errata30.html

<!doctype html>
<html lang=en id=errata>
<meta charset=utf-8>

<title>OpenBSD 3.0 Errata</title>
<meta name="description" content="the OpenBSD CD errata page">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/errata30.html">

<!--
			IMPORTANT REMINDER
	IF YOU ADD A NEW ERRATUM, MAIL THE PATCH TO TECH AND ANNOUNCE
-->


<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
3.0 Errata
</h2>
<hr>

For errata on a certain release, click below:<br>
<a href="errata20.html">2.0</a>,
<a href="errata21.html">2.1</a>,
<a href="errata22.html">2.2</a>,
<a href="errata23.html">2.3</a>,
<a href="errata24.html">2.4</a>,
<a href="errata25.html">2.5</a>,
<a href="errata26.html">2.6</a>,
<a href="errata27.html">2.7</a>,
<a href="errata28.html">2.8</a>,
<a href="errata29.html">2.9</a>,
<a href="errata31.html">3.1</a>,
<a href="errata32.html">3.2</a>,
<a href="errata33.html">3.3</a>,
<a href="errata34.html">3.4</a>,
<a href="errata35.html">3.5</a>,
<a href="errata36.html">3.6</a>,
<br>
<a href="errata37.html">3.7</a>,
<a href="errata38.html">3.8</a>,
<a href="errata39.html">3.9</a>,
<a href="errata40.html">4.0</a>,
<a href="errata41.html">4.1</a>,
<a href="errata42.html">4.2</a>,
<a href="errata43.html">4.3</a>,
<a href="errata44.html">4.4</a>,
<a href="errata45.html">4.5</a>,
<a href="errata46.html">4.6</a>,
<a href="errata47.html">4.7</a>,
<a href="errata48.html">4.8</a>,
<a href="errata49.html">4.9</a>,
<a href="errata50.html">5.0</a>,
<a href="errata51.html">5.1</a>,
<a href="errata52.html">5.2</a>,
<br>
<a href="errata53.html">5.3</a>,
<a href="errata54.html">5.4</a>,
<a href="errata55.html">5.5</a>,
<a href="errata56.html">5.6</a>,
<a href="errata57.html">5.7</a>,
<a href="errata58.html">5.8</a>,
<a href="errata59.html">5.9</a>,
<a href="errata60.html">6.0</a>,
<a href="errata61.html">6.1</a>,
<a href="errata62.html">6.2</a>,
<a href="errata63.html">6.3</a>,
<a href="errata64.html">6.4</a>,
<a href="errata65.html">6.5</a>,
<a href="errata66.html">6.6</a>,
<a href="errata67.html">6.7</a>,
<a href="errata68.html">6.8</a>,
<br>
<a href="errata69.html">6.9</a>,
<a href="errata70.html">7.0</a>,
<a href="errata71.html">7.1</a>,
<a href="errata72.html">7.2</a>,
<a href="errata73.html">7.3</a>,
<a href="errata74.html">7.4</a>,
<a href="errata75.html">7.5</a>,
<a href="errata76.html">7.6</a>.
<hr>

<p>
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch contains usage instructions.
All the following patches are also available in one
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0.tar.gz">tar.gz file</a>
for convenience.

<p>
Patches for supported releases are also incorporated into the
<a href="stable.html">-stable branch</a>.

<hr>

<ul>

<li id="hosts">
<strong>001: INSTALL ISSUE: November 12, 2001</strong>
&nbsp; <i>All architectures</i><br>
A small bug in the installation script causes the <code>/etc/hosts</code> file to
be incorrectly formed.<br>
The resulting file contains a line which reads like:<p>
<code>&nbsp;&nbsp;&nbsp;#.#.#.# hostname. hostname</code>
<p>
This line should actually read something like:<p>
<code>&nbsp;&nbsp;&nbsp;#.#.#.# hostname.domainname.com hostname</code>
<p>
To correct this problem, simply edit the file and insert the domainname in
the required place.
<p>

