From owner-freebsd-security@FreeBSD.ORG Mon Apr 11 13:45:36 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 37D6716A4CF;
    Mon, 11 Apr 2005 13:45:36 +0000 (GMT)
Received: from dirg.bris.ac.uk (dirg.bris.ac.uk [137.222.10.102])
    by mx1.FreeBSD.org (Postfix) with ESMTP id BED8743D46;
    Mon, 11 Apr 2005 13:45:35 +0000 (GMT)
    (envelope-from Jan.Grant@bristol.ac.uk)
Received: from mail.ilrt.bris.ac.uk ([137.222.16.62])
    by dirg.bris.ac.uk with esmtp (Exim 4.50) id 1DKzEK-0002DT-PG
    for freebsd-security@freebsd.org; Mon, 11 Apr 2005 14:45:34 +0100
Received: from cmjg (helo=localhost)
    by mail.ilrt.bris.ac.uk with local-esmtp (Exim 4.50) id 1DKzEJ-0006oD-Ue;
    Mon, 11 Apr 2005 14:45:32 +0100
Date: Mon, 11 Apr 2005 14:45:31 +0100 (BST)
From: Jan Grant
X-X-Sender: cmjg@mail.ilrt.bris.ac.uk
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Jan Grant
X-Spam-Score: -2.8
X-Spam-Level: --
Subject: /etc/rc.bsdextended: am I misunderstanding this..?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 11 Apr 2005 13:45:36 -0000

Can someone clear something up for me?

[[[
# For apache to read user files, the ruleadd must give
# it permissions by default.
####
${CMD} add subject uid 80 object not uid 80 mode rxws;
${CMD} add subject gid 80 object not gid 80 mode rxws;
]]]

Doesn't the above mean that an apache user (eg, user-supplied CGI
process, PHP script, etc) has the ability to read (and write!) anything
in the filesystem?

Similarly: mailnull, majordomo, bin, etc, appear to get "elevated"
privileges via this file and mac_bsdextended.

[[[
####
# For cyrus:
${CMD} add subject uid 60 object not uid 60 mode rxws;
${CMD} add subject gid 60 object not gid 60 mode rxws;
]]]

Cyrus is a "black box" mail server: the cyrus user normally winds up
owning anything that the IMAP server needs to touch.

[[[
# For the nobody account:
${CMD} add subject uid 65534 object not uid 65534 mode rxws;
${CMD} add subject gid 65534 object not gid 65534 mode rxws;
]]]

... and doesn't this (almost, no "a" flag) completely negate the point of
the nobody account in the first instance?

Not quite getting it,
jan

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 (with luck) http://ioctl.org/jan/
I shave with Occam's Razor.

From owner-freebsd-security@FreeBSD.ORG Mon Apr 11 15:37:08 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id BA41E16A4CE;
    Mon, 11 Apr 2005 15:37:08 +0000 (GMT)
Received: from mailhost.stack.nl (vaak.stack.nl [131.155.140.140])
    by mx1.FreeBSD.org (Postfix) with ESMTP id E810343D39;
    Mon, 11 Apr 2005 15:37:07 +0000 (GMT)
    (envelope-from jilles@stack.nl)
Received: from turtle.stack.nl (turtle.stack.nl [IPv6:2001:610:1108:5010::132])
    by mailhost.stack.nl (Postfix) with ESMTP id F22EA1F0C2;
    Mon, 11 Apr 2005 17:37:06 +0200 (CEST)
Received: by turtle.stack.nl (Postfix, from userid 1677)
    id DD0E91DAC1; Mon, 11 Apr 2005 17:37:06 +0200 (CEST)
Date: Mon, 11 Apr 2005 17:37:06 +0200
From: Jilles Tjoelker
To: Jan Grant
Message-ID: <20050411153706.GA62233@stack.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Operating-System: FreeBSD 5.3-RELEASE-p5 i386
User-Agent: Mutt/1.5.6i
cc: freebsd-security@freebsd.org
Subject: Re: /etc/rc.bsdextended: am I misunderstanding this..?
On Mon, Apr 11, 2005 at 02:45:31PM +0100, Jan Grant wrote:
> Can someone clear something up for me?

> [[[
> # For apache to read user files, the ruleadd must give
> # it permissions by default.
> ####
> ${CMD} add subject uid 80 object not uid 80 mode rxws;
> ${CMD} add subject gid 80 object not gid 80 mode rxws;
> ]]]

> Doesn't the above mean that an apache user (eg, user-supplied CGI
> process, PHP script, etc) has the ability to read (and write!) anything
> in the filesystem?

MAC restrictions apply in addition to normal restrictions, i.e. an access
is allowed only if both the normal filesystem permissions and ugidfw
permit it.

-- 
Jilles Tjoelker

From owner-freebsd-security@FreeBSD.ORG Tue Apr 12 21:33:31 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 36ED116A4CE;
    Tue, 12 Apr 2005 21:33:31 +0000 (GMT)
Received: from malasada.lava.net (malasada.lava.net [64.65.64.17])
    by mx1.FreeBSD.org (Postfix) with ESMTP id F0A4B43D46;
    Tue, 12 Apr 2005 21:33:30 +0000 (GMT)
    (envelope-from cliftonr@lava.net)
Received: by malasada.lava.net (Postfix, from userid 102)
    id 47107153882; Tue, 12 Apr 2005 11:33:30 -1000 (HST)
Date: Tue, 12 Apr 2005 11:33:30 -1000
From: Clifton Royston
To: freebsd-security@freebsd.org
Message-ID: <20050412213328.GC1953@lava.net>
Mail-Followup-To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2i
Subject: Will 5.4 be an "Extended Life" release?
In the next month or two I've got to upgrade a number of servers that
are currently on an EOL'd version of 4-STABLE.  I foresee that I'll
have very limited time to do full OS upgrades on these systems in the
coming several years, so I want to make sure I bring them onto an
extended-life branch.

Right now 4.11 has the furthest projected EOL date (Jan 31 2007), and
the projected EOL for 5.3 is several months sooner (Oct 31 2006)
according to

If 5.4 is expected to be an extended-life branch, I would consider
moving them up to 5.4 instead, to get a leap on current technology.
Has that decision been made yet?

  -- Clifton

-- 
    Clifton Royston  --  cliftonr@tikitechnologies.com
       Tiki Technologies Lead Programmer/Software Architect
"I'm gonna tell my son to grow up pretty as the grass is green
And whip-smart as the English Channel's wide..."
                                -- 'Whip-Smart', Liz Phair

From owner-freebsd-security@FreeBSD.ORG Tue Apr 12 22:08:32 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 321E316A4CE;
    Tue, 12 Apr 2005 22:08:32 +0000 (GMT)
Received: from pd4mo1so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10])
    by mx1.FreeBSD.org (Postfix) with ESMTP id CB9DE43D48;
    Tue, 12 Apr 2005 22:08:31 +0000 (GMT)
    (envelope-from cperciva@freebsd.org)
Received: from pd3mr8so.prod.shaw.ca (pd3mr8so-qfe3.prod.shaw.ca [10.0.141.24])2004))freebsd-security@freebsd.org; Tue, 12 Apr 2005 16:07:36 -0600 (MDT)
Received: from pn2ml1so.prod.shaw.ca ([10.0.121.145])
    by pd3mr8so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
    with ESMTP id <0IEU0042HTGOPU50@pd3mr8so.prod.shaw.ca>
    for freebsd-security@freebsd.org; Tue, 12 Apr 2005 16:07:36 -0600 (MDT)
Received: from [192.168.0.60] (S0106006067227a4a.vc.shawcable.net [24.87.209.6])
    by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003))
    freebsd-security@freebsd.org; Tue, 12 Apr 2005 16:07:36 -0600 (MDT)
Date: Tue, 12 Apr 2005 15:07:26 -0700
From: Colin Percival
In-reply-to: <20050412213328.GC1953@lava.net>
To: Clifton Royston
Message-id: <425C469E.3010400@freebsd.org>
MIME-version: 1.0
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7bit
X-Accept-Language: en-us, en
X-Enigmail-Version: 0.91.0.0
References: <20050412213328.GC1953@lava.net>
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050406)
cc: freebsd-security@freebsd.org
Subject: Re: Will 5.4 be an "Extended Life" release?
Clifton Royston wrote:
> In the next month or two I've got to upgrade a number of servers that
> are currently on an EOL'd version of 4-STABLE.  I foresee that I'll
> have very limited time to do full OS upgrades on these systems in the
> coming several years, so I want to make sure I bring them onto an
> extended-life branch.

My personal recommendation is to put them on FreeBSD 5.3 right now, and
to move up to 5.4 when it is released.  Minor version upgrades are really
easy in FreeBSD -- once I had downloaded the ISO image, it took me all of
five minutes to upgrade from FreeBSD 5.3 to 5.4-BETA1.  (I have detailed
instructions online on doing the 4.8->4.11 upgrade, and I'll put similar
instructions online about the 5.3->5.4 upgrade once 5.4 is released.)

> If 5.4 is expected to be an extended-life branch, I would consider
> moving them up to 5.4 instead, to get a leap on current technology.
> Has that decision been made yet?

No.  The decision will be made around a week after the release, when the
security team takes over the branch from the release engineering team.

That said, we're currently leaning towards not making 5.4 an extended
support branch -- but this will depend largely upon how many more releases
there are from the 5.x branch.  We are committed to providing extended
support for the last release from any major branch, so if you install 5.x
now and can perform minor-version upgrades (again, neither difficult nor
time consuming) then you can expect security support until at least the
second half of 2007.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Tue Apr 12 22:12:52 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id AC84B16A4CE;
    Tue, 12 Apr 2005 22:12:52 +0000 (GMT)
Received: from malasada.lava.net (malasada.lava.net [64.65.64.17])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 1A8B643D45;
    Tue, 12 Apr 2005 22:12:52 +0000 (GMT)
    (envelope-from cliftonr@lava.net)
Received: by malasada.lava.net (Postfix, from userid 102)
    id 67B4A153882; Tue, 12 Apr 2005 12:12:51 -1000 (HST)
Date: Tue, 12 Apr 2005 12:12:51 -1000
From: Clifton Royston
To: Colin Percival
Message-ID: <20050412221249.GF1953@lava.net>
Mail-Followup-To: Colin Percival, freebsd-security@freebsd.org
References: <20050412213328.GC1953@lava.net> <425C469E.3010400@freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <425C469E.3010400@freebsd.org>
User-Agent: Mutt/1.4.2i
cc: freebsd-security@freebsd.org
Subject: Re: Will 5.4 be an "Extended Life" release?

On Tue, Apr 12, 2005 at 03:07:26PM -0700, Colin Percival wrote:
> Clifton Royston wrote:
> > In the next month or two I've got to upgrade a number of servers that
> > are currently on an EOL'd version of 4-STABLE.  I foresee that I'll
> > have very limited time to do full OS upgrades on these systems in the
> > coming several years, so I want to make sure I bring them onto an
> > extended-life branch.
> 
> My personal recommendation is to put them on FreeBSD 5.3 right now, and
> to move up to 5.4 when it is released.  Minor version upgrades are really
> easy in FreeBSD -- once I had downloaded the ISO image, it took me all of
> five minutes to upgrade from FreeBSD 5.3 to 5.4-BETA1.  (I have detailed
> instructions online on doing the 4.8->4.11 upgrade, and I'll put similar
> instructions online about the 5.3->5.4 upgrade once 5.4 is released.)

Thanks very much for your prompt and well thought out response!  I think
I'll go with your recommendation.

  -- Clifton

-- 
    Clifton Royston  --  cliftonr@tikitechnologies.com
       Tiki Technologies Lead Programmer/Software Architect
"I'm gonna tell my son to grow up pretty as the grass is green
And whip-smart as the English Channel's wide..."
                                -- 'Whip-Smart', Liz Phair

From owner-freebsd-security@FreeBSD.ORG Fri Apr 15 01:58:07 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 354D516A4D0;
    Fri, 15 Apr 2005 01:58:07 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 0DBB243D5D;
    Fri, 15 Apr 2005 01:58:06 +0000 (GMT)
    (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1])
    by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j3F1w5U7068629;
    Fri, 15 Apr 2005 01:58:05 GMT
    (envelope-from security-advisories@freebsd.org)
Received: (from cperciva@localhost)
    by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j3F1w5J4068627;
    Fri, 15 Apr 2005 01:58:05 GMT
    (envelope-from security-advisories@freebsd.org)
Date: Fri, 15 Apr 2005 01:58:05 GMT
Message-Id: <200504150158.j3F1w5J4068627@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Precedence: bulk
Subject: FreeBSD Security Advisory FreeBSD-SA-05:04.ifconf
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:04.ifconf                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in ifconf()

Category:       core
Module:         sys_net
Announced:      2005-04-15
Credits:        Ilja van Sprundel
Affects:        All FreeBSD 4.x releases
                All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected:      2005-04-15 01:51:44 UTC (RELENG_5, 5.4-STABLE)
                2005-04-15 01:52:03 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-04-15 01:52:25 UTC (RELENG_5_3, 5.3-RELEASE-p9)
                2005-04-15 01:52:40 UTC (RELENG_4, 4.11-STABLE)
                2005-04-15 01:52:57 UTC (RELENG_4_11, 4.11-RELEASE-p3)
                2005-04-15 01:53:14 UTC (RELENG_4_10, 4.10-RELEASE-p8)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The SIOCGIFCONF ioctl allows a user process to ask the kernel to produce
a list of the existing network interfaces and copy it into a buffer
provided by the user process.

II.  Problem Description

In generating the list of network interfaces, the kernel writes into a
portion of a buffer without first zeroing it.  As a result, the prior
contents of the buffer will be disclosed to the calling process.

III. Impact

Up to 12 bytes of kernel memory may be disclosed to the user process.
Such memory might contain sensitive information, such as portions of the
file cache or terminal buffers.  This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way.  For example, a terminal buffer might include a user-entered
password.

IV.  Workaround

No known workaround.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf4.patch.asc

[FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/net/if.c                                              1.85.2.29
RELENG_4_11
  src/UPDATING                                              1.73.2.91.2.4
  src/sys/conf/newvers.sh                                   1.44.2.39.2.7
  src/sys/net/if.c                                          1.85.2.28.2.1
RELENG_4_10
  src/UPDATING                                              1.73.2.90.2.9
  src/sys/conf/newvers.sh                                  1.44.2.34.2.10
  src/sys/net/if.c                                          1.85.2.25.2.1
RELENG_5
  src/sys/net/if.c                                             1.199.2.15
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.3
  src/sys/net/if.c                                         1.199.2.14.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.12
  src/sys/conf/newvers.sh                                  1.62.2.15.2.14
  src/sys/net/if.c                                          1.199.2.7.2.3
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:04.ifconf.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFCXx8LFdaIBMps37IRAgEiAKCYfnAMPrVe72OPJMWtzMNrYmlPNgCfXRNe
RYDaRrNgFPGsFWTuVujelco=
=xLuH
-----END PGP SIGNATURE-----
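The advisory above describes the defect only in prose (a fixed-size field filled without first being zeroed, so prior buffer contents reach the caller). What follows is an added example, not the advisory's patch and not FreeBSD kernel code: a user-space model of that defect class next to the corrected pattern. The record layout, the 16-byte address slot, the 4-byte address and the "stale" marker byte are all constructed here; a real kernel buffer would hold whatever was last written there, which is simulated by pre-filling the record with the marker so the leak can be measured deterministically.

```c
/*
 * Added example (not the advisory's patch, not FreeBSD code): a fixed-size
 * field receives a shorter, variable-length value. Copying only the value's
 * bytes leaves the remainder of the field holding whatever was there before,
 * and that remainder is handed to the caller along with the entry.
 * Sizes and the marker byte are constructed for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN    16      /* fixed slot for an address (constructed size) */
#define STALE_MARKER 0xA5    /* stands in for prior contents of the buffer */

/* one entry of the kind copied out to user space */
struct entry {
    char          name[8];
    unsigned char addr_len;
    unsigned char addr[FIELD_LEN];
};

/* Defective pattern: only addr_len bytes of the slot are written, so the
 * remaining FIELD_LEN - addr_len bytes keep their previous contents. */
static void fill_entry_leaky(struct entry *e, const char *name,
                             const unsigned char *addr, size_t addr_len)
{
    snprintf(e->name, sizeof e->name, "%s", name);
    e->addr_len = (unsigned char)addr_len;
    memcpy(e->addr, addr, addr_len);
}

/* Corrected pattern: clear the whole entry before filling it, so the bytes
 * the caller is not meant to see are zero instead of leftover data. */
static void fill_entry_zeroed(struct entry *e, const char *name,
                              const unsigned char *addr, size_t addr_len)
{
    memset(e, 0, sizeof *e);
    snprintf(e->name, sizeof e->name, "%s", name);
    e->addr_len = (unsigned char)addr_len;
    memcpy(e->addr, addr, addr_len);
}

typedef void (*fill_fn)(struct entry *, const char *,
                        const unsigned char *, size_t);

/* Count the bytes of the address slot that still carry the stale marker
 * after filling: each one is data the caller should never have received.
 * With a 4-byte constructed address, FIELD_LEN - 4 = 12 bytes go unwritten. */
static size_t stale_bytes_after(fill_fn fill)
{
    static const unsigned char addr[4] = { 10, 0, 0, 1 };   /* constructed */
    struct entry e;
    size_t i, n = 0;

    memset(&e, STALE_MARKER, sizeof e);   /* simulate prior buffer contents */
    fill(&e, "lo0", addr, sizeof addr);
    for (i = 0; i < FIELD_LEN; i++)
        if (e.addr[i] == STALE_MARKER)
            n++;
    return n;
}

size_t leaked_bytes_leaky(void)  { return stale_bytes_after(fill_entry_leaky); }
size_t leaked_bytes_zeroed(void) { return stale_bytes_after(fill_entry_zeroed); }

int main(void)
{
    printf("leaky fill:  %zu stale bytes reach the caller\n", leaked_bytes_leaky());
    printf("zeroed fill: %zu stale bytes reach the caller\n", leaked_bytes_zeroed());
    return 0;
}
```

The design point is that the fix does not depend on knowing which bytes the copy skips: clearing the whole destination before any partial write makes the count zero for every address length, which is why "zero first, then fill" is the habit to look for when reviewing any copy-out path.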
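Returning to the /etc/rc.bsdextended thread earlier in this archive: Jilles Tjoelker's reply is that a ugidfw rule cannot grant anything the ordinary permission bits refuse, since an access must pass both layers. The following is an added example, not code from the thread, from rc.bsdextended, or from mac_bsdextended(4): a small model that evaluates the two apache rules Jan Grant quoted together with normal owner/group/other permission bits. The rule semantics are a deliberate simplification (the first rule whose subject and object clauses both match decides, and no matching rule means the MAC layer does not object), root is not special-cased, and the trailing catch-all deny rule, the credentials and the files are all constructed here.

```c
/*
 * Added example (not from the thread or from FreeBSD): ugidfw-style rules
 * combined with DAC permission bits. Rule evaluation is simplified and the
 * rule set, credentials and files are constructed for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* access kinds, named after the letters ugidfw prints in "mode rxws" */
enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4, ACC_STAT = 8 };

struct cred { unsigned uid, gid; };
struct file { unsigned uid, gid, perm; };            /* perm: e.g. 0644 */

/* one uid/gid clause of a rule: unset, "uid N", or "not uid N" */
struct idclause { bool set, negate; unsigned id; };

struct rule {
    struct idclause subj_uid, subj_gid, obj_uid, obj_gid;
    unsigned mode;                                   /* ACC_* bits permitted */
};

static bool clause_matches(const struct idclause *c, unsigned id)
{
    if (!c->set)
        return true;
    return (c->id == id) != c->negate;
}

/* Ordinary DAC: pick the owner/group/other triple and compare rwx bits.
 * ACC_STAT has no DAC counterpart here and is treated as always permitted. */
bool dac_permits(const struct cred *c, const struct file *f, unsigned want)
{
    unsigned shift = (c->uid == f->uid) ? 6 : (c->gid == f->gid) ? 3 : 0;
    unsigned have = (f->perm >> shift) & 7;
    unsigned need = 0;

    if (want & ACC_READ)  need |= 4;
    if (want & ACC_WRITE) need |= 2;
    if (want & ACC_EXEC)  need |= 1;
    return (have & need) == need;
}

/* Simplified ugidfw model: the first rule whose subject and object clauses
 * all match decides; it permits the access only if every requested bit is
 * in its mode. With no matching rule the MAC layer does not object. */
bool ugidfw_permits(const struct rule *rules, size_t n,
                    const struct cred *c, const struct file *f, unsigned want)
{
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (!clause_matches(&r->subj_uid, c->uid) || !clause_matches(&r->subj_gid, c->gid))
            continue;
        if (!clause_matches(&r->obj_uid, f->uid) || !clause_matches(&r->obj_gid, f->gid))
            continue;
        return (r->mode & want) == want;
    }
    return true;
}

/* The combination Jilles describes: both layers must agree. */
bool access_permitted(const struct rule *rules, size_t n,
                      const struct cred *c, const struct file *f, unsigned want)
{
    return dac_permits(c, f, want) && ugidfw_permits(rules, n, c, f, want);
}

#define UID(n)     { true, false, (n) }
#define NOT_UID(n) { true, true,  (n) }
#define ANY        { false, false, 0 }
#define RXWS       (ACC_READ | ACC_EXEC | ACC_WRITE | ACC_STAT)

/* Constructed rule set: the two apache rules quoted in the thread, then a
 * catch-all deny that is assumed here to stand in for a default-deny tail. */
static const struct rule apache_rules[] = {
    { UID(80),     ANY,     NOT_UID(80), ANY,         RXWS },  /* subject uid 80 object not uid 80 mode rxws */
    { ANY,         UID(80), ANY,         NOT_UID(80), RXWS },  /* subject gid 80 object not gid 80 mode rxws */
    { NOT_UID(0),  ANY,     NOT_UID(0),  ANY,         0    },  /* constructed: others get mode n */
};
#define NRULES (sizeof apache_rules / sizeof apache_rules[0])

/* constructed subjects and objects */
static const struct cred www   = { 80, 80 };
static const struct cred alice = { 1001, 1001 };
static const struct file root_conf   = { 0, 0, 0644 };        /* root-owned, world-readable */
static const struct file bob_page    = { 1002, 1002, 0644 };  /* a user's readable file */
static const struct file bob_scratch = { 1002, 1002, 0666 };  /* world-writable by mistake */

bool apache_reads_root_conf(void)   { return access_permitted(apache_rules, NRULES, &www,   &root_conf,   ACC_READ);  }
bool apache_writes_root_conf(void)  { return access_permitted(apache_rules, NRULES, &www,   &root_conf,   ACC_WRITE); }
bool apache_writes_bob_scratch(void){ return access_permitted(apache_rules, NRULES, &www,   &bob_scratch, ACC_WRITE); }
bool alice_reads_bob_page(void)     { return access_permitted(apache_rules, NRULES, &alice, &bob_page,    ACC_READ);  }
bool alice_reads_root_conf(void)    { return access_permitted(apache_rules, NRULES, &alice, &root_conf,   ACC_READ);  }

int main(void)
{
    printf("apache read  root_conf   (0644): %d\n", apache_reads_root_conf());    /* 1: both layers permit */
    printf("apache write root_conf   (0644): %d\n", apache_writes_root_conf());   /* 0: rule has 'w', DAC refuses */
    printf("apache write bob_scratch (0666): %d\n", apache_writes_bob_scratch()); /* 1: DAC is what permits this */
    printf("alice  read  bob_page    (0644): %d\n", alice_reads_bob_page());      /* 0: catch-all deny applies */
    printf("alice  read  root_conf   (0644): %d\n", alice_reads_root_conf());     /* 1: no rule matches */
    return 0;
}
```

The second scenario is the one Jan asked about: the rule's mode contains "w", yet apache still cannot write a root-owned 0644 file, because the rule only exempts uid 80 from the catch-all and DAC is evaluated regardless. The third scenario shows the other half of that point, which is why the rule is still worth reviewing: ugidfw in this configuration does not tighten anything for apache either, so a world-writable file is writable by a CGI process exactly as it would be without mac_bsdextended.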