Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
From: Jacques A. Vidrine (nectar_at_FreeBSD.org)
Date: 08/04/03
Date: Mon, 4 Aug 2003 16:00:17 -0500
To: Eugene Grosbein <eugen@grosbein.pp.ru>, Christoph Moench-Tegeder <cmt@rz.uni-karlsruhe.de>, Peter Jeremy <PeterJeremy@optushome.com.au>
On Mon, Aug 04, 2003 at 04:37:22PM +0800, Eugene Grosbein wrote:
> FreeBSD Security Advisories wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > =============================================================================
> > FreeBSD-SA-03:08.realpath Security Advisory
> > The FreeBSD Project
> >
> > Topic: Single byte buffer overflow in realpath(3)
>
> Hi! I do not see a fix for RELENG_4, neither in this advisory nor in the repo.
> Please MFC to RELENG_4 too.
RELENG_4 does not currently suffer from the bug, because it has a
different realpath implementation.
On Mon, Aug 04, 2003 at 10:50:19AM +0200, Christoph Moench-Tegeder wrote:
> : Affects: All releases of FreeBSD up to and including 4.8-RELEASE
> : and 5.0-RELEASE
> : FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I guess rev. 1.9.2.1 of realpath.c fixed the problem more or less
> by accident.
Right, that was a new realpath implementation from -CURRENT.
On Mon, Aug 04, 2003 at 08:11:30PM +1000, Peter Jeremy wrote:
> On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
> >Affects: All releases of FreeBSD up to and including 4.8-RELEASE
> > and 5.0-RELEASE
> > FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> ...
> >V. Solution
> >
> >1) Upgrade your vulnerable system to 4.8-STABLE
> >or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> >(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> >dated after the respective correction dates.
>
> I found the reference to RELENG_5_1 in the "Solutions" section but no
> reference to 5.1-RELEASE in the "Affects" section somewhat confusing.
I don't understand how to be more clear. 5.1-RELEASE is not affected,
so of course it is not listed in `Affects'.
> This is compounded by the failure to mention RELENG_5_0 in the
> "Solutions" section.
RELENG_5_1, RELENG_4_8, and RELENG_4_7 are the currently supported
security branches, so that is why they are listed in the `Solution'
section. RELENG_5_0 is not a currently supported security branch,
and I would not recommend that anyone upgrade to an old security
branch. Please see the table at http://www.freebsd.org/security/ or
my announcement in this forum dated July 14.
> I gather that 5.1-RELEASE is not vulnerable due
> to the realpath() rewrite in 1.14.
That's correct, 5.1-RELEASE is not vulnerable, which is why it is not
listed in the `Affects' section.
> May I suggest that in future, when a release is not vulnerable due to
> code rewrites or similar, this fact be explicitly mentioned. IMHO,
> it's far better to err on the side of caution when dealing with
> security issues.
Thank you for the suggestion. Would you care to post _exactly_ what
wording you think would be better? I cannot think of a way to do so
without being redundant or misleading. I have no desire to add a
``Not affected:'' line. Especially at times when we have two -STABLE
branches (as we will soon for 4.x and 5.x), it will be common that
there is a bug in one release but not another higher-numbered one.
I think that if one takes the `Affects' lines (and the rest of the
advisory) at face value, without second-guessing, that it is crystal
clear what versions of FreeBSD are affected. But of course I would :-)
Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se