From owner-freebsd-security Tue Oct 21 19:53:50 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA28874 for security-outgoing; Tue, 21 Oct 1997 19:53:50 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from gras-varg.worldgate.com (skafte@gras-varg.worldgate.com [198.161.84.12]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA28869 for ; Tue, 21 Oct 1997 19:53:47 -0700 (PDT) (envelope-from skafte@worldgate.com) Received: (from skafte@localhost) by gras-varg.worldgate.com (8.8.7/8.6.12) id UAA10211; Tue, 21 Oct 1997 20:53:31 -0600 (MDT) Message-ID: <19971021205331.53826@worldgate.com> Date: Tue, 21 Oct 1997 20:53:31 -0600 
From: Greg Skafte To: freebsd-security@FreeBSD.ORG Subject: Re: C2 Trusted FreeBSD? References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.84 In-Reply-To: ; from Aleph One on Tue, Oct 14, 1997 at 12:54:34PM -0500 Organization: WorldGate Inc. X-PGP-Fingerprint: 42 9C 2C A8 4D 2B C9 C4 7D B6 00 B0 50 47 20 97 X-URL: http://gras-varg.worldgate.com/~skafte Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Quoting Aleph One (aleph1@dfw.net) On Subject: Re: C2 Trusted FreeBSD? Date: Tue, Oct 14, 1997 at 12:54:34PM -0500

> On Tue, 14 Oct 1997, Brian Beattie wrote:
>
> > Most of the people involved in INFOSEC are absolutely "head over heels" in
> > love with ACLs, big ACLs. I am not convinced of their utility in the
> > real world, especially with supplementary groups. If I were designing a B1
> > UNIX system I would not change the current access control design.
>
> The problem with ACLs is not its nature but the fact that if you
> implement them under UNIX nothing knows how to handle them. For example
> you would need to modify ls to show them, you need to modify cp to copy
> them, your programs need to be aware of ACL directory inheritance, etc.
> This is not a problem when you are designing a new OS and people will have
> to learn the new API (e.g. Windows NT) but if you are trying to maintain
> compatibility with other unixes or try to port random programs it becomes
> a pain. HP-UX has had ACLs for quite some time now but no one uses them
> just because of this.

Back in a former life, when I worked for a company that had an HP, I set up extended ACLs all the time; it was very handy for controlling access to things like web directories (i.e. yes, everyone was part of group http, but then with the extended ACL I could force things to g=rwx and still control who could read or write to a specific tree). ACLs take some extra time and effort, but in the long term I found them wonderful...
--
Email: skafte@worldgate.com Voice: +403 413 1910 Fax: +403 421 4929
#575 Sun Life Place * 10123 99 Street * Edmonton, AB * Canada * T5J 3H1
--
When things can't get any worse, they simplify themselves by getting a whole lot worse than complicated. A complete and utter disaster is the simplest thing in the world; it's preventing one that's complex. (Janet Morris)

From owner-freebsd-security Wed Oct 22 22:01:03 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA28717 for security-outgoing; Wed, 22 Oct 1997 22:01:03 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA28712 for ; Wed, 22 Oct 1997 22:01:02 -0700 (PDT) (envelope-from dima@burka.rdy.com) Received: by burka.rdy.com id WAA11569; (8.8.7/RDY) Wed, 22 Oct 1997 22:00:53 -0700 (PDT) Message-Id: <199710230500.WAA11569@burka.rdy.com> Subject: BoS: Possible SERIOUS bug in open()? (fwd) To: security@freebsd.org Date: Wed, 22 Oct 1997 22:00:52 -0700 (PDT) X-Class: Fast Organization: HackerDome Reply-To: dima@best.net
From: dima@best.net (Dima Ruban) X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk ----- Forwarded message from explorer@flame.org ----- >From burka.rdy.com!cyber.com.au!best-of-security-request Wed Oct 22 20:45:55 1997 Received: from flea.best.net by burka.rdy.com with ESMTP id UAA11248; (8.8.7/RDY) Wed, 22 Oct 1997 20:45:48 -0700 (PDT) Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24]) by flea.best.net (8.8.7/8.7.3) with ESMTP id UAA24740; Wed, 22 Oct 1997 20:44:57 -0700 (PDT) Received: (from slist@localhost) by plum.cyber.com.au (8.8.6/8.8.6) id MAA22418; Thu, 23 Oct 1997 12:13:42 +1000 (EST) Resent-Date: Thu, 23 Oct 1997 12:13:42 +1000 (EST) Date: 17 Oct 1997 10:42:13 -0000 Message-ID: <19971017104213.11040.qmail@kechara.flame.org> From: explorer@flame.org Sender: darrenr@cyber.com.au Old-Status: O Old-X-Originally-To: To: developers@NetBSD.ORG Old-X-Originated-From: 
From: explorer@flame.org Resent-Message-ID: <"4heHGD.A.NVC.gSjT0"@plum> X-Loop: best-of-security@cyber.com.au Errors-To: best-of-security-request@cyber.com.au Precedence: list Resent-Sender: best-of-security-request@cyber.com.au To: best-of-security@cyber.com.au Resent-From: best-of-security@cyber.com.au X-Mailing-List: ftp://ftp.cyber.com.au/pub/archive/b-o-s/ X-Subscription: To unsubscribe from this fine mailing list mail best-of-security-request@cyber.com.au with Subject: unsubscribe Subject: BoS: Possible SERIOUS bug in open()?

This was sent to me recently... It seems to be a pretty serious hole in open() and permissions... Note, in the following, open() succeeds, and ioctls are probably executed...

    /*
     * This will give you a file descriptor on a device you should not have
     * access to. This seems really, really screwed up, since holding a fd
     * lets you do a lot of ioctls that you should not be able to do...
     */
    /* The header names were lost in the archived copy; these are the
     * ones the code needs: open(2) from <fcntl.h>, err(3) from <err.h>. */
    #include <sys/types.h>
    #include <fcntl.h>
    #include <err.h>
    #include <unistd.h>

    int
    main(int argc, char **argv)
    {
            int fd;

            /* -1 is not a valid O_RDONLY/O_WRONLY/O_RDWR value, yet the open succeeds */
            fd = open("/dev/rsd0a", -1, 0);
            if (fd < 0)
                    err(1, "open");
            return (0);
    }

----- End of forwarded message from explorer@flame.org -----

--
dima

From owner-freebsd-security Wed Oct 22 23:38:59 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA03083 for security-outgoing; Wed, 22 Oct 1997 23:38:59 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from joshua.enteract.com (joshua.enteract.com [207.229.129.5]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id XAA03078 for ; Wed, 22 Oct 1997 23:38:47 -0700 (PDT) (envelope-from tqbf@joshua.enteract.com)
From: tqbf@joshua.enteract.com Received: (qmail 19964 invoked by uid 1004); 23 Oct 1997 06:36:36 -0000 Date: 23 Oct 1997 06:36:36 -0000 Message-ID: <19971023063636.19963.qmail@joshua.enteract.com> To: dima@best.net, freebsd-security@freebsd.org Subject: Re: BoS: Possible SERIOUS bug in open()? (fwd) In-Reply-To: <199710230500.WAA11569@burka.rdy.com> Reply-To: tqbf@enteract.com Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

In muc.lists.freebsd.security, you wrote:
> fd = open("/dev/rsd0a", -1, 0);

Yep. This definitely works on {Free,Net,Open}BSD.

This is a variant of a bug Theo de Raadt found in SunOS back in the 1980s. The basic issue is that the code that guards access to the device-specific open() routine checks explicitly for FREAD, FWRITE, and O_TRUNC, and passes the call through if none of these are set. Theo's bug involved using "3" for the open() flag.

The problem here is that before calls to open() are even passed to the vnode open() routine (after the vnode is looked up by the generic vfs_syscalls open() syscall handler), the flags field is incremented by one:

    vfs_syscalls.c:open()

    ...

    flags = FFLAGS(uap->flags);

    ...

where FFLAGS() is:

    ./sys/fcntl.h:#define FFLAGS(oflags) ((oflags) + 1)

As you can see, passing a "-1" to open() will result in "flags" becoming "0" - open() ordinarily never passes "0" to the vnode code, since "0" becomes "1" after being converted to fflags format.

A fun game you can play with practically no programming ability is to exploit the fact that some devices will initialize themselves immediately upon being opened - particularly amusing is the SCSI tape driver, sys/scsi/st.c, which will rewind itself when opened. Simply run the previously posted example code on /dev/rst0 and destroy tonight's backup.

If you want to hack this fixed in FreeBSD, you can apply the enclosed diff to your kernel; this is a total hack, and someone else will provide a "correct" fix soon enough.
Incidentally, this is yet another piece of evidence supporting the presence of another systemic secure-coding problem - sanity checking integer arguments and guarding against overflow. This is far from the only place that I've seen problems with unexpected interactions owing to surprise negative arguments. Anyone want to take a guess as to what strncpy() does when it gets a negative "count" argument? Think that can't happen? Think pointer arithmetic.

--
-----------------------------------------------------------------------------
Thomas H. Ptacek Secure Networks, Inc.
-----------------------------------------------------------------------------
"mmm... sacrilicious..."

--- vfs_syscalls.c-orig Thu Oct 23 01:21:58 1997
+++ vfs_syscalls.c Thu Oct 23 01:21:19 1997
@@ -690,6 +690,9 @@ return (error); fp = nfp; flags = FFLAGS(uap->flags); + if(!flags) + flags++; + cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p); p->p_dupfd = -indx - 1; /* XXX check for fdopen */

From owner-freebsd-security Thu Oct 23 06:46:53 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id GAA26577 for security-outgoing; Thu, 23 Oct 1997 06:46:53 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA26570 for ; Thu, 23 Oct 1997 06:46:47 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id NAA29448; Thu, 23 Oct 1997 13:46:15 GMT Received: (from eivind@localhost) by bitbox.follo.net (8.8.6/8.8.6) id PAA16163; Thu, 23 Oct 1997 15:46:06 +0200 (MET DST) Date: Thu, 23 Oct 1997 15:46:06 +0200 (MET DST) Message-Id: <199710231346.PAA16163@bitbox.follo.net>
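Review bot: the `if(!flags) flags++;` added right after `flags = FFLAGS(uap->flags);` turns an invalid user-supplied flags value into a read-only open (flags becomes 1, FREAD) instead of rejecting it; the caller passed -1, which is not a valid access mode, so returning an error (EINVAL) before the NDINIT lookup is the safer behaviour, and it also avoids handing out a descriptor with an access mode the caller never asked for. It would be worth checking at the same spot that the translated flags carry at least one of FREAD/FWRITE, since that is the condition the device-open guard actually relies on. Minor style point: `if (!flags)` with a space, as in the surrounding code.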
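An added example, not code from the list thread or from the FreeBSD kernel, modelling the flag translation described above: FFLAGS() adds one to the user's O_* value, so -1 maps to 0, which carries neither FREAD nor FWRITE and therefore slips past a guard that only checks those bits. The macro values mirror the BSD definitions (FREAD = 1, FWRITE = 2, FFLAGS as quoted from sys/fcntl.h); legacy_guard(), patched_guard() and check_open_flags() are hypothetical routines written for this example, not the committed fix. It goes one step beyond the -1 case: under the same translation the value 3 (the one from Theo's SunOS bug mentioned above) also yields a result with no access-mode bit, which the `flags++` hack does not catch but an explicit access-mode check does.

```c
/*
 * Model of the open(2) flag translation discussed in the thread.
 * Constants mirror the BSD definitions; the guard functions are
 * hypothetical stand-ins for the kernel's device-open permission
 * check, not the real code.
 */
#include <errno.h>
#include <stdio.h>

#define FREAD   0x0001          /* kernel-side "opened for reading" */
#define FWRITE  0x0002          /* kernel-side "opened for writing" */
#define FFLAGS(oflags) ((oflags) + 1)   /* as quoted from sys/fcntl.h */

/* Simulates the guard the thread describes: for each of FREAD/FWRITE
 * that is set, the caller must hold the matching permission.  With
 * fflags == 0 nothing is checked at all, which is the bug. */
static int legacy_guard(int fflags, int may_read, int may_write)
{
    if ((fflags & FREAD) && !may_read)
        return EACCES;
    if ((fflags & FWRITE) && !may_write)
        return EACCES;
    return 0;                   /* fflags == 0 falls through to success */
}

/* The quick hack from the posted diff: coerce a zero result to FREAD,
 * so the -1 case is at least read-permission checked. */
static int patched_guard(int oflags, int may_read, int may_write)
{
    int fflags = FFLAGS(oflags);
    if (!fflags)
        fflags++;
    return legacy_guard(fflags, may_read, may_write);
}

/* Hypothetical hardened check: refuse any user value whose translated
 * form has no access mode, before any lookup or device logic runs. */
static int check_open_flags(int oflags)
{
    int fflags = FFLAGS(oflags);
    if ((fflags & (FREAD | FWRITE)) == 0)
        return EINVAL;
    return 0;
}

/* What a hardened open() path would return for a given request. */
static int hardened_guard(int oflags, int may_read, int may_write)
{
    int err = check_open_flags(oflags);
    if (err)
        return err;
    return legacy_guard(FFLAGS(oflags), may_read, may_write);
}

int main(void)
{
    /* Constructed scenario: a caller with neither read nor write
     * permission on the device node tries each access-mode value. */
    int oflags[] = { 0 /* O_RDONLY */, 1 /* O_WRONLY */, 2 /* O_RDWR */,
                     3 /* Theo's SunOS case */, -1 /* this thread */ };
    size_t i;

    printf("oflags  fflags  legacy  patched  hardened\n");
    for (i = 0; i < sizeof oflags / sizeof oflags[0]; i++) {
        int o = oflags[i];
        printf("%6d  %6d  %6d  %7d  %8d\n", o, FFLAGS(o),
               legacy_guard(FFLAGS(o), 0, 0),
               patched_guard(o, 0, 0),
               hardened_guard(o, 0, 0));
    }
    return 0;
}
```

In this model the legacy guard returns 0 (success) for both 3 and -1 even though the caller holds no permission at all; the `flags++` hack closes only the -1 case, while checking for an access-mode bit rejects both with EINVAL at the syscall boundary, which is where a reviewer would want the check.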
From: Eivind Eklund To: tqbf@enteract.com CC: dima@best.net, freebsd-security@FreeBSD.ORG In-reply-to: tqbf@joshua.enteract.com's message of 23 Oct 1997 06:36:36 -0000 Subject: Re: BoS: Possible SERIOUS bug in open()? (fwd) References: <199710230500.WAA11569@burka.rdy.com> <19971023063636.19963.qmail@joshua.enteract.com> Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

> > In muc.lists.freebsd.security, you wrote:
> > fd = open("/dev/rsd0a", -1, 0);
>
> Yep. This definitely works on {Free,Net,Open}BSD.

Joerg Wunsch fixed this yesterday in -current at least.

Eivind.

From owner-freebsd-security Fri Oct 24 03:41:20 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id DAA08283 for security-outgoing; Fri, 24 Oct 1997 03:41:20 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id DAA08278 for ; Fri, 24 Oct 1997 03:41:17 -0700 (PDT) (envelope-from darrenr@cyber.com.au) Received: (from darrenr@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id UAA14898 for security@freebsd.org; Fri, 24 Oct 1997 20:40:57 +1000
From: Darren Reed Message-Id: <199710241040.UAA14898@plum.cyber.com.au> Subject: open(device,-1) bug To: security@freebsd.org Date: Fri, 24 Oct 1997 20:40:56 +1000 (EST) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Is anyone fixing that, or has it been fixed already?

In 2.2.1, it definitely isn't fixed and I don't recall seeing it mentioned in a CVS message....

From owner-freebsd-security Fri Oct 24 05:38:53 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id FAA15488 for security-outgoing; Fri, 24 Oct 1997 05:38:53 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from gresten.dorm10.nctu.edu.tw (sjhuang@gresten.Dorm10.NCTU.edu.tw [140.113.122.17]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id FAA15478 for ; Fri, 24 Oct 1997 05:38:46 -0700 (PDT) (envelope-from sjhuang@gresten.dorm10.nctu.edu.tw) Received: (from sjhuang@localhost) by gresten.dorm10.nctu.edu.tw (8.8.7/8.8.5) id UAA25232 for security@freebsd.org; Fri, 24 Oct 1997 20:32:11 +0800 (CST) Date: Fri, 24 Oct 1997 20:32:11 +0800 (CST)
From: sjhuang Message-Id: <199710241232.UAA25232@gresten.dorm10.nctu.edu.tw> To: security@freebsd.org Subject: send() Denial of Service bug Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Hello, I have found that the flags in send(), with all of them set, can cause an instant reboot, just as when you press the "reset" key on the console. Now, can anyone tell me why this would cause such a problem? I have informed Jordan of this issue and he is fixing this (as he told me).

From owner-freebsd-security Fri Oct 24 06:16:12 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id GAA18290 for security-outgoing; Fri, 24 Oct 1997 06:16:12 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from cs.iastate.edu (root@cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA18283 for ; Fri, 24 Oct 1997 06:16:10 -0700 (PDT) (envelope-from ghelmer@cs.iastate.edu) Received: from popeye.cs.iastate.edu (popeye.cs.iastate.edu [129.186.3.4]) by cs.iastate.edu (8.8.7/8.8.7) with ESMTP id IAA19998; Fri, 24 Oct 1997 08:16:02 -0500 (CDT) Received: from localhost (ghelmer@localhost) by popeye.cs.iastate.edu (8.8.7/8.7.1) with SMTP id IAA01268; Fri, 24 Oct 1997 08:16:01 -0500 (CDT) X-Authentication-Warning: popeye.cs.iastate.edu: ghelmer owned process doing -bs Date: Fri, 24 Oct 1997 08:16:00 -0500 (CDT)
From: Guy Helmer To: Darren Reed cc: security@FreeBSD.ORG Subject: Re: open(device,-1) bug In-Reply-To: <199710241040.UAA14898@plum.cyber.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Fri, 24 Oct 1997, Darren Reed wrote:
> is anyone fixing that or is has it been fixed already ?

Fixed in src/sys/kern/vfs_syscalls.c: version 1.77 in -current, version 1.51.2.6 in RELENG_2_2 (the fix didn't make it in for 2.2.5). See http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/vfs_syscalls.c for details.

Guy Helmer, Computer Science Graduate Student - ghelmer@cs.iastate.edu
Iowa State University http://www.cs.iastate.edu/~ghelmer
Research Assistant, Scalable Computing Laboratory, Ames Laboratory

From owner-freebsd-security Fri Oct 24 07:05:51 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA21243 for security-outgoing; Fri, 24 Oct 1997 07:05:51 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA21236 for ; Fri, 24 Oct 1997 07:05:44 -0700 (PDT) (envelope-from eivind@bitbox.follo.net) Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id OAA16116; Fri, 24 Oct 1997 14:05:36 GMT Received: (from eivind@localhost) by bitbox.follo.net (8.8.6/8.8.6) id QAA03514; Fri, 24 Oct 1997 16:05:35 +0200 (MET DST) Date: Fri, 24 Oct 1997 16:05:35 +0200 (MET DST) Message-Id: <199710241405.QAA03514@bitbox.follo.net>
From: Eivind Eklund To: Darren Reed CC: security@FreeBSD.ORG In-reply-to: Darren Reed's message of Fri, 24 Oct 1997 20:40:56 +1000 (EST) Subject: Re: open(device,-1) bug References: <199710241040.UAA14898@plum.cyber.com.au> Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

> is anyone fixing that or is has it been fixed already ?
>
> in 2.2.1, it definately isn't fixed and I don't recall seeing it
> mentioned in a CVS message....

Has been fixed, both in -current and RELENG_2_2

Joerg did it.

Eivind.

From owner-freebsd-security Fri Oct 24 10:03:46 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA04071 for security-outgoing; Fri, 24 Oct 1997 10:03:46 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA04066 for ; Fri, 24 Oct 1997 10:03:44 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.7/8.6.9) with ESMTP id KAA02762; Fri, 24 Oct 1997 10:03:17 -0700 (PDT) To: sjhuang cc: security@FreeBSD.ORG Subject: Re: send() Denial of Service bug In-reply-to: Your message of "Fri, 24 Oct 1997 20:32:11 +0800." <199710241232.UAA25232@gresten.dorm10.nctu.edu.tw> Date: Fri, 24 Oct 1997 10:03:16 -0700 Message-ID: <2757.877712596@time.cdrom.com>
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

> Hello, i have found the the flags in send() with all of them can
> cause a instant reboot as you press the "reset" key in console.
> And now can anyone tell me why this would cause such problem ,
> i have informed Jordan this issue and he is fixing this(as he told me).

Not me personally, I said we'd work on a fix. :)

Jordan

From owner-freebsd-security Fri Oct 24 10:10:57 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA04461 for security-outgoing; Fri, 24 Oct 1997 10:10:57 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA04453 for ; Fri, 24 Oct 1997 10:10:54 -0700 (PDT) (envelope-from spork@super-g.com) Received: from localhost (spork@localhost) by super-g.inch.com (8.8.7/8.8.5) with SMTP id NAA22575; Fri, 24 Oct 1997 13:08:26 -0400 (EDT) Date: Fri, 24 Oct 1997 13:08:26 -0400 (EDT)
From: spork X-Sender: spork@super-g.inch.com To: tqbf@enteract.com cc: freebsd-security@FreeBSD.ORG Subject: Re: BoS: Possible SERIOUS bug in open()? (fwd) In-Reply-To: <19971023063636.19963.qmail@joshua.enteract.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

I see a fix for RELENG_2_2 at:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/vfs_syscalls.c

but has anyone by chance back-ported this to 2.1.x?

Thanks,

Charles

On 23 Oct 1997 tqbf@joshua.enteract.com wrote:

> In muc.lists.freebsd.security, you wrote:
> > fd = open("/dev/rsd0a", -1, 0);
>
> Yep. This definitely works on {Free,Net,Open}BSD.
>
> This is a variant of a bug Theo de Raadt found in SunOS back in the 1980s.
> The basic issue is that the code that guards access to the device-specific
> open() routine checks explicitly for FREAD, FWRITE, and O_TRUNC, and
> passes the call through if none of these are set. Theo's bug involved
> using "3" for the open() flag.
>
> The problem here is that before calls to open() are even passed to the
> vnode open() routine (after the vnode is looked up by the generic
> vfs_syscalls open() syscall handler), the flags field is incremented by
> one:
>
> vfs_syscalls.c:open()
>
> ...
>
> flags = FFLAGS(uap->flags);
>
> ...
>
> where FFLAGS() is:
>
> ./sys/fcntl.h:#define FFLAGS(oflags) ((oflags) + 1)
>
> As you can see, passing a "-1" to open() will result in "flags" becoming
> "0" - open() ordinarily never passes "0" to the vnode code, since "0"
> becomes "1" after being converted to fflags format.
>
> A fun game you can play with practically no programming ability is to
> exploit the fact that some devices will initialize themselves immediately
> upon being opened - particularly amusing is the SCSI tape driver,
> sys/scsi/st.c, which will rewind itself when opened. Simply run the
> previously posted example code on /dev/rst0 and destroy tonight's backup.
>
> If you want to hack this fixed in FreeBSD, you can apply the enclosed diff
> to your kernel; this is a total hack, and someone else will provide a
> "correct" fix soon enough.
>
> Incidentally, this is yet another piece of evidence supporting the
> presence of another systemic secure-coding problem - sanity checking
> integer arguments and guarding against overflow. This is far from the only
> place that I've seen problems with unexpected interactions owing to
> surprise negative arguments. Anyone want to take a guess as to what
> strncpy() does when it gets a negative "count" argument? Think that can't
> happen? Think pointer arithmetic.
>
> --
> -----------------------------------------------------------------------------
> Thomas H. Ptacek Secure Networks, Inc.
> -----------------------------------------------------------------------------
> "mmm... sacrilicious..."
>
> --- vfs_syscalls.c-orig Thu Oct 23 01:21:58 1997
> +++ vfs_syscalls.c Thu Oct 23 01:21:19 1997
> @@ -690,6 +690,9 @@ > return (error); > fp = nfp; > flags = FFLAGS(uap->flags); > + if(!flags) > + flags++; > + > cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; > NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p); > p->p_dupfd = -indx - 1; /* XXX check for fdopen */
>

From owner-freebsd-security Fri Oct 24 11:47:13 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA10800 for security-outgoing; Fri, 24 Oct 1997 11:47:13 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA10669; Fri, 24 Oct 1997 11:42:58 -0700 (PDT) (envelope-from wosch@cs.tu-berlin.de) Received: from panke.panke.de (anonymous232.ppp.cs.tu-berlin.de [130.149.17.232]) by mail.cs.tu-berlin.de (8.8.6/8.8.7) with ESMTP id UAA12663; Fri, 24 Oct 1997 20:40:14 +0200 (MET DST) Received: (from wosch@localhost) by panke.panke.de (8.8.5/8.6.12) id UAA00853; Fri, 24 Oct 1997 20:21:07 +0200 (MET DST) To: Eivind Eklund Cc: Darren Reed , security@freebsd.org, joerg@freebsd.org Subject: Re: open(device,-1) bug References: <199710241040.UAA14898@plum.cyber.com.au> <199710241405.QAA03514@bitbox.follo.net>
From: Wolfram Schneider Date: 24 Oct 1997 20:21:05 +0200 In-Reply-To: Eivind Eklund's message of Fri, 24 Oct 1997 16:05:35 +0200 (MET DST) Message-ID: Lines: 12 Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Eivind Eklund writes:
> > is anyone fixing that or is has it been fixed already ?
> >
> > in 2.2.1, it definately isn't fixed and I don't recall seeing it
> > mentioned in a CVS message....
> Has been fixed, both in -current and RELENG_2_2
> Joerg did it.

It should be fixed in 2.1.x too.

--
Wolfram Schneider http://www.apfel.de/~wosch/

From owner-freebsd-security Fri Oct 24 11:50:20 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA11045 for security-outgoing; Fri, 24 Oct 1997 11:50:20 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA11034 for ; Fri, 24 Oct 1997 11:50:17 -0700 (PDT) (envelope-from dima@burka.rdy.com) Received: by burka.rdy.com id LAA21178; (8.8.7/RDY) Fri, 24 Oct 1997 11:49:38 -0700 (PDT) Message-Id: <199710241849.LAA21178@burka.rdy.com> Subject: Re: open(device,-1) bug In-Reply-To: <199710241040.UAA14898@plum.cyber.com.au> from Darren Reed at "Oct 24, 97 08:40:56 pm" To: darrenr@cyber.com.au (Darren Reed) Date: Fri, 24 Oct 1997 11:49:37 -0700 (PDT) Cc: security@FreeBSD.ORG X-Class: Fast Organization: HackerDome Reply-To: dima@best.net
From: dima@best.net (Dima Ruban) X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Darren Reed writes:
> is anyone fixing that or is has it been fixed already ?

It was fixed 2 days ago in -current and -stable.

> in 2.2.1, it definately isn't fixed and I don't recall seeing it
> mentioned in a CVS message....

--
dima

From owner-freebsd-security Fri Oct 24 13:33:25 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id NAA18160 for security-outgoing; Fri, 24 Oct 1997 13:33:25 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from oblivion.esgroup.net (root@oblivion.esgroup.net [207.194.190.2]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id NAA18154 for ; Fri, 24 Oct 1997 13:33:23 -0700 (PDT) (envelope-from tbaur@ESGROUP.NET) Received: from oblivion.esgroup.net (tbaur@oblivion.esgroup.net [207.194.190.2]) by oblivion.esgroup.net (8.8.7/8.8.7) with SMTP id NAA28623 for ; Fri, 24 Oct 1997 13:33:20 -0700 (PDT) Date: Fri, 24 Oct 1997 13:33:20 -0700 (PDT)
From: Tim Baur To: freebsd-security@freebsd.org Subject: bug in 2.2.5? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

I just jumped on this list, so sorry if this issue has already been brought up. It has come to my knowledge that there is a security bug in version 2.2.5-REL and 2.2.5.1-REL is due shortly. Could someone explain what this bug pertains to?

Tim Baur
ESI Communications

From owner-freebsd-security Fri Oct 24 14:16:18 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA20697 for security-outgoing; Fri, 24 Oct 1997 14:16:18 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA20691 for ; Fri, 24 Oct 1997 14:16:16 -0700 (PDT) (envelope-from dima@burka.rdy.com) Received: by burka.rdy.com id OAA26764; (8.8.7/RDY) Fri, 24 Oct 1997 14:16:00 -0700 (PDT) Message-Id: <199710242116.OAA26764@burka.rdy.com> Subject: Re: bug in 2.2.5? In-Reply-To: from Tim Baur at "Oct 24, 97 01:33:20 pm" To: tbaur@ESGROUP.NET (Tim Baur) Date: Fri, 24 Oct 1997 14:16:00 -0700 (PDT) Cc: freebsd-security@FreeBSD.ORG X-Class: Fast Organization: HackerDome Reply-To: dima@best.net
From: dima@best.net (Dima Ruban) X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Tim Baur writes:
> I just jumped on this list, so sorry if this issue has already been
> brought up. It has some to my knowledge that there is a security bug in
> version 2.2.5-REL and 2.2.5.1-REL is due shortly. Could someone explain
> what this bug pretains to?

Problem with open() syscall.

> Tim Baur
> ESI Communications

--
dima

From owner-freebsd-security Fri Oct 24 14:24:20 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA21144 for security-outgoing; Fri, 24 Oct 1997 14:24:20 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id OAA21137 for ; Fri, 24 Oct 1997 14:24:14 -0700 (PDT) (envelope-from j@uriah.heep.sax.de) Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id XAA01006; Fri, 24 Oct 1997 23:24:09 +0200 Received: (from j@localhost) by uriah.heep.sax.de (8.8.7/8.8.5) id XAA10781; Fri, 24 Oct 1997 23:00:38 +0200 (MET DST) Message-ID: <19971024230038.LK28116@uriah.heep.sax.de> Date: Fri, 24 Oct 1997 23:00:38 +0200
From: j@uriah.heep.sax.de (J Wunsch) To: wosch@cs.tu-berlin.de (Wolfram Schneider) Cc: perhaps@yes.no (Eivind Eklund), darrenr@cyber.com.au (Darren Reed), security@freebsd.org Subject: Re: open(device,-1) bug References: <199710241040.UAA14898@plum.cyber.com.au> <199710241405.QAA03514@bitbox.follo.net> X-Mailer: Mutt 0.60_p2-3,5,8-9 Mime-Version: 1.0 X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) In-Reply-To: ; from Wolfram Schneider on Oct 24, 1997 20:21:05 +0200 Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

As Wolfram Schneider wrote:
> > Has been fixed, both in -current and RELENG_2_2
> > Joerg did it.
>
> It should be fixed in 2.1.x too.

Go ahead, you've got commit privs. RELENG_2_1_0 has basically been abandoned, or rather, ``orphaned'' by most of the developers.

--
cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)

From owner-freebsd-security Fri Oct 24 14:41:55 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA22467 for security-outgoing; Fri, 24 Oct 1997 14:41:55 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA22460 for ; Fri, 24 Oct 1997 14:41:53 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.7/8.6.9) with ESMTP id OAA22038; Fri, 24 Oct 1997 14:41:45 -0700 (PDT) To: Tim Baur cc: freebsd-security@FreeBSD.ORG Subject: Re: bug in 2.2.5? In-reply-to: Your message of "Fri, 24 Oct 1997 13:33:20 PDT." Date: Fri, 24 Oct 1997 14:41:45 -0700 Message-ID: <22034.877729305@time.cdrom.com>
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

> I just jumped on this list, so sorry if this issue has already been
> brought up. It has some to my knowledge that there is a security bug in
> version 2.2.5-REL and 2.2.5.1-REL is due shortly. Could someone explain

I don't know where you heard that 2.2.5.1 was due shortly, but this information was in error. I have no intention of releasing a point release and am going to rely instead on ftp://ftp.freebsd.org/pub/FreeBSD/2.2.5/ERRATA.TXT and its associated ftp://ftp.freebsd.org/pub/FreeBSD/2.2.5/updates/ directory to spread the word on security issues and errata. Keep an eye on that space.

Jordan

From owner-freebsd-security Fri Oct 24 16:44:38 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA29205 for security-outgoing; Fri, 24 Oct 1997 16:44:38 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA29188; Fri, 24 Oct 1997 16:44:28 -0700 (PDT) (envelope-from spork@super-g.com) Received: from localhost (spork@localhost) by super-g.inch.com (8.8.7/8.8.5) with SMTP id TAA07385; Fri, 24 Oct 1997 19:41:51 -0400 (EDT) Date: Fri, 24 Oct 1997 19:41:50 -0400 (EDT)
From: spork X-Sender: spork@super-g.inch.com To: security@freebsd.org cc: alex@freebsd.org Subject: open() patch, Thanks! Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Alex, whoever you are, thank you *very* much for patching this in 2.1.7... I just cvsupped a rather busy public-access machine, made and booted a new kernel, and all is well.

Thanks again,

Charles

From owner-freebsd-security Fri Oct 24 20:00:30 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id UAA07737 for security-outgoing; Fri, 24 Oct 1997 20:00:30 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from reseau.k2r.org (reseau.reseau.rcac.tdi.co.jp [202.230.24.67]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id UAA07723 for ; Fri, 24 Oct 1997 20:00:25 -0700 (PDT) (envelope-from kenji@k2r.org) Received: (qmail 1029 invoked by uid 1000); 25 Oct 1997 03:00:17 -0000 Message-ID: <19971025030017.1028.qmail@k2r.org> Date: Sat, 25 Oct 1997 12:00:17 +0900 (JST)
From: Kenji Rikitake X-Sender: kenji@reseau.reseau.rcac.tdi.co.jp To: "Jordan K. Hubbard" cc: freebsd-security@FreeBSD.ORG Subject: Will open() bugfix be included in 2.2.5-RELEASE CD-ROM? In-Reply-To: <22034.877729305@time.cdrom.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Fri, 24 Oct 1997, Jordan K. Hubbard wrote:
> [...] I have no intention of releasing a point
> release and am going to rely instead on
> ftp://ftp.freebsd.org/pub/FreeBSD/2.2.5/ERRATA.TXT and its associated
> ftp://ftp.freebsd.org/pub/FreeBSD/2.2.5/updates/ directory to spread
> the word on security issues and errata.

Will the open() bugfix be included in the 2.2.5-RELEASE CD-ROM from Walnut Creek?

// Kenji Rikitake
// Think twice before whining on the Net. Fix bugs before blaming the author.

From owner-freebsd-security Fri Oct 24 20:14:44 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id UAA08349 for security-outgoing; Fri, 24 Oct 1997 20:14:44 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id UAA08344 for ; Fri, 24 Oct 1997 20:14:42 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.7/8.6.9) with ESMTP id UAA13897; Fri, 24 Oct 1997 20:13:15 -0700 (PDT) To: Kenji Rikitake cc: freebsd-security@FreeBSD.ORG Subject: Re: Will open() bugfix be included in 2.2.5-RELEASE CD-ROM? In-reply-to: Your message of "Sat, 25 Oct 1997 12:00:17 +0900." <19971025030017.1028.qmail@k2r.org> Date: Fri, 24 Oct 1997 20:13:15 -0700 Message-ID: <13893.877749195@time.cdrom.com>
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

> Will the open() bugfix included in 2.2.5-RELEASE CD-ROM from
> Walnut Creek?

No, it's far too late for that.

Jordan