From: Chris Coleman
To: announce@freebsd.org
Subject: FreeBSD Real Quick Newsletter
Date: Tue, 23 May 2000 01:26:51 -0400 (EDT)

FreeBSD Real-Quick(TM) News Letter.
Things Happening in FreeBSD.
Presented by Daemon News

-------------------------------------------------------------------------
BSDCon 2000
May 12, 2000

We are pleased to announce BSDCon 2000, the second annual BSD Conference and Expo! If you are a BSD user, this is the event you don't want to miss. There will be BSD-related tutorials, talks, demos, discussions, and exhibitor booths. Many BSD users and developers from all over the world will be present to share ideas, find common interest points, and develop new ideas--as a single community. All BSD users are welcome and encouraged to attend and participate.

Pricing information is as follows:

Conference (Oct. 18-20): $495
Tutorial 1 (Oct. 14-15): $495
Tutorial 2 (Oct. 16-17): $495
Room rates at the Hyatt: $129 US per night

There is a $50 early-bird discount off each if you register before September 1, 2000. Any registrations after September 1, 2000 will be charged full price. Hope to see you there!

MORE: http://daily.daemonnews.org/view_story.php3?story_id=906
LINK: http://www.bsdcon.com/

-------------------------------------------------------------------------
The Slashdot DDOS: What happened?
May 17, 2000

Slashdot posted a brief description of what happened during a DDOS attack against them last week. Nice to see FreeBSD come to the rescue.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=923
LINK: http://slashdot.org/article.pl?sid=00/05/17/1318233&mode=thread

-------------------------------------------------------------------------
ICS Unveils First Distribution of Open Motif
May 16, 2000

Integrated Computer Solutions, Inc. (ICS), the leading commercial supplier of Motif products and support, announced the immediate availability of Open Motif Everywhere, the first distribution of Open Motif for open systems. This announcement occurs concurrently with the announcement by The Open Group(TM) that it is making Open Motif, the industry standard toolkit for user interfaces on UNIX systems, freely available for open source operating systems such as Linux and FreeBSD.

Open Motif Everywhere has been tested on the following distributions: Corel (Intel), FreeBSD (Intel), Linux PPC 2000 (PPC), Mandrake (Intel), Red Hat (Intel, Sparc, Alpha), Slackware (Intel), Storm 2000 (Intel), SuSE (Intel), and TurboLinux (Intel).

MORE: http://daily.daemonnews.org/view_story.php3?story_id=922
LINK: http://biz.yahoo.com/bw/000515/ma_integra_2.html

-------------------------------------------------------------------------
Open Source 3d Game engine.
May 16, 2000

Why should Windows users have all the good games? Crystal Space is an open-source 3D game engine. Any good games for BSD on the horizon?

MORE: http://daily.daemonnews.org/view_story.php3?story_id=920
LINK: http://www.oreillynet.com/pub/a/linux/2000/05/16/crystal3d.html

-------------------------------------------------------------------------
Source Wars Goes Hi-Res!
May 03, 2000

Source Wars has always been drawn in Millions of Colors, and when we put it on the web, we have rendered it into 256 colors to keep the file size down. Almost the entire time, we have been keeping high-res .png files in hopes of making the high res version available. I have finally written the code necessary, and uploaded all the .png files. So, if you don't mind the wait, or have high speed internet, take a look at Source Wars as it was really meant to be seen.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=883
LINK: http://darby.daemonnews.org/episode.php3?ShowWeek=1&Res=HIGH

-------------------------------------------------------------------------
FreeBSD Committers pass the 200 mark!
May 16, 2000

There are now more than 200 members of the FreeBSD Committers team. Follow the link for the full scoop on the latest additions.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=919
LINK: http://people.freebsd.org/~wes/committers.html

-------------------------------------------------------------------------
Install FreeBSD 4.0 in seven easy steps
May 16, 2000

This is actually the start of a regular series of articles focusing on FreeBSD.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=914
LINK: http://www.techrepublic.com/article.jhtml?id=r00220000516eje01.htm

-------------------------------------------------------------------------
Newbies Corner: What to do after you have installed FreeBSD for the first time. Several things they usually leave out of the documentation.

MORE: http://www.daemonnews.org/200005/newbies.html

-------------------------------------------------------------------------
Chris Coleman
Daemon News
Oreilly Networks -- Open Source Editor
http://www.daemonnews.org
http://www.oreilynet.com

This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message

From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:19.semconfig
Reply-To: security-officer@freebsd.org
Message-Id: <20000526173223.4DB1C37BE94@hub.freebsd.org>
Date: Fri, 26 May 2000 10:32:23 -0700 (PDT)

=============================================================================
FreeBSD-SA-00:19 Security Advisory
FreeBSD, Inc.

Topic: local users can prevent all processes from exiting
Category: core
Module: kernel
Announced: 2000-05-26
Credits: Peter Wemm
Affects: 386BSD-derived OSes, including all versions of FreeBSD, NetBSD and OpenBSD.
Corrected: 2000-05-01
FreeBSD only: NO
Patch: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:19/semconfig.patch

I. Background

System V IPC is a set of interfaces for providing inter-process communication, in the form of shared memory segments, message queues and semaphores. These are managed in user-space by ipcs(1) and related utilities.

II. Problem Description

An undocumented system call is incorrectly exported from the kernel without access-control checks. This operation causes the acquisition in the kernel of a global semaphore which causes all processes on the system to block during exit() handling, thereby preventing any process from exiting until the corresponding "unblock" system call is issued.

This operation was intended for use only by ipcs(1) to atomically sample the state of System V IPC resources on the system (i.e., to ensure that resources are not allocated or deallocated during the process of sampling itself).

In the future, this functionality may be reimplemented as a sysctl() node.

III. Impact

An unprivileged local user can cause every process on the system to hang during exiting. In other words, after the system call is issued, no process on the system will be able to exit completely until another user issues the "unblock" call or the system is rebooted. This is a denial-of-service attack.

IV. Workaround

None available.

V. Solution

Upgrade to FreeBSD 2.1.7.1-STABLE, 2.2.8-STABLE, 3.4-STABLE, 4.0-STABLE or 5.0-CURRENT after the correction date.

Alternatively, apply the following patch and rebuild the kernel and the src/usr.bin/ipcs utility. This patch removes the semconfig() syscall. It has been tested to apply cleanly against 3.4-RELEASE, 3.4-STABLE, 4.0-RELEASE and 4.0-STABLE systems.

1) Save this advisory as a file, and run the following commands as root:

# cd /usr/src
# patch -p < /path/to/advisory
# cd usr.bin/ipcs
# make all install

2) Rebuild and reinstall the kernel and kernel modules as described in the FreeBSD handbook (see: http://www.freebsd.org/handbook/kernelconfig.html for more information)

3) Reboot the system

Patches for FreeBSD systems before the resolution date:

--- sys/kern/syscalls.master 2000/01/19 06:01:07 1.72 +++ sys/kern/syscalls.master 2000/05/01 11:15:10 1.72.2.1 @@ -342,7 +342,7 @@ 221 STD BSD { int semget(key_t key, int nsems, int semflg); } 222 STD BSD { int semop(int semid, struct sembuf *sops, \ u_int nsops); } -223 STD BSD { int semconfig(int flag); } +223 UNIMPL NOHIDE semconfig 224 STD BSD { int msgctl(int msqid, int cmd, \ struct msqid_ds *buf); } 225 STD BSD { int msgget(key_t key, int msgflg); } --- sys/kern/init_sysent.c 2000/01/19 06:02:29 1.79 +++ sys/kern/init_sysent.c 2000/05/01 11:15:56 1.79.2.1 @@ -243,7 +243,7 @@ { 4, (sy_call_t *)__semctl }, /* 220 = __semctl */ { 3, (sy_call_t *)semget }, /* 221 = semget */ { 3, (sy_call_t *)semop }, /* 222 = semop */ - { 1, (sy_call_t *)semconfig }, /* 223 = semconfig */ + { 0, (sy_call_t *)nosys }, /* 223 = semconfig */ { 3, (sy_call_t *)msgctl }, /* 224 = msgctl */ { 2, (sy_call_t *)msgget }, /* 225 = msgget */ { 4, (sy_call_t *)msgsnd }, /* 226 = msgsnd */ --- sys/kern/syscalls.c 2000/01/19 06:02:29 1.71 +++ sys/kern/syscalls.c 2000/05/01 11:15:56 1.71.2.1 
@@ -230,7 +230,7 @@ "__semctl", /* 220 = __semctl */ "semget", /* 221 = semget */ "semop", /* 222 = semop */ - "semconfig", /* 223 = semconfig */ + "#223", /* 223 = semconfig */ "msgctl", /* 224 = msgctl */ "msgget", /* 225 = msgget */ "msgsnd", /* 226 = msgsnd */ --- sys/kern/sysv_ipc.c 2000/02/29 22:58:59 1.13 +++ sys/kern/sysv_ipc.c 2000/05/01 11:15:56 1.13.2.1 @@ -107,15 +107,6 @@ semsys(p, uap) struct proc *p; struct semsys_args *uap; -{ - sysv_nosys(p, "SYSVSEM"); - return nosys(p, (struct nosys_args *)uap); -}; - -int -semconfig(p, uap) - struct proc *p; - struct semconfig_args *uap; { sysv_nosys(p, "SYSVSEM"); return nosys(p, (struct nosys_args *)uap); --- sys/kern/sysv_sem.c 2000/04/02 08:47:08 1.24.2.1 +++ sys/kern/sysv_sem.c 2000/05/01 11:15:56 1.24.2.2 @@ -26,8 +26,6 @@ int semget __P((struct proc *p, struct semget_args *uap)); struct semop_args; int semop __P((struct proc *p, struct semop_args *uap)); -struct semconfig_args; -int semconfig __P((struct proc *p, struct semconfig_args *uap)); #endif static struct sem_undo *semu_alloc __P((struct proc *p)); @@ -38,7 +36,7 @@ /* XXX casting to (sy_call_t *) is bogus, as usual. */ static sy_call_t *semcalls[] = { (sy_call_t *)__semctl, (sy_call_t *)semget, - (sy_call_t *)semop, (sy_call_t *)semconfig + (sy_call_t *)semop }; static int semtot = 0; @@ -47,8 +45,6 @@ static struct sem_undo *semu_list; /* list of active undo structures */ int *semu; /* undo structure pool */ -static struct proc *semlock_holder = NULL; - void seminit(dummy) void *dummy; 
@@ -87,64 +83,12 @@ } */ *uap; { - while (semlock_holder != NULL && semlock_holder != p) - (void) tsleep((caddr_t)&semlock_holder, (PZERO - 4), "semsys", 0); - if (uap->which >= sizeof(semcalls)/sizeof(semcalls[0])) return (EINVAL); return ((*semcalls[uap->which])(p, &uap->a2)); } /* - * Lock or unlock the entire semaphore facility. - * - * This will probably eventually evolve into a general purpose semaphore - * facility status enquiry mechanism (I don't like the "read /dev/kmem" - * approach currently taken by ipcs and the amount of info that we want - * to be able to extract for ipcs is probably beyond what the capability - * of the getkerninfo facility. - * - * At the time that the current version of semconfig was written, ipcs is - * the only user of the semconfig facility. It uses it to ensure that the - * semaphore facility data structures remain static while it fishes around - * in /dev/kmem. - */ - -#ifndef _SYS_SYSPROTO_H_ -struct semconfig_args { - semconfig_ctl_t flag; -}; -#endif - -int -semconfig(p, uap) - struct proc *p; - struct semconfig_args *uap; -{ - int eval = 0; - - switch (uap->flag) { - case SEM_CONFIG_FREEZE: - semlock_holder = p; - break; - - case SEM_CONFIG_THAW: - semlock_holder = NULL; - wakeup((caddr_t)&semlock_holder); - break; - - default: - printf("semconfig: unknown flag parameter value (%d) - ignored\n", - uap->flag); - eval = EINVAL; - break; - } - - p->p_retval[0] = 0; - return(eval); -} - -/* * Allocate a new sem_undo structure for a process * (returns ptr to structure or NULL if no more room) */ @@ -873,17 +817,6 @@ register struct sem_undo **supptr; int did_something; - /* - * If somebody else is holding the global semaphore facility lock - * then sleep until it is released. - */ - while (semlock_holder != NULL && semlock_holder != p) { -#ifdef SEM_DEBUG - printf("semaphore facility locked - sleeping ...\n"); -#endif - (void) tsleep((caddr_t)&semlock_holder, (PZERO - 4), "semext", 0); - } - did_something = 0; /* 
@@ -898,7 +831,7 @@ } if (suptr == NULL) - goto unlock; + return; #ifdef SEM_DEBUG printf("proc @%08x has undo structure with %d entries\n", p, @@ -955,14 +888,4 @@ #endif suptr->un_proc = NULL; *supptr = suptr->un_next; - -unlock: - /* - * If the exiting process is holding the global semaphore facility - * lock then release it. - */ - if (semlock_holder == p) { - semlock_holder = NULL; - wakeup((caddr_t)&semlock_holder); - } } --- sys/sys/sem.h 1999/12/29 04:24:46 1.20 +++ sys/sys/sem.h 2000/05/01 11:15:58 1.20.2.1 @@ -163,13 +163,5 @@ * Process sem_undo vectors at proc exit. */ void semexit __P((struct proc *p)); - -/* - * Parameters to the semconfig system call - */ -typedef enum { - SEM_CONFIG_FREEZE, /* Freeze the semaphore facility. */ - SEM_CONFIG_THAW /* Thaw the semaphore facility. */ -} semconfig_ctl_t; #endif /* _KERNEL */ --- sys/sys/syscall-hide.h 2000/01/19 06:02:31 1.65 +++ sys/sys/syscall-hide.h 2000/05/01 11:15:58 1.65.2.1 @@ -191,7 +191,6 @@ HIDE_BSD(__semctl) HIDE_BSD(semget) HIDE_BSD(semop) -HIDE_BSD(semconfig) HIDE_BSD(msgctl) HIDE_BSD(msgget) HIDE_BSD(msgsnd) --- sys/sys/syscall.h 2000/01/19 06:02:31 1.69 +++ sys/sys/syscall.h 2000/05/01 11:15:59 1.69.2.1 @@ -196,7 +196,6 @@ #define SYS___semctl 220 #define SYS_semget 221 #define SYS_semop 222 -#define SYS_semconfig 223 #define SYS_msgctl 224 #define SYS_msgget 225 #define SYS_msgsnd 226 --- sys/sys/syscall.mk 2000/01/19 06:07:34 1.23 +++ sys/sys/syscall.mk 2000/05/01 11:15:59 1.23.2.1 @@ -148,7 +148,6 @@ __semctl.o \ semget.o \ semop.o \ - semconfig.o \ msgctl.o \ msgget.o \ msgsnd.o \ --- sys/sys/sysproto.h 2000/01/19 06:02:31 1.59 +++ sys/sys/sysproto.h 2000/05/01 11:16:00 1.59.2.1 @@ -662,9 +662,6 @@ struct sembuf * sops; char sops_[PAD_(struct sembuf *)]; u_int nsops; char nsops_[PAD_(u_int)]; }; -struct semconfig_args { - int flag; char flag_[PAD_(int)]; -}; struct msgctl_args { int msqid; char msqid_[PAD_(int)]; int cmd; char cmd_[PAD_(int)]; 
@@ -1158,7 +1155,6 @@ int __semctl __P((struct proc *, struct __semctl_args *)); int semget __P((struct proc *, struct semget_args *)); int semop __P((struct proc *, struct semop_args *)); -int semconfig __P((struct proc *, struct semconfig_args *)); int msgctl __P((struct proc *, struct msgctl_args *)); int msgget __P((struct proc *, struct msgget_args *)); int msgsnd __P((struct proc *, struct msgsnd_args *)); --- usr.bin/ipcs/ipcs.c 1999/12/29 05:05:32 1.12 +++ usr.bin/ipcs/ipcs.c 2000/05/01 10:51:37 1.12.2.1 @@ -56,7 +56,6 @@ struct shminfo shminfo; struct shmid_ds *shmsegs; -int semconfig __P((int,...)); void usage __P((void)); static struct nlist symbols[] = { @@ -420,11 +419,6 @@ seminfo.semaem); } if (display & SEMINFO) { - if (semconfig(SEM_CONFIG_FREEZE) != 0) { - perror("semconfig"); - fprintf(stderr, - "Can't lock semaphore facility - winging it...\n"); - } kvm_read(kd, symbols[X_SEMA].n_value, &sema, sizeof(sema)); xsema = malloc(sizeof(struct semid_ds) * seminfo.semmni); kvm_read(kd, (u_long) sema, xsema, sizeof(struct semid_ds) * seminfo.semmni); @@ -470,8 +464,6 @@ printf("\n"); } } - - (void) semconfig(SEM_CONFIG_THAW); printf("\n"); }
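
Review bot: In sys/kern/syscalls.master, the new line "223 UNIMPL NOHIDE semconfig" keeps the slot reserved but gives no reason for it. A one-line comment beside it stating that the call was removed for FreeBSD-SA-00:19 would keep the number from being reused, or the call from being restored, without a security review.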
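
Review bot: In sys/kern/sysv_sem.c, shrinking semcalls[] to three entries means semsys() now rejects which == 3 with EINVAL through the existing bounds check, while init_sysent.c sends syscall 223 to nosys, so the two entry points for the same removed operation fail differently. Please add a comment at semcalls[] saying that index 3 was semconfig and must stay rejected, so that a subcall appended later does not silently land on the index old callers used for the freeze request.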
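
Review bot: In usr.bin/ipcs/ipcs.c, once the SEM_CONFIG_FREEZE and SEM_CONFIG_THAW calls are gone, the kvm_read() of sema and xsema in the SEMINFO branch runs with no synchronisation, so the listing can mix states from different instants. The removed code already tolerated that case ("winging it"), so the behaviour is acceptable, but a comment at the kvm_read() calls should say the sample is no longer atomic, and the ipcs documentation should mention it as well.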
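
The freeze/exit interaction described in FreeBSD-SA-00:19, as an added user-space model that is not part of the advisory or of FreeBSD's code. The names struct proc_model, semconfig_unchecked, semconfig_checked and the helper functions are hypothetical, and the uid-gated variant is an assumption shown only for contrast, since the actual fix removes the call.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed user-space model of the removed logic; this is not kernel code. */
typedef enum { SEM_CONFIG_FREEZE, SEM_CONFIG_THAW } semconfig_ctl_t;
struct proc_model { int pid; int uid; };  /* hypothetical stand-in for struct proc */
typedef int (*semconfig_fn)(const struct proc_model *, semconfig_ctl_t);

static const struct proc_model *semlock_holder = NULL;

/* Pre-patch behaviour: no credential check, and THAW ignores who holds the lock. */
int semconfig_unchecked(const struct proc_model *p, semconfig_ctl_t flag)
{
    switch (flag) {
    case SEM_CONFIG_FREEZE: semlock_holder = p;    return 0;
    case SEM_CONFIG_THAW:   semlock_holder = NULL; return 0;
    default:                return EINVAL;
    }
}

/* Assumed gated variant for contrast: uid 0 only, and only the holder may thaw. */
int semconfig_checked(const struct proc_model *p, semconfig_ctl_t flag)
{
    if (p->uid != 0)
        return EPERM;
    switch (flag) {
    case SEM_CONFIG_FREEZE:
        if (semlock_holder != NULL && semlock_holder != p)
            return EBUSY;
        semlock_holder = p;
        return 0;
    case SEM_CONFIG_THAW:
        if (semlock_holder != p)
            return EPERM;
        semlock_holder = NULL;
        return 0;
    default:
        return EINVAL;
    }
}

/* The condition the old semexit() slept on before a process could finish exiting. */
int semexit_would_sleep(const struct proc_model *p)
{
    return semlock_holder != NULL && semlock_holder != p;
}

/* How many of the n modelled processes could not complete exit() right now. */
int count_stuck(const struct proc_model *procs, int n)
{
    int stuck = 0;
    for (int i = 0; i < n; i++)
        stuck += semexit_would_sleep(&procs[i]);
    return stuck;
}

/* Reset the model, let procs[caller] request a freeze, report who is stuck. */
int stuck_after_freeze(semconfig_fn impl, const struct proc_model *procs, int n, int caller)
{
    semlock_holder = NULL;
    (void)impl(&procs[caller], SEM_CONFIG_FREEZE);
    return count_stuck(procs, n);
}
```

With three modelled processes, a freeze requested by a non-root entry leaves the other two unable to exit under the unchecked version, while the gated version returns EPERM and nothing is stuck.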

From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:20.krb5
Reply-To: security-officer@freebsd.org
Message-Id: <20000526174039.514AE37BF77@hub.freebsd.org>
Date: Fri, 26 May 2000 10:40:39 -0700 (PDT)

=============================================================================
FreeBSD-SA-00:20 Security Advisory
FreeBSD, Inc.

Topic: krb5 port contains remote and local root exploits.
Category: ports
Module: krb5
Announced: 2000-05-26
Credits: Jeffrey I. Schiller
Affects: Ports collection prior to the correction date
Corrected: 2000-05-17
Vendor status: Patch released
FreeBSD only: NO

I. Background

MIT Kerberos 5 is an implementation of the Kerberos 5 protocol which is available in the FreeBSD ports collection as the security/krb5 port. FreeBSD also includes separately-developed Kerberos 4 and 5 implementations from KTH, which are optionally installed as part of the base system (KTH Heimdal, the Kerberos 5 implementation, is currently considered "experimental" software).

II. Problem Description

The MIT Kerberos 5 port, versions 1.1.1 and earlier, contains several remote and local buffer overflows which can lead to root compromise.

Note that the implementations of Kerberos shipped in the FreeBSD base system are separately-developed software to MIT Kerberos and are believed not to be vulnerable to these problems.

However, a very old release of FreeBSD dating from 1997 (FreeBSD 2.2.5) did ship with a closely MIT-derived Kerberos implementation ("eBones") and may be vulnerable to attacks of the kind described here. Any users still using FreeBSD 2.2.5 and who have installed the optional Kerberos distribution are urged to upgrade to 2.2.8-STABLE or later. Note however that FreeBSD 2.x is no longer an officially supported version, nor are security fixes always provided.

The krb5 port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 3300 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Local or remote users can obtain root access on the system running krb5.

If you have not chosen to install the krb5 port, then your system is not vulnerable to this problem.

IV. Workaround

Due to the nature of the vulnerability there are several programs and network services which are affected. If recompiling the port is not practical, please see the MIT Kerberos advisory for suggested workarounds (including the disabling or adjustment of services and removal of setuid permissions on vulnerable binaries). The advisory can be found at the following location:

http://web.mit.edu/kerberos/www/advisories/krb4buf.txt

V. Solution

1) Upgrade your entire ports collection and rebuild the krb5 port. A package is not provided for this port for export control reasons.

2) download a new port skeleton for the krb5 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

3) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz