From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: CVE-2017-1000364 FreeBSD exposure ?
Date: Wed, 5 Jul 2017 11:22:22 +0100
Message-ID: <7860b23a-66ce-1bc6-b5f6-9264057bdf23@FreeBSD.org>

On 2017/07/05 10:55, Damien Fleuriot wrote:
> I'm curious about the lack of announcement on the site in the
> vulnerabilities section [1], about CVE-2017-1000364 [2] [3].
>
> Does anyone know to what extent FreeBSD is affected ?
>
> I'm trying to assess how critical it is that I patch our FreeBSD
> 10-STABLE boxes at work.
>
> Hope a kind soul can spare 5 minutes of their precious time to shed
> some light for me ;)

The Security Team and a number of Kernel developers have examined the
stack-clash exploit and how it would apply to FreeBSD, and have
concluded that on FreeBSD it does not pose a vulnerability that would
merit a security advisory. While it is possible to write an application
to generate a stack-clash relatively simply.
According to Qualys' work, in order to be exploitable, this requires a
particular type of vulnerability in a setuid or setgid application where
a stack-clash can be generated. As far as they could determine, no such
combination could be found.

Stack-clash is definitely a bug, and there is on-going work to tighten
up the way stack and heap collisions are handled which has recently been
committed to CURRENT and will be MFC'd to STABLE branches in the usual
way. There may well be an Errata Notification on the currently
supported -RELEASE branches in order to address the widespread public
concerns.

However, to the best of SecTeam's knowledge this is not a critical
problem on FreeBSD. Of course, this does not preclude an exploit using
some ported software -- if anyone is aware of any such exploit, please
let SecTeam know as soon as possible.

	Cheers,

	Matthew
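
The reply above ties exploitability to setuid or setgid applications and notes that ported software is not ruled out. As an added example (not part of the original message and not FreeBSD tooling), this POSIX sh function inventories setuid/setgid files and marks those under /usr/local, FreeBSD's default prefix for ports; the names `list_privileged`, `classify` and `PORTS_PREFIX` are hypothetical.

```shell
#!/bin/sh
# Added example: inventory of setuid/setgid files, split by origin.
# PORTS_PREFIX is a hypothetical knob; /usr/local is FreeBSD's default
# prefix for software installed from ports and packages.

# classify PATH -> prints "ports" if PATH is under the prefix, else "base"
classify() {
    prefix=${PORTS_PREFIX:-/usr/local}
    case "$1" in
        "$prefix"/*) echo ports ;;
        *)           echo base ;;
    esac
}

# list_privileged DIR... -> one tab-separated line per file:
#   KIND (setuid|setgid)  ORIGIN (base|ports)  PATH
# A file carrying both bits is reported once per bit.
list_privileged() {
    for spec in setuid:-4000 setgid:-2000; do
        kind=${spec%%:*}
        mode=${spec#*:}
        # -xdev stays on each starting file system; unreadable
        # directories are skipped quietly.
        find "$@" -xdev -type f -perm "$mode" 2>/dev/null |
        while IFS= read -r path; do
            printf '%s\t%s\t%s\n' "$kind" "$(classify "$path")" "$path"
        done
    done
}

# Run as a script, naming each file system to cover, for example:
#   sh privaudit.sh / /usr/local
if [ "$#" -gt 0 ]; then
    list_privileged "$@" | sort
fi
```

Comparing the sorted output before and after package upgrades shows when a port adds a new privileged binary to review.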