<li id="sshd">
<strong>002: SECURITY FIX: November 12, 2001</strong>
&nbsp; <i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.0/sshd.8">sshd(8)</a>
is being upgraded from OpenSSH 3.0 to OpenSSH 3.0.2 to fix a few problems:
<p>
<ul>
<li>A security hole that may allow an attacker to partially authenticate
if -- and only if -- the administrator has enabled KerberosV.
<br>
By default, OpenSSH KerberosV support only becomes active after KerberosV
has been properly configured.
<p>
<li>An excessive memory clearing bug (which we believe to be unexploitable)
also exists, but since this may cause daemon crashes, we are providing a
patch as well.
<p>
<li>A vulnerability in environment passing in the <code>UseLogin</code>
<i>sshd</i> option
<p>
<li>Various other non-critical fixes.
</ul>
<p>
Effectively an upgrade of OpenSSH 3.0 to OpenSSH 3.0.2.
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/002_ssh2.patch">
A source code patch exists which remedies this problem.</a>
This is the second version of this patch.
<p>

<li id="sparc64cd">
<strong>003: RELIABILITY FIX: November 12, 2001</strong>
<br>
Access to a CD drive on the PCI ultrasparc machines results in a continuous stream
of bogus interrupt messages, causing great user anguish.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/sparc64/003_sparc64cd.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="hifn">
<strong>004: RELIABILITY FIX: November 12, 2001</strong>
<br>
Hifn7751 based cards may stop working on certain motherboards due to
DMA errors.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/i386/004_hifn.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="altivec">
<strong>005: RELIABILITY FIX: November 12, 2001</strong>
<br>
Execution of Altivec instructions will crash the kernel.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/macppc/005_altivec.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="pf">
<strong>006: SECURITY FIX: November 13, 2001</strong>
&nbsp; <i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.0/pf.4">pf(4)</a>
was incapable of dealing with certain ipv6 icmp packets, resulting in a crash.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/006_pf.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="vi.recover">
<strong>007: SECURITY FIX: November 13, 2001</strong>
&nbsp; <i>All architectures</i><br>
A security issue exists in the vi.recover script that may allow an attacker
to remove arbitrary zero-length files, regardless of ownership.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/007_recover.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="lpd">
<strong>008: SECURITY FIX: November 28, 2001</strong>
&nbsp; <i>All architectures</i><br>
A security issue exists in the lpd daemon that may allow an attacker
to create arbitrary new files in the root directory.  Only machines
with line printer access (ie: listed in either /etc/hosts.lpd or
/etc/hosts.equiv) may be used to mount an attack and the attacker
must have root access on the machine.  OpenBSD does not start lpd
in the default installation.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/008_lpd.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="macppcinstall">
<strong>009: INSTALLATION FIX: December 11, 2001</strong>
<br>
The 3.0 CD2 was created with an error which means that the instructions
for booting this architecture will not work.  Instead, to boot the
CD, press Option-Command-O-F during power up to get into OpenFirmware
and then type:
<br>
<code>boot cd:,OFWBOOT /3.0/macppc/bsd.rd</code>
<p>

