From owner-freebsd-security-notifications@FreeBSD.ORG Wed Dec 6 09:33:33 2006 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 822F716A47C; Wed, 6 Dec 2006 09:33:33 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6C7D943CD5; Wed, 6 Dec 2006 09:32:30 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB69XEEr083088; Wed, 6 Dec 2006 09:33:14 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB69XErN083086; Wed, 6 Dec 2006 09:33:14 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 6 Dec 2006 09:33:14 GMT Message-Id: <200612060933.kB69XErN083086@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:25.kmem X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Dec 2006 09:33:33 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:25.kmem Security Advisory The FreeBSD Project Topic: Kernel memory disclosure in firewire(4) Category: core Module: sys_dev Announced: 2006-12-06 Credits: Rodrigo Rubira Branco Affects: All FreeBSD releases. Corrected: 2006-12-06 09:13:51 UTC (RELENG_6, 6.2-STABLE) 2006-12-06 09:14:23 UTC (RELENG_6_2, 6.2-RC2) 2006-12-06 09:14:59 UTC (RELENG_6_1, 6.1-RELEASE-p11) 2006-12-06 09:15:40 UTC (RELENG_6_0, 6.0-RELEASE-p16) 2006-12-06 09:16:17 UTC (RELENG_5, 5.5-STABLE) 2006-12-06 09:16:41 UTC (RELENG_5_5, 5.5-RELEASE-p9) 2006-12-06 09:17:09 UTC (RELENG_4, 4.11-STABLE) 2006-12-06 09:18:02 UTC (RELENG_4_11, 4.11-RELEASE-p26) CVE Name: CVE-2006-6013 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The firewire(4) driver provides support for IEEE 1394 ("FireWire") interfaces. This driver provides some of its functionality via the ioctl(2) system call. II. Problem Description In the FW_GCROM ioctl, a signed integer comparison is used instead of an unsigned integer comparison when computing the length of a buffer to be copied from the kernel into the calling application. III. Impact A user in the "operator" group can read the contents of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password. IV. Workaround No workaround is available, but systems without IEEE 1394 ("FireWire") interfaces are not vulnerable. (Note that systems with IEEE 1394 interfaces are affected regardless of whether any devices are attached.) Note also that FreeBSD does not have any non-root users in the "operator" group by default; systems on which no users have been added to this group are therefore also not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, or RELENG_4_11 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.11, 5.5, 6.0, and 6.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-06:25/kmem.patch # fetch http://security.FreeBSD.org/patches/SA-06:25/kmem.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/sys/dev/firewire/fwdev.c 1.2.4.17 RELENG_4_11 src/UPDATING 1.73.2.91.2.27 src/sys/conf/newvers.sh 1.44.2.39.2.30 src/sys/dev/firewire/fwdev.c 1.2.4.16.4.1 RELENG_5 src/sys/dev/firewire/fwdev.c 1.44.2.2 RELENG_5_5 src/UPDATING 1.342.2.35.2.9 src/sys/conf/newvers.sh 1.62.2.21.2.11 src/sys/dev/firewire/fwdev.c 1.44.2.1.4.1 RELENG_6 src/sys/dev/firewire/fwdev.c 1.46.2.2 RELENG_6_2 src/UPDATING 1.416.2.29.2.1 src/sys/dev/firewire/fwdev.c 1.46.2.1.6.1 RELENG_6_1 src/UPDATING 1.416.2.22.2.13 src/sys/conf/newvers.sh 1.69.2.11.2.13 src/sys/dev/firewire/fwdev.c 1.46.2.1.4.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.21 src/sys/conf/newvers.sh 1.69.2.8.2.17 src/sys/dev/firewire/fwdev.c 1.46.2.1.2.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6013 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-06:25.kmem.