Date: Thu, 3 Dec 2009 11:49:06 -0800
From: lxn smth <lxn.smth@gmail.com>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Message-ID: <864f75cb0912031149p64695dd0kd1770348114d6c0c@mail.gmail.com>
In-Reply-To: <200912030930.nB39UhW9038238@freefall.freebsd.org>
References: <200912030930.nB39UhW9038238@freefall.freebsd.org>

Can anybody explain why there is no credit section for this advisory?

On Thu, Dec 3, 2009 at 1:30 AM, FreeBSD Security Advisories <security-advisories@freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:16.rtld                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Improper environment sanitization in rtld(1)
>
> Category:       core
> Module:         rtld
> Announced:      2009-12-03
> Affects:        FreeBSD 7.0 and later.
> Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
>                 2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
>                 2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
> CVE Name:       CVE-2009-4146, CVE-2009-4147
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> The run-time link-editor, rtld, links dynamic executable with their
> needed libraries at run-time.  It also allows users to explicitly
> load libraries via various LD_ environmental variables.
>
> II.  Problem Description
>
> When running setuid programs rtld will normally remove potentially
> dangerous environment variables.  Due to recent changes in FreeBSD
> environment variable handling code, a corrupt environment may
> result in attempts to unset environment variables failing.
>
> III. Impact
>
> An unprivileged user who can execute programs on a system can gain
> the privileges of any setuid program which he can run.  On most
> systems configurations, this will allow a local attacker to execute
> code as the root user.
>
> IV.  Workaround
>
> No workaround is available, but systems without untrusted local users,
> where all the untrusted local users are jailed superusers, and/or where
> untrusted users cannot execute arbitrary code (e.g., due to use of read
> only and noexec mount options) are not affected.
>
> Note that "untrusted local users" include users with the ability to
> upload and execute web scripts (CGI, PHP, Python, Perl etc.), as they
> may be able to exploit this issue.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated
> after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.1, 7.2,
> and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 7.x]
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc
>
> [FreeBSD 8.0]
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/libexec/rtld-elf
> # make obj && make depend && make && make install
>
> NOTE: On the amd64 platform, the above procedure will not update the
> ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld).  On
> amd64 systems where the i386 rtld are installed, the operating system
> should instead be recompiled as described in
> <URL:http://www.FreeBSD.org/handbook/makeworld.html>
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_7
>   src/libexec/rtld-elf/rtld.c                                   1.124.2.7
> RELENG_7_2
>   src/UPDATING                                             1.507.2.23.2.8
>   src/sys/conf/newvers.sh                                   1.72.2.11.2.9
>   src/libexec/rtld-elf/rtld.c                               1.124.2.4.2.2
> RELENG_7_1
>   src/UPDATING                                            1.507.2.13.2.12
>   src/sys/conf/newvers.sh                                   1.72.2.9.2.13
>   src/libexec/rtld-elf/rtld.c                               1.124.2.3.2.2
> RELENG_8
>   src/libexec/rtld-elf/rtld.c                                   1.139.2.4
> RELENG_8_0
>   src/UPDATING                                              1.632.2.7.2.4
>   src/sys/conf/newvers.sh                                    1.83.2.6.2.4
>   src/libexec/rtld-elf/rtld.c                               1.139.2.2.2.2
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/7/                                                         r199981
> releng/7.2/                                                       r200054
> releng/7.1/                                                       r200054
> stable/8/                                                         r199980
> releng/8.0/                                                       r200054
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4146
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4147
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:16.rtld.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iEUEARECAAYFAksXg/IACgkQFdaIBMps37KrLwCdH4JsCrvdS1RGoGj7MlNgV3+/
> nhYAliVcz9tL8Ll6pYKpIalR740sZ5s=
> =jK/a
> -----END PGP SIGNATURE-----
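
Added example (not part of the thread, and not the FreeBSD patch): the quoted Problem Description says attempts to unset environment variables can fail, so a privileged program that strips variables must check each result and refuse to continue otherwise. The variable list and the function names sanitize_env and count_unsafe are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Example subset only; a real loader strips more names than these. */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_DEBUG", NULL
};

/* Count entries of the form NAME=... in envp that name an unsafe variable. */
int count_unsafe(char *const *envp)
{
    int found = 0;
    for (; envp != NULL && *envp != NULL; envp++) {
        for (size_t i = 0; unsafe_vars[i] != NULL; i++) {
            size_t n = strlen(unsafe_vars[i]);
            if (strncmp(*envp, unsafe_vars[i], n) == 0 && (*envp)[n] == '=')
                found++;
        }
    }
    return found;
}

/* Fail closed: 0 only if every unsetenv() succeeded and a second pass over
 * environ confirms that nothing unsafe is left behind. */
int sanitize_env(void)
{
    for (size_t i = 0; unsafe_vars[i] != NULL; i++) {
        if (unsetenv(unsafe_vars[i]) != 0)
            return -1;              /* never ignore this return value */
    }
    return count_unsafe(environ) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed input for the demonstration. */
    setenv("LD_PRELOAD", "/nonexistent/constructed.so", 1);
    if (sanitize_env() != 0) {
        fputs("environment not sanitized, refusing to continue\n", stderr);
        return 1;
    }
    puts("environment clean");
    return 0;
}
```

The second pass over environ is what turns a silent failure into a refusal to run: the caller decides on the state of the environment, not on the assumption that the unset calls worked.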