NetBSD Security Advisory 2018-002: Local DoS in virecover
2 January, 2018 by security-officer@netbsd.org | netbsd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2018-002
=================================
Topic: Local DoS in virecover
Version: NetBSD-current: source prior to Sat, November 4th 2017
NetBSD 7.0 - 7.02: affected
NetBSD 6.1 - 6.1.5: affected
NetBSD 6.0 - 6.0.6: affected
Severity: Local Denial of Service
Fixed: NetBSD-current: Sat, November 4th 2017
NetBSD-6-0 branch: Sun, November 5th 2017
NetBSD-6-1 branch: Sun, November 5th 2017
NetBSD-6 branch: Sun, November 5th 2017
NetBSD-7-0 branch: Sun, November 5th 2017
NetBSD-7 branch: Sun, November 5th 2017
NetBSD-8 branch: Sun, November 5th 2017
Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
An error in the virecover script allows an unprivileged user to delete
any files in the root / directory.
Technical Details
=================
The virecover shell script used file globbing without arranging for
whitespace within filenames to be preserved.
Instead of treating a filename containing a space as is, it will treat
the file as two files.
For example, by placing "/var/tmp/virecover/vi. netbsd", virecover will
treat it as two files: /var/tmp/virecover/vi. and netbsd.
As virecover attempts to delete the recovered files, it will delete files
in its current working directory (the root directory).
This allows an unprivileged user to delete any file within the root
directory.
Solutions and Workarounds
=========================
Disabling virecover:
# echo "virecover=NO" >> /etc/rc.conf
Updating nvi:
FILE HEAD netbsd-8 netbsd-7 netbsd-7-1 netbsd-7-0
external/bsd/nvi/dist/common/recover.c
1.9 1.5.22.1 1.5.6.1 1.5.18.1 1.5.10.1
external/bsd/nvi/usr.bin/recover/virecover
1.3 1.1.22.1 1.1.6.1 1.1.18.1 1.1.10.1
FILE netbsd-6 netbsd-6-1 netbsd-6-0
dist/nvi/common/recover.c
1.3.10.1 1.3.24.1 1.3.16.1
usr.bin/nvi/recover/virecover
1.1.22.1 1.1.36.1 1.1.28.1
for netbsd-7, -7-0, -7-1, netbsd-8, HEAD:
$ cd src
$ cvs update -d -P -r VERSION external/bsd/nvi/dist/common/recover.c
$ cvs update -d -P -r VERSION external/bsd/nvi/usr.bin/recover/virecover
$ cd external/bsd/nvi
$ make USETOOLS=no
# make install USETOOLS=no
for netbsd-6, -6-0, -6-1:
$ cd src
$ cvs update -d -P -r VERSION dist/nvi/common/recover.c
$ cvs update -d -P -r VERSION usr.bin/nvi/recover/virecover
$ cd usr.bin/nvi
$ make USETOOLS=no
# make install USETOOLS=no
Thanks To
================
Maya Rashish for noticing the issue, Christos Zoulas and Robert Elz for
deploying the fix.
Revision History
================
2018-01-02 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-002.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2018, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJaS7+UAAoJEAZJc6xMSnBuqhgQAJHCyUMeylnsOUGi0SzsZ/G9
kzQVGSir6+U+yKGaEFM5xkuRUoQFOVxCcHo9GXxY5EvxfF3rsYoW6MORzkn5DXAs
Yup1HMb5impVdGruED7ubFI155EjLtlI03S3fqgOChH0g1aWwtfP0PlqC1iMl7mp
Ygyo7UZEJNOsrAM28WqW5LHQPNVG2q92yl16UwP6UWH8MoydnjCj4WuQ4/D161bQ
xFDNgxruxt3R3RqwBnVIPYBRTlxM9xPGpW/dNngc+rVoiyRD3+XzcEvhemY2Eccx
Gqp2ohQl+q8rDzKnS2pv+wNdQlgXZVkg5XrfWkP52JBTdAojAfeNP9cWlOoV9ggZ
nFzjHnURkodRwosE8AWuJ+aquokqUMtec48NNKVIaRK/LPuJQLz/CWdiM5V0xwqY
0WSK5Yvgl3aM5FwFpWFo78RE3Pl18FaJuqMN3XYWhDuBXLZW7raQK0KXQuWC+E72
PgRqqDU2YswGV3Gt2xbBh74SBnedjwppffNCenSdxjZHjfpFLGr1sS/JGBj/UG1m
RfxAA7mbogE/yEjWXLyt8H+y78Id6Ck9rWiKTFUKBXJw7qw05opdewJDsZrOsw6T
40iydSOLl1ahr/Ke2Mu8/B09MUyt8MMrrmthnhoXQr9a2R9iR1fDFxfboocOVCfn
BHDNhoPO+m+GSApcBd7p
=MHk1
-----END PGP SIGNATURE-----