From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 01:20:45 2009
Date: Tue, 1 Dec 2009 01:20:45 GMT
Message-Id: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
From: FreeBSD Security Officer
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: Upcoming FreeBSD Security Advisory
X-BeenThere: freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

A short time ago a "local root" exploit was posted to the full-disclosure
mailing list; as the name suggests, this allows a local user to execute
arbitrary code as root.

Normally it is the policy of the FreeBSD Security Team to not publicly
discuss security issues until an advisory is ready, but in this case
since exploit code is already widely available I want to make a patch
available ASAP. Due to the short timeline, it is possible that this
patch will not be the final version which is provided when an advisory
is sent out; it is even possible (although highly doubtful) that this
patch does not fully fix the issue or introduces new issues -- in short,
use at your own risk (even more than usual).

The patch is at
http://people.freebsd.org/~cperciva/rtld.patch
and has SHA256 hash
ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1

I expect a full security advisory concerning this issue will go out on
Wednesday December 2nd.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAksUbjcACgkQFdaIBMps37LP9ACgljaYCfgVuhD2gd9Natpq4H/9
i48An1mgl+Mih+AWN7J9KZ1rsiEU31IZ
=MPXj
-----END PGP SIGNATURE-----

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 04:55:45 2009
Message-ID: <4B149B8A.80100@xzibition.com>
Date: Mon, 30 Nov 2009 22:28:58 -0600
From: Bryan Drewery
To: cperciva@freebsd.org
Cc: freebsd-security@freebsd.org
In-Reply-To: <200912010120.nB11Koo2088364@freefall.freebsd.org>
Subject: Re: Upcoming FreeBSD Security Advisory

Colin,

Thank you so much for alerting us and providing a temporary patch. I had
a user attempt to use the public exploit today, but due to /tmp being
noexec, it failed. Luckily I caught him before he modified the script to
work though. Now I am patched and can sleep tonight :)

Thanks,
Bryan

FreeBSD Security Officer wrote:
> Hi all,
>
> A short time ago a "local root" exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root.
>
> [...]
>
> The patch is at
> http://people.freebsd.org/~cperciva/rtld.patch
> and has SHA256 hash
> ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1
>
> I expect a full security advisory concerning this issue will go out on
> Wednesday December 2nd.
From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 05:22:53 2009
Message-Id: <200912010522.WAA03022@lariat.net>
Date: Mon, 30 Nov 2009 22:21:51 -0700
To: freebsd-security@freebsd.org, FreeBSD Security Advisories
From: Brett Glass
In-Reply-To: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
Subject: Re: Upcoming FreeBSD Security Advisory

At 06:20 PM 11/30/2009, FreeBSD Security Officer wrote:
>A short time ago a "local root" exploit was posted to the full-disclosure
>mailing list; as the name suggests, this allows a local user to execute
>arbitrary code as root.

Yargh. Thank you for catching this.

--Brett

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 07:52:37 2009
Date: Tue, 1 Dec 2009 10:52:33 +0300
From: Eygene Ryabinkin
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories
Reply-To: rea-fbsd@codelabs.ru
In-Reply-To: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
Subject: Re: Upcoming FreeBSD Security Advisory

Colin, *, good day.

Tue, Dec 01, 2009 at 01:20:45AM +0000, FreeBSD Security Officer wrote:
> A short time ago a "local root" exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root.
>
> [...]
>
> The patch is at
> http://people.freebsd.org/~cperciva/rtld.patch
> and has SHA256 hash
> ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1

Just to ease others' lives: for 7.1 (and 7.0, but it seems to be at EoL
now, so there is already no support for it), one should use another patch:
-----
http://codelabs.ru/fbsd/patches/vulns/freebsd-7.0-rtld-unsetenv.diff
SHA256 (freebsd-7.0-rtld-unsetenv.diff) = e5ebbea24073bf644d3bc0c1ba37674a387af656b4c7e583a564a83598930897
SHA1 (freebsd-7.0-rtld-unsetenv.diff) = 24a79be52be0ea00ed0ea279f25efbf597f9c850
-----
Actually, every system that has rtld.c at r190323 or lower should use
this variant -- clearing of LD_ELF_HINTS_PATH was introduced only in
r190324.

By the way, if people are using NO_DYNAMIC_ROOT and all setuid executables
come from the system itself (no sudo and other stuff from ports or manual
installations), such a system is obviously safe from this issue -- no
dynamic loading takes place.
I don't mean that people with such systems shouldn't upgrade, but they
probably can do it with the least urgency.

Thanks for posting the patch!
-- 
Eygene
Remember that it is hard to read the on-line manual while single-stepping
the kernel.  -- FreeBSD Developers handbook

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 09:01:10 2009
In-Reply-To: <4B149B8A.80100@xzibition.com>
Date: Tue, 1 Dec 2009 09:01:08 +0000
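Eygene's NO_DYNAMIC_ROOT remark above rests on a property that can be checked directly on each set-user-ID or set-group-ID executable: whether it carries a PT_INTERP program header, because only then does the kernel hand it to /libexec/ld-elf.so.1 and only then do LD_* variables matter. The program below is an added example, not code from this thread or from FreeBSD. It reads the ELF header fields by their documented offsets (so it handles ELF32/ELF64 and both byte orders without depending on a system elf.h), builds its own constructed test images, and deliberately avoids ldd(1), which works by executing the binary's own loader. The 4 KiB read window and the two-entry test images are assumptions of the example.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PT_LOAD_TYPE   1
#define PT_INTERP_TYPE 3

/* Read an unsigned integer of `size` bytes in the image's own byte order. */
static uint64_t rd(const unsigned char *p, size_t size, int big)
{
    uint64_t v = 0;
    size_t i;
    for (i = 0; i < size; i++)
        v |= (uint64_t)p[i] << (8 * (big ? size - 1 - i : i));
    return v;
}

/* 1 = has a PT_INTERP header (dynamic, runs through rtld), 0 = ELF without
 * one (static), -1 = not a parseable ELF image or truncated phdr table. */
int elf_has_interp(const unsigned char *buf, size_t len)
{
    int is64, big;
    uint64_t phoff, phentsize, phnum, i, off;
    if (len < 52 || buf[0] != 0x7f || memcmp(buf + 1, "ELF", 3) != 0)
        return -1;
    is64 = buf[4] == 2;                        /* EI_CLASS */
    big = buf[5] == 2;                         /* EI_DATA  */
    if (is64 && len < 64)
        return -1;
    phoff     = is64 ? rd(buf + 32, 8, big) : rd(buf + 28, 4, big);
    phentsize = is64 ? rd(buf + 54, 2, big) : rd(buf + 42, 2, big);
    phnum     = is64 ? rd(buf + 56, 2, big) : rd(buf + 44, 2, big);
    if (phentsize < 4 || phoff > len)
        return -1;
    for (i = 0; i < phnum; i++) {
        off = phoff + i * phentsize;
        if (off + 4 > len)
            return -1;                         /* table truncated: refuse to guess */
        if (rd(buf + off, 4, big) == PT_INTERP_TYPE)
            return 1;
    }
    return 0;
}

/* Constructed test input: a minimal little-endian ET_EXEC image with one
 * PT_LOAD and, if requested, a leading PT_INTERP.  Not loadable; headers only. */
size_t make_test_elf(unsigned char *buf, size_t cap, int is64, int with_interp)
{
    size_t ehsize = is64 ? 64 : 52, phsize = is64 ? 56 : 32;
    size_t phnum = with_interp ? 2 : 1, total = ehsize + phnum * phsize, k;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x7f;  memcpy(buf + 1, "ELF", 3);
    buf[4] = is64 ? 2 : 1;  buf[5] = 1;  buf[6] = 1;  buf[16] = 2;
    buf[is64 ? 32 : 28] = (unsigned char)ehsize;    /* e_phoff (fits in a byte) */
    buf[is64 ? 54 : 42] = (unsigned char)phsize;    /* e_phentsize */
    buf[is64 ? 56 : 44] = (unsigned char)phnum;     /* e_phnum */
    for (k = 0; k < phnum; k++)                      /* p_type leads each phdr */
        buf[ehsize + k * phsize] = (k == 0 && with_interp) ? PT_INTERP_TYPE : PT_LOAD_TYPE;
    return total;
}

/* Build a test image and classify it in one step. */
int classify_test_elf(int is64, int with_interp)
{
    unsigned char img[256];
    size_t n = make_test_elf(img, sizeof img, is64, with_interp);
    return n ? elf_has_interp(img, n) : -1;
}

/* On disk: 1 = set-ID and dynamic, 0 = set-ID but static, -1 = not set-ID,
 * unreadable, or phdr table outside the first 4 KiB (inspect by hand). */
int setuid_binary_is_dynamic(const char *path)
{
    unsigned char buf[4096];
    struct stat st;
    ssize_t n;
    int fd;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || !(st.st_mode & (S_ISUID | S_ISGID)))
        return -1;
    if ((fd = open(path, O_RDONLY)) < 0)
        return -1;
    n = read(fd, buf, sizeof buf);
    close(fd);
    return n > 0 ? elf_has_interp(buf, (size_t)n) : -1;
}

int main(int argc, char **argv)
{
    static const char *const verdict[] = { "not set-ID or not ELF",
        "set-ID, static", "set-ID, dynamic (runs through rtld)" };
    int i;
    for (i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], verdict[setuid_binary_is_dynamic(argv[i]) + 1]);
    return 0;
}
```

Feed it the output of `find / \( -perm -4000 -o -perm -2000 \) -type f`; every path reported as "set-ID, dynamic" is one that the rtld patch protects and that a NO_DYNAMIC_ROOT build would otherwise have made static, while anything from ports (sudo and friends, as Eygene notes) will normally show up dynamic regardless.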
From: István
To: Bryan Drewery
Cc: freebsd-security , cperciva
Subject: Re: Upcoming FreeBSD Security Advisory

yeah noexec /tmp is nice

cat /tmp/shellscript | bash

same with executables

It is good against level0 kiddies and bots

On Tue, Dec 1, 2009 at 4:28 AM, Bryan Drewery wrote:
> Colin,
>
> Thank you so much for alerting us and providing a temporary patch. I had
> a user attempt to use the public exploit today, but due to /tmp being
> noexec, it failed. Luckily I caught him before he modified the script to
> work though. Now I am patched and can sleep tonight :)
>
> Thanks,
> Bryan
>
> FreeBSD Security Officer wrote:
> > Hi all,
> >
> > A short time ago a "local root" exploit was posted to the full-disclosure
> > mailing list; as the name suggests, this allows a local user to execute
> > arbitrary code as root.
> >
> > [...]

-- 
the sun shines for all
http://l1xl1x.blogspot.com

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 11:48:13 2009
Date: Tue, 1 Dec 2009 12:16:27 +0100
From: Alex Huth
To: freebsd-security@freebsd.org
Message-ID: <20091201111627.GC4920@borusse.borussiapark>
Subject: Re: Upcoming FreeBSD Security Advisory

* Eygene Ryabinkin wrote:
> Colin, *, good day.
>
> Tue, Dec 01, 2009 at 01:20:45AM +0000, FreeBSD Security Officer wrote:
> > A short time ago a "local root" exploit was posted to the full-disclosure
> > mailing list; as the name suggests, this allows a local user to execute
> > arbitrary code as root.

I am new to patching systems, so forgive "stupid" questions. We have some 6.1
systems. Are or will there be a patch for them or are they not involved in
this problem?

I am new to patching systems, so forgive me any stupid questions. We have some
6.1 and 6.3 systems. Are or will there be patches for them or are they not
involved in this problem?

How do I apply such a patch? With freebsd-update? As far as I know this
tool is only for systems >= 6.3, or?
Thx
Alex

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 12:06:44 2009
Message-ID: <4B1503CB.3080405@nruns.com>
Date: Tue, 01 Dec 2009 12:53:47 +0100
From: Jan Muenther
To: Alex Huth
Cc: freebsd-security@freebsd.org
In-Reply-To: <20091201114845.359731A828F@mailv.nruns.com>
Subject: Re: Upcoming FreeBSD Security Advisory

Hi,

> I am new to patching systems, so forgive "stupid" questions. We have some 6.1
> systems. Are or will there be a patch for them or are they not involved in
> this problem?
>
> [...]
>
> How do I apply such a patch? With freebsd-update? As far as I know this
> tool is only for systems >= 6.3, or?

Patches are patches for the source code, so you'll have to apply them with
the patch(1) program and then re-compile. I'd be greatly surprised if the
affected code looked different in 6.x.

The bug itself is fairly interesting actually, if only for the reason that
it displays what can happen if you don't check return values - another prime
example of this causing security issues that I can think of off the top of
my head is Windows impersonation bugs.

stealth wrote this up:
http://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-security-bypass/

Maybe that sheds some light.
Cheers, Jan

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 12:26:55 2009
Message-ID: <4B150B8C.90402@obluda.cz>
Date: Tue, 01 Dec 2009 13:26:52 +0100
From: Dan Lukes
To: freebsd-security@freebsd.org
In-Reply-To: <4B1503CB.3080405@nruns.com>
Subject: Re: Upcoming FreeBSD Security Advisory

Jan Muenther wrote, On 12/01/09 12:53:
> I'd be greatly surprised if the affected code looked different in 6.x.

True, the affected code is the same. But unsetenv() "returns" 'void' on
6.x, so the code can't be patched the same way as in 7.x/8.x/HEAD.

We need something like

    if (getenv(...) != NULL) {
        unsetenv(...);
        if (getenv(...) != NULL)
            ABORT - BROKEN ENVIRONMENT
    }

Dan

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 07:10:07 2009
Message-ID: <4B14BC6D.4020309@monkeybrains.net>
Date: Mon, 30 Nov 2009 22:49:17 -0800
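The exchange above (Jan's point about unchecked return values, Dan's getenv-after-unsetenv check for 6.x) is easiest to see in code. What follows is an added example, not code from this thread, from FreeBSD's rtld or from its libc. It models the environment as a plain NULL-terminated NAME=value array, with `env_unset_fragile` standing in, as an assumption about the bug's shape rather than a copy of libc, for an unsetenv(3) that gives up on a malformed environment (an entry with no '='). It shows the unchecked pattern leaving LD_PRELOAD in force, the re-check Dan proposes catching it, and a third option that rewrites the array directly and so depends on no library call at all. The sample environment and the list of dangerous names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Names rtld must ignore once the process is set-user-ID ("tainted"). */
static const char *const dangerous[] = { "LD_PRELOAD", "LD_LIBMAP",
    "LD_LIBRARY_PATH", "LD_LIBMAP_DISABLE", "LD_DEBUG", "LD_ELF_HINTS_PATH", NULL };

/* getenv(3)-style lookup over a NULL-terminated "NAME=value" array. */
static const char *env_lookup(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Model (an assumption about the bug's shape, not FreeBSD's libc) of an
 * unsetenv(3) that gives up on a malformed environment: nothing removed, -1. */
static int env_unset_fragile(char **envp, const char *name)
{
    size_t n = strlen(name);
    char **p, **q;
    for (p = envp; *p != NULL; p++)
        if (strchr(*p, '=') == NULL)
            return -1;
    for (p = envp; *p != NULL; ) {
        if (strncmp(*p, name, n) != 0 || (*p)[n] != '=') { p++; continue; }
        for (q = p; *q != NULL; q++)          /* compact the array over the hit */
            q[0] = q[1];
    }
    return 0;
}

/* Vulnerable pattern: unset, ignore the result, honour what getenv() still says. */
static const char *scrub_unchecked(char **envp)
{
    const char *const *d;
    for (d = dangerous; *d != NULL; d++)
        (void)env_unset_fragile(envp, *d);
    return env_lookup(envp, "LD_PRELOAD");    /* the value rtld would go on to use */
}

/* Dan Lukes' shape for a void-returning unsetenv(): look the name up again
 * and refuse to go on if it is still visible.  0 = clean, -1 = abort. */
static int scrub_checked(char **envp)
{
    const char *const *d;
    for (d = dangerous; *d != NULL; d++) {
        if (env_lookup(envp, *d) == NULL)
            continue;
        (void)env_unset_fragile(envp, *d);
        if (env_lookup(envp, *d) != NULL)
            return -1;
    }
    return 0;
}

/* Library-independent alternative: rewrite the array in place, dropping the
 * dangerous names and every entry without '=', so neither this process nor
 * anything it execs can see them.  Returns the number of entries dropped. */
static int scrub_inplace(char **envp)
{
    char **in, **out;
    const char *const *d;
    int dropped = 0, drop;
    for (in = out = envp; *in != NULL; in++) {
        const char *eq = strchr(*in, '=');
        for (drop = (eq == NULL), d = dangerous; !drop && *d != NULL; d++)
            drop = (size_t)(eq - *in) == strlen(*d) && memcmp(*in, *d, strlen(*d)) == 0;
        if (drop) dropped++; else *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

/* Constructed sample: attacker's LD_PRELOAD beside a junk entry lacking '='. */
static void sample_env(char **env, int malformed)
{
    env[0] = "PATH=/bin";  env[1] = "LD_PRELOAD=/tmp/evil.so";
    env[2] = malformed ? "JUNK" : "JUNK=";  env[3] = "HOME=/";  env[4] = NULL;
}

/* mode 0: 1 if the unchecked scrub leaves LD_PRELOAD in force, else 0
 * mode 1: 1 if the checked scrub refuses to continue, else 0
 * mode 2: entries the in-place scrub dropped, or -1 if LD_PRELOAD survived */
int scrub_demo(int mode, int malformed)
{
    char *env[5];
    int n;
    sample_env(env, malformed);
    if (mode == 0) return scrub_unchecked(env) != NULL;
    if (mode == 1) return scrub_checked(env) == -1;
    n = scrub_inplace(env);
    return env_lookup(env, "LD_PRELOAD") == NULL ? n : -1;
}

int main(void)
{
    printf("malformed env: unchecked leaks LD_PRELOAD=%d, checked aborts=%d, in-place dropped=%d\n",
           scrub_demo(0, 1), scrub_demo(1, 1), scrub_demo(2, 1));
    return 0;
}
```

With a well-formed environment (second argument 0) all three variants agree, which is why the unchecked pattern survived as long as it did; the difference only appears once someone hands the loader a corrupt environment. The in-place rewrite is the only one of the three whose correctness does not depend on what unsetenv(3) returns, which makes it the natural choice for a 6.x-era libc with a void-returning unsetenv().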
From: Rudy Rucker
To: freebsd-security@freebsd.org
Cc: cperciva@freebsd.org
In-Reply-To: <20091130215403.GA94638@thought.org>
Subject: rtld.patch -- effects on running system.

Regarding patch here:
http://lists.freebsd.org/pipermail/freebsd-security/2009-December/005369.html

I am trying to patch running systems and find some interesting behavior...

This Process:

    cd /usr/src/libexec/rtld-elf/
    fetch http://people.freebsd.org/~cperciva/rtld.patch
    patch < rtld.patch
    make
    make install
    ls -l /libexec/ld-elf.so.1

Causes lots of things to freeze up or crash (example: apache / mysql).
Restarting those services gets them back online. :) For example:

    /usr/local/etc/rc.d/mysql restart

Now, how do I go about updating /libexec/ld-elf32.so.1 (I am on an amd64
box, FreeBSD 7.x)?
Rudy

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 13:12:06 2009
From: Dag-Erling Smørgrav
To: Alex Huth
Cc: freebsd-security@freebsd.org
Date: Tue, 01 Dec 2009 14:12:02 +0100
In-Reply-To: <20091201111627.GC4920@borusse.borussiapark>
Message-ID: <86skbuet3x.fsf@ds4.des.no>
Subject: Re: Upcoming FreeBSD Security Advisory

Alex Huth writes:
> I am new to patching systems, so forgive "stupid" questions. We have
> some 6.1 systems. Are or will there be a patch for them or are they
> not involved in this problem?

Support for 6.1 ended one and a half years ago (almost to the day), so
no to the first part of your question. As to the second: yes, 6.1 is
most likely affected. There is a good chance (but no guarantee) that
the patch for 6.3 will apply cleanly on 6.1. The security advisory will
contain instructions on how to apply and deploy the patch.

> How do I apply such a patch? With freebsd-update? As far as I know is
> this tool only for systems >= 6.3 or?

freebsd-update will work on 6.3 since 6.3 is still supported (until the
end of January).
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 13:14:59 2009
From: Dag-Erling Smørgrav
To: Rudy Rucker
Cc: freebsd-security@freebsd.org, cperciva@freebsd.org
Date: Tue, 01 Dec 2009 14:14:57 +0100
In-Reply-To: <4B14BC6D.4020309@monkeybrains.net>
Message-ID: <86ocmiesz2.fsf@ds4.des.no>
Subject: Re: rtld.patch -- effects on running system.

Rudy Rucker writes:
> Causes lots of things to freeze up or crash (example: apache /
> mysql).

That's... strange. I'm sure there is a good explanation, though. I
would just reboot the system after applying the patch.

> Now, how do I go about updating /libexec/ld-elf32.so.1 (I am on an
> amd64 box, FreeBSD 7.x)?
    # make buildworld && make installworld && shutdown -r now new world

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 14:36:47 2009
Message-ID: <025901ca728f$f7565340$0132a8c0@fb4e97440cc340b>
From: "Vasim Valejev"
Date: Tue, 1 Dec 2009 17:09:57 +0300
Subject: LD_PRELOAD temporary patch

I've used that patch to close the hole. This patch is temporary and doesn't fix the real trouble maker - a problem in the new version of getenv() (after 6.3 it got changed to something monstrous and non-working right if the environment has only one variable); hope it will get fixed soon.

*** rtld.c.orig Tue Dec  1 16:55:13 2009
--- rtld.c      Tue Dec  1 16:55:55 2009
***************
*** 357,374 ****
       * is called.  If any child process calls setuid(2) we do not want any
       * future processes to honor the potentially un-safe variables.
       */
      if (!trust) {
          unsetenv(LD_ "PRELOAD");
          unsetenv(LD_ "LIBMAP");
          unsetenv(LD_ "LIBRARY_PATH");
          unsetenv(LD_ "LIBMAP_DISABLE");
          unsetenv(LD_ "DEBUG");
      }
-     ld_debug = getenv(LD_ "DEBUG");
-     libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL;
-     libmap_override = getenv(LD_ "LIBMAP");
-     ld_library_path = getenv(LD_ "LIBRARY_PATH");
-     ld_preload = getenv(LD_ "PRELOAD");
      dangerous_ld_env = libmap_disable || (libmap_override != NULL) ||
        (ld_library_path != NULL) || (ld_preload != NULL);
      ld_tracing = getenv(LD_ "TRACE_LOADED_OBJECTS");
--- 357,379 ----
       * is called.  If any child process calls setuid(2) we do not want any
       * future processes to honor the potentially un-safe variables.
       */
+     ld_preload = getenv(LD_ "PRELOAD");
+     libmap_override = getenv(LD_ "LIBMAP");
+     ld_library_path = getenv(LD_ "LIBRARY_PATH");
+     libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL;
+     ld_debug = getenv(LD_ "DEBUG");
      if (!trust) {
+         ld_preload = NULL;
+         libmap_override = NULL;
+         ld_library_path = NULL;
+         libmap_disable = 0;
+         ld_debug = NULL;
          unsetenv(LD_ "PRELOAD");
          unsetenv(LD_ "LIBMAP");
          unsetenv(LD_ "LIBRARY_PATH");
          unsetenv(LD_ "LIBMAP_DISABLE");
          unsetenv(LD_ "DEBUG");
      }
      dangerous_ld_env = libmap_disable || (libmap_override != NULL) ||
          (ld_library_path != NULL) || (ld_preload != NULL);
      ld_tracing = getenv(LD_ "TRACE_LOADED_OBJECTS");
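Review bot: the five unsetenv() calls inside the `if (!trust)` block still discard their return values, so a removal that fails leaves that variable in the environment for every process this one later execs, which is exactly what the comment above the block ("we do not want any future processes to honor the potentially un-safe variables") says must not happen; the added `ld_preload = NULL;` and friends protect only this loader instance. Suggest testing each call, e.g. `if (unsetenv(LD_ "PRELOAD") != 0)` and bailing out through rtld's fatal-error path, so the loader refuses to run rather than carry a half-scrubbed environment forward. Minor: reading the five getenv() values before the test and then discarding them when trust is false works, but an else branch that performs the reads only for trusted processes would state the intent more directly.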
From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 16:00:20 2009
From: Eygene Ryabinkin
To: Vasim Valejev
Cc: freebsd-security@freebsd.org
Reply-To: rea-fbsd@codelabs.ru
Date: Tue, 1 Dec 2009 19:00:16 +0300
Message-ID: <2l7ppaOshvDTrwINE81EpiKZPIo@HdC2pNlxoZEC2oqxdWvElH3kUBc>
In-Reply-To: <025901ca728f$f7565340$0132a8c0@fb4e97440cc340b>
Subject: Re: LD_PRELOAD temporary patch

Good evening.

Tue, Dec 01, 2009 at 05:09:57PM +0300, Vasim Valejev wrote:
> I've used that patch to close the hole. This patch is temporary and
> doesn't fix the real trouble maker - a problem in the new version of getenv()

If you're talking about rtld-elf local root, then the real issue is that return values of unsetenv() are not checked and unsetenv() could fail, thus leaving LD_PRELOAD and friends unmodified.

> (after 6.3 it got changed to something monstrous and non-working right
> if the environment has only one variable),

Sorry, what do you mean by this? Does the attached script print 'VAR = variable' for you as it does for me on 8.0-BETA2 (and undoubtedly, on 8.0)? If yes then getenv() works properly with a single environment variable. Perhaps you meant something else?
-- 
Eygene
  # Remember that it is hard to read the on-line manual
  # while single-stepping the kernel.
  # -- FreeBSD Developers handbook

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 16:05:30 2009
From: Eygene Ryabinkin
To: Vasim Valejev
Cc: freebsd-security@freebsd.org
Reply-To: rea-fbsd@codelabs.ru
Date: Tue, 1 Dec 2009 19:05:27 +0300
In-Reply-To: <2l7ppaOshvDTrwINE81EpiKZPIo@HdC2pNlxoZEC2oqxdWvElH3kUBc>
Subject: Re: LD_PRELOAD temporary patch

Tue, Dec 01, 2009 at 07:00:16PM +0300, Eygene Ryabinkin wrote:
> Sorry, what do you mean by this? Does the attached script print 'VAR =
> variable' for you as it does for me on 8.0-BETA2 (and undoubtedly, on
> 8.0)? If yes then getenv() works properly with a single environment
> variable. Perhaps you meant something else?

Attached wrong version of the script, sorry.
-- 
Eygene
  # Remember that it is hard to read the on-line manual
  # while single-stepping the kernel.
  # -- FreeBSD Developers handbook

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 16:37:13 2009
Message-ID: <4B154635.2050209@obluda.cz>
Date: Tue, 01 Dec 2009 17:37:09 +0100
From: Dan Lukes
To: freebsd security
In-Reply-To: <86skbuet3x.fsf@ds4.des.no>
Subject: Re: Upcoming FreeBSD Security Advisory

Dag-Erling Smørgrav wrote, On 12/01/09 14:12:
> As to the second: yes, 6.1 is most likely affected.

Probably no.

The older algorithm used in 6.1 looks like
-----------------
if (trusted) {
    variable = getenv(NAME);
    ....
-----------------

The affected algorithm looks like:
-----------------
if (!trusted) {
    unsetenv(NAME);
    ...
};
variable = getenv(NAME);
-----------------

As far as I know such change has been MFCed into 6.3, 6.4, 7.x but not into 6.1.
So 6.1 should not be affected by this bug (but remains vulnerable to the problem that triggered the change of old algorithm to new).

Dan

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 16:59:57 2009
Date: Tue, 1 Dec 2009 10:59:56 -0600 (CST)
From: "Sean C. Farley"
To: Dan Lukes
Cc: freebsd security
In-Reply-To: <4B154635.2050209@obluda.cz>
Subject: Re: Upcoming FreeBSD Security Advisory

On Tue, 1 Dec 2009, Dan Lukes wrote:

> Dag-Erling Smørgrav wrote, On 12/01/09 14:12:
>> As to the second: yes, 6.1 is most likely affected.
>
> Probably no.
>
> The older algorithm used in 6.1 looks like
> -----------------
> if (trusted) {
>     variable = getenv(NAME);
>     ....
> -----------------
>
> The affected algorithm looks like:
> -----------------
> if (!trusted) {
>     unsetenv(NAME);
>     ...
> };
> variable = getenv(NAME);
> -----------------
>
> As far as I know such change has been MFCed into 6.3, 6.4, 7.x but not
> into 6.1. So 6.1 should not be affected by this bug (but remains
> vulnerable to the problem that triggered the change of old algorithm to
> new).

That is correct. 6.x should not be affected.
The security issue exists with the combination of the getenv() to unsetenv() change in rtld.c and the addition of the new env code. The unsetenv() in 6.x would not stop if environ was corrupted.

Sean
-- 
scf@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 17:10:11 2009
Message-ID: <4B15463F.406@quis.cx>
Date: Tue, 01 Dec 2009 17:37:19 +0100
From: Jille Timmermans
To: rea-fbsd@codelabs.ru
Cc: freebsd-security@freebsd.org, Vasim Valejev
In-Reply-To: <2l7ppaOshvDTrwINE81EpiKZPIo@HdC2pNlxoZEC2oqxdWvElH3kUBc>
Subject: Re: LD_PRELOAD temporary patch

Eygene Ryabinkin wrote:
> Good evening.
>
> Tue, Dec 01, 2009 at 05:09:57PM +0300, Vasim Valejev wrote:
>
>> I've used that patch to close the hole. This patch is temporary and
>> doesn't fix the real trouble maker - a problem in the new version of getenv()
>>
>
> If you're talking about rtld-elf local root, then the real issue
> is that return values of unsetenv() are not checked and unsetenv()
> could fail, thus leaving LD_PRELOAD and friends unmodified.
>

Isn't the real issue that unsetenv() works differently from getenv()? If they both said 'your environment is crappy' there wouldn't have been a problem, would it? If I'm correct, rtld isn't that wrong: it seems like a sane assumption to me that if you can't delete it, you can't retrieve it either.
(There are exceptions to this rule, like problems with freeing the memory, but that isn't a problem in this case.)

-- 
Jille

>
>> (after 6.3 it got changed to something monstrous and non-working right
>> if the environment has only one variable),
>>
>
> Sorry, what do you mean by this? Does the attached script print 'VAR =
> variable' for you as it does for me on 8.0-BETA2 (and undoubtedly, on
> 8.0)? If yes then getenv() works properly with a single environment
> variable. Perhaps you meant something else?
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 17:41:06 2009
Message-Id: <200912011724.KAA10851@lariat.net>
Date: Tue, 01 Dec 2009 10:23:00 -0700
To: freebsd-security@freebsd.org
From: Brett Glass
In-Reply-To: <200912010522.WAA03022@lariat.net>
Subject: Increase in SSH attacks as of announcement of rtld bug

Everyone:

I don't know if it's a coincidence, but I doubt it is: since the announcement of the rtld bug, we've seen a precipitous increase in the number of SSH password guessing attacks on our systems. Apparently, the folks who are mounting the attacks (usually via botnets) have realized that if they get into a user shell account on an unpatched system, they have effectively broken root.

It would be wise for all FreeBSD system administrators to set AllowUsers as restrictively as possible in sshd_config, and also (because the attacks can take a great toll on servers in terms of CPU and other resources) consider other changes to "armor" their systems against SSH attacks.

It may be time, in fact, to consider implementing single packet authentication as the default in SSH servers and as a built-in feature in SSH clients. (Does anyone know of a good SSH client that integrates a single packet authentication system -- e.g. fwknop? I'm already seeking sources and a toolchain so that I can try my hand at doing this for TeraTerm.)
--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 17:50:09 2009
Date: Tue, 1 Dec 2009 18:50:07 +0100
Message-ID: <6101e8c40912010950j70540b6bj140eddbf0f3d7bba@mail.gmail.com>
From: Oliver Pinter
To: "Sean C. Farley"
Cc: Dan Lukes, freebsd security
Subject: Re: Upcoming FreeBSD Security Advisory

http://twitter.com/spendergrsec/status/6223864530
http://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-security-bypass/

On 12/1/09, Sean C. Farley wrote:
> On Tue, 1 Dec 2009, Dan Lukes wrote:
>
>> Dag-Erling Smørgrav wrote, On 12/01/09 14:12:
>>> As to the second: yes, 6.1 is most likely affected.
>>
>> Probably no.
>>
>> The older algorithm used in 6.1 looks like
>> -----------------
>> if (trusted) {
>>     variable = getenv(NAME);
>>     ....
>> -----------------
>>
>> The affected algorithm looks like:
>> -----------------
>> if (!trusted) {
>>     unsetenv(NAME);
>>     ...
>> };
>> variable = getenv(NAME);
>> -----------------
>>
>> As far as I know such change has been MFCed into 6.3, 6.4, 7.x but not
>> into 6.1. So 6.1 should not be affected by this bug (but remains
>> vulnerable to the problem that triggered the change of old algorithm to
>> new).
>
> That is correct. 6.x should not be affected. The security issue exists
> with the combination of the getenv() to unsetenv() change in rtld.c and
> the addition of the new env code. The unsetenv() in 6.x would not stop
> if environ was corrupted.
>
> Sean
> -- 
> scf@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 17:55:44 2009
Message-ID: <4B155899.7030205@nruns.com>
Date: Tue, 01 Dec 2009 18:55:37 +0100
From: Jan Muenther
To: "Julian H. Stacey"
Cc: freebsd-security@freebsd.org, Alex Huth
In-Reply-To: <20091201174800.9B1A71A8282@mailv.nruns.com>
Subject: Re: Upcoming FreeBSD Security Advisory

>> I'd be greatly surprised if the affected code looked different in 6.x.
>>
>
> There is No unsetenv in 6.2-RELEASE/src/libexec/rtld-elf/rtld.
> There Is unsetenv in 6.[34]-RELEASE/src/libexec/rtld-elf/rtld.
>

Yeah, I already saw that (and am surprised :) ). My comment was just based on looking at my own 8.0-release, thought I had made that clear. Sorry if that misled anyone.
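The getenv()/unsetenv() ordering that Dan Lukes, Sean Farley and Jille Timmermans discuss above, as an added example that is not code from this thread or from FreeBSD's rtld: the 6.1-era shape, the affected shape and a hardened shape side by side, with unsetenv() passed in through a function pointer so that the failure case can be exercised on any libc. The five variable names are the ones in Vasim's patch; read_if_trusted, scrub_then_read, scrub_checked, unsetenv_failing, plant_preload and the LD_PRELOAD value are constructed for this demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>

/* Variables rtld refuses to honour for set-user-ID programs; the names are
 * those scrubbed in the patch posted earlier in this thread. */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "LD_LIBMAP", "LD_LIBRARY_PATH",
    "LD_LIBMAP_DISABLE", "LD_DEBUG"
};
enum { N_UNSAFE = sizeof unsafe_vars / sizeof unsafe_vars[0] };

/* unsetenv() is taken as a parameter so that its failure path can be
 * exercised portably (see unsetenv_failing below). */
typedef int (*unsetenv_fn)(const char *);

/* The 6.1-era shape Dan Lukes quotes: the variable is consulted only when
 * the process is trusted. Nothing is removed from the environment, but a
 * failing unsetenv() cannot influence this process either. */
const char *read_if_trusted(int trusted, const char *name)
{
    return trusted ? getenv(name) : NULL;
}

/* The affected shape: scrub when untrusted, then read unconditionally.
 * The read is safe only if unset() really removed the entry, and its
 * return value is ignored, which is the defect the thread discusses. */
const char *scrub_then_read(int trusted, const char *name, unsetenv_fn unset)
{
    if (!trusted)
        (void)unset(name);
    return getenv(name);
}

/* Hardened shape: an untrusted process never reads the variables at all,
 * the environment is still scrubbed for the benefit of children, and every
 * failed removal is counted so the caller can fail closed instead of
 * carrying a half-scrubbed environment forward. Returns the failure count;
 * values[] receives what this process will honour (NULL when untrusted). */
int scrub_checked(int trusted, unsetenv_fn unset, const char *values[])
{
    int failures = 0;
    for (int i = 0; i < N_UNSAFE; i++) {
        if (trusted) {
            values[i] = getenv(unsafe_vars[i]);
            continue;
        }
        values[i] = NULL;                  /* in-process copy cleared first */
        if (unset(unsafe_vars[i]) != 0)    /* then the environment, checked */
            failures++;
    }
    return failures;
}

/* Constructed stand-in for an unsetenv() that refuses to touch a malformed
 * environ (the "environment corrupt; missing value for" lines quoted in this
 * thread are what FreeBSD's libc prints in that situation). The failure is
 * injected rather than provoked because libcs differ on when unsetenv() fails. */
int unsetenv_failing(const char *name)
{
    (void)name;
    return -1;
}

/* Plants a constructed LD_PRELOAD value for the demonstrations; 0 on success. */
int plant_preload(void)
{
    return setenv("LD_PRELOAD", "/tmp/constructed-example.so", 1);
}

int main(void)
{
    const char *vals[N_UNSAFE];
    int failed;

    plant_preload();
    printf("6.1 shape, untrusted:         LD_PRELOAD %s\n",
           read_if_trusted(0, "LD_PRELOAD") ? "honoured" : "ignored");
    printf("affected shape, unset fails:  LD_PRELOAD %s\n",
           scrub_then_read(0, "LD_PRELOAD", unsetenv_failing) ? "honoured" : "ignored");
    plant_preload();
    failed = scrub_checked(0, unsetenv_failing, vals);
    printf("hardened shape, unset fails:  %d removal(s) failed, LD_PRELOAD %s\n",
           failed, vals[0] ? "honoured" : "ignored");
    return 0;
}
```

The hardened shape is what the thread's two suggestions amount to when combined: Vasim's patch clears the in-process copies before calling unsetenv(), and the return-value check Eygene asks for is what lets the caller refuse to continue when the environment could not be scrubbed. Build with `cc -o envdemo envdemo.c` and run it; only the affected shape reports LD_PRELOAD as honoured.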
From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 18:01:15 2009
From: Borja Marcos
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories
Date: Tue, 1 Dec 2009 18:41:07 +0100
In-Reply-To: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
Subject: Re: Upcoming FreeBSD Security Advisory

On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:

> A short time ago a "local root" exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root.

Dr. Strangelove, or How I learned to love the MAC subsystem.

# uname -a
FreeBSD test 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri Nov 20 13:20:06 CET 2009     root@test:/usr/obj/usr/src/sys/TEST  amd64

$ gcc -o program.o -c program.c -fPIC
$ gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
$ ./env
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# id
uid=1001(user) gid=1001(user) euid=0(root) groups=1001(portero),0(wheel)
# /usr/sbin/getpmac
biba/high(low-high)

And of course it's root.

Now,

$ setpmac biba/low\(low-low\) csh
%pwd
/tmp
%./env
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
#

** OMG!! IT WORKED!!. BUT

# touch /etc/testing_the_exploit
touch: /etc/testing_the_exploit: Permission denied
# ls -l /usr/sbin/getpmac
-r-xr-xr-x  1 root  wheel  7144 May  1  2009 /usr/sbin/getpmac
# /usr/sbin/getpmac
biba/low(low-low)

OOHHHHH, we have a toothless root. Maybe a "riit"?

Pity these serious security mechanisms don't get a widespread usage.

Borja.

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 18:13:42 2009
Message-Id: <200912111749.nBBHnK95069152@fire.js.berklix.net>
To: Jan Muenther
From: "Julian H. Stacey"
Organization: http://www.berklix.com BSD Unix Linux Consultancy, Munich Germany
Cc: freebsd-security@freebsd.org, Alex Huth
In-reply-to: Your message "Tue, 01 Dec 2009 12:53:47 +0100." <4B1503CB.3080405@nruns.com>
Date: Fri, 11 Dec 2009 18:49:20 +0100
Subject: Re: Upcoming FreeBSD Security Advisory

Reference:
> From: Jan Muenther
> I'd be greatly surprised if the affected code looked different in 6.x.

There is No unsetenv in 6.2-RELEASE/src/libexec/rtld-elf/rtld.
There Is unsetenv in 6.[34]-RELEASE/src/libexec/rtld-elf/rtld.

Cheers,
Julian
-- 
Julian Stacey: BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
Mail plain text not quoted-printable, HTML or Base64: http://asciiribbon.org
Vote For Smoke Free Bavarian Pubs Restaurants http://berklix.org/~jhs/nim/

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 18:27:17 2009
Message-ID: <4B155FFA.9040500@supsi.ch>
Date: Tue, 01 Dec 2009 19:27:06 +0100
From: Roberto Nunnari
To: "Julian H. Stacey"
Cc: freebsd-security@freebsd.org, Jan Muenther, Alex Huth
In-Reply-To: <200912111749.nBBHnK95069152@fire.js.berklix.net>
Subject: Re: Upcoming FreeBSD Security Advisory

Julian H. Stacey wrote:
> Reference:
>> From: Jan Muenther
>
>> I'd be greatly surprised if the affected code looked different in 6.x.
>
> There is No unsetenv in 6.2-RELEASE/src/libexec/rtld-elf/rtld.
> There Is unsetenv in 6.[34]-RELEASE/src/libexec/rtld-elf/rtld.
>
> Cheers,
> Julian

I just checked it out, and on 6.4 the script doesn't work.

$ uname -rms
FreeBSD 6.4-RELEASE-p7 i386

Best regards.
Robi

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 19:09:20 2009
Message-Id: <200912011909.nB1J9JRM070879@lava.sentex.ca>
Date: Tue, 01 Dec 2009 14:09:47 -0500
To: Brett Glass, freebsd-security@freebsd.org
From: Mike Tancsa In-Reply-To: <200912011724.KAA10851@lariat.net> References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <200912010522.WAA03022@lariat.net> <200912011724.KAA10851@lariat.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: Subject: Re: Increase in SSH attacks as of announcement of rtld bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2009 19:09:20 -0000 At 12:23 PM 12/1/2009, Brett Glass wrote: >Everyone: > >I don't know if it's a coincidence, but I doubt it is: Since the >announcement of the rtld bug, we've seen a precipitous increase in >the number of SSH http://isc.sans.org/trends.html and http://isc.sans.org/port.html Do not seem to show any increase. ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 20:28:23 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 52AF0106566B for ; Tue, 1 Dec 2009 20:28:23 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from asmtpout028.mac.com (asmtpout028.mac.com [17.148.16.103]) by mx1.freebsd.org (Postfix) with ESMTP id 3D93C8FC0A for ; Tue, 1 Dec 2009 20:28:23 +0000 (UTC) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; charset=us-ascii Received: from cswiger1.apple.com ([17.227.140.124]) by asmtp028.mac.com (Sun Java(tm) System Messaging Server 6.3-8.01 (built Dec 16 2008; 32bit)) with ESMTPSA id <0KTZ00JWDNEVRU50@asmtp028.mac.com> for freebsd-security@freebsd.org; Tue, 01 Dec 2009 
11:28:07 -0800 (PST) 
From: Chuck Swiger In-reply-to: <200912011909.nB1J9JRM070879@lava.sentex.ca> Date: Tue, 01 Dec 2009 11:28:06 -0800 Message-id: <2C416146-FE6E-42EC-8FA5-434027BF38EE@mac.com> References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <200912010522.WAA03022@lariat.net> <200912011724.KAA10851@lariat.net> <200912011909.nB1J9JRM070879@lava.sentex.ca> To: Mike Tancsa X-Mailer: Apple Mail (2.1077) Cc: freebsd-security@freebsd.org Subject: Re: Increase in SSH attacks as of announcement of rtld bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2009 20:28:23 -0000 Hi-- On Dec 1, 2009, at 11:09 AM, Mike Tancsa wrote: > http://isc.sans.org/trends.html > and > http://isc.sans.org/port.html > > Do not seem to show any increase. I've checked, and the volume of attempts over the past few days seems pretty constant, although there was actually a decrease around Nov 26-29 corresponding to US Thanksgiving holiday. :-) I do use denyhosts with ~4000 IPs known to be actively scanning SSH blocked. I do note an increasing number of malicious scans using "Client: libssh-0.1" string instead of legit connects with "Client: OpenSSH_5.2" or similar.... 
Regards, -- -Chuck From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 21:37:40 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BD77C1065679 for ; Tue, 1 Dec 2009 21:37:40 +0000 (UTC) (envelope-from pluknet@gmail.com) Received: from mail-bw0-f213.google.com (mail-bw0-f213.google.com [209.85.218.213]) by mx1.freebsd.org (Postfix) with ESMTP id 4D8CD8FC0C for ; Tue, 1 Dec 2009 21:37:39 +0000 (UTC) Received: by bwz5 with SMTP id 5so3903391bwz.3 for ; Tue, 01 Dec 2009 13:37:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=k4+VH2FtZNbXXFW0iEliH9nFg4/SkX+mwVEk5/5YB9o=; b=YJlf2o0p+G7ipASt2gCnO76GHThz/P/eyTl4ZZ5QBQB/c0eTdHco/4MyCzqz3wSQVF WdFWB2U5bwuYsYs7KgaNSUj/7hRXkWAjKv6YM5g7d/V1bMH/7Hy0G/6l03oe7NRKUTbI F1h9q0zjaEh9+V6mQVnDYMzOoAZki3/+FrYU8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=JbktmsZx4FDmeeL/i3ddOMppIKRnB5tpysp2xwOnCYQWVyufNP5NzFSQuEpcwKAbjh XMvRyeInIlf9c8C5WVFqkC26vAWv6FUQtg+TfENmeKOMCJeD9WOMPHo3dQ/fnOQ3sjEg MNMWgq2cX5Wms3KgpBS8E/IzjddGzkTENnxHc= MIME-Version: 1.0 Received: by 10.204.34.70 with SMTP id k6mr6519083bkd.178.1259701825425; Tue, 01 Dec 2009 13:10:25 -0800 (PST) In-Reply-To: <4B155FFA.9040500@supsi.ch> References: <200912111749.nBBHnK95069152@fire.js.berklix.net> <4B155FFA.9040500@supsi.ch> Date: Wed, 2 Dec 2009 00:10:25 +0300 Message-ID: 
From: pluknet To: Roberto Nunnari Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org, "Julian H. Stacey" , Alex Huth , Jan Muenther Subject: Re: Upcoming FreeBSD Security Advisory X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2009 21:37:40 -0000 2009/12/1 Roberto Nunnari : > Julian H. Stacey ha scritto: >> >> Reference: 
>>>
>>> From: Jan Muenther
>>
>>> I'd be greatly surprised if the affected code looked different in 6.x.
>>
>> There is No unsetenv in 6.2-RELEASE/src/libexec/rtld-elf/rtld.
>> There Is unsetenv in 6.[34]-RELEASE/src/libexec/rtld-elf/rtld.
>>
>> Cheers,
>> Julian
>
> I just checked it out, and on 6.4 the script doesn't work.
> $ uname -rms
> FreeBSD 6.4-RELEASE-p7 i386

Because in 6.x *env() uses legacy Berkeley implementation, while 7+ uses its own one.

--
wbr, pluknet

From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 22:41:33 2009 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5DC621065672 for ; Tue, 1 Dec 2009 22:41:33 +0000 (UTC) (envelope-from gad@FreeBSD.org) Received: from smtp6.server.rpi.edu (smtp6.server.rpi.edu [128.113.2.226]) by mx1.freebsd.org (Postfix) with ESMTP id D909D8FC17 for ; Tue, 1 Dec 2009 22:41:32 +0000 (UTC) Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47]) by smtp6.server.rpi.edu (8.13.1/8.13.1) with ESMTP id nB1LZKQi030848; Tue, 1 Dec 2009 16:35:22 -0500 Mime-Version: 1.0 Message-Id: In-Reply-To: <200912011724.KAA10851@lariat.net> References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <200912010522.WAA03022@lariat.net> <200912011724.KAA10851@lariat.net> Date: Tue, 1 Dec 2009 16:35:19 -0500 To: Brett Glass , freebsd-security@FreeBSD.org
From: Garance A Drosehn Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Bayes-Prob: 0.0001 (Score 0) X-RPI-SA-Score: 0.10 () [Hold at 20.00] COMBINED_FROM,23120(0) X-CanItPRO-Stream: outgoing X-Canit-Stats-ID: Bayes signature not available X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.113.2.226 Cc: Subject: Re: Increase in SSH attacks as of announcement of rtld bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2009 22:41:33 -0000 At 10:23 AM -0700 12/1/09, Brett Glass wrote: >Everyone: > >I don't know if it's a coincidence, but I doubt it is: Since the >announcement of the rtld bug, we've seen a precipitous increase >in the number of SSH password guessing attacks on our systems. I have seen an increase in attacks on some of our systems here at RPI (the ones I care about are mostly solaris). I noticed it Sunday night, and assumed it was due to the long weekend. My guess was that they expected to have more time to guess passwords before anyone would notice. While I saw a definite increase, it was not enough of an increase to be alarming. Our current automated procedures can handle it. 
-- Garance Alistair Drosehn = drosehn@rpi.edu Senior Systems Programmer or gad@FreeBSD.org Rensselaer Polytechnic Institute; Troy, NY; USA From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 01:45:16 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 264161065679 for ; Wed, 2 Dec 2009 01:45:16 +0000 (UTC) (envelope-from brett@lariat.org) Received: from lariat.net (lariat.net [66.119.58.2]) by mx1.freebsd.org (Postfix) with ESMTP id 9CD698FC1F for ; Wed, 2 Dec 2009 01:45:15 +0000 (UTC) Received: from anne-o1dpaayth1.lariat.org (IDENT:ppp1000.lariat.net@lariat.net [66.119.58.2]) by lariat.net (8.9.3/8.9.3) with ESMTP id SAA17523; Tue, 1 Dec 2009 18:45:06 -0700 (MST) Message-Id: <200912020145.SAA17523@lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Tue, 01 Dec 2009 18:44:31 -0700 To: Mike Tancsa , freebsd-security@freebsd.org 
From: Brett Glass In-Reply-To: <200912011909.nB1J9JRM070879@lava.sentex.ca> References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <200912010522.WAA03022@lariat.net> <200912011724.KAA10851@lariat.net> <200912011909.nB1J9JRM070879@lava.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: Subject: Re: Increase in SSH attacks as of announcement of rtld bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2009 01:45:16 -0000 At 12:09 PM 12/1/2009, Mike Tancsa wrote: >http://isc.sans.org/trends.html >and >http://isc.sans.org/port.html > >Do not seem to show any increase. Do those stats account for the fact that the attackers may first be fingerprinting servers to see if they're running FreeBSD? --Brett From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 01:50:56 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7D7841065694 for ; Wed, 2 Dec 2009 01:50:56 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.freebsd.org (Postfix) with ESMTP id 34A208FC2B for ; Wed, 2 Dec 2009 01:50:55 +0000 (UTC) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.14.3/8.14.3) with ESMTP id nB21ossm072930; Tue, 1 Dec 2009 20:50:54 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <200912020150.nB21ossm072930@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Tue, 01 Dec 2009 20:51:23 -0500 To: Brett Glass , freebsd-security@freebsd.org 
From: Mike Tancsa In-Reply-To: <200912020145.SAA17523@lariat.net> References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <200912010522.WAA03022@lariat.net> <200912011724.KAA10851@lariat.net> <200912011909.nB1J9JRM070879@lava.sentex.ca> <200912020145.SAA17523@lariat.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: Subject: Re: Increase in SSH attacks as of announcement of rtld bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2009 01:50:56 -0000 At 08:44 PM 12/1/2009, Brett Glass wrote: >At 12:09 PM 12/1/2009, Mike Tancsa wrote: > >>http://isc.sans.org/trends.html >>and >>http://isc.sans.org/port.html >> >>Do not seem to show any increase. > >Do those stats account for the fact that the attackers may first be >fingerprinting servers to see if they're running FreeBSD? No idea. But looking at the logs of various hosts targeted by distributed scanners that hit my network, they don't seem to be that intelligent. There is no reason it couldn't be done, but I haven't seen it yet here anyways.
---Mike >--Brett -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 07:38:29 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A1A9E106566B for ; Wed, 2 Dec 2009 07:38:29 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 4F6E08FC14 for ; Wed, 2 Dec 2009 07:38:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=codelabs.ru; s=two; h=Sender:In-Reply-To:Content-Type:MIME-Version:References:Reply-To:Message-ID:Subject:Cc:To:From:Date; bh=CB5OeVt2oi/c2ptFgQyT69nSPl0G+KmGJ1B3V5U6bkc=; b=TQqYa0+D9NvWLHUjwQEs+KPulvDEA760ju6s+qr+RGlh4lkMhypPVzYGT5KfXyH90+diwy6I+necXbGenm3TvndfARxQTPMMIbjZ+rbTACrJkU/r7nXxwptUV1Ak/BV1oZklTb32dNMWMk/cgPB9FKR2k7epdiy4EqeTzxD9QnjLKFPlQ1xCgAfRzLX+xcTJ46OYWUGJNgRVZUiQY08Vrlmamc3N/L+aRP+OQINf2FxS67Jy1aotXBm1Ct3S+1Wzoengrw+IezG3NOzgtzWZ9rnX5S23YpOqTblCZG5SH9rVJlX6bIzGErCzYE5e2xi2aLwcBP6LL5XxnuhT5I/NTw==; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1NFjn8-0009oM-Ct; Wed, 02 Dec 2009 10:38:26 +0300 Date: Wed, 2 Dec 2009 10:38:24 +0300 
From: Eygene Ryabinkin To: Jille Timmermans Message-ID: References: <025901ca728f$f7565340$0132a8c0@fb4e97440cc340b> <2l7ppaOshvDTrwINE81EpiKZPIo@HdC2pNlxoZEC2oqxdWvElH3kUBc> <4B15463F.406@quis.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4B15463F.406@quis.cx> Sender: rea-fbsd@codelabs.ru Cc: freebsd-security@freebsd.org, Vasim Valejev Subject: Re: LD_PRELOAD temporary patch X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: rea-fbsd@codelabs.ru List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2009 07:38:29 -0000 Jille, good day.

Tue, Dec 01, 2009 at 05:37:19PM +0100, Jille Timmermans wrote:
> Eygene Ryabinkin schreef:
> > If you're talking about rtld-elf local root, then the real issue
> > is that return values of unsetenv() are not checked and unsetenv()
> > could fail, thus leaving LD_PRELOAD and friends left unmodified.
>
> Isn't the real issue that unsetenv() works differently from getenv()?
> If they both said 'your environment is crappy' there wouldn't have been
> a problem, would it?

You can't really rely on such behaviour: if you will, it will tie you to the implementation details, because standards aren't defining such interrelations (at least I can't find them: [1], [2], [3]). I think that the rule is the following: if something can return/set an error value and you want to be sure that the call succeeded, you must check that value and act accordingly.

[1] http://www.opengroup.org/onlinepubs/000095399/functions/getenv.html
[2] http://www.opengroup.org/onlinepubs/000095399/functions/unsetenv.html
[3] http://www.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html

-- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ # From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 13:20:42 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9B9DD106568D for ; Wed, 2 Dec 2009 13:20:42 +0000 (UTC) (envelope-from mfazliazran@gmail.com) Received: from mail-pz0-f176.google.com (mail-pz0-f176.google.com [209.85.222.176]) by mx1.freebsd.org (Postfix) with ESMTP id 686558FC15 for ; Wed, 2 Dec 2009 13:20:42 +0000 (UTC) Received: by pzk6 with SMTP id 6so129032pzk.29 for ; Wed, 02 Dec 2009 05:20:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:content-type:content-transfer-encoding; bh=6DaGVOqeq/zhpa1CnDdaomB3SqaYOKmTqEGuRGB6wYU=; b=XbNF9Em9Ad4/tP2izNW4SuDyYF7Yqu92QRinpOI9omMOpbrCqg13LhYTkpl5AHBPfa krIC7JGanAKw7JZ4SWfZIQli020EBw4x5FxkKygA0nqPjP/QkML5CAJEWkSG7g9apxeH niF2uuASoGUG7UaqLvusdnd1EvMo7BfJmRs4A= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; b=oAlPIB3lQgcbORMNy1nowqQUIkGv1bROSa4QXr03miBHpiuQVjSQUAWEuq0K8Zs6jc xItM9Qrer4ntMI4fu35Kso9PwioS2eWGF2dGgUnGPdBeR8WhrgfKfU9su7uKaZsYJgrJ Geyliy/ZvkWZ59kns3ou1YmIyz9nJq3M/ZF2Q= Received: by 10.114.188.37 with SMTP id l37mr76860waf.221.1259758271211; Wed, 02 Dec 2009 04:51:11 -0800 (PST) Received: from Fazli-2.local (237.63.50.60.cbj05-home.tm.net.my [60.50.63.237]) by mx.google.com with ESMTPS id 22sm599454pxi.10.2009.12.02.04.51.07 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 02 Dec 2009 04:51:09 -0800 (PST) Message-ID: <4B1662BB.8000908@gmail.com> Date: Wed, 02 Dec 2009 20:51:07 +0800 
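Eygene Ryabinkin's rule above (check the return value and act on it), as an added C example that is not FreeBSD's rtld code and comes from no message in this thread: the unchecked unsetenv() pattern he describes, beside a fail-closed version. The list of variable names is illustrative and is not the set rtld-elf actually clears for set-user-ID binaries. To make unsetenv() fail portably the simulation hands it a name containing '=', which POSIX defines as invalid (EINVAL); how the loader's unsetenv() was actually made to fail is not reproduced here.

```c
/* Added example, not FreeBSD's rtld: unchecked vs. checked unsetenv(). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative list of loader-controlling variables (an assumption here,
 * not the exact set rtld-elf scrubs). */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_LIBMAP", NULL
};

/* The bug pattern: the return value is thrown away, so a failing
 * unsetenv() leaves the variable in place and nothing notices. */
void scrub_env_unchecked(const char *const *names)
{
    for (; *names != NULL; names++)
        (void)unsetenv(*names);
}

/* The fix pattern: every failure is reported (-1, errno left as the
 * failing call set it) so the caller can refuse to run rather than trust
 * a half-scrubbed environment; getenv() is re-checked as a second opinion. */
int scrub_env_checked(const char *const *names)
{
    int rc = 0;
    for (; *names != NULL; names++) {
        if (unsetenv(*names) != 0) {
            rc = -1;            /* POSIX: EINVAL for a malformed name */
            continue;
        }
        if (getenv(*names) != NULL)
            rc = -1;            /* "succeeded" yet the entry is still there */
    }
    return rc;
}

/* Simulated failure: a name with '=' is invalid, so unsetenv() fails
 * without touching the environment. This stands in for whatever made the
 * loader's unsetenv() fail; it is not that mechanism. */
static const char *const simulated_failure[] = { "LD_PRELOAD=", NULL };

/* 1 if LD_PRELOAD silently survives the unchecked scrub. */
int preload_survives_unchecked(void)
{
    if (setenv("LD_PRELOAD", "/tmp/evil.so", 1) != 0)
        return -1;
    scrub_env_unchecked(simulated_failure);
    return getenv("LD_PRELOAD") != NULL;
}

/* 1 if the checked scrub reports the same failure (rc -1, errno EINVAL)
 * while the dangerous variable is indeed still set. */
int checked_scrub_reports_failure(void)
{
    if (setenv("LD_PRELOAD", "/tmp/evil.so", 1) != 0)
        return 0;
    errno = 0;
    int rc = scrub_env_checked(simulated_failure);
    return rc == -1 && errno == EINVAL && getenv("LD_PRELOAD") != NULL;
}

/* 1 if, with well-formed names, the checked scrub clears everything. */
int checked_scrub_clears_all(void)
{
    for (const char *const *n = unsafe_vars; *n != NULL; n++)
        if (setenv(*n, "/tmp/evil", 1) != 0)
            return 0;
    if (scrub_env_checked(unsafe_vars) != 0)
        return 0;
    for (const char *const *n = unsafe_vars; *n != NULL; n++)
        if (getenv(*n) != NULL)
            return 0;
    return 1;
}

int main(void)
{
    printf("unchecked scrub, failing unsetenv(): LD_PRELOAD survives = %d\n",
           preload_survives_unchecked());
    printf("checked scrub, failing unsetenv(): failure reported   = %d\n",
           checked_scrub_reports_failure());
    printf("checked scrub, valid names: everything cleared        = %d\n",
           checked_scrub_clears_all());
    return 0;
}
```

A caller that gets -1 back should exit (a set-user-ID program has no safe way to continue with loader variables of unknown state); the getenv() re-check costs nothing and also catches an unsetenv() that reports success without removing the entry.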
From: Mohd Fazli Azran User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812) MIME-Version: 1.0 To: Mike Tancsa References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <200912010522.WAA03022@lariat.net> <200912011724.KAA10851@lariat.net> <200912011909.nB1J9JRM070879@lava.sentex.ca> <200912020145.SAA17523@lariat.net> <200912020150.nB21ossm072930@lava.sentex.ca> In-Reply-To: <200912020150.nB21ossm072930@lava.sentex.ca> X-Enigmail-Version: 0.96.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: Increase in SSH attacks as of announcement of rtld bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2009 13:20:42 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mike Tancsa wrote: > At 08:44 PM 12/1/2009, Brett Glass wrote: >> At 12:09 PM 12/1/2009, Mike Tancsa wrote: >> >>> http://isc.sans.org/trends.html >>> and >>> http://isc.sans.org/port.html >>> >>> Do not seem to show any increase. >> >> Do those stats account for the fact that the attackers may first be >> fingerprinting servers to see if they're running FreeBSD? > > No idea. But looking at the logs of various hosts targeted by > distributed scanners that hit my network, they dont seem to be that > intelligent. There is no reason it couldnt be done, but I havent seen it > yet here anyways. 
> > ---Mike > > >> --Brett > > -------------------------------------------------------------------- > Mike Tancsa, tel +1 519 651 3400 > Sentex Communications, mike@sentex.net > Providing Internet since 1994 www.sentex.net > Cambridge, Ontario Canada www.sentex.net/mike > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >

It seems they use multiple hosts and brute force. On my network the activity of attempted ssh logins is increasing every day: multiple hosts + multiple logins with multiple passwords. It seems I get many of these messages:

Did not receive identification from X.X.X.X

Mohd Fazli Azran
System Analysis
KL Malaysia

-----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.12 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksWYrsACgkQNF5f3mz2bZm2QwCfTZhxaAu586n66tGoAoX2DzjH Wd0AmgMQyxsmJ+eoeDEgJOdXMk2SxiaB =Ymfg -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 13:24:40 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9DFAD1065679 for ; Wed, 2 Dec 2009 13:24:40 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.freebsd.org (Postfix) with ESMTP id 77F498FC1A for ; Wed, 2 Dec 2009 13:24:40 +0000 (UTC) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.14.3/8.14.3) with ESMTP id nB2DOc58001138; Wed, 2 Dec 2009 08:24:38 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <200912021324.nB2DOc58001138@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 02 Dec 2009 08:25:08 -0500 To: Mohd Fazli Azran
From: Mike Tancsa In-Reply-To: <4B1662BB.8000908@gmail.com> References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <200912010522.WAA03022@lariat.net> <200912011724.KAA10851@lariat.net> <200912011909.nB1J9JRM070879@lava.sentex.ca> <200912020145.SAA17523@lariat.net> <200912020150.nB21ossm072930@lava.sentex.ca> <4B1662BB.8000908@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: freebsd-security@freebsd.org Subject: Re: Increase in SSH attacks as of announcement of rtld bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2009 13:24:40 -0000 At 07:51 AM 12/2/2009, Mohd Fazli Azran wrote: > > >Seem they use multi host and brute force. My network are every day >increasing the activity of attempt ssh login with multiple host + >multiple login with multiple password. seem i got many of this messages > Yes, that's the latest pattern I have been seeing: distributed, slow and coordinated. Here is a sample from one of my honeypots. The only way to deal with them I found is to have multiple sensors throughout my network and aggregate the data. Otherwise, each IP only appears every few hrs in the logs.
In the snippet below, 195.135.140.107 hit the one box 5 hrs later, but I had a dozen hits total in that short period elsewhere in my network

Nov 24 05:19:09 server sshd[99051]: Invalid user daily from 195.135.140.107
Nov 24 05:21:43 server sshd[19081]: Invalid user daily from 78.36.196.2
Nov 24 05:23:40 server sshd[33746]: Invalid user daily from 62.123.229.20
Nov 24 05:31:18 server sshd[88003]: Invalid user neomail from 212.57.104.168
Nov 24 05:33:26 server sshd[11552]: Invalid user packages from 217.70.139.42
Nov 24 05:41:54 server sshd[2430]: Invalid user packages from 94.82.179.33
Nov 24 05:46:39 server sshd[30961]: Invalid user raqbackup from 99.63.133.121
Nov 24 05:51:27 server sshd[53631]: Invalid user raqbackup from 58.68.30.14
Nov 24 05:54:11 server sshd[72915]: Invalid user spool from 193.85.165.141
Nov 24 05:56:39 server sshd[93869]: Invalid user spool from 88.79.68.190
Nov 24 06:05:33 server sshd[53698]: Invalid user support from 91.144.140.84
Nov 24 06:09:12 server sshd[99870]: Invalid user techsupport from 190.96.169.145
Nov 24 06:12:41 server sshd[14339]: Invalid user techsupport from 221.6.14.108
Nov 24 06:14:53 server sshd[25984]: Invalid user techsupport from 89.97.228.190
Nov 24 06:16:37 server sshd[35437]: Invalid user techsupport from 62.23.130.173
Nov 24 06:20:04 server sshd[45740]: Invalid user customer from 221.148.90.73
Nov 24 06:30:24 server sshd[22798]: Invalid user michael from 200.6.208.158
Nov 24 06:32:57 server sshd[50955]: Invalid user michael from 82.212.49.128
Nov 24 06:38:13 server sshd[78472]: Invalid user michael from 80.32.236.113
Nov 24 14:15:58 server sshd[53503]: Invalid user folder from 194.78.138.227
Nov 24 14:18:29 server sshd[71545]: Invalid user rpcuser from 116.55.226.131
Nov 24 14:21:12 server sshd[99996]: Invalid user rpcuser from 190.67.23.122
Nov 24 14:26:21 server sshd[19058]: Invalid user rpcuser from 212.243.41.9
Nov 24 14:34:11 server sshd[79740]: Invalid user rpcuser from 217.70.139.42
Nov 24 14:19:32 server sshd[35166]: Invalid user rpcuser from 213.140.19.143
Nov 24 14:32:14 server sshd[47004]: Invalid user rpcuser from 212.0.127.98
Nov 24 14:34:46 server sshd[55993]: Invalid user rpcuser from 212.0.127.98
Nov 24 14:47:30 server sshd[80927]: Invalid user rpcuser from 95.91.122.220
Nov 24 14:50:02 server sshd[99146]: Invalid user rpcuser from 213.140.19.143
Nov 24 14:52:42 server sshd[17685]: Invalid user rpcuser from 218.69.27.138
Nov 24 15:01:39 server sshd[78630]: Invalid user rpcuser from 90.182.107.194
Nov 24 15:03:15 server sshd[94459]: Invalid user rpcuser from 212.0.127.98
Nov 24 15:06:56 server sshd[25865]: Invalid user security from 85.126.145.125
Nov 24 15:08:18 server sshd[39544]: Invalid user security from 58.68.30.14
Nov 24 15:12:18 server sshd[59293]: Invalid user security from 217.220.124.90

>Did not receive identification from X.X.X.X
>
>Mohd Fazli Azran
>System Analysis
>KL Malaysia
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG/MacGPG2 v2.0.12 (Darwin)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
>iEYEARECAAYFAksWYrsACgkQNF5f3mz2bZm2QwCfTZhxaAu586n66tGoAoX2DzjH
>Wd0AmgMQyxsmJ+eoeDEgJOdXMk2SxiaB
>=Ymfg
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 13:54:38 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DC6011065679 for ; Wed, 2 Dec 2009 13:54:38 +0000 (UTC) (envelope-from sonic2000gr@gmail.com) Received: from mail-ew0-f226.google.com (mail-ew0-f226.google.com [209.85.219.226]) by mx1.freebsd.org (Postfix) with ESMTP id 6E0918FC08 for ; Wed, 2 Dec 2009 13:54:38 +0000 (UTC) Received: by ewy26 with SMTP id 26so251035ewy.3 for ; Wed, 02 Dec
2009 05:54:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:x-enigmail-version:content-type :content-transfer-encoding; bh=66MSHC2G2LDKTb8mvbEvulrj2eNpzApmr7a63pr2J5o=; b=HdjfjGyU7pVdcLEuh7z9HsdYxKqu8Q9JWXbgNPtfP9nTpddsRPgnEg5z3Z/wl5wX0d gD0jMeg7t6bF25mE4Y3Ig95fwReM2NjKskQzahst44p/zwMkK6fvjyw5V2+pAW0uWcaw zim9ADlKhNIiL9bcKICoZGjMMu0TRs92S3/f0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :x-enigmail-version:content-type:content-transfer-encoding; b=bqWm5B+fR9rdmNmOdFuoY2u23KV3RnYSu4jjDaWhEriSv5qICkpysAZjrzFWtYhDhk j1W1pSmF9bf82C9KEN3/W8jLZy5VNTNonp93Qcfksz7X5QwD7KakzFZ4dwhNEVKOfRfY gRZzhbGR+bd0pMiVQGS/4Ls4QcKTjEEXvBU9g= Received: by 10.213.63.136 with SMTP id b8mr1033157ebi.71.1259760695644; Wed, 02 Dec 2009 05:31:35 -0800 (PST) Received: from pulstar.local (ppp-94-69-76-212.home.otenet.gr [94.69.76.212]) by mx.google.com with ESMTPS id 13sm735108ewy.9.2009.12.02.05.31.34 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 02 Dec 2009 05:31:35 -0800 (PST) Message-ID: <4B166C35.1020505@gmail.com> Date: Wed, 02 Dec 2009 15:31:33 +0200 
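Mike Tancsa's point above, that this slow distributed pattern is only visible once several sensors' logs are aggregated, as an added Python example that is not code from any message in this thread. The sample lines are constructed in the shape of his snippet, with three sensor hosts (sensor1..sensor3) and RFC 5737 documentation addresses instead of real ones, plus one unrelated line the parser must skip. The run shows the two views side by side: no source address makes more than two attempts at any one sensor inside an hour (the number a per-host blocker such as denyhosts thresholds on), while the same events pooled across sensors expose one invalid username tried from several addresses within the hour and source addresses that walk across several sensors.

```python
"""Cross-sensor aggregation of sshd "Invalid user" lines (added example).
The sample below is constructed: documentation IP ranges, three sensors."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts host pid user ip")

# Shape of the lines quoted in the message above; syslog omits the year.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$"
)

# Constructed sample, not real traffic: the same slow, distributed pattern
# spread over sensor1..sensor3. The last line is noise the parser must skip.
SAMPLE = """\
Nov 24 05:19:09 sensor1 sshd[99051]: Invalid user daily from 192.0.2.10
Nov 24 05:21:43 sensor2 sshd[19081]: Invalid user daily from 198.51.100.7
Nov 24 05:23:40 sensor3 sshd[33746]: Invalid user daily from 203.0.113.21
Nov 24 05:31:18 sensor1 sshd[88003]: Invalid user neomail from 198.51.100.7
Nov 24 05:41:54 sensor2 sshd[2430]: Invalid user packages from 192.0.2.10
Nov 24 05:46:39 sensor3 sshd[30961]: Invalid user raqbackup from 192.0.2.33
Nov 24 06:09:12 sensor1 sshd[99870]: Invalid user techsupport from 203.0.113.5
Nov 24 06:12:41 sensor2 sshd[14339]: Invalid user techsupport from 198.51.100.40
Nov 24 06:14:53 sensor3 sshd[25984]: Invalid user techsupport from 192.0.2.33
Nov 24 06:16:37 sensor1 sshd[35437]: Invalid user techsupport from 203.0.113.21
Nov 24 10:30:00 sensor1 sshd[40001]: Invalid user michael from 192.0.2.10
Nov 24 14:15:58 sensor2 sshd[53503]: Invalid user folder from 203.0.113.77
Nov 24 14:18:29 sensor3 sshd[71545]: Invalid user rpcuser from 198.51.100.7
Nov 24 14:21:12 sensor1 sshd[99996]: Invalid user rpcuser from 192.0.2.10
Nov 24 14:26:21 sensor2 sshd[19058]: Invalid user rpcuser from 203.0.113.21
Nov 24 14:34:11 sensor3 sshd[79740]: Invalid user rpcuser from 192.0.2.10
Nov 24 14:35:00 sensor1 sshd[10001]: Accepted publickey for admin from 192.0.2.200 port 50000 ssh2
"""


def parse(lines, year=2009):
    """Turn 'Invalid user' lines into Events; anything else is ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(Event(ts, m["host"], int(m["pid"]), m["user"], m["ip"]))
    return events


def sliding_peak(events, key, value, window):
    """Per key: the most distinct value()s seen inside any window-long span,
    and which values those were. Sliding the window is what lets a slow
    source accumulate into a visible count instead of one line every few hours."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    peaks = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        best, best_vals = 0, set()
        for i, start in enumerate(evs):
            vals = {value(e) for e in evs[i:] if e.ts - start.ts <= window}
            if len(vals) > best:
                best, best_vals = len(vals), vals
        peaks[k] = (best, sorted(best_vals))
    return peaks


def campaign_report(events, window=timedelta(hours=1), min_ips=3, min_sensors=2):
    # What one sensor sees of one source inside the window: the count a
    # per-host blocker would be thresholding on.
    per_sensor = sliding_peak(events, lambda e: (e.host, e.ip), lambda e: e.pid, window)
    per_sensor_peak = max((n for n, _ in per_sensor.values()), default=0)
    # Aggregated: one username tried from several sources close together.
    by_user = sliding_peak(events, lambda e: e.user, lambda e: e.ip, window)
    user_campaigns = {u: ips for u, (n, ips) in by_user.items() if n >= min_ips}
    # Sources that touched more than one sensor: the same actor walking the network.
    sensors_by_ip = defaultdict(set)
    for e in events:
        sensors_by_ip[e.ip].add(e.host)
    cross_sensor = {ip: sorted(h) for ip, h in sensors_by_ip.items() if len(h) >= min_sensors}
    return {
        "per_sensor_peak": per_sensor_peak,
        "user_campaigns": user_campaigns,
        "cross_sensor_ips": cross_sensor,
    }


if __name__ == "__main__":
    for name, value in campaign_report(parse(SAMPLE.splitlines())).items():
        print(name, value)
```

Feeding the real sensors in is a matter of concatenating their syslog files (or a central syslog spool) into parse(); the thresholds are deliberately parameters, since the right min_ips and window depend on how many sensors you have and how slowly the scanners rotate.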
From: Manolis Kiagias User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812) MIME-Version: 1.0 To: freebsd-security@freebsd.org X-Enigmail-Version: 0.96.0 Content-Type: text/plain; charset=ISO-8859-7 Content-Transfer-Encoding: 7bit Subject: rtld patch for 7.2-RELEASE X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2009 13:54:38 -0000 Just noted that the patch posted here cannot be applied directly to 7.2-RELEASE. Just crafted this one for 7.2: http://people.freebsd.org/~manolis/rtld72.patch From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 14:06:58 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 69E0D1065672 for ; Wed, 2 Dec 2009 14:06:58 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 2E9CE8FC1B for ; Wed, 2 Dec 2009 14:06:58 +0000 (UTC) Received: from critter.freebsd.dk (critter.freebsd.dk [192.168.61.3]) by phk.freebsd.dk (Postfix) with ESMTP id 3FD5F7E98F; Wed, 2 Dec 2009 13:51:08 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.14.3/8.14.3) with ESMTP id nB2DpSZw018402; Wed, 2 Dec 2009 13:51:28 GMT (envelope-from phk@critter.freebsd.dk) To: Mike Tancsa 
From: "Poul-Henning Kamp" In-Reply-To: Your message of "Wed, 02 Dec 2009 08:25:08 EST." <200912021324.nB2DOc58001138@lava.sentex.ca> Date: Wed, 02 Dec 2009 13:51:28 +0000 Message-ID: <18401.1259761888@critter.freebsd.dk> Sender: phk@critter.freebsd.dk Cc: freebsd-security@freebsd.org, Mohd Fazli Azran Subject: Re: Increase in SSH attacks as of announcement of rtld bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2009 14:06:58 -0000 In message <200912021324.nB2DOc58001138@lava.sentex.ca>, Mike Tancsa writes:
>At 07:51 AM 12/2/2009, Mohd Fazli Azran wrote:
>The only way to deal with them I found [...]

A very efficient measure: Move your sshd to another port number.

You can configure the port in your .ssh/config file:

Host foobar
    port 122

so you don't have to remember it.

-- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 14:07:06 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 42DBC106571D for ; Wed, 2 Dec 2009 14:07:06 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.freebsd.org (Postfix) with ESMTP id B3DC48FC0A for ; Wed, 2 Dec 2009 14:07:05 +0000 (UTC) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.14.3/8.14.3) with ESMTP id nB2E74sk001353; Wed, 2 Dec 2009 09:07:04 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <200912021407.nB2E74sk001353@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Wed, 02 Dec 2009 09:07:33 -0500 To: "Poul-Henning Kamp" 
From: Mike Tancsa In-Reply-To: <18401.1259761888@critter.freebsd.dk> References: <18401.1259761888@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: freebsd-security@freebsd.org Subject: Re: Increase in SSH attacks as of announcement of rtld bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2009 14:07:06 -0000 At 08:51 AM 12/2/2009, Poul-Henning Kamp wrote: >In message <200912021324.nB2DOc58001138@lava.sentex.ca>, Mike Tancsa writes: > >At 07:51 AM 12/2/2009, Mohd Fazli Azran wrote: > > >The only way to deal with them I found [...] > >A very efficient measure: Move your sshd to another port number. As an ISP, this is not always an easy option :( For some of our hosts that have ssh open to the world for our travelling staff, we do have it running on alternate ports. 
However, for a large and changing customer base, it causes other support problems :(

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 14:11:19 2009
Date: Wed, 2 Dec 2009 15:11:16 +0100
From: Alex Huth
To: freebsd-security@freebsd.org
Message-ID: <20091202141116.GM4834@borusse.borussiapark>
Subject: freebsd-update

Hello!

Is it no longer possible to update minor 6.x releases to 6.3 or 6.4 with the script mentioned in the announcement of 6.3?

http://www.freebsd.org/releases/6.3R/announce.html

Using it I get the error:

Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update2.FreeBSD.org... failed.
Fetching public key from update5.FreeBSD.org... failed.
Fetching public key from update4.FreeBSD.org... failed.
No mirrors remaining, giving up.

telnet to those systems is possible.
Thx

Alex

From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 14:17:16 2009
Date: Wed, 2 Dec 2009 09:07:07 -0500
From: Bill Moran
To: Mike Tancsa
Message-Id: <20091202090707.f563976d.wmoran@collaborativefusion.com>
In-Reply-To: <200912021324.nB2DOc58001138@lava.sentex.ca>
Organization: Collaborative Fusion Inc.
Cc: freebsd-security@freebsd.org, Mohd Fazli Azran
Subject: Re: Increase in SSH attacks as of announcement of rtld bug

In response to Mike Tancsa:

> At 07:51 AM 12/2/2009, Mohd Fazli Azran wrote:
>
> >Seem they use multi host and brute force. My network are every day
> >increasing the activity of attempt ssh login with multiple host +
> >multiple login with multiple password. seem I got many of this messages
>
> Yes, that's the latest pattern I have been seeing-- distributed, slow
> and coordinated. Here is a sample from one of my honeypots. The
> only way to deal with them I found is to have multiple sensors
> throughout my network and aggregate the data. Otherwise, each IP
> only appears every few hrs in the logs.

I deal with it by immediately blocking any host that generates an "invalid user" error. Of course, that won't work for everyone :(

--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023

From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 14:37:08 2009
Date: Wed, 2 Dec 2009 06:00:05 -0800 
From: David Wolfskill
To: freebsd-security@freebsd.org
Message-ID: <20091202140005.GE1441@albert.catwhisker.org>
In-Reply-To: <200912021324.nB2DOc58001138@lava.sentex.ca>
Subject: Re: Increase in SSH attacks as of announcement of rtld bug

It appears that folks are tending to focus on events logged by sshd(8) (in /var/log/auth.log). While that is certainly of interest, over the last few years I have seen a pattern that's likely to be unnoticed by this approach: apparent "probes" (22/tcp SYN packets that do not cause sshd(8) to log anything).

I use IPFW on my border machine, and have things configured so it logs every attempted SSH "session-establishment" packet.
For example, examining yesterday's logs, I see the following (after filtering out the usual expected entries):

[Extract from /var/log/auth.log]
Dec  1 19:31:22 albert sshd[3425]: Did not receive identification string from 190.198.167.71
Dec  2 04:21:08 albert sshd[6178]: Did not receive identification string from 66.234.187.17

[Extract from /var/log/security]
Dec  1 19:31:21 janus kernel: ipfw: 10000 Accept TCP 190.198.167.71:54754 172.16.8.13:22 out via dc0
Dec  2 04:21:08 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:39854 172.16.8.13:22 out via dc0
Dec  2 04:28:03 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:45562 172.16.8.13:22 out via dc0
Dec  2 04:28:05 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:46050 172.16.8.13:22 out via dc0
Dec  2 04:28:06 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:46081 172.16.8.13:22 out via dc0
Dec  2 04:28:07 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:46128 172.16.8.13:22 out via dc0
Dec  2 04:28:09 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:46574 172.16.8.13:22 out via dc0
Dec  2 04:28:10 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:46619 172.16.8.13:22 out via dc0
Dec  2 04:28:11 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:46662 172.16.8.13:22 out via dc0
Dec  2 04:28:12 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:46708 172.16.8.13:22 out via dc0
Dec  2 04:28:14 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:47152 172.16.8.13:22 out via dc0
Dec  2 04:28:15 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:47194 172.16.8.13:22 out via dc0
Dec  2 04:28:16 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:47238 172.16.8.13:22 out via dc0
Dec  2 04:28:17 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:47273 172.16.8.13:22 out via dc0
Dec  2 04:28:19 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:47717 172.16.8.13:22 out via dc0
Dec  2 04:28:20 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:47758 172.16.8.13:22 out via dc0
Dec  2 04:28:21 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:47805 172.16.8.13:22 out via dc0
Dec  2 04:28:22 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:47846 172.16.8.13:22 out via dc0
Dec  2 04:28:24 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:48289 172.16.8.13:22 out via dc0
Dec  2 04:28:25 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:48329 172.16.8.13:22 out via dc0
Dec  2 04:28:26 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:48372 172.16.8.13:22 out via dc0
Dec  2 04:28:28 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:48410 172.16.8.13:22 out via dc0
Dec  2 04:28:29 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:48850 172.16.8.13:22 out via dc0
Dec  2 04:28:30 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:48889 172.16.8.13:22 out via dc0
Dec  2 04:28:32 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:48932 172.16.8.13:22 out via dc0
Dec  2 04:28:33 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:48976 172.16.8.13:22 out via dc0
Dec  2 04:28:34 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:49417 172.16.8.13:22 out via dc0
Dec  2 04:28:36 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:49466 172.16.8.13:22 out via dc0
Dec  2 04:28:37 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:49512 172.16.8.13:22 out via dc0
Dec  2 04:28:39 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:49954 172.16.8.13:22 out via dc0
Dec  2 04:28:40 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:49996 172.16.8.13:22 out via dc0
Dec  2 04:28:41 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:50039 172.16.8.13:22 out via dc0
Dec  2 04:28:42 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:50080 172.16.8.13:22 out via dc0
Dec  2 04:28:44 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:50520 172.16.8.13:22 out via dc0
Dec  2 04:28:45 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:50562 172.16.8.13:22 out via dc0
Dec  2 04:28:46 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:50597 172.16.8.13:22 out via dc0
Dec  2 04:28:47 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:50639 172.16.8.13:22 out via dc0
Dec  2 04:28:49 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:51064 172.16.8.13:22 out via dc0
Dec  2 04:28:50 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:51089 172.16.8.13:22 out via dc0
Dec  2 04:28:51 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:51113 172.16.8.13:22 out via dc0
Dec  2 04:28:52 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:51141 172.16.8.13:22 out via dc0

One of the ways I address this is to also use IPFW to disallow 22/tcp from certain sources -- quite early in the ruleset. I use IPFW "tables" for this purpose; the unit of granularity I nearly always use is "network name" -- that is, I do the following:

* Examine output of "whois 66.234.187.17" [in the case in point].
* Note that the NetName is "PNG-TELECOM".
* Add a/PNG-TELECOM to the list of networks from which I do not care to receive SSH connection requests.

(The directory structure is a bit of a hack: the "a" in this case is a registry identifier; it corresponds with a flag for whois(1), as NetNames only designate an entity within a registry -- well, except for LACNIC, which doesn't appear to use them, so I use "inetnum" for LACNIC-registered networks.)

The process is manually invoked, but I have some scripts & a hack of a Makefile to reduce the pain (and probability of clerical error).

(I have another IPFW table for Seriously Annoying netblocks -- for that one, I have IPFW rules to block all traffic in either direction. This isn't something I do lightly, but I will protect my network.)

I use this on all of my machines that are (or may be) exposed to networks not under my control -- thus, in addition to the above-cited border machine at home, I also do the same on my laptop.
And as my laptop is used to track stable/6, stable/7, stable/8, and head on a daily basis, I think it's fair to say that the approach gets at least some exposure to what's changing in FreeBSD & IPFW fairly regularly.

In any case: please do not assume(!) that sshd(8) is logging all 22/tcp SYN traffic. You may want to adjust things so you can see such traffic.

Peace,
david
--
David H. Wolfskill david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
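The two views David contrasts (ipfw logging 22/tcp SYNs that sshd never records) and Bill's rule of blocking a host on its first "invalid user" line, as one added example that is not code from the thread: it parses the two log formats quoted above, joins them by source IP, and emits ipfw table entries for the chosen hosts. The table number and the hosts 203.0.113.5 and 198.51.100.23 are constructed for illustration.

```python
"""Correlate ipfw 22/tcp accept logs with sshd auth.log and pick hosts to block.
Added example, not code from the thread.  Log formats are the ones quoted above;
table number 10 and the hosts 203.0.113.5 / 198.51.100.23 are constructed.
"""
import re
from collections import Counter, defaultdict

# "ipfw: <rule> Accept TCP <src>:<sport> <dst>:<dport> in|out via <iface>"
IPFW_RE = re.compile(
    r"ipfw: \d+ Accept TCP (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?:in|out) via \S+"
)
# sshd only logs once a TCP session gets far enough for it to notice.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user (?P<user>\S+) from (?P<ip_inv>[\d.]+)"
    r"|Did not receive identification string from (?P<ip_noid>[\d.]+))"
)


def parse_ipfw(lines, ssh_port=22):
    """Count firewall-logged session-establishment packets to ssh_port per source."""
    syns = Counter()
    for line in lines:
        m = IPFW_RE.search(line)
        if m and int(m.group("dport")) == ssh_port:
            syns[m.group("src")] += 1
    return syns


def parse_sshd(lines):
    """Per source, count what sshd itself logged (invalid user / no ident string)."""
    events = defaultdict(Counter)
    for line in lines:
        m = SSHD_RE.search(line)
        if m is None:
            continue
        if m.group("ip_inv"):
            events[m.group("ip_inv")]["invalid_user"] += 1
        else:
            events[m.group("ip_noid")]["no_ident"] += 1
    return events


def correlate(ipfw_lines, auth_lines, ssh_port=22):
    """Join both views by source IP: SYNs seen by ipfw versus events seen by sshd."""
    syns = parse_ipfw(ipfw_lines, ssh_port)
    events = parse_sshd(auth_lines)
    report = {}
    for src in set(syns) | set(events):
        ev = events.get(src, Counter())
        logged = sum(ev.values())
        report[src] = {
            "syns": syns[src],
            "sshd_events": logged,
            "unlogged": max(0, syns[src] - logged),  # SYNs with no trace in auth.log
            "invalid_user": ev["invalid_user"],
        }
    return report


def silent_probers(report):
    """Sources ipfw saw on 22/tcp that sshd never logged at all (David's case)."""
    return sorted(s for s, r in report.items() if r["syns"] and r["sshd_events"] == 0)


def block_candidates(report):
    """Sources with at least one 'Invalid user' line (Bill's immediate-block rule)."""
    return sorted(s for s, r in report.items() if r["invalid_user"])


def ipfw_table_commands(hosts, table=10):
    """ipfw(8) table entries for the chosen hosts, to pair with an early deny rule
    such as 'ipfw add deny tcp from table(10) to me 22' (table number assumed)."""
    return [f"ipfw table {table} add {h}/32" for h in hosts]


# Sample input: lines quoted in the thread plus constructed ones for the two test hosts.
AUTH_LOG = """\
Dec  1 19:31:22 albert sshd[3425]: Did not receive identification string from 190.198.167.71
Dec  2 04:21:08 albert sshd[6178]: Did not receive identification string from 66.234.187.17
Dec  2 05:02:11 albert sshd[6410]: Invalid user admin from 203.0.113.5
Dec  2 05:02:14 albert sshd[6412]: Invalid user oracle from 203.0.113.5
""".splitlines()
SECURITY_LOG = """\
Dec  1 19:31:21 janus kernel: ipfw: 10000 Accept TCP 190.198.167.71:54754 172.16.8.13:22 out via dc0
Dec  2 04:21:08 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:39854 172.16.8.13:22 out via dc0
Dec  2 04:28:03 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:45562 172.16.8.13:22 out via dc0
Dec  2 04:28:05 janus kernel: ipfw: 10000 Accept TCP 66.234.187.17:46050 172.16.8.13:22 out via dc0
Dec  2 05:02:11 janus kernel: ipfw: 10000 Accept TCP 203.0.113.5:51200 172.16.8.13:22 out via dc0
Dec  2 05:02:14 janus kernel: ipfw: 10000 Accept TCP 203.0.113.5:51204 172.16.8.13:22 out via dc0
Dec  2 05:40:00 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:40001 172.16.8.13:22 out via dc0
Dec  2 05:40:03 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:40002 172.16.8.13:22 out via dc0
Dec  2 05:41:00 janus kernel: ipfw: 10000 Accept TCP 198.51.100.23:40100 172.16.8.13:80 out via dc0
""".splitlines()

if __name__ == "__main__":
    rep = correlate(SECURITY_LOG, AUTH_LOG)
    print("silent probers:", silent_probers(rep))
    print("\n".join(ipfw_table_commands(block_candidates(rep))))
```

On the sample, 66.234.187.17 shows three firewall-logged SYNs against a single sshd line, and 198.51.100.23 never reaches auth.log at all, which is exactly the traffic a /var/log/auth.log-only view misses.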
From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 17:47:48 2009
Message-ID: <4B16A237.9020903@gmail.com>
Date: Wed, 02 Dec 2009 12:21:59 -0500
From: Matthew Herzog
To: freebsd-security@freebsd.org
In-Reply-To: <20091202141116.GM4834@borusse.borussiapark>
Subject: Re: freebsd-update

On 12/02/2009 09:11 AM, Alex Huth wrote:
> Hello!
>
> Is it no longer possible to update minor 6.x releases to 6.3 or 6.4 with the
> script mentioned in the announcement of 6.3?
>
> http://www.freebsd.org/releases/6.3R/announce.html
>
> Using it I get the error:
>
> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> Fetching public key from update2.FreeBSD.org... failed.
> Fetching public key from update5.FreeBSD.org... failed.
> Fetching public key from update4.FreeBSD.org... failed.
> No mirrors remaining, giving up.

It fails for me too. I tried to update from 7.2 (i386) to 8.0. I got the same error. I tried importing the public key manually and that failed too.

Boo.

> telnet to those systems is possible.
>
> Thx
>
> Alex

--
"The perfect is the enemy of the good."
-- Voltaire

From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 17:51:05 2009
Message-ID: <4B16A90B.50807@elischer.org>
Date: Wed, 02 Dec 2009 09:51:07 -0800
From: Julian Elischer
To: Poul-Henning Kamp
In-Reply-To: <18401.1259761888@critter.freebsd.dk>
Cc: freebsd-security@freebsd.org, Mohd Fazli Azran
Subject: Re: Increase in SSH attacks as of announcement of rtld bug

Poul-Henning Kamp wrote:
> In message <200912021324.nB2DOc58001138@lava.sentex.ca>, Mike Tancsa writes:
>> At 07:51 AM 12/2/2009, Mohd Fazli Azran wrote:
>
>> The only way to deal with them I found [...]
>
> A very efficient measure: Move your sshd to another port number.
>
> You can configure the port in your .ssh/config file:
>
> Host foobar
>     port 122
>
> so you don't have to remember it.

I just use port knocking; 99.999% of the time my ssh port is blocked by the firewall.
From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 18:31:23 2009
From: Lorenzo Perone
In-Reply-To: <4B16A90B.50807@elischer.org>
Date: Wed, 2 Dec 2009 19:20:49 +0100
Message-Id: <1F8861DF-1EC7-46F9-B9D8-0F7679F5AE08@yellowspace.net>
To: Julian Elischer
Cc: freebsd-security@freebsd.org, Poul-Henning Kamp, Mohd Fazli Azran
Subject: Re: Increase in SSH attacks as of announcement of rtld bug

On 02.12.2009, at 18:51, Julian Elischer wrote:
> I just use port knocking
>

Sounds cool (at least after a quick flow over [1])... any keywords on your setup (involved ports, pf.conf settings, client compatibility)?

thx & regards,

Lorenzo

[1] http://www.portknocking.org/

From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 18:33:05 2009
From: Lorenzo Perone
In-Reply-To: <4B166C35.1020505@gmail.com>
Date: Wed, 2 Dec 2009 19:27:41 +0100
Message-Id: <37DF87C6-76C4-4F28-9389-19297F18F9DB@yellowspace.net>
To: freebsd-security@freebsd.org
Subject: Re: rtld patch for 7.2-RELEASE

I cvsupped last night on RELENG_7 and RELENG_8 and the patch seems to be in there already - wondering when the advisory will come out...

Lorenzo

On 02.12.2009, at 14:31, Manolis Kiagias wrote:
> Just noted that the patch posted here cannot be applied directly to
> 7.2-RELEASE.
> Just crafted this one for 7.2:
>
> http://people.freebsd.org/~manolis/rtld72.patch

From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 19:13:47 2009
From: Eirik Øverby
In-Reply-To: <4B16A237.9020903@gmail.com>
Date: Wed, 2 Dec 2009 20:13:45 +0100
To: Matthew Herzog
Cc: freebsd-security@freebsd.org
Subject: Re: freebsd-update

Your uname -a will say you're running -STABLE, not -RELEASE-something. This is a result of using source upgrades to anything but RELENG_6_X in the past. Which, in turn, is why freebsd-update fails.

Move /usr/bin/uname out of the way, create a shell script like so:

---
#!/bin/sh
/usr/bin/uname.org "$@" | sed s/STABLE/RELEASE/g
---

and chmod 755 it. Then try again. I know, it's ugly, and it might get you into trouble. But it Worked For Me.

Oh and I suppose this belongs on the -users or -stable list?

/Eirik

On Dec 2, 2009, at 6:21 PM, Matthew Herzog wrote:
> On 12/02/2009 09:11 AM, Alex Huth wrote:
>> Hello!
>>
>> Is it no longer possible to update minor 6.x releases to 6.3 or 6.4 with the
>> script mentioned in the announcement of 6.3?
>>
>> http://www.freebsd.org/releases/6.3R/announce.html
>>
>> Using it I get the error:
>>
>> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
>> Fetching public key from update2.FreeBSD.org... failed.
>> Fetching public key from update5.FreeBSD.org... failed.
>> Fetching public key from update4.FreeBSD.org... failed.
>> No mirrors remaining, giving up.
>
> It fails for me too. I tried to update from 7.2 (i386) to 8.0.
> I got the same error. I tried importing the public key manually and that failed too.
>
> Boo.
>
>> telnet to those systems is possible.
>>
>> Thx
>>
>> Alex
>
> --
> "The perfect is the enemy of the good."
>
> -- Voltaire

From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 19:48:30 2009
From: Eirik Øverby
In-Reply-To: <20091202194057.GA94044@citylink.fud.org.nz>
Date: Wed, 2 Dec 2009 20:48:28 +0100
Message-Id: <1AC0EF6B-B145-4A80-920D-7326A95B51D5@anduin.net>
To: Andrew Thompson
Cc: freebsd-security@freebsd.org, Matthew Herzog
Subject: Re: freebsd-update

On Dec 2, 2009, at 8:40 PM, Andrew Thompson wrote:
> On Wed, Dec 02, 2009 at 08:13:45PM +0100, Eirik Øverby wrote:
>> On Dec 2, 2009, at 6:21 PM, Matthew Herzog wrote:
>>
>>> On 12/02/2009 09:11 AM, Alex Huth wrote:
>>>> Hello!
>>>>
>>>> Is it no longer possible to update minor 6.x releases to 6.3 or 6.4 with the
>>>> script mentioned in the announcement of 6.3?
>>>>
>>>> http://www.freebsd.org/releases/6.3R/announce.html
>>>>
>>>> Using it I get the error:
>>>>
>>>> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
>>>> Fetching public key from update2.FreeBSD.org... failed.
>>>> Fetching public key from update5.FreeBSD.org... failed.
>>>> Fetching public key from update4.FreeBSD.org... failed.
>>>> No mirrors remaining, giving up.
>>>
>>> It fails for me too. I tried to update from 7.2 (i386) to 8.0.
>>> I got the same error. I tried importing the public key manually and that failed too.
>>>
>>> Boo.
>> Your uname -a will say you're running -STABLE, not -RELEASE-something. This is a result of using source upgrades to anything but RELENG_6_X in the past. Which, in turn, is why freebsd-update fails.
>>
>> Move /usr/bin/uname out of the way, create a shell script like so:
>>
>> ---
>> #!/bin/sh
>> /usr/bin/uname.org "$@" | sed s/STABLE/RELEASE/g
>> ---
>>
>> and chmod 755 it. Then try again. I know, it's ugly, and it might get you into trouble. But it Worked For Me.
>>
>> Oh and I suppose this belongs on the -users or -stable list?
>
> For the sake of the archives, uname already supports overriding the info
> through environment variables. You set UNAME_x where 'x' is the uname
> flag you want to overwrite (see man page).

Ok. Duh. Me needs to RTFM more often. Thanks, and sorry. ;)

> % uname -r
> 9.0-CURRENT
> % export UNAME_r=7.2-RELEASE
> % uname -r
> 7.2-RELEASE
>
> Andrew

From owner-freebsd-security@FreeBSD.ORG Wed Dec 2 19:58:41 2009
Date: Thu, 3 Dec 2009 08:40:58 +1300
From: Andrew Thompson
To: Eirik Øverby
Message-ID: <20091202194057.GA94044@citylink.fud.org.nz>
References: <20091202141116.GM4834@borusse.borussiapark> <4B16A237.9020903@gmail.com>
Cc: freebsd-security@freebsd.org, Matthew Herzog
Subject: Re: freebsd-update

On Wed, Dec 02, 2009 at 08:13:45PM +0100, Eirik Øverby wrote:
> On Dec 2, 2009, at 6:21 PM, Matthew Herzog wrote:
>
> > On 12/02/2009 09:11 AM, Alex Huth wrote:
> >> Hello!
> >>
> >> Is it no longer possible to update minor 6.x releases to 6.3 or 6.4 with the
> >> script mentioned on the announcement of 6.3?
> >>
> >> http://www.freebsd.org/releases/6.3R/announce.html
> >>
> >> Using it I get the error:
> >>
> >> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> >> Fetching public key from update2.FreeBSD.org... failed.
> >> Fetching public key from update5.FreeBSD.org... failed.
> >> Fetching public key from update4.FreeBSD.org... failed.
> >> No mirrors remaining, giving up.
> >
> > It fails for me too. I tried to update from 7.2 (i386) to 8.0.
> > I got the same error. I tried importing the public key manually and that failed too.
> >
> > Boo.
>
> Your uname -a will say you're running -STABLE, not -RELEASE-something. This is a result of using source upgrades to anything but RELENG_6_X in the past. Which, in turn, is why freebsd-update fails.
>
> Move /usr/bin/uname out of the way, create a shell script like so:
>
> ---
> #!/bin/sh
> /usr/bin/uname.org "$@" | sed s/STABLE/RELEASE/g
> ---
>
> and chmod 755 it. Then try again. I know, it's ugly, and it might get you into trouble. But it Worked For Me.
>
> Oh and I suppose this belongs on the -users or -stable list?

For the sake of the archives, uname already supports overriding the info
through environment variables. You set UNAME_x where 'x' is the uname
flag you want to overwrite (see man page).

% uname -r
9.0-CURRENT
% export UNAME_r=7.2-RELEASE
% uname -r
7.2-RELEASE

Andrew

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 04:23:25 2009
Message-Id: <200912030423.VAA04903@lariat.net>
Date: Wed, 02 Dec 2009 12:10:47 -0700
To: "Poul-Henning Kamp" , Mike Tancsa
From: Brett Glass
In-Reply-To: <18401.1259761888@critter.freebsd.dk>
References: <18401.1259761888@critter.freebsd.dk>
Cc: freebsd-security@freebsd.org, Mohd Fazli Azran
Subject: Re: Increase in SSH attacks as of announcement of rtld bug

At 06:51 AM 12/2/2009, Poul-Henning Kamp wrote:

>A very efficient measure: Move your sshd to another port number.

This helps. However, I'd like to try single packet authentication, as it would likely work even better. (It's possible to find an SSH daemon on an unusual port with a port scan.) And it would have the advantage that it could be integrated directly into SSH daemons and clients.

--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 09:30:39 2009
Date: Thu, 3 Dec 2009 09:30:39 GMT
Message-Id: <200912030930.nB39UdMK037494@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

=============================================================================
FreeBSD-SA-09:15.ssl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          SSL protocol flaw

Category:       contrib
Module:         openssl
Announced:      2009-12-03
Credits:        Marsh Ray, Steve Dispensa
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
                2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
                2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)
CVE Name:       CVE-2009-3555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
protocols provide a secure communications layer over which other
protocols can be utilized.  The most widespread use of SSL/TLS is to
add security to the HTTP protocol, thus producing HTTPS.  FreeBSD
includes software from the OpenSSL Project which implements SSL and
TLS.

II.  Problem Description

The SSL version 3 and TLS protocols support session renegotiation
without cryptographically tying the new session parameters to the old
parameters.

III. Impact

An attacker who can intercept a TCP connection being used for SSL or
TLS can cause the initial session negotiation to take the place of a
session renegotiation.  This can be exploited in several ways,
including:

* Causing a server to interpret incoming messages as having been sent
  under the auspices of a client SSL key when in fact they were not;

* Causing a client request to be appended to an attacker-supplied
  request, potentially revealing to the attacker the contents of the
  client request (including any authentication parameters); and

* Causing a client to receive a response to an attacker-supplied
  request instead of a response to the request sent by the client.

IV.  Workaround

No workaround is available.

V.   Solution

NOTE WELL: This update causes OpenSSL to reject any attempt to
renegotiate SSL / TLS session parameters.  As a result, connections in
which the other party attempts to renegotiate session parameters will
break.  In practice, however, session renegotiation is a rarely-used
feature, so disabling this functionality is unlikely to cause problems
for most systems.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE, or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:15/ssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:15/ssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make includes && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/crypto/openssl/ssl/s3_pkt.c                              1.1.1.10.2.1
  src/crypto/openssl/ssl/s3_srvr.c                             1.1.1.14.2.3
  src/crypto/openssl/ssl/s3_lib.c                              1.1.1.10.2.1
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.12
  src/sys/conf/newvers.sh                                    1.69.2.18.2.14
  src/crypto/openssl/ssl/s3_pkt.c                             1.1.1.10.12.1
  src/crypto/openssl/ssl/s3_srvr.c                         1.1.1.14.2.1.6.2
  src/crypto/openssl/ssl/s3_lib.c                             1.1.1.10.12.1
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.19
  src/sys/conf/newvers.sh                                    1.69.2.15.2.18
  src/crypto/openssl/ssl/s3_pkt.c                             1.1.1.10.10.1
  src/crypto/openssl/ssl/s3_srvr.c                         1.1.1.14.2.1.4.2
  src/crypto/openssl/ssl/s3_lib.c                             1.1.1.10.10.1
RELENG_7
  src/crypto/openssl/ssl/s3_pkt.c                              1.1.1.12.2.1
  src/crypto/openssl/ssl/s3_srvr.c                             1.1.1.17.2.2
  src/crypto/openssl/ssl/s3_lib.c                              1.1.1.13.2.1
RELENG_7_2
  src/UPDATING                                               1.507.2.23.2.8
  src/sys/conf/newvers.sh                                     1.72.2.11.2.9
  src/crypto/openssl/ssl/s3_pkt.c                              1.1.1.12.8.1
  src/crypto/openssl/ssl/s3_srvr.c                         1.1.1.17.2.1.2.1
  src/crypto/openssl/ssl/s3_lib.c                              1.1.1.13.8.1
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.12
  src/sys/conf/newvers.sh                                     1.72.2.9.2.13
  src/crypto/openssl/ssl/s3_pkt.c                              1.1.1.12.6.1
  src/crypto/openssl/ssl/s3_srvr.c                             1.1.1.17.6.2
  src/crypto/openssl/ssl/s3_lib.c                              1.1.1.13.6.1
RELENG_8
  src/crypto/openssl/ssl/s3_pkt.c                                   1.2.2.1
  src/crypto/openssl/ssl/s3_srvr.c                                  1.3.2.1
  src/crypto/openssl/ssl/s3_lib.c                                   1.2.2.1
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.4
  src/sys/conf/newvers.sh                                      1.83.2.6.2.4
  src/crypto/openssl/ssl/s3_pkt.c                                   1.2.4.1
  src/crypto/openssl/ssl/s3_srvr.c                                  1.3.4.1
  src/crypto/openssl/ssl/s3_lib.c                                   1.2.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/6/                                                         r200054
releng/6.4/                                                       r200054
releng/6.3/                                                       r200054
stable/7/                                                         r200054
releng/7.2/                                                       r200054
releng/7.1/                                                       r200054
-------------------------------------------------------------------------

VII. References

http://extendedsubset.com/Renegotiating_TLS.pdf
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:15.ssl.asc

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 09:30:43 2009
Date: Thu, 3 Dec 2009 09:30:43 GMT
Message-Id: <200912030930.nB39UhW9038238@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

=============================================================================
FreeBSD-SA-09:16.rtld                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Improper environment sanitization in rtld(1)

Category:       core
Module:         rtld
Announced:      2009-12-03
Affects:        FreeBSD 7.0 and later.
Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
CVE Name:       CVE-2009-4146, CVE-2009-4147

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The run-time link-editor, rtld, links dynamic executables with their
needed libraries at run-time.  It also allows users to explicitly load
libraries via various LD_ environmental variables.

II.  Problem Description

When running setuid programs rtld will normally remove potentially
dangerous environment variables.  Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may result
in attempts to unset environment variables failing.

III. Impact

An unprivileged user who can execute programs on a system can gain the
privileges of any setuid program which he can run.  On most system
configurations, this will allow a local attacker to execute code as
the root user.

IV.  Workaround

No workaround is available, but systems without untrusted local users,
where all the untrusted local users are jailed superusers, and/or where
untrusted users cannot execute arbitrary code (e.g., due to use of
read only and noexec mount options) are not affected.

Note that "untrusted local users" include users with the ability to
upload and execute web scripts (CGI, PHP, Python, Perl etc.), as they
may be able to exploit this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.1, 7.2,
and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/rtld-elf
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld).  On
amd64 systems where the i386 rtld is installed, the operating system
should instead be recompiled as described in

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/libexec/rtld-elf/rtld.c                                     1.124.2.7
RELENG_7_2
  src/UPDATING                                               1.507.2.23.2.8
  src/sys/conf/newvers.sh                                     1.72.2.11.2.9
  src/libexec/rtld-elf/rtld.c                                 1.124.2.4.2.2
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.12
  src/sys/conf/newvers.sh                                     1.72.2.9.2.13
  src/libexec/rtld-elf/rtld.c                                 1.124.2.3.2.2
RELENG_8
  src/libexec/rtld-elf/rtld.c                                     1.139.2.4
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.4
  src/sys/conf/newvers.sh                                      1.83.2.6.2.4
  src/libexec/rtld-elf/rtld.c                                 1.139.2.2.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r199981
releng/7.2/                                                       r200054
releng/7.1/                                                       r200054
stable/8/                                                         r199980
releng/8.0/                                                       r200054
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4147

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:16.rtld.asc

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 09:30:49 2009
Date: Thu, 3 Dec 2009 09:30:49 GMT
Message-Id: <200912030930.nB39Uno3038944@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-09:17.freebsd-update

=============================================================================
FreeBSD-SA-09:17.freebsd-update                             Security Advisory
                                                          The FreeBSD Project

Topic:          Inappropriate directory permissions in freebsd-update(8)

Category:       core
Module:         usr.sbin
Announced:      2009-12-03
Credits:        KAMADA Ken'ichi
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
                2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
                2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The freebsd-update(8) utility is used to fetch, install, and rollback
updates to the FreeBSD base system, and also to upgrade from one
FreeBSD release to another.

II.  Problem Description

When downloading updates to FreeBSD via 'freebsd-update fetch' or
'freebsd-update upgrade', the freebsd-update(8) utility copies
currently installed files into its working directory
(/var/db/freebsd-update by default) both for the purpose of merging
changes to configuration files and in order to be able to roll back
installed updates.

The default working directory used by freebsd-update(8) is normally
created during the installation of FreeBSD with permissions which allow
all local users to see its contents, and freebsd-update(8) does not
take any steps to restrict access to files stored in said directory.

III. Impact

A local user can read files which have been updated by
freebsd-update(8), even if those files have permissions which would
normally not allow users to read them.  In particular, on systems
which have been upgraded using 'freebsd-update upgrade', local users
can read freebsd-update's backed-up copy of the master password file.

IV.  Workaround

Set the permissions on the freebsd-update(8) working directory to not
allow unprivileged users to read said directory:

# chmod 0700 /var/db/freebsd-update

Note that if freebsd-update(8) is run using the '-d workdir' option,
the directory which should have its permissions adjusted will be
different.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3
security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:17/freebsd-update.patch
# fetch http://security.FreeBSD.org/patches/SA-09:17/freebsd-update.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/freebsd-update
# make obj && make depend && make && make install
# chmod 0700 /var/db/freebsd-update

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/usr.sbin/freebsd-update/freebsd-update.sh                    1.2.2.11
  src/etc/mtree/BSD.var.dist                                       1.71.2.4
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.12
  src/sys/conf/newvers.sh                                    1.69.2.18.2.14
  src/usr.sbin/freebsd-update/freebsd-update.sh                1.2.2.10.2.2
  src/etc/mtree/BSD.var.dist                                   1.71.2.3.6.2
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.19
  src/sys/conf/newvers.sh                                    1.69.2.15.2.18
  src/usr.sbin/freebsd-update/freebsd-update.sh                 1.2.2.8.2.1
  src/etc/mtree/BSD.var.dist                                   1.71.2.3.4.1
RELENG_7
  src/usr.sbin/freebsd-update/freebsd-update.sh                     1.8.2.5
  src/etc/mtree/BSD.var.dist                                       1.75.2.1
RELENG_7_2
  src/UPDATING                                               1.507.2.23.2.8
  src/sys/conf/newvers.sh                                     1.72.2.11.2.9
  src/usr.sbin/freebsd-update/freebsd-update.sh                 1.8.2.4.4.2
  src/etc/mtree/BSD.var.dist                                       1.75.8.2
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.12
  src/sys/conf/newvers.sh                                     1.72.2.9.2.13
  src/usr.sbin/freebsd-update/freebsd-update.sh                 1.8.2.4.2.2
  src/etc/mtree/BSD.var.dist                                       1.75.6.2
RELENG_8
  src/usr.sbin/freebsd-update/freebsd-update.sh                    1.16.2.3
  src/etc/mtree/BSD.var.dist                                      1.75.10.2
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.4
  src/sys/conf/newvers.sh                                      1.83.2.6.2.4
  src/usr.sbin/freebsd-update/freebsd-update.sh                1.16.2.2.2.2
  src/etc/mtree/BSD.var.dist                                  1.75.10.1.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/6/                                                         r200054
releng/6.4/                                                       r200054
releng/6.3/                                                       r200054
stable/7/                                                         r200054
releng/7.2/                                                       r200054
releng/7.1/                                                       r200054
stable/8/                                                         r200054
releng/8.0/                                                       r200054
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:17.freebsd-update.asc

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 10:18:53 2009
Date: Thu, 3 Dec 2009 11:53:19 +0200
From: Marc Silver
To: freebsd-security@freebsd.org
Subject: bsd.security.see_other_uids affecting netstat?

Hi guys,

Please forgive if this is a bit of a noob question

I noticed that when the bsd.security.see_other_uids sysctl is set to 0, the
netstat command gives no output for users (non-root). I can't find any
mention of this in any documentation ... is this intentional?

Cheers,
Marc

--
Our deepest fear is not that we are inadequate. Our deepest fear is that we
are powerful beyond measure. It is our light, not our darkness, that most
frightens us.

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 11:14:56 2009
Date: Thu, 3 Dec 2009 14:14:54 +0300
From: pluknet
To: Marc Silver
Cc: freebsd-security@freebsd.org
Subject: Re: bsd.security.see_other_uids affecting netstat?

2009/12/3 Marc Silver :
> Hi guys,
>
> Please forgive if this is a bit of a noob question
>
> I noticed that when the bsd.security.see_other_uids sysctl is set to 0, the
> netstat command gives no output for users (non-root).

No, it gives no access to sockets (switched to per-inpcb since 7) not
owned by that user. See mac_seeotheruids(4):

DESCRIPTION
     The mac_seeotheruids policy module, when enabled, denies users to see
     processes or sockets owned by other users.

--
wbr,
pluknet

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 11:17:30 2009
Message-ID: <4B179B90.10307@netfence.it>
Date: Thu, 03 Dec 2009 12:05:52 +0100
From: Andrea Venturoli
To: freebsd-security@freebsd.org
References: <200912030930.nB39UhW9038238@freefall.freebsd.org>
In-Reply-To: <200912030930.nB39UhW9038238@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-09:16.rtld                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Improper environment sanitization in rtld(1)
>
> Category:       core
> Module:         rtld
> Announced:      2009-12-03
> Affects:        FreeBSD 7.0 and later.
> Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
>                 2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
>                 2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)

Sorry, this might seem a stupid question, but...

In several places I read that FreeBSD 6.x is NOT affected; however, I heard
some people discussing how to apply the patch to such systems.

So, I'd like to know for sure: is 6.x affected? Is another patch on the way
for it?

bye & Thanks
av.
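The failure mode SA-09:16 describes above (a corrupt environment making an attempt to unset a variable fail in a setuid context) is easier to reason about with a concrete defensive routine in hand. The following is an added example written for this page, not rtld's own code: it rebuilds the environment array, dropping malformed entries and anything under an assumed unsafe prefix list, and verifies an unset instead of trusting it. The `LD_` prefix table, the sample entries and the names `sanitize_env`, `env_lookup`, `strict_unsetenv`, `build_sample_env` and `sanitized_sample_env` are all constructed for this illustration.

```c
/* Added example for SA-09:16, not rtld's code: rebuild a setuid process's
 * environment instead of trusting unsetenv() on a malformed environment. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prefixes that must not reach the run-time linker of a setuid program.
 * Assumed list for this example; rtld keeps its own table. */
static const char *const unsafe_prefixes[] = { "LD_", NULL };

static int is_unsafe(const char *entry)
{
    for (const char *const *p = unsafe_prefixes; *p != NULL; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Compact envp in place, keeping only well-formed "NAME=value" entries
 * (non-empty NAME, '=' present) that are not unsafe.  A malformed entry is
 * the kind of corruption that can make a libc unset fail, so it is dropped
 * rather than repaired.  Returns the number of entries removed. */
size_t sanitize_env(char **envp)
{
    size_t in, out;
    for (in = 0, out = 0; envp[in] != NULL; in++) {
        const char *eq = strchr(envp[in], '=');
        if (eq == NULL || eq == envp[in])   /* "JUNK" or "=value" */
            continue;
        if (is_unsafe(envp[in]))
            continue;
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return in - out;
}

/* getenv()-style lookup on an explicit array; NULL when NAME is absent. */
const char *env_lookup(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Verify-after-unset on the process environment: a setuid program should
 * treat a variable that survives the unset as fatal, not carry on.
 * Returns 0 when NAME is gone, -1 otherwise. */
int strict_unsetenv(const char *name)
{
    if (unsetenv(name) != 0)
        return -1;
    return getenv(name) == NULL ? 0 : -1;
}

/* Constructed sample environment: two unsafe entries and one corrupt one. */
char **build_sample_env(void)
{
    static const char *const sample[] = {
        "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/constructed-example.so",
        "CORRUPT_ENTRY_WITHOUT_EQUALS", "LD_LIBRARY_PATH=/tmp", "HOME=/root",
        NULL
    };
    static char storage[6][64];
    static char *env[6];
    size_t i;
    for (i = 0; sample[i] != NULL; i++) {
        snprintf(storage[i], sizeof storage[i], "%s", sample[i]);
        env[i] = storage[i];
    }
    env[i] = NULL;
    return env;
}

/* Build, sanitise and return the sample; handy for checks. */
char **sanitized_sample_env(void)
{
    char **env = build_sample_env();
    sanitize_env(env);
    return env;
}

int main(void)
{
    char **env = build_sample_env();
    size_t dropped = sanitize_env(env);
    printf("dropped %zu entries\n", dropped);   /* prints: dropped 3 entries */
    for (char **e = env; *e != NULL; e++)
        printf("kept: %s\n", *e);
    if (setenv("LD_PRELOAD", "/tmp/constructed-example.so", 1) == 0)
        printf("strict_unsetenv(LD_PRELOAD) -> %d\n",
               strict_unsetenv("LD_PRELOAD"));
    return 0;
}
```

Only PATH and HOME survive the rebuild; the corrupt entry is discarded rather than left to confuse a later unset, which is the point the advisory's problem description turns on.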
From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 12:45:26 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6C2D21065692 for ; Thu, 3 Dec 2009 12:45:26 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from proxypop2.sarenet.es (proxypop2.sarenet.es [194.30.0.95]) by mx1.freebsd.org (Postfix) with ESMTP id D31038FC22 for ; Thu, 3 Dec 2009 12:45:25 +0000 (UTC) Received: from [172.16.1.204] (izaro.sarenet.es [192.148.167.11]) by proxypop2.sarenet.es (Postfix) with ESMTP id 2E8B37352E; Thu, 3 Dec 2009 13:45:24 +0100 (CET) Mime-Version: 1.0 (Apple Message framework v1077) Content-Type: text/plain; charset=us-ascii 
From: Borja Marcos
Date: Thu, 3 Dec 2009 13:45:22 +0100
Message-Id: <3ACC849F-06CF-4BBD-88A5-7489D6DD75B4@sarenet.es>
In-Reply-To: <4B17A0BE.9090502@fer.hr>
To: Ivan Voras
Cc: freebsd-security@freebsd.org
Subject: Re: Upcoming FreeBSD Security Advisory

On Dec 3, 2009, at 12:27 PM, Ivan Voras wrote:

> Borja Marcos wrote:
>> On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:
>>> A short time ago a "local root" exploit was posted to the full-disclosure
>>> mailing list; as the name suggests, this allows a local user to execute
>>> arbitrary code as root.
>> Dr. Strangelove, or How I learned to love the MAC subsystem.
>
> Hi,
>
> Could you point to, or write, some tutorial-like documentation on how you use the MAC for this particular purpose?
>
> I tried reading the mac* man pages in several instances before but can't seem to connect the theory described in there with how to apply it in a practical way.

Could write, indeed. A problem with the MAC subsystem documentation is that it's too formal. But, my fault, I should have contributed long ago. Let me at least explain how I'm using it for fun and profit ;) Maybe I should write something for the wiki and enhance it over time.

I have been using it for some time in a shared hosting server based on FreeBSD. It hosts many small websites, close to 1000 now, I think, so jail management was quite clumsy.

The server is a shared hosting server based on Apache. Each user has an ftp account, chrooted to his home directory, of course.
Users can upload PHP and CGI scripts, without restrictions in principle.

My goals were:

1- Guarantee operating system integrity. Such a setup can suffer plenty of security compromises.
2- Avoid escalation from one user to another. A compromised user account should not allow the user to read another user's files.
3- Keep it reasonably simple. Users can only manage their files by ftp, although a next iteration could offer something more complete.
4- Allow CGI and PHP scripts written by customers to work without special modifications. If you give them a long list of requirements and restrictions, that will spell trouble.

The goals were hard to meet. For instance, the Unix permissions model, which is very outdated for this kind of application, presents a serious problem. It's an elementary good practice to run a web server as an unprivileged user. So, html files (and, hence, php files) must be readable by all. But that means that a compromised user account, in case of escaping a chroot(), would be able to read other users' files.

Integrity is hard to keep when you allow users to run php, cgi's...

The solution adopted was to use FreeBSD's MAC subsystem, exactly two elements:

- The mac/biba policy, that assigns an integrity label to processes (subjects) and resources (objects) so that the following restrictions apply:

---- A high integrity subject cannot read a lower integrity object. Think about a classical /tmp/.whatever_rc booby trap left by an untrusted (lower integrity) user. Your /usr/bin/whatever program, run with your higher integrity level, would not be able to read the booby trap, so you would be safe. The problem is that it's awkward to do some administration tasks, but not impossible.

---- A low integrity subject cannot modify a high integrity object.
Our toothless root from my previous message (imagine that it comes from a compromised PHP script that was, of course, being executed with a low integrity label) cannot modify anything in the operating system, as everything is marked as high integrity by default. Again, it cannot leave booby traps for other processes to execute. Not a crontab, an "atjob", etc., because it lacks the necessary integrity level to do so. The integrity level cannot be increased once a process has been created with a low level, and as this applies as well to kmem et al., I think that a root exploit to overcome this is less likely to work than the typical privilege escalation exploit.

---- There exists a special integrity label, biba/equal, which means "do not check integrity". For instance, the system administrator can fork a shell with no checks when it's necessary to examine a user's directory ("setpmac biba/equal bin/csh" does the trick), and the backup program can be executed with a biba/equal integrity label. It will be able to read any files without restriction.

---- Integrity labels can be applied to other resources such as network interfaces. Imagine you have a secondary network used for network based backups. If you label that network interface properly, a low integrity process spawned from a customer account will not be able to access that secondary network.

- The mac/ugidfw policy, that allows you to set up a sort of "ipfw-like" restrictions. In our case, customers have uid numbers assigned belonging to a given range, say, 10000 - 20000, and the ugidfw policy is set up so that processes with a uid belonging to that interval cannot access resources belonging to a different uid inside that interval. Processes with a uid belonging to this interval will have no interference from this module as long as the resource being accessed is owned by a non-customer uid. In that case only regular Unix permissions apply.
This allows us to have user files with universal read permissions, and run Apache as an untrusted user. Apache can read each customer's files, but a customer cannot read other customers' files.

PHP runs as a cgi (the websites are very low volume usually, so it's not an issue at all) and we use Apache's mod_suexec so that each user's CGI programs are executed with the user's credentials.

As mod_suexec uses the operating system mechanisms to acquire the user's credentials, instead of just doing a setuid(), we use /etc/login.conf to apply a MAC label (in this case a biba/low label) to the customer accounts.

Setting it up was a bit of a pain in the ass. Depending on how complex your setup is, expect to spend some time playing with ktrace. This added layer of security can create some unexpected problems. Programs expect to be able to write to /tmp or /var/tmp (I had to label them as biba/equal), etc, etc.

But the results have been good so far, and it's not so much of a hassle to manage it. In the case of a successful run of a root exploit such as our star exploit of this week, customer data could have been compromised, although I can reasonably say that the operating system integrity would be more than reasonably safe.

There's a wrong assumption I made: the MAC subsystem should make a root exploit hard to achieve, and the latest security issue shows that indeed that's not necessarily the case. I chose not to chroot the running CGI's so that they saw a complete operating system, avoiding the costs of lots of phone calls to support because their script got a text file and ran awk on it, etc, etc, you know. Keeping lots of copies of the OS is quite ineffective. And restricting access to mostly harmless programs such as ping can be a problem as well. One of my compromises (wrong, maybe) was to offer the closest thing to a complete system as possible.

Best regards,

Borja.
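The policy combination described in the message above, as an added illustration that is not part of the original post and not FreeBSD's or Borja's code: a small Python model of the decision logic (mac_biba's "no read down / no write up" with biba/equal as the bypass label, the mac/ugidfw customer-uid-range rule, and ordinary Unix permissions underneath), evaluated over the situations the post mentions. The three labels and the 10000-20000 customer range come from the post; the uids 80, 10001 and 10002, the file paths and the simplified Unix permission check are constructed for the example.

```python
"""Model of Biba integrity labels + a ugidfw uid-range rule stacked on Unix DAC.

Added illustration only: labels and the 10000-20000 customer uid range follow the
mailing-list post; uids, paths and the simplified DAC check are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Biba(IntEnum):
    """Integrity levels; a higher value is higher integrity. EQUAL means 'do not check'."""
    LOW = 0
    HIGH = 1
    EQUAL = 2


@dataclass(frozen=True)
class Subject:
    uid: int
    label: Biba


@dataclass(frozen=True)
class Obj:
    path: str
    owner: int
    label: Biba
    world_readable: bool = True   # "html files must be readable by all"
    world_writable: bool = False


# Customer uid range from the post (inclusive); the sample uids are constructed.
CUSTOMER_UIDS = range(10000, 20001)
UID_ROOT, UID_APACHE, UID_CUST_A, UID_CUST_B = 0, 80, 10001, 10002


def unix_allows(subj: Subject, obj: Obj, op: str) -> bool:
    """Simplified DAC: root and the owner may read and write; everyone else
    is limited to the world-readable / world-writable bits."""
    if subj.uid == UID_ROOT or subj.uid == obj.owner:
        return True
    return obj.world_readable if op == "read" else obj.world_writable


def biba_allows(subj: Subject, obj: Obj, op: str) -> bool:
    """mac_biba as described: no read down, no write up; biba/equal on either
    side disables the check entirely."""
    if Biba.EQUAL in (subj.label, obj.label):
        return True
    if op == "read":
        return subj.label <= obj.label   # a high-integrity subject must not read low
    return subj.label >= obj.label       # a low-integrity subject must not write high


def ugidfw_allows(subj: Subject, obj: Obj) -> bool:
    """mac/ugidfw rule from the post: a customer uid may not touch objects owned
    by a different customer uid; objects owned by non-customer uids are left to DAC."""
    if subj.uid in CUSTOMER_UIDS and obj.owner in CUSTOMER_UIDS:
        return obj.owner == subj.uid
    return True


def access(subj: Subject, obj: Obj, op: str) -> bool:
    """Every layer is consulted and any denial wins, which is how MAC policies
    compose with each other and with ordinary permissions."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    return (unix_allows(subj, obj, op)
            and biba_allows(subj, obj, op)
            and ugidfw_allows(subj, obj))


def run_scenarios() -> dict:
    """The situations from the post, evaluated against the model."""
    etc_crontab = Obj("/etc/crontab", UID_ROOT, Biba.HIGH)
    bin_ls = Obj("/bin/ls", UID_ROOT, Biba.HIGH)
    tmp_dir = Obj("/tmp", UID_ROOT, Biba.EQUAL, world_writable=True)  # relabelled biba/equal
    a_index = Obj("/home/a/index.php", UID_CUST_A, Biba.LOW)
    b_config = Obj("/home/b/config.php", UID_CUST_B, Biba.LOW)
    a_rc = Obj("/home/a/.whatever_rc", UID_CUST_A, Biba.LOW)       # the "booby trap"

    apache = Subject(UID_APACHE, Biba.LOW)         # web server as an untrusted user
    cust_a = Subject(UID_CUST_A, Biba.LOW)         # suexec'd CGI, label via login.conf
    owned_root = Subject(UID_ROOT, Biba.LOW)       # "toothless root" from a compromised CGI
    admin_shell = Subject(UID_ROOT, Biba.HIGH)     # an ordinary root login
    admin_equal = Subject(UID_ROOT, Biba.EQUAL)    # setpmac biba/equal shell, or the backup

    return {
        "apache reads customer file": access(apache, a_index, "read"),
        "customer reads own file": access(cust_a, a_index, "read"),
        "customer reads other customer": access(cust_a, b_config, "read"),
        "customer runs system binary": access(cust_a, bin_ls, "read"),
        "customer writes /tmp": access(cust_a, tmp_dir, "write"),
        "low-integrity root writes /etc/crontab": access(owned_root, etc_crontab, "write"),
        "low-integrity root reads other customer": access(owned_root, b_config, "read"),
        "high-integrity root reads booby trap": access(admin_shell, a_rc, "read"),
        "biba/equal root reads booby trap": access(admin_equal, a_rc, "read"),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print("ALLOW" if ok else "DENY ", name)
```

Because any layer's denial wins, the model also reproduces the limit conceded at the end of the post: a low-integrity process that has obtained uid 0 still passes ugidfw (root is outside the customer range) and Biba (a low-integrity subject may read a low-integrity object), so it can read customer files even though it cannot modify the high-integrity system.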
From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 13:09:38 2009
Date: Thu, 3 Dec 2009 14:09:36 +0100
From: niels@bakker.net (Niels Bakker)
To: freebsd-security@freebsd.org
Message-ID: <20091203130936.GU20638@burnout.tpb.net>
In-Reply-To: <200912030930.nB39Ude2037517@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

Hi,

>=============================================================================
>FreeBSD-SA-09:15.ssl                                        Security Advisory
>                                                          The FreeBSD Project
[..]
>b) Execute the following commands as root:
>
># cd /usr/src
># patch < /path/to/patch
># cd /usr/src/secure/lib/libcrypto
># make obj && make depend && make includes && make && make install

Did you mean secure/lib/libssl rather than libcrypto?

Regards,

-- Niels.
-- so we still don't know whether the steganosaurus really existed

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 14:55:54 2009
From: Jamie Landeg Jones
Message-Id: <200912031455.nB3EtriT031315@catflap.bishopston.net>
Date: Thu, 03 Dec 2009 14:55:53 +0000
Organization: http://www.bishopston.com/jamie/
To: ml@netfence.it, freebsd-security@freebsd.org
In-Reply-To: <4B179B90.10307@netfence.it>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

> Sorry, this might seem a stupid question, but...
> In several places I read that FreeBSD 6.x is NOT affected; however, I
> heard some people discussing how to apply the patch to such systems.
> So, I'd like to know for sure: is 6.x affected? Is another patch on the
> way for it?
>
> bye & Thanks
> av.

The change that introduced the bug was made as follows:

| Revision 1.124: download - view: text, markup, annotated - select for diffs
| Thu May 17 18:00:27 2007 UTC (2 years, 6 months ago) by csjp
| Branches: MAIN
| CVS tags: RELENG_7_BP, RELENG_7_0_BP, RELENG_7_0_0_RELEASE, RELENG_7_0
| Branch point for: RELENG_7
| Diff to: previous 1.123: preferred, colored
| Changes since revision 1.123: +20 -10 lines
|
| In the event a process is tainted (setuid/setgid binaries), un-set any
| potentially dangerous environment variables all together.
| It should be
| noted that the run-time linker will not honor these environment variables
| if the process is tainted currently. However, once a child of the tainted
| process calls setuid(2), its status as being tainted (as defined by
| issetugid(2)) will be removed. This could be problematic because
| subsequent activations of the run-time linker could honor these
| dangerous variables.
|
| This is more of an anti foot-shot mechanism, there is nothing I am
| aware of in base that does this, however there may be third party
| utilities which do, and there is no real negative impact of clearing
| these environment variables.
|
| Discussed on: secteam
| Reviewed by: cperciva
| PR: kern/109836
| MFC after: 2 weeks

This was also MFC'd into 6.3 onwards:

| Revision 1.106.2.7: download - view: text, markup, annotated - select for diffs
| Sat Jul 14 19:04:00 2007 UTC (2 years, 4 months ago) by csjp
| Branches: RELENG_6
| CVS tags: RELENG_6_4_BP, RELENG_6_3_BP, RELENG_6_3_0_RELEASE, RELENG_6_3
| Branch point for: RELENG_6_4
| Diff to: previous 1.106.2.6: preferred, colored; branchpoint 1.106: preferred, colored; next MAIN 1.107: preferred, colored
| Changes since revision 1.106.2.6: +20 -10 lines
|
| MFC rtld.c revision 1.124
|
| Unset potentially harmful environment variables.
|
| Discussed on: secteam
| PR: kern/109836

So, yes, FreeBSD 6.3-RELEASE upwards are affected - FreeBSD 6.2 isn't.
From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 15:09:48 2009
Message-ID: <4B17D4B9.103@netfence.it>
Date: Thu, 03 Dec 2009 16:09:45 +0100
From: Andrea Venturoli
To: freebsd-security@freebsd.org
In-Reply-To: <200912031455.nB3EtriT031315@catflap.bishopston.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

Jamie Landeg Jones wrote:
> So, yes, FreeBSD 6.3-RELEASE upwards are affected - FreeBSD 6.2 isn't.

Thanks.
So, is a patch on the way for 6.[34] too?
I guess the sec team just wanted to get out what they had as soon as possible, and I agree with them and thank them. But I just need to plan... :-)

bye
av.
From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 15:24:21 2009
Message-ID: <4B17D39B.5030204@riscworks.net>
Date: Thu, 03 Dec 2009 16:04:59 +0100
From: Timo Schoeler
To: freebsd-security@freebsd.org
In-Reply-To: <200912031455.nB3EtriT031315@catflap.bishopston.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

thus Jamie Landeg Jones spake:
>> Sorry, this might seem a stupid question, but...
>> In several places I read that FreeBSD 6.x is NOT affected; however, I
>> heard some people discussing how to apply the patch to such systems.
>> So, I'd like to know for sure: is 6.x affected? Is another patch on the
>> way for it?
>>
>> bye & Thanks
>> av.

So, what would be 'best of practice' to apply the patch to 6.3-RELEASE upwards -- is the FreeBSD-7 patch applicable or should one wait for an official announcement?

Best,

Timo

> The change that introduced the bug was made as follows:
>
> | Revision 1.124: download - view: text, markup, annotated - select for diffs
> | Thu May 17 18:00:27 2007 UTC (2 years, 6 months ago) by csjp
> | Branches: MAIN
> | CVS tags: RELENG_7_BP, RELENG_7_0_BP, RELENG_7_0_0_RELEASE, RELENG_7_0
> | Branch point for: RELENG_7
> | Diff to: previous 1.123: preferred, colored
> | Changes since revision 1.123: +20 -10 lines
> |
> | In the event a process is tainted (setuid/setgid binaries), un-set any
> | potentially dangerous environment variables all together. It should be
> | noted that the run-time linker will not honor these environment variables
> | if the process is tainted currently.
> | However, once a child of the tainted
> | process calls setuid(2), its status as being tainted (as defined by
> | issetugid(2)) will be removed. This could be problematic because
> | subsequent activations of the run-time linker could honor these
> | dangerous variables.
> |
> | This is more of an anti foot-shot mechanism, there is nothing I am
> | aware of in base that does this, however there may be third party
> | utilities which do, and there is no real negative impact of clearing
> | these environment variables.
> |
> | Discussed on: secteam
> | Reviewed by: cperciva
> | PR: kern/109836
> | MFC after: 2 weeks
>
> This was also MFC'd into 6.3 onwards:
>
> | Revision 1.106.2.7: download - view: text, markup, annotated - select for diffs
> | Sat Jul 14 19:04:00 2007 UTC (2 years, 4 months ago) by csjp
> | Branches: RELENG_6
> | CVS tags: RELENG_6_4_BP, RELENG_6_3_BP, RELENG_6_3_0_RELEASE, RELENG_6_3
> | Branch point for: RELENG_6_4
> | Diff to: previous 1.106.2.6: preferred, colored; branchpoint 1.106: preferred, colored; next MAIN 1.107: preferred, colored
> | Changes since revision 1.106.2.6: +20 -10 lines
> |
> | MFC rtld.c revision 1.124
> |
> | Unset potentially harmful environment variables.
> |
> | Discussed on: secteam
> | PR: kern/109836
>
>
> So, yes, FreeBSD 6.3-RELEASE upwards are affected - FreeBSD 6.2 isn't.
From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 15:37:06 2009
From: Henrique Araujo
To: freebsd-security@freebsd.org
In-Reply-To: <200912030930.nB39UhPQ038263@freefall.freebsd.org>
Organization: Colégio Salesiano São Gonçalo
Date: Thu, 03 Dec 2009 12:33:39 -0300
Message-ID: <1259854419.33763.10.camel@cpd1.local.cssg.g12.br>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

On Thu, 2009-12-03 at 09:30 +0000, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:16.rtld                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Improper environment sanitization in rtld(1)
>
> Category:       core
> Module:         rtld
> Announced:      2009-12-03
> Affects:        FreeBSD 7.0 and later.
> Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
>                 2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
>                 2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
> CVE Name:       CVE-2009-4146, CVE-2009-4147
>
[...]

I think it's only cosmetic, but I couldn't see any change in the BRANCH (7.2: p4 -> p4?).
Henrique

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 16:33:15 2009
In-Reply-To: <1259854419.33763.10.camel@cpd1.local.cssg.g12.br>
From: Maxim Khitrov
Date: Thu, 3 Dec 2009 11:04:12 -0500
Message-ID: <26ddd1750912030804k2e4ee7f1u858c28e82beccb6c@mail.gmail.com>
To: Henrique Araujo
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

2009/12/3 Henrique Araujo <henrique@cssg.g12.br>:
> On Thu, 2009-12-03 at 09:30 +0000, FreeBSD Security Advisories wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> =============================================================================
>> FreeBSD-SA-09:16.rtld                                       Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic:          Improper environment sanitization in rtld(1)
>>
>> Category:       core
>> Module:         rtld
>> Announced:      2009-12-03
>> Affects:        FreeBSD 7.0 and later.
>> Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
>>                 2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
>>                 2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
>>                 2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
>>                 2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
>> CVE Name:       CVE-2009-4146, CVE-2009-4147
>>
> [...]
>
> I think it's only cosmetic, but I couldn't see any change in the BRANCH
> (7.2: p4 -> p4?).
>
>
> Henrique

The file sys/conf/newvers.sh was not updated in the original commit.
Update your source once more and rebuild the kernel.

- Max

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 16:49:26 2009
From: Borja Marcos
Date: Thu, 3 Dec 2009 17:49:24 +0100
In-Reply-To: <3ACC849F-06CF-4BBD-88A5-7489D6DD75B4@sarenet.es>
To: Borja Marcos
Cc: freebsd-security@freebsd.org
Subject: Re: rtld issue, MAC subsystem suggestion

On Dec 3, 2009, at 1:45 PM, Borja Marcos wrote:

> There's a wrong assumption I made: the MAC subsystem should make a root exploit hard to achieve, and the latest security issue shows that indeed that's not necessarily the case. I chose not to chroot the running CGI's so that they saw a complete operating system, avoiding the costs of lots of phone calls to support because their script got a text file and ran awk on it, etc, etc, you know. Keeping lots of copies of the OS is quite ineffective. And restricting access to mostly harmless programs such as ping can be a problem as well. One of my compromises (wrong, maybe) was to offer the closest thing to a complete system as possible.

Which brings an idea... I understand it might sound a bit ad-hoc after this problem, but how about extending the usage of the MAC subsystem so that MAC policies are enforced for such things as the dynamic linker? It would certainly put a stop to a whole class of attacks.

If a program with a given integrity label tried to link with a lower integrity shared library, maybe the operation should fail. The same should apply to mac/mls.

I see no reason to allow that behavior to succeed, and plenty of reasons for the MAC policies to be applied.

Borja.
From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 17:10:09 2009
Date: Thu, 3 Dec 2009 20:10:05 +0300
From: Eygene Ryabinkin
To: Niels Bakker
Cc: freebsd-security@freebsd.org
In-Reply-To: <20091203130936.GU20638@burnout.tpb.net>
Reply-To: rea-fbsd@codelabs.ru
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

Thu, Dec 03, 2009 at 02:09:36PM +0100, Niels Bakker wrote:
> >=============================================================================
> >FreeBSD-SA-09:15.ssl                                        Security Advisory
> >                                                          The FreeBSD Project
> [..]
> >b) Execute the following commands as root:
> >
> ># cd /usr/src
> ># patch < /path/to/patch
> ># cd /usr/src/secure/lib/libcrypto
> ># make obj && make depend && make includes && make && make install
>
> Did you mean secure/lib/libssl rather than libcrypto?
Most probably, yes: both commits to 0.9.8k reference files in libssl,
http://cvs.openssl.org/chngview?cn=18794
http://cvs.openssl.org/chngview?cn=18791

-----
[/usr/src/secure/lib]$ grep -Er '(s3_srvr|s3_lib)' *
libssl/Makefile: s3_both.c s3_clnt.c s3_enc.c s3_lib.c s3_meth.c s3_pkt.c \
libssl/Makefile: s3_srvr.c ssl_algs.c ssl_asn1.c ssl_cert.c ssl_ciph.c \
:: rea@void : 20:06:59 : /usr/src/secure/lib
$ grep -Er '(s3_srvr|s3_lib|ssl_err|s3_pkt|ssl3\.h)' *
libssl/Makefile: s3_both.c s3_clnt.c s3_enc.c s3_lib.c s3_meth.c s3_pkt.c \
libssl/Makefile: s3_srvr.c ssl_algs.c ssl_asn1.c ssl_cert.c ssl_ciph.c \
libssl/Makefile: ssl_err.c ssl_err2.c ssl_lib.c ssl_rsa.c ssl_sess.c ssl_stat.c \
libssl/Makefile:INCS= dtls1.h kssl.h ssl.h ssl2.h ssl23.h ssl3.h tls1.h
libssl/man/ssl.3:.IP "\fBssl3.h\fR" 4
libssl/man/ssl.3:.IX Item "ssl3.h"
-----
--
Eygene
_ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ #

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 17:40:22 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8EC3B106566B for ; Thu, 3 Dec 2009 17:40:22 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [IPv6:2001:5c0:1100:200::3]) by mx1.freebsd.org (Postfix) with ESMTP id 241258FC1A for ; Thu, 3 Dec 2009 17:40:21 +0000 (UTC) X-Catflap-Envelope-From: X-Catflap-Envelope-To: freebsd-security@freebsd.org Received: from catflap.bishopston.net (jamie@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.3/8.14.3) with ESMTP id nB3HeK02058040; Thu, 3 Dec 2009 17:40:20 GMT (envelope-from jamie@catflap.bishopston.net) Received: (from jamie@localhost) by catflap.bishopston.net (8.14.3/8.12.9/Submit) id nB3HeKbQ058031; Thu, 3 Dec 2009 17:40:20 GMT
From: Jamie Landeg Jones Message-Id: <200912031740.nB3HeKbQ058031@catflap.bishopston.net> Date: Thu, 03 Dec 2009 17:40:20 +0000 Organization: http://www.bishopston.com/jamie/ To: ml@netfence.it, freebsd-security@freebsd.org References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <200912031455.nB3EtriT031315@catflap.bishopston.net> <4B17D4B9.103@netfence.it> In-Reply-To: <4B17D4B9.103@netfence.it> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.2 (catflap.bishopston.net [127.0.0.1]); Thu, 03 Dec 2009 17:40:20 +0000 (GMT) X-Virus-Scanned: clamav-milter 0.95.2 at catflap.bishopston.net X-Virus-Status: Clean Cc: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 17:40:22 -0000

> Jamie Landeg Jones wrote:
>
> > So, yes, FreeBSD 6.3-RELEASE upwards are affected - FreeBSD 6.2 isn't.
>
> Thanks.
> So, is a patch on the way for 6.[34] too?
> I guess the sec team just wanted to get out what they had as soon as
> possible and I agree with them and thanks them.
> But I just need to plan... :-)

I don't know - are they still supported?

Anyway, I just made this patch. I don't have any 6.X machines to test it on, but it should work on 6.3 and 6.4 (put it this way, if it doesn't work it will fail to compile, rather than break your machine!):

Incidentally, I am not part of the official FreeBSD team.

cheers, Jamie

--- rtld.c.orig 2007-07-14 20:04:00.000000000 +0100
+++ rtld.c 2009-12-03 17:29:58.000000000 +0000
@@ -349,11 +349,12 @@ * future processes to honor the potentially un-safe variables. */ if (!trust) { - unsetenv(LD_ "PRELOAD"); - unsetenv(LD_ "LIBMAP"); - unsetenv(LD_ "LIBRARY_PATH"); - unsetenv(LD_ "LIBMAP_DISABLE"); - unsetenv(LD_ "DEBUG"); + if (unsetenv(LD_ "PRELOAD") || unsetenv(LD_ "LIBMAP") || + unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBMAP_DISABLE") || + unsetenv(LD_ "DEBUG")) { + _rtld_error("environment corrupt; aborting"); + die(); + } } ld_debug = getenv(LD_ "DEBUG"); libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL; From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 18:15:38 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1C3D0106566C for ; Thu, 3 Dec 2009 18:15:38 +0000 (UTC) (envelope-from cswiger@mac.com) Received: from asmtpout025.mac.com (asmtpout025.mac.com [17.148.16.100]) by mx1.freebsd.org (Postfix) with ESMTP id 0A18A8FC14 for ; Thu, 3 Dec 2009 18:15:37 +0000 (UTC) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; charset=us-ascii Received: from cswiger1.apple.com ([17.227.140.124]) by asmtp025.mac.com (Sun Java(tm) System Messaging Server 6.3-8.01 (built Dec 16 2008; 32bit)) with ESMTPSA id <0KU3000DT9DEH910@asmtp025.mac.com> for freebsd-security@freebsd.org; Thu, 03 Dec 2009 10:15:15 -0800 (PST) 
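Review bot: the `||` chain in this hunk only compiles where unsetenv() returns an int status; on a libc whose unsetenv() is declared void, as the thread later reports for 6.x with the "void value not ignored as it ought to be" error, the hunk does not build, so a patch offered for 6.3 and 6.4 needs either a version guard or a separate 6.x variant. A second point: because the chain short-circuits at the first failing unsetenv(), the variables after it are left untouched, which is only safe because `die()` follows unconditionally; a one-line comment stating that the abort is load-bearing would stop a later edit from turning `die()` into a warning and leaving the remaining LD_ variables in place.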
From: Chuck Swiger In-reply-to: <4B179B90.10307@netfence.it> Date: Thu, 03 Dec 2009 10:15:14 -0800 Message-id: <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> To: Andrea Venturoli X-Mailer: Apple Mail (2.1077) Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 18:15:38 -0000 Hi-- On Dec 3, 2009, at 3:05 AM, Andrea Venturoli wrote: > Sorry, this might seem a stupid question, but... > In several places I read that FreeBSD 6.x is NOT affected; however, I heard some people discussing how to apply the patch to such systems. So, I'd like to know for sure: is 6.x affected? Is another patch on the way for it? Well, I've tested the exploit and FreeBSD 6.4-STABLE was not vulnerable. Starting with 7.x, rtld was significantly re-written from the prior version, and that re-write included the security vulnerability. The discussion you mention presumably involves checking out the patched version of rtld sources from 7.x or 8 and building+installing that under 6.x. Given that 6.x rtld is the older one with a longer history of security review and doesn't have the current known vulnerability, whereas the new version just got patched and might have other issues lurking, I am happy sticking with 6.x version on my 6.x boxes. 
Regards, -- -Chuck From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 18:29:16 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 14EFD1065676 for ; Thu, 3 Dec 2009 18:29:16 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [IPv6:2001:5c0:1100:200::3]) by mx1.freebsd.org (Postfix) with ESMTP id 9CCE38FC15 for ; Thu, 3 Dec 2009 18:29:15 +0000 (UTC) X-Catflap-Envelope-From: X-Catflap-Envelope-To: freebsd-security@freebsd.org Received: from catflap.bishopston.net (smmsp@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.3/8.14.3) with ESMTP id nB3ITEBa015364; Thu, 3 Dec 2009 18:29:14 GMT (envelope-from jamie@catflap.bishopston.net) Received: (from root@localhost) by catflap.bishopston.net (8.14.3/8.12.9/Submit) id nB3ITEiX015363; Thu, 3 Dec 2009 18:29:14 GMT 
From: Jamie Landeg Jones Message-Id: <200912031829.nB3ITEiX015363@catflap.bishopston.net> Date: Thu, 03 Dec 2009 18:29:14 +0000 Organization: http://www.bishopston.com/jamie/ To: timo.schoeler@riscworks.net, freebsd-security@freebsd.org References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <200912031455.nB3EtriT031315@catflap.bishopston.net> <4B17D39B.5030204@riscworks.net> In-Reply-To: <4B17D39B.5030204@riscworks.net> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.2 (catflap.bishopston.net [127.0.0.1]); Thu, 03 Dec 2009 18:29:14 +0000 (GMT) X-Virus-Scanned: clamav-milter 0.95.2 at catflap.bishopston.net X-Virus-Status: Clean Cc: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 18:29:16 -0000

> So, what would be 'best of practice' to apply the patch to 6.3-RELEASE
> upwards -- is the FreeBSD-7 patch applicable or should one wait for an
> official announcement?

I just noticed that the patch I replied with is basically the same as the FreeBSD-7 patch that was posted. However, as has already been discussed, 6.X isn't exploitable by the posted bug, because the changes to the env functions that allow the exploit to work didn't happen until 7.X.

However, I would certainly apply the patch anyway - basically, the old way was just blindly unsetting environment variables and blindly assuming the unsetting worked. The new way does exactly the same unsetting, but if any of the unsets fails (due to corrupt environment) it aborts.
Just in case there is some other way of exploiting the fact that rtld.c didn't check whether unsetenv was successful (which I bet people are now looking for) I'd apply the patch to 6.3 and 6.4 also, just to be sure. Cheers, Jamie From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 18:32:19 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A11751065693 for ; Thu, 3 Dec 2009 18:32:19 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [IPv6:2001:5c0:1100:200::3]) by mx1.freebsd.org (Postfix) with ESMTP id 995B98FC15 for ; Thu, 3 Dec 2009 18:32:18 +0000 (UTC) X-Catflap-Envelope-From: X-Catflap-Envelope-To: freebsd-security@freebsd.org Received: from catflap.bishopston.net (smmsp@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.3/8.14.3) with ESMTP id nB3IWHrg023457; Thu, 3 Dec 2009 18:32:17 GMT (envelope-from jamie@catflap.bishopston.net) Received: (from root@localhost) by catflap.bishopston.net (8.14.3/8.12.9/Submit) id nB3IWHe5023456; Thu, 3 Dec 2009 18:32:17 GMT 
From: Jamie Landeg Jones Message-Id: <200912031832.nB3IWHe5023456@catflap.bishopston.net> Date: Thu, 03 Dec 2009 18:32:17 +0000 Organization: http://www.bishopston.com/jamie/ To: ml@netfence.it, cswiger@mac.com References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> In-Reply-To: <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.2 (catflap.bishopston.net [127.0.0.1]); Thu, 03 Dec 2009 18:32:18 +0000 (GMT) X-Virus-Scanned: clamav-milter 0.95.2 at catflap.bishopston.net X-Virus-Status: Clean Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 18:32:19 -0000 = From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 18:37:20 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 42527106568F for ; Thu, 3 Dec 2009 18:37:20 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [IPv6:2001:5c0:1100:200::3]) by mx1.freebsd.org (Postfix) with ESMTP id 2B1568FC41 for ; Thu, 3 Dec 2009 18:37:17 +0000 (UTC) X-Catflap-Envelope-From: X-Catflap-Envelope-To: Received: from catflap.bishopston.net (jamie@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.3/8.14.3) with ESMTP id nB3IbFvu036115 for ; Thu, 3 Dec 2009 18:37:15 GMT (envelope-from jamie@catflap.bishopston.net) Received: (from jamie@localhost) by catflap.bishopston.net 
(8.14.3/8.12.9/Submit) id nB3IbEKB036114 for freebsd-security@freebsd.org; Thu, 3 Dec 2009 18:37:14 GMT 
From: Jamie Landeg Jones Message-Id: <200912031837.nB3IbEKB036114@catflap.bishopston.net> Date: Thu, 03 Dec 2009 18:37:14 +0000 Organization: http://www.bishopston.com/jamie/ To: freebsd-security@freebsd.org References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> In-Reply-To: <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.2 (catflap.bishopston.net [127.0.0.1]); Thu, 03 Dec 2009 18:37:15 +0000 (GMT) X-Virus-Scanned: clamav-milter 0.95.2 at catflap.bishopston.net X-Virus-Status: Clean Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 18:37:20 -0000 > The discussion you mention presumably involves checking out the patched version of rtld sources from 7.x or 8 and building+installing that under 6.x. Given that 6.x rtld is the older one with a longer history of security review and doesn't have the current known vulnerability, whereas the new version just got patched and might have other issues lurking, I am happy sticking with 6.x version on my 6.x boxes. Ahhhh, I see. I was looking at the source of rtld.c to check when the change was made that allowed this vulnerability to exist, and that change was from 6.3 onwards. But it seems it's the changes to getenv/unsetenv from 7.0 onwards that cause this to be an exploitable issue. However, I'd still apply the patch in case some other way to exploit the non-checking of the unsetenv return status crops up elsewhere. It can't do any harm. 
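The two patterns discussed in this thread (blindly calling unsetenv() versus checking each call and refusing to continue) as a stand-alone C program. This is an added example written for this archive page; it is not code from the thread, from the posted patch, or from FreeBSD's rtld. It keeps the five LD_ variable names from the quoted patch, adds a getenv() post-condition after each unsetenv() (a loader that later calls getenv() on the same name is exactly what turns a silent unsetenv() failure into a problem), and exercises the failure path with a name that POSIX defines as invalid for unsetenv(). That invalid name is a stand-in so the error branch can be run anywhere; it does not reproduce the corrupt-environment condition from the advisory. The sample environment values are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototypes so the example builds under strict -std=c99 as well;
 * they match the POSIX declarations in <stdlib.h>. */
extern int setenv(const char *name, const char *value, int overwrite);
extern int unsetenv(const char *name);

#define LD_ "LD_"

/* The variables rtld strips for set-user-ID programs, taken from the
 * patch quoted in this thread. */
static const char *const unsafe_vars[] = {
    LD_ "PRELOAD",
    LD_ "LIBMAP",
    LD_ "LIBRARY_PATH",
    LD_ "LIBMAP_DISABLE",
    LD_ "DEBUG",
};
#define N_UNSAFE (sizeof(unsafe_vars) / sizeof(unsafe_vars[0]))

/* Pre-fix pattern: unset and assume it worked. The caller gets no signal
 * about whether a later getenv() will still see the variable. */
void sanitize_env_blind(void)
{
    size_t i;
    for (i = 0; i < N_UNSAFE; i++)
        (void)unsetenv(unsafe_vars[i]);
}

/* Checked pattern: stop at the first unsetenv() that reports an error or
 * leaves the variable visible. Returns 0 on success, -1 on failure. A
 * loader would abort where this returns -1: continuing to run a privileged
 * program that still honours LD_PRELOAD is the exact risk being closed. */
int sanitize_env_checked(const char *const *names, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (unsetenv(names[i]) != 0) {
            fprintf(stderr, "unsetenv(%s) failed: %s\n",
                    names[i], strerror(errno));
            return -1;
        }
        /* Post-condition: verify through the same lookup the program will
         * use later. A zero return from unsetenv() is not proof on its own. */
        if (getenv(names[i]) != NULL) {
            fprintf(stderr, "%s still present after unsetenv()\n", names[i]);
            return -1;
        }
    }
    return 0;
}

/* Convenience wrapper over the rtld variable list. */
int sanitize_unsafe_vars(void)
{
    return sanitize_env_checked(unsafe_vars, N_UNSAFE);
}

int main(void)
{
    /* Constructed environment: a caller set loader variables. */
    setenv(LD_ "PRELOAD", "/tmp/example.so", 1);   /* constructed value */
    setenv(LD_ "LIBRARY_PATH", "/tmp", 1);          /* constructed value */

    sanitize_env_blind();
    puts("blind sanitizer: no status available to check");

    setenv(LD_ "PRELOAD", "/tmp/example.so", 1);   /* constructed value */
    if (sanitize_unsafe_vars() != 0) {
        fputs("environment corrupt; aborting\n", stderr);
        return 1;
    }
    printf("LD_PRELOAD after checked sanitizing: %s\n",
           getenv(LD_ "PRELOAD") ? "still set" : "gone");

    /* Failure path, using a name POSIX rejects (it contains '='), as a
     * stand-in for the corrupt-environment case from the advisory. */
    {
        const char *const bad[] = { "LD_=BROKEN" };
        printf("checked sanitizer on an invalid name returns %d\n",
               sanitize_env_checked(bad, 1));
    }
    return 0;
}
```

The getenv() post-condition is the part worth keeping even on a libc where unsetenv() always succeeds: it checks the property the program actually depends on (the variable is gone from the lookup path) rather than a return code that describes what the library believes it did.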
From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:01:58 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 02421106566B for ; Thu, 3 Dec 2009 19:01:58 +0000 (UTC) (envelope-from pieter@thedarkside.nl) Received: from mail.thelostparadise.com (router.thelostparadise.com [IPv6:2a02:898:0:30::30:1]) by mx1.freebsd.org (Postfix) with ESMTP id 988CF8FC13 for ; Thu, 3 Dec 2009 19:01:57 +0000 (UTC) Received: from [192.168.1.13] (home [85.145.92.158]) by mail.thelostparadise.com (Postfix) with ESMTP id 2BBA461C4B; Thu, 3 Dec 2009 20:01:30 +0100 (CET) Message-ID: <4B180B03.1040405@thedarkside.nl> Date: Thu, 03 Dec 2009 20:01:23 +0100 
From: Pieter de Boer User-Agent: Thunderbird 2.0.0.23 (X11/20090907) MIME-Version: 1.0 To: Jamie Landeg Jones References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> <200912031837.nB3IbEKB036114@catflap.bishopston.net> In-Reply-To: <200912031837.nB3IbEKB036114@catflap.bishopston.net> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 19:01:58 -0000 Jamie Landeg Jones wrote: > > However, I'd still apply the patch in case some other way to exploit > the non-checking of the unsetenv return status crops up elsewhere. > > It can't do any harm. The problem with that is, on 6.x, unsetenv() returns 'void', so there's no return value to check on. On 6.x (I've looked at 6.4-RELEASE-p7, it may be different in other versions), the unsetenv() uses __findenv() in a while loop to remove the given setting. The getenv() function also uses __findenv() to find the given environment setting. The issue described in the advisory simply doesn't exist in 6(.4-RELEASE-p7). 
-- Pieter From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:06:45 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 628621065672 for ; Thu, 3 Dec 2009 19:06:45 +0000 (UTC) (envelope-from timo.schoeler@riscworks.net) Received: from tydirium.riscworks.net (tydirium.riscworks.net [213.73.89.76]) by mx1.freebsd.org (Postfix) with ESMTP id 181DA8FC16 for ; Thu, 3 Dec 2009 19:06:44 +0000 (UTC) Received: by tydirium.riscworks.net (Postfix, from userid 65534) id 051BC142765; Thu, 3 Dec 2009 20:06:15 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on tydirium.riscworks.net X-Spam-Level: X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL autolearn=failed version=3.2.5 Received: from relentless.interdotnet.de (95-89-45-47-dynip.superkabel.de [95.89.45.47]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tydirium.riscworks.net (Postfix) with ESMTPSA id 85E3E142731 for ; Thu, 3 Dec 2009 20:06:12 +0100 (CET) Message-ID: <4B180C40.3040001@riscworks.net> Date: Thu, 03 Dec 2009 20:06:40 +0100 
From: Timo Schoeler User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4pre) Gecko/20090922 Fedora/3.0-3.9.b4.fc12 Thunderbird/3.0b4 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> <200912031837.nB3IbEKB036114@catflap.bishopston.net> <4B180B03.1040405@thedarkside.nl> In-Reply-To: <4B180B03.1040405@thedarkside.nl> X-Enigmail-Version: 0.97a Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 19:06:45 -0000 On 12/03/2009 08:01 PM, Pieter de Boer wrote: > Jamie Landeg Jones wrote: >> >> However, I'd still apply the patch in case some other way to exploit >> the non-checking of the unsetenv return status crops up elsewhere. >> >> It can't do any harm. > > The problem with that is, on 6.x, unsetenv() returns 'void', so there's > no return value to check on. > > On 6.x (I've looked at 6.4-RELEASE-p7, it may be different in other > versions), the unsetenv() uses __findenv() in a while loop to remove the > given setting. The getenv() function also uses __findenv() to find the > given environment setting. The issue described in the advisory simply > doesn't exist in 6(.4-RELEASE-p7). 
patch doesn't complain on the diff, but compiling gives me the following error on 6.4-STABLE (i386):

# make depend
rm -f .depend
mkdep -f .depend -a -DFREEBSD_ELF -DIN_RTLD -I/usr/src/libexec/rtld-elf/i386 -I/usr/src/libexec/rtld-elf -DPIC /usr/src/libexec/rtld-elf/i386/rtld_start.S /usr/src/libexec/rtld-elf/i386/reloc.c /usr/src/libexec/rtld-elf/rtld.c /usr/src/libexec/rtld-elf/rtld_lock.c /usr/src/libexec/rtld-elf/map_object.c /usr/src/libexec/rtld-elf/malloc.c /usr/src/libexec/rtld-elf/xmalloc.c /usr/src/libexec/rtld-elf/debug.c /usr/src/libexec/rtld-elf/libmap.c
echo ld-elf.so.1: /usr/lib/libc_pic.a >> .depend
test# make
cc -O2 -fno-strict-aliasing -pipe -Wall -DFREEBSD_ELF -DIN_RTLD -I/usr/src/libexec/rtld-elf/i386 -I/usr/src/libexec/rtld-elf -elf -fpic -DPIC -std=gnu99 -Wformat=2 -Wno-format-extra-args -Werror -c /usr/src/libexec/rtld-elf/i386/rtld_start.S
cc -O2 -fno-strict-aliasing -pipe -Wall -DFREEBSD_ELF -DIN_RTLD -I/usr/src/libexec/rtld-elf/i386 -I/usr/src/libexec/rtld-elf -elf -fpic -DPIC -std=gnu99 -Wformat=2 -Wno-format-extra-args -Werror -c /usr/src/libexec/rtld-elf/i386/reloc.c
cc -O2 -fno-strict-aliasing -pipe -Wall -DFREEBSD_ELF -DIN_RTLD -I/usr/src/libexec/rtld-elf/i386 -I/usr/src/libexec/rtld-elf -elf -fpic -DPIC -std=gnu99 -Wformat=2 -Wno-format-extra-args -Werror -c /usr/src/libexec/rtld-elf/rtld.c
/usr/src/libexec/rtld-elf/rtld.c: In function `_rtld':
/usr/src/libexec/rtld-elf/rtld.c:352: error: void value not ignored as it ought to be
/usr/src/libexec/rtld-elf/rtld.c:352: error: void value not ignored as it ought to be
/usr/src/libexec/rtld-elf/rtld.c:353: error: void value not ignored as it ought to be
/usr/src/libexec/rtld-elf/rtld.c:353: error: void value not ignored as it ought to be
/usr/src/libexec/rtld-elf/rtld.c:354: error: void value not ignored as it ought to be
*** Error code 1

Stop in /usr/src/libexec/rtld-elf.
# Best, Timo From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:10:16 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 61D38106568B for ; Thu, 3 Dec 2009 19:10:16 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [IPv6:2001:5c0:1100:200::3]) by mx1.freebsd.org (Postfix) with ESMTP id D3CB28FC08 for ; Thu, 3 Dec 2009 19:10:15 +0000 (UTC) X-Catflap-Envelope-From: X-Catflap-Envelope-To: freebsd-security@freebsd.org Received: from catflap.bishopston.net (jamie@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.3/8.14.3) with ESMTP id nB3JAE8n028481; Thu, 3 Dec 2009 19:10:14 GMT (envelope-from jamie@catflap.bishopston.net) Received: (from jamie@localhost) by catflap.bishopston.net (8.14.3/8.12.9/Submit) id nB3JAEKj028478; Thu, 3 Dec 2009 19:10:14 GMT 
From: Jamie Landeg Jones Message-Id: <200912031910.nB3JAEKj028478@catflap.bishopston.net> Date: Thu, 03 Dec 2009 19:10:14 +0000 Organization: http://www.bishopston.com/jamie/ To: timo.schoeler@riscworks.net, freebsd-security@freebsd.org References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> <200912031837.nB3IbEKB036114@catflap.bishopston.net> <4B180B03.1040405@thedarkside.nl> <4B180C40.3040001@riscworks.net> In-Reply-To: <4B180C40.3040001@riscworks.net> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.2 (catflap.bishopston.net [127.0.0.1]); Thu, 03 Dec 2009 19:10:14 +0000 (GMT) X-Virus-Scanned: clamav-milter 0.95.2 at catflap.bishopston.net X-Virus-Status: Clean Cc: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 19:10:16 -0000 > > On 12/03/2009 08:01 PM, Pieter de Boer wrote: > > Jamie Landeg Jones wrote: > >> > >> However, I'd still apply the patch in case some other way to exploit > >> the non-checking of the unsetenv return status crops up elsewhere. > >> > >> It can't do any harm. > > > > The problem with that is, on 6.x, unsetenv() returns 'void', so there's > > no return value to check on. As Pieter pointed out, unsetenv returns 'void', so checking for a return value (like that patch does) doesn't make sense. Sorry for wasting your time - the patch is not necessary (and won't even work) on 6.X systems, as you've discovered. Your system is safe from this attack, and any related ones. 
Jamie From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:32:48 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4110E1065672 for ; Thu, 3 Dec 2009 19:32:48 +0000 (UTC) (envelope-from timo.schoeler@riscworks.net) Received: from tydirium.riscworks.net (tydirium.riscworks.net [213.73.89.76]) by mx1.freebsd.org (Postfix) with ESMTP id EC7AE8FC17 for ; Thu, 3 Dec 2009 19:32:47 +0000 (UTC) Received: by tydirium.riscworks.net (Postfix, from userid 65534) id 4253214276D; Thu, 3 Dec 2009 20:32:17 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on tydirium.riscworks.net X-Spam-Level: X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL autolearn=failed version=3.2.5 Received: from relentless.interdotnet.de (95-89-45-47-dynip.superkabel.de [95.89.45.47]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tydirium.riscworks.net (Postfix) with ESMTPSA id 2F2CA142731 for ; Thu, 3 Dec 2009 20:32:13 +0100 (CET) Message-ID: <4B181258.9060607@riscworks.net> Date: Thu, 03 Dec 2009 20:32:40 +0100 
From: Timo Schoeler User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4pre) Gecko/20090922 Fedora/3.0-3.9.b4.fc12 Thunderbird/3.0b4 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> <200912031837.nB3IbEKB036114@catflap.bishopston.net> <4B180B03.1040405@thedarkside.nl> <4B180C40.3040001@riscworks.net> <20091203191506.GA24957@citylink.fud.org.nz> In-Reply-To: <20091203191506.GA24957@citylink.fud.org.nz> X-Enigmail-Version: 0.97a Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 19:32:48 -0000 On 12/03/2009 08:15 PM, Andrew Thompson wrote: > On Thu, Dec 03, 2009 at 08:06:40PM +0100, Timo Schoeler wrote: >> On 12/03/2009 08:01 PM, Pieter de Boer wrote: >>> Jamie Landeg Jones wrote: >>>> >>>> However, I'd still apply the patch in case some other way to exploit >>>> the non-checking of the unsetenv return status crops up elsewhere. >>>> >>>> It can't do any harm. >>> >>> The problem with that is, on 6.x, unsetenv() returns 'void', so there's >>> no return value to check on. >>> >>> On 6.x (I've looked at 6.4-RELEASE-p7, it may be different in other >>> versions), the unsetenv() uses __findenv() in a while loop to remove the >>> given setting. The getenv() function also uses __findenv() to find the >>> given environment setting. The issue described in the advisory simply >>> doesn't exist in 6(.4-RELEASE-p7). >> >> patch doesn't complain on the diff, but compiling gives me the following >> error on 6.4-STABLE (i386): > > To quote the advisory > > "Affects: FreeBSD 7.0 and later." 
i) there was not a big discussion on this list ii) humans are impeccable From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:33:41 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D40211065672 for ; Thu, 3 Dec 2009 19:33:41 +0000 (UTC) (envelope-from thompsa@nz.FreeBSD.org) Received: from pele.citylink.co.nz (pele.citylink.co.nz [202.8.44.226]) by mx1.freebsd.org (Postfix) with ESMTP id 90CE18FC21 for ; Thu, 3 Dec 2009 19:33:41 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by pele.citylink.co.nz (Postfix) with ESMTP id 018A47B502; Fri, 4 Dec 2009 08:15:11 +1300 (NZDT) X-Virus-Scanned: Debian amavisd-new at citylink.co.nz Received: from pele.citylink.co.nz ([127.0.0.1]) by localhost (pele.citylink.co.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CnmgoZSfJnH9; Fri, 4 Dec 2009 08:15:06 +1300 (NZDT) Received: from citylink.fud.org.nz (unknown [202.8.44.45]) by pele.citylink.co.nz (Postfix) with ESMTP; Fri, 4 Dec 2009 08:15:06 +1300 (NZDT) Received: by citylink.fud.org.nz (Postfix, from userid 1001) id 4BB3011475; Fri, 4 Dec 2009 08:15:06 +1300 (NZDT) Date: Fri, 4 Dec 2009 08:15:06 +1300 
From: Andrew Thompson To: Timo Schoeler Message-ID: <20091203191506.GA24957@citylink.fud.org.nz> References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> <200912031837.nB3IbEKB036114@catflap.bishopston.net> <4B180B03.1040405@thedarkside.nl> <4B180C40.3040001@riscworks.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4B180C40.3040001@riscworks.net> User-Agent: Mutt/1.5.17 (2007-11-01) Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 19:33:41 -0000 On Thu, Dec 03, 2009 at 08:06:40PM +0100, Timo Schoeler wrote: > On 12/03/2009 08:01 PM, Pieter de Boer wrote: > > Jamie Landeg Jones wrote: > >> > >> However, I'd still apply the patch in case some other way to exploit > >> the non-checking of the unsetenv return status crops up elsewhere. > >> > >> It can't do any harm. > > > > The problem with that is, on 6.x, unsetenv() returns 'void', so there's > > no return value to check on. > > > > On 6.x (I've looked at 6.4-RELEASE-p7, it may be different in other > > versions), the unsetenv() uses __findenv() in a while loop to remove the > > given setting. The getenv() function also uses __findenv() to find the > > given environment setting. The issue described in the advisory simply > > doesn't exist in 6(.4-RELEASE-p7). > > patch doesn't complain on the diff, but compiling gives me the following > error on 6.4-STABLE (i386): To quote the advisory "Affects: FreeBSD 7.0 and later." 
Andrew From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:49:11 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 04EB61065679 for ; Thu, 3 Dec 2009 19:49:11 +0000 (UTC) (envelope-from lxn.smth@gmail.com) Received: from mail-pz0-f176.google.com (mail-pz0-f176.google.com [209.85.222.176]) by mx1.freebsd.org (Postfix) with ESMTP id CC35F8FC0A for ; Thu, 3 Dec 2009 19:49:10 +0000 (UTC) Received: by pzk6 with SMTP id 6so1613227pzk.29 for ; Thu, 03 Dec 2009 11:49:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=b0gTqyCLhZFw+g6hAOtCYjiyz8jTuVrN5AuV9rd0KMc=; b=Eyqg2rl4CMyfSZZzLduorjGCEgimssn0en5/IUkZ5y4bO8jIXeXQhJogR5qRU869c3 Y1XYd3A9X5GonGAS/FTqbyZIs3LaCKN0cv1RQmCwgoWrhYNHmcicC6aM9jvb2/acICUL DDVEKzs8YWpjXG2RoGQzWY5eoDkOFy4A054Jw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=teJAYe1KgIPgGE2dALJ2HL60nvQBqBYrae2QfnXhC3H9UOfASQpRJ9UYpQEw11ng8P dCh5RCmrvvG87ZHv7f4qL/8cKGxNepObLp9ET2B4KJ57otIbEFT0ZT8GryAtRVBFVUtS cAXeXKwn8zym4WXljjqtC2ETJMLUzM3cmglwY= MIME-Version: 1.0 Received: by 10.142.247.5 with SMTP id u5mr254179wfh.333.1259869747026; Thu, 03 Dec 2009 11:49:07 -0800 (PST) In-Reply-To: <200912030930.nB39UhW9038238@freefall.freebsd.org> References: <200912030930.nB39UhW9038238@freefall.freebsd.org> Date: Thu, 3 Dec 2009 11:49:06 -0800 Message-ID: <864f75cb0912031149p64695dd0kd1770348114d6c0c@mail.gmail.com> 
From: lxn smth
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

Can anybody explain why there is no credit section for this advisory?

On Thu, Dec 3, 2009 at 1:30 AM, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:16.rtld                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Improper environment sanitization in rtld(1)
>
> Category:       core
> Module:         rtld
> Announced:      2009-12-03
> Affects:        FreeBSD 7.0 and later.
> Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
>                 2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
>                 2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
> CVE Name:       CVE-2009-4146, CVE-2009-4147
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> The run-time link-editor, rtld, links dynamic executables with their
> needed libraries at run-time.  It also allows users to explicitly
> load libraries via various LD_ environmental variables.
>
> II.  Problem Description
>
> When running setuid programs rtld will normally remove potentially
> dangerous environment variables.  Due to recent changes in FreeBSD
> environment variable handling code, a corrupt environment may
> result in attempts to unset environment variables failing.
>
> III. Impact
>
> An unprivileged user who can execute programs on a system can gain
> the privileges of any setuid program which he can run.  On most
> system configurations, this will allow a local attacker to execute
> code as the root user.
>
> IV.  Workaround
>
> No workaround is available, but systems without untrusted local users,
> where all the untrusted local users are jailed superusers, and/or where
> untrusted users cannot execute arbitrary code (e.g., due to use of read
> only and noexec mount options) are not affected.
>
> Note that "untrusted local users" include users with the ability to
> upload and execute web scripts (CGI, PHP, Python, Perl etc.), as they
> may be able to exploit this issue.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated
> after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.1, 7.2,
> and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 7.x]
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc
>
> [FreeBSD 8.0]
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/libexec/rtld-elf
> # make obj && make depend && make && make install
>
> NOTE: On the amd64 platform, the above procedure will not update the
> ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld).  On
> amd64 systems where the i386 rtld is installed, the operating system
> should instead be recompiled as described in
>
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_7
>   src/libexec/rtld-elf/rtld.c                                     1.124.2.7
> RELENG_7_2
>   src/UPDATING                                               1.507.2.23.2.8
>   src/sys/conf/newvers.sh                                     1.72.2.11.2.9
>   src/libexec/rtld-elf/rtld.c                                 1.124.2.4.2.2
> RELENG_7_1
>   src/UPDATING                                              1.507.2.13.2.12
>   src/sys/conf/newvers.sh                                     1.72.2.9.2.13
>   src/libexec/rtld-elf/rtld.c                                 1.124.2.3.2.2
> RELENG_8
>   src/libexec/rtld-elf/rtld.c                                     1.139.2.4
> RELENG_8_0
>   src/UPDATING                                                1.632.2.7.2.4
>   src/sys/conf/newvers.sh                                      1.83.2.6.2.4
>   src/libexec/rtld-elf/rtld.c                                 1.139.2.2.2.2
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/7/                                                         r199981
> releng/7.2/                                                       r200054
> releng/7.1/                                                       r200054
> stable/8/                                                         r199980
> releng/8.0/                                                       r200054
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4146
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4147
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:16.rtld.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iEUEARECAAYFAksXg/IACgkQFdaIBMps37KrLwCdH4JsCrvdS1RGoGj7MlNgV3+/
> nhYAliVcz9tL8Ll6pYKpIalR740sZ5s=
> =jK/a
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:51:21 2009
From: Jamie Landeg Jones
To: lxn.smth@gmail.com, freebsd-security@freebsd.org
Date: Thu, 03 Dec 2009 19:50:48 +0000
Message-Id: <200912031950.nB3JomQq027755@catflap.bishopston.net>
In-Reply-To: <864f75cb0912031149p64695dd0kd1770348114d6c0c@mail.gmail.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

> Can anybody explain why there is no credit section for this advisory?

Probably because the person who found the bug didn't notify the security
team, but posted it on a public list to gain l33t points.
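The advisory quoted above describes the defect as rtld's unsetenv() calls failing on a corrupt environment without rtld noticing, and Jamie's earlier point was that the return status went unchecked. As an added example (my code, not FreeBSD's rtld or libc), here is how a setuid-style program can scrub its environment without trusting unsetenv() blindly: it refuses a malformed environment outright, checks the unsetenv() return value, and re-reads each name with getenv() so that a libc whose two functions disagree is still caught. The variable list is illustrative (rtld's real list is longer) and both sample environments are constructed.

```c
/* Added example, not FreeBSD's rtld or libc code: environment scrubbing
 * for a setuid-style program that does not trust unsetenv() blindly. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Names that must not survive into a privileged process. Illustrative
 * list only; the real list lives in rtld.c and is longer. */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_LIBMAP", "LD_LIBMAP_DISABLE", NULL
};

/* Count entries of env that are not "NAME=value" (no '=' or empty name).
 * The advisory's "corrupt environment" is exactly such an entry. */
int env_corrupt_entries(char *const *env)
{
    int bad = 0;

    if (env == NULL)
        return 0;
    for (char *const *p = env; *p != NULL; p++) {
        const char *eq = strchr(*p, '=');
        if (eq == NULL || eq == *p)
            bad++;
    }
    return bad;
}

/* Scrub the process environment. Returns 0 if every unsafe name was
 * removed cleanly, -1 if the environment was malformed or an unset did
 * not take effect. In the -1 case the whole environment is dropped
 * (fail closed) rather than letting a tainted variable through. */
int scrub_unsafe_env(void)
{
    static char *empty_env[] = { NULL };
    int rc = 0;

    if (env_corrupt_entries(environ) > 0)
        rc = -1;            /* refuse to reason about a malformed environ */
    for (size_t i = 0; rc == 0 && unsafe_vars[i] != NULL; i++) {
        if (unsetenv(unsafe_vars[i]) != 0)
            rc = -1;        /* libc reported failure: do not ignore it */
        else if (getenv(unsafe_vars[i]) != NULL)
            rc = -1;        /* "success", yet getenv() still finds it */
    }
    if (rc != 0)
        environ = empty_env;
    return rc;
}

/* Install env as the process environment, then scrub it. Convenience
 * wrapper for exercising the scrubber on a constructed environment. */
int scrub_given_env(char **env)
{
    environ = env;
    return scrub_unsafe_env();
}

/* Constructed sample environments (not taken from any real system). */
static char *well_formed_env[] = {
    "PATH=/bin:/usr/bin", "LD_PRELOAD=/tmp/constructed.so", "HOME=/home/u", NULL
};
static char *corrupt_env[] = {
    "PATH=/bin:/usr/bin", "LD_PRELOAD=/tmp/constructed.so", "NOEQUALS", NULL
};

int main(void)
{
    int rc;

    rc = scrub_given_env(well_formed_env);
    printf("well-formed: rc=%d LD_PRELOAD=%s\n", rc,
           getenv("LD_PRELOAD") ? getenv("LD_PRELOAD") : "(unset)");

    rc = scrub_given_env(corrupt_env);
    printf("corrupt: rc=%d LD_PRELOAD=%s entries left=%d\n", rc,
           getenv("LD_PRELOAD") ? getenv("LD_PRELOAD") : "(unset)",
           env_corrupt_entries(environ));
    return 0;
}
```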
From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:13:43 2009
Message-ID: <4B180DE3.9010304@gmail.com>
Date: Thu, 03 Dec 2009 21:13:39 +0200
From: Dmitry Pryanishnikov
To: Jamie Landeg Jones
Cc: freebsd-security@freebsd.org, timo.schoeler@riscworks.net
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

> Just in case there is some other way of exploiting the fact that rtld.c didn't
> check whether unsetenv was successful (which I bet people are now looking for)
> I'd apply the patch to 6.3 and 6.4 also, just to be sure.

Well, they can search as long as they wish - _but_ there's just nothing to
search:

    void
    unsetenv(name)
        const char *name;
    {
        extern char **environ;
        char **p;
        int offset;

        while (__findenv(name, &offset))    /* if set multiple times */
            for (p = &environ[offset];; ++p)
                if (!(*p = *(p + 1)))
                    break;
    }

So unsetenv in 6.* just won't return until __findenv(name) returns NULL - but
then __findenv() will return NULL next time in getenv(name). So we had a
robust, consistent implementation in 6.* and before; now we don't ;(

Sincerely,
Dmitry
--
nic-hdl: LYNX-RIPE

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:21:36 2009
Message-ID: <4B1809BA.2050702@gmail.com>
Date: Thu, 03 Dec 2009 20:55:54 +0200
From: Dmitry Pryanishnikov
To: Jamie Landeg Jones
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

Hello!

> The change that introduced the bug was made as follows:
>
> | Revision 1.124: download - view: text, markup, annotated - select for diffs
> | Thu May 17 18:00:27 2007 UTC (2 years, 6 months ago) by csjp
> | Branches: MAIN
...
> This was also ported MFC'd into 6.3 onwards:
...
> So, yes, FreeBSD 6.3-RELEASE upwards are affected - FreeBSD 6.2 isn't.

Well, not exactly. This change introduces a vulnerability _only_ if the
*env() implementation allows creating an environment in which unsetenv(X)
will fail but getenv(X) will still work. RELENG_6 luckily uses the old,
legacy, but _consistent_ *env() implementation, which just uses the same
variable search routine __findenv() both in getenv() and unsetenv().

So IMHO the advisory is correct, and there is no need to patch 6.*.

Sincerely,
Dmitry
--
nic-hdl: LYNX-RIPE

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 20:28:31 2009
Message-ID: <4B17A0BE.9090502@fer.hr>
Date: Thu, 03 Dec 2009 12:27:58 +0100
From: Ivan Voras
To: Borja Marcos
Cc: freebsd-security@freebsd.org
References: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
Subject: Re: Upcoming FreeBSD Security Advisory

Borja Marcos wrote:
> On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:
>
>> A short time ago a "local root" exploit was posted to the full-disclosure
>> mailing list; as the name suggests, this allows a local user to execute
>> arbitrary code as root.
>
> Dr. Strangelove, or How I learned to love the MAC subsystem.

Hi,

Could you point to, or write, some tutorial-like documentation on how you
use the MAC for this particular purpose? I have tried reading the mac* man
pages several times before, but can't seem to connect the theory described
there with how to apply it in a practical way.

> # uname -a
> FreeBSD test 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri Nov 20 13:20:06 CET 2009
> root@test:/usr/obj/usr/src/sys/TEST amd64
>
>
> $ gcc -o program.o -c program.c -fPIC
> $ gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
> $ ./env
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> # id
> uid=1001(user) gid=1001(user) euid=0(root) groups=1001(portero),0(wheel)
> # /usr/sbin/getpmac
> biba/high(low-high)
>
> And of course it's root.
>
> Now,
>
> $ setpmac biba/low\(low-low\) csh
> %pwd
> /tmp
> %./env
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> #
> ** OMG!! IT WORKED!!.
>
> BUT
>
> # touch /etc/testing_the_exploit
> touch: /etc/testing_the_exploit: Permission denied
> # ls -l /usr/sbin/getpmac
> -r-xr-xr-x  1 root  wheel  7144 May  1  2009 /usr/sbin/getpmac
> # /usr/sbin/getpmac
> biba/low(low-low)
>
> OOHHHHH, we have a toothless root. Maybe a "riit"?
>
>
> Pity these serious security mechanisms don't get a widespread usage.
>
>
> Borja.
>

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 20:43:17 2009
Date: Thu, 3 Dec 2009 20:43:16 GMT
Message-Id: <200912032043.nB3KhGsg062235@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:15.ssl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          SSL protocol flaw

Category:       contrib
Module:         openssl
Announced:      2009-12-03
Credits:        Marsh Ray, Steve Dispensa
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
                2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
                2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)
CVE Name:       CVE-2009-3555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2009-12-03  Initial release.
v1.1  2009-12-03  Corrected instructions in section V.2)b).

I.   Background

The SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
protocols provide a secure communications layer over which other
protocols can be utilized.  The most widespread use of SSL/TLS is to
add security to the HTTP protocol, thus producing HTTPS.

FreeBSD includes software from the OpenSSL Project which implements
SSL and TLS.

II.  Problem Description

The SSL version 3 and TLS protocols support session renegotiation
without cryptographically tying the new session parameters to the old
parameters.

III. Impact

An attacker who can intercept a TCP connection being used for SSL or
TLS can cause the initial session negotiation to take the place of a
session renegotiation.  This can be exploited in several ways,
including:

* Causing a server to interpret incoming messages as having been sent
  under the auspices of a client SSL key when in fact they were not;
* Causing a client request to be appended to an attacker-supplied
  request, potentially revealing to the attacker the contents of the
  client request (including any authentication parameters); and
* Causing a client to receive a response to an attacker-supplied
  request instead of a response to the request sent by the client.

IV.  Workaround

No workaround is available.

V.   Solution

NOTE WELL: This update causes OpenSSL to reject any attempt to
renegotiate SSL / TLS session parameters.  As a result, connections in
which the other party attempts to renegotiate session parameters will
break.  In practice, however, session renegotiation is a rarely-used
feature, so disabling this functionality is unlikely to cause problems
for most systems.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE, or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:15/ssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:15/ssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make includes && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/crypto/openssl/ssl/s3_pkt.c                              1.1.1.10.2.1
  src/crypto/openssl/ssl/s3_srvr.c                             1.1.1.14.2.3
  src/crypto/openssl/ssl/s3_lib.c                              1.1.1.10.2.1
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.12
  src/sys/conf/newvers.sh                                    1.69.2.18.2.14
  src/crypto/openssl/ssl/s3_pkt.c                             1.1.1.10.12.1
  src/crypto/openssl/ssl/s3_srvr.c                         1.1.1.14.2.1.6.2
  src/crypto/openssl/ssl/s3_lib.c                             1.1.1.10.12.1
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.19
  src/sys/conf/newvers.sh                                    1.69.2.15.2.18
  src/crypto/openssl/ssl/s3_pkt.c                             1.1.1.10.10.1
  src/crypto/openssl/ssl/s3_srvr.c                         1.1.1.14.2.1.4.2
  src/crypto/openssl/ssl/s3_lib.c                             1.1.1.10.10.1
RELENG_7
  src/crypto/openssl/ssl/s3_pkt.c                              1.1.1.12.2.1
  src/crypto/openssl/ssl/s3_srvr.c                             1.1.1.17.2.2
  src/crypto/openssl/ssl/s3_lib.c                              1.1.1.13.2.1
RELENG_7_2
  src/UPDATING                                               1.507.2.23.2.8
  src/sys/conf/newvers.sh                                     1.72.2.11.2.9
  src/crypto/openssl/ssl/s3_pkt.c                              1.1.1.12.8.1
  src/crypto/openssl/ssl/s3_srvr.c                         1.1.1.17.2.1.2.1
  src/crypto/openssl/ssl/s3_lib.c                              1.1.1.13.8.1
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.12
  src/sys/conf/newvers.sh                                     1.72.2.9.2.13
  src/crypto/openssl/ssl/s3_pkt.c                              1.1.1.12.6.1
  src/crypto/openssl/ssl/s3_srvr.c                             1.1.1.17.6.2
  src/crypto/openssl/ssl/s3_lib.c                              1.1.1.13.6.1
RELENG_8
  src/crypto/openssl/ssl/s3_pkt.c                                   1.2.2.1
  src/crypto/openssl/ssl/s3_srvr.c                                  1.3.2.1
  src/crypto/openssl/ssl/s3_lib.c                                   1.2.2.1
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.4
  src/sys/conf/newvers.sh                                      1.83.2.6.2.4
  src/crypto/openssl/ssl/s3_pkt.c                                   1.2.4.1
  src/crypto/openssl/ssl/s3_srvr.c                                  1.3.4.1
  src/crypto/openssl/ssl/s3_lib.c                                   1.2.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r200054
releng/6.4/                                                       r200054
releng/6.3/                                                       r200054
stable/7/                                                         r200054
releng/7.2/                                                       r200054
releng/7.1/                                                       r200054
- -------------------------------------------------------------------------

VII. References

http://extendedsubset.com/Renegotiating_TLS.pdf
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:15.ssl.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAksYIm4ACgkQFdaIBMps37J5jwCZAQurPSu2CyGz2thi8ljb+MlF
LcwAnjSLYWT1nV5G9a46n9zcrpEqydJ3
=XuZD
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 22:53:00 2009
Message-ID: <19224.16714.510240.508679@hergotha.csail.mit.edu>
Date: Thu, 3 Dec 2009 17:52:58 -0500
From: Garrett Wollman
To: freebsd-security@freebsd.org
In-Reply-To: <200912030930.nB39UdMK037494@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

< said:

> NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate
> SSL / TLS session parameters. As a result, connections in which the other
> party attempts to renegotiate session parameters will break. In practice,
> however, session renegotiation is a rarely-used feature, so disabling this
> functionality is unlikely to cause problems for most systems.

Actually, pretty much anyone who uses client certificates in an enterprise
environment is likely to have a problem with this, which is why the IETF TLS
working group is working on publishing a protocol fix. It looks like that RFC
should be published, at Proposed Standard, in a few weeks, and most vendors
look prepared to release implementations of the fix immediately thereafter
(as soon as the relevant constants are assigned by IANA).

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Fri Dec 4 10:21:58 2009
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Jamie Landeg Jones References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <200912031455.nB3EtriT031315@catflap.bishopston.net> <4B17D39B.5030204@riscworks.net> <200912031829.nB3ITEiX015363@catflap.bishopston.net> Date: Fri, 04 Dec 2009 11:21:57 +0100 In-Reply-To: <200912031829.nB3ITEiX015363@catflap.bishopston.net> (Jamie Landeg Jones's message of "Thu, 03 Dec 2009 18:29:14 +0000") Message-ID: <86ljhjvy2i.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.95 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org, timo.schoeler@riscworks.net Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Dec 2009 10:21:58 -0000 Jamie Landeg Jones writes: > However, I would certainly apply the patch anyway - basically, the old way > was just blindly unsetting environment variables and blindly assuming the > unsetting worked. It won't build. > Just in case there is some other way of exploiting the fact that rtld.c d= idn't > check whether unsetenv was successful (which I bet people are now looking= for) > I'd apply the patch to 6.3 and 6.4 also, just to be sure. It won't build. 
from in stable/6: void unsetenv(const char *); DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Fri Dec 4 10:26:59 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7B5A11065670 for ; Fri, 4 Dec 2009 10:26:59 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id 3ADED8FC0A for ; Fri, 4 Dec 2009 10:26:58 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 4426C6D41B; Fri, 4 Dec 2009 10:26:58 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 17701844E9; Fri, 4 Dec 2009 11:26:58 +0100 (CET) 
From: Dag-Erling Smørgrav
To: Timo Schoeler
Cc: freebsd-security@freebsd.org
Date: Fri, 04 Dec 2009 11:26:58 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Message-ID: <86hbs7vxu5.fsf@ds4.des.no>
In-Reply-To: <4B181258.9060607@riscworks.net> (Timo Schoeler's message of "Thu, 03 Dec 2009 20:32:40 +0100")
References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> <200912031837.nB3IbEKB036114@catflap.bishopston.net> <4B180B03.1040405@thedarkside.nl> <4B180C40.3040001@riscworks.net> <20091203191506.GA24957@citylink.fud.org.nz> <4B181258.9060607@riscworks.net>

Timo Schoeler writes:
> ii) humans are impeccable

Hmm... I don't think that means what you think it means.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Date: Fri, 4 Dec 2009 19:07:28 +0100
Message-ID: <12373a410912041007u3a1f810eu63e7081fdde56a17@mail.gmail.com>
From: Nikolaos Rangos
To: FreeBSD-security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
X-List-Received-Date: Fri, 04 Dec 2009 18:31:30 -0000

Hello all,

First of all, this was a really quick patch time for the rtld bug. Nevertheless I have to say some things about the patch.

In my eyes the first quick patch sent out in the first place when the exploit was posted on bugtraq did for sure fix the bug that let one slip through rtld and become root. I don't think the final patch did patch the root cause though. I know it's up to the FreeBSD Team to give out advisories and patch bugs; I just give my opinion on the bug here.

unsetenv FAILS to unset the environment variable, so why is this? Because of the bug that lets one corrupt the environment. So in my opinion it is not sufficient to patch a code line in one place and leave other instances, where this bug may happen, open to the bug. Env calls are used widely.

I did some more auditing and found out that putenv and setenv also FAIL on setting environment variables when the environ array variable is modified directly to corrupt the environment. So it would be possible to set an environment variable which in this case is not UNSETTABLE or SETTABLE (unsetenv and putenv/setenv respectively); in my eyes this is a bad behaviour of the environment handling routines introduced recently in FreeBSD. So the bug is not only in not checking the return values, but also in the code that lets one refuse to set or unset envvars. I do my best to understand it correctly but may be wrong on this.

I would be glad to see this fixed soon if it has not happened to this day, but as I said it's up to the FreeBSD Team, which did a great job here.

Regards,
Nikolaos Rangos

From: Dmitry Pryanishnikov
To: Nikolaos Rangos
Cc: freebsd-security@freebsd.org
Date: Sat, 05 Dec 2009 00:30:39 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Message-ID: <4B198D8F.9000400@gmail.com>

Hello!

> So it would be possible to set an environment variable which in this case
> is not UNSETTABLE or SETTABLE (unsetenv and putenv/setenv respectively), in
> my eyes this is a bad behaviour of the environment handling routines
> introduced recently in FreeBSD.

Yes, this is a very dangerous situation, when an environment variable can't be unset yet can be read. I would only understand that if we supported read-only variables. But officially we don't have them, yet virtually they can exist due to the corrupted environment ;(

Generally speaking, IMHO, having a destroying function that can fail is the thing which should be avoided if possible. Imagine free() which could fail... Sounds really weird, but current unsetenv() behaviour resembles that.

Sincerely,
Dmitry
-- 
nic-hdl: LYNX-RIPE
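The two points made above by Nikolaos Rangos (rtld assumed unsetenv() worked, and on a corrupted environ the env routines can fail) and by Dmitry Pryanishnikov (a destroying call that can fail must not be trusted blindly) suggest the defensive pattern below. This is an added example, not code from FreeBSD's rtld or from anyone in this thread: it checks unsetenv(3)'s return value, re-checks with getenv() that the variable is really gone, and has the caller fail closed. It assumes the POSIX int-returning unsetenv(3); the names scrub_env_with(), scrub_env(), scrub_env_demo(), scrub_env_simulated_failure(), the UNSAFE_VARS list and the failing_unsetenv() stand-in are all constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Signature of unsetenv(3) as POSIX declares it: returns 0 or -1. */
typedef int (*unsetenv_fn)(const char *);

/* Constructed list of variables a privileged program must not inherit.
 * FreeBSD's rtld keeps its own list; these names exist only for this example. */
static const char *const UNSAFE_VARS[] = {
    "EXAMPLE_LIBRARY_PATH",
    "EXAMPLE_PRELOAD",
    "EXAMPLE_DEBUG",
    NULL
};

/*
 * Remove every name in names[] with the supplied unsetenv implementation.
 * Returns 0 only when each call reported success AND getenv() confirms the
 * variable is gone; otherwise returns the 1-based index of the first variable
 * that survived, so the caller can name it in its error message.
 */
int scrub_env_with(unsetenv_fn unset, const char *const names[])
{
    for (size_t i = 0; names[i] != NULL; i++) {
        if (unset(names[i]) != 0)
            return (int)i + 1;          /* the call itself reported failure */
        if (getenv(names[i]) != NULL)
            return (int)i + 1;          /* "succeeded" but still readable */
    }
    return 0;
}

/* Production entry point: the real unsetenv(3) over the fixed list. */
int scrub_env(void)
{
    return scrub_env_with(unsetenv, UNSAFE_VARS);
}

/* Constructed demo: plant one unsafe variable, scrub, and report.
 * Returns 0 on success, 1 if scrubbing reported failure, 2 if it reported
 * success but the variable is still visible, -1 if setup itself failed. */
int scrub_env_demo(void)
{
    if (setenv("EXAMPLE_PRELOAD", "/constructed/path/example.so", 1) != 0)
        return -1;
    if (scrub_env() != 0)
        return 1;
    return getenv("EXAMPLE_PRELOAD") != NULL ? 2 : 0;
}

/* Stand-in for a libc whose unsetenv() fails on a corrupted environment,
 * so the fail-closed path can be exercised without corrupting anything. */
static int failing_unsetenv(const char *name)
{
    (void)name;
    errno = EINVAL;
    return -1;
}

/* Exercises the failure path; with the stand-in every call fails, so the
 * first variable (index 1) is reported. */
int scrub_env_simulated_failure(void)
{
    return scrub_env_with(failing_unsetenv, UNSAFE_VARS);
}

int main(void)
{
    int rc = scrub_env_demo();
    if (rc != 0) {
        /* Fail closed: a privileged program must not continue with an
         * environment it could not clean. */
        fprintf(stderr, "fatal: environment scrub failed (code %d)\n", rc);
        return 1;
    }
    rc = scrub_env_simulated_failure();
    printf("simulated corrupt-environment scrub stopped at variable #%d (%s)\n",
           rc, rc > 0 ? UNSAFE_VARS[rc - 1] : "(none)");
    return 0;
}
```

The getenv() post-condition is what turns "the call said it worked" into "the variable is really gone", and treating any non-zero result as fatal is the fail-closed behaviour a privileged program needs. The function-pointer type assumes unsetenv() returns int, which is exactly why Dag-Erling notes above that a patch checking its return value will not build against stable/6, where it is declared void.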
From: Michal
To: freebsd-security@freebsd.org
Date: Sat, 05 Dec 2009 22:02:23 +0000
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl
Message-ID: <4B1AD86F.8090907@infosec.pl>
In-Reply-To: <200912030930.nB39UdMK037494@freefall.freebsd.org>
References: <200912030930.nB39UdMK037494@freefall.freebsd.org>

FreeBSD Security Advisories wrote:
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/secure/lib/libcrypto
> # make obj && make depend && make includes && make && make install
>
> NOTE: On the amd64 platform, the above procedure will not update the
> lib32 (i386 compatibility) libraries. On amd64 systems where the i386
> compatibility libraries are used, the operating system should instead
> be recompiled as described in
>

Don't quite understand - do we really have to rebuild and reinstall the whole world on amd64 just to update these libraries? Rebuilding is not a problem here, but reinstalling can be painful because of host-based IDS, custom chflags and so on. Looks like a terrible waste of resources. Is there a way to reinstall just these libraries, or to get them from the net in a secure manner, i.e. signed?

Cheers.
Michal
-- 
"Lost time is never found again." -Benjamin Franklin