From owner-freebsd-security-notifications@FreeBSD.ORG Wed Jun 29 21:54:54 2005 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A07A16A41F; Wed, 29 Jun 2005 21:54:54 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E93B43D49; Wed, 29 Jun 2005 21:54:54 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j5TLsscJ008151; Wed, 29 Jun 2005 21:54:54 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j5TLssOf008150; Wed, 29 Jun 2005 21:54:54 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 29 Jun 2005 21:54:54 GMT Message-Id: <200506292154.j5TLssOf008150@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-05:13.ipfw X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2005 21:54:54 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:13.ipfw Security Advisory The FreeBSD Project Topic: ipfw packet matching errors with address tables Category: core Module: netinet Announced: 2005-06-29 Credits: Max Laier Affects: FreeBSD 5.4-RELEASE Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE) 2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3) CVE Name: CAN-2005-2019 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background ipfw(8) is a system facility which allows IP packet filtering, redirecting, and traffic accounting. ipfw lookup tables are a way to specify many IP addresses which can be used for packet matching in an efficient manner. II. Problem Description The ipfw tables lookup code caches the result of the last query. The kernel may process multiple packets concurrently, performing several concurrent table lookups. Due to an insufficient locking, a cached result can become corrupted that could cause some addresses to be incorrectly matched against a lookup table. III. Impact When lookup tables are used with ipfw, packets may on very rare occasions incorrectly match a lookup table. This could result in a packet being treated contrary to the defined packet filtering ruleset. For example, a packet may be allowed to pass through when it should have been discarded. The problem can only occur on Symmetric Multi-Processor (SMP) systems, or on Uni Processor (UP) systems with the PREEMPTION kernel option enabled (not the default). IV. Workaround a) Do not use lookup tables. OR b) Disable concurrent processing of packets in the network stack by setting the "debug.mpsafenet=0" tunable: # echo "debug.mpsafenet=0" >> /boot/loader.conf V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:13/ipfw.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:13/ipfw.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/sys/netinet/ip_fw2.c 1.70.2.14 RELENG_5_4 src/UPDATING 1.342.2.24.2.12 src/sys/conf/newvers.sh 1.62.2.18.2.8 src/sys/netinet/ip_fw2.c 1.70.2.10.2.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2019 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:13.ipfw.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFCwxeeFdaIBMps37IRAkOAAJ0cCLsoqdUsfTfPNxocl1/TSORXnwCeIq0L wM2hw6x90lSyoEVYnxfAg2s= =khtV -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@FreeBSD.ORG Wed Jun 29 21:55:01 2005 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 24BE316A421; Wed, 29 Jun 2005 21:55:01 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0193F43D48; Wed, 29 Jun 2005 21:55:01 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j5TLt0OJ008197; Wed, 29 Jun 2005 21:55:00 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j5TLt0cj008194; Wed, 29 Jun 2005 21:55:00 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 29 Jun 2005 21:55:00 GMT Message-Id: <200506292155.j5TLt0cj008194@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-05:14.bzip2 X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2005 21:55:01 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:14.bzip2 Security Advisory The FreeBSD Project Topic: bzip2 denial of service and permission race vulnerabilities Category: contrib Module: contrib_bzip2 Announced: 2005-06-29 Credits: Imran Ghory, Chris Evans Affects: All FreeBSD releases Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE) 2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3) 2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17) 2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE) 2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11) 2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16) CVE Name: CAN-2005-0953, CAN-2005-1260 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background bzip2 is a block-sorting file compression utility. II. Problem Description Two problems have been discovered relating to the extraction of bzip2-compressed files. First, a carefully constructed invalid bzip2 archive can cause bzip2 to enter an infinite loop. Second, when creating a new file, bzip2 closes the file before setting its permissions. III. Impact The first problem can cause bzip2 to extract a bzip2 archive to an infinitely large file. If bzip2 is used in automated processing of untrusted files this could be exploited by an attacker to create an denial-of-service situation by exhausting disk space or by consuming all available cpu time. The second problem can allow a local attacker to change the permissions of local files owned by the user executing bzip2 providing that they have write access to the directory in which the file is being extracted. IV. Workaround Do not uncompress bzip2 archives from untrusted sources and do not uncompress files in directories where untrusted users have write access. