From: "sasha"
Date: Wed, 11 Jan 2012 07:52:19 +0200
Subject: Hellp !!!

197]: superpolka.com.ua (superpolka.com.ua[::ffff:77.87.154.174]) - error: FreeBSD with vulnerable chroot (FreeBSD-SA-11:07.chroot).

197]: superpolka.com.ua (superpolka.com.ua[::ffff:77.87.154.174]) - chroot to '/home/ftp' failed for user 'ftp001': Operation not permitted.

197]: superpolka.com.ua (superpolka.com.ua[::ffff:77.87.154.174]) - error: unable to set default root directory.

superpolka.com.ua 8.2-STABLE FreeBSD 8.2-STABLE #3: Sat Jan 7 10:03:34 EET 2012 root@superpolka.com.ua:/usr/src/sys/amd64/compile/NAS2 amd64

# freebsd-update fetch

[root@artvideo /home/sh]# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching public key from update4.FreeBSD.org... failed.
Fetching public key from update3.FreeBSD.org... failed.
Fetching public key from update5.FreeBSD.org... failed.
Fetching public key from update2.FreeBSD.org... failed.
No mirrors remaining, giving up.

# freebsd-update -v debug fetch
# freebsd-update install

[root@artvideo /home/sh]# freebsd-update install
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.


From: Tom Evans
To: sasha
Cc: freebsd-security@freebsd.org
Date: Wed, 11 Jan 2012 11:55:29 +0000
Subject: Re: Hellp !!!

On Wed, Jan 11, 2012 at 5:52 AM, sasha wrote:
> superpolka.com.ua 8.2-STABLE FreeBSD 8.2-STABLE #3: Sat Jan 7 10:03:34 EET
> 2012 root@superpolka.com.ua:/usr/src/sys/amd64/compile/NAS2 amd64
>
> [root@artvideo /home/sh]# freebsd-update fetch
>

You cannot use freebsd-update to update a custom kernel, or from -STABLE. freebsd-update is also only used for updating between releases - from freebsd-update(8):

     Note that updates are only available if they are being built for the
     FreeBSD release and architecture being used; in particular, the FreeBSD
     Security Team only builds updates for releases shipped in binary form by
     the FreeBSD Release Engineering Team, e.g., FreeBSD 7.3-RELEASE and
     FreeBSD 8.0, but not FreeBSD 6.3-STABLE or FreeBSD 9.0-CURRENT.

You will need to update your sources, and rebuild kernel and world. See the handbook for details:

http://www.freebsd.org/doc/en/books/handbook/makeworld.html

Cheers

Tom


From: Victor Balada Diaz
To: sasha
Cc: freebsd-security@Freebsd.org
Date: Wed, 11 Jan 2012 13:21:21 +0100
Subject: Re: Hellp !!!

On Wed, Jan 11, 2012 at 07:52:19AM +0200, sasha wrote:
> 197]: superpolka.com.ua (superpolka.com.ua[::ffff:77.87.154.174]) - error:
> FreeBSD with vulnerable chroot (FreeBSD-SA-11:07.chroot).
>
> 197]: superpolka.com.ua (superpolka.com.ua[::ffff:77.87.154.174]) - chroot
> to '/home/ftp' failed for user 'ftp001': Operation not permitted.
>
> 197]: superpolka.com.ua (superpolka.com.ua[::ffff:77.87.154.174]) - error:
> unable to set default root directory.
>
> superpolka.com.ua 8.2-STABLE FreeBSD 8.2-STABLE #3: Sat Jan 7 10:03:34 EET
> 2012 root@superpolka.com.ua:/usr/src/sys/amd64/compile/NAS2 amd64
>
> # freebsd-update fetch
>
> [root@artvideo /home/sh]# freebsd-update fetch
> Looking up update.FreeBSD.org mirrors... 4 mirrors found.
> Fetching public key from update4.FreeBSD.org... failed.
> Fetching public key from update3.FreeBSD.org... failed.
> Fetching public key from update5.FreeBSD.org... failed.
> Fetching public key from update2.FreeBSD.org... failed.
> No mirrors remaining, giving up.
>
> # freebsd-update -v debug fetch
> # freebsd-update install
>
> [root@artvideo /home/sh]# freebsd-update install
> No updates are available to install.
> Run '/usr/sbin/freebsd-update fetch' first.

Hello,

I'm not sure what you are trying to do, but if it's just patching the system you can't use freebsd-update for it. You're running a custom-built system with FreeBSD 8.2-STABLE and freebsd-update just works with standard systems.

To fix the vulnerabilities you can:

1) Apply patches and rebuild as per each security advisory
2) Update source to RELENG_8 and upgrade using the procedure described here:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

I hope it helps.
Regards.
Victor.
-- 
The most convincing proof that intelligent life exists on other planets is that they have not tried to contact us.


From: Jorge Petry
To: sasha, freebsd-security@Freebsd.org
Date: Wed, 11 Jan 2012 10:07:38 -0200
Subject: Re: Hellp !!!

Hi.

You pass your server to STABLE, freebsd-update doesn't work for this server.

DESCRIPTION
     The freebsd-update tool is used to fetch, install, and rollback binary
     updates to the FreeBSD base system. Note that updates are only available
     if they are being built for the FreeBSD release and architecture being
     used; in particular, the FreeBSD Security Team only builds updates for
     releases shipped in binary form by the FreeBSD Release Engineering Team,
     e.g., FreeBSD 7.3-RELEASE and FreeBSD 8.0, but not FreeBSD 6.3-STABLE or
     FreeBSD 9.0-CURRENT.

Cheers.
_________________________________________
Jorge Petry Neto
Network and Server Administrator
PETRY Soluções Tecnológicas LTDA.
(48) 8401-4436
jorge@petry.net.br
www.petry.net.br

On 11/01/2012 03:52, sasha wrote:
> 197]: superpolka.com.ua (superpolka.com.ua[::ffff:77.87.154.174]) - error: FreeBSD with vulnerable chroot (FreeBSD-SA-11:07.chroot).
>
> 197]: superpolka.com.ua (superpolka.com.ua[::ffff:77.87.154.174]) - chroot to '/home/ftp' failed for user 'ftp001': Operation not permitted.
>
> 197]: superpolka.com.ua (superpolka.com.ua[::ffff:77.87.154.174]) - error: unable to set default root directory.
>
> superpolka.com.ua 8.2-STABLE FreeBSD 8.2-STABLE #3: Sat Jan 7 10:03:34 EET 2012 root@superpolka.com.ua:/usr/src/sys/amd64/compile/NAS2 amd64
>
> # freebsd-update fetch
>
> [root@artvideo /home/sh]# freebsd-update fetch
> Looking up update.FreeBSD.org mirrors... 4 mirrors found.
> Fetching public key from update4.FreeBSD.org... failed.
> Fetching public key from update3.FreeBSD.org... failed.
> Fetching public key from update5.FreeBSD.org... failed.
> Fetching public key from update2.FreeBSD.org... failed.
> No mirrors remaining, giving up.
>
> # freebsd-update -v debug fetch
> # freebsd-update install
>
> [root@artvideo /home/sh]# freebsd-update install
> No updates are available to install.
> Run '/usr/sbin/freebsd-update fetch' first.


From: Clément Lecigne
To: freebsd-security@freebsd.org
Date: Sat, 14 Jan 2012 05:03:01 +0100
Subject: Double SCTP_INP_RUNLOCK() in SCTP result in KP

Hi,

In sctp_ussreq.c, lines are based from HEAD:

3041    SCTP_INP_RUNLOCK(inp);
3042    onoff = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO);
3043    SCTP_INP_RUNLOCK(inp);

The SCTP_INP_RUNLOCK(in) on line 3043 must be SCTP_INP_LOCK(in), typo?
That results in an easily user triggerable kernel panic through
getsockopt(). I don't think user can do something evil with this
double unlock which results in a kernel panic due to a NULL dereference
in mtx_unlock() on my fresh FreeBSD 9.0.

Bests,
-clem1


From: Clément Lecigne
To: freebsd-security@freebsd.org
Date: Sat, 14 Jan 2012 05:11:05 +0100
Subject: Re: Double SCTP_INP_RUNLOCK() in SCTP result in KP

Oops mistake, the LOCK() should be on line 3041, same problem just
above on line 3021, UNLOCK() instead of LOCK().

-clem1

On 14 January 2012 05:03, Clément Lecigne wrote:
> Hi,
>
> In sctp_ussreq.c, lines are based from HEAD:
>
> 3041    SCTP_INP_RUNLOCK(inp);
> 3042    onoff = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO);
> 3043    SCTP_INP_RUNLOCK(inp);
>
> The SCTP_INP_RUNLOCK(in) on line 3043 must be SCTP_INP_LOCK(in), typo?
> That results in an easily user triggerable kernel panic through
> getsockopt(). I don't think user can do something evil with this
> double unlock which result in a kernel panic due to a NULL dereference
> in mtx_unlock() on my fresh FreeBSD 9.0.
>
> Bests,
> -clem1

-- 
-clem1
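
The lock-pairing mistake reported in the last two messages, as an added example that is not part of the thread or of the FreeBSD source: a user-space model that counts releases made with no hold outstanding and reads of the guarded flag made without the lock, for the quoted release/read/release sequence and for the acquire/read/release sequence the follow-up describes. The names toy_inp, toy_rlock, toy_runlock, toy_feature_on and the flag value are hypothetical stand-ins, and the acquire is assumed to be a read lock so that it pairs with the RUNLOCK release.

```c
#include <stdio.h>
/* Toy stand-ins for the endpoint and its read lock (hypothetical, not kernel code). */
struct toy_inp {
    int readers;         /* read holds currently outstanding */
    int bad_unlocks;     /* releases attempted with no hold outstanding */
    int unlocked_reads;  /* guarded field read with no hold outstanding */
    unsigned features;   /* field the lock is meant to protect */
};
struct audit { int bad_unlocks, unlocked_reads, held_after, onoff; };
#define TOY_FLAG_RECVNXTINFO 0x1u /* constructed bit value */

/* Assumption: the missing acquire is a read lock, matching the RUNLOCK release. */
static void toy_rlock(struct toy_inp *inp) { inp->readers++; }
/* The model only counts an unbalanced release; the report describes a panic. */
static void toy_runlock(struct toy_inp *inp)
{
    if (inp->readers > 0) inp->readers--; else inp->bad_unlocks++;
}
/* Reading the guarded field with no hold outstanding is counted too. */
static int toy_feature_on(struct toy_inp *inp, unsigned flag)
{
    if (inp->readers == 0) inp->unlocked_reads++;
    return (inp->features & flag) != 0;
}

/* Sequence as quoted in the report: release, read, release. */
static int get_reported(struct toy_inp *inp)
{
    toy_runlock(inp);
    int onoff = toy_feature_on(inp, TOY_FLAG_RECVNXTINFO);
    toy_runlock(inp);
    return onoff;
}

/* Sequence after the follow-up correction: acquire, read, release. */
static int get_paired(struct toy_inp *inp)
{
    toy_rlock(inp);
    int onoff = toy_feature_on(inp, TOY_FLAG_RECVNXTINFO);
    toy_runlock(inp);
    return onoff;
}

/* Run one handler on a fresh endpoint and collect the lock-discipline counters. */
static struct audit run_audit(int (*handler)(struct toy_inp *))
{
    struct toy_inp inp = { 0, 0, 0, TOY_FLAG_RECVNXTINFO };
    int onoff = handler(&inp);
    return (struct audit){ inp.bad_unlocks, inp.unlocked_reads, inp.readers, onoff };
}

int main(void)
{
    struct audit r = run_audit(get_reported), p = run_audit(get_paired);
    printf("reported: %d bad unlocks, %d unlocked reads\n", r.bad_unlocks, r.unlocked_reads);
    printf("paired:   %d bad unlocks, %d unlocked reads\n", p.bad_unlocks, p.unlocked_reads);
    return 0;
}
```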