Date: Tue, 19 Dec 2000 03:42:05 +0200
From: Esa Etelavuori <eetelavu@cc.hut.fi>
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
Message-ID: <20001219034205.A29042@ksylofoni.hut.fi>
In-Reply-To: <20001218153619.071BE37B400@hub.freebsd.org>; from security-advisories@FreeBSD.ORG on Mon, Dec 18, 2000 at 07:36:19AM -0800
References: <20001218153619.071BE37B400@hub.freebsd.org>
> Topic: Several vulnerabilities in procfs
> Announced: 2000-12-18
> Affects: Problem #1: FreeBSD 4.x prior to the correction date.
> FreeBSD 3.x is unaffected.
... except for procfs/ctl
> Problem #2, #3: FreeBSD 4.x and 3.x prior to the correction
> date.
> Corrected: 2000-12-16 (FreeBSD 4.2-STABLE)
> 2000-12-18 (FreeBSD 3.5.1-STABLE)
Looks fine but the story is quite unfortunate. I heard afterwards
from Frank van Vliet that they notified security-officer@freebsd.org about
procfs/mem problems on October 25. I mailed the FreeBSD team about the
procfs/status buffer overflow on October 27.
I quickly got confirmation emails, but a public announcement seemed
to take ages although fixes had been committed to -current in two weeks.
I asked about the status and agreed that it would be ok for me to wait for
the advisory until the soon coming release of 4.2.
After 4.2 had been released I got a draft advisory, checked the fixes
and noticed that the procfs/ctl fix was missing. I emailed about it on
November 25.
Looking at the CVS repository it seems that procfs/ctl had been broken
in FreeBSD since procfs was implemented. It was corrected in OpenBSD in
1996 and in NetBSD in 1997. Procfs/{mem,regs} had been corrected in 1997
(mem was still otherwise broken until early 2000), but the CHECKIO()
checks were incorrectly replaced about a year ago.
Afterwards it seems like a mistake to wait for over 7 weeks when partial
fixes had been on the public CVS for most of the time. Now I wonder how
many of the "bad guys" actually scan for those changes; apparently one could get
at least several days' advantage with many open source projects.
CVS changes/notes can be very revealing for automated scanners, and
there have probably been other silent "minor" fixes in addition to
netgraph(3) loading kernel modules regardless of the securelevel on <4.1
(pointed out to me by Pascal Bouchareine).