From owner-freebsd-questions Mon Sep 16 10:49:13 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 96BB137B400 for ; Mon, 16 Sep 2002 10:49:09 -0700 (PDT) Received: from cpimssmtpu04.email.msn.com (cpimssmtpu04.email.msn.com [207.46.181.80]) by mx1.FreeBSD.org (Postfix) with ESMTP id 22EBD43E3B for ; Mon, 16 Sep 2002 10:49:09 -0700 (PDT) (envelope-from mikeyg@igalaxy.net) Received: from mikeyg ([64.160.107.6]) by cpimssmtpu04.email.msn.com with Microsoft SMTPSVC(5.0.2195.4905); Mon, 16 Sep 2002 10:48:02 -0700 Message-ID: <009e01c25da9$5abe43b0$0301a8c0@mikeyg> Reply-To: "Mike Grissom" From: "Mike Grissom" To: References: <200209161615.g8GGFk0g073000@freefall.freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:39.libkvm Date: Mon, 16 Sep 2002 10:48:55 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-OriginalArrivalTime: 16 Sep 2002 17:48:03.0401 (UTC) FILETIME=[34A6FB90:01C25DA9] Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG For some reason the patch is not on the ftp and the directory doesnt even exist. When will it be added? ----- Original Message ----- From: "FreeBSD Security Advisories" To: "FreeBSD Security Advisories" Sent: Monday, September 16, 2002 9:15 AM Subject: FreeBSD Security Advisory FreeBSD-SA-02:39.libkvm > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================ = > FreeBSD-SA-02:39.libkvm Security Advisory > The FreeBSD Project > > Topic: Applications using libkvm may leak sensitive descriptors > > Category: core > Module: libkvm > Announced: 2002-09-16 > Credits: David Endler , > > Affects: All releases prior to and including 4.6.2-RELEASE. > Security branch releases prior to 4.4-RELEASE-p27, > 4.5-RELEASE-p20, and 4.6.2-RELEASE-p2. > Corrected: 2002-09-13 14:53:43 UTC (RELENG_4) > 2002-09-13 15:04:22 UTC (RELENG_4_6) > 2002-09-13 15:07:26 UTC (RELENG_4_5) > 2002-09-13 15:09:07 UTC (RELENG_4_4) > FreeBSD only: NO > > I. Background > > The kvm(3) library provides a uniform interface for accessing kernel > virtual memory images, including live systems and crash dumps. Access > to live systems is via /dev/mem and /dev/kmem. Memory can be read and > written, kernel symbol addresses can be looked up efficiently, and > information about user processes can be gathered. > > The kvm_openfiles(3) function opens the special device files /dev/mem > and /dev/kmem, and returns an opaque handle that must be passed > to the other library functions. > > II. Problem Description > > Applications that wish to present system information such as swap > utilization, virtual memory utilization, CPU utilization, and > so on may use the kvm(3) library to read kernel memory directly > and gather this information. Such applications typically must > be run set-group-ID kmem so that the call to kvm_openfiles(3) > can access /dev/mem and /dev/kmem. > > If the application then uses exec(2) to start another application, > the new application will continue to have open file descriptors to > /dev/mem and /dev/kmem. This is usually avoided by marking file > descriptors as close-on-exec, but since the handle returned by > kvm_openfiles(3) is opaque, there is no direct way for the application > to determine what file descriptors have been opened by the library. > As a result, application writers may neglect to take these file > descriptors into account. > > III. Impact > > Set-group-ID kmem applications which use kvm(3) and start other > applications may leak /dev/mem and /dev/kmem file descriptors. If > those applications can be specified by a local user, they may be > used to read kernel memory, resulting in disclosure of sensitive > information such as file, network, and tty buffers, authentication > tokens, and so on. > > Several applications in the FreeBSD Ports Collection were identified > that are affected: asmon, ascpu, bubblemon, wmmon, and wmnet2. There > may be other applications as well. > > IV. Workaround > > Remove the set-group-ID bit on affected applications. This will > result in the applications losing some functionality. > > V. Solution > > Do one of the following: > > 1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6, > RELENG_4_5, or RELENG_4_4 security branch dated after the correction > date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20, or 4.4-RELEASE-p27). > > 2) To patch your present system: > > The following patch has been verified to apply to FreeBSD 4.4, FreeBSD > 4.5, FreeBSD 4.6, and FreeBSD 4.6.2 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/lib/libkvm > # make depend && make && make install > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Path Revision > Branch > - ------------------------------------------------------------------------ - > src/lib/libkvm/kvm.c > RELENG_4 1.12.2.3 > RELENG_4_6 1.12.2.2.8.1 > RELENG_4_5 1.12.2.2.6.1 > RELENG_4_4 1.12.2.2.4.1 > src/sys/conf/newvers.sh > RELENG_4_6 1.44.2.23.2.19 > RELENG_4_5 1.44.2.20.2.21 > RELENG_4_4 1.44.2.17.2.26 > - ------------------------------------------------------------------------ - > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.7 (FreeBSD) > > iQCVAwUBPYXz/1UuHi5z0oilAQGNGAP/cpg8s9L034EbrJriQDicHptv/2QgSnrw > 2BvOaUXRIEweDz7FAoLstbxDFVE3Hx9+zN4gn7S49WIbFjATFRcL2FT/1yBhrbBx > Yp20/gveFQSU+AnjsriKVDrH9ksBO4/ZX6lBxjvxD0Hbyj4ATd027jNAXl7WeLbq > 2DN6Lf4FB1Y= > =699Y > -----END PGP SIGNATURE----- > > This is the moderated mailing list freebsd-announce. > The list contains announcements of new FreeBSD capabilities, > important events and project milestones. > See also the FreeBSD Web pages at http://www.freebsd.org > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-announce" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message