OpenBSD Journal

off-by-one error in realpath(3)

Contributed by jose on from the protect-your-stack-protector dept.

Todd Miller has posted a notice to the security-announce mailing list about a new bug in OpenBSD: An off-by-one error exists in the C library function realpath(3). This is the same bug that was recently found in the wu-ftpd ftpd server by Janusz Niewiadomski and Janusz Niewiadomski.

The OpenBSD ftp daemon does not use realpath(3) in a way that could be exploited; however, a number of other system binaries also use the function. It is not currently known whether or not this bug results in an exploitable security hole on OpenBSD. Since the bug led to an exploitable hole in wu-ftpd, it is entirely possible that some program using realpath(3) under OpenBSD may be vulnerable to attack. For OpenBSD 3.3 and higher, the ProPolice stack protector should provide some protection from this bug, but this cannot be guaranteed.

This bug has been fixed in OpenBSD-current as well as the 3.2 and 3.3 -stable branches. Patches are available for OpenBSD 3.2 and 3.3.

Patch for OpenBSD 3.2: ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/015_realpath.patch

Patch for OpenBSD 3.3: ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/001_realpath.patch

For versions of OpenBSD prior to 3.2, users may simply fetch the current revision of realpath.c from: ftp://ftp.OpenBSD.org/pub/OpenBSD/src/lib/libc/stdlib/realpath.c then rebuild and install libc with the new realpath.c.

For more details, see the description of the wu-ftpd fp_realpath bug: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

Make sure you're up to date!
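To make the off-by-one concrete, here is an added example (not OpenBSD's realpath.c and not the wu-ftpd code): a reconstruction of the final component-append step in a BSD-style realpath(), with the pre-fix length check beside the corrected one. The variable names rootd/needslash follow the commit message quoted in the comments; BUFLEN (standing in for MAXPATHLEN), my_strlcat, append_buggy, append_fixed and try_append are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define BUFLEN 16   /* stand-in for MAXPATHLEN, kept small so the edge case is visible */

/* Minimal strlcat(3) for platforms without one; OpenBSD's libc has the real thing. */
static size_t my_strlcat(char *dst, const char *src, size_t size)
{
	size_t dlen = 0;
	size_t slen = strlen(src);

	while (dlen < size && dst[dlen] != '\0')
		dlen++;
	if (dlen == size)
		return size + slen;          /* dst not terminated within size */
	if (slen < size - dlen) {
		memcpy(dst + dlen, src, slen + 1);
	} else {
		memcpy(dst + dlen, src, size - dlen - 1);
		dst[size - 1] = '\0';        /* truncated */
	}
	return dlen + slen;
}

/*
 * Pre-fix form (constructed reconstruction). rootd == 1 means resolved is "/"
 * and no separator is needed; rootd == 0 means a "/" must be inserted before
 * wbuf. The check adds rootd instead of the separator it is about to write,
 * so it is one byte too strict at the root and one byte too lax elsewhere.
 * With strcat() (wu-ftpd) the lax case writes one byte past the buffer;
 * with strlcat() (OpenBSD) it is silent truncation and a missing ENAMETOOLONG.
 */
static int append_buggy(char *resolved, const char *wbuf, int rootd)
{
	if (strlen(resolved) + strlen(wbuf) + rootd + 1 > BUFLEN) {
		errno = ENAMETOOLONG;
		return -1;
	}
	if (rootd == 0)
		my_strlcat(resolved, "/", BUFLEN);
	my_strlcat(resolved, wbuf, BUFLEN);
	return 0;
}

/* Post-fix form: the flag is inverted (needslash = !rootd), so the check
 * now counts exactly the bytes that will be appended. */
static int append_fixed(char *resolved, const char *wbuf, int needslash)
{
	if (strlen(resolved) + strlen(wbuf) + needslash + 1 > BUFLEN) {
		errno = ENAMETOOLONG;
		return -1;
	}
	if (needslash)
		my_strlcat(resolved, "/", BUFLEN);
	my_strlcat(resolved, wbuf, BUFLEN);
	return 0;
}

/* Runs one variant on a fresh buffer: returns the resulting string length,
 * or -1 if the ENAMETOOLONG check refused the append. */
static int try_append(int (*fn)(char *, const char *, int),
    const char *base, const char *comp, int flag)
{
	char buf[BUFLEN];

	snprintf(buf, sizeof buf, "%s", base);
	if (fn(buf, comp, flag) == -1)
		return -1;
	return (int)strlen(buf);
}

int main(void)
{
	/* "/tmp/" + 11 chars = 16 chars, needing 17 bytes: must be refused. */
	printf("buggy, /tmp + 11 chars: %d chars kept (check passed, result truncated)\n",
	    try_append(append_buggy, "/tmp", "abcdefghijk", 0));
	printf("fixed, /tmp + 11 chars: %d (-1 = ENAMETOOLONG)\n",
	    try_append(append_fixed, "/tmp", "abcdefghijk", 1));
	/* "/" + 14 chars = 15 chars, which fits in 16 bytes: must be accepted. */
	printf("buggy, / + 14 chars: %d (-1 = wrongly refused)\n",
	    try_append(append_buggy, "/", "abcdefghijklmn", 1));
	printf("fixed, / + 14 chars: %d chars kept\n",
	    try_append(append_fixed, "/", "abcdefghijklmn", 0));
	return 0;
}
```

The point for OpenBSD users is the second line of output: because libc uses strlcat(), the buggy check never writes past the buffer, it merely returns a truncated path without ENAMETOOLONG, which is why the commit message calls it "not a big deal" there and why the same logic was exploitable in wu-ftpd's strcat()-based copy.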



Comments
  1. By Anonymous Coward () on

    "Note that programs that are linked statically will not pick up the change unless they are rebuilt. This includes the contents of /bin and /sbin."

    So after I follow the rest of the instructions in the patch, what else do I need to do?

    Comments
    1. By Norbert P. Copones () norbert at feu-nrmf.ph on mailto:norbert at feu-nrmf.ph

      you may also recompile some statically linked 3rd party application (e.g. in the ports) that uses realpath and restart the dynamically linked apps that uses realpath.

      Comments
      1. By Anonymous Coward () on

        Right, but my question was really how do I recompile the statically linked stuff in /bin and /sbin.

        Comments
        1. By maricel madayag () on

          go to their src dir and make obj & make depend & make & make install or better do a make build.

        2. By Anonymous Coward () on

          There's a patch page on the OpenBSD website that gives detailed instructions on how to do this. I've put all of these steps into a few shell scripts so I have things like CVS get and update placed in shell scripts for getting or updating my OpenBSD source tree. I've also got a couple more scripts that automate the build and release process for me.

          http://www.openbsd.org/stable.html

          You might also want to look at the AnonCVS page on how you can update your source tree with CVS:

          http://www.openbsd.org/anoncvs.html

          Note that you'll need to change the tag name as their examples use OPENBSD_3_2 for the tag name but for 3.3 you'd use OPENBSD_3_3 instead. I only patch my source from the "stable" branch as I don't have the time to test stuff on "current".

    2. By schubert () on http://schubert.cx/

      bin/mv
      bin/systrace
      sbin/isakmpd
      sbin/mount
      sbin/mount_*
      sbin/mountd
      sbin/umount

      are your statically linked binaries in base that use realpath()

      Comments
      1. By Anonymous Coward () on

        What about ssh/d?

        Comments
        1. By tedu () on

          is it statically linked?
          is it statically linked?
          is it statically linked?

          Comments
          1. By Mr. Kotter () on

            Oh! Oh! I know!

            1. No.
            2. No.
            3. No.

      2. By Anonymous Coward () on

        What about ssh/d?

        Comments
        1. By Anonymous Coward () on

          nothing statical, nor dynamically linked to s/hole
          $ ldd `which sshd` `which ssh`
          /usr/sbin/sshd:
          -lkrb
          -lkafs
          -lasn1
          -lkrb
          -lcrypto
          -lutil
          -lz
          -ldes
          -lc
          /usr/bin/ssh:
          -lkrb
          -lasn1
          -lkrb
          -lkafs
          -lcrypto
          -lz
          -ldes
          -lc

      3. By Anonymous Coward () on

        What about ssh/d?

        Comments
        1. By Anonymous Coward () on

          Please ask a 4th time.

          Comments
          1. By Anonymous Coward () on

            Yup, the 4th time always works.

  2. By psygnosis () on

    i think this is the one committed by brad smith on the 3_3 branch last 2003/08/02 20:17:03 and committed by millert on the -current. am i right?

    Rename rootd to needslash and invert its value. This fixes the check for ENAMETOOLONG, though since we use strlcpy() and strlcat() this is not a big deal. Problem found by vincent@

    Comments
    1. By tedu () on

      that would be the one.

  3. By Anonymous Coward () on

    According to OpenBSD's patch page for 3.2, the 014 patch is for sendmail. So there shouldn't be a 014_realpath.patch. And when I click on the link to it, I get a "FILE NOT FOUND" error.

    Comments
    1. By ycel () on

      it's obviously 015_realpath.patch

    2. By jose () on http://monkey.org/~jose/

      fixed. todd's first mail had a couple of typos, i didn't catch that one.

      Comments
      1. By Anonymous Coward () on

        "This is the same bug that was recently found in the wu-ftpd ftpd server by Janusz Niewiadomski and Janusz Niewiadomski."

        ???

  4. By Anonymous Coward () on

    MicroBSD fixed that two years ago

    Comments
    1. By Anonymous Coward () on

      then why didn't they contribute the fix back to the community two years ago?

      Comments
      1. By Wijnand () on http://NedBSD.nl

        Well, it looks to me the whole project was selfish, so why should they give something back then?

        Comments
        1. By Anonymous Coward () on

          Hello, anybody at home? It's a joke

          Comments
          1. By Anonymous Coward () on

            ...home...?

            (looks around)

            Who are you? What's that? Why am I here?

            What's my name?

      2. By Anonymous Coward () on

        Because this is BSD and not GNU, plus they were a bunch of leet wannabee kidz who thought they could claim others code as their own.

        Thieves are often not very giving.

  5. By BigOpenBSDFan () on

    125 days without a security patch.
    ~2500 days with one remote root hole

    Them're numbers the others would love to have.

    Huzzah OpenBSD!

    -DaFan

    Comments
    1. By Anonymous Coward () on

      bash$ w
      9:40AM up 121 days, 16:52, 1 user, load averages: 0.12, 0.09, 0.08


      howwaaaa!!!
      :-)

      Comments
      1. By Andy () on

        Whenever I see those 2 or 3 digit uptimes, I always wonder: am I the only one who puts his computer in the bedroom (due to the lack of space in my apartment) and therefore has to shut it down every night, when it's time to go to bed? Don't you guys have scary electricity bills at the end of the month?
        I know it's off topic but I just wanted to know ...

        Comments
        1. By Shane () on

          I always wonder: am I the only one who puts his computer in the bedroom (due to the lack of space in my apartment) and therefore has to shut it down every night, when it's time to go to bed?

          I put to bed my: OpenBSD firewall, OpenBSD server and Sun Ultra 10 (OpenBSD/Solaris 9).

          Sometimes also Linux/OpenBSD/Win2k P3, OSX/OpenBSD iBook. All up, I have 22 computers including 68k, PPC, x86 and SPARC.

          If only I had a life!!

        2. By Anonymous Coward () on

          Well have a look at your hardware. If you can't sleep because of noise, does the box have more cooling fans than it actually needs? Old HDs starting to get a bit noisy?

          With regards to the power bill, again check the specs of the box. 9 cooling fans in a Pentium 100 case? 10 HDs? 800 watt power supplies - make sure the hardware isn't overkill for what you are actually using the box for.

          Maybe get a better case that runs cooler, and you can reduce the fans. Seagate HDs (Barracuda IV, V) virtually make no noise at all, unless you put your ear on the HD.

          If you are talking about more than one box, apply above to all.

          Comments
          1. By rankor_industries () on

            I've also found that replacing your retail boxed fan or standard aluminum heatsink/fan combo with a copper heatsink/fan combo can really help with the noise as well. The copper allows the fan to spin at a much slower speed to do the same job.

            IIRC the last time I 'upgraded' my cpu to the copper heatsink it was about $10-$15 from some online parts site.

            Now the wife just bitches about the LEDs being on all the time. But what is a computer setup without LEDs??? Sigh, time to pull the jumpers I suppose.

        3. By Tet () on

          No, the electricity bill is fine. I have 9 machines running 24x7. They make a bit of noise, but not too much. For the desktop machines, I turn the monitors off when they're not in use, which is by far the biggest power consumer. Without that, they really don't draw enough power to make a big impact on the bill.

        4. By Mike Ray () mray@sfobug.org on http://host.sfobug.org/~mray

          I have simply learned to live with the noise of my PIII. You can work on making them quieter by replacing the fans, etc.

          And as far as electricity goes, one machine isn't that bad. You just have to skip a few coffees/beers/pizza a month ;-)

      2. By Anonymous Coward () on

        bah, i live in california, where the power outages come at least once a month, longest uptime I have ever got was 40 days :

    2. By Georg () w@nein.de on mailto:w@nein.de

      You kidz are even more trollish than linuxoidz. The announcement was for FreeBSD first, and it ran the same amount of days with no sec-patching since May.
      And btw, original poster has a good sense of humour: printing the same Polish name twice since most illiterates won't see any difference no matter what.

      Quit this "no vulnerabilities for so many days/years" bs and try to really differentiate yourself aside from forking and repackaging. So far OpenBSD means only one thing: elevated loss of man-hours, on par with Red Hat Linux.

  6. By solarce () on

    Are there binary patches available?

    Comments
    1. By Anonymous Coward () on

      Because of statically compiled bins (see also www.nedbsd.nl) you'll have to recompile a lot - including ports

      Comments
      1. By Anonymous Coward () on

        find / -type f -print0 | xargs -0 file | grep "static"

    2. By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/

      You can build yours: http://www.openbsd.org.mx/~santana/binpatch.html

      I'll make a binary patch available anyways. Note that this will not be an official binary patch.

    3. By Brandon Bowman () solarce@fallingsnow.net on http://www.solarce.com

      I am just curious why you are using the nickname 'solarce' considering I have been using it actively for about four years; I can be found on freenode, slacknet, efnet, and oftc by this nickname. I also own the domain solarce.com. I'd appreciate it if you'd take to using another nickname so as to not cause any confusion, considering one of the channels on freenode that I idle in is #openbsd and I am known there by a couple of people, and was asked today if the comment I am replying to was from myself, which it is not.

      Thanks and Regards,

      Brandon Bowman
      --solarce@fallingsnow.net

      Comments
      1. By m03 () on

        Offtopic, are you the same Solarce that hangs out in #gah on freenode?

        Comments
        1. By Brandon Bowman () solarce@fallingsnow.net on http://www.solarce.com

          Yes, m03, I am that very "solarce".

  8. By Arrigo Triulzi () on http://www.alchemistowl.org/arrigo

    If you follow Todd's recommendation for OpenBSD <3.2 (download realpath.c, rebuild libc) everything works fine.

    You then need to redo the static binaries with:

    cd /usr/src/bin
    make clean && make && make install
    cd /usr/src/sbin
    make clean && make && make install

    In theory you don't need the make clean as you only need to relink with libc but I had an issue with wsconsctl so I decided to go for the full thing (in any case it is such a small set of files that even my Pentium 233MMX managed in next to no time after libc...).

    Comments
    1. By Re: OpenBSD<3.2 & static binaries () on

      I thought /bin and /sbin would be built from /usr/src/usr.bin and usr.sbin. Am I wrong? Where is the difference between (s)bin and usr.(s)bin?

      Comments
      1. By Re: OpenBSD<3.2 & static binaries () on

        I thought /bin and /sbin would be built from /usr/src/usr.bin and usr.sbin. Am I wrong?

        Yes, you are wrong. Look in your /usr/src/ or on http://www.openbsd.org/cgi-bin/cvsweb/src/ and note the bin, sbin, usr.bin, and usr.sbin directories.

        Where is the difference between (s)bin and usr.(s)bin?

        hier(7) will help some, but basically /bin and /sbin have statically linked bins and /usr/* has dynamically linked bins.

      2. By Arrigo Triulzi () on http://www.alchemistowl.org/arrigo

        Traditionally (as in "historically"), binaries in /bin and /sbin are statically linked so that if the only filesystem you manage to boot is / you have all the important tools without any dynamic library dependencies.

        This is still upheld in *BSD and amongst commercial systems Tru64 Unix (ex- OSF/1). Solaris is a notable exception to this rule.

        This is why there is a separate usr.bin and usr.sbin hierarchy under /usr/src.

    2. By Re: OpenBSD<3.2 & static binaries () on

      I followed your directions. /bin updated fine, but I'm having problems with wsconsctl in /sbin. All the other stuff seems to compile fine, but wsconsctl gives me this message...

      # cd /usr/src/sbin
      # make clean && make && make install

      ....

      ===> wsconsctl
      cc -O2 -I. -c display.c
      cc -O2 -I. -c keyboard.c
      cc -O2 -I. -c keysym.c
      keysym.c:44: keysym.h: No such file or directory
      *** Error code 1

      Stop in /usr/src/sbin/wsconsctl.
      *** Error code 1

      Stop in /usr/src/sbin.

      Comments
      1. By Re: OpenBSD<3.2 & static binaries () on

        I threw in a make depend and it worked.

    3. By Arrigo Triulzi () on http://www.alchemistowl.org/arrigo

      To get around a build failure with wsconsctl you need to explicitly do a

      make depend

      so the build chain becomes

      make clean && make depend && make && make install

      Apologies for not writing it explicitly.

      Comments
      1. By Re: OpenBSD<3.2 & static binaries (wsc () on

        Hey thanks for the information. The make depend is the trick. I was able to get it right in one try with your excellent instructions;-)
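Pulling the thread's rebuild advice together, as an added example that is not from the thread or from OpenBSD: the inventory step relies on file(1) reporting "statically linked", as the find | xargs file | grep one-liner earlier in the comments does; the source scan assumes the /usr/src/bin and /usr/src/sbin layout discussed above; and the build chain is the one Arrigo gives, with make depend included. The function names are constructed.

```sh
#!/bin/sh
# Added example: helpers for "what do I rebuild after replacing libc?".
# Assumes file(1) says "statically linked" for static ELF executables and a
# BSD-style source tree (SRC/bin/PROG, SRC/sbin/PROG). Not OpenBSD's own code.

# Filter file(1) output ("path: description") down to the paths of
# statically linked executables. Reads stdin so saved output works too.
static_from_file_output() {
	grep -i 'statically linked' | sed 's/: .*$//'
}

# Inventory the statically linked executables under the given directories
# (e.g. /bin /sbin): the same pipeline as the one-liner in the comments,
# restricted to executable files and printing only the path.
list_static_bins() {
	find "$@" -type f -perm -u+x -print0 | xargs -0 file | static_from_file_output
}

# Programs under SRC/bin and SRC/sbin whose C sources call realpath(); these
# are the static binaries that must be relinked against the new libc first.
realpath_users_in_src() {
	find "$1/bin" "$1/sbin" -name '*.c' -exec grep -l 'realpath(' {} + 2>/dev/null |
	    sed 's,/[^/]*$,,' | sort -u
}

# The build chain from the thread, including the "make depend" that
# wsconsctl needed. Runs in a subshell so the caller's cwd is untouched.
rebuild_tree() {
	( cd "$1" && make clean && make depend && make && make install )
}

# Usage, as root, after installing the patched libc:
#   list_static_bins /bin /sbin
#   realpath_users_in_src /usr/src
#   rebuild_tree /usr/src/bin && rebuild_tree /usr/src/sbin
```

The source scan and the binary inventory answer different questions: the first tells you which programs link realpath() at all, the second tells you which installed executables carry their own copy of libc and so will not pick up the fix until relinked. Dynamically linked programs that are already running still need a restart, as noted earlier in the thread.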

  9. By iwaki007 () on

    It's been so long since I've patched my obsd box that I've nearly forgotten how to do it!

  10. By slacker_max () on

    And we can see the same patch at NetBSD.

    Comments
    1. By tedu () on

      i can't

      Comments
      1. By Andy () on

        It affects NetBSD too (look in the advisories) but not FreeBSD.

        Comments
        1. By Anonymous Coward () on

          > It affects NetBSD too (look in the advisories) but not FreeBSD.

          Right? ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:08.realpath.asc

  11. By Anonymous Coward () on

    ... "recently found in the wu-ftpd ftpd server by Janusz Niewiadomski and Janusz Niewiadomski" ...

    Janusz Niewiadomski and Janusz Niewiadomski?

    Is that a stupid joke?

    Maybe patch is also a stupid joke?

    Comments
    1. By Anonymous Coward () on

      and you are a stupid jerk

    2. By Anonymous Coward () on

      It's called a typo.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]