To: freebsd-security@freebsd.org
From: Noah Silverman
Date: Mon, 17 Apr 2006 14:29:03 -0700
Subject: IPFW Problems?

Hi,

I have a system with a 4.11 Kernel.

Unless I'm doing something very wrong, there seems to be something odd
with ipfw.

Take the following rules:

ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
ipfw add 00499 deny log all from any to any in via bge0

In theory, this should allow in SSH and nothing else.

When I install this firewall configuration, I'm locked out of the box.
An inspection of the logs shows that rule 499 is being triggered by an
attempted incoming connection.

Can anybody help?

Also, would it be better to upgrade to ipfw2?? If so, how do I do that?

Thanks,

-N

To: freebsd-security@freebsd.org
From: Noah Silverman
Date: Mon, 17 Apr 2006 14:22:59 -0700
Subject: IPFW Problems

Hi,

I have a system with a 4.11 Kernel.

Unless I'm doing something very wrong, there seems to be something odd
with ipfw.

Take the following rules:

ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
ipfw add 00299 deny log all from any to any out via bge0
ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
ipfw add 00499 deny log all from any to any in via bge0

In theory, this should allow in SSH and nothing else.

When I install this firewall configuration, I'm locked out of the box.
An inspection of the logs shows that rule 499 is being triggered by an
attempted incoming connection.

Can anybody help?

Also, would it be better to upgrade to ipfw2?? If so, how do I do that?

Thanks,

-N

From: Charles Swiger
Date: Mon, 17 Apr 2006 18:29:13 -0400
To: Noah Silverman
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW Problems?

On Apr 17, 2006, at 5:29 PM, Noah Silverman wrote:
[ ...redirected to freebsd-questions... ]

> Take the following rules:
>
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>
> In theory, this should allow in SSH and nothing else.
>
> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being
> triggered by an attempted incoming connection.

You don't have a check-state rule anywhere, so you either need to add
one or a rule to pass established traffic to and from port 22.

> Can anybody help?
>
> Also, would it be better to upgrade to ipfw2?? If so, how do I do
> that?

Add:

    options IPFW2

...to your kernel config file and rebuild the kernel (and world also,
probably).

-- 
-Chuck

Date: Mon, 17 Apr 2006 17:45:28 -0700 (PDT)
From: "R. B. Riddick"
To: Noah Silverman, freebsd-security@freebsd.org
Subject: Re: IPFW Problems?

--- Noah Silverman wrote:
> Take the following rules:
> ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> ipfw add 00299 deny log all from any to any out via bge0
> ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> ipfw add 00499 deny log all from any to any in via bge0
>

I think rule 430 needs a keep-state, because u do not have a rule, that
allows out-going ssh packets for established tcp connections.
In addition to the before-mentioned "check-state" in the beginning u
would need a "keep-state" in rule 430...

> When I install this firewall configuration, I'm locked out of the
> box. An inspection of the logs shows that rule 499 is being
> triggered by an attempted incoming connection.
>

Hmm... That's strange... What about rule 299? There should be something
about rule 299 in the logs... Maybe I am wrong...

-Arne

Date: Tue, 18 Apr 2006 11:26:01 +0900 (JST)
From: Tod McQuillin
To: freeBSD List
Cc: freebsd-security@freebsd.org, Noah Silverman
Subject: Re: IPFW Problems?

On Mon, 17 Apr 2006, Charles Swiger wrote:

> Add:
>
>     options IPFW2
>
> ...to your kernel config file and rebuild the kernel (and world also,
> probably).

Yes, you need to rebuild the userland too, which means you also need
IPFW2=true in /etc/make.conf before you build world.

-- 
Tod

Date: Tue, 18 Apr 2006 12:28:58 +0300 (EEST)
From: Dmitry Pryanishnikov
To: Tod McQuillin
Cc: freebsd-security@freebsd.org, freeBSD List, Noah Silverman
Subject: Re: IPFW Problems?

Hello!

On Tue, 18 Apr 2006, Tod McQuillin wrote:
>> Add:
>>
>>     options IPFW2
>>
>> ...to your kernel config file and rebuild the kernel (and world also,
>> probably).
>
> Yes, you need to rebuild the userland too, which means you also need
> IPFW2=true in /etc/make.conf before you build world.

It's absolutely necessary, after installation of the new kernel with
'options IPFW2', to add 'IPFW2=true' in /etc/make.conf and
rebuild+reinstall _at least_ /sbin/ipfw, then /usr/lib/libalias.* and
/sbin/natd (which depends on libalias), e.g.

cd /usr/src/sbin/ipfw
make obj && make depend all install
cd /usr/src/lib/libalias
make obj && make depend all install
cd /usr/src/sbin/natd
make obj && make depend all install

(note that natd doesn't depend on IPFW2, but links against libalias which
does, so sequence libalias -> natd is critical). I haven't found other
parts of base OS in RELENG_4 which depend on IPFW2, though I can miss
something. Also every custom utility which utilizes must also be
recompiled with IPFW2 defined and rebuilt (and those using libalias must
be rebuilt).

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

Date: Wed, 19 Apr 2006 07:11:28 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-06:14.fpu

=============================================================================
FreeBSD-SA-06:14.fpu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          FPU information disclosure

Category:       core
Module:         sys
Announced:      2006-04-19
Credits:        Jan Beulich
Affects:        All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected:      2006-04-19 07:00:35 UTC (RELENG_6, 6.1-STABLE)
                2006-04-19 07:00:50 UTC (RELENG_6_1, 6.1-RELEASE)
                2006-04-19 07:01:12 UTC (RELENG_6_0, 6.0-RELEASE-p7)
                2006-04-19 07:01:30 UTC (RELENG_5, 5.5-STABLE)
                2006-04-19 07:01:53 UTC (RELENG_5_4, 5.4-RELEASE-p14)
                2006-04-19 07:02:23 UTC (RELENG_5_3, 5.3-RELEASE-p29)
                2006-04-19 07:02:43 UTC (RELENG_4, 4.11-STABLE)
                2006-04-19 07:03:01 UTC (RELENG_4_11, 4.11-RELEASE-p17)
                2006-04-19 07:03:14 UTC (RELENG_4_10, 4.10-RELEASE-p23)
CVE Name:       CVE-2006-1056

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The floating-point unit (FPU) of i386 and amd64 processors is derived from
the original 8087 floating-point co-processor.  As a result, the FPU
contains the same debugging registers FOP, FIP, and FDP which store the
opcode, instruction address, and data address of the instruction most
recently executed by the FPU.

On processors implementing the "SSE" instruction set, a new pair of
instructions fxsave/fxrstor replaces the earlier fsave/frstor pair used
for saving and restoring the FPU state.  These new instructions also save
and restore the contents of the additional registers used by SSE
instructions.

II.  Problem Description

On "7th generation" and "8th generation" processors manufactured by AMD,
including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64
FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do
not save and restore the FOP, FIP, and FDP registers unless the exception
summary bit (ES) in the x87 status word is set to 1, indicating that an
unmasked x87 exception has occurred.

This behaviour is consistent with documentation provided by AMD, but is
different from processors from other vendors, which save and restore the
FOP, FIP, and FDP registers regardless of the value of the ES bit.  As a
result of this discrepancy remaining unnoticed until now, the FreeBSD
kernel does not restore the contents of the FOP, FIP, and FDP registers
between context switches.

III. Impact

On affected processors, a local attacker can monitor the execution path
of a process which uses floating-point operations.  This may allow an
attacker to steal cryptographic keys or other sensitive information.

IV.  Workaround

No workaround is available, but systems which do not use AMD Athlon, Duron,
Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron
processors are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch.asc

[FreeBSD 5.x and 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_4
  src/sys/i386/isa/npx.c                                         1.80.2.4
RELENG_4_11
  src/UPDATING                                             1.73.2.91.2.18
  src/sys/conf/newvers.sh                                  1.44.2.39.2.21
  src/sys/i386/isa/npx.c                                    1.80.2.3.14.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.24
  src/sys/conf/newvers.sh                                  1.44.2.34.2.25
  src/sys/i386/isa/npx.c                                    1.80.2.3.12.1
RELENG_5
  src/sys/amd64/amd64/fpu.c                                     1.154.2.2
  src/sys/i386/isa/npx.c                                        1.152.2.4
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.23
  src/sys/conf/newvers.sh                                  1.62.2.18.2.19
  src/sys/amd64/amd64/fpu.c                                 1.154.2.1.2.1
  src/sys/i386/isa/npx.c                                    1.152.2.3.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.32
  src/sys/conf/newvers.sh                                  1.62.2.15.2.34
  src/sys/amd64/amd64/fpu.c                                     1.154.4.1
  src/sys/i386/isa/npx.c                                        1.152.4.1
RELENG_6
  src/sys/amd64/amd64/fpu.c                                     1.157.2.1
  src/sys/i386/isa/npx.c                                        1.162.2.2
RELENG_6_1
  src/UPDATING                                             1.416.2.22.2.1
  src/sys/conf/newvers.sh                                   1.69.2.11.2.1
  src/sys/amd64/amd64/fpu.c                                     1.157.6.1
  src/sys/i386/isa/npx.c                                    1.162.2.1.2.1
RELENG_6_0
  src/UPDATING                                             1.416.2.3.2.12
  src/sys/conf/newvers.sh                                    1.69.2.8.2.8
  src/sys/amd64/amd64/fpu.c                                     1.157.4.1
  src/sys/i386/isa/npx.c                                        1.162.4.1
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:14.fpu.asc

VIII. Acknowledgements

The FreeBSD Security Team would like to thank AMD, and Richard Brunner
specifically, for responding promptly to this issue and providing an
extensive response analyzing the problem.

Date: Wed, 19 Apr 2006 10:37:36 -0700
From: Colin Percival
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:14.fpu

FreeBSD Security Advisories wrote:
> FreeBSD-SA-06:14.fpu                                        Security Advisory
>                                                           The FreeBSD Project
> Topic:          FPU information disclosure

More details can be found in AMD's response at
http://security.freebsd.org/advisories/FreeBSD-SA-06:14-amd.txt

Colin Percival

To: freebsd-security@freebsd.org
From: Skye Poier
Date: Thu, 20 Apr 2006 13:49:01 -0700
Subject: Script to strip chroot passwd file

Hello BSDers,

I'm running Apache in a chroot jail with suPHP.  It needs an /etc/passwd
in the chroot so that suPHP can setuid to the owner of the PHP script,
but there's nothing that requires the passwords to be valid.

Does anyone have a script that strips passwords out of master.passwd,
sets all shells to nologin, etc and writes it to the chroot etc dir?
I've looked around but not found anything.  If it strips out certain UID
ranges, and watches the master file's modification time so it can be
run out of cron as well, even better!

If no such thing exists, I'll write one and share it with the group if
there's interest.

Thanks,

Skye

Date: Fri, 21 Apr 2006 12:08:46 +0200 (CEST)
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG
Subject: Re: Script to strip chroot passwd file

Skye Poier wrote:
 > I'm running Apache in a chroot jail with suPHP.
 > It needs an /etc/passwd in the chroot so that suPHP can setuid to the
 > owner of the PHP script, but there's nothing that requires the
 > passwords to be valid.
 >
 > Does anyone have a script that strips passwords out of master.passwd,
 > sets all shells to nologin, etc and writes it to the chroot etc dir?

That's pretty easy to do.

    ETCDIR=/your/chroot/etc
    SRCPWD=/etc/master.passwd
    DSTPWD=$ETCDIR/master.passwd
    # Field 2 is the password hash, field 10 the login shell.
    AWKCMD='{ $2="*"; $10="/usr/sbin/nologin"; print; }'
    awk -F: -v OFS=: "$AWKCMD" "$SRCPWD" > "$DSTPWD"
    pwd_mkdb -p -d "$ETCDIR" "$DSTPWD"

 > I've
 > looked around but not found anything.  If it strips out certain UID
 > ranges,

Just add a filter to the awk command, e.g. to get only UIDs
from 100 to 65000:

    AWKCMD='$3 >= 100 && $3 <= 65000 {$2="*"; $10="/usr/sbin/nologin"; print}'

 > and watches the master file's modification time so it can be
 > run out of cron as well, even better!

I think it's not a good idea to do such things out of cron.
I'd rather do it manually (immediately) whenever the master
file is changed.  But if you really want, it's not difficult
either.  Just wrap the awk and pwd_mkdb lines in an "if"
statement:

    ETCDIR=/your/chroot/etc
    SRCPWD=/etc/master.passwd
    DSTPWD=$ETCDIR/master.passwd
    # Rebuild on the first run (no copy yet) or when the master file is newer.
    if [ ! -e "$DSTPWD" ] || [ -n "$(find "$SRCPWD" -newer "$DSTPWD")" ]; then
        AWKCMD=...
        awk -F: -v OFS=: "$AWKCMD" "$SRCPWD" > "$DSTPWD"
        pwd_mkdb -p -d "$ETCDIR" "$DSTPWD"
    fi

 > If no such thing exists, I'll write one and share it with the group
 > if there's interest.

I guess the problem is that everybody wants or needs his
own special features, so everyone ends up writing his own
script anyway.  :-)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If you think C++ is not overly complicated, just what is a protected abstract virtual base pure virtual private destructor, and when was the last time you needed one?" -- Tom Cargil, C++ Journal From owner-freebsd-security@FreeBSD.ORG Fri Apr 21 22:02:19 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CE72F16A411; Fri, 21 Apr 2006 22:02:19 +0000 (UTC) (envelope-from wtsai@hifn.com) Received: from outbound2-cpk-R.bigfish.com (outbound-cpk.frontbridge.com [207.46.163.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6A25243D53; Fri, 21 Apr 2006 22:02:15 +0000 (GMT) (envelope-from wtsai@hifn.com) Received: from outbound2-cpk.bigfish.com (localhost.localdomain [127.0.0.1]) by outbound2-cpk-R.bigfish.com (Postfix) with ESMTP id B0C5B70A7AD; Fri, 21 Apr 2006 22:01:36 +0000 (UTC) Received: from mail27-cpk-R.bigfish.com (unknown [192.168.21.1]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by outbound2-cpk.bigfish.com (Postfix) with ESMTP id ABA9370A7AA; Fri, 21 Apr 2006 22:01:36 +0000 (UTC) Received: from mail27-cpk.bigfish.com (localhost.localdomain [127.0.0.1]) by mail27-cpk-R.bigfish.com (Postfix) with ESMTP id 5FCB1451D26; Fri, 21 Apr 2006 22:01:36 +0000 (UTC) X-BigFish: VP Received: by mail27-cpk (MessageSwitch) id 1145656896358187_1660; Fri, 21 Apr 2006 22:01:36 +0000 (UCT) Received: from sjcxch03.tbu.com (mailman1.hifn.com [208.10.194.50]) by mail27-cpk.bigfish.com (Postfix) with ESMTP id 2F9AD45128E; Fri, 21 Apr 2006 22:01:34 +0000 (UTC) Received: from sjcxch02.tbu.com ([192.168.1.250]) by sjcxch03.tbu.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 21 Apr 2006 15:01:32 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 
 quoted-printable
Date: Fri, 21 Apr 2006 15:01:31 -0700
From: "Winston Tsai"
Subject: Crypto hw acceleration for openssl

I got roughly the same performance results when I use the openssl speed
test with and without a hifn 7956 crypto card.

Here's what I did:
After the card is plugged in, kldload hifn; kldload cryptodev; I got the
message:

hifn0 mem 0xfc8f0000-0xfc8f7ffff, 0xfc8f0000-0xfc8f7ffff, 0xfc8f0000-0xfc8f7ffff irg 28 at device 3.0 on pci1
hifn0: Hifn 7956, rev 0, 32KB dram, pll=0x800

Then I ran:
Openssl speed des-cbc
And got the following result:

16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
43251.97k    44919.41k    45342.43k    45506.13k    45579.98k

Then I did kldunload hifn; kldunload cryptodev and ran the same test
again, and got

16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
43108.10k    44917.96k    45460.88k    45532.15k    45566.26k

Version of FreeBSD is 5.3-RELEASE. I believe both crypto and cryptodev
drivers are supported since v5.0.

My understanding is that openssl will detect the presence of an
accelerator card and use it (via \dev\crypto) instead of the crypto
library. Did I miss something here?
TIA,
Winston

From owner-freebsd-security@FreeBSD.ORG Sat Apr 22 13:08:13 2006
Message-ID: <444A2ABF.6030903@mac.com>
Date: Sat, 22 Apr 2006 09:08:15 -0400
From: Chuck Swiger
To: Winston Tsai
Cc: freebsd-security@freebsd.org, freebsd-drivers@freebsd.org
Reply-To: freebsd-drivers@freebsd.org
Subject: Re: Crypto hw acceleration for openssl

Hi, Winston--

Winston Tsai wrote:
[ ...followups set to just one group... ]
> Openssl speed des-cbc
> And got the following result:
> 16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
> 43251.97k    44919.41k    45342.43k    45506.13k    45579.98k
> Then I did kldunload hifn; kldunload cryptodev and ran the same test
> again, and got
> 16 bytes     64 bytes     256 bytes    1024 bytes   8192 bytes
> 43108.10k    44917.96k    45460.88k    45532.15k    45566.26k
>
> Version of FreeBSD is 5.3-RELEASE. I believe both crypto and cryptodev
> drivers are supported since v5.0.

You might need to try "openssl speed des-cbc -engine cryptodev" in order
to have OpenSSL actually try to use the HiFN crypto card. You might also
have to fiddle with openssl itself, since the openssl binary that ships
with the system seems to prefer to use the CPU even when you tell it to
use hardware via the /dev/crypto interface. [1]

Possibly "cd /usr/ports/security/openssl && make install" might give you
another openssl binary to try that would work better. Given the domain of
your email address, you might have better insight about how to improve
FreeBSD's support of HiFN hardware :-), and we would be happy to adapt any
such improvements.

--
-Chuck

[1]: I've heard rumors to the effect that the setup costs for accessing
the crypto hardware acceleration are fairly high and that using hardware
crypto is a win mostly only for big operations like 1024-bit RSA or DSA
key operations, that ~1GHz CPUs or faster tend to handle session-level
crypto (ie, your 48-/56-/128-bit DES or 3DES, or now perhaps 128/256-bit
AES) faster by themselves.
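
An added example, not part of either message: a small Python check that compares the two `openssl speed des-cbc` result rows quoted in this thread and reports whether they differ by more than run-to-run noise, which is how to tell that loading the hifn driver changed nothing. The function names and the 2% noise allowance are assumptions made for this illustration.

```python
import re

# Result rows copied from Winston's message (openssl reports 1000s of bytes/s).
BLOCK_SIZES = (16, 64, 256, 1024, 8192)
WITH_HIFN = "43251.97k 44919.41k 45342.43k 45506.13k 45579.98k"
WITHOUT_HIFN = "43108.10k 44917.96k 45460.88k 45532.15k 45566.26k"


def parse_row(row):
    """Parse one `openssl speed` result row into floats, one per block size."""
    values = [float(v) for v in re.findall(r"(\d+(?:\.\d+)?)k\b", row)]
    if len(values) != len(BLOCK_SIZES):
        raise ValueError(f"expected {len(BLOCK_SIZES)} columns, got {len(values)}")
    return values


def percent_delta(row_a, row_b):
    """Relative difference of row_a against row_b, in percent, per block size."""
    pairs = zip(BLOCK_SIZES, parse_row(row_a), parse_row(row_b))
    return {size: (a - b) / b * 100.0 for size, a, b in pairs}


def scaling_ratio(row):
    """Largest-block throughput divided by smallest-block throughput."""
    values = parse_row(row)
    return values[-1] / values[0]


def same_code_path(row_a, row_b, noise_pct=2.0):
    """True when no block size differs by more than noise_pct.

    noise_pct is an assumed run-to-run noise allowance, not an OpenSSL value.
    """
    return all(abs(d) <= noise_pct for d in percent_delta(row_a, row_b).values())


if __name__ == "__main__":
    for size, delta in percent_delta(WITH_HIFN, WITHOUT_HIFN).items():
        print(f"{size:>5} bytes: {delta:+.2f}%")
    print("same code path:", same_code_path(WITH_HIFN, WITHOUT_HIFN))
    print(f"8192/16 scaling with card loaded: {scaling_ratio(WITH_HIFN):.3f}")
```

Every block size differs by less than half a percent between the two runs. A fixed per-request cost of the kind footnote [1] describes would also pull the 16-byte figure well below the 8192-byte one, yet the ratio is about 1.05 in both runs.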