<li id="ipip">
<strong>010: RELIABILITY FIX: December 13, 2001</strong>
&nbsp; <i>All architectures</i><br>
Systems running with IP-in-IP encapsulation can be made to crash by
malformed packets.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/010_ipip.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="sudo">
<strong>011: SECURITY FIX: January 17, 2002</strong>
&nbsp; <i>All architectures</i><br>
If the Postfix sendmail replacement is installed on a system an
attacker may be able to gain root privileges on the local host via
sudo(8) which runs the mailer as root with an environment inherited
from the invoking user.  While this is a bug in sudo it is not
believed to be possible to exploit when sendmail (the mailer that
ships with OpenBSD) is the mailer.  As of version 1.6.5, sudo passes
the mailer an environment that is not subject to influence from the
invoking user.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/011_sudo.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="ptrace">
<strong>012: SECURITY FIX: January 21, 2002</strong>
&nbsp; <i>All architectures</i><br>
A race condition between the ptrace(2) and execve(2) system calls allows
an attacker to modify the memory contents of suid/sgid processes which
could lead to compromise of the super-user account.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/012_ptrace.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="syspipe">
<strong>013: RELIABILITY FIX: February 4, 2002</strong>
&nbsp; <i>All architectures</i><br>
The wrong filedescriptors are released when pipe(2) failed.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/013_syspipe.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="openssh">
<strong>014: SECURITY FIX: March 8, 2002</strong>
&nbsp; <i>All architectures</i><br>
A local user can gain super-user privileges due to an off-by-one check
in the channel forwarding code of OpenSSH.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/014_openssh.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="zlib">
<strong>015: RELIABILITY FIX: March 13, 2002</strong>
&nbsp; <i>All architectures</i><br>
Under some circumstances the zlib compression library can free dynamically
allocated memory twice.  This is not a security issue on OpenBSD since the BSD
<a href="https://man.openbsd.org/OpenBSD-3.0/free.3">free(3)</a>
function detects this.
There is also a kernel zlib component that may be used by pppd and IPsec.
The feasibility of attacking the kernel this way is currently unknown.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/015_zlib.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="approval">
<strong>016: SECURITY FIX: March 19, 2002</strong>
&nbsp; <i>All architectures</i><br>
Under certain conditions, on systems using YP with netgroups in the password
database, it is possible for the
<a href="https://man.openbsd.org/OpenBSD-3.0/rexecd.8">rexecd(8)</a>
and
<a href="https://man.openbsd.org/OpenBSD-3.0/rshd.8">rshd(8)</a>
daemons to execute the shell from a different user's password entry.
Due to a similar problem,
<a href="https://man.openbsd.org/OpenBSD-3.0/atrun.8">atrun(8)</a>
may change to the wrong home directory when running
<a href="https://man.openbsd.org/OpenBSD-3.0/at.1">at(1)</a>
jobs.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/016_approval.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="isakmpd">
<strong>017: RELIABILITY FIX: March 26, 2002</strong>
&nbsp; <i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.0/isakmpd.8">isakmpd(8)</a>
will crash when receiving a zero length IKE packet due to a too-late length check.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/017_isakmpd.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="mail">
<strong>018: SECURITY FIX: April 11, 2002</strong>
&nbsp; <i>All architectures</i><br>
<a href="https://man.openbsd.org/OpenBSD-3.0/mail.1">mail(1)</a>
will process tilde escapes even in non-interactive mode.
This can lead to a local root compromise.
<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/018_mail.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="sshafs">
<strong>019: SECURITY FIX: April 22, 2002</strong>
&nbsp; <i>All architectures</i><br>
A local user can gain super-user privileges due to a buffer overflow
in <a href="https://man.openbsd.org/OpenBSD-3.0/sshd.8">sshd(8)</a>
if AFS has been configured on the system or if
KerberosTgtPassing or AFSTokenPassing has been enabled
in the sshd_config file.  Ticket and token passing is not enabled
by default.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/019_sshafs.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="sudo2">
<strong>020: SECURITY FIX: April 25, 2002</strong>
&nbsp; <i>All architectures</i><br>
A bug in <a href="https://man.openbsd.org/OpenBSD-3.0/sudo.8">sudo(8)</a> may allow an attacker to corrupt the heap by specifying a custom prompt.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/020_sudo.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="fdalloc2">
<strong>021: SECURITY FIX: May 8, 2002</strong>
&nbsp; <i>All architectures</i><br>
A race condition exists where an attacker could fill the file descriptor
table and defeat the kernel's protection of fd slots 0, 1, and 2 for a
setuid or setgid process.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/021_fdalloc2.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="httpd">
<strong>022: SECURITY FIX: June 19, 2002</strong>
&nbsp; <i>All architectures</i><br>
A buffer overflow can occur during the interpretation of chunked
encoding in the http daemon, leading to possible remote crash or exploit.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/022_httpd.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="modssl">
<strong>023: SECURITY FIX: June 24, 2002</strong>
&nbsp; <i>All architectures</i><br>
A buffer overflow can occur in the .htaccess parsing code in mod_ssl httpd
module, leading to possible remote crash or exploit.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/023_mod_ssl.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="sshdauth">
<strong>024: SECURITY FIX: June 24, 2002</strong>
&nbsp; <i>All architectures</i><br>
All versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation
error that can result in an integer overflow and privilege escalation.
This problem is fixed in <a href="https://www.openssh.com/openbsd.html">OpenSSH
3.4</a>, and a patch for the vulnerable releases is available as part of the
<a href="https://www.openssh.com/txt/preauth.adv">security advisory</a>.
<p>

