From owner-freebsd-announce Fri Jul 12 13:46:15 2002
Delivered-To: freebsd-announce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9D91F37B401;
	Fri, 12 Jul 2002 13:46:03 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BA52D43E67;
	Fri, 12 Jul 2002 13:46:02 -0700 (PDT)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6CKk2JU099849;
	Fri, 12 Jul 2002 13:46:02 -0700 (PDT)
	(envelope-from security-advisories@freebsd.org)
Received: (from nectar@localhost)
	by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6CKk2x4099848;
	Fri, 12 Jul 2002 13:46:02 -0700 (PDT)
Date: Fri, 12 Jul 2002 13:46:02 -0700 (PDT)
Message-Id: <200207122046.g6CKk2x4099848@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:29                                            Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in tcpdump when handling NFS packets

Category:       contrib
Module:         tcpdump
Announced:      2002-07-12
Credits:        dwmw2@redhat.com
Affects:        All releases prior to and including 4.6-RELEASE
                FreeBSD 4.6-STABLE prior to the correction date
Corrected:      2002-07-05 13:24:57 UTC (RELENG_4)
                2002-07-12 13:29:47 UTC (RELENG_4_6)
                2002-07-12 13:31:10 UTC (RELENG_4_5)
                2002-07-12 13:31:44 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background
The tcpdump utility is used to capture and examine network traffic.

II.  Problem Description

Versions of tcpdump up to and including 3.7.1 contain a buffer overflow
that may be triggered by badly formed NFS packets, and possibly other
types of packets.

III. Impact

It is not currently known whether this buffer overflow is exploitable.
If it were, an attacker could inject specially crafted packets into the
network which, when processed by tcpdump, could lead to arbitrary code
execution with the privileges of the user running tcpdump (typically
`root').

IV.  Workaround

There is no workaround, other than not using tcpdump.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6,
RELENG_4_5, or RELENG_4_4 security branch dated after the correction
date (4.6-RELEASE-p2, 4.5-RELEASE-p8, or 4.4-RELEASE-p15).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, 4.5, and
4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:29/tcpdump.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:29/tcpdump.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                              Branch      Revision
- -------------------------------------------------------------------------
src/contrib/tcpdump/interface.h   RELENG_4    1.4.2.3
                                  RELENG_4_6  1.4.2.1.6.1
                                  RELENG_4_5  1.4.2.1.4.1
                                  RELENG_4_4  1.4.2.1.2.1
- -------------------------------------------------------------------------

VII. References
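The class of bug SA-02:29 describes, as an added illustration written for this page. It is not tcpdump's code and not the FreeBSD patch (the advisory names only the corrected file, interface.h, and shows no diff). A packet decoder must check that each field it is about to read lies inside the captured bytes; written as `offset + length <= captured`, that check can be defeated by a length field large enough to wrap the addition, and the length field is exactly what an on-the-wire attacker controls. NFS carries file handles as XDR variable-length opaque fields (a 4-byte big-endian length followed by the data), so the constructed packets below use that shape. The function names `unsafe_fits`, `safe_fits` and `xdr_opaque_len`, and the sample packets, are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Does a field of `len` bytes starting at `off` lie inside a capture of
 * `caplen` bytes?  Both checks are this example's own, modelled on the kind
 * of test a packet decoder makes before touching packet data.
 */

/* Vulnerable form: off + len is computed in 32 bits and can wrap. */
static int unsafe_fits(uint32_t off, uint32_t len, uint32_t caplen)
{
    return (uint32_t)(off + len) <= caplen;
}

/* Hardened form: subtract instead of add, so nothing can wrap. */
static int safe_fits(uint32_t off, uint32_t len, uint32_t caplen)
{
    return off <= caplen && len <= caplen - off;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Parse an XDR opaque<> (4-byte length, then data) at `off`.  Returns the
 * data length the decoder would go on to read, or -1 if the field is
 * rejected as not fitting in the capture.  `use_safe` selects the check.
 */
static int64_t xdr_opaque_len(const uint8_t *pkt, uint32_t caplen,
                              uint32_t off, int use_safe)
{
    if (!safe_fits(off, 4, caplen))       /* the length word itself */
        return -1;
    uint32_t len = be32(pkt + off);
    uint32_t data_off = off + 4;          /* cannot wrap: off + 4 <= caplen */
    int ok = use_safe ? safe_fits(data_off, len, caplen)
                      : unsafe_fits(data_off, len, caplen);
    return ok ? (int64_t)len : -1;
}

/* Constructed 16-byte "capture": a well-formed 8-byte handle ... */
static const uint8_t good_pkt[16] = {
    0x00, 0x00, 0x00, 0x08, 'h', 'a', 'n', 'd', 'l', 'e', '0', '1',
    0x00, 0x00, 0x00, 0x00
};
/* ... and one whose length field is 0xFFFFFFFE, so 4 + len wraps to 2. */
static const uint8_t bad_pkt[16] = {
    0xff, 0xff, 0xff, 0xfe, 'h', 'a', 'n', 'd', 'l', 'e', '0', '1',
    0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("good packet, unsafe check: %lld\n",
           (long long)xdr_opaque_len(good_pkt, 16, 0, 0));
    printf("good packet, safe check:   %lld\n",
           (long long)xdr_opaque_len(good_pkt, 16, 0, 1));
    printf("bad packet,  unsafe check: %lld (accepted: decoder would read "
           "far past the capture)\n",
           (long long)xdr_opaque_len(bad_pkt, 16, 0, 0));
    printf("bad packet,  safe check:   %lld\n",
           (long long)xdr_opaque_len(bad_pkt, 16, 0, 1));
    return 0;
}
```

The bad packet passes the additive check because 4 + 0xFFFFFFFE wraps to 2, which is comfortably below the 16-byte capture length; the subtractive check compares the length against the space actually remaining and rejects it. The same rule applies to pointer-based checks of the form `p + len <= end`: compare `len` against `end - p` instead, after confirming `p <= end`.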
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPS8+yFUuHi5z0oilAQGEaAQApQpuobpvrYILjiJh9Zvfnupop9aDuQ/G
9RvnGVv0ZXrKtD8aRiP3JrjouGvZm9WLqXsXlnf0wmTXdWWg5ibjuJK/gDtdiqjA
iuZvq5Rx+IKD33pZpAocg74zIv3nDYv1S+3ndJXtYcSFw7EnC4QHu3mFrZK81RcQ
6LpcUuxVTl8=
=hQ/2
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Fri Jul 12 13:46:24 2002
Delivered-To: freebsd-announce@freebsd.org
Date: Fri, 12 Jul 2002 13:46:13 -0700 (PDT)
Message-Id: <200207122046.g6CKkDbO099889@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:30                                            Security Advisory
                                                          The FreeBSD Project

Topic:          Users may trace previously privileged processes

Category:       core
Module:         ktrace
Announced:      2002-07-12
Credits:        Theo DeRaadt
                Darren Reed
Affects:        All releases prior to and including 4.6-RELEASE
                FreeBSD 4.6-STABLE prior to the correction date
Corrected:      2002-07-05 22:36:38 UTC (RELENG_4)
                2002-07-11 16:47:41 UTC (RELENG_4_6)
                2002-07-11 16:47:55 UTC (RELENG_4_5)
                2002-07-11 16:56:05 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background

The ktrace utility is a debugging tool that allows users to trace system
calls, I/O, and file system lookup operations executed by or on behalf
of a process and its children.  Since this could potentially reveal
sensitive information, the kernel will normally only allow a user to
trace his or her own processes, and will immediately stop tracing a
process that gains special privileges, for instance by executing a
setuid or setgid binary.

The ktrace utility depends on the KTRACE kernel option, which is enabled
by default.

II.  Problem Description

If a process that had special privileges were to abandon them, it would
become possible for the owner of that process to trace it.  However, that
process might still possess and / or communicate sensitive information
that it had obtained before abandoning its privileges, which would then
be revealed to the tracing user.

III. Impact

In theory, local users on systems where ktrace is enabled through the
KTRACE kernel option might obtain sensitive information, such as password
files or authentication keys.  No specific utility is currently known to
be vulnerable to this particular problem.

IV.  Workaround

Recompile the kernel without the KTRACE option, and reboot.

V.   Solution

The following patch has been verified to apply to FreeBSD 4.4, 4.5, and
4.6 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:30/ktrace.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:30/ktrace.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                         Branch      Revision
- -------------------------------------------------------------------------
src/sys/kern/kern_ktrace.c   RELENG_4    1.35.2.6
                             RELENG_4_6  1.35.2.5.4.1
                             RELENG_4_5  1.35.2.5.2.1
                             RELENG_4_4  1.35.2.4.4.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPS8+qFUuHi5z0oilAQH+XwQAlGxDecckzp1md5S3S3JfLSkvI3vMHzTw
nezUkanQ+2M65kj3QUzDnhv+jR0KpgAXCfMIVFUekb+rO8fbxbVygyWZH3T501F/
5nhoNGwkbTVdjY9x34dSOvVJHNUZ0zn9Y+aQiC5msK4ZyI2GFdrH/Kfa1Ubh7H6z
w1/J3NNJ5Bs=
=z5iy
-----END PGP SIGNATURE-----
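The access check that SA-02:30 describes, as an added model written for this page. It is not the FreeBSD kernel code and does not reproduce the kern_ktrace.c change, which the advisory does not show. The model keeps, for each process, its real and effective uids and a `was_privileged` flag that is set when the process gains privilege and never cleared. The "before" policy refuses a tracer only while the uids differ, so once a setuid program drops back to its caller's uid the caller may attach, which is the hole the advisory describes; the "after" policy additionally refuses any process that was ever privileged. The type and function names, the policy enum and the uids 0 and 1001 are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* This example's own model of the credentials ktrace's check looks at. */
struct proc_model {
    uint32_t ruid;            /* real uid: who owns the process */
    uint32_t euid;            /* effective uid: what it may currently do */
    int      was_privileged;  /* set once euid != ruid has been granted */
};

enum policy { POLICY_BEFORE_FIX, POLICY_AFTER_FIX };

/* The process execs a setuid binary owned by `owner`. */
static void exec_setuid(struct proc_model *p, uint32_t owner)
{
    p->euid = owner;
    if (p->euid != p->ruid)
        p->was_privileged = 1;
}

/* The process abandons its privileges, e.g. setuid(getuid()). */
static void drop_privs(struct proc_model *p)
{
    p->euid = p->ruid;
}

/*
 * May `tracer_uid` attach ktrace to `p`?  Root may always trace; that is
 * kept the same in both policies so the one difference stands out.
 */
static int trace_allowed(uint32_t tracer_uid, const struct proc_model *p,
                         enum policy pol)
{
    if (tracer_uid == 0)
        return 1;
    if (tracer_uid != p->ruid)          /* not your process */
        return 0;
    if (p->euid != p->ruid)             /* currently privileged */
        return 0;
    if (pol == POLICY_AFTER_FIX && p->was_privileged)
        return 0;                       /* once privileged: stays untraceable */
    return 1;
}

/* A process that never had privileges: traceable by its owner under both. */
static int fresh_process_traceable(enum policy pol)
{
    struct proc_model p = { 1001, 1001, 0 };
    return trace_allowed(1001, &p, pol);
}

/* Uid 1001 runs a setuid-root program; while it is root, nobody but root
 * may attach.  Both policies agree here. */
static int traceable_while_privileged(enum policy pol)
{
    struct proc_model p = { 1001, 1001, 0 };
    exec_setuid(&p, 0);
    return trace_allowed(1001, &p, pol);
}

/* The same program reads its secret as root, then drops to 1001 and keeps
 * working with it.  Can 1001 attach now and watch the secret go by? */
static int traceable_after_drop(enum policy pol)
{
    struct proc_model p = { 1001, 1001, 0 };
    exec_setuid(&p, 0);
    drop_privs(&p);
    return trace_allowed(1001, &p, pol);
}

int main(void)
{
    printf("before fix: owner can trace after privilege drop: %d\n",
           traceable_after_drop(POLICY_BEFORE_FIX));
    printf("after fix:  owner can trace after privilege drop: %d\n",
           traceable_after_drop(POLICY_AFTER_FIX));
    printf("after fix:  never-privileged process still traceable: %d\n",
           fresh_process_traceable(POLICY_AFTER_FIX));
    return 0;
}
```

The practical check on a patched kernel follows the same scenario: start a setuid program that has dropped back to your uid, then run `ktrace -p <pid>` as that user; the attach should be refused, while `ktrace -p` against an ordinary process you own still works.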