From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 04:11:27 2011
From: Mike Brown
Message-Id: <201110020411.p924BPqn037383@chilled.skew.org>
To: freebsd-security@freebsd.org
Date: Sat, 1 Oct 2011 22:11:25 -0600 (MDT)
Subject: Reasonable expectations of sysadmins (was Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix)

Chris Rees wrote:
> Generally users are expected to pay attention to what is updated-- I
> know this isn't always the easiest task, but blindly following
> instructions is not something that is generally advocated in FreeBSD.

Generally, yes.

For a security advisory, though, I don't think it's unreasonable for the
reader to expect that the solutions and workarounds are exactly as
described, with nothing left out or assumed that every system
administrator will know. Likewise, the advisory issuer surely expects
that the instructions they provide *will* be very strictly followed.

Based on my own experience, I did happen to realize that a reboot would
probably be needed, but since one procedure in the advisory said to
reboot and the other didn't, it led me to wonder if maybe there was some
magic in freebsd-update that obviated the need for a reboot. Apparently
there's not; it was just an oversight in the instructions.

Also, sometimes things go haywire after a reboot, especially after
extended uptime and updates to the kernel or core libraries, so I'm in
the habit of only shutting down when necessary. So if I don't see "and
then reboot" in an update procedure - and most of the time, security
updates don't require it - then I don't do it.
From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 05:15:47 2011
Message-Id: <201110020453.WAA24453@lariat.net>
Date: Sat, 01 Oct 2011 22:53:46 -0600
To: Chris Rees, Eirik Øverby
From: Brett Glass
References: <201110010410.p914Ap3F001617@chilled.skew.org> <4E86A12E.3070600@FreeBSD.org> <808B16DD-6AC6-438D-B2AE-895C5875EFC5@anduin.net>
Cc: freebsd-security@freebsd.org, Doug Barton, Mike Brown, Eitan Adler
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

Another question. Suppose one has built a custom kernel (as I always
do). Does FreeBSD-update update the kernel sources such that I can do a
simple "make buildkernel installkernel"? Or do I also have to csup my
kernel sources to some specific tag and rebuild? If so, how do I know
which tag?

--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Sun Oct 2 11:10:18 2011
Message-ID: <4E88468F.2080503@infracaninophile.co.uk>
Date: Sun, 02 Oct 2011 12:10:07 +0100
From: Matthew Seaman
To: freebsd-security@freebsd.org
References: <201110010410.p914Ap3F001617@chilled.skew.org> <4E86A12E.3070600@FreeBSD.org> <808B16DD-6AC6-438D-B2AE-895C5875EFC5@anduin.net> <201110020453.WAA24453@lariat.net>
In-Reply-To: <201110020453.WAA24453@lariat.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

On 02/10/2011 05:53, Brett Glass wrote:
> Another question. Suppose one has built a custom kernel (as I always
> do). Does FreeBSD-update update the kernel sources such that I can do a
> simple "make buildkernel installkernel"? Or do I also have to csup my
> kernel sources to some specific tag and rebuild? If so, how do I know
> which tag?

Yes -- freebsd-update will update your system sources. Unless you've
specifically told it not to.

In general, if you're using freebsd-update(8) you shouldn't need to use
csup(1) for the system bits, and vice-versa. If you are using csup
alongside freebsd-update, then just update to the latest available on
whichever RELEASE branch you are tracking. So for 8.2-RELEASE-p3, the
tag in your supfile should be RELENG_8_2. But that really shouldn't be
necessary.

Still unsure? The advisory will detail which of the system sources have
been modified and give details of the revision numbers for the files on
all the affected branches. It's easy to just read the files concerned
and compare contents of the $FreeBSD$ tag to what's in the advisory.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

From owner-freebsd-security@FreeBSD.ORG Tue Oct 4 19:15:42 2011
Date: Tue, 4 Oct 2011 19:15:42 GMT
Message-Id: <201110041915.p94JFgpT092868@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]
Reply-To:
 freebsd-security@freebsd.org

=============================================================================
FreeBSD-SA-11:05.unix                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in handling of UNIX socket addresses

Category:       core
Module:         kern
Announced:      2011-09-28
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2011-10-04 19:07:38 UTC (RELENG_7, 7.4-STABLE)
                2011-10-04 19:07:38 UTC (RELENG_7_4, 7.4-RELEASE-p4)
                2011-10-04 19:07:38 UTC (RELENG_7_3, 7.3-RELEASE-p8)
                2011-10-04 19:07:38 UTC (RELENG_8, 8.2-STABLE)
                2011-10-04 19:07:38 UTC (RELENG_8_2, 8.2-RELEASE-p4)
                2011-10-04 19:07:38 UTC (RELENG_8_1, 8.1-RELEASE-p6)
                2011-10-04 19:07:38 UTC (RELENG_9, 9.0-RC1)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2011-09-28  Initial release.
v1.1  2011-10-04  Updated patch to add linux emulation bug fix.

I.   Background

UNIX-domain sockets, also known as "local" sockets, are a mechanism for
interprocess communication. They are similar to Internet sockets (and
utilize the same system calls) but instead of relying on IP addresses
and port numbers, UNIX-domain sockets have addresses in the local file
system address space.

FreeBSD contains "linux emulation" support via system call translation
in order to make it possible to use certain linux applications without
recompilation.

II.  Problem Description

When a UNIX-domain socket is attached to a location using the bind(2)
system call, the length of the provided path is not validated. Later,
when this address was returned via other system calls, it is copied into
a fixed-length buffer.

Linux uses a larger socket address structure for UNIX-domain sockets
than FreeBSD, and FreeBSD's linux emulation code did not translate
UNIX-domain socket addresses into the correct size of structure.

III. Impact

A local user can cause the FreeBSD kernel to panic. It may also be
possible to execute code with elevated privileges ("gain root"), escape
from a jail, or to bypass security mechanisms in other ways.

The patch provided with the initial version of this advisory exposed the
pre-existing bug in FreeBSD's linux emulation code, resulting in
attempts to use UNIX sockets from linux applications failing. The most
common instance where UNIX sockets were used by linux applications is in
the context of the X windowing system, including the widely used linux
"flash" web browser plugin.

IV.  Workaround

No workaround is available, but systems without untrusted local users
are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patch has been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:05/unix2.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix2.patch.asc

NOTE: The patch distributed at the time of the original advisory fixed
the security vulnerability but exposed the pre-existing bug in the linux
emulation subsystem. Systems to which the original patch was applied
should be patched with the following corrective patch, which contains
only the additional changes required to fix the newly-exposed linux
emulation bug:

# fetch http://security.FreeBSD.org/patches/SA-11:05/unix-linux.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix-linux.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                    Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/sys/kern/uipc_usrreq.c              1.206.2.13
  src/sys/compat/linux/linux_socket.c     1.74.2.15
RELENG_7_4
  src/UPDATING                            1.507.2.36.2.5
  src/sys/conf/newvers.sh                 1.72.2.18.2.8
  src/sys/kern/uipc_usrreq.c              1.206.2.11.4.2
  src/sys/compat/linux/linux_socket.c     1.74.2.13.2.2
RELENG_7_3
  src/UPDATING                            1.507.2.34.2.9
  src/sys/conf/newvers.sh                 1.72.2.16.2.11
  src/sys/kern/uipc_usrreq.c              1.206.2.11.2.2
  src/sys/compat/linux/linux_socket.c     1.74.2.12.2.2
RELENG_8
  src/sys/kern/uipc_usrreq.c              1.233.2.6
  src/sys/compat/linux/linux_socket.c     1.101.2.5
RELENG_8_2
  src/UPDATING                            1.632.2.19.2.5
  src/sys/conf/newvers.sh                 1.83.2.12.2.8
  src/sys/kern/uipc_usrreq.c              1.233.2.2.2.2
  src/sys/compat/linux/linux_socket.c     1.101.2.3.4.2
RELENG_8_1
  src/UPDATING                            1.632.2.14.2.8
  src/sys/conf/newvers.sh                 1.83.2.10.2.9
  src/sys/kern/uipc_usrreq.c              1.233.2.1.4.2
  src/sys/compat/linux/linux_socket.c     1.101.2.3.2.2
RELENG_9
  src/sys/kern/uipc_usrreq.c              1.244.2.2
  src/sys/compat/linux/linux_socket.c     1.108.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                               Revision
-------------------------------------------------------------------------
stable/7/                                 r226023
releng/7.4/                               r226023
releng/7.3/                               r226023
stable/8/                                 r226023
releng/8.2/                               r226023
releng/8.1/                               r226023
stable/9/                                 r226023
-------------------------------------------------------------------------

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:05.unix.asc

From owner-freebsd-security@FreeBSD.ORG Tue Oct 4 21:11:07 2011
Message-ID: <4E8B6EBF.4060308@oucs.ox.ac.uk>
Date: Tue, 04 Oct 2011 21:38:23 +0100
From: Mark Duller
To: freebsd-security@freebsd.org
References: <201110041915.p94JFgpT092868@freefall.freebsd.org>
In-Reply-To: <201110041915.p94JFgpT092868@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

On 10/04/11 20:15, FreeBSD Security Advisories wrote:
> =============================================================================
>
> FreeBSD-SA-11:05.unix Security Advisory
> The FreeBSD Project
>
> Topic: Buffer overflow in handling of UNIX socket
> addresses
>
> Category: core Module: kern Announced:
> 2011-09-28 Credits: Mateusz Guzik Affects: All
> supported versions of FreeBSD.

> IV. Workaround
>
> No workaround is available, but systems without untrusted local
> users are not vulnerable.

Does this affect a default FreeBSD install? I believe linux emulation
support is disabled by default?

Mark

From owner-freebsd-security@FreeBSD.ORG Tue Oct 4 22:09:45 2011
Message-ID: <4E8B841E.8000406@infracaninophile.co.uk>
Date: Tue, 04 Oct 2011 23:09:34 +0100
From: Matthew Seaman
To: Mark Duller
References: <201110041915.p94JFgpT092868@freefall.freebsd.org> <4E8B6EBF.4060308@oucs.ox.ac.uk>
In-Reply-To: <4E8B6EBF.4060308@oucs.ox.ac.uk>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]

On 04/10/2011 21:38, Mark Duller wrote:
> On 10/04/11 20:15, FreeBSD Security Advisories wrote:
>> =============================================================================
>>
>> FreeBSD-SA-11:05.unix Security Advisory
>> The FreeBSD Project
>>
>> Topic: Buffer overflow in handling of UNIX socket
>> addresses
>>
>> Category: core Module: kern Announced:
>> 2011-09-28 Credits: Mateusz Guzik Affects: All
>> supported versions of FreeBSD.
>
>> IV. Workaround
>>
>> No workaround is available, but systems without untrusted local
>> users are not vulnerable.
>
> Does this affect a default FreeBSD install? I believe linux emulation
> support is disabled by default?

Ish. Sort of. The default system contains the linux.ko loadable module
which is not loaded by default, but would be caused to automatically
load into the kernel by installing one of the linux_base ports. Nothing
needs to be re-compiled in order to enable linux compat, and it doesn't
even require a reboot, but it does require root privileges to kldload
the module.

The underlying unix domain socket vulnerability affected all released
and development versions of FreeBSD up to the point where the advisory
was first issued. If you'd applied the patches from the original
advisory then you should already be secure.

If your system definitely doesn't run any linux binaries and never will
do, then the additional bits in the revised patch won't do anything for
you. However, without the additional changes any linux applications that
try to use unix domain sockets will crash. This doesn't result in any
additional security exposure, but it certainly won't endear your users
to you.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
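
Added example, not part of the original thread: Matthew Seaman's first reply suggests comparing each file's $FreeBSD$ tag with the revision numbers under the advisory's "Correction details", and the script below does that check for CVS-style and SVN-style tags (handling both is a generalization beyond the message). The function names and sample files are constructed; the expected revisions 1.233.2.2.2.2 and r226023 are the advisory's entries for uipc_usrreq.c on RELENG_8_2 / releng/8.2, and the script assumes the sources were updated by a method that rewrites the $FreeBSD$ keyword.

```shell
#!/bin/sh
# Added example, not from the thread: compare the $FreeBSD$ ident of a source
# file with the revision listed under the advisory's "Correction details".

# ident_rev FILE: print the revision from the file's first expanded $FreeBSD$
# tag: a dotted CVS revision (1.233.2.2.2.2) or an SVN number (r226023).
# Prints nothing when the tag is missing or unexpanded.
ident_rev() {
    sed -n \
        -e 's/.*\$FreeBSD: [^ ]*,v \([0-9][0-9.]*\) .*/\1/p' \
        -e 's/.*\$FreeBSD: [^ ,]* \([0-9][0-9]*\) .*/r\1/p' "$1" | head -n 1
}

# check_rev FOUND WANT: print a verdict; exit status 0 only for "fixed".
check_rev() {
    found=$1
    want=$2
    [ -n "$found" ] || { echo "no-tag"; return 2; }
    case "$want:$found" in
    r*:r*)      # SVN: one repository-wide counter, so an equal or later number
                # on the branch named in the tag's path includes the fix.
        f=${found#r}; w=${want#r} ;;
    r*:*|*:r*)  # advisory row and file tag come from different exports
        echo "format-mismatch"; return 2 ;;
    *)          # CVS: same branch means identical leading components; another
                # prefix has to be checked against that branch's own row.
        [ "${found%.*}" = "${want%.*}" ] || { echo "other-branch"; return 2; }
        f=${found##*.}; w=${want##*.} ;;
    esac
    if [ "$f" -ge "$w" ]; then echo "fixed"; return 0; fi
    echo "outdated"; return 1
}

# verify_file FILE WANT: verdict for one file on disk.
verify_file() {
    check_rev "$(ident_rev "$1")" "$2"
}

# Demo on constructed files. The expected revisions are the advisory's;
# dates, author and the older 1.233.2.2.2.1 tag are made up for the demo.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '__FBSDID("$FreeBSD: src/sys/kern/uipc_usrreq.c,v 1.233.2.2.2.2 2011/10/04 00:00:00 nobody Exp $");' >"$dir/cvs-new.c"
    printf '%s\n' '__FBSDID("$FreeBSD: src/sys/kern/uipc_usrreq.c,v 1.233.2.2.2.1 2011/01/01 00:00:00 nobody Exp $");' >"$dir/cvs-old.c"
    printf '%s\n' '__FBSDID("$FreeBSD: releng/8.2/sys/kern/uipc_usrreq.c 226023 2011-10-04 00:00:00Z nobody $");' >"$dir/svn-new.c"
    printf '%s\n' '__FBSDID("$FreeBSD$");' >"$dir/bare.c"
    while read -r name want; do
        printf '%-10s %s\n' "$name" "$(verify_file "$dir/$name.c" "$want")"
    done <<EOF
cvs-new 1.233.2.2.2.2
cvs-old 1.233.2.2.2.2
svn-new r226023
bare    1.233.2.2.2.2
EOF
    rm -rf "$dir"
}
demo
```

An "other-branch" verdict means the file sits on a different branch than the row it was compared with, so check it against that branch's row in the advisory instead.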