From owner-freebsd-security-notifications Tue Apr 16 14:03:55 2002
Date: Tue, 16 Apr 2002 14:03:49 -0700 (PDT)
Message-Id: <200204162103.g3GL3nP44384@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:20.syncache

=============================================================================
FreeBSD-SA-02:20                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          syncache/syncookies denial of service

Category:       core
Module:         net
Announced:      2002-04-16
Credits:        Alan Judge
                Dima Ruban
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC
                FreeBSD 4.5-STABLE prior to the correction date
Corrected:      2002-02-20 16:48:49 UTC (RELENG_4)
                2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)
FreeBSD only:   YES

I.   Background

The SYN cache ("syncache") and SYN cookie mechanism ("syncookie") are
features of the TCP/IP stack intended to improve resistance to a class of
denial of service attacks known as SYN floods.

II.  Problem Description

Two related problems with syncache were triggered when syncookies were
implemented.
1) When a SYN was accepted via a syncookie, it used an uninitialized pointer
to find the TCP options for the new socket.  This pointer may be a null
pointer, which will cause the machine to crash.

2) A syncache entry is created when a SYN arrives on a listen socket.  If
the application which created the listen socket was killed and restarted
--- and therefore recreated the listen socket with a different inpcb --- an
ACK (or duplicate SYN) which later arrived and matched the existing syncache
entry would cause a reference to the old inpcb pointer.  Depending on the
pointer's contents, this might result in a system crash.

Because syncache/syncookies support was added prior to the release of
FreeBSD 4.5-RELEASE, no other releases are affected.

III. Impact

Legitimate TCP/IP traffic may cause the machine to crash.

IV.  Workaround

The first issue described may be worked around by disabling syncookies
using sysctl.  Issue the following command as root:

# sysctl -w net.inet.tcp.syncookies=0

However, there is no workaround for the second issue.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE or the RELENG_4_5 security
branch dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the below
location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc

This patch has been verified to apply to 4.5-RELEASE only.

Verify the detached PGP signature using your PGP utility.

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.
Path                             Branch       Revision
-------------------------------------------------------------------------
src/sys/conf/newvers.sh          RELENG_4_5   1.44.2.20.2.2
src/sys/netinet/tcp_syncache.c   RELENG_4     1.5.2.5
                                 RELENG_4_5   1.5.2.4.2.1
-------------------------------------------------------------------------

VII. References

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Wed Apr 17 12:23:53 2002
Date: Wed, 17 Apr 2002 12:23:42 -0700 (PDT)
Message-Id: <200204171923.g3HJNg958905@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

=============================================================================
FreeBSD-SA-02:21.tcpip                                     Security Advisory
                                                                FreeBSD, Inc.
Topic:          routing table memory leak

Category:       core
Module:         net
Announced:      2002-04-17
Credits:        Jayanth Vijayaraghavan
                Ruslan Ermilov
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC and prior to
                the correction date
Corrected:      2002-03-22 16:54:19 UTC (RELENG_4)
                2002-04-15 17:12:08 UTC (RELENG_4_5)
FreeBSD only:   YES

I.   Background

The TCP/IP stack's routing table records information about how to reach
various destinations.  The first time a TCP connection is established with
a particular host, a so-called "cloned route" entry for that host is
automatically derived from one of the predefined routes and added to the
table.  Each entry has a reference count that indicates how many existing
connections use that entry; when the reference count reaches zero, the
entry is removed from the table.

II.  Problem Description

A bug was introduced into ip_output() wherein the processing of an ICMP
echo reply message would cause a reference count on a routing table entry
to never be decremented.  Thus, memory allocated for the routing table
entry was never deallocated.

III. Impact

This bug could be exploited to effect a remote denial of service attack.
An attacker could cause new routing table entries (for example, by taking
advantage of TCP's route cloning behavior) and then utilize this bug to
cause the route entry to never be deallocated.  In this fashion, the target
system's memory can be exhausted.

IV.  Workaround

Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo messages.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or the
RELENG_4_5 security branch dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[4.5-RELEASE, 4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                        Branch       Revision
-------------------------------------------------------------------------
sys/netinet/ip_icmp.c       RELENG_4     1.39.2.16
                            RELENG_4_5   1.39.2.14.2.1
sys/netinet/ip_mroute.c     RELENG_4     1.56.2.4
                            RELENG_4_5   1.56.2.3.2.1
sys/netinet/ip_output.c     RELENG_4     1.99.2.29
                            RELENG_4_5   1.99.2.24.2.1
-------------------------------------------------------------------------
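The SA-02:21 leak above, as an added toy model that is not FreeBSD's code: a cloned-route entry carrying a reference count, an output path that never drops the reference it took while sending an echo reply, and the corrected pairing of lookup and release. All names (route_t, rt_lookup, rt_release, ip_output_buggy, ip_output_fixed, replies_leave_routes) and the 16-entry table limit are invented for the illustration.

```c
/* Added example, not FreeBSD code: a toy model of the cloned-route
 * reference counting described in SA-02:21.  All names are invented. */
#include <stdio.h>
#include <string.h>
#define MAX_ROUTES 16                /* constructed table limit */

typedef struct {
    char dest[16];                   /* host the route was cloned for */
    int refcnt, live;                /* users of the entry; live while in table */
} route_t;
static route_t table[MAX_ROUTES];

/* Take a reference to the route for dest, cloning it on first use. */
route_t *rt_lookup(const char *dest) {
    route_t *slot = NULL;
    for (int i = 0; i < MAX_ROUTES; i++) {
        if (table[i].live && strcmp(table[i].dest, dest) == 0) {
            table[i].refcnt++;
            return &table[i];
        }
        if (!table[i].live && slot == NULL) slot = &table[i];
    }
    if (slot == NULL) return NULL;   /* table exhausted: the DoS outcome */
    snprintf(slot->dest, sizeof slot->dest, "%s", dest);
    slot->refcnt = 1;
    slot->live = 1;
    return slot;
}

/* Drop a reference; the entry leaves the table once nobody uses it. */
void rt_release(route_t *rt) {
    if (rt && rt->live && --rt->refcnt == 0) rt->live = 0;
}

/* Buggy path: the reference taken to send the reply is never dropped. */
void ip_output_buggy(const char *dest) { (void)rt_lookup(dest); }
/* Fixed path: every lookup is paired with a release. */
void ip_output_fixed(const char *dest) { rt_release(rt_lookup(dest)); }

/* Send n echo replies to distinct hosts; return how many entries remain. */
int replies_leave_routes(int buggy, int n) {
    char dest[16];
    int left = 0;
    memset(table, 0, sizeof table);
    for (int i = 0; i < n; i++) {
        snprintf(dest, sizeof dest, "10.0.0.%d", i + 1);  /* constructed hosts */
        if (buggy) ip_output_buggy(dest); else ip_output_fixed(dest);
    }
    for (int i = 0; i < MAX_ROUTES; i++) left += table[i].live;
    return left;
}
```

With the buggy path every reply pins one entry, so the table fills and stays full; with the fixed path the count returns to zero.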
From owner-freebsd-security-notifications Thu Apr 18 11:25:29 2002
Date: Thu, 18 Apr 2002 11:25:22 -0700 (PDT)
Message-Id: <200204181825.g3IIPMb78993@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:18.zlib [REVISED]

=============================================================================
FreeBSD-SA-02:18                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          zlib double-free

Category:       core, ports
Module:         zlib
Announced:      2002-03-18
Credits:        Matthias Clasen
                Owen Taylor
Affects:        All released versions of FreeBSD
                FreeBSD 4.5-STABLE prior to the correction date
                Various ports using or including zlib
Corrected:      2002-02-24 23:12:48 UTC (RELENG_4)
                2002-02-24 23:22:57 UTC (RELENG_4_5)
                2002-02-24 23:23:58 UTC (RELENG_4_4)
                2002-02-24 23:24:46 UTC (RELENG_4_3)
CVE:            CAN-2002-0059
FreeBSD only:   NO

0.   Revision History

v1.0  2002-04-20  Initial release
v1.1  2002-04-25  Corrected ZFREE location in kernel patch
                  Corrected deflate window size check

I.   Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II.  Problem Description

A programming error in zlib may cause segments of dynamically allocated
memory to be released more than once (double-freed).  If an attacker is
able to pass a specially-crafted block of invalid compressed data to a
program that includes zlib, the program's attempt to decompress the crafted
data may cause the zlib routines to attempt to free memory multiple times.

Unlike some implementations of malloc(3)/free(3), the malloc(3) and free(3)
routines used in FreeBSD (aka phkmalloc, written by Poul-Henning Kamp), are
not vulnerable to this type of bug.
From the author:

    Most mallocs keep their housekeeping data right next to the allocated
    range.  This gives rise to all sorts of unpleasant situations if
    programs stray outside the dotted line, free(3) things twice or free(3)
    modified pointers.  phkmalloc(3) does not store housekeeping next to
    allocated data, and in particular it has code that detects and
    complains about exactly this kind of double free.

When attempting to double-free an area of memory, phkmalloc will issue a
warning:

progname in free(): error: chunk is already free

and may call abort(3) if the malloc flag 'A' is used.

III. Impact

If an attacker is able to pass a specially-crafted block of invalid
compressed data to an application that utilizes zlib, the attempt to
decompress the data may cause incorrect operation of the application,
including possibly crashing the application.  Also, the malloc
implementation will issue warnings and, if the 'A' malloc option is used,
cause the application to abort(3).  In short, an attacker may cause a
denial of service in applications utilizing zlib.

IV.  Workaround

To prevent affected programs from aborting, remove the 'A' from the malloc
flags.  To check which malloc flags are in use, issue the following
commands:

# ls -l /etc/malloc.conf
# echo $MALLOC_OPTIONS

A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environment variable means
that no malloc flags are in use.  See the malloc(3) man page for more
information.

V.   Solution

[FreeBSD 4.x base system]

1) Upgrade your vulnerable system to 4.5-STABLE or to one of the RELENG_4_4
or RELENG_4_5 security branches dated after the respective correction
dates.
2) To patch your present system: download the relevant patch from the below
location, and execute the following commands as root:

For FreeBSD 4.x systems that have the previous zlib patch applied:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch.asc

For FreeBSD 4.x systems that do not have the previous zlib patch applied:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to all FreeBSD 4.x versions.

# cd /usr/src
# patch -p < /path/to/patch
# cd lib/libz
# make depend && make all install

Then rebuild and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the system
with the new kernel for the changes to take effect.

[ports]

Various ports may statically link zlib or contain their own versions of
zlib that have not been corrected by updating the FreeBSD libz.  Efforts
are underway to identify and correct these ports.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                      Branch       Revision
-------------------------------------------------------------------------
src/lib/libz/deflate.c    RELENG_4     1.5.2.1
                          RELENG_4_5   1.5.8.1
                          RELENG_4_4   1.5.6.1
                          RELENG_4_3   1.5.4.1
src/lib/libz/infblock.c   RELENG_4     1.1.1.4.6.1
                          RELENG_4_5   1.1.1.4.12.1
                          RELENG_4_4   1.1.1.4.10.1
                          RELENG_4_3   1.1.1.4.8.1
src/sys/net/zlib.c        RELENG_4     1.10.2.3
                          RELENG_4_5   1.10.8.2
                          RELENG_4_4   1.10.6.2
                          RELENG_4_3   1.10.4.2
-------------------------------------------------------------------------

VII. References

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to this issue.
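As an added example, not FreeBSD's or phkmalloc's code: a small allocator shim in the spirit of the out-of-band housekeeping that section II of SA-02:18 describes, which keeps its record of live blocks in a side table, refuses a second free() of the same block with a warning, and aborts instead when a flag modelled on malloc's 'A' option is set. Every function and variable name here is invented, and the 64-entry side table is a constructed limit.

```c
/* Added example, not FreeBSD or phkmalloc code: an allocator shim that keeps
 * its housekeeping in a side table, as section II says phkmalloc does, so a
 * second free() of the same block is detected.  All names are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_LIVE 64                   /* constructed limit on live blocks */

static void *live[MAX_LIVE];          /* out-of-band record of live blocks */
static int abort_on_error = 0;        /* models the malloc(3) 'A' flag */
static int double_frees = 0;          /* double frees caught so far */
void guarded_set_abort(int on) { abort_on_error = on; }
int  guarded_double_frees(void) { return double_frees; }

void *guarded_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                          /* no room in the side table */
    return NULL;
}

/* Returns 0 on success, -1 if p is not a live block (double or bogus free). */
int guarded_free(void *p) {
    if (p == NULL) return 0;          /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    double_frees++;
    fprintf(stderr, "guarded_free(): error: chunk is already free\n");
    if (abort_on_error) abort();      /* 'A' flag: stop instead of continuing */
    return -1;                        /* otherwise warn and carry on */
}

/* Normal use: a block released exactly once is accepted (returns 0). */
int simulate_single_free(void) {
    void *p = guarded_malloc(8);
    return p ? guarded_free(p) : -1;
}

/* The zlib-style mistake: one buffer released twice.  Returns the number
 * of frees the shim rejected, 1 when detection works. */
int simulate_double_free(void) {
    char *buf = guarded_malloc(32);
    if (buf == NULL) return -1;
    double_frees = 0;
    memcpy(buf, "crafted input", 14);  /* constructed stand-in for zlib data */
    guarded_free(buf);                 /* legitimate release */
    guarded_free(buf);                 /* the bug: released a second time */
    return double_frees;
}
```

With abort_on_error left at 0 the second release is reported and rejected, which is the warn-and-continue behaviour the workaround section relies on; setting it turns the same bug into the abort(3) the 'A' flag produces.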