From: Eygene Ryabinkin
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories
Date: Tue, 1 Dec 2009 10:52:33 +0300
Subject: Re: Upcoming FreeBSD Security Advisory
In-Reply-To: <200912010120.nB11Kjm9087476@freefall.freebsd.org>

Colin, *, good day.

Tue, Dec 01, 2009 at 01:20:45AM +0000, FreeBSD Security Officer wrote:
> A short time ago a "local root" exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root.
>
> [...]
>
> The patch is at
> http://people.freebsd.org/~cperciva/rtld.patch
> and has SHA256 hash
> ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1

Just to ease others' lives: for 7.1 (and 7.0, but it seems to be at EoL now,
so there is already no support for it), one should use another patch:
-----
http://codelabs.ru/fbsd/patches/vulns/freebsd-7.0-rtld-unsetenv.diff
SHA256 (freebsd-7.0-rtld-unsetenv.diff) = e5ebbea24073bf644d3bc0c1ba37674a387af656b4c7e583a564a83598930897
SHA1 (freebsd-7.0-rtld-unsetenv.diff) = 24a79be52be0ea00ed0ea279f25efbf597f9c850
-----

Actually, every system that has rtld.c with r190323 or lower should use this
variant -- clearing of LD_ELF_HINTS_PATH was introduced only in r190324.

By the way, if people are using NO_DYNAMIC_ROOT and all setuid executables
come from the system itself (no sudo and other stuff from ports or manual
installations), such a system is obviously safe from this issue -- no dynamic
loading takes place. I don't mean that people with such systems shouldn't
upgrade, but they probably can do it with the least urgency.

Thanks for posting the patch!
--
Eygene
  Remember that it is hard to read the on-line manual
  while single-stepping the kernel.
  -- FreeBSD Developers handbook
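The two practical steps the mail implies for an administrator are (a) verify the downloaded patch against the published SHA256 before applying it and (b) decide which patch variant a given source tree needs. The script below is an added example, not code from the mail or from FreeBSD; it assumes the r190324-or-newer rtld.c can be recognised by an unsetenv() call that names ELF_HINTS_PATH, and it falls back through sha256sum, shasum and the FreeBSD sha256 tool so it runs on Linux, macOS and FreeBSD alike.

```shell
#!/bin/sh
# Added example (not from the original mail): verify a downloaded rtld patch
# and pick the variant that matches the local libexec/rtld-elf/rtld.c.

# Portable SHA256 of a file: sha256sum (Linux), shasum (macOS), sha256 (FreeBSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Exit status 0 when the file's SHA256 equals the expected value
# (compared case-insensitively so a copy-pasted upper-case hash still works).
verify_sha256() {
    _got=$(sha256_of "$1" | tr 'A-Z' 'a-z')
    _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$_got" ] && [ "$_got" = "$_want" ]
}

# Print the patch variant for the given rtld.c. Assumption (not stated in the
# mail): from r190324 on, the set-uid path contains an unsetenv() call naming
# ELF_HINTS_PATH; a tree at r190323 or older lacks it and needs the 7.0 diff.
rtld_patch_variant() {
    if grep -Eq 'unsetenv\(.*ELF_HINTS_PATH' "$1"; then
        echo "rtld.patch (r190324 or newer)"
    else
        echo "freebsd-7.0-rtld-unsetenv.diff (r190323 or older)"
    fi
}

# Typical use (values from the mail; paths are placeholders):
#   verify_sha256 ./rtld.patch \
#     ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1 || exit 1
#   rtld_patch_variant /usr/src/libexec/rtld-elf/rtld.c
```

A mismatch from verify_sha256 means the file should not be applied at all, whatever rtld_patch_variant reports.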