From: lxn smth
To: freebsd-security@freebsd.org
Date: Thu, 3 Dec 2009 11:49:06 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Message-ID: <864f75cb0912031149p64695dd0kd1770348114d6c0c@mail.gmail.com>
In-Reply-To: <200912030930.nB39UhW9038238@freefall.freebsd.org>

Can anybody explain why there is no credit section for this advisory?

On Thu, Dec 3, 2009 at 1:30 AM, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:16.rtld                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Improper environment sanitization in rtld(1)
>
> Category:       core
> Module:         rtld
> Announced:      2009-12-03
> Affects:        FreeBSD 7.0 and later.
> Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
>                 2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
>                 2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
> CVE Name:       CVE-2009-4146, CVE-2009-4147
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> The run-time link-editor, rtld, links dynamic executables with their
> needed libraries at run-time.
> It also allows users to explicitly
> load libraries via various LD_ environmental variables.
>
> II.  Problem Description
>
> When running setuid programs rtld will normally remove potentially
> dangerous environment variables.  Due to recent changes in FreeBSD
> environment variable handling code, a corrupt environment may
> result in attempts to unset environment variables failing.
>
> III. Impact
>
> An unprivileged user who can execute programs on a system can gain
> the privileges of any setuid program which he can run.  On most
> system configurations, this will allow a local attacker to execute
> code as the root user.
>
> IV.  Workaround
>
> No workaround is available, but systems without untrusted local users,
> where all the untrusted local users are jailed superusers, and/or where
> untrusted users cannot execute arbitrary code (e.g., due to use of read
> only and noexec mount options) are not affected.
>
> Note that "untrusted local users" include users with the ability to
> upload and execute web scripts (CGI, PHP, Python, Perl etc.), as they
> may be able to exploit this issue.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated
> after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.1, 7.2,
> and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 7.x]
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc
>
> [FreeBSD 8.0]
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/libexec/rtld-elf
> # make obj && make depend && make && make install
>
> NOTE: On the amd64 platform, the above procedure will not update the
> ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld).  On
> amd64 systems where the i386 rtld are installed, the operating system
> should instead be recompiled as described in
>
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                       Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_7
>   src/libexec/rtld-elf/rtld.c                1.124.2.7
> RELENG_7_2
>   src/UPDATING                               1.507.2.23.2.8
>   src/sys/conf/newvers.sh                    1.72.2.11.2.9
>   src/libexec/rtld-elf/rtld.c                1.124.2.4.2.2
> RELENG_7_1
>   src/UPDATING                               1.507.2.13.2.12
>   src/sys/conf/newvers.sh                    1.72.2.9.2.13
>   src/libexec/rtld-elf/rtld.c                1.124.2.3.2.2
> RELENG_8
>   src/libexec/rtld-elf/rtld.c                1.139.2.4
> RELENG_8_0
>   src/UPDATING                               1.632.2.7.2.4
>   src/sys/conf/newvers.sh                    1.83.2.6.2.4
>   src/libexec/rtld-elf/rtld.c                1.139.2.2.2.2
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                  Revision
> - -------------------------------------------------------------------------
> stable/7/                                    r199981
> releng/7.2/                                  r200054
> releng/7.1/                                  r200054
> stable/8/                                    r199980
> releng/8.0/                                  r200054
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4146
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4147
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:16.rtld.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iEUEARECAAYFAksXg/IACgkQFdaIBMps37KrLwCdH4JsCrvdS1RGoGj7MlNgV3+/
> nhYAliVcz9tL8Ll6pYKpIalR740sZ5s=
> =jK/a
> -----END PGP SIGNATURE-----
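
Added example, not part of the original message and not the code from the FreeBSD patches: the advisory's problem description is that attempts to unset dangerous variables can fail on a corrupt environment, so this sketch shows a scrubber that reports failure and lets a privileged caller stop instead of continuing. The helper names and the sample environments are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: drop every LD_* entry from a NULL-terminated vector,
 * in place. Returns the number removed, or -1 (vector untouched) when an
 * entry is malformed and a complete scrub cannot be guaranteed. */
int scrub_ld_env(char **envp)
{
    char **in, **out = envp;
    int removed = 0;

    for (in = envp; *in != NULL; in++) {    /* pass 1: validate only */
        const char *eq = strchr(*in, '=');
        if (eq == NULL || eq == *in)        /* no '=' or empty name */
            return -1;
    }
    for (in = envp; *in != NULL; in++) {    /* pass 2: compact the vector */
        if (strncmp(*in, "LD_", 3) == 0)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Constructed sample: well-formed environment with two LD_ entries. */
int demo_clean(void)
{
    char *env[] = { "PATH=/bin", "LD_PRELOAD=/usr/local/lib/libdemo.so",
                    "HOME=/root", "LD_LIBRARY_PATH=/usr/local/lib", NULL };
    int n = scrub_ld_env(env);
    int ok = strcmp(env[0], "PATH=/bin") == 0 &&
             strcmp(env[1], "HOME=/root") == 0 && env[2] == NULL;
    return ok ? n : -100;
}

/* Constructed sample: one entry has no '=', so the scrub must refuse. */
int demo_corrupt(void)
{
    char *env[] = { "PATH=/bin", "LD_PRELOAD", "HOME=/root", NULL };
    return scrub_ld_env(env);
}

int main(void)
{
    printf("clean: %d removed\n", demo_clean());
    printf("corrupt: %s\n", demo_corrupt() < 0 ? "refused" : "continued");
    return 0;
}
```

A caller running with elevated privileges would treat the -1 result as fatal and exit before loading anything.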