-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
      OUTSIDE ADVISORY REDISTRIBUTION

17 July 1996 18:00 GMT                           Number: ERS-OAR-E01-1996:003.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from FreeBSD, Inc..  Contact
information for FreeBSD, Inc. is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

=============================================================================
 FreeBSD-SA-96:16              Security Advisory
 Revised: Fri Jul 12 09:32:53 PDT 1996        FreeBSD, Inc.

 Topic:    security vulnerability in rdist

 Category:  core
 Module:  rdist
 Announced:  1996-07-12
 Affects:  FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
 Corrected:  2.1-stable and 2.2-current as of 1996-07-11
 Source:  4.4BSD (lite)
 FreeBSD only:  no

 Patches:  ftp://freebsd.org/pub/CERT/patches/SA-96:16/
 Reference:  [8lgm]-Advisory-26.UNIX.rdist.20-3-1996

 =============================================================================

 I.   Background    

     A bug was found in the BSD rdist utility which can allow
     an unprivileged local user to gain unauthorized access.
     This problem is present in all source code and binary
     distributions of FreeBSD version 2.x released before 1996-07-12.

     rdist has been the subject of security vulnerabilities in the past.
     This is a newly discovered vulnerability not related to previous
     race conditions fixed in rdist.


 II.  Problem Description

     rdist creates an error message based on a user provided string,        
     without checking bounds on the buffer used.  This buffer is            
     on the stack, and can therefore be used to execute arbitrary           
     instructions.


 III. Impact

     This vulnerability can allow a local user to obtain superuser
     privileges.  It may only be exploited by users with a valid
     account on the local system.  It is present in almost all BSD
     derived operating systems with a "setuid" rdist program.


 IV. Workaround

     The rdist program must be setuid root to function properly.
     This vulnerability can be eliminated by making rdist not
     executable by unprivileged users.  Since this limits the
     usefulness of the program, a software update is advised.

     This workaround will work for all versions of FreeBSD affected
     by this problem.

     As root, execute the commands:

  # chflags noschg /usr/bin/rdist
  # chmod u-s,go-rx /usr/bin/rdist

     then verify that the setuid permissions of the files have been
     removed.  The permissions array should read "-r-x------" as
     shown here:

  # ls -l /usr/bin/rdist
  -r-x------  1 root  bin  49152 Jun 16 10:46 rdist


 V. Solution(s)

     Apply the available via FTP from the patch directory noted
     at the top of this message.  Recompile, and reinstall the
     rdist program.  This patch is known to apply to all
     FreeBSD 2.x systems, it has not been tested with FreeBSD 1.x.

     The [8lgm] organization correctly points out that this program
     does not have a particularly good security "history."  While
     the patch for this vulnerability does solve this particular
     problem, it's not clear if other security issues involving rdist
     will appear in the future.

     Administrators should consider whether it is appropriate to
     remove the standard rdist program and upgrade to rdist
     version 6, which is available as a FreeBSD port.

     FreeBSD, Inc. has not replaced the standard BSD rdist with
     the newer code because the new rdist is not protocol-compatible
     with the original version.


 =============================================================================
 FreeBSD, Inc.

 Web Site:      http://www.freebsd.org/
 Confidential contacts:    security-officer@freebsd.org
 PGP Key:      ftp://freebsd.org/pub/CERT/public_key.asc
 Security notifications:  security-notifications@freebsd.org
 Security public discussion:  security@freebsd.org

 Notice: Any patches in this document may not apply cleanly due to
         modifications caused by digital signature or mailer software.
         Please reference the URL listed at the top of this document
         for original copies of all patches if necessary.
=============================================================================

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMe1AkvWDLGpfj4rlAQHNqAP9GqBrDgSEV/mlMIJGrGJfXkGc7tb3qJOm
wWMtmwDPNm/riyWiKCDAbpTox/iIAKRy7N4VfQ3/anZ7vXsBTHHdN+OaO4CSZrG4
EMUF/RvrrvFTjMoCFwwV/mf7GS/Bg8wAmp6vwL9242XfoyMyWvE/tAPpc5UBXpv8
e0uybiOtAQk=
=4mZa
-----END PGP SIGNATURE-----