From owner-freebsd-security@FreeBSD.ORG Fri May 2 16:58:27 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B78EE6E5 for ; Fri, 2 May 2014 16:58:27 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 9081C1294 for ; Fri, 2 May 2014 16:58:27 +0000 (UTC) Received: from zeta.ixsystems.com (unknown [69.198.165.132]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id 255422330C; Fri, 2 May 2014 09:58:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1399049905; bh=MMApK6BjEpZ6E5k8RdviXaXGPn2DYWrfnvCEzBm913U=; h=Date:From:Reply-To:To:Subject:References:In-Reply-To; b=mJGpEZJY9wASPTcz+UEWdNz/Qgtn3JmawCEU39EW54VlaWpsJtLAwgjJ0p+L5nlVw S0gpzOLAJ9XUG7RVwZKIrf4JPRwwdrgvwU82ST0LvCj9D3vpdQ54lg1CPK21ghsap8 Ys4+668Gea1BFCvMwP/bE1LGtAM5N9zTBhSCMt00= Message-ID: <5363CEAE.3040805@delphij.net> Date: Fri, 02 May 2014 09:58:22 -0700 From: Xin Li Organization: The FreeBSD Project MIME-Version: 1.0 To: "Ronald F. Guilmette" , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp References: <96385.1398973109@server1.tristatelogic.com> In-Reply-To: <96385.1398973109@server1.tristatelogic.com> X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2014 16:58:27 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05/01/14 12:38, Ronald F. Guilmette wrote: > I also have a question.... > > If one manages a system where (a) all local user accounts are > completely and 100% trustworthy and where (b) one has in place ipfw > rules which reject all incoming packet *fragments* on all > outward-facing interfaces, then is this security problem (relating > to the reassembly queue) an issue at all for said system? Or is it > rather a non-event in such contexts? (a) doesn't matter, systems with only root user can be affected if they provide TCP service. (b) I'm not 100% sure on ipfw details (haven't used it for ~10 years now) but IP fragmentation itself have nothing to do with this issue since it's a different layer. Assuming you can't do TCP reassemble with ipfw, it's still a problem. Cheers, - -- Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iQIcBAEBCgAGBQJTY86uAAoJEJW2GBstM+nsz9QQAI33s2CPVNuk1sWZ+OTdmIK9 2lDgJcVCRkDgX0MXph1CPO0NGkrXs8M7Ct3UtP91gagkkwiEZ6zO7jWK81GrEaNC zBbYUyazWUx37mPUzLHf06a0NnvLFKLkJZZMrXfxYlX/BwFArAzsXY0i+JiGzKe3 Yd686PE2k4HU2RdGzm6H0T4eN5TJgNVb0AD4LIsvFfRcNUlqB0E+wrUrMeX6mmbi 3D1RnSjmD4SV5kFsvgiE3DVpTujwcfyYOQeJyEA7GTaBx/ZNHUI1GOCkCJ34SKzW 5qHwOKwFBPTmiFCmFxALrGv9cHM4M5iykvAqdbAM3tuPyQIUBVRLBCH/BtjzIj6n tV6a7kHVNYamY8HDL3B9BLb/9EtVVNJxPLWWnOwpnhTrxBj79oxe+DCXZPCpYiy6 Od9ljRgS2GozsA0poUo3GNO7zr+mkegLVvg++GuZN2tIsOqWHhKDNQrzOxc27TP0 OHfQXkU6k34SgcVyfjSRKXUdt6ZCJ66FCZHZA7NpxDk2gyuFrYUiFXEJh90qs9QD AUpXXEznNnId+OMEnwiCb5t+4o7TvMsra0XaZfS9+Q87U0owKUT0jOBt054QYtsn IkyiyyjjB1xWtxgICuuBwK9B7D75D4if6z68pkHUsd5jptO84S7auXF1qTYlonPC LG+xvLDPTbXErzcpK+om =zQbC -----END PGP SIGNATURE-----