csua.org/u/3u1 -> lists.freebsd.org/pipermail/freebsd-security-notifications/2003-August/000006.html
Background
The realpath function is part of the FreeBSD Standard C Library.

Problem Description
An off-by-one error exists in a portion of realpath that computes the length of the resolved pathname. As a result, if the resolved pathname is exactly 1024 characters long and contains at least two directory separators, the buffer passed to realpath will be overwritten by a single NUL byte.

Impact
Applications using realpath MAY be vulnerable to denial of service attacks, remote code execution, and/or privilege escalation. The impact on an individual application is highly dependent upon the source of the pathname passed to realpath, the position of the output buffer on the stack, the architecture on which the application is running, and other factors.

Within the FreeBSD base system, several applications use realpath. Two applications which are negatively impacted are:

lukemftpd, an alternative FTP server: realpath is used to process the MLST and MLSD commands. The vulnerability may be exploitable, leading to code execution with superuser privileges. It is not built or installed by default in any other release.

sftp-server, the SFTP subsystem of OpenSSH: this vulnerability may be exploitable, leading to code execution with the privileges of the authenticated user.

Other applications in the FreeBSD base system that use realpath have not been audited, and may or may not be vulnerable.

Workaround
OpenSSH's sftp-server may be disabled by editing /etc/ssh/sshd_config and commenting out the following line by inserting a `#' as the first character:

Subsystem sftp /usr/libexec/sftp-server

lukemftpd may be replaced by the default ftpd.

Solution
All affected applications must be restarted for them to use the corrected library. Though not required, rebooting may be the easiest way to accomplish this.

Correction details
The following list contains the revision numbers of each file that was corrected in FreeBSD.
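The following is an added, constructed model of the length error described under Problem Description; it is not FreeBSD's realpath.c and does not reproduce its symlink or separator handling. It keeps only the arithmetic that matters: PATH_MAX (1024 on FreeBSD) counts the terminating NUL, so a resolved path of exactly 1024 characters can never fit, yet a check written as `>` instead of `>=` lets it through and the NUL lands one byte past the caller's buffer. The names append_buggy, append_fixed, resolve_model, MODEL_PATH_MAX and CANARY are this example's own; the path buffer is allocated with one spare byte holding a canary so the single-byte overwrite can be observed without undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the realpath(3) off-by-one (not FreeBSD's code).
 * PATH_MAX includes the terminating NUL, so the longest storable path has
 * PATH_MAX - 1 characters. The buggy check forgets this.
 */
#define MODEL_PATH_MAX 1024   /* same value as FreeBSD's PATH_MAX */
#define CANARY         0xAAu  /* marker stored in the byte just past the buffer */

/* Vulnerable: accepts *rlen + tlen == MODEL_PATH_MAX, leaving no room for the NUL. */
static int append_buggy(char *resolved, size_t *rlen, const char *tok)
{
    size_t tlen = strlen(tok);

    if (*rlen + tlen > MODEL_PATH_MAX) {      /* off by one: should be >= */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(resolved + *rlen, tok, tlen);
    *rlen += tlen;
    resolved[*rlen] = '\0';                   /* writes resolved[1024] when *rlen == 1024 */
    return 0;
}

/* Corrected: a path of MODEL_PATH_MAX characters cannot fit with its NUL, so reject it. */
static int append_fixed(char *resolved, size_t *rlen, const char *tok)
{
    size_t tlen = strlen(tok);

    if (*rlen + tlen >= MODEL_PATH_MAX) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(resolved + *rlen, tok, tlen);
    *rlen += tlen;
    resolved[*rlen] = '\0';
    return 0;
}

/*
 * Build a resolved path of exactly target_len characters containing two
 * separators ("/aaa.../bbb...") into a MODEL_PATH_MAX-byte buffer that is
 * followed by a canary byte, using the buggy or the fixed append routine.
 *
 * Returns  1 if the canary was overwritten (the overflow happened),
 *          0 if the path was built and the canary is intact,
 *         -1 if the routine refused the path with ENAMETOOLONG,
 *         -2 on bad arguments or allocation failure.
 */
static int resolve_model(size_t target_len, int fixed)
{
    int (*append)(char *, size_t *, const char *) = fixed ? append_fixed : append_buggy;
    unsigned char *raw = malloc(MODEL_PATH_MAX + 1);  /* +1: the canary lives inside the allocation */
    char *comp_a = malloc(MODEL_PATH_MAX);
    char *comp_b = malloc(MODEL_PATH_MAX);
    char *resolved = (char *)raw;
    size_t rlen, a_len, b_len;
    int rc, result;

    if (raw == NULL || comp_a == NULL || comp_b == NULL ||
        target_len < 3 || target_len > MODEL_PATH_MAX) {
        free(raw); free(comp_a); free(comp_b);
        return -2;
    }
    raw[MODEL_PATH_MAX] = CANARY;

    /* Split target_len minus the two '/' characters between the two components. */
    a_len = (target_len - 2) / 2;
    b_len = target_len - 2 - a_len;
    memset(comp_a, 'a', a_len); comp_a[a_len] = '\0';
    memset(comp_b, 'b', b_len); comp_b[b_len] = '\0';

    strcpy(resolved, "/");
    rlen = 1;
    rc = append(resolved, &rlen, comp_a);
    if (rc == 0) rc = append(resolved, &rlen, "/");
    if (rc == 0) rc = append(resolved, &rlen, comp_b);

    if (rc != 0)
        result = -1;
    else
        result = (raw[MODEL_PATH_MAX] != CANARY) ? 1 : 0;

    free(raw); free(comp_a); free(comp_b);
    return result;
}

int main(void)
{
    printf("buggy, 1023 chars: %d  (0 = fits, canary intact)\n", resolve_model(1023, 0));
    printf("buggy, 1024 chars: %d  (1 = NUL overwrote the byte past the buffer)\n", resolve_model(1024, 0));
    printf("fixed, 1024 chars: %d  (-1 = rejected with ENAMETOOLONG)\n", resolve_model(1024, 1));
    return 0;
}
```

The 1023-character path behaves identically under both routines, which is why the defect survives ordinary use: only an input that resolves to exactly PATH_MAX characters, such as one a remote FTP or SFTP client can shape through MLST/MLSD or a path request, triggers the extra NUL. Whether that single byte is exploitable depends on what sits after the caller's buffer, which is the point the Impact section makes about stack layout and architecture.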