From: Xin LI
Organization: The FreeBSD Project
Date: Tue, 15 Sep 2009 17:02:15 -0700
To: utisoft@googlemail.com
Cc: freebsd-security@freebsd.org, Frederique Rijsdijk
Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x)
Message-ID: <4AB02B07.8050404@delphij.net>
In-Reply-To: <0016e6d99efa540b8b047399738b@google.com>

utisoft@googlemail.com wrote:
> It appears to only affect 6.x.... and requires local access. If an
> attacker has local access to a machine you're screwed anyway.

'local' here means login as a local user, i.e. ssh/telnet/etc, not
console access which seems to be what you mean by 'local access'.

Note that, in order to successfully exploit this vulnerability, a remote
attacker still needs someone or something to run the code on their
behalf, typically this would have to be used in conjunction with some
other remote vulnerability (i.e. some popular remote admin tool that
allows you to upload and run something on web server's context, etc).

We are still working on this one, it looks like we would need to patch
some other problems altogether.

Cheers,
-- 
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!