Date: Fri, 25 Jan 2002 16:03:12 -0800 From: Patrick Fish (patrick@pwhsnet.com) <patrick@pwhsnet.com> To: <freebsd-security@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:08.exec Message-ID: <004401c1a5fc$d905eb70$2300a8c0@zeus> References: <200201242153.g0OLrSn75456@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
When i do: #cd /usr/src #patch -p /root/exec-43R.patch ....It takes a long time, is it supposed to? -- Patrick Fish - patrick@pwhsnet.com PWHS Networks - http://www.pwhsnet.com ----- Original Message ----- From: "FreeBSD Security Advisories" <security-advisories@FreeBSD.ORG> To: "FreeBSD Security Advisories" <security-advisories@FreeBSD.ORG> Sent: Thursday, January 24, 2002 1:53 PM Subject: FreeBSD Security Advisory FreeBSD-SA-02:08.exec > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================ = > FreeBSD-SA-02:08 Security Advisory > FreeBSD, Inc. > > Topic: race condition during exec may allow local root compromise > > Category: core > Module: kernel > Announced: 2002-01-24 > Credits: Logan Gabriel <gersh@sonn.com>, > Robert Watson <rwatson@FreeBSD.org>, > Dag-Erling Smørgrav <des@FreeBSD.org> > Affects: All released versions of FreeBSD 4.x prior to 4.5-RELEASE. > FreeBSD 4.4-STABLE prior to the correction date. > Corrected: 2002-01-22 17:22:59 UTC (4-STABLE, RELENG_4) > 2002-01-23 23:05:00 UTC (4.4-RELEASE-p4, RELENG_4_4) > 2002-01-23 23:05:53 UTC (4.3-RELEASE-p24, RELENG_4_3) > FreeBSD only: NO > > I. Background > > When a process is started from a set-user-ID or set-group-ID binary, > it is marked so that attempts to attach to it with debugging hooks > fail. To allow such attachments would allow a user to subvert the > process and gain elevated privileges. > > II. Problem Description > > A race condition exists in the FreeBSD exec system call > implementation. It is possible for a user to attach a debugger to a > process while it is exec'ing, but before the kernel has determined > that the process is set-user-ID or set-group-ID. > > All versions of FreeBSD 4.x prior to FreeBSD 4.5-RELEASE are > vulnerable to this problem. The problem has been corrected by marking > processes that have started but not yet completed exec with an > `in-exec' state. Attempts to debug a process in the in-exec state > will fail. > > III. Impact > > Local users may be able to gain increased privileges on the local > system. > > IV. Workaround > > None. Do not allow untrusted users to gain access to the local > system. > > V. Solution > > One of the following: > > 1) Upgrade your vulnerable FreeBSD system to 4.4-STABLE, or the > RELENG_4_3 or RELENG_4_4 security branch, dated after the respective > correction date. > > 2) To patch your present system: > > a) Download the relevant patch from the following location: > > [FreeBSD 4.4-STABLE, or RELENG_4_3 and RELENG_4_4 security branches] > > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch.asc > > [FreeBSD 4.3-RELEASE only] > > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch.asc > > b) Verify the detached PGP signature using your PGP utility. > > c) Execute the following commands as root: > > # cd /usr/src > # patch -p < /path/to/patch > > Recompile your kernel as described in > http://www.freebsd.org/handbook/kernelconfig.html > and reboot the system. > > 3) FreeBSD 4.4-RELEASE systems: > > An experimental upgrade package is available for users who wish to > provide testing and feedback on the binary upgrade process. This > package may be installed on FreeBSD 4.4-RELEASE systems only, and is > intended for use on systems for which