Security Update 2003-08-14 Released
Delta-9 writes "Today, Apple released Security Update 2003-08-14, which 'addresses a potential vulnerability in the fb_realpath() function which could allow a local or remote user to gain unauthorized root privileges to a system.'" It's on Software Update, and will likely soon appear on the support downloads page.
Nice to see Apple is responding more quickly to security problems. I didn't even hear about this through my regular channels until after I had seen the update in Software Update.
-- Apple: Where Microsoft wants to go today.
The FTP server included with Jaguar and Panther is lukemftpd, not wu-ftpd.
But that's okay. Don't let the facts get in the way of your screed. Carry on.
It looks like I jumped the gun on this...On several levels...
First, wu-ftpd is not the ftp server in Mac OS X. lukemftpd is.
Second, the most relevant advisory is not the quoted one, but this one (which previously appeared on Slashdot): FreeBSD-SA-03:08.realpath.
As the name implies, the bug originates from FreeBSD, and potentially leaves a long list of programs vulnerable (listed in the advisory).
This means that the problem is broader than my original message anticipated. It means that other remote services may be vulnerable, including sftp.
Thanks to the anonymous user who brought my attention to my (pretty bad) mistake.
Please spread this information instead of the wrongful information in the parent post. Mod parent down.
No, Apple didn't use wu-ftpd; give them some credit, they used lukemftpd. Originally from NetBSD, I believe.
The realpath() function from BSD calculates the length of a resolved directory path. The problem is an off-by-one error. It actually affects more than just an FTP daemon since it's a library function, just like the gzip vulnerability a while ago. See the SANS report for more info.
3 days from disclosure to security update is pretty good though.
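The kind of off-by-one length check described in the comment above, as an added illustration that is not part of the original thread and is not FreeBSD's, NetBSD's or Apple's code. All names here are hypothetical, and `PATH_BUF` is a small constructed stand-in for `MAXPATHLEN`; the flawed check is shown only as a decision function next to a hardened join that accounts for the terminating NUL.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 16u /* constructed stand-in for MAXPATHLEN, small so the edge is easy to hit */

/* Bytes needed for dir + '/' + name + terminating NUL. */
size_t joined_size(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) + 1;
}

/* Flawed check (hypothetical): counts the separator but not the NUL,
 * so a result of exactly PATH_BUF characters is wrongly accepted. */
int flawed_check_accepts(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) <= PATH_BUF;
}

/* Bytes the flawed check would let a copy write past the buffer (0 or 1). */
size_t overrun_if_flawed(const char *dir, const char *name)
{
    size_t need = joined_size(dir, name);
    return (flawed_check_accepts(dir, name) && need > PATH_BUF) ? need - PATH_BUF : 0;
}

/* Hardened join: checks the full size, NUL included, before writing.
 * Returns 0 on success, -1 if the result does not fit. */
int join_path(char out[PATH_BUF], const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    if (joined_size(dir, name) > PATH_BUF)
        return -1;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen + 1); /* copies the NUL too */
    return 0;
}

int main(void)
{
    char buf[PATH_BUF];
    const char *dir = "/usr/lib", *edge = "libfoo7"; /* constructed: 8 + 1 + 7 = 16 chars */
    printf("flawed check accepts: %d, overrun: %zu byte(s)\n",
           flawed_check_accepts(dir, edge), overrun_if_flawed(dir, edge));
    printf("hardened join returns: %d\n", join_path(buf, dir, edge));
    return 0;
}
```

Because the check lives in a shared library routine, every program that calls it inherits the same boundary error, which is why one fix covers many daemons.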
The advisory was posted some full two weeks ago, meaning that Apple was not as quick to respond as they normally are.
;-)
The East Coast has reverted to the stone age, my Windows machine is insulting me, but there's Apple with another Security Update for a *potential* weakness...
Damn, you've got to admire their timing
I think, therefore I am...I think.
In the case of a security update that changes libraries, though, it's prudent to reboot, or at least shut down any daemon processes and restart them.... Anything newly launched will be bound to the new library, but anything already running will continue using the old one, hence any program that uses the buggy function needs to be restarted. A reboot is certainly the easiest way. :-)
120 character sigs suck. Make it 250.