From owner-freebsd-security@FreeBSD.ORG Tue Sep 19 14:32:50 2006
Date: Tue, 19 Sep 2006 14:32:49 GMT
Message-Id: <200609191432.k8JEWn84005666@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-06:21.gzip

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:21.gzip                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in gzip

Category:       contrib
Module:         gzip
Announced:      2006-09-19
Credits:        Tavis Ormandy, Google Security Team
Affects:        All FreeBSD releases.
Corrected:      2006-09-19 14:02:30 UTC (RELENG_6, 6.2-PRERELEASE)
                2006-09-19 14:03:26 UTC (RELENG_6_1, 6.1-RELEASE-p7)
                2006-09-19 14:04:13 UTC (RELENG_6_0, 6.0-RELEASE-p12)
                2006-09-19 14:06:21 UTC (RELENG_5, 5.5-STABLE)
                2006-09-19 14:07:13 UTC (RELENG_5_5, 5.5-RELEASE-p5)
                2006-09-19 14:08:10 UTC (RELENG_5_4, 5.4-RELEASE-p19)
                2006-09-19 14:09:09 UTC (RELENG_5_3, 5.3-RELEASE-p34)
                2006-09-19 14:11:35 UTC (RELENG_4, 4.11-STABLE)
                2006-09-19 14:13:53 UTC (RELENG_4_11, 4.11-RELEASE-p22)
CVE Name:       CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337,
                CVE-2006-4338

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

gzip is a file compression utility.

II.  Problem Description

Multiple programming errors have been found in gzip which can be
triggered when gzip is decompressing files.  These errors include
insufficient bounds checks in buffer use, a NULL pointer dereference,
and a potential infinite loop.

III. Impact

The insufficient bounds checks in buffer use can cause gzip to crash,
and may permit the execution of arbitrary code.  The NULL pointer
dereference can cause gzip to crash.  The infinite loop can cause a
Denial-of-Service situation where gzip uses all available CPU time.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3,
or RELENG_4_11 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.11, 5.3,
5.4, 5.5, 6.0, and 6.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-06:21/gzip.patch
# fetch http://security.FreeBSD.org/patches/SA-06:21/gzip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/gzip
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                  Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/gnu/usr.bin/gzip/gzip.h           1.3.12.1
  src/gnu/usr.bin/gzip/inflate.c        1.8.2.2
  src/gnu/usr.bin/gzip/unlzh.c          1.5.2.1
  src/gnu/usr.bin/gzip/unpack.c         1.6.2.1
RELENG_4_11
  src/UPDATING                          1.73.2.91.2.23
  src/sys/conf/newvers.sh               1.44.2.39.2.26
  src/gnu/usr.bin/gzip/gzip.h           1.3.36.1
  src/gnu/usr.bin/gzip/inflate.c        1.8.2.1.2.1
  src/gnu/usr.bin/gzip/unlzh.c          1.5.30.1
  src/gnu/usr.bin/gzip/unpack.c         1.6.30.1
RELENG_5
  src/gnu/usr.bin/gzip/gzip.h           1.4.2.1
  src/gnu/usr.bin/gzip/inflate.c        1.9.2.1
  src/gnu/usr.bin/gzip/unlzh.c          1.5.26.1
  src/gnu/usr.bin/gzip/unpack.c         1.6.26.1
RELENG_5_5
  src/UPDATING                          1.342.2.35.2.5
  src/sys/conf/newvers.sh               1.62.2.21.2.7
  src/gnu/usr.bin/gzip/gzip.h           1.4.14.1
  src/gnu/usr.bin/gzip/inflate.c        1.9.14.1
  src/gnu/usr.bin/gzip/unlzh.c          1.5.40.1
  src/gnu/usr.bin/gzip/unpack.c         1.6.40.1
RELENG_5_4
  src/UPDATING                          1.342.2.24.2.28
  src/sys/conf/newvers.sh               1.62.2.18.2.24
  src/gnu/usr.bin/gzip/gzip.h           1.4.6.1
  src/gnu/usr.bin/gzip/inflate.c        1.9.6.1
  src/gnu/usr.bin/gzip/unlzh.c          1.5.32.1
  src/gnu/usr.bin/gzip/unpack.c         1.6.32.1
RELENG_5_3
  src/UPDATING                          1.342.2.13.2.37
  src/sys/conf/newvers.sh               1.62.2.15.2.39
  src/gnu/usr.bin/gzip/gzip.h           1.4.4.1
  src/gnu/usr.bin/gzip/inflate.c        1.9.4.1
  src/gnu/usr.bin/gzip/unlzh.c          1.5.28.1
  src/gnu/usr.bin/gzip/unpack.c         1.6.28.1
RELENG_6
  src/gnu/usr.bin/gzip/gzip.h           1.4.8.1
  src/gnu/usr.bin/gzip/inflate.c        1.9.8.1
  src/gnu/usr.bin/gzip/unlzh.c          1.5.34.1
  src/gnu/usr.bin/gzip/unpack.c         1.6.34.1
RELENG_6_1
  src/UPDATING                          1.416.2.22.2.9
  src/sys/conf/newvers.sh               1.69.2.11.2.9
  src/gnu/usr.bin/gzip/gzip.h           1.4.12.1
  src/gnu/usr.bin/gzip/inflate.c        1.9.12.1
  src/gnu/usr.bin/gzip/unlzh.c          1.5.38.1
  src/gnu/usr.bin/gzip/unpack.c         1.6.38.1
RELENG_6_0
  src/UPDATING                          1.416.2.3.2.17
  src/sys/conf/newvers.sh               1.69.2.8.2.13
  src/gnu/usr.bin/gzip/gzip.h           1.4.10.1
  src/gnu/usr.bin/gzip/inflate.c        1.9.10.1
  src/gnu/usr.bin/gzip/unlzh.c          1.5.36.1
  src/gnu/usr.bin/gzip/unpack.c         1.6.36.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:21.gzip.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFD/6bFdaIBMps37IRAgMGAJ9f7rYLs32ZEAKWwhcPqAWrp6fNwACgg2Wj
fw3izMEcpupfqNkkQKizV5g=
=xYxa
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Sep 20 15:24:55 2006
Date: Wed, 20 Sep 2006 08:24:54 -0700
From: Andrew Storms
To: "freebsd-security@freebsd.org"
Subject: Status of MFC security event audit support in RELENG_6?

