-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2018-002
=================================
Topic: Local DoS in virecover
Version: NetBSD-current: source prior to Sat, November 4th 2017
NetBSD 7.1.1: not affected
NetBSD 7.1: affected
NetBSD 7.0 - 7.0.2: affected
NetBSD 6.1 - 6.1.5: affected
NetBSD 6.0 - 6.0.6: affected
Severity: Local Denial of Service
Fixed: NetBSD-current: Sat, November 4th 2017
NetBSD-6-0 branch: Sun, November 5th 2017
NetBSD-6-1 branch: Sun, November 5th 2017
NetBSD-6 branch: Sun, November 5th 2017
NetBSD-7-0 branch: Sun, November 5th 2017
NetBSD-7-1 branch: Sun, November 5th 2017
NetBSD-7 branch: Sun, November 5th 2017
NetBSD-8 branch: Sun, November 5th 2017
Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
An error in the virecover script allows an unprivileged user to delete
any files in the root / directory.
Technical Details
=================
The virecover shell script used file globbing without arranging for
whitespace within filenames to be preserved.
Instead of treating a filename containing a space as is, it will treat
the file as two files.
For example, by placing "/var/tmp/virecover/vi. netbsd", virecover will
treat it as two files: /var/tmp/virecover/vi. and netbsd.
As virecover attempts to delete the recovered files, it will delete files
in its current working directory (the root directory).
This allows an unprivileged user to delete any file within the root
directory.
Solutions and Workarounds
=========================
Disabling virecover:
# echo "virecover=NO" >> /etc/rc.conf
Updating nvi:
FILE HEAD netbsd-8 netbsd-7 netbsd-7-1 netbsd-7-0
external/bsd/nvi/dist/common/recover.c
1.9 1.5.22.1 1.5.6.1 1.5.18.1 1.5.10.1
external/bsd/nvi/usr.bin/recover/virecover
1.3 1.1.22.1 1.1.6.1 1.1.18.1 1.1.10.1
FILE netbsd-6 netbsd-6-1 netbsd-6-0
dist/nvi/common/recover.c
1.3.10.1 1.3.24.1 1.3.16.1
usr.bin/nvi/recover/virecover
1.1.22.1 1.1.36.1 1.1.28.1
for netbsd-7, -7-0, -7-1, netbsd-8, HEAD:
$ cd src
$ cvs update -d -P -r VERSION external/bsd/nvi/dist/common/recover.c
$ cvs update -d -P -r VERSION external/bsd/nvi/usr.bin/recover/virecover
$ cd external/bsd/nvi
$ make USETOOLS=no
# make install USETOOLS=no
for netbsd-6, -6-0, -6-1:
$ cd src
$ cvs update -d -P -r VERSION dist/nvi/common/recover.c
$ cvs update -d -P -r VERSION usr.bin/nvi/recover/virecover
$ cd usr.bin/nvi
$ make USETOOLS=no
# make install USETOOLS=no
Thanks To
================
Maya Rashish for noticing the issue, Christos Zoulas and Robert Elz for
deploying the fix.
Revision History
================
2018-01-02 Initial release
2018-03-09 Note that NetBSD 7.1 is affected but 7.1.1 is not.
Note the date that fixes were applied to netbsd-7-1.
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-002.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and
http://www.NetBSD.org/Security/.
Copyright 2018, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJaov4xAAoJEAZJc6xMSnBu8ZwQAMxtlMzEkQmJX4KhvEuwNneZ
nKGhsjUN/Y/hcWfC9ShFMmKObgm+2c+clRBAu3QdNl7ZYisKF2bEg0bBWd6Vh8tg
7vTCv2SCWKUSPOhEwXWLKDkhgz0wuBy0LujFSyQJjU171GIfTLXU3MyytwGrBkol
VEi6VUo9d2F5fY/c7icNUNH4VoeDVHntTjOPoiQLZpRNbPJ6HX0sl1DyAJmWYqeN
qCXM+Ox9l0zwVzIsognXIDhl8f2jRFOD0LkV9eA3i424NJD3BHlukdX0zmkwUPXr
QqzrKWkjj+LexEGE5G7lFCJ4HrZw8Xx40uz8PKKCQ+22Aa/rpl0wJ5jt/vaeyCEE
5Ka5XGjV+AH8fq6Gl3BI4o7K01NTjkSiiXsQKyRLa5571ue2iDoow5AePjbkLPOz
rfVKvNoTFMP+6tP4PobLaR6xlhFjzS2M9CciDMWjqEjpp+Ada/FekLModf/chXju
72CpZvmwabHivSp01Kt9ZFcMN0u414qcW8dn5RxNUpYjaldkIc9A0Ua4eJxYKP2J
k1ALvZQyjj8x2JMQrHqy9fuBdAWZoRWRXpyslox1n6zpkGWx6othS2YdbIgdH92H
rMryObRMthWE4X0FuXjo8yYyMuY+X+s+VrevGOLyBQb2gp54g1e5Z0u6xDMA2R9p
8b/Hv18ubUp705SO8c/D
=RIFm
-----END PGP SIGNATURE-----