source patching is not practical > or convenient. > > If you use the upgrade package, feedback (positive or negative) to > security-officer@FreeBSD.org is requested so we can improve the > process for future advisories. > > Since this vulnerability involves the FreeBSD kernel which is often > locally customized on installed systems, a universal binary upgrade > package is not feasible. This package includes a patched version of > the GENERIC kernel which should be suitable for use on many systems. > Systems requiring a customized kernel must use an alternative > solution. > > During the installation procedure, backup copies are made of the files > which are replaced by the package. These backup copies will be > reinstalled if the package is removed, reverting the system to a > pre-patched state. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-02:08/security-patch-exec -02.08.tgz > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-02:08/security-patch-exec -02.08.tgz.asc > > Verify the detached PGP signature using your PGP utility. > > # pkg_add security-patch-exec-02.08.tgz > > The new kernel is named /kernel.GENERIC to avoid conflict with the > default kernel name (``/kernel''). To cause the system to boot > automatically with the new kernel, add the following line to > /boot/loader.conf: > > kernel="/kernel.GENERIC" > > and reboot the system to load the new kernel. The old kernel is still > available and can be manually loaded in the boot loader in case of > problems. > > VI. Correction details > > The following list contains the $FreeBSD$ revision number of the > files that were corrected in the FreeBSD source. > > Path Revision > Branch > - ------------------------------------------------------------------------ - > src/sys/conf/newvers.sh > RELENG_4_4 1.44.2.17.2.5 > RELENG_4_3 1.44.2.14.2.14 > src/sys/kern/kern_exec.c > RELENG_4 1.107.2.13 > RELENG_4_4 1.107.2.8.2.1 > RELENG_4_3 1.107.2.5.2.2 > src/sys/kern/sys_process.c > RELENG_4 1.51.2.3 > RELENG_4_4 1.51.2.1.4.1 > RELENG_4_3 1.51.2.1.2.1 > src/sys/miscfs/procfs/procfs.h > RELENG_4 1.32.2.3 > RELENG_4_4 1.32.2.2.2.1 > RELENG_4_3 1.32.2.1.2.2 > src/sys/miscfs/procfs/procfs_ctl.c > RELENG_4 1.20.2.2 > RELENG_4_4 1.20.2.1.4.1 > RELENG_4_3 1.20.2.1.2.1 > src/sys/miscfs/procfs/procfs_dbregs.c > RELENG_4 1.4.2.3 > RELENG_4_4 1.4.2.2.2.1 > RELENG_4_3 1.4.2.1.2.1 > src/sys/miscfs/procfs/procfs_fpregs.c > RELENG_4 1.11.2.3 > RELENG_4_4 1.11.2.2.2.1 > RELENG_4_3 1.11.2.1.2.1 > src/sys/miscfs/procfs/procfs_mem.c > RELENG_4 1.46.2.3 > RELENG_4_4 1.46.2.2.2.1 > RELENG_4_3 1.46.2.1.2.2 > src/sys/miscfs/procfs/procfs_regs.c > RELENG_4 1.10.2.3 > RELENG_4_4 1.10.2.2.2.1 > RELENG_4_3 1.10.2.1.2.1 > src/sys/miscfs/procfs/procfs_status.c > RELENG_4 1.20.2.4 > RELENG_4_4 1.20.2.3.4.1 > RELENG_4_3 1.20.2.3.2.1 > src/sys/miscfs/procfs/procfs_vnops.c > RELENG_4 1.76.2.7 > RELENG_4_4 1.76.2.5.2.1 > RELENG_4_3 1.76.2.3.2.2 > src/sys/sys/proc.h > RELENG_4 1.99.2.6 > RELENG_4_4 1.99.2.5.4.1 > RELENG_4_3 1.99.2.5.2.1 > - ------------------------------------------------------------------------ - > > VII. References > > <URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.t xt.asc> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iQCVAwUBPFCAl1UuHi5z0oilAQGyiQP/V2byHL40v23S1q4PanobNUPhKUQBKsVI > OCmBowy2r7Ka0GPDFxAko/xeXnZmM9lvZ0PqMdpy5god27txxAtXmvmJjMPc3dRK > SbJGvfrGSrRMvXR8rrpIOugq0mkMePiXsS8RDAkcAHAXpFF0MVuQfoaQYykn+LiV > i6D4RvGxGZw= > =ywM6 > -----END PGP SIGNATURE----- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004401c1a5fc$d905eb70$2300a8c0>