A few weeks back Robert Watson announced the merge of these features from 7
back into 6-STABLE.  I hadn't seen any updates and was curious as to the
status.  Us 6-STABLE users are curious to test it out.

Thanks.

--A

From owner-freebsd-security@FreeBSD.ORG Wed Sep 20 16:02:58 2006
Message-ID: <45116622.1050907@freebsd.org>
Date: Wed, 20 Sep 2006 09:02:42 -0700
From: "Bruce A. Mah"
To: Andrew Storms
Cc: "freebsd-security@freebsd.org"
Subject: Re: Status of MFC security event audit support in RELENG_6?

If memory serves me right, Andrew Storms wrote:
> A few weeks back Robert Watson announced the merge of these features from 7
> back into 6-STABLE.  I hadn't seen any updates and was curious as to the
> status.  Us 6-STABLE users are curious to test it out.

From the re@ perspective:  It's still on track for shipping as a part of
6.2-RELEASE as an experimental feature.  The audit developers have a few
more MFCs planned before the release, but as of right now, I'm told that
the audit feature is working in 6-STABLE.  (I personally have not worked
with this feature yet, so YMMV.)

Cheers,

Bruce.

From owner-freebsd-security@FreeBSD.ORG Thu Sep 21 07:55:01 2006
Date: Thu, 21 Sep 2006 08:55:00 +0100 (BST)
From: Robert Watson
To: Andrew Storms
Message-ID: <20060921084320.N55647@fledge.watson.org>
Cc: "freebsd-security@freebsd.org", trustedbsd-audit@TrustedBSD.org
Subject: Re: Status of MFC security event audit support in RELENG_6?

On Wed, 20 Sep 2006, Andrew Storms wrote:

> A few weeks back Robert Watson announced the merge of these features from 7
> back into 6-STABLE.  I hadn't seen any updates and was curious as to the
> status.  Us 6-STABLE users are curious to test it out.

The MFC is largely complete, and we're now basically chasing and addressing
bugs being reported by -CURRENT and -STABLE users of audit.  BETA1 ships with
audit support, but there are a few known issues with it:

- The sparc64 BETA1 ISO doesn't include the auditctl(2) bugfix, so auditd
  cannot be started.  amd64 and i386 both do include this fix so auditd
  should start properly.

- User applications are unable to submit audit records due to a bug in user
  record audit preselection.  The fix has been tested and merged to RELENG_6,
  but didn't make the BETA1 cutoff.  BETA2 will include the fix, and it's
  available if you update to the latest RELENG_6 also.

- There are both kernel and praudit bugs relating to extremely large audit
  records generated by turning on argv or envv auditing with execve(1).
  These bugs have been fixed in -CURRENT but the fixes are not yet merged to
  RELENG_6.  They will be merged in the next few days once they've settled a
  bit in HEAD.  However, as the version of OpenBSM in RELENG_6 doesn't
  currently allow turning on the argv and envv auditing flag, this doesn't
  present an immediate problem for audit users in RELENG_6.  Support for
  turning on argv/arge auditing via audit_control(5) will appear in the
  OpenBSM 1.0 alpha 11 MFC to RELENG_6 in a few days (prior to BETA2).

- There are some known usability issues when the audit store partition
  becomes very full.
  In particular, you get a lot of kernel printfs, which can slow the system
  down a lot and could make the console unusable.  Fixes for this are on my
  notebook, and will be merged to P4 and CVS HEAD shortly, with an MFC
  planned before BETA2.  Basically, these changes rate limit warning messages
  and are a bit more careful to avoid hitting out of space errors.  Bug fixes
  to improve auditd's handling of low space conditions and triggers are in
  HEAD and will be MFC'd with OpenBSM 1.0 alpha 11.

- 32-bit compatibility system calls on amd64 are not currently audited, as
  with emulated Linux system calls in RELENG_6.  I'm working on the MFC patch
  for this currently, so hope to get the compat32 auditing merged in the next
  day or so (once approved by re@).

Testing and feedback would be extremely welcome.  While the above list of
RELENG_6 problems is non-trivial, the code currently in RELENG_6 is quite
functional, and I've deployed it on several servers, as have a number of
other developers and end-users.

Another thing that needs to happen before the release is that the Handbook
chapter needs to be reviewed and updated.  In particular, we've added the
policy: line to audit_control(5) since it was written, and since this is
quite useful/important, an update is required for that.

Robert N M Watson
Computer Laboratory
University of Cambridge