Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

2011-11-21 Thread Dag-Erling Smørgrav
Jason Hellenthal jh...@dataix.net writes:
> Sorry but this security advisory has nothing to do with your
> misconfiguration of your system.

Perhaps you should read the updated advisory before shooting Richard
down in flames.

DES
-- 
Dag-Erling Smørgrav - d...@des.no
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to freebsd-security-unsubscr...@freebsd.org


FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

2011-11-20 Thread Richard M. Timoney
As far as I can see the bug mentioned in the above advisory is not fully
fixed.

When logged in to a FreeBSD 8.2 machine with freshly updated /usr/src
(world and kernel) [made on Wed Nov 16] via an XDMCP session, acroread
says

No protocol specified

(acroread:2908): Gtk-WARNING **: cannot open display:
pc200404.maths.tcd.ie:0.0

Logged in to the same host via ssh -Y , I have DISPLAY set to something
like localhost:10.0 and acroread does launch. It also launches on the
console X display.

I would be happy with pointers as to a fix for this.

Yours,

Richard Timoney

-- 
Richard M. Timoney
  (richa...@maths.tcd.ie)   Tel. +353-1-896 1196
School of Mathematics, Trinity College, Dublin 2, Ireland
WWW http://www.maths.tcd.ie/~richardt   FAX  +353-1-896 2282


Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

2011-11-20 Thread Jason Hellenthal

Sorry but this security advisory has nothing to do with your misconfiguration 
of your system.

On Sun, Nov 20, 2011 at 11:18:33PM +, Richard M. Timoney wrote:
> As far as I can see the bug mentioned in the above advisory is not fully
> fixed.
> 
> When logged in to a FreeBSD 8.2 machine with freshly updated /usr/src
> (world and kernel) [made on Wed Nov 16] via an XDMCP session, acroread
> says
> 
> No protocol specified
> 
> (acroread:2908): Gtk-WARNING **: cannot open display:
> pc200404.maths.tcd.ie:0.0
> 
> Logged in to the same host via ssh -Y , I have DISPLAY set to something
> like localhost:10.0 and acroread does launch. It also launches on the
> console X display.
> 
> I would be happy with pointers as to a fix for this.
> 
> Yours,
> 
> Richard Timoney
> 
> -- 
> Richard M. Timoney
> (richa...@maths.tcd.ie)   Tel. +353-1-896 1196
> School of Mathematics, Trinity College, Dublin 2, Ireland
> WWW http://www.maths.tcd.ie/~richardt FAX  +353-1-896 2282


ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

2011-10-05 Thread FreeBSD Security Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:05.unix   Security Advisory
  The FreeBSD Project

Topic:  Buffer overflow in handling of UNIX socket addresses

Category:   core
Module: kern
Announced:  2011-09-28
Credits:Mateusz Guzik
Affects:All supported versions of FreeBSD.
Corrected:  2011-10-04 19:07:38 UTC (RELENG_7, 7.4-STABLE)
2011-10-04 19:07:38 UTC (RELENG_7_4, 7.4-RELEASE-p4)
2011-10-04 19:07:38 UTC (RELENG_7_3, 7.3-RELEASE-p8)
2011-10-04 19:07:38 UTC (RELENG_8, 8.2-STABLE)
2011-10-04 19:07:38 UTC (RELENG_8_2, 8.2-RELEASE-p4)
2011-10-04 19:07:38 UTC (RELENG_8_1, 8.1-RELEASE-p6)
2011-10-04 19:07:38 UTC (RELENG_9, 9.0-RC1)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2011-09-28 Initial release.
v1.1  2011-10-04 Updated patch to add linux emulation bug fix.

I.   Background

UNIX-domain sockets, also known as local sockets, are a mechanism for
interprocess communication.  They are similar to Internet sockets (and
utilize the same system calls) but instead of relying on IP addresses
and port numbers, UNIX-domain sockets have addresses in the local file
system address space.

FreeBSD contains linux emulation support via system call translation
in order to make it possible to use certain linux applications without
recompilation.

II.  Problem Description

When a UNIX-domain socket is attached to a location using the bind(2)
system call, the length of the provided path is not validated.  Later,
when this address is returned via other system calls, it is copied into
a fixed-length buffer.

Linux uses a larger socket address structure for UNIX-domain sockets
than FreeBSD, and FreeBSD's linux emulation code did not translate
UNIX-domain socket addresses into the correct size of structure.

III. Impact

A local user can cause the FreeBSD kernel to panic.  It may also be
possible to execute code with elevated privileges (gain root), escape
from a jail, or to bypass security mechanisms in other ways.

The patch provided with the initial version of this advisory exposed
the pre-existing bug in FreeBSD's linux emulation code, resulting in
attempts to use UNIX sockets from linux applications failing.  The most
common instance where UNIX sockets were used by linux applications is
in the context of the X windowing system, including the widely used
linux flash web browser plugin.

IV.  Workaround

No workaround is available, but systems without untrusted local users
are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patch has been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:05/unix2.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix2.patch.asc

NOTE: The patch distributed at the time of the original advisory fixed
the security vulnerability but exposed the pre-existing bug in the linux
emulation subsystem.  Systems to which the original patch was applied
should be patched with the following corrective patch, which contains
only the additional changes required to fix the newly-exposed linux
emulation bug:

# fetch http://security.FreeBSD.org/patches/SA-11:05/unix-linux.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix-linux.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch   Revision
  Path
- -
RELENG_7
  src/sys/kern/uipc_usrreq.c   1.206.2.13
  src/sys/compat/linux/linux_socket.c   1.74.2.15
RELENG_7_4
  src/UPDATING 
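A worked model in C of the two checks the advisory describes, added here as an illustration; it is not FreeBSD's code and not the patch. It shows the bind(2)-time length validation against the fixed-size record that getsockname(2) later copies out of, and a size-aware translation of Linux's larger sockaddr_un into FreeBSD's. The struct layouts are example copies using FreeBSD's 104-byte and Linux's 108-byte sun_path; the function names, the rule that a NUL terminator must also fit, and the sample path are this example's own choices.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example-local copies of the two native layouts: FreeBSD's sockaddr_un has a
 * 104-byte sun_path, Linux's has 108. AF_UNIX is 1 on both systems. */
#define BSD_SUN_PATH   104
#define LINUX_SUN_PATH 108
#define AF_UNIX_VALUE  1

struct bsd_sockaddr_un { uint8_t sun_len; uint8_t sun_family; char sun_path[BSD_SUN_PATH]; };
struct linux_sockaddr_un { uint16_t sun_family; char sun_path[LINUX_SUN_PATH]; };

/* bind(2)-time check: keep a caller-supplied address of namelen bytes only if
 * it fits the fixed-size record that getsockname(2)/getpeername(2) later copy
 * out of. Returns 0, EINVAL or ENAMETOOLONG. */
int unix_store_addr(const void *name, size_t namelen, struct bsd_sockaddr_un *stored)
{
    const size_t hdr = offsetof(struct bsd_sockaddr_un, sun_path);
    if (namelen < hdr)
        return EINVAL;               /* not even a complete header */
    if (namelen > sizeof(*stored))
        return ENAMETOOLONG;         /* path would overrun sun_path */
    memset(stored, 0, sizeof(*stored));
    memcpy(stored, name, namelen);
    stored->sun_len = (uint8_t)namelen;  /* the checked length, not the caller's claim */
    return 0;
}

/* Linux-layout address -> FreeBSD layout for the emulation layer. The
 * destination size decides what is accepted, so a path that only fits Linux's
 * larger buffer is refused. This example also insists that a NUL terminator
 * fits (stricter than FreeBSD, which allows an unterminated full-length path);
 * abstract-namespace names (leading NUL) come out empty, as FreeBSD has no
 * abstract namespace to map them to. */
int linux_to_bsd_un(const struct linux_sockaddr_un *in, size_t inlen,
                    struct bsd_sockaddr_un *out)
{
    const size_t lhdr = offsetof(struct linux_sockaddr_un, sun_path);
    const size_t bhdr = offsetof(struct bsd_sockaddr_un, sun_path);
    if (inlen < lhdr || inlen > sizeof(*in) || in->sun_family != AF_UNIX_VALUE)
        return EINVAL;
    size_t pathlen = inlen - lhdr;
    const char *nul = memchr(in->sun_path, '\0', pathlen);
    if (nul != NULL)
        pathlen = (size_t)(nul - in->sun_path);
    if (pathlen + 1 > BSD_SUN_PATH)
        return ENAMETOOLONG;
    memset(out, 0, sizeof(*out));
    out->sun_family = AF_UNIX_VALUE;
    memcpy(out->sun_path, in->sun_path, pathlen);
    out->sun_len = (uint8_t)(bhdr + pathlen + 1);   /* header + path + NUL */
    return 0;
}

/* Constructed sample inputs: the X server socket path, an oversized path and
 * a path that fits Linux's 108 bytes but not FreeBSD's 104. */
static const char *kSamplePath = "/tmp/.X11-unix/X0";   /* 17 characters */

int demo_store_ok(void)       /* 1 if a normal path is stored faithfully */
{
    struct bsd_sockaddr_un in = { 0, AF_UNIX_VALUE, "" }, stored;
    size_t namelen = offsetof(struct bsd_sockaddr_un, sun_path) + strlen(kSamplePath) + 1;
    strcpy(in.sun_path, kSamplePath);
    return unix_store_addr(&in, namelen, &stored) == 0
        && stored.sun_len == namelen && strcmp(stored.sun_path, kSamplePath) == 0;
}

int demo_store_too_long(void) /* errno value returned for a 198-byte path */
{
    unsigned char big[200];
    struct bsd_sockaddr_un stored;
    memset(big, 'a', sizeof big);
    big[0] = 0;                  /* sun_len as a caller might (mis)state it */
    big[1] = AF_UNIX_VALUE;
    return unix_store_addr(big, sizeof big, &stored);
}

int demo_translate(void)      /* 1 if the oversized path is refused and the normal one converts */
{
    struct linux_sockaddr_un lin = { AF_UNIX_VALUE, "" };
    struct bsd_sockaddr_un bsd;
    memset(lin.sun_path, 'a', 105);          /* 105 bytes: fits Linux, not FreeBSD */
    if (linux_to_bsd_un(&lin, sizeof lin, &bsd) != ENAMETOOLONG)
        return 0;
    strcpy(lin.sun_path, kSamplePath);       /* bytes beyond the NUL are ignored */
    return linux_to_bsd_un(&lin, 2 + 18, &bsd) == 0
        && bsd.sun_len == 20 && strcmp(bsd.sun_path, kSamplePath) == 0;
}

int main(void)
{
    printf("store: %d, oversized -> %s, translate: %d\n", demo_store_ok(),
           strerror(demo_store_too_long()), demo_translate());
    return 0;
}
```

The point to take from the two functions is the same in both directions: the length that governs a copy into a fixed buffer is derived from the destination structure and re-checked at the boundary, never taken on trust from the caller or from a differently sized source layout.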

FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

2011-10-04 Thread FreeBSD Security Advisories

Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

2011-10-04 Thread Mark Duller
On 10/04/11 20:15, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-11:05.unix                                       Security Advisory
>                                                           The FreeBSD Project
> 
> Topic:          Buffer overflow in handling of UNIX socket addresses
> 
> Category:       core
> Module:         kern
> Announced:      2011-09-28
> Credits:        Mateusz Guzik
> Affects:        All supported versions of FreeBSD.
> <snip>
> IV.  Workaround
> 
> No workaround is available, but systems without untrusted local
> users are not vulnerable.

Does this affect a default FreeBSD install? I believe linux emulation
support is disabled by default?

Mark


Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

2011-10-04 Thread Matthew Seaman
On 04/10/2011 21:38, Mark Duller wrote:
> On 10/04/11 20:15, FreeBSD Security Advisories wrote:
>> =============================================================================
>> FreeBSD-SA-11:05.unix                                       Security Advisory
>>                                                           The FreeBSD Project
>> 
>> Topic:          Buffer overflow in handling of UNIX socket addresses
>> 
>> Category:       core
>> Module:         kern
>> Announced:      2011-09-28
>> Credits:        Mateusz Guzik
>> Affects:        All supported versions of FreeBSD.
>> <snip>
>> IV.  Workaround
>> 
>> No workaround is available, but systems without untrusted local
>> users are not vulnerable.
> 
> Does this affect a default FreeBSD install? I believe linux emulation
> support is disabled by default?

Ish.  Sort of.  The default system contains the linux.ko loadable module
which is not loaded by default, but would be caused to automatically
load into the kernel by installing one of the linux_base ports.  Nothing
needs to be re-compiled in order to enable linux compat, and it doesn't
even require a reboot, but it does require root privileges to kldload
the module.

The underlying unix domain socket vulnerability affected all released
and development versions of FreeBSD up to the point where the advisory
was first issued.  If you'd applied the patches from the original
advisory then you should already be secure.  If your system definitely
doesn't run any linux binaries and never will do, then the additional
bits in the revised patch won't do anything for you.  However, without
the additional changes any linux applications that try to use unix
domain sockets will crash.  This doesn't result in any additional
security exposure, but it certainly won't endear your users to you.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


