From: Michael Richards <michael@fastmail.ca>
To: freebsd-security@freebsd.org
Cc: lboehne@damogran.de
Date: Mon, 27 Nov 2006 16:07:56 +0000 (UTC)
Message-Id: <20061127160757.1DE97861514@mail.fastmail.ca>
Subject: Re: freebsd-security Digest, Vol 187, Issue 4

> [It's just a panic]
> I was so transfixed on Josh stating that the attacker could as well
> just mount a filesystem with suid root binaries and how that would be
> more useful than a buffer overflow in the filesystem driver. I totally
> missed the fact that we were talking about two bugs where the kernel
> deliberately called panic() ;).
>
> So in this case I'd agree that the panic() is undesirable, but not
> really a security issue.

In the past we have considered remote DOS type attacks to be a security
issue. In this case people discount it saying if the user has physical
access then it's game over anyway. Although not as serious as privilege
escalation bugs I would have to say that mounting a user's USB drive
shouldn't allow the system to crash. How about something to force a fsck
before allowing the mount? Would that always catch it?

-Michael


From: Alexander Leidinger <alexander@leidinger.net>
To: Michael Richards
Cc: freebsd-security@freebsd.org, lboehne@damogran.de
Date: Tue, 28 Nov 2006 17:38:17 +0100
Message-ID: <20061128173817.r4bbex3h7kkg4ok8@webmail.leidinger.net>
In-Reply-To: <20061127160757.1DE97861514@mail.fastmail.ca>
Subject: Re: freebsd-security Digest, Vol 187, Issue 4

Quoting Michael Richards (from Mon, 27 Nov 2006 16:07:56 +0000 (UTC)):

>> [It's just a panic]
>> I was so transfixed on Josh stating that the attacker could as well
>> just mount a filesystem with suid root binaries and how that would be
>> more useful than a buffer overflow in the filesystem driver. I totally
>> missed the fact that we were talking about two bugs where the kernel
>> deliberately called panic() ;).
>>
>> So in this case I'd agree that the panic() is undesirable, but not
>> really a security issue.
>
> In the past we have considered remote DOS type attacks to be a security
> issue. In this case people discount it saying if the user has physical
> access then it's game over anyway. Although not as serious as privilege

As you said, this is not a remote attack. A local DOS is not nice and
should be fixed if feasible, but is not something we typically give as
high a priority as major security problems.

> escalation bugs I would have to say that mounting a user's USB drive
> shouldn't allow the system to crash. How about something to force a fsck
> before allowing the mount? Would that always catch it?

Maybe you fail to see how large the problem is: no filesystem we have
so far has enough protections for this kind of problem. Doing a fsck
may be a solution for a lot of possible problems in such a case, but
- you don't want to force a fsck of a multi-GB USB harddisk, the user
  will run away to another OS until it is finished
- you shift the problem to a FS we don't have a fsck for (FAT comes
  to mind)

Bye,
Alexander.

-- 
Love -- the last of the serious diseases of childhood.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137


From: Sergey Matveychuk <sem@FreeBSD.org>
To: freebsd-security@freebsd.org
Cc: naddy@FreeBSD.org
Date: Tue, 28 Nov 2006 20:17:36 +0300
Message-ID: <456C6F30.2090904@FreeBSD.org>
Subject: GNU Tar vulnerability

Please, note: http://secunia.com/advisories/23115/

A port maintainer CC'ed.

-- 
Dixi.
Sem.


From: Josh Paetzel <josh@tcbug.org>
To: freebsd-security@freebsd.org
Cc: Sergey Matveychuk
Date: Tue, 28 Nov 2006 13:33:32 -0600
Message-Id: <200611281333.32259.josh@tcbug.org>
In-Reply-To: <456C6F30.2090904@FreeBSD.org>
Subject: Re: GNU Tar vulnerability

On Tuesday 28 November 2006 11:17, Sergey Matveychuk wrote:
> Please, note: http://secunia.com/advisories/23115/
>
> A port maintainer CC'ed.

This is one of those things where the impact is hard to determine
because the link doesn't really give much info. Ok, you can overwrite
arbitrary files.....ANY file? Or just files that the user running gtar
has write access to? If it's the first case then that's huge. If it's
the second case then who really cares.

-- 
Thanks,

Josh Paetzel


From: Sergey Matveychuk <sem@FreeBSD.org>
To: Josh Paetzel
Cc: freebsd-security@freebsd.org
Date: Tue, 28 Nov 2006 22:50:48 +0300
Message-ID: <456C9318.4070702@FreeBSD.org>
In-Reply-To: <200611281333.32259.josh@tcbug.org>
Subject: Re: GNU Tar vulnerability

Josh Paetzel wrote:
> On Tuesday 28 November 2006 11:17, Sergey Matveychuk wrote:
>> Please, note: http://secunia.com/advisories/23115/
>>
>> A port maintainer CC'ed.
>
> This is one of those things where the impact is hard to determine
> because the link doesn't really give much info. Ok, you can
> overwrite arbitrary files.....ANY file? Or just files that the user
> running gtar has write access to? If it's the first case then that's
> huge. If it's the second case then who really cares.
>

I'm sure it's the second case.
I think it should concern root mostly. But any user would dislike it
too if there is a chance of losing their .login, .bashrc etc.

An exploit is available on SecurityFocus.

-- 
Dixi.
Sem.


From: Josh Paetzel <josh@tcbug.org>
To: freebsd-security@freebsd.org
Cc: Sergey Matveychuk
Date: Tue, 28 Nov 2006 14:50:21 -0600
Message-Id: <200611281450.21471.josh@tcbug.org>
In-Reply-To: <456C9318.4070702@FreeBSD.org>
Subject: Re: GNU Tar vulnerability

On Tuesday 28 November 2006 13:50, Sergey Matveychuk wrote:
> Josh Paetzel wrote:
> > On Tuesday 28 November 2006 11:17, Sergey Matveychuk wrote:
> >> Please, note: http://secunia.com/advisories/23115/
> >>
> >> A port maintainer CC'ed.
> >
> > This is one of those things where the impact is hard to determine
> > because the link doesn't really give much info. Ok, you can
> > overwrite arbitrary files.....ANY file? Or just files that the
> > user running gtar has write access to? If it's the first case
> > then that's huge. If it's the second case then who really cares.
>
> I'm sure it's the second case.
> I think it should concern root mostly. But any user would dislike it
> too if there is a chance of losing their .login, .bashrc etc.
>
> An exploit is available on SecurityFocus.

hrmm....didn't really think this one through. I was looking at it from
the 'you have a local user who would want to root your box using this'
perspective. Looking at it from a different viewpoint, say, 'you have
someone who would like to do mean things from remote by providing you
with corrupt tar archives' puts a different spin on it altogether.

-- 
Thanks,

Josh Paetzel
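An added example, not from this thread and not GNU tar's code: a Python pre-extraction audit that lists the members of an untrusted archive which would land outside the extraction directory, including a file placed under a symlink that points at a home directory, which is how an archive reaches files like .login or .bashrc that the extracting user can write. The extraction root /extract and the archive contents are constructed for the example; this is a generic traversal check, not the specific defect in the advisory.

```python
import io
import posixpath
import tarfile

ROOT = "/extract"  # hypothetical extraction directory, used only for path arithmetic

def _escapes(path):
    """True if ROOT/path resolves outside ROOT (absolute name or '..' traversal)."""
    if posixpath.isabs(path):
        return True
    norm = posixpath.normpath(posixpath.join(ROOT, path))
    return not (norm == ROOT or norm.startswith(ROOT + "/"))

def _ancestors(name):
    d = posixpath.dirname(name)
    while d and d != ".":
        yield d
        d = posixpath.dirname(d)

def audit_tar(data):
    """(member, reason) pairs for entries writing outside ROOT; symlinks seen so far are kept so a later member under one is flagged."""
    findings, symlinks = [], {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            name = posixpath.normpath(m.name)
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction dir"))
            for anc in _ancestors(name):
                if anc in symlinks:
                    findings.append((m.name, "writes through symlink " + anc))
                    break
            if m.issym():
                symlinks[name] = m.linkname
                if _escapes(posixpath.join(posixpath.dirname(name), m.linkname)):
                    findings.append((m.name, "symlink target escapes extraction dir"))
    return findings

def build_sample():
    """Constructed in-memory archive: one benign file and three hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, data=b"", ftype=tarfile.REGTYPE, linkname=""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = ftype, linkname, len(data)
            tf.addfile(ti, io.BytesIO(data) if data else None)
        add("pkg/README", b"hello\n")
        add("../.bashrc", b"evil\n")                                       # '..' traversal
        add("pkg/home", ftype=tarfile.SYMTYPE, linkname="../../home/user")  # symlink out of ROOT
        add("pkg/home/.login", b"evil\n")                                  # file written through it
    return buf.getvalue()
```

Running audit_tar(build_sample()) reports the three hostile members and leaves pkg/README alone; an extractor that refuses archives with any finding never has to trust tar's own path handling.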