From owner-freebsd-security@FreeBSD.ORG Wed Jul 29 00:48:35 2009
Date: Wed, 29 Jul 2009 00:48:35 GMT
Message-Id: <200907290048.n6T0mZnk001216@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-09:12.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:12.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND named(8) dynamic update message remote DoS

Category:       contrib
Module:         bind
Announced:      2009-07-29
Credits:        Matthias Urlichs
Affects:        All supported versions of FreeBSD
Corrected:      2009-07-28 23:59:22 UTC (RELENG_7, 7.2-STABLE)
                2009-07-29 00:14:14 UTC (RELENG_7_2, 7.2-RELEASE-p3)
                2009-07-29 00:14:14 UTC (RELENG_7_1, 7.1-RELEASE-p7)
                2009-07-29 00:13:47 UTC (RELENG_6, 6.4-STABLE)
                2009-07-29 00:14:14 UTC (RELENG_6_4, 6.4-RELEASE-p6)
                2009-07-29 00:14:14 UTC (RELENG_6_3, 6.3-RELEASE-p12)
CVE Name:       CVE-2009-0696

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit http://security.FreeBSD.org/.

NOTE: Due to this issue being accidentally disclosed early, updated
binaries are not yet available via freebsd-update at the time this
advisory is being published.  Email will be sent to the
freebsd-security mailing list when the binaries are available via
freebsd-update.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

Dynamic update messages may be used to update records in a master zone
on a nameserver.

II.  Problem Description

When named(8) receives a specially crafted dynamic update message, an
internal assertion check is triggered, which causes named(8) to exit.

To trigger the problem, the dynamic update message must contain a
record of type "ANY", and at least one resource record set (RRset) for
this fully qualified domain name (FQDN) must exist on the server.

III. Impact

An attacker who can send DNS requests to a nameserver can cause it to
exit, thus creating a Denial of Service situation.

IV.  Workaround

No generally applicable workaround is available, but some firewalls may
be able to prevent nsupdate DNS packets from reaching the nameserver.

NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT
sufficient to protect it from this vulnerability.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/bind9/bin/named/update.c                            1.1.1.2.2.5
RELENG_6_4
  src/UPDATING                                                1.416.2.40.2.10
  src/sys/conf/newvers.sh                                      1.69.2.18.2.12
  src/contrib/bind9/bin/named/update.c                        1.1.1.2.2.3.2.1
RELENG_6_3
  src/UPDATING                                                1.416.2.37.2.17
  src/sys/conf/newvers.sh                                      1.69.2.15.2.16
  src/contrib/bind9/bin/named/update.c                        1.1.1.2.2.2.2.1
RELENG_7
  src/contrib/bind9/bin/named/update.c                            1.1.1.5.2.3
RELENG_7_2
  src/UPDATING                                                 1.507.2.23.2.6
  src/sys/conf/newvers.sh                                       1.72.2.11.2.7
  src/contrib/bind9/bin/named/update.c                        1.1.1.5.2.2.2.1
RELENG_7_1
  src/UPDATING                                                1.507.2.13.2.10
  src/sys/conf/newvers.sh                                       1.72.2.9.2.11
  src/contrib/bind9/bin/named/update.c                        1.1.1.5.2.1.4.1
HEAD
  src/contrib/bind9/bin/named/update.c                                    1.4
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
head/                                                             r195936
stable/6/                                                         r195934
releng/6.4/                                                       r195935
releng/6.3/                                                       r195935
stable/7/                                                         r195933
releng/7.2/                                                       r195935
releng/7.1/                                                       r195935
- -------------------------------------------------------------------------

VII. References

https://www.isc.org/node/474
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:12.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFKb5koFdaIBMps37IRAglLAKCFGXI+MAsksnK5TZB/8L3UFhPS1gCgl7q5
6fCpOeBcf7f83dVfKRDVF0I=
=akJW
-----END PGP SIGNATURE-----
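As an added illustration of the trigger shape in section II and the firewall note in section IV (this is example code written for this page, not part of the advisory and not BIND's code), here is a small C inspector that parses a DNS message just far enough to say whether it is a dynamic update (opcode 5, RFC 2136) and whether any record in its prerequisite or update sections has TYPE ANY. Everything in it is constructed: build_sample_update() encodes an update for the zone example.com that deletes all RRsets of host.example.com, which is the ordinary RFC 2136 way a TYPE ANY record appears in an update, and the zone, host and function names are the example's own assumptions. It does not attempt to reproduce the crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_OPCODE_UPDATE 5    /* RFC 2136 */
#define DNS_TYPE_ANY      255  /* TYPE and CLASS "ANY" share the value 255 */

/* What a filter needs to know about one DNS message. */
struct update_info {
    int is_update;     /* header opcode is UPDATE */
    int any_type_rrs;  /* RRs of TYPE ANY in the prerequisite and update sections */
    int truncated;     /* message ended before the sections its header announced */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *b, size_t off, uint16_t v) { b[off] = (uint8_t)(v >> 8); b[off + 1] = (uint8_t)v; }

/* Skip one wire-format name at off; returns the offset after it, 0 on error. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0) return off + 1;
        if ((l & 0xC0) == 0xC0) return (off + 2 <= len) ? off + 2 : 0; /* compression pointer */
        if (l & 0xC0) return 0;                                         /* reserved label types */
        off += 1 + l;
    }
    return 0;
}

/* Classify one message: 0 on success, -1 if it is malformed or cut short. */
int inspect_update(const uint8_t *m, size_t len, struct update_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 12) return -1;
    out->is_update = ((m[2] >> 3) & 0x0F) == DNS_OPCODE_UPDATE;
    if (!out->is_update) return 0;           /* ordinary query/response: nothing to check */
    unsigned zocount = rd16(m + 4), rrcount = rd16(m + 6) + rd16(m + 8);
    size_t off = 12;
    for (unsigned i = 0; i < zocount; i++) { /* zone section: name, type, class */
        if ((off = skip_name(m, len, off)) == 0 || off + 4 > len) goto cut;
        off += 4;
    }
    for (unsigned i = 0; i < rrcount; i++) { /* prerequisite and update RRs */
        if ((off = skip_name(m, len, off)) == 0 || off + 10 > len) goto cut;
        uint16_t type = rd16(m + off), rdlen = rd16(m + off + 8);
        if ((off += 10) + rdlen > len) goto cut;
        off += rdlen;
        if (type == DNS_TYPE_ANY) out->any_type_rrs++;
    }
    return 0;
cut:
    out->truncated = 1; return -1;
}

/* ---- constructed sample below: a minimal encoder, not captured traffic ---- */
static size_t put_name(uint8_t *b, size_t off, const char *name) /* "host.example.com" */
{
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);
        b[off++] = (uint8_t)l;
        memcpy(b + off, name, l);
        off += l;
        name += l + (dot != NULL);
    }
    b[off++] = 0;
    return off;
}

/* UPDATE for zone example.com with one update RR "host.example.com. 0 ANY ANY"
 * (RFC 2136 "delete all RRsets of a name"); returns the message length, 57. */
size_t build_sample_update(uint8_t *b)
{
    memset(b, 0, 12);
    wr16(b, 0, 0x1234);                      /* ID */
    b[2] = DNS_OPCODE_UPDATE << 3;           /* QR=0, opcode=5, no flags */
    wr16(b, 4, 1); wr16(b, 8, 1);            /* ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0 */
    size_t off = put_name(b, 12, "example.com");
    wr16(b, off, 6); wr16(b, off + 2, 1);    /* SOA IN */
    off = put_name(b, off + 4, "host.example.com");
    wr16(b, off, DNS_TYPE_ANY); wr16(b, off + 2, DNS_TYPE_ANY); /* TYPE ANY, CLASS ANY */
    memset(b + off + 4, 0, 6);               /* TTL=0, RDLENGTH=0 */
    return off + 10;
}

/* Builds the sample, rewrites its opcode and cuts it to `cut` bytes (0 = whole);
 * returns 1 = update carrying TYPE ANY, 0 = not an update, -1 = malformed. */
int sample_flagged(int opcode, size_t cut)
{
    uint8_t b[512];
    size_t n = build_sample_update(b);
    struct update_info u;
    b[2] = (uint8_t)(opcode << 3);
    if (inspect_update(b, cut ? cut : n, &u) != 0) return -1;
    return u.is_update && u.any_type_rrs > 0;
}

int main(void)
{
    printf("update with TYPE ANY: %d  plain query: %d  cut at 30 bytes: %d\n",
           sample_flagged(DNS_OPCODE_UPDATE, 0), sample_flagged(0, 0),
           sample_flagged(DNS_OPCODE_UPDATE, 30));
    return 0;
}
```

A check like this only separates update traffic carrying TYPE ANY from everything else; a legitimate `nsupdate` "update delete host.example.com" produces exactly the same record, so it is a filter for servers that should not be receiving updates at all (the advisory's workaround), not a way to tell good updates from bad. It inspects a single UDP payload; over TCP the message is prefixed with a two-byte length and may be split across segments, so it would need reassembly first.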
From owner-freebsd-security@FreeBSD.ORG Wed Jul 29 16:34:30 2009
Message-ID: <4A707A16.5080309@freebsd.org>
Date: Wed, 29 Jul 2009 09:34:30 -0700
From: FreeBSD Security Officer
Organization: FreeBSD Project
To: freebsd security
Reply-To: security-officer@freebsd.org
Subject: FreeBSD Update bits for FreeBSD-SA-09:12.bind

Hi all,

The freebsd-update bits for FreeBSD-SA-09:12.bind are now on the mirrors for
systems running FreeBSD/{i386, amd64} {6.3, 6.4, 7.1, 7.2}-RELEASE.  The bits
for 8.0-BETA{1, 2} are still building and will be up later today.

Sorry about the delay -- it takes approximately 24 hours to build all of the
bits on the hardware we're currently using, and as the advisory mentioned,
this issue was accidentally disclosed early, so we didn't have a chance to
build all the freebsd-update bits ahead of time.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
From owner-freebsd-security@FreeBSD.ORG Thu Jul 30 06:53:11 2009
Message-ID: <4A714356.8060705@freebsd.org>
Date: Wed, 29 Jul 2009 23:53:10 -0700
From: FreeBSD Security Officer
Organization: FreeBSD Project
To: freebsd security
Cc: security-officer@freebsd.org
In-Reply-To: <4A707A16.5080309@freebsd.org>
Reply-To: security-officer@freebsd.org
Subject: Re: FreeBSD Update bits for FreeBSD-SA-09:12.bind

I wrote:
> The freebsd-update bits for FreeBSD-SA-09:12.bind are now on the mirrors for
> systems running FreeBSD/{i386, amd64} {6.3, 6.4, 7.1, 7.2}-RELEASE.  The bits
> for 8.0-BETA{1, 2} are still building and will be up later today.

The bits for 8.0-BETA{1, 2} are now on the freebsd-update mirrors, too.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
From owner-freebsd-security@FreeBSD.ORG Thu Jul 30 15:15:04 2009
Date: Thu, 30 Jul 2009 07:58:17 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
Message-Id: <20090730145817.C45772B2157@mx5.roble.com>
In-Reply-To: <20090730120034.CD75610656CE@hub.freebsd.org>
Subject: DNS probe sources

These source addresses are likely spoofed, but am still curious whether
other FreeBSD admins saw a preponderance of DNS probes originating from
Microsoft corp subnets ahead of the recent ISC bind vulnerability
announcement?

Roger Marquis

Jul 28 16:51:23 PDT named[...]: client 94.245.67.253#10546: query (cache) 'output.txt/A/IN' denied
Jul 28 16:51:23 PDT named[...]: client 94.245.67.253#10543: query (cache) 'output.txt/A/IN' denied
Jul 28 16:51:18 PDT named[...]: client 94.245.67.253#10546: query (cache) 'output.txt/A/IN' denied
Jul 28 16:51:18 PDT named[...]: client 94.245.67.253#10543: query (cache) 'output.txt/A/IN' denied
Jul 28 16:51:13 PDT named[...]: client 94.245.67.253#10546: query (cache) 'output.txt/A/IN' denied
Jul 28 16:51:13 PDT named[...]: client 94.245.67.253#10543: query (cache) 'output.txt/A/IN' denied
Jul 28 16:51:08 PDT named[...]: client 94.245.67.253#10370: query (cache) '>/A/IN' denied
Jul 28 16:51:08 PDT named[...]: client 94.245.67.253#10366: query (cache) '>/A/IN' denied
Jul 28 16:51:03 PDT named[...]: client 94.245.67.253#10370: query (cache) '>/A/IN' denied
Jul 28 16:51:03 PDT named[...]: client 94.245.67.253#10366: query (cache) '>/A/IN' denied
Jul 28 16:50:58 PDT named[...]: client 94.245.67.253#10370: query (cache) '>/A/IN' denied
Jul 28 16:50:58 PDT named[...]: client 94.245.67.253#10366: query (cache) '>/A/IN' denied
Jul 28 07:25:45 PDT named[...]: client 207.46.57.240#37973: query (cache) 'output.txt/A/IN' denied
Jul 28 07:25:45 PDT named[...]: client 207.46.57.240#37959: query (cache) '>/A/IN' denied
...
Jul 27 23:24:47 PDT named[...]: client 94.245.67.253#55561: query (cache) 'output.txt/A/IN' denied
Jul 27 23:24:32 PDT named[...]: client 94.245.67.253#55354: query (cache) '>/A/IN' denied
Jul 27 15:10:33 PDT named[...]: client 207.46.57.240#17255: query (cache) 'output.txt/A/IN' denied
Jul 27 15:10:33 PDT named[...]: client 207.46.57.240#17242: query (cache) '>/A/IN' denied
...
Jul 24 07:21:22 PDT named[...]: client 94.245.67.253#15828: query (cache) 'output.txt/A/IN' denied
Jul 24 07:21:07 PDT named[...]: client 94.245.67.253#15637: query (cache) '>/A/IN' denied
Jul 24 06:10:30 PDT named[...]: client 207.46.57.240#59717: query (cache) 'output.txt/A/IN' denied
Jul 24 06:10:30 PDT named[...]: client 207.46.57.240#59707: query (cache) '>/A/IN' denied
...
From owner-freebsd-security@FreeBSD.ORG Thu Jul 30 22:02:03 2009
Date: Thu, 30 Jul 2009 17:35:20 -0400
From: Brian Reichert
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Message-ID: <20090730213520.GC2506@numachi.com>
In-Reply-To: <20090730145817.C45772B2157@mx5.roble.com>
Subject: Re: DNS probe sources

On Thu, Jul 30, 2009 at 07:58:17AM -0700, Roger Marquis wrote:
> These source addresses are likely spoofed, but am still curious whether
> other FreeBSD admins saw a preponderance of DNS probes originating from
> Microsoft corp subnets ahead of the recent ISC bind vulnerability
> announcement?

Running djbdns here...

> 
> Roger Marquis
> 

-- 
Brian Reichert
55 Crystal Ave. #286                    Daytime number: (603) 434-6842
Derry NH 03038-1725 USA                 BSD admin/developer at large
From owner-freebsd-security@FreeBSD.ORG Thu Jul 30 23:51:28 2009
Message-ID: <4A7231A1.2050104@delphij.net>
Date: Thu, 30 Jul 2009 16:49:53 -0700
From: Xin LI
Organization: The FreeBSD Project
To: rea-fbsd@codelabs.ru
Cc: rrl, freebsd-security@freebsd.org, d@delphij.net
References: <20090708193339.GA4836@minerva.freedsl.mg> <4A553080.5060205@delphij.net> <4A553458.70005@delphij.net>
Reply-To: d@delphij.net
Subject: Re: gzip memory corruption

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, Eygene,

Eygene Ryabinkin wrote:
[...]
> But the place with the memcpy() should be patched too.  Two reasons:
> 
>  - suffix could not (yet) overflow PATH_MAX, but filename + suffix --
>    can;
> 
>  - I am really worried about the usage of memcpy with underflow;
>    I had tried to study the reasons for it via NetBSD CVS, but
>    it just appeared one day and the reason for going to
>    'outfile - suffixes[0].ziplen - 1' (with .gz its outfile - 4)
>    are unknown; I am still taking this as the programming error.
> 
> So, unless you know why we're underflowing the passed pointer,
> the memcpy block should be patched too, for future safety and
> code correctness.

Sorry for the late response.  I am busy recently.

After carefully investigating the code, I have the following
observations:

 - The usage of memcpy() here is wrong.  It's definitely a bug.
 - The intention of it seems to be to make a pathname that fits into
   MAXPATHLEN, say, if we have /very/long/name which makes
   /very/long/name.gz longer than MAXPATHLEN, it might truncate it
   into, i.e. /very/long/n.gz instead.

I feel really uncomfortable for the latter case, we should stop for
that case instead of proceeding further.

Having checked with GNU's gzip, it looks like they arbitrarily set an
upper limit of the suffix length to 30.  This is unrelated to the
memcpy bug but let's address it here as well.  My revised patch would
make the memcpy into a fatal errx, and reduce the allowed suffix length
to 30 to match GNU behavior.

Please let me know if this version looks better, I'll propose it to re@
and commit if they approve it.

Cheers,
- -- 
Xin LI	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAkpyMaAACgkQi+vbBBjt66DLngCgv+VoeLsZN1NM5qFHX5hc0lPM
5WgAnjTeMukfn8akGrDpz8ozDDG/7AdV
=7ywC
-----END PGP SIGNATURE-----

Content-Disposition: inline; filename="gzip.c-S-underflow.diff"

Index: gzip.c
===================================================================
--- gzip.c      (revision 195945)
+++ gzip.c      (working copy)
@@ -150,6 +150,8 @@
 };
 #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])
 
+#define SUFFIX_MAXLEN 30
+
 static const char gzip_version[] = "FreeBSD gzip 20090621";
 
 #ifndef SMALL
@@ -372,6 +374,8 @@
         case 'S':
                 len = strlen(optarg);
                 if (len != 0) {
+                       if (len >= SUFFIX_MAXLEN)
+                               errx(1, "incorrect suffix: '%s'", optarg);
                         suffixes[0].zipped = optarg;
                         suffixes[0].ziplen = len;
                 } else {
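Review bot: in the -S hunk (@@ -372,6 +374,8 @@), `if (len >= SUFFIX_MAXLEN)` rejects a suffix of exactly 30 characters, although the macro is named SUFFIX_MAXLEN and the cover note says the allowed suffix length is being reduced to 30 to match GNU gzip; either test with `>` or rename the constant to say it is an exclusive bound. The message `errx(1, "incorrect suffix: '%s'", optarg);` also gives no reason, and length is the only property this branch checks, so say so, e.g. `errx(1, "incorrect suffix: '%s': too long", optarg);`. The bare `#define SUFFIX_MAXLEN 30` in the first hunk would benefit from a one-line comment giving the same provenance.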
@@ -1236,8 +1240,7 @@
         /* Add (usually) .gz to filename */
         if ((size_t)snprintf(outfile, outsize, "%s%s", file,
             suffixes[0].zipped) >= outsize)
-               memcpy(outfile - suffixes[0].ziplen - 1,
-                   suffixes[0].zipped, suffixes[0].ziplen + 1);
+               errx(1, "Path name too long");
 
 #ifndef SMALL
         if (check_outfile(outfile) == 0) {
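Review bot: in the @@ -1236,8 +1240,7 @@ hunk, `errx(1, "Path name too long");` exits the whole gzip process at the first name that does not fit, so with several files on the command line the remaining ones are never processed, and the message does not say which name was too long even though `file` is right there in the snprintf call; report the offending name and skip that file instead, reserving a fatal exit for unrecoverable conditions. Since this replaces a silent truncation that used to produce a shorter output name rather than fail, the behaviour change belongs in the commit message.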
From owner-freebsd-security@FreeBSD.ORG Fri Jul 31 05:29:26 2009
Date: Fri, 31 Jul 2009 09:29:21 +0400
From: Eygene Ryabinkin
To: d@delphij.net
Cc: rrl, freebsd-security@freebsd.org
Message-ID: <856ux8zhn21/d1hDLYeNjC7FQ1Y@xg9dzetjpj18poIU9mNsJ0TqP1U>
In-Reply-To: <4A7231A1.2050104@delphij.net>
Reply-To: rea-fbsd@codelabs.ru
Subject: Re: gzip memory corruption

Xin, good day.

Thu, Jul 30, 2009 at 04:49:53PM -0700, Xin LI wrote:
> Having checked with GNU's gzip, it looks like that they arbitrarily set
> an upper limit of the suffix length to 30.  This is unrelated to the
> memcpy bug but let's address it here as well.  My revised patch would
> make the memcpy into a fatal errx, and reduce the allowed suffix length
> to 30 to match GNU behavior.
> 
> Please let me know if this version looks better, I'll propose it to re@
> and commit if they approved it.

Yes, this patch looks much better, thanks!  One thing: I would expand
the error message here:

> +                       if (len >= SUFFIX_MAXLEN)
> +                               errx(1, "incorrect suffix: '%s'", optarg);

say to

> +                               errx(1, "incorrect suffix: '%s': too long", optarg);

It will be better, since the reason of incorrectness will be stated: it
is not very obvious why the suffix like
'.barrhmumbojombofromthemightyuserwhoseemtogonecompletelymad' isn't
acceptable ;))
-- 
Eygene

Remember that it is hard to read the on-line manual while
single-stepping the kernel.
        -- FreeBSD Developers handbook
From owner-freebsd-security@FreeBSD.ORG Fri Jul 31 05:44:28 2009
Message-ID: <4A72846B.60604@delphij.net>
Date: Thu, 30 Jul 2009 22:43:07 -0700
From: Xin LI
Organization: The FreeBSD Project
To: rea-fbsd@codelabs.ru
Cc: rrl, freebsd-security@freebsd.org, d@delphij.net
In-Reply-To: <856ux8zhn21/d1hDLYeNjC7FQ1Y@xg9dzetjpj18poIU9mNsJ0TqP1U>
Reply-To: d@delphij.net
Subject: Re: gzip memory corruption

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

After talking with Matthew Green (the author of NetBSD) it seems that it
would be more reasonable to fix the bug itself than breaking upon
receipt.  Here is the patch.

Regarding the suffix prompt, give me some time to think about it.  At
the beginning I just matched GNU gzip's behavior, but they cover when
the -S is specified when decompressing, which we don't care about, so
it might be reasonable for us to explicitly say it's too long.

Cheers,
- -- 
Xin LI	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAkpyhGoACgkQi+vbBBjt66Bk3wCfT0w2DQipG05hksUv9r/CPioo
s4IAni8otQHmNOxticY23JqzevzsDeBL
=JzTo
-----END PGP SIGNATURE-----

Content-Disposition: inline; filename="gzip.c-S-underflow-revised.diff"

Index: gzip.c
===================================================================
--- gzip.c      (revision 195945)
+++ gzip.c      (working copy)
@@ -150,6 +150,8 @@
 };
 #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])
 
+#define SUFFIX_MAXLEN 30
+
 static const char gzip_version[] = "FreeBSD gzip 20090621";
 
 #ifndef SMALL
@@ -372,6 +374,8 @@
         case 'S':
                 len = strlen(optarg);
                 if (len != 0) {
+                       if (len > SUFFIX_MAXLEN)
+                               errx(1, "incorrect suffix: '%s'", optarg);
                         suffixes[0].zipped = optarg;
                         suffixes[0].ziplen = len;
                 } else {
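Review bot: the -S hunk (@@ -372,6 +374,8 @@) adds a user-visible limit of SUFFIX_MAXLEN (30) characters on the suffix without documenting it; the -S description in gzip(1) should state the limit, and the `#define SUFFIX_MAXLEN 30` in the first hunk deserves a comment saying it matches GNU gzip, as the cover note explains, so the next reader does not take it for an arbitrary number. The message `errx(1, "incorrect suffix: '%s'", optarg);` still does not say why the suffix was rejected; length is the only thing checked here, so "too long" is the accurate wording.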
@@ -1236,7 +1240,7 @@
         /* Add (usually) .gz to filename */
         if ((size_t)snprintf(outfile, outsize, "%s%s", file,
             suffixes[0].zipped) >= outsize)
-               memcpy(outfile - suffixes[0].ziplen - 1,
+               memcpy(outfile + outsize - suffixes[0].ziplen - 1,
                     suffixes[0].zipped, suffixes[0].ziplen + 1);
 
 #ifndef SMALL
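Review bot: in the @@ -1236,7 +1240,7 @@ hunk, `outsize - suffixes[0].ziplen - 1` is unsigned arithmetic, so if outsize is ever less than or equal to ziplen + 1 it wraps and `memcpy(outfile + outsize - suffixes[0].ziplen - 1, ...)` writes far outside outfile; nothing in this hunk guarantees the relation (today it holds only because the -S hunk caps ziplen at 30 and the name buffer is much larger), so check it locally, e.g. `if (outsize > suffixes[0].ziplen + 1)` before the copy, and fail with a message otherwise. A comment is also due: the copy intentionally shortens the stem of `file` to make room for the suffix, so /very/long/name.gz comes out as /very/long/n.gz (the case from earlier in the thread), and the user is not told that the output name changed.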
From: Eygene Ryabinkin To: d@delphij.net Message-ID: References: <20090708193339.GA4836@minerva.freedsl.mg> <4A553080.5060205@delphij.net> <4A553458.70005@delphij.net> <4A7231A1.2050104@delphij.net> <856ux8zhn21/d1hDLYeNjC7FQ1Y@xg9dzetjpj18poIU9mNsJ0TqP1U> <4A72846B.60604@delphij.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4A72846B.60604@delphij.net> Sender: rea-fbsd@codelabs.ru Cc: rrl , freebsd-security@freebsd.org Subject: Re: gzip memory corruption X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: rea-fbsd@codelabs.ru List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Jul 2009 06:52:10 -0000 Xin, Thu, Jul 30, 2009 at 10:43:07PM -0700, Xin LI wrote: > After talking with Matthew Green (the author of NetBSD) it seems that it > would be more reasonable to fix the bug itself than breaking upon > receipt. Here is the patch. You'll probably want to check that (outsize - suffixes[0].ziplen - 1) is greater than zero. Like this: ----- if ((size_t)snprintf(outfile, outsize, "%s%s", file, suffixes[0].zipped) >= outsize) { size_t sfx_start = outsize - suffixes[0] - 1; if (sfx_start > 0) { memcpy(outfile + sfx_start, suffixes[0].zipped, suffixes[0].ziplen + 1); } else { errx(1, "Can't insert suffix: name buffer is too short"); } } ----- Just now we can garantee that 'outsize' will fit any suffix because of the suffix length check, but when Someone (TM) will modify the code, this could no longer be true and a bug will arise again. So it is better to check this locally and fail loudly if we can't make it happen. I should say that transforming the "/long-path/foo.gz" (that is expected) into "/long-path/f.gz" isn't quite obvious for the end-user. 
But if the absence of such a transformation will break anything that
relies on this behaviour (I can't think about any usages of this
behaviour, but who knows), then the code should keep it. What were
Matthew's arguments for keeping the old behaviour?
-- 
Eygene
  Remember that it is hard to read the on-line manual
  while single-stepping the kernel.  -- FreeBSD Developers handbook

From owner-freebsd-security@FreeBSD.ORG Fri Jul 31 08:02:33 2009
Message-ID: <4A72A4D3.1070902@delphij.net>
Date: Fri, 31 Jul 2009 01:01:23 -0700
From: Xin LI
Organization: The FreeBSD Project
User-Agent: Thunderbird 2.0.0.22 (X11/20090701)
To: rea-fbsd@codelabs.ru
In-Reply-To: (missing)
Cc: rrl, freebsd-security@freebsd.org, d@delphij.net
Subject: Re: gzip memory corruption

Eygene Ryabinkin wrote:
> Xin,
>
> Thu, Jul 30, 2009 at 10:43:07PM -0700, Xin LI wrote:
>> After talking with Matthew Green (the author of NetBSD) it seems that it
>> would be more reasonable to fix the bug itself than breaking upon
>> receipt. Here is the patch.
>
> You'll probably want to check that (outsize - suffixes[0].ziplen - 1)
> is greater than zero. Like this:
[...]
> Just now we can guarantee that 'outsize' will fit any suffix because of
> the suffix length check, but when Someone (TM) will modify the code,
> this could no longer be true and a bug will arise again. So it is
> better to check this locally and fail loudly if we can't make it happen.

We should probably add an assertion here (e.g. assert(outsize > suffixes[0].ziplen)), but no, I don't think it's the right thing to re-check already sanitized input. It is not a good practice for production code to check the same thing everywhere; it's something that should happen during the development and testing phase. These should be assertions, IMHO.
> I should say that transforming the "/long-path/foo.gz" (that is
> expected) into "/long-path/f.gz" isn't quite obvious for the end-user.
> But if the absence of such a transformation will break anything that
> relies on this behaviour (I can't think about any usages of this
> behaviour, but who knows), then the code should keep it. What were
> Matthew's arguments for keeping the old behaviour?

Because GNU gzip does the truncation instead of reporting an error (I think the original intention for the memcpy was to match this behavior as well). There are even worse cases for the problem you have raised, for instance truncating /long/p/a/t/h.gz to /long/p/a/.gz. But for now I think the underflow issue is more serious than that, and it would probably be a better idea if we address the stack underflow now, and have a clear mind to re-think how we should do it. There is an ongoing plan to replace gzip with something more efficient as well, on the other hand.

Cheers,
-- 
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!
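As an added example in C, not the gzip source or the patch under discussion: the corrected suffix insertion with the underflow guard Eygene asks for, plus a checker that reproduces the "/long-path/f.gz" and "/long/p/a/.gz" truncations mentioned in both messages above. add_suffix and check_suffix are made-up names, and the buffer sizes are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of placing "<file><sfx>" into a fixed-size name buffer. */
enum sfx_result { SFX_OK, SFX_TRUNCATED, SFX_TOO_SMALL };

/*
 * Build "<file><sfx>" into outfile[outsize].  When the full name does not
 * fit, do what the corrected gzip hunk does: keep the suffix and cut the
 * stem so the result still ends in sfx (GNU gzip truncates the same way).
 * The guard before the subtraction is the check suggested in the thread:
 * with size_t, outsize - sfxlen - 1 wraps instead of going negative, so
 * compare first and require at least one stem character before the suffix.
 */
enum sfx_result add_suffix(char *outfile, size_t outsize,
    const char *file, const char *sfx)
{
	size_t sfxlen = strlen(sfx);
	if (outsize < sfxlen + 2)	/* 1 stem char + suffix + NUL */
		return SFX_TOO_SMALL;
	if ((size_t)snprintf(outfile, outsize, "%s%s", file, sfx) < outsize)
		return SFX_OK;
	/* snprintf truncated: overwrite the tail with the suffix and its NUL. */
	memcpy(outfile + outsize - sfxlen - 1, sfx, sfxlen + 1);
	return SFX_TRUNCATED;
}

/* Run add_suffix with the given outsize and compare result code and text. */
int check_suffix(size_t outsize, const char *file,
    enum sfx_result want_rc, const char *want)
{
	char buf[64];	/* constructed scratch buffer; outsize must be <= 64 */
	if (outsize > sizeof(buf))
		return 0;
	memset(buf, '#', sizeof(buf));
	enum sfx_result rc = add_suffix(buf, outsize, file, ".gz");
	if (rc != want_rc)
		return 0;
	return rc == SFX_TOO_SMALL || strcmp(buf, want) == 0;
}

int main(void)
{
	char buf[16];	/* "/long-path/foo.gz" is 17 bytes, so this truncates */
	add_suffix(buf, sizeof(buf), "/long-path/foo", ".gz");
	printf("%s\n", buf);	/* prints /long-path/f.gz */
	return 0;
}
```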