src/usr.bin/file/softmagic.c:   1.26.2.1

        To update from CVS, re-build, and re-install file:

            # cd src
            # cvs update -d -r netbsd-1-6 -P usr.bin/file
            # cd usr.bin/file
            # make cleandir dependall
            # make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

    The binary distribution of NetBSD 1.5.3 is vulnerable.

    Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
    from before 2003-03-10 should be upgraded to NetBSD 1.5.*
    sources dated 2003-03-10 or later.

    The following files need to be updated from the
    netbsd-1-5 CVS branch to the respective revisions:

        src/usr.bin/file/readelf.c:     1.6.4.3
        src/usr.bin/file/softmagic.c:   1.18.4.2

    To update from CVS, re-build, and re-install file:

        # cd src
        # cvs update -d -r netbsd-1-5 -P usr.bin/file
        # cd usr.bin/file
        # make cleandir dependall
        # make install


Thanks To
=========

Lubomir Sedlacik and Antti Kantee, for drawing our attention to the
problem.

Christos Zoulas, for aiding in the solution and with this advisory.

Chuck Yerkes, for pointing out the Amavis use of file(1).


Revision History
================

        2003-03-12      Initial release
        2003-03-12      Update with Amavis information
        2003-03-13      Update Amavis information, add Binary Patch


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-003.txt,v 1.14 2003/03/19 21:54:50 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPnjngD5Ru2/4N2IFAQFpNQP/d1Ja+ptBa4hP8WoI+Kb9bzKs1oZwAIIo
EV/nJD996saKGc60aLKnk1Yz7RNXU5IC/szcYSrgcgbLvoICoWsC+Gtn0P+66fS6
1muJu9Q0WLBHRWlZTYRs2y8UxcUxYC1A/x7kR14TrA0eY+mGU6Jw7n8IqRHdtAyL
Cwo3Ulnbt6Y=
=cLul
-----END PGP SIGNATURE-----
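
A post-update check for the source and binary patch steps in the advisory
above, added here as an example; it is not part of the signed advisory or of
NetBSD's own tooling. It compares RCS revisions against the fixed revisions
the advisory lists for each CVS branch. Assumptions: the installed
/usr/bin/file embeds the $NetBSD$ ids of readelf.c and softmagic.c so that
ident(1) can print them; rev_status and check_ident are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the advisory. Minimum fixed revision per CVS branch,
# taken from NetBSD-SA2003-003: "file branch-prefix minimum-last-component".
FIXED='readelf.c 1 17
readelf.c 1.13.2 1
readelf.c 1.6.4 3
softmagic.c 1 31
softmagic.c 1.26.2 1
softmagic.c 1.18.4 2'

# rev_status FILE REV: print fixed, vulnerable, or unknown (branch not listed).
rev_status() {
    prefix=${2%.*}
    last=${2##*.}
    case $last in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    echo "$FIXED" | while read -r f p min; do
        [ "$f" = "$1" ] && [ "$p" = "$prefix" ] || continue
        if [ "$last" -ge "$min" ]; then echo fixed; else echo vulnerable; fi
    done | grep . || echo unknown
}

# check_ident: read ident(1)-style output on stdin, report both tracked files,
# and return 0 only when each one is present at a fixed revision.
check_ident() {
    bad=0
    revs=$(awk '$1 == "$NetBSD:" && ($2 == "readelf.c,v" || $2 == "softmagic.c,v") {
        sub(/,v$/, "", $2); print $2, $3 }')
    for name in readelf.c softmagic.c; do
        rev=$(echo "$revs" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -n "$rev" ]; then st=$(rev_status "$name" "$rev"); else st=unknown; fi
        echo "$name ${rev:-none} $st"
        [ "$st" = fixed ] || bad=1
    done
    return $bad
}

# Constructed sample input (dates and user names are placeholders).
SAMPLE_OLD='     $NetBSD: readelf.c,v 1.13 2002/01/01 00:00:00 user Exp $
     $NetBSD: softmagic.c,v 1.26 2002/01/01 00:00:00 user Exp $'
SAMPLE_NEW='     $NetBSD: readelf.c,v 1.13.2.1 2003/01/01 00:00:00 user Exp $
     $NetBSD: softmagic.c,v 1.26.2.1 2003/01/01 00:00:00 user Exp $'

# On a real system (assumption: the binary embeds these ids):
#   ident /usr/bin/file | check_ident
printf '%s\n' "$SAMPLE_OLD" | check_ident || echo "file(1) still needs the update"
```

A result of "unknown" means the revision is on a branch the advisory does not
list or no id was found in the binary; treat it as unverified, not as fixed.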