Date:      Sun, 19 Feb 2012 10:22:57 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
Message-ID:  <4F40CD81.1000708@infracaninophile.co.uk>
In-Reply-To: <CAJ5UdcO%2Bx6oEuEWL4%2Bfh1TanEv1vCCnOSi%2BaZ-bcQBsehuqKsA@mail.gmail.com>
References:  <CAJ5UdcOobT8jmUM7KpweU1sjie4P8HvQcA0vNMQdO66ZTHXHkA@mail.gmail.com> <201202190204.q1J24gJx080884@mail.r-bonomi.com> <CAJ5UdcO%2Bx6oEuEWL4%2Bfh1TanEv1vCCnOSi%2BaZ-bcQBsehuqKsA@mail.gmail.com>

On 19/02/2012 02:06, Antonio Olivares wrote:
> On Sat, Feb 18, 2012 at 8:04 PM, Robert Bonomi <bonomi@mail.r-bonomi.com> wrote:
>>
>> Antonio,
>>  The 'upgrade' from _P5_ to P6 did not touch the kernel, hence the kernel ID
>> did not change.
>>
>>  Going from P3  you should have seen a kernel update.
>>
>>  what do you see if you do "strings /boot/kernel/kernel |grep 8"
>
> It is a big file so I'll paste it to pastebin temporarily:
>
> http://pastebin.com/K1PsTa0P

Heh.  The interesting bit is on line 4301 -- the last line of that
output.  A slightly more selective grep term would have been a good idea.

Anyhow, that shows the kernel on your system is 8.2-RELEASE-p3.  Which
implies that something ain't right somewhere.

Four possibilities, roughly in order of severity:

   1) None of the security patches between p3 and p6 did actually
      touch the kernel.  You can tell if this was the case by looking
      at the list of modified files in the security advisory.  The
      kernel is affected if any files under sys have been
      modified other than src/sys/conf/newvers.sh

      The last advisory that did touch the kernel was
      http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc

      which should have given you 8.2-RELEASE-p4.  However -- see
      below.

   2) An oversight in the freebsd-update process upstream meaning that
      the operational patches were applied, but not the changes to the
      kernel version number when the replacement kernel was compiled.
      Unlikely, as newvers.sh is always updated on each of the security
      branches even if the update doesn't touch the kernel.

   3) You've told freebsd-update not to touch your kernel.  Unlikely,
      and not in the default config, but useful where people need to
      use a custom kernel and maintain the rest of the system with
      freebsd-update.

      In this case, you'd have modified /etc/freebsd-update.conf to
      change:

        Components src world kernel

      to read:

        Components src world

      Also you should be expecting to have to rebuild your kernel from
      sources, so I doubt this is the case.

   4) The kernel wasn't patched properly and hasn't been updated and
      you're still vulnerable.

Now, I believe that the situation is in fact as described in
option (1) -- none of the patches since p3 have touched the kernel
distributed through freebsd-update.  (2) and (4) can be discounted -- if
such egregious mistakes had been made, they would long ago have been
noticed and corrected.

Here is the thing I alluded to under option (1).  The security patch for
the unix domain socket problem came out in two chunks.  There was an
original patch to fix the actual security problem, then a later followup
patch to fix a bug that it exposed in the linux emulation layer.  It is
possible to tell this from the text of the advisory as it exists at the
moment, but you might not see it unless you are looking for it.  The
important bit of text is this:

  NOTE: The patch distributed at the time of the original advisory fixed
  the security vulnerability but exposed the pre-existing bug in the
  linux emulation subsystem.  Systems to which the original patch was
  applied should be patched with the following corrective patch, which
  contains only the additional changes required to fix the newly-
  exposed linux emulation bug:

Given that the second part of the patch was actually not a security fix,
there would not have been a modified kernel distributed.  So you got a
bundle of three advisories issued together on 2011-09-28 resulting in
FreeBSD 8.2-RELEASE-p3.  Then later on, at 2011-10-04 a further update
was issued modifying FreeBSD-SA-11:05-unix and technically taking the
system to FreeBSD 8.2-RELEASE-p4.  However, as this was not a security
fix, it was not applied to the freebsd-update distribution channel.  As
none of the updates since then have touched the kernel, it will still
show -p3 even though you are in fact fully patched against all known
security problems.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
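
Added example, not part of the original message: a shell sketch of the two checks described above, namely deciding from an advisory's list of modified files whether the kernel is affected (anything under sys other than sys/conf/newvers.sh), and pulling the release ID out of a kernel image with a narrower pattern than "grep 8". The function names, the sample paths and the match pattern are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; helper names and sample data are constructed.

# kernel_relevant_paths: read modified-file paths (one per line) on stdin
# and print those that change the kernel: anything under sys/ except
# sys/conf/newvers.sh.  A leading "src/" and stray whitespace are tolerated.
kernel_relevant_paths() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's|^src/||' |
        grep '^sys/' | grep -v '^sys/conf/newvers\.sh$'
}

# advisory_touches_kernel: exit 0 if the path list on stdin affects the kernel.
advisory_touches_kernel() {
    [ -n "$(kernel_relevant_paths)" ]
}

# kernel_release_ids: print the distinct release IDs embedded in a kernel
# image.  grep -a reads the binary as text, so strings(1) is not needed;
# the pattern (N.N-RELEASE with optional -pN) is an assumption.
kernel_release_ids() {
    LC_ALL=C grep -a -E -o '[0-9]+\.[0-9]+-RELEASE(-p[0-9]+)?' "$1" | sort -u
}

# Constructed sample: an update that bumps newvers.sh and changes userland only.
if printf '%s\n' 'src/sys/conf/newvers.sh' 'src/usr.bin/example/example.c' |
    advisory_touches_kernel
then
    echo "kernel files modified: expect a new kernel and a new patch level"
else
    echo "kernel untouched: the kernel keeps reporting its old patch level"
fi

# On a FreeBSD host, compare with what the installed kernel reports.
if [ -r /boot/kernel/kernel ]; then
    kernel_release_ids /boot/kernel/kernel
fi
```
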

