From: Uwe Doering
Date: Wed, 29 Jun 2005 23:51:24 +0200
To: Richard Coleman
Cc: freebsd-security@freebsd.org
Subject: Re: Any status on timestamp vulnerability fix for 4.X?
Message-ID: <42C317DC.50401@geminix.org>
In-Reply-To: <42C30C13.8090302@criticalmagic.com>

Richard Coleman wrote:
> Uwe Doering wrote:
>
>> Richard Coleman wrote:
>>
>>> Any information on when (or if) the following timestamp vulnerability
>>> will be fixed for 4.X? Any information would be appreciated.
>>>
>>> http://www.kb.cert.org/vuls/id/637934
>>
>> FYI, the fix for RELENG_5 applies to RELENG_4 as is (apart from the
>> CVS version header, of course):
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=u
>>
>> After verifying its semantic correctness for RELENG_4 we've been
>> running the patch for a couple of weeks now with no ill effects.
>>
>> I'm posting this also as an encouragement for committers to go ahead
>> and do the MFC. It's low hanging fruit.
>>
>> Uwe
>
> We tried applying that diff to 4.10, but compilation failed with
>
> tcp_input.o: In function 'tcp_dooptions':
> tcp_input.o(.text+0x21d8): undefined reference to 'TSTMP_GT'
>
> Did you just define that macro? Or was something else required?

Well, this MFC affected two files, actually. I didn't mention it explicitly
because I considered it obvious from the accompanying CVS comment:

---------------- cut here ----------------
MFC: rev 1.270 of tcp_input.c, rev 1.25 of tcp_seq.h

- Tighten up the Timestamp checks to prevent a spoofed segment from
  setting ts_recent to an arbitrary value, stopping further communication
  between the two hosts.
- If the Echoed Timestamp is greater than the current time, fall back to
  the non RFC 1323 RTT calculation.
---------------- cut here ----------------

So 'tcp_seq.h' needs to be patched, too. Here's the direct link to that diff:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_seq.h.diff?r1=1.22.2.1&r2=1.22.2.2&f=u

With both patches in place the kernel ought to compile correctly. Hope it
works for you now.

Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
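The CVS comment quoted in the thread describes two defensive invariants: a received segment must not be able to push ts_recent to an arbitrary value, and an echoed timestamp that lies in the future must not feed the RFC 1323 RTT estimate. The C program below is an added illustration of both, written for this page; it is not the FreeBSD patch and not code from the thread. The TSTMP_* and SEQ_* macros are this example's own definitions, written in the signed-difference style of tcp_seq.h (the exact bodies in FreeBSD's header are not on the page). The struct, the function names, and the "segment must reach our last ACK point" condition in ts_update_recent are assumptions used to make the failure mode concrete; the RFC 1323 rule it is contrasted with (update when SEG.TSval >= TS.Recent and SEG.SEQ <= Last.ACK.sent) is the one given in the RFC.

```c
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe comparisons: cast the 32-bit difference to signed so that a
 * value that has wrapped past 2^32 still compares as "later". Written in the
 * style of tcp_seq.h; the bodies here are this example's own (assumption). */
#define TSTMP_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define TSTMP_GT(a, b)  ((int32_t)((a) - (b)) > 0)
#define SEQ_LEQ(a, b)   ((int32_t)((a) - (b)) <= 0)

/* Minimal stand-in for per-connection timestamp state (constructed). */
struct ts_state {
    uint32_t ts_recent;     /* newest TS value accepted from the peer       */
    uint32_t last_ack_sent; /* sequence number acknowledged by our last ACK */
};

/* Literal RFC 1323 rule: accept the TS value whenever it is not older than
 * ts_recent and the segment starts at or before our last ACK point. A
 * forged segment placed far to the left of the window satisfies this. */
int ts_update_recent_rfc1323_only(struct ts_state *st, uint32_t tsval,
                                  uint32_t seg_seq, uint32_t seg_len)
{
    (void)seg_len;
    if (TSTMP_LT(tsval, st->ts_recent) || !SEQ_LEQ(seg_seq, st->last_ack_sent))
        return 0;
    st->ts_recent = tsval;
    return 1;
}

/* Tightened rule (this example's formulation, not claimed to be FreeBSD's
 * exact check): additionally require that the segment actually covers the
 * last ACK point, so an out-of-window segment cannot rewrite ts_recent. */
int ts_update_recent(struct ts_state *st, uint32_t tsval,
                     uint32_t seg_seq, uint32_t seg_len)
{
    uint32_t seg_end = seg_seq + seg_len;
    if (TSTMP_LT(tsval, st->ts_recent))       return 0; /* older than held  */
    if (!SEQ_LEQ(seg_seq, st->last_ack_sent)) return 0; /* starts after ACK */
    if (!SEQ_LEQ(st->last_ack_sent, seg_end)) return 0; /* never reaches it */
    st->ts_recent = tsval;
    return 1;
}

/* RTT sample from an echoed timestamp, in ticks. Returns -1 when the echo
 * claims to come from the future (or is absent); the caller then falls back
 * to the non-RFC-1323 per-segment timer instead of using a bogus sample. */
int32_t rtt_from_tsecr(uint32_t now, uint32_t tsecr)
{
    if (tsecr == 0 || TSTMP_GT(tsecr, now))
        return -1;
    return (int32_t)(now - tsecr);
}

/* Constructed scenario: peer's last valid TS was 1000, our last ACK covers
 * sequence 5000, and an out-of-window segment at sequence 100 carries the
 * huge TS value 0x7fffffff. Returns 1 if the next legitimate segment is
 * then rejected by the timestamp check, i.e. the connection stalls. */
int spoof_stalls_with_rfc1323_rule(void)
{
    struct ts_state st = { 1000, 5000 };
    ts_update_recent_rfc1323_only(&st, 0x7fffffffu, 100, 0);
    return ts_update_recent_rfc1323_only(&st, 1001, 5000, 100) == 0;
}

/* Same scenario under the tightened rule: returns 1 if the forged segment is
 * ignored and the legitimate one is still accepted. */
int spoof_rejected_with_tightened_rule(void)
{
    struct ts_state st = { 1000, 5000 };
    int forged_accepted = ts_update_recent(&st, 0x7fffffffu, 100, 0);
    int legit_accepted  = ts_update_recent(&st, 1001, 5000, 100);
    return !forged_accepted && legit_accepted;
}

/* Sanity check that the signed-difference trick survives 32-bit wraparound. */
int tstmp_wraps_correctly(void)
{
    return TSTMP_GT(5u, 0xFFFFFFF0u) && TSTMP_LT(0xFFFFFFF0u, 5u);
}

int main(void)
{
    printf("RFC 1323 rule alone, forged TS stalls peer: %d\n", spoof_stalls_with_rfc1323_rule());
    printf("tightened rule, forged TS ignored:          %d\n", spoof_rejected_with_tightened_rule());
    printf("RTT sample for echo 900 at tick 1000:       %d\n", rtt_from_tsecr(1000, 900));
    printf("RTT sample for echo 1200 at tick 1000:      %d\n", rtt_from_tsecr(1000, 1200));
    printf("comparisons survive wraparound:             %d\n", tstmp_wraps_correctly());
    return 0;
}
```

The undefined reference the thread hits is exactly the first macro group: the tcp_input.c change calls TSTMP_GT, so a kernel that only carries that diff has no definition for it until tcp_seq.h is patched as well.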