From: Robert Johannes
Date: Mon, 26 Mar 2007 13:07:16 -0500 (CDT)
To: Tom Judge
Cc: freebsd-security@freebsd.org
Subject: Re: freebsd vpn server behind nat dsl router

On Thu, 15 Mar 2007, Tom Judge wrote:

> Robert Johannes wrote:
>>
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>>
>>
>> Ok, I have done quite a bit of work since my last email, but I still don't
>> see visible progress. I did rebuild world and the kernel with the NAT-T
>> patches/support that you recommended. I have been playing around with
>> ipsec etc.
>>
>> I have created an esp tunnel between my two sites, and I am sending some
>> ping traffic to the remote end, but the packets don't seem to get through.
>> Here's a snippet of what I see on tcpdump:
>>
>> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
>> length 64 (ipip-proto-4)
>> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
>> length 64 (ipip-proto-4)
>
> Firstly have you set your DSL routers up to nat the ipencap protocol back to
> your FreeBSD box? (IPencap is an IP payload protocol, not a TCP or UDP
> payload, so you will probably need a pretty advanced router to do this). The
> packets you see here are not protected by IPSEC they are just plain old
> IPENCAP packets. If they were IPSEC packets I would expect to see ESP as
> the protocol and not see the encapsulated packet header (Again when you get
> IPSEC working you are going to need to NAT these packets to your freebsd
> boxes.)

You are right that the dsl routers I have can't nat the ipencap protocol
(or perhaps I just don't know how to configure them to.) I have configured
them to do port forwarding of the 4500 port (NAT-T) to the freebsd vpn
servers, and that works because I can do a tcpdump on that port and see
traffic coming in from the internet, by simply telnetting to that port. So,
I don't have ipsec working. How do I debug ipsec to see where I am failing?

>> From what I can tell, the kernel knows that it is to send the ping request
>> from 192.168.1.254 to 192.168.0.254 through the tunnel mouths 190.41.95.135
>> and 201.240.165.191. But, there's no request from the other end. Doing a
>> tcpdump on the other side (192.168.0.254), nothing is coming in. I have
>> also done a ping from the latter machine to the former, but with exactly
>> the same problem. Nothing seems to get to the other end.
>>
>> The tunnel is not using racoon yet. I figure that I should be able to see
>> some traffic going back and forth before I use racoon to manage keys. The
>> tunnel was created by the following lines on one host, and reversed on the
>> other:
>>
>> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
>> esp/tunnel/190.41.95.135-201.240.151.15/require;
>> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
>> esp/tunnel/201.240.151.15-190.41.95.135/require;
>>
>> If anyone can shed some more light on this, I would appreciate it.
>>
>
> From what I can see your /etc/ipsec.conf should look like this:
>
> spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
> esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
> esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> These rules may be wrong but your tunnel seems to be an IP protocol 4 payload
> which is ipencap (see /etc/protocols).
>
> Hope this helps.

Yes, this helps me know where I am at. I don't have ipsec working, just
plain-old ipencap, which is what I am trying to by-pass to begin with
because my routers can't handle NATing ipencap. So, in order to get ipsec
and NAT-T working, which I did all the patch work to get NAT-T support, it
is not enough to have the above entries in /etc/ipsec.conf? What else do I
need to do? Must I configure racoon as well, otherwise ipsec doesn't work?
And if I do get ipsec working, how do I know, because I have not seen any
log entries related to ipsec, except for the ones at bootup

{WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
IPsec: Initialized Security Association Processing.}

Thanks for your responses.

robert

>
> Tom

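
Tom's criterion in the message above (ESP as the outer protocol, no readable inner header) can be applied mechanically to a capture. This is an added example, not code from the thread: the two ">>"-quoted records are the ipip lines from the message, the ESP, UDP-encap and isakmp records are constructed samples on documentation addresses, and all function names are illustrative.

```python
import re
from collections import Counter

# Constructed input. The two ">>"-quoted records are the ipip lines from the
# message above, pasted with their mail quoting and "\" wraps. The last three
# records are made-up samples on documentation addresses.
SAMPLE = r"""
>> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
>> length 64 (ipip-proto-4)
>> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
>> length 64 (ipip-proto-4)
14:10:01.000100 IP 198.51.100.7 > 203.0.113.9: ESP(spi=0x00001000,seq=0x1), length 116
14:10:02.000200 IP 198.51.100.7.4500 > 203.0.113.9.4500: UDP-encap: ESP(spi=0x00001000,seq=0x2), length 116
14:10:03.000300 IP 198.51.100.7.4500 > 203.0.113.9.4500: NONESP-encap: isakmp: phase 1 I ident
"""

QUOTE = re.compile(r"^(?:>\s*)+")            # leading mail quote markers
INNER = re.compile(r": IP (\S+) > (\S+): ")  # a readable inner IP header
PROTECTED = ("esp", "esp-udp-encap")


def records(text):
    """Join backslash-wrapped tcpdump lines into one record per packet."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = QUOTE.sub("", raw.strip())
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def inner_flow(record):
    """Return (src, dst) of an inner header tcpdump could read, else None."""
    m = INNER.search(record)
    return (m.group(1), m.group(2)) if m else None


def classify(record):
    """Name the outer encapsulation of one tcpdump record."""
    if "(ipip-proto-4)" in record or inner_flow(record):
        return "ipencap-cleartext"   # IP-in-IP: inner packet is visible
    if "UDP-encap: ESP(" in record:
        return "esp-udp-encap"       # NAT-T: ESP carried in UDP port 4500
    if "NONESP-encap: isakmp" in record:
        return "ike-natt"            # key exchange on 4500, not tunnel data
    if ": ESP(" in record:
        return "esp"                 # plain ESP, IP protocol 50
    return "other"


def summarize(recs):
    """Count records per encapsulation class."""
    return Counter(classify(r) for r in recs)


def verdict(counts):
    """Summarise whether tunnel traffic in the capture is protected."""
    protected = sum(counts[k] for k in PROTECTED)
    clear = counts["ipencap-cleartext"]
    if clear and protected:
        return "mixed"
    if clear:
        return "cleartext-tunnel"
    if protected:
        return "ipsec"
    return "no-tunnel-traffic"


if __name__ == "__main__":
    recs = records(SAMPLE)
    for r in recs:
        print(f"{classify(r):18} inner={inner_flow(r)}")
    # Only the two records taken from the thread:
    print("thread capture:", verdict(summarize(recs[:2])))
```

NAT-T carries ESP inside UDP port 4500 (RFC 3948), so the matching capture filter is `udp port 4500`; a telnet connection to that port exercises TCP only.
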
From: Thomas Vogt
Date: Thu, 29 Mar 2007 16:22:58 +0200
To: freebsd-security@freebsd.org
Subject: Integer underflow in the "file" program before 4.20

Hello

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
"Integer underflow in the file_printf function in the "file" program
before 4.20 allows user-assisted attackers to execute arbitrary code via
a file that triggers a heap-based buffer overflow."

Is FreeBSD 5.x/6.x affected too? It looks like the system has file 4.12. The
port has 4.20.

Regards,
Thomas

-- 
Terry Lambert: "It is not unix's job to stop you from shooting your foot.
If you so choose to do so, then it is UNIX's job to deliver Mr. Bullet to
Mr Foot in the most efficient way it knows."

From: Igor
Date: Thu, 29 Mar 2007 21:34:22 +0100
To: freebsd-security@freebsd.org
Subject: nx-bit and TPM

Hello,

I was looking through handbook and wikipedia and it appears FreeBSD
doesn't support hardware (nor software) nx bit.
There also doesn't seem to be any support for TPM (Trusted Platform Module).
I was wondering if it is due to a general lack of interest and/or personal
preference (gcc?) or are there other issues.
The reason I'm asking is I'm currently doing a MSc degree in Information
Security and was looking into optionally implementing both of the above for
FreeBSD as part of my thesis.
I would appreciate any input regarding usefulness of such thing.

Regards,
Igor.

From: des@des.no (Dag-Erling Smørgrav)
Date: Thu, 29 Mar 2007 23:36:24 +0200
To: Igor
Cc: freebsd-security@freebsd.org
Subject: Re: nx-bit and TPM

Igor writes:
> I was looking through handbook and wikipedia and it appears FreeBSD
> doesn't support hardware (nor software) nx bit.
> There also doesn't seem to be any support for TPM (Trusted Platform Module).

I believe NX support was never implemented because Intel's version of
AMD64 didn't support it. As for TPM, I don't see the point.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Chuck Swiger
Date: Thu, 29 Mar 2007 15:08:30 -0700
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Igor
Subject: Re: nx-bit and TPM

On Mar 29, 2007, at 2:36 PM, Dag-Erling Smørgrav wrote:
>> I was looking through handbook and wikipedia and it appears FreeBSD
>> doesn't support hardware (nor software) nx bit.
>> There also doesn't seem to be any support for TPM (Trusted
>> Platform Module).
>
> I believe NX support was never implemented because Intel's version of
> AMD64 didn't support it. As for TPM, I don't see the point.

Intel supports the same capability in newer revisions of their EM64T
CPUs, but they call it the "XD" bit instead (for eXecute Disabled).
There's a reasonable set of documentation here:

http://en.wikipedia.org/wiki/NX_bit#FreeBSD

-- 
-Chuck

From: Alexander Leidinger
Date: Fri, 30 Mar 2007 10:03:18 +0200
To: Dag-Erling Smørgrav
Cc: arch@freebsd.org, freebsd-security@freebsd.org, amd64@freebsd.org, Igor
Subject: Re: nx-bit and TPM

Quoting Dag-Erling Smørgrav (from Thu, 29 Mar 2007 23:36:24 +0200):

> Igor writes:
>> I was looking through handbook and wikipedia and it appears FreeBSD
>> doesn't support hardware (nor software) nx bit.
>> There also doesn't seem to be any support for TPM (Trusted Platform Module).
>
> I believe NX support was never implemented because Intel's version of
> AMD64 didn't support it. As for TPM, I don't see the point.

This should not stop us from using it on amd64 if available. I think one
of the problems was/is the lack of time/man-power. So if someone comes
up with a good (enough) implementation which works on our supported
hardware, I don't think it will be rejected.

Regarding TPM: there are good and bad uses for it. As our policy is to
provide possibilities and not to force policies on our users, I don't
see a reason why we will not incorporate good code regarding this. I
also think that we don't have it, as nobody needed it or wasn't
allowed to contribute code.

But all this is better suited for arch@ I think (or maybe amd64@ in
case of NX).

Bye,
Alexander.

-- 
"If a camel flies, no one laughs if it doesn't get very far."
		-- Paul White
http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org    netchild @ FreeBSD.org  : PGP ID = 72077137

From: "Simon L. Nielsen"
Date: Sat, 31 Mar 2007 07:41:04 +0200
To: Thomas Vogt
Cc: freebsd-security@freebsd.org
Subject: Re: Integer underflow in the "file" program before 4.20

On 2007.03.29 16:22:58 +0200, Thomas Vogt wrote:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
> "Integer underflow in the file_printf function in the "file" program
> before 4.20 allows user-assisted attackers to execute arbitrary code via
> a file that triggers a heap-based buffer overflow."
>
> Is FreeBSD 5.x/6.x affected too? It looks like the system has file 4.12. The
> port has 4.20.

Hey,

While I haven't confirmed FreeBSD is vulnerable, I assume that is the
case. In any case, we (The FreeBSD Security Team) are working on this
issue.

-- 
Simon L. Nielsen
FreeBSD Security Team

From: Gabor Kovesdan
Date: Sat, 31 Mar 2007 07:52:48 +0200
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, Thomas Vogt
Subject: Re: Integer underflow in the "file" program before 4.20

Simon L. Nielsen wrote:
> On 2007.03.29 16:22:58 +0200, Thomas Vogt wrote:
>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
>> "Integer underflow in the file_printf function in the "file" program
>> before 4.20 allows user-assisted attackers to execute arbitrary code via
>> a file that triggers a heap-based buffer overflow."
>>
>> Is FreeBSD 5.x/6.x affected too? It looks like the system has file 4.12. The
>> port has 4.20.
>>
>
> Hey,
>
> While I haven't confirmed FreeBSD is vulnerable, I assume that is the
> case. In any case, we (The FreeBSD Security Team) are working on this
> issue.
>

In any case, I'd also be happy to see the base file upgraded, since the
current one has some known issues. E.g. it coredumps sometimes when used
from amavisd-new, while the newer version from ports works well.

Gabor