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFFdo1QFdaIBMps37IRAj4vAJ4vzhNk4MBkhAxsmeIAA0UgnXXOwACfY+Oe WhWIJLjTgqq+T3ZpySyRCNo= =FbZj -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@FreeBSD.ORG Wed Dec 6 09:33:40 2006 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AB3B716A417; Wed, 6 Dec 2006 09:33:40 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0113D43D62; Wed, 6 Dec 2006 09:32:36 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB69XK84083130; Wed, 6 Dec 2006 09:33:20 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB69XK2P083128; Wed, 6 Dec 2006 09:33:20 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 6 Dec 2006 09:33:20 GMT Message-Id: <200612060933.kB69XK2P083128@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:26.gtar X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Dec 2006 09:33:40 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:26.gtar Security Advisory The FreeBSD Project Topic: gtar name mangling symlink vulnerability Category: contrib Module: contrib_tar Announced: 2006-12-06 Credits: Teemu Salmela Affects: FreeBSD 4.x and 5.x releases Corrected: 2006-12-06 09:16:17 UTC (RELENG_5, 5.5-STABLE) 2006-12-06 09:16:41 UTC (RELENG_5_5, 5.5-RELEASE-p9) 2006-12-06 09:17:09 UTC (RELENG_4, 4.11-STABLE) 2006-12-06 09:18:02 UTC (RELENG_4_11, 4.11-RELEASE-p26) CVE Name: CVE-2006-6097 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background GNU tar (gtar) is a utility to create and extract "tape archives", commonly known as tar files. GNU tar is included in FreeBSD 4.x as /usr/bin/tar, and in FreeBSD 5.x as /usr/bin/gtar. II. Problem Description Symlinks created using the "GNUTYPE_NAMES" tar extension can be absolute due to lack of proper sanity checks. III. Impact If an attacker can get a user to extract a specially crafted tar archive the attacker can overwrite arbitrary files with the permissions of the user running gtar. If file system permissions allow it, this may allow the attacker to overwrite important system file (if gtar is being run as root), or important user configuration files such as .tcshrc or .bashrc, which would allow the attacker to run arbitrary commands. IV. Workaround Use "bsdtar", which is the default tar implementation in FreeBSD 5.3 and higher. For FreeBSD 4.x, bsdtar is available in the FreeBSD Ports Collection as ports/archivers/libarchive. V. Solution NOTE: The solution described below causes GNU tar to exit with an error when handling an archive with GNUTYPE_NAMES entries. The FreeBSD Security Team does not consider this to be a significant regression, since GNUTYPE_NAMES has not been used for many years and is not supported by other archival software such as libarchive(3); but the original (insecure) behaviour can be retained by running GNU tar with the newly added --allow-name-mangling option. Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, or 5-STABLE, or to the RELENG_5_5 or RELENG_4_11 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.11 and 5.5 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-06:26/gtar.patch # fetch http://security.FreeBSD.org/patches/SA-06:26/gtar.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/gnu/usr.bin/tar # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/contrib/tar/src/common.h 1.2.2.2 src/contrib/tar/src/extract.c 1.4.2.4 src/contrib/tar/src/tar.c 1.2.2.3 RELENG_4_11 src/UPDATING 1.73.2.91.2.27 src/sys/conf/newvers.sh 1.44.2.39.2.30 src/contrib/tar/src/common.h 1.2.2.1.10.1 src/contrib/tar/src/extract.c 1.4.2.3.8.1 src/contrib/tar/src/tar.c 1.2.2.2.6.1 RELENG_5 src/contrib/tar/src/common.h 1.2.10.1 src/contrib/tar/src/extract.c 1.6.8.1 src/contrib/tar/src/tar.c 1.3.4.1 RELENG_5_5 src/UPDATING 1.342.2.35.2.9 src/sys/conf/newvers.sh 1.62.2.21.2.11 src/contrib/tar/src/common.h 1.2.22.1 src/contrib/tar/src/extract.c 1.6.20.1 src/contrib/tar/src/tar.c 1.3.16.1 - ------------------------------------------------------------------------- VII. References http://marc.theaimsgroup.com/?l=full-disclosure&m=116414883029517 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-06:26.gtar.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFFdo1YFdaIBMps37IRAsqUAKCFRV7yICNP8NyC/3+uHUTOKDrxWQCeIJ5a HsY0N8aR6FoEiFYV/y5fO4k= =0/ws -----END PGP SIGNATURE-----