-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2018-002 ================================= Topic: Local DoS in virecover Version: NetBSD-current: source prior to Sat, November 4th 2017 NetBSD 7.1.1: not affected NetBSD 7.1: affected NetBSD 7.0 - 7.0.2: affected NetBSD 6.1 - 6.1.5: affected NetBSD 6.0 - 6.0.6: affected Severity: Local Denial of Service Fixed: NetBSD-current: Sat, November 4th 2017 NetBSD-6-0 branch: Sun, November 5th 2017 NetBSD-6-1 branch: Sun, November 5th 2017 NetBSD-6 branch: Sun, November 5th 2017 NetBSD-7-0 branch: Sun, November 5th 2017 NetBSD-7-1 branch: Sun, November 5th 2017 NetBSD-7 branch: Sun, November 5th 2017 NetBSD-8 branch: Sun, November 5th 2017 Please note that NetBSD releases prior to 6.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== An error in the virecover script allows an unprivileged user to delete any files in the root / directory. Technical Details ================= The virecover shell script used file globbing without arranging for whitespace within filenames to be preserved. Instead of treating a filename containing a space as is, it will treat the file as two files. For example, by placing "/var/tmp/virecover/vi. netbsd", virecover will treat it as two files: /var/tmp/virecover/vi. and netbsd. As virecover attempts to delete the recovered files, it will delete files in its current working directory (the root directory). This allows an unprivileged user to delete any file within the root directory. Solutions and Workarounds ========================= Disabling virecover: # echo "virecover=NO" >> /etc/rc.conf Updating nvi: FILE HEAD netbsd-8 netbsd-7 netbsd-7-1 netbsd-7-0 external/bsd/nvi/dist/common/recover.c 1.9 1.5.22.1 1.5.6.1 1.5.18.1 1.5.10.1 external/bsd/nvi/usr.bin/recover/virecover 1.3 1.1.22.1 1.1.6.1 1.1.18.1 1.1.10.1 FILE netbsd-6 netbsd-6-1 netbsd-6-0 dist/nvi/common/recover.c 1.3.10.1 1.3.24.1 1.3.16.1 usr.bin/nvi/recover/virecover 1.1.22.1 1.1.36.1 1.1.28.1 for netbsd-7, -7-0, -7-1, netbsd-8, HEAD: $ cd src $ cvs update -d -P -r VERSION external/bsd/nvi/dist/common/recover.c $ cvs update -d -P -r VERSION external/bsd/nvi/usr.bin/recover/virecover $ cd external/bsd/nvi $ make USETOOLS=no # make install USETOOLS=no for netbsd-6, -6-0, -6-1: $ cd src $ cvs update -d -P -r VERSION dist/nvi/common/recover.c $ cvs update -d -P -r VERSION usr.bin/nvi/recover/virecover $ cd usr.bin/nvi $ make USETOOLS=no # make install USETOOLS=no Thanks To ================ Maya Rashish for noticing the issue, Christos Zoulas and Robert Elz for deploying the fix. Revision History ================ 2018-01-02 Initial release 2018-03-09 Note that NetBSD 7.1 is affected but 7.1.1 is not. Note the date that fixes were applied to netbsd-7-1. More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-002.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2018, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJaov4xAAoJEAZJc6xMSnBu8ZwQAMxtlMzEkQmJX4KhvEuwNneZ nKGhsjUN/Y/hcWfC9ShFMmKObgm+2c+clRBAu3QdNl7ZYisKF2bEg0bBWd6Vh8tg 7vTCv2SCWKUSPOhEwXWLKDkhgz0wuBy0LujFSyQJjU171GIfTLXU3MyytwGrBkol VEi6VUo9d2F5fY/c7icNUNH4VoeDVHntTjOPoiQLZpRNbPJ6HX0sl1DyAJmWYqeN qCXM+Ox9l0zwVzIsognXIDhl8f2jRFOD0LkV9eA3i424NJD3BHlukdX0zmkwUPXr QqzrKWkjj+LexEGE5G7lFCJ4HrZw8Xx40uz8PKKCQ+22Aa/rpl0wJ5jt/vaeyCEE 5Ka5XGjV+AH8fq6Gl3BI4o7K01NTjkSiiXsQKyRLa5571ue2iDoow5AePjbkLPOz rfVKvNoTFMP+6tP4PobLaR6xlhFjzS2M9CciDMWjqEjpp+Ada/FekLModf/chXju 72CpZvmwabHivSp01Kt9ZFcMN0u414qcW8dn5RxNUpYjaldkIc9A0Ua4eJxYKP2J k1ALvZQyjj8x2JMQrHqy9fuBdAWZoRWRXpyslox1n6zpkGWx6othS2YdbIgdH92H rMryObRMthWE4X0FuXjo8yYyMuY+X+s+VrevGOLyBQb2gp54g1e5Z0u6xDMA2R9p 8b/Hv18ubUp705SO8c/D =RIFm -----END PGP SIGNATURE-----