---

Home Infrastructure

FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit

By

Date: Wed, 5 Jul 2000 16:02:39 -0700
From: FreeBSD Security Advisories security-advisories@freebsd.org

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit

—–BEGIN PGP SIGNED MESSAGE—–

FreeBSD-SA-00:24                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          libedit reads config file from current directory

Category:       core
Module:         libedit
Announced:      2000-07-05
Affects:        All versions of FreeBSD prior to the correction date
Credits:        Tim Vanderhoek 
Vendor status:  Notified
Corrected:      2000-05-22
FreeBSD only:   NO

I. Background

libedit is a library of routines for providing command editing
and history retrieval for interactive command-oriented
programs.

II. Problem Description

libedit incorrectly reads an “.editrc” file in the current
directory if it exists, in order to specify configurable program
behaviour. However it does not check for ownership of the file, so
an attacker can cause a libedit application to execute arbitrary
key rebindings and exercise terminal capabilities by creating an
.editrc file in a directory from which another user executes a
libedit binary (e.g. root running ftp(1) from /tmp). This can be
used to fool the user into unknowingly executing program commands
which may compromise system security. For example, ftp(1) includes
the ability to escape to a shell and execute a command, which can
be done under libedit control.

The supplied patch removes this behaviour and causes libedit to
only search for its configuration file in the home directory of the
user, if it exists and the binary is not running with increased
privileges (i.e. setuid or setgid).

FreeBSD 3.5-RELEASE is not affected by this vulnerability,
although 4.0-RELEASE is affected since the problem was discovered
after it was released.

III. Impact

An attacker can cause a user to execute arbitrary commands
within a program which is run from a directory to which the
attacker has write access, potentially leading to system compromise
if run as a privileged user (such as root).

IV. Workaround

Do not interactively run utilities which link against libedit
from directories which can be written to by other users.

To identify utilities which link dynamically against libedit,
download the libfind tool and detached PGP signature as
follows:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh

# fetch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh.asc

Verify the detached signature using your PGP utility.

Run the libfind.sh tool as root, as follows:

# sh libfind.sh libedit /

Note that it is not feasible to locate utilities which link
statically against libedit since there are no common strings
embedded in such binaries. However the following is believed to be
a complete list of statically and dynamically linked FreeBSD system
utilities which link against the library:

/bin/sh
/sbin/fsdb
/usr/bin/ftp
/usr/sbin/cdcontrol
/usr/sbin/lpc
/usr/sbin/nslookup
/usr/sbin/pppctl

Because libedit is not a portable library in common use there
are unlikely to be many FreeBSD ports which link statically against
it: no such ports are known at this time.

V. Solution

One of the following:

1) Upgrade your vulnerable system to a version dated after the
correction date.

2) Save the advisory into a file or download the patch and
detached PGP signature:

# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch

# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch.asc

Verify the detached PGP signature using your PGP utility.

Apply the patch and rebuild as follows:

# cd /usr/src/lib/libedit
# patch -p < /path/to/patch/or/advisory

and rebuild your system as described in

http://www.freebsd.org/handbook/makeworld.html

    --- el.c    1999/08/20 01:17:12     1.6
    +++ el.c    2000/05/22 05:55:22     1.7
    @@ -290,13 +294,10 @@
         char *ptr, path[MAXPATHLEN];

         if (fname == NULL) {
    -   fname = &elpath[1];
    -   if ((fp = fopen(fname, "r")) == NULL) {
    -       if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
    -           return -1;
    -       (void)snprintf(path, sizeof(path), "%s%s", ptr, elpath);
    -       fname = path;
    -   }
    +   if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
    +       return -1;
    +   (void) snprintf(path, sizeof(path), "%s%s", ptr, elpath);
    +   fname = path;
         }

         if ((fp = fopen(fname, "r")) == NULL)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGmz1UuHi5z0oilAQF1rwP/QhuVAAmc1873YHkhTS8kMTPR63HoIlkc
8VRgf0PU6Z3AObVq6fjt3ZikCUXf7d8NhiTqRdL1Cb/Koai56yP+E5Fqbt2U5JCC
cNbWIlI8NYKxAybgOsx+9EJGSnGfrjjjvxG6MguwcyJ+W1DS3M41mDzv8C1hdpqw
/QAi9qToH+Q=
=TlZc
-----END PGP SIGNATURE-----

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.