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/libbz2 # make obj && make depend && make && make install # cd /usr/src/usr.bin/bzip2 # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 contrib/bzip2/bzip2.c 1.1.1.1.2.3 contrib/bzip2/bzlib.c 1.1.1.1.2.3 contrib/bzip2/compress.c 1.1.1.1.2.3 contrib/bzip2/decompress.c 1.1.1.1.2.3 contrib/bzip2/huffman.c 1.1.1.1.2.3 RELENG_4_11 src/UPDATING 1.73.2.91.2.12 src/sys/conf/newvers.sh 1.44.2.39.2.15 contrib/bzip2/bzip2.c 1.1.1.1.2.2.12.1 contrib/bzip2/bzlib.c 1.1.1.1.2.2.12.1 contrib/bzip2/compress.c 1.1.1.1.2.2.12.1 contrib/bzip2/decompress.c 1.1.1.1.2.2.12.1 contrib/bzip2/huffman.c 1.1.1.1.2.2.12.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.17 src/sys/conf/newvers.sh 1.44.2.34.2.18 contrib/bzip2/bzip2.c 1.1.1.1.2.2.10.1 contrib/bzip2/bzlib.c 1.1.1.1.2.2.10.1 contrib/bzip2/compress.c 1.1.1.1.2.2.10.1 contrib/bzip2/decompress.c 1.1.1.1.2.2.10.1 contrib/bzip2/huffman.c 1.1.1.1.2.2.10.1 RELENG_5 contrib/bzip2/bzip2.c 1.1.1.2.8.1 contrib/bzip2/bzlib.c 1.1.1.2.8.1 contrib/bzip2/compress.c 1.1.1.2.8.1 contrib/bzip2/decompress.c 1.1.1.2.8.1 contrib/bzip2/huffman.c 1.1.1.2.8.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.12 src/sys/conf/newvers.sh 1.62.2.18.2.8 contrib/bzip2/bzip2.c 1.1.1.2.12.1 contrib/bzip2/bzlib.c 1.1.1.2.12.1 contrib/bzip2/compress.c 1.1.1.2.12.1 contrib/bzip2/decompress.c 1.1.1.2.12.1 contrib/bzip2/huffman.c 1.1.1.2.12.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.20 src/sys/conf/newvers.sh 1.62.2.15.2.22 contrib/bzip2/bzip2.c 1.1.1.2.10.1 contrib/bzip2/bzlib.c 1.1.1.2.10.1 contrib/bzip2/compress.c 1.1.1.2.10.1 contrib/bzip2/decompress.c 1.1.1.2.10.1 contrib/bzip2/huffman.c 1.1.1.2.10.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260 http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633 http://scary.beasts.org/security/CESA-2005-002.txt The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:14.bzip.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFCwxenFdaIBMps37IRAsYxAJ9K8pFrImuACPxauHUqGqumKs2nLQCfQ0ne SQ0RlXP6MiG88y/2B2wF7aA= =TvEK -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@FreeBSD.ORG Wed Jun 29 21:55:05 2005 Return-Path: X-Original-To: freebsd-security-notifications@freebsd.org Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC0F516A433; Wed, 29 Jun 2005 21:55:05 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8E20B43D48; Wed, 29 Jun 2005 21:55:05 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j5TLt5tZ008240; Wed, 29 Jun 2005 21:55:05 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j5TLt5ig008238; Wed, 29 Jun 2005 21:55:05 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 29 Jun 2005 21:55:05 GMT Message-Id: <200506292155.j5TLt5ig008238@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-05:15.tcp X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2005 21:55:05 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:15.tcp Security Advisory The FreeBSD Project Topic: TCP connection stall denial of service Category: core Module: inet Announced: 2005-06-29 Credits: Noritoshi Demizu Affects: All FreeBSD releases. Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE) 2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3) 2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17) 2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE) 2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11) 2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16) CVE Name: CAN-2005-0356, CAN-2005-2068 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service. TCP timestamps are used to measure Round-Trip Time and in the Protect Against Wrapped Sequences (PAWS) algorithm. TCP packets with the SYN flag set are used during setup of new TCP connections. II. Problem Description Two problems have been discovered in the FreeBSD TCP stack. First, when a TCP packets containing a timestamp is received, inadequate checking of sequence numbers is performed, allowing an attacker to artificially increase the internal "recent" timestamp for a connection. Second, a TCP packet with the SYN flag set is accepted for established connections, allowing an attacker to overwrite certain TCP options. III. Impact Using either of the two problems an attacker with knowledge of the local and remote IP and port numbers associated with a connection can cause a denial of service situation by stalling the TCP connection. The stalled TCP connection my be closed after some time by the other host. IV. Workaround In some cases it may be possible to defend against these attacks by blocking the attack packets using a firewall. Packets used to effect either of these attacks would have spoofed source IP addresses. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch.asc [FreeBSD 5.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/sys/netinet/tcp_input.c 1.107.2.44 RELENG_4_11 src/UPDATING 1.73.2.91.2.12 src/sys/conf/newvers.sh 1.44.2.39.2.15 src/sys/netinet/tcp_input.c 1.107.2.41.4.3 RELENG_4_10 src/UPDATING 1.73.2.90.2.17 src/sys/conf/newvers.sh 1.44.2.34.2.18 src/sys/netinet/tcp_input.c 1.107.2.41.2.1 RELENG_5 src/sys/netinet/tcp_input.c 1.252.2.16 RELENG_5_4 src/UPDATING 1.342.2.24.2.12 src/sys/conf/newvers.sh 1.62.2.18.2.8 src/sys/netinet/tcp_input.c 1.252.2.14.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.20 src/sys/conf/newvers.sh 1.62.2.15.2.22 src/sys/netinet/tcp_input.c 1.252.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2068 http://www.kb.cert.org/vuls/id/637934 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:15.tcp.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFCwxe7FdaIBMps37IRAi39AJ9ss6PVEwloS4SlKEWi5S1hpHnzmACeJF7H rKmK2NtleJ98dTLWW4QLMn4= =6fBH -----END PGP SIGNATURE-----