From owner-freebsd-security@FreeBSD.ORG  Mon Apr 29 21:20:53 2013
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id CF2361A5
 for <freebsd-security@freebsd.org>; Mon, 29 Apr 2013 21:20:53 +0000 (UTC)
 (envelope-from s-tlk@s-tlk.org)
Received: from mail.s-tlk.org (s-tlk.org [178.63.70.119])
 by mx1.freebsd.org (Postfix) with ESMTP id 6A8141375
 for <freebsd-security@freebsd.org>; Mon, 29 Apr 2013 21:20:53 +0000 (UTC)
Received: from [10.0.3.6] (unknown [10.0.3.6])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mail.s-tlk.org (Postfix) with ESMTPSA id ADCA7AE11A3
 for <freebsd-security@freebsd.org>; Mon, 29 Apr 2013 23:20:52 +0200 (CEST)
Date: Mon, 29 Apr 2013 23:20:52 +0200 (CEST)
From: Michael Schnell <s-tlk@s-tlk.org>
X-X-Sender: michi@priv.s-tlk.org
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory
 FreeBSD-SA-13:05.nfsserver
In-Reply-To: <201304292055.r3TKtcrk039951@freefall.freebsd.org>
Message-ID: <alpine.BSF.2.00.1304292320000.16029@priv.s-tlk.org>
References: <201304292055.r3TKtcrk039951@freefall.freebsd.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Apr 2013 21:20:53 -0000

Okay,
found the correct link:
http://www.freebsd.org/security/patches/SA-13:05/nfsserver.patch
http://www.freebsd.org/security/patches/SA-13:05/nfsserver.patch.asc

Just a wrong SA number in the url. ;-)


Greetings
Michael


On Mon, 29 Apr 2013, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-13:05.nfsserver                                  Security Advisory
>                                                          The FreeBSD Project
>
> Topic:          Insufficient input validation in the NFS server
>
> Category:       core
> Module:         nfsserver
> Announced:      2013-04-29
> Credits:        Adam Nowacki
> Affects:        All supported versions of FreeBSD.
> Corrected:      2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
>                2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
>                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
>                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
>                2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
>                2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
> CVE Name:       CVE-2013-3266
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> The Network File System (NFS) allows a host to export some or all of its
> file systems so that other hosts can access them over the network and mount
> them as if they were on local disks.  FreeBSD includes server and client
> implementations of NFS.
>
> FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
> NFSv2 and NFSv3 implementation and a new implementation which also
> supports NFSv4.
>
> FreeBSD 9.0 and onward uses the new NFS implementation by default.
>
> II.  Problem Description
>
> When processing READDIR requests, the NFS server does not check that
> it is in fact operating on a directory node.  An attacker can use a
> specially modified NFS client to submit a READDIR request on a file,
> causing the underlying filesystem to interpret that file as a
> directory.
>
> III. Impact
>
> The exact consequences of an attack depend on the amount of input
> validation in the underlying filesystem:
>
> - If the file resides on a UFS filesystem on a little-endian server,
>   an attacker can cause random heap corruption with completely
>   unpredictable consequences.
>
> - If the file resides on a ZFS filesystem, an attacker can write
>   arbitrary data on the stack.  It is believed, but has not been
>   confirmed, that this can be exploited to run arbitrary code in
>   kernel context.
>
> Other filesystems may also be vulnerable.
>
> IV.  Workaround
>
> Systems that do not provide NFS service are not vulnerable.  Neither
> are systems that do but use the old NFS implementation, which is the
> default in FreeBSD 8.x.
>
> To determine which implementation an NFS server is running, run the
> following command:
>
> # kldstat -v | grep -cw nfsd
>
> This will print 1 if the system is running the new NFS implementation,
> and 0 otherwise.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
> # gpg --verify nfsserver.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> 3) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/8/                                                         r250058
> releng/8.3/                                                       r250059
> releng/8.4/                                                       r250062
> stable/9/                                                         r250060
> releng/9.1/                                                       r250061
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc
> -----BEGIN PGP SIGNATURE-----
>
> iEYEARECAAYFAlF+18oACgkQFdaIBMps37J1PACgm+zcbGd6xF1hkpvFVJbbwR0Q
> 9PoAnivbP1R0qXFyTlF/t3+sUYcxBtfQ
> =polM
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
>