Date:      Tue, 1 Dec 2009 10:52:33 +0300
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        freebsd-security@freebsd.org
Cc:        FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject:   Re: Upcoming FreeBSD Security Advisory
Message-ID:  <ov3Jq1IJ/c8KAXGQ501G8Os9xr8@Ll2tHa60cb%2BhiG8R4R8/VS21128>
In-Reply-To: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
References:  <200912010120.nB11Kjm9087476@freefall.freebsd.org>

Colin, *, good day.

Tue, Dec 01, 2009 at 01:20:45AM +0000, FreeBSD Security Officer wrote:
> A short time ago a "local root" exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root.
>
> [...]
>
> The patch is at
>   http://people.freebsd.org/~cperciva/rtld.patch
> and has SHA256 hash
>   ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1

Just to ease others' lives: for 7.1 (and 7.0, but it seems to be at EoL
now, so there is already no support for it), one should use another patch:
-----
  http://codelabs.ru/fbsd/patches/vulns/freebsd-7.0-rtld-unsetenv.diff

  SHA256 (freebsd-7.0-rtld-unsetenv.diff) = e5ebbea24073bf644d3bc0c1ba37674a387af656b4c7e583a564a83598930897
  SHA1 (freebsd-7.0-rtld-unsetenv.diff) = 24a79be52be0ea00ed0ea279f25efbf597f9c850
-----
Actually, every system that has rtld.c with r190323 or lower should
use this variant -- clearing of LD_ELF_HINTS_PATH was introduced only
in r190324.


By the way, if people are using NO_DYNAMIC_ROOT and all setuid
executables come from the system itself (no sudo and other stuff from
ports or manual installations), such a system is obviously safe from this
issue -- no dynamic loading takes place.  I don't mean that people with
such systems shouldn't upgrade, but they probably can do it with the least
urgency.

Thanks for posting the patch!
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
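
The NO_DYNAMIC_ROOT condition described in the message can be checked on a host. This is an added example, not part of the original message or of FreeBSD: it lists setuid/setgid files whose ELF program headers contain PT_INTERP, which means the runtime linker is involved when they are executed. The function names, the default directories and the inclusion of setgid files are assumptions of this example.

```python
import os, stat, struct, sys

PT_INTERP = 3  # program-header type naming the runtime linker (ld-elf.so.1 on FreeBSD)

def is_dynamic_elf(data):
    """True if the ELF image carries a PT_INTERP segment, i.e. rtld runs at exec."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return False
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = ">" if data[5] == 2 else "<"   # EI_DATA: 2 = big-endian
    if is64 and len(data) < 64:
        return False
    # e_phoff, e_phentsize and e_phnum sit at different offsets in ELF32 and ELF64
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break                        # truncated program-header table
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return True
    return False

def audit(roots):
    """Sorted paths of setuid/setgid regular files under roots that need rtld."""
    hits = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    mode = os.lstat(path).st_mode
                    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                        with open(path, "rb") as f:
                            if is_dynamic_elf(f.read()):
                                hits.append(path)
                except OSError:
                    continue             # unreadable or vanished file: skip
    return sorted(hits)

def sample_elf64(p_type):
    """Constructed sample: little-endian ELF64 header plus one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ident + hdr + struct.pack("<I", p_type) + bytes(52)

if __name__ == "__main__":
    # Default roots are an assumption; pass your own directories as arguments.
    for p in audit(sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local"]):
        print(p)
```

An empty result for the scanned directories matches the situation the message describes; any path printed is a set-id binary that still goes through the runtime linker. Run it as root so that unreadable files are not skipped.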