<li id="resolver">
<strong>025: SECURITY FIX: June 25, 2002</strong>
&nbsp; <i>All architectures</i><br>
A potential buffer overflow in the DNS resolver has been found.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/025_resolver.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="ktrace">
<strong>026: SECURITY FIX: June 27, 2002</strong>
&nbsp; <i>All architectures</i><br>
The kernel would let any user <a href="https://man.openbsd.org/OpenBSD-3.0/ktrace.2">ktrace(2)</a> set[ug]id processes.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/026_ktrace.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="isakmpd2">
<strong>027: RELIABILITY FIX: July 5, 2002</strong>
&nbsp; <i>All architectures</i><br>
Receiving IKE payloads out of sequence can cause
<a href="https://man.openbsd.org/OpenBSD-3.0/isakmpd.8">isakmpd(8)</a> to crash.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/027_isakmpd.patch">
A source code patch exists which remedies this problem.</a>
<br>
This is the second version of the patch.
<p>

<li id="pppd">
<strong>028: SECURITY FIX: July 29, 2002</strong>
&nbsp; <i>All architectures</i><br>
A race condition exists in the
<a href="https://man.openbsd.org/OpenBSD-3.0/pppd.8">pppd(8)</a>
daemon which may cause it to alter the file permissions of an arbitrary file.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/028_pppd.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="xdr">
<strong>029: SECURITY FIX: July 29, 2002</strong>
&nbsp; <i>All architectures</i><br>
A buffer overflow can occur in the
<a href="https://man.openbsd.org/OpenBSD-3.0/xdr_array.3">xdr_array(3)</a>
RPC code, leading to possible remote crash.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/029_xdr.patch">
A source code patch exists which remedies this problem.</a>
<br>
This is the second version of the patch.
<p>

<li id="ssl">
<strong>030: SECURITY FIX: July 30, 2002</strong>
&nbsp; <i>All architectures</i><br>
Several remote buffer overflows can occur in the SSL2 server and SSL3 client of the
<a href="https://man.openbsd.org/OpenBSD-3.0/ssl.8">ssl(8)</a>
library, as in the ASN.1 parser code in the
<a href="https://man.openbsd.org/OpenBSD-3.0/crypto.3">crypto(3)</a>
library, all of them being potentially remotely exploitable.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/030_ssl.patch">
A source code patch exists which remedies this problem.</a>
<br>
This is the second version of the patch.
<p>

<li id="scarg">
<strong>031: SECURITY FIX: August 11, 2002</strong>
&nbsp; <i>All architectures</i><br>
An insufficient boundary check in the
<a href="https://man.openbsd.org/OpenBSD-3.0/select.2">select(2)</a>
system call allows an attacker to overwrite kernel memory and execute arbitrary
code in kernel context.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/031_scarg.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="kerntime">
<strong>032: SECURITY FIX: October 7, 2002</strong>
&nbsp; <i>All architectures</i><br>
Incorrect argument checking in the
<a href="https://man.openbsd.org/OpenBSD-3.0/setitimer.2">setitimer(2)</a> system call may allow an attacker to write to kernel memory.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/032_kerntime.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="kadmin">
<strong>033: SECURITY FIX: October 21, 2002</strong>
&nbsp; <i>All architectures</i><br>
A buffer overflow can occur in the
<a href="https://man.openbsd.org/OpenBSD-3.0/kadmind.8">kadmind(8)</a>
daemon, leading to possible remote crash or exploit.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/033_kadmin.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="smrsh">
<strong>034: SECURITY FIX: November 6, 2002</strong>
&nbsp; <i>All architectures</i><br>
An attacker can bypass the restrictions imposed by sendmail's restricted shell,
<a href="https://man.openbsd.org/OpenBSD-3.0/smrsh.8">smrsh(8)</a>,
and execute arbitrary commands with the privileges of his own account.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/034_smrsh.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="kernresource">
<strong>035: SECURITY FIX: November 6, 2002</strong>
&nbsp; <i>All architectures</i><br>
Incorrect argument checking in the
<a href="https://man.openbsd.org/OpenBSD-3.0/getrlimit.2">getrlimit(2)</a>
system call may allow an attacker to crash the kernel.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/035_kernresource.patch">
A source code patch exists which remedies this problem.</a>
<p>

<li id="named">
<strong>036: SECURITY FIX: November 14, 2002</strong>
&nbsp; <i>All architectures</i><br>
A buffer overflow in
<a href="https://man.openbsd.org/OpenBSD-3.0/named.8">named(8)</a>
could allow an attacker to execute code with the privileges of named.
On OpenBSD, named runs as a non-root user in a chrooted environment
which mitigates the effects of this bug.<br>
<a href="https://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/036_named.patch">
A source code patch exists which remedies this problem.</a>
<p>

</ul>

<hr>