Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

Wed, 19 Jun 2013 13:27:49 -0700 

Attached are proposed debdiffs for an upload to wheezy-security, based
on the version currently in wheezy.

The versioning scheme for the last security upload (with +deb70.$n)
looks a bit weird to me (and it has lower value than the next changelog
entry).  So I also attach a second debdiff, proposing a different form.

Please could someone with the necessary access, open a security.d.o RT
ticket asking permission to upload whichever one of these, and for a DSA
to be issued?

Thanks!
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog     2013-05-01 13:59:20.000000000 +0100
+++ kfreebsd-9-9.0/debian/changelog     2013-06-19 20:49:15.000000000 +0100
@@ -1,3 +1,17 @@
+kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high
+
+  * Upload for wheezy-security
+
+ -- Steven Chamberlain <ste...@pyro.eu.org>  Wed, 19 Jun 2013 20:36:54 +0100
+
+kfreebsd-9 (9.0-12) unstable; urgency=high
+
+  * Team upload.
+  * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171:
+    Privilege escalation via mmap (Closes: #712664)
+
+ -- Steven Chamberlain <ste...@pyro.eu.org>  Tue, 18 Jun 2013 13:20:50 +0100
+
 kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high
 
   * Upload for wheezy-security
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 
kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch
--- kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch   1970-01-01 
01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch   2013-06-19 
20:49:15.000000000 +0100
@@ -0,0 +1,28 @@
+Description:
+ Fix a bug that allowed a tracing process (e.g. gdb) to write
+ to a memory-mapped file in the traced process's address space
+ even if neither the traced process nor the tracing process had
+ write access to that file. [13:06]
+ (CVE-2013-2171)
+Origin: vendor, http://security.freebsd.org/patches/SA-13:06/mmap.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc
+Bug-Debian: http://bugs.debian.org/712664
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=251902
+
+Index: kfreebsd-9-9.0/sys/vm/vm_map.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c        2011-07-06 21:06:44.000000000 
+0100
++++ kfreebsd-9-9.0/sys/vm/vm_map.c     2013-06-18 13:39:13.104790989 +0100
+@@ -3704,6 +3704,12 @@
+               vm_map_unlock_read(map);
+               return (KERN_PROTECTION_FAILURE);
+       }
++      if ((fault_typea & VM_PROT_COPY) != 0 &&
++          (entry->max_protection & VM_PROT_WRITE) == 0 &&
++          (entry->eflags & MAP_ENTRY_COW) == 0) {
++              vm_map_unlock_read(map);
++              return (KERN_PROTECTION_FAILURE);
++      }
+ 
+       /*
+        * If this page is not pageable, we have to get it for all possible
diff -Nru kfreebsd-9-9.0/debian/patches/series 
kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series        2013-05-01 13:21:35.000000000 
+0100
+++ kfreebsd-9-9.0/debian/patches/series        2013-06-19 20:49:15.000000000 
+0100
@@ -9,6 +9,7 @@
 svn239447_SCTP_DoS.patch
 SA-12_08.linux.patch
 SA-13_05.nfsserver.patch
+SA-13_06.mmap.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff

diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog     2013-05-01 13:59:20.000000000 +0100
+++ kfreebsd-9-9.0/debian/changelog     2013-06-19 21:12:56.000000000 +0100
@@ -1,3 +1,11 @@
+kfreebsd-9 (9.0-12~deb7u1) wheezy-security; urgency=high
+
+  * Team upload.
+  * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171:
+    Privilege escalation via mmap (Closes: #712664)
+
+ -- Steven Chamberlain <ste...@pyro.eu.org>  Tue, 18 Jun 2013 13:20:50 +0100
+
 kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high
 
   * Upload for wheezy-security
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 
kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch
--- kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch   1970-01-01 
01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch   2013-06-19 
20:49:15.000000000 +0100
@@ -0,0 +1,28 @@
+Description:
+ Fix a bug that allowed a tracing process (e.g. gdb) to write
+ to a memory-mapped file in the traced process's address space
+ even if neither the traced process nor the tracing process had
+ write access to that file. [13:06]
+ (CVE-2013-2171)
+Origin: vendor, http://security.freebsd.org/patches/SA-13:06/mmap.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc
+Bug-Debian: http://bugs.debian.org/712664
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=251902
+
+Index: kfreebsd-9-9.0/sys/vm/vm_map.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c        2011-07-06 21:06:44.000000000 
+0100
++++ kfreebsd-9-9.0/sys/vm/vm_map.c     2013-06-18 13:39:13.104790989 +0100
+@@ -3704,6 +3704,12 @@
+               vm_map_unlock_read(map);
+               return (KERN_PROTECTION_FAILURE);
+       }
++      if ((fault_typea & VM_PROT_COPY) != 0 &&
++          (entry->max_protection & VM_PROT_WRITE) == 0 &&
++          (entry->eflags & MAP_ENTRY_COW) == 0) {
++              vm_map_unlock_read(map);
++              return (KERN_PROTECTION_FAILURE);
++      }
+ 
+       /*
+        * If this page is not pageable, we have to get it for all possible
diff -Nru kfreebsd-9-9.0/debian/patches/series 
kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series        2013-05-01 13:21:35.000000000 
+0100
+++ kfreebsd-9-9.0/debian/patches/series        2013-06-19 20:49:15.000000000 
+0100
@@ -9,6 +9,7 @@
 svn239447_SCTP_DoS.patch
 SA-12_08.linux.patch
 SA-13_05.nfsserver.patch
+SA-13_06.mmap.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff

Reply via email to